* Mon Feb 07 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-7

- kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch [bz#1962088]
- kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch [bz#1962088]
- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2046201]
- kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch [bz#2034791]
- kvm-block-rbd-workaround-for-ceph-issue-53784.patch [bz#2034791]
- Resolves: bz#1962088
  ([QSD] wrong help message for the fuse)
- Resolves: bz#2046201
  (CVE-2022-0358 qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-9.0])
- Resolves: bz#2034791
  (Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD)

kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch

@@ -0,0 +1,59 @@
+From d374d5aa4485a0c62d6b48eec64491cae2fd0873 Mon Sep 17 00:00:00 2001
+From: Peter Lieven <pl@kamp.de>
+Date: Thu, 13 Jan 2022 15:44:25 +0100
+Subject: [PATCH 4/5] block/rbd: fix handling of holes in .bdrv_co_block_status
+
+RH-Author: Stefano Garzarella <sgarzare@redhat.com>
+RH-MergeRequest: 68: block/rbd: fix handling of holes in .bdrv_co_block_status
+RH-Commit: [1/2] 8ef178b01885e3c292f7844ccff865b1a8d4faf0 (sgarzarella/qemu-kvm-c-9-s)
+RH-Bugzilla: 2034791
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+the assumption that we can't hit a hole if we do not diff against a snapshot was wrong.
+
+We can see a hole in an image if we diff against base if there exists an older snapshot
+of the image and we have discarded blocks in the image where the snapshot has data.
+
+Fix this by simply handling a hole like an unallocated area. There are no callbacks
+for unallocated areas so just bail out if we hit a hole.
+
+Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
+Suggested-by: Ilya Dryomov <idryomov@gmail.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Message-Id: <20220113144426.4036493-2-pl@kamp.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 9e302f64bb407a9bb097b626da97228c2654cfee)
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+---
+ block/rbd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index def96292e0..20bb896c4a 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1279,11 +1279,11 @@ static int qemu_rbd_diff_iterate_cb(uint64_t offs, size_t len,
+     RBDDiffIterateReq *req = opaque;
+ 
+     assert(req->offs + req->bytes <= offs);
+-    /*
+-     * we do not diff against a snapshot so we should never receive a callback
+-     * for a hole.
+-     */
+-    assert(exists);
++
++    /* treat a hole like an unallocated area and bail out */
++    if (!exists) {
++        return 0;
++    }
+ 
+     if (!req->exists && offs > req->offs) {
+         /*
+-- 
+2.27.0
+

kvm-block-rbd-workaround-for-ceph-issue-53784.patch

@@ -0,0 +1,103 @@
+From f035b5250529eed8d12e0b93b1b6d6f2c50003f6 Mon Sep 17 00:00:00 2001
+From: Peter Lieven <pl@kamp.de>
+Date: Thu, 13 Jan 2022 15:44:26 +0100
+Subject: [PATCH 5/5] block/rbd: workaround for ceph issue #53784
+
+RH-Author: Stefano Garzarella <sgarzare@redhat.com>
+RH-MergeRequest: 68: block/rbd: fix handling of holes in .bdrv_co_block_status
+RH-Commit: [2/2] 5feaa2e20a77886cc1a84cdf212ade3dcda28289 (sgarzarella/qemu-kvm-c-9-s)
+RH-Bugzilla: 2034791
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+librbd had a bug until early 2022 that affected all versions of ceph that
+supported fast-diff. This bug results in reporting of incorrect offsets
+if the offset parameter to rbd_diff_iterate2 is not object aligned.
+
+This patch works around this bug for pre Quincy versions of librbd.
+
+Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Lieven <pl@kamp.de>
+Message-Id: <20220113144426.4036493-3-pl@kamp.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Tested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit fc176116cdea816ceb8dd969080b2b95f58edbc0)
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+---
+ block/rbd.c | 42 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 20bb896c4a..8f183eba2a 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1320,6 +1320,7 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+     int status, r;
+     RBDDiffIterateReq req = { .offs = offset };
+     uint64_t features, flags;
++    uint64_t head = 0;
+ 
+     assert(offset + bytes <= s->image_size);
+ 
+@@ -1347,7 +1348,43 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+         return status;
+     }
+ 
+-    r = rbd_diff_iterate2(s->image, NULL, offset, bytes, true, true,
++#if LIBRBD_VERSION_CODE < LIBRBD_VERSION(1, 17, 0)
++    /*
++     * librbd had a bug until early 2022 that affected all versions of ceph that
++     * supported fast-diff. This bug results in reporting of incorrect offsets
++     * if the offset parameter to rbd_diff_iterate2 is not object aligned.
++     * Work around this bug by rounding down the offset to object boundaries.
++     * This is OK because we call rbd_diff_iterate2 with whole_object = true.
++     * However, this workaround only works for non cloned images with default
++     * striping.
++     *
++     * See: https://tracker.ceph.com/issues/53784
++     */
++
++    /* check if RBD image has non-default striping enabled */
++    if (features & RBD_FEATURE_STRIPINGV2) {
++        return status;
++    }
++
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++    /*
++     * check if RBD image is a clone (= has a parent).
++     *
++     * rbd_get_parent_info is deprecated from Nautilus onwards, but the
++     * replacement rbd_get_parent is not present in Luminous and Mimic.
++     */
++    if (rbd_get_parent_info(s->image, NULL, 0, NULL, 0, NULL, 0) != -ENOENT) {
++        return status;
++    }
++#pragma GCC diagnostic pop
++
++    head = req.offs & (s->object_size - 1);
++    req.offs -= head;
++    bytes += head;
++#endif
++
++    r = rbd_diff_iterate2(s->image, NULL, req.offs, bytes, true, true,
+                           qemu_rbd_diff_iterate_cb, &req);
+     if (r < 0 && r != QEMU_RBD_EXIT_DIFF_ITERATE2) {
+         return status;
+@@ -1366,7 +1403,8 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+         status = BDRV_BLOCK_ZERO | BDRV_BLOCK_OFFSET_VALID;
+     }
+ 
+-    *pnum = req.bytes;
++    assert(req.bytes > head);
++    *pnum = req.bytes - head;
+     return status;
+ }
+ 
+-- 
+2.27.0
+

kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch

@@ -0,0 +1,72 @@
+From 0f4592f79f8c24f84db18a8c39c6056b2a0be524 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 7 Jan 2022 11:54:19 +0100
+Subject: [PATCH 1/5] qemu-storage-daemon: Add vhost-user-blk help
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+RH-MergeRequest: 63: qemu-storage-daemon: Add vhost-user-blk help
+RH-Commit: [1/2] 6b08fec5d6ceea9f8f3810321099310069e08b53 (kmwolf/centos-qemu-kvm)
+RH-Bugzilla: 1962088
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+Add missing vhost-user-blk help:
+
+  $ qemu-storage-daemon -h
+  ...
+    --export [type=]vhost-user-blk,id=<id>,node-name=<node-name>,
+             addr.type=unix,addr.path=<socket-path>[,writable=on|off]
+             [,logical-block-size=<block-size>][,num-queues=<num-queues>]
+                           export the specified block node as a
+                           vhosts-user-blk device over UNIX domain socket
+    --export [type=]vhost-user-blk,id=<id>,node-name=<node-name>,
+             fd,addr.str=<fd>[,writable=on|off]
+             [,logical-block-size=<block-size>][,num-queues=<num-queues>]
+                           export the specified block node as a
+                           vhosts-user-blk device over file descriptor
+  ...
+
+Fixes: 90fc91d50b7 ("convert vhost-user-blk server to block export API")
+Reported-by: Qing Wang <qinwang@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <20220107105420.395011-3-f4bug@amsat.org>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit c8cbc9524269d9583749aaaea8aa244add7e1900)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ storage-daemon/qemu-storage-daemon.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/storage-daemon/qemu-storage-daemon.c b/storage-daemon/qemu-storage-daemon.c
+index 52cf17e8ac..9d76d1114d 100644
+--- a/storage-daemon/qemu-storage-daemon.c
++++ b/storage-daemon/qemu-storage-daemon.c
+@@ -104,6 +104,19 @@ static void help(void)
+ "                         export the specified block node over FUSE\n"
+ "\n"
+ #endif /* CONFIG_FUSE */
++#ifdef CONFIG_VHOST_USER_BLK_SERVER
++"  --export [type=]vhost-user-blk,id=<id>,node-name=<node-name>,\n"
++"           addr.type=unix,addr.path=<socket-path>[,writable=on|off]\n"
++"           [,logical-block-size=<block-size>][,num-queues=<num-queues>]\n"
++"                         export the specified block node as a\n"
++"                         vhost-user-blk device over UNIX domain socket\n"
++"  --export [type=]vhost-user-blk,id=<id>,node-name=<node-name>,\n"
++"           fd,addr.str=<fd>[,writable=on|off]\n"
++"           [,logical-block-size=<block-size>][,num-queues=<num-queues>]\n"
++"                         export the specified block node as a\n"
++"                         vhost-user-blk device over file descriptor\n"
++"\n"
++#endif /* CONFIG_VHOST_USER_BLK_SERVER */
+ "  --monitor [chardev=]name[,mode=control][,pretty[=on|off]]\n"
+ "                         configure a QMP monitor\n"
+ "\n"
+-- 
+2.27.0
+

kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch

@@ -0,0 +1,41 @@
+From 20edf203c8cb314e27409918399aa7cbdc6fdb02 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 25 Jan 2022 16:15:14 +0100
+Subject: [PATCH 2/5] qemu-storage-daemon: Fix typo in vhost-user-blk help
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+RH-MergeRequest: 63: qemu-storage-daemon: Add vhost-user-blk help
+RH-Commit: [2/2] b7afb670c398799b6e49b926e296771453a55fba (kmwolf/centos-qemu-kvm)
+RH-Bugzilla: 1962088
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+
+The syntax of the fd passing case misses the "addr.type=" key. Add it.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20220125151514.49035-1-kwolf@redhat.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit e66e665f15736f5ee1fbd8087926cb0f1e52f61a)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ storage-daemon/qemu-storage-daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/storage-daemon/qemu-storage-daemon.c b/storage-daemon/qemu-storage-daemon.c
+index 9d76d1114d..ec9aa79b55 100644
+--- a/storage-daemon/qemu-storage-daemon.c
++++ b/storage-daemon/qemu-storage-daemon.c
+@@ -111,7 +111,7 @@ static void help(void)
+ "                         export the specified block node as a\n"
+ "                         vhost-user-blk device over UNIX domain socket\n"
+ "  --export [type=]vhost-user-blk,id=<id>,node-name=<node-name>,\n"
+-"           fd,addr.str=<fd>[,writable=on|off]\n"
++"           addr.type=fd,addr.str=<fd>[,writable=on|off]\n"
+ "           [,logical-block-size=<block-size>][,num-queues=<num-queues>]\n"
+ "                         export the specified block node as a\n"
+ "                         vhost-user-blk device over file descriptor\n"
+-- 
+2.27.0
+

kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch

@@ -0,0 +1,110 @@
+From 846192d22a1ddfa87682bb0b67febef5c30c9743 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: [PATCH 3/5] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+
+RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-MergeRequest: 66: c9s:  virtiofsd security fix - drop secondary groups
+RH-Commit: [1/1] cdf3b0405ea3369933e76761890f16b040641036 (redhat/centos-stream/src/qemu-kvm)
+RH-Bugzilla: 2046201
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+RH-Acked-by: Sergio Lopez <None>
+RH-Acked-by: Vivek Goyal <None>
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
+Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Message-Id: <YfBGoriS38eBQrAb@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+  dgilbert: Fixed missing {}'s style nit
+(cherry picked from commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca)
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 64b5b4fbb1..b3d0674f6d 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -54,6 +54,7 @@
+ #include <sys/wait.h>
+ #include <sys/xattr.h>
+ #include <syslog.h>
++#include <grp.h>
+ 
+ #include "qemu/cutils.h"
+ #include "passthrough_helpers.h"
+@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+ 
++static void drop_supplementary_groups(void)
++{
++    int ret;
++
++    ret = getgroups(0, NULL);
++    if (ret == -1) {
++        fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
++                 errno, strerror(errno));
++        exit(1);
++    }
++
++    if (!ret) {
++        return;
++    }
++
++    /* Drop all supplementary groups. We should not need it */
++    ret = setgroups(0, NULL);
++    if (ret == -1) {
++        fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
++                 errno, strerror(errno));
++        exit(1);
++    }
++}
++
+ /*
+  * Change to uid/gid of caller so that file is created with
+  * ownership of caller.
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
+ 
+     qemu_init_exec_dir(argv[0]);
+ 
++    drop_supplementary_groups();
++
+     pthread_mutex_init(&lo.mutex, NULL);
+     lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+     lo.root.fd = -1;
+-- 
+2.27.0
+

qemu-kvm.spec

@@ -144,7 +144,7 @@ Obsoletes: %{name}-block-iscsi <= %{version}                    \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 6%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 7%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -217,6 +217,16 @@ Patch36: kvm-x86-Add-q35-RHEL-8.6.0-machine-type.patch
 Patch37: kvm-x86-Add-q35-RHEL-9.0.0-machine-type.patch
 # For bz#2036669 - DEVICE_DELETED event is not delivered for device frontend if -device is configured via JSON
 Patch38: kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch
+# For bz#1962088 - [QSD] wrong help message for the fuse
+Patch39: kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch
+# For bz#1962088 - [QSD] wrong help message for the fuse
+Patch40: kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch
+# For bz#2046201 - CVE-2022-0358 qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-9.0]
+Patch41: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
+# For bz#2034791 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
+Patch42: kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
+# For bz#2034791 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
+Patch43: kvm-block-rbd-workaround-for-ceph-issue-53784.patch
 
 # Source-git patches
 
@@ -1275,6 +1285,19 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Mon Feb 07 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-7
+- kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch [bz#1962088]
+- kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch [bz#1962088]
+- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2046201]
+- kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch [bz#2034791]
+- kvm-block-rbd-workaround-for-ceph-issue-53784.patch [bz#2034791]
+- Resolves: bz#1962088
+  ([QSD] wrong help message for the fuse)
+- Resolves: bz#2046201
+  (CVE-2022-0358 qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-9.0])
+- Resolves: bz#2034791
+  (Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD)
+
 * Wed Feb 02 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-6
 - Moving feature support out of qemu-kvm-core to separate packages (can
   cause loss of functionality when using only qemu-kvm-core - qemu-kvm keeps