Fix off-by-one error in udevListInterfacesByStatus
Ever since this function was introduced in 2012 it could've tried
filling in an extra interface name. That was made worse in 2019 when
the caller functions started accepting NULL arrays of size 0.
This is assigned CVE-2024-1441.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org> Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15 Reviewed-by: Ján Tomko <jtomko@redhat.com>
Boris Fiuczynski [Wed, 28 Feb 2024 18:46:08 +0000 (19:46 +0100)]
remote_protocol: Fix ACL on REMOTE_PROC_NODE_DEVICE_DEFINE_XML
Adding 'save' ACL to REMOTE_PROC_NODE_DEVICE_DEFINE_XML to make
REMOTE_PROC_NODE_DEVICE_UPDATE ACLs meaningful.
Fixes: 69f9e7dbc24657e85761f03574779540d0f18315 Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Michal Privoznik [Mon, 26 Feb 2024 11:42:09 +0000 (12:42 +0100)]
nodedevmdevctltest: Fix two memleaks
There are two memleaks inside of nodedevmdevctltest:
1) In the testCommandDryRunCallback() - when appending lines to
stdinbuf the pointer is overwritten without freeing the old
memory it pointed to.
2) In testMdevctlModify() the livecmd variable is reused and
since its marked as g_autoptr() the first use leaks.
Fixes: 582f27ff15f14fa0e913278c0a2ca9840c3f12f5 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Andrea Bolognani [Mon, 19 Feb 2024 10:33:45 +0000 (11:33 +0100)]
docs: Rewrite a few awkward sections
Address several oddities, and bring them in line with the style
used for the vast majority of our documentation. In a couple of
cases, some of the possible values for an attribute were listed
with :since: information matching that off the attribute itself,
making it redundant.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Mon, 19 Feb 2024 18:20:38 +0000 (19:20 +0100)]
docs: Fix a few weird :since: tags
These either mention libvirt explicitly, which is something
that we generally don't do, or lack the word "since", which
makes the resulting HTML awkward.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Mon, 19 Feb 2024 17:04:12 +0000 (18:04 +0100)]
docs: Remove unnecessary whitespace
It slipped in during the conversion to reStructuredText.
In one case, part of the preformatted text shouldn't have been
marked as such, so that's addressed too. A spurious opening
parenthesis is dropped as well.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Boris Fiuczynski [Thu, 22 Feb 2024 13:02:07 +0000 (14:02 +0100)]
nodedev: Implement virNodeDeviceUpdate
Implement the API functions in the node device driver by using mdevctl
modify with the options defined and live.
Instead of increasing the minimum mdevctl version to 1.3.0 in the spec
file to ensure support exists in mdevctl the support is dynamically
checked before using mdevctl.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Boris Fiuczynski [Thu, 22 Feb 2024 13:02:06 +0000 (14:02 +0100)]
api: add virNodeDeviceUpdate()
A public API method which allows to update or modify objects is
implemented for almost all other objects that have a concept of
persistent definition and activatability. Currently node devices of type
mdev can be persistent and active. This new method allows to update
defined and active node devices as well.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Boris Fiuczynski [Thu, 22 Feb 2024 13:02:04 +0000 (14:02 +0100)]
tools: add switches persistent and transient to nodedev-list
Now that we can filter persistent and transient node devices in
virConnectListAllNodeDevices(), add these switches also to the
virsh nodedev-list command.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Boris Fiuczynski [Thu, 22 Feb 2024 13:02:01 +0000 (14:02 +0100)]
nodedev: add an active config to mdev
The configuration of a defined mdev can be modified after the mdev is
started. The defined configuration and the active configuration can
therefore run out of sync. Handle this by storing the modifiable data
which is the mdev type and attributes in two separate active and
defined configurations. mdevctl supports with callout scripts to do an
attribute retrieval of started mdevs which is already implemented in
libvirt.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Boris Fiuczynski [Thu, 22 Feb 2024 13:01:58 +0000 (14:01 +0100)]
virmdev: prepare type and attributes for dual state
Create a new structure holding type and attributes as these are
modifiable in a persistent mdev configuration and run out of sync with
the active mdev configuration.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Vincent Vanlaer [Mon, 19 Feb 2024 22:24:02 +0000 (23:24 +0100)]
daemon: fix wrong request count for sparse stream
Similar to when actual data is being written to the stream, it is
necessary to acknowledge handling of the client request when a hole is
encountered. This is done later in daemonStreamHandleWrite by sending a
fake zero-length reply if the status variable is set to
VIR_STREAM_CONTINUE. It seems that setting status from the message
header was missed for holes in the introduction of the sparse stream
feature.
Signed-off-by: Vincent Vanlaer <libvirt-e6954efa@volkihar.be> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Tue, 20 Feb 2024 15:28:55 +0000 (16:28 +0100)]
qemuxmlconftest: Introduce memory-hotplug-nvdimm-overlap test case
This new test case checks whether we are handling NVDIMMs
correctly when checking for overlapping memory devices (see
previous commit). Without previous commit, this test case would
fail, yet it was produced in real life (at least the NVDIMM
part) and thus it is valid.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Michal Privoznik [Mon, 19 Feb 2024 14:37:16 +0000 (15:37 +0100)]
domain_validate: Account for NVDIMM label size properly when checking for memory conflicts
As of v9.8.0-rc1~7 we check whether two <memory/> devices don't
overlap (since we allow setting where a <memory/> device should
be mapped to). We do this pretty straightforward, by comparing
start and end address of each <memory/> device combination.
But since only the start address is given (an exposed in the
XML), the end address is computed trivially as:
start + mem->size * 1024
And for majority of memory device types this works. Except for
NVDIMMs. For them the <memory/> device consists of two separate
regions: 1) actual memory device, and 2) label.
Label is where NVDIMM stores some additional information like
namespaces partition and so on. But it's not mapped into the
guest the same way as actual memory device. In fact, mem->size is
a sum of both actual memory device and label sizes. And to make
things a bit worse, both sizes are subject to alignment (either
the alignsize value specified in XML, or system page size if not
specified in XML).
Therefore, to get the size of actual memory device we need to
take mem->size and substract label size rounded up to alignment.
If we don't do this we report there's an overlap between two
NVDIMMs even when in reality there's none.
Fixes: 3fd64fb0e236fc80ffa2cc977c0d471f11fc39bf Fixes: 91f9a9fb4fc0d34ed8d7a869de3d9f87687c3618
Resolves: https://issues.redhat.com/browse/RHEL-4452?focusedId=23805174#comment-23805174 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
ray [Wed, 21 Feb 2024 14:45:36 +0000 (06:45 -0800)]
qemu: Fix guest-sync response time in qga command
The current implementation sets the guest-sync timeout to the
smaller value between the default value (QEMU_AGENT_WAIT_TIME)
and agent->timeout, without considering the timeout passed
via the qga command.
This patch enhances the guest-sync timeout logic to use the
minimum value among the default value, agent->timeout, and
the timeout passed via the qga command.
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/590 Signed-off-by: ray <honglei.wang@smartx.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Mon, 19 Feb 2024 12:53:26 +0000 (13:53 +0100)]
qemuMigrationDstPrepareStorage: Reject migration into 'dir' and 'vhost-user' types
Migrating into a 'directory' won't ever work as we ask qemu to emulate a
fat filesystem, so restoring of the files won't be possible. Same for
'vhost-user' disks which don't support blockjobs as there's no block
backend used in qemu.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Thu, 8 Feb 2024 15:48:17 +0000 (16:48 +0100)]
qemuMigrationDstPrecreateDisk: Refactor cleanup
Automatically free helper variables, remove the 'cleanup' label and
use virBufferCurrentContent() to take the XML from the buffer rather
than extracting it to a separate variable.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Fri, 16 Feb 2024 15:40:20 +0000 (16:40 +0100)]
qemuMigrationDstPrepareStorage: Properly consider path for 'vdpa' devices
Allow storage migration of VDPA devices by properly checking that they
exist on the destionation. Pre-creation is not supported but if the
device exists the migration should be able to succeed.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Thu, 8 Feb 2024 15:48:25 +0000 (16:48 +0100)]
qemuMigrationDstPrepareStorage: Use 'switch' statement to include all storage types
Decrease the likelyhood that addition of a new storage type will be
forgotten.
This patch also unifies the type check to consult the 'actual' type of
the storage in both cases as the NVMe check looked for the XML declared
type while virStorageSourceIsLocalStorage() looks for the
actual/translated type.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Tim Wiederhake [Thu, 1 Feb 2024 20:51:01 +0000 (21:51 +0100)]
cpu_map: Rewrite feature sync script
Previously, the script would only detect differences between
libvirt's and qemu's list of x86 features, adding those features
to libvirt was a manual and error prone procedure.
Replace with a script that can generate libvirt's feature list
directly from qemu source code.
If not specified otherwise, "output" defaults to x86_features.xml
in the same directory as sync_qemu_features_i386.py. If a checkout
of the qemu source code resides next to the libvirt directory, it
will be found automatically and need not be specified.
Signed-off-by: Tim Wiederhake <twiederh@redhat.com> Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Laine Stump [Fri, 16 Feb 2024 17:43:59 +0000 (12:43 -0500)]
Set stubDriverName from hostdev driver model attribute during pci device setup
commit v9.10.0-129-g8b93d78c83 (first appearing in libvirt-10.0.0) was
supposed to allow forcing a PCI hostdev to be bound to a particular
driver by adding <driver model='blah'/> to the XML for the
device. Unfortunately, a single line was missed during the final
changes to the patch prior to pushing, and the result was that the
driver model could be set to *anything* and it would be accepted but
just ignored.
This patch adds the missing line, which will set the stubDriverName
field of the virPCIDevice object from the hostdev object as the
virPCIDevice is being created. This ends up being used by
virPCIDeviceBindToStub() as the driver that it binds the device to.
Fixes: 8b93d78c8325f1fba5db98848350f3db43f5e7d5 Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Adam Julis [Tue, 20 Feb 2024 09:31:34 +0000 (10:31 +0100)]
virsh-completer: modify and fix bug in virshPoolTypeCompleter, now used for more commands
Signed-off-by: Adam Julis <ajulis@redhat.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
We warned users before the meson times, so do like an S Club 7 and bring
it all back.
Add the information into a new section of the summary, because even
though using `warning()` looks better, it scrolls on by once the summary
is printed.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Andrea Bolognani [Fri, 16 Feb 2024 14:03:19 +0000 (15:03 +0100)]
syntax-check: Drop 'syntax-check' target
Our entry point for syntax-check rules is meson, which calls
to each of them specifically; additionally, we have the 'all'
target that warns users who try to use make directly.
The 'syntax-check' target is not used by anything, and in fact
it couldn't be even if one tried: its availability depends on
the $(_gl-Makefile) variable, which in our case is never
defined.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Andrea Bolognani [Fri, 16 Feb 2024 14:09:45 +0000 (15:09 +0100)]
syntax-check: Sync with gnulib
The most notable change is the new 'sc_unportable_grep_q' rule.
While importing it from gnulib, the rule has been tweaked
slightly by adding superflous quotes so that syntax-check.mk
itself doesn't trip it. This is similar to the tricks employed
for the 'sc_prohibit_close' and 'sc_copyright_usage' rules,
among many others.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Andrea Bolognani [Fri, 16 Feb 2024 14:15:55 +0000 (15:15 +0100)]
all: Don't use 'grep -q'
It's not portable.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Peter Krempa [Fri, 16 Feb 2024 08:40:59 +0000 (09:40 +0100)]
docs: domain: Fix iothread to virtqueue mapping example
Each queue can be referenced only once and queues are numbered starting
from 0. Modify the example to show a valid configuration of one
iothread servicing more queues.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Jiri Denemark [Thu, 8 Feb 2024 14:56:38 +0000 (15:56 +0100)]
qemu: Add support for /dev/userfaultfd
/dev/userfaultfd device is preferred over userfaultfd syscall for
post-copy migrations. Unless qemu driver is configured to disable mount
namespace or to forbid access to /dev/userfaultfd in cgroup_device_acl,
we will copy it to the limited /dev filesystem QEMU will have access to
and label it appropriately. So in the default configuration post-copy
migration will be allowed even without enabling
vm.unprivileged_userfaultfd sysctl.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Timothée Ravier [Fri, 2 Feb 2024 18:59:44 +0000 (18:59 +0000)]
qemu: Add sysusers config file for qemu & kvm user/groups
Install a systemd sysusers config file for the qemu & kvm user/groups.
We can not use the sysusers_create_compat macro in the RPM specfile to
create those users as we want to keep the specfile standalone and not
relying on additionnal files.
Update the specfile to make the commands closer to what is generated by
the current macro.
Based on previous work by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Timothée Ravier <tim@siosm.fr> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Our virSecret XML is still parsed and formatted using old way
(e.g. virXPathString() + virXXXTypeFromString() combo, or
formatting elements using plain virBufferAsprintf() instead of
virXMLFormatElement()). Modernize the code as it'll make it
easier for future expansion.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
When adding vtpm virSecret usage type (in v5.6.0-rc1~61) we
forgot to update polkit access check. This limited user's ability
to match secrets in their rules. Add missing case into switch in
virAccessDriverPolkitCheckSecret().
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Jonathon Jongsma [Thu, 25 Jan 2024 17:51:51 +0000 (11:51 -0600)]
qemu: handle adding/removing nbdkit-backed disk sources
Previously we were only starting or stopping nbdkit when the guest was
started or stopped or when hotplugging/unplugging a disk. But when doing
block operations, the disk backing store sources can also be be added or
removed independently of the disk device. When this happens the nbdkit
backend was not being handled properly. For example, when doing a
blockcopy from a nbdkit-backed disk to a new disk and pivoting to that
new location, the nbdkit process did not get cleaned up properly. Add
some functionality to qemuDomainStorageSourceAccessModify() to handle
this scenario.
Since we're now starting nbdkit from the ChainAccessAllow/Revoke()
functions, we no longer need to explicitly start nbdkit in hotplug code
paths because the hotplug functions already call these allow/revoke
functions and will start/stop nbdkit if necessary.
Add a check to qemuNbdkitProcessStart() to report an error if we
are trying to start nbdkit for a disk source that already has a running
nbdkit process. This shouldn't happen, and if it does it indicates an
error in another part of our code.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Jonathon Jongsma [Thu, 25 Jan 2024 20:02:16 +0000 (14:02 -0600)]
qemu: roll back if not all nbdkit backends are successful
When starting nbdkit processes for the backing store of a disk, we were
returning an error if any backing store failed, but we were not cleaning
up processes that succeeded higher in the chain. Make sure that if we
return a failure status from qemuNbdkitStartStorageSource() that we roll
back any processes that had been started.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Jonathon Jongsma [Thu, 25 Jan 2024 17:30:02 +0000 (11:30 -0600)]
qemu: add a 'chain' parameter to nbdkit start/stop
This will allow us to start or stop nbdkit for just a single disk source
or for every source in the backing chain. This will be used in following
patches.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
tests: Update capabilities for QEMU 8.1.0 on s390x
The existing capabilities were generated against a build made
quite early in the QEMU 8.1.0 development cycle. Update them
to match the final release.
A notable effect of this is that the recently introduced
s390-usb-model test now passes instead of failing: QEMU 8.1.0
enables several new devices on s390x, including the qemu-xhci
USB controller.
There's a small amount of additional churn caused by the fact
that the machine on which I have generated these capabilities
is apparently slightly less fancy than the one used originally.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Show what happens when trying to use a specific type of USB
controller. This currently fails because the QEMU binary doesn't
include the necessary device.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
These tests currently cover the scenarios in which the guest
can end up with no USB controller, one of which is specific
to s390x. We are going to add more USB on s390x scenarios, so
a different naming convention is needed.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Jonathon Jongsma [Fri, 26 Jan 2024 16:41:58 +0000 (10:41 -0600)]
qemu: fix nbdkit command test for backing chains
Previously this test only tested the generated nbdkit command for the
top level disk source. Update it to test the generated commmands for all
sources in the chain.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
I've seen examples in the wild of the cluster attribute having
non-zero value on x86_64.
This is obviously quite confusing, but it's the information that
Linux exposes to userspace and we don't really have a way to tell
apart a valid die/cluster ID from a dummy one.
What ultimately matters is that the underlying assumptions about
topology are respected, which they are: in the x86_64 cases that
I have analyzed, for example, each "cluster" contained exactly
one core, so any program that would use this information to
influence guest topology decisions would be unaffected by the
additional level showing up in the hierarchy.
In an attempt to reduce confusion, remove any reference to any
specific value for the attributes having any special meaning
attached to it.
In fact, since there are plans to make it possible to create
guests with multiple CPU clusters on x86_64, rework the note
into a more generic warning cautioning users that an attribute
showing up here does not imply that the same attribute can be
used when defining a guest CPU topology.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Wed, 7 Feb 2024 16:05:49 +0000 (17:05 +0100)]
docs: page.xsl: Split up 'href_base' for assets and links
To allow reuse of this template as-is in libvirt-wiki, we need to be
able to specify a distinct asset_href_base and link_href_base. Adjust
the template to allow that.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
projects / libvirt.git / log