Fix the test suite on s390x

libvirt-4.7.0-5.fc29
CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115) CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients (bz #1722462, bz #1720114) CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API (bz #1722464, bz #1720117) CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz #1722466, bz #1720118) CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide Failed to attache NEW rbd device to guest (bz #1672620) PCI hostdev interface segfault (bz #1692053)
2019-06-20 16:45:14 -04:00 · 2019-06-20 13:02:52 -04:00 · 2019-05-21 17:06:47 +01:00 · 2019-05-14 19:45:59 +01:00 · 2019-04-02 11:57:46 -04:00 · 2018-09-04 10:43:47 +01:00
31 changed files with 1322 additions and 1185 deletions
@@ -1,32 +0,0 @@
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 21 May 2018 23:05:07 +0100
-Subject: [PATCH] cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-New microcode introduces the "Speculative Store Bypass Disable"
-CPUID feature bit. This needs to be exposed to guest OS to allow
-them to protect against CVE-2018-3639.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
-(cherry picked from commit 1dbca2eccad58d91a5fd33962854f1a653638182)
---
- src/cpu/cpu_map.xml | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
-index 00a43b172c..245aec3309 100644
--- a/src/cpu/cpu_map.xml
-+++ b/src/cpu/cpu_map.xml
-@@ -298,6 +298,9 @@
-     <feature name='spec-ctrl'>
-       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
-     </feature>
-+    <feature name='ssbd'>
-+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
-+    </feature>
- 
-     <!-- Processor Extended State Enumeration sub leaf 1 -->
-     <feature name='xsaveopt'>
@@ -0,0 +1,112 @@
+From: Andrea Bolognani <abologna@redhat.com>
+Date: Wed, 27 Feb 2019 18:41:35 +0100
+Subject: [PATCH] qemu: Allow creating ppc64 guests with graphics and no USB
+ mouse
+
+The existing behavior for ppc64 guests is to always add a USB
+keyboard and mouse combo if graphics are present; unfortunately,
+this means any attempt to use a USB tablet will cause both pointing
+devices to show up in the guest, which in turn will result in poor
+user experience.
+
+We can't just stop adding the USB mouse or start adding a USB tablet
+instead, because existing applications and users might rely on the
+current behavior; however, we can avoid adding the USB mouse if a USB
+tablet is already present, thus allowing users and applications to
+create guests that contain a single pointing device.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1683681
+
+Signed-off-by: Andrea Bolognani <abologna@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit 186bb479d0f409dc75175bea48a760838c479a6c)
+---
+ src/qemu/qemu_domain.c                        | 20 ++++++++
+ .../ppc64-pseries-graphics.ppc64-latest.args  | 47 +++++++++++++++++++
+ 2 files changed, 67 insertions(+)
+ create mode 100644 tests/qemuxml2argvdata/ppc64-pseries-graphics.ppc64-latest.args
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index f161cf6c84..764ffacb2e 100644
+--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
+@@ -3384,6 +3384,26 @@ qemuDomainDefAddDefaultDevices(virDomainDefPtr def,
+         def->memballoon = memballoon;
+     }
+ 
+    if (addDefaultUSBMouse) {
+        bool hasUSBTablet = false;
+        size_t j;
+
+        for (j = 0; j < def->ninputs; j++) {
+            if (def->inputs[j]->type == VIR_DOMAIN_INPUT_TYPE_TABLET &&
+                def->inputs[j]->bus == VIR_DOMAIN_INPUT_BUS_USB) {
+                hasUSBTablet = true;
+                break;
+            }
+        }
+
+        /* Historically, we have automatically added USB keyboard and
+         * mouse to some guests. While the former device is generally
+         * safe to have, adding the latter is undesiderable if a USB
+         * tablet is already present in the guest */
+        if (hasUSBTablet)
+            addDefaultUSBMouse = false;
+    }
+
+     if (addDefaultUSBKBD &&
+         def->ngraphics > 0 &&
+         virDomainDefMaybeAddInput(def,
+diff --git a/tests/qemuxml2argvdata/ppc64-pseries-graphics.ppc64-latest.args b/tests/qemuxml2argvdata/ppc64-pseries-graphics.ppc64-latest.args
+new file mode 100644
+index 0000000000..b81648f078
+--- /dev/null
+++ b/tests/qemuxml2argvdata/ppc64-pseries-graphics.ppc64-latest.args
+@@ -0,0 +1,47 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-ppc64 \
+-name guest=guest,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-guest/master-key.aes \
+-machine pseries,accel=tcg,usb=off,dump-guest-core=off \
+-m 4096 \
+-realtime mlock=off \
+-smp 4,sockets=4,cores=1,threads=1 \
+-uuid b35969f7-e7cf-4d90-a9a0-4dd9000f9824 \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x2 \
+-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x3 \
+-drive file=/var/lib/libvirt/images/guest.qcow2,format=qcow2,if=none,\
+id=drive-virtio-disk0 \
+-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
+id=virtio-disk0,bootindex=1 \
+-netdev user,id=hostnet0 \
+-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:a2:44:92,bus=pci.0,\
+addr=0x1 \
+-chardev pty,id=charserial0 \
+-device spapr-vty,chardev=charserial0,id=serial0,reg=0x30000000 \
+-chardev socket,id=charchannel0,fd=1729,server,nowait \
+-device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,\
+id=channel0,name=org.qemu.guest_agent.0 \
+-device usb-tablet,id=input0,bus=usb.0,port=1 \
+-device usb-kbd,id=input1,bus=usb.0,port=2 \
+-vnc 127.0.0.1:0 \
+-device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x7 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 \
+-object rng-random,id=objrng0,filename=/dev/urandom \
+-device virtio-rng-pci,rng=objrng0,id=rng0,bus=pci.0,addr=0x6 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
@@ -0,0 +1,34 @@
+From: John Ferlan <jferlan@redhat.com>
+Date: Fri, 7 Sep 2018 16:01:27 -0400
+Subject: [PATCH] qemu: Remove duplicated qemuAgentCheckError
+
+Commit 5b3492fadb moved qemuAgentCheckError calls into
+qemuAgentCommand for various reasons; however, subsequent
+commit 0977b8aa0 adding a new command made call again
+So let's just remove the duplicitous call from
+qemuAgentGetInterfaces.
+
+Signed-off-by: John Ferlan <jferlan@redhat.com>
+ACKed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 9ed175fbc2deecfdaeabca7bc77c7e7ae33a3377)
+---
+ src/qemu/qemu_agent.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index bf08871f18..d235c058a5 100644
+--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
+@@ -1987,10 +1987,9 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
+     if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL)))
+         goto cleanup;
+ 
+-    if (qemuAgentCommand(mon, cmd, &reply, false, VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0 ||
+-        qemuAgentCheckError(cmd, reply) < 0) {
+    if (qemuAgentCommand(mon, cmd, &reply, false,
+                         VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0)
+         goto cleanup;
+-    }
+ 
+     if (!(ret_array = virJSONValueObjectGet(reply, "return"))) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -1,65 +0,0 @@
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 5 Mar 2018 12:46:16 +0000
-Subject: [PATCH] tests: force use of "NORMAL" TLS priority in test suite
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When generating certificates we rely on GNUTLS' built-in default setup
-for the ciphers used in the certs. We then currently run with the distro
-specific TLS priority setup which can be much stronger, to the extent
-that the certificates we generate are considered untrustworthy. We don't
-care about the quality of the ciphers we use in the test suite, so just
-force the priority to "NORMAL" which should ensure our certs are
-accepted by GNUTLS.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
- tests/virnettlscontexttest.c | 4 ++--
- tests/virnettlssessiontest.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
-index 089c10e964..86647f3014 100644
--- a/tests/virnettlscontexttest.c
-+++ b/tests/virnettlscontexttest.c
-@@ -72,7 +72,7 @@ static int testTLSContextInit(const void *opaque)
-                                          data->crt,
-                                          KEYFILE,
-                                          NULL,
-                                         NULL,
-+                                         "NORMAL",
-                                          true,
-                                          true);
-     } else {
-@@ -80,7 +80,7 @@ static int testTLSContextInit(const void *opaque)
-                                          NULL,
-                                          data->crt,
-                                          KEYFILE,
-                                         NULL,
-+                                         "NORMAL",
-                                          true,
-                                          true);
-     }
-diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
-index 6d639e5b16..7e85607181 100644
--- a/tests/virnettlssessiontest.c
-+++ b/tests/virnettlssessiontest.c
-@@ -113,7 +113,7 @@ static int testTLSSessionInit(const void *opaque)
-                                            data->servercrt,
-                                            KEYFILE,
-                                            data->wildcards,
-                                           NULL,
-+                                           "NORMAL",
-                                            false,
-                                            true);
- 
-@@ -121,7 +121,7 @@ static int testTLSSessionInit(const void *opaque)
-                                            NULL,
-                                            data->clientcrt,
-                                            KEYFILE,
-                                           NULL,
-+                                           "NORMAL",
-                                            false,
-                                            true);
- 
@@ -1,42 +0,0 @@
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 21 May 2018 23:05:08 +0100
-Subject: [PATCH] cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some AMD processors only support a non-architectural means of
-enabling Speculative Store Bypass Disable. To allow simplified
-handling in virtual environments, hypervisors will expose an
-architectural definition through CPUID bit 0x80000008_EBX[25].
-This needs to be exposed to guest OS running on AMD x86 hosts to
-allow them to protect against CVE-2018-3639.
-
-Note that since this CPUID bit won't be present in the host CPUID
-results on physical hosts, it will not be enabled automatically
-in guests configured with "host-model" CPU unless using QEMU
-version >= 2.9.0. Thus for older versions of QEMU, this feature
-must be manually enabled using policy=force. Guests using the
-"host-passthrough" CPU mode do not need special handling.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
-(cherry picked from commit 9267342206ce17f6933d57a3128cdc504d5945c9)
---
- src/cpu/cpu_map.xml | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
-index 245aec3309..96daa0f9af 100644
--- a/src/cpu/cpu_map.xml
-+++ b/src/cpu/cpu_map.xml
-@@ -433,6 +433,9 @@
-     <feature name='ibpb'>
-       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
-     </feature>
-+    <feature name='virt-ssbd'>
-+      <cpuid eax_in='0x80000008' ebx='0x02000000'/>
-+    </feature>
- 
-     <!-- models -->
-     <model name='486'>
@@ -0,0 +1,40 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 4 Jan 2019 10:17:46 +0100
+Subject: [PATCH] qemu: require reply from guest agent in
+ qemuAgentGetInterfaces
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since its introduction in commit 0977b8aa071 (released in v1.2.14)
+qemuAgentGetInterfaces calls qemuAgentCommand with needReply=false,
+which allows qemuAgentCommand to return 0 even when it did not get
+any reply from the agent.
+
+Set needReply to true, since we dereference it right after.
+
+This can be hit if libvirt is waiting for an event from the agent
+(e.g. shutdown) and the agent cannot reply in time (e.g. due to
+the guest being shut down), as reported in:
+https://bugzilla.redhat.com/show_bug.cgi?id=1663051
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 7cfd1fbb1332ae5df678b9f41a62156cb2e88c73)
+---
+ src/qemu/qemu_agent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index d235c058a5..af0c054f99 100644
+--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
+@@ -1987,7 +1987,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
+     if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL)))
+         goto cleanup;
+ 
+-    if (qemuAgentCommand(mon, cmd, &reply, false,
+    if (qemuAgentCommand(mon, cmd, &reply, true,
+                          VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0)
+         goto cleanup;
+ 
@@ -1,7 +1,6 @@
-From 8d6ab7976fa691763fc05a154f2bab865d435b00 Mon Sep 17 00:00:00 2001
 From: Jiri Denemark <jdenemar@redhat.com>
 Date: Fri, 5 Apr 2019 11:33:32 +0200
-Subject: [PATCH 1/4] cpu_x86: Do not cache microcode version
+Subject: [PATCH] cpu_x86: Do not cache microcode version
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -21,10 +20,10 @@ Reviewed-by: Ján Tomko <jtomko@redhat.com>
 1 file changed, 1 insertion(+), 4 deletions(-)

 diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
-index b2398c5ad2..38cab15c59 100644
+index cb27550025..ce48ca6867 100644
 --- a/src/cpu/cpu_x86.c
 +++ b/src/cpu/cpu_x86.c
-@@ -154,7 +154,6 @@ struct _virCPUx86Map {
+@@ -163,7 +163,6 @@ struct _virCPUx86Map {
 };
 
 static virCPUx86MapPtr cpuMap;
@@ -32,7 +31,7 @@ index b2398c5ad2..38cab15c59 100644
 
 int virCPUx86DriverOnceInit(void);
 VIR_ONCE_GLOBAL_INIT(virCPUx86Driver);
-@@ -1413,8 +1412,6 @@ virCPUx86DriverOnceInit(void)
+@@ -1331,8 +1330,6 @@ virCPUx86DriverOnceInit(void)
     if (!(cpuMap = virCPUx86LoadMap()))
         return -1;
 
@@ -41,7 +40,7 @@ index b2398c5ad2..38cab15c59 100644
     return 0;
 }
 
-@@ -2454,7 +2451,7 @@ virCPUx86GetHost(virCPUDefPtr cpu,
+@@ -2372,7 +2369,7 @@ virCPUx86GetHost(virCPUDefPtr cpu,
         goto cleanup;
 
     ret = x86DecodeCPUData(cpu, cpuData, models);
@@ -50,6 +49,3 @@ index b2398c5ad2..38cab15c59 100644
 
  cleanup:
     virCPUx86DataFree(cpuData);
-- 
-2.21.0
-
@@ -1,31 +0,0 @@
-From: Jim Fehlig <jfehlig@suse.com>
-Date: Wed, 14 Mar 2018 16:42:39 -0600
-Subject: [PATCH] lockd: fix typo in virtlockd-admin.socket
-
-Commit ce7ae55ea1 introduced a typo in virtlockd-admin socket file
-
-/usr/lib/systemd/system/virtlockd-admin.socket:7: Unknown lvalue
-'Server' in section 'Socket'
-
-Change 'Server' to 'Service'.
-
-Signed-off-by: Jim Fehlig <jfehlig@suse.com>
-Reviewed-by: Erik Skultety <eskultet@redhat.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
- src/locking/virtlockd-admin.socket.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
-index 1fa0a3dc33..2a7500f3d0 100644
--- a/src/locking/virtlockd-admin.socket.in
-+++ b/src/locking/virtlockd-admin.socket.in
-@@ -4,7 +4,7 @@ Before=libvirtd.service
- 
- [Socket]
- ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
-Server=virtlockd.service
-+Service=virtlockd.service
- 
- [Install]
- WantedBy=sockets.target
@@ -1,105 +0,0 @@
-From: Laine Stump <laine@laine.org>
-Date: Wed, 25 Apr 2018 17:12:03 -0400
-Subject: [PATCH] nwfilter: increase pcap buffer size to be compatible with
- TPACKET_V3
-
-When an nwfilter rule sets the parameter CTRL_IP_LEARNING to "dhcp",
-this turns on the "dhcpsnoop" thread, which uses libpcap to monitor
-traffic on the domain's tap device and extract the IP address from the
-DHCP response.
-
-If libpcap on the host is built with HAVE_TPACKET3 defined (to enable
-support for TPACKET_V3), the dhcpsnoop code's initialization of the
-libpcap socket would fail with the following error:
-
-  virNWFilterSnoopDHCPOpen:1134 : internal error: pcap_setfilter: can't remove kernel filter: Bad file descriptor
-
-It turns out that this was because TPACKET_V3 requires a larger buffer
-size than libvirt was setting (we were setting it to 128k). Changing
-the buffer size to 256k eliminates the error, and the dhcpsnoop thread
-once again works properly.
-
-A fuller explanation of why TPACKET_V3 requires such a large buffer,
-for future git spelunkers:
-
-libpcap calls setsockopt(... SOL_PACKET, PACKET_RX_RING...) to setup a
-ring buffer for receiving packets; two of the attributes sent to this
-API are called tp_frame_size, and tp_frame_nr. If libpcap was built
-with HAVE_TPACKET3 defined, tp_trame_size is set to MAXIMUM_SNAPLEN
-(defined in libpcap sources as 262144) and tp_frame_nr is set to:
-
- [the buffer size we set, i.e. PCAP_BUFFERSIZE i.e. 262144] / tp_frame_size.
-
-So if PCAP_BUFFERSIZE < MAXIMUM_SNAPLEN, then tp_frame_nr (the number
-of frames in the ring buffer) is 0, which is nonsensical. This same
-value is later used as a multiplier to determine the size for a call
-to malloc() (which would also fail).
-
-(NB: if HAVE_TPACKET3 is *not* defined, then tp_frame_size is set to
-the snaplen set by the user (in our case 576) plus a small amount to
-account for ethernet headers, so 256k is far more than adequate)
-
-Since the TPACKET_V3 code in libpcap actually reads multiple packets
-into each frame, it's not a problem to have only a single frame
-(especially when we are monitoring such infrequent traffic), so it's
-okay to set this relatively small buffer size (in comparison to the
-default, which is 2MB), which is important since every guest using
-dhcp snooping in a nwfilter rule will hold 2 of these buffers for the
-entire life of the guest.
-
-Thanks to Christian Ehrhardt for discovering that buffer size was the
-problem (this was not at all obvious from the error that was logged!)
-
-Resolves: https://bugzilla.redhat.com/1547237
-Fixes: https://bugs.launchpad.net/libvirt/+bug/1758037
-
-Signed-off-by: Laine Stump <laine@laine.org>
-Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> (V1)
-Reviewed-by: John Ferlan <jferlan@redhat.com>
-Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
- src/nwfilter/nwfilter_dhcpsnoop.c | 22 +++++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
-index 6069e70460..50cfb944a2 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
-+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
-@@ -256,10 +256,21 @@ struct _virNWFilterDHCPDecodeJob {
- # define DHCP_BURST_INTERVAL_S  10 /* sec */
- 
- /*
- * libpcap 1.5 requires a 128kb buffer
- * 128 kb is bigger than (DHCP_PKT_BURST * PCAP_PBUFSIZE / 2)
-+ * NB: Any libpcap built with HAVE_TPACKET3 will require
-+ * PCAP_BUFFERSIZE to be at least 262144 (although
-+ * pcap_set_buffer_size() with a lower value will succeed, and the
-+ * error will only show up later when pcap_setfilter() is called).
-+ *
-+ * It is possible that in the future libpcap could increase the
-+ * minimum size even further, but due to the fact that each guest
-+ * using dhcp snooping keeps 2 pcap sockets open (and thus 2 buffers
-+ * allocated) for the life of the guest, we want to minimize the
-+ * length of the buffer, so instead of leaving it at the default size
-+ * (2MB), we are setting it to the minimum viable size and including
-+ * this clue in the source to help quickly resolve the problem when/if
-+ * it reoccurs.
-  */
-# define PCAP_BUFFERSIZE        (128 * 1024)
-+# define PCAP_BUFFERSIZE        (256 * 1024)
- 
- # define MAX_QUEUED_JOBS        (DHCP_PKT_BURST + 2 * DHCP_PKT_RATE)
- 
-@@ -1114,6 +1125,11 @@ virNWFilterSnoopDHCPOpen(const char *ifname, virMacAddr *mac,
-         goto cleanup_nohandle;
-     }
- 
-+    /* IMPORTANT: If there is any failure of *any* pcap_* function
-+     * during setup of the socket, look to the comment where
-+     * PCAP_BUFFERSIZE is defined. It may be too small, even if the
-+     * generated error doesn't imply that.
-+     */
-     if (pcap_set_snaplen(handle, PCAP_PBUFSIZE) < 0 ||
-         pcap_set_buffer_size(handle, PCAP_BUFFERSIZE) < 0 ||
-         pcap_activate(handle) < 0) {
@@ -1,7 +1,6 @@
-From cb6bcb0312a33a0b6a48d0ee1f368c9080e4a13d Mon Sep 17 00:00:00 2001
 From: Jiri Denemark <jdenemar@redhat.com>
 Date: Fri, 12 Apr 2019 21:21:05 +0200
-Subject: [PATCH 2/4] qemu: Don't cache microcode version
+Subject: [PATCH] qemu: Don't cache microcode version
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -19,14 +18,10 @@ Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
 Reviewed-by: Ján Tomko <jtomko@redhat.com>
 (cherry picked from commit 673c62a3b7855a0685d8f116e227c402720b9ee9)

-CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
-
 Conflicts:
-	src/qemu/qemu_capabilities.c
+        src/qemu/qemu_capabilities.c
            - virQEMUCapsCacheLookupByArch refactoring (commits
              7948ad4129a and 1a3de67001c) are missing
-            - commit a7424faff0f "Force QMP capability probing" is
-              missing downstream

 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 ---
@@ -37,19 +32,19 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 4 files changed, 11 insertions(+), 15 deletions(-)

 diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
-index b5eb8cf46a..17eb6579bf 100644
+index a075677421..eaf369f5b1 100644
 --- a/src/qemu/qemu_capabilities.c
 +++ b/src/qemu/qemu_capabilities.c
-@@ -5343,7 +5343,7 @@ virQEMUCapsNewData(const char *binary,
+@@ -4700,7 +4700,7 @@ virQEMUCapsNewData(const char *binary,
                                            priv->libDir,
                                            priv->runUid,
                                            priv->runGid,
 -                                           priv->microcodeVersion,
 +                                           virHostCPUGetMicrocodeVersion(),
-                                            priv->kernelVersion,
-                                            false);
+                                            priv->kernelVersion);
 }
-@@ -5427,8 +5427,7 @@ virFileCachePtr
+ 
+@@ -4783,8 +4783,7 @@ virFileCachePtr
 virQEMUCapsCacheNew(const char *libDir,
                     const char *cacheDir,
                     uid_t runUid,
@@ -59,7 +54,7 @@ index b5eb8cf46a..17eb6579bf 100644
 {
     char *capsCacheDir = NULL;
     virFileCachePtr cache = NULL;
-@@ -5452,7 +5451,6 @@ virQEMUCapsCacheNew(const char *libDir,
+@@ -4808,7 +4807,6 @@ virQEMUCapsCacheNew(const char *libDir,
 
     priv->runUid = runUid;
     priv->runGid = runGid;
@@ -67,7 +62,7 @@ index b5eb8cf46a..17eb6579bf 100644
 
     if (uname(&uts) == 0 &&
         virAsprintf(&priv->kernelVersion, "%s %s", uts.release, uts.version) < 0)
-@@ -5473,8 +5471,11 @@ virQEMUCapsPtr
+@@ -4829,8 +4827,11 @@ virQEMUCapsPtr
 virQEMUCapsCacheLookup(virFileCachePtr cache,
                        const char *binary)
 {
@@ -79,7 +74,7 @@ index b5eb8cf46a..17eb6579bf 100644
     ret = virFileCacheLookup(cache, binary);
 
     VIR_DEBUG("Returning caps %p for %s", ret, binary);
-@@ -5520,10 +5521,13 @@ virQEMUCapsPtr
+@@ -4876,10 +4877,13 @@ virQEMUCapsPtr
 virQEMUCapsCacheLookupByArch(virFileCachePtr cache,
                              virArch arch)
 {
@@ -94,10 +89,10 @@ index b5eb8cf46a..17eb6579bf 100644
     if (!ret) {
         /* If the first attempt at finding capabilities has failed, try
 diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
-index c2ec2be193..7fd51f5fa0 100644
+index 3d3a978759..956babc7eb 100644
 --- a/src/qemu/qemu_capabilities.h
 +++ b/src/qemu/qemu_capabilities.h
-@@ -524,8 +524,7 @@ void virQEMUCapsFilterByMachineType(virQEMUCapsPtr qemuCaps,
+@@ -574,8 +574,7 @@ void virQEMUCapsFilterByMachineType(virQEMUCapsPtr qemuCaps,
 virFileCachePtr virQEMUCapsCacheNew(const char *libDir,
                                     const char *cacheDir,
                                     uid_t uid,
@@ -108,10 +103,10 @@ index c2ec2be193..7fd51f5fa0 100644
                                       const char *binary);
 virQEMUCapsPtr virQEMUCapsCacheLookupCopy(virFileCachePtr cache,
 diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
-index 96454c17c0..bb38904090 100644
+index a0f7c71675..75f8699e7d 100644
 --- a/src/qemu/qemu_driver.c
 +++ b/src/qemu/qemu_driver.c
-@@ -610,8 +610,6 @@ qemuStateInitialize(bool privileged,
+@@ -592,8 +592,6 @@ qemuStateInitialize(bool privileged,
     char *hugepagePath = NULL;
     char *memoryBackingPath = NULL;
     size_t i;
@@ -120,7 +115,7 @@ index 96454c17c0..bb38904090 100644
 
     if (VIR_ALLOC(qemu_driver) < 0)
         return -1;
-@@ -831,15 +829,10 @@ qemuStateInitialize(bool privileged,
+@@ -813,15 +811,10 @@ qemuStateInitialize(bool privileged,
         run_gid = cfg->group;
     }
 
@@ -138,10 +133,10 @@ index 96454c17c0..bb38904090 100644
         goto error;
 
 diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c
-index f8182033fc..2c7124bf26 100644
+index 8438613f28..4e53f03f9e 100644
 --- a/tests/testutilsqemu.c
 +++ b/tests/testutilsqemu.c
-@@ -603,7 +603,7 @@ int qemuTestDriverInit(virQEMUDriver *driver)
+@@ -707,7 +707,7 @@ int qemuTestDriverInit(virQEMUDriver *driver)
 
     /* Using /dev/null for libDir and cacheDir automatically produces errors
      * upon attempt to use any of them */
@@ -150,6 +145,3 @@ index f8182033fc..2c7124bf26 100644
     if (!driver->qemuCapsCache)
         goto error;
 
-- 
-2.21.0
-
@@ -1,7 +1,6 @@
-From 36151b10d3e1f8f92f4ad6b8200ce5355b7f96f0 Mon Sep 17 00:00:00 2001
 From: Jiri Denemark <jdenemar@redhat.com>
 Date: Fri, 5 Apr 2019 11:19:30 +0200
-Subject: [PATCH 3/4] cputest: Add data for Intel(R) Xeon(R) CPU E3-1225 v5
+Subject: [PATCH] cputest: Add data for Intel(R) Xeon(R) CPU E3-1225 v5
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -15,19 +14,20 @@ Conflicts:
 	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
 	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
            - intel-pt feature is missing
+	    - stibp feature is missing

 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 ---
 tests/cputest.c                               |   1 +
 .../x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml |   7 +
 .../x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml  |   8 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml    |  27 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml     |  28 +
- .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml     |  11 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml    |  26 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml     |  27 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml     |  10 +
 .../x86_64-cpuid-Xeon-E3-1225-v5.json         | 652 ++++++++++++++++++
 .../x86_64-cpuid-Xeon-E3-1225-v5.sig          |   4 +
 .../x86_64-cpuid-Xeon-E3-1225-v5.xml          |  47 ++
- 9 files changed, 785 insertions(+)
+ 9 files changed, 782 insertions(+)
 create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
 create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
 create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
@@ -38,10 +38,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml

 diff --git a/tests/cputest.c b/tests/cputest.c
-index 1e79edbef7..2df1d28e39 100644
+index baf2b3c648..fbb2a86af8 100644
 --- a/tests/cputest.c
 +++ b/tests/cputest.c
-@@ -1189,6 +1189,7 @@ mymain(void)
+@@ -1190,6 +1190,7 @@ mymain(void)
     DO_TEST_CPUID(VIR_ARCH_X86_64, "Phenom-B95", JSON_HOST);
     DO_TEST_CPUID(VIR_ARCH_X86_64, "Ryzen-7-1800X-Eight-Core", JSON_HOST);
     DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-5110", JSON_NONE);
@@ -78,10 +78,10 @@ index 0000000000..0deca9fba6
 +</cpudata>
 diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
 new file mode 100644
-index 0000000000..141c01c841
+index 0000000000..993db80cc9
 --- /dev/null
 +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,26 @@
 +<cpu mode='custom' match='exact'>
 +  <model fallback='forbid'>Skylake-Client-IBRS</model>
 +  <vendor>Intel</vendor>
@@ -103,7 +103,6 @@ index 0000000000..141c01c841
 +  <feature policy='require' name='osxsave'/>
 +  <feature policy='require' name='tsc_adjust'/>
 +  <feature policy='require' name='clflushopt'/>
-+  <feature policy='require' name='stibp'/>
 +  <feature policy='require' name='ssbd'/>
 +  <feature policy='require' name='xsaves'/>
 +  <feature policy='require' name='pdpe1gb'/>
@@ -111,10 +110,10 @@ index 0000000000..141c01c841
 +</cpu>
 diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
 new file mode 100644
-index 0000000000..53bfc9728d
+index 0000000000..074a39ba1d
 --- /dev/null
 +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,27 @@
 +<cpu>
 +  <arch>x86_64</arch>
 +  <model>Skylake-Client-IBRS</model>
@@ -137,7 +136,6 @@ index 0000000000..53bfc9728d
 +  <feature name='osxsave'/>
 +  <feature name='tsc_adjust'/>
 +  <feature name='clflushopt'/>
-+  <feature name='stibp'/>
 +  <feature name='ssbd'/>
 +  <feature name='xsaves'/>
 +  <feature name='pdpe1gb'/>
@@ -145,10 +143,10 @@ index 0000000000..53bfc9728d
 +</cpu>
 diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
 new file mode 100644
-index 0000000000..1f321db273
+index 0000000000..1984bd4cf2
 --- /dev/null
 +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,10 @@
 +<cpu mode='custom' match='exact'>
 +  <model fallback='forbid'>Skylake-Client-IBRS</model>
 +  <vendor>Intel</vendor>
@@ -156,7 +154,6 @@ index 0000000000..1f321db273
 +  <feature policy='require' name='hypervisor'/>
 +  <feature policy='require' name='tsc_adjust'/>
 +  <feature policy='require' name='clflushopt'/>
-+  <feature policy='require' name='stibp'/>
 +  <feature policy='require' name='ssbd'/>
 +  <feature policy='require' name='pdpe1gb'/>
 +</cpu>
@@ -881,6 +878,3 @@ index 0000000000..437429d61d
 +  <cpuid eax_in='0x80860000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
 +  <cpuid eax_in='0xc0000000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
 +</cpudata>
-- 
-2.21.0
-
@@ -1,253 +0,0 @@
-From: Vincent Bernat <vincent@bernat.im>
-Date: Tue, 10 Apr 2018 08:27:15 +0200
-Subject: [PATCH] util: don't check for parallel iteration in hash-related
- functions
-
-This is the responsability of the caller to apply the correct lock
-before using these functions. Moreover, the use of a simple boolean
-was still racy: two threads may check the boolean and "lock" it
-simultaneously.
-
-Users of functions from src/util/virhash.c have to be checked for
-correctness. Lookups and iteration should hold a RO
-lock. Modifications should hold a RW lock.
-
-Most important uses seem to be covered. Callers have now a greater
-responsability, notably the ability to execute some operations while
-iterating were reliably forbidden before are now accepted.
-
-Signed-off-by: Vincent Bernat <vincent@bernat.im>
-(cherry picked from commit 4d7384eb9ddef2008cb0cc165eb808f74bc83d6b)
---
- src/util/virhash.c  | 37 --------------------
- tests/virhashtest.c | 83 ---------------------------------------------
- 2 files changed, 120 deletions(-)
-
-diff --git a/src/util/virhash.c b/src/util/virhash.c
-index 0ffbfcce2c..475c2b0281 100644
--- a/src/util/virhash.c
-+++ b/src/util/virhash.c
-@@ -41,12 +41,6 @@ VIR_LOG_INIT("util.hash");
- 
- /* #define DEBUG_GROW */
- 
-#define virHashIterationError(ret) \
-    do { \
-        VIR_ERROR(_("Hash operation not allowed during iteration")); \
-        return ret; \
-    } while (0)
-
- /*
-  * A single entry in the hash table
-  */
-@@ -66,10 +60,6 @@ struct _virHashTable {
-     uint32_t seed;
-     size_t size;
-     size_t nbElems;
-    /* True iff we are iterating over hash entries. */
-    bool iterating;
-    /* Pointer to the current entry during iteration. */
-    virHashEntryPtr current;
-     virHashDataFree dataFree;
-     virHashKeyCode keyCode;
-     virHashKeyEqual keyEqual;
-@@ -339,9 +329,6 @@ virHashAddOrUpdateEntry(virHashTablePtr table, const void *name,
-     if ((table == NULL) || (name == NULL))
-         return -1;
- 
-    if (table->iterating)
-        virHashIterationError(-1);
-
-     key = virHashComputeKey(table, name);
- 
-     /* Check for duplicate entry */
-@@ -551,9 +538,6 @@ virHashRemoveEntry(virHashTablePtr table, const void *name)
-     nextptr = table->table + virHashComputeKey(table, name);
-     for (entry = *nextptr; entry; entry = entry->next) {
-         if (table->keyEqual(entry->name, name)) {
-            if (table->iterating && table->current != entry)
-                virHashIterationError(-1);
-
-             if (table->dataFree)
-                 table->dataFree(entry->payload, entry->name);
-             if (table->keyFree)
-@@ -593,18 +577,11 @@ virHashForEach(virHashTablePtr table, virHashIterator iter, void *data)
-     if (table == NULL || iter == NULL)
-         return -1;
- 
-    if (table->iterating)
-        virHashIterationError(-1);
-
-    table->iterating = true;
-    table->current = NULL;
-     for (i = 0; i < table->size; i++) {
-         virHashEntryPtr entry = table->table[i];
-         while (entry) {
-             virHashEntryPtr next = entry->next;
-            table->current = entry;
-             ret = iter(entry->payload, entry->name, data);
-            table->current = NULL;
- 
-             if (ret < 0)
-                 goto cleanup;
-@@ -615,7 +592,6 @@ virHashForEach(virHashTablePtr table, virHashIterator iter, void *data)
- 
-     ret = 0;
-  cleanup:
-    table->iterating = false;
-     return ret;
- }
- 
-@@ -643,11 +619,6 @@ virHashRemoveSet(virHashTablePtr table,
-     if (table == NULL || iter == NULL)
-         return -1;
- 
-    if (table->iterating)
-        virHashIterationError(-1);
-
-    table->iterating = true;
-    table->current = NULL;
-     for (i = 0; i < table->size; i++) {
-         virHashEntryPtr *nextptr = table->table + i;
- 
-@@ -667,7 +638,6 @@ virHashRemoveSet(virHashTablePtr table,
-             }
-         }
-     }
-    table->iterating = false;
- 
-     return count;
- }
-@@ -723,23 +693,16 @@ void *virHashSearch(const virHashTable *ctable,
-     if (table == NULL || iter == NULL)
-         return NULL;
- 
-    if (table->iterating)
-        virHashIterationError(NULL);
-
-    table->iterating = true;
-    table->current = NULL;
-     for (i = 0; i < table->size; i++) {
-         virHashEntryPtr entry;
-         for (entry = table->table[i]; entry; entry = entry->next) {
-             if (iter(entry->payload, entry->name, data)) {
-                table->iterating = false;
-                 if (name)
-                     *name = table->keyCopy(entry->name);
-                 return entry->payload;
-             }
-         }
-     }
-    table->iterating = false;
- 
-     return NULL;
- }
-diff --git a/tests/virhashtest.c b/tests/virhashtest.c
-index 3b85b62c30..e9c03c1afb 100644
--- a/tests/virhashtest.c
-+++ b/tests/virhashtest.c
-@@ -221,32 +221,6 @@ testHashRemoveForEachAll(void *payload ATTRIBUTE_UNUSED,
- }
- 
- 
-const int testHashCountRemoveForEachForbidden = ARRAY_CARDINALITY(uuids);
-
-static int
-testHashRemoveForEachForbidden(void *payload ATTRIBUTE_UNUSED,
-                               const void *name,
-                               void *data)
-{
-    virHashTablePtr hash = data;
-    size_t i;
-
-    for (i = 0; i < ARRAY_CARDINALITY(uuids_subset); i++) {
-        if (STREQ(uuids_subset[i], name)) {
-            int next = (i + 1) % ARRAY_CARDINALITY(uuids_subset);
-
-            if (virHashRemoveEntry(hash, uuids_subset[next]) == 0) {
-                VIR_TEST_VERBOSE(
-                        "\nentry \"%s\" should not be allowed to be removed",
-                        uuids_subset[next]);
-            }
-            break;
-        }
-    }
-    return 0;
-}
-
-
- static int
- testHashRemoveForEach(const void *data)
- {
-@@ -303,61 +277,6 @@ testHashSteal(const void *data ATTRIBUTE_UNUSED)
- }
- 
- 
-static int
-testHashIter(void *payload ATTRIBUTE_UNUSED,
-             const void *name ATTRIBUTE_UNUSED,
-             void *data ATTRIBUTE_UNUSED)
-{
-    return 0;
-}
-
-static int
-testHashForEachIter(void *payload ATTRIBUTE_UNUSED,
-                    const void *name ATTRIBUTE_UNUSED,
-                    void *data)
-{
-    virHashTablePtr hash = data;
-
-    if (virHashAddEntry(hash, uuids_new[0], NULL) == 0)
-        VIR_TEST_VERBOSE("\nadding entries in ForEach should be forbidden");
-
-    if (virHashUpdateEntry(hash, uuids_new[0], NULL) == 0)
-        VIR_TEST_VERBOSE("\nupdating entries in ForEach should be forbidden");
-
-    if (virHashSteal(hash, uuids_new[0]) != NULL)
-        VIR_TEST_VERBOSE("\nstealing entries in ForEach should be forbidden");
-
-    if (virHashSteal(hash, uuids_new[0]) != NULL)
-        VIR_TEST_VERBOSE("\nstealing entries in ForEach should be forbidden");
-
-    if (virHashForEach(hash, testHashIter, NULL) >= 0)
-        VIR_TEST_VERBOSE("\niterating through hash in ForEach"
-                " should be forbidden");
-    return 0;
-}
-
-static int
-testHashForEach(const void *data ATTRIBUTE_UNUSED)
-{
-    virHashTablePtr hash;
-    int ret = -1;
-
-    if (!(hash = testHashInit(0)))
-        return -1;
-
-    if (virHashForEach(hash, testHashForEachIter, hash)) {
-        VIR_TEST_VERBOSE("\nvirHashForEach didn't go through all entries");
-        goto cleanup;
-    }
-
-    ret = 0;
-
- cleanup:
-    virHashFree(hash);
-    return ret;
-}
-
-
- static int
- testHashRemoveSetIter(const void *payload ATTRIBUTE_UNUSED,
-                       const void *name,
-@@ -628,9 +547,7 @@ mymain(void)
-     DO_TEST("Remove", Remove);
-     DO_TEST_DATA("Remove in ForEach", RemoveForEach, Some);
-     DO_TEST_DATA("Remove in ForEach", RemoveForEach, All);
-    DO_TEST_DATA("Remove in ForEach", RemoveForEach, Forbidden);
-     DO_TEST("Steal", Steal);
-    DO_TEST("Forbidden ops in ForEach", ForEach);
-     DO_TEST("RemoveSet", RemoveSet);
-     DO_TEST("Search", Search);
-     DO_TEST("GetItems", GetItems);
@@ -1,12 +1,11 @@
-From 7bde733e906a9eb513448fd58201a333a1793811 Mon Sep 17 00:00:00 2001
 From: Jiri Denemark <jdenemar@redhat.com>
-Date: Fri, 5 Apr 2019 15:11:20 +0200
-Subject: [PATCH 4/4] cpu_map: Define md-clear CPUID bit
+Date: Tue, 9 Apr 2019 12:35:52 +0200
+Subject: [PATCH] cpu_map: Define md-clear CPUID bit
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

-CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 The bit is set when microcode provides the mechanism to invoke a flush
 of various exploitable CPU buffers by invoking the VERW instruction.
@@ -17,40 +16,41 @@ Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
 (cherry picked from commit 538d873571d7a682852dc1d70e5f4478f4d64e85)

 Conflicts:
-	src/cpu_map/x86_features.xml
-            - no CPU map split downstream
+        src/cpu_map/x86_features.xml
+            - missing pconfig feature

-	tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml
-	tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml
+        tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml
+        tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml
            - test data missing downstream

-	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-	tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-            - intel-pt feature is missing downstream
+        tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+        tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+            - intel-pt feature is missing
+	    - stibp feature is missing

 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 ---
- src/cpu/cpu_map.xml                                        | 3 +++
+ src/cpu_map/x86_features.xml                               | 3 +++
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +-
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml   | 1 +
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml    | 1 +
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml    | 1 +
 5 files changed, 7 insertions(+), 1 deletion(-)

-diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
-index 96daa0f9af..250e241df9 100644
--- a/src/cpu/cpu_map.xml
-+++ b/src/cpu/cpu_map.xml
-@@ -295,6 +295,9 @@
-     <feature name='avx512-4fmaps'>
-       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/>
-     </feature>
-+    <feature name='md-clear'> <!-- md_clear -->
-+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>
-+    </feature>
-     <feature name='spec-ctrl'>
-       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
-     </feature>
+diff --git a/src/cpu_map/x86_features.xml b/src/cpu_map/x86_features.xml
+index 109c653dbc..c8ae540ccc 100644
+--- a/src/cpu_map/x86_features.xml
+++ b/src/cpu_map/x86_features.xml
+@@ -290,6 +290,9 @@
+   <feature name='avx512-4fmaps'>
+     <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/>
+   </feature>
+  <feature name='md-clear'> <!-- md_clear -->
+    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>
+  </feature>
+   <feature name='spec-ctrl'>
+     <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
+   </feature>
 diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
 index 0deca9fba6..74763a462b 100644
 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
@@ -65,7 +65,7 @@ index 0deca9fba6..74763a462b 100644
   <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
 </cpudata>
 diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-index 141c01c841..3b3472742e 100644
+index 993db80cc9..29c1fdb80a 100644
 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
 +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
@@ -19,6 +19,7 @@
@@ -73,11 +73,11 @@ index 141c01c841..3b3472742e 100644
   <feature policy='require' name='tsc_adjust'/>
   <feature policy='require' name='clflushopt'/>
 +  <feature policy='require' name='md-clear'/>
-   <feature policy='require' name='stibp'/>
   <feature policy='require' name='ssbd'/>
   <feature policy='require' name='xsaves'/>
+   <feature policy='require' name='pdpe1gb'/>
 diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-index 53bfc9728d..df4f97417c 100644
+index 074a39ba1d..2003ca9ef6 100644
 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
 +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
@@ -20,6 +20,7 @@
@@ -85,11 +85,11 @@ index 53bfc9728d..df4f97417c 100644
   <feature name='tsc_adjust'/>
   <feature name='clflushopt'/>
 +  <feature name='md-clear'/>
-   <feature name='stibp'/>
   <feature name='ssbd'/>
   <feature name='xsaves'/>
+   <feature name='pdpe1gb'/>
 diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-index 1f321db273..a5591278df 100644
+index 1984bd4cf2..d6529c59a3 100644
 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
 +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
@@ -5,6 +5,7 @@
@@ -97,9 +97,6 @@ index 1f321db273..a5591278df 100644
   <feature policy='require' name='tsc_adjust'/>
   <feature policy='require' name='clflushopt'/>
 +  <feature policy='require' name='md-clear'/>
-   <feature policy='require' name='stibp'/>
   <feature policy='require' name='ssbd'/>
   <feature policy='require' name='pdpe1gb'/>
-- 
-2.21.0
-
+ </cpu>
@@ -1,64 +0,0 @@
-From: Matthias Bolte <matthias.bolte@googlemail.com>
-Date: Thu, 2 Aug 2018 17:33:37 +0200
-Subject: [PATCH] esx: Fix double-free and freeing static strings in
- esxDomainSetAutostart
-
-Since commit ae83e02f3dd7fe99fed5d8159a35b666fafeafd5#l3393 the
-newPowerInfo pointer itself is used to track the ownership of the
-AutoStartPowerInfo object to make Coverity understand the code better.
-This broke the code that unset some members of the AutoStartPowerInfo
-object that should not be freed the normal way.
-
-Instead, transfer ownership of the AutoStartPowerInfo object to the
-HostAutoStartManagerConfig object before filling in the values that
-need special handling. This allows to free the AutoStartPowerInfo
-directly without having to deal with the special values, or to let
-the old (now restored) logic handle the special values again.
-
-Signed-off-by: Matthias Bolte <matthias.bolte@googlemail.com>
-Tested-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
-Reviewed-by: John Ferlan <jferlan@redhat.com>
-(cherry picked from commit 3ad77f853230f870efa396636e008292c7f2b1c0)
---
- src/esx/esx_driver.c | 14 ++++----------
- 1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
-index b065cdc513..9a7006c6e5 100644
--- a/src/esx/esx_driver.c
-+++ b/src/esx/esx_driver.c
-@@ -3422,7 +3422,10 @@ esxDomainSetAutostart(virDomainPtr domain, int autostart)
-     if (esxVI_AutoStartPowerInfo_Alloc(&newPowerInfo) < 0 ||
-         esxVI_Int_Alloc(&newPowerInfo->startOrder) < 0 ||
-         esxVI_Int_Alloc(&newPowerInfo->startDelay) < 0 ||
-        esxVI_Int_Alloc(&newPowerInfo->stopDelay) < 0) {
-+        esxVI_Int_Alloc(&newPowerInfo->stopDelay) < 0 ||
-+        esxVI_AutoStartPowerInfo_AppendToList(&spec->powerInfo,
-+                                              newPowerInfo) < 0) {
-+        esxVI_AutoStartPowerInfo_Free(&newPowerInfo);
-         goto cleanup;
-     }
- 
-@@ -3434,13 +3437,6 @@ esxDomainSetAutostart(virDomainPtr domain, int autostart)
-     newPowerInfo->stopDelay->value = -1; /* use system default */
-     newPowerInfo->stopAction = (char *)"none";
- 
-    if (esxVI_AutoStartPowerInfo_AppendToList(&spec->powerInfo,
-                                              newPowerInfo) < 0) {
-        goto cleanup;
-    }
-
-    newPowerInfo = NULL;
-
-     if (esxVI_ReconfigureAutostart
-           (priv->primary,
-            priv->primary->hostSystem->configManager->autoStartManager,
-@@ -3462,8 +3458,6 @@ esxDomainSetAutostart(virDomainPtr domain, int autostart)
-     esxVI_AutoStartDefaults_Free(&defaults);
-     esxVI_AutoStartPowerInfo_Free(&powerInfoList);
- 
-    esxVI_AutoStartPowerInfo_Free(&newPowerInfo);
-
-     return result;
- }
- 
@@ -1,8 +1,7 @@
-From 39fb5ab3125d1669344bab94ccb71bce814d9ae2 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 30 Apr 2019 17:26:13 +0100
-Subject: [PATCH 1/3] admin: reject clients unless their UID matches the
- current UID
+Subject: [PATCH] admin: reject clients unless their UID matches the current
+ UID
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -53,6 +52,3 @@ index b78ff902c0..9f25813ae3 100644
 
     if (VIR_ALLOC(priv) < 0)
         return NULL;
-- 
-2.21.0
-
@@ -1,7 +1,6 @@
-From 41f06e6095e17b61b2af35821d204afc5c34777c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 30 Apr 2019 16:51:37 +0100
-Subject: [PATCH 2/3] locking: restrict sockets to mode 0600
+Subject: [PATCH] locking: restrict sockets to mode 0600
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -46,6 +45,3 @@ index 45e0f20235..d701b27516 100644
 
 [Install]
 WantedBy=sockets.target
-- 
-2.21.0
-
@@ -1,7 +1,6 @@
-From f0e014133104cdb5af5c7d96a7aa6dc0f1bbb03c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 30 Apr 2019 17:27:41 +0100
-Subject: [PATCH 3/3] logging: restrict sockets to mode 0600
+Subject: [PATCH] logging: restrict sockets to mode 0600
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -46,6 +45,3 @@ index 22b9360c8d..ae48cdab9a 100644
 
 [Install]
 WantedBy=sockets.target
-- 
-2.21.0
-
@@ -0,0 +1,80 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 08:47:42 +0200
+Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
+---
+ src/libvirt-domain.c         | 10 ++--------
+ src/qemu/qemu_driver.c       |  2 +-
+ src/remote/remote_protocol.x |  3 +--
+ 3 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index ef460277f7..cda579180b 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
+  * previously by virDomainSave() or virDomainSaveFlags().
+  *
+  * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections.  For this API, @flags should not contain either
+ * VIR_DOMAIN_XML_SECURE
+  * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+  *
+  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+@@ -1091,12 +1090,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(file, error);
+-
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
+-        goto error;
+-    }
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainSaveImageGetXMLDesc) {
+         char *ret;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 75f8699e7d..933f71c7b8 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -6791,7 +6791,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
+     if (fd < 0)
+         goto cleanup;
+ 
+-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+     ret = qemuDomainDefFormatXML(driver, def, flags);
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 28c8febabd..52b92334fa 100644
+--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
+@@ -5226,8 +5226,7 @@ enum remote_procedure {
+     /**
+      * @generate: both
+      * @priority: high
+-     * @acl: domain:read
+-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 
@@ -0,0 +1,33 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 09:14:53 +0200
+Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a)
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index cda579180b..4c0355180e 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -9483,6 +9483,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+ 
+     virCheckDomainReturn(domain, -1);
+     conn = domain->conn;
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainManagedSaveDefineXML) {
+         int ret;
@@ -1,56 +0,0 @@
-From 4cb90fa2335b75a0fc39440853bd681955b326a4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 14 May 2019 21:09:59 +0100
-Subject: [PATCH] cputest: remove stibp flag from test data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-stibp flag doesn't exist in this maint branch.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 1 -
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml  | 1 -
- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml  | 1 -
- 3 files changed, 3 deletions(-)
-
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-index 3b3472742e..29c1fdb80a 100644
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
-@@ -20,7 +20,6 @@
-   <feature policy='require' name='tsc_adjust'/>
-   <feature policy='require' name='clflushopt'/>
-   <feature policy='require' name='md-clear'/>
-  <feature policy='require' name='stibp'/>
-   <feature policy='require' name='ssbd'/>
-   <feature policy='require' name='xsaves'/>
-   <feature policy='require' name='pdpe1gb'/>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-index df4f97417c..2003ca9ef6 100644
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
-@@ -21,7 +21,6 @@
-   <feature name='tsc_adjust'/>
-   <feature name='clflushopt'/>
-   <feature name='md-clear'/>
-  <feature name='stibp'/>
-   <feature name='ssbd'/>
-   <feature name='xsaves'/>
-   <feature name='pdpe1gb'/>
-diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-index a5591278df..d6529c59a3 100644
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
-@@ -6,7 +6,6 @@
-   <feature policy='require' name='tsc_adjust'/>
-   <feature policy='require' name='clflushopt'/>
-   <feature policy='require' name='md-clear'/>
-  <feature policy='require' name='stibp'/>
-   <feature policy='require' name='ssbd'/>
-   <feature policy='require' name='pdpe1gb'/>
- </cpu>
-- 
-2.21.0
-
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 09:16:14 +0200
+Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26)
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 4c0355180e..8ecb964381 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -11275,6 +11275,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+     virResetLastError();
+ 
+     virCheckConnectReturn(conn, NULL);
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectGetDomainCapabilities) {
+         char *ret;
@@ -0,0 +1,39 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 09:17:39 +0200
+Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291)
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee250..2978825d22 100644
+--- a/src/libvirt-host.c
+++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+     virCheckNonNullArgGoto(xmlCPU, error);
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectCompareHypervisorCPU) {
+         int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(xmlCPUs, error);
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectBaselineHypervisorCPU) {
+         char *cpu;
@@ -0,0 +1,32 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 27 Mar 2019 10:59:58 +0000
+Subject: [PATCH] api: disallow virDomainGetHostname for read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainGetHostname API is fetching guest information and this may
+involve use of an untrusted guest agent. As such its use must be
+forbidden on a read-only connection to libvirt.
+
+Fixes CVE-2019-3886
+Reviewed-by: Jim Fehlig <jfehlig@suse.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 2a07c990bd9143d7a0fe8d1b6b7c763c52185240)
+---
+ src/libvirt-domain.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 8ecb964381..cc2f61275d 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -10940,6 +10940,8 @@ virDomainGetHostname(virDomainPtr domain, unsigned int flags)
+     virCheckDomainReturn(domain, NULL);
+     conn = domain->conn;
+ 
+    virCheckReadOnlyGoto(domain->conn->flags, error);
+
+     if (conn->driver->domainGetHostname) {
+         char *ret;
+         ret = conn->driver->domainGetHostname(domain, flags);
@@ -0,0 +1,42 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 27 Mar 2019 11:22:49 +0000
+Subject: [PATCH] remote: enforce ACL write permission for getting guest time &
+ hostname
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Getting the guest time and hostname both require use of guest agent
+commands. These must not be allowed for read-only users, so the
+permissions check must validate "write" permission not "read".
+
+Fixes CVE-2019-3886
+Reviewed-by: Jim Fehlig <jfehlig@suse.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit ae076bb40e0e150aef41361b64001138d04d6c60)
+---
+ src/remote/remote_protocol.x | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 52b92334fa..58ab4ab039 100644
+--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
+@@ -5496,7 +5496,7 @@ enum remote_procedure {
+ 
+     /**
+      * @generate: both
+-     * @acl: domain:read
+     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
+ 
+@@ -5891,7 +5891,7 @@ enum remote_procedure {
+ 
+     /**
+      * @generate: none
+-     * @acl: domain:read
+     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_GET_TIME = 337,
+ 
@@ -0,0 +1,75 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 24 Sep 2018 16:49:01 +0200
+Subject: [PATCH] Revert "qemu: hotplug: Prepare disk source in
+ qemuDomainAttachDeviceDiskLive"
+
+Preparing the storage source prior to assigning the alias will not work
+as the names of the certain objects depend on the alias for the legacy
+hotplug case as we generate the object names for the secrets based on
+the alias.
+
+This reverts commit 192fdaa614e3800255048a8a70c1292ccf18397a.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit 9ac196997839a29486029a02d8f519df54ae0186)
+---
+ src/qemu/qemu_hotplug.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
+index 4f290b5648..421cc2c174 100644
+--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
+@@ -781,6 +781,7 @@ qemuDomainAttachDiskGeneric(virQEMUDriverPtr driver,
+     qemuDomainObjPrivatePtr priv = vm->privateData;
+     qemuHotplugDiskSourceDataPtr diskdata = NULL;
+     char *devstr = NULL;
+    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ 
+     if (qemuHotplugPrepareDiskAccess(driver, vm, disk, NULL, false) < 0)
+         goto cleanup;
+@@ -788,6 +789,9 @@ qemuDomainAttachDiskGeneric(virQEMUDriverPtr driver,
+     if (qemuAssignDeviceDiskAlias(vm->def, disk, priv->qemuCaps) < 0)
+         goto error;
+ 
+    if (qemuDomainPrepareDiskSource(disk, priv, cfg) < 0)
+        goto error;
+
+     if (!(diskdata = qemuHotplugDiskSourceAttachPrepare(disk, priv->qemuCaps)))
+         goto error;
+ 
+@@ -822,6 +826,7 @@ qemuDomainAttachDiskGeneric(virQEMUDriverPtr driver,
+     qemuHotplugDiskSourceDataFree(diskdata);
+     qemuDomainSecretDiskDestroy(disk);
+     VIR_FREE(devstr);
+    virObjectUnref(cfg);
+     return ret;
+ 
+  exit_monitor:
+@@ -1062,8 +1067,6 @@ qemuDomainAttachDeviceDiskLive(virQEMUDriverPtr driver,
+                                bool forceMediaChange)
+ {
+     size_t i;
+-    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+-    qemuDomainObjPrivatePtr priv = vm->privateData;
+     virDomainDiskDefPtr disk = dev->data.disk;
+     virDomainDiskDefPtr orig_disk = NULL;
+     int ret = -1;
+@@ -1080,9 +1083,6 @@ qemuDomainAttachDeviceDiskLive(virQEMUDriverPtr driver,
+     if (qemuDomainDetermineDiskChain(driver, vm, disk, true) < 0)
+         goto cleanup;
+ 
+-    if (qemuDomainPrepareDiskSource(disk, priv, cfg) < 0)
+-        goto cleanup;
+-
+     switch ((virDomainDiskDevice) disk->device)  {
+     case VIR_DOMAIN_DISK_DEVICE_CDROM:
+     case VIR_DOMAIN_DISK_DEVICE_FLOPPY:
+@@ -1153,7 +1153,6 @@ qemuDomainAttachDeviceDiskLive(virQEMUDriverPtr driver,
+  cleanup:
+     if (ret != 0)
+         ignore_value(qemuRemoveSharedDevice(driver, dev, vm->def->name));
+-    virObjectUnref(cfg);
+     return ret;
+ }
+ 
@@ -0,0 +1,29 @@
+From: Radoslaw Biernacki <radoslaw.biernacki@linaro.org>
+Date: Tue, 22 Jan 2019 12:26:15 -0700
+Subject: [PATCH] util: Fixing invalid error checking from virPCIGetNetname()
+
+The @linkdev is In/Out function parameter as second order
+reference pointer so requires first order dereference for
+checking NULL which can be the result of virPCIGetNetName().
+
+Fixes: d6ee56d7237 (util: change virPCIGetNetName() to not return error if device has no net name)
+Signed-off-by: Radoslaw Biernacki <radoslaw.biernacki@linaro.org>
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+(cherry picked from commit 04983c3c6a821f67994b1c65d4d6175f3ac49d69)
+---
+ src/util/virhostdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/virhostdev.c b/src/util/virhostdev.c
+index ca79c37787..d9a3711386 100644
+--- a/src/util/virhostdev.c
+++ b/src/util/virhostdev.c
+@@ -319,7 +319,7 @@ virHostdevNetDevice(virDomainHostdevDefPtr hostdev,
+         if (virPCIGetNetName(sysfs_path, 0, NULL, linkdev) < 0)
+             return -1;
+ 
+-        if (!linkdev) {
+        if (!(*linkdev)) {
+             virReportError(VIR_ERR_INTERNAL_ERROR,
+                            _("The device at %s has no network device name"),
+                              sysfs_path);
@@ -0,0 +1,203 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 1 May 2018 11:34:51 +0100
+Subject: [PATCH] tests: merge code for UNIX and TCP socket testing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The test code for UNIX and TCP sockets will need to be rewritten and
+extended later, and will benefit from code sharing.
+
+Reviewed-by: Andrea Bolognani <abologna@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 9e2fad87b429060842a536de26d6af61ea3d96ea)
+---
+ tests/virnetsockettest.c | 120 +++++++++++++++++----------------------
+ 1 file changed, 51 insertions(+), 69 deletions(-)
+
+diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
+index 9f9a243484..e463d432ff 100644
+--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
+@@ -116,38 +116,67 @@ checkProtocols(bool *hasIPv4, bool *hasIPv6,
+ }
+ 
+ 
+-struct testTCPData {
+struct testSocketData {
+     const char *lnode;
+     int port;
+     const char *cnode;
+ };
+ 
+-static int testSocketTCPAccept(const void *opaque)
+static int testSocketAccept(const void *opaque)
+ {
+     virNetSocketPtr *lsock = NULL; /* Listen socket */
+     size_t nlsock = 0, i;
+     virNetSocketPtr ssock = NULL; /* Server socket */
+     virNetSocketPtr csock = NULL; /* Client socket */
+-    const struct testTCPData *data = opaque;
+    const struct testSocketData *data = opaque;
+     int ret = -1;
+     char portstr[100];
+    char *tmpdir = NULL;
+    char *path = NULL;
+    char template[] = "/tmp/libvirt_XXXXXX";
+ 
+-    snprintf(portstr, sizeof(portstr), "%d", data->port);
+    if (!data) {
+        virNetSocketPtr usock;
+        tmpdir = mkdtemp(template);
+        if (tmpdir == NULL) {
+            VIR_WARN("Failed to create temporary directory");
+            goto cleanup;
+        }
+        if (virAsprintf(&path, "%s/test.sock", tmpdir) < 0)
+            goto cleanup;
+ 
+-    if (virNetSocketNewListenTCP(data->lnode, portstr,
+-                                 AF_UNSPEC,
+-                                 &lsock, &nlsock) < 0)
+-        goto cleanup;
+        if (virNetSocketNewListenUNIX(path, 0700, -1, getegid(), &usock) < 0)
+            goto cleanup;
+
+        if (VIR_ALLOC_N(lsock, 1) < 0) {
+            virObjectUnref(usock);
+            goto cleanup;
+        }
+
+        lsock[0] = usock;
+        nlsock = 1;
+    } else {
+        snprintf(portstr, sizeof(portstr), "%d", data->port);
+        if (virNetSocketNewListenTCP(data->lnode, portstr,
+                                     AF_UNSPEC,
+                                     &lsock, &nlsock) < 0)
+            goto cleanup;
+    }
+ 
+     for (i = 0; i < nlsock; i++) {
+         if (virNetSocketListen(lsock[i], 0) < 0)
+             goto cleanup;
+     }
+ 
+-    if (virNetSocketNewConnectTCP(data->cnode, portstr,
+-                                  AF_UNSPEC,
+-                                  &csock) < 0)
+-        goto cleanup;
+    if (!data) {
+        if (virNetSocketNewConnectUNIX(path, false, NULL, &csock) < 0)
+            goto cleanup;
+    } else {
+        if (virNetSocketNewConnectTCP(data->cnode, portstr,
+                                      AF_UNSPEC,
+                                      &csock) < 0)
+            goto cleanup;
+    }
+ 
+     virObjectUnref(csock);
+ 
+@@ -171,62 +200,15 @@ static int testSocketTCPAccept(const void *opaque)
+     for (i = 0; i < nlsock; i++)
+         virObjectUnref(lsock[i]);
+     VIR_FREE(lsock);
+-    return ret;
+-}
+-#endif
+-
+-
+-#ifndef WIN32
+-static int testSocketUNIXAccept(const void *data ATTRIBUTE_UNUSED)
+-{
+-    virNetSocketPtr lsock = NULL; /* Listen socket */
+-    virNetSocketPtr ssock = NULL; /* Server socket */
+-    virNetSocketPtr csock = NULL; /* Client socket */
+-    int ret = -1;
+-
+-    char *path = NULL;
+-    char *tmpdir;
+-    char template[] = "/tmp/libvirt_XXXXXX";
+-
+-    tmpdir = mkdtemp(template);
+-    if (tmpdir == NULL) {
+-        VIR_WARN("Failed to create temporary directory");
+-        goto cleanup;
+-    }
+-    if (virAsprintf(&path, "%s/test.sock", tmpdir) < 0)
+-        goto cleanup;
+-
+-    if (virNetSocketNewListenUNIX(path, 0700, -1, getegid(), &lsock) < 0)
+-        goto cleanup;
+-
+-    if (virNetSocketListen(lsock, 0) < 0)
+-        goto cleanup;
+-
+-    if (virNetSocketNewConnectUNIX(path, false, NULL, &csock) < 0)
+-        goto cleanup;
+-
+-    virObjectUnref(csock);
+-
+-    if (virNetSocketAccept(lsock, &ssock) != -1) {
+-        char c = 'a';
+-        if (virNetSocketWrite(ssock, &c, 1) != -1) {
+-            VIR_DEBUG("Unexpected client socket present");
+-            goto cleanup;
+-        }
+-    }
+-
+-    ret = 0;
+-
+- cleanup:
+     VIR_FREE(path);
+-    virObjectUnref(lsock);
+-    virObjectUnref(ssock);
+     if (tmpdir)
+         rmdir(tmpdir);
+     return ret;
+ }
+#endif
+ 
+ 
+#ifndef WIN32
+ static int testSocketUNIXAddrs(const void *data ATTRIBUTE_UNUSED)
+ {
+     virNetSocketPtr lsock = NULL; /* Listen socket */
+@@ -456,28 +438,28 @@ mymain(void)
+     }
+ 
+     if (hasIPv4) {
+-        struct testTCPData tcpData = { "127.0.0.1", freePort, "127.0.0.1" };
+-        if (virTestRun("Socket TCP/IPv4 Accept", testSocketTCPAccept, &tcpData) < 0)
+        struct testSocketData tcpData = { "127.0.0.1", freePort, "127.0.0.1" };
+        if (virTestRun("Socket TCP/IPv4 Accept", testSocketAccept, &tcpData) < 0)
+             ret = -1;
+     }
+     if (hasIPv6) {
+-        struct testTCPData tcpData = { "::1", freePort, "::1" };
+-        if (virTestRun("Socket TCP/IPv6 Accept", testSocketTCPAccept, &tcpData) < 0)
+        struct testSocketData tcpData = { "::1", freePort, "::1" };
+        if (virTestRun("Socket TCP/IPv6 Accept", testSocketAccept, &tcpData) < 0)
+             ret = -1;
+     }
+     if (hasIPv6 && hasIPv4) {
+-        struct testTCPData tcpData = { NULL, freePort, "127.0.0.1" };
+-        if (virTestRun("Socket TCP/IPv4+IPv6 Accept", testSocketTCPAccept, &tcpData) < 0)
+        struct testSocketData tcpData = { NULL, freePort, "127.0.0.1" };
+        if (virTestRun("Socket TCP/IPv4+IPv6 Accept", testSocketAccept, &tcpData) < 0)
+             ret = -1;
+ 
+         tcpData.cnode = "::1";
+-        if (virTestRun("Socket TCP/IPv4+IPv6 Accept", testSocketTCPAccept, &tcpData) < 0)
+        if (virTestRun("Socket TCP/IPv4+IPv6 Accept", testSocketAccept, &tcpData) < 0)
+             ret = -1;
+     }
+ #endif
+ 
+ #ifndef WIN32
+-    if (virTestRun("Socket UNIX Accept", testSocketUNIXAccept, NULL) < 0)
+    if (virTestRun("Socket UNIX Accept", testSocketAccept, NULL) < 0)
+         ret = -1;
+ 
+     if (virTestRun("Socket UNIX Addrs", testSocketUNIXAddrs, NULL) < 0)
@@ -0,0 +1,241 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 1 May 2018 11:55:02 +0100
+Subject: [PATCH] tests: rewrite socket to do something sensible and reliable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current socket test is rather crazy in that it sets up a server
+listening for sockets and then runs a client connect call, relying on
+the fact that the kernel will accept this despite the application
+not having called accept() yet. It then closes the client socket and
+calls accept() on the server. On Linux accept() will always see that
+the client has gone and so skip the rest of the code. On FreeBSD,
+however, the accept sometimes succeeds, causing us to then go into
+code that attempts to read and write to the client which will fail
+aborting the test. The accept() never succeeds on FreeBSD guests
+with a single CPU, but as you add more CPUs, accept() becomes more and
+more likely to succeed, giving a 100% failure rate for the test when
+using 8 CPUs.
+
+This completely rewrites the test so that it is avoids this designed in
+race condition. We simply spawn a background thread to act as the
+client, which will read a byte from the server and write it back again.
+The main thread can now properly listen and accept the client in a
+synchronous manner avoiding any races.
+
+Reviewed-by: Andrea Bolognani <abologna@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 39015a6f3a0d4f9ca2041b9227094f0bcc2217e9)
+---
+ tests/virnetsockettest.c | 141 +++++++++++++++++++++++++++++++++------
+ 1 file changed, 120 insertions(+), 21 deletions(-)
+
+diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
+index e463d432ff..cccb90d0be 100644
+--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
+@@ -115,6 +115,56 @@ checkProtocols(bool *hasIPv4, bool *hasIPv6,
+     return ret;
+ }
+ 
+struct testClientData {
+    const char *path;
+    const char *cnode;
+    const char *portstr;
+};
+
+static void
+testSocketClient(void *opaque)
+{
+    struct testClientData *data = opaque;
+    char c;
+    virNetSocketPtr csock = NULL;
+
+    if (data->path) {
+        if (virNetSocketNewConnectUNIX(data->path, false,
+                                       NULL, &csock) < 0)
+            return;
+    } else {
+        if (virNetSocketNewConnectTCP(data->cnode, data->portstr,
+                                      AF_UNSPEC,
+                                      &csock) < 0)
+            return;
+    }
+
+    virNetSocketSetBlocking(csock, true);
+
+    if (virNetSocketRead(csock, &c, 1) != 1) {
+        VIR_DEBUG("Cannot read from server");
+        goto done;
+    }
+    if (virNetSocketWrite(csock, &c, 1) != 1) {
+        VIR_DEBUG("Cannot write to server");
+        goto done;
+    }
+
+ done:
+    virObjectUnref(csock);
+}
+
+
+static void
+testSocketIncoming(virNetSocketPtr sock,
+                   int events ATTRIBUTE_UNUSED,
+                   void *opaque)
+{
+    virNetSocketPtr *retsock = opaque;
+    VIR_DEBUG("Incoming sock=%p events=%d\n", sock, events);
+    *retsock = sock;
+}
+
+ 
+ struct testSocketData {
+     const char *lnode;
+@@ -122,18 +172,25 @@ struct testSocketData {
+     const char *cnode;
+ };
+ 
+-static int testSocketAccept(const void *opaque)
+
+static int
+testSocketAccept(const void *opaque)
+ {
+     virNetSocketPtr *lsock = NULL; /* Listen socket */
+     size_t nlsock = 0, i;
+     virNetSocketPtr ssock = NULL; /* Server socket */
+-    virNetSocketPtr csock = NULL; /* Client socket */
+    virNetSocketPtr rsock = NULL; /* Incoming client socket */
+     const struct testSocketData *data = opaque;
+     int ret = -1;
+     char portstr[100];
+     char *tmpdir = NULL;
+     char *path = NULL;
+     char template[] = "/tmp/libvirt_XXXXXX";
+    virThread th;
+    struct testClientData cdata = { 0 };
+    bool goodsock = false;
+    char a = 'a';
+    char b = '\0';
+ 
+     if (!data) {
+         virNetSocketPtr usock;
+@@ -155,50 +212,90 @@ static int testSocketAccept(const void *opaque)
+ 
+         lsock[0] = usock;
+         nlsock = 1;
+
+        cdata.path = path;
+     } else {
+         snprintf(portstr, sizeof(portstr), "%d", data->port);
+         if (virNetSocketNewListenTCP(data->lnode, portstr,
+                                      AF_UNSPEC,
+                                      &lsock, &nlsock) < 0)
+             goto cleanup;
+
+        cdata.cnode = data->cnode;
+        cdata.portstr = portstr;
+     }
+ 
+     for (i = 0; i < nlsock; i++) {
+         if (virNetSocketListen(lsock[i], 0) < 0)
+             goto cleanup;
+-    }
+ 
+-    if (!data) {
+-        if (virNetSocketNewConnectUNIX(path, false, NULL, &csock) < 0)
+-            goto cleanup;
+-    } else {
+-        if (virNetSocketNewConnectTCP(data->cnode, portstr,
+-                                      AF_UNSPEC,
+-                                      &csock) < 0)
+        if (virNetSocketAddIOCallback(lsock[i],
+                                      VIR_EVENT_HANDLE_READABLE,
+                                      testSocketIncoming,
+                                      &rsock,
+                                      NULL) < 0) {
+             goto cleanup;
+        }
+     }
+ 
+-    virObjectUnref(csock);
+    if (virThreadCreate(&th, true,
+                        testSocketClient,
+                        &cdata) < 0)
+        goto cleanup;
+
+    while (rsock == NULL)
+        virEventRunDefaultImpl();
+ 
+     for (i = 0; i < nlsock; i++) {
+-        if (virNetSocketAccept(lsock[i], &ssock) != -1 && ssock) {
+-            char c = 'a';
+-            if (virNetSocketWrite(ssock, &c, 1) != -1 &&
+-                virNetSocketRead(ssock, &c, 1) != -1) {
+-                VIR_DEBUG("Unexpected client socket present");
+-                goto cleanup;
+-            }
+        if (lsock[i] == rsock) {
+            goodsock = true;
+            break;
+         }
+-        virObjectUnref(ssock);
+-        ssock = NULL;
+     }
+ 
+    if (!goodsock) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       "Unexpected server socket seen");
+        goto join;
+    }
+
+    if (virNetSocketAccept(rsock, &ssock) < 0)
+        goto join;
+
+    if (!ssock) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       "Client went away unexpectedly");
+        goto join;
+    }
+
+    virNetSocketSetBlocking(ssock, true);
+
+    if (virNetSocketWrite(ssock, &a, 1) < 0 ||
+        virNetSocketRead(ssock, &b, 1) < 0) {
+        goto join;
+    }
+
+    if (a != b) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       "Bad data received '%x' != '%x'", a, b);
+        goto join;
+    }
+
+    virObjectUnref(ssock);
+    ssock = NULL;
+
+     ret = 0;
+ 
+ join:
+    virThreadJoin(&th);
+
+  cleanup:
+     virObjectUnref(ssock);
+-    for (i = 0; i < nlsock; i++)
+    for (i = 0; i < nlsock; i++) {
+        virNetSocketRemoveIOCallback(lsock[i]);
+        virNetSocketClose(lsock[i]);
+         virObjectUnref(lsock[i]);
+    }
+     VIR_FREE(lsock);
+     VIR_FREE(path);
+     if (tmpdir)
+@@ -431,6 +528,8 @@ mymain(void)
+ 
+     signal(SIGPIPE, SIG_IGN);
+ 
+    virEventRegisterDefaultImpl();
+
+ #ifdef HAVE_IFADDRS_H
+     if (checkProtocols(&hasIPv4, &hasIPv6, &freePort) < 0) {
+         fprintf(stderr, "Cannot identify IPv4/6 availability\n");
@@ -0,0 +1,34 @@
+From: John Ferlan <jferlan@redhat.com>
+Date: Fri, 7 Sep 2018 08:20:15 -0400
+Subject: [PATCH] test: Remove possible infinite loop in virnetsockettest
+
+Commit 39015a6f3 modified the test to be more reliable/realistic,
+but without checking the return status of virEventRunDefaultImpl
+it's possible that the test could run infinitely.
+
+Found by Coverity
+
+Signed-off-by: John Ferlan <jferlan@redhat.com>
+ACKed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit a0ba31c0069e89f178f064e724ddbc8540b64d32)
+---
+ tests/virnetsockettest.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
+index cccb90d0be..5927be1f80 100644
+--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
+@@ -243,8 +243,10 @@ testSocketAccept(const void *opaque)
+                         &cdata) < 0)
+         goto cleanup;
+ 
+-    while (rsock == NULL)
+-        virEventRunDefaultImpl();
+    while (rsock == NULL) {
+        if (virEventRunDefaultImpl() < 0)
+            break;
+    }
+ 
+     for (i = 0; i < nlsock; i++) {
+         if (lsock[i] == rsock) {
@@ -1 +1 @@
-SHA512 (libvirt-4.1.0.tar.xz) = 62d1a228adf3270cc6defe3cbf92dac8c4ce2c434c4d97219571ccef799a4f6304cfd1ba9938338356641285f53ac71145d7b398523021c5ea1dc8e3d49cf894
+SHA512 (libvirt-4.7.0.tar.xz) = a4b320460b923508d9519c65c8be18b5013eb7ed4d581984cc5edf0d3476c34f959d69ad4ca7a0e257dac91351e11718785efc3f201d4b58fa999dbca1daac47
Author	SHA1	Message	Date
Cole Robinson	f92cc4a3a0	Fix the test suite on s390x	2019-06-20 16:45:14 -04:00
Cole Robinson	823c0cc7e3	libvirt-4.7.0-5.fc29 CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115) CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients (bz #1722462, bz #1720114) CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API (bz #1722464, bz #1720117) CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz #1722466, bz #1720118) CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode [fedora-rawhide Failed to attache NEW rbd device to guest (bz #1672620) PCI hostdev interface segfault (bz #1692053)	2019-06-20 13:02:52 -04:00
Daniel P. Berrangé	4502524d76	Fix systemd socket permissions (CVE-2019-10132) Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2019-05-21 17:06:47 +01:00
Daniel P. Berrangé	96dfc352ed	Define md-clear CPUID bit CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2019-05-14 19:45:59 +01:00
Cole Robinson	382105ed17	Mouse cursor doubled on QEMU VNC on ppc64le (bz #1565253 ) CVE-2019-3840: NULL deref after running qemuAgentGetInterfaces (bz #1665229)	2019-04-02 11:57:46 -04:00
Daniel P. Berrangé	e5fa1c00d2	Update to 4.7.0 release Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-09-04 10:43:47 +01:00
David Abdurachmanov	18f7b8c79c	Add support for RISC-V (riscv64)	2018-08-19 19:41:56 +01:00
Daniel P. Berrangé	782468f8e9	Update to 4.6.0 release Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-08-06 14:07:24 +01:00
Fedora Release Engineering	202e7d9569	- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2018-07-13 09:01:16 +00:00
Daniel P. Berrangé	0676a07265	Fix regressions in chardev handling Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-07-06 11:30:44 +01:00
Daniel P. Berrangé	f57ce74947	Update to 4.5.0 release Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-07-03 11:00:57 +01:00
Daniel P. Berrangé	851cfde15b	Fix typo in date Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-06-05 12:49:52 +01:00
Daniel P. Berrangé	06123137eb	Update to 4.4.0 release Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-06-05 12:30:16 +01:00
Igor Gnatenko	6ccf3cb58c	Remove %clean section None of currently supported distributions need that. Last one was EL5 which is EOL for a while. Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>	2018-05-07 09:38:07 +02:00
Igor Gnatenko	030ddaa4ef	Remove BuildRoot definition None of currently supported distributions need that. It was needed last for EL5 which is EOL now Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>	2018-05-07 09:38:07 +02:00
Daniel P. Berrangé	a8886736c4	Set wireshark plugin dir dynamically Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-05-03 12:26:11 +01:00
Daniel P. Berrangé	4fd635e537	Update to 4.3.0 release Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-05-03 10:55:46 +01:00
Daniel P. Berrangé	6210c457fc	Update to 4.2.0 release Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-04-03 13:42:58 +01:00
Iryna Shcherbina	82926cfdf0	Update Python 2 dependency declarations to new packaging standards	2018-03-23 23:29:56 +01:00
Daniel P. Berrangé	e7a3ca6f6b	Fix systemd macro argument with line continuations (rhbz#1558648) Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-03-21 09:38:28 +00:00
Daniel P. Berrangé	1ae6f647b7	Upload 4.1.0 sources Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-03-05 13:36:35 +00:00
Daniel P. Berrangé	48941c011f	Rebase to version 4.1.0 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>	2018-03-05 13:31:54 +00:00