BadInstr Register (CP0 Register 8, Select 1)
The BadInstr register is a read-only register that capture the most recent
instruction which caused an exception.

BadInstrP Register (CP0 Register 8, Select 2)
The BadInstrP register contains the prior branch instruction, when the
faulting instruction is in a branch delay slot.

Using error_code to indicate whether AdEL or TLBL was triggered during
instruction fetch, in this case BadInstr is not updated as valid instruction
word is not available.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>

For Standard TLB configuration (Config.MT=1):

TLBINV invalidates a set of TLB entries based on ASID. The virtual address is
ignored in the entry match. TLB entries which have their G bit set to 1 are not
modified.

TLBINVF causes all entries to be invalidated.

Single TLB entry can be marked as invalid on TLB entry write by having
EntryHi.EHINV set to 1.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>

An Execute-Inhibit exception occurs when the virtual address of an instruction
fetch matches a TLB entry whose XI bit is set. This exception type can only
occur if the XI bit is implemented within the TLB and is enabled, this is
denoted by the PageGrain XIE bit.

An Read-Inhibit exception occurs when the virtual address of a memory load
reference matches a TLB entry whose RI bit is set. This exception type can
only occur if the RI bit is implemented within the TLB and is enabled, this is
denoted by the PageGrain RIE bit.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>

PageGrain needs rw bitmask which differs between MIPS architectures.
In pre-R6 if RIXI is supported, PageGrain.XIE and PageGrain.RIE are writeable,
whereas in R6 they are read-only 1.

On MIPS64 mtc0 instruction left shifts bits 31:30 for MIPS32 backward
compatiblity, therefore there are separate mtc0 and dmtc0 helpers.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>

In Revision 3 of the architecture, the RI and XI bits were added to the TLB
to enable more secure access of memory pages. These bits (along with the Dirty
bit) allow the implementation of read-only, write-only, no-execute access
policies for mapped pages.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>

Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>

New MIPS features depend on the access type and enum is more convenient than
using the numbers directly.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NThomas Huth <thuth@linux.vnet.ibm.com>

KScratch<n> Registers (CP0 Register 31, Selects 2 to 7)

The KScratch registers are read/write registers available for scratch pad
storage by kernel mode software. They are 32-bits in width for 32-bit
processors and 64-bits for 64-bit processors.

CP0Config4.KScrExist[2:7] bits indicate presence of CP0_KScratch1-6 registers.
For Release 6, all KScratch registers are required.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NYongbok Kim <yongbok.kim@imgtec.com>

Commit 9d8bf2d1 moved the softmmu slow path out of line and introduce a
regression at the same time by always calling tcg_out_tlb_load with
is_load=1. This makes impossible to run any significant code under
qemu-system-mips*.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

* remotes/sstabellini/xen-2014-10-30:
  fix off-by-one error in pci_piix3_xen_ide_unplug
  xen-hvm.c: Add support for Xen access to vmport
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

vmware-vga: add rectangle verification (CVE-2014-3689)

# gpg: Signature made Wed 29 Oct 2014 11:45:29 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-cve-2014-3689-20141029-1:
  vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
  vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
  vmware-vga: add vmsvga_verify_rect
  vmware-vga: CVE-2014-3689: turn off hw accel
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

vnc: return directly if no vnc client connected
vnc: sanitize bits_per_pixel from the client (CVE-2014-7815)

# gpg: Signature made Tue 28 Oct 2014 10:52:31 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20141028-1:
  vnc: return directly if no vnc client connected
  vnc: sanitize bits_per_pixel from the client
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Fixes for libcacard (usb smartcard emulation), xhci and uhci.

# gpg: Signature made Tue 28 Oct 2014 10:39:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20141028-1:
  uhci: remove useless DEBUG
  xhci: add property to turn on/off streams support
  libcacard: don't free sign buffer while sign op is pending
  libcacard: Lock NSS cert db when selecting an applet on an emulated card
  libcacard: introduce new vcard_emul_logout
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

gtk: fix two warnings with gtk 3.14+

# gpg: Signature made Tue 28 Oct 2014 10:25:52 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20141028-1:
  gtk: avoid gd_widget_reparent with gtk 3.14+
  gtk: drop gtk_widget_set_double_buffered call
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Fix off-by-one error when unplugging disks, which would otherwise leave the last ATA disk plugged, with obvious consequences. Also rewrite loop to be more readable.
Signed-off-by: NJames Harper <james.harper@ejbdigital.com.au>
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>

This adds synchronisation of the 6 vcpu registers (only 32bits of
them) that vmport.c needs between Xen and QEMU.

This is to avoid a 2nd and 3rd exchange between QEMU and Xen to
fetch and put these 6 vcpu registers used by the code in vmport.c
and vmmouse.c

The registers are passed in the new shared page provided by
HVM_PARAM_VMPORT_REGS_PFN.

Add new array to XenIOState that allows selection of current_cpu by
vcpu id.

Now pass XenIOState to handle_ioreq().

Add new routines regs_to_cpu(), regs_from_cpu(), and
handle_vmport_ioreq().
Signed-off-by: NDon Slutz <dslutz@verizon.com>
Reviewed-by: NPaul Durrant <paul.durrant@citrix.com>
Signed-off-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>

virtio-scsi fixes, the first part of dynamic sysbus devices,
MAINTAINERS updates, and AVX512 support.

# gpg: Signature made Mon 27 Oct 2014 15:12:13 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (28 commits)
  aio / timers: De-document -clock
  hw/scsi/virtio-scsi.c: fix the "type" use error in virtio_scsi_handle_ctrl
  virtio-scsi: sense in virtio_scsi_command_complete
  target-i386: add Intel AVX-512 support
  get_maintainer.pl: restrict cases where it falls back to --git
  get_maintainer.pl: move git loop under "if ($email) {"
  qtest: fix qtest log fd should be initialized before qtest chardev
  MAINTAINERS: avoid M entries that point to mailing lists
  MAINTAINERS: add some tests directories
  MAINTAINERS: Add more TCG files
  MAINTAINERS: add myself for X86
  MAINTAINERS: add Samuel Thibault as usb-serial.c and baum.c maintainer
  MAINTAINERS: grab more files from Anthony's pile
  target-i386: warns users when CPU threads>1 for non-Intel CPUs
  sysbus: Use TYPE_DEVICE GPIO functionality
  qdev: gpio: Define qdev_pass_gpios()
  qdev: gpio: Remove qdev_init_gpio_out x1 restriction
  qdev: gpio: delete NamedGPIOList::out
  irq: Remove qemu_irq_intercept_out
  qtest/irq: Rework IRQ interception
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The virtio-rng backend is currently linked twice, once in the proxy
device (e.g. virtio-rng-pci) and once in virtio-rng-device.  This causes
a double unref of the backend when the parent device is unplugged.

To fix this, make the proxy device use an alias, similar to what is
already being done for the iothread link.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
Message-id: 1414577839-18695-1-git-send-email-pbonzini@redhat.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDon Koch <dkoch@verizon.com>

Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.

Cc: qemu-stable@nongnu.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDon Koch <dkoch@verizon.com>

graphic_hw_update and vnc_refresh_server_surface aren't
need to do when no vnc client connected. It can reduce
lock contention, because vnc_refresh will hold global big
lock two millisecond every three seconds.
Signed-off-by: NChenLiang <chenliang88@huawei.com>
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.

To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.

This is CVE-2014-7815.
Signed-off-by: NPetr Matousek <pmatouse@redhat.com>

[ kraxel: apply codestyle fix ]
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

commit 50dcc0f8 (uhci: tracing support) had removed
DPRINTF, the DEBUG marco is useless now, remove it.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

streams support in usb-redir and usb-host works only with recent enough
versions of the support libraries (libusbredir and libusbx).  Failure
mode is rather unelegant:  Any stream usb transfers will throw stall
errors.  Turning off support for streams in the xhci host controller
will work better as the guest can figure beforehand that streams are
not going to work.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NHans de Goede <hdegoede@redhat.com>

commit 57f97834 cleaned up
the cac_applet_pki_process_apdu function to have a single
exit point. Unfortunately, that commit introduced a bug
where the sign buffer can get free'd and nullified while
it's still being used.

This commit corrects the bug by introducing a boolean to
track whether or not the sign buffer should be freed in
the function exit path.
Signed-off-by: NRay Strode <rstrode@redhat.com>
Reviewed-by: NAlon Levy <alon@pobox.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

When a process in a guest uses an emulated smartcard, libcacard running
on the host passes the PIN from the guest to the PK11_Authenticate NSS
function. The first time PK11_Authenticate is called the passed in PIN
is used to unlock the certificate database. Subsequent calls to
PK11_Authenticate will transparently succeed, regardless of the passed in
PIN. This is a convenience for applications provided by NSS.

Of course, the guest may have many applications using the one emulated
smart card all driven from the same host QEMU process.  That means if a
user enters the right PIN in one program in the guest, and then enters the
wrong PIN in another program in the guest, the wrong PIN will still
successfully unlock the virtual smartcard.

This commit forces the NSS certificate database to be locked anytime an
applet is selected on an emulated smartcard by calling vcard_emul_logout.
Signed-off-by: NRay Strode <rstrode@redhat.com>
Reviewed-By: NRobert Relyea <rrelyea@redhat.com>
Reviewed-By: NAlon Levy <alevy@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

vcard_emul_reset currently only logs NSS out, but there is a TODO
for potentially sending insertion/removal events when powering down
or powering up.

For clarity, this commit moves the current guts of vcard_emul_reset to
a new vcard_emul_logout function which will never send insertion/removal
events. The vcard_emul_reset function now just calls vcard_emul_logout,
but also retains its TODO for watching power state transitions and sending
insertion/removal events.
Signed-off-by: NRay Strode <rstrode@redhat.com>
Reviewed-By: NRobert Relyea <rrelyea@redhat.com>
Reviewed-By: NAlon Levy <alevy@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

gtk_widget_reparent is depricated in gtk 3.14, stop using it.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Dunno why it is here.  Removing it seems to have no ill side effects.
It is depricated in 3.14+.  In some cases it has no effect since 3.10
according to the docs:

https://developer.gnome.org/gtk3/stable/GtkWidget.html#gtk-widget-set-double-bufferedSigned-off-by: NGerd Hoffmann <kraxel@redhat.com>

Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
in behavior:  We don't try to automatically fixup rectangles any more.
In case we find invalid update requests we'll do a full-screen update
instead.

Cc: qemu-stable@nongnu.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDon Koch <dkoch@verizon.com>

Add verification function for rectangles, returning
true if verification passes and false otherwise.

Cc: qemu-stable@nongnu.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDon Koch <dkoch@verizon.com>

Quick & easy stopgap for CVE-2014-3689:  We just compile out the
hardware acceleration functions which lack sanity checks.  Thankfully
we have capability bits for them (SVGA_CAP_RECT_COPY and
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.

Subsequent patches will add the missing checks and re-enable the
hardware acceleration emulation.

Cc: qemu-stable@nongnu.org
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NDon Koch <dkoch@verizon.com>

Commit 6d327171 "aio / timers: Remove alarm timers" has issues:

1. It silently ignores -clock for backward compatibility.
Incompatible change: -clock help no longer terminates the program.
Tolerable.

2. Failed to update option documentation.  In particular, -help still
advises users to try -clock help for available timers.  Drop all
documentation on -clock.

3. The 'query-alarm-clock' example in docs/writing-commands.txt no
longer works, and needs to be redone.  Can't do that right now, so I
just stick in a FIXME.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The local variable "type" in virtio_scsi_handle_ctl represents the tmf
command type from the guest and it has the same meaning as the
req->req.tmf.type. However, before the invoking of virtio_scsi_parse_req
the req->req.tmf.type doesn't has the correct value(just initialized to
zero). Therefore, we need to use the "type" variable to judge the case.

Cc: qemu-stable@nongnu.org
Signed-off-by: NBin Wu <wu.wubin@huawei.com>
[Actually make it compile, "type" must be uint32_t in order to pass
 it to virtio_tswap32s. - Paolo]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

If req->resp.cmd.status is not GOOD, the address of sense for
qemu_iovec_from_buf should be modified from &req->resp to sense.

Cc: qemu-stable@nongnu.org
Signed-off-by: NTing Wang <kathy.wangting@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This reverts commit 15124e14. It breaks
debuggability of qemu and is no longer needed as the problem has
now been addressed in a different way.

Instead we provide a comment about why these signals must be
handled asynchronously.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
[PMM: added comment]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

qemu_shutdown_requested may be interrupted by qemu_system_killed. If the
latter sets shutdown_requested after qemu_shutdown_requested has read it
but before it was cleared, the shutdown event is lost. Fix this by using
atomic_xchg.

This provides a different fix for the problem which commit 15124e14
attempts to deal with. That commit breaks use of ^C to drop into gdb,
and so this approach is better (and 15124e14 can be reverted).
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
[PMM: commit message tweak]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add AVX512 feature bits, register definition and corresponding
xsave/vmstate support.
Reviewed-by: NEduardo Habkost <ehabkost@redhat.com>
Signed-off-by: NChao Peng <chao.p.peng@linux.intel.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com>
Acked-by: NKevin Wolf <kwolf@redhat.com>
Acked-by: NMarkus Armbruster <armbru@redhat.com>
Message-id: 1413405052-4527-1-git-send-email-peter.maydell@linaro.org

Add myself to the maintainer list for MIPS guest cores and update the status
from "Odd Fixes" to "Maintained".
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Acked-by: NAurelien Jarno <aurelien@aurel32.net>
Message-id: 1413459487-13658-1-git-send-email-leon.alrae@imgtec.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>