|
 |
44173a |
From bbab997f4307da65856dedd3f319037ce442d17e Mon Sep 17 00:00:00 2001
|
|
|
44173a |
Message-Id: <bbab997f4307da65856dedd3f319037ce442d17e@dist-git>
|
|
|
44173a |
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
|
44173a |
Date: Thu, 24 Feb 2022 18:41:29 +0000
|
|
|
44173a |
Subject: [PATCH] nwfilter: hold filter update lock when creating/deleting
|
|
|
44173a |
bindings
|
|
|
44173a |
MIME-Version: 1.0
|
|
|
44173a |
Content-Type: text/plain; charset=UTF-8
|
|
|
44173a |
Content-Transfer-Encoding: 8bit
|
|
|
44173a |
|
|
|
44173a |
The nwfilter update lock is historically acquired by the virt
|
|
|
44173a |
drivers in order to achieve serialization between nwfilter
|
|
|
44173a |
define/undefine, and instantiation/teardown of filters.
|
|
|
44173a |
|
|
|
44173a |
When running in the modular daemons, however, the mutex that
|
|
|
44173a |
the virt drivers are locking is in a completely different
|
|
|
44173a |
process from the mutex that the nwfilter driver is locking.
|
|
|
44173a |
|
|
|
44173a |
Serialization is lost and thus call from the virt driver to
|
|
|
44173a |
virNWFilterBindingCreateXML can deadlock with a concurrent
|
|
|
44173a |
call to the virNWFilterDefineXML method.
|
|
|
44173a |
|
|
|
44173a |
The solution is surprisingly easy, the update lock simply
|
|
|
44173a |
needs acquiring in the virNWFilterBindingCreateXML method
|
|
|
44173a |
and virNWFilterBindingUndefine method instead of in the
|
|
|
44173a |
virt drivers.
|
|
|
44173a |
|
|
|
44173a |
The only semantic difference here is that when a virtual
|
|
|
44173a |
machine has multiple NICs, the instantiation and teardown
|
|
|
44173a |
of filters is no longer serialized for the whole VM, but
|
|
|
44173a |
rather for each NIC. This should not be a problem since
|
|
|
44173a |
the virt drivers already need to cope with tearing down
|
|
|
44173a |
a partially created VM where only some of the NICs are
|
|
|
44173a |
setup.
|
|
|
44173a |
|
|
|
44173a |
Reviewed-by: Laine Stump <laine@redhat.com>
|
|
|
44173a |
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
44173a |
(cherry picked from commit 65dc79f50b96b34b2253601b8972d5ca90658f33)
|
|
|
44173a |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2044379
|
|
|
44173a |
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
|
|
|
44173a |
---
|
|
|
44173a |
src/nwfilter/nwfilter_driver.c | 5 +++++
|
|
|
44173a |
1 file changed, 5 insertions(+)
|
|
|
44173a |
|
|
|
44173a |
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
|
|
|
44173a |
index 200451d6b1..a4479fc9fe 100644
|
|
|
44173a |
--- a/src/nwfilter/nwfilter_driver.c
|
|
|
44173a |
+++ b/src/nwfilter/nwfilter_driver.c
|
|
|
44173a |
@@ -760,12 +760,15 @@ nwfilterBindingCreateXML(virConnectPtr conn,
|
|
|
44173a |
if (!(ret = virGetNWFilterBinding(conn, def->portdevname, def->filter)))
|
|
|
44173a |
goto cleanup;
|
|
|
44173a |
|
|
|
44173a |
+ virNWFilterReadLockFilterUpdates();
|
|
|
44173a |
if (virNWFilterInstantiateFilter(driver, def) < 0) {
|
|
|
44173a |
+ virNWFilterUnlockFilterUpdates();
|
|
|
44173a |
virNWFilterBindingObjListRemove(driver->bindings, obj);
|
|
|
44173a |
virObjectUnref(ret);
|
|
|
44173a |
ret = NULL;
|
|
|
44173a |
goto cleanup;
|
|
|
44173a |
}
|
|
|
44173a |
+ virNWFilterUnlockFilterUpdates();
|
|
|
44173a |
virNWFilterBindingObjSave(obj, driver->bindingDir);
|
|
|
44173a |
|
|
|
44173a |
cleanup:
|
|
|
44173a |
@@ -802,7 +805,9 @@ nwfilterBindingDelete(virNWFilterBindingPtr binding)
|
|
|
44173a |
if (virNWFilterBindingDeleteEnsureACL(binding->conn, def) < 0)
|
|
|
44173a |
goto cleanup;
|
|
|
44173a |
|
|
|
44173a |
+ virNWFilterReadLockFilterUpdates();
|
|
|
44173a |
virNWFilterTeardownFilter(def);
|
|
|
44173a |
+ virNWFilterUnlockFilterUpdates();
|
|
|
44173a |
virNWFilterBindingObjDelete(obj, driver->bindingDir);
|
|
|
44173a |
virNWFilterBindingObjListRemove(driver->bindings, obj);
|
|
|
44173a |
|
|
|
44173a |
--
|
|
|
44173a |
2.35.1
|
|
|
44173a |
|