We shouldn't allow guest filesystem pollution on error paths.
Suggested-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

In Windows guests this may make a difference.

Since the original patch (commit c689b4f1) sought to be pedantic and to
consider theoretical corner cases of portability, we should fix it up
where it failed to come through in that pursuit.
Suggested-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The qemu guest agent creates a bunch of files with insecure permissions
when started in daemon mode. For example:

  -rw-rw-rw- 1 root root /var/log/qemu-ga.log
  -rw-rw-rw- 1 root root /var/run/qga.state
  -rw-rw-rw- 1 root root /var/log/qga-fsfreeze-hook.log

In addition, at least all files created with the "guest-file-open" QMP
command, and all files created with shell output redirection (or
otherwise) by utilities invoked by the fsfreeze hook script are affected.

For now mask all file mode bits for "group" and "others" in
become_daemon().

Temporarily, for compatibility reasons, stick with the 0666 file-mode in
case of files newly created by the "guest-file-open" QMP call. Do so
without changing the umask temporarily.
Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Fix various typos and misspellings. The bulk of these were found with
codespell.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NLei Li <lilei@linux.vnet.ibm.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

*added stub for w32
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NLei Li <lilei@linux.vnet.ibm.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

*added stub for w32
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Hosts hold on to handles provided by guest-file-open for periods that can
span beyond the life of the qemu-ga process that issued them. Since these
are issued starting from 0 on every restart, we run the risk of issuing
duplicate handles after restarts/reboots.

As a result, users with a stale copy of these handles may end up
reading/writing corrupted data due to their existing handles effectively
being re-assigned to an unexpected file or offset.

We unfortunately do not issue handles as strings, but as integers, so a
solution such as using UUIDs can't be implemented without introducing a
new interface.

As a workaround, we fix this by implementing a persistent key-value store
that will be used to track the value of the last handle that was issued
across restarts/reboots to avoid issuing duplicates.

The store is automatically written to the same directory we currently
set via --statedir to track fsfreeze state, and so should be applicable
for stable releases where this flag is supported.

A follow-up can use this same store for handling fsfreeze state, but
that change is cosmetic and left out for now.
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org

* fixed guest_file_handle_add() return value from uint64_t to int64_t

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Neglects to free errors allocated by qmp_guest_fsfreeze_thaw().
Spotted by Coverity.

While there, drop the test whether return value is negative (it's
never true), and improve logging.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

g_strdup_printf already handles OOM errors, so some error handling in
QEMU code can be removed.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

To use the online disk snapshot for online-backup, application-level
consistency of the snapshot image is required. However, currently the
guest agent can provide only filesystem-level consistency, and the
snapshot may contain dirty data, for example, incomplete transactions.
This patch provides the opportunity to quiesce applications before
snapshot is taken.

If --fsfreeze-hook option is specified, the hook is executed with
"freeze" argument before the filesystem is frozen by fsfreeze-freeze
command. As for fsfreeze-thaw command, the hook is executed with "thaw"
argument after the filesystem is thawed.

This patch depends on patchset to improve error reporting by Luiz Capitulino:
  http://lists.gnu.org/archive/html/qemu-devel/2012-11/msg03016.htmlSigned-off-by: NTomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>

*clarified usage in help output
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Most errors are QERR_UNDEFINED_ERROR today.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Most errors are QERR_UNDEFINED_ERROR today.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Convert them to error_setg_errno().
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Convert them to error_setg_errno().
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Convert them to error_setg_errno().
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Most errors are QERR_UNDEFINED_ERROR. Also, adds ga_wait_child() as
a future commit will use it too.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Use error_setg_errno() when possible with an improved error description.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

fclose() returns EOF on error.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

*Fixed missing space character in error message
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This patch cleans up return sentences in the end of void functions.
Reported-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>

NUL-termination of the .ifr_name field is not required, but is fine
(and preferable to using strncpy and leaving the reader to wonder),
since the first thing the linux kernel does is to clear the last byte.
Besides, using pstrcpy here makes this setting of ifr_name consistent
with the other code (e.g., net/tap-linux.c) that does the same thing.
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NJim Meyering <meyering@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

FITRIM is a mounted filesystem feature to discard (or "trim") blocks which
are not in use by the filesystem. This is useful for solid-state drives
(SSDs) and thinly-provisioned storage.  Provide access to the feature
from the host so that filesystems can be trimmed periodically or before
migration.

Here is an example using scsi_debug:

    # modprobe scsi_debug lbpu=1 lbpws=1
    # sg_vpd -p0xb2 /dev/sdb
    Logical block provisioning VPD page (SBC):
      Unmap command supported (LBPU): 1
      Write same (16) with unmap bit supported (LBWS): 1
      Write same (10) with unmap bit supported (LBWS10): 0
    # mke2fs /dev/sdb
    # cat /sys/bus/pseudo/drivers/scsi_debug/map
    1-616,16257-16383
    # mount /dev/sdb /run/media/pbonzini/test
    # dd if=/dev/zero of=/run/media/pbonzini/test/file
    # cat map
    1-616,645-1588,1599-4026,4029-16383
    # rm /run/media/pbonzini/test/file
    # ./qemu-ga /dev/fd/0
    {"execute":"guest-fstrim"}
    {"return": {}}
    # cat map
    1-612
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

We will use these functions and types for more than FSFREEZE, so rename them.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Currently we re-read/re-process /etc/mtab to get an updated list of
mounts when guest-fsfreeze-thaw is called. This can cause an atime
update on /etc/mtab, which will block if we're in a frozen state.

Instead, use /proc's version of mtab, which may not be up-to-date with
options passed via -o remount, but is compatible for our use cases since
we only care about the filesystem type.
Reported-by: NMatsuda, Daiki <matsudadik@intellilink.co.jp>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Use _NSGetEnviron() helper to access the environment.
Signed-off-by: NAndreas Färber <andreas.faerber@web.de>
Cc: Charlie Somerville <charlie@charliesomerville.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Commit 3674838c uses the environ global
variable, but is relying on environ to be declared somewhere else.

This worked for me because on F16 environ is declared in <unistd.h>, but
that doesn't happen in OpenBSD for example, causing a build failure.

This commit fixes the build error by declaring environ if it hasn't
being declared yet.

Also fixes a build warning due to a missing <sys/wait.h> include.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

POSIX mandates[1] that a child process of a multi-thread program uses
only async-signal-safe functions before exec(). We consider qemu-ga
to be multi-thread, because it uses glib.

However, qmp_guest_shutdown() uses functions that are not
async-signal-safe. Fix it the following way:

- fclose() -> reopen_fd_to_null()
- execl() -> execle()
- exit() -> _exit()
- drop slog() usage (which is not safe)

  [1] http://pubs.opengroup.org/onlinepubs/009695399/functions/fork.htmlSigned-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Last commit dropped qemu-ga's SIGCHLD handler, used to automatically
reap terminated children processes. This introduced a bug to
qmp_guest_shutdown(): it will generate zombies.

This problem probably doesn't matter in the success case, as the VM
will shutdown anyway, but let's do the right thing and reap the
created process. This ultimately means that guest-shutdown is now a
synchronous command.

An interesting side effect is that guest-shutdown is now able to
report an error to the client if shutting down fails.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Currently, qemu-ga has a SIGCHLD handler that automatically reaps terminated
children processes. The idea is to avoid having qemu-ga commands blocked
waiting for children to terminate.

That approach has two problems:

 1. qemu-ga is unable to detect errors in the child, meaning that qemu-ga
    returns success even if the child fails to perform its task

 2. if a command does depend on the child exit status, the command has to
    play tricks to bypass the automatic reaper

Case 2 impacts the guest-suspend-* API, because it has to execute an external
program to check for suspend support. Today, to bypass the automatic reaper,
suspend code has to double fork and pass exit status information through a
pipe. Besides being complex, this is prone to race condition bugs. Indeed,
the current code does have such bugs.

Making the guest-suspend-* API synchronous (ie. by dropping the SIGCHLD
handler and calling waitpid() from commands) is a much simpler approach,
which fixes current race conditions bugs and enables commands to detect
errors in the child.

This commit does just that. There's a side effect though, guest-shutdown
will generate zombies if shutting down fails. This will be fixed by the
next commit.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The next commit wants to use it.
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

These were identified using: http://github.com/lyda/misspell-check
and run like this to create a bourne shell script using GNU sed's
-i option:

git ls-files|grep -vF .bin | misspellings -f - |grep -v '^ERROR:' |perl \
-pe 's/^(.*?)\[(\d+)\]: (\w+) -> "(.*?)"$/sed -i '\''${2}s!$3!$4!'\'' $1/'

Manually eliding the FP, "rela->real" and resolving "addres" to
address (not "adders") we get this:

  sed -i '450s!thru!through!' Changelog
  sed -i '260s!neccessary!necessary!' coroutine-sigaltstack.c
  sed -i '54s!miniscule!minuscule!' disas.c
  sed -i '1094s!thru!through!' hw/usb/hcd-ehci.c
  sed -i '1095s!thru!through!' hw/usb/hcd-ehci.c
  sed -i '21s!unecessary!unnecessary!' qapi-schema-guest.json
  sed -i '307s!explictly!explicitly!' qemu-ga.c
  sed -i '490s!preceeding!preceding!' qga/commands-posix.c
  sed -i '792s!addres!address!' qga/commands-posix.c
  sed -i '6s!beeing!being!' tests/tcg/test-mmap.c

Also, manually fix "arithmentic", spotted by Peter Maydell:

  sed -i 's!arithmentic!arithmetic!' coroutine-sigaltstack.c
Signed-off-by: NJim Meyering <meyering@redhat.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>

Currently we rely on fsfreeze/thaw commands disabling/enabling logging
then having other commands check whether logging is disabled to avoid
executing if they aren't safe for running while a filesystem is frozen.

Instead, have an explicit whitelist of fsfreeze-safe commands, and
consolidate logging and command enablement/disablement into a pair
of helper functions: ga_set_frozen()/ga_unset_frozen()
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

guest-fsfreeze-thaw relies on state information obtained from
guest-fsfreeze-freeze to determine what filesystems to unfreeze.
This is unreliable due to the fact that that state does not account
for FIFREEZE being issued by other processes, or previous instances
of qemu-ga. This means in certain situations we cannot thaw
filesystems even with a responsive qemu-ga instance at our disposal.

This patch allows guest-fsfreeze-thaw to be issued unconditionally.
It also adds some additional logic to allow us to thaw filesystems
regardless of how many times the filesystem's "frozen" refcount has
been incremented by any guest processes.

Also, guest-fsfreeze-freeze now operates atomically: on success all
freezable filesystems are frozen, and on error all filesystems are
thawed. The ambiguous "GUEST_FSFREEZE_STATUS_ERROR" state is no
longer entered.
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>