From acaf2bc0831df69fdfbfe33b96119b2bc2119166 Mon Sep 17 00:00:00 2001
From: Jiri Denemark <jdenemar@redhat.com>
Date: Fri, 6 Mar 2026 17:42:54 +0100
Subject: [PATCH] libvirt-11.10.0-11.el9

- domain_conf: initialize network hostdev private data (RHEL-151953)
- qemu_hotplug: enter monitor in order to rollback passed FD (RHEL-151953)

Resolves: RHEL-151953
---
 ...tialize-network-hostdev-private-data.patch | 94 +++++++++++++++++++
 ...nitor-in-order-to-rollback-passed-FD.patch | 46 +++++++++
 libvirt.spec                                  |  8 +-
 3 files changed, 147 insertions(+), 1 deletion(-)
 create mode 100644 libvirt-domain_conf-initialize-network-hostdev-private-data.patch
 create mode 100644 libvirt-qemu_hotplug-enter-monitor-in-order-to-rollback-passed-FD.patch

diff --git a/libvirt-domain_conf-initialize-network-hostdev-private-data.patch b/libvirt-domain_conf-initialize-network-hostdev-private-data.patch
new file mode 100644
index 0000000..5296517
--- /dev/null
+++ b/libvirt-domain_conf-initialize-network-hostdev-private-data.patch
@@ -0,0 +1,94 @@
+From 51ada853c575b6361d013e1b594d918d862f873b Mon Sep 17 00:00:00 2001
+Message-ID: <51ada853c575b6361d013e1b594d918d862f873b.1772815374.git.jdenemar@redhat.com>
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Thu, 26 Feb 2026 10:18:23 +0100
+Subject: [PATCH] domain_conf: initialize network hostdev private data
+
+Currently virDomainNetDef and virDomainActualNetDef use
+virDomainHostdevDef directly as structure and the code doesn't call
+virDomainHostdevDefNew() that would initialize private data.
+
+This is hackish quick fix to solve a crash that happens in two
+scenarios:
+
+1. attaching any interface with hostdev backend
+
+0x0000fffbfc0e2a90 in qemuDomainAttachHostPCIDevice (driver=0xfffbb4006750, vm=0xfffbf001f790, hostdev=0xfffbf400b150) at ../src/qemu/qemu_hotplug.c:1652
+1652 if ((ret = qemuFDPassDirectTransferMonitor(hostdevPriv->vfioDeviceFd, priv->mon)) < 0)
+
+2. starting VM with interface with hostdev backend using iommufd
+
+0x00007f6638d5b9ca in qemuProcessOpenVfioDeviceFd (hostdev=hostdev@entry=0x7f6634425ee0) at ../src/qemu/qemu_process.c:7719
+7719	    hostdevPriv->vfioDeviceFd = qemuFDPassDirectNew(name, &vfioDeviceFd);
+
+Proper fix for this issue is to refactor network code to use pointer and to
+use virDomainHostdevDefNew().
+
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+(cherry picked from commit fe782ed334ea0d4373e6dad093f5815fc925a56b)
+
+https://issues.redhat.com/browse/RHEL-151953
+
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/conf/domain_conf.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index cb047e5a3e..df05d96f01 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -3489,6 +3489,20 @@ void virDomainVideoDefFree(virDomainVideoDef *def)
+ }
+ 
+ 
++static int
++virDomainHostdevDefPrivateDataNew(virDomainHostdevDef *def,
++                                  virDomainXMLOption *xmlopt)
++{
++    if (!xmlopt || !xmlopt->privateData.hostdevNew)
++        return 0;
++
++    if (!(def->privateData = xmlopt->privateData.hostdevNew()))
++        return -1;
++
++    return 0;
++}
++
++
+ virDomainHostdevDef *
+ virDomainHostdevDefNew(virDomainXMLOption *xmlopt)
+ {
+@@ -3498,8 +3512,7 @@ virDomainHostdevDefNew(virDomainXMLOption *xmlopt)
+ 
+     def->info = g_new0(virDomainDeviceInfo, 1);
+ 
+-    if (xmlopt && xmlopt->privateData.hostdevNew &&
+-        !(def->privateData = xmlopt->privateData.hostdevNew())) {
++    if (virDomainHostdevDefPrivateDataNew(def, xmlopt) < 0) {
+         VIR_FREE(def->info);
+         VIR_FREE(def);
+         return NULL;
+@@ -9653,6 +9666,9 @@ virDomainActualNetDefParseXML(xmlNodePtr node,
+         virDomainHostdevDef *hostdev = &actual->data.hostdev.def;
+         int type;
+ 
++        if (virDomainHostdevDefPrivateDataNew(hostdev, xmlopt) < 0)
++            goto error;
++
+         hostdev->parentnet = parent;
+         hostdev->info = &parent->info;
+         /* The helper function expects type to already be found and
+@@ -10346,6 +10362,9 @@ virDomainNetDefParseXML(virDomainXMLOption *xmlopt,
+         g_autofree char *addrtype = virXPathString("string(./source/address/@type)", ctxt);
+         int type;
+ 
++        if (virDomainHostdevDefPrivateDataNew(&def->data.hostdev.def, xmlopt) < 0)
++            return NULL;
++
+         def->data.hostdev.def.parentnet = def;
+         def->data.hostdev.def.info = &def->info;
+         def->data.hostdev.def.mode = VIR_DOMAIN_HOSTDEV_MODE_SUBSYS;
+-- 
+2.53.0
diff --git a/libvirt-qemu_hotplug-enter-monitor-in-order-to-rollback-passed-FD.patch b/libvirt-qemu_hotplug-enter-monitor-in-order-to-rollback-passed-FD.patch
new file mode 100644
index 0000000..8d1a04b
--- /dev/null
+++ b/libvirt-qemu_hotplug-enter-monitor-in-order-to-rollback-passed-FD.patch
@@ -0,0 +1,46 @@
+From cff0f011f46b13ae363b9938e65a071584b16327 Mon Sep 17 00:00:00 2001
+Message-ID: <cff0f011f46b13ae363b9938e65a071584b16327.1772815374.git.jdenemar@redhat.com>
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Thu, 26 Feb 2026 10:54:18 +0100
+Subject: [PATCH] qemu_hotplug: enter monitor in order to rollback passed FD
+
+Reported-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 4374dbbbf0d87f0052dd96be96baad6c20963713)
+
+https://issues.redhat.com/browse/RHEL-151953
+
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/qemu/qemu_hotplug.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
+index a455c2cd53..bb88815e27 100644
+--- a/src/qemu/qemu_hotplug.c
++++ b/src/qemu/qemu_hotplug.c
+@@ -1682,15 +1682,16 @@ qemuDomainAttachHostPCIDevice(virQEMUDriver *driver,
+     if (teardownmemlock && qemuDomainAdjustMaxMemLock(vm) < 0)
+         VIR_WARN("Unable to reset maximum locked memory on hotplug fail");
+ 
+-    if (removeiommufd) {
+-        qemuDomainObjEnterMonitor(vm);
++    qemuDomainObjEnterMonitor(vm);
++
++    if (removeiommufd)
+         ignore_value(qemuMonitorDelObject(priv->mon, "iommufd0", false));
+-        qemuDomainObjExitMonitor(vm);
+-    }
+ 
+     qemuFDPassDirectTransferMonitorRollback(hostdevPriv->vfioDeviceFd, priv->mon);
+     qemuFDPassDirectTransferMonitorRollback(priv->iommufd, priv->mon);
+ 
++    qemuDomainObjExitMonitor(vm);
++
+     if (releaseaddr)
+         qemuDomainReleaseDeviceAddress(vm, info);
+ 
+-- 
+2.53.0
diff --git a/libvirt.spec b/libvirt.spec
index bf26028..f5fc5d4 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -294,7 +294,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 11.10.0
-Release: 10%{?dist}%{?extra_release}
+Release: 11%{?dist}%{?extra_release}
 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
 URL: https://libvirt.org/
 
@@ -376,6 +376,8 @@ Patch71: libvirt-conf-Introduce-iommufd-enum-for-domaincaps.patch
 Patch72: libvirt-qemu-Fill-iommufd-domain-capability.patch
 Patch73: libvirt-tests-properly-mock-VFIO-and-IOMMU-checks.patch
 Patch74: libvirt-iommufd-fix-FD-leak-in-case-of-error.patch
+Patch75: libvirt-domain_conf-initialize-network-hostdev-private-data.patch
+Patch76: libvirt-qemu_hotplug-enter-monitor-in-order-to-rollback-passed-FD.patch
 
 
 Requires: libvirt-daemon = %{version}-%{release}
@@ -2767,6 +2769,10 @@ exit 0
 %endif
 
 %changelog
+* Fri Mar  6 2026 Jiri Denemark <jdenemar@redhat.com> - 11.10.0-11
+- domain_conf: initialize network hostdev private data (RHEL-151953)
+- qemu_hotplug: enter monitor in order to rollback passed FD (RHEL-151953)
+
 * Wed Feb 18 2026 Jiri Denemark <jdenemar@redhat.com> - 11.10.0-10
 - qemu: Introduce QEMU_CAPS_OBJECT_IOMMUFD (RHEL-150353)
 - qemu: Move IOMMUFD validation to qemu_validate (RHEL-150353)