Fix virsh domifaddr --source=arp on kernel 6.10 (bz #2302245)

Signed-off-by: Cole Robinson <crobinso@redhat.com>

0001-esx-Allow-connecting-to-IPv6-server.patch

@@ -1,41 +0,0 @@
-From 845210011a9ffd9d17e30c51cbc81ba67c5d3166 Mon Sep 17 00:00:00 2001
-From: Michal Privoznik <mprivozn@redhat.com>
-Date: Tue, 20 Jan 2026 10:08:29 +0100
-Subject: [PATCH] esx: Allow connecting to IPv6 server
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When connecting to a VMWare server, the hostname from URI is
-resolved using esxUtil_ResolveHostname() which in turn calls
-getaddrinfo(). But in the hints argument, we restrict the return
-address to be IPv4 (AF_INET) which obviously fails if the address
-to resolve is an IPv6 address. Set the hint to AF_UNSPEC which
-allows both IPv4 and IPv6. While at it, also allow IPv4 addresses
-mapped in IPv6 by setting AI_V4MAPPED flag.
-
-Resolves: https://issues.redhat.com/browse/RHEL-138300
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/esx/esx_util.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/esx/esx_util.c b/src/esx/esx_util.c
-index 88b3dc893f..a6275babd5 100644
---- a/src/esx/esx_util.c
-+++ b/src/esx/esx_util.c
-@@ -275,8 +275,8 @@ esxUtil_ResolveHostname(const char *hostname, char **ipAddress)
-     int errcode;
-     g_autofree char *address = NULL;
- 
--    hints.ai_flags = AI_ADDRCONFIG;
--    hints.ai_family = AF_INET;
-+    hints.ai_flags = AI_ADDRCONFIG | AI_V4MAPPED;
-+    hints.ai_family = AF_UNSPEC;
-     hints.ai_socktype = SOCK_STREAM;
-     hints.ai_protocol = 0;
- 
--- 
-2.52.0
-

0001-interface-fix-udev-reference-leak-with-invalid-flags.patch

@@ -0,0 +1,41 @@
+From 3499354e12a1c1832bf4030693a64e03ceb79d05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 5 Jun 2024 11:16:21 +0100
+Subject: [PATCH] interface: fix udev reference leak with invalid flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The udevInterfaceGetXMLDesc method takes a reference on the udev
+driver as its first action. If the virCheckFlags() condition
+fails, however, this reference is never released.
+
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/interface/interface_backend_udev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
+index fdf11a8318..e1a50389c9 100644
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -1027,12 +1027,14 @@ static char *
+ udevInterfaceGetXMLDesc(virInterfacePtr ifinfo,
+                         unsigned int flags)
+ {
+-    struct udev *udev = udev_ref(driver->udev);
++    struct udev *udev = NULL;
+     g_autoptr(virInterfaceDef) ifacedef = NULL;
+     char *xmlstr = NULL;
+ 
+     virCheckFlags(VIR_INTERFACE_XML_INACTIVE, NULL);
+ 
++    udev = udev_ref(driver->udev);
++
+     /* Recursively build up the interface XML based on the requested
+      * interface name
+      */
+-- 
+2.45.1
+

0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch

@@ -0,0 +1,49 @@
+From 98f1cf88fa7e0f992d93f376418fbfb3996a9690 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 17 May 2024 14:55:24 +0100
+Subject: [PATCH] rpc: avoid leak of GSource in use for interrupting main loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We never release the reference on the GSource created for
+interrupting the main loop, nor do we remove it from the
+main context if our thread is woken up prior to the wakeup
+callback firing.
+
+This can result in a leak of GSource objects, along with an
+ever growing list of GSources attached to the main context,
+which will gradually slow down execution of the loop, as
+several operations are O(N) for the number of attached GSource
+objects.
+
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/rpc/virnetclient.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
+index 147b0d661a..6d424eb599 100644
+--- a/src/rpc/virnetclient.c
++++ b/src/rpc/virnetclient.c
+@@ -1946,7 +1946,7 @@ static int virNetClientIO(virNetClient *client,
+     /* Check to see if another thread is dispatching */
+     if (client->haveTheBuck) {
+         /* Force other thread to wakeup from poll */
+-        GSource *wakeup = g_idle_source_new();
++        g_autoptr(GSource) wakeup = g_idle_source_new();
+         g_source_set_callback(wakeup, virNetClientIOWakeup, client->eventLoop, NULL);
+         g_source_attach(wakeup, client->eventCtx);
+ 
+@@ -1968,6 +1968,7 @@ static int virNetClientIO(virNetClient *client,
+             return -1;
+         }
+ 
++        g_source_destroy(wakeup);
+         VIR_DEBUG("Woken up from sleep head=%p call=%p",
+                   client->waitDispatch, thiscall);
+         /* Three reasons we can be woken up
+-- 
+2.45.1
+

0001-rpc-ensure-temporary-GSource-is-removed-from-client-.patch

@@ -0,0 +1,99 @@
+From 8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Apr 2024 11:51:15 +0100
+Subject: [PATCH] rpc: ensure temporary GSource is removed from client event
+ loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Users are seeing periodic segfaults from libvirt client apps,
+especially thread heavy ones like virt-manager. A typical
+stack trace would end up in the virNetClientIOEventFD method,
+with illegal access to stale stack data. eg
+
+==238721==ERROR: AddressSanitizer: stack-use-after-return on address 0x75cd18709788 at pc 0x75cd3111f907 bp 0x75cd181ff550 sp 0x75cd181ff548
+WRITE of size 4 at 0x75cd18709788 thread T11
+    #0 0x75cd3111f906 in virNetClientIOEventFD /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1634:15
+    #1 0x75cd3210d198  (/usr/lib/libglib-2.0.so.0+0x5a198) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
+    #2 0x75cd3216c3be  (/usr/lib/libglib-2.0.so.0+0xb93be) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
+    #3 0x75cd3210ddc6 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x5adc6) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
+    #4 0x75cd3111a47c in virNetClientIOEventLoop /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1722:9
+    #5 0x75cd3111a47c in virNetClientIO /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2002:10
+    #6 0x75cd3111a47c in virNetClientSendInternal /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2170:11
+    #7 0x75cd311198a8 in virNetClientSendWithReply /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2198:11
+    #8 0x75cd31111653 in virNetClientProgramCall /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclientprogram.c:318:9
+    #9 0x75cd31241c8f in callFull /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6054:10
+    #10 0x75cd31241c8f in call /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6076:12
+    #11 0x75cd31241c8f in remoteNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/src/remote/remote_client_bodies.h:5959:9
+    #12 0x75cd31410ff7 in virNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/libvirt-network.c:952:15
+
+The root cause is a bad assumption in the virNetClientIOEventLoop
+method. This method is run by whichever thread currently owns the
+buck, and is responsible for handling I/O. Inside a for(;;) loop,
+this method creates a temporary GSource, adds it to the event loop
+and runs g_main_loop_run(). When I/O is ready, the GSource callback
+(virNetClientIOEventFD) will fire and call g_main_loop_quit(), and
+return G_SOURCE_REMOVE which results in the temporary GSource being
+destroyed. A g_autoptr() will then remove the last reference.
+
+What was overlooked, is that a second thread can come along and
+while it can't enter virNetClientIOEventLoop, it will register an
+idle source that uses virNetClientIOWakeup to interrupt the
+original thread's 'g_main_loop_run' call. When this happens the
+virNetClientIOEventFD callback never runs, and so the temporary
+GSource is not destroyed. The g_autoptr() will remove a reference,
+but by virtue of still being attached to the event context, there
+is an extra reference held causing GSource to be leaked. The
+next time 'g_main_loop_run' is called, the original GSource will
+trigger its callback, and access data that was allocated on the
+stack by the previous thread, and likely SEGV.
+
+To solve this, the thread calling 'g_main_loop_run' must call
+g_source_destroy, immediately upon return, to guarantee that
+the temporary GSource is removed.
+
+CVE-2024-4418
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Reported-by: Martin Shirokov <shirokovmartin@gmail.com>
+Tested-by: Martin Shirokov <shirokovmartin@gmail.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/rpc/virnetclient.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
+index 68098b1c8d..147b0d661a 100644
+--- a/src/rpc/virnetclient.c
++++ b/src/rpc/virnetclient.c
+@@ -1657,7 +1657,7 @@ static int virNetClientIOEventLoop(virNetClient *client,
+ #endif /* !WIN32 */
+         int timeout = -1;
+         virNetMessage *msg = NULL;
+-        g_autoptr(GSource) G_GNUC_UNUSED source = NULL;
++        g_autoptr(GSource) source = NULL;
+         GIOCondition ev = 0;
+         struct virNetClientIOEventData data = {
+             .client = client,
+@@ -1721,6 +1721,18 @@ static int virNetClientIOEventLoop(virNetClient *client,
+ 
+         g_main_loop_run(client->eventLoop);
+ 
++        /*
++         * If virNetClientIOEventFD ran, this GSource will already be
++         * destroyed due to G_SOURCE_REMOVE. It is harmless to re-destroy
++         * it, since we still own a reference.
++         *
++         * If virNetClientIOWakeup ran, it will have interrupted the
++         * g_main_loop_run call, before virNetClientIOEventFD could
++         * run, and thus the GSource is still registered, and we need
++         * to destroy it since it is referencing stack memory for 'data'
++         */
++        g_source_destroy(source);
++
+ #ifndef WIN32
+         ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
+ #endif /* !WIN32 */
+-- 
+2.45.1
+

0001-virarptable-Properly-calculate-rtattr-length.patch

@@ -0,0 +1,35 @@
+From adfdb79f1e01401349e1321d0f5059d7b6489f00 Mon Sep 17 00:00:00 2001
+Message-ID: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Fri, 16 Aug 2024 13:56:51 +0200
+Subject: [PATCH 1/3] virarptable: Properly calculate rtattr length
+Content-type: text/plain
+
+Use convenience macro which does almost the same thing we were doing,
+but also pads out the payload length to a multiple of NLMSG_ALIGNTO (4)
+bytes.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reviewed-by: Laine Stump <laine@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/virarptable.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/util/virarptable.c b/src/util/virarptable.c
+index 299dddd664..d8e41c5a86 100644
+--- a/src/util/virarptable.c
++++ b/src/util/virarptable.c
+@@ -102,8 +102,7 @@ virArpTableGet(void)
+             return table;
+ 
+         VIR_WARNINGS_NO_CAST_ALIGN
+-        parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
+-                     nh->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
++        parse_rtattr(tb, NDA_MAX, NDA_RTA(r), NLMSG_PAYLOAD(nh, sizeof(*r)));
+         VIR_WARNINGS_RESET
+ 
+         if (tb[NDA_DST] == NULL || tb[NDA_LLADDR] == NULL)
+-- 
+2.46.0
+

0002-virarptable-Fix-check-for-message-length.patch

@@ -0,0 +1,42 @@
+From 137779b894858bd958ea575cec260a0559b31e48 Mon Sep 17 00:00:00 2001
+Message-ID: <137779b894858bd958ea575cec260a0559b31e48.1724763718.git.crobinso@redhat.com>
+In-Reply-To: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+References: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Fri, 16 Aug 2024 13:59:15 +0200
+Subject: [PATCH 2/3] virarptable: Fix check for message length
+Content-type: text/plain
+
+The previous check was all wrong since it calculated the how long would
+the netlink message be if the netlink header was the payload and then
+subtracted that from the whole message length, a variable that was not
+used later in the code.  This check can fail if there are no additional
+payloads, struct rtattr in particular, which we are parsing later,
+however the RTA_OK macro would've caught that anyway.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reviewed-by: Laine Stump <laine@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/virarptable.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/util/virarptable.c b/src/util/virarptable.c
+index d8e41c5a86..45ee76766f 100644
+--- a/src/util/virarptable.c
++++ b/src/util/virarptable.c
+@@ -81,10 +81,9 @@ virArpTableGet(void)
+     for (; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen)) {
+         VIR_WARNINGS_RESET
+         struct ndmsg *r = NLMSG_DATA(nh);
+-        int len = nh->nlmsg_len;
+         void *addr;
+ 
+-        if ((len -= NLMSG_LENGTH(sizeof(*nh))) < 0) {
++        if (nh->nlmsg_len < NLMSG_SPACE(sizeof(*r))) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("wrong nlmsg len"));
+             goto cleanup;
+-- 
+2.46.0
+

0003-virarptable-End-parsing-earlier-in-case-of-NLMSG_DON.patch

@@ -0,0 +1,54 @@
+From df2cefb31dab2fa56e0864fbd2b8ad468dee22c0 Mon Sep 17 00:00:00 2001
+Message-ID: <df2cefb31dab2fa56e0864fbd2b8ad468dee22c0.1724763718.git.crobinso@redhat.com>
+In-Reply-To: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+References: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Fri, 16 Aug 2024 14:02:48 +0200
+Subject: [PATCH 3/3] virarptable: End parsing earlier in case of NLMSG_DONE
+Content-type: text/plain
+
+Check for the last multipart message right as the first thing.  The
+presumption probably was that the last message might still contain a
+payload we want to parse.  However that cannot be true since that would
+have to be a type RTM_NEWNEIGH.  This was not caught because older
+kernels were note sending NLMSG_DONE and probably relied on the fact
+that the parsing just stops after all the messages are walked through,
+which the NLMSG_OK macro successfully did.
+
+Resolves: https://issues.redhat.com/browse/RHEL-52449
+Resolves: https://bugzilla.redhat.com/2302245
+Fixes: a176d67cdfaf5b8237a7e3a80d8be0e6bdf2d8fd
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reviewed-by: Laine Stump <laine@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/util/virarptable.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/virarptable.c b/src/util/virarptable.c
+index 45ee76766f..20d11f97b0 100644
+--- a/src/util/virarptable.c
++++ b/src/util/virarptable.c
+@@ -83,6 +83,9 @@ virArpTableGet(void)
+         struct ndmsg *r = NLMSG_DATA(nh);
+         void *addr;
+ 
++        if (nh->nlmsg_type == NLMSG_DONE)
++            break;
++
+         if (nh->nlmsg_len < NLMSG_SPACE(sizeof(*r))) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("wrong nlmsg len"));
+@@ -97,9 +100,6 @@ virArpTableGet(void)
+             (!(r->ndm_state == NUD_STALE || r->ndm_state == NUD_REACHABLE)))
+             continue;
+ 
+-        if (nh->nlmsg_type == NLMSG_DONE)
+-            return table;
+-
+         VIR_WARNINGS_NO_CAST_ALIGN
+         parse_rtattr(tb, NDA_MAX, NDA_RTA(r), NLMSG_PAYLOAD(nh, sizeof(*r)));
+         VIR_WARNINGS_RESET
+-- 
+2.46.0
+

fix-virtiofs-socket-label.patch

@@ -0,0 +1,31 @@
+From 4c5b2e1e0d0d0cbbf8c6ed28ce77d055d5974f7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Wed, 6 Mar 2024 17:26:40 +0100
+Subject: [PATCH] qemu: virtiofs: set correct label when creating the socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use svirt_t instead of virtd_t, since virtd_t is not available in the
+session mode and qemu with svirt_t won't be able to talk to unconfined_t
+socket.
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_virtiofs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
+index 15dea3bb57f..d80cddd3ba9 100644
+--- a/src/qemu/qemu_virtiofs.c
++++ b/src/qemu/qemu_virtiofs.c
+@@ -102,7 +102,7 @@ qemuVirtioFSOpenChardev(virQEMUDriver *driver,
+     chrdev->data.nix.listen = true;
+     chrdev->data.nix.path = g_strdup(socket_path);
+ 
+-    if (qemuSecuritySetDaemonSocketLabel(driver->securityManager, vm->def) < 0)
++    if (qemuSecuritySetSocketLabel(driver->securityManager, vm->def) < 0)
+         goto cleanup;
+     fd = qemuOpenChrChardevUNIXSocket(chrdev);
+     if (fd < 0) {

libvirt.spec

@@ -3,15 +3,15 @@
 # This spec file assumes you are building on a Fedora or RHEL version
 # that's still supported by the vendor. It may work on other distros
 # or versions, but no effort will be made to ensure that going forward.
-%define min_rhel 9
-%define min_fedora 41
+%define min_rhel 8
+%define min_fedora 37
 
-%define arches_qemu_kvm         %{ix86} x86_64 %{power64} aarch64 s390x riscv64
+%define arches_qemu_kvm         %{ix86} x86_64 %{power64} %{arm} aarch64 s390x
 %if 0%{?rhel}
-    %if 0%{?rhel} >= 10
-        %define arches_qemu_kvm     x86_64 aarch64 s390x riscv64
-    %else
+    %if 0%{?rhel} > 8
         %define arches_qemu_kvm     x86_64 aarch64 s390x
+    %else
+        %define arches_qemu_kvm     x86_64 %{power64} aarch64 s390x
     %endif
 %endif
 
@@ -19,7 +19,7 @@
 %define arches_x86              %{ix86} x86_64
 
 %define arches_systemtap_64bit  %{arches_64bit}
-%define arches_dmidecode        %{arches_x86} aarch64 riscv64
+%define arches_dmidecode        %{arches_x86}
 %define arches_xen              %{arches_x86} aarch64
 %if 0%{?fedora}
     %define arches_xen          x86_64 aarch64
@@ -29,24 +29,12 @@
 %define arches_zfs              %{arches_x86} %{power64} %{arm}
 %define arches_numactl          %{arches_x86} %{power64} aarch64 s390x
 %define arches_numad            %{arches_x86} %{power64} aarch64
-%define arches_ch               x86_64 aarch64
 
 # The hypervisor drivers that run in libvirtd
+%define with_qemu          0%{!?_without_qemu:1}
 %define with_lxc           0%{!?_without_lxc:1}
 %define with_libxl         0%{!?_without_libxl:1}
 %define with_vbox          0%{!?_without_vbox:1}
-%define with_ch            0%{!?_without_ch:1}
-
-%ifarch %{arches_64bit}
-    %define with_qemu      0%{!?_without_qemu:1}
-%else
-    # QEMU drops 32-bit in Fedora 44
-    %if 0%{?fedora} > 43
-        %define with_qemu  0
-    %else
-        %define with_qemu  0%{!?_without_qemu:1}
-    %endif
-%endif
 
 %ifarch %{arches_qemu_kvm}
     %define with_qemu_kvm      %{with_qemu}
@@ -54,12 +42,6 @@
     %define with_qemu_kvm      0
 %endif
 
-%if 0%{?fedora} >= 42
-    %define with_account_add 0
-%else
-    %define with_account_add 1
-%endif
-
 %define with_qemu_tcg      %{with_qemu}
 
 # RHEL disables TCG on all architectures
@@ -82,13 +64,18 @@
 
 %define with_storage_gluster 0%{!?_without_storage_gluster:1}
 %if 0%{?rhel}
-    # Glusterfs has been dropped in RHEL-9.
-    %define with_storage_gluster 0
+    # Glusterfs has been dropped in RHEL-9, and before that
+    # was only enabled on arches where KVM exists
+    %if 0%{?rhel} > 8
+        %define with_storage_gluster 0
+    %else
+        %ifnarch %{arches_qemu_kvm}
+            %define with_storage_gluster 0
+        %endif
+    %endif
 %endif
 
-# On Fedora 43, the 'zfs-fuse' package was removed, but is obtainable via
-# other means. Build the backend, but it's no longer considered to be part
-# of 'daemon-driver-storage'.
+# Fedora has zfs-fuse
 %if 0%{?fedora}
     %define with_storage_zfs      0%{!?_without_storage_zfs:1}
 %else
@@ -97,12 +84,13 @@
 
 %define with_storage_iscsi_direct 0%{!?_without_storage_iscsi_direct:1}
 # libiscsi has been dropped in RHEL-9
-%if 0%{?rhel}
+%if 0%{?rhel} > 8
     %define with_storage_iscsi_direct 0
 %endif
 
 # Other optional features
 %define with_numactl          0%{!?_without_numactl:1}
+%define with_userfaultfd_sysctl 0%{!?_without_userfaultfd_sysctl:1}
 
 # A few optional bits off by default, we enable later
 %define with_fuse             0
@@ -135,9 +123,6 @@
 %ifnarch %{arches_ceph}
     %define with_storage_rbd 0
 %endif
-%ifnarch %{arches_ch}
-    %define with_ch 0
-%endif
 
 # RHEL doesn't ship many hypervisor drivers
 %if 0%{?rhel}
@@ -147,11 +132,14 @@
     %define with_libxl 0
     %define with_hyperv 0
     %define with_lxc 0
-    %define with_ch 0
 %endif
 
 %define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
 
+%if 0%{?rhel} && 0%{?rhel} < 9
+    %define with_netcf 0%{!?_without_netcf:1}
+%endif
+
 # fuse is used to provide virtualized /proc for LXC
 %if %{with_lxc}
     %define with_fuse      0%{!?_without_fuse:1}
@@ -193,7 +181,8 @@
 # Right now that's not the case anywhere, but things should be fine by the time
 # Fedora 40 is released.
 %if %{with_qemu}
-    %if 0%{?fedora} || 0%{?rhel}
+    # rhel-8 lacks pidfd_open
+    %if 0%{?fedora} || 0%{?rhel} >= 9
         %define with_nbdkit 0%{!?_without_nbdkit:1}
 
         # setting 'with_nbdkit_config_default' must be done only when compiling
@@ -201,7 +190,7 @@
         #
         # TODO: add RHEL 9 once a minor release that contains the necessary SELinux
         #       bits exists (we only support the most recent minor release)
-        %if 0%{?fedora}
+        %if 0%{?fedora} >= 40
             %define with_nbdkit_config_default 0%{!?_without_nbdkit_config_default:1}
         %endif
     %endif
@@ -212,22 +201,10 @@
 %endif
 
 %define with_modular_daemons 0
-%if 0%{?fedora} || 0%{?rhel}
+%if 0%{?fedora} || 0%{?rhel} >= 9
     %define with_modular_daemons 1
 %endif
 
-# Prefer nftables for future OS releases but keep using iptables
-# for existing ones
-%if 0%{?rhel} >= 10 || 0%{?fedora}
-    %define prefer_nftables 1
-    %define firewall_backend_priority nftables,iptables
-%else
-    %define prefer_nftables 0
-    %define firewall_backend_priority iptables,nftables
-%endif
-
-
-
 # Force QEMU to run as non-root
 %define qemu_user  qemu
 %define qemu_group  qemu
@@ -263,14 +240,19 @@
 
 # RHEL releases provide stable tool chains and so it is safe to turn
 # compiler warning into errors without being worried about frequent
-# changes in reported warnings. ELN is a rebuild of Rawhide so should
-# be treated as unstable for this flag
-%if 0%{?rhel} && !0%{?eln}
+# changes in reported warnings
+%if 0%{?rhel}
     %define enable_werror -Dwerror=true
 %else
     %define enable_werror -Dwerror=false -Dgit_werror=disabled
 %endif
 
+# Fedora and RHEL-9 are new enough to support /dev/userfaultfd, which
+# does not require enabling vm.unprivileged_userfaultfd sysctl.
+%if 0%{?fedora} || 0%{?rhel} >= 9
+    %define with_userfaultfd_sysctl 0
+%endif
+
 %define tls_priority "@LIBVIRT,SYSTEM"
 
 # libvirt 8.1.0 stops distributing any sysconfig files.
@@ -294,8 +276,8 @@
 
 Summary: Library providing a simple virtualization API
 Name: libvirt
-Version: 12.0.0
-Release: 3%{?dist}
+Version: 10.1.0
+Release: 4%{?dist}
 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
 URL: https://libvirt.org/
 
@@ -303,10 +285,16 @@ URL: https://libvirt.org/
     %define mainturl stable_updates/
 %endif
 Source: https://download.libvirt.org/%{?mainturl}libvirt-%{version}.tar.xz
+Patch1: 0001-rpc-ensure-temporary-GSource-is-removed-from-client-.patch
+Patch2: 0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch
+Patch3: 0001-interface-fix-udev-reference-leak-with-invalid-flags.patch
+
+Patch0: fix-virtiofs-socket-label.patch
+
+Patch10: 0001-virarptable-Properly-calculate-rtattr-length.patch
+Patch11: 0002-virarptable-Fix-check-for-message-length.patch
+Patch12: 0003-virarptable-End-parsing-earlier-in-case-of-NLMSG_DON.patch
 
-# Fix IPv6 connections to ESXi
-# Upstream in > 12.0.0
-Patch: 0001-esx-Allow-connecting-to-IPv6-server.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -327,9 +315,6 @@ Obsoletes: libvirt-daemon-uml <= 5.0.0
 %if %{with_vbox}
 Requires: libvirt-daemon-driver-vbox = %{version}-%{release}
 %endif
-%if %{with_ch}
-Requires: libvirt-daemon-driver-ch = %{version}-%{release}
-%endif
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-interface = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
@@ -344,7 +329,7 @@ Requires: libvirt-libs = %{version}-%{release}
 BuildRequires: python3-docutils
 BuildRequires: meson >= 0.56.0
 BuildRequires: ninja-build
-BuildRequires: git-core
+BuildRequires: git
 BuildRequires: perl-interpreter
 BuildRequires: python3
 BuildRequires: python3-pytest
@@ -361,7 +346,7 @@ BuildRequires: gcc
     %if %{with_libxl}
 BuildRequires: xen-devel
     %endif
-BuildRequires: glib2-devel >= 2.66
+BuildRequires: glib2-devel >= 2.56
 BuildRequires: libxml2-devel
 BuildRequires: readline-devel
 BuildRequires: pkgconfig(bash-completion) >= 2.0
@@ -374,14 +359,21 @@ BuildRequires: libblkid-devel >= 2.17
 BuildRequires: augeas
 BuildRequires: systemd-devel >= 185
 BuildRequires: libpciaccess-devel >= 0.10.9
-BuildRequires: json-c-devel
+BuildRequires: yajl-devel
     %if %{with_sanlock}
 BuildRequires: sanlock-devel >= 2.4
     %endif
 BuildRequires: libpcap-devel >= 1.5.0
 BuildRequires: libnl3-devel
 BuildRequires: libselinux-devel
+BuildRequires: iptables
+BuildRequires: ebtables
+# For modprobe
+BuildRequires: kmod
 BuildRequires: cyrus-sasl-devel
+BuildRequires: polkit >= 0.112
+# For mount/umount in FS driver
+BuildRequires: util-linux
     %if %{with_qemu}
 # For managing ACLs
 BuildRequires: libacl-devel
@@ -392,6 +384,10 @@ BuildRequires: /usr/bin/qemu-img
     %if %{with_nbdkit}
 BuildRequires: libnbd-devel
     %endif
+# For LVM drivers
+BuildRequires: lvm2
+# For pool type=iscsi
+BuildRequires: iscsi-initiator-utils
     %if %{with_storage_iscsi_direct}
 # For pool type=iscsi-direct
 BuildRequires: libiscsi-devel
@@ -414,7 +410,7 @@ BuildRequires: numactl-devel
     %endif
 BuildRequires: libcap-ng-devel >= 0.5.0
     %if %{with_fuse}
-BuildRequires: fuse3-devel
+BuildRequires: fuse-devel >= 2.8.6
     %endif
     %if %{with_libssh2}
 BuildRequires: libssh2-devel >= 1.3.0
@@ -429,8 +425,16 @@ BuildRequires: libcurl-devel
 BuildRequires: libwsman-devel >= 2.6.3
     %endif
 BuildRequires: audit-libs-devel
+# we need /usr/sbin/dtrace
 BuildRequires: systemtap-sdt-devel
 BuildRequires: /usr/bin/dtrace
+# For mount/umount in FS driver
+BuildRequires: util-linux
+# For showmount in FS driver (netfs discovery)
+BuildRequires: nfs-utils
+    %if %{with_numad}
+BuildRequires: numad
+    %endif
     %if %{with_wireshark}
 BuildRequires: wireshark-devel
     %endif
@@ -511,8 +515,6 @@ Requires: libvirt-libs = %{version}-%{release}
 # Recommends here will install libvirt-client by default (if available), but
 # RPM won't complain if the package is unavailable, masked, or removed later.
 Recommends: libvirt-client = %{version}-%{release}
-# For modprobe and rmmod
-Requires: kmod
 # for /sbin/ip
 Requires: iproute
 # for /sbin/tc
@@ -527,10 +529,8 @@ Requires(posttrans): /usr/bin/systemctl
 Requires(preun): /usr/bin/systemctl
 # libvirtd depends on 'messagebus' service
 Requires: dbus
-    %if %{with_account_add}
 # For uid creation during pre
 Requires(pre): shadow-utils
-    %endif
 # Needed by /usr/libexec/libvirt-guests.sh script.
     %if 0%{?fedora}
 Requires: gettext-runtime
@@ -557,7 +557,6 @@ resources
 %package daemon-plugin-lockd
 Summary: lockd client plugin for virtlockd
 Requires: libvirt-libs = %{version}-%{release}
-Requires: libvirt-daemon-common = %{version}-%{release}
 Requires: libvirt-daemon-lock = %{version}-%{release}
 
 %description daemon-plugin-lockd
@@ -606,11 +605,7 @@ Summary: Network driver plugin for the libvirtd daemon
 Requires: libvirt-daemon-common = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
 Requires: dnsmasq >= 2.41
-    %if %{prefer_nftables}
-Requires: nftables
-    %else
 Requires: iptables
-    %endif
 
 %description daemon-driver-network
 The network driver plugin for the libvirtd daemon, providing
@@ -671,8 +666,8 @@ an implementation of the secret key APIs.
 Summary: Storage driver plugin including base backends for the libvirtd daemon
 Requires: libvirt-daemon-common = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
-Recommends: nfs-utils
-# For mkfs and mount/umount
+Requires: nfs-utils
+# For mkfs
 Requires: util-linux
 # For storage wiping with different algorithms
 Requires: scrub
@@ -784,13 +779,9 @@ volumes using the ceph protocol.
 Summary: Storage driver plugin for ZFS
 Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
-# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
-# externally. The package builds fine without these. Users will have to provide
-# their own implementation.
-        %if 0%{?fedora} && 0%{?fedora} < 43
+# Support any conforming implementation of zfs
 Requires: /sbin/zfs
 Requires: /sbin/zpool
-        %endif
 
 %description daemon-driver-storage-zfs
 The storage driver backend adding implementation of the storage APIs for
@@ -814,10 +805,7 @@ Requires: libvirt-daemon-driver-storage-gluster = %{version}-%{release}
     %if %{with_storage_rbd}
 Requires: libvirt-daemon-driver-storage-rbd = %{version}-%{release}
     %endif
-# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
-# externally. We do not want to install this as part of 'daemon-driver-storage'
-# any more.
-    %if %{with_storage_zfs} && 0%{?fedora} && 0%{?fedora} < 43
+    %if %{with_storage_zfs}
 Requires: libvirt-daemon-driver-storage-zfs = %{version}-%{release}
     %endif
 
@@ -838,13 +826,12 @@ Requires: gzip
 Requires: bzip2
 Requires: lzop
 Requires: xz
-Requires: zstd
 Requires: systemd-container
 Requires: swtpm-tools
         %if %{with_numad}
 Requires: numad
         %endif
-        %if 0%{?fedora} || 0%{?rhel}
+        %if 0%{?fedora} || 0%{?rhel} >= 9
 Recommends: passt
 Recommends: passt-selinux
         %endif
@@ -926,7 +913,6 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
 Requires: libvirt-daemon-driver-storage = %{version}-%{release}
-Requires: libvirt-ssh-proxy = %{version}-%{release}
 Requires: qemu
 
 %description daemon-qemu
@@ -955,7 +941,6 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
 Requires: libvirt-daemon-driver-storage = %{version}-%{release}
-Requires: libvirt-ssh-proxy = %{version}-%{release}
 Requires: qemu-kvm
 
 %description daemon-kvm
@@ -1004,6 +989,7 @@ Requires: libvirt-daemon-driver-libxl = %{version}-%{release}
 Requires: libvirt-daemon-driver-interface = %{version}-%{release}
 Requires: libvirt-daemon-driver-network = %{version}-%{release}
 Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
+Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
 Requires: libvirt-daemon-driver-storage = %{version}-%{release}
 Requires: xen
@@ -1037,23 +1023,11 @@ Server side daemon and driver required to manage the virtualization
 capabilities of VirtualBox
     %endif
 
-    %if %{with_ch}
-%package daemon-driver-ch
-Summary: Cloud-Hypervisor driver plugin for libvirtd daemon
-Requires: libvirt-daemon-common = %{version}-%{release}
-Requires: libvirt-daemon-log = %{version}-%{release}
-Requires: libvirt-libs = %{version}-%{release}
-
-%description daemon-driver-ch
-The ch driver plugin for the libvirtd daemon, providing
-an implementation of the hypervisor driver APIs by
-Cloud-Hypervisor
-    %endif
-
-
 %package client
 Summary: Client side utilities of the libvirt library
 Requires: libvirt-libs = %{version}-%{release}
+# Needed by virt-pki-validate script.
+Requires: gnutls-utils
 
 # Ensure smooth upgrades
 Obsoletes: libvirt-bash-completion < 7.3.0
@@ -1075,6 +1049,8 @@ with some QEMU specific features of libvirt.
 
 %package libs
 Summary: Client side libraries
+# So remote clients can access libvirt over SSH tunnel
+Requires: cyrus-sasl
 # Needed by default sasl.conf - no onerous extra deps, since
 # 100's of other things on a system already pull in krb5-libs
 Requires: cyrus-sasl-gssapi
@@ -1096,10 +1072,6 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic.
 %package login-shell
 Summary: Login shell for connecting users to an LXC container
 Requires: libvirt-libs = %{version}-%{release}
-        %if %{with_account_add}
-# For uid creation during pre
-Requires(pre): shadow-utils
-        %endif
 
 %description login-shell
 Provides the set-uid virt-login-shell binary that is used to
@@ -1122,7 +1094,6 @@ Requires: sanlock >= 2.4
 #for virt-sanlock-cleanup require augeas
 Requires: augeas
 Requires: libvirt-libs = %{version}-%{release}
-Requires: libvirt-daemon-common = %{version}-%{release}
 Obsoletes: libvirt-lock-sanlock < 9.1.0
 Provides: libvirt-lock-sanlock = %{version}-%{release}
 
@@ -1139,13 +1110,6 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release}
 Libvirt plugin for NSS for translating domain names into IP addresses.
 %endif
 
-%package ssh-proxy
-Summary: Libvirt SSH proxy
-Requires: libvirt-libs = %{version}-%{release}
-
-%description ssh-proxy
-Allows SSH into domains via VSOCK without need for network.
-
 %if %{with_mingw32}
 %package -n mingw32-libvirt
 Summary: %{summary}
@@ -1218,15 +1182,9 @@ exit 1
 %endif
 
 %if %{with_esx}
-    %define arg_esx -Ddriver_esx=enabled
+    %define arg_esx -Ddriver_esx=enabled -Dcurl=enabled
 %else
-    %define arg_esx -Ddriver_esx=disabled
-%endif
-
-%if %{with_esx} || %{with_ch}
-    %define arg_curl -Dcurl=enabled
-%else
-    %define arg_curl -Dcurl=disabled
+    %define arg_esx -Ddriver_esx=disabled -Dcurl=disabled
 %endif
 
 %if %{with_hyperv}
@@ -1241,12 +1199,6 @@ exit 1
     %define arg_vmware -Ddriver_vmware=disabled
 %endif
 
-%if %{with_ch}
-    %define arg_ch -Ddriver_ch=enabled
-%else
-    %define arg_ch -Ddriver_ch=disabled
-%endif
-
 %if %{with_storage_rbd}
     %define arg_storage_rbd -Dstorage_rbd=enabled
 %else
@@ -1343,6 +1295,12 @@ exit 1
     %define arg_remote_mode -Dremote_default_mode=legacy
 %endif
 
+%if %{with_userfaultfd_sysctl}
+    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=enabled
+%else
+    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=disabled
+%endif
+
 %define when  %(date +"%%F-%%T")
 %define where %(hostname)
 %define who   %{?packager}%{!?packager:Unknown}
@@ -1358,8 +1316,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
 %meson \
            -Drunstatedir=%{_rundir} \
            -Dinitconfdir=%{_sysconfdir}/sysconfig \
-           -Dunitdir=%{_unitdir} \
-           -Dsysusersdir=%{_sysusersdir} \
            %{?arg_qemu} \
            %{?arg_openvz} \
            %{?arg_lxc} \
@@ -1371,12 +1327,11 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Ddriver_remote=enabled \
            -Ddriver_test=enabled \
            %{?arg_esx} \
-           %{?arg_curl} \
            %{?arg_hyperv} \
            %{?arg_vmware} \
-           %{?arg_ch} \
            -Ddriver_vz=disabled \
            -Ddriver_bhyve=disabled \
+           -Ddriver_ch=disabled \
            %{?arg_remote_mode} \
            -Ddriver_interface=enabled \
            -Ddriver_network=enabled \
@@ -1403,7 +1358,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Dapparmor_profiles=disabled \
            -Dsecdriver_apparmor=disabled \
            -Dudev=enabled \
-           -Djson_c=enabled \
+           -Dyajl=enabled \
            %{?arg_sanlock} \
            -Dlibpcap=enabled \
            %{?arg_nbdkit} \
@@ -1426,11 +1381,10 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Dqemu_datadir=%{qemu_datadir} \
            -Dtls_priority=%{tls_priority} \
            -Dsysctl_config=enabled \
-           -Dssh_proxy=enabled \
+           %{?arg_userfaultfd_sysctl} \
            %{?enable_werror} \
            -Dexpensive_tests=enabled \
            -Dinit_script=systemd \
-           -Dfirewall_backend_priority=%{firewall_backend_priority} \
            -Ddocs=enabled \
            -Dtests=enabled \
            -Drpath=disabled \
@@ -1455,7 +1409,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dblkid=disabled \
   -Dcapng=disabled \
   -Ddriver_bhyve=disabled \
-  -Ddriver_ch=disabled \
   -Ddriver_hyperv=disabled \
   -Ddriver_interface=disabled \
   -Ddriver_libvirtd=disabled \
@@ -1475,7 +1428,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dfuse=disabled \
   -Dglusterfs=disabled \
   -Dhost_validate=disabled \
-  -Djson_c=disabled \
   -Dlibiscsi=disabled \
   -Dnbdkit=disabled \
   -Dnbdkit_config_default=disabled \
@@ -1513,12 +1465,12 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dstorage_vstorage=disabled \
   -Dstorage_zfs=disabled \
   -Dsysctl_config=disabled \
-  -Dssh_proxy=disabled \
+  -Duserfaultfd_sysctl=disabled \
   -Dtests=disabled \
   -Dudev=disabled \
   -Dwireshark_dissector=disabled \
-  %{?enable_werror}
-%mingw_ninja
+  -Dyajl=disabled
+    %mingw_ninja
 %endif
 
 %install
@@ -1577,10 +1529,6 @@ rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.libxl
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_libxl.aug
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_libxl.aug
     %endif
-    %if ! %{with_ch}
-rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_ch.aug
-rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_ch.aug
-    %endif
 
 # Copied into libvirt-docs subpackage eventually
 mv $RPM_BUILD_ROOT%{_datadir}/doc/libvirt libvirt-docs
@@ -1628,8 +1576,7 @@ rm -rf $RPM_BUILD_ROOT%{mingw64_libexecdir}/libvirt-guests.sh
 %if %{with_native}
 # Building on slow archs, like emulated s390x in Fedora copr, requires
 # raising the test timeout
-export VIR_TEST_DEBUG=1
-%meson_test --no-suite syntax-check --timeout-multiplier 10
+VIR_TEST_DEBUG=1 %meson_test --no-suite syntax-check --timeout-multiplier 10
 %endif
 
 %define libvirt_rpmstatedir %{_localstatedir}/lib/rpm-state/libvirt
@@ -1791,12 +1738,10 @@ export VIR_TEST_DEBUG=1
 %pre daemon-common
 %libvirt_sysconfig_pre libvirt-guests
 %libvirt_systemd_oneshot_pre libvirt-guests
-    %if %{with_account_add}
 # 'libvirt' group is just to allow password-less polkit access to libvirt
 # daemons. The uid number is irrelevant, so we use dynamic allocation.
 getent group libvirt >/dev/null || groupadd -r libvirt
 exit 0
-    %endif
 
 %posttrans daemon-common
 %libvirt_sysconfig_posttrans libvirt-guests
@@ -1919,7 +1864,6 @@ exit 0
 %libvirt_sysconfig_pre virtqemud
 %libvirt_systemd_unix_pre virtqemud
 
-        %if %{with_account_add}
 # We want soft static allocation of well-known ids, as disk images
 # are commonly shared across NFS mounts by id rather than name.
 # See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/
@@ -1935,7 +1879,6 @@ if ! getent passwd 'qemu' >/dev/null; then
   fi
 fi
 exit 0
-        %endif
 
 %posttrans daemon-driver-qemu
 %libvirt_sysconfig_posttrans virtqemud
@@ -1984,19 +1927,6 @@ exit 0
 %libvirt_systemd_unix_preun virtxend
     %endif
 
-    %if %{with_ch}
-%pre daemon-driver-ch
-%libvirt_sysconfig_pre virtchd
-%libvirt_systemd_unix_pre virtchd
-
-%posttrans daemon-driver-ch
-%libvirt_sysconfig_posttrans virtchd
-%libvirt_systemd_unix_posttrans virtchd
-
-%preun daemon-driver-ch
-%libvirt_systemd_unix_preun virtchd
-    %endif
-
 %pre daemon-config-network
 %libvirt_systemd_config_pre libvirtd
 %libvirt_systemd_config_pre virtnetworkd
@@ -2062,10 +1992,8 @@ done
 
     %if %{with_lxc}
 %pre login-shell
-        %if %{with_account_add}
 getent group virtlogin >/dev/null || groupadd -r virtlogin
 exit 0
-        %endif
     %endif
 %endif
 
@@ -2086,9 +2014,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
 %config(noreplace) %{_prefix}/lib/sysctl.d/60-libvirtd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd
-%dir %{_datadir}/augeas/lenses
 %{_datadir}/augeas/lenses/libvirtd.aug
-%dir %{_datadir}/augeas/lenses/tests
 %{_datadir}/augeas/lenses/tests/test_libvirtd.aug
 %attr(0755, root, root) %{_sbindir}/libvirtd
 %{_mandir}/man8/libvirtd.8*
@@ -2099,7 +2025,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
 %dir %{_datadir}/libvirt/
 %ghost %dir %{_rundir}/libvirt/
-%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/common/
+%ghost %dir %{_rundir}/libvirt/common/
 %dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/filesystems/
@@ -2109,11 +2035,9 @@ exit 0
 %dir %attr(0755, root, root) %{_libdir}/libvirt/connection-driver/
 %dir %attr(0755, root, root) %{_libdir}/libvirt/storage-backend/
 %dir %attr(0755, root, root) %{_libdir}/libvirt/storage-file/
-%dir %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/
 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
 %{_datadir}/polkit-1/actions/org.libvirt.api.policy
 %{_datadir}/polkit-1/rules.d/50-libvirt.rules
-%{_sysusersdir}/libvirt.conf
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/
 %attr(0755, root, root) %{_libexecdir}/libvirt_iohelper
 %attr(0755, root, root) %{_bindir}/virt-ssh-helper
@@ -2141,6 +2065,7 @@ exit 0
 %{_mandir}/man8/virtlockd.8*
 
 %files daemon-plugin-lockd
+%dir %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/
 %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/lockd.so
 
 %files daemon-log
@@ -2186,7 +2111,7 @@ exit 0
 %{_unitdir}/virtinterfaced-ro.socket
 %{_unitdir}/virtinterfaced-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtinterfaced
-%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/interface/
+%ghost %dir %{_rundir}/libvirt/interface/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_interface.so
 %{_mandir}/man8/virtinterfaced.8*
 
@@ -2194,9 +2119,6 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf
 %{_datadir}/augeas/lenses/virtnetworkd.aug
 %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug
-%config(noreplace) %{_sysconfdir}/libvirt/network.conf
-%{_datadir}/augeas/lenses/libvirtd_network.aug
-%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug
 %{_unitdir}/virtnetworkd.service
 %{_unitdir}/virtnetworkd.socket
 %{_unitdir}/virtnetworkd-ro.socket
@@ -2228,7 +2150,7 @@ exit 0
 %{_unitdir}/virtnodedevd-ro.socket
 %{_unitdir}/virtnodedevd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtnodedevd
-%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nodedev/
+%ghost %dir %{_rundir}/libvirt/nodedev/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_nodedev.so
 %{_mandir}/man8/virtnodedevd.8*
 
@@ -2243,8 +2165,8 @@ exit 0
 %attr(0755, root, root) %{_sbindir}/virtnwfilterd
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/
 %ghost %dir %{_rundir}/libvirt/network/
-%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nwfilter-binding/
-%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nwfilter/
+%ghost %dir %{_rundir}/libvirt/nwfilter-binding/
+%ghost %dir %{_rundir}/libvirt/nwfilter/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_nwfilter.so
 %{_mandir}/man8/virtnwfilterd.8*
 
@@ -2258,7 +2180,7 @@ exit 0
 %{_unitdir}/virtsecretd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtsecretd
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/
-%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/secrets/
+%ghost %dir %{_rundir}/libvirt/secrets/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_secret.so
 %{_mandir}/man8/virtsecretd.8*
 
@@ -2279,6 +2201,7 @@ exit 0
 %ghost %dir %{_rundir}/libvirt/storage/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_storage.so
 %{_libdir}/libvirt/storage-backend/libvirt_storage_backend_fs.so
+%{_libdir}/libvirt/storage-file/libvirt_storage_file_fs.so
 %{_mandir}/man8/virtstoraged.8*
 
 %files daemon-driver-storage-disk
@@ -2320,6 +2243,9 @@ exit 0
     %if %{with_qemu}
 %files daemon-driver-qemu
 %config(noreplace) %{_sysconfdir}/libvirt/virtqemud.conf
+        %if %{with_userfaultfd_sysctl}
+%config(noreplace) %{_prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf
+        %endif
 %{_datadir}/augeas/lenses/virtqemud.aug
 %{_datadir}/augeas/lenses/tests/test_virtqemud.aug
 %{_unitdir}/virtqemud.service
@@ -2333,11 +2259,11 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
 %config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
-%ghost %dir %attr(0755, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/
-%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/dbus/
-%ghost %dir %attr(0755, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/passt/
-%ghost %dir %attr(0755, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/slirp/
-%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/swtpm/
+%ghost %dir %{_rundir}/libvirt/qemu/
+%ghost %dir %{_rundir}/libvirt/qemu/dbus/
+%ghost %dir %{_rundir}/libvirt/qemu/passt/
+%ghost %dir %{_rundir}/libvirt/qemu/slirp/
+%ghost %dir %{_rundir}/libvirt/qemu/swtpm/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/checkpoint/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/dump/
@@ -2451,6 +2377,7 @@ exit 0
         %if %{with_libxl}
 %config(noreplace) %{_sysconfdir}/libvirt/libxl-sanlock.conf
         %endif
+%dir %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/
 %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/sanlock.so
 %{_datadir}/augeas/lenses/libvirt_sanlock.aug
 %{_datadir}/augeas/lenses/tests/test_libvirt_sanlock.aug
@@ -2460,22 +2387,6 @@ exit 0
 %attr(0755, root, root) %{_libexecdir}/libvirt_sanlock_helper
     %endif
 
-    %if %{with_ch}
-%files daemon-driver-ch
-%attr(0755, root, root) %{_sbindir}/virtchd
-%config(noreplace) %{_sysconfdir}/libvirt/virtchd.conf
-%{_datadir}/augeas/lenses/virtchd.aug
-%{_datadir}/augeas/lenses/tests/test_virtchd.aug
-%{_unitdir}/virtchd-admin.socket
-%{_unitdir}/virtchd-ro.socket
-%{_unitdir}/virtchd.service
-%{_unitdir}/virtchd.socket
-%{_libdir}/libvirt/connection-driver/libvirt_driver_ch.so
-%config(noreplace) %{_sysconfdir}/libvirt/ch.conf
-%{_datadir}/augeas/lenses/libvirtd_ch.aug
-%{_datadir}/augeas/lenses/tests/test_libvirtd_ch.aug
-    %endif
-
 %files client
 %{_mandir}/man1/virsh.1*
 %{_mandir}/man1/virt-xml-validate.1*
@@ -2506,17 +2417,15 @@ exit 0
 %{_libdir}/libvirt-lxc.so.*
 %{_libdir}/libvirt-admin.so.*
 %dir %{_datadir}/libvirt/
-%{_datadir}/libvirt/test-screenshot.png
 %dir %{_datadir}/libvirt/schemas/
-%{_datadir}/libvirt/schemas/*.rng
-%dir %{_datadir}/systemtap/tapset/
 %{_datadir}/systemtap/tapset/libvirt_probes*.stp
 %{_datadir}/systemtap/tapset/libvirt_functions.stp
     %if %{with_qemu}
 %{_datadir}/systemtap/tapset/libvirt_qemu_probes*.stp
     %endif
-%dir %{_datadir}/libvirt/cpu_map
+%{_datadir}/libvirt/schemas/*.rng
 %{_datadir}/libvirt/cpu_map/*.xml
+%{_datadir}/libvirt/test-screenshot.png
 
     %if %{with_wireshark}
 %files wireshark
@@ -2527,16 +2436,11 @@ exit 0
 %{_libdir}/libnss_libvirt.so.2
 %{_libdir}/libnss_libvirt_guest.so.2
 
-%files ssh-proxy
-%config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
-%{_libexecdir}/libvirt-ssh-proxy
-
     %if %{with_lxc}
 %files login-shell
 %attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
 %{_libexecdir}/virt-login-shell-helper
 %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
-%{_sysusersdir}/libvirt-login-shell.conf
 %{_mandir}/man1/virt-login-shell.1*
     %endif
 
@@ -2585,7 +2489,7 @@ exit 0
 %{mingw32_bindir}/virt-admin.exe
 %{mingw32_bindir}/virt-xml-validate
 %{mingw32_bindir}/virt-pki-query-dn.exe
-%{mingw32_bindir}/virt-pki-validate.exe
+%{mingw32_bindir}/virt-pki-validate
 %{mingw32_bindir}/libvirt-lxc-0.dll
 %{mingw32_bindir}/libvirt-qemu-0.dll
 %{mingw32_bindir}/libvirt-admin-0.dll
@@ -2644,7 +2548,7 @@ exit 0
 %{mingw64_bindir}/virt-admin.exe
 %{mingw64_bindir}/virt-xml-validate
 %{mingw64_bindir}/virt-pki-query-dn.exe
-%{mingw64_bindir}/virt-pki-validate.exe
+%{mingw64_bindir}/virt-pki-validate
 %{mingw64_bindir}/libvirt-lxc-0.dll
 %{mingw64_bindir}/libvirt-qemu-0.dll
 %{mingw64_bindir}/libvirt-admin-0.dll
@@ -2695,142 +2599,17 @@ exit 0
 
 
 %changelog
-* Mon Jan 26 2026 Richard W.M. Jones <rjones@redhat.com> - 12.0.0-3
-- Backport fix for IPv6 connections to ESXi
+* Tue Aug 27 2024 Cole Robinson <crobinso@redhat.com> - 10.1.0-4
+- Fix 'virsh domifaddr --source=arp' on kernel 6.10 (bz #2302245)
 
-* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 12.0.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
+* Tue Jul  9 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.1.0-3
+- Fix virtiofs SELinux socket label
 
-* Thu Jan 15 2026 Daniel P. Berrangé <berrange@redhat.com> - 12.0.0-1
-- Update to 12.0.0
-
-* Mon Jan 12 2026 Daniel P. Berrangé <berrange@redhat.com> - 11.10.0-3
-- Disable -Werror on ELN
-
-* Thu Jan 08 2026 Richard W.M. Jones <rjones@redhat.com> - 11.10.0-2
-- Rebuild for xen 4.21.0
-
-* Mon Dec 01 2025 Cole Robinson <crobinso@redhat.com> - 11.10.0-1
-- Update to version 11.10.0
-
-* Mon Nov 17 2025 Richard W.M. Jones <rjones@redhat.com> - 11.9.0-3
-- Add upstream patches to fix parallel libguestfs
-
-* Tue Nov  4 2025 Tom Callaway <spot@fedoraproject.org> - 11.9.0-2
-- rebuild against new fuse3
-
-* Mon Nov  3 2025 Daniel P. Berrangé <berrange@redhat.com> - 11.9.0-1
-- Update to 11.9.0 release
-
-* Wed Oct 29 2025 Peter Robinson <pbrobinson@fedoraproject.org> - 11.8.0-3
-- Build against fuse3, supported since 8.2
-
-* Tue Oct 14 2025 Cole Robinson <crobinso@redhat.com> - 11.8.0-2
-- Fix build with latest wireshark
-
-* Wed Oct 01 2025 Cole Robinson <crobinso@redhat.com> - 11.8.0-1
-- Update to version 11.8.0
-
-* Thu Sep 04 2025 Adam Williamson <awilliam@redhat.com> - 11.7.0-3
-- Rebuild on a side tag
-
-* Thu Sep 04 2025 Adam Williamson <awilliam@redhat.com> - 11.7.0-2
-- Rebuild for libiscsi.so.11
-
-* Tue Sep 02 2025 Cole Robinson <crobinso@redhat.com> - 11.7.0-1
-- Update to version 11.7.0
-
-* Tue Aug 05 2025 Cole Robinson <crobinso@redhat.com> - 11.6.0-1
-- Update to version 11.6.0
-
-* Thu Jul 24 2025 Fedora Release Engineering <releng@fedoraproject.org> - 11.5.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 16 2025 Richard W.M. Jones <rjones@redhat.com> - 11.5.0-2
-- Rebuild for updated Xen
-
-* Wed Jul 09 2025 Cole Robinson <crobinso@redhat.com> - 11.5.0-1
-- Update to version 11.5.0
-
-* Fri Jun 20 2025 Cole Robinson <crobinso@redhat.com> - 11.4.0-2
-- Fix dumpxml failures after migration (bz 2369243)
-
-* Mon Jun 02 2025 Cole Robinson <crobinso@redhat.com> - 11.4.0-1
-- Update to version 11.4.0
-
-* Thu May 08 2025 Adam Williamson <awilliam@redhat.com> - 11.3.0-3
-- Properly obsolete libvirt-daemon-driver-storage-zfs
-
-* Thu May 08 2025 Cole Robinson <crobinso@redhat.com> - 11.3.0-2
-- zfs-fuse is gone from rawhide, drop libvirt-daemon-storage-zfs
-
-* Wed May 07 2025 Cole Robinson <crobinso@redhat.com> - 11.3.0-1
-- Update to version 11.3.0
-
-* Tue Apr 29 2025 Daniel P. Berrangé <berrange@redhat.com> - 11.2.0-2
-- Fix install of Ampere 1 ARM CPU model (rhbz #2361196)
-- Fix location of mount, umount (rhbz #2359196)
-- Fix location of numad (rhbz #2359736)
-- Fix tests on rebuild with latest GCC 15
-
-* Tue Apr 01 2025 Cole Robinson <crobinso@redhat.com> - 11.2.0-1
-- Update to version 11.2.0
-
-* Mon Mar 03 2025 Cole Robinson <crobinso@redhat.com> - 11.1.0-1
-- Update to version 11.1.0
-
-* Fri Jan 17 2025 Cole Robinson <crobinso@redhat.com> - 11.0.0-1
-- Update to version 11.0.0
-
-* Fri Jan 17 2025 Fedora Release Engineering <releng@fedoraproject.org> - 10.10.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Mon Dec 02 2024 Cole Robinson <crobinso@redhat.com> - 10.10.0-1
-- Update to version 10.10.0
-
-* Fri Nov  1 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.9.0-1
-- Update to version 10.9.0
-
-* Tue Oct 01 2024 Cole Robinson <crobinso@redhat.com> - 10.8.0-1
-- Update to version 10.8.0
-
-* Mon Sep 02 2024 Cole Robinson <crobinso@redhat.com> - 10.7.0-1
-- Update to version 10.7.0
-
-* Tue Aug 27 2024 Cole Robinson <crobinso@redhat.com> - 10.6.0-2
-- Fix `virsh domifaddr --source=arp` on kernel 6.10 (bz #2302245)
-- Add new systemtap-sdt-dtrace to build deps
-
-* Tue Aug 06 2024 Cole Robinson <crobinso@redhat.com> - 10.6.0-1
-- Update to version 10.6.0
-
-* Mon Aug 05 2024 Richard W.M. Jones <rjones@redhat.com> - 10.5.0-3
-- Rebuild for Xen 4.19.0
-
-* Thu Jul 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 10.5.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Thu Jul  4 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.5.0-1
-- Rebase to 10.5.0 release
-
-* Wed Jun  5 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.4.0-2
+* Fri Mar 01 2024 Cole Robinson <crobinso@redhat.com> - 10.1.0-2
+- Fix crash in event loop (CVE-2024-4418)
 - Fix leak of GSource handle
 - Fix leak of udev reference (rhbz #2266017)
 
-* Wed Jun  5 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.4.0-1
-- Update to version 10.4.0
-- Change virtual network backend from iptables to nftables
-- Introduce SSH VSOCK proxy
-
-* Thu May  2 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.3.0-1
-- Update to version 10.3.0
-
-* Sat Apr 06 2024 Cole Robinson <crobinso@redhat.com> - 10.2.0-2
-- Rebuild for new libiscsi
-
-* Fri Apr 05 2024 Cole Robinson <crobinso@redhat.com> - 10.2.0-1
-- Update to version 10.2.0
-
 * Fri Mar 01 2024 Cole Robinson <crobinso@redhat.com> - 10.1.0-1
 - Update to version 10.1.0
 

sources

@@ -1 +1 @@
-SHA512 (libvirt-12.0.0.tar.xz) = 5613e4e59865f688fe4cca2734c6de1cf68d0540c6e3013c9c21e583accd4f4fc21ec98e9c794036c5d6d0c8dd05ad1d22dab61f8c7d2934c8cb507b5bee76ad
+SHA512 (libvirt-10.1.0.tar.xz) = 08e73ae15de5681430b62db85ec9901242dca5e9a4ca9685614f4a67092c6e28f27f9187144b3ceb18ad6b40e6eb1a90b1a4b056b0888724d04a62002ee2bc48