After 6b770f9a both @netsource and @srcprops are leaked
because of early return introduced in the commit.

==1812== 644 bytes in 4 blocks are definitely lost in loss record 835 of 885
==1812==    at 0x4C2F12F: realloc (vg_replace_malloc.c:785)
==1812==    by 0x8846393: xmlSaveUriRealloc (in /usr/lib64/libxml2.so.2.9.8)
==1812==    by 0x8846B1C: xmlSaveUri (in /usr/lib64/libxml2.so.2.9.8)
==1812==    by 0x5DDA619: virURIFormat (viruri.c:256)
==1812==    by 0x56E941B: qemuBuildNetworkDriveURI (qemu_command.c:781)
==1812==    by 0x56E979A: qemuBuildNetworkDriveStr (qemu_command.c:859)
==1812==    by 0x56F3A0B: qemuBuildSCSIiSCSIHostdevDrvStr (qemu_command.c:4664)
==1812==    by 0x56F3D1F: qemuBuildSCSIHostdevDrvStr (qemu_command.c:4732)
==1812==    by 0x56F57F7: qemuBuildHostdevCommandLine (qemu_command.c:5337)
==1812==    by 0x570303A: qemuBuildCommandLine (qemu_command.c:10376)
==1812==    by 0x57604EE: qemuProcessCreatePretendCmd (qemu_process.c:6649)
==1812==    by 0x11352A: testCompareXMLToArgv (qemuxml2argvtest.c:566)
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

When support was adding for passing a pre-opened listener socket to UNIX
chardevs, it accidentally passed the listener socket for client mode
chardevs too with predictable amounts of fail resulting. This affects
libvirt when using QEMU >= 2.12

Expand the unit test coverage to validate that we are only doing FD
passing when operating in server mode.

  https://bugzilla.redhat.com/show_bug.cgi?id=1598440Tested-by: NRichard W.M. Jones <rjones@redhat.com>
Reported-by: NRichard W.M. Jones <rjones@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

QEMU chardevs have a bug which makes the vhostuser backend complain
about lack of support for FD passing when validating the chardev.
While this is ultimately QEMU's responsibility to fix, libvirt needs to
avoid tickling the bug.

Simply disabling chardev FD passing just for vhostuser's chardev is
the most prudent approach, avoiding need for a QEMU version number
check.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

There are two boolean parameters passed to qemuBuildChrChardevStr,
and soon there will be a third. It will be clearer to understand
from callers' POV if we use named flags instead.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The vhostuser network backend is only supported with the UNIX domain
socket chardev backend, so passing around chardevStdioLogd is not
required.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1598084

When creating a snapshot with --quiesce an async job is grabbed
and just before executing guest fs-freeze command an agent job is
grabbed. This is achieved by calling

  qemuDomainObjBeginJobInternal(job = QEMU_JOB_NONE,
                                agentJob = QEMU_AGENT_JOB_MODIFY);

Since there already is an async job set on the domain (by the
same thread) qemuDomainNestedJobAllowed(priv, job) is consulted
if @job is allowed by job mask. But this function returns false
(meaning sync @job is not allowed) which leads to a deadlock.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

from src/qemu/qemu_domain_address.c to src/conf/domain_addr.c
and rename to virDomainCCWAddressSetCreateFromDomain

(rename to have Address in full instead of Addr to follow
the naming convention of other virDomainCCWAddress functions)
Signed-off-by: NAnya Harter <aharter@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Currently we format the serial, geometry and error policy on the -drive
backend argument.

QEMU added the ability to set serial and geometry on the frontend in
the 1.2 release deprecating use of -drive, with support being deleted
from -drive in 3.0.

We keep formatting error policy on -drive for now, because we don't
ahve support for that with -device for usb-storage just yet.

Note that some disk buses (sd) still don't support -device. Although
QEMU allowed these properties to be set on -drive for if=sd, they
have been ignored so we now report an error in this case.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The private data of a virStorageSource which is backing an iSCSI hostdev
may be NULL if no authentication is present. The code handling the
hotplug would attempt to extract the authentication info stored in
'secinfo' without checking if it is allocated which resulted in a crash.

Here we opt the easy way to check if srcPriv is not NULL so that we
don't duplicate all the logic which selects whether the disk source has
a secret.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1597550Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

This argument is not used anymore. The only function that is
passing non-NULL (qemuDomainSaveMemory) does not actually care
for the value (after 23087cfd) and every other caller just
passes NULL anyway.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

When using domxml-to-native, we must generate CLI args that can be used
in a standalone scenario. This means no FD passing can be used. To
achieve this we must clear the QEMU_CAPS_CHARDEV_FD_PASS capability bit.
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

This makes the feature fully operational.

https://bugzilla.redhat.com/show_bug.cgi?id=1525599Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

The processing code which prepares images should be executed really only
for the images which were detected. The code actually tried to update
the last user-specified layer as well. Thankfully we don't do anything
that would be a problem at this point.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1515533

The @prefix attribute to <ip/> element for interface type user is
optional. Therefore, if left out it has value of zero in which
case we should not check whether it falls into <4, 27> range.
Otherwise we fail parsing domain XML for no good reason.

Broken by commit b62b8090.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Once we called qemuDomainObjEnterRemote to talk to the destination
daemon during a peer to peer migration, the vm lock is released and we
only hold an async job. If the source domain dies at this point the
monitor EOF callback is allowed to do its job and (among other things)
clear all private data irrelevant for stopped domain. Thus when we call
qemuDomainObjExitRemote, the domain may already be gone and we should
avoid touching runtime private data (such as current job info).

In other words after acquiring the lock in qemuDomainObjExitRemote, we
need to check the domain is still alive. Unless we're doing offline
migration.

https://bugzilla.redhat.com/show_bug.cgi?id=1589730Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

The variable is used to store the offline migration capability of the
destination daemon. Let's call it 'dstOffline' so that we can later use
'offline' to indicate whether we were asked to do offline migration.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1541921

In TCG mode, there are no vCPU threads and thus there's nothing
to be placed into resctrl group. Forbid such configuration.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

If we ever fail to properly set jobinfo->statsType,
qemuDomainJobInfoToParams would return -1 without setting an error.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1585108

When updating a live device users might pass different alias than
the one the device has. Currently, this is silently ignored which
goes against our behaviour for other parts of the device where we
explicitly allow only certain changes and error out loudly on
anything else.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

This was lost in c57f3fd2. But now we are going to
need it again (except the DETACH action where checking for device
compatibility does not make much sense anyway).
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

When updating device it's worth parsing live info too as users
might want to update it as well.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Mediated devices of model 'vfio-ccw' are using CCW addresses, so make
sure to call the correct address preparation code for the model.
Reviewed-by: NShalini Chellathurai Saroja <shalini@linux.ibm.com>
Reviewed-by: NBoris Fiuczynski <fiuczy@linux.ibm.com>
Signed-off-by: NBjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

Remove the callbacks that the nwfilter driver registers with the domain
object config layer. Instead make the current helper methods call into
the public API for creating/deleting nwfilter bindings.
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Now that the nwfilter driver keeps a list of bindings that it has
created, there is no need for the complex virt driver callbacks. It is
possible to simply iterate of the list of recorded filter bindings.

This means that rebuilding filters no longer has to acquire any locks on
the virDomainObj objects, as they're never touched.
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Add comma escaping for netsource. This is done here because
qemuBuildNetworkDriveStr has other external callers which
may not expect an escaped comma; however, this particular
command building path needs to perform the escaping for the
hostdev command line, so we do it now to ensure src->path
and src->host->name are covered.
Signed-off-by: NAnya Harter <aharter@redhat.com>

Instead of source to enable use of virBuffer functions in
string construction.
Signed-off-by: NAnya Harter <aharter@redhat.com>

If a thread is unable to acquire a job (e.g. because of timeout)
an error is reported and the error message contains reference to
the other thread holding the job. Well, the error message should
report agent job too as it is yet another source of possible
failure.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

This makes the feature fully functional.

https://bugzilla.redhat.com/show_bug.cgi?id=1571078Signed-off-by: NAndrea Bolognani <abologna@redhat.com>

This doesn't seem very useful at the moment, but it will make
sense once we introduce another HPT-related setting.

The output XML is decoupled from the input XML in preparation
of future changes as well; while doing so, we can shave a few
lines off the latter.

This commit is best viewed with 'git show -w'.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>

We're going to introduce a second HPT-related setting soon,
at which point using a single location to store everything is
no longer going to cut it.

This mostly, but not completely, reverts 3dd1eb3b.
Signed-off-by: NAndrea Bolognani <abologna@redhat.com>

Signed-off-by: NAndrea Bolognani <abologna@redhat.com>

fix 'device' leak in qemuDomainBlockJobSetSpeed

Signed-off-by: Jie Wang <wangjie88.huawei.com>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Exiting early through the return path did result in 'port_str'
being leaked.

Signed-off-by: Jie Wang <wangjie88.huawei.com>

The UNIX socket FDs were we passing to QEMU inherited a label based on
libvirtd's context. QEMU is thus denied ability to access the UNIX
socket. We need to use the security manager to change our current
context temporarily when creating the UNIX socket FD.
Reviewed-by: NLaine Stump <laine@laine.org>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

If a thread is unable to start a job (e.g. because of timeout)
a warning is printed into the logs. So far, the message does not
contain agent job info. Add it as it might help future debugging.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

As qemuMonitorJSONIOProcess will call qemuMonitorJSONIOProcessEvent
which unlocks the monitor mutex, there is some extreme situation,
eg qemu send message to monitor twice in a short time, where the
local viriable 'msg' of qemuMonitorIOProcess could be a wild point:

1. qemuMonitorSend() assign mon->msg to parameter 'msg', which is alse a
local variable of its caller qemuMonitorJSONCommandWithFd(), cause
eventloop to send message to monitor, then wait condition.
2. qemu send message to monitor for the first time immediately.
3. qemuMonitorIOProcess() is called, then wake up the qemuMonitorSend()
thread, but the qemuMonitorSend() thread stuck for a while as cpu pressure
or some other reasons, which means the qemu monitor is still unlocked.
4. qemu send event message to monitor for the second time,
such as RTC_CHANGE event
5. qemuMonitorIOProcess() is called again, the local viriable 'msg' is
assigned to mon->msg.
6. qemuMonitorIOProcess() call qemuMonitorJSONIOProcess() to deal with
the qemu event.
7. qemuMonitorJSONIOProcess() unlock the qemu monitor in the macro
'QEMU_MONITOR_CALLBACK', then qemuMonitorSend() thread get the mutex
and free the mon->msg, assign mon->msg to NULL.
Signed-off-by: NWeilun Zhu <zhuweilun@huawei.com>
Reviewed-by: NJiri Denemark <jdenemar@redhat.com>

Add comma escaping for disk->blkdeviotune.group_name.
Signed-off-by: NAnya Harter <aharter@redhat.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1591628

Attempting to use the FORCE flag for snapshot-revert was resulting
in failures because qemuProcessStart and qemuProcessStartCPUs were
using QEMU_ASYNC_JOB_START after a qemuProcessStop resulting in an
error when entering the monitor:

error: internal error: unexpected async job 6 type expected 0

So create a local @jobType, initialize to QEMU_ASYNC_JOB_START, and
change to QEMU_ASYNC_JOB_NONE if we end up in the --force path
where the qemuProcessStop is run before a Start and StartCPUs.
Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
ACKed-by: NMichal Privoznik <mprivozn@redhat.com>