From: Binfeng Wu
Date: Tue, 21 Jul 2020 09:21:10 +0000 (+0800)
Subject: mdev: Fix daemon crash when reattaching mdevs on assignment conflict
X-Git-Tag: v6.7.0-rc1~163
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8361d335ab77cb1f3b70a3fa92f7e2d0aaa31bac;p=thirdparty%2Flibvirt.git

mdev: Fix daemon crash when reattaching mdevs on assignment conflict

If there's a list of mdevs to be assigned to a domain, but one of them (NOT the first) is already assigned to a different domain we're going to crash in the qemuProcessStop phase in virMediatedDeviceListFindIndex, because some of the pointers in mgr->activeMediatedHostdevs are dangling. This is due to virMediatedDeviceListMarkDevices using cleanup instead of rollback when we find out that a device is already taken.

Reproducer steps:
1. start vm1 with mdev1
2. start vm2 with mdev2, mdev1 (the order is important!)

Backtrace:
#0 0x0000ffffb8c36250 in strcmp
#1 0x0000ffffb9b80754 in virMediatedDeviceListFindIndex
#2 0x0000ffffb9b80870 in virMediatedDeviceListFind
#3 0x0000ffffb9c9e168 in virHostdevReAttachMediatedDevices
#4 0x0000ffff9949f724 in qemuHostdevReAttachMediatedDevices
#5 0x0000ffff9949f7f8 in qemuHostdevReAttachDomainDevices
#6 0x0000ffff994bcd70 in qemuProcessStop
#7 0x0000ffff994bf4e0 in qemuProcessStart

Signed-off-by: Binfeng Wu
Reviewed-by: Erik Skultety
---
diff --git a/src/util/virmdev.c b/src/util/virmdev.c index b8023dd991..26cb8300ff 100644 --- a/src/util/virmdev.c +++ b/src/util/virmdev.c @@ -439,7 +439,7 @@ virMediatedDeviceListMarkDevices(virMediatedDeviceListPtr dst, if (virMediatedDeviceIsUsed(mdev, dst) || virMediatedDeviceSetUsedBy(mdev, drvname, domname) < 0) - goto cleanup; + goto rollback; /* Copy mdev references to the driver list: * - caller is responsible for NOT freeing devices in @src on success
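Review bot: the new `goto rollback;` under the `virMediatedDeviceIsUsed(mdev, dst) || virMediatedDeviceSetUsedBy(...) < 0` check has no comment explaining why rollback rather than cleanup is required, and the context comment that follows documents only the success case ("caller is responsible for NOT freeing devices in @src on success"). Suggest adding a line at the check stating the failure-side ownership rule: references copied into @dst by earlier loop iterations must be removed before returning an error, otherwise @dst keeps pointers to devices it does not own, which is the dangling-pointer crash in virMediatedDeviceListFindIndex described in the commit message. The body of the rollback label is outside this hunk, so please confirm it behaves correctly when the very first device is the one that fails (nothing has been copied yet) and that it leaves the current, never-added mdev alone. It is also worth checking whether the cleanup label still has any users after this change, and adding a regression test for the reproducer in the commit message (second of two mdevs already assigned elsewhere), since the order dependence makes this easy to reintroduce.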