qemu-kvm can be used to run ppc64 guests on ppc64le hosts and vice
versa, since the hardware is actually the same and the endianness
is chosen by the guest kernel.

Up until now, however, libvirt didn't allow the use of qemu-kvm
to run guests if their endianness didn't match the host's.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1267882
(cherry picked from commit 938368f8)

Commit 792f81a4 caused a regression in the libssh2 host key
verification code by changing the variable type of 'i' to unsigned.
Since one of the loops used -1 as a special value if the asking
callback was found the conversion made a subsequent test always fail.

The bug was stealth enough to pass review, compilers and coverity.

Refactor the condition to avoid problems.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1047861
(cherry picked from commit 9869f24d)

(cherry picked from commit 387c316e)

Since commit e0139e30, we update the pool allocation with
the user-provided allocation values.

For qcow2, the allocation is ignored for volume building,
but we still subtracted it from pool's allocation.
This can result in interesting values if the user-provided
allocation is large enough:

Capacity:       104.71 GiB
Allocation:     109.13 GiB
Available:      16.00 EiB

We already do a VolRefresh on volume creation. Also refresh
the volume after creating and use the new value to update the pool.

https://bugzilla.redhat.com/show_bug.cgi?id=1163091
(cherry picked from commit 56a4e9cb)

otherwise messages end up in /var/log/kern.log if journald forwards to
syslog.

Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799633
(cherry picked from commit fd00f0e6)

https://bugzilla.redhat.com/show_bug.cgi?id=871452

So, you want to create a domain from XML. The domain already
exists in libvirt's database of domains. It's okay, because name
and UUID matches. However, on domain startup, internal
representation of the domain is overwritten with your XML even
though we claim that the XML you've provided is a transient one.
The bug is to be found across nearly all the drivers.
Le sigh.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit c99b8cec)

https://bugzilla.redhat.com/show_bug.cgi?id=871452

Okay, so we allow users to 'virsh create' an already existing
domain, providing completely different XML than the one stored in
Libvirt. Well, as long as name and UUID matches. However, in some
drivers the code that handles errors unconditionally removes the
domain that failed to start even though the domain might have
been persistent. Fortunately, the domain is removed just from the
internal list of domains and the config file is kept around.

Steps to reproduce:

1) virsh dumpxml $dom > /tmp/dom.xml
2) change XML so that it is still parse-able but won't boot, e.g.
change guest agent path to /foo/bar
3) virsh create /tmp/dom.xml
4) virsh dumpxml $dom
5) Observe "No such domain" error
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 37405b91)

Qemu unfortunately doesn't update internal state right after migration
and so the actual balloon size as returned by 'query-balloon' are
invalid for a while after the CPUs are started after migration. If we'd
refresh our internal state at this point we would report invalid current
memory size until the next balloon event would arrive.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1242940
(cherry picked from commit d7a0386e)

As of commit 69929941, we set graphics/@listen attribute according to the
first listen child element even if that element is of type='network'.
This was done for backward compatibility with applications which only
support the original listen attribute. However, by doing so we broke
migration to older libvirt which tried to check that the listen
attribute matches one of the listen child elements but which did not
take type='network' elements into account.

We are not concerned about compatibility with old applications when
formatting domain XML for migration for two reasons. The XML is consumed
only by libvirtd and the IP address associated with type='network'
listen address on the source host is just useless on the destination
host. Thus, we can safely avoid propagating the type='network' IP
address to graphics/@listen attribute when creating migratable XML.

https://bugzilla.redhat.com/show_bug.cgi?id=1265111Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
(cherry picked from commit c0806dc3)

This patch addresses BZ 1244895.

Adapt the sysfs TPM command cancel path for the TPM driver that
does not use a miscdevice anymore since Linux 4.0. Support old
and new paths and check their availability.

Add a mockup for the test cases to avoid the testing for
availability of the cancel path.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
(cherry picked from commit 5ed7afa9)

Since we can't know at service start how many VMs will be running we
can't calculate an apropriate shutdown timeout. So instead of killing
off the service just let it use it's own internal timeout mechanism.

References:
    http://bugs.debian.org/803714
    https://bugzilla.redhat.com/show_bug.cgi?id=1195544

(cherry picked from commit ba08d16d)

Machine name escaping follows the same rules as serice name escape,
except that '.' and '-' must not be escaped in machine names, due
to a bug in systemd-machined.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1282846Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 0e0149ce)

According to the documentation, CreateMachine accepts only 7bit ASCII
characters in the machinename parameter, so let's make sure we can start
machines with unicode names with systemd.  We already have a function
for that, we just forgot to use it.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1062943
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1282846Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit e24eda48)

The libvirt file system storage driver determines what file to
act on by concatenating the pool location with the volume name.
If a user is able to pick names like "../../../etc/passwd", then
they can escape the bounds of the pool.  For that matter,
virStoragePoolListVolumes() doesn't descend into subdirectories,
so a user really shouldn't use a name with a slash.

Normally, only privileged users can coerce libvirt into creating
or opening existing files using the virStorageVol APIs; and such
users already have full privilege to create any domain XML (so it
is not an escalation of privilege).  But in the case of
fine-grained ACLs, it is feasible that a user can be granted
storage_vol:create but not domain:write, and it violates
assumptions if such a user can abuse libvirt to access files
outside of the storage pool.

Therefore, prevent all use of volume names that contain "/",
whether or not such a name is actually attempting to escape the
pool.

This changes things from:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
Vol ../../../../../../etc/haha created
$ rm /etc/haha

to:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
error: Failed to create vol ../../../../../../etc/haha
error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
Signed-off-by: NEric Blake <eblake@redhat.com>
(cherry picked from commit 034e47c3)

Event implementations need to be registered before a connection to the
Hypervisor is opened, otherwise event handling can be impaired (e.g.
delayed messages). This fact is referenced in an e-mail [1], but should
also be noted in the documentation of the registration functions.

[1] https://www.redhat.com/archives/libvirt-users/2014-April/msg00011.html

(cherry picked from commit 9bf1cef7)

$ rpmbuild -ba libvirt.spec
warning: Macro expanded in comment on line 5: # If neither fedora nor rhel was defined, try to guess them from %{dist}

warning: Macro %enable_autotools defined but not used within scope
warning: Macro %client_only defined but not used within scope
...

(cherry picked from commit dae1250b)

Commit 307fb904 (Sep 10) added a 'privileged' variable when creating
the DAC driver:

@@ -153,6 +157,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
                          bool defaultConfined,
                          bool requireConfined,
                          bool dynamicOwnership,
+                         bool privileged,
                          virSecurityManagerDACChownCallback chownCallback)

But argument order is mixed up at the caller, swapping dynamicOwnership
and privileged values. This corrects the argument order

https://bugzilla.redhat.com/show_bug.cgi?id=1266628
(cherry picked from commit 68572de8)

 Invalid read of size 4
    at 0x945CA30: __pthread_mutex_unlock_full (in /lib64/libpthread-2.20.so)
    by 0x4F0404B: virMutexUnlock (virthread.c:94)
    by 0x4F7161B: virStoragePoolObjUnlock (storage_conf.c:2603)
    by 0x4FE0476: testStoragePoolUndefine (test_driver.c:4328)
    by 0x4FCF086: virStoragePoolUndefine (libvirt-storage.c:656)
    by 0x15A7F5: cmdPoolUndefine (virsh-pool.c:1721)
    by 0x12F48D: vshCommandRun (vsh.c:1212)
    by 0x132AA7: main (virsh.c:943)
  Address 0xfda56a0 is 16 bytes inside a block of size 104 free'd
    at 0x4C2BA6C: free (vg_replace_malloc.c:473)
    by 0x4EA5C96: virFree (viralloc.c:582)
    by 0x4F70B69: virStoragePoolObjFree (storage_conf.c:412)
    by 0x4F7167B: virStoragePoolObjRemove (storage_conf.c:437)
    by 0x4FE0468: testStoragePoolUndefine (test_driver.c:4323)
    by 0x4FCF086: virStoragePoolUndefine (libvirt-storage.c:656)
    by 0x15A7F5: cmdPoolUndefine (virsh-pool.c:1721)
    by 0x12F48D: vshCommandRun (vsh.c:1212)
    by 0x132AA7: main (virsh.c:943)

(cherry picked from commit 03cf57a3)

After attach-device a <hostdev> with --config, new device doesn't
show up in dumpxml and in guest.

To fix that, set dev->data.hostdev = NULL after work so that the
pointer is not freed, since vmdef has the pointer and still need it.
Signed-off-by: NChunyan Liu <cyliu@suse.com>
(cherry picked from commit 56945e13)

https://bugzilla.redhat.com/show_bug.cgi?id=1124841

If running in session mode it may happen that we fail to set
correct SELinux label, but the image may still be readable to
the qemu process. Take this into account.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 00e5b967)

Remove unused variable, tag unused parameter and adjust return type.

introduced by 3f48345f

CC     security/libvirt_security_manager_la-security_selinux.lo
security/security_selinux.c: In function 'virSecuritySELinuxDomainSetDirLabel':
security/security_selinux.c:2520:5: error: return makes pointer from integer without a cast [-Werror]
security/security_selinux.c:2514:9: error: unused variable 'ret' [-Werror=unused-variable]
security/security_selinux.c:2509:59: error: unused parameter 'mgr' [-Werror=unused-parameter]

(cherry picked from commit 4d4c90df)

Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 3f48345f)

That function can be used for setting security labels on arbitrary
directories.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit f65a2a12)

In virSecuritySELinuxSetSecurityChardevLabel() we are labelling unix
socket path, but accessing another structure of the union.  This does
not pose a problem currently as both paths are at the same offset, but
this should be fixed for the future.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 4ac6ce38)

We have plenty of callbacks in the driver. Some of these
callbacks require more than one argument to be passed. For that
we currently have a data type (struct) per each callback. Well,
so far for only one - SELinuxSCSICallbackData. But lets turn it
into more general name so it can be reused in other callbacks too
instead of each one introducing a new, duplicate data type.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 276c4091)

The check is done in virSecuritySELinuxSetFilecon itself. There's
no need to check it again.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 370461d1)

We may want to do some decisions in drivers based on fact if we
are running as privileged user or not. Propagate this info there.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 307fb904)

Commit 8125113c added code that should remove the disk backend if the
fronted hotplug failed for any reason. The code had a bug though as it
used the disk string for unplug rather than the backend alias. Fix the
code by pre-creating an alias string and using it instead of the disk
string. In cases where qemu does not support QEMU_CAPS_DEVICE, we ignore
the unplug of the backend since we can't really create an alias in that
case.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1262399
(cherry picked from commit 64c6695f)

The xenXMConfigCacheRefresh method scans /etc/xen and loads
all config files it finds. It then scans its internal hash
table and purges any (previously) loaded config files whose
refresh timestamp does not match the timestamp recorded at
the start of xenXMConfigCacheRefresh(). There is unfortunately
a subtle flaw in this, because if loading the config files
takes longer than 1 second, some of the config files will
have a refresh timestamp that is 1 or more seconds different
(newer) than is checked for. So we immediately purge a bunch
of valid config files we just loaded.

To avoid this flaw, we must pass the timestamp we record at
the start of xenXMConfigCacheRefresh() into the
xenXMConfigCacheAddFile() method, instead of letting the
latter call time(NULL) again.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 427067f7)

commit 4b53d0d4 "libxl: don't remove persistent domain on start
failure" cleans up the vm object and sets it to NULL if the vm is not
persistent, however at end job vm (now NULL) is dereferenced via the call to
libxlDomainObjEndJob. Avoid this by skipping "endjob" and going
straight to "cleanup" in this case.
Signed-off-by: NIan Campbell <ian.campbell@citrix.com>
(cherry picked from commit ee7758f0)

https://bugzilla.redhat.com/show_bug.cgi?id=1260846

Introduced by 8fedbbdb, if we parse an unordered NUMA cell, will
get a segfault. This is because of a check for overlapping @cpus
sets we have there. However, since the array to hold guest NUMA
cells is allocated upfront and therefore it contains all zeros,
an out of order cell will break our assumption that cell IDs have
increasing character. At this point we try to access yet NULL
bitmap and therefore segfault.
Signed-off-by: NLuyao Huang <lhuang@redhat.com>
(cherry picked from commit 83ae3ee3)

Commit id '2e7cea24' added a check for an error from Finish instead
of 'unexpected error'; however, if for some reason there wasn't an
error, then virGetLastError could return NULL resulting in the
NULL pointer deref to err->domain.

(cherry picked from commit ea3c5f25)

Remove redundant error reporting in libxlDomainMigrationPerform().
virNetSocketNewConnectTCP() is perfectly capable of reporting
sensible errors.

(cherry picked from commit 6ce939c2)

Commit d091518b tried to escape all strings in produced XML, but missed
this one.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
(cherry picked from commit e92e5ba1)

Like we are checking for the correct order in SYM_FILES, we
should do the same for ADMIN_SYM_FILES.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit a0d2ceb3)

It's a generated file, so after 'distclean' it should be gone.
But it isn't yet.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 28fa50d2)

We have this check rule in src/Makefile: check-symfile that
should check if all symbols we wanted to export are exported.
Moreover, if we are not exporting something more. Do the same
with libvirt_admin.syms.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 74f11dd2)

commit 09778e09 switched from using ioctl(SIOCBRDELBR) for bridge
device deletion to using a netlink RTM_DELLINK message, which is the
more modern way to delete a bridge (and also doesn't require the
bridge to be ~IFF_UP to succeed). However, although older kernels
(e.g. 2.6.32, in RHEL6/CentOS6) support deleting *some* link types
with RTM_NEWLINK, they don't support deleting bridges, and there is no
compile-time way to figure this out.

This patch moves the body of the SIOCBRDELBR version of
virNetDevBridgeDelete() into a static function, calls the new function
from the original, and also calls the new function from the
RTM_DELLINK version if the RTM_DELLINK message generates an EOPNOTSUPP
error. Since RTM_DELLINK is done from the subordinate function
virNetlinkDelLink, which is also called for other purposes (deleting a
macvtap interface), a function pointer called "fallback" has been
added to the arglist of virNetlinkDelLink() - if that arg != NULL, the
provided function will be called when (and only when) RTM_DELLINK
fails with EOPNOTSUPP.

Resolves:  https://bugzilla.redhat.com/show_bug.cgi?id=1252780 (part 2)
(cherry picked from commit 97d26e47)

commit fc7b23db switched from using ioctl(SIOCBRADDBR) for bridge
creation to using a netlink RTM_NEWLINK message with IFLA_INFO_KIND =
"bridge", which is the more modern way to create a bridge. However,
although older kernels (e.g. 2.6.32, in RHEL6/CentOS6) support
creating *some* link types with RTM_NEWLINK, they don't support
creating bridges, and there is no compile-time way to figure this out
(since the "type" isn't an enum, but rather a character string).

This patch moves the body of the SIOCBRADDBR version of
virNetDevBridgeCreate() into a static function, calls the new function
from the original, and also calls the new function from the
RTM_NEWLINK version if the RTM_NEWLINK message generates an EOPNOTSUPP
error.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1252780
(cherry picked from commit 66dcb409)