-rw-r--r--libraries/libvirt/libvirt.SlackBuild7
-rw-r--r--libraries/libvirt/libvirt.info6
-rw-r--r--libraries/libvirt/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch40
-rw-r--r--libraries/libvirt/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch35
-rw-r--r--libraries/libvirt/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch48
-rw-r--r--libraries/libvirt/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch105
6 files changed, 237 insertions, 4 deletions
diff --git a/libraries/libvirt/libvirt.SlackBuild b/libraries/libvirt/libvirt.SlackBuild
index e39684a713247..d9a6e23cad632 100644
--- a/libraries/libvirt/libvirt.SlackBuild
+++ b/libraries/libvirt/libvirt.SlackBuild
@@ -5,7 +5,7 @@
# Maintained by Bogdan Radulescu <bogdan@nimblex.net>
PRGNAM=libvirt
-VERSION=${VERSION:-1.2.6}
+VERSION=${VERSION:-1.2.7}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
@@ -56,6 +56,11 @@ find -L . \
# we have sysctld files in /etc/sysctl.d
sed -i "s|(prefix)/lib/sysctl|(sysconfdir)/sysctl|" daemon/Makefile.in
+patch -p1 < $CWD/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch
+patch -p1 < $CWD/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch
+patch -p1 < $CWD/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch
+patch -p1 < $CWD/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch
+
CFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/usr \
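Review bot: None of the four added `patch -p1` lines checks its exit status, and whether the script runs under `set -e` is not visible in this hunk. If it does not, a patch that fails to apply would let `./configure` and the build go ahead, and the resulting package could ship 1.2.7 without the blockcopy use-after-free fix while still looking patched. Consider making each line fail closed, e.g. `patch -p1 < "$CWD/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch" || exit 1`, which also quotes `$CWD` so a build directory containing spaces does not break the redirect.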
diff --git a/libraries/libvirt/libvirt.info b/libraries/libvirt/libvirt.info
index ba29981fe2172..e8b6b5a9b70fd 100644
--- a/libraries/libvirt/libvirt.info
+++ b/libraries/libvirt/libvirt.info
@@ -1,8 +1,8 @@
PRGNAM="libvirt"
-VERSION="1.2.6"
+VERSION="1.2.7"
HOMEPAGE="http://libvirt.org"
-DOWNLOAD="http://libvirt.org/sources/libvirt-1.2.6.tar.gz"
-MD5SUM="ac1c3edbafb38f7978debe9507e5515c"
+DOWNLOAD="http://libvirt.org/sources/libvirt-1.2.7.tar.gz"
+MD5SUM="d556b3d815a222fd9680f9f3948595cb"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES="yajl urlgrabber"
diff --git a/libraries/libvirt/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch b/libraries/libvirt/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch
new file mode 100644
index 0000000000000..ce9a62b4ad525
--- /dev/null
+++ b/libraries/libvirt/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch
@@ -0,0 +1,40 @@
+From ee2a7c5483c9dc746ad439340925947f393b919a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sun, 10 Aug 2014 12:42:37 +0200
+Subject: [PATCH] Don't fail qemu driver intialization if we can't determine
+ hugepage size
+
+Otherwise we fail like
+
+ libvirt version: 1.2.7, package: 6 (root 2014-08-08-16:09:22 bogon)
+ virAuditOpen:62 : Unable to initialize audit layer: Protocol not supported
+ virFileGetDefaultHugepageSize:2958 : internal error: Unable to parse /proc/meminfo
+ virStateInitialize:749 : Initialization of QEMU state driver failed: internal error: Unable to parse /proc/meminfo
+ daemonRunStateInit:922 : Driver state initialization failed
+
+if the data can't be determined.
+
+Reference: http://bugs.debian.org/757609
+---
+ src/util/virfile.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/virfile.c b/src/util/virfile.c
+index f9efc65..b6f5e3f 100644
+--- a/src/util/virfile.c
++++ b/src/util/virfile.c
+@@ -2953,8 +2953,9 @@ virFileGetDefaultHugepageSize(unsigned long long *size)
+ goto cleanup;
+
+ if (!(c = strstr(meminfo, HUGEPAGESIZE_STR))) {
+- virReportError(VIR_ERR_INTERNAL_ERROR,
+- _("Unable to parse %s"),
++ virReportError(VIR_ERR_NO_SUPPORT,
++ _("%s not found in %s"),
++ HUGEPAGESIZE_STR,
+ PROC_MEMINFO);
+ goto cleanup;
+ }
+--
+2.0.3
+
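Review bot: The change in the `strstr(meminfo, HUGEPAGESIZE_STR)` failure branch of `virFileGetDefaultHugepageSize` only swaps the error code and message; the branch still ends in `goto cleanup`, so the function's return path is unchanged in the visible lines. Whether QEMU driver initialization actually stops failing therefore depends on a caller treating `VIR_ERR_NO_SUPPORT` as non-fatal, which lies outside this hunk and should be confirmed against the 1.2.7 tree. Unlike the three blockjob patches, this one carries no `(cherry picked from commit …)` trailer, so its upstream status cannot be read off the page. A comment next to its `patch` line in the SlackBuild, such as `# from Debian bug 757609; drop when upstream ships a fix`, would help the next version bump.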
diff --git a/libraries/libvirt/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch b/libraries/libvirt/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch
new file mode 100644
index 0000000000000..a86263cbd3509
--- /dev/null
+++ b/libraries/libvirt/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch
@@ -0,0 +1,35 @@
+From 2151695a5119a8d7f44d416c730df50a1e42695a Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 5 Aug 2014 08:49:32 -0600
+Subject: [PATCH 1/3] blockjob: correctly report active commit for job info
+
+Commit 232a31b munged job info to report 'active commit' instead of
+'commit' when generating events, but forgot to also munge the polling
+variant of the command.
+
+* src/qemu/qemu_driver.c (qemuDomainBlockJobImpl): Adjust type as
+needed.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit e8cc973041e7ac4ddeefe343af751863c76687fe)
+---
+ src/qemu/qemu_driver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index a3de784..57cc913 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15103,6 +15103,9 @@ qemuDomainBlockJobImpl(virDomainObjPtr vm,
+ ret = qemuMonitorBlockJob(priv->mon, device, basePath, backingPath,
+ bandwidth, info, mode, async);
+ qemuDomainObjExitMonitor(driver, vm);
++ if (info && info->type == VIR_DOMAIN_BLOCK_JOB_TYPE_COMMIT &&
++ disk->mirrorJob == VIR_DOMAIN_BLOCK_JOB_TYPE_ACTIVE_COMMIT)
++ info->type = disk->mirrorJob;
+ if (ret < 0) {
+ if (mode == BLOCK_JOB_ABORT && disk->mirror)
+ disk->mirrorState = VIR_DOMAIN_DISK_MIRROR_STATE_NONE;
+--
+2.0.3
+
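Review bot: The added `info->type` rewrite in `qemuDomainBlockJobImpl` sits before the `if (ret < 0)` check, so it reads `info->type` even when `qemuMonitorBlockJob` has just failed. Whether `info` holds defined contents on the failure path is not visible in this hunk; if the caller does not pre-zero it, the comparison would act on stale data. Gating the rewrite on success would remove the question: `if (ret >= 0 && info && info->type == VIR_DOMAIN_BLOCK_JOB_TYPE_COMMIT &&`. The function body starts and ends outside the hunk.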
diff --git a/libraries/libvirt/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch b/libraries/libvirt/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch
new file mode 100644
index 0000000000000..1f430369ff325
--- /dev/null
+++ b/libraries/libvirt/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch
@@ -0,0 +1,48 @@
+From 7620b422e515249bbfff02d0372301334fe1dd50 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 6 Aug 2014 14:48:59 -0600
+Subject: [PATCH 2/3] blockjob: avoid memory leak during block pivot
+
+Valgrind caught a memory leak:
+
+==2018== 9 bytes in 1 blocks are definitely lost in loss record 143 of 927
+==2018== at 0x4A0645D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==2018== by 0x8C42369: strdup (strdup.c:42)
+==2018== by 0x50EACC9: virStrdup (virstring.c:676)
+==2018== by 0x50E79E5: virStorageSourceCopy (virstoragefile.c:1845)
+==2018== by 0x20A3FAA7: qemuDomainBlockCommit (qemu_driver.c:15620)
+==2018== by 0x51DC6B2: virDomainBlockCommit (libvirt.c:20092)
+
+I traced it to the fact that blockcopy and blockcommit end up
+reparsing a backing chain on pivot, but the chain parsing code
+doesn't gracefully handle the case where the backing file is
+already known.
+
+I'm not exactly sure when this was introduced, but suspect that the
+refactoring in commit 9944b71 and friends that moved towards probing
+in-place rather than into a temporary structure are part of the cause.
+
+* src/util/virstoragefile.c (virStorageFileGetMetadataInternal):
+Don't leak any prior value.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit a595a005725f142e1a258d10f7647982efa3cfd8)
+---
+ src/util/virstoragefile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
+index 3da9073..5b6b2f5 100644
+--- a/src/util/virstoragefile.c
++++ b/src/util/virstoragefile.c
+@@ -817,6 +817,7 @@ virStorageFileGetMetadataInternal(virStorageSourcePtr meta,
+ goto cleanup;
+ }
+
++ VIR_FREE(meta->backingStoreRaw);
+ if (fileTypeInfo[meta->format].getBackingStore != NULL) {
+ int store = fileTypeInfo[meta->format].getBackingStore(&meta->backingStoreRaw,
+ backingFormat,
+--
+2.0.3
+
diff --git a/libraries/libvirt/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch b/libraries/libvirt/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch
new file mode 100644
index 0000000000000..0f967214e4411
--- /dev/null
+++ b/libraries/libvirt/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch
@@ -0,0 +1,105 @@
+From 9617e31b5349b193469874706abcbcb013e6a6fd Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 6 Aug 2014 14:06:23 -0600
+Subject: [PATCH 3/3] blockjob: fix use-after-free in blockcopy
+
+Commit febf84c2 tried to delay in-memory modification of the actual
+domain disk structure until after the qemu event was received.
+However, I missed that the code for block pivot had been temporarily
+setting disk->src = disk->mirror prior to the qemu command, in order
+to label the backing chain of a reused external blockcopy disk;
+and calls into qemu while still in that state before finally undoing
+things at the cleanup label. Since the qemu event handler then does:
+ virStorageSourceFree(disk->src);
+ disk->src = disk->mirror;
+we have the sad race that a fast enough qemu event can cause a leak of
+the original disk->src, as well as a use-after-free of the disk->mirror
+contents, bad enough to crash libvirtd in some of my test runs, even
+though the common case of the qemu event being much later won't trip
+the race.
+
+I'll go wear the brown paper bag of shame, for introducing a crasher
+in between rc1 and rc2 of the freeze for 1.2.7 :( My only
+consolation is that virDomainBlockJobAbort requires the domain:write
+ACL, so it is not a CVE.
+
+The valgrind report when the race occurs looks like:
+
+==25612== Invalid read of size 4
+==25612== at 0x50E7C90: virStorageSourceGetActualType (virstoragefile.c:1948)
+==25612== by 0x209C0B18: qemuDomainDetermineDiskChain (qemu_domain.c:2473)
+==25612== by 0x209D7F6A: qemuProcessHandleBlockJob (qemu_process.c:1087)
+==25612== by 0x209F40C9: qemuMonitorEmitBlockJob (qemu_monitor.c:1357)
+...
+==25612== Address 0xe4b5610 is 0 bytes inside a block of size 200 free'd
+==25612== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==25612== by 0x50839E9: virFree (viralloc.c:582)
+==25612== by 0x50E7E51: virStorageSourceFree (virstoragefile.c:2015)
+==25612== by 0x209D7EFF: qemuProcessHandleBlockJob (qemu_process.c:1073)
+==25612== by 0x209F40C9: qemuMonitorEmitBlockJob (qemu_monitor.c:1357)
+
+* src/qemu/qemu_driver.c (qemuDomainBlockPivot): Don't corrupt
+disk->src, and only label chain for blockcopy.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 265680c58ebbee30bb70369e7d9905a599afbd6a)
+---
+ src/qemu/qemu_driver.c | 40 +++++++++++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 57cc913..a050dbc 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -14888,23 +14888,33 @@ qemuDomainBlockPivot(virConnectPtr conn,
+ }
+ }
+
+- /* We previously labeled only the top-level image; but if the
+- * image includes a relative backing file, the pivot may result in
+- * qemu needing to open the entire backing chain, so we need to
+- * label the entire chain. This action is safe even if the
+- * backing chain has already been labeled; but only necessary when
+- * we know for sure that there is a backing chain. */
+- oldsrc = disk->src;
+- disk->src = disk->mirror;
++ /* For active commit, the mirror is part of the already labeled
++ * chain. For blockcopy, we previously labeled only the top-level
++ * image; but if the user is reusing an external image that
++ * includes a backing file, the pivot may result in qemu needing
++ * to open the entire backing chain, so we need to label the
++ * entire chain. This action is safe even if the backing chain
++ * has already been labeled; but only necessary when we know for
++ * sure that there is a backing chain. */
++ if (disk->mirrorJob == VIR_DOMAIN_BLOCK_JOB_TYPE_COPY) {
++ oldsrc = disk->src;
++ disk->src = disk->mirror;
++
++ if (qemuDomainDetermineDiskChain(driver, vm, disk, false) < 0)
++ goto cleanup;
+
+- if (qemuDomainDetermineDiskChain(driver, vm, disk, false) < 0)
+- goto cleanup;
++ if (disk->mirror->format &&
++ disk->mirror->format != VIR_STORAGE_FILE_RAW &&
++ (virDomainLockDiskAttach(driver->lockManager, cfg->uri, vm,
++ disk) < 0 ||
++ qemuSetupDiskCgroup(vm, disk) < 0 ||
++ virSecurityManagerSetDiskLabel(driver->securityManager, vm->def,
++ disk) < 0))
++ goto cleanup;
+
+- if (disk->mirror->format && disk->mirror->format != VIR_STORAGE_FILE_RAW &&
+- (virDomainLockDiskAttach(driver->lockManager, cfg->uri, vm, disk) < 0 ||
+- qemuSetupDiskCgroup(vm, disk) < 0 ||
+- virSecurityManagerSetDiskLabel(driver->securityManager, vm->def, disk) < 0))
+- goto cleanup;
++ disk->src = oldsrc;
++ oldsrc = NULL;
++ }
+
+ /* Attempt the pivot. Record the attempt now, to prevent duplicate
+ * attempts; but the actual disk change will be made when emitting
+--
+2.0.3
+
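Review bot: Inside the new `VIR_DOMAIN_BLOCK_JOB_TYPE_COPY` branch of `qemuDomainBlockPivot`, `disk->src` is still pointed at `disk->mirror` for the duration of the chain detection, lock, cgroup and label calls. Each `goto cleanup` in that branch leaves with `oldsrc` non-NULL, so restoring the pointer depends on the cleanup label, which is outside this hunk. The fix works only because the swap is now undone before the pivot is attempted, yet the code does not state that invariant. I would add a comment above `disk->src = oldsrc;` along the lines of `/* Restore before entering the monitor: the block job event handler frees disk->src and replaces it with disk->mirror. */` so that a later refactor does not move a monitor call back into the swapped window.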