From 89027b54f251e2b87ff2afab5af7b95178238094 Mon Sep 17 00:00:00 2001 From: Roberto Campesato Date: Jun 14 2024 12:29:00 +0000 Subject: Merge remote-tracking branch 'upstream/rawhide' into libvirt-hyperscale-10.4.0
---
diff --git a/0001-interface-fix-udev-reference-leak-with-invalid-flags.patch b/0001-interface-fix-udev-reference-leak-with-invalid-flags.patch
new file mode 100644
index 0000000..cdc4a2b
--- /dev/null
+++ b/0001-interface-fix-udev-reference-leak-with-invalid-flags.patch
@@ -0,0 +1,41 @@
+From 3499354e12a1c1832bf4030693a64e03ceb79d05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 5 Jun 2024 11:16:21 +0100
+Subject: [PATCH] interface: fix udev reference leak with invalid flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The udevInterfaceGetXMLDesc method takes a reference on the udev
+driver as its first action. If the virCheckFlags() condition
+fails, however, this reference is never released.
+
+Reviewed-by: Peter Krempa
+Signed-off-by: Daniel P. Berrangé
+---
+ src/interface/interface_backend_udev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
+index fdf11a8318..e1a50389c9 100644
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -1027,12 +1027,14 @@ static char *
+ udevInterfaceGetXMLDesc(virInterfacePtr ifinfo,
+ unsigned int flags)
+ {
+- struct udev *udev = udev_ref(driver->udev);
++ struct udev *udev = NULL;
+ g_autoptr(virInterfaceDef) ifacedef = NULL;
+ char *xmlstr = NULL;
+
+ virCheckFlags(VIR_INTERFACE_XML_INACTIVE, NULL);
+
++ udev = udev_ref(driver->udev);
++
+ /* Recursively build up the interface XML based on the requested
+ * interface name
+ */
+--
+2.45.1
+
diff --git a/0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch b/0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch
new file mode 100644
index 0000000..afa729d
--- /dev/null
+++ b/0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch
@@ -0,0 +1,49 @@
+From 98f1cf88fa7e0f992d93f376418fbfb3996a9690 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Fri, 17 May 2024 14:55:24 +0100
+Subject: [PATCH] rpc: avoid leak of GSource in use for interrupting main loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We never release the reference on the GSource created for
+interrupting the main loop, nor do we remove it from the
+main context if our thread is woken up prior to the wakeup
+callback firing.
+
+This can result in a leak of GSource objects, along with an
+ever growing list of GSources attached to the main context,
+which will gradually slow down execution of the loop, as
+several operations are O(N) for the number of attached GSource
+objects.
+
+Reviewed-by: Michal Privoznik
+Signed-off-by: Daniel P. Berrangé
+---
+ src/rpc/virnetclient.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
+index 147b0d661a..6d424eb599 100644
+--- a/src/rpc/virnetclient.c
++++ b/src/rpc/virnetclient.c
+@@ -1946,7 +1946,7 @@ static int virNetClientIO(virNetClient *client,
+ /* Check to see if another thread is dispatching */
+ if (client->haveTheBuck) {
+ /* Force other thread to wakeup from poll */
+- GSource *wakeup = g_idle_source_new();
++ g_autoptr(GSource) wakeup = g_idle_source_new();
+ g_source_set_callback(wakeup, virNetClientIOWakeup, client->eventLoop, NULL);
+ g_source_attach(wakeup, client->eventCtx);
+
+@@ -1968,6 +1968,7 @@ static int virNetClientIO(virNetClient *client,
+ return -1;
+ }
+
++ g_source_destroy(wakeup);
+ VIR_DEBUG("Woken up from sleep head=%p call=%p",
+ client->waitDispatch, thiscall);
+ /* Three reasons we can be woken up
+--
+2.45.1
+
diff --git a/libvirt.spec b/libvirt.spec
index a0774ca..07c1ddf 100644
--- a/libvirt.spec
+++ b/libvirt.spec
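Review bot: The added `g_source_destroy(wakeup);` in the second hunk of the carried virnetclient.c patch sits directly after a branch that ends in `return -1;`, so that early-return path leaves the idle source attached. `g_autoptr(GSource)` only drops the local reference there; a source attached with `g_source_attach()` is still referenced by `client->eventCtx` and, if its callback has not yet run, presumably stays queued and can fire after the caller has given up. Calling `g_source_destroy(wakeup);` before that `return -1;` as well would cover the path. The branch starts outside the hunk, so confirm against the full virNetClientIO body, and because this is an upstream backport the change is best raised upstream, not edited in the carried patch.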
@@ -205,6 +205,16 @@ %define with_modular_daemons 1 %endif +# Prefer nftables for future OS releases but keep using iptables +# for existing ones +%if 0%{?rhel} >= 10 || 0%{?fedora} >= 41 + %define prefer_nftables 1 + %define firewall_backend_priority nftables,iptables +%else + %define prefer_nftables 0 + %define firewall_backend_priority iptables,nftables +%endif + # Force QEMU to run as non-root %define qemu_user qemu %define qemu_group qemu @@ -275,14 +285,14 @@ %{nil} # To prevent rpmdev-bumpspec breakage -%global baserelease 1 +%global baserelease 2 # Hyperscale release %global hsrel .1 Summary: Library providing a simple virtualization API Name: libvirt -Version: 10.1.0 +Version: 10.4.0 Release: %{baserelease}%{?hsrel}%{?dist} License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1 URL: https://libvirt.org/ @@ -291,6 +301,8 @@ URL: https://libvirt.org/ %define mainturl stable_updates/ %endif Source: https://download.libvirt.org/%{?mainturl}libvirt-%{version}.tar.xz +Patch2: 0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch +Patch3: 0001-interface-fix-udev-reference-leak-with-invalid-flags.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -342,7 +354,7 @@ BuildRequires: gcc %if %{with_libxl} BuildRequires: xen-devel %endif -BuildRequires: glib2-devel >= 2.56 +BuildRequires: glib2-devel >= 2.58 BuildRequires: libxml2-devel BuildRequires: readline-devel BuildRequires: pkgconfig(bash-completion) >= 2.0 @@ -362,8 +374,6 @@ BuildRequires: sanlock-devel >= 2.4 BuildRequires: libpcap-devel >= 1.5.0 BuildRequires: libnl3-devel BuildRequires: libselinux-devel -BuildRequires: iptables -BuildRequires: ebtables # For modprobe BuildRequires: kmod BuildRequires: cyrus-sasl-devel 
@@ -600,7 +610,11 @@ Summary: Network driver plugin for the libvirtd daemon Requires: libvirt-daemon-common = %{version}-%{release} Requires: libvirt-libs = %{version}-%{release} Requires: dnsmasq >= 2.41 + %if %{prefer_nftables} +Requires: nftables + %else Requires: iptables + %endif %description daemon-driver-network The network driver plugin for the libvirtd daemon, providing @@ -821,8 +835,13 @@ Requires: gzip Requires: bzip2 Requires: lzop Requires: xz +Requires: zstd Requires: systemd-container + %if 0%{?facebook} +Recommends: swtpm-tools + %else Requires: swtpm-tools + %endif %if %{with_numad} Requires: numad %endif @@ -908,6 +927,7 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} +Requires: libvirt-ssh-proxy = %{version}-%{release} Requires: qemu %description daemon-qemu @@ -936,6 +956,7 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} +Requires: libvirt-ssh-proxy = %{version}-%{release} # relax requirement for qemu-kvm for fb builds %if 0%{?facebook} @@ -1111,6 +1132,13 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} Libvirt plugin for NSS for translating domain names into IP addresses. %endif +%package ssh-proxy +Summary: Libvirt SSH proxy +Requires: libvirt-libs = %{version}-%{release} + +%description ssh-proxy +Allows SSH into domains via VSOCK without need for network. + %if %{with_mingw32} %package -n mingw32-libvirt Summary: %{summary} 
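Review bot: `Requires: libvirt-ssh-proxy = %{version}-%{release}` in the daemon-qemu hunk (`@@ -908`), and the identical line in the `@@ -936` hunk, makes the new ssh-proxy subpackage mandatory wherever these metapackages are installed. According to its `%files` section later in this diff, that subpackage ships a system-wide OpenSSH client drop-in, `%{_sysconfdir}/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf`, so the SSH client configuration of every user on the hypervisor changes with no package-level opt-out. A weak dependency, `Recommends: libvirt-ssh-proxy = %{version}-%{release}`, would keep the default install the same while letting hardened hosts leave it out, much as this commit relaxes swtpm-tools for facebook builds. The drop-in's contents are not visible here, so which host patterns it matches should be confirmed before deciding.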
@@ -1383,9 +1411,11 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec) -Dtls_priority=%{tls_priority} \ -Dsysctl_config=enabled \ %{?arg_userfaultfd_sysctl} \ + -Dssh_proxy=enabled \ %{?enable_werror} \ -Dexpensive_tests=enabled \ -Dinit_script=systemd \ + -Dfirewall_backend_priority=%{firewall_backend_priority} \ -Ddocs=enabled \ -Dtests=enabled \ -Drpath=disabled \ @@ -1467,6 +1497,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec) -Dstorage_zfs=disabled \ -Dsysctl_config=disabled \ -Duserfaultfd_sysctl=disabled \ + -Dssh_proxy=disabled \ -Dtests=disabled \ -Dudev=disabled \ -Dwireshark_dissector=disabled \ @@ -1577,7 +1608,8 @@ rm -rf $RPM_BUILD_ROOT%{mingw64_libexecdir}/libvirt-guests.sh %if %{with_native} # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout -VIR_TEST_DEBUG=1 %meson_test --no-suite syntax-check --timeout-multiplier 10 +VIR_TEST_DEBUG=1 +%meson_test --no-suite syntax-check --timeout-multiplier 10 %endif %define libvirt_rpmstatedir %{_localstatedir}/lib/rpm-state/libvirt @@ -2120,6 +2152,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf %{_datadir}/augeas/lenses/virtnetworkd.aug %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug +%config(noreplace) %{_sysconfdir}/libvirt/network.conf +%{_datadir}/augeas/lenses/libvirtd_network.aug +%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug %{_unitdir}/virtnetworkd.service %{_unitdir}/virtnetworkd.socket %{_unitdir}/virtnetworkd-ro.socket @@ -2437,6 +2472,10 @@ exit 0 %{_libdir}/libnss_libvirt.so.2 %{_libdir}/libnss_libvirt_guest.so.2 +%files ssh-proxy +%config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf +%{_libexecdir}/libvirt-ssh-proxy + %if %{with_lxc} %files login-shell %attr(4750, root, virtlogin) %{_bindir}/virt-login-shell 
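Review bot: In the `%check` hunk (`@@ -1577`), `VIR_TEST_DEBUG=1` now stands on a line of its own, which makes it a plain shell assignment and no longer a per-command environment prefix for what `%meson_test` expands to. Unless the variable is exported elsewhere in `%check` (not visible in this hunk), the test processes will not inherit it and failing tests lose their debug output in the build log. If the split is needed for the macro expansion, the first line should read `export VIR_TEST_DEBUG=1`.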
@@ -2600,6 +2639,28 @@ exit 0 %changelog +* Wed Jun 14 2024 Roberto Campesato - 10.4.0-2.1 +- Update to version 10.4.0 +- Relax dependency on swtpm-tools for facebook builds + +* Wed Jun 5 2024 Daniel P. Berrangé - 10.4.0-2 +- Fix leak of GSource handle +- Fix leak of udev reference (rhbz #2266017) + +* Wed Jun 5 2024 Daniel P. Berrangé - 10.4.0-1 +- Update to version 10.4.0 +- Change virtual network backend from iptables to nftables +- Introduce SSH VSOCK proxy + +* Thu May 2 2024 Daniel P. Berrangé - 10.3.0-1 +- Update to version 10.3.0 + +* Sat Apr 06 2024 Cole Robinson - 10.2.0-2 +- Rebuild for new libiscsi + +* Fri Apr 05 2024 Cole Robinson - 10.2.0-1 +- Update to version 10.2.0 + * Wed Mar 27 2024 Roberto Campesato - 10.1.0-1.1 - Update to version 10.1.0 - Relax dependency on qemu-kvm for facebook builds diff --git a/sources b/sources index fa67790..f84031b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libvirt-10.1.0.tar.xz) = 08e73ae15de5681430b62db85ec9901242dca5e9a4ca9685614f4a67092c6e28f27f9187144b3ceb18ad6b40e6eb1a90b1a4b056b0888724d04a62002ee2bc48 +SHA512 (libvirt-10.4.0.tar.xz) = 711be39f3fb831a5073b25a5b02410676147114f3dcf85b24c8505b611a81bf64cf3b95f66908e0dc3a2f3e66e5fc31b2d95db610ea3f1b747a9fd1f52b1ffa7