[PATCH] qemuProcessReconnect: fix possible use after free for xmlopt
by Chuan Zheng
From: Zheng Chuan <zhengchuan(a)huawei.com>
In a case that libvirtd is killed when it has just started,
the qemu_driver->xmlopt is freed in the main thread while qemuProcessReconnect
still visits it, which resulting in null pointer accesses.
Fix that by adding refcount of qemu_driver->xmlopt at the begining of
qemuProcessReconnect.
Signed-off-by: Zheng Chuan <zhengchuan(a)huawei.com>
---
src/qemu/qemu_process.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index ec6ca14..ef3fe12 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8009,6 +8009,7 @@ qemuProcessReconnect(void *opaque)
virQEMUDriverPtr driver = data->driver;
virDomainObjPtr obj = data->obj;
qemuDomainObjPrivatePtr priv;
+ virDomainXMLOptionPtr xmlopt;
qemuDomainJobObj oldjob;
int state;
int reason;
@@ -8030,6 +8031,9 @@ qemuProcessReconnect(void *opaque)
cfg = virQEMUDriverGetConfig(driver);
priv = obj->privateData;
+ /* need xmlopt later to save status, do not free */
+ xmlopt = virObjectRef(driver->xmlopt);
+
if (qemuDomainObjBeginJob(driver, obj, QEMU_JOB_MODIFY) < 0)
goto error;
jobStarted = true;
@@ -8229,7 +8233,7 @@ qemuProcessReconnect(void *opaque)
}
/* update domain state XML with possibly updated state in virDomainObj */
- if (virDomainObjSave(obj, driver->xmlopt, cfg->stateDir) < 0)
+ if (virDomainObjSave(obj, xmlopt, cfg->stateDir) < 0)
goto error;
/* Run an hook to allow admins to do some magic */
@@ -8262,6 +8266,7 @@ qemuProcessReconnect(void *opaque)
if (!virDomainObjIsActive(obj))
qemuDomainRemoveInactiveJob(driver, obj);
}
+ virObjectUnref(xmlopt);
virDomainObjEndAPI(&obj);
virNWFilterUnlockFilterUpdates();
virIdentitySetCurrent(NULL);
--
1.8.3.1
4 years, 10 months
[PATCH 0/2] remove kvm_pr PPC64 support for non-Power8 hosts
by Daniel Henrique Barboza
The reasoning is described in the commit message of patch 02.
Gitlab tree: https://gitlab.com/danielhb/libvirt/-/tree/kvmpr_cap_v1
Daniel Henrique Barboza (2):
virt-host-validade-common: move virHostKernelModuleIsLoaded to virkmod
qemu_capabilities.c: drop 'kvm_pr' support for non-Power8 hosts
src/libvirt_private.syms | 1 +
src/qemu/qemu_capabilities.c | 38 +++++++++++++++++++++++++++++--
src/util/virkmod.c | 34 +++++++++++++++++++++++++++
src/util/virkmod.h | 1 +
tools/virt-host-validate-common.c | 27 ----------------------
tools/virt-host-validate-common.h | 2 --
tools/virt-host-validate-qemu.c | 3 ++-
7 files changed, 74 insertions(+), 32 deletions(-)
--
2.26.2
4 years, 10 months
Entering freeze for libvirt-6.6.0
by Jiri Denemark
I have just tagged v6.6.0-rc1 in the repository and pushed signed
tarballs and source RPMs to https://libvirt.org/sources/
Please give the release candidate some testing and in case you find a
serious issue which should have a fix in the upcoming release, feel
free to reply to this thread to make sure the issue is more visible.
If you have not done so yet, please update NEWS.rst to document any
significant change you made since the last release.
As already announced I'm on vacation next week and thus I won't make the
usual second release candidate. If everything looks good when I'm back,
I will make the final release on Aug 1.
Thanks,
Jirka
4 years, 10 months
[PATCH v4 0/2] conf: add 'isa' controller type
by Roman Bogorodskiy
No code changes, just re-arranged commits. Now commits are more
granular than v3, but still less granular as v2. Specifically, now
there are a 'conf' part as a separate commit and 'bhyve' part as a
separate commit. My thought was that automatic addition of the 'isa'
controller and controller index validation patches are small compared to
the main code, so should not increase reviewing difficulty much. Please
let me know if it's still desired to make more granular commits.
I plan to submit corresponding news and docs entries as a separate
series.
Roman Bogorodskiy (2):
conf: add 'isa' controller type
bhyve: support 'isa' controller for LPC
docs/schemas/domaincommon.rng | 6 ++++
src/bhyve/bhyve_command.c | 27 +++++++-------
src/bhyve/bhyve_device.c | 23 +++++++++---
src/bhyve/bhyve_domain.c | 25 +++++++++++--
src/bhyve/bhyve_domain.h | 2 --
src/conf/domain_conf.c | 9 +++++
src/conf/domain_conf.h | 8 +++++
src/qemu/qemu_command.c | 1 +
src/qemu/qemu_domain.c | 1 +
src/qemu/qemu_domain_address.c | 1 +
src/qemu/qemu_validate.c | 1 +
src/vbox/vbox_common.c | 1 +
..ml2argv-addr-isa-controller-on-slot-1.args | 10 ++++++
...2argv-addr-isa-controller-on-slot-1.ldargs | 3 ++
...xml2argv-addr-isa-controller-on-slot-1.xml | 26 ++++++++++++++
...l2argv-addr-isa-controller-on-slot-31.args | 10 ++++++
...argv-addr-isa-controller-on-slot-31.ldargs | 3 ++
...ml2argv-addr-isa-controller-on-slot-31.xml | 26 ++++++++++++++
...argv-addr-non-isa-controller-on-slot-1.xml | 23 ++++++++++++
.../bhyvexml2argv-console.args | 2 +-
.../bhyvexml2argv-isa-controller.args | 10 ++++++
.../bhyvexml2argv-isa-controller.ldargs | 3 ++
.../bhyvexml2argv-isa-controller.xml | 24 +++++++++++++
...bhyvexml2argv-isa-multiple-controllers.xml | 25 +++++++++++++
.../bhyvexml2argv-serial-grub-nocons.args | 2 +-
.../bhyvexml2argv-serial-grub.args | 2 +-
.../bhyvexml2argv-serial.args | 2 +-
.../bhyvexml2argvdata/bhyvexml2argv-uefi.args | 4 +--
.../bhyvexml2argv-vnc-autoport.args | 4 +--
.../bhyvexml2argv-vnc-vgaconf-io.args | 4 +--
.../bhyvexml2argv-vnc-vgaconf-off.args | 4 +--
.../bhyvexml2argv-vnc-vgaconf-on.args | 4 +--
.../bhyvexml2argvdata/bhyvexml2argv-vnc.args | 4 +--
tests/bhyvexml2argvtest.c | 5 +++
...l2xmlout-addr-isa-controller-on-slot-1.xml | 36 +++++++++++++++++++
...2xmlout-addr-isa-controller-on-slot-31.xml | 36 +++++++++++++++++++
.../bhyvexml2xmlout-console.xml | 3 ++
.../bhyvexml2xmlout-isa-controller.xml | 36 +++++++++++++++++++
.../bhyvexml2xmlout-serial-grub-nocons.xml | 3 ++
.../bhyvexml2xmlout-serial-grub.xml | 3 ++
.../bhyvexml2xmlout-serial.xml | 3 ++
.../bhyvexml2xmlout-vnc-autoport.xml | 3 ++
.../bhyvexml2xmlout-vnc-vgaconf-io.xml | 3 ++
.../bhyvexml2xmlout-vnc-vgaconf-off.xml | 3 ++
.../bhyvexml2xmlout-vnc-vgaconf-on.xml | 3 ++
.../bhyvexml2xmlout-vnc.xml | 3 ++
tests/bhyvexml2xmltest.c | 3 ++
47 files changed, 406 insertions(+), 37 deletions(-)
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-addr-isa-controller-on-slot-1.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-addr-isa-controller-on-slot-1.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-addr-isa-controller-on-slot-1.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-addr-isa-controller-on-slot-31.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-addr-isa-controller-on-slot-31.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-addr-isa-controller-on-slot-31.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-addr-non-isa-controller-on-slot-1.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-isa-controller.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-isa-controller.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-isa-controller.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-isa-multiple-controllers.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-addr-isa-controller-on-slot-1.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-addr-isa-controller-on-slot-31.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-isa-controller.xml
--
2.27.0
4 years, 10 months
[PATCH libvirt-python 0/5] Fixes from adding type annotation
by Philipp Hahn
Hello,
as announced a long time ago with
<https://www.redhat.com/archives/libvir-list/2018-November/msg00291.html>
and recently refreshed with
<https://www.redhat.com/archives/libvir-list/2020-April/msg00892.html>
I'm working on adding PEP 484 type hints
<https://www.python.org/dev/peps/pep-0484/> to the Python binding of
libvirt.
I have finished this work now and have a working version at
<https://github.com/univention/libvirt-python/tree/typing> which
consists of 90 patches in total as I has to go over evry file to
understand and fix all things.
As that patch bomb is quiet large I'm going to submit them in smaller
chunks to make them more reviewable. Today I start with the first round
consisting of "real" bugs in the current code:
Philipp Hahn (5):
generator: Fix undefined variables file
generator: Fix string formatting
generator: Fix domainSnapshot.listAllChildren()
qemu-api: Fix return type
libvirtaio: Fix return types of callback
generator.py | 6 +++---
libvirt-override-virDomainSnapshot.py | 2 +-
libvirt-qemu-override-api.xml | 4 ++--
libvirtaio.py | 18 ++++++++++++------
4 files changed, 18 insertions(+), 12 deletions(-)
After that I plan to continue with:
2. fix examples/ to work with Python 3
3. Cleanup code tree-wide
4. Cleanup generator.py
5. Cleanup sanitytest.py
6. Teach generator.py to add PEP 484 annotation
7. Assorted cleanups
(the order and chunking is not final yet)
> examples/domipaddrs: Convert to python 3 print()
> examples/domipaddrs: Fix Python 2 dict.iteritems()
> examples/*: Remove stray semicolon
> example/dhcp*: Fix None comparison
> examples/event-test: Remove unneeded global statement
> examples/event-test: Work with old version of python-libvirt
> examples/event-test: Use atexit for Python 3
> examples/esxlist: Fix Python 2 raw_input()
> examples/consolecallback: Add var to save callback
> examples/consolecallback: Fix assorted errors
> examples: Add missing return values
> libvirtaio: Drop object(*args, **kwargs)
> libvirtaio: Fix return type
> libvirtaio: assert callback type
> Do not use bare except
> Cleanup imports
> Fix white space
> Remove legacy libvirtError arguments
> stream: Fix exception traceback handling
> override: Simplify exception handling
> generator: Simplify exception handling
> generator: Change type of quiet to bool
> generator: Remove unneeded line continuation
> generator: Convert to 'not in' and 'is not'
> generator: Remove dead variable assignments
> generator: Remove skipped_modules
> generator: Remove useless sort key
> generator: Fix return type on failure
> generator: Merge now identical if-elif-else cases
> generator: Use more string formatting
> generator: Simplify string concatentaion
> generator: Use enumerate()
> generator: Use increment assignment
> generator: Use string concatenation
> generator: Remove global declarations
> generator: Initialize function_classes directly
> generator: Check contained in hash
> generator: Use dict.item() to walk keys and values
> generator: Walk only the values
> generator: Directly get dict length
> generator: Just walk the dict
> generator: Use splitlines()
> generator: Open file with context manager
> generator: Refactor parser creation
> generator: Remove unused SAX content handler methods
> generator: Use SAX method names
> generator: Use string formatting
> generator: Convert in_function to boolean
> generator: Simplify XML attribute fetching
> generator: Initialize with empty strings
> generator: Expand tuple to names in for loop
> generator: Store arguments and return as tuple
> generator: Fixed writing cached=None
> generator: Simplify sorting
> generator: Simplify loop break
> generator: Simplify boolean condition
> generator: Convert dict() to set()
> generator: Converto to defaultdict()
> generator: Add PEP 484 type annotations
> override: Add manual PEP 484 type annotations
> sanitytest: Skip type annotations
> stream: Simplify boolean condition
> domain: Fix None comparison
> stream: no type change
> stream: Convert type() to isinstance()
> stream: Return None from callback
> connect: Just clear all event handlers
> override: no type change
> sanitytest: Do not re-declare set
> sanitytest: Drop else:pass
> sanitytest: Drop Python 2 compatibility
> sanitytest: Add PEP 484 type annotations
> sanitytest: Use 3-tuple for basicklassmap
> sanitytest: Use 3-tuple for finalklassmap
> sanitytest: Use set for tracking used functions
> sanitytest: Use str.startswith() instead of str[0]
> generator: Generate PEP 484 type annotation
> override: Catch type error
> generator: Special handling for virStoragePool.listAllVolumes
> generator: Merge code for __init__ genration
> generator: Use empty string instead of None
> generator: break lines in generated code
> generator: Expand tuple to names in for loop
> generator: Work around type change
> generator: use pointer wrapper for all objects
> examples: Add/fix PEP 484 type annotation
--
2.20.1
4 years, 10 months
[PATCH for 6.6.0] news: Document recent CVE fix
by Michal Privoznik
Document the fix of leaking /dev/mapper/control to QEMU (fixed in
v6.6.0-rc1-3-g2249455654).
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
NEWS.rst | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index ff977968c7..8b53d21b8a 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -33,6 +33,13 @@ v6.6.0 (unreleased)
* **Bug fixes**
+ * virdevmapper: Don't use libdevmapper to obtain dependencies
+
+ When building domain's private ``/dev`` in a namespace, libdevmapper was
+ consulted for getting full dependency tree of domain's disks. However, this
+ meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
+ and was leaked to QEMU. CVE-2020-14339
+
v6.5.0 (2020-07-03)
===================
--
2.26.2
4 years, 10 months
[PATCH] migration: fix xml file residual during vm crash with migration
by Chuan Zheng
From: Zheng Chuan <zhengchuan(a)huawei.com>
when migration is cancelled (such as kill -9 vmpid in Src, etc), it could
do virDomainSaveStatus() to save xml file after qemuProcessStop(), which results
in xml residulal.
Fix it by that do not do virDomainSaveStatus() if vm is not active.
Signed-off-by: Zheng Chuan <zhengchuan(a)huawei.com>
---
src/qemu/qemu_migration.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 2c7bf34..d2804ab 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -3073,6 +3073,9 @@ qemuMigrationSrcConfirmPhase(virQEMUDriverPtr driver,
qemuMigrationParamsReset(driver, vm, QEMU_ASYNC_JOB_MIGRATION_OUT,
jobPriv->migParams, priv->job.apiFlags);
+ if (!virDomainObjIsActive(vm))
+ goto done;
+
if (virDomainObjSave(vm, driver->xmlopt, cfg->stateDir) < 0)
VIR_WARN("Failed to save status on vm %s", vm->def->name);
}
--
1.8.3.1
4 years, 10 months
[PATCH] examples: Use event loop impl in events.stp
by Han Han
Update the events stap example because the event loop impl is replaced by
GLib based event loop impl after commit 55fe8110.
Signed-off-by: Han Han <hhan(a)redhat.com>
---
examples/systemtap/events.stp | 26 ++++++++------------------
1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/examples/systemtap/events.stp b/examples/systemtap/events.stp
index fd4fe4664d..016e2ca048 100644
--- a/examples/systemtap/events.stp
+++ b/examples/systemtap/events.stp
@@ -89,44 +89,34 @@ probe begin {
print_ts("begin");
}
-probe libvirt.event_poll.add_handle {
+probe libvirt.event_glib.add_handle {
print_ts(sprintf("%d + handle %d %d %d", pid(), watch, fd, events));
}
-probe libvirt.event_poll.remove_handle {
+probe libvirt.event_glib.remove_handle {
print_ts(sprintf("%d - handle %d", pid(), watch));
}
-probe libvirt.event_poll.update_handle {
+probe libvirt.event_glib.update_handle {
if (showUpdates)
print_ts(sprintf("%d * handle %d %d", pid(), watch, events));
}
-probe libvirt.event_poll.purge_handle {
- print_ts(sprintf("%d ! handle %d", pid(), watch));
-}
-probe libvirt.event_poll.dispatch_handle {
+probe libvirt.event_glib.dispatch_handle {
if (showDispatch)
print_ts(sprintf("%d > handle %d %d", pid(), watch, events));
}
-probe libvirt.event_poll.add_timeout {
+probe libvirt.event_glib.add_timeout {
print_ts(sprintf("%d + timeout %d %d", pid(), timer, frequency));
}
-probe libvirt.event_poll.remove_timeout {
+probe libvirt.event_glib.remove_timeout {
print_ts(sprintf("%d - timeout %d", pid(), timer));
}
-probe libvirt.event_poll.update_timeout {
+probe libvirt.event_glib.update_timeout {
if (showUpdates)
print_ts(sprintf("%d * timeout %d %d", pid(), timer, frequency));
}
-probe libvirt.event_poll.purge_timeout {
- print_ts(sprintf("%d ! timeout %d", pid(), timer));
-}
-probe libvirt.event_poll.dispatch_timeout {
+probe libvirt.event_glib.dispatch_timeout {
if (showDispatch)
print_ts(sprintf("%d > timeout %d", pid(), timer));
}
-probe libvirt.event_poll.run {
- if (showIter)
- print_ts(sprintf("%d ~ %d %d", pid(), nfds, timeout));
-}
--
2.27.0
4 years, 10 months
[PATCH 0/2] qemu: support shmem device migration
by Wang Xin
Shmem device support property role with 'master'(master=on) or
'peer'(master=off, default mode), which controls to copy the
shared memory on migration to the destination host or not. see
https://git.qemu.org/?p=qemu.git;a=blob_plain;f=docs/system/ivshmem.rst;h...
The 1st patch add attribute 'role', it based on Martin's old patch
https://www.redhat.com/archives/libvir-list/2016-September/msg00536.html
The 2nd patch remove shmem name check in migraiton, which
allows user change shared memory path on destination host.
v3 -> v2:
1. Correct description of shmem ���role��� attribute. If there is any
mistake in the description, please show me. Sorry for my poor
English :)
2. Remove the inappropriate suggestion in migration log.
3. allow shmem name change in migration, instead add a new
'mem-path' attribute.
v2 -> v1:
Fix ivshmem testcases failure.
Wang Xin (2):
qemu: add support for shmem-{plain, doorbell} role
conf: allow shmem name change in migration
docs/formatdomain.html.in | 13 ++++++-
docs/schemas/domaincommon.rng | 8 ++++
src/conf/domain_conf.c | 37 +++++++++++++++++--
src/conf/domain_conf.h | 10 +++++
src/libvirt_private.syms | 2 +
src/qemu/qemu_command.c | 17 ++++++++-
src/qemu/qemu_migration.c | 20 ++++++++--
.../qemuhotplug-ivshmem-plain-detach.xml | 2 +-
.../qemuhotplug-ivshmem-plain.xml | 2 +-
...qemuhotplug-base-live+ivshmem-doorbell.xml | 2 +-
.../qemuhotplug-base-live+ivshmem-plain.xml | 2 +-
.../shmem-plain-doorbell.args | 6 ++-
.../qemuxml2argvdata/shmem-plain-doorbell.xml | 4 +-
.../shmem-plain-doorbell.xml | 4 +-
tests/qemuxml2xmltest.c | 3 +-
15 files changed, 110 insertions(+), 22 deletions(-)
--
2.23.0
4 years, 10 months
