From nobody Wed May 15 16:19:59 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 170.10.133.124 as permitted sender) client-ip=170.10.133.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1643622171; cv=none;
	d=zohomail.com; s=zohoarc;
	b=m0VnyRNomjEUAWD56SZoiZf742bWPXntZqHavobnBALQljBFbwiRiz34j8Y5z1i+ozvRwlV0OLntS7H/SP+pcQGfL0XByAd7pj8/mmbSZQj22ZdMNrUB3MqxBr6yVfDdqK8hXJ20lSwA+QV8cefxKRhIz/gaagJx3VeB8rqGIzo=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1643622171;
 h=Content-Type:Content-Transfer-Encoding:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To;
	bh=8d1CHpfoXrHR3OI6gYl2cSRJWUJoxkPi1WcD3e3/Onw=;
	b=B8xGN0xyk+m+ZFrbMNxSfGjO6W4OoxuVoGEHQ/QWdTq3svnShkFrForzzqtOR8E4GM/mZWCEY7T+NSZNEqUZIgG4aQ0ySsn3uihXvfvuW5m7mF+1qGeB2mCXNodC9cKup0CdxTfaET9y8wzivic2YiAblJ/cQh2+zq9rr355geo=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<mprivozn@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
	with SMTPS id 1643622171119862.8242831106662;
 Mon, 31 Jan 2022 01:42:51 -0800 (PST)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-296-axWt7_60NXWjnQcxm1rwsw-1; Mon, 31 Jan 2022 04:42:46 -0500
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
 [10.5.11.12])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8B0FF1853026;
	Mon, 31 Jan 2022 09:42:41 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 67FF96E4D3;
	Mon, 31 Jan 2022 09:42:41 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 38DEE1809CB8;
	Mon, 31 Jan 2022 09:42:41 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
	[10.5.11.12])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 20V9gdNJ014034 for <libvir-list@listman.util.phx.redhat.com>;
	Mon, 31 Jan 2022 04:42:39 -0500
Received: by smtp.corp.redhat.com (Postfix)
	id 77BEE6E4C0; Mon, 31 Jan 2022 09:42:39 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.40.193.157])
	by smtp.corp.redhat.com (Postfix) with ESMTP id EED966E4D5
	for <libvir-list@redhat.com>; Mon, 31 Jan 2022 09:42:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1643622170;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=8d1CHpfoXrHR3OI6gYl2cSRJWUJoxkPi1WcD3e3/Onw=;
	b=XGs+WtoMN9l6q6Qm44BSAHTElEirAYVjKKlugXSxel5g9Y5/qL3LkWg2FbF1DHy/QbgtpH
	VT62vLI3n+YjOfkfq6uX3UGQ7g3tAQ3wxNPMclQrt4eCF1+amexC09fmHL1Dqz8aBwcjFS
	ls5HPe4QhK2MfoeTiRXF2m+0a5DBFNA=
X-MC-Unique: axWt7_60NXWjnQcxm1rwsw-1
From: Michal Privoznik <mprivozn@redhat.com>
To: libvir-list@redhat.com
Subject: [PATCH] qemu: Audit VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE flag usage
Date: Mon, 31 Jan 2022 10:42:28 +0100
Message-Id: 
 <5a5bffb17d770b27bc7c93cf7b7e229ba2ebf5e8.1643622148.git.mprivozn@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-loop: libvir-list@redhat.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://listman.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1643622173633100001
Content-Type: text/plain; charset="utf-8"

There is plenty of places where a domain XML is parsed using
VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE flag, but not all are
warranted. The flag usage is okay when parsing an XML produced by
us (e.g. when copying virDomainDef). In the rest of places
(especially when the XML might come from user) we need to
validate the XML, otherwise we may start QEMU assuming it has
certain capabilities while in fact it doesn't. For instance, in
this specific case when migrating a guest with virtio-mem to a
QEMU that has virtio-mem disabled, loading migration fails with:

  qemu-kvm: ... 'virtio-mem-pci' is not a valid device model name

This bug is more visible the more we transfer validation from
qemu_command.c into qemu_validate.c.

There is a possibility that we might prevent migration because of
a bug in our validator, but that's better than starting a QEMU
with features it doesn't support.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=3D2048435
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_driver.c    | 5 ++---
 src/qemu/qemu_migration.c | 9 +++------
 src/qemu/qemu_saveimage.c | 3 +--
 3 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 370d223198..7d12b187ba 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2681,8 +2681,7 @@ qemuDomainSaveInternal(virQEMUDriver *driver,
=20
         if (!(def =3D virDomainDefParseString(xmlin, driver->xmlopt,
                                             priv->qemuCaps,
-                                            VIR_DOMAIN_DEF_PARSE_INACTIVE |
-                                            VIR_DOMAIN_DEF_PARSE_SKIP_VALI=
DATE))) {
+                                            VIR_DOMAIN_DEF_PARSE_INACTIVE)=
)) {
             goto endjob;
         }
         if (!qemuDomainCheckABIStability(driver, vm, def))
@@ -7944,7 +7943,7 @@ qemuDomainDetachDeviceLiveAndConfig(virQEMUDriver *dr=
iver,
     g_autoptr(virQEMUDriverConfig) cfg =3D NULL;
     g_autoptr(virDomainDeviceDef) dev =3D NULL;
     virDomainDeviceDef *dev_copy =3D NULL;
-    unsigned int parse_flags =3D VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE;
+    unsigned int parse_flags =3D 0;
     g_autoptr(virDomainDef) vmdef =3D NULL;
     int ret =3D -1;
=20
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 2635ef1162..c83eb41693 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -2469,8 +2469,7 @@ qemuMigrationSrcBeginPhase(virQEMUDriver *driver,
=20
     if (xmlin) {
         if (!(def =3D virDomainDefParseString(xmlin, driver->xmlopt, priv-=
>qemuCaps,
-                                            VIR_DOMAIN_DEF_PARSE_INACTIVE |
-                                            VIR_DOMAIN_DEF_PARSE_SKIP_VALI=
DATE)))
+                                            VIR_DOMAIN_DEF_PARSE_INACTIVE)=
))
             return NULL;
=20
         if (!qemuDomainCheckABIStability(driver, vm, def))
@@ -2858,8 +2857,7 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver,
=20
                 VIR_DEBUG("Using hook-filtered domain XML: %s", xmlout);
                 newdef =3D virDomainDefParseString(xmlout, driver->xmlopt,=
 NULL,
-                                                 VIR_DOMAIN_DEF_PARSE_INAC=
TIVE |
-                                                 VIR_DOMAIN_DEF_PARSE_SKIP=
_VALIDATE);
+                                                 VIR_DOMAIN_DEF_PARSE_INAC=
TIVE);
                 if (!newdef)
                     goto cleanup;
=20
@@ -3355,8 +3353,7 @@ qemuMigrationAnyPrepareDef(virQEMUDriver *driver,
=20
     if (!(def =3D virDomainDefParseString(dom_xml, driver->xmlopt,
                                         qemuCaps,
-                                        VIR_DOMAIN_DEF_PARSE_INACTIVE |
-                                        VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE=
)))
+                                        VIR_DOMAIN_DEF_PARSE_INACTIVE)))
         goto cleanup;
=20
     if (dname) {
diff --git a/src/qemu/qemu_saveimage.c b/src/qemu/qemu_saveimage.c
index 557ee2cd21..b106e5b299 100644
--- a/src/qemu/qemu_saveimage.c
+++ b/src/qemu/qemu_saveimage.c
@@ -556,8 +556,7 @@ qemuSaveImageOpen(virQEMUDriver *driver,
=20
     /* Create a domain from this XML */
     if (!(def =3D virDomainDefParseString(data->xml, driver->xmlopt, qemuC=
aps,
-                                        VIR_DOMAIN_DEF_PARSE_INACTIVE |
-                                        VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE=
)))
+                                        VIR_DOMAIN_DEF_PARSE_INACTIVE)))
         return -1;
=20
     *ret_def =3D g_steal_pointer(&def);
--=20
2.34.1