[Qemu-devel] [PULL 0/8] Usb 20180612 patches

[Qemu-devel] [PULL 0/8] Usb 20180612 patches

[Gerd Hoffmann]

The following changes since commit 2afc4e3df80d947dd1bd42ce80278f591b35c74a:

  Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2018-06-11' into staging (2018-06-11 15:31:20 +0100)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/usb-20180612-pull-request

for you to fetch changes up to 3c969a6022438cf59de10d2dc3c58f4807788f98:

  usb-mtp: Return error on suspicious TYPE_DATA packet from initiator (2018-06-12 12:08:12 +0200)

----------------------------------------------------------------
usb: bug fix collection, doc update.

----------------------------------------------------------------

Bandan Das (1):
  usb-mtp: Return error on suspicious TYPE_DATA packet from initiator

Gerd Hoffmann (1):
  usb: update docs

Marc-André Lureau (4):
  bus: do not unref the added child bus on realize
  object: fix OBJ_PROP_LINK_UNREF_ON_RELEASE ambivalence
  usb-ccid: fix bus leak
  usb-hcd-xhci-test: add a test for ccid hotplug

Philippe Mathieu-Daudé (2):
  usb: correctly handle Zero Length Packets
  usb/dev-mtp: Fix use of uninitialized values

 docs/usb2.txt                 | 99 ++++++++++++++++++++++++-------------------
 include/qom/object.h          | 12 ++++--
 hw/core/bus.c                 |  1 -
 hw/core/qdev-properties.c     |  2 +-
 hw/core/qdev.c                |  2 +-
 hw/display/xlnx_dp.c          |  2 +-
 hw/dma/xilinx_axidma.c        |  4 +-
 hw/dma/xlnx-zdma.c            |  2 +-
 hw/i386/pc.c                  |  2 +-
 hw/i386/pc_piix.c             |  2 +-
 hw/i386/pc_q35.c              |  2 +-
 hw/ipmi/ipmi.c                |  2 +-
 hw/net/xilinx_axienet.c       |  4 +-
 hw/ssi/xilinx_spips.c         |  2 +-
 hw/usb/dev-mtp.c              | 11 ++++-
 hw/usb/dev-smartcard-reader.c |  1 +
 hw/usb/redirect.c             |  2 +-
 net/can/can_host.c            |  2 +-
 net/colo-compare.c            |  2 +-
 qom/object.c                  |  8 ++--
 target/arm/cpu.c              |  4 +-
 tests/usb-hcd-xhci-test.c     | 10 +++++
 ui/console.c                  |  2 +-
 23 files changed, 109 insertions(+), 71 deletions(-)

-- 
2.9.3

[Qemu-devel] [PULL 1/8] usb: update docs

[Gerd Hoffmann]

xhci is rock solid meanwhile.  So move it up in the docs and feature it
as prefered usb host adapter, instead of the old shy version saying "you
might want try ...".

While being at it rework the text on ehci and companion controllers too.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 20180605132915.3640-1-kraxel@redhat.com
---
 docs/usb2.txt | 99 +++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 55 insertions(+), 44 deletions(-)

diff --git a/docs/usb2.txt b/docs/usb2.txt
index 09df45b5b1..e2fa2cfde0 100644
--- a/docs/usb2.txt
+++ b/docs/usb2.txt
@@ -1,16 +1,42 @@
 
-USB 2.0 Quick Start
-===================
+USB Quick Start
+===============
 
-The QEMU EHCI Adapter can be used with and without companion
-controllers.  See below for the companion controller mode.
+XHCI controller support
+-----------------------
 
-When not running in companion controller mode there are two completely
-separate USB busses: One USB 1.1 bus driven by the UHCI controller and
-one USB 2.0 bus driven by the EHCI controller.  Devices must be
-attached to the correct controller manually.
+QEMU has XHCI host adapter support.  The XHCI hardware design is much
+more virtualization-friendly when compared to EHCI and UHCI, thus XHCI
+emulation uses less resources (especially cpu).  So if your guest
+supports XHCI (which should be the case for any operating system
+released around 2010 or later) we recommend using it:
 
-The '-usb' switch will make qemu create the UHCI controller as part of
+    qemu -device qemu-xhci
+
+XHCI supports USB 1.1, USB 2.0 and USB 3.0 devices, so this is the
+only controller you need.  With only a single USB controller (and
+therefore only a single USB bus) present in the system there is no
+need to use the bus= parameter when adding USB devices.
+
+
+EHCI controller support
+-----------------------
+
+The QEMU EHCI Adapter supports USB 2.0 devices.  It can be used either
+standalone or with companion controllers (UHCI, OHCI) for USB 1.1
+devices.  The companion controller setup is more convenient to use
+because it provides a single USB bus supporting both USB 2.0 and USB
+1.1 devices.  See next section for details.
+
+When running EHCI in standalone mode you can add UHCI or OHCI
+controllers for USB 1.1 devices too.  Each controller creates its own
+bus though, so there are two completely separate USB buses: One USB
+1.1 bus driven by the UHCI controller and one USB 2.0 bus driven by
+the EHCI controller.  Devices must be attached to the correct
+controller manually.
+
+The easiest way to add a UHCI controller to a 'pc' machine is the
+'-usb' switch.  QEMU will create the UHCI controller as function of
 the PIIX3 chipset.  The USB 1.1 bus will carry the name "usb-bus.0".
 
 You can use the standard -device switch to add a EHCI controller to
@@ -19,9 +45,8 @@ the controller so the USB 2.0 bus gets a individual name, for example
 '-device usb-ehci,id=ehci".  This will give you a USB 2.0 bus named
 "ehci.0".
 
-I strongly recommend to also use -device to attach usb devices because
-you can specify the bus they should be attached to this way.  Here is
-a complete example:
+When adding USB devices using the -device switch you can specify the
+bus they should be attached to.  Here is a complete example:
 
     qemu -M pc ${otheroptions}                           \
         -drive if=none,id=usbstick,file=/path/to/image   \
@@ -30,58 +55,44 @@ a complete example:
         -device usb-tablet,bus=usb-bus.0                 \
         -device usb-storage,bus=ehci.0,drive=usbstick
 
-This attaches a usb tablet to the UHCI adapter and a usb mass storage
+This attaches a USB tablet to the UHCI adapter and a USB mass storage
 device to the EHCI adapter.
 
 
 Companion controller support
 ----------------------------
 
-Companion controller support has been added recently.  The operational
-model described above with two completely separate busses still works
-fine.  Additionally the UHCI and OHCI controllers got the ability to
-attach to a usb bus created by EHCI as companion controllers.  This is
-done by specifying the masterbus and firstport properties.  masterbus
-specifies the bus name the controller should attach to.  firstport
-specifies the first port the controller should attach to, which is
-needed as usually one ehci controller with six ports has three uhci
-companion controllers with two ports each.
+The UHCI and OHCI controllers can attach to a USB bus created by EHCI
+as companion controllers.  This is done by specifying the masterbus
+and firstport properties.  masterbus specifies the bus name the
+controller should attach to.  firstport specifies the first port the
+controller should attach to, which is needed as usually one EHCI
+controller with six ports has three UHCI companion controllers with
+two ports each.
 
-There is a config file in docs which will do all this for you, just
-try ...
+There is a config file in docs which will do all this for
+you, just try ...
 
     qemu -readconfig docs/config/ich9-ehci-uhci.cfg
 
-... then use "bus=ehci.0" to assign your usb devices to that bus.
+... then use "bus=ehci.0" to assign your USB devices to that bus.
 
-
-xhci controller support
------------------------
-
-There is also xhci host controller support available.  It got a lot
-less testing than ehci and there are a bunch of known limitations, so
-ehci may work better for you.  On the other hand the xhci hardware
-design is much more virtualization-friendly, thus xhci emulation uses
-less resources (especially cpu).  If you want to give xhci a try
-use this to add the host controller ...
-
-    qemu -device nec-usb-xhci,id=xhci
-
-... then use "bus=xhci.0" when assigning usb devices.
+Using the '-usb' switch for 'q35' machines will create a similar
+USB controller configuration.
 
 
 More USB tips & tricks
 ======================
 
-Recently the usb pass through driver (also known as usb-host) and the
-qemu usb subsystem gained a few capabilities which are available only
+Recently the USB pass through driver (also known as usb-host) and the
+QEMU USB subsystem gained a few capabilities which are available only
 via qdev properties, i,e. when using '-device'.
 
 
 physical port addressing
 ------------------------
 
-First you can (for all usb devices) specify the physical port where
+First you can (for all USB devices) specify the physical port where
 the device will show up in the guest.  This can be done using the
 "port" property.  UHCI has two root ports (1,2).  EHCI has four root
 ports (1-4), the emulated (1.1) USB hub has eight ports.
@@ -94,7 +105,7 @@ Plugging a hub into UHCI port 2 works like this:
 
         -device usb-hub,bus=usb-bus.0,port=2
 
-Plugging a virtual usb stick into port 4 of the hub just plugged works
+Plugging a virtual USB stick into port 4 of the hub just plugged works
 this way:
 
         -device usb-storage,bus=usb-bus.0,port=2.4,drive=...
@@ -143,7 +154,7 @@ practice only a few combinations are useful:
 
 Note that USB 1.1 devices are handled by UHCI/OHCI and USB 2.0 by
 EHCI.  That means a device plugged into the very same physical port
-may show up on different busses depending on the speed.  The port I'm
+may show up on different buses depending on the speed.  The port I'm
 using for testing is bus 1 + port 1 for 2.0 devices and bus 3 + port 1
 for 1.1 devices.  Passing through any device plugged into that port
 and also assign them to the correct bus can be done this way:
-- 
2.9.3

[Qemu-devel] [PULL 2/8] usb: correctly handle Zero Length Packets

[Gerd Hoffmann]

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

USB Specification Revision 2.0, §5.5.3:
  The Data stage of a control transfer from an endpoint to the host is complete when the endpoint does one of the following:
  • Has transferred exactly the amount of data specified during the Setup stage
  • Transfers a packet with a payload size less than wMaxPacketSize or transfers a zero-length packet"

hw/usb/redirect.c:802:9: warning: Declared variable-length array (VLA) has zero size
        uint8_t buf[size];
        ^~~~~~~~~~~ ~~~~

Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180604151421.23385-2-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/redirect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 65a9196c1a..58e8f7f5bd 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -795,7 +795,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
            usbredirparser_peer_has_cap(dev->parser,
                                        usb_redir_cap_32bits_bulk_length));
 
-    if (ep & USB_DIR_IN) {
+    if (ep & USB_DIR_IN || size == 0) {
         usbredirparser_send_bulk_packet(dev->parser, p->id,
                                         &bulk_packet, NULL, 0);
     } else {
-- 
2.9.3

[Qemu-devel] [PULL 3/8] usb/dev-mtp: Fix use of uninitialized values

[Gerd Hoffmann]

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

This fixes:

  hw/usb/dev-mtp.c:971:5: warning: 4th function call argument is an uninitialized value
      trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path,
                                           c->argv[1], c->argv[2]);
                                                       ^~~~~~~~~~
and:

  hw/usb/dev-mtp.c:981:12: warning: Assigned value is garbage or undefined
      offset = c->argv[1];
               ^ ~~~~~~~~~~

Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180604151421.23385-3-f4bug@amsat.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/dev-mtp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 560c61c7c1..b0ab6a7912 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1017,12 +1017,16 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
 static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
                                            MTPObject *o)
 {
-    MTPData *d = usb_mtp_data_alloc(c);
+    MTPData *d;
     off_t offset;
 
+    if (c->argc <= 2) {
+        return NULL;
+    }
     trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path,
                                         c->argv[1], c->argv[2]);
 
+    d = usb_mtp_data_alloc(c);
     d->fd = open(o->path, O_RDONLY);
     if (d->fd == -1) {
         usb_mtp_data_free(d);
-- 
2.9.3

[Qemu-devel] [PULL 4/8] bus: do not unref the added child bus on realize

[Gerd Hoffmann]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

When the parent bus removes the child property, it takes care of
removing the added reference, in object_finalize_child_property().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180531195119.22021-2-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/core/bus.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/core/bus.c b/hw/core/bus.c
index 4651f24486..ad0c9df335 100644
--- a/hw/core/bus.c
+++ b/hw/core/bus.c
@@ -102,7 +102,6 @@ static void qbus_realize(BusState *bus, DeviceState *parent, const char *name)
         QLIST_INSERT_HEAD(&bus->parent->child_bus, bus, sibling);
         bus->parent->num_child_bus++;
         object_property_add_child(OBJECT(bus->parent), bus->name, OBJECT(bus), NULL);
-        object_unref(OBJECT(bus));
     } else if (bus != sysbus_get_default()) {
         /* TODO: once all bus devices are qdevified,
            only reset handler for main_system_bus should be registered here. */
-- 
2.9.3

[Qemu-devel] [PULL 5/8] object: fix OBJ_PROP_LINK_UNREF_ON_RELEASE ambivalence

[Gerd Hoffmann]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

A link property can be set during creation, with
object_property_add_link() and later with object_property_set_link().

add_link() doesn't add a reference to the target object, while
set_link() does.

Furthemore, OBJ_PROP_LINK_UNREF_ON_RELEASE flags, set during add_link,
says whether a reference must be released when the property is destroyed.
This can lead to leaks if the property was later set_link(), as the
added reference is never released.

Instead, rename OBJ_PROP_LINK_UNREF_ON_RELEASE to OBJ_PROP_LINK_STRONG
and use that has an indication on how the link handle reference
management in set_link().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180531195119.22021-3-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 include/qom/object.h      | 12 +++++++++---
 hw/core/qdev-properties.c |  2 +-
 hw/core/qdev.c            |  2 +-
 hw/display/xlnx_dp.c      |  2 +-
 hw/dma/xilinx_axidma.c    |  4 ++--
 hw/dma/xlnx-zdma.c        |  2 +-
 hw/i386/pc.c              |  2 +-
 hw/i386/pc_piix.c         |  2 +-
 hw/i386/pc_q35.c          |  2 +-
 hw/ipmi/ipmi.c            |  2 +-
 hw/net/xilinx_axienet.c   |  4 ++--
 hw/ssi/xilinx_spips.c     |  2 +-
 net/can/can_host.c        |  2 +-
 net/colo-compare.c        |  2 +-
 qom/object.c              |  8 +++++---
 target/arm/cpu.c          |  4 ++--
 ui/console.c              |  2 +-
 17 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/include/qom/object.h b/include/qom/object.h
index a0c78c76f7..f3d2308d56 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -1103,6 +1103,11 @@ char *object_property_get_str(Object *obj, const char *name,
  * @errp: returns an error if this function fails
  *
  * Writes an object's canonical path to a property.
+ *
+ * If the link property was created with
+ * <code>OBJ_PROP_LINK_STRONG</code> bit, the old target object is
+ * unreferenced, and a reference is added to the new target object.
+ *
  */
 void object_property_set_link(Object *obj, Object *value,
                               const char *name, Error **errp);
@@ -1394,7 +1399,7 @@ void object_property_add_child(Object *obj, const char *name,
 
 typedef enum {
     /* Unref the link pointer when the property is deleted */
-    OBJ_PROP_LINK_UNREF_ON_RELEASE = 0x1,
+    OBJ_PROP_LINK_STRONG = 0x1,
 } ObjectPropertyLinkFlags;
 
 /**
@@ -1432,8 +1437,9 @@ void object_property_allow_set_link(const Object *, const char *,
  * link property.  The reference count for <code>*@child</code> is
  * managed by the property from after the function returns till the
  * property is deleted with object_property_del().  If the
- * <code>@flags</code> <code>OBJ_PROP_LINK_UNREF_ON_RELEASE</code> bit is set,
- * the reference count is decremented when the property is deleted.
+ * <code>@flags</code> <code>OBJ_PROP_LINK_STRONG</code> bit is set,
+ * the reference count is decremented when the property is deleted or
+ * modified.
  */
 void object_property_add_link(Object *obj, const char *name,
                               const char *type, Object **child,
diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
index 989778ab7f..35072dec1e 100644
--- a/hw/core/qdev-properties.c
+++ b/hw/core/qdev-properties.c
@@ -1308,7 +1308,7 @@ static void create_link_property(Object *obj, Property *prop, Error **errp)
     object_property_add_link(obj, prop->name, prop->link_type,
                              child,
                              qdev_prop_allow_set_link_before_realize,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              errp);
 }
 
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index ffec461791..cf0db4b6da 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -409,7 +409,7 @@ void qdev_init_gpio_out_named(DeviceState *dev, qemu_irq *pins,
         object_property_add_link(OBJECT(dev), propname, TYPE_IRQ,
                                  (Object **)&pins[i],
                                  object_property_allow_set_link,
-                                 OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                                 OBJ_PROP_LINK_STRONG,
                                  &error_abort);
         g_free(propname);
     }
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index c32ab083f8..51301220e8 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -1223,7 +1223,7 @@ static void xlnx_dp_init(Object *obj)
     object_property_add_link(obj, "dpdma", TYPE_XLNX_DPDMA,
                              (Object **) &s->dpdma,
                              xlnx_dp_set_dpdma,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &error_abort);
 
     /*
diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c
index 9b48103574..401a328e27 100644
--- a/hw/dma/xilinx_axidma.c
+++ b/hw/dma/xilinx_axidma.c
@@ -525,12 +525,12 @@ static void xilinx_axidma_realize(DeviceState *dev, Error **errp)
     object_property_add_link(OBJECT(ds), "dma", TYPE_XILINX_AXI_DMA,
                              (Object **)&ds->dma,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &local_err);
     object_property_add_link(OBJECT(cs), "dma", TYPE_XILINX_AXI_DMA,
                              (Object **)&cs->dma,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &local_err);
     if (local_err) {
         goto xilinx_axidma_realize_fail;
diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
index 8eea757aff..b6745f5bcf 100644
--- a/hw/dma/xlnx-zdma.c
+++ b/hw/dma/xlnx-zdma.c
@@ -787,7 +787,7 @@ static void zdma_init(Object *obj)
     object_property_add_link(obj, "dma", TYPE_MEMORY_REGION,
                              (Object **)&s->dma_mr,
                              qdev_prop_allow_set_link_before_realize,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &error_abort);
 }
 
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index f3befe6721..ea57a46f81 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -483,7 +483,7 @@ void pc_cmos_init(PCMachineState *pcms,
                              TYPE_ISA_DEVICE,
                              (Object **)&pcms->rtc,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort);
+                             OBJ_PROP_LINK_STRONG, &error_abort);
     object_property_set_link(OBJECT(pcms), OBJECT(s),
                              "rtc_state", &error_abort);
 
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 3d81136065..d2f0d60361 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -289,7 +289,7 @@ static void pc_init1(MachineState *machine,
                                  TYPE_HOTPLUG_HANDLER,
                                  (Object **)&pcms->acpi_dev,
                                  object_property_allow_set_link,
-                                 OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort);
+                                 OBJ_PROP_LINK_STRONG, &error_abort);
         object_property_set_link(OBJECT(machine), OBJECT(piix4_pm),
                                  PC_MACHINE_ACPI_DEVICE_PROP, &error_abort);
     }
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index b60cbb9266..5be6ef73bb 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -194,7 +194,7 @@ static void pc_q35_init(MachineState *machine)
                              TYPE_HOTPLUG_HANDLER,
                              (Object **)&pcms->acpi_dev,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort);
+                             OBJ_PROP_LINK_STRONG, &error_abort);
     object_property_set_link(OBJECT(machine), OBJECT(lpc),
                              PC_MACHINE_ACPI_DEVICE_PROP, &error_abort);
 
diff --git a/hw/ipmi/ipmi.c b/hw/ipmi/ipmi.c
index 9be281fd87..63c031703d 100644
--- a/hw/ipmi/ipmi.c
+++ b/hw/ipmi/ipmi.c
@@ -104,7 +104,7 @@ void ipmi_bmc_find_and_link(Object *obj, Object **bmc)
 {
     object_property_add_link(obj, "bmc", TYPE_IPMI_BMC, bmc,
                              isa_ipmi_bmc_check,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &error_abort);
 }
 
diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c
index d4c2c89dc1..cc880a3d08 100644
--- a/hw/net/xilinx_axienet.c
+++ b/hw/net/xilinx_axienet.c
@@ -951,12 +951,12 @@ static void xilinx_enet_realize(DeviceState *dev, Error **errp)
     object_property_add_link(OBJECT(ds), "enet", "xlnx.axi-ethernet",
                              (Object **) &ds->enet,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &local_err);
     object_property_add_link(OBJECT(cs), "enet", "xlnx.axi-ethernet",
                              (Object **) &cs->enet,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &local_err);
     if (local_err) {
         goto xilinx_enet_realize_fail;
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 03f5faee4b..f599025956 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1346,7 +1346,7 @@ static void xlnx_zynqmp_qspips_init(Object *obj)
     object_property_add_link(obj, "stream-connected-dma", TYPE_STREAM_SLAVE,
                              (Object **)&rq->dma,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              NULL);
 }
 
diff --git a/net/can/can_host.c b/net/can/can_host.c
index c3d26521cd..c79347abab 100644
--- a/net/can/can_host.c
+++ b/net/can/can_host.c
@@ -77,7 +77,7 @@ static void can_host_instance_init(Object *obj)
     object_property_add_link(obj, "canbus", TYPE_CAN_BUS,
                              (Object **)&ch->bus,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &error_abort);
 }
 
diff --git a/net/colo-compare.c b/net/colo-compare.c
index c3a2be4c90..dd745a491b 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -980,7 +980,7 @@ static void colo_compare_init(Object *obj)
     object_property_add_link(obj, "iothread", TYPE_IOTHREAD,
                             (Object **)&s->iothread,
                             object_property_allow_set_link,
-                            OBJ_PROP_LINK_UNREF_ON_RELEASE, NULL);
+                            OBJ_PROP_LINK_STRONG, NULL);
 
     s->vnet_hdr = false;
     object_property_add_bool(obj, "vnet_hdr_support", compare_get_vnet_hdr,
diff --git a/qom/object.c b/qom/object.c
index cb7a8cd589..e6462f289c 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -1564,9 +1564,11 @@ static void object_set_link_property(Object *obj, Visitor *v,
         return;
     }
 
-    object_ref(new_target);
     *child = new_target;
-    object_unref(old_target);
+    if (prop->flags == OBJ_PROP_LINK_STRONG) {
+        object_ref(new_target);
+        object_unref(old_target);
+    }
 }
 
 static Object *object_resolve_link_property(Object *parent, void *opaque, const gchar *part)
@@ -1581,7 +1583,7 @@ static void object_release_link_property(Object *obj, const char *name,
 {
     LinkProperty *prop = opaque;
 
-    if ((prop->flags & OBJ_PROP_LINK_UNREF_ON_RELEASE) && *prop->child) {
+    if ((prop->flags & OBJ_PROP_LINK_STRONG) && *prop->child) {
         object_unref(*prop->child);
     }
     g_free(prop);
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 5d60893a07..ab047b9402 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -690,7 +690,7 @@ static void arm_cpu_post_init(Object *obj)
                                  TYPE_MEMORY_REGION,
                                  (Object **)&cpu->secure_memory,
                                  qdev_prop_allow_set_link_before_realize,
-                                 OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                                 OBJ_PROP_LINK_STRONG,
                                  &error_abort);
 #endif
     }
@@ -718,7 +718,7 @@ static void arm_cpu_post_init(Object *obj)
     if (arm_feature(&cpu->env, ARM_FEATURE_M_SECURITY)) {
         object_property_add_link(obj, "idau", TYPE_IDAU_INTERFACE, &cpu->idau,
                                  qdev_prop_allow_set_link_before_realize,
-                                 OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                                 OBJ_PROP_LINK_STRONG,
                                  &error_abort);
         qdev_property_add_static(DEVICE(obj), &arm_cpu_initsvtor_property,
                                  &error_abort);
diff --git a/ui/console.c b/ui/console.c
index ef1247f872..bc58458ee8 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -1287,7 +1287,7 @@ static QemuConsole *new_console(DisplayState *ds, console_type_t console_type,
     object_property_add_link(obj, "device", TYPE_DEVICE,
                              (Object **)&s->device,
                              object_property_allow_set_link,
-                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
+                             OBJ_PROP_LINK_STRONG,
                              &error_abort);
     object_property_add_uint32_ptr(obj, "head",
                                    &s->head, &error_abort);
-- 
2.9.3

[Qemu-devel] [PULL 6/8] usb-ccid: fix bus leak

[Gerd Hoffmann]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

qbus_create_inplace() creates a new reference in realize(), it must be
released in unrealize().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180531195119.22021-4-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/dev-smartcard-reader.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 2131e33d27..f7c91230d5 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -1147,6 +1147,7 @@ static void ccid_unrealize(USBDevice *dev, Error **errp)
     USBCCIDState *s = USB_CCID_DEV(dev);
 
     ccid_bulk_in_clear(s);
+    object_unref(OBJECT(&s->bus));
 }
 
 static void ccid_flush_pending_answers(USBCCIDState *s)
-- 
2.9.3

[Qemu-devel] [PULL 7/8] usb-hcd-xhci-test: add a test for ccid hotplug

[Gerd Hoffmann]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180531195119.22021-5-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 tests/usb-hcd-xhci-test.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tests/usb-hcd-xhci-test.c b/tests/usb-hcd-xhci-test.c
index 9c14e3053a..5b1b681bf2 100644
--- a/tests/usb-hcd-xhci-test.c
+++ b/tests/usb-hcd-xhci-test.c
@@ -35,6 +35,15 @@ static void test_usb_uas_hotplug(void)
     qtest_qmp_device_del("uas");
 }
 
+static void test_usb_ccid_hotplug(void)
+{
+    qtest_qmp_device_add("usb-ccid", "ccid", NULL);
+    qtest_qmp_device_del("ccid");
+    /* check the device can be added again */
+    qtest_qmp_device_add("usb-ccid", "ccid", NULL);
+    qtest_qmp_device_del("ccid");
+}
+
 int main(int argc, char **argv)
 {
     int ret;
@@ -44,6 +53,7 @@ int main(int argc, char **argv)
     qtest_add_func("/xhci/pci/init", test_xhci_init);
     qtest_add_func("/xhci/pci/hotplug", test_xhci_hotplug);
     qtest_add_func("/xhci/pci/hotplug/usb-uas", test_usb_uas_hotplug);
+    qtest_add_func("/xhci/pci/hotplug/usb-ccid", test_usb_ccid_hotplug);
 
     qtest_start("-device nec-usb-xhci,id=xhci"
                 " -drive id=drive0,if=none,file=null-co://,format=raw");
-- 
2.9.3

[Qemu-devel] [PULL 8/8] usb-mtp: Return error on suspicious TYPE_DATA packet from initiator

[Gerd Hoffmann]

From: Bandan Das <bsd@redhat.com>

CID 1390604
If the initiator sends a packet with TYPE_DATA set without
initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data
can trip on a null s->data_out.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <jpgr2m8ajfk.fsf_-_@linux.bootlegged.copy>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/dev-mtp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index b0ab6a7912..1ded7ac9a3 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1700,6 +1700,11 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container,
     uint64_t dlen;
     uint32_t data_len = p->iov.size;
 
+    if (!d) {
+            usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0,
+                                 0, 0, 0, 0);
+            return;
+    }
     if (d->first) {
         /* Total length of incoming data */
         d->length = cpu_to_le32(container->length) - sizeof(mtp_container);
-- 
2.9.3

Re: [Qemu-devel] [PULL 0/8] Usb 20180612 patches

[Peter Maydell]

On 12 June 2018 at 11:44, Gerd Hoffmann <kraxel@redhat.com> wrote:
> The following changes since commit 2afc4e3df80d947dd1bd42ce80278f591b35c74a:
>
>   Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2018-06-11' into staging (2018-06-11 15:31:20 +0100)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/usb-20180612-pull-request
>
> for you to fetch changes up to 3c969a6022438cf59de10d2dc3c58f4807788f98:
>
>   usb-mtp: Return error on suspicious TYPE_DATA packet from initiator (2018-06-12 12:08:12 +0200)
>
> ----------------------------------------------------------------
> usb: bug fix collection, doc update.
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM

Re: [Qemu-devel] [PULL 4/8] bus: do not unref the added child bus on realize

[Paolo Bonzini]

On 12/06/2018 12:44, Gerd Hoffmann wrote:
> 
> When the parent bus removes the child property, it takes care of
> removing the added reference, in object_finalize_child_property().
> 
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> Message-id: 20180531195119.22021-2-marcandre.lureau@redhat.com
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/core/bus.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/hw/core/bus.c b/hw/core/bus.c
> index 4651f24486..ad0c9df335 100644
> --- a/hw/core/bus.c
> +++ b/hw/core/bus.c
> @@ -102,7 +102,6 @@ static void qbus_realize(BusState *bus, DeviceState *parent, const char *name)
>          QLIST_INSERT_HEAD(&bus->parent->child_bus, bus, sibling);
>          bus->parent->num_child_bus++;
>          object_property_add_child(OBJECT(bus->parent), bus->name, OBJECT(bus), NULL);
> -        object_unref(OBJECT(bus));

This is wrong.  object_finalize_child_property()'s unref balances the
ref in object_property_add_child().  qbus_realize's unref balances the
ref that was initially placed by object_new/object_initialize.

So you're introducing a leak.

Paolo

Re: [Qemu-devel] [PULL 5/8] object: fix OBJ_PROP_LINK_UNREF_ON_RELEASE ambivalence

[Paolo Bonzini]

On 12/06/2018 12:44, Gerd Hoffmann wrote:
> From: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
> A link property can be set during creation, with
> object_property_add_link() and later with object_property_set_link().
> 
> add_link() doesn't add a reference to the target object, while
> set_link() does.
> 
> Furthemore, OBJ_PROP_LINK_UNREF_ON_RELEASE flags, set during add_link,
> says whether a reference must be released when the property is destroyed.
> This can lead to leaks if the property was later set_link(), as the
> added reference is never released.
> 
> Instead, rename OBJ_PROP_LINK_UNREF_ON_RELEASE to OBJ_PROP_LINK_STRONG
> and use that has an indication on how the link handle reference
> management in set_link().

The difference between add_link() and set_link() is a bit confusing.
Maybe we can mention it explicitly in the documentation of the two
functions, and also explain the rationale for add_link() not ref'ing the
object?

Also, more immediately:

>      /* Unref the link pointer when the property is deleted */

This is wrong now.

Paolo

> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> Message-id: 20180531195119.22021-3-marcandre.lureau@redhat.com
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

 ---
>  include/qom/object.h      | 12 +++++++++---
>  hw/core/qdev-properties.c |  2 +-
>  hw/core/qdev.c            |  2 +-
>  hw/display/xlnx_dp.c      |  2 +-
>  hw/dma/xilinx_axidma.c    |  4 ++--
>  hw/dma/xlnx-zdma.c        |  2 +-
>  hw/i386/pc.c              |  2 +-
>  hw/i386/pc_piix.c         |  2 +-
>  hw/i386/pc_q35.c          |  2 +-
>  hw/ipmi/ipmi.c            |  2 +-
>  hw/net/xilinx_axienet.c   |  4 ++--
>  hw/ssi/xilinx_spips.c     |  2 +-
>  net/can/can_host.c        |  2 +-
>  net/colo-compare.c        |  2 +-
>  qom/object.c              |  8 +++++---
>  target/arm/cpu.c          |  4 ++--
>  ui/console.c              |  2 +-
>  17 files changed, 32 insertions(+), 24 deletions(-)
> 
> diff --git a/include/qom/object.h b/include/qom/object.h
> index a0c78c76f7..f3d2308d56 100644
> --- a/include/qom/object.h
> +++ b/include/qom/object.h
> @@ -1103,6 +1103,11 @@ char *object_property_get_str(Object *obj, const char *name,
>   * @errp: returns an error if this function fails
>   *
>   * Writes an object's canonical path to a property.
> + *
> + * If the link property was created with
> + * <code>OBJ_PROP_LINK_STRONG</code> bit, the old target object is
> + * unreferenced, and a reference is added to the new target object.
> + *
>   */
>  void object_property_set_link(Object *obj, Object *value,
>                                const char *name, Error **errp);
> @@ -1394,7 +1399,7 @@ void object_property_add_child(Object *obj, const char *name,
>  
>  typedef enum {
>      /* Unref the link pointer when the property is deleted */
> -    OBJ_PROP_LINK_UNREF_ON_RELEASE = 0x1,
> +    OBJ_PROP_LINK_STRONG = 0x1,
>  } ObjectPropertyLinkFlags;
>  
>  /**
> @@ -1432,8 +1437,9 @@ void object_property_allow_set_link(const Object *, const char *,
>   * link property.  The reference count for <code>*@child</code> is
>   * managed by the property from after the function returns till the
>   * property is deleted with object_property_del().  If the
> - * <code>@flags</code> <code>OBJ_PROP_LINK_UNREF_ON_RELEASE</code> bit is set,
> - * the reference count is decremented when the property is deleted.
> + * <code>@flags</code> <code>OBJ_PROP_LINK_STRONG</code> bit is set,
> + * the reference count is decremented when the property is deleted or
> + * modified.
>   */
>  void object_property_add_link(Object *obj, const char *name,
>                                const char *type, Object **child,
> diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
> index 989778ab7f..35072dec1e 100644
> --- a/hw/core/qdev-properties.c
> +++ b/hw/core/qdev-properties.c
> @@ -1308,7 +1308,7 @@ static void create_link_property(Object *obj, Property *prop, Error **errp)
>      object_property_add_link(obj, prop->name, prop->link_type,
>                               child,
>                               qdev_prop_allow_set_link_before_realize,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               errp);
>  }
>  
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index ffec461791..cf0db4b6da 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -409,7 +409,7 @@ void qdev_init_gpio_out_named(DeviceState *dev, qemu_irq *pins,
>          object_property_add_link(OBJECT(dev), propname, TYPE_IRQ,
>                                   (Object **)&pins[i],
>                                   object_property_allow_set_link,
> -                                 OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                                 OBJ_PROP_LINK_STRONG,
>                                   &error_abort);
>          g_free(propname);
>      }
> diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
> index c32ab083f8..51301220e8 100644
> --- a/hw/display/xlnx_dp.c
> +++ b/hw/display/xlnx_dp.c
> @@ -1223,7 +1223,7 @@ static void xlnx_dp_init(Object *obj)
>      object_property_add_link(obj, "dpdma", TYPE_XLNX_DPDMA,
>                               (Object **) &s->dpdma,
>                               xlnx_dp_set_dpdma,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &error_abort);
>  
>      /*
> diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c
> index 9b48103574..401a328e27 100644
> --- a/hw/dma/xilinx_axidma.c
> +++ b/hw/dma/xilinx_axidma.c
> @@ -525,12 +525,12 @@ static void xilinx_axidma_realize(DeviceState *dev, Error **errp)
>      object_property_add_link(OBJECT(ds), "dma", TYPE_XILINX_AXI_DMA,
>                               (Object **)&ds->dma,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &local_err);
>      object_property_add_link(OBJECT(cs), "dma", TYPE_XILINX_AXI_DMA,
>                               (Object **)&cs->dma,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &local_err);
>      if (local_err) {
>          goto xilinx_axidma_realize_fail;
> diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
> index 8eea757aff..b6745f5bcf 100644
> --- a/hw/dma/xlnx-zdma.c
> +++ b/hw/dma/xlnx-zdma.c
> @@ -787,7 +787,7 @@ static void zdma_init(Object *obj)
>      object_property_add_link(obj, "dma", TYPE_MEMORY_REGION,
>                               (Object **)&s->dma_mr,
>                               qdev_prop_allow_set_link_before_realize,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &error_abort);
>  }
>  
> diff --git a/hw/i386/pc.c b/hw/i386/pc.c
> index f3befe6721..ea57a46f81 100644
> --- a/hw/i386/pc.c
> +++ b/hw/i386/pc.c
> @@ -483,7 +483,7 @@ void pc_cmos_init(PCMachineState *pcms,
>                               TYPE_ISA_DEVICE,
>                               (Object **)&pcms->rtc,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort);
> +                             OBJ_PROP_LINK_STRONG, &error_abort);
>      object_property_set_link(OBJECT(pcms), OBJECT(s),
>                               "rtc_state", &error_abort);
>  
> diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
> index 3d81136065..d2f0d60361 100644
> --- a/hw/i386/pc_piix.c
> +++ b/hw/i386/pc_piix.c
> @@ -289,7 +289,7 @@ static void pc_init1(MachineState *machine,
>                                   TYPE_HOTPLUG_HANDLER,
>                                   (Object **)&pcms->acpi_dev,
>                                   object_property_allow_set_link,
> -                                 OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort);
> +                                 OBJ_PROP_LINK_STRONG, &error_abort);
>          object_property_set_link(OBJECT(machine), OBJECT(piix4_pm),
>                                   PC_MACHINE_ACPI_DEVICE_PROP, &error_abort);
>      }
> diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
> index b60cbb9266..5be6ef73bb 100644
> --- a/hw/i386/pc_q35.c
> +++ b/hw/i386/pc_q35.c
> @@ -194,7 +194,7 @@ static void pc_q35_init(MachineState *machine)
>                               TYPE_HOTPLUG_HANDLER,
>                               (Object **)&pcms->acpi_dev,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort);
> +                             OBJ_PROP_LINK_STRONG, &error_abort);
>      object_property_set_link(OBJECT(machine), OBJECT(lpc),
>                               PC_MACHINE_ACPI_DEVICE_PROP, &error_abort);
>  
> diff --git a/hw/ipmi/ipmi.c b/hw/ipmi/ipmi.c
> index 9be281fd87..63c031703d 100644
> --- a/hw/ipmi/ipmi.c
> +++ b/hw/ipmi/ipmi.c
> @@ -104,7 +104,7 @@ void ipmi_bmc_find_and_link(Object *obj, Object **bmc)
>  {
>      object_property_add_link(obj, "bmc", TYPE_IPMI_BMC, bmc,
>                               isa_ipmi_bmc_check,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &error_abort);
>  }
>  
> diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c
> index d4c2c89dc1..cc880a3d08 100644
> --- a/hw/net/xilinx_axienet.c
> +++ b/hw/net/xilinx_axienet.c
> @@ -951,12 +951,12 @@ static void xilinx_enet_realize(DeviceState *dev, Error **errp)
>      object_property_add_link(OBJECT(ds), "enet", "xlnx.axi-ethernet",
>                               (Object **) &ds->enet,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &local_err);
>      object_property_add_link(OBJECT(cs), "enet", "xlnx.axi-ethernet",
>                               (Object **) &cs->enet,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &local_err);
>      if (local_err) {
>          goto xilinx_enet_realize_fail;
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index 03f5faee4b..f599025956 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -1346,7 +1346,7 @@ static void xlnx_zynqmp_qspips_init(Object *obj)
>      object_property_add_link(obj, "stream-connected-dma", TYPE_STREAM_SLAVE,
>                               (Object **)&rq->dma,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               NULL);
>  }
>  
> diff --git a/net/can/can_host.c b/net/can/can_host.c
> index c3d26521cd..c79347abab 100644
> --- a/net/can/can_host.c
> +++ b/net/can/can_host.c
> @@ -77,7 +77,7 @@ static void can_host_instance_init(Object *obj)
>      object_property_add_link(obj, "canbus", TYPE_CAN_BUS,
>                               (Object **)&ch->bus,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &error_abort);
>  }
>  
> diff --git a/net/colo-compare.c b/net/colo-compare.c
> index c3a2be4c90..dd745a491b 100644
> --- a/net/colo-compare.c
> +++ b/net/colo-compare.c
> @@ -980,7 +980,7 @@ static void colo_compare_init(Object *obj)
>      object_property_add_link(obj, "iothread", TYPE_IOTHREAD,
>                              (Object **)&s->iothread,
>                              object_property_allow_set_link,
> -                            OBJ_PROP_LINK_UNREF_ON_RELEASE, NULL);
> +                            OBJ_PROP_LINK_STRONG, NULL);
>  
>      s->vnet_hdr = false;
>      object_property_add_bool(obj, "vnet_hdr_support", compare_get_vnet_hdr,
> diff --git a/qom/object.c b/qom/object.c
> index cb7a8cd589..e6462f289c 100644
> --- a/qom/object.c
> +++ b/qom/object.c
> @@ -1564,9 +1564,11 @@ static void object_set_link_property(Object *obj, Visitor *v,
>          return;
>      }
>  
> -    object_ref(new_target);
>      *child = new_target;
> -    object_unref(old_target);
> +    if (prop->flags == OBJ_PROP_LINK_STRONG) {
> +        object_ref(new_target);
> +        object_unref(old_target);
> +    }
>  }
>  
>  static Object *object_resolve_link_property(Object *parent, void *opaque, const gchar *part)
> @@ -1581,7 +1583,7 @@ static void object_release_link_property(Object *obj, const char *name,
>  {
>      LinkProperty *prop = opaque;
>  
> -    if ((prop->flags & OBJ_PROP_LINK_UNREF_ON_RELEASE) && *prop->child) {
> +    if ((prop->flags & OBJ_PROP_LINK_STRONG) && *prop->child) {
>          object_unref(*prop->child);
>      }
>      g_free(prop);
> diff --git a/target/arm/cpu.c b/target/arm/cpu.c
> index 5d60893a07..ab047b9402 100644
> --- a/target/arm/cpu.c
> +++ b/target/arm/cpu.c
> @@ -690,7 +690,7 @@ static void arm_cpu_post_init(Object *obj)
>                                   TYPE_MEMORY_REGION,
>                                   (Object **)&cpu->secure_memory,
>                                   qdev_prop_allow_set_link_before_realize,
> -                                 OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                                 OBJ_PROP_LINK_STRONG,
>                                   &error_abort);
>  #endif
>      }
> @@ -718,7 +718,7 @@ static void arm_cpu_post_init(Object *obj)
>      if (arm_feature(&cpu->env, ARM_FEATURE_M_SECURITY)) {
>          object_property_add_link(obj, "idau", TYPE_IDAU_INTERFACE, &cpu->idau,
>                                   qdev_prop_allow_set_link_before_realize,
> -                                 OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                                 OBJ_PROP_LINK_STRONG,
>                                   &error_abort);
>          qdev_property_add_static(DEVICE(obj), &arm_cpu_initsvtor_property,
>                                   &error_abort);
> diff --git a/ui/console.c b/ui/console.c
> index ef1247f872..bc58458ee8 100644
> --- a/ui/console.c
> +++ b/ui/console.c
> @@ -1287,7 +1287,7 @@ static QemuConsole *new_console(DisplayState *ds, console_type_t console_type,
>      object_property_add_link(obj, "device", TYPE_DEVICE,
>                               (Object **)&s->device,
>                               object_property_allow_set_link,
> -                             OBJ_PROP_LINK_UNREF_ON_RELEASE,
> +                             OBJ_PROP_LINK_STRONG,
>                               &error_abort);
>      object_property_add_uint32_ptr(obj, "head",
>                                     &s->head, &error_abort);
> 

Re: [Qemu-devel] [PULL 6/8] usb-ccid: fix bus leak

[Paolo Bonzini]

On 12/06/2018 12:44, Gerd Hoffmann wrote:
> From: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
> qbus_create_inplace() creates a new reference in realize(), it must be
> released in unrealize().
> 
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> Message-id: 20180531195119.22021-4-marcandre.lureau@redhat.com
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Nope, that's only happening because patch 3 was wrong---and if we did
keep patch 3, you would have to do it in all devices that produce buses;
not just this one.

Paolo

> ---
>  hw/usb/dev-smartcard-reader.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
> index 2131e33d27..f7c91230d5 100644
> --- a/hw/usb/dev-smartcard-reader.c
> +++ b/hw/usb/dev-smartcard-reader.c
> @@ -1147,6 +1147,7 @@ static void ccid_unrealize(USBDevice *dev, Error **errp)
>      USBCCIDState *s = USB_CCID_DEV(dev);
>  
>      ccid_bulk_in_clear(s);
> +    object_unref(OBJECT(&s->bus));
>  }
>  
>  static void ccid_flush_pending_answers(USBCCIDState *s)
> 

Re: [Qemu-devel] [PULL 4/8] bus: do not unref the added child bus on realize

[Marc-André Lureau]

Hi

On Wed, Jun 13, 2018 at 6:05 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> On 12/06/2018 12:44, Gerd Hoffmann wrote:
>>
>> When the parent bus removes the child property, it takes care of
>> removing the added reference, in object_finalize_child_property().
>>
>> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>> Message-id: 20180531195119.22021-2-marcandre.lureau@redhat.com
>> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>> ---
>>  hw/core/bus.c | 1 -
>>  1 file changed, 1 deletion(-)
>>
>> diff --git a/hw/core/bus.c b/hw/core/bus.c
>> index 4651f24486..ad0c9df335 100644
>> --- a/hw/core/bus.c
>> +++ b/hw/core/bus.c
>> @@ -102,7 +102,6 @@ static void qbus_realize(BusState *bus, DeviceState *parent, const char *name)
>>          QLIST_INSERT_HEAD(&bus->parent->child_bus, bus, sibling);
>>          bus->parent->num_child_bus++;
>>          object_property_add_child(OBJECT(bus->parent), bus->name, OBJECT(bus), NULL);
>> -        object_unref(OBJECT(bus));
>
> This is wrong.  object_finalize_child_property()'s unref balances the
> ref in object_property_add_child().  qbus_realize's unref balances the
> ref that was initially placed by object_new/object_initialize.
>
> So you're introducing a leak.

Oops, too bad you didn't review earlier. Hmm.. I vote for reverting
the 4 patches.



-- 
Marc-André Lureau