lib: Avoid changing const strings via strchr() and friends

There's new commit in glibc [1] which makes memchr(), strchr(),
strrchr(), strpbrk() and strstr() reflect type of the input
string. If it's a constant string, then the return type of these
functions is also 'const char *'. But this change tickles
-Wincompatible-pointer-types-discards-qualifiers warning.

And indeed, there are some places where we use a 'char *' typed
variable to store the retval, or even misuse the fact 'char *' is
returned and modify const string.

To fix this, a couple of different approaches is used:

  a) switch variable type to 'const char *',
  b) switch argument to 'char *' (in a few places we have
     strdup()-ed) the const string already,
  c) strdup() the string and use b).

1: https://sourceware.org/git/?p=glibc.git;a=commit;h=cd748a63ab1a7ae846175c532a3daab341c62690
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

NEWS.rst

@@ -8,6 +8,20 @@ the changes introduced by each of them.
 For a more fine-grained view, use the `git log`_.
 
 
+v12.0.0 (unreleased)
+====================
+
+* **Security**
+
+* **Removed features**
+
+* **New features**
+
+* **Improvements**
+
+* **Bug fixes**
+
+
 v11.10.0 (2025-12-01)
 =====================
 

libvirt.spec.in

@@ -41,7 +41,7 @@
     %define with_qemu      0%{!?_without_qemu:1}
 %else
     # QEMU drops 32-bit in Fedora 44
-    %if %{?fedora} > 43
+    %if 0%{?fedora} > 43
         %define with_qemu  0
     %else
         %define with_qemu  0%{!?_without_qemu:1}

meson.build

@@ -1,6 +1,6 @@
 project(
   'libvirt', 'c',
-  version: '11.10.0',
+  version: '12.0.0',
   license: 'LGPLv2+',
   meson_version: '>= 0.57.0',
   default_options: [

src/cpu_map/sync_qemu_features_i386.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 
 import argparse
+import enum
 import os
 import re
 
@@ -202,6 +203,22 @@ def add_feature_cpuid(eax, ecx, reg, bit, name):
     _FEATURES["cpuid"][eax][ecx][reg][bit] = name
 
 
+class VmxMsr(enum.Enum):
+    MSR_IA32_VMX_PROCBASED_CTLS2 = 0x0000048b
+    MSR_IA32_VMX_TRUE_PINBASED_CTLS = 0x0000048d
+    MSR_IA32_VMX_TRUE_PROCBASED_CTLS = 0x0000048e
+    MSR_IA32_VMX_TRUE_ENTRY_CTLS = 0x00000490
+    MSR_IA32_VMX_TRUE_EXIT_CTLS = 0x0000048f
+
+
+def is_vmx_msr(msr):
+    try:
+        VmxMsr(msr)
+        return True
+    except ValueError:
+        return False
+
+
 # add new msr feature bit
 def add_feature_msr(msr, bit, name):
     if not name:
@@ -213,6 +230,11 @@ def add_feature_msr(msr, bit, name):
     if msr not in _FEATURES["msr"]:
         _FEATURES["msr"][msr] = dict()
 
+    # VMX-* features are specified in the 32 higher bits
+    # of the MSR value
+    if is_vmx_msr(msr):
+        bit += 32
+
     _FEATURES["msr"][msr][bit] = name
 
 

src/cpu_map/x86_features.xml

@@ -982,67 +982,67 @@
 
   <!-- msr 0x0000048b -->
   <feature name='vmx-apicv-xapic'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000001'/>
+    <msr index='0x0000048b' edx='0x00000001' eax='0x00000000'/>
   </feature>
   <feature name='vmx-ept'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000002'/>
+    <msr index='0x0000048b' edx='0x00000002' eax='0x00000000'/>
   </feature>
   <feature name='vmx-desc-exit'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000004'/>
+    <msr index='0x0000048b' edx='0x00000004' eax='0x00000000'/>
   </feature>
   <feature name='vmx-rdtscp-exit'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000008'/>
+    <msr index='0x0000048b' edx='0x00000008' eax='0x00000000'/>
   </feature>
   <feature name='vmx-apicv-x2apic'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000010'/>
+    <msr index='0x0000048b' edx='0x00000010' eax='0x00000000'/>
   </feature>
   <feature name='vmx-vpid'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000020'/>
+    <msr index='0x0000048b' edx='0x00000020' eax='0x00000000'/>
   </feature>
   <feature name='vmx-wbinvd-exit'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000040'/>
+    <msr index='0x0000048b' edx='0x00000040' eax='0x00000000'/>
   </feature>
   <feature name='vmx-unrestricted-guest'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000080'/>
+    <msr index='0x0000048b' edx='0x00000080' eax='0x00000000'/>
   </feature>
   <feature name='vmx-apicv-register'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000100'/>
+    <msr index='0x0000048b' edx='0x00000100' eax='0x00000000'/>
   </feature>
   <feature name='vmx-apicv-vid'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000200'/>
+    <msr index='0x0000048b' edx='0x00000200' eax='0x00000000'/>
   </feature>
   <feature name='vmx-ple'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000400'/>
+    <msr index='0x0000048b' edx='0x00000400' eax='0x00000000'/>
   </feature>
   <feature name='vmx-rdrand-exit'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00000800'/>
+    <msr index='0x0000048b' edx='0x00000800' eax='0x00000000'/>
   </feature>
   <feature name='vmx-invpcid-exit'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00001000'/>
+    <msr index='0x0000048b' edx='0x00001000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-vmfunc'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00002000'/>
+    <msr index='0x0000048b' edx='0x00002000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-shadow-vmcs'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00004000'/>
+    <msr index='0x0000048b' edx='0x00004000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-encls-exit'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00008000'/>
+    <msr index='0x0000048b' edx='0x00008000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-rdseed-exit'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00010000'/>
+    <msr index='0x0000048b' edx='0x00010000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-pml'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00020000'/>
+    <msr index='0x0000048b' edx='0x00020000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-xsaves'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x00100000'/>
+    <msr index='0x0000048b' edx='0x00100000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-tsc-scaling'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x02000000'/>
+    <msr index='0x0000048b' edx='0x02000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-enable-user-wait-pause'>
-    <msr index='0x0000048b' edx='0x00000000' eax='0x04000000'/>
+    <msr index='0x0000048b' edx='0x04000000' eax='0x00000000'/>
   </feature>
 
   <!-- msr 0x0000048c -->
@@ -1101,151 +1101,151 @@
 
   <!-- msr 0x0000048d -->
   <feature name='vmx-intr-exit'>
-    <msr index='0x0000048d' edx='0x00000000' eax='0x00000001'/>
+    <msr index='0x0000048d' edx='0x00000001' eax='0x00000000'/>
   </feature>
   <feature name='vmx-nmi-exit'>
-    <msr index='0x0000048d' edx='0x00000000' eax='0x00000008'/>
+    <msr index='0x0000048d' edx='0x00000008' eax='0x00000000'/>
   </feature>
   <feature name='vmx-vnmi'>
-    <msr index='0x0000048d' edx='0x00000000' eax='0x00000020'/>
+    <msr index='0x0000048d' edx='0x00000020' eax='0x00000000'/>
   </feature>
   <feature name='vmx-preemption-timer'>
-    <msr index='0x0000048d' edx='0x00000000' eax='0x00000040'/>
+    <msr index='0x0000048d' edx='0x00000040' eax='0x00000000'/>
   </feature>
   <feature name='vmx-posted-intr'>
-    <msr index='0x0000048d' edx='0x00000000' eax='0x00000080'/>
+    <msr index='0x0000048d' edx='0x00000080' eax='0x00000000'/>
   </feature>
 
   <!-- msr 0x0000048e -->
   <feature name='vmx-vintr-pending'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00000004'/>
+    <msr index='0x0000048e' edx='0x00000004' eax='0x00000000'/>
   </feature>
   <feature name='vmx-tsc-offset'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00000008'/>
+    <msr index='0x0000048e' edx='0x00000008' eax='0x00000000'/>
   </feature>
   <feature name='vmx-hlt-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00000080'/>
+    <msr index='0x0000048e' edx='0x00000080' eax='0x00000000'/>
   </feature>
   <feature name='vmx-invlpg-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00000200'/>
+    <msr index='0x0000048e' edx='0x00000200' eax='0x00000000'/>
   </feature>
   <feature name='vmx-mwait-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00000400'/>
+    <msr index='0x0000048e' edx='0x00000400' eax='0x00000000'/>
   </feature>
   <feature name='vmx-rdpmc-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00000800'/>
+    <msr index='0x0000048e' edx='0x00000800' eax='0x00000000'/>
   </feature>
   <feature name='vmx-rdtsc-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00001000'/>
+    <msr index='0x0000048e' edx='0x00001000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-cr3-load-noexit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00008000'/>
+    <msr index='0x0000048e' edx='0x00008000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-cr3-store-noexit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00010000'/>
+    <msr index='0x0000048e' edx='0x00010000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-cr8-load-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00080000'/>
+    <msr index='0x0000048e' edx='0x00080000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-cr8-store-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00100000'/>
+    <msr index='0x0000048e' edx='0x00100000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-flexpriority'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00200000'/>
+    <msr index='0x0000048e' edx='0x00200000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-vnmi-pending'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00400000'/>
+    <msr index='0x0000048e' edx='0x00400000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-movdr-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x00800000'/>
+    <msr index='0x0000048e' edx='0x00800000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-io-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x01000000'/>
+    <msr index='0x0000048e' edx='0x01000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-io-bitmap'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x02000000'/>
+    <msr index='0x0000048e' edx='0x02000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-mtf'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x08000000'/>
+    <msr index='0x0000048e' edx='0x08000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-msr-bitmap'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x10000000'/>
+    <msr index='0x0000048e' edx='0x10000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-monitor-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x20000000'/>
+    <msr index='0x0000048e' edx='0x20000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-pause-exit'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x40000000'/>
+    <msr index='0x0000048e' edx='0x40000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-secondary-ctls'>
-    <msr index='0x0000048e' edx='0x00000000' eax='0x80000000'/>
+    <msr index='0x0000048e' edx='0x80000000' eax='0x00000000'/>
   </feature>
 
   <!-- msr 0x0000048f -->
   <feature name='vmx-exit-nosave-debugctl'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00000004'/>
+    <msr index='0x0000048f' edx='0x00000004' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-load-perf-global-ctrl'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00001000'/>
+    <msr index='0x0000048f' edx='0x00001000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-ack-intr'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00008000'/>
+    <msr index='0x0000048f' edx='0x00008000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-save-pat'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00040000'/>
+    <msr index='0x0000048f' edx='0x00040000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-load-pat'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00080000'/>
+    <msr index='0x0000048f' edx='0x00080000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-save-efer'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00100000'/>
+    <msr index='0x0000048f' edx='0x00100000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-load-efer'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00200000'/>
+    <msr index='0x0000048f' edx='0x00200000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-save-preemption-timer'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00400000'/>
+    <msr index='0x0000048f' edx='0x00400000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-clear-bndcfgs'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x00800000'/>
+    <msr index='0x0000048f' edx='0x00800000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-clear-rtit-ctl'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x02000000'/>
+    <msr index='0x0000048f' edx='0x02000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-load-pkrs'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x20000000'/>
+    <msr index='0x0000048f' edx='0x20000000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-exit-secondary-ctls'>
-    <msr index='0x0000048f' edx='0x00000000' eax='0x80000000'/>
+    <msr index='0x0000048f' edx='0x80000000' eax='0x00000000'/>
   </feature>
 
   <!-- msr 0x00000490 -->
   <feature name='vmx-entry-noload-debugctl'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00000004'/>
+    <msr index='0x00000490' edx='0x00000004' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-ia32e-mode'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00000200'/>
+    <msr index='0x00000490' edx='0x00000200' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-load-perf-global-ctrl'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00002000'/>
+    <msr index='0x00000490' edx='0x00002000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-load-pat'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00004000'/>
+    <msr index='0x00000490' edx='0x00004000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-load-efer'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00008000'/>
+    <msr index='0x00000490' edx='0x00008000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-load-bndcfgs'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00010000'/>
+    <msr index='0x00000490' edx='0x00010000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-load-rtit-ctl'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00040000'/>
+    <msr index='0x00000490' edx='0x00040000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-load-pkrs'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00400000'/>
+    <msr index='0x00000490' edx='0x00400000' eax='0x00000000'/>
   </feature>
   <feature name='vmx-entry-load-fred'>
-    <msr index='0x00000490' edx='0x00000000' eax='0x00800000'/>
+    <msr index='0x00000490' edx='0x00800000' eax='0x00000000'/>
   </feature>
 
   <!-- msr 0x00000491 -->

src/interface/interface_backend_udev.c

@@ -927,7 +927,7 @@ udevGetIfaceDef(struct udev *udev, const char *name)
     g_autoptr(virInterfaceDef) ifacedef = NULL;
     unsigned int mtu;
     const char *mtu_str;
-    char *vlan_parent_dev = NULL;
+    const char *vlan_parent_dev = NULL;
     const char *devtype;
 
     /* Allocate our interface definition structure */

src/libxl/xen_common.c

@@ -802,20 +802,20 @@ static virDomainChrDef *
 xenParseSxprChar(const char *value,
                  const char *tty)
 {
-    const char *prefix;
+    g_autofree char *prefix = NULL;
     char *tmp;
     virDomainChrDef *def;
 
     if (!(def = virDomainChrDefNew(NULL)))
         return NULL;
 
-    prefix = value;
+    prefix = g_strdup(value);
 
     if (g_path_is_absolute(value)) {
         def->source->type = VIR_DOMAIN_CHR_TYPE_DEV;
         def->source->data.file.path = g_strdup(value);
     } else {
-        if ((tmp = strchr(value, ':')) != NULL) {
+        if ((tmp = strchr(prefix, ':')) != NULL) {
             *tmp = '\0';
             value = tmp + 1;
         }
@@ -1019,7 +1019,7 @@ xenParseCharDev(virConf *conf, virDomainDef *def, const char *nativeFormat)
 static int
 xenParseVifBridge(virDomainNetDef *net, const char *bridge)
 {
-    char *vlanstr;
+    const char *vlanstr;
     unsigned int tag;
 
     if ((vlanstr = strchr(bridge, '.'))) {
@@ -1144,7 +1144,7 @@ xenParseVif(char *entry, const char *vif_typename)
 
     for (keyval = keyvals; keyval && *keyval; keyval++) {
         const char *key = *keyval;
-        char *val = strchr(key, '=');
+        const char *val = strchr(key, '=');
 
         virSkipSpaces(&key);
 

src/libxl/xen_xm.c

@@ -154,9 +154,11 @@ xenParseXMDisk(char *entry, int hvm)
     src = virDomainDiskGetSource(disk);
     if (src) {
         size_t len;
+        const char *sep;
+
         /* The main type  phy:, file:, tap: ... */
-        if ((tmp = strchr(src, ':')) != NULL) {
-            len = tmp - src;
+        if ((sep = strchr(src, ':')) != NULL) {
+            len = sep - src;
             tmp = g_strndup(src, len);
 
             virDomainDiskSetDriver(disk, tmp);
@@ -173,9 +175,9 @@ xenParseXMDisk(char *entry, int hvm)
             STREQ_NULLABLE(virDomainDiskGetDriver(disk), "tap2")) {
             char *driverType;
 
-            if (!(tmp = strchr(src, ':')))
+            if (!(sep = strchr(src, ':')))
                 goto error;
-            len = tmp - src;
+            len = sep - src;
 
             driverType = g_strndup(src, len);
 

src/network/meson.build

@@ -10,6 +10,7 @@ if host_machine.system() == 'freebsd'
   network_driver_sources += 'network_pf.c'
 endif
 
+network_inc_dir = include_directories('.')
 driver_source_files += files(network_driver_sources)
 stateful_driver_source_files += files(network_driver_sources)
 

src/network/network_iptables.c

@@ -84,27 +84,34 @@ iptablesPrivateChainCreate(virFirewall *fw,
 {
     iptablesGlobalChainData *data = opaque;
     g_autoptr(GHashTable) chains = virHashNew(NULL);
-    g_autoptr(GHashTable) links = virHashNew(NULL);
-    const char *const *tmp;
+    g_autoptr(GHashTable) links = virHashNew(g_free);
+    const char *const *line;
     size_t i;
 
-    tmp = lines;
-    while (tmp && *tmp) {
-        if (STRPREFIX(*tmp, "-N ")) { /* eg "-N LIBVIRT_INP" */
-            if (virHashUpdateEntry(chains, *tmp + 3, (void *)0x1) < 0)
+    line = lines;
+    while (line && *line) {
+        const char *tmp;
+
+        if ((tmp = STRSKIP(*line, "-N "))) { /* eg "-N LIBVIRT_INP" */
+            if (virHashUpdateEntry(chains, tmp, (void *)0x1) < 0)
                 return -1;
-        } else if (STRPREFIX(*tmp, "-A ")) { /* eg "-A INPUT -j LIBVIRT_INP" */
-            char *sep = strchr(*tmp + 3, ' ');
+        } else if ((tmp = STRSKIP(*line, "-A "))) { /* eg "-A INPUT -j LIBVIRT_INP" */
+            const char *sep = strchr(tmp, ' ');
+
             if (sep) {
-                *sep = '\0';
-                if (STRPREFIX(sep + 1, "-j ")) {
-                    if (virHashUpdateEntry(links, sep + 4,
-                                           (char *)*tmp + 3) < 0)
+                const char *target;
+
+                if ((target = STRSKIP(sep + 1, "-j "))) {
+                    char *chain = g_strndup(tmp, sep - tmp);
+
+                    if (virHashUpdateEntry(links, target, chain) < 0) {
+                        g_free(chain);
                         return -1;
+                    }
                 }
             }
         }
-        tmp++;
+        line++;
     }
 
     for (i = 0; i < data->nchains; i++) {

src/node_device/node_device_udev.c

@@ -1187,7 +1187,7 @@ static int
 udevGetCCWAddress(const char *sysfs_path,
                   virNodeDevCapData *data)
 {
-    char *p;
+    const char *p;
     g_autofree virCCWDeviceAddress *ccw_addr = g_new0(virCCWDeviceAddress, 1);
 
     if ((p = strrchr(sysfs_path, '/')) == NULL ||

src/nwfilter/nwfilter_ebiptables_driver.c

@@ -2604,7 +2604,7 @@ ebtablesRemoveSubChainsQuery(virFirewall *fw,
     const char *chainprefixes = opaque;
 
     for (i = 0; lines[i] != NULL; i++) {
-        char *tmp = strstr(lines[i], "-j ");
+        const char *tmp = strstr(lines[i], "-j ");
 
         VIR_DEBUG("Considering '%s'", lines[i]);
 
@@ -2708,7 +2708,7 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewall *fw,
     char newchain[MAX_CHAINNAME_LENGTH];
 
     for (i = 0; lines[i] != NULL; i++) {
-        char *tmp = strstr(lines[i], "-j ");
+        const char *tmp = strstr(lines[i], "-j ");
 
         VIR_DEBUG("Considering '%s'", lines[i]);
 

src/qemu/qemu_monitor_json.c

@@ -241,7 +241,7 @@ qemuMonitorJSONIOProcess(qemuMonitor *mon,
     /*VIR_DEBUG("Data %d bytes [%s]", len, data);*/
 
     while (used < len) {
-        char *nl = strstr(data + used, LINE_ENDING);
+        const char *nl = strstr(data + used, LINE_ENDING);
 
         if (nl) {
             int got = nl - (data + used);

src/qemu/qemu_nbdkit.c

@@ -146,7 +146,7 @@ qemuNbdkitCapsQueryBuildConfig(qemuNbdkitCaps *nbdkit)
     size_t i;
     g_autofree char *output = NULL;
     g_auto(GStrv) lines = NULL;
-    const char *line;
+    char *line;
     g_autoptr(virCommand) cmd = virCommandNewArgList(nbdkit->path,
                                                      "--dump-config",
                                                      NULL);

src/rpc/virnetsshsession.c

@@ -216,13 +216,14 @@ virNetSSHKbIntCb(const char *name G_GNUC_UNUSED,
 
     /* fill data structures for auth callback */
     for (i = 0; i < num_prompts; i++) {
-        askcred[i].prompt = g_strdup((char*)prompts[i].text);
+        char *prompt = g_strdup((char*)prompts[i].text);
 
         /* remove colon and trailing spaces from prompts, as default behavior
          * of libvirt's auth callback is to add them */
-        if ((tmp = strrchr(askcred[i].prompt, ':')))
+        if ((tmp = strrchr(prompt, ':')))
             *tmp = '\0';
 
+        askcred[i].prompt = prompt;
         askcred[i].type = prompts[i].echo ? credtype_echo : credtype_noecho;
     }
 

src/storage/storage_util.c

@@ -3773,7 +3773,7 @@ getOldStyleBlockDevice(const char *lun_path G_GNUC_UNUSED,
                        const char *block_name,
                        char **block_device)
 {
-    char *blockp = NULL;
+    const char *blockp = NULL;
 
     /* old-style; just parse out the sd */
     if (!(blockp = strrchr(block_name, ':'))) {

src/storage_file/storage_source.c

@@ -45,8 +45,8 @@ VIR_LOG_INIT("storage_source");
 static bool
 virStorageSourceBackinStoreStringIsFile(const char *backing)
 {
-    char *colon;
-    char *slash;
+    const char *colon;
+    const char *slash;
 
     if (!backing)
         return false;

src/util/vircgroup.c

@@ -517,7 +517,7 @@ int
 virCgroupSetValueRaw(const char *path,
                      const char *value)
 {
-    char *tmp;
+    const char *tmp;
 
     VIR_DEBUG("Set path '%s' to value '%s'", path, value);
     if (virFileWriteStr(path, value, 0) < 0) {

src/util/vircommand.c

@@ -3184,6 +3184,7 @@ virCommandDryRunTokenFree(virCommandDryRunToken *tok)
  * @bufArgLinebreaks: add linebreaks after command and every argument or argument pair
  * @bufCommandStripPath: strip leading paths of command
  * @callback: callback to process input/output/args
+ * @opaque: data blob to pass to @callback
  *
  * Sometimes it's desired to not actually run given command, but
  * see its string representation without having to change the
@@ -3200,13 +3201,14 @@ virCommandDryRunTokenFree(virCommandDryRunToken *tok)
  * The strings stored in @buf are escaped for a shell and
  * separated by a newline. For example:
  *
- * virBuffer buffer = VIR_BUFFER_INITIALIZER;
- * virCommandSetDryRun(&buffer);
- *
+ * g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
+ * g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
  * virCommand *echocmd = virCommandNewArgList("/bin/echo", "Hello world", NULL);
+ *
+ * virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
  * virCommandRun(echocmd, NULL);
  *
- * After this, the @buffer should contain:
+ * After this, the @cmdbuf should contain:
  *
  * /bin/echo 'Hello world'\n
  *

src/util/virfile.c

@@ -3359,7 +3359,7 @@ char *
 virFileSanitizePath(const char *path)
 {
     const char *cur = path;
-    char *uri;
+    const char *uri;
     char *cleanpath;
     int idx = 0;
 

src/util/virstoragefile.c

@@ -119,8 +119,8 @@ virStorageFileGetNPIVKey(const char *path,
                          char **key)
 {
     int status;
-    const char *serial;
-    const char *port;
+    char *serial;
+    char *port;
     g_autofree char *outbuf = NULL;
     g_autoptr(virCommand) cmd = NULL;
 

src/util/virstring.c

@@ -484,17 +484,23 @@ virTrimSpaces(char *str, char **endp)
  * but spaces.
  */
 void
-virSkipSpacesBackwards(const char *str, char **endp)
+virSkipSpacesBackwards(const char *str,
+                       const char **endp)
 {
-    /* Casting away const is safe, since virTrimSpaces does not
-     * modify string with this particular usage.  */
-    char *s = (char*) str;
+    const char *end;
 
     if (!*endp)
-        *endp = s + strlen(s);
-    virTrimSpaces(s, endp);
-    if (s == *endp)
+        end = str + strlen(str);
+    else
+        end = *endp;
+
+    while (end > str && g_ascii_isspace(end[-1]))
+        end--;
+
+    if (str == end)
         *endp = NULL;
+    else
+        *endp = end;
 }
 
 /**

src/util/virstring.h

@@ -75,7 +75,7 @@ void virSkipSpaces(const char **str) ATTRIBUTE_NONNULL(1);
 void virSkipSpacesAndBackslash(const char **str) ATTRIBUTE_NONNULL(1);
 void virSkipToDigit(const char **str) ATTRIBUTE_NONNULL(1);
 void virTrimSpaces(char *str, char **endp) ATTRIBUTE_NONNULL(1);
-void virSkipSpacesBackwards(const char *str, char **endp)
+void virSkipSpacesBackwards(const char *str, const char **endp)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
 
 bool virStringIsEmpty(const char *str);

src/util/virsysinfo.c

@@ -219,7 +219,7 @@ static int
 virSysinfoParsePPCSystem(const char *base, virSysinfoSystemDef **sysdef)
 {
     int ret = -1;
-    char *eol = NULL;
+    const char *eol = NULL;
     const char *cur;
     virSysinfoSystemDef *def;
 
@@ -267,7 +267,7 @@ static void
 virSysinfoParsePPCProcessor(const char *base, virSysinfoDef *ret)
 {
     const char *cur;
-    char *eol, *tmp_base;
+    const char *eol, *tmp_base;
     virSysinfoProcessorDef *processor;
 
     while ((tmp_base = strstr(base, "processor")) != NULL) {
@@ -336,7 +336,7 @@ static int
 virSysinfoParseARMSystem(const char *base, virSysinfoSystemDef **sysdef)
 {
     int ret = -1;
-    char *eol = NULL;
+    const char *eol = NULL;
     const char *cur;
     virSysinfoSystemDef *def;
 
@@ -384,7 +384,7 @@ static void
 virSysinfoParseARMProcessor(const char *base, virSysinfoDef *ret)
 {
     const char *cur;
-    char *eol, *tmp_base;
+    const char *eol, *tmp_base;
     virSysinfoProcessorDef *processor;
     char *processor_type = NULL;
 
@@ -625,7 +625,7 @@ virSysinfoParseBIOS(const char *base, virSysinfoBIOSDef **bios)
 {
     int ret = -1;
     const char *cur;
-    char *eol = NULL;
+    const char *eol = NULL;
     virSysinfoBIOSDef *def;
 
     if ((cur = strstr(base, "BIOS Information")) == NULL)
@@ -679,7 +679,7 @@ virSysinfoParseX86System(const char *base, virSysinfoSystemDef **sysdef)
 {
     int ret = -1;
     const char *cur;
-    char *eol = NULL;
+    const char *eol = NULL;
     virSysinfoSystemDef *def;
 
     if ((cur = strstr(base, "System Information")) == NULL)
@@ -755,7 +755,7 @@ virSysinfoParseX86BaseBoard(const char *base,
                             size_t *nbaseBoard)
 {
     const char *cur;
-    char *eol = NULL;
+    const char *eol = NULL;
     virSysinfoBaseBoardDef *boards = NULL;
     size_t nboards = 0;
 
@@ -832,7 +832,7 @@ virSysinfoParseX86Chassis(const char *base,
 {
     int ret = -1;
     const char *cur;
-    char *eol = NULL;
+    const char *eol = NULL;
     virSysinfoChassisDef *def;
 
     if ((cur = strstr(base, "Chassis Information")) == NULL)
@@ -942,7 +942,7 @@ virSysinfoParseOEMStrings(const char *base,
     while ((cur = strstr(cur, "String "))) {
         char *collon = NULL;
         unsigned int idx = 0;
-        char *eol;
+        const char *eol;
 
         cur += 7;
 
@@ -1005,7 +1005,7 @@ static void
 virSysinfoParseX86Processor(const char *base, virSysinfoDef *ret)
 {
     const char *cur, *tmp_base;
-    char *eol;
+    const char *eol;
     virSysinfoProcessorDef *processor;
 
     while ((tmp_base = strstr(base, "Processor Information")) != NULL) {
@@ -1103,7 +1103,7 @@ static void
 virSysinfoParseX86Memory(const char *base, virSysinfoDef *ret)
 {
     const char *cur, *tmp_base;
-    char *eol;
+    const char *eol;
     virSysinfoMemoryDef *memory;
 
     while ((tmp_base = strstr(base, "Memory Device")) != NULL) {

src/util/virxml.c

@@ -368,7 +368,8 @@ virXMLCheckIllegalChars(const char *nodeName,
                         const char *str,
                         const char *illegal)
 {
-    char *c;
+    const char *c;
+
     if ((c = strpbrk(str, illegal))) {
         virReportError(VIR_ERR_XML_DETAIL,
                        _("invalid char in %1$s: %2$c"), nodeName, *c);

src/vmware/vmware_conf.c

@@ -305,7 +305,7 @@ vmwareDomainConfigDisplay(vmwareDomainPtr pDomain, virDomainDef *def)
 static int
 vmwareParsePath(const char *path, char **directory, char **filename)
 {
-    char *separator;
+    const char *separator;
 
     separator = strrchr(path, '/');
 

tests/cputestdata/x86_64-cpuid-Atom-P5362-2-enabled.xml

@@ -9,11 +9,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x0400006b'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06136bff'/>
+  <msr index='0x48b' edx='0x06136bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c8004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000c204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c8004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000c204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Atom-P5362-enabled.xml

@@ -9,11 +9,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x0000006b'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000060'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x00136bff'/>
+  <msr index='0x48b' edx='0x00136bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c8004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000c204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c8004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000c204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Cooperlake-enabled.xml

@@ -10,11 +10,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x000001eb'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000060'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x00137bff'/>
+  <msr index='0x48b' edx='0x00137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c8004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000c204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c8004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000c204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Core-i7-1270P-enabled.xml

@@ -11,11 +11,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x1400e06b'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06137bff'/>
+  <msr index='0x48b' edx='0x06137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000e204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Core-i7-1365U-enabled.xml

@@ -11,11 +11,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x1400e06b'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06137bff'/>
+  <msr index='0x48b' edx='0x06137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000e204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Core-i7-8550U-enabled.xml

@@ -8,11 +8,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x00000048'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000060'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x001378ff'/>
+  <msr index='0x48b' edx='0x001378ff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x00000069'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c8004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000c204'/>
+  <msr index='0x48d' edx='0x00000069' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c8004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000c204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-6731E-enabled.xml

@@ -11,11 +11,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x0d00e06b'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06137bff'/>
+  <msr index='0x48b' edx='0x06137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000e204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-6788P-disabled.xml

@@ -7,4 +7,5 @@
   <msr index='0xcf' edx='0x00000000' eax='0x00000020'/>
   <msr index='0x10a' edx='0x00000000' eax='0x00000100'/>
   <msr index='0x480' edx='0x05000000' eax='0x00000000'/>
+  <msr index='0x48b' edx='0x00000400' eax='0x00000000'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-6788P-enabled.xml

@@ -12,11 +12,11 @@
   <msr index='0x10a' edx='0x40000000' eax='0x0d00e0eb'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06137bff'/>
+  <msr index='0x48b' edx='0x06137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x063300c1'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000e204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-6788P-guest.xml

@@ -55,6 +55,7 @@
   <feature policy='require' name='rfds-no'/>
   <feature policy='require' name='vmx-any-errcode'/>
   <feature policy='require' name='vmx-nested-exception'/>
+  <feature policy='require' name='vmx-ple'/>
   <feature policy='disable' name='hle'/>
   <feature policy='disable' name='rtm'/>
   <feature policy='disable' name='taa-no'/>
@@ -63,16 +64,7 @@
   <feature policy='disable' name='vmx-store-lma'/>
   <feature policy='disable' name='vmx-activity-hlt'/>
   <feature policy='disable' name='vmx-vmwrite-vmexit-fields'/>
-  <feature policy='disable' name='vmx-apicv-xapic'/>
-  <feature policy='disable' name='vmx-ept'/>
-  <feature policy='disable' name='vmx-desc-exit'/>
-  <feature policy='disable' name='vmx-rdtscp-exit'/>
-  <feature policy='disable' name='vmx-apicv-x2apic'/>
-  <feature policy='disable' name='vmx-vpid'/>
-  <feature policy='disable' name='vmx-wbinvd-exit'/>
-  <feature policy='disable' name='vmx-unrestricted-guest'/>
   <feature policy='disable' name='vmx-apicv-register'/>
-  <feature policy='disable' name='vmx-apicv-vid'/>
   <feature policy='disable' name='vmx-rdrand-exit'/>
   <feature policy='disable' name='vmx-invpcid-exit'/>
   <feature policy='disable' name='vmx-vmfunc'/>
@@ -99,6 +91,11 @@
   <feature policy='disable' name='vmx-vintr-pending'/>
   <feature policy='disable' name='vmx-tsc-offset'/>
   <feature policy='disable' name='vmx-hlt-exit'/>
+  <feature policy='disable' name='vmx-invlpg-exit'/>
+  <feature policy='disable' name='vmx-mwait-exit'/>
+  <feature policy='disable' name='vmx-rdpmc-exit'/>
+  <feature policy='disable' name='vmx-rdtsc-exit'/>
+  <feature policy='disable' name='vmx-cr3-load-noexit'/>
   <feature policy='disable' name='vmx-cr3-store-noexit'/>
   <feature policy='disable' name='vmx-cr8-load-exit'/>
   <feature policy='disable' name='vmx-cr8-store-exit'/>
@@ -112,6 +109,7 @@
   <feature policy='disable' name='vmx-monitor-exit'/>
   <feature policy='disable' name='vmx-pause-exit'/>
   <feature policy='disable' name='vmx-secondary-ctls'/>
+  <feature policy='disable' name='vmx-exit-nosave-debugctl'/>
   <feature policy='disable' name='vmx-exit-load-perf-global-ctrl'/>
   <feature policy='disable' name='vmx-exit-ack-intr'/>
   <feature policy='disable' name='vmx-exit-save-pat'/>
@@ -119,6 +117,7 @@
   <feature policy='disable' name='vmx-exit-save-efer'/>
   <feature policy='disable' name='vmx-exit-load-efer'/>
   <feature policy='disable' name='vmx-exit-save-preemption-timer'/>
+  <feature policy='disable' name='vmx-entry-noload-debugctl'/>
   <feature policy='disable' name='vmx-entry-ia32e-mode'/>
   <feature policy='disable' name='vmx-entry-load-perf-global-ctrl'/>
   <feature policy='disable' name='vmx-entry-load-pat'/>

tests/cputestdata/x86_64-cpuid-Xeon-6788P-host.xml

@@ -89,13 +89,16 @@
   <feature name='rfds-no'/>
   <feature name='vmx-any-errcode'/>
   <feature name='vmx-nested-exception'/>
+  <feature name='vmx-apicv-xapic'/>
+  <feature name='vmx-ept'/>
+  <feature name='vmx-desc-exit'/>
+  <feature name='vmx-rdtscp-exit'/>
+  <feature name='vmx-apicv-x2apic'/>
+  <feature name='vmx-vpid'/>
+  <feature name='vmx-wbinvd-exit'/>
+  <feature name='vmx-unrestricted-guest'/>
+  <feature name='vmx-apicv-vid'/>
+  <feature name='vmx-ple'/>
   <feature name='vmx-invept-single-context'/>
   <feature name='vmx-invept-all-context'/>
-  <feature name='vmx-invlpg-exit'/>
-  <feature name='vmx-mwait-exit'/>
-  <feature name='vmx-rdpmc-exit'/>
-  <feature name='vmx-rdtsc-exit'/>
-  <feature name='vmx-cr3-load-noexit'/>
-  <feature name='vmx-exit-nosave-debugctl'/>
-  <feature name='vmx-entry-noload-debugctl'/>
 </cpu>

tests/cputestdata/x86_64-cpuid-Xeon-Bronze-3408U-enabled.xml

@@ -11,11 +11,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x0c00e0eb'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06137bff'/>
+  <msr index='0x48b' edx='0x06137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x063300c1'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000e204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-E3-1270-v5-enabled.xml

@@ -8,11 +8,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x08000048'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x001378ff'/>
+  <msr index='0x48b' edx='0x001378ff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x00000069'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x00fc9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0001e204'/>
+  <msr index='0x48d' edx='0x00000069' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x00fc9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0001e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-Gold-6152-enabled.xml

@@ -9,11 +9,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x08000048'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x02137bff'/>
+  <msr index='0x48b' edx='0x02137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x00fc9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0001e204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x00fc9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0001e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-Gold-6530-enabled.xml

@@ -10,11 +10,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x0c00e0eb'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06137bff'/>
+  <msr index='0x48b' edx='0x06137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x063300c1'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c8004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000c204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c8004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000c204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-Platinum-9242-enabled.xml

@@ -9,11 +9,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x000000eb'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000060'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x00137bff'/>
+  <msr index='0x48b' edx='0x00137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c8004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000c204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c8004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000c204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-Silver-4214R-enabled.xml

@@ -9,11 +9,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x080000eb'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x02137bff'/>
+  <msr index='0x48b' edx='0x02137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x06330041'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x00fc9004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0001e204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x00fc9004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0001e204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/cputestdata/x86_64-cpuid-Xeon-w7-3465X-enabled.xml

@@ -10,11 +10,11 @@
   <msr index='0x10a' edx='0x00000000' eax='0x0c00e0eb'/>
   <msr index='0x480' edx='0x00c00000' eax='0x00000000'/>
   <msr index='0x485' edx='0x00000000' eax='0x20000160'/>
-  <msr index='0x48b' edx='0x00000000' eax='0x06137bff'/>
+  <msr index='0x48b' edx='0x06137bff' eax='0x00000000'/>
   <msr index='0x48c' edx='0x00000d01' eax='0x063300c1'/>
-  <msr index='0x48d' edx='0x00000000' eax='0x000000e9'/>
-  <msr index='0x48e' edx='0x00000000' eax='0xfbf99e8c'/>
-  <msr index='0x48f' edx='0x00000000' eax='0x007c8004'/>
-  <msr index='0x490' edx='0x00000000' eax='0x0000c204'/>
+  <msr index='0x48d' edx='0x000000e9' eax='0x00000000'/>
+  <msr index='0x48e' edx='0xfbf99e8c' eax='0x00000000'/>
+  <msr index='0x48f' edx='0x007c8004' eax='0x00000000'/>
+  <msr index='0x490' edx='0x0000c204' eax='0x00000000'/>
   <msr index='0x491' edx='0x00000000' eax='0x00000001'/>
 </cpudata>

tests/meson.build

@@ -259,6 +259,13 @@ if conf.has('WITH_QEMU')
   domaincapstest_link_whole += [ test_utils_qemu_lib ]
 endif
 
+virfirewalltest_include = []
+virfirewalltest_link_with = []
+if conf.has('WITH_NETWORK')
+  virfirewalltest_include += [ network_inc_dir ]
+  virfirewalltest_link_with += [ network_driver_impl ]
+endif
+
 tests += [
   { 'name': 'commandtest' },
   { 'name': 'cputest', 'link_with': cputest_link_with, 'link_whole': cputest_link_whole },
@@ -286,7 +293,7 @@ tests += [
   { 'name': 'virerrortest' },
   { 'name': 'virfilecachetest' },
   { 'name': 'virfiletest' },
-  { 'name': 'virfirewalltest' },
+  { 'name': 'virfirewalltest', 'include': virfirewalltest_include, 'link_with': virfirewalltest_link_with },
   { 'name': 'virhostcputest', 'link_whole': [ test_file_wrapper_lib ] },
   { 'name': 'virhostdevtest' },
   { 'name': 'viridentitytest' },

tests/virfirewalltest.c

@@ -26,6 +26,9 @@
 
 # include "virbuffer.h"
 # include "virfirewall.h"
+# if WITH_NETWORK
+#  include "network_iptables.h"
+# endif
 
 # define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
 # include "vircommandpriv.h"
@@ -763,6 +766,113 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED)
 }
 
 
+static void G_GNUC_UNUSED
+testIPtablesSetupPrivateChainsHook(const char *const *args,
+                                   const char *const *env G_GNUC_UNUSED,
+                                   const char *input G_GNUC_UNUSED,
+                                   char **output,
+                                   char **error,
+                                   int *status,
+                                   void *opaque G_GNUC_UNUSED)
+{
+    if (STREQ_NULLABLE(*args, "iptables") &&
+        STREQ_NULLABLE(*(args + 1), "-w") &&
+        STREQ_NULLABLE(*(args + 2), "--table") &&
+        STREQ_NULLABLE(*(args + 3), "filter") &&
+        STREQ_NULLABLE(*(args + 4), "--list-rules")) {
+        *output = g_strdup("-P INPUT ACCEPT\n"
+                           "-P FORWARD ACCEPT\n"
+                           "-P OUTPUT ACCEPT\n"
+                          );
+        *error = NULL;
+        *status = EXIT_SUCCESS;
+        return;
+    }
+
+    if (STREQ_NULLABLE(*args, "iptables") &&
+        STREQ_NULLABLE(*(args + 1), "-w") &&
+        STREQ_NULLABLE(*(args + 2), "--table") &&
+        STREQ_NULLABLE(*(args + 3), "nat") &&
+        STREQ_NULLABLE(*(args + 4), "--list-rules")) {
+        *output = g_strdup("-P PREROUTING ACCEPT\n"
+                           "-P INPUT ACCEPT\n"
+                           "-P OUTPUT ACCEPT\n"
+                           "-P POSTROUTING ACCEPT\n");
+        *error = NULL;
+        *status = EXIT_SUCCESS;
+        return;
+    }
+
+    /* Intentionally steering away from empty rules above. This is how the
+     * table looks AFTER we've injected our rules. The idea is to cover more
+     * lines, esp. in iptablesPrivateChainCreate(). */
+    if (STREQ_NULLABLE(*args, "iptables") &&
+        STREQ_NULLABLE(*(args + 1), "-w") &&
+        STREQ_NULLABLE(*(args + 2), "--table") &&
+        STREQ_NULLABLE(*(args + 3), "mangle") &&
+        STREQ_NULLABLE(*(args + 4), "--list-rules")) {
+        *output = g_strdup("-P PREROUTING ACCEPT\n"
+                           "-P INPUT ACCEPT\n"
+                           "-P FORWARD ACCEPT\n"
+                           "-P OUTPUT ACCEPT\n"
+                           "-P POSTROUTING ACCEPT\n"
+                           "-N LIBVIRT_PRT\n"
+                           "-A POSTROUTING -j LIBVIRT_PRT\n"
+                           "-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill\n");
+        *error = NULL;
+        *status = EXIT_SUCCESS;
+        return;
+    }
+
+    *output = NULL;
+    *error = NULL;
+    *status = EXIT_SUCCESS;
+}
+
+
+static int
+testIPtablesSetupPrivateChains(const void *opaque G_GNUC_UNUSED)
+{
+# if WITH_NETWORK
+    g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
+    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+    const char *actual;
+    const char *expected =
+        IPTABLES " -w --table filter --list-rules\n"
+        IPTABLES " -w --table nat --list-rules\n"
+        IPTABLES " -w --table mangle --list-rules\n"
+        IPTABLES " -w --table filter --new-chain LIBVIRT_INP\n"
+        IPTABLES " -w --table filter --insert INPUT --jump LIBVIRT_INP\n"
+        IPTABLES " -w --table filter --new-chain LIBVIRT_OUT\n"
+        IPTABLES " -w --table filter --insert OUTPUT --jump LIBVIRT_OUT\n"
+        IPTABLES " -w --table filter --new-chain LIBVIRT_FWO\n"
+        IPTABLES " -w --table filter --insert FORWARD --jump LIBVIRT_FWO\n"
+        IPTABLES " -w --table filter --new-chain LIBVIRT_FWI\n"
+        IPTABLES " -w --table filter --insert FORWARD --jump LIBVIRT_FWI\n"
+        IPTABLES " -w --table filter --new-chain LIBVIRT_FWX\n"
+        IPTABLES " -w --table filter --insert FORWARD --jump LIBVIRT_FWX\n"
+        IPTABLES " -w --table nat --new-chain LIBVIRT_PRT\n"
+        IPTABLES " -w --table nat --insert POSTROUTING --jump LIBVIRT_PRT\n";
+
+    virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testIPtablesSetupPrivateChainsHook, NULL);
+
+    if (iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV4) < 0)
+        return -1;
+
+    actual = virBufferCurrentContent(&cmdbuf);
+
+    if (virTestCompareToString(expected, actual) < 0) {
+        fprintf(stderr, "Unexpected command execution\n");
+        return -1;
+    }
+
+    return 0;
+# else
+    return EXIT_AM_SKIP;
+# endif
+}
+
+
 static int
 mymain(void)
 {
@@ -784,6 +894,7 @@ mymain(void)
     RUN_TEST("many rollback", testFirewallManyRollback);
     RUN_TEST("chained rollback", testFirewallChainedRollback);
     RUN_TEST("query transaction", testFirewallQuery);
+    RUN_TEST("setup private chains", testIPtablesSetupPrivateChains);
 
     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }

tests/virstringtest.c

@@ -111,6 +111,51 @@ testStringSortCompare(const void *opaque G_GNUC_UNUSED)
 }
 
 
+#define TEST_STR "This is a static string with spaces"
+#define TEST_SPACES "   "
+
+static int
+testSkipSpacesBackwards(const void *opaque G_GNUC_UNUSED)
+{
+    const char *str = TEST_STR TEST_SPACES;
+    const char *eol = NULL;
+
+    virSkipSpacesBackwards(str, &eol);
+
+    if (STRNEQ(str, TEST_STR TEST_SPACES)) {
+        fprintf(stderr, "expected '" TEST_STR TEST_SPACES "' got '%s'\n", str);
+        return -1;
+    }
+
+    while (g_ascii_isspace(*eol))
+        eol++;
+
+    if (*eol != '\0') {
+        fprintf(stderr, "expected empty string, got '%s'\n", eol);
+        return -1;
+    }
+
+    eol = (char *)str + strlen(TEST_STR);
+
+    virSkipSpacesBackwards(str, &eol);
+
+    if (STRNEQ(str, TEST_STR TEST_SPACES)) {
+        fprintf(stderr, "expected '" TEST_STR TEST_SPACES "' got '%s'\n", str);
+        return -1;
+    }
+
+    if (STRNEQ(eol, TEST_SPACES)) {
+        fprintf(stderr, "expected empty string, got '%s'\n", eol);
+        return -1;
+    }
+
+    return 0;
+}
+
+#undef TEST_SPACES
+#undef TEST_STR
+
+
 struct stringSearchData {
     const char *str;
     const char *regexp;
@@ -463,6 +508,9 @@ mymain(void)
     if (virTestRun("virStringSortCompare", testStringSortCompare, NULL) < 0)
         ret = -1;
 
+    if (virTestRun("virSkipSpacesBackwards", testSkipSpacesBackwards, NULL) < 0)
+        ret = -1;
+
 #define TEST_SEARCH(s, r, x, n, m, e) \
     do { \
         struct stringSearchData data = { \

tools/vsh.c

@@ -413,7 +413,7 @@ vshCmddefCheckInternals(vshControl *ctl,
         case VSH_OT_ALIAS: {
             size_t j;
             g_autofree char *name = NULL;
-            char *p;
+            const char *p;
 
             if (opt->required ||
                 opt->positional ||
@@ -502,7 +502,7 @@ vshCmdGetOption(vshControl *ctl,
                alias of option and its default value */
             alias = g_strdup(n->def->help);
             name = alias;
-            if ((value = strchr(name, '='))) {
+            if ((value = strchr(alias, '='))) {
                 *value = '\0';
                 if (*optstr) {
                     if (report)
@@ -1660,7 +1660,7 @@ vshCommandParse(vshControl *ctl,
              *   value
              *   -- (terminate accepting '--option', fill only positional args)
              */
-            const char *optionname = tkdata + 2;
+            char *optionname = tkdata + 2;
             char *sep;
 
             if (!STRPREFIX(tkdata, "--")) {