Rename CSSELR (cache size selection register) and add secure
instance (AArch32).
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-16-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add checks of SCR AW/FW bits when performing writes of CPSR.  These SCR bits
are used to control whether the CPSR masking bits can be adjusted from
non-secure state.
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-15-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Implements SCTLR_EL3 and uses secure/non-secure instance when
needed.
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-14-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Use MVBAR register as exception vector base address for
exceptions taken to CPU monitor mode.
Signed-off-by: NSergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-13-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Added CP register defintions for SDER and SDER32_EL3 as well as cp15.sder for
register storage.
Signed-off-by: NSergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-12-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Implements NSACR register with corresponding read/write functions
for ARMv7 and ARMv8.
Signed-off-by: NSergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-11-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

SCR.{IRQ/FIQ} bits allow to route IRQ/FIQ exceptions to monitor CPU
mode. When taking IRQ exception to monitor mode FIQ exception is
additionally masked.
Signed-off-by: NSergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-10-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Define a new ARM CP register info list for the ARMv7 Security Extension
feature. Register that list only for ARM cores with Security Extension/EL3
support. Moving AArch32 SCR into Security Extension register group.
Signed-off-by: NSergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-9-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Prepare for cp register banking by inserting every cp register twice,
once for secure world and once for non-secure world.
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-8-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Added additional NS-bit to CPREG hash encoding.  Updated hash lookup
locations to specify hash bit currently set to non-secure.
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-7-git-send-email-greg.bellows@linaro.org
[PMM: fix uses of ENCODE_CP_REG in kvm32.c to add extra argument]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Prepare ARMCPRegInfo to support specifying two fieldoffsets per
register definition. This will allow us to keep one register
definition for banked registers (different offsets for secure/
non-secure world).

Also added secure state tracking field and flags.  This allows for
identification of the register info secure state.
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-6-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This patch is based on idea found in patch at
git://github.com/jowinter/qemu-trustzone.git
f3d955c6c0ed8c46bc0eb10b634201032a651dd2 by
Johannes Winter <johannes.winter@iaik.tugraz.at>.

The TBFLAG captures the SCR NS secure state at the time when a TB is created so
the correct bank is accessed on system register accesses.
Signed-off-by: NSergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-5-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

If EL3 is in AArch32 state certain cp registers are banked (secure and
non-secure instance). When reading or writing to coprocessor registers
the following macros can be used.

- A32_BANKED macros are used for choosing the banked register based on provided
  input security argument.  This macro is used to choose the bank during
  translation of MRC/MCR instructions that are dependent on something other
  than the current secure state.
- A32_BANKED_CURRENT macros are used for choosing the banked register based on
  current secure state.  This is NOT to be used for choosing the bank used
  during translation as it breaks monitor mode.

If EL3 is operating in AArch64 state coprocessor registers are not
banked anymore. The macros use the non-secure instance (_ns) in this
case, which is architecturally mapped to the AArch64 EL register.
Signed-off-by: NSergey Fedorov <s.fedorov@samsung.com>
Signed-off-by: NFabian Aggeler <aggelerf@ethz.ch>
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-4-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Adds a dedicated function and a lookup table for determining the target
exception level of IRQ and FIQ exceptions.  The lookup table is taken from the
ARMv7 and ARMv8 specification exception routing tables.
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-3-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This patch extends arm_excp_unmasked() to use lookup tables for determining
whether IRQ and FIQ exceptions are masked.  The lookup tables are based on the
ARMv8 and ARMv7 specification physical interrupt masking tables.

If EL3 is using AArch64 IRQ/FIQ masking is ignored in all exception levels
other than EL3 if SCR.{FIQ|IRQ} is set to 1 (routed to EL3).
Signed-off-by: NGreg Bellows <greg.bellows@linaro.org>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1416242878-876-2-git-send-email-greg.bellows@linaro.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The usual semihosting behaviour is to process the system calls locally and
return; unfortuantelly the initial implementation dinamically changed the
target to GDB during debug sessions, which, for the usual arm-none-eabi-gdb,
is not implemented. The result was that during debug sessions the semihosting
calls were discarded.

This patch adds a configuration variable and an option to set it on the
command line:

    -semihosting-config [enable=on|off,]target=native|gdb|auto

This option enables semihosting and defines where the semihosting calls will
be addressed, to QEMU ('native') or to GDB ('gdb'). The default is auto, which
means 'gdb' during debug sessions and 'native' otherwise.
Signed-off-by: NLiviu Ionescu <ilg@livius.net>
Message-id: 1416341957-9796-1-git-send-email-ilg@livius.net
[PMM: moved declaration and definition of semihosting_target to
 gdbstub.h and gdbstub.c to fix build failure on linux-user]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

In order to run unit tests under semihosting, it is necessary to pass the
application exit code back to the system.

ARM defines only the code to be used for non-error application exit
(ADP_Stopped_ApplicationExit), all other codes should return non-zero
exit codes.

This patch checks if the application code passed via TARGET_SYS_EXIT is
ADP_Stopped_ApplicationExit, and return 0, otherwise return 1.
Signed-off-by: NLiviu Ionescu <ilg@livius.net>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

TriCore BOL, BRC, BRN, BRR, RC, RCPW, RCRR, RCR, RLC and RCR insn added

# gpg: Signature made Wed 10 Dec 2014 11:21:58 GMT using RSA key ID 6B69CA14
# gpg: Good signature from "Bastian Koppelmann <kbastian@mail.uni-paderborn.de>"

* remotes/bkoppelmann/tags/pull-tricore-20141210:
  target-tricore: Add instructions of RCR opcode format
  target-tricore: Add instructions of RLC opcode format
  target-tricore: Add instructions of RCPW, RCRR and RCRW opcode format
  target-tricore: Make TRICORE_FEATURES implying others.
  target-tricore: Add instructions of RC opcode format
  target-tricore: Add instructions of BRR opcode format
  target-tricore: Add instructions of BRN opcode format
  target-tricore: Add instructions of BRC opcode format
  target-tricore: Add instructions of BOL opcode format
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

vnc-enc-tight fix, keymaps code style.

# gpg: Signature made Wed 10 Dec 2014 09:24:33 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-vnc-20141210-1:
  keymaps: correct keymaps.c following Qemu coding style
  vnc-enc-tight: fix Arguments in wrong order
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add instructions of RCR opcode format.
Add helper for madd32/64_ssov and madd32/64_suov.
Add helper for msub32/64_ssov and msub32/64_suov.
Add microcode generator function madd/msub for 32bit and 64bit, which calculate a mul and a add/sub.
OPC2_32_RCR_MSUB_U_32 -> OPC2_32_RCR_MSUB_U_32.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Add instructions of RLC opcode format.
Add helper psw_write/read.
Add microcode generator gen_mtcr/mfcr, which loads/stores a value to a core special function register, which are defined in csfr.def
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Add instructions of RCPW, RCRR and RCRW opcode format.
Add microcode generator function gen_insert.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Since all the TriCore instructionsets are subsets of each other (1.3 C 1.3.1 C 1.6),
make the features implying each other, e.g 1.6 also has 1.3.1 and 1.3. This way
we only need to check our features for the instructionset, where a instruction was first introduced.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Add instructions of RC opcode format.
Add helper for mul, sha, absdif with signed saturation on overflow.
Add helper for add, sub, mul with unsigned saturation on overflow.
Add microcode generator functions:
    * gen_add_CC, which calculates the carry bit.
    * gen_addc_CC, which adds the carry bit to the add and calculates the carry bit.
    * gen_absdif, which calculates the absolute difference.
    * gen_mul_i64s/u, which mul two 32 bits val into one 64bit reg.
    * gen_sh_hi, which shifts two 16bit words in one reg.
    * gen_sha_hi, which does a arithmetic shift on two 16bit words.
    * gen_sh_cond, which shifts left a reg by one and writes the result of cond into the lsb.
    * gen_accumulating_cond, which ands/ors/xors the result of cond of the lsbs
      with the lsb of the result.
    * gen_eqany_bi/hi, which checks ever byte/hword on equality.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Add instructions of BRR opcode format.
Add MASK_OP_BRR_DISP15_SEXT.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Add instructions of BRN opcode format.
Add MASK_OP_BRN_DISP15_SEXT.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Add instructions of BRC opcode format.
Fixed OP2_BRC_JGE -> OP2_32_BRC_JGE
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

Add instructions of BOL opcode format.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: NRichard Henderson <rth@twiddle.net>

It's hard to read because of the confused coding
style in this file. Let's correct it following Qemu
coding style.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Arguments in wrong order (SWAPPED_ARGUMENTS)
The positions of arguments in the call to
tight_fill_palette do not match the ordering of the parameters:
 &fg is passed to bg
 &bg is passed to fg

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

cirrus: fix blit region check

# gpg: Signature made Thu 04 Dec 2014 11:54:57 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-cve-2014-8106-20141204-1:
  cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
  cirrus: fix blit region check
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1417166789-1960-1-git-send-email-arei.gonglei@huawei.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This is CVE-2014-8106.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Issues:
 * Doesn't check pitches correctly in case it is negative.
 * Doesn't check width at all.

Turn macro into functions while being at it, also factor out the check
for one region which we then can simply call twice for src + dst.

This is CVE-2014-8106.
Reported-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>

VirtIO devices now remember which endianness they're operating in in order
to support targets which may have guests of either endianness, such as
powerpc.  This endianness state is transferred in a subsection of the
virtio device's information.

With virtio-rng this can lead to an abort after a loadvm hitting the
assert() in virtio_is_big_endian().  This can be reproduced by doing a
migrate and load from file on a bi-endian target with a virtio-rng device.
The actual guest state isn't particularly important to triggering this.

The cause is that virtio_rng_load_device() calls virtio_rng_process() which
accesses the ring and thus needs the endianness.  However,
virtio_rng_process() is called via virtio_load() before it loads the
subsections.  Essentially the ->load callback in VirtioDeviceClass should
only be used for actually reading the device state from the stream, not for
post-load re-initialization.

This patch fixes the bug by moving the virtio_rng_process() after the call
to virtio_load().  Better yet would be to convert virtio to use vmsd and
have the virtio_rng_process() as a post_load callback, but that's a bigger
project for another day.

This is bugfix, and should be considered for the 2.2 branch.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Reviewed-by: NGreg Kurz <gkurz@linux.vnet.ibm.com>
Message-id: 1417067290-20715-1-git-send-email-david@gibson.dropbear.id.au
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

virtio_net_handle_ctrl() and other functions that process control vq
request call iov_discard_front() which will shorten the iov. This will
lead unmapping in virtqueue_push() leaks mapping.

Fixes this by keeping the original iov untouched and using a temp variable
in those functions.

Cc: Wen Congyang <wency@cn.fujitsu.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NStefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1417082643-23907-1-git-send-email-jasowang@redhat.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>