Check the result of qemu_strtoXX() and assert
if the string cannot be converted.
Signed-off-by: NLaurent Vivier <lvivier@redhat.com>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Reviewed-by: NGreg Kurz <groug@kaod.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

There were a number of bugs in the implementation:

 - The structure alignment was wrong for 64-bit.

 - Also 64-bit only does RT signals.

 - On 64-bit, we need to put a pointer to the (aligned) vector registers
   in the frame and use it for restoring

 - We had endian bugs when saving/restoring vector registers

 - My recent fixes for exception NIP broke sigreturn in user mode
   causing us to resume one instruction too far.

 - Add VSR second halves
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

Add vpermr instruction from ISA 3.0.
Signed-off-by: NRajalakshmi Srinivasaraghavan <raji@linux.vnet.ibm.com>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

Add vbpermd instruction from ISA 3.0.
Signed-off-by: NRajalakshmi Srinivasaraghavan <raji@linux.vnet.ibm.com>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The following vector count trailing zeros instructions are
added from ISA 3.0.

vctzb - Vector Count Trailing Zeros Byte
vctzh - Vector Count Trailing Zeros Halfword
vctzw - Vector Count Trailing Zeros Word
vctzd - Vector Count Trailing Zeros Doubleword
Signed-off-by: NRajalakshmi Srinivasaraghavan <raji@linux.vnet.ibm.com>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The following vector extract instructions are added from ISA 3.0.

vextractub - Vector Extract Unsigned Byte
vextractuh - Vector Extract Unsigned Halfword
vextractuw - Vector Extract Unsigned Word
vextractd - Vector Extract Unsigned Doubleword
Signed-off-by: NRajalakshmi Srinivasaraghavan <raji@linux.vnet.ibm.com>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

The following vector insert instructions are added from ISA 3.0.

vinsertb - Vector Insert Byte
vinserth - Vector Insert Halfword
vinsertw - Vector Insert Word
vinsertd - Vector Insert Doubleword
Signed-off-by: NRajalakshmi Srinivasaraghavan <raji@linux.vnet.ibm.com>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

Power ISA 2.x has deleted the rfi instruction and rfid shoud be used
instead on cpus following this instruction set or later.

This will raise an invalid exception when rfi is used on such
processors: Book3S 64-bit processors.
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
[clg: the required fix in openbios, commit b747b6acc272 ('ppc: use
      rfid when running under a CPU from the 970 family.'), is now
      merged in qemu under commit 5cebd885 ('Update OpenBIOS
      images to b747b6a built from submodule.') ]
Signed-off-by: NCédric Le Goater <clg@kaod.org>
Reviewed-by: NThomas Huth <thuth@redhat.com>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

There are some powerpc related files in the QEMU source tree
which are currently not covered by the MAINTAINERS file and
thus not properly classified by the get_maintainer.pl script.
So let's add them to the proper sections.
Signed-off-by: NThomas Huth <thuth@redhat.com>
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>

linux-user changes since 2.7 release

# gpg: Signature made Thu 22 Sep 2016 13:09:17 BST
# gpg:                using RSA key 0xB44890DEDE3C9BC0
# gpg: Good signature from "Riku Voipio <riku.voipio@iki.fi>"
# gpg:                 aka "Riku Voipio <riku.voipio@linaro.org>"
# Primary key fingerprint: FF82 03C8 C391 98AE 0581  41EF B448 90DE DE3C 9BC0

* remotes/riku/tags/pull-linux-user-20160915: (26 commits)
  linux-user: fix TARGET_NR_select
  linux-user: Fix incorrect offset of tuc_stack in ARM do_sigframe_return_v2
  linux-user: Sanity check clone flags
  linux-user: Remove unnecessary nptl_flags variable from do_fork()
  linux-user: Implement force_sigsegv() via force_sig()
  linux-user: SIGSEGV from sigreturn need not be fatal
  linux-user: ARM: Give SIGSEGV if signal frame setup fails
  linux-user: SIGSEGV on signal entry need not be fatal
  linux-user: Pass si_type information to queue_signal() explicitly
  linux-user: Recheck for pending synchronous signals too
  linux-user: ppc64: set MSR_CM bit for BookE 2.06 MMU
  linux-user: Use correct target SHMLBA in shmat()
  linux-user: Use glib malloc functions in load_symbols()
  linux-user: Check dump_write() return in elf_core_dump()
  linux-user: Fix error handling in flatload.c target_pread()
  linux-user: Fix incorrect use of host errno in do_ioctl_dm()
  linux-user: Check lock_user() return value for NULL
  linux-user: Pass missing MAP_ANONYMOUS to target_mmap() call
  linux-user: report signals being taken in strace output
  linux-user: Range check the nfds argument to ppoll syscall
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

seccomp branch queue

# gpg: Signature made Wed 21 Sep 2016 10:30:09 BST
# gpg:                using RSA key 0xFD0CFF5B12F8BD2F
# gpg: Good signature from "Eduardo Otubo (Software Engineer @ ProfitBricks) <eduardo.otubo@profitbricks.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 1C96 46B6 E1D1 C38A F2EC  3FDE FD0C FF5B 12F8 BD2F

* remotes/otubo/tags/pull-seccomp-20160921:
  seccomp: adding getrusage to the whitelist
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Block patches for 2.8

# gpg: Signature made Tue 20 Sep 2016 21:29:53 BST
# gpg:                using RSA key 0xF407DB0061D5CF40
# gpg: Good signature from "Max Reitz <mreitz@redhat.com>"
# Primary key fingerprint: 91BE B60A 30DB 3E88 57D1  1829 F407 DB00 61D5 CF40

* remotes/maxreitz/tags/pull-block-2016-09-20:
  iotest 055: refactor and speed up
  commit: get the overlay node before manipulating the backing chain
  blockdev: Modularize nfs block driver
  blockdev: Add dynamic module loading for block drivers
  blockdev: Add dynamic generation of module_block.h
  blockdev: prepare iSCSI block driver for dynamic loading
  qemu-img: add skip option to dd
  qemu-img: add the 'dd' subcommand
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

tcg updates for 20 Sep

# gpg: Signature made Tue 20 Sep 2016 19:48:04 BST
# gpg:                using RSA key 0xAD1270CC4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"
# Primary key fingerprint: 9CB1 8DDA F8E8 49AD 2AFC  16A4 AD12 70CC 4DD0 279B

* remotes/rth/tags/pull-tcg-20160920:
  tcg/i386: Extend TARGET_PAGE_MASK to the proper type
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

TARGET_NR_select can have three different implementations:

  1- to always return -ENOSYS

     microblaze, ppc, ppc64

     -> TARGET_WANT_NI_OLD_SELECT

  2- to take parameters from a structure pointed by arg1
    (kernel sys_old_select)

     i386, arm, m68k

     -> TARGET_WANT_OLD_SYS_SELECT

  3- to take parameters from arg[1-5]
     (kernel sys_select)

     x86_64, alpha, s390x,
     cris, sparc, sparc64

Some (new) architectures don't define NR_select,

  4- but only NR__newselect with sys_select:

      mips, mips64, sh

  5- don't define NR__newselect, and use pselect6 syscall:

      aarch64, openrisc, tilegx, unicore32
Reported-by: NTimothy Pearson <tpearson@raptorengineering.com>
Reported-by: NAllan Wirth <awirth@akamai.com>
Suggested-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

struct target_ucontext_v2 is not at the begining of the signal frame,
therefore do_sigaltstack was being passed bogus arguments.

As the offset depends on the type of signal frame fixed by passing in the
beginning of the context from do_sigreturn_v2 and do_rt_sigreturn_v2.
Suggested-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NTimothy Edward Baldwin <T.E.Baldwin99@members.leeds.ac.uk>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

We currently make no checks on the flags passed to the clone syscall,
which means we will not fail clone attempts which ask for features
that we can't implement. Add sanity checking of the flags to clone
(which we were already doing in the "this is a fork" path, but not
for the "this is a new thread" path), tidy up the checking in
the fork path to match it, and check that the fork case isn't trying
to specify a custom termination signal.

This is helpful in causing some LTP test cases to fail cleanly
rather than behaving bizarrely when we let the clone succeed
but didn't provide the semantics requested by the flags.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The 'nptl_flags' variable in do_fork() is set to a copy of
'flags', and then the CLONE_NPTL_FLAGS are cleared out of 'flags'.
However the only effect of this is that the later check on
"if (flags & CLONE_PARENT_SETTID)" is never true. Since we
will already have done the setting of parent_tidptr in clone_func()
in the child thread, we don't need to do it again.

Delete the dead if() and the clearing of CLONE_NPTL_FLAGS from
'flags', and then use 'flags' where we were previously using
'nptl_flags', so we can delete the unnecessary variable.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

Now that we have a force_sig() with the semantics we need,
we can implement force_sigsegv() to call it rather than
open-coding the call to queue_signal().
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

If the sigreturn syscall fails to read memory then this causes a
SIGSEGV, but this is not necessarily a fatal signal -- the guest
process can catch it.

We don't implement this correctly because the behaviour of QEMU's
force_sig() function has drifted away from the kernel function of the
same name -- ours now does "always do a guest core dump and abort
execution", whereas the kernel version simply forces the guest to
take a signal, which may or may not eventually cause a core dump.

Rename our force_sig() to dump_core_and_abort(), and provide a
force_sig() which acts more like the kernel version as the sigreturn
implementations expect it to.  Since force_sig() now returns, we must
update all the callsites to return -TARGET_QEMU_ESIGRETURN so that
the main loop doesn't change the guest registers before the signal
handler is invoked.
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The 32-bit ARM signal frame setup code was just bailing out
on error returns from lock_user_struct calls, without
generating the SIGSEGV that should happen here. Wire up
error return codes to call force_sigsegv().
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

A failed write to memory trying to set up the signal frame
should trigger a SIGSEGV, but this need not be fatal: the
guest has a chance to catch it. Implement this via a force_sigsegv()
function with the same behaviour as the kernel function of that
name: make sure that we don't try to re-take a failed SIGSEGV,
and force a synchronous signal.
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

Instead of assuming in queue_signal() that all callers are passing
a siginfo structure which uses the _sifields._sigfault part of the
union (and thus a si_type of QEMU_SI_FAULT), make callers pass
the si_type they require in as an argument.

[RV adjusted to apply]
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

In process_pending_signals() we restart the scan of possible
pending signals after calling handle_pending_signal() in
case some other signal has been generated. This rescan
should also include a check for a new synchronous signal
since those are in fact the only kind of new signal that
the signal frame setup process might produce.
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

64 bit user mode doesn't work for the e5500 core because the MSR_CM bit is
not set which enables the 64 bit mode for this MMU model. Memory addresses
are truncated to 32 bit, which results in "Invalid data memory access"
error messages. Fix it by setting the MSR_CM bit for this MMU model.
Signed-off-by: NMichael Walle <michael@walle.cc>
Reviewed-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The shmat() handling needs to do target-specific handling
of the attach address for shmat():
 * if the SHM_RND flag is passed, the address is rounded
   down to a SHMLBA boundary
 * if SHM_RND is not passed, then the call is failed EINVAL
   if the address is not a multiple of SHMLBA

Since SHMLBA is target-specific, we need to do this
checking and rounding in QEMU and can't leave it up to the
host syscall.

Allow targets to define TARGET_FORCE_SHMLBA and provide
a target_shmlba() function if appropriate, and update
do_shmat() to honour them.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

Switch to using the glib malloc functions in load_symbols();
this deals with a Coverity complaint about possible
integer overflow calculating the allocation size with
'nsyms * sizeof(*syms)'.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

One of the calls to dump_write() in elf_core_dump() was missing
a check for failure (spotted by Coverity). Add the check to
bring it into line with the other calls from this function.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The flatload.c target_pread() function is supposed to return
0 on success or negative host errnos; however it wasn't
checking lock_user() for failure or returning the errno from
the pread() call. Fix these problems (the first of which is
noted by Coverity).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

do_ioctl_dm() should return target errno values, not host ones;
correct an accidental use of a host errno in an error path.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

lock_user() can return NULL, which typically means the syscall
should fail with EFAULT. Add checks in various places where
Coverity spotted that we were missing them.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

A target_mmap() call in load_elf_binary() was missing the MAP_ANONYMOUS
flag. (Spotted by Coverity, because target_mmap() will try to use
-1 as the filedescriptor in this case.)

This has never been noticed because the code in question is for
handling ancient SVr4 iBCS2 binaries.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

Native strace reports when the process being traced takes a signal:
   --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---

Report something similar when QEMU is doing its internal strace of
the guest process and is about to deliver it a signal.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

Do an initial range check on the ppoll syscall's nfds argument,
to avoid possible overflow in the calculation of the lock_user()
size argument. The host kernel will later apply the rather lower
limit based on RLIMIT_NOFILE as appropriate.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The kernel checks that the maxevents parameter to epoll_wait
is non-negative and not larger than EP_MAX_EVENTS. Add this
check to our implementation, so that:
 * we fail these cases EINVAL rather than EFAULT
 * we don't pass negative or overflowing values to the
   lock_user() size calculation
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The linux utimensat syscall differs in semantics from the
libc function because the syscall combines the features
of utimensat() and futimens(). Rather than trying to
split these apart in order to call the two libc functions
which then call the same underlying syscall, just always
directly make the host syscall. This fixes bugs in some
of the corner cases which should return errors from the
syscall but which we were incorrectly directing to futimens().

This doesn't reduce the set of hosts that our syscall
implementation will work on, because if the direct syscall
fails ENOSYS then the libc functions would also fail ENOSYS.
(The system call has been in the kernel since 2.6.22 anyway.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

Implement the FS_IOC_GETFLAGS and FS_IOC_SETFLAGS ioctls, as used
by chattr.

Note that the type information encoded in these ioctl numbers
is at odds with the actual type the kernel accesses, as discussed
in http://thread.gmane.org/gmane.linux.file-systems/80164.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The POSIX standard mandates that for a connected socket recvfrom()
must ignore the msg_name and msg_namelen fields. This is awkward
for QEMU because we will attempt to copy them from guest address
space. Handle this by not immediately returning a TARGET_EFAULT
if the copy failed, but instead passing a known-bad address
to the host kernel, which can then return EFAULT or ignore the
value appropriately.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The sendmsg and recvmsg syscalls use a different errno to indicate
an overlarge iovec length from readv and writev. Handle this
special case in do_sendrcvmsg_locked() to avoid getting the
default errno returned by lock_iovec().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

In the kernel the length of an iovec is generally handled as
an unsigned long, not an integer; fix the parameter to
lock_iovec() accordingly.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

getrusage is used in a number of places throughout the qemu codebase
(notably, in crypto/pbkdf.c).  Without this syscall being whitelisted,
qemu ends up getting killed by the kernel whenever you try to connect to
a VNC console.
Signed-off-by: NBrian Rak <brak@gameservers.com>
Acked-by: NEduardo Otubo <eduardo.otubo@profitbricks.com>