mdev: Fix daemon crash when reattaching mdevs on assignment conflict

If there's a list of mdevs to be assigned to a domain, but one of them
(NOT the first) is already assigned to a different domain we're going
to crash in the qemuProcessStop phase in
virMediatedDeviceListFindIndex, because some of the pointers in
mgr->activeMediatedHostdevs are dangling. This is due to
virMediatedDeviceListMarkDevices using cleanup instead of rollback when
we find out that a device is already taken.

Reproducer steps:
1. start vm1 with mdev1
2. start vm2 with mdev2, mdev1 (the order is important!)

Backtrace:
 #0  0x0000ffffb8c36250 in strcmp
 #1  0x0000ffffb9b80754 in virMediatedDeviceListFindIndex
 #2  0x0000ffffb9b80870 in virMediatedDeviceListFind
 #3  0x0000ffffb9c9e168 in virHostdevReAttachMediatedDevices
 #4  0x0000ffff9949f724 in qemuHostdevReAttachMediatedDevices
 #5  0x0000ffff9949f7f8 in qemuHostdevReAttachDomainDevices
 #6  0x0000ffff994bcd70 in qemuProcessStop
 #7  0x0000ffff994bf4e0 in qemuProcessStart

Signed-off-by: Binfeng Wu <wubinfeng@huawei.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>

diff --git a/src/util/virmdev.c b/src/util/virmdev.c
index b8023dd99116d00c50d495c5d6f8ef91bb0a4b08..26cb8300ff4dcff12ab9901c723ee2bc4d127cce 100644 (file)
--- a/src/util/virmdev.c
+++ b/src/util/virmdev.c
@@ -439,7 +439,7 @@ virMediatedDeviceListMarkDevices(virMediatedDeviceListPtr dst,
 
         if (virMediatedDeviceIsUsed(mdev, dst) ||
             virMediatedDeviceSetUsedBy(mdev, drvname, domname) < 0)
-            goto cleanup;
+            goto rollback;
 
         /* Copy mdev references to the driver list:
          * - caller is responsible for NOT freeing devices in @src on success