Fix multiple crashes listing interfaces

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

0001-Fix-off-by-one-error-in-udevListInterfacesByStatus.patch

@@ -0,0 +1,40 @@
+From 6f3ee0c553bafec957e69df7fc42f83985d55c0f Mon Sep 17 00:00:00 2001
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Tue, 27 Feb 2024 16:20:12 +0100
+Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ever since this function was introduced in 2012 it could've tried
+filling in an extra interface name.  That was made worse in 2019 when
+the caller functions started accepting NULL arrays of size 0.
+
+This is assigned CVE-2024-1441.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
+Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
+Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit c664015fe3a7bf59db26686e9ed69af011c6ebb8)
+---
+ src/interface/interface_backend_udev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
+index ef334f175b..abeb766294 100644
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn,
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+         /* Ensure we won't exceed the size of our array */
+-        if (count > names_len)
++        if (count >= names_len)
+             break;
+ 
+         path = udev_list_entry_get_name(dev_entry);
+-- 
+2.43.0
+

0001-interface-fix-udev_device_get_sysattr_value-return-v.patch

@@ -0,0 +1,90 @@
+From 13ea81b22cde0a429aa1de8b58655296084ce8d7 Mon Sep 17 00:00:00 2001
+From: Dmitry Frolov <frolov@swemel.ru>
+Date: Tue, 12 Sep 2023 15:56:47 +0300
+Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value
+ check
+
+Reviewing the code I found that return value of function
+udev_device_get_sysattr_value() is dereferenced without a check.
+udev_device_get_sysattr_value() may return NULL by number of reasons.
+
+v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
+v3: More checks added, to skip earlier. More verbose VIR_DEBUG.
+
+Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 2ca94317ac642a70921947150ced8acc674ccdc8)
+---
+ src/interface/interface_backend_udev.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
+index 54b43fb999..ef334f175b 100644
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -23,6 +23,7 @@
+ #include <dirent.h>
+ #include <libudev.h>
+ 
++#include "virlog.h"
+ #include "virerror.h"
+ #include "virfile.h"
+ #include "datatypes.h"
+@@ -40,6 +41,8 @@
+ 
+ #define VIR_FROM_THIS VIR_FROM_INTERFACE
+ 
++VIR_LOG_INIT("interface.interface_backend_udev");
++
+ struct udev_iface_driver {
+     struct udev *udev;
+     /* pid file FD, ensures two copies of the driver can't use the same root */
+@@ -354,11 +357,20 @@ udevConnectListAllInterfaces(virConnectPtr conn,
+         const char *macaddr;
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+-        path = udev_list_entry_get_name(dev_entry);
+-        dev = udev_device_new_from_syspath(udev, path);
+-        name = udev_device_get_sysname(dev);
++        if (!(path = udev_list_entry_get_name(dev_entry))) {
++            VIR_DEBUG("Skipping interface, path == NULL");
++            continue;
++        }
++        if (!(dev = udev_device_new_from_syspath(udev, path))) {
++            VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
++            continue;
++        }
++        if (!(name = udev_device_get_sysname(dev))) {
++            VIR_DEBUG("Skipping interface '%s', name == NULL", path);
++            continue;
++        }
+         macaddr = udev_device_get_sysattr_value(dev, "address");
+-        status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
++        status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+         def = udevGetMinimalDefForDevice(dev);
+         if (!virConnectListAllInterfacesCheckACL(conn, def)) {
+@@ -962,9 +974,9 @@ udevGetIfaceDef(struct udev *udev, const char *name)
+ 
+     /* MTU */
+     mtu_str = udev_device_get_sysattr_value(dev, "mtu");
+-    if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
++    if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+-                _("Could not parse MTU value '%s'"), mtu_str);
++                       _("Could not parse MTU value '%s'"), NULLSTR(mtu_str));
+         goto error;
+     }
+     ifacedef->mtu = mtu;
+@@ -1087,7 +1099,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo)
+        goto cleanup;
+ 
+     /* Check if it's active or not */
+-    status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
++    status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+     udev_device_unref(dev);
+ 
+-- 
+2.43.0
+

0001-qemu-xen-add-missing-deps-on-virtlockd-virtlogd-sock.patch

@@ -1,66 +0,0 @@
-From 88c5b9f827779ae6fe5a6f08100a4b6184492a1c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 31 Aug 2021 10:59:39 +0100
-Subject: [PATCH] qemu, xen: add missing deps on virtlockd/virtlogd sockets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The QEMU driver uses both virtlogd and virtlockd, while the Xen driver
-uses virtlockd. The libvirtd.service unit contains deps on the socket
-units for these services, but these deps were missed in the modular
-daemons. As a result the virtlockd/virtlogd sockets are not started
-when the virtqemud/virtxend daemons are started.
-
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/libxl/virtxend.service.in | 2 ++
- src/qemu/virtqemud.service.in | 4 ++++
- 2 files changed, 6 insertions(+)
-
-diff --git a/src/libxl/virtxend.service.in b/src/libxl/virtxend.service.in
-index a863917467..19b19ce3e6 100644
---- a/src/libxl/virtxend.service.in
-+++ b/src/libxl/virtxend.service.in
-@@ -1,6 +1,7 @@
- [Unit]
- Description=Virtualization xen daemon
- Conflicts=libvirtd.service
-+Requires=virtlockd.socket
- Requires=virtxend.socket
- Requires=virtxend-ro.socket
- Requires=virtxend-admin.socket
-@@ -25,6 +26,7 @@ KillMode=process
- 
- [Install]
- WantedBy=multi-user.target
-+Also=virtlockd.socket
- Also=virtxend.socket
- Also=virtxend-ro.socket
- Also=virtxend-admin.socket
-diff --git a/src/qemu/virtqemud.service.in b/src/qemu/virtqemud.service.in
-index 8abc9d3a7f..20e1b43a6e 100644
---- a/src/qemu/virtqemud.service.in
-+++ b/src/qemu/virtqemud.service.in
-@@ -1,6 +1,8 @@
- [Unit]
- Description=Virtualization qemu daemon
- Conflicts=libvirtd.service
-+Requires=virtlogd.socket
-+Requires=virtlockd.socket
- Requires=virtqemud.socket
- Requires=virtqemud-ro.socket
- Requires=virtqemud-admin.socket
-@@ -42,6 +44,8 @@ LimitMEMLOCK=64M
- 
- [Install]
- WantedBy=multi-user.target
-+Also=virtlogd.socket
-+Also=virtlockd.socket
- Also=virtqemud.socket
- Also=virtqemud-ro.socket
- Also=virtqemud-admin.socket
--- 
-2.31.1
-

0001-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-i.patch

@@ -0,0 +1,58 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Thu, 9 Feb 2023 09:40:32 +0100
+Subject: [PATCH] qemuProcessRefreshDisks: Don't skip filling of disk
+ information if tray state didn't change
+Content-type: text/plain
+
+Commit 5ef2582646eb98 added emitting of even when refreshign disk state,
+where it wanted to avoid sending the event if disk state didn't change.
+This was achieved by using 'continue' in the loop filling the
+information. Unfortunately this skips extraction of whether the device
+has a tray which is propagated into internal structures, which in turn
+broke cdrom media change as the code thought there's no tray for the
+device.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2166411
+Fixes: 5ef2582646eb98af208ce37355f82bdef39931fa
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Kristina Hanicova <khanicov@redhat.com>
+(cherry picked from commit 86cfe93ef7fdc2d665a2fc88b79af89e7978ba78)
+---
+ src/qemu/qemu_process.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index ee9f0784d3..0c408ee547 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -8724,16 +8724,13 @@ qemuProcessRefreshDisks(virDomainObj *vm,
+             continue;
+ 
+         if (info->removable) {
+-            virObjectEvent *event = NULL;
++            bool emitEvent = info->tray_open != disk->tray_status;
+             int reason;
+ 
+             if (info->empty)
+                 virDomainDiskEmptySource(disk);
+ 
+             if (info->tray) {
+-                if (info->tray_open == disk->tray_status)
+-                    continue;
+-
+                 if (info->tray_open) {
+                     reason = VIR_DOMAIN_EVENT_TRAY_CHANGE_OPEN;
+                     disk->tray_status = VIR_DOMAIN_DISK_TRAY_OPEN;
+@@ -8742,8 +8739,10 @@ qemuProcessRefreshDisks(virDomainObj *vm,
+                     disk->tray_status = VIR_DOMAIN_DISK_TRAY_CLOSED;
+                 }
+ 
+-                event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason);
+-                virObjectEventStateQueue(driver->domainEventState, event);
++                if (emitEvent) {
++                    virObjectEvent *event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason);
++                    virObjectEventStateQueue(driver->domainEventState, event);
++                }
+             }
+         }
+ 

0002-ch-use-CURLOPT_UPLOAD-instead-of-CURLOPT_PUT.patch

@@ -0,0 +1,39 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 18 Jan 2023 09:45:52 +0000
+Subject: [PATCH] ch: use CURLOPT_UPLOAD instead of CURLOPT_PUT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+The CURLOPT_PUT constant causes a deprecation warning when compiling on
+Alpine Edge.  The docs indicate it is deprecated since 7.2.1
+
+  https://curl.se/libcurl/c/CURLOPT_PUT.html
+
+Since 7.87 the deprecation is now exposed at build time via a compiler
+warning.
+
+We already use CURLOPT_UPLOAD in the ESX driver, so this brings the CH
+driver into line.
+
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 9cd70fb25cad171e415fb05a4e01f244304c602e)
+---
+ src/ch/ch_monitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ch/ch_monitor.c b/src/ch/ch_monitor.c
+index 8d8654332f..7b8f0a8077 100644
+--- a/src/ch/ch_monitor.c
++++ b/src/ch/ch_monitor.c
+@@ -660,7 +660,7 @@ virCHMonitorPutNoContent(virCHMonitor *mon, const char *endpoint)
+ 
+     curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath);
+     curl_easy_setopt(mon->handle, CURLOPT_URL, url);
+-    curl_easy_setopt(mon->handle, CURLOPT_PUT, true);
++    curl_easy_setopt(mon->handle, CURLOPT_UPLOAD, 1L);
+     curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, NULL);
+ 
+     responseCode = virCHMonitorCurlPerform(mon->handle);

0002-wireshark-Switch-to-tvb_bytes_to_str.patch

@@ -1,81 +0,0 @@
-From 7e299ba649b1288d529c7595c0e6060c9ae0ff2a Mon Sep 17 00:00:00 2001
-From: Michal Privoznik <mprivozn@redhat.com>
-Date: Mon, 29 Nov 2021 09:57:49 +0100
-Subject: [PATCH 1/2] wireshark: Switch to tvb_bytes_to_str()
-
-When the dissector sees a byte sequence that is either an opaque
-data (xdr_opaque) or a byte sequence (xdr_bytes) it formats the
-bytes as a hex numbers using our own implementation. But
-wireshark already provides a function for it: tvb_bytes_to_str().
-NB, the reason why it returns a const string is so that callers
-don't try to free it - the string is allocated using an allocator
-which will decide when to free it.
-
-The wireshark formatter was introduced in wireshark commit of
-v1.99.2~479 and thus is present in the version we require at
-least (2.6.0).
-
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
----
- tools/wireshark/src/packet-libvirt.c | 30 ++++++++--------------------
- 1 file changed, 8 insertions(+), 22 deletions(-)
-
-diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c
-index f43919b05d..cb922b8070 100644
---- a/tools/wireshark/src/packet-libvirt.c
-+++ b/tools/wireshark/src/packet-libvirt.c
-@@ -158,24 +158,6 @@ dissect_xdr_string(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
-     }
- }
- 
--static const gchar *
--format_xdr_bytes(guint8 *bytes, guint32 length)
--{
--    gchar *buf;
--    guint32 i;
--
--    if (length == 0)
--        return "";
--    buf = wmem_alloc(wmem_packet_scope(), length*2 + 1);
--    for (i = 0; i < length; i++) {
--        /* We know that buf has enough size to contain
--           2 * length + '\0' characters. */
--        g_snprintf(buf, 2*(length - i) + 1, "%02x", bytes[i]);
--        buf += 2;
--    }
--    return buf - length*2;
--}
--
- static gboolean
- dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
-                    guint32 size)
-@@ -187,8 +169,10 @@ dissect_xdr_opaque(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
-     val = g_malloc(size);
-     start = xdr_getpos(xdrs);
-     if ((rc = xdr_opaque(xdrs, (caddr_t)val, size))) {
--        proto_tree_add_bytes_format_value(tree, hf, tvb, start, xdr_getpos(xdrs) - start,
--                                          NULL, "%s", format_xdr_bytes(val, size));
-+        gint len = xdr_getpos(xdrs) - start;
-+        const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
-+
-+        proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
-     } else {
-         proto_tree_add_item(tree, hf_libvirt_unknown, tvb, start, -1, ENC_NA);
-     }
-@@ -207,8 +191,10 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
- 
-     start = xdr_getpos(xdrs);
-     if (xdr_bytes(xdrs, (char **)&val, &length, maxlen)) {
--        proto_tree_add_bytes_format_value(tree, hf, tvb, start, xdr_getpos(xdrs) - start,
--                                          NULL, "%s", format_xdr_bytes(val, length));
-+        gint len = xdr_getpos(xdrs) - start;
-+        const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
-+
-+        proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
-         /* Seems I can't call xdr_free() for this case.
-            It will raises SEGV by referencing out of bounds call stack */
-         free(val);
--- 
-2.33.1
-

0003-storage-Fix-returning-of-locked-objects-from-virStor.patch

@@ -0,0 +1,56 @@
+From 9a47442366fcf8a7b6d7422016d7bbb6764a1098 Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Thu, 13 Jul 2023 16:16:37 +0200
+Subject: [PATCH] storage: Fix returning of locked objects from
+ 'virStoragePoolObjListSearch'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2023-3750
+
+'virStoragePoolObjListSearch' explicitly documents that it's returning
+a pointer to a locked and ref'd pool that maches the lookup function.
+
+This was not the case as in commit 0c4b391e2a9 (released in
+libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD'
+which auto-unlocked it when leaving the scope, even when the code was
+originally "leaking" the lock.
+
+Revert the corresponding conversion and add a comment that this function
+is intentionally leaking a locked object.
+
+Fixes: 0c4b391e2a9
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Han Han <hhan@redhat.com>
+---
+ src/conf/virstorageobj.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c
+index 7010e97d61..59fa5da372 100644
+--- a/src/conf/virstorageobj.c
++++ b/src/conf/virstorageobj.c
+@@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload,
+     virStoragePoolObj *obj = (virStoragePoolObj *) payload;
+     struct _virStoragePoolObjListSearchData *data =
+         (struct _virStoragePoolObjListSearchData *)opaque;
+-    VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
+ 
++    virObjectLock(obj);
++
++    /* If we find the matching pool object we must return while the object is
++     * locked as the caller wants to return a locked object. */
+     if (data->searcher(obj, data->opaque))
+         return 1;
+ 
++    virObjectUnlock(obj);
++
+     return 0;
+ }
+ 
+-- 
+2.41.0
+

0003-wireshark-Drop-needless-comment-in-dissect_xdr_bytes.patch

@@ -1,33 +0,0 @@
-From 010613cfd8dae6d85602a84c5c95b2d441e1b3d1 Mon Sep 17 00:00:00 2001
-From: Michal Privoznik <mprivozn@redhat.com>
-Date: Mon, 29 Nov 2021 10:20:05 +0100
-Subject: [PATCH 2/2] wireshark: Drop needless comment in dissect_xdr_bytes()
-
-In the dissect_xdr_bytes() there's a comment that the string
-allocated by xdr_bytes() can't be freed using xdr_free(). Well,
-that is expected because xdr_bytes() used plain calloc() AND the
-string is not an XDR struct but plain 'char *' type. Passing it
-to xdr_free() must result in weird things happening.
-
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
----
- tools/wireshark/src/packet-libvirt.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/tools/wireshark/src/packet-libvirt.c b/tools/wireshark/src/packet-libvirt.c
-index cb922b8070..eeacbcdf0e 100644
---- a/tools/wireshark/src/packet-libvirt.c
-+++ b/tools/wireshark/src/packet-libvirt.c
-@@ -195,8 +195,6 @@ dissect_xdr_bytes(tvbuff_t *tvb, proto_tree *tree, XDR *xdrs, int hf,
-         const char *s = tvb_bytes_to_str(wmem_packet_scope(), tvb, start, len);
- 
-         proto_tree_add_bytes_format_value(tree, hf, tvb, start, len, NULL, "%s", s);
--        /* Seems I can't call xdr_free() for this case.
--           It will raises SEGV by referencing out of bounds call stack */
-         free(val);
-         return TRUE;
-     } else {
--- 
-2.33.1
-

0004-tests-virstoragetest-remove-tests-without-backing-ty.patch

@@ -1,78 +0,0 @@
-From 979d1ba3ae1332bda80cb6eca98e41dc4462a226 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
-Date: Tue, 31 Aug 2021 11:41:55 +0200
-Subject: [PATCH] tests: virstoragetest: remove tests without backing type
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As of qemu commit:
-
-  commit 497a30dbb065937d67f6c43af6dd78492e1d6f6d
-    qemu-img: Require -F with -b backing image
-
-creating images with backing images requires specifying the format.
-
-Remove tests which do not pass the backing format on the command
-line.
-
-Signed-off-by: Ján Tomko <jtomko@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
----
- tests/virstoragetest.c | 33 ---------------------------------
- 1 file changed, 33 deletions(-)
-
-diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
-index 1b211b60e6..b80818bc7b 100644
---- a/tests/virstoragetest.c
-+++ b/tests/virstoragetest.c
-@@ -638,30 +638,6 @@ mymain(void)
-     };
-     TEST_CHAIN(abswrap, VIR_STORAGE_FILE_QCOW2, (&wrap, &qcow2, &raw), EXP_PASS);
- 
--    /* Rewrite qcow2 and wrap file to omit backing file type */
--    virCommandFree(cmd);
--    cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
--                               "-b", absraw, "qcow2", NULL);
--    if (virCommandRun(cmd, NULL) < 0)
--        ret = -1;
--
--    virCommandFree(cmd);
--    cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
--                               "-b", absqcow2, "wrap", NULL);
--    if (virCommandRun(cmd, NULL) < 0)
--        ret = -1;
--
--    /* Qcow2 file with raw as absolute backing, backing format omitted */
--    testFileData wrap_as_raw = {
--        .expBackingStoreRaw = absqcow2,
--        .expCapacity = 1024,
--        .path = abswrap,
--        .type = VIR_STORAGE_TYPE_FILE,
--        .format = VIR_STORAGE_FILE_QCOW2,
--    };
--    TEST_CHAIN(abswrap, VIR_STORAGE_FILE_QCOW2,
--               (&wrap_as_raw, &qcow2_as_raw), EXP_FAIL);
--
-     /* Rewrite qcow2 to a missing backing file, with backing type */
-     virCommandFree(cmd);
-     cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
-@@ -674,15 +650,6 @@ mymain(void)
-     /* Qcow2 file with missing backing file but specified type */
-     TEST_CHAIN(absqcow2, VIR_STORAGE_FILE_QCOW2, (&qcow2), EXP_FAIL);
- 
--    /* Rewrite qcow2 to a missing backing file, without backing type */
--    virCommandFree(cmd);
--    cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
--                               "-b", datadir "/bogus", "qcow2", NULL);
--    if (virCommandRun(cmd, NULL) < 0)
--        ret = -1;
--
--    /* Qcow2 file with missing backing file and no specified type */
--    TEST_CHAIN(absqcow2, VIR_STORAGE_FILE_QCOW2, (&qcow2), EXP_FAIL);
- 
-     /* Rewrite qcow2 to use an nbd: protocol as backend */
-     virCommandFree(cmd);
--- 
-2.33.1
-

0004-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cle.patch

@@ -0,0 +1,51 @@
+From 6425a311b8ad19d6f9c0b315bf1d722551ea3585 Mon Sep 17 00:00:00 2001
+From: Tim Shearer <TShearer@adva.com>
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+
+Valgrind output after getting a single interface's XML description
+1000 times:
+
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982==    at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982==    by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982==    by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982==    by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982==    by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982==    by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982==    by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982==    by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982==    by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982==    by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982==    by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982==    by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+
+Signed-off-by: Tim Shearer <tshearer@adva.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Han Han <hhan@redhat.com>
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/virpci.c b/src/util/virpci.c
+index 9e564e4a4f..cc2b07bbba 100644
+--- a/src/util/virpci.c
++++ b/src/util/virpci.c
+@@ -2245,6 +2245,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
+         g_free(list->functions[i].ifname);
+     }
+ 
++    g_free(list->functions);
+     g_free(list);
+ }
+ 
+-- 
+2.41.0
+

sources

@@ -1 +1 @@
-SHA512 (libvirt-7.6.0.tar.xz) = bad6cc02af071ca909bbbe3c07165e91cad863c9a759b26d9cff6aed6ea5643bc723d2f3c61ad41436dffd4fd50389333d74b131e37eaa54a5071a3ae26df627
+SHA512 (libvirt-9.0.0.tar.xz) = 135f690f9fe722161c22579166f10a54d52941a371439165fd0e3d391ca7835049a3bcbff33fc81c50153046230db8a5a318d707383bad3141d489d2faa09ecb