From: Jonathon Jongsma To: libvir-list@redhat.com Date: Thu, 5 Dec 2019 10:08:51 -0600 Message-Id: <20191205160857.30182-3-jjongsma@redhat.com> In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com> References: <20191205160857.30182-1-jjongsma@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 2/8] qemu: don't hold a monitor and agent job for reboot X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-MC-Unique: bo2W0a3pMAuzSd0HqGCtjw-1 X-Mimecast-Spam-Score: 0 Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" We have to assume that the guest agent may be malicious so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job while we're querying the agent, we open ourselves up to a DoS. Split the function so that we only hold the appropriate type of job while rebooting. Signed-off-by: Jonathon Jongsma
---
 src/qemu/qemu_driver.c | 111 +++++++++++++++++++++++++---------------- 1 file changed, 68 insertions(+), 43 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 92efde72dd..edd36f4a89 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2059,6 +2059,69 @@ static int qemuDomainShutdown(virDomainPtr dom)
 return qemuDomainShutdownFlags(dom, 0);
 }
=20
+static int
+qemuDomainRebootAgent(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ bool isReboot,
+ bool agentForced)
+{
+ qemuAgentPtr agent;
+ int ret =3D -1;
+ int agentFlag =3D QEMU_AGENT_SHUTDOWN_REBOOT;
+
+ if (!isReboot)
+ agentFlag =3D QEMU_AGENT_SHUTDOWN_POWERDOWN;
+
+ if (qemuDomainObjBeginAgentJob(driver, vm,
+ QEMU_AGENT_JOB_MODIFY) < 0)
+ return -1;
+
+ if (!qemuDomainAgentAvailable(vm, agentForced))
+ goto endjob;
+
+ if (virDomainObjCheckActive(vm) < 0)
+ goto endjob;
+
+ qemuDomainSetFakeReboot(driver, vm, false);
+ agent =3D qemuDomainObjEnterAgent(vm);
+ ret =3D qemuAgentShutdown(agent, agentFlag);
+ qemuDomainObjExitAgent(vm, agent);
+
+ endjob:
+ qemuDomainObjEndAgentJob(vm);
+ return ret;
+}
+
+static int
+qemuDomainRebootMonitor(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ bool isReboot)
+{
+ qemuDomainObjPrivatePtr priv =3D vm->privateData;
+ int ret =3D -1;
+
+ if (qemuDomainObjBeginJob(driver, vm,
+ QEMU_JOB_MODIFY) < 0)
+ return -1;
+
+ if (virDomainObjCheckActive(vm) < 0)
+ goto endjob;
+
+#if !WITH_YAJL
+ virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("ACPI reboot is not supported without the JSON monito= r"));
+ goto endjob;
+#endif
+ qemuDomainSetFakeReboot(driver, vm, isReboot);
+ qemuDomainObjEnterMonitor(driver, vm);
+ ret =3D qemuMonitorSystemPowerdown(priv->mon);
+ if (qemuDomainObjExitMonitor(driver, vm) < 0)
+ ret =3D -1;
+
+ endjob:
+ qemuDomainObjEndJob(driver, vm);
+ return ret;
+}
=20
 static int
 qemuDomainReboot(virDomainPtr dom, unsigned int flags)
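Review bot: In qemuDomainRebootAgent, `qemuDomainSetFakeReboot(driver, vm, false);` now runs with only `QEMU_AGENT_JOB_MODIFY` held, where the code this patch removes from qemuDomainReboot held `QEMU_JOB_MODIFY` as well. The body of qemuDomainSetFakeReboot is not part of this patch; if it updates per-domain state that the monitor path also writes (qemuDomainRebootMonitor calls it with `isReboot`), an API holding the monitor job can now interleave with this write. Please confirm the call is safe under the domain object lock alone and record the assumption above it, for example `/* no QEMU_JOB_MODIFY here: a monitor job must never be held while waiting on the untrusted agent */`.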
@@ -2070,8 +2133,6 @@ qemuDomainReboot(virDomainPtr dom, unsigned int flags)
 bool useAgent =3D false, agentRequested, acpiRequested;
 bool isReboot =3D true;
 bool agentForced;
- qemuDomainAgentJob agentJob =3D QEMU_AGENT_JOB_NONE;
- int agentFlag =3D QEMU_AGENT_SHUTDOWN_REBOOT;
=20
 virCheckFlags(VIR_DOMAIN_REBOOT_ACPI_POWER_BTN |
 VIR_DOMAIN_REBOOT_GUEST_AGENT, -1);
@@ -2081,7 +2142,6 @@ qemuDomainReboot(virDomainPtr dom, unsigned int flags)
=20
 if (vm->def->onReboot =3D=3D VIR_DOMAIN_LIFECYCLE_ACTION_DESTROY ||
 vm->def->onReboot =3D=3D VIR_DOMAIN_LIFECYCLE_ACTION_PRESERVE) {
- agentFlag =3D QEMU_AGENT_SHUTDOWN_POWERDOWN;
 isReboot =3D false;
 VIR_INFO("Domain on_reboot setting overridden, shutting down");
 }
@@ -2097,56 +2157,21 @@ qemuDomainReboot(virDomainPtr dom, unsigned int fla= gs)
 if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0)
 goto cleanup;
=20
- if (useAgent)
- agentJob =3D QEMU_AGENT_JOB_MODIFY;
-
- if (qemuDomainObjBeginJobWithAgent(driver, vm,
- QEMU_JOB_MODIFY,
- agentJob) < 0)
- goto cleanup;
-
 agentForced =3D agentRequested && !acpiRequested;
- if (!qemuDomainAgentAvailable(vm, agentForced)) {
- if (agentForced)
- goto endjob;
- useAgent =3D false;
- }
-
- if (virDomainObjCheckActive(vm) < 0)
- goto endjob;
-
- if (useAgent) {
- qemuAgentPtr agent;
+ if (useAgent)
+ ret =3D qemuDomainRebootAgent(driver, vm, isReboot, agentForced);
=20
- qemuDomainSetFakeReboot(driver, vm, false);
- agent =3D qemuDomainObjEnterAgent(vm);
- ret =3D qemuAgentShutdown(agent, agentFlag);
- qemuDomainObjExitAgent(vm, agent);
- }
+ if (ret < 0 && agentForced)
+ goto cleanup;
=20
 /* If we are not enforced to use just an agent, try ACPI
 * shutdown as well in case agent did not succeed.
 */
 if ((!useAgent) ||
 (ret < 0 && (acpiRequested || !flags))) {
-#if !WITH_YAJL
- virReportError(VIR_ERR_OPERATION_INVALID, "%s",
- _("ACPI reboot is not supported without the JSON mo= nitor"));
- goto endjob;
-#endif
- qemuDomainSetFakeReboot(driver, vm, isReboot);
- qemuDomainObjEnterMonitor(driver, vm);
- ret =3D qemuMonitorSystemPowerdown(priv->mon);
- if (qemuDomainObjExitMonitor(driver, vm) < 0)
- ret =3D -1;
+ ret =3D qemuDomainRebootMonitor(driver, vm, isReboot);
 }
=20
- endjob:
- if (agentJob)
- qemuDomainObjEndJobWithAgent(driver, vm);
- else
- qemuDomainObjEndJob(driver, vm);
-
 cleanup:
 virDomainObjEndAPI(&vm);
 return ret;
--=20
2.21.0
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
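Review bot: The added `if (ret < 0 && agentForced) goto cleanup;` is evaluated even when `useAgent` is false, so it depends on `agentForced` implying `useAgent`; both the flag handling and the initial value of `ret` are outside this hunk. If that invariant ever fails, the function leaves with whatever `ret` was initialised to without calling either helper and, as far as this hunk shows, without an error being reported, whereas the removed code reached `qemuDomainAgentAvailable(vm, agentForced)` unconditionally. If the invariant holds, a one-line comment above the check would record it, e.g. `/* agentForced implies useAgent, so ret is the agent result here */`; if it does not, that path needs its own virReportError. qemuDomainReboot begins and ends outside the hunk.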