Coverity complained about these intentional fallthrough cases, but
not about other cases that were explicitly marked with nice comments.
For some reason, Coverity doesn't seem smart enough to parse the
up-front English comment in virsh about intentional fallthrough :)
* tools/virsh.c (cmdVolSize): Mark fallthrough in a more typical
fashion.
* src/conf/nwfilter_conf.c (virNWFilterRuleDefDetailsFormat)
(virNWFilterRuleDetailsParse): Mark explicit fallthrough.
Detected by Coverity. The beginning of the function already filtered
out NULL objectContentList as invalid. Further investigation shows:
esxVI_RetrieveProperties is generated and returns a list of objects
that match the given propertyFilterSpec.
esxVI_LookupObjectContentByType then tests whether the result
corresponds to the expected occurrence and reports an error otherwise.
This simplifies the callers of esxVI_LookupObjectContentByType, but
due to the missing dereference the check was never performed because
the code thought that at least one item was obtained. NULL represents
an empty list. This is a potential segfault fix because callers of
esxVI_LookupObjectContentByType that specified "required" occurrence
assume *objectContentList to be non-NULL when
esxVI_LookupObjectContentByType succeeds.
* src/esx/esx_vi.c (esxVI_LookupObjectContentByType): Check
correct pointer.
Detected by Coverity. The only ways to get to the cleanup label
were by an early abort (list still unassigned) or after successfully
transferring list to dest, so there is no list to clean up.
* src/secret/secret_driver.c (loadSecrets): Kill dead code.
Detected by Coverity. All existing callers happen to be in
range, so this isn't too serious.
* src/qemu/qemu_cgroup.c (qemuCgroupControllerActive): Check
bounds before dereference.
Coverity already saw through a NULL dereference without these
annotations, and gcc is still too puny to do good NULL analysis.
But clang still benefits (and is easier to run than coverity),
not to mention that adding this bit of documentation to the code
may help future developers remember the constraints.
* src/util/uuid.h (virGetHostUUID, virUUIDFormat): Document
restrictions, for improved static analysis.
Detected by Coverity. Commit a98d8f0d tried to make uuid debugging
more robust, but missed some APIs. And on the APIs that it visited,
the mere act of preparing the debug message ends up dereferencing
uuid prior to the null check. Which means the APIs which are supposed
to gracefully reject NULL arguments now end up with SIGSEGV.
* src/libvirt.c (VIR_UUID_DEBUG): New macro.
(virDomainLookupByUUID, virDomainLookupByUUIDString)
(virNetworkLookupByUUID, virNetworkLookupByUUIDString)
(virStoragePoolLookupByUUID, virStoragePoolLookupByUUIDString)
(virSecretLookupByUUID, virSecretLookupByUUIDString)
(virNWFilterLookupByUUID, virNWFilterLookupByUUIDString): Avoid
null dereference.
Similar in nature to commit fd21ecfd, which shut up valgrind.
sigaction is apparently a nasty interface for analyzer tools,
at least for how many false positives it generates.
* src/util/command.c (virExecWithHook): Initialize entire var, since
coverity gripes about the (unused and non-standard) sa_restorer.
Detected by Coverity. The code was doing math on shifted unsigned
char (which promotes to int), then promoting that to unsigned long
during assignment to size. On 64-bit platforms, this risks sign
extending values of size > 2GiB. Bug present since commit
489fd3 (v0.6.0).
I'm not sure if a specially-crafted bogus qcow2 image could
exploit this, although it's probably not possible, since we
were already checking for the computed results being within
range of our fixed-size buffer.
* src/util/storage_file.c (qcowXGetBackingStore): Avoid sign
extension.
Add a simple handshake with the lxc_controller process so we can detect
process startup failures. We do this by adding a new --handshake cli arg
to lxc_controller for passing a file descriptor. If the process fails to
launch, we scrape all output from the logfile and report it to the user.
Seems reasonable to have all command wrappers in the same place
v2:
Dont move SetInherit
v3:
Comment spelling fix
Adjust WARN0 comment
Remove spurious #include movement
Don't include sys/types.h
Combine virExec enums
Signed-off-by: Cole Robinson <crobinso@redhat.com>
virGetVersion itself doesn't take a virConnectPtr, but in order to obtain
the hypervisor version against which libvirt was compiled it is used in
combination with virConnectGetType like this:
hvType = virConnectGetType(conn)
virGetVersion(&libVer, hvType, &typeVer)
When virConnectGetType is called on a remote connection then the remote
driver returns the type of the underlying driver on the server side, for
example QEMU. Then virGetVersion compares hvType to a set of strings that
depend on configure options and returns LIBVIR_VERSION_NUMBER in most
cases. Now this fails in case libvirt on the client side is just compiled
with the remote driver enabled only and the server side has the actual
driver such as the QEMU driver. It just happens to work when the actual
driver is enabled on client and server side. But that's not always true.
I noticed this on FreeBSD:
freebsd# virsh -c qemu+tcp://192.168.178.22/system version
Compiled against library: libvir 0.9.2
error: failed to get the library version
error: this function is not supported by the connection driver: virGetVersion
This is not FreeBSD specific, happens on Windows as well due to the
similar driver support configuration. The problem is that virConnectGetType
returns QEMU, but virGetVersion on the client side only accepts Remote
as hvType due to all other drivers being disabled on the client side.
Daniel P. Berrange suggested to get rid of all the conditional code in
virGetVersion, ignoring the hvType and always setting typeVer to
LIBVIR_VERSION_NUMBER. virConnectGetVersion is supposed to be used to
obtain the hypervisor version.
When peer-2-peer migration was invoked by a client supporting
v3, but where the target server only supported v2, we'd not
correctly shutdown the guest.
* src/qemu/qemu_migration.c: Ensure guest is shutdown in
v2 peer 2 peer migration
The v2 migration protocol doesn't use cookies, so we should not
be raising an error if the cookie parameters are NULL.
* src/qemu/qemu_migration.c: Don't raise error if cookie is NULL
The error code for virKillProcess is returned in the errno variable
not the return value. THis mistake caused the logs to be filled with
errors when shutting down QEMU processes
* src/qemu/qemu_process.c: Fix process kill check.
VirtualBox 4.0.8 changed the registry key layout. Before the version
number was in a Version key. Now the Version key contains %VER% and
the actual version number is in VersionExt now.
Move value lookup code into its own function: vboxLookupRegistryValue.
This commit is safe precisely because there has been no release
for any of the enum values being deleted (they were added post-0.9.1).
After the 0.9.2 release, we can then take advantage of
virDomainModificationImpact in more places.
* include/libvirt/libvirt.h.in (virDomainModificationImpact): New
enum.
(virDomainSchedParameterFlags, virMemoryParamFlags): Delete, since
these were never released, and the new enum works fine here.
* src/libvirt.c (virDomainGetMemoryParameters)
(virDomainSetMemoryParameters)
(virDomainGetSchedulerParametersFlags)
(virDomainSetSchedulerParametersFlags): Update documentation.
* src/qemu/qemu_driver.c (qemuDomainSetMemoryParameters)
(qemuDomainGetMemoryParameters, qemuSetSchedulerParametersFlags)
(qemuSetSchedulerParameters, qemuGetSchedulerParametersFlags)
(qemuGetSchedulerParameters): Adjust clients.
* tools/virsh.c (cmdSchedinfo, cmdMemtune): Likewise.
Based on ideas by Daniel Veillard and Hu Tao.
This fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=702044https://bugzilla.redhat.com/show_bug.cgi?id=709454
Both of these complain of a failure to use an image file that resides
on a read-only NFS volume. The function in the DAC security driver
that chowns image files to the qemu user:group before using them
already has special cases to ignore failure of chown on read-only file
systems, and in a few other cases, but it hadn't been checking for
EINVAL, which is what is returned if the qemu user doesn't even exist
on the NFS server.
Since the explanation of EINVAL in the chown man page almost exactly
matches the log message already present for the case of EOPNOTSUPP,
I've just added EINVAL to that same conditional.
Coverity couldn't see that priv is NULL on failure. But on failure,
we might as well guarantee that callers don't try to free uninitialized
memory.
* src/remote/remote_driver.c (remoteGenericOpen): Even on failure,
pass priv back to caller.
Coverity complained that infd could be -1 at the point where it is
passed to write, when in reality, this code can only be reached if
infd is non-negative.
* src/util/command.c (virCommandProcessIO): Help out coverity.
Detected by Coverity. Bug introduced in 08106e2044 (unreleased).
* src/conf/domain_conf.c (virDomainChannelDefCheckABIStability):
Use correct sizeof operand.
Detected by Coverity. Introduced in commit aaf2b70, and turned into
a regression in the next few commits through 4e6e6672 (unreleased).
* src/conf/domain_event.c (virDomainEventStateFree): Free object,
per documentation.
Detected by Coverity. This leaked a cpumap on every iteration
of the loop. Leak introduced in commit 1cc4d02 (v0.9.0).
* src/qemu/qemu_process.c (qemuProcessSetVcpuAffinites): Plug
leak, and hoist allocation outside loop.
Spotted by coverity. Triggers on failed stat, although I'm not sure
how easy that condition is, so I'm not sure if this is a runtime
memory hog. Regression introduced in commit 8077d64 (unreleased).
* src/util/storage_file.c (virStorageFileGetMetadataFromFD):
Reduce need for malloc, avoiding a leak.
Coverity detected that options was being set by strdup but never
freed. But why even bother with an options variable? The options
parameter never changes! Leak present since commit 44948f5b (0.7.0).
This function could probably be rewritten to take better advantage
of virCommand, but that is more invasive.
* src/storage/storage_backend_fs.c
(virStorageBackendFileSystemMount): Avoid wasted strdup, and
guarantee proper cleanup on all paths.
Detected by Coverity. While it is possible on OOM condition, as
well as with bad code that passes binary == NULL, it is unlikely
to be encountered in the wild.
* src/util/command.c (virCommandNewArgList): Don't leak memory.
In v3 migration, once migration is completed, the VM needs
to be left in a paused state until after Finish3 has been
executed on the target. Only then will the VM be killed
off. When using non-JSON QEMU monitor though, we don't
receive any 'STOP' event from QEMU, so we need to manually
set our state offline & thus release lock manager leases.
It doesn't hurt to run this on the JSON case too, just in
case the event gets lost somehow
* src/qemu/qemu_migration.c: Explicitly set VM state to
paused when migration completes
The change 18c2a59206 caused
some regressions in behaviour of virDomainBlockStats
and virDomainBlockInfo in the QEMU driver.
The virDomainBlockInfo API stopped working for inactive
guests if querying a block device.
The virDomainBlockStats API did not promptly report
an error if the guest was not running in some cases.
* src/qemu/qemu_driver.c: Fix inactive guest handling
in BlockStats/Info APIs
The qemuAuditDisk calls in disk hotunplug operations were being
passed 'ret >= 0', but the code which sets ret to 0 was not yet
executed, and the error path had already jumped to the 'cleanup'
label. This meant hotunplug failures were never audited, and
hotunplug success was audited as a failure
* src/qemu/qemu_hotplug.c: Fix auditing of hotunplug
When virLockDriverAcquire is invoked during hotplug the state
parameter will be left as NULL.
* src/locking/lock_driver_nop.c,
src/locking/lock_driver_sanlock.c: Don't reference NULL state
parameter
Refactoring of the lock manager hotplug methods lost the
ret = 0 assignment for successful return path
* src/locking/domain_lock.c: Add missing ret = 0 assignments
Commit 4454a9efc7 introduced bad
behaviour on the VIR_EVENT_HANDLE_ERROR condition. This condition
is only hit when an invalid FD is used in poll() (typically due
to a double-close bug). The QEMU monitor code was treating this
condition as non-fatal, and thus libvirt would poll() in a fast
loop forever burning 100% CPU. VIR_EVENT_HANDLE_ERROR must be
handled in the same way as VIR_EVENT_HANDLE_HANGUP, killing the
QEMU instance.
* src/qemu/qemu_monitor.c: Treat VIR_EVENT_HANDLE_ERROR as EOF