From 722e8085db76a4334d6eac2a4668ce0a24bb6bbd Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Wed, 12 Jul 2023 13:43:01 +0000
Subject: [PATCH] Fix CVE-2023-2700 + bugfixes
---
 ...-in-virNodeDeviceGetPCIVPDDynamicCap.patch | 53 ++++++
 ...e-struct-_qemuMonitorMessage-private.patch | 106 ++++++++++++
 ...elds-from-struct-_qemuMonitorMessage.patch | 45 +++++
 ...-_qemuMonitor-to-qemu_monitor_priv.h.patch | 158 ++++++++++++++++++
 ...-block-nodes-supports-flat-parameter.patch | 58 +++++++
 ...NodeData-Remove-pointless-error-path.patch | 54 ++++++
 ...flat-mode-of-query-named-block-nodes.patch | 42 +++++
 ...in-virPCIVirtualFunctionList-cleanup.patch | 57 +++++++
 SPECS/libvirt.spec | 21 ++-
 9 files changed, 593 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
 create mode 100644 SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
 create mode 100644 SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
 create mode 100644 SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
 create mode 100644 SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
 create mode 100644 SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
 create mode 100644 SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
 create mode 100644 SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
diff --git a/SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch b/SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
new file mode 100644
index 0000000..129931f
--- /dev/null
+++ b/SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
@@ -0,0 +1,53 @@
+From 989a569c9c9da0fbf89aab7f292669366b2503f1 Mon Sep 17 00:00:00 2001
+Message-Id: <989a569c9c9da0fbf89aab7f292669366b2503f1@dist-git>
+From: Michal Privoznik
+Date: Wed, 30 Nov 2022 14:53:21 +0100
+Subject: [PATCH] node_device_conf: Avoid memleak in
+ virNodeDeviceGetPCIVPDDynamicCap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virNodeDeviceGetPCIVPDDynamicCap() function is called from
+virNodeDeviceGetPCIDynamicCaps() and therefore has to be a wee
+bit more clever about adding VPD capability. Namely, it has to
+remove the old one before adding a new one. This is how other
+functions called from virNodeDeviceGetPCIDynamicCaps() behave
+as well.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2143235
+Signed-off-by: Michal Privoznik
+Reviewed-by: Peter Krempa
+(cherry picked from commit 64d32118540aca3d42bc5ee21c8b780cafe04bfa)
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700
+Signed-off-by: Ján Tomko
+Signed-off-by: David Sloboda
+---
+ src/conf/node_device_conf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
+index 16b9497faf..eee94a3900 100644
+--- a/src/conf/node_device_conf.c
++++ b/src/conf/node_device_conf.c
+@@ -3100,6 +3100,9 @@ virNodeDeviceGetPCIVPDDynamicCap(virNodeDevCapPCIDev *devCapPCIDev)
+ virPCIDeviceAddress devAddr;
+ g_autoptr(virPCIVPDResource) res = NULL;
+
++ g_clear_pointer(&devCapPCIDev->vpd, virPCIVPDResourceFree);
++ devCapPCIDev->flags &= ~VIR_NODE_DEV_CAP_FLAG_PCI_VPD;
++
+ devAddr.domain = devCapPCIDev->domain;
+ devAddr.bus = devCapPCIDev->bus;
+ devAddr.slot = devCapPCIDev->slot;
+@@ -3113,8 +3116,6 @@ virNodeDeviceGetPCIVPDDynamicCap(virNodeDevCapPCIDev *devCapPCIDev)
+ if ((res = virPCIDeviceGetVPD(pciDev))) {
+ devCapPCIDev->flags |= VIR_NODE_DEV_CAP_FLAG_PCI_VPD;
+ devCapPCIDev->vpd = g_steal_pointer(&res);
+- } else {
+- virPCIVPDResourceFree(g_steal_pointer(&devCapPCIDev->vpd));
+ }
+ }
+ return 0;
+--
+2.40.1
diff --git a/SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch b/SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
new file mode 100644
index 0000000..161a257
--- /dev/null
+++ b/SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
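Review bot: The two lines added at the top of virNodeDeviceGetPCIVPDDynamicCap(), `g_clear_pointer(&devCapPCIDev->vpd, virPCIVPDResourceFree);` and the flag clear, carry no comment explaining why the previous VPD capability has to be dropped before the device is probed again, yet that invariant (the function is re-run from virNodeDeviceGetPCIDynamicCaps() on every caps refresh, per the commit message) is exactly what the leak fix rests on. I would add `/* Re-run on every dynamic-caps refresh: drop the previous VPD capability first so repeated refreshes neither leak it nor report stale data. */` above the g_clear_pointer() line. Note that the reset now happens before pciDev is obtained and virPCIDeviceGetVPD() is called, so any early-return path in the code between the two hunks leaves the device with no VPD capability instead of the previous one; that looks intended, but it is worth a word in the same comment. The body of the function between and after the hunks is outside this view.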
@@ -0,0 +1,106 @@
+From 85b7d8295d72214b08f0fff93c473baaa88a569b Mon Sep 17 00:00:00 2001
+Message-Id: <85b7d8295d72214b08f0fff93c473baaa88a569b@dist-git>
+From: Peter Krempa
+Date: Mon, 14 Feb 2022 15:57:21 +0100
+Subject: [PATCH] qemu: Make 'struct _qemuMonitorMessage' private
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Move the declaration of the struct into 'qemu_monitor_priv.h' as other
+code has no business in peeking into the monitor messages.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Ján Tomko
+(cherry picked from commit f9ae469a6ebb17e0990096e826f049c1c46cd760)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda
+---
+ src/qemu/qemu_monitor.h | 14 --------------
+ src/qemu/qemu_monitor_json.c | 3 +++
+ src/qemu/qemu_monitor_priv.h | 16 ++++++++++++++++
+ tests/qemucapsprobemock.c | 3 +++
+ 4 files changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
+index a4a4edf5a6..d00967d84f 100644
+--- a/src/qemu/qemu_monitor.h
++++ b/src/qemu/qemu_monitor.h
+@@ -34,21 +34,7 @@
+ #include "virenum.h"
+
+ typedef struct _qemuMonitor qemuMonitor;
+-
+ typedef struct _qemuMonitorMessage qemuMonitorMessage;
+-struct _qemuMonitorMessage {
+- int txFD;
+-
+- const char *txBuffer;
+- int txOffset;
+- int txLength;
+-
+- /* Used by the JSON monitor to hold reply / error */
+- void *rxObject;
+-
+- /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
+- bool finished;
+-};
+
+ typedef enum {
+ QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_NONE = 0,
+diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
+index 34a46b9b41..7d8755246f 100644
+--- a/src/qemu/qemu_monitor_json.c
++++ b/src/qemu/qemu_monitor_json.c
+@@ -44,6 +44,9 @@
+ # include "libvirt_qemu_probes.h"
+ #endif
+
++#define LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW
++#include "qemu_monitor_priv.h"
++
+ #define VIR_FROM_THIS VIR_FROM_QEMU
+
+ VIR_LOG_INIT("qemu.qemu_monitor_json");
+diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
+index 31bb3526b9..6115f830de 100644
+--- a/src/qemu/qemu_monitor_priv.h
++++ b/src/qemu/qemu_monitor_priv.h
+@@ -24,5 +24,21 @@
+
+ #include "qemu_monitor.h"
+
++
++struct _qemuMonitorMessage {
++ int txFD;
++
++ const char *txBuffer;
++ int txOffset;
++ int txLength;
++
++ /* Used by the JSON monitor to hold reply / error */
++ void *rxObject;
++
++ /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
++ bool finished;
++};
++
++
+ void
+ qemuMonitorResetCommandID(qemuMonitor *mon);
+diff --git a/tests/qemucapsprobemock.c b/tests/qemucapsprobemock.c
+index 915036d178..2717ed5d84 100644
+--- a/tests/qemucapsprobemock.c
++++ b/tests/qemucapsprobemock.c
+@@ -25,6 +25,9 @@
+ #include "qemu/qemu_monitor.h"
+ #include "qemu/qemu_monitor_json.h"
+
++#define LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW
++#include "qemu/qemu_monitor_priv.h"
++
+ #define REAL_SYM(realFunc) \
+ do { \
+ if (!realFunc && !(realFunc = dlsym(RTLD_NEXT, __FUNCTION__))) { \
+--
+2.40.1
diff --git a/SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch b/SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
new file mode 100644
index 0000000..75c52f8
--- /dev/null
+++ b/SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
@@ -0,0 +1,45 @@
+From a4d8210ae9fd84740e01b96d28bfb6183f3f3270 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Peter Krempa
+Date: Mon, 14 Feb 2022 16:02:29 +0100
+Subject: [PATCH] qemu: monitor: Drop old monitor fields from 'struct
+ _qemuMonitorMessage'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The fields are no longer used since we've deleted support for HMP-only
+qemus. The HMP command pass-through works via a QMP command.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Ján Tomko
+(cherry picked from commit c5eb99a9d9af8683789e99cc904671e343580058)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda
+---
+ src/qemu/qemu_monitor.h | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
+index d2037914be..a4a4edf5a6 100644
+--- a/src/qemu/qemu_monitor.h
++++ b/src/qemu/qemu_monitor.h
+@@ -43,15 +43,10 @@ struct _qemuMonitorMessage {
+ int txOffset;
+ int txLength;
+
+- /* Used by the text monitor reply / error */
+- char *rxBuffer;
+- int rxLength;
+ /* Used by the JSON monitor to hold reply / error */
+ void *rxObject;
+
+- /* True if rxBuffer / rxObject are ready, or a
+- * fatal error occurred on the monitor channel
+- */
++ /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
+ bool finished;
+ };
+
+--
+2.40.1
diff --git a/SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch b/SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
new file mode 100644
index 0000000..81867e6
--- /dev/null
+++ b/SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
@@ -0,0 +1,158 @@
+From c2ed5aeee7bf365877e0764699f032fb749630b0 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Peter Krempa
+Date: Mon, 14 Feb 2022 16:07:41 +0100
+Subject: [PATCH] qemu: monitor: Move declaration of struct _qemuMonitor to
+ qemu_monitor_priv.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In order to mock the SCM_RIGHTS sendmsg to simulate sending
+filedescriptors to fake qemu in tests we need access to some fields of
+'struct _qemuMonitor'. Move its declaration to the private header file.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Ján Tomko
+(cherry picked from commit 7c35c483eaa78eb847e0865cbb210d5355f75d7a)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda
+---
+ src/qemu/qemu_monitor.c | 50 ---------------------------------
+ src/qemu/qemu_monitor_priv.h | 54 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 50 deletions(-)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 23638d3fe8..bba92592c5 100644
+--- a/src/qemu/qemu_monitor.c
++++ b/src/qemu/qemu_monitor.c
+@@ -65,56 +65,6 @@ VIR_LOG_INIT("qemu.qemu_monitor");
+ */
+ #define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
+
+-struct _qemuMonitor {
+- virObjectLockable parent;
+-
+- virCond notify;
+-
+- int fd;
+-
+- GMainContext *context;
+- GSocket *socket;
+- GSource *watch;
+-
+- virDomainObj *vm;
+- char *domainName;
+-
+- qemuMonitorCallbacks *cb;
+- void *callbackOpaque;
+-
+- /* If there's a command being processed this will be
+- * non-NULL */
+- qemuMonitorMessage *msg;
+-
+- /* Buffer incoming data ready for Text/QMP monitor
+- * code to process & find message boundaries */
+- size_t bufferOffset;
+- size_t bufferLength;
+- char *buffer;
+-
+- /* If anything went wrong, this will be fed back
+- * the next monitor msg */
+- virError lastError;
+-
+- /* Set to true when EOF is detected on the monitor */
+- bool goteof;
+-
+- int nextSerial;
+-
+- bool waitGreeting;
+-
+- /* If found, path to the virtio memballoon driver */
+- char *balloonpath;
+- bool ballooninit;
+-
+- /* Log file context of the qemu process to dig for usable info */
+- qemuMonitorReportDomainLogError logFunc;
+- void *logOpaque;
+- virFreeCallback logDestroy;
+-
+- /* true if qemu no longer wants 'props' sub-object of object-add */
+- bool objectAddNoWrap;
+-};
+
+ /**
+ * QEMU_CHECK_MONITOR_FULL:
+diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
+index 6115f830de..606aa79fbd 100644
+--- a/src/qemu/qemu_monitor_priv.h
++++ b/src/qemu/qemu_monitor_priv.h
+@@ -24,6 +24,8 @@
+
+ #include "qemu_monitor.h"
+
++#include
++
+
+ struct _qemuMonitorMessage {
+ int txFD;
+@@ -40,5 +42,57 @@ struct _qemuMonitorMessage {
+ };
+
+
++struct _qemuMonitor {
++ virObjectLockable parent;
++
++ virCond notify;
++
++ int fd;
++
++ GMainContext *context;
++ GSocket *socket;
++ GSource *watch;
++
++ virDomainObj *vm;
++ char *domainName;
++
++ qemuMonitorCallbacks *cb;
++ void *callbackOpaque;
++
++ /* If there's a command being processed this will be
++ * non-NULL */
++ qemuMonitorMessage *msg;
++
++ /* Buffer incoming data ready for Text/QMP monitor
++ * code to process & find message boundaries */
++ size_t bufferOffset;
++ size_t bufferLength;
++ char *buffer;
++
++ /* If anything went wrong, this will be fed back
++ * the next monitor msg */
++ virError lastError;
++
++ /* Set to true when EOF is detected on the monitor */
++ bool goteof;
++
++ int nextSerial;
++
++ bool waitGreeting;
++
++ /* If found, path to the virtio memballoon driver */
++ char *balloonpath;
++ bool ballooninit;
++
++ /* Log file context of the qemu process to dig for usable info */
++ qemuMonitorReportDomainLogError logFunc;
++ void *logOpaque;
++ virFreeCallback logDestroy;
++
++ /* true if qemu no longer wants 'props' sub-object of object-add */
++ bool objectAddNoWrap;
++};
++
++
+ void
+ qemuMonitorResetCommandID(qemuMonitor *mon);
+--
+2.40.1
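Review bot: The include added to qemu_monitor_priv.h in the first hunk of that file appears as a bare `++#include` with no header name, so either the angle-bracket target was lost when this patch was rendered or the shipped patch line is genuinely malformed; given that the struct moved into this header uses `GMainContext`, `GSocket` and `GSource`, the intended line is presumably `#include <gio/gio.h>`, and it is worth confirming against the Oracle Linux source RPM the spec cites, because a broken include fails the build outright. Moving `struct _qemuMonitor`, including the raw QMP receive buffer (`char *buffer`, `bufferOffset`, `bufferLength`), out of qemu_monitor.c widens who can reach monitor internals; the `LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW` define that the qemu_monitor_json.c and test mock includes set is presumably what restricts this header to the monitor code and tests, so a one-line comment above the struct would help: `/* Internal layout: only reachable with LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW (monitor code and test mocks); not a stable ABI. */`.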
diff --git a/SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch b/SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
new file mode 100644
index 0000000..ed98199
--- /dev/null
+++ b/SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
@@ -0,0 +1,58 @@
+From b3ffc8876adf777c7baefb6e467d7552c0a03251 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Peter Krempa
+Date: Wed, 9 Nov 2022 10:53:49 +0100
+Subject: [PATCH] qemu: monitor: Store whether 'query-named-block-nodes'
+ supports 'flat' parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rather than having callers always pass this flag store it in the
+qemuMonitor object. Following patches will convert the code to use this
+internal flag.
+
+In the future this will also simplify removal when all supported qemu
+versions will support the new mode.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Ján Tomko
+(cherry picked from commit b0e4ad5263c73a926b8246028c76c552b07fca74)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda
+---
+ src/qemu/qemu_monitor.c | 4 +++-
+ src/qemu/qemu_monitor_priv.h | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index bba92592c5..99667fdf2f 100644
+--- a/src/qemu/qemu_monitor.c
++++ b/src/qemu/qemu_monitor.c
+@@ -610,8 +610,10 @@ qemuMonitorOpenInternal(virDomainObj *vm,
+ mon->cb = cb;
+ mon->callbackOpaque = opaque;
+
+- if (priv)
++ if (priv) {
+ mon->objectAddNoWrap = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_JSON);
++ mon->queryNamedBlockNodesFlat = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QMP_QUERY_NAMED_BLOCK_NODES_FLAT);
++ }
+
+ if (virSetCloseExec(mon->fd) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
+index 606aa79fbd..e32928805f 100644
+--- a/src/qemu/qemu_monitor_priv.h
++++ b/src/qemu/qemu_monitor_priv.h
+@@ -91,6 +91,8 @@ struct _qemuMonitor {
+
+ /* true if qemu no longer wants 'props' sub-object of object-add */
+ bool objectAddNoWrap;
++ /* query-named-block-nodes supports the 'flat' option */
++ bool queryNamedBlockNodesFlat;
+ };
+
+
+--
+2.40.1
diff --git a/SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch b/SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
new file mode 100644
index 0000000..70e29ab
--- /dev/null
+++ b/SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
@@ -0,0 +1,54 @@
+From 31986239312c0e460800f5b9921f6593f1556015 Mon Sep 17 00:00:00 2001
+Message-Id: <31986239312c0e460800f5b9921f6593f1556015@dist-git>
+From: Peter Krempa
+Date: Wed, 9 Nov 2022 10:45:27 +0100
+Subject: [PATCH] qemu: qemuBlockGetNamedNodeData: Remove pointless error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We don't need automatic freeing for 'blockNamedNodeData' and we can
+directly return it rather than checking it for NULL-ness first.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Ján Tomko
+(cherry picked from commit 3fe74ebd9037d695df906ed137d22a8d8d77e169)
+
+ Conflicts:
+ src/qemu/qemu_block.c
+
+ - qemuDomainObjEnter/ExitMonitor still needs 'driver'
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda
+---
+ src/qemu/qemu_block.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
+index aa566d0097..c9229d1918 100644
+--- a/src/qemu/qemu_block.c
++++ b/src/qemu/qemu_block.c
+@@ -3020,7 +3020,7 @@ qemuBlockGetNamedNodeData(virDomainObj *vm,
+ {
+ qemuDomainObjPrivate *priv = vm->privateData;
+ virQEMUDriver *driver = priv->driver;
+- g_autoptr(GHashTable) blockNamedNodeData = NULL;
++ GHashTable *blockNamedNodeData = NULL;
+ bool supports_flat = virQEMUCapsGet(priv->qemuCaps,
+ QEMU_CAPS_QMP_QUERY_NAMED_BLOCK_NODES_FLAT);
+
+@@ -3031,10 +3031,7 @@ qemuBlockGetNamedNodeData(virDomainObj *vm,
+
+ qemuDomainObjExitMonitor(driver, vm);
+
+- if (!blockNamedNodeData)
+- return NULL;
+-
+- return g_steal_pointer(&blockNamedNodeData);
++ return blockNamedNodeData;
+ }
+
+
+--
+2.40.1
diff --git a/SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch b/SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
new file mode 100644
index 0000000..6e51eb0
--- /dev/null
+++ b/SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
@@ -0,0 +1,42 @@
+From f20062e1fe1e7bca8b97d2383f9e8a06f0f4111a Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Peter Krempa
+Date: Wed, 9 Nov 2022 11:06:25 +0100
+Subject: [PATCH] qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat'
+ mode of query-named-block-nodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+'query-named-block-nodes' in non-flat mode returns redundantly nested
+data under the 'backing-image' field. Fortunately we don't need it when
+updating the capacity stats.
+
+This function was unfortunately not fixed originally when the support
+for flat mode was added. Use the flat cached in the monitor object to
+force flat mode if available.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Ján Tomko
+(cherry picked from commit bbd4d4899391b3bd1906cce61a3634f42f4b1bdf)
+https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda
+---
+ src/qemu/qemu_monitor_json.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
+index 7d8755246f..789554e225 100644
+--- a/src/qemu/qemu_monitor_json.c
++++ b/src/qemu/qemu_monitor_json.c
+@@ -2679,7 +2679,7 @@ qemuMonitorJSONBlockStatsUpdateCapacityBlockdev(qemuMonitor *mon,
+ {
+ g_autoptr(virJSONValue) nodes = NULL;
+
+- if (!(nodes = qemuMonitorJSONQueryNamedBlockNodes(mon, false)))
++ if (!(nodes = qemuMonitorJSONQueryNamedBlockNodes(mon, mon->queryNamedBlockNodesFlat)))
+ return -1;
+
+ if (virJSONValueArrayForeachSteal(nodes,
+--
+2.40.1
diff --git a/SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch b/SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
new file mode 100644
index 0000000..48ebb56
--- /dev/null
+++ b/SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
@@ -0,0 +1,57 @@
+From 0e91f4dc214d01e9d9537b1111ce67010530fd20 Mon Sep 17 00:00:00 2001
+Message-Id: <0e91f4dc214d01e9d9537b1111ce67010530fd20@dist-git>
+From: Tim Shearer
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+
+Valgrind output after getting a single interface's XML description
+1000 times:
+
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982== by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+
+Signed-off-by: Tim Shearer
+Reviewed-by: Ján Tomko
+(cherry picked from commit 6425a311b8ad19d6f9c0b315bf1d722551ea3585)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2196351
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700
+
+Signed-off-by: Ján Tomko
+Signed-off-by: David Sloboda
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/virpci.c b/src/util/virpci.c
+index 4949d1a3d4..2714d11a7d 100644
+--- a/src/util/virpci.c
++++ b/src/util/virpci.c
+@@ -2255,6 +2255,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
+ g_free(list->functions[i].ifname);
+ }
+
++ g_free(list->functions);
+ g_free(list);
+ }
+
+--
+2.40.1
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index bf8f899..337378b 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -210,7 +210,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 8.0.0
-Release: 19%{?dist}%{?extra_release}
+Release: 19.2%{?dist}%{?extra_release}.alma
 License: LGPLv2+
 URL: https://libvirt.org/
@@ -306,6 +306,15 @@ Patch83: libvirt-vircpi-Add-PCIe-5.0-and-6.0-link-speeds.patch
 Patch84: libvirt-conf-Make-VIR_DOMAIN_NET_TYPE_ETHERNET-not-share-host-view.patch
 Patch85: libvirt-qemu-domain-Fix-logic-when-tainting-domain.patch
 Patch86: libvirt-qemu-agent-Make-fetching-of-can-offline-member-from-guest-query-vcpus-optional.patch
+# Patches taken from Oracle Linux libvirt-8.0.0-19.0.2.module+el8.8.0+21112+1cc1a24b.src.rpm
+Patch87: libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
+Patch88: libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
+Patch89: libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
+Patch90: libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
+Patch91: libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
+Patch92: libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
+Patch93: libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
+Patch94: libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
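Review bot: The added `g_free(list->functions);` in virPCIVirtualFunctionListFree() is the right fix for the array leak the valgrind trace pins on virAppendElement(), but the head of the function, including the loop whose only visible statement is `g_free(list->functions[i].ifname);`, starts outside the hunk, so I cannot confirm from here that every heap-owned member of each virPCIVirtualFunction entry is released; if an entry also owns an allocated address, that would be a second leak with the same trigger. The trigger is worth spelling out in the patch or a comment: the trace ends in nodeDeviceGetXMLDesc(), which I would expect to be reachable from read-only connections, so each query of an SR-IOV device's XML grows the daemon by one unfreed array, i.e. a remote memory-exhaustion DoS, which is why this carries a CVE rather than being a plain leak. A regression test that fetches the same SR-IOV nodedev's XML in a loop under ASan or valgrind would keep it from regressing. I would also put `/* free the array itself, not only each entry's members */` above the new line.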
@@ -2185,6 +2194,16 @@ exit 0
 %changelog
+* Wed Jul 12 2023 Andrew Lukoshko - 8.0.0-19.2.alma
+- qemu: monitor: Drop old monitor fields from 'struct _qemuMonitorMessage'
+- qemu: Make 'struct _qemuMonitorMessage' private
+- qemu: monitor: Move declaration of struct _qemuMonitor to qemu_monitor_priv.h
+- qemu: qemuBlockGetNamedNodeData: Remove pointless error path
+- qemu: monitor: Store whether 'query-named-block-nodes' supports 'flat' parameter
+- qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat' mode of query-named-block-nodes
+- virpci: Resolve leak in virPCIVirtualFunctionList cleanup [CVE-2023-2700]
+- node_device_conf: Avoid memleak in virNodeDeviceGetPCIVPDDynamicCap() [CVE-2023-2700]
+
 * Tue Mar 14 2023 Jiri Denemark - 8.0.0-19
 - qemu: domain: Fix logic when tainting domain (rhbz#2174447)
 - qemu: agent: Make fetching of 'can-offline' member from 'guest-query-vcpus' optional (rhbz#2174447)