virNetDevLinkDump() gets a message from netlink into "resp", then
calls nlmsg_parse() to fill the table "tb" with pointers into resp. It
then returns tb to its caller, but not before freeing the buffer at
resp. That means that all the callers of virNetDevLinkDump() are
examining memory that has already been freed. This can be verified by
filling the buffer at resp with garbage prior to freeing it (or, I
suppose, just running libvirtd under valgrind) then performing some
operation that calls virNetDevLinkDump().

The code has been like this ever since virNetDevLinkDump() was written
- the original author didn't notice it, and neither did later
additional users of the function. It has only been pure luck (or maybe
a lack of heavy load, and/or maybe an allocation algorithm in malloc()
that delays re-use of just-freed memory) that has kept this from
causing errors, for example when configuring a PCI passthrough or
macvtap passthrough network interface.

The solution taken in this patch is the simplest - just return resp to
the caller along with tb, then have the caller free it after they are
finished using the data (pointers) in tb. I alternately could have
made a cleaner interface by creating a new struct that put tb and resp
together along with a vir*Free() function for it, but this function is
only used in a couple places, and I'm not sure there will be
additional new uses of virNetDevLinkDump(), so the value of adding a
new type, extra APIs, etc. is dubious.

The helper checks whether a string contains only whitespace or is NULL.
This will be helpful to skip cases where a user string is optional, but
may be provided empty with the same meaning.

Newer versions of Debian use '/run/initctl' instead of '/dev/initctl'.
This patch updates the code to search for the FIFO from a list of
well-known locations.

Build with clang fails with:

  CC       util/libvirt_util_la-virsocketaddr.lo
util/virsocketaddr.c:904:17: error: cast from 'struct sockaddr *' to
'struct sockaddr_in *' increases required alignment from 1 to 4
[-Werror,-Wcast-align]
        inet4 = (struct sockaddr_in*) res->ai_addr;
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util/virsocketaddr.c:909:17: error: cast from 'struct sockaddr *' to
'struct sockaddr_in6 *' increases required alignment from 1 to 4
[-Werror,-Wcast-align]
        inet6 = (struct sockaddr_in6*) res->ai_addr;
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 errors generated.

Fix that by replacing virSocketAddrParseInternal() call with
virSocketAddrParse() in the virSocketAddrIsNumericLocalhost() function.
virSocketAddrParse stores an address in virSocketAddr.
virSocketAddr uses a union to store an address, so it doesn't
need casting.

Signed-off-by: NChen Fan <chen.fan.fnst@cn.fujitsu.com>

Add a new option specifier that will optionally add a JSON key=value pair
containing a nested object if the added object isn't NULL.

The JSON structure constructor has an option to add JSON arrays to the
constructed object. The description is inaccurate as it can add any json
object even a dict. Change the docs to cover this option and reject
adding NULL objects.

Our qemu monitor code has a converter from key-value pairs to a json
value object. I want to re-use the code later and having it part of the
monitor command generator is inflexible. Split it out into a separate
helper.

Signed-off-by: NChen Fan <chen.fan.fnst@cn.fujitsu.com>

Signed-off-by: NChen Fan <chen.fan.fnst@cn.fujitsu.com>
Signed-off-by: NJán Tomko <jtomko@redhat.com>

if specifying migration_host to an Ipv6 address without brackets,
it was resolved to an incorrect address, such as:
    tcp:2001:0DB8::1428:4444,
but the correct address should be:
    tcp:[2001:0DB8::1428]:4444
so we should add brackets when parsing it.
Signed-off-by: NChen Fan <chen.fan.fnst@cn.fujitsu.com>

Helper function to strip the brackets from an IPv6 address.
Tested by viruritest.

The actual origin of this so called typo are two commits.  The first one
was commit 72f8a7f1 that came up with the following condition:

if ((i == 8) & (flags & VIR_QEMU_PROCESS_KILL_FORCE))

Fortunately this succeeded thanks to bool being (int)1 and
VIR_QEMU_PROCESS_KILL_FORCE having the value of 1 << 0.  The check was
then moved and altered in 8fd38231 to
current state:

if ((i == 50) & force)

that will work again (both sides of '&' being booleans), but since this
was missed so many times, it may pose a problem in the future in case it
gets copy-pasted again.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

This same structure will be used to retrieve RX filter info for
interfaces on the host via netlink messages, and RX filter info for
interfaces on the guest via the qemu "query-rx-filter" command.

Since commit 8eb55d782a2b9afacc7938694891cc6fad7b42a5 libxml2 removes
two slashes from the URI when there is no server part.  This is fixed
with beb7281055dbf0ed4d041022a67c6c5cfd126f25, but only if the calling
application calls xmlSaveUri() on URI that xmlURIParse() parsed.  And
that is not the case in virURIFormat().  virURIFormat() accepts
virURIPtr that can be created without parsing it and we do that when we
format network storage paths for gluster for example.  Even though
virStorageSourceParseBackingURI() uses virURIParse(), it throws that data
structure right away.

Since we want to format URIs as URIs and not absolute URIs or opaque
URIs (see RFC 3986), we can specify that with a special hack thanks to
commit beb7281055dbf0ed4d041022a67c6c5cfd126f25, by setting port to -1.

This fixes qemuxml2argvtest test where the disk-drive-network-gluster
case was failing.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Fix the build on FreeBSD, broken by commit 4882618e.
Signed-off-by: NJán Tomko <jtomko@redhat.com>

A cygwin build of 1.2.9 fails with:

util/virprocess.c:87:27: fatal error: sys/syscall.h: No such file or directory
 #  include <sys/syscall.h>

But in reality, the ONLY user of setns() is lxc, which is Linux-only.
It's easiest to just limit the setns workarounds to Linux.

* src/util/virprocess.c (setns): Limit definition to Linux.
Signed-off-by: NEric Blake <eblake@redhat.com>

If we don't properly clean up all processes in the
machine-<vmname>.scope systemd won't remove the cgroup and subsequent vm
starts fail with

  'CreateMachine: File exists'

Additional processes can e.g. be added via

  echo $PID > /sys/fs/cgroup/systemd/machine.slice/machine-${VMNAME}.scope/tasks

but there are other cases like

  http://bugs.debian.org/761521

Invoke TerminateMachine to be on the safe side since systemd tracks the
cgroup anyway. This is a noop if all processes have terminated already.

and tweak the code to avoid using it.

The commit 1b854c76 introduced a new function 'virPolkitCheckAuth' and
in the #else section when you don't have polkit all attributes should be
follwed by ATTRIBUTE_UNUSED.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

This internal API can be used to allocate or free some pages in
the huge pages pool.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Spawning the pkcheck program every time a permission check is
required is hugely expensive on CPU. The pkcheck program is just
a dumb wrapper for the DBus API, so rewrite the code to use the
DBus API directly. This also simplifies error handling a bit.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Currently DBus dict values must be passed inline

   virDBusMessageEncode("a{ss}",
                        3,
                        "key1", "val1",
                        "key2", "val2",
                        "key3", "val3");
   virDBusMessageDecode("a{ss}",
                        3,
                        &key1, &val1,
                        &key2, &val2,
                        &key3, &val3);

This allows them to be passed by reference

   const char **dictin = {
      "key1", "val1",
      "key2", "val2",
      "key3", "val3"
   };
   char **dictout;
   size_t ndictout;

   virDBusMessageEncode("a&{ss}",
                        ARRAY_CARDINALITY(dict) / 2,
                        dictin);
   virDBusMessageDecode("a&{ss}",
                        &ndictout,
                        &dictout);
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Update virNetServerClientCreateIdentity and virIdentityGetSystem
to use the new typesafe APIs for setting identity attributes
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Instead of requiring the caller to format to/from strings,
add typesafe APIs todo this work.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

There are now two places in libvirt which use polkit. Currently
they use pkexec, which is set to be replaced by direct DBus API
calls. Add a common API which they will both be able to use for
this purpose.

No tests are added at this time, since the impl will be gutted
in favour of a DBus API call shortly.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Free str unconditionally since we allocate it without WITH_AUDIT
too.

virVasprintf sets the output to NULL on failure.

When trying to remove nonexistent metadata from XML, libvirt daemon
crashes due to dereferencing NULL pointer.

Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1143955

Clean up all _virDomainInterfaceStats.
Signed-off-by: NWang Yufei <james.wangyufei@huawei.com>
Signed-off-by: NWang Rui <moon.wangrui@huawei.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

virStorageSourceInitChainElement initializes a new storage chain element
for use as a new disk source. If the new element doesn't contain the
driver name, copy it from the old source.

This fixes issue where a disk would forget the driver after a snapshot.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140984

Pass the user-specified tun path down when creating tap device
when called from the qemu driver.

Also honor the vhost device path specified by user.

Currently, the setns() wrapper is supported only for x86_64 and i686
which leaves us failing to build on other platforms like arm, aarch64
and so on. This means, that the wrapper needs to be extended to those
platforms and make to fail on runtime not compile time.

The syscall numbers for other platforms was fetched using this
command:

kernel.git $ git grep "define.*__NR_setns" | grep -e arm -e powerpc -e s390
arch/arm/include/uapi/asm/unistd.h:#define __NR_setns                   (__NR_SYSCALL_BASE+375)
arch/arm64/include/asm/unistd32.h:#define __NR_setns 375
arch/powerpc/include/uapi/asm/unistd.h:#define __NR_setns               350
arch/s390/include/uapi/asm/unistd.h:#define __NR_setns          339
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

The backing store string location offset 0 determines that the file
isn't present. The string size shouldn't be then checked:

from qemu.git/docs/specs/qcow2.txt

== Header ==

The first cluster of a qcow2 image contains the file header:

Byte  0 -  3:   magic
                QCOW magic string ("QFI\xfb")

      4 -  7:   version
                Version number (valid values are 2 and 3)

      8 - 15:   backing_file_offset
                Offset into the image file at which the backing file name
                is stored (NB: The string is not null terminated). 0 if the
                image doesn't have a backing file.

     16 - 19:   backing_file_size
                Length of the backing file name in bytes. Must not be
                longer than 1023 bytes. Undefined if the image doesn't have
                a backing file.         ^^^^^^^^^

This patch intentionally leaves the backing file string size check in
place in case a malformatted file would be presented to libvirt. Also
according to the docs the string size is maximum 1023 bytes, thus this
patch adds a check to verify that.

I was also able to verify that the check was done the same way in the
legacy qcow fromat (in qemu's code).

I missed adding virCgroupNewIOThread to the !VIR_CGROUP_SUPPORTED

Pushing as build breaker

Add virCgroupNewIOThread() to mimic virCgroupNewVcpu() except the naming
scheme with use "iothread" rather than "vcpu".

Signed-off-by: NErik Skultety <eskultet@redhat.com>
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Coverity complains that because of how 'offset' is initialized to
0 (zero), the resulting math and comparison on rem is pointless.

According to the origin commit id '3ec12898', the code is a
replacement for gmtime(), but without the localtime() or GMT
calculations - so just remove this code and add a comment
indicating the removal

Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>