Fix virsh domifaddr --source=arp on kernel 6.10 (bz #2302245)

Signed-off-by: Cole Robinson <crobinso@redhat.com>

0001-Fix-off-by-one-error-in-udevListInterfacesByStatus.patch

@@ -1,40 +0,0 @@
-From 76cdc7adf55723ff8da146bd3c15c64d0afd5d93 Mon Sep 17 00:00:00 2001
-From: Martin Kletzander <mkletzan@redhat.com>
-Date: Tue, 27 Feb 2024 16:20:12 +0100
-Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ever since this function was introduced in 2012 it could've tried
-filling in an extra interface name.  That was made worse in 2019 when
-the caller functions started accepting NULL arrays of size 0.
-
-This is assigned CVE-2024-1441.
-
-Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
-Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
-Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-(cherry picked from commit c664015fe3a7bf59db26686e9ed69af011c6ebb8)
----
- src/interface/interface_backend_udev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
-index fb6799ed94..4091483060 100644
---- a/src/interface/interface_backend_udev.c
-+++ b/src/interface/interface_backend_udev.c
-@@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn,
-         g_autoptr(virInterfaceDef) def = NULL;
- 
-         /* Ensure we won't exceed the size of our array */
--        if (count > names_len)
-+        if (count >= names_len)
-             break;
- 
-         path = udev_list_entry_get_name(dev_entry);
--- 
-2.43.0
-

0001-interface-fix-udev_device_get_sysattr_value-return-v.patch

@@ -1,90 +0,0 @@
-From c120b31f826cd51127d28f8beaa61ac0d5f03048 Mon Sep 17 00:00:00 2001
-From: Dmitry Frolov <frolov@swemel.ru>
-Date: Tue, 12 Sep 2023 15:56:47 +0300
-Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value
- check
-
-Reviewing the code I found that return value of function
-udev_device_get_sysattr_value() is dereferenced without a check.
-udev_device_get_sysattr_value() may return NULL by number of reasons.
-
-v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
-v3: More checks added, to skip earlier. More verbose VIR_DEBUG.
-
-Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
-Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
-(cherry picked from commit 2ca94317ac642a70921947150ced8acc674ccdc8)
----
- src/interface/interface_backend_udev.c | 26 +++++++++++++++++++-------
- 1 file changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
-index a0485ddd21..fb6799ed94 100644
---- a/src/interface/interface_backend_udev.c
-+++ b/src/interface/interface_backend_udev.c
-@@ -23,6 +23,7 @@
- #include <dirent.h>
- #include <libudev.h>
- 
-+#include "virlog.h"
- #include "virerror.h"
- #include "virfile.h"
- #include "datatypes.h"
-@@ -40,6 +41,8 @@
- 
- #define VIR_FROM_THIS VIR_FROM_INTERFACE
- 
-+VIR_LOG_INIT("interface.interface_backend_udev");
-+
- struct udev_iface_driver {
-     struct udev *udev;
-     /* pid file FD, ensures two copies of the driver can't use the same root */
-@@ -354,11 +357,20 @@ udevConnectListAllInterfaces(virConnectPtr conn,
-         const char *macaddr;
-         g_autoptr(virInterfaceDef) def = NULL;
- 
--        path = udev_list_entry_get_name(dev_entry);
--        dev = udev_device_new_from_syspath(udev, path);
--        name = udev_device_get_sysname(dev);
-+        if (!(path = udev_list_entry_get_name(dev_entry))) {
-+            VIR_DEBUG("Skipping interface, path == NULL");
-+            continue;
-+        }
-+        if (!(dev = udev_device_new_from_syspath(udev, path))) {
-+            VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
-+            continue;
-+        }
-+        if (!(name = udev_device_get_sysname(dev))) {
-+            VIR_DEBUG("Skipping interface '%s', name == NULL", path);
-+            continue;
-+        }
-         macaddr = udev_device_get_sysattr_value(dev, "address");
--        status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
-+        status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
- 
-         def = udevGetMinimalDefForDevice(dev);
-         if (!virConnectListAllInterfacesCheckACL(conn, def)) {
-@@ -964,9 +976,9 @@ udevGetIfaceDef(struct udev *udev, const char *name)
- 
-     /* MTU */
-     mtu_str = udev_device_get_sysattr_value(dev, "mtu");
--    if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
-+    if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
-         virReportError(VIR_ERR_INTERNAL_ERROR,
--                _("Could not parse MTU value '%1$s'"), mtu_str);
-+                _("Could not parse MTU value '%1$s'"), NULLSTR(mtu_str));
-         goto error;
-     }
-     ifacedef->mtu = mtu;
-@@ -1089,7 +1101,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo)
-        goto cleanup;
- 
-     /* Check if it's active or not */
--    status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
-+    status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
- 
-     udev_device_unref(dev);
- 
--- 
-2.43.0
-

0001-rpc-fix-race-in-waking-up-client-event-loop.patch

@@ -1,76 +0,0 @@
-From 7cb03e6a28e465c49f0cabe8fe2e7d21edb5aadf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 18 Dec 2023 12:17:18 +0000
-Subject: [PATCH] rpc: fix race in waking up client event loop
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The first thread to issue a client RPC request will own the event
-loop execution, sitting in the virNetClientIOEventLoop function.
-
-It releases the client lock while running:
-
-   virNetClientUnlock()
-   g_main_loop_run()
-   virNetClientLock()
-
-If a second thread arrives with an RPC request, it will queue it
-for the first thread to process. To inform the first thread that
-there's a new request it calls g_main_loop_quit() to break it out
-of the main loop.
-
-This works if the first thread is in g_main_loop_run() at that
-time. There is a small window of opportunity, however, where
-the first thread has released the client lock, but not yet got
-into g_main_loop_run(). If that happens, the wakeup from the
-second thread is lost.
-
-This patch deals with that by changing the way the wakeup is
-performed. Instead of directly calling g_main_loop_quit(), the
-second thread creates an idle source to run the quit function
-from within the first thread. This guarantees that the first
-thread will see the wakeup.
-
-Tested by: Fima Shevrin <efim.shevrin@virtuozzo.com>
-Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
-Reviewed-by: Denis V. Lunev <den@openvz.org>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/rpc/virnetclient.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
-index 4ab8af68c5..68098b1c8d 100644
---- a/src/rpc/virnetclient.c
-+++ b/src/rpc/virnetclient.c
-@@ -1848,6 +1848,15 @@ static void virNetClientIOUpdateCallback(virNetClient *client,
- }
- 
- 
-+static gboolean virNetClientIOWakeup(gpointer opaque)
-+{
-+    GMainLoop *loop = opaque;
-+
-+    g_main_loop_quit(loop);
-+
-+    return G_SOURCE_REMOVE;
-+}
-+
- /*
-  * This function sends a message to remote server and awaits a reply
-  *
-@@ -1925,7 +1934,9 @@ static int virNetClientIO(virNetClient *client,
-     /* Check to see if another thread is dispatching */
-     if (client->haveTheBuck) {
-         /* Force other thread to wakeup from poll */
--        g_main_loop_quit(client->eventLoop);
-+        GSource *wakeup = g_idle_source_new();
-+        g_source_set_callback(wakeup, virNetClientIOWakeup, client->eventLoop, NULL);
-+        g_source_attach(wakeup, client->eventCtx);
- 
-         /* If we are non-blocking, detach the thread and keep the call in the
-          * queue. */
--- 
-2.43.0
-

0001-virarptable-Properly-calculate-rtattr-length.patch

@@ -0,0 +1,35 @@
+From adfdb79f1e01401349e1321d0f5059d7b6489f00 Mon Sep 17 00:00:00 2001
+Message-ID: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Fri, 16 Aug 2024 13:56:51 +0200
+Subject: [PATCH 1/3] virarptable: Properly calculate rtattr length
+Content-type: text/plain
+
+Use convenience macro which does almost the same thing we were doing,
+but also pads out the payload length to a multiple of NLMSG_ALIGNTO (4)
+bytes.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reviewed-by: Laine Stump <laine@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/virarptable.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/util/virarptable.c b/src/util/virarptable.c
+index 299dddd664..d8e41c5a86 100644
+--- a/src/util/virarptable.c
++++ b/src/util/virarptable.c
+@@ -102,8 +102,7 @@ virArpTableGet(void)
+             return table;
+ 
+         VIR_WARNINGS_NO_CAST_ALIGN
+-        parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
+-                     nh->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
++        parse_rtattr(tb, NDA_MAX, NDA_RTA(r), NLMSG_PAYLOAD(nh, sizeof(*r)));
+         VIR_WARNINGS_RESET
+ 
+         if (tb[NDA_DST] == NULL || tb[NDA_LLADDR] == NULL)
+-- 
+2.46.0
+

0002-virarptable-Fix-check-for-message-length.patch

@@ -0,0 +1,42 @@
+From 137779b894858bd958ea575cec260a0559b31e48 Mon Sep 17 00:00:00 2001
+Message-ID: <137779b894858bd958ea575cec260a0559b31e48.1724763718.git.crobinso@redhat.com>
+In-Reply-To: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+References: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Fri, 16 Aug 2024 13:59:15 +0200
+Subject: [PATCH 2/3] virarptable: Fix check for message length
+Content-type: text/plain
+
+The previous check was all wrong since it calculated the how long would
+the netlink message be if the netlink header was the payload and then
+subtracted that from the whole message length, a variable that was not
+used later in the code.  This check can fail if there are no additional
+payloads, struct rtattr in particular, which we are parsing later,
+however the RTA_OK macro would've caught that anyway.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reviewed-by: Laine Stump <laine@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/virarptable.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/util/virarptable.c b/src/util/virarptable.c
+index d8e41c5a86..45ee76766f 100644
+--- a/src/util/virarptable.c
++++ b/src/util/virarptable.c
+@@ -81,10 +81,9 @@ virArpTableGet(void)
+     for (; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen)) {
+         VIR_WARNINGS_RESET
+         struct ndmsg *r = NLMSG_DATA(nh);
+-        int len = nh->nlmsg_len;
+         void *addr;
+ 
+-        if ((len -= NLMSG_LENGTH(sizeof(*nh))) < 0) {
++        if (nh->nlmsg_len < NLMSG_SPACE(sizeof(*r))) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("wrong nlmsg len"));
+             goto cleanup;
+-- 
+2.46.0
+

0003-virarptable-End-parsing-earlier-in-case-of-NLMSG_DON.patch

@@ -0,0 +1,54 @@
+From df2cefb31dab2fa56e0864fbd2b8ad468dee22c0 Mon Sep 17 00:00:00 2001
+Message-ID: <df2cefb31dab2fa56e0864fbd2b8ad468dee22c0.1724763718.git.crobinso@redhat.com>
+In-Reply-To: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+References: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Fri, 16 Aug 2024 14:02:48 +0200
+Subject: [PATCH 3/3] virarptable: End parsing earlier in case of NLMSG_DONE
+Content-type: text/plain
+
+Check for the last multipart message right as the first thing.  The
+presumption probably was that the last message might still contain a
+payload we want to parse.  However that cannot be true since that would
+have to be a type RTM_NEWNEIGH.  This was not caught because older
+kernels were note sending NLMSG_DONE and probably relied on the fact
+that the parsing just stops after all the messages are walked through,
+which the NLMSG_OK macro successfully did.
+
+Resolves: https://issues.redhat.com/browse/RHEL-52449
+Resolves: https://bugzilla.redhat.com/2302245
+Fixes: a176d67cdfaf5b8237a7e3a80d8be0e6bdf2d8fd
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reviewed-by: Laine Stump <laine@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/virarptable.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/virarptable.c b/src/util/virarptable.c
+index 45ee76766f..20d11f97b0 100644
+--- a/src/util/virarptable.c
++++ b/src/util/virarptable.c
+@@ -83,6 +83,9 @@ virArpTableGet(void)
+         struct ndmsg *r = NLMSG_DATA(nh);
+         void *addr;
+ 
++        if (nh->nlmsg_type == NLMSG_DONE)
++            break;
++
+         if (nh->nlmsg_len < NLMSG_SPACE(sizeof(*r))) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("wrong nlmsg len"));
+@@ -97,9 +100,6 @@ virArpTableGet(void)
+             (!(r->ndm_state == NUD_STALE || r->ndm_state == NUD_REACHABLE)))
+             continue;
+ 
+-        if (nh->nlmsg_type == NLMSG_DONE)
+-            return table;
+-
+         VIR_WARNINGS_NO_CAST_ALIGN
+         parse_rtattr(tb, NDA_MAX, NDA_RTA(r), NLMSG_PAYLOAD(nh, sizeof(*r)));
+         VIR_WARNINGS_RESET
+-- 
+2.46.0
+

fix-virtiofs-socket-label.patch

@@ -0,0 +1,31 @@
+From 4c5b2e1e0d0d0cbbf8c6ed28ce77d055d5974f7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Wed, 6 Mar 2024 17:26:40 +0100
+Subject: [PATCH] qemu: virtiofs: set correct label when creating the socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use svirt_t instead of virtd_t, since virtd_t is not available in the
+session mode and qemu with svirt_t won't be able to talk to unconfined_t
+socket.
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_virtiofs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
+index 15dea3bb57f..d80cddd3ba9 100644
+--- a/src/qemu/qemu_virtiofs.c
++++ b/src/qemu/qemu_virtiofs.c
+@@ -102,7 +102,7 @@ qemuVirtioFSOpenChardev(virQEMUDriver *driver,
+     chrdev->data.nix.listen = true;
+     chrdev->data.nix.path = g_strdup(socket_path);
+ 
+-    if (qemuSecuritySetDaemonSocketLabel(driver->securityManager, vm->def) < 0)
++    if (qemuSecuritySetSocketLabel(driver->securityManager, vm->def) < 0)
+         goto cleanup;
+     fd = qemuOpenChrChardevUNIXSocket(chrdev);
+     if (fd < 0) {

libvirt-regression-input-default-bus.patch

@@ -1,31 +0,0 @@
-From c9056e682a8a67dc29e39eb01392fcf8ee978c31 Mon Sep 17 00:00:00 2001
-From: Jonathan Wright <jonathan@almalinux.org>
-Date: Wed, 3 Jan 2024 09:26:59 -0600
-Subject: [PATCH] conf: Restore setting default bus for input devices
-
-Prior to v9.3.0-rc1~30 we used to set default bus for <input/>
-devices, during XML parsing. In the commit this code was moved to
-a post parse callback. But somehow the line that sets the bus in
-one specific case disappeared. Bring it back.
-
-Resolves: https://gitlab.com/libvirt/libvirt/-/issues/577
-Fixes: c4bc4d3b82fbe22e03c986ca896090f481df5c10
-Signed-off-by: Jonathan Wright <jonathan@almalinux.org>
-Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
----
- src/conf/domain_postparse.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/conf/domain_postparse.c b/src/conf/domain_postparse.c
-index e79913b73f..ee27023f3e 100644
---- a/src/conf/domain_postparse.c
-+++ b/src/conf/domain_postparse.c
-@@ -657,6 +657,7 @@ virDomainInputDefPostParse(virDomainInputDef *input,
-             if ((input->type == VIR_DOMAIN_INPUT_TYPE_MOUSE ||
-                  input->type == VIR_DOMAIN_INPUT_TYPE_KBD) &&
-                 (ARCH_IS_X86(def->os.arch) || def->os.arch == VIR_ARCH_NONE)) {
-+                    input->bus = VIR_DOMAIN_INPUT_BUS_PS2;
-             } else if (ARCH_IS_S390(def->os.arch) ||
-                        input->type == VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH) {
-                 input->bus = VIR_DOMAIN_INPUT_BUS_VIRTIO;
--- 

sources

@@ -1 +1 @@
-SHA512 (libvirt-9.7.0.tar.xz) = dd771822c0fa0861a32cab9d7f82235b101867fa0a4e8cf9a857ddfb2347e41b625b1e6f8791c4b3543fec836a1a23cae1fac4ce4b40debd51f2097bae46c949
+SHA512 (libvirt-10.1.0.tar.xz) = 08e73ae15de5681430b62db85ec9901242dca5e9a4ca9685614f4a67092c6e28f27f9187144b3ceb18ad6b40e6eb1a90b1a4b056b0888724d04a62002ee2bc48