security: fix deadlock with prefork

https://bugzilla.redhat.com/show_bug.cgi?id=964358 Attempts to start a domain with both SELinux and DAC security modules loaded will deadlock; latent problem introduced in commit fdb3bde3 and exposed in commit 29fe5d74. Basically, when recursing into the security manager for other driver's prefork, we have to undo the asymmetric lock taken at the manager level. Reported by Jiri Denemark, with diagnosis help from Dan Berrange. * src/security/security_stack.c (virSecurityStackPreFork): Undo extra lock grabbed during recursion. Signed-off-by: N Eric Blake <eblake@redhat.com> (cherry picked from commit bfc183c1)

security: fix deadlock with prefork
https://bugzilla.redhat.com/show_bug.cgi?id=964358 Attempts to start a domain with both SELinux and DAC security modules loaded will deadlock; latent problem introduced in commit fdb3bde3 and exposed in commit 29fe5d74. Basically, when recursing into the security manager for other driver's prefork, we have to undo the asymmetric lock taken at the manager level. Reported by Jiri Denemark, with diagnosis help from Dan Berrange. * src/security/security_stack.c (virSecurityStackPreFork): Undo extra lock grabbed during recursion. Signed-off-by: N Eric Blake <eblake@redhat.com> (cherry picked from commit bfc183c1)
7f72e6c3 · Eric Blake · 47d520cd · 7f72e6c3
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

src/security/security_stack.c src/security/security_stack.c +5 -0

未找到文件。
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -129,6 +129,11 @@ virSecurityStackPreFork(virSecurityManagerPtr mgr)
            rc = -1;
            break;
        }
+        /* Undo the unbalanced locking left behind after recursion; if
+         * PostFork ever delegates to driver callbacks, we'd instead
+         * need to recurse to an internal method that does not regrab
+         * a lock. */
+        virSecurityManagerPostFork(item->securityManager);
    }

    return rc;