Commit Graph

7590 Commits

Author SHA1 Message Date
Eric Blake
f17eeede1e daemon: plug memory leak
Detected by Coverity.  Commit ef21beda was incomplete; it solved
a leak one one path, but not on the other.

* daemon/libvirtd.c (qemudSetLogging): Avoid leak on success.
2011-06-08 05:30:57 -06:00
Eric Blake
d7814b21a2 build: break some long lines
As long as I was already touching the function...

* src/qemu/qemu_hotplug.c (qemuDomainChangeGraphics): Line wrap.
2011-06-08 05:30:56 -06:00
Eric Blake
ddc5b158d7 qemu: add missing break statement
Detected by Coverity.  Bug introduced in commit 9d73efd (v0.8.8).

* src/qemu/qemu_hotplug.c (qemuDomainChangeGraphics): Don't report
error on success.
2011-06-08 05:30:56 -06:00
Eric Blake
1eca8c3e8c build: silence coverity false positives
Coverity complained about these intentional fallthrough cases, but
not about other cases that were explicitly marked with nice comments.

For some reason, Coverity doesn't seem smart enough to parse the
up-front English comment in virsh about intentional fallthrough :)

* tools/virsh.c (cmdVolSize): Mark fallthrough in a more typical
fashion.
* src/conf/nwfilter_conf.c (virNWFilterRuleDefDetailsFormat)
(virNWFilterRuleDetailsParse): Mark explicit fallthrough.
2011-06-08 05:30:56 -06:00
Eric Blake
657ae229c8 esx: avoid dead code
Detected by Coverity.  The beginning of the function already filtered
out NULL objectContentList as invalid.  Further investigation shows:

esxVI_RetrieveProperties is generated and returns a list of objects
that match the given propertyFilterSpec.
esxVI_LookupObjectContentByType then tests whether the result
corresponds to the expected occurrence and reports an error otherwise.
This simplifies the callers of  esxVI_LookupObjectContentByType, but
due to the missing dereference the check was never performed because
the code thought that at least one item was obtained. NULL represents
an empty list. This is a potential segfault fix because callers of
esxVI_LookupObjectContentByType that specified "required" occurrence
assume *objectContentList to be non-NULL when
esxVI_LookupObjectContentByType succeeds.

* src/esx/esx_vi.c (esxVI_LookupObjectContentByType): Check
correct pointer.
2011-06-08 05:28:25 -06:00
Eric Blake
ba4983da47 secret: drop dead code
Detected by Coverity.  The only ways to get to the cleanup label
were by an early abort (list still unassigned) or after successfully
transferring list to dest, so there is no list to clean up.

* src/secret/secret_driver.c (loadSecrets): Kill dead code.
2011-06-08 05:28:20 -06:00
Eric Blake
4eb17d642e qemu: reorder checks for safety
Detected by Coverity.  All existing callers happen to be in
range, so this isn't too serious.

* src/qemu/qemu_cgroup.c (qemuCgroupControllerActive): Check
bounds before dereference.
2011-06-08 05:28:20 -06:00
Eric Blake
208a675688 uuid: annotate non-null requirements
Coverity already saw through a NULL dereference without these
annotations, and gcc is still too puny to do good NULL analysis.
But clang still benefits (and is easier to run than coverity),
not to mention that adding this bit of documentation to the code
may help future developers remember the constraints.

* src/util/uuid.h (virGetHostUUID, virUUIDFormat): Document
restrictions, for improved static analysis.
2011-06-08 05:28:20 -06:00
Eric Blake
2ed0c94dbc debug: avoid null dereference on uuid lookup api
Detected by Coverity.  Commit a98d8f0d tried to make uuid debugging
more robust, but missed some APIs.  And on the APIs that it visited,
the mere act of preparing the debug message ends up dereferencing
uuid prior to the null check.  Which means the APIs which are supposed
to gracefully reject NULL arguments now end up with SIGSEGV.

* src/libvirt.c (VIR_UUID_DEBUG): New macro.
(virDomainLookupByUUID, virDomainLookupByUUIDString)
(virNetworkLookupByUUID, virNetworkLookupByUUIDString)
(virStoragePoolLookupByUUID, virStoragePoolLookupByUUIDString)
(virSecretLookupByUUID, virSecretLookupByUUIDString)
(virNWFilterLookupByUUID, virNWFilterLookupByUUIDString): Avoid
null dereference.
2011-06-08 05:28:20 -06:00
Eric Blake
f73198df3b python: avoid unlikely sign extension bug
Detected by Coverity.  cpumap was allocated with a value of
(unsigned short)*(int), which is an int computation, and then
promotes to size_t.  On a 64-bit platform, this fails if bit
32 of the product is set (because of sign extension giving
a HUGE value to malloc), even though a naive programmer would
assume that since the first value is unsigned, the product
is also unsigned and at most 4GB would be allocated.

Won't bite in practice (the product should never be that large),
but worth using the right types to begin with, so that we are
now computing (unsigned short)*(size_t).

* python/libvirt-override.c (libvirt_virDomainGetVcpus): Use
correct type.
2011-06-08 05:28:20 -06:00
Eric Blake
f876c30cfe build: silence coverity false positive
Similar in nature to commit fd21ecfd, which shut up valgrind.

sigaction is apparently a nasty interface for analyzer tools,
at least for how many false positives it generates.

* src/util/command.c (virExecWithHook): Initialize entire var, since
coverity gripes about the (unused and non-standard) sa_restorer.
2011-06-08 05:23:00 -06:00
Eric Blake
54456cc0fd storage: avoid mishandling backing store > 2GB
Detected by Coverity.  The code was doing math on shifted unsigned
char (which promotes to int), then promoting that to unsigned long
during assignment to size.  On 64-bit platforms, this risks sign
extending values of size > 2GiB.  Bug present since commit
489fd3 (v0.6.0).

I'm not sure if a specially-crafted bogus qcow2 image could
exploit this, although it's probably not possible, since we
were already checking for the computed results being within
range of our fixed-size buffer.

* src/util/storage_file.c (qcowXGetBackingStore): Avoid sign
extension.
2011-06-08 05:18:46 -06:00
Eric Blake
28ea3bf31c build: detect Coverity 5.3.0
Coverity 5.3.0 still outputs lots of COVERITY_* variables, but no
longer modifies COVERITY_BUILD_COMMAND in the environment.  Pick
one that seems likely to stay around.

* configure.ac (STATIC_ANALYSIS): Detect newer Coverity.
2011-06-08 04:47:05 -06:00
Osier Yang
31967cff04 build: Fix typos in configure.ac 2011-06-08 15:07:24 +08:00
Osier Yang
b73f1f8d5c virsh: Expose virDomainMigrateSetMaxSpeed API to virsh
API virDomainMigrateSetMaxSpeed was introduced since 0.9.0, but
no command in virsh yet.
2011-06-08 10:40:57 +08:00
Cole Robinson
f9e8d6a065 lxc: Ensure container <init> actually exists
Since we can't really get useful error reporting from virCommandExec since
it needs to be the last thing we do.
2011-06-07 14:38:54 -04:00
Cole Robinson
4fb706a5a7 lxc: Verify root fs exists before mounting
Otherwise the following virFileMakePath will create the directory for
us and fail further ahead, which probably isn't intended.
2011-06-07 14:38:54 -04:00
Cole Robinson
a7e2dd1c32 lxc: controller: Improve container error reporting
Add a handshake with the cloned container process to try and detect
if it fails to start.
2011-06-07 14:38:54 -04:00
Cole Robinson
965a957ccc lxc: Improve guest startup error reporting
Add a simple handshake with the lxc_controller process so we can detect
process startup failures. We do this by adding a new --handshake cli arg
to lxc_controller for passing a file descriptor. If the process fails to
launch, we scrape all output from the logfile and report it to the user.
2011-06-07 14:38:39 -04:00
Cole Robinson
af1e180f48 lxc: Refactor controller command building
Arranges things similar to the qemu driver. Will allow us to more easily
report command error output.
2011-06-07 14:36:38 -04:00
Cole Robinson
6973594ca8 lxc: Don't report error in Wait/SendContinue
We will reuse these shortly, and each use should have a different error
message.
2011-06-07 14:32:03 -04:00
Cole Robinson
eee1763c8c lxc: Drop container stdio as late as possible
Makes it more likely we get useful error output in the logs
2011-06-07 14:32:03 -04:00
Cole Robinson
02e86910e2 Move virRun, virExec*, virFork to util/command
Seems reasonable to have all command wrappers in the same place

v2:
    Dont move SetInherit

v3:
    Comment spelling fix
    Adjust WARN0 comment
    Remove spurious #include movement
    Don't include sys/types.h
    Combine virExec enums

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2011-06-07 14:06:11 -04:00
Cole Robinson
3c269b51a6 util: Implement virRun as a wrapper around virCommand
v2:
    Simplify command building
    Handle command building failure

v3:
    Remove unneeded NULL check

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2011-06-07 11:24:52 -04:00
Cole Robinson
d886ed9597 util: Remove unused virExec wrapper
v3:
    Remove obsolete comment

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2011-06-07 11:12:58 -04:00
Cole Robinson
1ba75cf9aa qemu: Convert virExec usage to virCommand
v2:
    Have virCommand cleanup intermediate process for us

v3:
    Preserve original FD closing behavior

Signed-off-by: Cole Robinson <crobinso@redhat.com>
2011-06-07 11:11:02 -04:00
Matthias Bolte
0068b58c71 esx: Remove duplicated invalid-argument checks
Those checks are already performed at the public API level.
2011-06-07 15:21:47 +02:00
Osier Yang
99c8a5c8af docs: Add doc for video element
For backwards compatibility, if no <video> is set but there is a
<graphics> tag, then we add a default <video> according to the
guest type. Add docs to tell the user about this to not make
them confused. Especially if they remove the video (such as via
"virsh edit"), it will be surprised for them to see the video
element is still in domain XML.
2011-06-07 16:56:06 +08:00
Osier Yang
ebf6b11ac1 Use VIR_USE_CPU instead of new wheel 2011-06-07 16:51:51 +08:00
Matthias Bolte
b10bca09f9 Avoid virGetVersion failure on specific driver support configurations
virGetVersion itself doesn't take a virConnectPtr, but in order to obtain
the hypervisor version against which libvirt was compiled it is used in
combination with virConnectGetType like this:

hvType = virConnectGetType(conn)
virGetVersion(&libVer, hvType, &typeVer)

When virConnectGetType is called on a remote connection then the remote
driver returns the type of the underlying driver on the server side, for
example QEMU. Then virGetVersion compares hvType to a set of strings that
depend on configure options and returns LIBVIR_VERSION_NUMBER in most
cases. Now this fails in case libvirt on the client side is just compiled
with the remote driver enabled only and the server side has the actual
driver such as the QEMU driver. It just happens to work when the actual
driver is enabled on client and server side. But that's not always true.
I noticed this on FreeBSD:

freebsd# virsh -c qemu+tcp://192.168.178.22/system version
Compiled against library: libvir 0.9.2
error: failed to get the library version
error: this function is not supported by the connection driver: virGetVersion

This is not FreeBSD specific, happens on Windows as well due to the
similar driver support configuration. The problem is that virConnectGetType
returns QEMU, but virGetVersion on the client side only accepts Remote
as hvType due to all other drivers being disabled on the client side.

Daniel P. Berrange suggested to get rid of all the conditional code in
virGetVersion, ignoring the hvType and always setting typeVer to
LIBVIR_VERSION_NUMBER. virConnectGetVersion is supposed to be used to
obtain the hypervisor version.
2011-06-07 09:41:35 +02:00
Matthias Bolte
4bf1f33b7e docs: Make hvsupport.pl pick up the host device drivers
Annotate the ESX device driver dummy.

Refactor the udev and hal device driver strcuts to match the
common annotation pattern.
2011-06-06 10:45:59 +02:00
Daniel Veillard
2c5ded6e82 Release of libvirt-0.9.2
* configure.ac docs/news.html.in libvirt.spec.in: update for release
* po/*.po*: updated translations and regenerated
2011-06-06 11:46:37 +08:00
Matthias Bolte
33cb519417 esx: Fix driver method version annotations
Change the driver comments for proper extraction and values by
the scripts used for documentation
2011-06-06 11:08:06 +08:00
Daniel P. Berrange
3e87a3901a Fix QEMU p2p v2 migration when run from a v3 client
When peer-2-peer migration was invoked by a client supporting
v3, but where the target server only supported v2, we'd not
correctly shutdown the guest.

* src/qemu/qemu_migration.c: Ensure guest is shutdown in
  v2 peer 2 peer migration
2011-06-06 11:05:34 +08:00
Matthias Bolte
cc79a4c52e vbox: Fix typo in error message 2011-06-04 22:41:49 +02:00
Daniel P. Berrange
a50f5f6faa Don't raise an error if the migration cookie is NULL
The v2 migration protocol doesn't use cookies, so we should not
be raising an error if the cookie parameters are NULL.

* src/qemu/qemu_migration.c: Don't raise error if cookie is NULL
2011-06-04 07:26:32 -04:00
Daniel P. Berrange
a018c0b910 Fix check of virKillProcess return status
The error code for virKillProcess is returned in the errno variable
not the return value. THis mistake caused the logs to be filled with
errors when shutting down QEMU processes

* src/qemu/qemu_process.c: Fix process kill check.
2011-06-04 07:26:07 -04:00
Matthias Bolte
eb2664cbe6 vbox: Fix version extraction on Windows for newer VirtualBox versions
VirtualBox 4.0.8 changed the registry key layout. Before the version
number was in a Version key. Now the Version key contains %VER% and
the actual version number is in VersionExt now.

Move value lookup code into its own function: vboxLookupRegistryValue.
2011-06-04 10:50:36 +02:00
Eric Blake
33d90bafe7 API: consolidate common unreleased enums
This commit is safe precisely because there has been no release
for any of the enum values being deleted (they were added post-0.9.1).

After the 0.9.2 release, we can then take advantage of
virDomainModificationImpact in more places.

* include/libvirt/libvirt.h.in (virDomainModificationImpact): New
enum.
(virDomainSchedParameterFlags, virMemoryParamFlags): Delete, since
these were never released, and the new enum works fine here.
* src/libvirt.c	(virDomainGetMemoryParameters)
(virDomainSetMemoryParameters)
(virDomainGetSchedulerParametersFlags)
(virDomainSetSchedulerParametersFlags): Update documentation.
* src/qemu/qemu_driver.c (qemuDomainSetMemoryParameters)
(qemuDomainGetMemoryParameters, qemuSetSchedulerParametersFlags)
(qemuSetSchedulerParameters, qemuGetSchedulerParametersFlags)
(qemuGetSchedulerParameters): Adjust clients.
* tools/virsh.c (cmdSchedinfo, cmdMemtune): Likewise.
Based on ideas by Daniel Veillard and Hu Tao.
2011-06-04 09:58:53 +02:00
Jiri Denemark
aeed51f775 qemu: Avoid use after free in qemuCaps parsing 2011-06-03 19:58:43 +02:00
Jiri Denemark
4e3a1c3021 virsh: Document nodeinfo output 2011-06-03 19:57:04 +02:00
Laine Stump
62ed801c13 security driver: ignore EINVAL when chowning an image file
This fixes:

  https://bugzilla.redhat.com/show_bug.cgi?id=702044
  https://bugzilla.redhat.com/show_bug.cgi?id=709454

Both of these complain of a failure to use an image file that resides
on a read-only NFS volume. The function in the DAC security driver
that chowns image files to the qemu user:group before using them
already has special cases to ignore failure of chown on read-only file
systems, and in a few other cases, but it hadn't been checking for
EINVAL, which is what is returned if the qemu user doesn't even exist
on the NFS server.

Since the explanation of EINVAL in the chown man page almost exactly
matches the log message already present for the case of EOPNOTSUPP,
I've just added EINVAL to that same conditional.
2011-06-03 12:27:05 -04:00
Matthias Bolte
6b5c589d84 Make dlopen usage in lock manager conditional
This fixes a build failure on MinGW, due to MinGW not supporting dlopen.
2011-06-03 16:46:09 +02:00
Neil Wilson
5b8d2e6d92 Correct 'cputune' documentation example.
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
2011-06-03 08:40:51 -06:00
Eric Blake
32ce66f5ea build: silence coverity false positive
Coverity couldn't see that priv is NULL on failure.  But on failure,
we might as well guarantee that callers don't try to free uninitialized
memory.

* src/remote/remote_driver.c (remoteGenericOpen): Even on failure,
pass priv back to caller.
2011-06-03 08:23:32 -06:00
Eric Blake
89e651fa76 build: silence coverity false positive
Coverity complained that infd could be -1 at the point where it is
passed to write, when in reality, this code can only be reached if
infd is non-negative.

* src/util/command.c (virCommandProcessIO): Help out coverity.
2011-06-03 08:23:29 -06:00
Eric Blake
d391661ae4 migrate: detect xml incompatibility
Detected by Coverity.  Bug introduced in 08106e2044 (unreleased).

* src/conf/domain_conf.c (virDomainChannelDefCheckABIStability):
Use correct sizeof operand.
2011-06-03 08:23:28 -06:00
Eric Blake
278a050a52 event: avoid memory leak on cleanup
Detected by Coverity.  Introduced in commit aaf2b70, and turned into
a regression in the next few commits through 4e6e6672 (unreleased).

* src/conf/domain_event.c (virDomainEventStateFree): Free object,
per documentation.
2011-06-03 08:11:43 -06:00
Eric Blake
2834d57175 qemu: avoid memory leak on vcpupin
Detected by Coverity.  This leaked a cpumap on every iteration
of the loop.  Leak introduced in commit 1cc4d02 (v0.9.0).

* src/qemu/qemu_process.c (qemuProcessSetVcpuAffinites): Plug
leak, and hoist allocation outside loop.
2011-06-03 08:11:43 -06:00
Eric Blake
c0e65ae5b2 remote: avoid leak on failure
Detected by Coverity.  Only possible in OOM situations.

* daemon/remote.c (remoteDispatchDomainScreenshot): Plug leak.
2011-06-03 08:11:43 -06:00