Message ID | 20190703224707.12437-1-eblake@redhat.com |
---|---|
State | New |
Headers | show |
Series | [v2,RFC] qemu-nbd: Permit TLS with Unix sockets | expand |
Patchew URL: https://patchew.org/QEMU/20190703224707.12437-1-eblake@redhat.com/ Hi, This series failed the asan build test. Please find the testing commands and their output below. If you have Docker installed, you can probably reproduce it locally. === TEST SCRIPT BEGIN === #!/bin/bash make docker-image-fedora V=1 NETWORK=1 time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1 === TEST SCRIPT END === PASS 1 fdc-test /x86_64/fdc/cmos PASS 2 fdc-test /x86_64/fdc/no_media_on_start PASS 3 fdc-test /x86_64/fdc/read_without_media ==10051==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 fdc-test /x86_64/fdc/media_change PASS 5 fdc-test /x86_64/fdc/sense_interrupt PASS 6 fdc-test /x86_64/fdc/relative_seek --- PASS 32 test-opts-visitor /visitor/opts/range/beyond PASS 33 test-opts-visitor /visitor/opts/dict/unvisited MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-coroutine -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-coroutine" ==10096==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10096==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffffb89b000; bottom 0x7f13499f8000; size: 0x00ecb1ea3000 (1016597196800) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-coroutine /basic/no-dangling-access --- PASS 12 test-aio /aio/event/flush PASS 13 test-aio /aio/event/wait/no-flush-cb PASS 14 test-aio /aio/timer/schedule ==10111==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 test-aio /aio/coroutine/queue-chaining PASS 16 test-aio /aio-gsource/flush PASS 17 test-aio /aio-gsource/bh/schedule --- PASS 13 fdc-test /x86_64/fdc/fuzz-registers PASS 28 test-aio /aio-gsource/timer/schedule MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-aio-multithread -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-aio-multithread" ==10118==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-aio-multithread /aio/multi/lifecycle MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/ide-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="ide-test" PASS 2 test-aio-multithread /aio/multi/schedule ==10135==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 ide-test /x86_64/ide/identify PASS 3 test-aio-multithread /aio/multi/mutex/contended ==10146==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 ide-test /x86_64/ide/flush ==10157==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 ide-test /x86_64/ide/bmdma/simple_rw PASS 4 test-aio-multithread /aio/multi/mutex/handoff ==10163==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 ide-test /x86_64/ide/bmdma/trim PASS 5 test-aio-multithread /aio/multi/mutex/mcs ==10174==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 ide-test /x86_64/ide/bmdma/short_prdt PASS 6 test-aio-multithread /aio/multi/mutex/pthread MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-throttle -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-throttle" ==10185==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-throttle /throttle/leak_bucket PASS 2 test-throttle /throttle/compute_wait PASS 3 test-throttle /throttle/init --- PASS 5 test-throttle /throttle/have_timer PASS 6 test-throttle /throttle/detach_attach PASS 7 test-throttle /throttle/config_functions ==10191==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 test-throttle /throttle/accounting PASS 9 test-throttle /throttle/groups PASS 10 test-throttle /throttle/config/enabled --- PASS 15 test-throttle /throttle/config/iops_size MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-thread-pool -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-thread-pool" PASS 6 ide-test /x86_64/ide/bmdma/one_sector_short_prdt ==10198==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-thread-pool /thread-pool/submit PASS 2 test-thread-pool /thread-pool/submit-aio PASS 3 test-thread-pool /thread-pool/submit-co PASS 4 test-thread-pool /thread-pool/submit-many ==10200==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 ide-test /x86_64/ide/bmdma/long_prdt ==10272==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10272==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffec41b2000; bottom 0x7f228cffe000; size: 0x00dc371b4000 (945817337856) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 5 test-thread-pool /thread-pool/cancel PASS 8 ide-test /x86_64/ide/bmdma/no_busmaster PASS 9 ide-test /x86_64/ide/flush/nodev PASS 6 test-thread-pool /thread-pool/cancel-async ==10283==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-hbitmap -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-hbitmap" PASS 10 ide-test /x86_64/ide/flush/empty_drive PASS 1 test-hbitmap /hbitmap/granularity PASS 2 test-hbitmap /hbitmap/size/0 PASS 3 test-hbitmap /hbitmap/size/unaligned PASS 4 test-hbitmap /hbitmap/iter/empty ==10293==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 test-hbitmap /hbitmap/iter/partial PASS 6 test-hbitmap /hbitmap/iter/granularity PASS 7 test-hbitmap /hbitmap/iter/iter_and_reset --- PASS 14 test-hbitmap /hbitmap/set/twice PASS 15 test-hbitmap /hbitmap/set/overlap PASS 16 test-hbitmap /hbitmap/reset/empty ==10299==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 17 test-hbitmap /hbitmap/reset/general PASS 12 ide-test /x86_64/ide/flush/retry_isa PASS 18 test-hbitmap /hbitmap/reset/all --- PASS 28 test-hbitmap /hbitmap/truncate/shrink/medium PASS 29 test-hbitmap /hbitmap/truncate/shrink/large PASS 30 test-hbitmap /hbitmap/meta/zero ==10305==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 ide-test /x86_64/ide/cdrom/pio ==10311==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 ide-test /x86_64/ide/cdrom/pio_large ==10317==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 ide-test /x86_64/ide/cdrom/dma MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/ahci-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="ahci-test" PASS 31 test-hbitmap /hbitmap/meta/one --- PASS 33 test-hbitmap /hbitmap/meta/word PASS 34 test-hbitmap /hbitmap/meta/sector PASS 35 test-hbitmap /hbitmap/serialize/align ==10331==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 ahci-test /x86_64/ahci/sanity ==10337==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 ahci-test /x86_64/ahci/pci_spec PASS 36 test-hbitmap /hbitmap/serialize/basic PASS 37 test-hbitmap /hbitmap/serialize/part --- PASS 42 test-hbitmap /hbitmap/next_dirty_area/next_dirty_area_1 PASS 43 test-hbitmap /hbitmap/next_dirty_area/next_dirty_area_4 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bdrv-drain -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bdrv-drain" ==10343==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10346==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bdrv-drain /bdrv-drain/nested PASS 2 test-bdrv-drain /bdrv-drain/multiparent PASS 3 test-bdrv-drain /bdrv-drain/set_aio_context --- PASS 37 test-bdrv-drain /bdrv-drain/detach/parent_cb PASS 38 test-bdrv-drain /bdrv-drain/detach/driver_cb PASS 39 test-bdrv-drain /bdrv-drain/attach/drain ==10378==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bdrv-graph-mod -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bdrv-graph-mod" ==10396==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bdrv-graph-mod /bdrv-graph-mod/update-perm-tree PASS 2 test-bdrv-graph-mod /bdrv-graph-mod/should-update-child MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-blockjob -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-blockjob" PASS 4 ahci-test /x86_64/ahci/hba_spec ==10402==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-blockjob /blockjob/ids PASS 2 test-blockjob /blockjob/cancel/created PASS 3 test-blockjob /blockjob/cancel/running --- PASS 7 test-blockjob /blockjob/cancel/pending PASS 8 test-blockjob /blockjob/cancel/concluded MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-blockjob-txn -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-blockjob-txn" ==10404==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10408==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-blockjob-txn /single/success PASS 2 test-blockjob-txn /single/failure PASS 3 test-blockjob-txn /single/cancel --- PASS 7 test-blockjob-txn /pair/fail-cancel-race PASS 5 ahci-test /x86_64/ahci/hba_enable MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-block-backend -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-block-backend" ==10419==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-block-backend /block-backend/drain_aio_error PASS 2 test-block-backend /block-backend/drain_all_aio_error ==10417==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-block-iothread -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-block-iothread" ==10428==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-block-iothread /sync-op/pread PASS 2 test-block-iothread /sync-op/pwrite PASS 3 test-block-iothread /sync-op/load_vmstate --- PASS 16 test-block-iothread /propagate/mirror PASS 6 ahci-test /x86_64/ahci/identify MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-image-locking -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-image-locking" ==10451==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-image-locking /image-locking/basic PASS 2 test-image-locking /image-locking/set-perm-abort ==10449==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-x86-cpuid -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-x86-cpuid" PASS 1 test-x86-cpuid /cpuid/topology/basic MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-xbzrle -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-xbzrle" --- PASS 7 ahci-test /x86_64/ahci/max PASS 6 test-xbzrle /xbzrle/encode_decode MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-vmstate -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-vmstate" ==10467==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-vmstate /vmstate/tmp_struct PASS 2 test-vmstate /vmstate/simple/primitive PASS 3 test-vmstate /vmstate/simple/array --- PASS 10 test-int128 /int128/int128_rshift MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/rcutorture -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="rcutorture" PASS 8 ahci-test /x86_64/ahci/reset ==10506==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 rcutorture /rcu/torture/1reader ==10506==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffee2233000; bottom 0x7fdba4dfe000; size: 0x00233d435000 (151351676928) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 9 ahci-test /x86_64/ahci/io/pio/lba28/simple/zero PASS 2 rcutorture /rcu/torture/10readers MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-list -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-list" ==10528==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10528==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff6df45000; bottom 0x7f0b4cffe000; size: 0x00f420f47000 (1048524910592) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-rcu-list /rcu/qlist/single-threaded PASS 10 ahci-test /x86_64/ahci/io/pio/lba28/simple/low ==10547==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 test-rcu-list /rcu/qlist/short-few ==10547==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fffcc579000; bottom 0x7f80e7ffe000; size: 0x007ee457b000 (544996831232) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 11 ahci-test /x86_64/ahci/io/pio/lba28/simple/high ==10574==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10574==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffedf665000; bottom 0x7fcca49fe000; size: 0x00323ac67000 (215734448128) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 3 test-rcu-list /rcu/qlist/long-many MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-simpleq -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-simpleq" PASS 12 ahci-test /x86_64/ahci/io/pio/lba28/double/zero ==10587==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-rcu-simpleq /rcu/qsimpleq/single-threaded ==10587==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc3aafe000; bottom 0x7ff996dfe000; size: 0x0002a3d00000 (11338252288) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 13 ahci-test /x86_64/ahci/io/pio/lba28/double/low PASS 2 test-rcu-simpleq /rcu/qsimpleq/short-few ==10599==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10599==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffdb7ed8000; bottom 0x7f2ca41fe000; size: 0x00d113cda000 (897980407808) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 14 ahci-test /x86_64/ahci/io/pio/lba28/double/high ==10626==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10626==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd4cec0000; bottom 0x7fa9dff24000; size: 0x00536cf9c000 (358310592512) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 3 test-rcu-simpleq /rcu/qsimpleq/long-many MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-tailq -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-tailq" PASS 15 ahci-test /x86_64/ahci/io/pio/lba28/long/zero PASS 1 test-rcu-tailq /rcu/qtailq/single-threaded ==10639==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10639==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe340f1000; bottom 0x7fbeb757c000; size: 0x003f7cb75000 (272675328000) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 2 test-rcu-tailq /rcu/qtailq/short-few PASS 16 ahci-test /x86_64/ahci/io/pio/lba28/long/low ==10672==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10672==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fffdd147000; bottom 0x7f63e3bfe000; size: 0x009bf9549000 (669902999552) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 3 test-rcu-tailq /rcu/qtailq/long-many --- PASS 8 test-qdist /qdist/binning/shrink MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qht -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qht" PASS 17 ahci-test /x86_64/ahci/io/pio/lba28/long/high ==10687==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 18 ahci-test /x86_64/ahci/io/pio/lba28/short/zero ==10693==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 19 ahci-test /x86_64/ahci/io/pio/lba28/short/low ==10699==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 20 ahci-test /x86_64/ahci/io/pio/lba28/short/high ==10705==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10705==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffedbc2c000; bottom 0x7fb1597fe000; size: 0x004d8242e000 (332897902592) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 21 ahci-test /x86_64/ahci/io/pio/lba48/simple/zero ==10711==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10711==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd02465000; bottom 0x7fc63cbfe000; size: 0x0036c5867000 (235242156032) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 22 ahci-test /x86_64/ahci/io/pio/lba48/simple/low ==10717==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10717==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd9a189000; bottom 0x7f3600ffe000; size: 0x00c79918b000 (857267023872) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 23 ahci-test /x86_64/ahci/io/pio/lba48/simple/high ==10723==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10723==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe1ed41000; bottom 0x7fc9f29fe000; size: 0x00342c343000 (224079917056) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 24 ahci-test /x86_64/ahci/io/pio/lba48/double/zero ==10729==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10729==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc859ea000; bottom 0x7f335e9fe000; size: 0x00c926fec000 (863942656000) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 25 ahci-test /x86_64/ahci/io/pio/lba48/double/low ==10735==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10735==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffeb2a66000; bottom 0x7f2954dfe000; size: 0x00d55dc68000 (916401324032) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 26 ahci-test /x86_64/ahci/io/pio/lba48/double/high ==10741==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10741==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffca9feb000; bottom 0x7f62653fe000; size: 0x009a44bed000 (662578319360) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 27 ahci-test /x86_64/ahci/io/pio/lba48/long/zero ==10747==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10747==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe762a5000; bottom 0x7f4d137fe000; size: 0x00b162aa7000 (761864548352) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-qht /qht/mode/default PASS 2 test-qht /qht/mode/resize MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qht-par -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qht-par" PASS 28 ahci-test /x86_64/ahci/io/pio/lba48/long/low ==10759==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==10759==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc4c4d3000; bottom 0x7fe4f07fe000; size: 0x00175bcd5000 (100324429824) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-qht-par /qht/parallel/2threads-0%updates-1s PASS 29 ahci-test /x86_64/ahci/io/pio/lba48/long/high PASS 2 test-qht-par /qht/parallel/2threads-20%updates-1s MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bitops -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bitops" ==10776==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bitops /bitops/sextract32 PASS 2 test-bitops /bitops/sextract64 PASS 3 test-bitops /bitops/half_shuffle32 --- PASS 8 check-qom-proplist /qom/proplist/delchild PASS 9 check-qom-proplist /qom/resolve/partial MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qemu-opts -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qemu-opts" ==10807==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-qemu-opts /qemu-opts/find_unknown_opts PASS 2 test-qemu-opts /qemu-opts/find_opts PASS 3 test-qemu-opts /qemu-opts/opts_create --- PASS 4 test-crypto-hash /crypto/hash/digest PASS 5 test-crypto-hash /crypto/hash/base64 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-hmac -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-hmac" ==10830==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-crypto-hmac /crypto/hmac/iov PASS 2 test-crypto-hmac /crypto/hmac/alloc PASS 3 test-crypto-hmac /crypto/hmac/prealloc --- PASS 32 ahci-test /x86_64/ahci/io/pio/lba48/short/high PASS 1 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/perfectserver PASS 2 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/perfectclient ==10860==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca1 PASS 33 ahci-test /x86_64/ahci/io/dma/lba28/fragmented PASS 4 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca2 ==10866==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca3 PASS 6 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badca1 PASS 7 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badca2 PASS 8 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badca3 PASS 34 ahci-test /x86_64/ahci/io/dma/lba28/retry PASS 9 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver1 ==10872==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver2 PASS 35 ahci-test /x86_64/ahci/io/dma/lba28/simple/zero ==10878==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver3 PASS 36 ahci-test /x86_64/ahci/io/dma/lba28/simple/low PASS 12 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver4 ==10884==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver5 PASS 37 ahci-test /x86_64/ahci/io/dma/lba28/simple/high PASS 14 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver6 ==10890==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver7 PASS 16 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badserver1 PASS 17 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badserver2 --- PASS 39 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/missingclient MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-tlssession -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-tlssession" PASS 38 ahci-test /x86_64/ahci/io/dma/lba28/double/zero ==10901==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-crypto-tlssession /qcrypto/tlssession/psk PASS 2 test-crypto-tlssession /qcrypto/tlssession/basicca PASS 39 ahci-test /x86_64/ahci/io/dma/lba28/double/low PASS 3 test-crypto-tlssession /qcrypto/tlssession/differentca ==10907==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 test-crypto-tlssession /qcrypto/tlssession/altname1 PASS 5 test-crypto-tlssession /qcrypto/tlssession/altname2 PASS 40 ahci-test /x86_64/ahci/io/dma/lba28/double/high PASS 6 test-crypto-tlssession /qcrypto/tlssession/altname3 ==10913==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 test-crypto-tlssession /qcrypto/tlssession/altname4 PASS 8 test-crypto-tlssession /qcrypto/tlssession/altname5 PASS 41 ahci-test /x86_64/ahci/io/dma/lba28/long/zero PASS 9 test-crypto-tlssession /qcrypto/tlssession/altname6 ==10919==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-crypto-tlssession /qcrypto/tlssession/wildcard1 PASS 11 test-crypto-tlssession /qcrypto/tlssession/wildcard2 PASS 42 ahci-test /x86_64/ahci/io/dma/lba28/long/low PASS 12 test-crypto-tlssession /qcrypto/tlssession/wildcard3 PASS 13 test-crypto-tlssession /qcrypto/tlssession/wildcard4 ==10925==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 test-crypto-tlssession /qcrypto/tlssession/wildcard5 PASS 43 ahci-test /x86_64/ahci/io/dma/lba28/long/high ==10931==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 test-crypto-tlssession /qcrypto/tlssession/wildcard6 PASS 44 ahci-test /x86_64/ahci/io/dma/lba28/short/zero ==10937==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 16 test-crypto-tlssession /qcrypto/tlssession/cachain PASS 45 ahci-test /x86_64/ahci/io/dma/lba28/short/low MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qga -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qga" ==10944==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 46 ahci-test /x86_64/ahci/io/dma/lba28/short/high PASS 1 test-qga /qga/sync-delimited PASS 2 test-qga /qga/sync --- PASS 15 test-qga /qga/invalid-cmd PASS 16 test-qga /qga/invalid-args PASS 17 test-qga /qga/fsfreeze-status ==10955==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 47 ahci-test /x86_64/ahci/io/dma/lba48/simple/zero PASS 18 test-qga /qga/blacklist PASS 19 test-qga /qga/config PASS 20 test-qga /qga/guest-exec PASS 21 test-qga /qga/guest-exec-invalid ==10963==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 22 test-qga /qga/guest-get-osinfo PASS 23 test-qga /qga/guest-get-host-name PASS 24 test-qga /qga/guest-get-timezone --- PASS 7 test-util-sockets /socket/fd-pass/num/bad PASS 8 test-util-sockets /socket/fd-pass/num/nocli MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-authz-simple -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-authz-simple" ==10988==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-authz-simple /authz/simple MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-authz-list -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-authz-list" PASS 1 test-authz-list /auth/list/complex --- PASS 4 test-io-channel-file /io/channel/pipe/sync PASS 5 test-io-channel-file /io/channel/pipe/async MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-io-channel-tls -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-io-channel-tls" ==11051==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-io-channel-tls /qio/channel/tls/basic MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-io-channel-command -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-io-channel-command" PASS 1 test-io-channel-command /io/channel/command/fifo/sync --- PASS 3 test-base64 /util/base64/not-nul-terminated PASS 4 test-base64 /util/base64/invalid-chars MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-pbkdf -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-pbkdf" ==11097==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-crypto-pbkdf /crypto/pbkdf/rfc3962/sha1/iter1 PASS 2 test-crypto-pbkdf /crypto/pbkdf/rfc3962/sha1/iter2 PASS 3 test-crypto-pbkdf /crypto/pbkdf/rfc3962/sha1/iter1200a --- PASS 1 test-logging /logging/parse_range PASS 2 test-logging /logging/parse_path MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-replication -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-replication" ==11132==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11138==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-replication /replication/primary/read PASS 2 test-replication /replication/primary/write PASS 52 ahci-test /x86_64/ahci/io/dma/lba48/double/high ==11147==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-replication /replication/primary/start PASS 4 test-replication /replication/primary/stop PASS 5 test-replication /replication/primary/do_checkpoint PASS 6 test-replication /replication/primary/get_error_all PASS 53 ahci-test /x86_64/ahci/io/dma/lba48/long/zero PASS 7 test-replication /replication/secondary/read ==11153==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 test-replication /replication/secondary/write PASS 54 ahci-test /x86_64/ahci/io/dma/lba48/long/low ==11159==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11138==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc9b908000; bottom 0x7fd9c32fc000; size: 0x0022d860c000 (149659107328) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 55 ahci-test /x86_64/ahci/io/dma/lba48/long/high ==11185==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 test-replication /replication/secondary/start PASS 56 ahci-test /x86_64/ahci/io/dma/lba48/short/zero ==11191==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 57 ahci-test /x86_64/ahci/io/dma/lba48/short/low ==11197==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-replication /replication/secondary/stop PASS 58 ahci-test /x86_64/ahci/io/dma/lba48/short/high ==11203==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 59 ahci-test /x86_64/ahci/io/ncq/simple ==11209==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 test-replication /replication/secondary/do_checkpoint PASS 60 ahci-test /x86_64/ahci/io/ncq/retry PASS 12 test-replication /replication/secondary/get_error_all ==11215==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bufferiszero -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bufferiszero" PASS 61 ahci-test /x86_64/ahci/flush/simple ==11225==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 62 ahci-test /x86_64/ahci/flush/retry ==11231==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11236==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 63 ahci-test /x86_64/ahci/flush/migrate ==11245==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11250==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 64 ahci-test /x86_64/ahci/migrate/sanity ==11260==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11265==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 65 ahci-test /x86_64/ahci/migrate/dma/simple ==11274==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11279==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 66 ahci-test /x86_64/ahci/migrate/dma/halted ==11288==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11293==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 67 ahci-test /x86_64/ahci/migrate/ncq/simple ==11302==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11307==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 68 ahci-test /x86_64/ahci/migrate/ncq/halted ==11316==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 69 ahci-test /x86_64/ahci/cdrom/eject ==11321==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 70 ahci-test /x86_64/ahci/cdrom/dma/single ==11327==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bufferiszero /cutils/bufferiszero MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-uuid -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-uuid" PASS 71 ahci-test /x86_64/ahci/cdrom/dma/multi --- PASS 1 test-qapi-util /qapi/util/qapi_enum_parse PASS 2 test-qapi-util /qapi/util/parse_qapi_name MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qgraph -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qgraph" ==11338==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-qgraph /qgraph/init_nop PASS 2 test-qgraph /qgraph/test_machine PASS 3 test-qgraph /qgraph/test_contains --- PASS 22 test-qgraph /qgraph/test_test_in_path PASS 23 test-qgraph /qgraph/test_double_edge PASS 72 ahci-test /x86_64/ahci/cdrom/pio/single ==11356==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==11356==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc4e18c000; bottom 0x7f8185ffe000; size: 0x007ac818e000 (527343083520) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 73 ahci-test /x86_64/ahci/cdrom/pio/multi ==11362==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 74 ahci-test /x86_64/ahci/cdrom/pio/bcl MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/hd-geo-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="hd-geo-test" PASS 1 hd-geo-test /x86_64/hd-geo/ide/none ==11376==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 hd-geo-test /x86_64/hd-geo/ide/drive/cd_0 ==11382==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/blank ==11388==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/lba ==11394==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/chs ==11400==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 hd-geo-test /x86_64/hd-geo/ide/device/mbr/blank ==11406==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 hd-geo-test /x86_64/hd-geo/ide/device/mbr/lba ==11412==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 hd-geo-test /x86_64/hd-geo/ide/device/mbr/chs ==11418==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 hd-geo-test /x86_64/hd-geo/ide/device/user/chs ==11423==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 hd-geo-test /x86_64/hd-geo/ide/device/user/chst MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/boot-order-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="boot-order-test" PASS 1 boot-order-test /x86_64/boot-order/pc --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11491==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 bios-tables-test /x86_64/acpi/piix4 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11497==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 bios-tables-test /x86_64/acpi/q35 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11503==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 bios-tables-test /x86_64/acpi/piix4/bridge Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11509==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 bios-tables-test /x86_64/acpi/piix4/ipmi Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11515==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 bios-tables-test /x86_64/acpi/piix4/cpuhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11522==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 bios-tables-test /x86_64/acpi/piix4/memhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11528==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 bios-tables-test /x86_64/acpi/piix4/numamem Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11534==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 bios-tables-test /x86_64/acpi/piix4/dimmpxm Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11543==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 bios-tables-test /x86_64/acpi/q35/bridge Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11549==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 bios-tables-test /x86_64/acpi/q35/mmio64 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11555==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 bios-tables-test /x86_64/acpi/q35/ipmi Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11561==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 bios-tables-test /x86_64/acpi/q35/cpuhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11568==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 bios-tables-test /x86_64/acpi/q35/memhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11574==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 bios-tables-test /x86_64/acpi/q35/numamem Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==11580==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 bios-tables-test /x86_64/acpi/q35/dimmpxm MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/boot-serial-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="boot-serial-test" PASS 1 boot-serial-test /x86_64/boot-serial/isapc --- PASS 1 i440fx-test /x86_64/i440fx/defaults PASS 2 i440fx-test /x86_64/i440fx/pam PASS 3 i440fx-test /x86_64/i440fx/firmware/bios ==11664==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 i440fx-test /x86_64/i440fx/firmware/pflash MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/fw_cfg-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="fw_cfg-test" PASS 1 fw_cfg-test /x86_64/fw_cfg/signature --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/drive_del-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="drive_del-test" PASS 1 drive_del-test /x86_64/drive_del/without-dev PASS 2 drive_del-test /x86_64/drive_del/after_failed_device_add ==11752==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 drive_del-test /x86_64/blockdev/drive_del_device_del MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/wdt_ib700-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="wdt_ib700-test" PASS 1 wdt_ib700-test /x86_64/wdt_ib700/pause --- PASS 1 usb-hcd-uhci-test /x86_64/uhci/pci/init PASS 2 usb-hcd-uhci-test /x86_64/uhci/pci/port1 PASS 3 usb-hcd-uhci-test /x86_64/uhci/pci/hotplug ==11947==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 usb-hcd-uhci-test /x86_64/uhci/pci/hotplug/usb-storage MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/usb-hcd-xhci-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="usb-hcd-xhci-test" PASS 1 usb-hcd-xhci-test /x86_64/xhci/pci/init PASS 2 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug ==11956==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug/usb-uas PASS 4 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug/usb-ccid MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/cpu-plug-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="cpu-plug-test" --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12062==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 vmgenid-test /x86_64/vmgenid/vmgenid/set-guid Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12068==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 vmgenid-test /x86_64/vmgenid/vmgenid/set-guid-auto Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12074==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 vmgenid-test /x86_64/vmgenid/vmgenid/query-monitor MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/tpm-crb-swtpm-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="tpm-crb-swtpm-test" SKIP 1 tpm-crb-swtpm-test /x86_64/tpm/crb-swtpm/test # SKIP swtpm not in PATH or missing --tpm2 support --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12179==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12184==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 migration-test /x86_64/migration/fd_proto Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12192==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12197==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 migration-test /x86_64/migration/postcopy/unix PASS 5 migration-test /x86_64/migration/postcopy/recovery Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12227==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12232==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 migration-test /x86_64/migration/precopy/unix Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12241==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12246==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 migration-test /x86_64/migration/precopy/tcp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12255==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==12260==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 migration-test /x86_64/migration/xbzrle/unix MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/test-x86-cpuid-compat -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-x86-cpuid-compat" PASS 1 test-x86-cpuid-compat /x86/cpuid/parsing-plus-minus --- PASS 6 numa-test /x86_64/numa/pc/dynamic/cpu MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/qmp-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="qmp-test" PASS 1 qmp-test /x86_64/qmp/protocol ==12589==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 qmp-test /x86_64/qmp/oob PASS 3 qmp-test /x86_64/qmp/preconfig PASS 4 qmp-test /x86_64/qmp/missing-any-arg --- PASS 5 device-introspect-test /x86_64/device/introspect/abstract-interfaces ================================================================= ==12837==ERROR: LeakSanitizer: detected memory leaks Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0x557b91372b6e in calloc (/tmp/qemu-test/build/x86_64-softmmu/qemu-system-x86_64+0x19f9b6e) --- SUMMARY: AddressSanitizer: 64 byte(s) leaked in 2 allocation(s). /tmp/qemu-test/src/tests/libqtest.c:137: kill_qemu() tried to terminate QEMU process but encountered exit status 1 ERROR - too few tests run (expected 6, got 5) make: *** [/tmp/qemu-test/src/tests/Makefile.include:896: check-qtest-x86_64] Error 1 make: *** Waiting for unfinished jobs.... Traceback (most recent call last): The full log is available at http://patchew.org/logs/20190703224707.12437-1-eblake@redhat.com/testing.asan/?type=message. --- Email generated automatically by Patchew [https://patchew.org/]. Please send your feedback to patchew-devel@redhat.com
On 04.07.19 00:47, Eric Blake wrote: > Although you generally won't use encryption with a Unix socket (after > all, everything is local, so why waste the CPU power), there are > situations in testsuites where Unix sockets are much nicer than TCP > sockets. Since nbdkit allows encryption over both types of sockets, > it makes sense for qemu-nbd to do likewise. Hmm. The code is simple enough, so I don’t see a good reason not to. > The restriction has been present since its introduction in commits > 145614a1 and 75822a12 (v2.6), where the former documented the > limitation but did not provide any additional explanation why it was > added; but looking closer, it seems the most likely reason is that > x509 verification requires a hostname. But we can do the same as > migration did, and add a tls-hostname parameter to supply that > information. > > Signed-off-by: Eric Blake <eblake@redhat.com> > > --- > > Since this is now adding a new qemu-nbd command-line option, as well > as new QMP for blockdev-add, it has missed 4.1 softfreeze and should > probably be delayed to 4.2. > > RFC: The test is racy - it sometimes passes, and sometimes fails with: > > == check TLS with authorization over Unix == > qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error > -qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error > +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort Well, the first thing is that over TCP, the reference output shows that it should indeed fail with ECONNABORTED. So to me it seems like EIO is actually the wrong error code. Um, also, a perhaps stupid question: Why is there no passing test for client authorization? > I suspect that there is a bug in the qio TLS channel code when it > comes to handling a failed TLS handshake, which results in the racy > output. I'll need help solving that first. It might also be nice if > we had a bit more visibility into the gnutls error message when TLS > handshake fails. Well, what I can see is that the error code comes from qcrypto_tls_session_read(). You get ECONNABORTED for GNUTLS_E_PREMATURE_TERMINATION, and EIO for GNUTLS_E_PULL_ERROR (under default; but that’s the error that appears if it isn’t PREMATURE_TERMINATION). So I suppose you get ECONNABORTED if the first read happens after the RST is received (or the equivalent on Unix sockets, I have no idea how they work on the low level); and you get EIO if you try to read before that (because the TLS connection has just not been established successfully). I have experimented a bit, but unfortunately couldn’t find anything to change the test results in any way... :/ > --- > qemu-nbd.texi | 3 ++ > qapi/block-core.json | 5 ++ > block/nbd.c | 27 +++++++++-- > qemu-nbd.c | 26 ++++++++--- > tests/qemu-iotests/233 | 94 ++++++++++++++++++++++++++++++++++++-- > tests/qemu-iotests/233.out | 61 +++++++++++++++++++++++-- > tests/qemu-iotests/group | 2 +- > 7 files changed, 198 insertions(+), 20 deletions(-) > > diff --git a/qemu-nbd.texi b/qemu-nbd.texi > index 7f55657722bd..764518baef84 100644 > --- a/qemu-nbd.texi > +++ b/qemu-nbd.texi > @@ -123,6 +123,9 @@ Store the server's process ID in the given file. > Specify the ID of a qauthz object previously created with the > --object option. This will be used to authorize connecting users > against their x509 distinguished name. > +@item --tls-hostname=NAME > +When using list mode with TLS over a Unix socket, supply the hostname > +to use during validation of the server's x509 certificate. > @item -v, --verbose > Display extra debugging information. > @item -h, --help qemu-nbd.c has some parameter documentation, too. Maybe this option should be listed there. > diff --git a/qapi/block-core.json b/qapi/block-core.json > index 0d43d4f37c1a..95da0d44c220 100644 > --- a/qapi/block-core.json > +++ b/qapi/block-core.json > @@ -3856,6 +3856,10 @@ > # > # @tls-creds: TLS credentials ID > # > +# @tls-hostname: Hostname of the server, required only when using x509 based > +# TLS credentials when @server lacks a hostname (such as > +# using a Unix socket). (Since 4.1) Well, 4.2 now. > +# > # @x-dirty-bitmap: A "qemu:dirty-bitmap:NAME" string to query in place of > # traditional "base:allocation" block status (see > # NBD_OPT_LIST_META_CONTEXT in the NBD protocol) (since 3.0) [...] > diff --git a/block/nbd.c b/block/nbd.c > index 81edabbf35ed..ce3db21190ce 100644 > --- a/block/nbd.c > +++ b/block/nbd.c [...] > @@ -1624,12 +1629,25 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, > goto error; > } > > - /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ > - if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) { > - error_setg(errp, "TLS only supported over IP sockets"); > + switch (s->saddr->type) { > + case SOCKET_ADDRESS_TYPE_INET: > + hostname = s->saddr->u.inet.host; > + if (qemu_opt_get(opts, "tls-hostname")) { > + error_setg(errp, "tls-hostname not required with inet socket"); This is more “not allowed”, right? (Actually, why not? We could make the information from @server a default, but this would override it. Maybe useful just for testing, but why not.) > + goto error; > + } > + break; > + case SOCKET_ADDRESS_TYPE_UNIX: > + hostname = qemu_opt_get(opts, "tls-hostname"); Shouldn’t we check that @hostname is non-NULL? As far as I read the code now, if this option doesn’t exist, “<null>” will be used as the hostname somewhere down the stack. Which probably gives a weird error. > + break; > + default: > + /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ > + error_setg(errp, "TLS only supported over IP or Unix sockets"); > goto error; > } > - hostname = s->saddr->u.inet.host; > + } else if (qemu_opt_get(opts, "tls-hostname")) { > + error_setg(errp, "tls-hostname not supported without tls-creds"); > + goto error; > } > > /* NBD handshake */ [...] > diff --git a/qemu-nbd.c b/qemu-nbd.c > index a8cb39e51043..40ea1e299dc7 100644 > --- a/qemu-nbd.c > +++ b/qemu-nbd.c [...] > @@ -931,18 +937,22 @@ int main(int argc, char **argv) > } > > if (tlscredsid) { > - if (sockpath) { > - error_report("TLS is only supported with IPv4/IPv6"); > - exit(EXIT_FAILURE); > - } > if (device) { > error_report("TLS is not supported with a host device"); > exit(EXIT_FAILURE); > } > if (tlsauthz && list) { > - error_report("TLS authorization is incompatible with export list"); > + error_report("TLS authorization is incompatible with --list"); > exit(EXIT_FAILURE); > } > + if (tlshost) { > + if (!list) { > + error_report("TLS hostname is only for use with --list"); > + exit(EXIT_FAILURE); > + } > + } else { > + tlshost = bindto; Again, I wonder whether there should be a nice error message here if bindto is NULL. > + } > tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err); > if (local_err) { > error_report("Failed to get TLS creds %s", [...] > diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out > index 9b46284ab0de..b86bee020649 100644 > --- a/tests/qemu-iotests/233.out > +++ b/tests/qemu-iotests/233.out [...] > +== check TLS works over Unix == > +image: nbd+unix://?socket=SOCKET > +file format: nbd > +virtual size: 64 MiB (67108864 bytes) > +disk size: unavailable This has worked surprisingly well considering you did not pass tls-hostname. On the same note: If I remove the tls-hostname option from the “perform I/O over TLS” test, it keeps working. > +image: nbd+unix://?socket=SOCKET > +file format: nbd > +virtual size: 64 MiB (67108864 bytes) > +disk size: unavailable > +qemu-nbd: Certificate does not match the hostname 0.0.0.0 Yeah, that’s a weird error message. I think it could be better. Max > +exports available: 1 > + export: '' > + size: 67108864 > + flags: 0x4ed ( flush fua trim zeroes df cache ) > + min block: 1 > + opt block: 4096 > + max block: 33554432 > + available meta contexts: 1 > + base:allocation
On Wed, Jul 03, 2019 at 05:47:07PM -0500, Eric Blake wrote: > Although you generally won't use encryption with a Unix socket (after > all, everything is local, so why waste the CPU power), there are > situations in testsuites where Unix sockets are much nicer than TCP > sockets. Since nbdkit allows encryption over both types of sockets, > it makes sense for qemu-nbd to do likewise. > > The restriction has been present since its introduction in commits > 145614a1 and 75822a12 (v2.6), where the former documented the > limitation but did not provide any additional explanation why it was > added; but looking closer, it seems the most likely reason is that > x509 verification requires a hostname. But we can do the same as > migration did, and add a tls-hostname parameter to supply that > information. Yes, the x509 cert validation is precisely the reason. The client must validate the hostname it is connecting to, against the x509 certificate received from the server. If it doesn't use IP, then it had no hostnmae to validate the cert against. Since that time though, we added support for PSK credentials with TLS which requires no hostname validation, so the restriction no longer makes sense. Adding ability to set a tls-hostname parameter further enables its use with x509 credentials. > RFC: The test is racy - it sometimes passes, and sometimes fails with: > > == check TLS with authorization over Unix == > qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error > -qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error > +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort It is a bit complex to debug this because unfortunately gnutls API doesn't allow us to propagate the root cause error accurately. We return ECONNABORTED when GNUTLS reports GNUTLS_E_PREMATURE_TERMINATION. It reports this when it tries to read a packet header and gets EOF from the socket. We return EIO in other cases where there's no GNUTLS error code we want to handle explicitly. With some debugging I find that GNUTLS is returned GNUTLS_E_PULL_ERROR which is a generic code it returns whenever the read() callback fails for a reason which isn't EAGAIN. With more debugging I find the original recvfrom() is returning ECONNRESET, so this is basically just another name for EOF. I'm curious why we see EOF sometimes and ECONNRESET at other times. I disabled the qio_channel_shutdown call on the server and that just changed to a different race. Now we sometimes get ECONNRESET, and sometimes get EIO when trying to send the first NBD option header instead. > I suspect that there is a bug in the qio TLS channel code when it > comes to handling a failed TLS handshake, which results in the racy > output. I'll need help solving that first. It might also be nice if > we had a bit more visibility into the gnutls error message when TLS > handshake fails. I'm not sure there is a bug - it feels like there's just a few different shutdown scenarios we can hit based on timing, due to the fact there is no synchronization with the client when we drop the connection if authz fails. > @@ -1624,12 +1629,25 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, > goto error; > } > > - /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ > - if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) { > - error_setg(errp, "TLS only supported over IP sockets"); > + switch (s->saddr->type) { > + case SOCKET_ADDRESS_TYPE_INET: > + hostname = s->saddr->u.inet.host; > + if (qemu_opt_get(opts, "tls-hostname")) { > + error_setg(errp, "tls-hostname not required with inet socket"); > + goto error; > + } We don't need to forbid this. Consider if you have setup an SSH tunnel from localhost:someport, over to your remote server. NBD will get told to connect to localhost, but will need to validate the cert against the real remote hostname. > + break; > + case SOCKET_ADDRESS_TYPE_UNIX: > + hostname = qemu_opt_get(opts, "tls-hostname"); > + break; > + default: > + /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ > + error_setg(errp, "TLS only supported over IP or Unix sockets"); > goto error; > } I don't think we need any of this switch, instead just something like thus: hostname = qemu_opt_get(opts, "tls-hostname"); if (!hostname) { if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) { hostname = s->sadddr->u.inet.host; } else { error_setg(errp, "tls-hostname is required for non-IP sockets"); goto error; } } > - hostname = s->saddr->u.inet.host; > + } else if (qemu_opt_get(opts, "tls-hostname")) { > + error_setg(errp, "tls-hostname not supported without tls-creds"); > + goto error; > } > > /* NBD handshake */ > @@ -1752,6 +1770,7 @@ static const char *const nbd_strong_runtime_opts[] = { > "port", > "export", > "tls-creds", > + "tls-hostname", > "server.", > > NULL > diff --git a/qemu-nbd.c b/qemu-nbd.c > index a8cb39e51043..40ea1e299dc7 100644 > --- a/qemu-nbd.c > +++ b/qemu-nbd.c > @@ -62,6 +62,7 @@ > #define QEMU_NBD_OPT_FORK 263 > #define QEMU_NBD_OPT_TLSAUTHZ 264 > #define QEMU_NBD_OPT_PID_FILE 265 > +#define QEMU_NBD_OPT_TLSHOST 266 > > #define MBR_SIZE 512 > > @@ -76,6 +77,7 @@ static int nb_fds; > static QIONetListener *server; > static QCryptoTLSCreds *tlscreds; > static const char *tlsauthz; > +static const char *tlshost; > > static void usage(const char *name) > { > @@ -640,6 +642,7 @@ int main(int argc, char **argv) > { "description", required_argument, NULL, 'D' }, > { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS }, > { "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, > + { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOST }, > { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, > { "trace", required_argument, NULL, 'T' }, > { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, > @@ -864,6 +867,9 @@ int main(int argc, char **argv) > case QEMU_NBD_OPT_TLSAUTHZ: > tlsauthz = optarg; > break; > + case QEMU_NBD_OPT_TLSHOST: > + tlshost = optarg; > + break; > case QEMU_NBD_OPT_FORK: > fork_process = true; > break; > @@ -931,18 +937,22 @@ int main(int argc, char **argv) > } > > if (tlscredsid) { > - if (sockpath) { > - error_report("TLS is only supported with IPv4/IPv6"); > - exit(EXIT_FAILURE); > - } > if (device) { > error_report("TLS is not supported with a host device"); > exit(EXIT_FAILURE); > } > if (tlsauthz && list) { > - error_report("TLS authorization is incompatible with export list"); > + error_report("TLS authorization is incompatible with --list"); > exit(EXIT_FAILURE); > } > + if (tlshost) { > + if (!list) { > + error_report("TLS hostname is only for use with --list"); > + exit(EXIT_FAILURE); > + } > + } else { > + tlshost = bindto; I was a bit confused by the "bindto" name being used as the hostname to connect to for the --list client. Perhas we should rename it to something neutral - just hostname perhaps. > + } > tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err); > if (local_err) { > error_report("Failed to get TLS creds %s", > @@ -954,11 +964,15 @@ int main(int argc, char **argv) > error_report("--tls-authz is not permitted without --tls-creds"); > exit(EXIT_FAILURE); > } > + if (tlshost) { > + error_report("--tls-hostname is not permitted without --tls-creds"); > + exit(EXIT_FAILURE); > + } > } > > if (list) { > saddr = nbd_build_socket_address(sockpath, bindto, port); > - return qemu_nbd_client_list(saddr, tlscreds, bindto); > + return qemu_nbd_client_list(saddr, tlscreds, tlshost); > } > > #if !HAVE_NBD_DEVICE Regards, Daniel
On Fri, Jul 05, 2019 at 11:31:51AM +0200, Max Reitz wrote: > On 04.07.19 00:47, Eric Blake wrote: > > diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out > > index 9b46284ab0de..b86bee020649 100644 > > --- a/tests/qemu-iotests/233.out > > +++ b/tests/qemu-iotests/233.out > > [...] > > > +== check TLS works over Unix == > > +image: nbd+unix://?socket=SOCKET > > +file format: nbd > > +virtual size: 64 MiB (67108864 bytes) > > +disk size: unavailable > > This has worked surprisingly well considering you did not pass tls-hostname. > > On the same note: If I remove the tls-hostname option from the “perform > I/O over TLS” test, it keeps working. Yeah, that's a bug in crypto/tlssession.c. It is assuming that the hostname will always be provided for sessions in client mode, which was valid previously as all sessions were TCP based. ie it assumed that if hostname was NULL, it was doing server side certificate validation. That assumption is bogus now we allow sessions on non-TCP, so we must fix the code thus: @@ -365,6 +367,14 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession *session, goto error; } } + if (!session->hostname && + session->creds->endpoint == + QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) { + error_setg(errp, + "No hostname available to validate against " + "server's x509 certificate"); + goto error; + } if (session->hostname) { if (!gnutls_x509_crt_check_hostname(cert, session->hostname)) { error_setg(errp, Regards, Daniel
On Wed, Jul 03, 2019 at 05:47:07PM -0500, Eric Blake wrote: > +== check TLS works over Unix == > +image: nbd+unix://?socket=SOCKET > +file format: nbd > +virtual size: 64 MiB (67108864 bytes) > +disk size: unavailable > +image: nbd+unix://?socket=SOCKET > +file format: nbd > +virtual size: 64 MiB (67108864 bytes) > +disk size: unavailable > +qemu-nbd: Certificate does not match the hostname 0.0.0.0 Seeing 0.0.0.0 is very odd since we don't specify that on the CLI anywhere. It looks like this is a side effect of reusing the "bindto" variable in --list mode, getting the default bind address of 0.0.0.0. We should ensure that this variable defaults to NULL when in --list mode I think, which will probably highlight the tlssession.c bug i mentioned. Regards, Daniel
On 7/5/19 4:31 AM, Max Reitz wrote: > On 04.07.19 00:47, Eric Blake wrote: >> Although you generally won't use encryption with a Unix socket (after >> all, everything is local, so why waste the CPU power), there are >> situations in testsuites where Unix sockets are much nicer than TCP >> sockets. Since nbdkit allows encryption over both types of sockets, >> it makes sense for qemu-nbd to do likewise. > > Hmm. The code is simple enough, so I don’t see a good reason not to. > > Um, also, a perhaps stupid question: Why is there no passing test for > client authorization? > Not a stupid question. It's copy-and-paste from the existing test over TCP, which Dan added in b25e12daf without any additional successful test I guess the earlier tests in the file are the success cases, and this just checks that authz restrictions cover the expected failure case of something that would succeed without authz? Or maybe that commit really is incomplete?
diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 7f55657722bd..764518baef84 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -123,6 +123,9 @@ Store the server's process ID in the given file. Specify the ID of a qauthz object previously created with the --object option. This will be used to authorize connecting users against their x509 distinguished name. +@item --tls-hostname=NAME +When using list mode with TLS over a Unix socket, supply the hostname +to use during validation of the server's x509 certificate. @item -v, --verbose Display extra debugging information. @item -h, --help diff --git a/qapi/block-core.json b/qapi/block-core.json index 0d43d4f37c1a..95da0d44c220 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -3856,6 +3856,10 @@ # # @tls-creds: TLS credentials ID # +# @tls-hostname: Hostname of the server, required only when using x509 based +# TLS credentials when @server lacks a hostname (such as +# using a Unix socket). (Since 4.1) +# # @x-dirty-bitmap: A "qemu:dirty-bitmap:NAME" string to query in place of # traditional "base:allocation" block status (see # NBD_OPT_LIST_META_CONTEXT in the NBD protocol) (since 3.0) @@ -3866,6 +3870,7 @@ 'data': { 'server': 'SocketAddress', '*export': 'str', '*tls-creds': 'str', + '*tls-hostname': 'str', '*x-dirty-bitmap': 'str' } } ## diff --git a/block/nbd.c b/block/nbd.c index 81edabbf35ed..ce3db21190ce 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -1577,6 +1577,11 @@ static QemuOptsList nbd_runtime_opts = { .type = QEMU_OPT_STRING, .help = "ID of the TLS credentials to use", }, + { + .name = "tls-hostname", + .type = QEMU_OPT_STRING, + .help = "hostname for x509 TLS credentials of target host", + }, { .name = "x-dirty-bitmap", .type = QEMU_OPT_STRING, @@ -1624,12 +1629,25 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, goto error; } - /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ - if (s->saddr->type != SOCKET_ADDRESS_TYPE_INET) { - error_setg(errp, "TLS only supported over IP sockets"); + switch (s->saddr->type) { + case SOCKET_ADDRESS_TYPE_INET: + hostname = s->saddr->u.inet.host; + if (qemu_opt_get(opts, "tls-hostname")) { + error_setg(errp, "tls-hostname not required with inet socket"); + goto error; + } + break; + case SOCKET_ADDRESS_TYPE_UNIX: + hostname = qemu_opt_get(opts, "tls-hostname"); + break; + default: + /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ + error_setg(errp, "TLS only supported over IP or Unix sockets"); goto error; } - hostname = s->saddr->u.inet.host; + } else if (qemu_opt_get(opts, "tls-hostname")) { + error_setg(errp, "tls-hostname not supported without tls-creds"); + goto error; } /* NBD handshake */ @@ -1752,6 +1770,7 @@ static const char *const nbd_strong_runtime_opts[] = { "port", "export", "tls-creds", + "tls-hostname", "server.", NULL diff --git a/qemu-nbd.c b/qemu-nbd.c index a8cb39e51043..40ea1e299dc7 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -62,6 +62,7 @@ #define QEMU_NBD_OPT_FORK 263 #define QEMU_NBD_OPT_TLSAUTHZ 264 #define QEMU_NBD_OPT_PID_FILE 265 +#define QEMU_NBD_OPT_TLSHOST 266 #define MBR_SIZE 512 @@ -76,6 +77,7 @@ static int nb_fds; static QIONetListener *server; static QCryptoTLSCreds *tlscreds; static const char *tlsauthz; +static const char *tlshost; static void usage(const char *name) { @@ -640,6 +642,7 @@ int main(int argc, char **argv) { "description", required_argument, NULL, 'D' }, { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS }, { "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, + { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOST }, { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, @@ -864,6 +867,9 @@ int main(int argc, char **argv) case QEMU_NBD_OPT_TLSAUTHZ: tlsauthz = optarg; break; + case QEMU_NBD_OPT_TLSHOST: + tlshost = optarg; + break; case QEMU_NBD_OPT_FORK: fork_process = true; break; @@ -931,18 +937,22 @@ int main(int argc, char **argv) } if (tlscredsid) { - if (sockpath) { - error_report("TLS is only supported with IPv4/IPv6"); - exit(EXIT_FAILURE); - } if (device) { error_report("TLS is not supported with a host device"); exit(EXIT_FAILURE); } if (tlsauthz && list) { - error_report("TLS authorization is incompatible with export list"); + error_report("TLS authorization is incompatible with --list"); exit(EXIT_FAILURE); } + if (tlshost) { + if (!list) { + error_report("TLS hostname is only for use with --list"); + exit(EXIT_FAILURE); + } + } else { + tlshost = bindto; + } tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err); if (local_err) { error_report("Failed to get TLS creds %s", @@ -954,11 +964,15 @@ int main(int argc, char **argv) error_report("--tls-authz is not permitted without --tls-creds"); exit(EXIT_FAILURE); } + if (tlshost) { + error_report("--tls-hostname is not permitted without --tls-creds"); + exit(EXIT_FAILURE); + } } if (list) { saddr = nbd_build_socket_address(sockpath, bindto, port); - return qemu_nbd_client_list(saddr, tlscreds, bindto); + return qemu_nbd_client_list(saddr, tlscreds, tlshost); } #if !HAVE_NBD_DEVICE diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index a5c17c39639d..1891a3a65084 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -30,7 +30,7 @@ _cleanup() { nbd_server_stop _cleanup_test_img - # If we aborted early we want to see this log for diagnosis + # If we aborted early we want to see these logs for diagnosis test -f "$TEST_DIR/server.log" && cat "$TEST_DIR/server.log" rm -f "$TEST_DIR/server.log" tls_x509_cleanup @@ -67,7 +67,7 @@ _make_test_img 64M $QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" | _filter_qemu_io echo -echo "== check TLS client to plain server fails ==" +echo "== check TLS client to plain TCP server fails ==" nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log" obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 @@ -80,7 +80,7 @@ $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \ nbd_server_stop echo -echo "== check plain client to TLS server fails ==" +echo "== check plain client to TLS TCP server fails ==" nbd_server_start_tcp_socket \ --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \ @@ -91,7 +91,7 @@ $QEMU_IMG info nbd://localhost:$nbd_tcp_port 2>&1 | sed "s/$nbd_tcp_port/PORT/g" $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port echo -echo "== check TLS works ==" +echo "== check TLS works over TCP ==" obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 $QEMU_IMG info --image-opts --object $obj1 \ @@ -123,7 +123,7 @@ $QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \ $QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" | _filter_qemu_io echo -echo "== check TLS with authorization ==" +echo "== check TLS with authorization over TCP ==" nbd_server_stop @@ -145,6 +145,90 @@ $QEMU_IMG info --image-opts \ driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \ 2>&1 | sed "s/$nbd_tcp_port/PORT/g" +nbd_server_stop + +echo +echo "== check TLS client to plain Unix server fails ==" +nbd_server_start_unix_socket -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" + +obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=localhost \ + 2>&1 | sed "s,$nbd_unix_socket,SOCKET,g" +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj --tls-creds=tls0 + +nbd_server_stop + +echo +echo "== check plain client to TLS Unix server fails ==" + +nbd_server_start_unix_socket \ + --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \ + --tls-creds tls0 \ + -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" + +$QEMU_IMG info nbd+unix://\?socket=$nbd_unix_socket \ + 2>&1 | sed "s,$nbd_unix_socket,SOCKET,g" +$QEMU_NBD_PROG -L -k $nbd_unix_socket + +echo +echo "== check TLS works over Unix ==" +obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 +obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \ + 2>&1 | sed "s,$nbd_unix_socket,SOCKET,g" +$QEMU_IMG info --image-opts --object $obj2 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=localhost \ + 2>&1 | sed "s,$nbd_unix_socket,SOCKET,g" +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 \ + --tls-hostname=localhost + +echo +echo "== check TLS with different CA fails ==" +obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0 +$QEMU_IMG info --image-opts --object $obj \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=localhost \ + 2>&1 | sed "s,$nbd_unix_socket,SOCKET,g" +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj \ + --tls-creds=tls0 --tls-hostname=localhost + +echo +echo "== perform I/O over TLS ==" +QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT +$QEMU_IO -c 'r -P 0x22 1m 1m' -c 'w -P 0x33 1m 1m' --image-opts \ + --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=localhost \ + 2>&1 | _filter_qemu_io + +$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x33 1m 1m' "$TEST_IMG" | _filter_qemu_io + +echo +echo "== check TLS with authorization over Unix ==" + +nbd_server_stop + +nbd_server_start_unix_socket \ + --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \ + --object "authz-simple,id=authz0,identity=CN=localhost,, \ + O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \ + --tls-authz authz0 \ + --tls-creds tls0 \ + -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" + +$QEMU_IMG info --image-opts \ + --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=localhost \ + 2>&1 | sed "s,$nbd_unix_socket,SOCKET,g" + +$QEMU_IMG info --image-opts \ + --object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \ + driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=localhost \ + 2>&1 | sed "s,$nbd_unix_socket,SOCKET,g" + +nbd_server_stop + echo echo "== final server log ==" cat "$TEST_DIR/server.log" diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index 9b46284ab0de..b86bee020649 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out @@ -13,19 +13,19 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 wrote 1048576/1048576 bytes at offset 1048576 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) -== check TLS client to plain server fails == +== check TLS client to plain TCP server fails == qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Denied by server for option 5 (starttls) server reported: TLS not configured qemu-nbd: Denied by server for option 5 (starttls) server reported: TLS not configured -== check plain client to TLS server fails == +== check plain client to TLS TCP server fails == qemu-img: Could not open 'nbd://localhost:PORT': TLS negotiation required before option 8 (structured reply) server reported: Option 0x8 not permitted before TLS qemu-nbd: TLS negotiation required before option 8 (structured reply) server reported: Option 0x8 not permitted before TLS -== check TLS works == +== check TLS works over TCP == image: nbd://127.0.0.1:PORT file format: nbd virtual size: 64 MiB (67108864 bytes) @@ -56,13 +56,66 @@ wrote 1048576/1048576 bytes at offset 1048576 read 1048576/1048576 bytes at offset 1048576 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) -== check TLS with authorization == +== check TLS with authorization over TCP == qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort +== check TLS client to plain Unix server fails == +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Denied by server for option 5 (starttls) +server reported: TLS not configured +qemu-nbd: Denied by server for option 5 (starttls) +server reported: TLS not configured + +== check plain client to TLS Unix server fails == +qemu-img: Could not open 'nbd+unix://?socket=SOCKET': TLS negotiation required before option 8 (structured reply) +server reported: Option 0x8 not permitted before TLS +qemu-nbd: TLS negotiation required before option 8 (structured reply) +server reported: Option 0x8 not permitted before TLS + +== check TLS works over Unix == +image: nbd+unix://?socket=SOCKET +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +image: nbd+unix://?socket=SOCKET +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +qemu-nbd: Certificate does not match the hostname 0.0.0.0 +exports available: 1 + export: '' + size: 67108864 + flags: 0x4ed ( flush fua trim zeroes df cache ) + min block: 1 + opt block: 4096 + max block: 33554432 + available meta contexts: 1 + base:allocation + +== check TLS with different CA fails == +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': The certificate hasn't got a known issuer +qemu-nbd: The certificate hasn't got a known issuer + +== perform I/O over TLS == +read 1048576/1048576 bytes at offset 1048576 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +wrote 1048576/1048576 bytes at offset 1048576 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +read 1048576/1048576 bytes at offset 1048576 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +== check TLS with authorization over Unix == +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error + == final server log == qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: Verify failed: No certificate was found. +qemu-nbd: option negotiation failed: Verify failed: No certificate was found. +qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied +qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied *** done diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group index b34c8e3c0c6d..7d02363f14bd 100644 --- a/tests/qemu-iotests/group +++ b/tests/qemu-iotests/group @@ -245,7 +245,7 @@ 229 auto quick 231 auto quick 232 quick -233 auto quick +233 auto 234 quick migration 235 quick 236 quick
Although you generally won't use encryption with a Unix socket (after all, everything is local, so why waste the CPU power), there are situations in testsuites where Unix sockets are much nicer than TCP sockets. Since nbdkit allows encryption over both types of sockets, it makes sense for qemu-nbd to do likewise. The restriction has been present since its introduction in commits 145614a1 and 75822a12 (v2.6), where the former documented the limitation but did not provide any additional explanation why it was added; but looking closer, it seems the most likely reason is that x509 verification requires a hostname. But we can do the same as migration did, and add a tls-hostname parameter to supply that information. Signed-off-by: Eric Blake <eblake@redhat.com> --- Since this is now adding a new qemu-nbd command-line option, as well as new QMP for blockdev-add, it has missed 4.1 softfreeze and should probably be delayed to 4.2. RFC: The test is racy - it sometimes passes, and sometimes fails with: == check TLS with authorization over Unix == qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error -qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Input/output error +qemu-img: Could not open 'driver=nbd,path=SOCKET,tls-creds=tls0,tls-hostname=localhost': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort I suspect that there is a bug in the qio TLS channel code when it comes to handling a failed TLS handshake, which results in the racy output. I'll need help solving that first. It might also be nice if we had a bit more visibility into the gnutls error message when TLS handshake fails. --- qemu-nbd.texi | 3 ++ qapi/block-core.json | 5 ++ block/nbd.c | 27 +++++++++-- qemu-nbd.c | 26 ++++++++--- tests/qemu-iotests/233 | 94 ++++++++++++++++++++++++++++++++++++-- tests/qemu-iotests/233.out | 61 +++++++++++++++++++++++-- tests/qemu-iotests/group | 2 +- 7 files changed, 198 insertions(+), 20 deletions(-)