diff --git a/p11-kit-0.23.1-no-finalize.patch b/p11-kit-0.23.1-no-finalize.patch
new file mode 100644
index 0000000..e067df5
--- /dev/null
+++ b/p11-kit-0.23.1-no-finalize.patch
@@ -0,0 +1,86 @@
+From cacaf8cd0b0a4f2cd61b61b012cd5cbf715fe38f Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 24 Jun 2015 09:43:57 +0200
+Subject: In proxy module don't call C_Finalize on a forked process.
+
+This corrects a deadlock on the forked process. The deadlock
+happened because the proxy called C_Finalize prior to a C_Initialize
+which is wrong according to PKCS #11 (2.40). This patch eliminates
+the C_Finalize call in that case.
+
+This resolves #90289
+https://bugs.freedesktop.org/show_bug.cgi?id=90289
+
+Reviewed-by: Stef Walter
+
+diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
+index db2acb8..28fd186 100644
+--- a/p11-kit/proxy.c
++++ b/p11-kit/proxy.c
+@@ -98,6 +98,7 @@ static State *all_instances = NULL;
+ static State global = { { { { -1, -1 }, NULL, }, }, NULL, NULL, FIRST_HANDLE, NULL };
+
+ #define PROXY_VALID(px) ((px) && (px)->forkid == p11_forkid)
++#define PROXY_FORKED(px) ((px) && (px)->forkid != p11_forkid)
+
+ #define MANUFACTURER_ID "PKCS#11 Kit "
+ #define LIBRARY_DESCRIPTION "PKCS#11 Kit Proxy Module "
+@@ -187,10 +188,11 @@ map_session_to_real (Proxy *px,
+ }
+
+ static void
+-proxy_free (Proxy *py)
++proxy_free (Proxy *py, unsigned finalize)
+ {
+ if (py) {
+- p11_kit_modules_finalize (py->inited);
++ if (finalize)
++ p11_kit_modules_finalize (py->inited);
+ free (py->inited);
+ p11_dict_free (py->sessions);
+ free (py->mappings);
+@@ -227,7 +229,7 @@ proxy_C_Finalize (CK_X_FUNCTION_LIST *self,
+
+ p11_unlock ();
+
+- proxy_free (py);
++ proxy_free (py, 1);
+ }
+
+ p11_debug ("out: %lu", rv);
+@@ -301,7 +303,7 @@ proxy_create (Proxy **res)
+ }
+
+ if (rv != CKR_OK) {
+- proxy_free (py);
++ proxy_free (py, 1);
+ return rv;
+ }
+
+@@ -331,8 +333,13 @@ proxy_C_Initialize (CK_X_FUNCTION_LIST *self,
+ p11_lock ();
+
+ if (!PROXY_VALID (state->px)) {
++ unsigned call_finalize = 1;
++
+ initialize = true;
+- proxy_free (state->px);
++ if (PROXY_FORKED(state->px))
++ call_finalize = 0;
++ proxy_free (state->px, call_finalize);
++
+ state->px = NULL;
+ } else {
+ state->px->refs++;
+@@ -360,7 +367,7 @@ proxy_C_Initialize (CK_X_FUNCTION_LIST *self,
+
+ p11_unlock ();
+
+- proxy_free (py);
++ proxy_free (py, 1);
+ p11_debug ("out: 0");
+ return rv;
+ }
+--
+cgit v0.10.2
+
diff --git a/p11-kit-0.23.1-no-libffi-deinit.patch b/p11-kit-0.23.1-no-libffi-deinit.patch
new file mode 100644
index 0000000..0e5395a
--- /dev/null
+++ b/p11-kit-0.23.1-no-libffi-deinit.patch
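Review bot: The new `finalize` parameter of `proxy_free` is an `unsigned` driven by bare `1`/`0` at four call sites, and nothing at the definition explains why a forked child must skip `p11_kit_modules_finalize`; that reasoning lives only in the commit message. The surrounding code already uses `bool` (`initialize = true;`), so `proxy_free (Proxy *py, bool finalize)` would be consistent, and the `call_finalize` local in `proxy_C_Initialize` could collapse to `proxy_free (state->px, !PROXY_FORKED (state->px));`. I would also add a comment above `proxy_free` saying that, per the commit message, C_Finalize must not reach the modules in a forked process before C_Initialize has run there, so that path releases only the proxy's own memory. The body of `proxy_free` ends outside the hunk.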
@@ -0,0 +1,58 @@
+From ec8a291efb87f1751a18c7e023a67232c15a4ef2 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Wed, 24 Jun 2015 16:08:42 +0200
+Subject: Do not deinitialize libffi's wrapper functions
+
+Libffi uses shared memory to store them, and a deallocation
+in a child will cause issues for the parent or vice versa.
+
+Signed-off-by: Stef Walter
+ * Use #if to comment out code, avoid compiler warnings
+
+diff --git a/p11-kit/virtual.c b/p11-kit/virtual.c
+index 2f4f0ae..bb0d845 100644
+--- a/p11-kit/virtual.c
++++ b/p11-kit/virtual.c
+@@ -54,6 +54,13 @@
+ * not be defined. This is checked in configure.ac
+ */
+
++/*
++ * Since libffi uses shared memory to store that, releasing it
++ * will cause issues on any other child or parent process that relies
++ * on that. Don't release it.
++ */
++#define LIBFFI_FREE_CLOSURES 0
++
+ #include "ffi.h"
+ #ifndef FFI_CLOSURES
+ #error "FFI_CLOSURES should be checked in configure.ac"
+@@ -2718,6 +2725,7 @@ init_wrapper_funcs (Wrapper *wrapper)
+ return true;
+ }
+
++#if LIBFFI_FREE_CLOSURES
+ static void
+ uninit_wrapper_funcs (Wrapper *wrapper)
+ {
+@@ -2726,6 +2734,7 @@ uninit_wrapper_funcs (Wrapper *wrapper)
+ for (i = 0; i < wrapper->ffi_used; i++)
+ ffi_closure_free (wrapper->ffi_closures[i]);
+ }
++#endif
+
+ CK_FUNCTION_LIST *
+ p11_virtual_wrap (p11_virtual *virt,
+@@ -2792,7 +2801,9 @@ p11_virtual_unwrap (CK_FUNCTION_LIST_PTR module)
+ if (wrapper->destroyer)
+ (wrapper->destroyer) (wrapper->virt);
+
++#if LIBFFI_FREE_CLOSURES
+ uninit_wrapper_funcs (wrapper);
++#endif
+ free (wrapper);
+ }
+
+--
+cgit v0.10.2
+
diff --git a/p11-kit.spec b/p11-kit.spec
index 81e6e67..0bba4d9 100644
--- a/p11-kit.spec
+++ b/p11-kit.spec
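Review bot: With `LIBFFI_FREE_CLOSURES` hard-coded to `0`, `p11_virtual_unwrap` still frees `wrapper` but no longer releases the entries in `wrapper->ffi_closures`, so each wrap/unwrap cycle leaves up to `ffi_used` closures allocated for the life of the process. This looks like a deliberate trade against the cross-process breakage described in the new header comment, but the unwrap site carries no note of it, and a long-running process that repeatedly loads and unloads modules could grow steadily. I would state that where the call is compiled out, e.g. `/* closures are intentionally leaked, see LIBFFI_FREE_CLOSURES */`, and guard the define with `#ifndef LIBFFI_FREE_CLOSURES` so a build can turn freeing back on. Both `uninit_wrapper_funcs` and `p11_virtual_unwrap` start outside the hunks shown.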
@@ -1,12 +1,17 @@ Name: p11-kit Version: 0.23.1 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Library for loading and sharing PKCS#11 modules License: BSD URL: http://p11-glue.freedesktop.org/p11-kit.html Source0: http://p11-glue.freedesktop.org/releases/p11-kit-%{version}.tar.gz Source1: trust-extract-compat +# upstreamed, can be removed when rebasing to next release +Patch0: p11-kit-0.23.1-no-finalize.patch +# upstreamed, can be removed when rebasing to next release +Patch1: p11-kit-0.23.1-no-libffi-deinit.patch + BuildRequires: libtasn1-devel >= 2.3 BuildRequires: nss-softokn-freebl BuildRequires: libffi-devel @@ -50,6 +55,8 @@ contains certificate anchors and black lists. %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build # These paths are the source paths that come from the plan here: @@ -118,6 +125,10 @@ fi %changelog +* Tue Jun 30 2015 Martin Preisler - 0.23.1-4 +- In proxy module don't call C_Finalize on a forked process [#1217915] +- Do not deinitialize libffi's wrapper functions [#1217915] + * Thu Jun 18 2015 Fedora Release Engineering - 0.23.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild