Based on Coverity's finding on the previous patch, I audited
gnulib's pipe2 code and found that we had the potential for
a subtle double-close bug, unless gnulib guarantees that the
contents of the fd array are unchanged on pipe2() failure.
* .gnulib: Update to latest, for pipe2 fix.
Detected by Coverity. Both are instances of bad things happening
if pipe2 fails; the virNetClientNew failure could free garbage,
and virNetSocketNewConnectCommand could close random fds.
Note: POSIX doesn't guarantee the contents of fd[0] and fd[1]
after pipe failure: http://austingroupbugs.net/view.php?id=467
We may need to introduce a virPipe2 wrapper that guarantees
that on pipe failure, the fds are explicitly set to -1, rather
than our current state of assuming the fds are unchanged from
their value prior to the failed pipe call.
* src/rpc/virnetclient.c (virNetClientNew): Initialize variable.
* src/rpc/virnetsocket.c (virNetSocketNewConnectCommand):
Likewise.
Detected by Coverity. info.nrVirtCpu is unsigned short, but if
cpumaplen is int, then the product of the two in vshMalloc risks
unintended sign extension. cmdVcpuinfo had already solved this
by using size_t cpumaplen.
* tools/virsh.c (cmdVcpuPin): Use correct type.
The virDomainMigratePrepareTunnel3 impl in the remote driver
was using the procedure number for the virDomainMigratePrepareTunnel
method. This doesn't work out so well, because it makes the server
ignore & drop all stream packets
* src/remote/remote_driver.c: Fix procedure for PrepareTunnel3
We ignore any stream data packets which come in for streams which
are not registered, since these packets are async and do not have
a reply. If we get a stream control packet though we must send back
an actual error, otherwise a (broken) client may hang forever
making it hard to diagnose the client bug.
* src/rpc/virnetserverprogram.c: Send back error for unexpected
stream control messages
If a message packet for a invalid stream is received it is just
free'd. This is not good because it doesn't let the client RPC
request counter decrement. If a stream is shutdown with pending
packets the message also isn't released properly because of an
incorrect header type
* daemon/stream.c: Fix message header type
* src/rpc/virnetserverprogram.c: Send dummy reply instead of
free'ing ignored stream message
While investigating some memory leaks it was unclear whether the
JSON code correctly free'd all memory during parsing. Add a test
case which can be run under valgrind to clearly demonstrate that
the parser is leak free.
* tests/Makefile.am: Add 'jsontest'
* tests/jsontest.c: A few simple JSON parsing tests
The qemudDomainSaveFlag method will call EndJob on the 'vm'
object it is passed in. This can result in the 'vm' object
being free'd if the last reference is removed. Thus no caller
of 'qemudDomainSaveFlag' must *ever* reference 'vm' again
upon return.
Unfortunately qemudDomainSave and qemuDomainManagedSave
both call 'virDomainObjUnlock', which can result in a
crash. This is non-deterministic since it involves a race
with the monitor I/O thread.
Fix this by making qemudDomainSaveFlag responsible for
calling virDomainObjUnlock instead.
* src/qemu/qemu_driver.c: Fix potential use after free
when saving guests
The 'char control[CMSG_SPACE(sizeof(int))];' was not being
wiped, so could potentially contain uninitialized bytes.
While this was harmless in this case, it caused complaints
from valgrind
* src/qemu/qemu_monitor.c: memset 'control' variable
in qemuMonitorIOWriteWithFD
The event handler functions do not free the virJSONValuePtr
object. Every event received from a VM thus caused a memory
leak
* src/qemu/qemu_monitor_json.c: Fix leak of event object
The 'function' field in the PCI address was not correctly
initialized, so it was building the wrong address address
string and so not removing all functions from the in use
list.
* src/qemu/qemu_command.c: Fix initialization of PCI function
When adding a callback to an FD stream, we take an extra reference
on the virStreamPtr instance. We forgot to registered a free function
with the callback, so when the callback was removed, the extra
reference held on virStreamPtr was not released.
* src/fdstream.c: Use a free callback to release reference on
virStreamPtr when removing callback
The stream code was reusing a stream message object before
it was removed from the linked list of filtered messages.
This caused any later queued messages to be completely lost.
* daemon/stream.c: Delay reuse of stream message until
after it is removed from the queue
To save on memory reallocation, virNetMessage instances that
have been transmitted, may be reused for a subsequent incoming
message. We forgot to clear out the old data of the message
fully, which caused later confusion upon read.
* src/rpc/virnetserverclient.c: memset entire message before
reusing it
The virNetServerClient object had a hardcoded limit of 10 requests
per client. Extend constructor to allow it to be passed in as a
configurable variable. Wire this up to the 'max_client_requests'
config parameter in libvirtd
* daemon/libvirtd.c: Pass max_client_requests into services
* src/rpc/virnetserverservice.c, src/rpc/virnetserverservice.h: Pass
nrequests_client_max to clients
* src/rpc/virnetserverclient.c, src/rpc/virnetserverclient.h: Allow
configurable request limit
If we pass VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG to
qemuGetSchedulerParametersFlags() or *nparams is less than 1,
we will unlock qemu_driver without locking it. It's very dangerous.
We should lock qemu_driver after calling virCheckFlags().
virDomainVcpuPinDefFree() does not free def->cputune.vcpupin if nvcpupin
is 0, and does not set def->cputune.vcpupin to NULL.
If we set nvcpupin to 0 but do not free vcpupin, vcpupin will not be freed
when vm->def is freed.
Use VIR_FREE() instead of virDomainVcpuPinDefFree() to free the memory
and set def->cputune.vcpupint to NULL.
virt-sanlock-cleanup.8 has static contents (no dependency on
configure), but is generated by pod2man (a perl dependency that
maintainers must have, but which ordinary tarball users need
not have). Therefore, ensure that it is always part of the
tarball, even though it is only conditionally installed.
This is similar to commit 6db98a2d4b, but made simpler by the fact
that the .8 page is static content.
* tools/Makefile.am (EXTRA_DIST): Add virt-sanlock-cleanup.8.
When the remote client receives end of file on the stream
it never invokes the stream callback. Applications relying
on async event driven I/O will thus never see the EOF
condition on the stream
* src/rpc/virnetclient.c, src/rpc/virnetclientstream.c:
Ensure EOF is dispatched
The client stream object can be used independently of the
virNetClientPtr object, so must have full locking of its
own and not rely on any caller.
* src/remote/remote_driver.c: Remove locking around stream
callback
* src/rpc/virnetclientstream.c: Add locking to all APIs
and callbacks
When a filter steals an RPC message, that message must
not be freed, except by the filter code itself
* src/rpc/virnetserverclient.c: Don't free stolen RPC
messages
Improve log messages issued when encountering a bogus
message length to include the actual length and the
limit violated
* src/rpc/virnetmessage.c: Improve log messages
On stream completion it is neccessary to send back a
message with an empty payload. The message header was
not being filled out correctly, since we were not writing
any payload. Add a method for encoding an empty payload
which updates the message headers correctly.
* src/rpc/virnetmessage.c, src/rpc/virnetmessage.h: Add
a virNetMessageEncodePayloadEmpty method
* src/rpc/virnetserverprogram.c: Write empty payload on
stream completion
The RPC client treats failure to register a socket watch
as non-fatal, since we do not mandate that a libvirt client
application provide an event loop implementation. It is
thus inappropriate to a log a message at VIR_LOG_WARN
* src/rpc/virnetsocket.c: Lower logging level
If a streams error is raised, virNetClientIOEventLoop
returns 0, but an error is set. Check for this and
propagate it if present
* src/rpc/virnetclient.c: Propagate streams error
If a callback being invoked from a stream issues a virStreamAbort
operation, the stream data will be free'd but the callback will
then still try to use this. Delay free'ing of the stream data when
a callback is dispatching
* src/fdstream.c: Delay stream free when callback is active
Although we create a temporary file, it is owned by root:root and have
rights 0600. In case qemu does not run under root, it is unable to write
to that file and thus we transfer 0B sized file.
addnhostsSave and hostsfileSave expect < 0 return value on error from
addnhostsWrite and hostsfileWrite but then pass err instead of -err
to virReportSystemError that expects an errno value.
Also addnhostsWrite returns -ENOMEM and errno, change this to -errno.
addnhostsWrite and hostsfileWrite tried to unlink the tempfile after
renaming it, making both fail on the final step. Remove the unnecessary
unlink calls.
networkSaveDnsmasqHostsfile was added in 8fa9c22142 (Apr 2010).
It has a force flag. If the dnsmasq hostsfile already exists force
needs to be true to overwrite it. networkBuildDnsmasqArgv sets force
to false, networkDefine sets it to true. This results in the
hostsfile being written only in networkDefine in the common case.
If no error occurred networkSaveDnsmasqHostsfile returns true and
networkBuildDnsmasqArgv adds the --dhcp-hostsfile to the dnsmasq
command line.
networkSaveDnsmasqHostsfile was changed in 89ae9849f7 (24 Jun 2011)
to return a new dnsmasqContext instead of reusing one. This change broke
the logic of the force flag as now networkSaveDnsmasqHostsfile returns
NULL on error, but the early return -- if force was not set and the
hostsfile exists -- returns 0. This turned the early return in an error
case and networkBuildDnsmasqArgv didn't add the --dhcp-hostsfile option
anymore if the hostsfile already exists. It did because networkDefine
created the hostsfile already.
Then 9d4e2845d4 fixed the return 0 case in networkSaveDnsmasqHostsfile
but didn't apply the force option correctly to the new addnhosts file.
Now force doesn't control an early return anymore, but influences the
handling of the hostsfile context creation and dnsmasqSave is always
called now. This commit also added test cases that reveal several
problems. First, the tests now calls functions that try to write the
dnsmasq config files to disk. If someone runs this tests as root this
might overwrite actively used dnsmasq config files, this is a no-go. Also
the tests depend on configure --localstatedir, this needs to be fixed as
well, because it makes the tests fail when localstatedir is different
from /var.
This patch does several things to fix this:
1) Move dnsmasqContext creation and saving out of networkBuildDnsmasqArgv
to the caller to separate the command line generation from the config
file writing. This makes the command line generation testable without the
risk of interfering with system files, because the tests just don't call
dnsmasqSave.
2) This refactoring of networkSaveDnsmasqHostsfile makes the force flag
useless as the saving happens somewhere else now. This fixes the wrong
usage of the force flag in combination with then newly added addnhosts
file by removing the force flag.
3) Adapt the wrong test cases to the correct behavior, by adding the
missing --dhcp-hostsfile option. Both affected tests contain DHCP host
elements but missed the necessary --dhcp-hostsfile option.
4) Rename networkSaveDnsmasqHostsfile to networkBuildDnsmasqHostsfile,
because it doesn't save the dnsmasqContext anymore.
5) Move all directory creations in dnsmasq context handling code from
the *New functions to dnsmasqSave to avoid directory creations in system
paths in the test cases.
6) Now that networkBuildDnsmasqArgv doesn't create the dnsmasqContext
anymore the test case can create one with the localstatedir that is
expected by the tests instead of the configure --localstatedir given one.
Version 1.3 of <sys/sdt.h> uses this macro
#define STAP_CAST(t) (size_t)t
that breaks like this if t is a function
remote.c:1775: error: cast from function call of type 'const char *'
to non-matching type 'long unsigned int' [-Wbad-function-cast]
For that to work it should probably look like this
#define STAP_CAST(t) ((size_t)(t))
In systemtap 1.4 this was completely rewritten.
Anyway, before commit df0b57a95a t was always a variable, but now
also a function is used here, namely virNetSASLSessionGetIdentity.
Use an intermediate variable to avoid this problem.
./autobuild.sh died on several messages resembling:
../../src/rpc/virnetsocket.c: In function 'virNetSocketNewListenTCP':
../../src/rpc/virnetsocket.c:231:9: error: implicit declaration of function 'bind_used_without_requesting_gnulib_module_bind' [-Wimplicit-function-declaration]
../../src/rpc/virnetsocket.c:231:9: error: nested extern declaration of 'bind_used_without_requesting_gnulib_module_bind' [-Wnested-externs]
Basically, gnulib socket fds are not safe to pass to mingw socket
functions unless we pull in those gnulib modules.
* bootstrap.conf (gnulib_modules): Add modules to handle socket
functions on mingw.
Detected by gcc -O2, introduced in commit 532ce9c2. If dmidecode
outputs a field unrecognized by the parsers, then the code would
dereference an uninitialized eol variable.
* src/util/sysinfo.c (virSysinfoParseBIOS)
(virSysinfoParseSystem, virSysinfoParseProcessor)
(virSysinfoParseMemory): Avoid uninitialized variable.
The last patch was incomplete. The translated strings merely
moved between generated file names, rather than disappearing.
* cfg.mk (generated_files): Update generated file names.
* po/POTFILES.in: Add remote_dispatch.h