From 6598510159bfb9e6e5bb0a70bbfe8129a3604226 Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Fri, 19 Jul 2013 09:07:19 -0600 Subject: [PATCH] security: fix deadlock with prefork https://bugzilla.redhat.com/show_bug.cgi?id=964358 Attempts to start a domain with both SELinux and DAC security modules loaded will deadlock; latent problem introduced in commit fdb3bde and exposed in commit 29fe5d7. Basically, when recursing into the security manager for other driver's prefork, we have to undo the asymmetric lock taken at the manager level. Reported by Jiri Denemark, with diagnosis help from Dan Berrange. * src/security/security_stack.c (virSecurityStackPreFork): Undo extra lock grabbed during recursion. Signed-off-by: Eric Blake (cherry picked from commit bfc183c1e377b24cebf5cede4c00f3dc0d1b3486) --- src/security/security_stack.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 82b79c326c..087aa81752 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -129,6 +129,11 @@ virSecurityStackPreFork(virSecurityManagerPtr mgr) rc = -1; break; } + /* Undo the unbalanced locking left behind after recursion; if + * PostFork ever delegates to driver callbacks, we'd instead + * need to recurse to an internal method that does not regrab + * a lock. */ + virSecurityManagerPostFork(item->securityManager); } return rc;
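Review bot: In the `virSecurityStackPreFork` hunk, the `rc = -1; break;` path just above the added lines leaves the loop before the new `virSecurityManagerPostFork(item->securityManager)` call is reached, so the item whose prefork failed never gets the compensating unlock. The visible lines do not show whether the manager-level prefork releases its own lock when it fails; if it does not, that nested manager stays locked on the error path, which is the same kind of imbalance this patch is fixing. Please confirm the failure behaviour and say so in the comment, or move the unlock so it covers both outcomes. Separately, the added comment already concedes that this only works while PostFork is nothing more than an unlock and does not delegate to driver callbacks. An internal prefork helper that does not take the manager lock would remove that coupling, and is worth a follow-up so that a later change to PostFork cannot silently reintroduce the deadlock.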