Revert OL modifications

SOURCES/libvirt-conf-add-deprecated_features-attribute.patch

@@ -0,0 +1,135 @@
+From 7a412cc71a4764f7e80bf475c39d999a584f41aa Mon Sep 17 00:00:00 2001
+Message-ID: <7a412cc71a4764f7e80bf475c39d999a584f41aa.1749113304.git.jdenemar@redhat.com>
+From: Collin Walling <walling@linux.ibm.com>
+Date: Mon, 16 Dec 2024 18:03:58 -0500
+Subject: [PATCH] conf: add deprecated_features attribute
+
+Add a new a attribute, deprecated_features='on|off' to the <cpu>
+element.  This is used to toggle features flagged as deprecated on the
+CPU model on or off.  When this attribute is paired with 'on',
+deprecated features will not be filtered.  When paired with 'off', any
+CPU features that are flagged as deprecated will be listed under the
+CPU model with the 'disable' policy.
+
+Example:
+
+  <cpu mode='host-model' check='partial' deprecated_features='off'/>
+
+The absence of this attribute is equivalent to the 'on' option.
+
+The deprecated features that will populate the domain XML are the same
+features that result in the virsh domcapabilities command with the
+--disable-deprecated-features argument present.
+
+It is recommended to define a domain XML with this attribute set to
+'off' to ensure migration to machines that may outright drop these
+features in the future.
+
+Signed-off-by: Collin Walling <walling@linux.ibm.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 62658bbf060784c757f96c9de3935f27885834aa)
+
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Conflicts:
+    src/qemu/qemu_process.c
+    (contextual conflict)
+    tests/*
+    (dropped the changes to these files since they are of no use in
+     downstream - upstream testing code changed too much, so it's
+     not possible to get the related tests to work in downstream)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ docs/schemas/cputypes.rng |  5 +++++
+ src/conf/cpu_conf.c       | 11 +++++++++++
+ src/conf/cpu_conf.h       |  1 +
+ src/qemu/qemu_process.c   | 11 +++++++++++
+ 4 files changed, 28 insertions(+)
+
+diff --git a/docs/schemas/cputypes.rng b/docs/schemas/cputypes.rng
+index 056e66e1b4..2d831b423c 100644
+--- a/docs/schemas/cputypes.rng
++++ b/docs/schemas/cputypes.rng
+@@ -395,6 +395,11 @@
+       <optional>
+         <ref name="cpuCheck"/>
+       </optional>
++      <optional>
++        <attribute name="deprecated_features">
++          <ref name="virOnOff"/>
++        </attribute>
++      </optional>
+       <optional>
+         <attribute name="migratable">
+           <ref name="virOnOff"/>
+diff --git a/src/conf/cpu_conf.c b/src/conf/cpu_conf.c
+index fbceac1657..1db0c978e2 100644
+--- a/src/conf/cpu_conf.c
++++ b/src/conf/cpu_conf.c
+@@ -238,6 +238,7 @@ virCPUDefCopyWithoutModel(const virCPUDef *cpu)
+     copy->mode = cpu->mode;
+     copy->match = cpu->match;
+     copy->check = cpu->check;
++    copy->deprecated_feats = cpu->deprecated_feats;
+     copy->fallback = cpu->fallback;
+     copy->sockets = cpu->sockets;
+     copy->dies = cpu->dies;
+@@ -431,6 +432,11 @@ virCPUDefParseXML(xmlXPathContextPtr ctxt,
+         if (virXMLPropEnum(ctxt->node, "check", virCPUCheckTypeFromString,
+                            VIR_XML_PROP_NONE, &def->check) < 0)
+             return -1;
++
++        if (virXMLPropTristateSwitch(ctxt->node, "deprecated_features",
++                                     VIR_XML_PROP_NONE,
++                                     &def->deprecated_feats) < 0)
++            return -1;
+     }
+ 
+     if (def->type == VIR_CPU_TYPE_HOST) {
+@@ -707,6 +713,11 @@ virCPUDefFormatBufFull(virBuffer *buf,
+             virBufferAsprintf(&attributeBuf, " migratable='%s'",
+                               virTristateSwitchTypeToString(def->migratable));
+         }
++
++        if (def->deprecated_feats) {
++            virBufferAsprintf(&attributeBuf, " deprecated_features='%s'",
++                              virTristateSwitchTypeToString(def->deprecated_feats));
++        }
+     }
+ 
+     /* Format children */
+diff --git a/src/conf/cpu_conf.h b/src/conf/cpu_conf.h
+index b0a81895be..a69ff724ca 100644
+--- a/src/conf/cpu_conf.h
++++ b/src/conf/cpu_conf.h
+@@ -140,6 +140,7 @@ struct _virCPUDef {
+     virCPUCacheDef *cache;
+     virHostCPUTscInfo *tsc;
+     virTristateSwitch migratable; /* for host-passthrough mode */
++    virTristateSwitch deprecated_feats;
+ };
+ 
+ virCPUDef *virCPUDefNew(void);
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 73d54f01cd..54afcbe53e 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -6143,6 +6143,17 @@ qemuProcessUpdateGuestCPU(virDomainDef *def,
+             return -1;
+     }
+ 
++    if (def->cpu->deprecated_feats &&
++        !virQEMUCapsGet(qemuCaps, QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION_DEPRECATED_PROPS)) {
++        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
++                       _("toggling deprecated features for CPU model is unsupported"));
++        return -1;
++    }
++
++    if (def->cpu->deprecated_feats == VIR_TRISTATE_SWITCH_OFF) {
++        virQEMUCapsUpdateCPUDeprecatedFeatures(qemuCaps, def->virtType, def->cpu);
++    }
++
+     return 0;
+ }
+ 
+-- 
+2.49.0

SOURCES/libvirt-lib-Set-up-cpuset-controller-for-restrictive-numatune.patch

@@ -0,0 +1,77 @@
+From 08ddc711a2e6d94a0fce55fec8e012a434655d2c Mon Sep 17 00:00:00 2001
+Message-ID: <08ddc711a2e6d94a0fce55fec8e012a434655d2c.1690812875.git.jdenemar@redhat.com>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Fri, 1 Apr 2022 14:30:05 +0200
+Subject: [PATCH] lib: Set up cpuset controller for restrictive numatune
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The aim of 'restrictive' numatune mode is to rely solely on
+CGroups to have QEMU running on configured NUMA nodes.  However,
+we were never setting the cpuset controller when a domain was
+starting up. We are doing so only when
+virDomainSetNumaParameters() is called (aka live pinning).
+
+This is obviously wrong. Fortunately, fix is simple as
+'restrictive' is similar to 'strict' - every location where
+VIR_DOMAIN_NUMATUNE_MEM_STRICT occurs can be audited and
+VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE case can be added.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2070380
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 629282d8845407c1aff9a26f5dc026e15121f8cd)
+
+Conflicts:
+- src/ch/ch_process.c: The CH driver diverged because it's
+  unsupported downstream. Just drop the conflicting hunk from
+  there.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2223464
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/lxc/lxc_controller.c | 3 ++-
+ src/qemu/qemu_process.c  | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
+index 3c930eaacd..6fd8373256 100644
+--- a/src/lxc/lxc_controller.c
++++ b/src/lxc/lxc_controller.c
+@@ -812,7 +812,8 @@ static int virLXCControllerSetupResourceLimits(virLXCController *ctrl)
+     virDomainNumatuneMemMode mode;
+ 
+     if (virDomainNumatuneGetMode(ctrl->def->numa, -1, &mode) == 0) {
+-        if (mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT &&
++        if ((mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT ||
++             mode == VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE) &&
+             virCgroupControllerAvailable(VIR_CGROUP_CONTROLLER_CPUSET)) {
+             /* Use virNuma* API iff necessary. Once set and child is exec()-ed,
+              * there's no way for us to change it. Rely on cgroups (if available
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 0fb665bc82..73d54f01cd 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -2645,7 +2645,8 @@ qemuProcessSetupPid(virDomainObj *vm,
+         virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET)) {
+ 
+         if (virDomainNumatuneGetMode(vm->def->numa, -1, &mem_mode) == 0 &&
+-            mem_mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT &&
++            (mem_mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT ||
++             mem_mode == VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE) &&
+             virDomainNumatuneMaybeFormatNodeset(vm->def->numa,
+                                                 priv->autoNodeset,
+                                                 &mem_mask, -1) < 0)
+@@ -3162,7 +3163,8 @@ static int qemuProcessHook(void *data)
+         goto cleanup;
+ 
+     if (virDomainNumatuneGetMode(h->vm->def->numa, -1, &mode) == 0) {
+-        if (mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT &&
++        if ((mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT ||
++             mode == VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE) &&
+             h->cfg->cgroupControllers & (1 << VIR_CGROUP_CONTROLLER_CPUSET) &&
+             virCgroupControllerAvailable(VIR_CGROUP_CONTROLLER_CPUSET)) {
+             /* Use virNuma* API iff necessary. Once set and child is exec()-ed,
+-- 
+2.41.0

SOURCES/libvirt-libvirt-domain-introduce-VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES.patch

@@ -0,0 +1,58 @@
+From a47232facc446039ed509100f80ebb7de621fffa Mon Sep 17 00:00:00 2001
+Message-ID: <a47232facc446039ed509100f80ebb7de621fffa.1749113303.git.jdenemar@redhat.com>
+From: Collin Walling <walling@linux.ibm.com>
+Date: Mon, 16 Dec 2024 18:03:55 -0500
+Subject: [PATCH] libvirt-domain: introduce
+ VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES
+
+Introduce domain flag used to filter deprecated features from the
+domain's CPU model.
+
+Signed-off-by: Collin Walling <walling@linux.ibm.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 4e2c8de2047e21d98443944a2bfe94529b269efa)
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ include/libvirt/libvirt-domain.h | 12 ++++++++++++
+ src/libvirt-domain.c             |  2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h
+index 792973ce2d..d3101b112b 100644
+--- a/include/libvirt/libvirt-domain.h
++++ b/include/libvirt/libvirt-domain.h
+@@ -1160,6 +1160,18 @@ int virDomainMigrateGetMaxSpeed(virDomainPtr domain,
+ int virDomainMigrateStartPostCopy(virDomainPtr domain,
+                                   unsigned int flags);
+ 
++/**
++ * virConnectGetDomainCapabilitiesFlags:
++ *
++ * Domain capabilities flags.
++ *
++ * Since: 11.0.0
++ */
++typedef enum {
++    /* Report host model with deprecated features disabled. (Since: 11.0.0) */
++    VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES = (1 << 0),
++} virConnectGetDomainCapabilitiesFlags;
++
+ char * virConnectGetDomainCapabilities(virConnectPtr conn,
+                                        const char *emulatorbin,
+                                        const char *arch,
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 5912551a49..7083f10f04 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11573,7 +11573,7 @@ virDomainSetUserPassword(virDomainPtr dom,
+  * @arch: domain architecture
+  * @machine: machine type
+  * @virttype: virtualization type
+- * @flags: extra flags; not used yet, so callers should always pass 0
++ * @flags: extra flags; bitwise-OR of virConnectGetDomainCapabilitiesFlags
+  *
+  * Prior creating a domain (for instance via virDomainCreateXML
+  * or virDomainDefineXML) it may be suitable to know what the
+-- 
+2.49.0

SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch

@@ -0,0 +1,52 @@
+From 989a569c9c9da0fbf89aab7f292669366b2503f1 Mon Sep 17 00:00:00 2001
+Message-Id: <989a569c9c9da0fbf89aab7f292669366b2503f1@dist-git>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Wed, 30 Nov 2022 14:53:21 +0100
+Subject: [PATCH] node_device_conf: Avoid memleak in
+ virNodeDeviceGetPCIVPDDynamicCap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virNodeDeviceGetPCIVPDDynamicCap() function is called from
+virNodeDeviceGetPCIDynamicCaps() and therefore has to be a wee
+bit more clever about adding VPD capability. Namely, it has to
+remove the old one before adding a new one. This is how other
+functions called from virNodeDeviceGetPCIDynamicCaps() behave
+as well.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2143235
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit 64d32118540aca3d42bc5ee21c8b780cafe04bfa)
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/conf/node_device_conf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
+index 16b9497faf..eee94a3900 100644
+--- a/src/conf/node_device_conf.c
++++ b/src/conf/node_device_conf.c
+@@ -3100,6 +3100,9 @@ virNodeDeviceGetPCIVPDDynamicCap(virNodeDevCapPCIDev *devCapPCIDev)
+     virPCIDeviceAddress devAddr;
+     g_autoptr(virPCIVPDResource) res = NULL;
+ 
++    g_clear_pointer(&devCapPCIDev->vpd, virPCIVPDResourceFree);
++    devCapPCIDev->flags &= ~VIR_NODE_DEV_CAP_FLAG_PCI_VPD;
++
+     devAddr.domain = devCapPCIDev->domain;
+     devAddr.bus = devCapPCIDev->bus;
+     devAddr.slot = devCapPCIDev->slot;
+@@ -3113,8 +3116,6 @@ virNodeDeviceGetPCIVPDDynamicCap(virNodeDevCapPCIDev *devCapPCIDev)
+         if ((res = virPCIDeviceGetVPD(pciDev))) {
+             devCapPCIDev->flags |= VIR_NODE_DEV_CAP_FLAG_PCI_VPD;
+             devCapPCIDev->vpd = g_steal_pointer(&res);
+-        } else {
+-            virPCIVPDResourceFree(g_steal_pointer(&devCapPCIDev->vpd));
+         }
+     }
+     return 0;
+-- 
+2.40.1

SOURCES/libvirt-nodedev-update-transient-mdevs.patch

@@ -0,0 +1,79 @@
+From aebcc09c7060f6eace93821c6a782031cf107d85 Mon Sep 17 00:00:00 2001
+Message-ID: <aebcc09c7060f6eace93821c6a782031cf107d85.1687452713.git.jdenemar@redhat.com>
+From: Boris Fiuczynski <fiuczy@linux.ibm.com>
+Date: Mon, 8 May 2023 19:10:46 +0200
+Subject: [PATCH] nodedev: update transient mdevs
+
+Instead of updating defined mdevs only add another update for active
+devices as well to cover transient mdev devices as well.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2143158
+Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
+Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2143160
+
+(cherry picked from commit 44a0f2f0c8ff5e78c238013ed297b8fce223ac5a)
+Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
+---
+ src/node_device/node_device_driver.c | 31 ++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
+index e6ab4bb94c..943f6121a0 100644
+--- a/src/node_device/node_device_driver.c
++++ b/src/node_device/node_device_driver.c
+@@ -1651,6 +1651,24 @@ virMdevctlListDefined(virNodeDeviceDef ***devs, char **errmsg)
+ }
+ 
+ 
++static int
++virMdevctlListActive(virNodeDeviceDef ***devs, char **errmsg)
++{
++    int status;
++    g_autofree char *output = NULL;
++    g_autoptr(virCommand) cmd = nodeDeviceGetMdevctlListCommand(false, &output, errmsg);
++
++    if (virCommandRun(cmd, &status) < 0 || status != 0) {
++        return -1;
++    }
++
++    if (!output)
++        return -1;
++
++    return nodeDeviceParseMdevctlJSON(output, devs);
++}
++
++
+ typedef struct _virMdevctlForEachData virMdevctlForEachData;
+ struct _virMdevctlForEachData {
+     int ndefs;
+@@ -1712,6 +1730,8 @@ int
+ nodeDeviceUpdateMediatedDevices(void)
+ {
+     g_autofree virNodeDeviceDef **defs = NULL;
++    g_autofree virNodeDeviceDef **act_defs = NULL;
++    int act_ndefs = 0;
+     g_autofree char *errmsg = NULL;
+     g_autofree char *mdevctl = NULL;
+     virMdevctlForEachData data = { 0, };
+@@ -1738,6 +1758,17 @@ nodeDeviceUpdateMediatedDevices(void)
+         if (nodeDeviceUpdateMediatedDevice(defs[i]) < 0)
+             return -1;
+ 
++    /* Update active/transient mdev devices */
++    if ((act_ndefs = virMdevctlListActive(&act_defs, &errmsg)) < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR,
++                       _("failed to query mdevs from mdevctl: %1$s"), errmsg);
++        return -1;
++    }
++
++    for (i = 0; i < act_ndefs; i++)
++        if (nodeDeviceUpdateMediatedDevice(act_defs[i]) < 0)
++            return -1;
++
+     return 0;
+ }
+ 
+-- 
+2.41.0

SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch

@@ -0,0 +1,105 @@
+From 85b7d8295d72214b08f0fff93c473baaa88a569b Mon Sep 17 00:00:00 2001
+Message-Id: <85b7d8295d72214b08f0fff93c473baaa88a569b@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 14 Feb 2022 15:57:21 +0100
+Subject: [PATCH] qemu: Make 'struct _qemuMonitorMessage' private
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Move the declaration of the struct into 'qemu_monitor_priv.h' as other
+code has no business in peeking into the monitor messages.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit f9ae469a6ebb17e0990096e826f049c1c46cd760)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+---
+ src/qemu/qemu_monitor.h      | 14 --------------
+ src/qemu/qemu_monitor_json.c |  3 +++
+ src/qemu/qemu_monitor_priv.h | 16 ++++++++++++++++
+ tests/qemucapsprobemock.c    |  3 +++
+ 4 files changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
+index a4a4edf5a6..d00967d84f 100644
+--- a/src/qemu/qemu_monitor.h
++++ b/src/qemu/qemu_monitor.h
+@@ -34,21 +34,7 @@
+ #include "virenum.h"
+ 
+ typedef struct _qemuMonitor qemuMonitor;
+-
+ typedef struct _qemuMonitorMessage qemuMonitorMessage;
+-struct _qemuMonitorMessage {
+-    int txFD;
+-
+-    const char *txBuffer;
+-    int txOffset;
+-    int txLength;
+-
+-    /* Used by the JSON monitor to hold reply / error */
+-    void *rxObject;
+-
+-    /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
+-    bool finished;
+-};
+ 
+ typedef enum {
+     QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_NONE = 0,
+diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
+index 34a46b9b41..7d8755246f 100644
+--- a/src/qemu/qemu_monitor_json.c
++++ b/src/qemu/qemu_monitor_json.c
+@@ -44,6 +44,9 @@
+ # include "libvirt_qemu_probes.h"
+ #endif
+ 
++#define LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW
++#include "qemu_monitor_priv.h"
++
+ #define VIR_FROM_THIS VIR_FROM_QEMU
+ 
+ VIR_LOG_INIT("qemu.qemu_monitor_json");
+diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
+index 31bb3526b9..6115f830de 100644
+--- a/src/qemu/qemu_monitor_priv.h
++++ b/src/qemu/qemu_monitor_priv.h
+@@ -24,5 +24,21 @@
+ 
+ #include "qemu_monitor.h"
+ 
++
++struct _qemuMonitorMessage {
++    int txFD;
++
++    const char *txBuffer;
++    int txOffset;
++    int txLength;
++
++    /* Used by the JSON monitor to hold reply / error */
++    void *rxObject;
++
++    /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
++    bool finished;
++};
++
++
+ void
+ qemuMonitorResetCommandID(qemuMonitor *mon);
+diff --git a/tests/qemucapsprobemock.c b/tests/qemucapsprobemock.c
+index 915036d178..2717ed5d84 100644
+--- a/tests/qemucapsprobemock.c
++++ b/tests/qemucapsprobemock.c
+@@ -25,6 +25,9 @@
+ #include "qemu/qemu_monitor.h"
+ #include "qemu/qemu_monitor_json.h"
+ 
++#define LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW
++#include "qemu/qemu_monitor_priv.h"
++
+ #define REAL_SYM(realFunc) \
+     do { \
+         if (!realFunc && !(realFunc = dlsym(RTLD_NEXT, __FUNCTION__))) { \
+-- 
+2.40.1

SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch

@@ -0,0 +1,44 @@
+From a4d8210ae9fd84740e01b96d28bfb6183f3f3270 Mon Sep 17 00:00:00 2001
+Message-Id: <a4d8210ae9fd84740e01b96d28bfb6183f3f3270@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 14 Feb 2022 16:02:29 +0100
+Subject: [PATCH] qemu: monitor: Drop old monitor fields from 'struct
+ _qemuMonitorMessage'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The fields are no longer used since we've deleted support for HMP-only
+qemus. The HMP command pass-through works via a QMP command.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit c5eb99a9d9af8683789e99cc904671e343580058)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+---
+ src/qemu/qemu_monitor.h | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
+index d2037914be..a4a4edf5a6 100644
+--- a/src/qemu/qemu_monitor.h
++++ b/src/qemu/qemu_monitor.h
+@@ -43,15 +43,10 @@ struct _qemuMonitorMessage {
+     int txOffset;
+     int txLength;
+ 
+-    /* Used by the text monitor reply / error */
+-    char *rxBuffer;
+-    int rxLength;
+     /* Used by the JSON monitor to hold reply / error */
+     void *rxObject;
+ 
+-    /* True if rxBuffer / rxObject are ready, or a
+-     * fatal error occurred on the monitor channel
+-     */
++    /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
+     bool finished;
+ };
+ 
+-- 
+2.40.1

SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch

@@ -0,0 +1,157 @@
+From c2ed5aeee7bf365877e0764699f032fb749630b0 Mon Sep 17 00:00:00 2001
+Message-Id: <c2ed5aeee7bf365877e0764699f032fb749630b0@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 14 Feb 2022 16:07:41 +0100
+Subject: [PATCH] qemu: monitor: Move declaration of struct _qemuMonitor to
+ qemu_monitor_priv.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In order to mock the SCM_RIGHTS sendmsg to simulate sending
+filedescriptors to fake qemu in tests we need access to some fields of
+'struct _qemuMonitor'. Move its declaration to the private header file.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 7c35c483eaa78eb847e0865cbb210d5355f75d7a)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+---
+ src/qemu/qemu_monitor.c      | 50 ---------------------------------
+ src/qemu/qemu_monitor_priv.h | 54 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 50 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 23638d3fe8..bba92592c5 100644
+--- a/src/qemu/qemu_monitor.c
++++ b/src/qemu/qemu_monitor.c
+@@ -65,56 +65,6 @@ VIR_LOG_INIT("qemu.qemu_monitor");
+  */
+ #define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
+ 
+-struct _qemuMonitor {
+-    virObjectLockable parent;
+-
+-    virCond notify;
+-
+-    int fd;
+-
+-    GMainContext *context;
+-    GSocket *socket;
+-    GSource *watch;
+-
+-    virDomainObj *vm;
+-    char *domainName;
+-
+-    qemuMonitorCallbacks *cb;
+-    void *callbackOpaque;
+-
+-    /* If there's a command being processed this will be
+-     * non-NULL */
+-    qemuMonitorMessage *msg;
+-
+-    /* Buffer incoming data ready for Text/QMP monitor
+-     * code to process & find message boundaries */
+-    size_t bufferOffset;
+-    size_t bufferLength;
+-    char *buffer;
+-
+-    /* If anything went wrong, this will be fed back
+-     * the next monitor msg */
+-    virError lastError;
+-
+-    /* Set to true when EOF is detected on the monitor */
+-    bool goteof;
+-
+-    int nextSerial;
+-
+-    bool waitGreeting;
+-
+-    /* If found, path to the virtio memballoon driver */
+-    char *balloonpath;
+-    bool ballooninit;
+-
+-    /* Log file context of the qemu process to dig for usable info */
+-    qemuMonitorReportDomainLogError logFunc;
+-    void *logOpaque;
+-    virFreeCallback logDestroy;
+-
+-    /* true if qemu no longer wants 'props' sub-object of object-add */
+-    bool objectAddNoWrap;
+-};
+ 
+ /**
+  * QEMU_CHECK_MONITOR_FULL:
+diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
+index 6115f830de..606aa79fbd 100644
+--- a/src/qemu/qemu_monitor_priv.h
++++ b/src/qemu/qemu_monitor_priv.h
+@@ -24,6 +24,8 @@
+ 
+ #include "qemu_monitor.h"
+ 
++#include <gio/gio.h>
++
+ 
+ struct _qemuMonitorMessage {
+     int txFD;
+@@ -40,5 +42,57 @@ struct _qemuMonitorMessage {
+ };
+ 
+ 
++struct _qemuMonitor {
++    virObjectLockable parent;
++
++    virCond notify;
++
++    int fd;
++
++    GMainContext *context;
++    GSocket *socket;
++    GSource *watch;
++
++    virDomainObj *vm;
++    char *domainName;
++
++    qemuMonitorCallbacks *cb;
++    void *callbackOpaque;
++
++    /* If there's a command being processed this will be
++     * non-NULL */
++    qemuMonitorMessage *msg;
++
++    /* Buffer incoming data ready for Text/QMP monitor
++     * code to process & find message boundaries */
++    size_t bufferOffset;
++    size_t bufferLength;
++    char *buffer;
++
++    /* If anything went wrong, this will be fed back
++     * the next monitor msg */
++    virError lastError;
++
++    /* Set to true when EOF is detected on the monitor */
++    bool goteof;
++
++    int nextSerial;
++
++    bool waitGreeting;
++
++    /* If found, path to the virtio memballoon driver */
++    char *balloonpath;
++    bool ballooninit;
++
++    /* Log file context of the qemu process to dig for usable info */
++    qemuMonitorReportDomainLogError logFunc;
++    void *logOpaque;
++    virFreeCallback logDestroy;
++
++    /* true if qemu no longer wants 'props' sub-object of object-add */
++    bool objectAddNoWrap;
++};
++
++
+ void
+ qemuMonitorResetCommandID(qemuMonitor *mon);
+-- 
+2.40.1

SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch

@@ -0,0 +1,57 @@
+From b3ffc8876adf777c7baefb6e467d7552c0a03251 Mon Sep 17 00:00:00 2001
+Message-Id: <b3ffc8876adf777c7baefb6e467d7552c0a03251@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 9 Nov 2022 10:53:49 +0100
+Subject: [PATCH] qemu: monitor: Store whether 'query-named-block-nodes'
+ supports 'flat' parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rather than having callers always pass this flag store it in the
+qemuMonitor object. Following patches will convert the code to use this
+internal flag.
+
+In the future this will also simplify removal when all supported qemu
+versions will support the new mode.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit b0e4ad5263c73a926b8246028c76c552b07fca74)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+---
+ src/qemu/qemu_monitor.c      | 4 +++-
+ src/qemu/qemu_monitor_priv.h | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index bba92592c5..99667fdf2f 100644
+--- a/src/qemu/qemu_monitor.c
++++ b/src/qemu/qemu_monitor.c
+@@ -610,8 +610,10 @@ qemuMonitorOpenInternal(virDomainObj *vm,
+     mon->cb = cb;
+     mon->callbackOpaque = opaque;
+ 
+-    if (priv)
++    if (priv) {
+         mon->objectAddNoWrap = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_JSON);
++        mon->queryNamedBlockNodesFlat = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QMP_QUERY_NAMED_BLOCK_NODES_FLAT);
++    }
+ 
+     if (virSetCloseExec(mon->fd) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
+index 606aa79fbd..e32928805f 100644
+--- a/src/qemu/qemu_monitor_priv.h
++++ b/src/qemu/qemu_monitor_priv.h
+@@ -91,6 +91,8 @@ struct _qemuMonitor {
+ 
+     /* true if qemu no longer wants 'props' sub-object of object-add */
+     bool objectAddNoWrap;
++    /* query-named-block-nodes supports the 'flat' option */
++    bool queryNamedBlockNodesFlat;
+ };
+ 
+ 
+-- 
+2.40.1

SOURCES/libvirt-qemu-parse-deprecated-props-from-query-cpu-model-expansion-response.patch

@@ -0,0 +1,214 @@
+From 5289208127468cd34b5cb6ea7bb45bbeff45d537 Mon Sep 17 00:00:00 2001
+Message-ID: <5289208127468cd34b5cb6ea7bb45bbeff45d537.1749113303.git.jdenemar@redhat.com>
+From: Collin Walling <walling@linux.ibm.com>
+Date: Mon, 16 Dec 2024 18:03:53 -0500
+Subject: [PATCH] qemu: parse deprecated-props from query-cpu-model-expansion
+ response
+
+query-cpu-model-expansion may report an array of deprecated properties.
+This array is optional, and may not be supported for a particular
+architecture or reported for a particular CPU model. If the output is
+present, then capture it and store in a qemuMonitorCPUModelInfo struct
+for later use.
+
+The deprecated features will be retained in qemuCaps->kvm->hostCPU.info
+and will be stored in the capabilities cache file under the <hostCPU>
+element using the following format:
+
+        <deprecatedFeatures>
+                <property name='bpb'/>
+                <property name='csske'/>
+                <property name='cte'/>
+                <property name='te'/>
+        </deprecatedFeatures>
+
+At this time the data is only queried, parsed, and cached.  The data
+will be utilized in a subsequent patch.
+
+Signed-off-by: Collin Walling <walling@linux.ibm.com>
+Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 45140d293007c1b29f7563bf6ee9640e27769b96)
+
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Conflicts:
+    tests/qemucapabilitiesdata/caps_9.1.0.s390x.xml
+    tests/qemucapabilitiesdata/caps_9.2.0.s390x.xml
+    (dropped the changes to these files since they are of no use in
+     downstream - upstream testing code changed too much, so it's
+     not possible to get the related tests to work in downstream)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ src/qemu/qemu_capabilities.c | 31 +++++++++++++++++++++++++++++++
+ src/qemu/qemu_monitor.c      |  3 +++
+ src/qemu/qemu_monitor.h      |  1 +
+ src/qemu/qemu_monitor_json.c | 18 ++++++++++++++++++
+ 4 files changed, 53 insertions(+)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index c4f7db55c8..d616273406 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -3766,6 +3766,7 @@ virQEMUCapsLoadHostCPUModelInfo(virQEMUCapsAccel *caps,
+ {
+     g_autofree char *migratability = NULL;
+     xmlNodePtr hostCPUNode;
++    xmlNodePtr deprecated_props;
+     g_autofree xmlNodePtr *nodes = NULL;
+     VIR_XPATH_NODE_AUTORESTORE(ctxt)
+     g_autoptr(qemuMonitorCPUModelInfo) hostCPU = NULL;
+@@ -3870,6 +3871,24 @@ virQEMUCapsLoadHostCPUModelInfo(virQEMUCapsAccel *caps,
+         }
+     }
+ 
++    ctxt->node = hostCPUNode;
++
++    if ((deprecated_props = virXPathNode("./deprecatedFeatures", ctxt))) {
++        g_autoptr(GPtrArray) props = virXMLNodeGetSubelementList(deprecated_props, NULL);
++
++        hostCPU->deprecated_props = g_new0(char *, props->len + 1);
++
++        for (i = 0; i < props->len; i++) {
++            xmlNodePtr prop = g_ptr_array_index(props, i);
++
++            if (!(hostCPU->deprecated_props[i] = virXMLPropString(prop, "name"))) {
++                virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
++                               _("missing 'name' attribute for a host CPU model deprecated property in QEMU capabilities cache"));
++                return -1;
++            }
++        }
++    }
++
+     caps->hostCPU.info = g_steal_pointer(&hostCPU);
+     return 0;
+ }
+@@ -4500,6 +4519,18 @@ virQEMUCapsFormatHostCPUModelInfo(virQEMUCapsAccel *caps,
+         virBufferAddLit(buf, "/>\n");
+     }
+ 
++    if (model->deprecated_props) {
++        virBufferAddLit(buf, "<deprecatedFeatures>\n");
++        virBufferAdjustIndent(buf, 2);
++
++        for (i = 0; i < g_strv_length(model->deprecated_props); i++)
++            virBufferAsprintf(buf, "<property name='%s'/>\n",
++                              model->deprecated_props[i]);
++
++        virBufferAdjustIndent(buf, -2);
++        virBufferAddLit(buf, "</deprecatedFeatures>\n");
++    }
++
+     virBufferAdjustIndent(buf, -2);
+     virBufferAddLit(buf, "</hostCPU>\n");
+ }
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 99667fdf2f..8f72fc5bd9 100644
+--- a/src/qemu/qemu_monitor.c
++++ b/src/qemu/qemu_monitor.c
+@@ -3487,6 +3487,7 @@ qemuMonitorCPUModelInfoFree(qemuMonitorCPUModelInfo *model_info)
+             g_free(model_info->props[i].value.string);
+     }
+ 
++    g_strfreev(model_info->deprecated_props);
+     g_free(model_info->props);
+     g_free(model_info->name);
+     g_free(model_info);
+@@ -3531,6 +3532,8 @@ qemuMonitorCPUModelInfoCopy(const qemuMonitorCPUModelInfo *orig)
+         }
+     }
+ 
++    copy->deprecated_props = g_strdupv(orig->deprecated_props);
++
+     return copy;
+ }
+ 
+diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
+index d00967d84f..5b9ea336ec 100644
+--- a/src/qemu/qemu_monitor.h
++++ b/src/qemu/qemu_monitor.h
+@@ -1238,6 +1238,7 @@ struct _qemuMonitorCPUModelInfo {
+     char *name;
+     size_t nprops;
+     qemuMonitorCPUProperty *props;
++    GStrv deprecated_props;
+     bool migratability;
+ };
+ 
+diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
+index 487f8028d9..9a3ca3d186 100644
+--- a/src/qemu/qemu_monitor_json.c
++++ b/src/qemu/qemu_monitor_json.c
+@@ -5500,6 +5500,7 @@ qemuMonitorJSONParseCPUModelExpansionData(virJSONValue *data,
+                                           bool fail_no_props,
+                                           virJSONValue **cpu_model,
+                                           virJSONValue **cpu_props,
++                                          virJSONValue **cpu_deprecated_props,
+                                           const char **cpu_name)
+ {
+     if (qemuMonitorJSONParseCPUModelData(data, "query-cpu-model-expansion",
+@@ -5507,6 +5508,12 @@ qemuMonitorJSONParseCPUModelExpansionData(virJSONValue *data,
+                                          cpu_name) < 0)
+         return -1;
+ 
++    /*
++     * Unconditionally check for the deprecated-props array, as
++     * it is not a guarantee response even if QEMU supports it.
++     */
++    *cpu_deprecated_props = virJSONValueObjectGetArray(data, "deprecated-props");
++
+     return 0;
+ }
+ 
+@@ -5514,6 +5521,7 @@ qemuMonitorJSONParseCPUModelExpansionData(virJSONValue *data,
+ static int
+ qemuMonitorJSONParseCPUModelExpansion(const char *cpu_name,
+                                       virJSONValue *cpu_props,
++                                      virJSONValue *cpu_deprecated_props,
+                                       qemuMonitorCPUModelInfo **model_info)
+ {
+     g_autoptr(qemuMonitorCPUModelInfo) expanded_model = NULL;
+@@ -5521,6 +5529,12 @@ qemuMonitorJSONParseCPUModelExpansion(const char *cpu_name,
+     if (qemuMonitorJSONParseCPUModel(cpu_name, cpu_props, &expanded_model) < 0)
+         return -1;
+ 
++    if (cpu_deprecated_props &&
++        virJSONValueArraySize(cpu_deprecated_props) &&
++        (!(expanded_model->deprecated_props = virJSONValueArrayToStringList(cpu_deprecated_props)))) {
++        return -1;
++    }
++
+     *model_info = g_steal_pointer(&expanded_model);
+     return 0;
+ }
+@@ -5584,6 +5598,7 @@ qemuMonitorJSONGetCPUModelExpansion(qemuMonitor *mon,
+     g_autoptr(virJSONValue) fullData = NULL;
+     virJSONValue *cpu_model;
+     virJSONValue *cpu_props = NULL;
++    virJSONValue *cpu_deprecated_props = NULL;
+     const char *cpu_name = "";
+     int rc;
+ 
+@@ -5597,6 +5612,7 @@ qemuMonitorJSONGetCPUModelExpansion(qemuMonitor *mon,
+ 
+     if (qemuMonitorJSONParseCPUModelExpansionData(data, fail_no_props,
+                                                   &cpu_model, &cpu_props,
++                                                  &cpu_deprecated_props,
+                                                   &cpu_name) < 0)
+         return -1;
+ 
+@@ -5615,11 +5631,13 @@ qemuMonitorJSONGetCPUModelExpansion(qemuMonitor *mon,
+ 
+         if (qemuMonitorJSONParseCPUModelExpansionData(fullData, fail_no_props,
+                                                       &cpu_model, &cpu_props,
++                                                      &cpu_deprecated_props,
+                                                       &cpu_name) < 0)
+             return -1;
+     }
+ 
+     return qemuMonitorJSONParseCPUModelExpansion(cpu_name, cpu_props,
++                                                 cpu_deprecated_props,
+                                                  model_info);
+ }
+ 
+-- 
+2.49.0

SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch

@@ -0,0 +1,53 @@
+From 31986239312c0e460800f5b9921f6593f1556015 Mon Sep 17 00:00:00 2001
+Message-Id: <31986239312c0e460800f5b9921f6593f1556015@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 9 Nov 2022 10:45:27 +0100
+Subject: [PATCH] qemu: qemuBlockGetNamedNodeData: Remove pointless error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We don't need automatic freeing for 'blockNamedNodeData' and we can
+directly return it rather than checking it for NULL-ness first.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 3fe74ebd9037d695df906ed137d22a8d8d77e169)
+
+ Conflicts:
+	src/qemu/qemu_block.c
+
+    - qemuDomainObjEnter/ExitMonitor still needs 'driver'
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+---
+ src/qemu/qemu_block.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
+index aa566d0097..c9229d1918 100644
+--- a/src/qemu/qemu_block.c
++++ b/src/qemu/qemu_block.c
+@@ -3020,7 +3020,7 @@ qemuBlockGetNamedNodeData(virDomainObj *vm,
+ {
+     qemuDomainObjPrivate *priv = vm->privateData;
+     virQEMUDriver *driver = priv->driver;
+-    g_autoptr(GHashTable) blockNamedNodeData = NULL;
++    GHashTable *blockNamedNodeData = NULL;
+     bool supports_flat = virQEMUCapsGet(priv->qemuCaps,
+                                         QEMU_CAPS_QMP_QUERY_NAMED_BLOCK_NODES_FLAT);
+ 
+@@ -3031,10 +3031,7 @@ qemuBlockGetNamedNodeData(virDomainObj *vm,
+ 
+     qemuDomainObjExitMonitor(driver, vm);
+ 
+-    if (!blockNamedNodeData)
+-        return NULL;
+-
+-    return g_steal_pointer(&blockNamedNodeData);
++    return blockNamedNodeData;
+ }
+ 
+ 
+-- 
+2.40.1

SOURCES/libvirt-qemu-relax-shared-memory-check-for-vhostuser-daemons.patch

@@ -0,0 +1,65 @@
+From e9418cec1ba24b6cf78f85bbbef8586ed612692a Mon Sep 17 00:00:00 2001
+Message-Id: <e9418cec1ba24b6cf78f85bbbef8586ed612692a@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Mon, 13 Mar 2023 13:56:47 +0100
+Subject: [PATCH] qemu: relax shared memory check for vhostuser daemons
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For some vhostuser daemons, we validate that the guest memory is shared
+with the host.
+
+With earlier versions of QEMU, it was only possible to mark memory
+as shared by defining an explicit NUMA topology.  Later, QEMU exposed
+the name of the default memory backend (defaultRAMid) so we can mark
+that memory as shared.
+
+Since libvirt commit:
+  commit bff2ad5d6b1f25da02802273934d2a519159fec7
+    qemu: Relax validation for mem->access if guest has no NUMA
+we already check for the case when user requests shared memory,
+but QEMU did not expose defaultRAMid.
+
+Drop the duplicit check from vhostuser device validation, to make
+it pass on hotplug even after libvirtd restart.
+
+This avoids the need to store the defaultRAMid, since we don't really
+need it for anything after the VM has been already started.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2078693
+https://bugzilla.redhat.com/show_bug.cgi?id=2177701
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit d5c7b7870e45575f81fffcb611c2546d0e02e778)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/qemu/qemu_validate.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
+index 7bc14293d6..4069f47c12 100644
+--- a/src/qemu/qemu_validate.c
++++ b/src/qemu/qemu_validate.c
+@@ -1588,16 +1588,12 @@ qemuValidateDomainVirtioOptions(const virDomainVirtioOptions *virtio,
+ static int
+ qemuValidateDomainDefVhostUserRequireSharedMemory(const virDomainDef *def,
+                                                   const char *name,
+-                                                  virQEMUCaps *qemuCaps)
++                                                  virQEMUCaps *qemuCaps G_GNUC_UNUSED)
+ {
+-    const char *defaultRAMId = virQEMUCapsGetMachineDefaultRAMid(qemuCaps,
+-                                                                 def->virtType,
+-                                                                 def->os.machine);
+     size_t numa_nodes = virDomainNumaGetNodeCount(def->numa);
+     size_t i;
+ 
+-    if (numa_nodes == 0 &&
+-        !(defaultRAMId && def->mem.access == VIR_DOMAIN_MEMORY_ACCESS_SHARED)) {
++    if (numa_nodes == 0 && def->mem.access != VIR_DOMAIN_MEMORY_ACCESS_SHARED) {
+         virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                        _("'%s' requires shared memory"), name);
+         return -1;
+-- 
+2.40.1

SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch

@@ -0,0 +1,41 @@
+From f20062e1fe1e7bca8b97d2383f9e8a06f0f4111a Mon Sep 17 00:00:00 2001
+Message-Id: <f20062e1fe1e7bca8b97d2383f9e8a06f0f4111a@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 9 Nov 2022 11:06:25 +0100
+Subject: [PATCH] qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat'
+ mode of query-named-block-nodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+'query-named-block-nodes' in non-flat mode returns redundantly nested
+data under the 'backing-image' field. Fortunately we don't need it when
+updating the capacity stats.
+
+This function was unfortunately not fixed originally when the support
+for flat mode was added. Use the flat cached in the monitor object to
+force flat mode if available.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit bbd4d4899391b3bd1906cce61a3634f42f4b1bdf)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+---
+ src/qemu/qemu_monitor_json.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
+index 7d8755246f..789554e225 100644
+--- a/src/qemu/qemu_monitor_json.c
++++ b/src/qemu/qemu_monitor_json.c
+@@ -2679,7 +2679,7 @@ qemuMonitorJSONBlockStatsUpdateCapacityBlockdev(qemuMonitor *mon,
+ {
+     g_autoptr(virJSONValue) nodes = NULL;
+ 
+-    if (!(nodes = qemuMonitorJSONQueryNamedBlockNodes(mon, false)))
++    if (!(nodes = qemuMonitorJSONQueryNamedBlockNodes(mon, mon->queryNamedBlockNodesFlat)))
+         return -1;
+ 
+     if (virJSONValueArrayForeachSteal(nodes,
+-- 
+2.40.1

SOURCES/libvirt-qemuMonitorJSONGetCPUModelExpansion-refactor-parsing-functions.patch

@@ -0,0 +1,100 @@
+From ed03cdb563ee30bff2f4f8a66f7778b5e55a4683 Mon Sep 17 00:00:00 2001
+Message-ID: <ed03cdb563ee30bff2f4f8a66f7778b5e55a4683.1749113303.git.jdenemar@redhat.com>
+From: Collin Walling <walling@linux.ibm.com>
+Date: Mon, 16 Dec 2024 18:03:52 -0500
+Subject: [PATCH] qemuMonitorJSONGetCPUModelExpansion: refactor parsing
+ functions
+
+Refactor the CPU Model parsing functions within
+qemuMonitorJSONGetCPUModelExpansion.  The new functions,
+qemuMonitorJSONParseCPUModelExpansionData and
+qemuMonitorJSONParseCPUModelExpansion invoke the functions they
+replace and leave room for a subsequent patch to handle parsing the
+(optional) deprecated_props field resulting from the command.
+
+Signed-off-by: Collin Walling <walling@linux.ibm.com>
+Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 60e407deb5cd88e5f1564d1c9145e374001cf34f)
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ src/qemu/qemu_monitor_json.c | 46 ++++++++++++++++++++++++++++++------
+ 1 file changed, 39 insertions(+), 7 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
+index 789554e225..487f8028d9 100644
+--- a/src/qemu/qemu_monitor_json.c
++++ b/src/qemu/qemu_monitor_json.c
+@@ -5495,6 +5495,37 @@ qemuMonitorJSONParseCPUModel(const char *cpu_name,
+ }
+ 
+ 
++static int
++qemuMonitorJSONParseCPUModelExpansionData(virJSONValue *data,
++                                          bool fail_no_props,
++                                          virJSONValue **cpu_model,
++                                          virJSONValue **cpu_props,
++                                          const char **cpu_name)
++{
++    if (qemuMonitorJSONParseCPUModelData(data, "query-cpu-model-expansion",
++                                         fail_no_props, cpu_model, cpu_props,
++                                         cpu_name) < 0)
++        return -1;
++
++    return 0;
++}
++
++
++static int
++qemuMonitorJSONParseCPUModelExpansion(const char *cpu_name,
++                                      virJSONValue *cpu_props,
++                                      qemuMonitorCPUModelInfo **model_info)
++{
++    g_autoptr(qemuMonitorCPUModelInfo) expanded_model = NULL;
++
++    if (qemuMonitorJSONParseCPUModel(cpu_name, cpu_props, &expanded_model) < 0)
++        return -1;
++
++    *model_info = g_steal_pointer(&expanded_model);
++    return 0;
++}
++
++
+ static int
+ qemuMonitorJSONQueryCPUModelExpansionOne(qemuMonitor *mon,
+                                          qemuMonitorCPUModelExpansionType type,
+@@ -5564,9 +5595,9 @@ qemuMonitorJSONGetCPUModelExpansion(qemuMonitor *mon,
+     if ((rc = qemuMonitorJSONQueryCPUModelExpansionOne(mon, type, &model, &data)) <= 0)
+         return rc;
+ 
+-    if (qemuMonitorJSONParseCPUModelData(data, "query-cpu-model-expansion",
+-                                         fail_no_props, &cpu_model, &cpu_props,
+-                                         &cpu_name) < 0)
++    if (qemuMonitorJSONParseCPUModelExpansionData(data, fail_no_props,
++                                                  &cpu_model, &cpu_props,
++                                                  &cpu_name) < 0)
+         return -1;
+ 
+     /* QEMU_MONITOR_CPU_MODEL_EXPANSION_STATIC_FULL requests "full" expansion
+@@ -5582,13 +5613,14 @@ qemuMonitorJSONGetCPUModelExpansion(qemuMonitor *mon,
+         if ((rc = qemuMonitorJSONQueryCPUModelExpansionOne(mon, type, &fullModel, &fullData)) <= 0)
+             return rc;
+ 
+-        if (qemuMonitorJSONParseCPUModelData(fullData, "query-cpu-model-expansion",
+-                                             fail_no_props, &cpu_model, &cpu_props,
+-                                             &cpu_name) < 0)
++        if (qemuMonitorJSONParseCPUModelExpansionData(fullData, fail_no_props,
++                                                      &cpu_model, &cpu_props,
++                                                      &cpu_name) < 0)
+             return -1;
+     }
+ 
+-    return qemuMonitorJSONParseCPUModel(cpu_name, cpu_props, model_info);
++    return qemuMonitorJSONParseCPUModelExpansion(cpu_name, cpu_props,
++                                                 model_info);
+ }
+ 
+ 
+-- 
+2.49.0

SOURCES/libvirt-qemu_capabilities-filter-deprecated-features-if-requested.patch

@@ -0,0 +1,95 @@
+From 59ec9c201e8849f7231557c6019e1fabd0893240 Mon Sep 17 00:00:00 2001
+Message-ID: <59ec9c201e8849f7231557c6019e1fabd0893240.1749113303.git.jdenemar@redhat.com>
+From: Collin Walling <walling@linux.ibm.com>
+Date: Mon, 16 Dec 2024 18:03:56 -0500
+Subject: [PATCH] qemu_capabilities: filter deprecated features if requested
+
+If flag VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES
+is passed to qemuConnectGetDomainCapabilities, then the domain's CPU
+model features will be updated to set any deprecated features to the
+'disabled' policy.
+
+Signed-off-by: Collin Walling <walling@linux.ibm.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit cd1e837c22182dcadfe17b469c931f9fc9745a46)
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ src/qemu/qemu_capabilities.c | 20 ++++++++++++++++++++
+ src/qemu/qemu_capabilities.h |  3 +++
+ src/qemu/qemu_driver.c       |  8 +++++++-
+ 3 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index 98773d2a0a..389b43ab3d 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -3152,6 +3152,26 @@ virQEMUCapsGetCPUFeatures(virQEMUCaps *qemuCaps,
+ }
+ 
+ 
++void
++virQEMUCapsUpdateCPUDeprecatedFeatures(virQEMUCaps *qemuCaps,
++                                       virDomainVirtType virtType,
++                                       virCPUDef *cpu)
++{
++    qemuMonitorCPUModelInfo *modelInfo;
++    size_t i;
++
++    modelInfo = virQEMUCapsGetCPUModelInfo(qemuCaps, virtType);
++
++    if (!modelInfo || !modelInfo->deprecated_props)
++        return;
++
++    for (i = 0; i < g_strv_length(modelInfo->deprecated_props); i++) {
++        virCPUDefUpdateFeature(cpu, modelInfo->deprecated_props[i],
++                               VIR_CPU_FEATURE_DISABLE);
++    }
++}
++
++
+ struct tpmTypeToCaps {
+     int type;
+     virQEMUCapsFlags caps;
+diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
+index 4a7fb2c726..249adf66fa 100644
+--- a/src/qemu/qemu_capabilities.h
++++ b/src/qemu/qemu_capabilities.h
+@@ -702,6 +702,9 @@ int virQEMUCapsGetCPUFeatures(virQEMUCaps *qemuCaps,
+                               virDomainVirtType virtType,
+                               bool migratable,
+                               char ***features);
++void virQEMUCapsUpdateCPUDeprecatedFeatures(virQEMUCaps *qemuCaps,
++                                            virDomainVirtType virtType,
++                                            virCPUDef *cpu);
+ 
+ virDomainVirtType virQEMUCapsGetVirtType(virQEMUCaps *qemuCaps);
+ 
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index d3d76c003f..315abe57b0 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -17383,7 +17383,8 @@ qemuConnectGetDomainCapabilities(virConnectPtr conn,
+     virDomainVirtType virttype;
+     g_autoptr(virDomainCaps) domCaps = NULL;
+ 
+-    virCheckFlags(0, NULL);
++    virCheckFlags(VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES,
++                  NULL);
+ 
+     if (virConnectGetDomainCapabilitiesEnsureACL(conn) < 0)
+         return NULL;
+@@ -17402,6 +17403,11 @@ qemuConnectGetDomainCapabilities(virConnectPtr conn,
+                                                        arch, virttype)))
+         return NULL;
+ 
++    if (flags & VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES) {
++        virQEMUCapsUpdateCPUDeprecatedFeatures(qemuCaps, virttype,
++                                               domCaps->cpu.hostModel);
++    }
++
+     return virDomainCapsFormat(domCaps);
+ }
+ 
+-- 
+2.49.0

SOURCES/libvirt-qemu_capabilities-query-deprecated-features-for-host-model.patch

@@ -0,0 +1,128 @@
+From 4ad452d843406b9bb8423a47987f4180d565f11a Mon Sep 17 00:00:00 2001
+Message-ID: <4ad452d843406b9bb8423a47987f4180d565f11a.1749113303.git.jdenemar@redhat.com>
+From: Collin Walling <walling@linux.ibm.com>
+Date: Mon, 16 Dec 2024 18:03:54 -0500
+Subject: [PATCH] qemu_capabilities: query deprecated features for host-model
+
+Add QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION_DEPRECATED_PROPS for detecting
+if query-cpu-model-expansion can report deprecated CPU model properties.
+QEMU introduced this capability in 9.1 release.  Add flag and deprecated
+features to the capabilities test data for QEMU 9.1 and 9.2 replies/XML
+since it can now be accounted for.
+
+When probing for the host CPU, perform a full CPU model expansion to
+retrieve the list of features deprecated across the entire architecture.
+The list and count are stored in the host's CPU model info within the
+QEMU capabilities.  Other info resulting from this query (e.g. model
+name, etc) is ignored.
+
+The new capabilities flag is used to fence off the extra query for
+architectures/QEMU binaries that do not report deprecated CPU model
+features.
+
+Signed-off-by: Collin Walling <walling@linux.ibm.com>
+Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 51c098347d7f2af9b4386ac0adc4431997d06f3d)
+
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Conflicts:
+    src/qemu/qemu_capabilities.c
+    src/qemu/qemu_capabilities.h
+    (Contextual conflicts due to missing other patches in downstream
+     and qemuMonitorGetCPUModelExpansion() having one parameter less
+     in downstream)
+    tests/qemucapabilitiesdata/caps_9.*
+    (dropped the changes to these files since they are of no use in
+     downstream - upstream testing code changed too much, so it's
+     not possible to get the related tests to work in downstream)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ src/qemu/qemu_capabilities.c | 38 ++++++++++++++++++++++++++++++++++++
+ src/qemu/qemu_capabilities.h |  1 +
+ 2 files changed, 39 insertions(+)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index d616273406..98773d2a0a 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -658,6 +658,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
+               /* 420 */
+               "blockdev-reopen.__com.redhat_rhel-av-8_2_0-api", /* QEMU_CAPS_BLOCKDEV_REOPEN_COM_REDHAT_AV_8_2_0_API */
+               "memory-backend-file.prealloc-threads", /* QEMU_CAPS_MEMORY_BACKEND_PREALLOC_THREADS */
++              "query-cpu-model-expansion.deprecated-props", /* QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION_DEPRECATED_PROPS */
+     );
+ 
+ 
+@@ -1579,6 +1580,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsQMPSchemaQueries[] = {
+     { "screendump/arg-type/device", QEMU_CAPS_SCREENDUMP_DEVICE },
+     { "set-numa-node/arg-type/+hmat-lb", QEMU_CAPS_NUMA_HMAT },
+     { "object-add/arg-type/+sev-guest/kernel-hashes", QEMU_CAPS_SEV_GUEST_KERNEL_HASHES },
++    { "query-cpu-model-expansion/ret-type/deprecated-props", QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION_DEPRECATED_PROPS },
+ };
+ 
+ typedef struct _virQEMUCapsObjectTypeProps virQEMUCapsObjectTypeProps;
+@@ -2982,6 +2984,38 @@ virQEMUCapsProbeCPUDefinitionsTest(virQEMUCaps *qemuCaps,
+ }
+ 
+ 
++/**
++ * virQEMUCapsProbeFullDeprecatedProperties
++ * @mon: QEMU monitor
++ * @cpu: CPU definition to be expanded
++ * @props: the array to be filled with deprecated features
++ *
++ * Performs a full CPU model expansion to retrieve an array of deprecated
++ * properties. If the expansion succeeds, then data previously stored in
++ * @props is freed.
++ *
++ * Returns: -1 if the expansion failed; otherwise 0.
++ */
++static int
++virQEMUCapsProbeFullDeprecatedProperties(qemuMonitor *mon,
++                                         virCPUDef *cpu,
++                                         GStrv *props)
++{
++    g_autoptr(qemuMonitorCPUModelInfo) propsInfo = NULL;
++
++    if (qemuMonitorGetCPUModelExpansion(mon, QEMU_MONITOR_CPU_MODEL_EXPANSION_FULL,
++                                        cpu, true, false, &propsInfo) < 0)
++        return -1;
++
++    if (propsInfo && propsInfo->deprecated_props) {
++        g_free(*props);
++        *props = g_steal_pointer(&propsInfo->deprecated_props);
++    }
++
++    return 0;
++}
++
++
+ static int
+ virQEMUCapsProbeQMPHostCPU(virQEMUCaps *qemuCaps,
+                            virQEMUCapsAccel *accel,
+@@ -3065,6 +3099,10 @@ virQEMUCapsProbeQMPHostCPU(virQEMUCaps *qemuCaps,
+         modelInfo->migratability = true;
+     }
+ 
++    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION_DEPRECATED_PROPS) &&
++        virQEMUCapsProbeFullDeprecatedProperties(mon, cpu, &modelInfo->deprecated_props) < 0)
++        return -1;
++
+     accel->hostCPU.info = g_steal_pointer(&modelInfo);
+     return 0;
+ }
+diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
+index 8e65635e0d..4a7fb2c726 100644
+--- a/src/qemu/qemu_capabilities.h
++++ b/src/qemu/qemu_capabilities.h
+@@ -637,6 +637,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */
+     /* 420 */
+     QEMU_CAPS_BLOCKDEV_REOPEN_COM_REDHAT_AV_8_2_0_API, /* downstream support for blockdev reopen in rhel-av-8.2.0 */
+     QEMU_CAPS_MEMORY_BACKEND_PREALLOC_THREADS, /* -object memory-backend-*.prealloc-threads */
++    QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION_DEPRECATED_PROPS, /* query-cpu-model-expansion may report deprecated CPU properties */
+ 
+     QEMU_CAPS_LAST /* this must always be the last item */
+ } virQEMUCapsFlags;
+-- 
+2.49.0

SOURCES/libvirt-remote-check-for-negative-array-lengths-before-allocation.patch

@@ -0,0 +1,218 @@
+From cb42cd98d347deeee7c225d8d1e9f71f232cad29 Mon Sep 17 00:00:00 2001
+Message-ID: <cb42cd98d347deeee7c225d8d1e9f71f232cad29.1712647819.git.jdenemar@redhat.com>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 15 Mar 2024 10:47:50 +0000
+Subject: [PATCH] remote: check for negative array lengths before allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While the C API entry points will validate non-negative lengths
+for various parameters, the RPC server de-serialization code
+will need to allocate memory for arrays before entering the C
+API. These allocations will thus happen before the non-negative
+length check is performed.
+
+Passing a negative length to the g_new0 function will usually
+result in a crash due to the negative length being treated as
+a huge positive number.
+
+This was found and diagnosed by ALT Linux Team with AFLplusplus.
+
+CVE-2024-2494
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Found-by: Alexandr Shashkin <dutyrok@altlinux.org>
+Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f2)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++
+ src/rpc/gendispatch.pl              |  5 +++
+ 2 files changed, 70 insertions(+)
+
+diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
+index 689001889e..c193227926 100644
+--- a/src/remote/remote_daemon_dispatch.c
++++ b/src/remote/remote_daemon_dispatch.c
+@@ -2306,6 +2306,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED,
+     if (!conn)
+         goto cleanup;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -2354,6 +2358,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS
+     if (!conn)
+         goto cleanup;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -2512,6 +2520,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED,
+         goto cleanup;
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -2737,6 +2749,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED,
+     if (!(dom = get_nonnull_domain(conn, args->dom)))
+         goto cleanup;
+ 
++    if (args->ncpumaps < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative"));
++        goto cleanup;
++    }
++    if (args->maplen < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
++        goto cleanup;
++    }
+     if (args->ncpumaps > REMOTE_VCPUINFO_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX"));
+         goto cleanup;
+@@ -2831,6 +2851,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED,
+     if (!(dom = get_nonnull_domain(conn, args->dom)))
+         goto cleanup;
+ 
++    if (args->maplen < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
++        goto cleanup;
++    }
++
+     /* Allocate buffers to take the results */
+     if (args->maplen > 0)
+         cpumaps = g_new0(unsigned char, args->maplen);
+@@ -2878,6 +2903,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED,
+     if (!(dom = get_nonnull_domain(conn, args->dom)))
+         goto cleanup;
+ 
++    if (args->maxinfo < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
++        goto cleanup;
++    }
++    if (args->maplen < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
++        goto cleanup;
++    }
+     if (args->maxinfo > REMOTE_VCPUINFO_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX"));
+         goto cleanup;
+@@ -3117,6 +3150,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3177,6 +3214,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3237,6 +3278,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3298,6 +3343,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3365,6 +3414,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3545,6 +3598,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED,
+     if (!conn)
+         goto cleanup;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -5087,6 +5144,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -5307,6 +5368,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
++    if (args->nparams < 0) {
++        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
++        goto cleanup;
++    }
+     if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
+index 9f5bf0e316..aacab88808 100755
+--- a/src/rpc/gendispatch.pl
++++ b/src/rpc/gendispatch.pl
+@@ -1074,6 +1074,11 @@ elsif ($mode eq "server") {
+         print "\n";
+ 
+         if ($single_ret_as_list) {
++            print "    if (args->$single_ret_list_max_var < 0) {\n";
++            print "        virReportError(VIR_ERR_RPC,\n";
++            print "                       \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n";
++            print "        goto cleanup;\n";
++            print "    }\n";
+             print "    if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n";
+             print "        virReportError(VIR_ERR_RPC,\n";
+             print "                       \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";
+-- 
+2.44.0

SOURCES/libvirt-rpc-ensure-temporary-GSource-is-removed-from-client-event-loop.patch

@@ -0,0 +1,101 @@
+From b84d0a699f3976644d3090562ce62ede55335fbc Mon Sep 17 00:00:00 2001
+Message-ID: <b84d0a699f3976644d3090562ce62ede55335fbc.1717684031.git.jdenemar@redhat.com>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Apr 2024 11:51:15 +0100
+Subject: [PATCH] rpc: ensure temporary GSource is removed from client event
+ loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Users are seeing periodic segfaults from libvirt client apps,
+especially thread heavy ones like virt-manager. A typical
+stack trace would end up in the virNetClientIOEventFD method,
+with illegal access to stale stack data. eg
+
+==238721==ERROR: AddressSanitizer: stack-use-after-return on address 0x75cd18709788 at pc 0x75cd3111f907 bp 0x75cd181ff550 sp 0x75cd181ff548
+WRITE of size 4 at 0x75cd18709788 thread T11
+    #0 0x75cd3111f906 in virNetClientIOEventFD /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1634:15
+    #1 0x75cd3210d198  (/usr/lib/libglib-2.0.so.0+0x5a198) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
+    #2 0x75cd3216c3be  (/usr/lib/libglib-2.0.so.0+0xb93be) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
+    #3 0x75cd3210ddc6 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x5adc6) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
+    #4 0x75cd3111a47c in virNetClientIOEventLoop /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1722:9
+    #5 0x75cd3111a47c in virNetClientIO /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2002:10
+    #6 0x75cd3111a47c in virNetClientSendInternal /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2170:11
+    #7 0x75cd311198a8 in virNetClientSendWithReply /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2198:11
+    #8 0x75cd31111653 in virNetClientProgramCall /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclientprogram.c:318:9
+    #9 0x75cd31241c8f in callFull /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6054:10
+    #10 0x75cd31241c8f in call /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6076:12
+    #11 0x75cd31241c8f in remoteNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/src/remote/remote_client_bodies.h:5959:9
+    #12 0x75cd31410ff7 in virNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/libvirt-network.c:952:15
+
+The root cause is a bad assumption in the virNetClientIOEventLoop
+method. This method is run by whichever thread currently owns the
+buck, and is responsible for handling I/O. Inside a for(;;) loop,
+this method creates a temporary GSource, adds it to the event loop
+and runs g_main_loop_run(). When I/O is ready, the GSource callback
+(virNetClientIOEventFD) will fire and call g_main_loop_quit(), and
+return G_SOURCE_REMOVE which results in the temporary GSource being
+destroyed. A g_autoptr() will then remove the last reference.
+
+What was overlooked, is that a second thread can come along and
+while it can't enter virNetClientIOEventLoop, it will register an
+idle source that uses virNetClientIOWakeup to interrupt the
+original thread's 'g_main_loop_run' call. When this happens the
+virNetClientIOEventFD callback never runs, and so the temporary
+GSource is not destroyed. The g_autoptr() will remove a reference,
+but by virtue of still being attached to the event context, there
+is an extra reference held causing GSource to be leaked. The
+next time 'g_main_loop_run' is called, the original GSource will
+trigger its callback, and access data that was allocated on the
+stack by the previous thread, and likely SEGV.
+
+To solve this, the thread calling 'g_main_loop_run' must call
+g_source_destroy, immediately upon return, to guarantee that
+the temporary GSource is removed.
+
+CVE-2024-4418
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Reported-by: Martin Shirokov <shirokovmartin@gmail.com>
+Tested-by: Martin Shirokov <shirokovmartin@gmail.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/rpc/virnetclient.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
+index f526ad89ec..b9490072c3 100644
+--- a/src/rpc/virnetclient.c
++++ b/src/rpc/virnetclient.c
+@@ -1664,7 +1664,7 @@ static int virNetClientIOEventLoop(virNetClient *client,
+ #endif /* !WIN32 */
+         int timeout = -1;
+         virNetMessage *msg = NULL;
+-        g_autoptr(GSource) G_GNUC_UNUSED source = NULL;
++        g_autoptr(GSource) source = NULL;
+         GIOCondition ev = 0;
+         struct virNetClientIOEventData data = {
+             .client = client,
+@@ -1728,6 +1728,18 @@ static int virNetClientIOEventLoop(virNetClient *client,
+ 
+         g_main_loop_run(client->eventLoop);
+ 
++        /*
++         * If virNetClientIOEventFD ran, this GSource will already be
++         * destroyed due to G_SOURCE_REMOVE. It is harmless to re-destroy
++         * it, since we still own a reference.
++         *
++         * If virNetClientIOWakeup ran, it will have interrupted the
++         * g_main_loop_run call, before virNetClientIOEventFD could
++         * run, and thus the GSource is still registered, and we need
++         * to destroy it since it is referencing stack memory for 'data'
++         */
++        g_source_destroy(source);
++
+ #ifndef WIN32
+         ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
+ #endif /* !WIN32 */
+-- 
+2.45.1

SOURCES/libvirt-util-Fix-error-return-for-virProcessKillPainfullyDelay.patch

@@ -0,0 +1,39 @@
+From ffbae27bd15ae9475fd4f0e79b492a7e03bca93e Mon Sep 17 00:00:00 2001
+Message-ID: <ffbae27bd15ae9475fd4f0e79b492a7e03bca93e.1717684031.git.jdenemar@redhat.com>
+From: Jonathon Jongsma <jjongsma@redhat.com>
+Date: Fri, 22 Sep 2023 14:23:10 -0500
+Subject: [PATCH] util: Fix error return for virProcessKillPainfullyDelay()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 93af79fb removed a cleanup label in favor of returning error
+values directly in certain cases. But the final return value was changed
+from -1 to 0. If we get to the end of the function, that means that
+we've waited for the process to exit but it still exists. So we should
+return -1. The error message was still being set correctly, but we were
+returning a success status (0).
+
+Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 51a074e74c6ef2fb95e6f53d41315e3f1e00be77)
+https://issues.redhat.com/browse/RHEL-36064
+---
+ src/util/virprocess.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/virprocess.c b/src/util/virprocess.c
+index b559a4257e..f3933a2d16 100644
+--- a/src/util/virprocess.c
++++ b/src/util/virprocess.c
+@@ -471,7 +471,7 @@ virProcessKillPainfullyDelay(pid_t pid, bool force, unsigned int extradelay, boo
+                          _("Failed to terminate process %lld with SIG%s"),
+                          (long long)pid, signame);
+ 
+-    return 0;
++    return -1;
+ }
+ 
+ 
+-- 
+2.45.1

SOURCES/libvirt-util-xml-Introduce-virXMLNodeGetSubelementList.patch

@@ -0,0 +1,104 @@
+From 534bb6a049e7ad227d143457ddcfe828238cea18 Mon Sep 17 00:00:00 2001
+Message-ID: <534bb6a049e7ad227d143457ddcfe828238cea18.1749113303.git.jdenemar@redhat.com>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 13 Feb 2023 15:53:23 +0100
+Subject: [PATCH] util: xml: Introduce virXMLNodeGetSubelementList
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The new helper is similar to virXPathNodeSet list but for cases where we
+want to get subelements directly rather than using XPath.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit dcd49d2cd65c9fe58d3df536fa258fc70c633d7e)
+
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Conflicts:
+    Trivial contextual conflicts in all files
+    (due to missing other patches in downstream)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ src/libvirt_private.syms |  1 +
+ src/util/virxml.c        | 35 +++++++++++++++++++++++++++++++++++
+ src/util/virxml.h        |  6 ++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 7c558ad364..3af1b33a6c 100644
+--- a/src/libvirt_private.syms
++++ b/src/libvirt_private.syms
+@@ -3619,6 +3619,7 @@ virXMLFormatElementEmpty;
+ virXMLFormatMetadata;
+ virXMLNewNode;
+ virXMLNodeContentString;
++virXMLNodeGetSubelementList;
+ virXMLNodeNameEqual;
+ virXMLNodeSanitizeNamespaces;
+ virXMLNodeToString;
+diff --git a/src/util/virxml.c b/src/util/virxml.c
+index 4b09374107..b57462e2d0 100644
+--- a/src/util/virxml.c
++++ b/src/util/virxml.c
+@@ -838,6 +838,41 @@ virXPathBoolean(const char *xpath,
+     return obj->boolval;
+ }
+ 
++
++/**
++ * virXMLNodeGetSubelementList:
++ * @node: node to get subelement of
++ * @name: name of subelement to fetch (NULL to fetch all sub-elements)
++ * @list: If non-NULL, filled with a list of pointers to the nodes. Caller is
++ *        responsible for freeing the list but not the members.
++ *
++ * Find and return a sub-elements node of @node named @name in a list.
++ * Returns the number of subelements with @name
++ */
++size_t
++virXMLNodeGetSubelementList(xmlNodePtr node,
++                            const char *name,
++                            xmlNodePtr **list)
++{
++    xmlNodePtr n;
++    size_t nelems = 0;
++
++    for (n = node->children; n; n = n->next) {
++        if (n->type == XML_ELEMENT_NODE) {
++            if (name && !virXMLNodeNameEqual(n, name))
++                continue;
++
++            if (list)
++                VIR_APPEND_ELEMENT_COPY(*list, nelems, n);
++            else
++                nelems++;
++        }
++    }
++
++    return nelems;
++}
++
++
+ /**
+  * virXPathNode:
+  * @xpath: the XPath string to evaluate
+diff --git a/src/util/virxml.h b/src/util/virxml.h
+index c39eae6282..7b60551898 100644
+--- a/src/util/virxml.h
++++ b/src/util/virxml.h
+@@ -83,6 +83,12 @@ int
+ virXPathULongHex(const char *xpath,
+                  xmlXPathContextPtr ctxt,
+                  unsigned long *value);
++
++size_t
++virXMLNodeGetSubelementList(xmlNodePtr node,
++                            const char *name,
++                            xmlNodePtr **list);
++
+ xmlNodePtr
+ virXPathNode(const char *xpath,
+              xmlXPathContextPtr ctxt);
+-- 
+2.49.0

SOURCES/libvirt-util-xml-Return-GPtrArray-from-virXMLNodeGetSubelement-partial.patch

@@ -0,0 +1,92 @@
+From f3c75e44ad85fb01473c78adfc2a6d2c53f4f358 Mon Sep 17 00:00:00 2001
+Message-ID: <f3c75e44ad85fb01473c78adfc2a6d2c53f4f358.1749113303.git.jdenemar@redhat.com>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 13 Feb 2023 15:53:23 +0100
+Subject: [PATCH] util: xml: Return GPtrArray from virXMLNodeGetSubelement
+ [partial]
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rework the helper to use a GPtrArray structure to simplify callers.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 08a7fc834c7c505e73bfcfa11c4a841a972d4f5d)
+
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Conflicts:
+    src/conf/*.c
+    Dropped the hunks that modify the callers
+    (since these are not available in downstream yet)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ src/util/virxml.c | 21 ++++++++-------------
+ src/util/virxml.h |  5 ++---
+ 2 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/src/util/virxml.c b/src/util/virxml.c
+index b57462e2d0..46afcf2146 100644
+--- a/src/util/virxml.c
++++ b/src/util/virxml.c
+@@ -843,33 +843,28 @@ virXPathBoolean(const char *xpath,
+  * virXMLNodeGetSubelementList:
+  * @node: node to get subelement of
+  * @name: name of subelement to fetch (NULL to fetch all sub-elements)
+- * @list: If non-NULL, filled with a list of pointers to the nodes. Caller is
+- *        responsible for freeing the list but not the members.
+  *
+- * Find and return a sub-elements node of @node named @name in a list.
+- * Returns the number of subelements with @name
++ * Find and return a sub-elements node of @node named @name in a GPtrArray
++ * populated with the xmlNodePtr objects. Caller is responsible for freeing the
++ * array but not the contained xmlNode objects.
+  */
+-size_t
++GPtrArray *
+ virXMLNodeGetSubelementList(xmlNodePtr node,
+-                            const char *name,
+-                            xmlNodePtr **list)
++                            const char *name)
+ {
++    GPtrArray *ret = g_ptr_array_new();
+     xmlNodePtr n;
+-    size_t nelems = 0;
+ 
+     for (n = node->children; n; n = n->next) {
+         if (n->type == XML_ELEMENT_NODE) {
+             if (name && !virXMLNodeNameEqual(n, name))
+                 continue;
+ 
+-            if (list)
+-                VIR_APPEND_ELEMENT_COPY(*list, nelems, n);
+-            else
+-                nelems++;
++            g_ptr_array_add(ret, n);
+         }
+     }
+ 
+-    return nelems;
++    return ret;
+ }
+ 
+ 
+diff --git a/src/util/virxml.h b/src/util/virxml.h
+index 7b60551898..03677afc33 100644
+--- a/src/util/virxml.h
++++ b/src/util/virxml.h
+@@ -84,10 +84,9 @@ virXPathULongHex(const char *xpath,
+                  xmlXPathContextPtr ctxt,
+                  unsigned long *value);
+ 
+-size_t
++GPtrArray *
+ virXMLNodeGetSubelementList(xmlNodePtr node,
+-                            const char *name,
+-                            xmlNodePtr **list);
++                            const char *name);
+ 
+ xmlNodePtr
+ virXPathNode(const char *xpath,
+-- 
+2.49.0

SOURCES/libvirt-virStorageBackendLogicalCheckPool-Properly-mark-empty-logical-pools-as-active.patch

@@ -0,0 +1,51 @@
+From afbf59c823a04b417b4ae66edb99e15e6e8ba877 Mon Sep 17 00:00:00 2001
+Message-ID: <afbf59c823a04b417b4ae66edb99e15e6e8ba877.1730898528.git.jdenemar@redhat.com>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Tue, 8 Aug 2023 15:53:53 +0200
+Subject: [PATCH] virStorageBackendLogicalCheckPool: Properly mark empty
+ logical pools as active
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The '/dev' filesystem convenience directory for a LVM volume group is
+not created when the volume group is empty.
+
+The logic in 'virStorageBackendLogicalCheckPool' which is used to see
+whether a pool is active was first checking presence of the directory,
+which failed for an empty VG.
+
+Since the second step is virStorageBackendLogicalMatchPoolSource which
+is checking mapping between configured PVs and the VG, we can simply
+rely on the function to also check presence of the pool.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2228223
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit fa1a54baa59d244289ce666f9dc52d9eabca47f1)
+https://issues.redhat.com/browse/RHEL-65771
+---
+ src/storage/storage_backend_logical.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/src/storage/storage_backend_logical.c b/src/storage/storage_backend_logical.c
+index 3f27e63aeb..b7e3ba2498 100644
+--- a/src/storage/storage_backend_logical.c
++++ b/src/storage/storage_backend_logical.c
+@@ -628,13 +628,7 @@ static int
+ virStorageBackendLogicalCheckPool(virStoragePoolObj *pool,
+                                   bool *isActive)
+ {
+-    virStoragePoolDef *def = virStoragePoolObjGetDef(pool);
+-
+-    /* If we can find the target.path as well as ensure that the
+-     * pool's def source
+-     */
+-    *isActive = virFileExists(def->target.path) &&
+-                virStorageBackendLogicalMatchPoolSource(pool);
++    *isActive = virStorageBackendLogicalMatchPoolSource(pool);
+     return 0;
+ }
+ 
+-- 
+2.47.0

SOURCES/libvirt-virnuma-Avoid-integer-overflow-in-virNumaGetPages.patch

@@ -0,0 +1,68 @@
+From f3ae3ac1807549c1eb4cc5a0286047ff019e14a0 Mon Sep 17 00:00:00 2001
+Message-ID: <f3ae3ac1807549c1eb4cc5a0286047ff019e14a0.1702401900.git.jdenemar@redhat.com>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Fri, 24 Nov 2023 11:59:32 +0100
+Subject: [PATCH] virnuma: Avoid integer overflow in virNumaGetPages()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On systems with humongous pages (16GiB) and 32bit int it's easy
+to hit integer overflow in virNumaGetPages(). What happens is,
+inside of virNumaGetPages() as we process hugepages for given
+NUMA node (e.g. in order to produce capabilities XML), we keep a
+sum of sizes of pools in an ULL variable (huge_page_sum). In each
+iteration, the variable is incremented by 1024 * page_size *
+page_avail. Now, page_size is just an uint, so we have:
+
+  ULL += U * U * ULL;
+
+and because of associativity, U * U is computed first and since
+we have two operands of the same type, no type expansion happens.
+But this means, for humongous pages (like 16GiB) the
+multiplication overflows.
+
+Therefore, move the multiplication out of the loop. This helps in
+two ways:
+
+1) now we have ULL += U * ULL; which expands the uint in
+   multiplication,
+
+2) it saves couple of CPU cycles.
+
+Resolves: https://issues.redhat.com/browse/RHEL-16749
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 9694d1ca6a4ef7a37ac20249eb8b85c1bb48ef6b)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/util/virnuma.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/virnuma.c b/src/util/virnuma.c
+index 7c892d6267..e0938867f9 100644
+--- a/src/util/virnuma.c
++++ b/src/util/virnuma.c
+@@ -806,9 +806,7 @@ virNumaGetPages(int node,
+         tmp_free[ntmp] = page_free;
+         ntmp++;
+ 
+-        /* page_size is in kibibytes while we want huge_page_sum
+-         * in just bytes. */
+-        huge_page_sum += 1024 * page_size * page_avail;
++        huge_page_sum += page_size * page_avail;
+     }
+ 
+     if (direrr < 0)
+@@ -819,6 +817,9 @@ virNumaGetPages(int node,
+     VIR_REALLOC_N(tmp_avail, ntmp + 1);
+     VIR_REALLOC_N(tmp_free, ntmp + 1);
+ 
++    /* page_size is in kibibytes while we want huge_page_sum in just bytes. */
++    huge_page_sum *= 1024;
++
+     if (virNumaGetPageInfo(node, system_page_size, huge_page_sum,
+                            &tmp_avail[ntmp], &tmp_free[ntmp]) < 0)
+         return -1;
+-- 
+2.43.0

SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch

@@ -0,0 +1,56 @@
+From 0e91f4dc214d01e9d9537b1111ce67010530fd20 Mon Sep 17 00:00:00 2001
+Message-Id: <0e91f4dc214d01e9d9537b1111ce67010530fd20@dist-git>
+From: Tim Shearer <TShearer@adva.com>
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+
+Valgrind output after getting a single interface's XML description
+1000 times:
+
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982==    at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982==    by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982==    by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982==    by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982==    by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982==    by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982==    by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982==    by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982==    by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982==    by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982==    by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982==    by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+
+Signed-off-by: Tim Shearer <tshearer@adva.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 6425a311b8ad19d6f9c0b315bf1d722551ea3585)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2196351
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/virpci.c b/src/util/virpci.c
+index 4949d1a3d4..2714d11a7d 100644
+--- a/src/util/virpci.c
++++ b/src/util/virpci.c
+@@ -2255,6 +2255,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
+         g_free(list->functions[i].ifname);
+     }
+ 
++    g_free(list->functions);
+     g_free(list);
+ }
+ 
+-- 
+2.40.1

SOURCES/libvirt-virsh-add-disable-deprecated-features-flag-to-domcapabilities.patch

@@ -0,0 +1,83 @@
+From 16a50b3a73f496be8cd2bb9b9c0b88ca9a84ed0e Mon Sep 17 00:00:00 2001
+Message-ID: <16a50b3a73f496be8cd2bb9b9c0b88ca9a84ed0e.1749113304.git.jdenemar@redhat.com>
+From: Collin Walling <walling@linux.ibm.com>
+Date: Mon, 16 Dec 2024 18:03:57 -0500
+Subject: [PATCH] virsh: add --disable-deprecated-features flag to
+ domcapabilities
+
+Add a new flag, --disable-deprecated-features, to the domcapabilities
+command.  This will modify the output to show the 'host-model' CPU
+with features flagged as deprecated paired with the 'disable' policy.
+
+virsh domcapabilities --disable-deprecated-features
+
+Signed-off-by: Collin Walling <walling@linux.ibm.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 15d45964e453e04f1761e527266af45554f58fcc)
+
+JIRA: https://issues.redhat.com/browse/RHEL-88716
+Conflicts:
+    docs/manpages/virsh.rst
+    tools/virsh-host.c
+    (Simple contextual conflicts due to other missing patches in downstream)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ docs/manpages/virsh.rst | 6 ++++++
+ tools/virsh-host.c      | 9 ++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
+index d24e7774a6..3adbf42280 100644
+--- a/docs/manpages/virsh.rst
++++ b/docs/manpages/virsh.rst
+@@ -562,6 +562,7 @@ domcapabilities
+ ::
+ 
+    domcapabilities [virttype] [emulatorbin] [arch] [machine]
++                   [--disable-deprecated-features]
+ 
+ 
+ Print an XML document describing the domain capabilities for the
+@@ -596,6 +597,11 @@ supplied along with either the *emulatorbin* or *arch* in order to
+ generate output for the default *machine*.  Supplying a *machine*
+ value will generate output for the specific machine.
+ 
++The **--disable-deprecated-features** argument will modify the contents
++of host-model CPU XML, updating the features list with any features
++flagged as deprecated for the CPU model by the hypervisor. These
++features will be paired with the "disable" policy.
++
+ 
+ pool-capabilities
+ -----------------
+diff --git a/tools/virsh-host.c b/tools/virsh-host.c
+index 5ee3834de2..874875b378 100644
+--- a/tools/virsh-host.c
++++ b/tools/virsh-host.c
+@@ -91,6 +91,10 @@ static const vshCmdOptDef opts_domcapabilities[] = {
+      .type = VSH_OT_STRING,
+      .help = N_("machine type (/domain/os/type/@machine)"),
+     },
++    {.name = "disable-deprecated-features",
++     .type = VSH_OT_BOOL,
++     .help = N_("report host CPU model with deprecated features disabled"),
++    },
+     {.name = NULL}
+ };
+ 
+@@ -102,9 +106,12 @@ cmdDomCapabilities(vshControl *ctl, const vshCmd *cmd)
+     const char *emulatorbin = NULL;
+     const char *arch = NULL;
+     const char *machine = NULL;
+-    const unsigned int flags = 0; /* No flags so far */
++    unsigned int flags = 0;
+     virshControl *priv = ctl->privData;
+ 
++    if (vshCommandOptBool(cmd, "disable-deprecated-features"))
++        flags |= VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES;
++
+     if (vshCommandOptStringReq(ctl, cmd, "virttype", &virttype) < 0 ||
+         vshCommandOptStringReq(ctl, cmd, "emulatorbin", &emulatorbin) < 0 ||
+         vshCommandOptStringReq(ctl, cmd, "arch", &arch) < 0 ||
+-- 
+2.49.0

SPECS/libvirt.spec

@@ -210,7 +210,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 8.0.0
-Release: 19%{?dist}%{?extra_release}
+Release: 23.4%{?dist}%{?extra_release}
 License: LGPLv2+
 URL: https://libvirt.org/
 
@@ -306,6 +306,31 @@ Patch83: libvirt-vircpi-Add-PCIe-5.0-and-6.0-link-speeds.patch
 Patch84: libvirt-conf-Make-VIR_DOMAIN_NET_TYPE_ETHERNET-not-share-host-view.patch
 Patch85: libvirt-qemu-domain-Fix-logic-when-tainting-domain.patch
 Patch86: libvirt-qemu-agent-Make-fetching-of-can-offline-member-from-guest-query-vcpus-optional.patch
+Patch87: libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
+Patch88: libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
+Patch89: libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
+Patch90: libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
+Patch91: libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
+Patch92: libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
+Patch93: libvirt-qemu-relax-shared-memory-check-for-vhostuser-daemons.patch
+Patch94: libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
+Patch95: libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
+Patch96: libvirt-nodedev-update-transient-mdevs.patch
+Patch97: libvirt-lib-Set-up-cpuset-controller-for-restrictive-numatune.patch
+Patch98: libvirt-virnuma-Avoid-integer-overflow-in-virNumaGetPages.patch
+Patch99: libvirt-remote-check-for-negative-array-lengths-before-allocation.patch
+Patch100: libvirt-util-Fix-error-return-for-virProcessKillPainfullyDelay.patch
+Patch101: libvirt-rpc-ensure-temporary-GSource-is-removed-from-client-event-loop.patch
+Patch102: libvirt-virStorageBackendLogicalCheckPool-Properly-mark-empty-logical-pools-as-active.patch
+Patch103: libvirt-util-xml-Introduce-virXMLNodeGetSubelementList.patch
+Patch104: libvirt-util-xml-Return-GPtrArray-from-virXMLNodeGetSubelement-partial.patch
+Patch105: libvirt-qemuMonitorJSONGetCPUModelExpansion-refactor-parsing-functions.patch
+Patch106: libvirt-qemu-parse-deprecated-props-from-query-cpu-model-expansion-response.patch
+Patch107: libvirt-qemu_capabilities-query-deprecated-features-for-host-model.patch
+Patch108: libvirt-libvirt-domain-introduce-VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES.patch
+Patch109: libvirt-qemu_capabilities-filter-deprecated-features-if-requested.patch
+Patch110: libvirt-virsh-add-disable-deprecated-features-flag-to-domcapabilities.patch
+Patch111: libvirt-conf-add-deprecated_features-attribute.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2185,6 +2210,47 @@ exit 0
 
 
 %changelog
+* Thu Jun  5 2025 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-23.4.el8
+- util: xml: Introduce virXMLNodeGetSubelementList (RHEL-88716)
+- util: xml: Return GPtrArray from virXMLNodeGetSubelement [partial] (RHEL-88716)
+- qemuMonitorJSONGetCPUModelExpansion: refactor parsing functions (RHEL-88716)
+- qemu: parse deprecated-props from query-cpu-model-expansion response (RHEL-88716)
+- qemu_capabilities: query deprecated features for host-model (RHEL-88716)
+- libvirt-domain: introduce VIR_CONNECT_GET_DOMAIN_CAPABILITIES_DISABLE_DEPRECATED_FEATURES (RHEL-88716)
+- qemu_capabilities: filter deprecated features if requested (RHEL-88716)
+- virsh: add --disable-deprecated-features flag to domcapabilities (RHEL-88716)
+- conf: add deprecated_features attribute (RHEL-88716)
+
+* Wed Nov  6 2024 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-23.3.el8
+- virStorageBackendLogicalCheckPool: Properly mark empty logical pools as active (RHEL-65771)
+
+* Thu Jun  6 2024 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-23.2.el8
+- util: Fix error return for virProcessKillPainfullyDelay() (RHEL-36064)
+- rpc: ensure temporary GSource is removed from client event loop (CVE-2024-4418)
+
+* Tue Apr  9 2024 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-23.1.el8
+- remote: check for negative array lengths before allocation (CVE-2024-2494)
+
+* Tue Dec 12 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-23
+- virnuma: Avoid integer overflow in virNumaGetPages() (rhbz#RHEL-16749)
+
+* Mon Jul 31 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-22
+- lib: Set up cpuset controller for restrictive numatune (rhbz#2223464)
+
+* Thu Jun 22 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-21
+- nodedev: update transient mdevs (rhbz#2143160)
+
+* Fri May 19 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-20
+- qemu: monitor: Drop old monitor fields from 'struct _qemuMonitorMessage' (rhbz#2170472)
+- qemu: Make 'struct _qemuMonitorMessage' private (rhbz#2170472)
+- qemu: monitor: Move declaration of struct _qemuMonitor to qemu_monitor_priv.h (rhbz#2170472)
+- qemu: qemuBlockGetNamedNodeData: Remove pointless error path (rhbz#2170472)
+- qemu: monitor: Store whether 'query-named-block-nodes' supports 'flat' parameter (rhbz#2170472)
+- qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat' mode of query-named-block-nodes (rhbz#2170472)
+- qemu: relax shared memory check for vhostuser daemons (rhbz#2177701)
+- virpci: Resolve leak in virPCIVirtualFunctionList cleanup (CVE-2023-2700)
+- node_device_conf: Avoid memleak in virNodeDeviceGetPCIVPDDynamicCap() (CVE-2023-2700)
+
 * Tue Mar 14 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-19
 - qemu: domain: Fix logic when tainting domain (rhbz#2174447)
 - qemu: agent: Make fetching of 'can-offline' member from 'guest-query-vcpus' optional (rhbz#2174447)