Fix the null pointer access when UUID is not specified.
Introduce a bool 'uuidUsable' to virStoragePoolAuthCephx that indicates
if uuid was specified or not and use it instead of the pointless
comparison of the static UUID array to NULL.
Add an error message if both uuid and usage are specified.

Fixes:
Error: FORWARD_NULL (CWE-476):
libvirt-0.10.2/src/conf/storage_conf.c:461: var_deref_model: Passing
    null pointer "uuid" to function "virUUIDParse(char const *, unsigned
    char *)", which dereferences it. (The dereference is assumed on the
    basis of the 'nonnull' parameter attribute.)
Error: NO_EFFECT (CWE-398):
    libvirt-0.10.2/src/conf/storage_conf.c:979: array_null: Comparing an
    array to null is not useful: "src->auth.cephx.secret.uuid != NULL".
(cherry picked from commit bc680e13)

The virNodeSuspend API allows for a duration of 0, to mean no
timed wakup. virsh needlessly forbids this though
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 1cad5eba)

When seeing a message

 virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist

it isn't immediately obvious that 'admin' is the identity
being checked. Quote the string to make it more obvious
(cherry picked from commit 07da0a6b)

detecet by

	http://honk.sigxcpu.org:8001/job/libvirt-build/348/console
(cherry picked from commit d01e427e)

Also removed some unreachable code found by coverity:
libvirt-0.10.2/src/nwfilter/nwfilter_driver.c:259: unreachable: This
code cannot be reached: "nwfilterDriverUnlock(driver...".
(cherry picked from commit 4f9af085)

On error, virStoragePoolGetAutostart would return -1 leaving autostart
untouched.

Removed the misleading debug message as well.

Error: CHECKED_RETURN (CWE-252):
libvirt-0.10.2/tools/virsh-pool.c:1386: unchecked_value: No check of the
    return value of "virStoragePoolGetAutostart(pool, &autostart)".
(cherry picked from commit e9d74a7a)

If allocation of names fails, list is uninitialized.
(cherry picked from commit 892582f9)

On OOM, xdr_destroy got called even though it wasn't created yet.

Found by coverity:
Error: UNINIT (CWE-457):
    libvirt-0.10.2/src/rpc/virnetmessage.c:214: var_decl: Declaring
    variable "xdr" without initializer.
    libvirt-0.10.2/src/rpc/virnetmessage.c:219: cond_true: Condition
    "virReallocN(&msg->buffer, 1UL /* sizeof (*msg->buffer) */,
    msg->bufferLength) < 0", taking true branch
    libvirt-0.10.2/src/rpc/virnetmessage.c:221: goto: Jumping to label
    "cleanup"
    libvirt-0.10.2/src/rpc/virnetmessage.c:257: label: Reached label
    "cleanup"
    libvirt-0.10.2/src/rpc/virnetmessage.c:258: uninit_use: Using
    uninitialized value "xdr.x_ops".
(cherry picked from commit 6e1fc355)

Time values were uninitialized if the connection wasn't usable.
(cherry picked from commit 8b235d40)

Found by coverity:
Error: SIZEOF_MISMATCH (CWE-569):
    libvirt-0.10.2/tools/virsh-domain.c:4754: suspicious_sizeof: Passing
    argument "8UL /* sizeof (cpumap) */" to function
    "_vshCalloc(vshControl *, size_t, size_t, char const *, int)" and
    then casting the return value to "unsigned char *" is suspicious.

Error: SIZEOF_MISMATCH (CWE-569):
    libvirt-0.10.2/tools/virsh-domain.c:4942: suspicious_sizeof: Passing
    argument "8UL /* sizeof (cpumap) */" to function
    "_vshCalloc(vshControl *, size_t, size_t, char const *, int)" and
    then casting the return value to "unsigned char *" is suspicious.
(cherry picked from commit dc04b2a7)

Found by coverity:
Error: REVERSE_INULL (CWE-476):
    libvirt-0.10.2/src/util/processinfo.c:141: deref_ptr: Directly
    dereferencing pointer "map".
    libvirt-0.10.2/src/util/processinfo.c:142: check_after_deref:
    Null-checking "map" suggests that it may be null, but it has already
    been dereferenced on all paths leading to the check.
(cherry picked from commit 7730257d)

This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=879473

The name attribute is required for portgroup elements (yes, the RNG
specifies that), and there is code in libvirt that assumes it is
non-null.  Unfortunately, the portgroup parsing function wasn't
checking for lack of portgroup. One adverse result of this was that
attempts to update a network by adding a portgroup with no name would
cause libvirtd to segfault. For example:

   virsh net-update default add portgroup "<portgroup default='yes'/>"

This patch causes virNetworkPortGroupParseXML to fail if no name is
specified, thus avoiding any later problems.
(cherry picked from commit 012d69df)

When starting an LXC guest with a virNetwork based NIC device,
if the network was not active, the virNetworkPtr device would
be leaked
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 509ce943)

In virNetDevVethDelete the virRun method will properly report
errors, but when checking the exit status for non-zero exit
code no error is reported
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 0584d662)

When starting a container, newDef is initialized to a
copy of 'def', but when startup fails newDef is never
removed. This cause later attempts to use 'virDomainDefine'
to lose the new data being defined.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 9d2bfc1c)

A mistaken initialization of 'ret' caused failure to create
macvtap devices to be ignored. The libvirt_lxc process
would later fail to start due to missing devices

Also make sure code checks '< 0' and not '!= 0' since only
-1 is considered an error condition
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 43db9cf4)

If the <interface> device did not contain any <target>
element, LXC would crash on a NULL pointer if starting
the container failed
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 68dceb63)

When failing to create a macvlan interface, make sure the
error message contains the name of the host interface
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e11daa2b)

The LXC driver relies on use of cgroups to kill off LXC processes
in shutdown. If cgroups aren't available, we're unable to kill
off processes, so we must treat lack of cgroups as a fatal startup
error.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 7c5ba648)

The code setting up LXC cgroups used an 'rc' variable both
for capturing the return value of methods it calls, and
its own return status. The result was that several failures
in setting up cgroups would actually result in success being
returned.

Use a separate 'ret' for tracking return value as per normal
code design in other parts of libvirt
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 8e1f0c38)

When no security driver is specified libvirt_lxc segfaults as a debug
message tries to access security labels for the container that are not
present.

This problem was introduced in commit 6c3cf57d.
(cherry picked from commit 99a388e6)

Early jumps to the cleanup label caused a crash of the libvirt_lxc
container helper as the cleanup section called
virLXCControllerDeleteInterfaces(ctrl) without checking the ctrl argument
for NULL. The argument was de-referenced soon after.

$ /usr/libexec/libvirt_lxc
/usr/libexec/libvirt_lxc: missing --name argument for configuration
Segmentation fault
(cherry picked from commit 81efb13b)

Commit 258e06c8 removed setting of the volume type to
VIR_STORAGE_VOL_BLOCK, which leads to failures in
storageVolumeCreateXMLFrom.

The type (and target.format) of the volume was set to zero. In
virStorageBackendGetBuildVolFromFunction, this gets interpreted as
VIR_STORAGE_FILE_NONE and the qemu-img tool is called with unknown
"none" format.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=879780
(cherry picked from commit 70f0bbe8)

It is possible for there to be deleted timers when we
calculate the next timeout, and they must be skipped.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit afbd9667)

The event code is a no-op if requested to update a non-existent
timer/handle watch. This makes it hard to detect bugs in the
caller who have passed bogus data. Add a VIR_WARN output in
such cases, since the API does not allow for return errors.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 39064f0f)

The docs for virDiskNameToIndex claim it ignores partition
numbers. In actual fact though, a code ordering bug means
that a partition number will cause the code to accidentally
multiply the result by 26.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 81d6c4de)

The error "... but the cause is unknown" appeared for XMLs similar to
this:

 <disk type='file' device='cdrom'>
   <driver name='qemu' type='raw'/>
   <source file='/dev/zero'/>
   <target dev='sr0'/>
 </disk>

Notice unsupported disk type (for the driver), but also no address
specified. The first part is not a problem and we should not abort
immediately because of that, but the combination with the address
unknown was causing an unspecified error.

While fixing this, I added an error to one place where this return
value was not managed properly.
(cherry picked from commit 03cd6e4a)

The LXC controller code currently directly invokes the
libvirt main loop code. The problem is that this misses
the cleanup of virNetServerClient connections that
virNetServerRun takes care of.

The result is that when libvirtd is stopped, the
libvirt_lxc controller process gets stuck in a I/O loop.
When libvirtd is then started again, it fails to connect
to the controller and thus kills off the entire domain.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit f33e43c2)

Regression introduced by commit 258e06c8, "ret" could be set to 1
or 0 by virStorageBackendFileSystemIsMounted before goto cleanup.
This could mislead the callers (up to the public API
virStoragePoolDestroy) to return success even the underlying umount
command fails.
(cherry picked from commit f4ac0656)

Commit a4c19459 only added the
QEMU capability flag, command line option and added the boot element
for redirdev's in the XML schema.

This patch adds support for parsing and writing the XML with redirdevs
with the boot flag. It also ignores unknown XML elements in redirdev
instead of failing with:
"error: An error occurred, but the cause is unknown"

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=805414
(cherry picked from commit cc244e24)

This resolves:

  https://bugzilla.redhat.com/show_bug.cgi?id=873134

The reported problem is that an attempt to restore a saved domain that
was configured with <currentMemory> and <memory> set to some (same for
both) number that's not a multiple of 4096KiB results in an error like
this:

  error: Failed to start domain libvirt_test_api
  error: XML error: current memory '4001792k' exceeds maximum '4000768k'

(in this case, currentMemory was set to 4000000KiB).

The reason for this failure is:

1) a saved image contains the "live xml" of the domain at the time of
the save.

2) the live xml of a running domain gets its currentMemory
(a.k.a. cur_balloon) directly from the qemu monitor rather than from
the configuration of the domain.

3) the value reported by qemu is (sometimes) not exactly what was
originally given to qemu when the domain was started, but is rounded
up to [some indeterminate granularity] - in some versions of qemu that
granularity is apparently 1MiB, and in others it is 4MiB.

4) When the XML is parsed to setup the state of the restored domain,
the XML parser for <currentMemory> compares it to <memory> (which is
the maximum allowed memory size for the domain) and if <currentMemory>
is greater than the next 1024KiB boundary above <memory>, it spits out
an error and fails.

For example (from the BZ) if you start qemu on RHEL6 with both
<currentMemory> and <memory> of 4000000 (this number is in KiB),
libvirt's dominfo or dumpxml will report "4001792" back (rounded up to
next 4MiB) for 10-20 seconds after the start, then revert to reporting
"4000000". On Fedora 16 (which uses qemu-1.0), it will instead report
"4000768" (rounded up to next 1MiB). On Fedora 17 (qemu-1.2), it seems
to always report "4000000". ("4000000" is of course okay, and
"4000768" is also okay since that's the next 1024KiB boundary above
"4000000" and the parser was already allowing for that. But "4001792
is *not* okay and produces the error message.)

This patch solves the problem by changing the allowed "fudge factor"
when parsing from 1024KiB to 4096KiB to match the maximum up-rounding
that could be done in qemu.

(I had earlier thought to fix this by up-rounding <memory> in the
dumpxml that's put into the saved image, but that wouldn't have fixed
the case where the save image was produced by an "unfixed"
libvirtd.)
(cherry picked from commit 89204fca)

On RHEL 5, I was getting a segfault trying to start libvirtd,
because we were failing virNodeParseSocket but not checking
for errors, and then calling CPU_SET(-1, &sock_map) as a result.
But if you don't have a topology/physical_package_id file,
then you can just assume that the cpu belongs to socket 0.

* src/nodeinfo.c (virNodeGetCpuValue): Change bool into
default_value.
(virNodeParseSocket): Allow for default value when file is missing,
different from fatal error on reading file.
(virNodeParseNode): Update call sites to fail on error.
(cherry picked from commit 47976b48)

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=876868
(cherry picked from commit 58110b48)

(cherry picked from commit bf60b6b3)

Ever since commit 7b21981c started generating AUTHORS, we now have
the situation that if you flip between two branches in the same
git repository that cross that commit boundary, then 'make' will
fail due to automake complaining about AUTHORS not existing.  The
simplest solution is to realize that if AUTHORS does not exist,
then we flipped branches so we will need to rerun bootstrap
anyways; and rerunning bootstrap ensures AUTHORS will exist in time.

* cfg.mk (_update_required): Also depend on AUTHORS.
(cherry picked from commit 71d12562)

The lack of initialization of 'opts' caused a SEGV in the
cleanup: path if the root->src directory did not exist
(cherry picked from commit 3782814d)

If domain uses only TLS port we don't want to add
'port=0' explicitly to command line.
(cherry picked from commit 9f872472)

We require a file and don't accept standard input:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692322
(cherry picked from commit d49adae2)

After the connection to ESX 5.1 being broken since g1e7cd395, the fix
in bab7752c helped a bit, but still missed a spot, so the connection
is now successful, but some APIs (for example defineXML) don't work.
Two cases missing are added in this patch to avoid that.
(cherry picked from commit 9c294e6f)

qemu is sensitive to the order of arguments passed. Hence, if a
device requires a controller, the controller cmd string must
precede device cmd string. The same apply for controllers, when
for instance ccid controller requires usb controller. So
controllers create partial ordering in which they should be added
to qemu cmd line.
(cherry picked from commit 0f720ab3)