nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz #1547237 )

Adapt to changed wireshark plugin install dir
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 12:15:26 -04:00 · 2018-06-21 10:56:18 +01:00 · 2018-06-21 09:16:26 +01:00 · 2018-02-13 14:26:06 -05:00 · 2017-12-04 12:11:03 -05:00 · 2017-09-15 19:06:08 -04:00
47 changed files with 4770 additions and 3055 deletions
@@ -1,13 +0,0 @@
-.build*.log
-*.rpm
-i686
-x86_64
-libvirt-*.tar.gz
-libvirt-0.6.0.tar.gz
-libvirt-0.6.1.tar.gz
-libvirt-0.6.2.tar.gz
-libvirt-0.6.3.tar.gz
-libvirt-0.6.4.tar.gz
-libvirt-0.6.5.tar.gz
-libvirt-0.7.0.tar.gz
-libvirt-0.7.1.tar.gz
@@ -0,0 +1,5 @@
+.build*.log
+*.rpm
+i686
+x86_64
+libvirt-*.tar.xz
@@ -0,0 +1,34 @@
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Thu, 29 Jun 2017 14:01:11 -0400
+Subject: [PATCH] tpm: Use /dev/null for cancel path if none was found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+TPM 2 does not implement sysfs files for cancellation of commands.
+We therefore use /dev/null for the cancel path passed to QEMU.
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Tested-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit dfbb15b75433e520fb1b905c1c3e28753e53e4a5)
+---
+ src/util/virtpm.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/util/virtpm.c b/src/util/virtpm.c
+index 6d9b0657a..d5c10da38 100644
+--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
+@@ -61,9 +61,7 @@ virTPMCreateCancelPath(const char *devpath)
+                 VIR_FREE(path);
+             }
+             if (!path)
+-                virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+-                               _("No usable sysfs TPM cancel file could be "
+-                                 "found"));
+                ignore_value(VIR_STRDUP(path, "/dev/null"));
+         } else {
+             virReportError(VIR_ERR_INTERNAL_ERROR,
+                            _("TPM device path %s is invalid"), devpath);
@@ -0,0 +1,108 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Sun, 27 Aug 2017 11:23:47 -0400
+Subject: [PATCH] security: add MANAGER_MOUNT_NAMESPACE flag
+
+The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver
+if mount namespaces are in use for the VM. Will be used for future
+changes.
+
+Wire it up in the qemu driver
+
+(cherry picked from commit 321031e482425dfeae0f125cdac6df870f079efd)
+---
+ src/qemu/qemu_driver.c          |  2 ++
+ src/security/security_dac.c     | 10 ++++++++++
+ src/security/security_dac.h     |  3 +++
+ src/security/security_manager.c |  4 +++-
+ src/security/security_manager.h |  1 +
+ 5 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index b7824512c..1f9264639 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
+     if (virQEMUDriverIsPrivileged(driver)) {
+         if (cfg->dynamicOwnership)
+             flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
+        if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT))
+            flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE;
+         if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
+                                        cfg->user,
+                                        cfg->group,
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index ca7a6af6d..507be44a2 100644
+--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
+@@ -57,6 +57,7 @@ struct _virSecurityDACData {
+     gid_t *groups;
+     int ngroups;
+     bool dynamicOwnership;
+    bool mountNamespace;
+     char *baselabel;
+     virSecurityManagerDACChownCallback chownCallback;
+ };
+@@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+     priv->dynamicOwnership = dynamicOwnership;
+ }
+ 
+void
+virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
+                                bool mountNamespace)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    priv->mountNamespace = mountNamespace;
+}
+
+
+ void
+ virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+                                virSecurityManagerDACChownCallback chownCallback)
+diff --git a/src/security/security_dac.h b/src/security/security_dac.h
+index 846cefbb5..97681c961 100644
+--- a/src/security/security_dac.h
+++ b/src/security/security_dac.h
+@@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+                                        bool dynamic);
+ 
+void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
+                                     bool mountNamespace);
+
+ void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+                                     virSecurityManagerDACChownCallback chownCallback);
+ 
+diff --git a/src/security/security_manager.c b/src/security/security_manager.c
+index 95b995230..e43c99d4f 100644
+--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
+@@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
+     virSecurityManagerPtr mgr;
+ 
+     virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
+-                  VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
+                  VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP |
+                  VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL);
+ 
+     mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
+                                       virtDriver,
+@@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
+     }
+ 
+     virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
+    virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE);
+     virSecurityDACSetChownCallback(mgr, chownCallback);
+ 
+     return mgr;
+diff --git a/src/security/security_manager.h b/src/security/security_manager.h
+index 01296d339..08fb89203 100644
+--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
+@@ -36,6 +36,7 @@ typedef enum {
+     VIR_SECURITY_MANAGER_REQUIRE_CONFINED   = 1 << 2,
+     VIR_SECURITY_MANAGER_PRIVILEGED         = 1 << 3,
+     VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP  = 1 << 4,
+    VIR_SECURITY_MANAGER_MOUNT_NAMESPACE    = 1 << 5,
+ } virSecurityManagerNewFlags;
+ 
+ # define VIR_SECURITY_MANAGER_NEW_MASK  \
@@ -0,0 +1,101 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 17 Jul 2017 08:57:57 -0400
+Subject: [PATCH] security: dac: relabel spice rendernode
+
+For a logged in user this a path like /dev/dri/renderD128 will have
+default ownership root:video which won't work for the qemu:qemu user,
+so we need to chown it.
+
+We only do this when mount namespaces are enabled in the qemu driver,
+so the chown'ing doesn't interfere with other users of the shared
+render node path
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1460804
+(cherry picked from commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634)
+---
+ src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 58 insertions(+)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index 507be44a2..349dbe81d 100644
+--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
+@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
+ }
+ 
+ 
+static int
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
+                               virDomainDefPtr def,
+                               virDomainGraphicsDefPtr gfx)
+
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityLabelDefPtr seclabel;
+    uid_t user;
+    gid_t group;
+
+    /* Skip chowning the shared render file if namespaces are disabled */
+    if (!priv->mountNamespace)
+        return 0;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+    if (seclabel && !seclabel->relabel)
+        return 0;
+
+    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+        return -1;
+
+    if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
+        gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
+        gfx->data.spice.rendernode) {
+        if (virSecurityDACSetOwnership(priv, NULL,
+                                       gfx->data.spice.rendernode,
+                                       user, group) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
+static int
+virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                               virDomainDefPtr def ATTRIBUTE_UNUSED,
+                               virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED)
+
+{
+    /* The only graphics labelling we do is dependent on mountNamespaces,
+       in which case 'restoring' the label doesn't actually accomplish
+       anything, so there's nothing to do here */
+    return 0;
+}
+
+
+ static int
+ virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
+                             virDomainDefPtr def,
+@@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
+             rc = -1;
+     }
+ 
+    for (i = 0; i < def->ngraphics; i++) {
+        if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+            return -1;
+    }
+
+     for (i = 0; i < def->ninputs; i++) {
+         if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
+             rc = -1;
+@@ -1611,6 +1664,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
+             return -1;
+     }
+ 
+    for (i = 0; i < def->ngraphics; i++) {
+        if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+            return -1;
+    }
+
+     for (i = 0; i < def->ninputs; i++) {
+         if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
+             return -1;
@@ -0,0 +1,72 @@
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256  / LSN-2017-0002
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
+(cherry picked from commit dc6c41798d1eb5c52c75365ffa22f7672709dfa7)
+---
+ src/qemu/qemu_command.c                                                 | 2 +-
+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args     | 2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args                 | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 9a27987d4..ae78cd17e 100644
+--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
+@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+     if (virJSONValueObjectCreate(propsret,
+                                  "s:dir", path,
+                                  "s:endpoint", (isListen ? "server": "client"),
+-                                 "b:verify-peer", verifypeer,
+                                 "b:verify-peer", (isListen ? verifypeer : true),
+                                  NULL) < 0)
+         goto cleanup;
+ 
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index 5aff7734e..ab5f7e27f 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
+endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 91f1fe0cd..2567abbfa 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
@@ -0,0 +1,177 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 15 Nov 2017 13:15:57 +0100
+Subject: [PATCH] qemu: Move snapshot disk validation functions into one
+
+Move the code so that both the new image and old image can be verified
+in the same function.
+
+(cherry picked from commit 8ffdeed455650557df531aafc66c20b31bd4e0c4)
+---
+ src/qemu/qemu_driver.c | 91 ++++++++++++++++++++------------------------------
+ 1 file changed, 36 insertions(+), 55 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1f9264639..57f0c2bf4 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -13793,17 +13793,19 @@ qemuDomainSnapshotCreateActiveInternal(virConnectPtr conn,
+ 
+ 
+ static int
+-qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
+qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdisk,
+                                              virDomainDiskDefPtr domdisk)
+ {
+-    int actualType = virStorageSourceGetActualType(disk->src);
+    int domDiskType = virStorageSourceGetActualType(domdisk->src);
+    int snapDiskType = virStorageSourceGetActualType(snapdisk->src);
+ 
+-    switch ((virStorageType) actualType) {
+    switch ((virStorageType) domDiskType) {
+     case VIR_STORAGE_TYPE_BLOCK:
+     case VIR_STORAGE_TYPE_FILE:
+-        return 0;
+        break;
+ 
+     case VIR_STORAGE_TYPE_NETWORK:
+-        switch ((virStorageNetProtocol) disk->src->protocol) {
+        switch ((virStorageNetProtocol) domdisk->src->protocol) {
+         case VIR_STORAGE_NET_PROTOCOL_NONE:
+         case VIR_STORAGE_NET_PROTOCOL_NBD:
+         case VIR_STORAGE_NET_PROTOCOL_RBD:
+@@ -13820,7 +13822,7 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
+             virReportError(VIR_ERR_INTERNAL_ERROR,
+                            _("external inactive snapshots are not supported on "
+                              "'network' disks using '%s' protocol"),
+-                           virStorageNetProtocolTypeToString(disk->src->protocol));
+                           virStorageNetProtocolTypeToString(domdisk->src->protocol));
+             return -1;
+         }
+         break;
+@@ -13831,7 +13833,23 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
+     case VIR_STORAGE_TYPE_LAST:
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("external inactive snapshots are not supported on "
+-                         "'%s' disks"), virStorageTypeToString(actualType));
+                         "'%s' disks"), virStorageTypeToString(domDiskType));
+        return -1;
+    }
+
+    switch ((virStorageType) snapDiskType) {
+    case VIR_STORAGE_TYPE_BLOCK:
+    case VIR_STORAGE_TYPE_FILE:
+        break;
+
+    case VIR_STORAGE_TYPE_NETWORK:
+    case VIR_STORAGE_TYPE_DIR:
+    case VIR_STORAGE_TYPE_VOLUME:
+    case VIR_STORAGE_TYPE_NONE:
+    case VIR_STORAGE_TYPE_LAST:
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("external inactive snapshots are not supported on "
+                         "'%s' disks"), virStorageTypeToString(snapDiskType));
+         return -1;
+     }
+ 
+@@ -13840,33 +13858,27 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
+ 
+ 
+ static int
+-qemuDomainSnapshotPrepareDiskExternalBackingActive(virDomainDiskDefPtr disk)
+qemuDomainSnapshotPrepareDiskExternalActive(virDomainSnapshotDiskDefPtr snapdisk,
+                                            virDomainDiskDefPtr domdisk)
+ {
+-    if (disk->device == VIR_DOMAIN_DISK_DEVICE_LUN) {
+    int actualType = virStorageSourceGetActualType(snapdisk->src);
+
+    if (domdisk->device == VIR_DOMAIN_DISK_DEVICE_LUN) {
+         virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                        _("external active snapshots are not supported on scsi "
+                          "passthrough devices"));
+         return -1;
+     }
+ 
+-    return 0;
+-}
+-
+-
+-static int
+-qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr disk)
+-{
+-    int actualType = virStorageSourceGetActualType(disk->src);
+-
+     switch ((virStorageType) actualType) {
+     case VIR_STORAGE_TYPE_BLOCK:
+     case VIR_STORAGE_TYPE_FILE:
+-        return 0;
+        break;
+ 
+     case VIR_STORAGE_TYPE_NETWORK:
+-        switch ((virStorageNetProtocol) disk->src->protocol) {
+        switch ((virStorageNetProtocol) snapdisk->src->protocol) {
+         case VIR_STORAGE_NET_PROTOCOL_GLUSTER:
+-            return 0;
+            break;
+ 
+         case VIR_STORAGE_NET_PROTOCOL_NONE:
+         case VIR_STORAGE_NET_PROTOCOL_NBD:
+@@ -13883,7 +13895,7 @@ qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d
+             virReportError(VIR_ERR_INTERNAL_ERROR,
+                            _("external active snapshots are not supported on "
+                              "'network' disks using '%s' protocol"),
+-                           virStorageNetProtocolTypeToString(disk->src->protocol));
+                           virStorageNetProtocolTypeToString(snapdisk->src->protocol));
+             return -1;
+ 
+         }
+@@ -13903,31 +13915,6 @@ qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d
+ }
+ 
+ 
+-static int
+-qemuDomainSnapshotPrepareDiskExternalOverlayInactive(virDomainSnapshotDiskDefPtr disk)
+-{
+-    int actualType = virStorageSourceGetActualType(disk->src);
+-
+-    switch ((virStorageType) actualType) {
+-    case VIR_STORAGE_TYPE_BLOCK:
+-    case VIR_STORAGE_TYPE_FILE:
+-        return 0;
+-
+-    case VIR_STORAGE_TYPE_NETWORK:
+-    case VIR_STORAGE_TYPE_DIR:
+-    case VIR_STORAGE_TYPE_VOLUME:
+-    case VIR_STORAGE_TYPE_NONE:
+-    case VIR_STORAGE_TYPE_LAST:
+-        virReportError(VIR_ERR_INTERNAL_ERROR,
+-                       _("external inactive snapshots are not supported on "
+-                         "'%s' disks"), virStorageTypeToString(actualType));
+-        return -1;
+-    }
+-
+-    return 0;
+-}
+-
+-
+ static int
+ qemuDomainSnapshotPrepareDiskExternal(virConnectPtr conn,
+                                       virDomainDiskDefPtr disk,
+@@ -13945,16 +13932,10 @@ qemuDomainSnapshotPrepareDiskExternal(virConnectPtr conn,
+         if (virStorageTranslateDiskSourcePool(conn, disk) < 0)
+             return -1;
+ 
+-        if (qemuDomainSnapshotPrepareDiskExternalBackingInactive(disk) < 0)
+-            return -1;
+-
+-        if (qemuDomainSnapshotPrepareDiskExternalOverlayInactive(snapdisk) < 0)
+        if (qemuDomainSnapshotPrepareDiskExternalInactive(snapdisk, disk) < 0)
+             return -1;
+     } else {
+-        if (qemuDomainSnapshotPrepareDiskExternalBackingActive(disk) < 0)
+-            return -1;
+-
+-        if (qemuDomainSnapshotPrepareDiskExternalOverlayActive(snapdisk) < 0)
+        if (qemuDomainSnapshotPrepareDiskExternalActive(snapdisk, disk) < 0)
+             return -1;
+     }
+ 
@@ -0,0 +1,55 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Tue, 14 Nov 2017 15:34:46 +0100
+Subject: [PATCH] qemu: block: Add function to check if storage source allows
+ concurrent access
+
+Storage source format backing a shared device (e.g. running a cluster
+filesystem) needs to support the sharing so that metadata are not
+corrupted. Add a central function for checking this.
+
+(cherry picked from commit 1fc3cd8731640aefc48bbd9fc489f21cb99c6f67)
+---
+ src/qemu/qemu_block.c | 15 +++++++++++++++
+ src/qemu/qemu_block.h |  3 +++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
+index 7fb12ea5a..4c0a5eb78 100644
+--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
+@@ -379,6 +379,21 @@ qemuBlockGetNodeData(virJSONValuePtr data)
+ }
+ 
+ 
+/**
+ * qemuBlockStorageSourceSupportsConcurrentAccess:
+ * @src: disk storage source
+ *
+ * Returns true if the given storage format supports concurrent access from two
+ * separate processes.
+ */
+bool
+qemuBlockStorageSourceSupportsConcurrentAccess(virStorageSourcePtr src)
+{
+    /* no need to check in backing chain since only RAW storage supports this */
+    return src->format == VIR_STORAGE_FILE_RAW;
+}
+
+
+ /**
+  * qemuBlockStorageSourceBuildHostsJSONSocketAddress:
+  * @src: disk storage source
+diff --git a/src/qemu/qemu_block.h b/src/qemu/qemu_block.h
+index f0a2c9aa7..ebf3149ce 100644
+--- a/src/qemu/qemu_block.h
+++ b/src/qemu/qemu_block.h
+@@ -53,6 +53,9 @@ qemuBlockNodeNamesDetect(virQEMUDriverPtr driver,
+ virHashTablePtr
+ qemuBlockGetNodeData(virJSONValuePtr data);
+ 
+bool
+qemuBlockStorageSourceSupportsConcurrentAccess(virStorageSourcePtr src);
+
+ virJSONValuePtr
+ qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src);
+ 
@@ -0,0 +1,146 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Tue, 14 Nov 2017 15:37:09 +0100
+Subject: [PATCH] qemu: domain: Reject shared disk access if backing format
+ does not support it
+
+Disk sharing between two VMs may corrupt the images if the format driver
+does not support it. Check that the user declared use of a supported
+storage format when they want to share the disk.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
+(cherry picked from commit 3b03a27cd00c2f032661d2bf8905795425752fc7)
+---
+ src/qemu/qemu_domain.c                             | 29 +++++++++++++++++++++-
+ .../qemuxml2argv-disk-drive-shared-qcow.xml        | 28 +++++++++++++++++++++
+ .../qemuxml2argv-disk-drive-shared.args            |  2 +-
+ .../qemuxml2argv-disk-drive-shared.xml             |  2 +-
+ tests/qemuxml2argvtest.c                           |  1 +
+ 5 files changed, 59 insertions(+), 3 deletions(-)
+ create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index b98ffffae..42d17c1b0 100644
+--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
+@@ -25,6 +25,7 @@
+ 
+ #include "qemu_domain.h"
+ #include "qemu_alias.h"
+#include "qemu_block.h"
+ #include "qemu_cgroup.h"
+ #include "qemu_command.h"
+ #include "qemu_process.h"
+@@ -3299,6 +3300,29 @@ qemuDomainRedirdevDefValidate(const virDomainRedirdevDef *def)
+ }
+ 
+ 
+static int
+qemuDomainDeviceDefValidateDisk(const virDomainDiskDef *disk)
+{
+    if (disk->src->shared && !disk->src->readonly) {
+        if (disk->src->format <= VIR_STORAGE_FILE_AUTO) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("shared access for disk '%s' requires use of "
+                             "explicitly specified disk format"), disk->dst);
+            return -1;
+        }
+
+        if (!qemuBlockStorageSourceSupportsConcurrentAccess(disk->src)) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("shared access for disk '%s' requires use of "
+                             "supported storage format"), disk->dst);
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+
+ static int
+ qemuDomainDeviceDefValidate(const virDomainDeviceDef *dev,
+                             const virDomainDef *def ATTRIBUTE_UNUSED,
+@@ -3308,7 +3332,10 @@ qemuDomainDeviceDefValidate(const virDomainDeviceDef *dev,
+     virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+     int ret = -1;
+ 
+-    if (dev->type == VIR_DOMAIN_DEVICE_NET) {
+    if (dev->type == VIR_DOMAIN_DEVICE_DISK) {
+        if (qemuDomainDeviceDefValidateDisk(dev->data.disk) < 0)
+            goto cleanup;
+    } else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
+         const virDomainNetDef *net = dev->data.net;
+ 
+         if (net->guestIP.nroutes || net->guestIP.nips) {
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml
+new file mode 100644
+index 000000000..ca88a944b
+--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml
+@@ -0,0 +1,28 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-i686</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='ide'/>
+      <shareable/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args
+index 502157bf8..326fde1b3 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args
+@@ -19,7 +19,7 @@ server,nowait \
+ -no-acpi \
+ -boot c \
+ -usb \
+--drive file=/dev/HostVG/QEMUGuest1,format=qcow2,if=none,id=drive-ide0-0-0,\
+-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0,\
+ serial=XYZXYZXYZYXXYZYZYXYZY,cache=none \
+ -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
+ -drive file=/dev/HostVG/QEMUGuest2,format=raw,if=none,media=cdrom,\
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml
+index 9f7472378..677c2b0b7 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml
+@@ -15,7 +15,7 @@
+   <devices>
+     <emulator>/usr/bin/qemu-system-i686</emulator>
+     <disk type='block' device='disk'>
+-      <driver name='qemu' type='qcow2'/>
+      <driver name='qemu' type='raw'/>
+       <source dev='/dev/HostVG/QEMUGuest1'/>
+       <target dev='hda' bus='ide'/>
+       <shareable/>
+diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
+index 18f06e5aa..93f892229 100644
+--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
+@@ -895,6 +895,7 @@ mymain(void)
+             QEMU_CAPS_DRIVE_BOOT);
+     DO_TEST("disk-drive-shared",
+             QEMU_CAPS_DRIVE_SERIAL);
+    DO_TEST_PARSE_ERROR("disk-drive-shared-qcow", NONE);
+     DO_TEST("disk-drive-error-policy-stop",
+             QEMU_CAPS_MONITOR_JSON);
+     DO_TEST("disk-drive-error-policy-enospace",
@@ -0,0 +1,63 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 15 Nov 2017 13:41:01 +0100
+Subject: [PATCH] qemu: snapshot: Disallow snapshot of unsupported shared disks
+
+Creating a snapshot would introduce a possibly unsupported member for
+sharing into the backing chain. Add a check to prevent that from
+happening.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
+(cherry picked from commit 9b2fbfa6f6b535b9f41a7503531d43d86d7a8868)
+---
+ src/qemu/qemu_driver.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 57f0c2bf4..91119a494 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -13792,6 +13792,24 @@ qemuDomainSnapshotCreateActiveInternal(virConnectPtr conn,
+ }
+ 
+ 
+static int
+qemuDomainSnapshotPrepareDiskShared(virDomainSnapshotDiskDefPtr snapdisk,
+                                    virDomainDiskDefPtr domdisk)
+{
+    if (!domdisk->src->shared || domdisk->src->readonly)
+        return 0;
+
+    if (!qemuBlockStorageSourceSupportsConcurrentAccess(snapdisk->src)) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("shared access for disk '%s' requires use of "
+                         "supported storage format"), domdisk->dst);
+        return -1;
+    }
+
+    return 0;
+}
+
+
+ static int
+ qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdisk,
+                                               virDomainDiskDefPtr domdisk)
+@@ -13853,6 +13871,9 @@ qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdi
+         return -1;
+     }
+ 
+    if (qemuDomainSnapshotPrepareDiskShared(snapdisk, domdisk) < 0)
+        return -1;
+
+     return 0;
+ }
+ 
+@@ -13911,6 +13932,9 @@ qemuDomainSnapshotPrepareDiskExternalActive(virDomainSnapshotDiskDefPtr snapdisk
+         return -1;
+     }
+ 
+    if (qemuDomainSnapshotPrepareDiskShared(snapdisk, domdisk) < 0)
+        return -1;
+
+     return 0;
+ }
+ 
@@ -0,0 +1,34 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 15 Nov 2017 14:33:11 +0100
+Subject: [PATCH] qemu: Disallow pivot of shared disks to unsupported storage
+
+Pivoting to a unsupported storage type might break the assumption that
+shared disks will not corrupt metadata.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
+(cherry picked from commit 2b41c86294786c07f53afa633fe3dce703debc3c)
+---
+ src/qemu/qemu_driver.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 91119a494..208ccc9bc 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -16325,6 +16325,16 @@ qemuDomainBlockPivot(virQEMUDriverPtr driver,
+         goto cleanup;
+     }
+ 
+    /* When pivoting to a shareable disk we need to make sure that the disk can
+     * be safely shared, since block copy might have changed the format. */
+    if (disk->src->shared && !disk->src->readonly &&
+        !qemuBlockStorageSourceSupportsConcurrentAccess(disk->mirror)) {
+        virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+                       _("can't pivot a shared disk to a storage volume not "
+                         "supporting sharing"));
+        goto cleanup;
+    }
+
+     /* For active commit, the mirror is part of the already labeled
+      * chain.  For blockcopy, we previously labeled only the top-level
+      * image; but if the user is reusing an external image that
@@ -0,0 +1,126 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 15 Nov 2017 15:02:58 +0100
+Subject: [PATCH] qemu: caps: Add capability for 'share-rw' disk option
+
+'share-rw' for the disk device configures qemu to allow concurrent
+access to the backing storage.
+
+The capability is checked in various supported disk frontend buses since
+it does not make sense to partially backport it.
+
+(cherry picked from commit 860a3c4bea1d24773d8a495f213d5de3ac48a462)
+---
+ src/qemu/qemu_capabilities.c                      | 14 ++++++++++++++
+ src/qemu/qemu_capabilities.h                      | 10 ++++++++++
+ tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml |  1 +
+ tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml   |  1 +
+ tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml  |  1 +
+ 5 files changed, 27 insertions(+)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index e7ea6f47c..2de84715e 100644
+--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
+@@ -439,6 +439,16 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
+               "virtio-net.tx_queue_size",
+               "chardev-reconnect",
+               "virtio-gpu.max_outputs",
+
+              /* 270 */
+              "vxhs",
+              "virtio-blk.num-queues",
+              "machine.pseries.resize-hpt",
+              "vmcoreinfo",
+              "spapr-vty",
+
+              /* 275 */
+              "disk-share-rw",
+     );
+ 
+ 
+@@ -1702,6 +1712,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVirtioBlk[] = {
+     { "event_idx", QEMU_CAPS_VIRTIO_BLK_EVENT_IDX },
+     { "scsi", QEMU_CAPS_VIRTIO_BLK_SCSI },
+     { "logical_block_size", QEMU_CAPS_BLOCKIO },
+    { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
+ };
+ 
+ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVirtioNet[] = {
+@@ -1732,10 +1743,12 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVfioPCI[] = {
+ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsSCSIDisk[] = {
+     { "channel", QEMU_CAPS_SCSI_DISK_CHANNEL },
+     { "wwn", QEMU_CAPS_SCSI_DISK_WWN },
+    { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
+ };
+ 
+ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsIDEDrive[] = {
+     { "wwn", QEMU_CAPS_IDE_DRIVE_WWN },
+    { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
+ };
+ 
+ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsPiix4PM[] = {
+@@ -1766,6 +1779,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsQ35PCIHost[] = {
+ 
+ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsUSBStorage[] = {
+     { "removable", QEMU_CAPS_USB_STORAGE_REMOVABLE },
+    { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
+ };
+ 
+ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsKVMPit[] = {
+diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
+index f32687d4a..9c92d6b46 100644
+--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
+@@ -426,6 +426,16 @@ typedef enum {
+     QEMU_CAPS_CHARDEV_RECONNECT, /* -chardev reconnect */
+     QEMU_CAPS_VIRTIO_GPU_MAX_OUTPUTS, /* -device virtio-(vga|gpu-*),max-outputs= */
+ 
+    /* 270 */
+    QEMU_CAPS_VXHS, /* -drive file.driver=vxhs via query-qmp-schema */
+    QEMU_CAPS_VIRTIO_BLK_NUM_QUEUES, /* virtio-blk-*.num-queues */
+    QEMU_CAPS_MACHINE_PSERIES_RESIZE_HPT, /* -machine pseries,resize-hpt */
+    QEMU_CAPS_DEVICE_VMCOREINFO, /* -device vmcoreinfo */
+    QEMU_CAPS_DEVICE_SPAPR_VTY, /* -device spapr-vty */
+
+    /* 275 */
+    QEMU_CAPS_DISK_SHARE_RW, /* share-rw=on for concurrent disk access */
+
+     QEMU_CAPS_LAST /* this must always be the last item */
+ } virQEMUCapsFlags;
+ 
+diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
+index a373a6db6..9551907c6 100644
+--- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
+@@ -172,6 +172,7 @@
+   <flag name='vnc-multi-servers'/>
+   <flag name='chardev-reconnect'/>
+   <flag name='virtio-gpu.max_outputs'/>
+  <flag name='disk-share-rw'/>
+   <version>2009000</version>
+   <kvmVersion>0</kvmVersion>
+   <package> (v2.9.0)</package>
+diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+index e80782cfb..0a6fbd077 100644
+--- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+@@ -137,6 +137,7 @@
+   <flag name='vnc-multi-servers'/>
+   <flag name='chardev-reconnect'/>
+   <flag name='virtio-gpu.max_outputs'/>
+  <flag name='disk-share-rw'/>
+   <version>2009000</version>
+   <kvmVersion>0</kvmVersion>
+   <package></package>
+diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+index 3641d0332..1294ebdb3 100644
+--- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+@@ -220,6 +220,7 @@
+   <flag name='vnc-multi-servers'/>
+   <flag name='chardev-reconnect'/>
+   <flag name='virtio-gpu.max_outputs'/>
+  <flag name='disk-share-rw'/>
+   <version>2009000</version>
+   <kvmVersion>0</kvmVersion>
+   <package> (v2.9.0)</package>
@@ -0,0 +1,133 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 15 Nov 2017 15:21:14 +0100
+Subject: [PATCH] qemu: command: Mark <shared/> disks as such in qemu
+
+Qemu has now an internal mechanism for locking images to fix specific
+cases of disk corruption. This requires libvirt to mark the image as
+shared so that qemu lifts certain restrictions.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1378242
+(cherry picked from commit 28907b0043fbf71085a798372ab9c816ba043b93)
+---
+ src/qemu/qemu_command.c                            |  4 +++
+ .../qemuxml2argv-disk-drive-shared-locking.args    | 32 +++++++++++++++++
+ .../qemuxml2argv-disk-drive-shared-locking.xml     | 42 ++++++++++++++++++++++
+ tests/qemuxml2argvtest.c                           |  2 ++
+ 4 files changed, 80 insertions(+)
+ create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args
+ create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index ae78cd17e..883525752 100644
+--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
+@@ -2075,6 +2075,10 @@ qemuBuildDriveDevStr(const virDomainDef *def,
+         goto error;
+     }
+ 
+    if (disk->src->shared &&
+        virQEMUCapsGet(qemuCaps, QEMU_CAPS_DISK_SHARE_RW))
+        virBufferAddLit(&opt, ",share-rw=on");
+
+     if (!(drivealias = qemuAliasFromDisk(disk)))
+         goto error;
+     virBufferAsprintf(&opt, ",drive=%s,id=%s", drivealias, disk->info.alias);
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args
+new file mode 100644
+index 000000000..cdf17f26d
+--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args
+@@ -0,0 +1,32 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-i686 \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nographic \
+-nodefaults \
+-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
+server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=readline \
+-no-acpi \
+-boot c \
+-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
+-usb \
+-drive file=/dev/ide,format=raw,if=none,id=drive-ide0-0-0,cache=none \
+-device ide-drive,bus=ide.0,unit=0,share-rw=on,drive=drive-ide0-0-0,\
+id=ide0-0-0 \
+-drive file=/dev/scsi,format=raw,if=none,id=drive-scsi0-0-0-0,cache=none \
+-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,share-rw=on,\
+drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 \
+-drive file=/dev/virtio,format=raw,if=none,id=drive-virtio-disk0,cache=none \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,share-rw=on,drive=drive-virtio-disk0,\
+id=virtio-disk0 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml
+new file mode 100644
+index 000000000..dd48857a3
+--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml
+@@ -0,0 +1,42 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-i686</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/ide'/>
+      <target dev='hda' bus='ide'/>
+      <shareable/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/scsi'/>
+      <target dev='sda' bus='scsi'/>
+      <shareable/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/virtio'/>
+      <target dev='vda' bus='virtio'/>
+      <shareable/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <controller type='scsi' index='0' model='virtio-scsi'/>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
+diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
+index 93f892229..9585fdb70 100644
+--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
+@@ -896,6 +896,8 @@ mymain(void)
+     DO_TEST("disk-drive-shared",
+             QEMU_CAPS_DRIVE_SERIAL);
+     DO_TEST_PARSE_ERROR("disk-drive-shared-qcow", NONE);
+    DO_TEST("disk-drive-shared-locking",
+            QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DISK_SHARE_RW);
+     DO_TEST("disk-drive-error-policy-stop",
+             QEMU_CAPS_MONITOR_JSON);
+     DO_TEST("disk-drive-error-policy-enospace",
@@ -0,0 +1,36 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 20 Dec 2017 12:58:36 +0100
+Subject: [PATCH] util: probe: Add quiet versions of the "PROBE" macro
+
+PROBE macro adds a logging entry, when used in places seeing a lot of
+traffic this can cause a significant slowdown.
+
+(cherry picked from commit f06e488d5484031a76e7ed231c8fef8fa1181d2c)
+---
+ src/util/virprobe.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/util/virprobe.h b/src/util/virprobe.h
+index 7565954af..bd8c32964 100644
+--- a/src/util/virprobe.h
+++ b/src/util/virprobe.h
+@@ -90,11 +90,19 @@
+         PROBE_EXPAND(LIBVIRT_ ## NAME,                       \
+                      VIR_ADD_CASTS(__VA_ARGS__));            \
+     }
+
+#  define PROBE_QUIET(NAME, FMT, ...) \
+    if (LIBVIRT_ ## NAME ## _ENABLED()) { \
+        PROBE_EXPAND(LIBVIRT_ ## NAME, \
+                     VIR_ADD_CASTS(__VA_ARGS__)); \
+    }
+ # else
+ #  define PROBE(NAME, FMT, ...)                              \
+     VIR_INFO_INT(&virLogSelf,                                \
+                  __FILE__, __LINE__, __func__,               \
+                  #NAME ": " FMT, __VA_ARGS__);
+
+#  define PROBE_QUIET(NAME, FMT, ...)
+ # endif
+ 
+ #endif /* __VIR_PROBE_H__ */
@@ -0,0 +1,49 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 20 Dec 2017 13:09:07 +0100
+Subject: [PATCH] qemu: monitor: Decrease logging verbosity
+
+The PROBE macro used in qemuMonitorIOProcess and the VIR_DEBUG message
+in qemuMonitorJSONIOProcess create a lot of logging churn when debug
+logging is enabled during monitor communication.
+
+The messages logged from the PROBE macro are rather useless since they
+are reporting the partial state of receiving the reply from qemu. The
+actual full reply is still logged in qemuMonitorJSONIOProcessLine once
+the full message is received.
+
+(cherry picked from commit f10bb3347b43d900ff361cda5fe1996782284991)
+---
+ src/qemu/qemu_monitor.c      | 4 ++--
+ src/qemu/qemu_monitor_json.c | 3 +++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 19082d8bf..3def28852 100644
+--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
+@@ -434,8 +434,8 @@ qemuMonitorIOProcess(qemuMonitorPtr mon)
+ # endif
+ #endif
+ 
+-    PROBE(QEMU_MONITOR_IO_PROCESS,
+-          "mon=%p buf=%s len=%zu", mon, mon->buffer, mon->bufferOffset);
+    PROBE_QUIET(QEMU_MONITOR_IO_PROCESS, "mon=%p buf=%s len=%zu",
+                mon, mon->buffer, mon->bufferOffset);
+ 
+     if (mon->json)
+         len = qemuMonitorJSONIOProcess(mon,
+diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
+index df5fb7c8f..461aae089 100644
+--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
+@@ -259,7 +259,10 @@ int qemuMonitorJSONIOProcess(qemuMonitorPtr mon,
+         }
+     }
+ 
+#if DEBUG_IO
+     VIR_DEBUG("Total used %d bytes out of %zd available in buffer", used, len);
+#endif
+
+     return used;
+ }
+ 
@@ -0,0 +1,63 @@
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sat, 27 Jan 2018 23:43:58 +0100
+Subject: [PATCH] virlog: determine the hostname on startup CVE-2018-6764
+
+At later point it might not be possible or even safe to use getaddrinfo(). It
+can in turn result in a load of NSS module.
+
+Notably, on a LXC container startup we may find ourselves with the guest
+filesystem already having replaced the host one. Loading a NSS module
+from the guest tree would allow a malicous guest to escape the
+confinement of its container environment because libvirt will not yet
+have locked it down.
+
+(cherry picked from commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167)
+---
+ src/util/virlog.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/util/virlog.c b/src/util/virlog.c
+index d45a451a7..05e0e199e 100644
+--- a/src/util/virlog.c
+++ b/src/util/virlog.c
+@@ -64,6 +64,7 @@
+ VIR_LOG_INIT("util.log");
+ 
+ static regex_t *virLogRegex;
+static char *virLogHostname;
+ 
+ 
+ #define VIR_LOG_DATE_REGEX "[0-9]{4}-[0-9]{2}-[0-9]{2}"
+@@ -271,6 +272,12 @@ virLogOnceInit(void)
+             VIR_FREE(virLogRegex);
+     }
+ 
+    /* We get and remember the hostname early, because at later time
+     * it might not be possible to load NSS modules via getaddrinfo()
+     * (e.g. at container startup the host filesystem will not be
+     * accessible anymore. */
+    virLogHostname = virGetHostnameQuiet();
+
+     virLogUnlock();
+     return 0;
+ }
+@@ -466,17 +473,14 @@ static int
+ virLogHostnameString(char **rawmsg,
+                      char **msg)
+ {
+-    char *hostname = virGetHostnameQuiet();
+     char *hoststr;
+ 
+-    if (!hostname)
+    if (!virLogHostname)
+         return -1;
+ 
+-    if (virAsprintfQuiet(&hoststr, "hostname: %s", hostname) < 0) {
+-        VIR_FREE(hostname);
+    if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0) {
+         return -1;
+     }
+-    VIR_FREE(hostname);
+ 
+     if (virLogFormatString(msg, 0, NULL, VIR_LOG_INFO, hoststr) < 0) {
+         VIR_FREE(hoststr);
@@ -0,0 +1,27 @@
+From: Andrea Bolognani <abologna@redhat.com>
+Date: Wed, 7 Feb 2018 14:39:18 +0100
+Subject: [PATCH] util: Fix syntax-check
+
+Broken by 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167.
+
+Signed-off-by: Andrea Bolognani <abologna@redhat.com>
+(cherry picked from commit 6ce3acc129bfdbe7fd02bcb8bbe8af6d13903684)
+---
+ src/util/virlog.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/util/virlog.c b/src/util/virlog.c
+index 05e0e199e..056b53cda 100644
+--- a/src/util/virlog.c
+++ b/src/util/virlog.c
+@@ -478,9 +478,8 @@ virLogHostnameString(char **rawmsg,
+     if (!virLogHostname)
+         return -1;
+ 
+-    if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0) {
+    if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0)
+         return -1;
+-    }
+ 
+     if (virLogFormatString(msg, 0, NULL, VIR_LOG_INFO, hoststr) < 0) {
+         VIR_FREE(hoststr);
@@ -0,0 +1,121 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 12 Feb 2018 10:03:08 +0000
+Subject: [PATCH] log: fix deadlock obtaining hostname (related CVE-2018-6764)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The fix for CVE-2018-6764 introduced a potential deadlock scenario
+that gets triggered by the NSS module when virGetHostname() calls
+getaddrinfo to resolve the hostname:
+
+ #0  0x00007f6e714b57e7 in futex_wait
+ #1  futex_wait_simple
+ #2  __pthread_once_slow
+ #3  0x00007f6e71d16e7d in virOnce
+ #4  0x00007f6e71d0997c in virLogInitialize
+ #5  0x00007f6e71d0a09a in virLogVMessage
+ #6  0x00007f6e71d09ffd in virLogMessage
+ #7  0x00007f6e71d0db22 in virObjectNew
+ #8  0x00007f6e71d0dbf1 in virObjectLockableNew
+ #9  0x00007f6e71d0d3e5 in virMacMapNew
+ #10 0x00007f6e71cdc50a in findLease
+ #11 0x00007f6e71cdcc56 in _nss_libvirt_gethostbyname4_r
+ #12 0x00007f6e724631fc in gaih_inet
+ #13 0x00007f6e72464697 in __GI_getaddrinfo
+ #14 0x00007f6e71d19e81 in virGetHostnameImpl
+ #15 0x00007f6e71d1a057 in virGetHostnameQuiet
+ #16 0x00007f6e71d09936 in virLogOnceInit
+ #17 0x00007f6e71d09952 in virLogOnce
+ #18 0x00007f6e714b5829 in __pthread_once_slow
+ #19 0x00007f6e71d16e7d in virOnce
+ #20 0x00007f6e71d0997c in virLogInitialize
+ #21 0x00007f6e71d0a09a in virLogVMessage
+ #22 0x00007f6e71d09ffd in virLogMessage
+ #23 0x00007f6e71d0db22 in virObjectNew
+ #24 0x00007f6e71d0dbf1 in virObjectLockableNew
+ #25 0x00007f6e71d0d3e5 in virMacMapNew
+ #26 0x00007f6e71cdc50a in findLease
+ #27 0x00007f6e71cdc839 in _nss_libvirt_gethostbyname3_r
+ #28 0x00007f6e71cdc724 in _nss_libvirt_gethostbyname2_r
+ #29 0x00007f6e7248f72f in __gethostbyname2_r
+ #30 0x00007f6e7248f494 in gethostbyname2
+ #31 0x000056348c30c36d in hosts_keys
+ #32 0x000056348c30b7d2 in main
+
+Fortunately the extra stuff virGetHostname does is totally irrelevant to
+the needs of the logging code, so we can just inline a call to the
+native hostname() syscall directly.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit c2dc6698c88fb591639e542c8ecb0076c54f3dfb)
+---
+ cfg.mk            |  2 +-
+ src/util/virlog.c | 20 ++++++++++++++------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/cfg.mk b/cfg.mk
+index 56cb14bd9..a4131592c 100644
+--- a/cfg.mk
+++ b/cfg.mk
+@@ -1158,7 +1158,7 @@ _src2=src/(util/vircommand|libvirt|lxc/lxc_controller|locking/lock_daemon|loggin
+ exclude_file_name_regexp--sc_prohibit_fork_wrappers = \
+   (^($(_src2)|tests/testutils|daemon/libvirtd)\.c$$)
+ 
+-exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/virutil\.c$$
+exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/vir(util|log)\.c$$
+ 
+ exclude_file_name_regexp--sc_prohibit_internal_functions = \
+   ^src/(util/(viralloc|virutil|virfile)\.[hc]|esx/esx_vi\.c)$$
+diff --git a/src/util/virlog.c b/src/util/virlog.c
+index 056b53cda..f76fc2caf 100644
+--- a/src/util/virlog.c
+++ b/src/util/virlog.c
+@@ -64,7 +64,7 @@
+ VIR_LOG_INIT("util.log");
+ 
+ static regex_t *virLogRegex;
+-static char *virLogHostname;
+static char virLogHostname[HOST_NAME_MAX+1];
+ 
+ 
+ #define VIR_LOG_DATE_REGEX "[0-9]{4}-[0-9]{2}-[0-9]{2}"
+@@ -261,6 +261,8 @@ virLogPriorityString(virLogPriority lvl)
+ static int
+ virLogOnceInit(void)
+ {
+    int r;
+
+     if (virMutexInit(&virLogMutex) < 0)
+         return -1;
+ 
+@@ -275,8 +277,17 @@ virLogOnceInit(void)
+     /* We get and remember the hostname early, because at later time
+      * it might not be possible to load NSS modules via getaddrinfo()
+      * (e.g. at container startup the host filesystem will not be
+-     * accessible anymore. */
+-    virLogHostname = virGetHostnameQuiet();
+     * accessible anymore.
+     * Must not use virGetHostname though as that causes re-entrancy
+     * problems if it triggers logging codepaths
+     */
+    r = gethostname(virLogHostname, sizeof(virLogHostname));
+    if (r == -1) {
+        ignore_value(virStrcpy(virLogHostname,
+                               "(unknown)", sizeof(virLogHostname)));
+    } else {
+        NUL_TERMINATE(virLogHostname);
+    }
+ 
+     virLogUnlock();
+     return 0;
+@@ -475,9 +486,6 @@ virLogHostnameString(char **rawmsg,
+ {
+     char *hoststr;
+ 
+-    if (!virLogHostname)
+-        return -1;
+-
+     if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0)
+         return -1;
+ 
@@ -0,0 +1,59 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 4 Jan 2018 11:11:53 +0100
+Subject: [PATCH] qemuDomainAttachDeviceMknodHelper: Remove symlink before
+ creating it
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1528502
+
+So imagine you have /dev/blah symlink which points to /dev/sda.
+You attach /dev/blah as disk to your domain. Libvirt correctly
+creates the /dev/blah -> /dev/sda symlink in the qemu namespace.
+However, then you detach the disk, change the symlink so that it
+points to /dev/sdb and tries to attach the disk again. This time,
+however, the attach fails (well, qemu attaches wrong disk)
+because the code assumes that symlinks don't change. Well they
+do.
+
+This is inspired by test fix written by Eduardo Habkost.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Andrea Bolognani <abologna@redhat.com>
+(cherry picked from commit db98e7f67ea0d7699410f514f01947cef5128a6c)
+---
+ src/qemu/qemu_domain.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index 42d17c1b0..e0f4aaafa 100644
+--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
+@@ -8864,13 +8864,23 @@ qemuDomainAttachDeviceMknodHelper(pid_t pid ATTRIBUTE_UNUSED,
+ 
+     if (isLink) {
+         VIR_DEBUG("Creating symlink %s -> %s", data->file, data->target);
+
+        /* First, unlink the symlink target. Symlinks change and
+         * therefore we have no guarantees that pre-existing
+         * symlink is still valid. */
+        if (unlink(data->file) < 0 &&
+            errno != ENOENT) {
+            virReportSystemError(errno,
+                                 _("Unable to remove symlink %s"),
+                                 data->file);
+            goto cleanup;
+        }
+
+         if (symlink(data->target, data->file) < 0) {
+-            if (errno != EEXIST) {
+-                virReportSystemError(errno,
+-                                     _("Unable to create symlink %s"),
+-                                     data->target);
+-                goto cleanup;
+-            }
+            virReportSystemError(errno,
+                                 _("Unable to create symlink %s (pointing to %s)"),
+                                 data->file, data->target);
+            goto cleanup;
+         } else {
+             delDevice = true;
+         }
@@ -0,0 +1,110 @@
+From ce5aebeacd10a1c15cb3ee46a59c8b5ff235589e Mon Sep 17 00:00:00 2001
+Message-Id: <ce5aebeacd10a1c15cb3ee46a59c8b5ff235589e.1530632895.git.crobinso@redhat.com>
+From: Laine Stump <laine@laine.org>
+Date: Wed, 25 Apr 2018 17:12:03 -0400
+Subject: [PATCH] nwfilter: increase pcap buffer size to be compatible with
+ TPACKET_V3
+
+When an nwfilter rule sets the parameter CTRL_IP_LEARNING to "dhcp",
+this turns on the "dhcpsnoop" thread, which uses libpcap to monitor
+traffic on the domain's tap device and extract the IP address from the
+DHCP response.
+
+If libpcap on the host is built with HAVE_TPACKET3 defined (to enable
+support for TPACKET_V3), the dhcpsnoop code's initialization of the
+libpcap socket would fail with the following error:
+
+  virNWFilterSnoopDHCPOpen:1134 : internal error: pcap_setfilter: can't remove kernel filter: Bad file descriptor
+
+It turns out that this was because TPACKET_V3 requires a larger buffer
+size than libvirt was setting (we were setting it to 128k). Changing
+the buffer size to 256k eliminates the error, and the dhcpsnoop thread
+once again works properly.
+
+A fuller explanation of why TPACKET_V3 requires such a large buffer,
+for future git spelunkers:
+
+libpcap calls setsockopt(... SOL_PACKET, PACKET_RX_RING...) to setup a
+ring buffer for receiving packets; two of the attributes sent to this
+API are called tp_frame_size, and tp_frame_nr. If libpcap was built
+with HAVE_TPACKET3 defined, tp_trame_size is set to MAXIMUM_SNAPLEN
+(defined in libpcap sources as 262144) and tp_frame_nr is set to:
+
+ [the buffer size we set, i.e. PCAP_BUFFERSIZE i.e. 262144] / tp_frame_size.
+
+So if PCAP_BUFFERSIZE < MAXIMUM_SNAPLEN, then tp_frame_nr (the number
+of frames in the ring buffer) is 0, which is nonsensical. This same
+value is later used as a multiplier to determine the size for a call
+to malloc() (which would also fail).
+
+(NB: if HAVE_TPACKET3 is *not* defined, then tp_frame_size is set to
+the snaplen set by the user (in our case 576) plus a small amount to
+account for ethernet headers, so 256k is far more than adequate)
+
+Since the TPACKET_V3 code in libpcap actually reads multiple packets
+into each frame, it's not a problem to have only a single frame
+(especially when we are monitoring such infrequent traffic), so it's
+okay to set this relatively small buffer size (in comparison to the
+default, which is 2MB), which is important since every guest using
+dhcp snooping in a nwfilter rule will hold 2 of these buffers for the
+entire life of the guest.
+
+Thanks to Christian Ehrhardt for discovering that buffer size was the
+problem (this was not at all obvious from the error that was logged!)
+
+Resolves: https://bugzilla.redhat.com/1547237
+Fixes: https://bugs.launchpad.net/libvirt/+bug/1758037
+
+Signed-off-by: Laine Stump <laine@laine.org>
+Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> (V1)
+Reviewed-by: John Ferlan <jferlan@redhat.com>
+Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/nwfilter/nwfilter_dhcpsnoop.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
+index 6069e70460..50cfb944a2 100644
+--- a/src/nwfilter/nwfilter_dhcpsnoop.c
+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
+@@ -256,10 +256,21 @@ struct _virNWFilterDHCPDecodeJob {
+ # define DHCP_BURST_INTERVAL_S  10 /* sec */
+ 
+ /*
+- * libpcap 1.5 requires a 128kb buffer
+- * 128 kb is bigger than (DHCP_PKT_BURST * PCAP_PBUFSIZE / 2)
+ * NB: Any libpcap built with HAVE_TPACKET3 will require
+ * PCAP_BUFFERSIZE to be at least 262144 (although
+ * pcap_set_buffer_size() with a lower value will succeed, and the
+ * error will only show up later when pcap_setfilter() is called).
+ *
+ * It is possible that in the future libpcap could increase the
+ * minimum size even further, but due to the fact that each guest
+ * using dhcp snooping keeps 2 pcap sockets open (and thus 2 buffers
+ * allocated) for the life of the guest, we want to minimize the
+ * length of the buffer, so instead of leaving it at the default size
+ * (2MB), we are setting it to the minimum viable size and including
+ * this clue in the source to help quickly resolve the problem when/if
+ * it reoccurs.
+  */
+-# define PCAP_BUFFERSIZE        (128 * 1024)
+# define PCAP_BUFFERSIZE        (256 * 1024)
+ 
+ # define MAX_QUEUED_JOBS        (DHCP_PKT_BURST + 2 * DHCP_PKT_RATE)
+ 
+@@ -1114,6 +1125,11 @@ virNWFilterSnoopDHCPOpen(const char *ifname, virMacAddr *mac,
+         goto cleanup_nohandle;
+     }
+ 
+    /* IMPORTANT: If there is any failure of *any* pcap_* function
+     * during setup of the socket, look to the comment where
+     * PCAP_BUFFERSIZE is defined. It may be too small, even if the
+     * generated error doesn't imply that.
+     */
+     if (pcap_set_snaplen(handle, PCAP_PBUFSIZE) < 0 ||
+         pcap_set_buffer_size(handle, PCAP_BUFFERSIZE) < 0 ||
+         pcap_activate(handle) < 0) {
+-- 
+2.17.1
+
@@ -0,0 +1,74 @@
+From e18672ce9a5fff383992fd6e842d1cbe85c141ea Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 12 Dec 2017 16:23:40 +0100
+Subject: [PATCH 10/19] util: add virFileReadHeaderQuiet wrapper around
+ virFileReadHeaderFD
+
+CVE-2017-5715
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt_private.syms |  1 +
+ src/util/virfile.c       | 19 +++++++++++++++++++
+ src/util/virfile.h       |  2 ++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index f30a04b145..29b73fa046 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -1703,6 +1703,7 @@ virFileReadAll;
+ virFileReadAllQuiet;
+ virFileReadBufQuiet;
+ virFileReadHeaderFD;
+virFileReadHeaderQuiet;
+ virFileReadLimFD;
+ virFileReadLink;
+ virFileReadValueBitmap;
+diff --git a/src/util/virfile.c b/src/util/virfile.c
+index 2f28e83f44..269db995ff 100644
+--- a/src/util/virfile.c
+++ b/src/util/virfile.c
+@@ -1356,6 +1356,25 @@ virFileReadHeaderFD(int fd, int maxlen, char **buf)
+ }
+ 
+ 
+int
+virFileReadHeaderQuiet(const char *path,
+                       int maxlen,
+                       char **buf)
+{
+    int fd;
+    int len;
+
+    fd = open(path, O_RDONLY);
+    if (fd < 0)
+        return -1;
+
+    len = virFileReadHeaderFD(fd, maxlen, buf);
+    VIR_FORCE_CLOSE(fd);
+
+    return len;
+}
+
+
+ /* A wrapper around saferead_lim that maps a failure due to
+    exceeding the maximum size limitation to EOVERFLOW.  */
+ int
+diff --git a/src/util/virfile.h b/src/util/virfile.h
+index 57ceb80721..657e7216fb 100644
+--- a/src/util/virfile.h
+++ b/src/util/virfile.h
+@@ -129,6 +129,8 @@ int virFileDeleteTree(const char *dir);
+ 
+ int virFileReadHeaderFD(int fd, int maxlen, char **buf)
+     ATTRIBUTE_RETURN_CHECK ATTRIBUTE_NONNULL(3);
+int virFileReadHeaderQuiet(const char *path, int maxlen, char **buf)
+    ATTRIBUTE_RETURN_CHECK ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3);
+ int virFileReadLimFD(int fd, int maxlen, char **buf)
+     ATTRIBUTE_RETURN_CHECK ATTRIBUTE_NONNULL(3);
+ int virFileReadAll(const char *path, int maxlen, char **buf)
+-- 
+2.17.0
+
@@ -0,0 +1,36 @@
+From a84e70ad247da5d3ad13615efd70b91951392aa1 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 5 Jan 2018 17:43:03 +0100
+Subject: [PATCH 12/19] cpu_x86: Copy CPU signature from ancestor
+
+When specifying a new CPU model in cpu_map.xml as an extension to an
+existing model, we forgot to copy the signature (family + model) from
+the original CPU model.
+
+We don't use this way of specifying CPU models, but it's still supported
+and it becomes useful when someone wants to quickly hack up a CPU model
+for testing or when creating additional variants of existing models to
+help with fixing some spectral issues.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+(cherry picked from commit b427cf4831d0ea7aac9dd1a3aa7682478356a483)
+---
+ src/cpu/cpu_x86.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
+index 2864454211..3b7a6f95fe 100644
+--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
+@@ -1206,6 +1206,7 @@ x86ModelParse(xmlXPathContextPtr ctxt,
+         VIR_FREE(name);
+ 
+         model->vendor = ancestor->vendor;
+        model->signature = ancestor->signature;
+         if (x86DataCopy(&model->data, &ancestor->data) < 0)
+             goto error;
+     }
+-- 
+2.17.0
+
@@ -0,0 +1,97 @@
+From de12d97c029d6644bb42afaa38410c4263bef41f Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 12 Dec 2017 16:23:41 +0100
+Subject: [PATCH 13/19] util: introduce virHostCPUGetMicrocodeVersion
+
+This new API reads host's CPU microcode version from /proc/cpuinfo.
+
+Unfortunately, there is no other way of reading microcode version which
+would be usable from both system and session daemon.
+
+CVE-2017-5715
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt_private.syms |  1 +
+ src/util/virhostcpu.c    | 43 ++++++++++++++++++++++++++++++++++++++++
+ src/util/virhostcpu.h    |  2 ++
+ 3 files changed, 46 insertions(+)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 29b73fa046..0ecd58a12c 100644
+--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
+@@ -1811,6 +1811,7 @@ virHostCPUGetCount;
+ virHostCPUGetInfo;
+ virHostCPUGetKVMMaxVCPUs;
+ virHostCPUGetMap;
+virHostCPUGetMicrocodeVersion;
+ virHostCPUGetOnline;
+ virHostCPUGetOnlineBitmap;
+ virHostCPUGetPresentBitmap;
+diff --git a/src/util/virhostcpu.c b/src/util/virhostcpu.c
+index c485a97211..713fdec553 100644
+--- a/src/util/virhostcpu.c
+++ b/src/util/virhostcpu.c
+@@ -1206,3 +1206,46 @@ virHostCPUGetKVMMaxVCPUs(void)
+     return -1;
+ }
+ #endif /* HAVE_LINUX_KVM_H */
+
+
+#ifdef __linux__
+
+unsigned int
+virHostCPUGetMicrocodeVersion(void)
+{
+    char *outbuf = NULL;
+    char *cur;
+    unsigned int version = 0;
+
+    if (virFileReadHeaderQuiet(CPUINFO_PATH, 4096, &outbuf) < 0) {
+        char ebuf[1024];
+        VIR_DEBUG("Failed to read microcode version from %s: %s",
+                  CPUINFO_PATH, virStrerror(errno, ebuf, sizeof(ebuf)));
+        return 0;
+    }
+
+    /* Account for format 'microcode    : XXXX'*/
+    if (!(cur = strstr(outbuf, "microcode")) ||
+        !(cur = strchr(cur, ':')))
+        goto cleanup;
+    cur++;
+
+    /* Linux places the microcode revision in a 32-bit integer, so
+     * ui is fine for us too.  */
+    if (virStrToLong_ui(cur, &cur, 0, &version) < 0)
+        goto cleanup;
+
+ cleanup:
+    VIR_FREE(outbuf);
+    return version;
+}
+
+#else
+
+unsigned int
+virHostCPUGetMicrocodeVersion(void)
+{
+    return 0;
+}
+
+#endif
+diff --git a/src/util/virhostcpu.h b/src/util/virhostcpu.h
+index 67033de842..f9f3359288 100644
+--- a/src/util/virhostcpu.h
+++ b/src/util/virhostcpu.h
+@@ -66,4 +66,6 @@ virBitmapPtr virHostCPUGetSiblingsList(unsigned int cpu);
+ 
+ int virHostCPUGetOnline(unsigned int cpu, bool *online);
+ 
+unsigned int virHostCPUGetMicrocodeVersion(void);
+
+ #endif /* __VIR_HOSTCPU_H__*/
+-- 
+2.17.0
+
@@ -0,0 +1,51 @@
+From a0ad8c160ed81417e4d5b46adf3118df1b6b1b77 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Wed, 13 Dec 2017 22:30:31 +0100
+Subject: [PATCH 14/19] cpu_x86: Rename virCPUx86MapInitialize
+
+The function will be used to initialize internal data of the x86 CPU
+driver (including the CPU map).
+
+CVE-2017-5715
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/cpu/cpu_x86.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
+index 3b7a6f95fe..0cb0dcacb3 100644
+--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
+@@ -153,8 +153,8 @@ struct _virCPUx86Map {
+ };
+ 
+ static virCPUx86MapPtr cpuMap;
+-int virCPUx86MapOnceInit(void);
+-VIR_ONCE_GLOBAL_INIT(virCPUx86Map);
+int virCPUx86DriverOnceInit(void);
+VIR_ONCE_GLOBAL_INIT(virCPUx86Driver);
+ 
+ 
+ typedef enum {
+@@ -1387,7 +1387,7 @@ virCPUx86LoadMap(void)
+ 
+ 
+ int
+-virCPUx86MapOnceInit(void)
+virCPUx86DriverOnceInit(void)
+ {
+     if (!(cpuMap = virCPUx86LoadMap()))
+         return -1;
+@@ -1399,7 +1399,7 @@ virCPUx86MapOnceInit(void)
+ static virCPUx86MapPtr
+ virCPUx86GetMap(void)
+ {
+-    if (virCPUx86MapInitialize() < 0)
+    if (virCPUx86DriverInitialize() < 0)
+         return NULL;
+ 
+     return cpuMap;
+-- 
+2.17.0
+
@@ -0,0 +1,133 @@
+From c628c42493170bfd70f30d9fb56d0067e6e4828a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 19 Jun 2018 16:47:20 +0100
+Subject: [PATCH 15/19] conf: include x86 microcode version in virsh
+ capabiltiies
+
+A microcode update can cause the CPUID bits to change; an example
+from the past was the update that disabled TSX on several Haswell and
+Broadwell machines.
+
+In order to track the x86 microcode version in the QEMU capabilities,
+we have to fetch it and store it in the host CPU.  This also makes the
+version visible in "virsh capabilities", which is a nice side effect.
+
+CVE-2017-5715
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/conf/cpu_conf.c | 14 ++++++++++++++
+ src/conf/cpu_conf.h |  1 +
+ src/cpu/cpu_x86.c   |  9 +++++++++
+ 3 files changed, 24 insertions(+)
+
+diff --git a/src/conf/cpu_conf.c b/src/conf/cpu_conf.c
+index c21d11d244..3f3c25320e 100644
+--- a/src/conf/cpu_conf.c
+++ b/src/conf/cpu_conf.c
+@@ -127,6 +127,7 @@ virCPUDefCopyModelFilter(virCPUDefPtr dst,
+         VIR_STRDUP(dst->vendor_id, src->vendor_id) < 0 ||
+         VIR_ALLOC_N(dst->features, src->nfeatures) < 0)
+         return -1;
+    dst->microcodeVersion = src->microcodeVersion;
+     dst->nfeatures_max = src->nfeatures;
+     dst->nfeatures = 0;
+ 
+@@ -178,6 +179,7 @@ virCPUDefStealModel(virCPUDefPtr dst,
+ 
+     VIR_STEAL_PTR(dst->model, src->model);
+     VIR_STEAL_PTR(dst->features, src->features);
+    dst->microcodeVersion = src->microcodeVersion;
+     dst->nfeatures_max = src->nfeatures_max;
+     src->nfeatures_max = 0;
+     dst->nfeatures = src->nfeatures;
+@@ -379,6 +381,14 @@ virCPUDefParseXML(xmlXPathContextPtr ctxt,
+             goto cleanup;
+         }
+         VIR_FREE(arch);
+
+        if (virXPathBoolean("boolean(./microcode[1]/@version)", ctxt) > 0 &&
+            virXPathUInt("string(./microcode[1]/@version)", ctxt,
+                         &def->microcodeVersion) < 0) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                           _("invalid microcode version"));
+            goto cleanup;
+        }
+     }
+ 
+     if (!(def->model = virXPathString("string(./model[1])", ctxt)) &&
+@@ -723,6 +733,10 @@ virCPUDefFormatBuf(virBufferPtr buf,
+     if (formatModel && def->vendor)
+         virBufferEscapeString(buf, "<vendor>%s</vendor>\n", def->vendor);
+ 
+    if (def->type == VIR_CPU_TYPE_HOST && def->microcodeVersion)
+        virBufferAsprintf(buf, "<microcode version='%u'/>\n",
+                          def->microcodeVersion);
+
+     if (def->sockets && def->cores && def->threads) {
+         virBufferAddLit(buf, "<topology");
+         virBufferAsprintf(buf, " sockets='%u'", def->sockets);
+diff --git a/src/conf/cpu_conf.h b/src/conf/cpu_conf.h
+index b44974f47e..a30ecf8681 100644
+--- a/src/conf/cpu_conf.h
+++ b/src/conf/cpu_conf.h
+@@ -133,6 +133,7 @@ struct _virCPUDef {
+     char *vendor_id;    /* vendor id returned by CPUID in the guest */
+     int fallback;       /* enum virCPUFallback */
+     char *vendor;
+    unsigned int microcodeVersion;
+     unsigned int sockets;
+     unsigned int cores;
+     unsigned int threads;
+diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
+index 0cb0dcacb3..41aaa61c35 100644
+--- a/src/cpu/cpu_x86.c
+++ b/src/cpu/cpu_x86.c
+@@ -33,6 +33,7 @@
+ #include "virbuffer.h"
+ #include "virendian.h"
+ #include "virstring.h"
+#include "virhostcpu.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_CPU
+ 
+@@ -153,6 +154,8 @@ struct _virCPUx86Map {
+ };
+ 
+ static virCPUx86MapPtr cpuMap;
+static unsigned int microcodeVersion;
+
+ int virCPUx86DriverOnceInit(void);
+ VIR_ONCE_GLOBAL_INIT(virCPUx86Driver);
+ 
+@@ -1392,6 +1395,8 @@ virCPUx86DriverOnceInit(void)
+     if (!(cpuMap = virCPUx86LoadMap()))
+         return -1;
+ 
+    microcodeVersion = virHostCPUGetMicrocodeVersion();
+
+     return 0;
+ }
+ 
+@@ -2409,6 +2414,9 @@ virCPUx86GetHost(virCPUDefPtr cpu,
+     virCPUDataPtr cpuData = NULL;
+     int ret = -1;
+ 
+    if (virCPUx86DriverInitialize() < 0)
+        goto cleanup;
+
+     if (!(cpuData = virCPUDataNew(archs[0])))
+         goto cleanup;
+ 
+@@ -2417,6 +2425,7 @@ virCPUx86GetHost(virCPUDefPtr cpu,
+         goto cleanup;
+ 
+     ret = x86DecodeCPUData(cpu, cpuData, models, nmodels, NULL);
+    cpu->microcodeVersion = microcodeVersion;
+ 
+  cleanup:
+     virCPUx86DataFree(cpuData);
+-- 
+2.17.0
+
@@ -0,0 +1,535 @@
+From a31edb693bb79f1ad8931db284f1dbceae178f27 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 19 Jun 2018 16:50:02 +0100
+Subject: [PATCH 16/19] qemu: capabilities: force update if the microcode
+ version does not match
+
+A microcode update can cause the CPUID bits to change; an example
+from the past was the update that disabled TSX on several Haswell
+and Broadwell machines.
+
+Therefore, place microcode version in the virQEMUCaps struct and
+XML, and rebuild the cache if the versions do not match.
+
+CVE-2017-5715
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_capabilities.c                  | 40 ++++++++++++++++++-
+ src/qemu/qemu_capabilities.h                  |  6 ++-
+ src/qemu/qemu_capspriv.h                      |  6 +++
+ src/qemu/qemu_driver.c                        |  9 ++++-
+ .../caps_1.2.2.x86_64.xml                     |  1 +
+ .../caps_1.3.1.x86_64.xml                     |  1 +
+ .../caps_1.4.2.x86_64.xml                     |  1 +
+ .../caps_1.5.3.x86_64.xml                     |  1 +
+ .../caps_1.6.0.x86_64.xml                     |  1 +
+ .../caps_1.7.0.x86_64.xml                     |  1 +
+ .../caps_2.1.1.x86_64.xml                     |  1 +
+ .../caps_2.4.0.x86_64.xml                     |  1 +
+ .../caps_2.5.0.x86_64.xml                     |  1 +
+ .../caps_2.6.0-gicv2.aarch64.xml              |  1 +
+ .../caps_2.6.0-gicv3.aarch64.xml              |  1 +
+ .../caps_2.6.0.ppc64le.xml                    |  1 +
+ .../caps_2.6.0.x86_64.xml                     |  1 +
+ .../qemucapabilitiesdata/caps_2.7.0.s390x.xml |  1 +
+ .../caps_2.7.0.x86_64.xml                     |  1 +
+ .../qemucapabilitiesdata/caps_2.8.0.s390x.xml |  1 +
+ .../caps_2.8.0.x86_64.xml                     |  1 +
+ .../caps_2.9.0.ppc64le.xml                    |  1 +
+ .../qemucapabilitiesdata/caps_2.9.0.s390x.xml |  1 +
+ .../caps_2.9.0.x86_64.xml                     |  1 +
+ tests/qemucapabilitiestest.c                  | 14 +++++--
+ tests/qemucapsprobe.c                         |  2 +-
+ tests/testutilsqemu.c                         |  2 +-
+ 27 files changed, 89 insertions(+), 10 deletions(-)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index 2de84715ea..72b70ce750 100644
+--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
+@@ -500,6 +500,7 @@ struct _virQEMUCaps {
+     unsigned int version;
+     unsigned int kvmVersion;
+     unsigned int libvirtVersion;
+    unsigned int microcodeVersion;
+     char *package;
+ 
+     virArch arch;
+@@ -2304,6 +2305,7 @@ virQEMUCapsPtr virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
+ 
+     ret->version = qemuCaps->version;
+     ret->kvmVersion = qemuCaps->kvmVersion;
+    ret->microcodeVersion = qemuCaps->microcodeVersion;
+ 
+     if (VIR_STRDUP(ret->package, qemuCaps->package) < 0)
+         goto error;
+@@ -3809,6 +3811,7 @@ struct _virQEMUCapsCachePriv {
+     uid_t runUid;
+     gid_t runGid;
+     virArch hostArch;
+    unsigned int microcodeVersion;
+ };
+ typedef struct _virQEMUCapsCachePriv virQEMUCapsCachePriv;
+ typedef virQEMUCapsCachePriv *virQEMUCapsCachePrivPtr;
+@@ -3931,6 +3934,13 @@ virQEMUCapsLoadCache(virArch hostArch,
+         goto cleanup;
+     }
+ 
+    if (virXPathUInt("string(./microcodeVersion)", ctxt,
+                     &qemuCaps->microcodeVersion) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("missing microcode version in QEMU capabilities cache"));
+        goto cleanup;
+    }
+
+     if (virXPathBoolean("boolean(./package)", ctxt) > 0) {
+         qemuCaps->package = virXPathString("string(./package)", ctxt);
+         if (!qemuCaps->package &&
+@@ -4195,6 +4205,9 @@ virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
+     virBufferAsprintf(&buf, "<kvmVersion>%d</kvmVersion>\n",
+                       qemuCaps->kvmVersion);
+ 
+    virBufferAsprintf(&buf, "<microcodeVersion>%u</microcodeVersion>\n",
+                      qemuCaps->microcodeVersion);
+
+     if (qemuCaps->package)
+         virBufferAsprintf(&buf, "<package>%s</package>\n",
+                           qemuCaps->package);
+@@ -4336,6 +4349,16 @@ virQEMUCapsIsValid(void *data,
+         return false;
+     }
+ 
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_KVM) &&
+        priv->microcodeVersion != qemuCaps->microcodeVersion) {
+        VIR_DEBUG("Outdated capabilities for '%s': microcode version changed "
+                  "(%u vs %u)",
+                  qemuCaps->binary,
+                  priv->microcodeVersion,
+                  qemuCaps->microcodeVersion);
+        return false;
+    }
+
+     return true;
+ }
+ 
+@@ -5151,6 +5174,7 @@ virQEMUCapsNewForBinaryInternal(virArch hostArch,
+                                 const char *libDir,
+                                 uid_t runUid,
+                                 gid_t runGid,
+                                unsigned int microcodeVersion,
+                                 bool qmpOnly)
+ {
+     virQEMUCapsPtr qemuCaps;
+@@ -5207,6 +5231,9 @@ virQEMUCapsNewForBinaryInternal(virArch hostArch,
+     virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_KVM);
+     virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_QEMU);
+ 
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_KVM))
+        qemuCaps->microcodeVersion = microcodeVersion;
+
+  cleanup:
+     VIR_FREE(qmperr);
+     return qemuCaps;
+@@ -5228,6 +5255,7 @@ virQEMUCapsNewData(const char *binary,
+                                            priv->libDir,
+                                            priv->runUid,
+                                            priv->runGid,
+                                           priv->microcodeVersion,
+                                            false);
+ }
+ 
+@@ -5310,7 +5338,8 @@ virFileCachePtr
+ virQEMUCapsCacheNew(const char *libDir,
+                     const char *cacheDir,
+                     uid_t runUid,
+-                    gid_t runGid)
+                    gid_t runGid,
+                    unsigned int microcodeVersion)
+ {
+     char *capsCacheDir = NULL;
+     virFileCachePtr cache = NULL;
+@@ -5333,6 +5362,7 @@ virQEMUCapsCacheNew(const char *libDir,
+ 
+     priv->runUid = runUid;
+     priv->runGid = runGid;
+    priv->microcodeVersion = microcodeVersion;
+ 
+  cleanup:
+     VIR_FREE(capsCacheDir);
+@@ -5810,3 +5840,11 @@ virQEMUCapsFillDomainCaps(virCapsPtr caps,
+         return -1;
+     return 0;
+ }
+
+
+void
+virQEMUCapsSetMicrocodeVersion(virQEMUCapsPtr qemuCaps,
+                               unsigned int microcodeVersion)
+{
+    qemuCaps->microcodeVersion = microcodeVersion;
+}
+diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
+index 9c92d6b469..eea296c9c3 100644
+--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
+@@ -514,8 +514,10 @@ void virQEMUCapsFilterByMachineType(virQEMUCapsPtr qemuCaps,
+                                     const char *machineType);
+ 
+ virFileCachePtr virQEMUCapsCacheNew(const char *libDir,
+-                                        const char *cacheDir,
+-                                        uid_t uid, gid_t gid);
+                                    const char *cacheDir,
+                                    uid_t uid,
+                                    gid_t gid,
+                                    unsigned int microcodeVersion);
+ virQEMUCapsPtr virQEMUCapsCacheLookup(virFileCachePtr cache,
+                                       const char *binary);
+ virQEMUCapsPtr virQEMUCapsCacheLookupCopy(virFileCachePtr cache,
+diff --git a/src/qemu/qemu_capspriv.h b/src/qemu/qemu_capspriv.h
+index d05256bd35..38c14ffa01 100644
+--- a/src/qemu/qemu_capspriv.h
+++ b/src/qemu/qemu_capspriv.h
+@@ -36,6 +36,7 @@ virQEMUCapsNewForBinaryInternal(virArch hostArch,
+                                 const char *libDir,
+                                 uid_t runUid,
+                                 gid_t runGid,
+                                unsigned int microcodeVersion,
+                                 bool qmpOnly);
+ 
+ int virQEMUCapsLoadCache(virArch hostArch,
+@@ -101,4 +102,9 @@ virQEMUCapsParseHelpStr(const char *qemu,
+ int
+ virQEMUCapsParseDeviceStr(virQEMUCapsPtr qemuCaps,
+                           const char *str);
+
+void
+virQEMUCapsSetMicrocodeVersion(virQEMUCapsPtr qemuCaps,
+                               unsigned int microcodeVersion);
+
+ #endif
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 208ccc9bc3..d8dc5388ea 100644
+--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
+@@ -631,6 +631,8 @@ qemuStateInitialize(bool privileged,
+     gid_t run_gid = -1;
+     char *hugepagePath = NULL;
+     size_t i;
+    virCPUDefPtr hostCPU = NULL;
+    unsigned int microcodeVersion = 0;
+ 
+     if (VIR_ALLOC(qemu_driver) < 0)
+         return -1;
+@@ -853,10 +855,15 @@ qemuStateInitialize(bool privileged,
+         run_gid = cfg->group;
+     }
+ 
+    if ((hostCPU = virCPUProbeHost(virArchFromHost())))
+        microcodeVersion = hostCPU->microcodeVersion;
+    virCPUDefFree(hostCPU);
+
+     qemu_driver->qemuCapsCache = virQEMUCapsCacheNew(cfg->libDir,
+                                                      cfg->cacheDir,
+                                                      run_uid,
+-                                                     run_gid);
+                                                     run_gid,
+                                                     microcodeVersion);
+     if (!qemu_driver->qemuCapsCache)
+         goto error;
+ 
+diff --git a/tests/qemucapabilitiesdata/caps_1.2.2.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.2.2.x86_64.xml
+index 956284d5d3..f3f66cd8f5 100644
+--- a/tests/qemucapabilitiesdata/caps_1.2.2.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.2.2.x86_64.xml
+@@ -111,6 +111,7 @@
+   <flag name='query-cpu-definitions'/>
+   <version>1002002</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>26900</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='qemu64'/>
+diff --git a/tests/qemucapabilitiesdata/caps_1.3.1.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.3.1.x86_64.xml
+index 99384ce5e6..1c4d5ff4a4 100644
+--- a/tests/qemucapabilitiesdata/caps_1.3.1.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.3.1.x86_64.xml
+@@ -129,6 +129,7 @@
+   <flag name='query-cpu-definitions'/>
+   <version>1003001</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>30198</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='qemu64'/>
+diff --git a/tests/qemucapabilitiesdata/caps_1.4.2.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.4.2.x86_64.xml
+index aea043c57d..a50383c259 100644
+--- a/tests/qemucapabilitiesdata/caps_1.4.2.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.4.2.x86_64.xml
+@@ -130,6 +130,7 @@
+   <flag name='query-cpu-definitions'/>
+   <version>1004002</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>30915</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml
+index 6f860e4f25..ad3e122775 100644
+--- a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml
+@@ -142,6 +142,7 @@
+   <flag name='kernel-irqchip'/>
+   <version>1005003</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>47019</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml
+index e5dc8360de..7b2324d697 100644
+--- a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml
+@@ -147,6 +147,7 @@
+   <flag name='kernel-irqchip'/>
+   <version>1006000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>45248</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml
+index 86d87eaf0c..4ba509a753 100644
+--- a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml
+@@ -149,6 +149,7 @@
+   <flag name='kernel-irqchip'/>
+   <version>1007000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>50692</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml
+index 2fa551b1a0..416703ac89 100644
+--- a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml
+@@ -165,6 +165,7 @@
+   <flag name='kernel-irqchip'/>
+   <version>2001001</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>59488</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml
+index f97e4cb813..4550139e0c 100644
+--- a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml
+@@ -190,6 +190,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2004000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>75653</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml
+index 2ba40fc494..6072438688 100644
+--- a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml
+@@ -196,6 +196,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2005000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>216775</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.6.0-gicv2.aarch64.xml b/tests/qemucapabilitiesdata/caps_2.6.0-gicv2.aarch64.xml
+index 0b34fa30d4..6fc0ab25e0 100644
+--- a/tests/qemucapabilitiesdata/caps_2.6.0-gicv2.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.6.0-gicv2.aarch64.xml
+@@ -174,6 +174,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2006000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>228838</microcodeVersion>
+   <package></package>
+   <arch>aarch64</arch>
+   <cpu type='kvm' name='pxa262'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.6.0-gicv3.aarch64.xml b/tests/qemucapabilitiesdata/caps_2.6.0-gicv3.aarch64.xml
+index d41d578c7e..1846bf6a7c 100644
+--- a/tests/qemucapabilitiesdata/caps_2.6.0-gicv3.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.6.0-gicv3.aarch64.xml
+@@ -174,6 +174,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2006000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>228838</microcodeVersion>
+   <package></package>
+   <arch>aarch64</arch>
+   <cpu type='kvm' name='pxa262'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64le.xml b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64le.xml
+index f1c9fc98a4..199fc2cd22 100644
+--- a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64le.xml
+++ b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64le.xml
+@@ -169,6 +169,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2006000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>263602</microcodeVersion>
+   <package></package>
+   <arch>ppc64</arch>
+   <cpu type='kvm' name='default'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml
+index bdf006f6be..5897fbc0c9 100644
+--- a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml
+@@ -206,6 +206,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2006000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>227579</microcodeVersion>
+   <package></package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
+index fe7bca93b9..4c208008be 100644
+--- a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
+@@ -136,6 +136,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2007000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>217559</microcodeVersion>
+   <package></package>
+   <arch>s390x</arch>
+   <cpu type='kvm' name='host'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml
+index 3fd28f09fe..e3a154806c 100644
+--- a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml
+@@ -209,6 +209,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2007000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>239276</microcodeVersion>
+   <package> (v2.7.0)</package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='Opteron_G5'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml
+index 21bbb820d0..f13c783d44 100644
+--- a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml
+@@ -138,6 +138,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2007093</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>242460</microcodeVersion>
+   <package></package>
+   <arch>s390x</arch>
+   <hostCPU type='kvm' model='zEC12.2-base' migratability='no'>
+diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml
+index 761f9d1415..f5bd1d7272 100644
+--- a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml
+@@ -211,6 +211,7 @@
+   <flag name='virtio-gpu.max_outputs'/>
+   <version>2008000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>255931</microcodeVersion>
+   <package> (v2.8.0)</package>
+   <arch>x86_64</arch>
+   <cpu type='kvm' name='host' usable='yes'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
+index 9551907c66..2d1d0f9a89 100644
+--- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
+@@ -175,6 +175,7 @@
+   <flag name='disk-share-rw'/>
+   <version>2009000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>347135</microcodeVersion>
+   <package> (v2.9.0)</package>
+   <arch>ppc64</arch>
+   <cpu type='kvm' name='default'/>
+diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+index 0a6fbd0776..3b733801f8 100644
+--- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+@@ -140,6 +140,7 @@
+   <flag name='disk-share-rw'/>
+   <version>2009000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>265878</microcodeVersion>
+   <package></package>
+   <arch>s390x</arch>
+   <hostCPU type='kvm' model='z13.2-base' migratability='no'>
+diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+index 1294ebdb31..086594def5 100644
+--- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+@@ -223,6 +223,7 @@
+   <flag name='disk-share-rw'/>
+   <version>2009000</version>
+   <kvmVersion>0</kvmVersion>
+  <microcodeVersion>321194</microcodeVersion>
+   <package> (v2.9.0)</package>
+   <arch>x86_64</arch>
+   <hostCPU type='kvm' model='base' migratability='yes'>
+diff --git a/tests/qemucapabilitiestest.c b/tests/qemucapabilitiestest.c
+index 3ae55fc62f..4608fffbb2 100644
+--- a/tests/qemucapabilitiestest.c
+++ b/tests/qemucapabilitiestest.c
+@@ -61,10 +61,16 @@ testQemuCaps(const void *opaque)
+                                   qemuMonitorTestGetMonitor(mon)) < 0)
+         goto cleanup;
+ 
+-    if (virQEMUCapsGet(capsActual, QEMU_CAPS_KVM) &&
+-        virQEMUCapsInitQMPMonitorTCG(capsActual,
+-                                     qemuMonitorTestGetMonitor(mon)) < 0)
+-        goto cleanup;
+    if (virQEMUCapsGet(capsActual, QEMU_CAPS_KVM)) {
+        if (virQEMUCapsInitQMPMonitorTCG(capsActual,
+                                         qemuMonitorTestGetMonitor(mon)) < 0)
+            goto cleanup;
+
+        /* Fill microcodeVersion with a "random" value which is the file
+         * length to provide a reproducible number for testing.
+         */
+        virQEMUCapsSetMicrocodeVersion(capsActual, virFileLength(repliesFile, -1));
+    }
+ 
+     if (!(actual = virQEMUCapsFormatCache(capsActual)))
+         goto cleanup;
+diff --git a/tests/qemucapsprobe.c b/tests/qemucapsprobe.c
+index 4b8d6229b4..a5f5a38b16 100644
+--- a/tests/qemucapsprobe.c
+++ b/tests/qemucapsprobe.c
+@@ -72,7 +72,7 @@ main(int argc, char **argv)
+         return EXIT_FAILURE;
+ 
+     if (!(caps = virQEMUCapsNewForBinaryInternal(VIR_ARCH_NONE, argv[1], "/tmp",
+-                                                 -1, -1, true)))
+                                                 -1, -1, 0, true)))
+         return EXIT_FAILURE;
+ 
+     virObjectUnref(caps);
+diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c
+index 2c7124bf26..f8182033fc 100644
+--- a/tests/testutilsqemu.c
+++ b/tests/testutilsqemu.c
+@@ -603,7 +603,7 @@ int qemuTestDriverInit(virQEMUDriver *driver)
+ 
+     /* Using /dev/null for libDir and cacheDir automatically produces errors
+      * upon attempt to use any of them */
+-    driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0);
+    driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0, 0);
+     if (!driver->qemuCapsCache)
+         goto error;
+ 
+-- 
+2.17.0
+
@@ -0,0 +1,142 @@
+From ac0e85360cd8f25160b67ee9fb45663d20f82c1d Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 19 Jun 2018 16:51:13 +0100
+Subject: [PATCH 17/19] cpu: add CPU features and model for indirect branch
+ prediction protection
+
+CVE-2017-5715
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/cpu/cpu_map.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 8e7ac4973d..c31e7ce36a 100644
+--- a/src/cpu/cpu_map.xml
+++ b/src/cpu/cpu_map.xml
+@@ -283,6 +283,9 @@
+     <feature name='avx512-4fmaps'>
+       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/>
+     </feature>
+    <feature name='spec-ctrl'>
+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
+    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
+@@ -411,6 +414,11 @@
+       <cpuid eax_in='0x80000007' edx='0x00000100'/>
+     </feature>
+ 
+    <!-- More AMD-specific features -->
+    <feature name='ibpb'>
+      <cpuid eax_in='0x80000008' ebx='0x00001000'/>
+    </feature>
+
+     <!-- models -->
+     <model name='486'>
+       <feature name='fpu'/>
+@@ -857,6 +865,10 @@
+       <feature name='syscall'/>
+       <feature name='tsc'/>
+     </model>
+    <model name='Nehalem-IBRS'>
+      <model name='Nehalem'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='Westmere'>
+       <signature family='6' model='44'/>
+@@ -894,6 +906,10 @@
+       <feature name='syscall'/>
+       <feature name='tsc'/>
+     </model>
+    <model name='Westmere-IBRS'>
+      <model name='Westmere'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='SandyBridge'>
+       <signature family='6' model='42'/>
+@@ -937,6 +953,10 @@
+       <feature name='x2apic'/>
+       <feature name='xsave'/>
+     </model>
+    <model name='SandyBridge-IBRS'>
+      <model name='SandyBridge'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='IvyBridge'>
+       <signature family='6' model='58'/>
+@@ -986,6 +1006,10 @@
+       <feature name='x2apic'/>
+       <feature name='xsave'/>
+     </model>
+    <model name='IvyBridge-IBRS'>
+      <model name='IvyBridge'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='Haswell-noTSX'>
+       <signature family='6' model='60'/>
+@@ -1039,6 +1063,10 @@
+       <feature name='x2apic'/>
+       <feature name='xsave'/>
+     </model>
+    <model name='Haswell-noTSX-IBRS'>
+      <model name='Haswell-noTSX'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='Haswell'>
+       <signature family='6' model='60'/>
+@@ -1094,6 +1122,10 @@
+       <feature name='x2apic'/>
+       <feature name='xsave'/>
+     </model>
+    <model name='Haswell-IBRS'>
+      <model name='Haswell'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='Broadwell-noTSX'>
+       <signature family='6' model='61'/>
+@@ -1151,6 +1183,10 @@
+       <feature name='x2apic'/>
+       <feature name='xsave'/>
+     </model>
+    <model name='Broadwell-noTSX-IBRS'>
+      <model name='Broadwell-noTSX'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='Broadwell'>
+       <signature family='6' model='61'/>
+@@ -1210,6 +1246,10 @@
+       <feature name='x2apic'/>
+       <feature name='xsave'/>
+     </model>
+    <model name='Broadwell-IBRS'>
+      <model name='Broadwell'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <model name='Skylake-Client'>
+       <signature family='6' model='94'/>
+@@ -1278,6 +1318,10 @@
+       <feature name='xsavec'/>
+       <feature name='xsaveopt'/>
+     </model>
+    <model name='Skylake-Client-IBRS'>
+      <model name='Skylake-Client'/>
+      <feature name='spec-ctrl'/>
+    </model>
+ 
+     <!-- AMD CPUs -->
+     <model name='athlon'>
+-- 
+2.17.0
+
@@ -0,0 +1,37 @@
+From 9a252992aa81b4873b22f174de9d345f4289051c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 21 May 2018 23:05:07 +0100
+Subject: [PATCH 18/19] cpu: define the 'ssbd' CPUID feature bit
+ (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New microcode introduces the "Speculative Store Bypass Disable"
+CPUID feature bit. This needs to be exposed to guest OS to allow
+them to protect against CVE-2018-3639.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 1dbca2eccad58d91a5fd33962854f1a653638182)
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index c31e7ce36a..87301dc0ef 100644
+--- a/src/cpu/cpu_map.xml
+++ b/src/cpu/cpu_map.xml
+@@ -286,6 +286,9 @@
+     <feature name='spec-ctrl'>
+       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
+     </feature>
+    <feature name='ssbd'>
+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
+    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
+-- 
+2.17.0
+
@@ -0,0 +1,46 @@
+From 7774fbbda1c886633eaf0015d6211fc0ad703bc7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 21 May 2018 23:05:08 +0100
+Subject: [PATCH 19/19] cpu: define the 'virt-ssbd' CPUID feature bit
+ (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some AMD processors only support a non-architectural means of
+enabling Speculative Store Bypass Disable. To allow simplified
+handling in virtual environments, hypervisors will expose an
+architectural definition through CPUID bit 0x80000008_EBX[25].
+This needs to be exposed to guest OS running on AMD x86 hosts to
+allow them to protect against CVE-2018-3639.
+
+Note that since this CPUID bit won't be present in the host CPUID
+results on physical hosts, it will not be enabled automatically
+in guests configured with "host-model" CPU unless using QEMU
+version >= 2.9.0. Thus for older versions of QEMU, this feature
+must be manually enabled using policy=force. Guests using the
+"host-passthrough" CPU mode do not need special handling.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 87301dc0ef..e31c9ae86c 100644
+--- a/src/cpu/cpu_map.xml
+++ b/src/cpu/cpu_map.xml
+@@ -421,6 +421,9 @@
+     <feature name='ibpb'>
+       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
+     </feature>
+    <feature name='virt-ssbd'>
+      <cpuid eax_in='0x80000008' ebx='0x02000000'/>
+    </feature>
+ 
+     <!-- models -->
+     <model name='486'>
+-- 
+2.17.0
+
@@ -4,7 +4,7 @@ NAME := libvirt
 SPECFILE = $(firstword $(wildcard *.spec))

 define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef

 MAKEFILE_COMMON := $(shell $(find-makefile-common))
@@ -1,34 +0,0 @@
-From bcd4180124afa20580d720912e2179b3a2f9295a Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Mon, 5 Oct 2009 17:03:14 +0200
-Subject: [PATCH] 526769 change logrotate config default to weekly
-
-* daemon/libvirtd.logrotate.in: change to weekly rotation of logs,
-  keep a month worth of data and also extend to cover LXC and UML
-  domain logs
-
-(cherry picked from commit 529325bbdd050af89bda5a5c1a01b5553c49a57e)
-
-Fedora-patch: libvirt-change-logrotate-config-to-weekly.patch
---
- qemud/libvirtd.logrotate.in |    6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/qemud/libvirtd.logrotate.in b/qemud/libvirtd.logrotate.in
-index 9b42630..093651c 100644
--- a/qemud/libvirtd.logrotate.in
-+++ b/qemud/libvirtd.logrotate.in
-@@ -1,7 +1,7 @@
-@localstatedir@/log/libvirt/qemu/*.log {
-        daily
-+@localstatedir@/log/libvirt/qemu/*.log @localstatedir@/log/libvirt/uml/*.log @localstatedir@/log/libvirt/lxc/*.log {
-+        weekly
-         missingok
-        rotate 7
-+        rotate 4
-         compress
-         delaycompress
-         copytruncate
-- 
-1.6.2.5
-
@@ -1,77 +0,0 @@
-From 4721ceb9b85daabe53804627473b06ced821c695 Mon Sep 17 00:00:00 2001
-From: Daniel P. Berrange <berrange@redhat.com>
-Date: Mon, 14 Sep 2009 11:23:20 +0100
-Subject: [PATCH] Allow control over QEMU audio backend
-
-When using VNC for graphics + keyboard + mouse, we shouldn't
-then use the host OS for audio. Audio should go back over
-VNC.
-
-When using SDL for graphics, we should use the host OS for
-audio since that's where the display is. We need to allow
-certain QEMU env variables to be passed through to guest
-too to allow choice of QEMU audio backend.
-
-* qemud/libvirtd.sysconf: Mention QEMU/SDL audio env vars
-* src/qemu_conf.c: Passthrough QEMU/SDL audio env for SDL display,
-  disable host audio for VNC display
-
-(cherry picked from commit b08e6d38ae7a0ed70300d7d82107f83fddb60f44)
-
-Fedora-patch: libvirt-disable-audio-backend.patch
---
- qemud/libvirtd.sysconf |    8 ++++++++
- src/qemu_conf.c        |   14 ++++++++++++++
- 2 files changed, 22 insertions(+), 0 deletions(-)
-
-diff --git a/qemud/libvirtd.sysconf b/qemud/libvirtd.sysconf
-index fe4596a..28080a0 100644
--- a/qemud/libvirtd.sysconf
-+++ b/qemud/libvirtd.sysconf
-@@ -7,3 +7,11 @@
- 
- # Override Kerberos service keytab for SASL/GSSAPI
- #KRB5_KTNAME=/etc/libvirt/krb5.tab
-+
-+# Override the QEMU/SDL default audio driver probing when
-+# starting virtual machines using SDL graphics
-+#
-+# NB these have no effect for VMs using VNC
-+#QEMU_AUDIO_DRV=sdl
-+#
-+#SDL_AUDIODRIVER=pulse
-diff --git a/src/qemu_conf.c b/src/qemu_conf.c
-index f92bcef..0dd0624 100644
--- a/src/qemu_conf.c
-+++ b/src/qemu_conf.c
-@@ -2109,6 +2109,13 @@ int qemudBuildCommandLine(virConnectPtr conn,
-             ADD_ARG_LIT("-k");
-             ADD_ARG_LIT(def->graphics[0]->data.vnc.keymap);
-         }
-+
-+        /* QEMU implements a VNC extension for providing audio, so we
-+         * set the audio backend to none, to prevent it opening the
-+         * host OS audio devices since that causes security issues
-+         * and is non-sensical when using VNC.
-+         */
-+        ADD_ENV_LIT("QEMU_AUDIO_DRV=none");
-     } else if ((def->ngraphics == 1) &&
-                def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL) {
-         char *xauth = NULL;
-@@ -2131,6 +2138,13 @@ int qemudBuildCommandLine(virConnectPtr conn,
-             ADD_ENV(display);
-         if (def->graphics[0]->data.sdl.fullscreen)
-             ADD_ARG_LIT("-full-screen");
-+
-+        /* If using SDL for video, then we should just let it
-+         * use QEMU's host audio drivers, possibly SDL too
-+         * User can set these two before starting libvirtd
-+         */
-+        ADD_ENV_COPY("QEMU_AUDIO_DRV");
-+        ADD_ENV_COPY("SDL_AUDIODRIVER");
-     }
- 
-     if (def->nvideos) {
-- 
-1.6.2.5
-
@@ -1,29 +0,0 @@
-From 58c38896a67c170063401d8091bae7dca8842923 Mon Sep 17 00:00:00 2001
-From: Jiri Denemark <jdenemar@redhat.com>
-Date: Wed, 23 Sep 2009 18:46:23 +0200
-Subject: [PATCH] Fix a typo in virDiskHasValidPciAddr()
-
-(cherry-picked from commit 3620e3cdcfe56cc4475b5ef1a0a893757240b795)
-
-Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-Fedora-patch: libvirt-fix-device-detach-typo1.patch
---
- src/domain_conf.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/domain_conf.h b/src/domain_conf.h
-index 09368d9..d494e54 100644
--- a/src/domain_conf.h
-+++ b/src/domain_conf.h
-@@ -125,7 +125,7 @@ struct _virDomainDiskDef {
- static inline int
- virDiskHasValidPciAddr(virDomainDiskDefPtr def)
- {
-    return def->pci_addr.domain || def->pci_addr.domain || def->pci_addr.slot;
-+    return def->pci_addr.domain || def->pci_addr.bus || def->pci_addr.slot;
- }
- 
- 
-- 
-1.6.2.5
-
@@ -1,30 +0,0 @@
-From 81e967c716ce8c085be8baad9169f7772452d187 Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Thu, 24 Sep 2009 08:55:55 +0100
-Subject: [PATCH] Fix a typo in virNetHasValidPciAddr() too
-
-* src/domain_conf.h: check domain/bus/slot, not domain/domain/slot
-
-(cherry-picked from commit 6bfffce91635bb08de601747e94ed1182c0f47eb)
-
-Fedora-patch: libvirt-fix-device-detach-typo2.patch
---
- src/domain_conf.h |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/domain_conf.h b/src/domain_conf.h
-index d494e54..7c918a7 100644
--- a/src/domain_conf.h
-+++ b/src/domain_conf.h
-@@ -207,7 +207,7 @@ struct _virDomainNetDef {
- static inline int
- virNetHasValidPciAddr(virDomainNetDefPtr def)
- {
-    return def->pci_addr.domain || def->pci_addr.domain || def->pci_addr.slot;
-+    return def->pci_addr.domain || def->pci_addr.bus || def->pci_addr.slot;
- }
- 
- enum virDomainChrSrcType {
-- 
-1.6.2.5
-
@@ -1,30 +0,0 @@
-From 3a64779ec5a89d38d64e07bca2b11b19e1882d7a Mon Sep 17 00:00:00 2001
-From: Charles Duffy <charles@dyfis.net>
-Date: Thu, 24 Sep 2009 09:00:24 +0100
-Subject: [PATCH] Fix unitialized variable in qemudDomainDetachHostPciDevice()
-
-* src/qemu_driver.c: initialize detach var
-
-(cherry-picked from commit 580ad29288751234bee47ac9f6c04dac1dc529ea)
-
-Fedora-patch: libvirt-fix-device-detach-typo3.patch
---
- src/qemu_driver.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index 7c7b985..550a59c 100644
--- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -6126,7 +6126,7 @@ static int qemudDomainDetachHostPciDevice(virConnectPtr conn,
-                                           virDomainObjPtr vm,
-                                           virDomainDeviceDefPtr dev)
- {
-    virDomainHostdevDefPtr detach;
-+    virDomainHostdevDefPtr detach = NULL;
-     char *cmd, *reply;
-     int i, ret;
-     pciDevice *pci;
-- 
-1.6.2.5
-
@@ -1,32 +0,0 @@
-From 7692e1e19487c28454b1e5f6488d5574c70883f2 Mon Sep 17 00:00:00 2001
-From: Chris Lalancette <clalance@redhat.com>
-Date: Mon, 21 Sep 2009 14:53:31 +0200
-Subject: [PATCH] Don't do virSetConnError when virDrvSupportsFeature is successful.
-
-Signed-off-by: Chris Lalancette <clalance@redhat.com>
-Fedora-patch: libvirt-fix-drv-supports-feature-bogus-error.patch
---
- src/libvirt.c |    7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/libvirt.c b/src/libvirt.c
-index 4a11688..fa59dc7 100644
--- a/src/libvirt.c
-+++ b/src/libvirt.c
-@@ -1349,8 +1349,11 @@ virDrvSupportsFeature (virConnectPtr conn, int feature)
-     }
- 
-     ret = VIR_DRV_SUPPORTS_FEATURE (conn->driver, conn, feature);
-    /* Copy to connection error object for back compatability */
-    virSetConnError(conn);
-+
-+    if (ret < 0)
-+        /* Copy to connection error object for back compatability */
-+        virSetConnError(conn);
-+
-     return ret;
- }
- 
-- 
-1.6.2.5
-
@@ -1,79 +0,0 @@
-From 71de8d92f20a9a9ee76d4d5df77ff477f1b7d441 Mon Sep 17 00:00:00 2001
-From: Matthias Bolte <matthias.bolte@googlemail.com>
-Date: Wed, 30 Sep 2009 02:17:27 +0200
-Subject: [PATCH] Fix memory leaks in libvirtd's message processing
-
-Commit 47cab734995fa9521b1df05d37e9978eedd8d3a2 changed the way how
-qemud_client_message objects were reused. Before this commit
-remoteDispatchClientRequest() reused the received message for normal responses
-and to report non-fatal errors. If a fatal error occurred qemudWorker() frees
-the message. After this commit non-fatal errors are reported by
-remoteSerializeReplyError() using a new qemud_client_message object and the
-original message leaks.
-
-To fix this leak the original message has to be freed if
-remoteSerializeReplyError() succeeds. If remoteSerializeReplyError()
-fails the original message is freed in qemudWorker().
-
-* daemon/dispatch.c: free qemud_client_message objects that will not be reused
-  and would leak otherwise, also free the allocated qemud_client_message object
-  in remoteSerializeError() if an error occurs
-
-(cherry-picked from commit c6f1459eb998619ab21a92d9bb87341f26978181)
-
-Fedora-patch: libvirt-fix-libvirtd-leak-in-error-reply.patch
---
- qemud/dispatch.c |   15 +++++++++++++--
- 1 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/qemud/dispatch.c b/qemud/dispatch.c
-index a60f2f4..ddb3215 100644
--- a/qemud/dispatch.c
-+++ b/qemud/dispatch.c
-@@ -191,6 +191,7 @@ remoteSerializeError(struct qemud_client *client,
- 
- xdr_error:
-     xdr_destroy(&xdr);
-+    VIR_FREE(msg);
- fatal_error:
-     xdr_free((xdrproc_t)xdr_remote_error,  (char *)rerr);
-     return -1;
-@@ -336,6 +337,7 @@ remoteDispatchClientRequest (struct qemud_server *server,
-                              struct qemud_client *client,
-                              struct qemud_client_message *msg)
- {
-+    int ret;
-     remote_error rerr;
- 
-     memset(&rerr, 0, sizeof rerr);
-@@ -364,7 +366,12 @@ remoteDispatchClientRequest (struct qemud_server *server,
-     }
- 
- error:
-    return remoteSerializeReplyError(client, &rerr, &msg->hdr);
-+    ret = remoteSerializeReplyError(client, &rerr, &msg->hdr);
-+
-+    if (ret >= 0)
-+        VIR_FREE(msg);
-+
-+    return ret;
- }
- 
- 
-@@ -521,8 +528,12 @@ remoteDispatchClientCall (struct qemud_server *server,
- rpc_error:
-     /* Semi-bad stuff happened, we can still try to send back
-      * an RPC error message to client */
-    return remoteSerializeReplyError(client, &rerr, &msg->hdr);
-+    rv = remoteSerializeReplyError(client, &rerr, &msg->hdr);
-+
-+    if (rv >= 0)
-+        VIR_FREE(msg);
- 
-+    return rv;
- 
- xdr_error:
-     /* Seriously bad stuff happened, so we'll kill off this client
-- 
-1.6.2.5
-
@@ -1,46 +0,0 @@
-From ba585ed6cff624c6c0f1f9801382fd6846466ee0 Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Thu, 17 Sep 2009 15:31:08 +0100
-Subject: [PATCH] Fix net/disk hot-unplug segfault
-
-When we hot-unplug the last device, we're currently double-freeing
-the device definition.
-
-Reported by Michal Nowak here:
-
-  https://bugzilla.redhat.com/523953
-
-* src/qemu_driver.c: fix double free
-
-(cherry-picked from commit 8881ae1bf8783006777429403cc543c33187175d)
-
-Fedora-patch: libvirt-fix-net-hotunplug-double-free.patch
---
- src/qemu_driver.c |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index a65334f..de31581 100644
--- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -5998,7 +5998,7 @@ try_command:
-             /* ignore, harmless */
-         }
-     } else {
-        VIR_FREE(vm->def->disks[0]);
-+        VIR_FREE(vm->def->disks);
-         vm->def->ndisks = 0;
-     }
-     virDomainDiskDefFree(detach);
-@@ -6100,7 +6100,7 @@ qemudDomainDetachNetDevice(virConnectPtr conn,
-             /* ignore, harmless */
-         }
-     } else {
-        VIR_FREE(vm->def->nets[0]);
-+        VIR_FREE(vm->def->nets);
-         vm->def->nnets = 0;
-     }
-     virDomainNetDefFree(detach);
-- 
-1.6.2.5
-
@@ -1,50 +0,0 @@
-From 17831d20051f8de8f1f7d661e8a23f4fe67c2153 Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Thu, 17 Sep 2009 15:32:45 +0100
-Subject: [PATCH] Fix leak in PCI hostdev hot-unplug
-
-* src/qemu_driver.c: sync the hostdev hot-unplug code with the disk/net
-  code.
-
-(cherry-picked from commit a70da51ff76ed860bfc0cdee2e1d556da997c557)
-
-Fedora-patch: libvirt-fix-pci-hostdev-hotunplug-leak.patch
---
- src/qemu_driver.c |   20 +++++++++++++-------
- 1 files changed, 13 insertions(+), 7 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index de31581..2ddcdc0 100644
--- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -6206,14 +6206,20 @@ static int qemudDomainDetachHostPciDevice(virConnectPtr conn,
-         pciFreeDevice(conn, pci);
-     }
- 
-    if (i != --vm->def->nhostdevs)
-        memmove(&vm->def->hostdevs[i],
-                &vm->def->hostdevs[i+1],
-                sizeof(*vm->def->hostdevs) * (vm->def->nhostdevs-i));
-    if (VIR_REALLOC_N(vm->def->hostdevs, vm->def->nhostdevs) < 0) {
-        virReportOOMError(conn);
-        ret = -1;
-+    if (vm->def->nhostdevs > 1) {
-+        memmove(vm->def->hostdevs + i,
-+                vm->def->hostdevs + i + 1,
-+                sizeof(*vm->def->hostdevs) *
-+                (vm->def->nhostdevs - (i + 1)));
-+        vm->def->nhostdevs--;
-+        if (VIR_REALLOC_N(vm->def->hostdevs, vm->def->nhostdevs) < 0) {
-+            /* ignore, harmless */
-+        }
-+    } else {
-+        VIR_FREE(vm->def->hostdevs);
-+        vm->def->nhostdevs = 0;
-     }
-+    virDomainHostdevDefFree(detach);
- 
-     return ret;
- }
-- 
-1.6.2.5
-
@@ -1,53 +0,0 @@
-From f1be5a4714e194a84840343e0937fe62463a18dc Mon Sep 17 00:00:00 2001
-From: Charles Duffy <Charles_Duffy@dell.com>
-Date: Fri, 18 Sep 2009 11:32:35 -0500
-Subject: [PATCH] Prevent attempt to call cat -c during virDomainSave to raw
-
-Fedora-patch: libvirt-fix-qemu-raw-format-save.patch
---
- src/qemu_driver.c |   28 ++++++++++++++++++----------
- 1 files changed, 18 insertions(+), 10 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index 2ddcdc0..7c7b985 100644
--- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -3905,17 +3905,25 @@ static int qemudDomainSave(virDomainPtr dom,
-         goto cleanup;
-     }
- 
-    const char *prog = qemudSaveCompressionTypeToString(header.compressed);
-    if (prog == NULL) {
-        qemudReportError(dom->conn, dom, NULL, VIR_ERR_INTERNAL_ERROR,
-                         _("Invalid compress format %d"), header.compressed);
-        goto cleanup;
-    }
-+    {
-+        const char *prog = qemudSaveCompressionTypeToString(header.compressed);
-+        const char *args;
- 
-    if (STREQ (prog, "raw"))
-        prog = "cat";
-    internalret = virAsprintf(&command, "migrate \"exec:"
-                              "%s -c >> '%s' 2>/dev/null\"", prog, safe_path);
-+        if (prog == NULL) {
-+            qemudReportError(dom->conn, dom, NULL, VIR_ERR_INTERNAL_ERROR,
-+                             _("Invalid compress format %d"), header.compressed);
-+            goto cleanup;
-+        }
-+
-+        if (STREQ (prog, "raw")) {
-+            prog = "cat";
-+            args = "";
-+        } else {
-+            args = "-c";
-+        }
-+        internalret = virAsprintf(&command, "migrate \"exec:"
-+                                  "%s %s >> '%s' 2>/dev/null\"", prog, args, safe_path);
-+    }
- 
-     if (internalret < 0) {
-         virReportOOMError(dom->conn);
-- 
-1.6.2.5
-
@@ -1,38 +0,0 @@
-From 0b846a30468a6b4586407f020ccde7bb51afaf98 Mon Sep 17 00:00:00 2001
-From: Daniel P. Berrange <berrange@redhat.com>
-Date: Mon, 12 Oct 2009 20:03:50 +0100
-Subject: [PATCH] Fix QEMU restore from file in raw format
-
-The logic for running the decompression programs was broken in
-commit f238709304f9f6c57204cdd943e542cbae38fa5f, so that for
-non-raw formats the decompression program was never run, and
-for raw formats, it tried to exec an argv[] with initial NULL
-in the program name.
-
-* src/qemu/qemu_driver.c: Fix logic in runing decompression program
-
-(cherry picked from commit 74b379cbd5ba9f472a3a2d5710e497966b1a3a37)
-
-Fedora-patch: libvirt-fix-qemu-restore-from-raw1.patch
---
- src/qemu_driver.c |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index 550a59c..0ce403c 100644
--- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -4541,9 +4541,8 @@ static int qemudDomainRestore(virConnectPtr conn,
-             goto cleanup;
-         }
- 
-        if (header.compressed != QEMUD_SAVE_FORMAT_RAW)
-+        if (header.compressed != QEMUD_SAVE_FORMAT_RAW) {
-             intermediate_argv[0] = prog;
-        else {
-             intermediatefd = fd;
-             fd = -1;
-             if (virExec(conn, intermediate_argv, NULL, NULL,
-- 
-1.6.2.5
-
@@ -1,120 +0,0 @@
-From 57d7cc602d14c6b50e2826e427a5de124e479f95 Mon Sep 17 00:00:00 2001
-From: Daniel P. Berrange <berrange@redhat.com>
-Date: Mon, 12 Oct 2009 20:32:33 +0100
-Subject: [PATCH] Fix virFileReadLimFD/virFileReadAll to handle EINTR
-
-The fread_file_lim() function uses fread() but never handles
-EINTR results, causing unexpected failures when reading QEMU
-help arg info. It was unneccessarily using FILE * instead
-of plain UNIX file handles, which prevented use of saferead()
-
-* src/util/util.c: Switch fread_file_lim over to use saferead
-  instead of fread, remove FILE * use, and rename
-
-(cherry picked from commit 11a36d956cb8a5e439e535bff3e0cfce50a64bca)
-
-Fedora-patch: libvirt-fix-qemu-restore-from-raw2.patch
---
- src/util.c |   45 ++++++++++++---------------------------------
- 1 files changed, 12 insertions(+), 33 deletions(-)
-
-diff --git a/src/util.c b/src/util.c
-index 1878e33..7bc3a66 100644
--- a/src/util.c
-+++ b/src/util.c
-@@ -887,7 +887,7 @@ virExec(virConnectPtr conn,
-    number of bytes.  If the length of the input is <= max_len, and
-    upon error while reading that data, it works just like fread_file.  */
- static char *
-fread_file_lim (FILE *stream, size_t max_len, size_t *length)
-+saferead_lim (int fd, size_t max_len, size_t *length)
- {
-     char *buf = NULL;
-     size_t alloc = 0;
-@@ -895,8 +895,8 @@ fread_file_lim (FILE *stream, size_t max_len, size_t *length)
-     int save_errno;
- 
-     for (;;) {
-        size_t count;
-        size_t requested;
-+        int count;
-+        int requested;
- 
-         if (size + BUFSIZ + 1 > alloc) {
-             alloc += alloc / 2;
-@@ -912,12 +912,12 @@ fread_file_lim (FILE *stream, size_t max_len, size_t *length)
-         /* Ensure that (size + requested <= max_len); */
-         requested = MIN (size < max_len ? max_len - size : 0,
-                          alloc - size - 1);
-        count = fread (buf + size, 1, requested, stream);
-+        count = saferead (fd, buf + size, requested);
-         size += count;
- 
-         if (count != requested || requested == 0) {
-             save_errno = errno;
-            if (ferror (stream))
-+            if (count < 0)
-                 break;
-             buf[size] = '\0';
-             *length = size;
-@@ -930,12 +930,12 @@ fread_file_lim (FILE *stream, size_t max_len, size_t *length)
-     return NULL;
- }
- 
-/* A wrapper around fread_file_lim that maps a failure due to
-+/* A wrapper around saferead_lim that maps a failure due to
-    exceeding the maximum size limitation to EOVERFLOW.  */
-static int virFileReadLimFP(FILE *fp, int maxlen, char **buf)
-+int virFileReadLimFD(int fd, int maxlen, char **buf)
- {
-     size_t len;
-    char *s = fread_file_lim (fp, maxlen+1, &len);
-+    char *s = saferead_lim (fd, maxlen+1, &len);
-     if (s == NULL)
-         return -1;
-     if (len > maxlen || (int)len != len) {
-@@ -949,37 +949,16 @@ static int virFileReadLimFP(FILE *fp, int maxlen, char **buf)
-     return len;
- }
- 
-/* Like virFileReadLimFP, but use a file descriptor rather than a FILE*.  */
-int virFileReadLimFD(int fd_arg, int maxlen, char **buf)
-{
-    int fd = dup (fd_arg);
-    if (fd >= 0) {
-        FILE *fp = fdopen (fd, "r");
-        if (fp) {
-            int len = virFileReadLimFP (fp, maxlen, buf);
-            int saved_errno = errno;
-            fclose (fp);
-            errno = saved_errno;
-            return len;
-        } else {
-            int saved_errno = errno;
-            close (fd);
-            errno = saved_errno;
-        }
-    }
-    return -1;
-}
-
- int virFileReadAll(const char *path, int maxlen, char **buf)
- {
-    FILE *fh = fopen(path, "r");
-    if (fh == NULL) {
-+    int fd = open(path, O_RDONLY);
-+    if (fd < 0) {
-         virReportSystemError(NULL, errno, _("Failed to open file '%s'"), path);
-         return -1;
-     }
- 
-    int len = virFileReadLimFP (fh, maxlen, buf);
-    fclose(fh);
-+    int len = virFileReadLimFD(fd, maxlen, buf);
-+    close(fd);
-     if (len < 0) {
-         virReportSystemError(NULL, errno, _("Failed to read file '%s'"), path);
-         return -1;
-- 
-1.6.2.5
-
@@ -1,41 +0,0 @@
-From 6b12148864cf6a1d22a2cf4e0e9c48e9946331cb Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Wed, 30 Sep 2009 18:37:03 +0100
-Subject: [PATCH] Fix USB device re-labelling
-
-A simple misplaced break out of a switch results in:
-
-  libvir: error : Failed to open file '/sys/bus/pci/devices/0000:00:54c./vendor': No such file or directory
-  libvir: error : Failed to open file '/sys/bus/pci/devices/0000:00:54c./device': No such file or directory
-  libvir: error : this function is not supported by the hypervisor: Failed to read product/vendor ID for 0000:00:54c.
-
-when trying to passthrough a USB host device to qemu.
-
-* src/security_selinux.c: fix a switch/break thinko
-
-Fedora-patch: libvirt-fix-usb-device-passthrough.patch
---
- src/security_selinux.c |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-diff --git a/src/security_selinux.c b/src/security_selinux.c
-index bc295b1..b4dc153 100644
--- a/src/security_selinux.c
-+++ b/src/security_selinux.c
-@@ -464,12 +464,11 @@ SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
- 
-             ret = usbDeviceFileIterate(conn, usb, SELinuxSetSecurityUSBLabel, vm);
-             usbFreeDevice(conn, usb);
-
-            break;
-         } else {
-             /* XXX deal with product/vendor better */
-             ret = 0;
-         }
-+        break;
-     }
- 
-     case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
-- 
-1.6.2.5
-
@@ -1,54 +0,0 @@
-From b7e3ac4f23befe67518b57e34691c301820a436c Mon Sep 17 00:00:00 2001
-From: Mark McLoughlin <markmc@redhat.com>
-Date: Tue, 6 Oct 2009 12:33:17 +0100
-Subject: [PATCH] Create /var/log/libvirt/{lxc,uml} dirs
-
-Otherwise logrotate barfs:
-
-  error: error accessing /var/log/libvirt/uml: No such file or directory
-  error: libvirtd:1 glob failed for /var/log/libvirt/uml/*.log
-  error: found error in /var/log/libvirt/qemu/*.log /var/log/libvirt/uml/*.log /var/log/libvirt/lxc/*.log , skipping
-
-* qemud/Makefile.am: always create /var/log/libvirt/{lxc,uml} when
-  installing the logrotate conf; not ideal, but easier than making
-  the logrotate conf depend on which drivers are enabled
-
-Fedora-patch: libvirt-logrotate-create-lxc-uml-dirs.patch
---
- qemud/Makefile.am |    6 ++++--
- 1 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/qemud/Makefile.am b/qemud/Makefile.am
-index 3d143da..a7f4bdf 100644
--- a/qemud/Makefile.am
-+++ b/qemud/Makefile.am
-@@ -176,7 +176,7 @@ install-data-local: install-init install-data-sasl install-data-polkit \
- 	test -e $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart/default.xml || \
-            ln -s ../default.xml \
- 	    $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart/default.xml
-	mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/qemu
-+	mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt
- 	mkdir -p $(DESTDIR)$(localstatedir)/run/libvirt
- 	mkdir -p $(DESTDIR)$(localstatedir)/lib/libvirt
- 
-@@ -184,7 +184,7 @@ uninstall-local:: uninstall-init uninstall-data-sasl install-data-polkit
- 	rm -f $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart/default.xml
- 	rm -f $(DESTDIR)$(sysconfdir)/$(default_xml_dest)
- 	rmdir $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart || :
-	rmdir $(DESTDIR)$(localstatedir)/log/libvirt/qemu || :
-+	rmdir $(DESTDIR)$(localstatedir)/log/libvirt || :
- 	rmdir $(DESTDIR)$(localstatedir)/run/libvirt || :
- 	rmdir $(DESTDIR)$(localstatedir)/lib/libvirt || :
- 
-@@ -240,6 +240,8 @@ libvirtd.logrotate: libvirtd.logrotate.in
- 
- install-logrotate: libvirtd.logrotate
- 	mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/qemu/
-+	mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/lxc/
-+	mkdir -p $(DESTDIR)$(localstatedir)/log/libvirt/uml/
- 	mkdir -p $(DESTDIR)$(sysconfdir)/logrotate.d/
- 	$(INSTALL_DATA) $< $(DESTDIR)$(sysconfdir)/logrotate.d/libvirtd
- 
-- 
-1.6.2.5
-
@@ -1 +1 @@
-f1cd360a5da38b847e166c6482141940  libvirt-0.7.1.tar.gz
+SHA512 (libvirt-3.7.0.tar.xz) = b3f7021ef4c6954430f8fa503f0c49e3df4f662b228cb631ba2c2139ecec2307dde6cec05037cc28663e82ab1001296c20c5c68acd183cd364dd484a7746f498