From 9a826d7854baf6b90de46fea785d1bfc5d2c22a7 Mon Sep 17 00:00:00 2001 From: Mike McCormack Date: Wed, 1 Jun 2011 15:14:37 +0900 Subject: [PATCH 01/18] Don't translate pointer when in restore_sigcontext Fixes crash in i386 when user emulation base address is non-zero. 21797 rt_sigreturn(8,1082124603,1,0,1082126048,1082126248)Exit reason and status: signal 11 Signed-off-by: Mike McCormack Signed-off-by: Riku Voipio --- linux-user/signal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux-user/signal.c b/linux-user/signal.c index 11b25be7b8..cb7138f1cf 100644 --- a/linux-user/signal.c +++ b/linux-user/signal.c @@ -981,8 +981,8 @@ restore_sigcontext(CPUX86State *env, struct target_sigcontext *sc, int *peax) env->regs[R_ECX] = tswapl(sc->ecx); env->eip = tswapl(sc->eip); - cpu_x86_load_seg(env, R_CS, lduw(&sc->cs) | 3); - cpu_x86_load_seg(env, R_SS, lduw(&sc->ss) | 3); + cpu_x86_load_seg(env, R_CS, lduw_p(&sc->cs) | 3); + cpu_x86_load_seg(env, R_SS, lduw_p(&sc->ss) | 3); tmpflags = tswapl(sc->eflags); env->eflags = (env->eflags & ~0x40DD5) | (tmpflags & 0x40DD5); From b947527941b17c8f4a31f95dfa114e467ba1325d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20VINCENT?= Date: Wed, 1 Jun 2011 14:36:38 +0200 Subject: [PATCH 02/18] linux-user: Fix the load of ELF files that have no "useful" symbol MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch fixes a "double free()" due to "realloc(syms, 0)" in the loader when the ELF file has no "useful" symbol, as with the following example (compiled with "sh4-linux-gcc -nostdlib"): .text .align 1 .global _start _start: mov #1, r3 trapa #40 // syscall(__NR_exit) nop The bug appears when the log (option "-d") is enabled. Signed-off-by: Cédric VINCENT Signed-off-by: Yves JANIN Signed-off-by: Riku Voipio Reviewed-by: Richard Henderson --- linux-user/elfload.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index dcfeb7a286..a4aabd5ca1 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -1643,9 +1643,9 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) { int i, shnum, nsyms, sym_idx = 0, str_idx = 0; struct elf_shdr *shdr; - char *strings; - struct syminfo *s; - struct elf_sym *syms, *new_syms; + char *strings = NULL; + struct syminfo *s = NULL; + struct elf_sym *new_syms, *syms = NULL; shnum = hdr->e_shnum; i = shnum * sizeof(struct elf_shdr); @@ -1670,24 +1670,19 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) /* Now know where the strtab and symtab are. Snarf them. */ s = malloc(sizeof(*s)); if (!s) { - return; + goto give_up; } i = shdr[str_idx].sh_size; s->disas_strtab = strings = malloc(i); if (!strings || pread(fd, strings, i, shdr[str_idx].sh_offset) != i) { - free(s); - free(strings); - return; + goto give_up; } i = shdr[sym_idx].sh_size; syms = malloc(i); if (!syms || pread(fd, syms, i, shdr[sym_idx].sh_offset) != i) { - free(s); - free(strings); - free(syms); - return; + goto give_up; } nsyms = i / sizeof(struct elf_sym); @@ -1710,16 +1705,18 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) } } + /* No "useful" symbol. */ + if (nsyms == 0) { + goto give_up; + } + /* Attempt to free the storage associated with the local symbols that we threw away. Whether or not this has any effect on the memory allocation depends on the malloc implementation and how many symbols we managed to discard. */ new_syms = realloc(syms, nsyms * sizeof(*syms)); if (new_syms == NULL) { - free(s); - free(syms); - free(strings); - return; + goto give_up; } syms = new_syms; @@ -1734,6 +1731,13 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias) s->lookup_symbol = lookup_symbolxx; s->next = syminfos; syminfos = s; + + return; + +give_up: + free(s); + free(strings); + free(syms); } int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs, From f3ed1f5d476bfc18c4b2e27bf2386f54c98561f1 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 17 May 2011 13:34:46 +0100 Subject: [PATCH 03/18] linux-user: Handle images where lowest vaddr is not page aligned Fix a bug in the linux-user ELF loader code where it was not correctly handling images where the lowest vaddr to be loaded was not page aligned. The problem was that the code to probe for a suitable guest base address was changing the 'loaddr' variable (by rounding it to a page boundary), which meant that the load bias would then be incorrectly calculated unless loaddr happened to already be page-aligned. Binaries generated by gcc with the default linker script do start with a loadable segment at a page-aligned vaddr, so were unaffected. This bug was noticed with a binary created by the Google Go toolchain for ARM. We fix the bug by refactoring the "probe for guest base" code out into its own self-contained function. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/elfload.c | 130 ++++++++++++++++++++++++------------------- 1 file changed, 73 insertions(+), 57 deletions(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index a4aabd5ca1..a13eb7be62 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -1288,6 +1288,78 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, return sp; } +static void probe_guest_base(const char *image_name, + abi_ulong loaddr, abi_ulong hiaddr) +{ + /* Probe for a suitable guest base address, if the user has not set + * it explicitly, and set guest_base appropriately. + * In case of error we will print a suitable message and exit. + */ +#if defined(CONFIG_USE_GUEST_BASE) + const char *errmsg; + if (!have_guest_base && !reserved_va) { + unsigned long host_start, real_start, host_size; + + /* Round addresses to page boundaries. */ + loaddr &= qemu_host_page_mask; + hiaddr = HOST_PAGE_ALIGN(hiaddr); + + if (loaddr < mmap_min_addr) { + host_start = HOST_PAGE_ALIGN(mmap_min_addr); + } else { + host_start = loaddr; + if (host_start != loaddr) { + errmsg = "Address overflow loading ELF binary"; + goto exit_errmsg; + } + } + host_size = hiaddr - loaddr; + while (1) { + /* Do not use mmap_find_vma here because that is limited to the + guest address space. We are going to make the + guest address space fit whatever we're given. */ + real_start = (unsigned long) + mmap((void *)host_start, host_size, PROT_NONE, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE, -1, 0); + if (real_start == (unsigned long)-1) { + goto exit_perror; + } + if (real_start == host_start) { + break; + } + /* That address didn't work. Unmap and try a different one. + The address the host picked because is typically right at + the top of the host address space and leaves the guest with + no usable address space. Resort to a linear search. We + already compensated for mmap_min_addr, so this should not + happen often. Probably means we got unlucky and host + address space randomization put a shared library somewhere + inconvenient. */ + munmap((void *)real_start, host_size); + host_start += qemu_host_page_size; + if (host_start == loaddr) { + /* Theoretically possible if host doesn't have any suitably + aligned areas. Normally the first mmap will fail. */ + errmsg = "Unable to find space for application"; + goto exit_errmsg; + } + } + qemu_log("Relocating guest address space from 0x" + TARGET_ABI_FMT_lx " to 0x%lx\n", + loaddr, real_start); + guest_base = real_start - loaddr; + } + return; + +exit_perror: + errmsg = strerror(errno); +exit_errmsg: + fprintf(stderr, "%s: %s\n", image_name, errmsg); + exit(-1); +#endif +} + + /* Load an ELF image into the address space. IMAGE_NAME is the filename of the image, to use in error messages. @@ -1373,63 +1445,7 @@ static void load_elf_image(const char *image_name, int image_fd, /* This is the main executable. Make sure that the low address does not conflict with MMAP_MIN_ADDR or the QEMU application itself. */ -#if defined(CONFIG_USE_GUEST_BASE) - /* - * In case where user has not explicitly set the guest_base, we - * probe here that should we set it automatically. - */ - if (!have_guest_base && !reserved_va) { - unsigned long host_start, real_start, host_size; - - /* Round addresses to page boundaries. */ - loaddr &= qemu_host_page_mask; - hiaddr = HOST_PAGE_ALIGN(hiaddr); - - if (loaddr < mmap_min_addr) { - host_start = HOST_PAGE_ALIGN(mmap_min_addr); - } else { - host_start = loaddr; - if (host_start != loaddr) { - errmsg = "Address overflow loading ELF binary"; - goto exit_errmsg; - } - } - host_size = hiaddr - loaddr; - while (1) { - /* Do not use mmap_find_vma here because that is limited to the - guest address space. We are going to make the - guest address space fit whatever we're given. */ - real_start = (unsigned long) - mmap((void *)host_start, host_size, PROT_NONE, - MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE, -1, 0); - if (real_start == (unsigned long)-1) { - goto exit_perror; - } - if (real_start == host_start) { - break; - } - /* That address didn't work. Unmap and try a different one. - The address the host picked because is typically right at - the top of the host address space and leaves the guest with - no usable address space. Resort to a linear search. We - already compensated for mmap_min_addr, so this should not - happen often. Probably means we got unlucky and host - address space randomization put a shared library somewhere - inconvenient. */ - munmap((void *)real_start, host_size); - host_start += qemu_host_page_size; - if (host_start == loaddr) { - /* Theoretically possible if host doesn't have any suitably - aligned areas. Normally the first mmap will fail. */ - errmsg = "Unable to find space for application"; - goto exit_errmsg; - } - } - qemu_log("Relocating guest address space from 0x" - TARGET_ABI_FMT_lx " to 0x%lx\n", loaddr, real_start); - guest_base = real_start - loaddr; - } -#endif + probe_guest_base(image_name, loaddr, hiaddr); } load_bias = load_addr - loaddr; From 00faf08c951fcc351467faac5697307a86edb077 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 18 Apr 2011 16:34:24 +0100 Subject: [PATCH 04/18] linux-user: Don't use MAP_FIXED in do_brk() Since mmap() with MAP_FIXED will map over the top of existing mappings, it's a bad idea to use it to implement brk(), because brk() with a large size is likely to overwrite important things like qemu itself or the host libc. So we drop MAP_FIXED and handle "mapped but at different address" as an error case instead. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 5cb27c7f9f..b9757306ac 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -735,23 +735,34 @@ abi_long do_brk(abi_ulong new_brk) return target_brk; } - /* We need to allocate more memory after the brk... */ + /* We need to allocate more memory after the brk... Note that + * we don't use MAP_FIXED because that will map over the top of + * any existing mapping (like the one with the host libc or qemu + * itself); instead we treat "mapped but at wrong address" as + * a failure and unmap again. + */ new_alloc_size = HOST_PAGE_ALIGN(new_brk - brk_page + 1); mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size, PROT_READ|PROT_WRITE, - MAP_ANON|MAP_FIXED|MAP_PRIVATE, 0, 0)); + MAP_ANON|MAP_PRIVATE, 0, 0)); + + if (mapped_addr == brk_page) { + target_brk = new_brk; + return target_brk; + } else if (mapped_addr != -1) { + /* Mapped but at wrong address, meaning there wasn't actually + * enough space for this brk. + */ + target_munmap(mapped_addr, new_alloc_size); + mapped_addr = -1; + } #if defined(TARGET_ALPHA) /* We (partially) emulate OSF/1 on Alpha, which requires we return a proper errno, not an unchanged brk value. */ - if (is_error(mapped_addr)) { - return -TARGET_ENOMEM; - } + return -TARGET_ENOMEM; #endif - - if (!is_error(mapped_addr)) { - target_brk = new_brk; - } + /* For everything else, return the previous break. */ return target_brk; } From 206ae74aea5593f5f5bad769a6b4f101f17bc6fd Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 18 Apr 2011 16:34:25 +0100 Subject: [PATCH 05/18] arm-semi.c: Use correct check for failure of do_brk() In the ARM semihosting implementation of SYS_HEAPINFO, use the correct check for whether do_brk() has failed -- it does not return -1 but the previous value of the break limit. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- arm-semi.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arm-semi.c b/arm-semi.c index e9e6f8993f..5a62d03b36 100644 --- a/arm-semi.c +++ b/arm-semi.c @@ -440,15 +440,16 @@ uint32_t do_arm_semihosting(CPUState *env) /* Some C libraries assume the heap immediately follows .bss, so allocate it using sbrk. */ if (!ts->heap_limit) { - long ret; + abi_ulong ret; ts->heap_base = do_brk(0); limit = ts->heap_base + ARM_ANGEL_HEAP_SIZE; /* Try a big heap, and reduce the size if that fails. */ for (;;) { ret = do_brk(limit); - if (ret != -1) + if (ret >= limit) { break; + } limit = (ts->heap_base >> 1) + (limit >> 1); } ts->heap_limit = limit; From 5382a012e8ce7cf5ea612d291286be827574c181 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 18 Apr 2011 16:34:26 +0100 Subject: [PATCH 06/18] m68k-semi.c: Use correct check for failure of do_brk() In the m68k semihosting implementation of HOSTED_INIT_SIM, use the correct check for whether do_brk() has failed -- it does not return -1 but the previous value of the break limit. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- m68k-semi.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/m68k-semi.c b/m68k-semi.c index 0371089b98..7fde10e8f3 100644 --- a/m68k-semi.c +++ b/m68k-semi.c @@ -370,7 +370,7 @@ void do_m68k_semihosting(CPUM68KState *env, int nr) TaskState *ts = env->opaque; /* Allocate the heap using sbrk. */ if (!ts->heap_limit) { - long ret; + abi_ulong ret; uint32_t size; uint32_t base; @@ -379,8 +379,9 @@ void do_m68k_semihosting(CPUM68KState *env, int nr) /* Try a big heap, and reduce the size if that fails. */ for (;;) { ret = do_brk(base + size); - if (ret != -1) + if (ret >= (base + size)) { break; + } size >>= 1; } ts->heap_limit = base + size; From 4d1de87c75007ee7e29dd271ebb4afdcf01ad7aa Mon Sep 17 00:00:00 2001 From: vincent Date: Tue, 14 Jun 2011 21:56:33 +0000 Subject: [PATCH 07/18] linux-user: Fix the computation of the requested heap size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There were several remaining bugs in the previous implementation of do_brk(): 1. the value of "new_alloc_size" was one page too large when the requested brk was aligned on a host page boundary. 2. no new pages should be (re-)allocated when the requested brk is in the range of the pages that were already allocated previsouly (for the same purpose). Technically these pages are never unmapped in the current implementation. The problem/fix can be reproduced/validated with the test-suite above: #include /* syscall(2), */ #include /* SYS_brk, */ #include /* puts(3), */ #include /* exit(3), EXIT_*, */ #include /* uint*_t, */ #include /* mmap(2), MAP_*, */ #include /* memset(3), */ int main() { int exit_status = EXIT_SUCCESS; uint8_t *current_brk = 0; uint8_t *initial_brk; uint8_t *new_brk; uint8_t *old_brk; int failure = 0; int i; void test_brk(int increment, int expected_result) { new_brk = (uint8_t *)syscall(SYS_brk, current_brk + increment); if ((new_brk == current_brk) == expected_result) failure = 1; current_brk = (uint8_t *)syscall(SYS_brk, 0); } void test_result() { if (!failure) puts("OK"); else { puts("failure"); exit_status = EXIT_FAILURE; } } void test_title(const char *title) { failure = 0; printf("%-45s : ", title); fflush(stdout); } test_title("Initialization"); test_brk(0, 1); initial_brk = current_brk; test_result(); test_title("Don't overlap \"brk\" pages"); test_brk(HOST_PAGE_SIZE, 1); test_brk(HOST_PAGE_SIZE, 1); test_result(); /* Preparation for the test "Re-allocated heap is initialized". */ old_brk = current_brk - HOST_PAGE_SIZE; memset(old_brk, 0xFF, HOST_PAGE_SIZE); test_title("Don't allocate the same \"brk\" page twice"); test_brk(-HOST_PAGE_SIZE, 1); test_brk(HOST_PAGE_SIZE, 1); test_result(); test_title("Re-allocated \"brk\" pages are initialized"); for (i = 0; i < HOST_PAGE_SIZE; i++) { if (old_brk[i] != 0) { printf("(index = %d, value = 0x%x) ", i, old_brk[i]); failure = 1; break; } } test_result(); test_title("Don't allocate \"brk\" pages over \"mmap\" pages"); new_brk = mmap(current_brk, HOST_PAGE_SIZE / 2, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (new_brk == (void *) -1) puts("unknown"); else { test_brk(HOST_PAGE_SIZE, 0); test_result(); } test_title("All \"brk\" pages are writable (please wait)"); if (munmap(current_brk, HOST_PAGE_SIZE / 2) != 0) puts("unknown"); else { while (current_brk - initial_brk < 2*1024*1024*1024UL) { old_brk = current_brk; test_brk(HOST_PAGE_SIZE, -1); if (old_brk == current_brk) break; for (i = 0; i < HOST_PAGE_SIZE; i++) old_brk[i] = 0xAA; } puts("OK"); } test_title("Maximum size of the heap > 16MB"); failure = (current_brk - initial_brk) < 16*1024*1024; test_result(); exit(exit_status); } Changes introduced in patch v2: * extend the "brk" test-suite embedded within the commit message; * heap contents have to be initialized to zero, this bug was exposed by "tst-calloc.c" from the GNU C library; * don't [try to] allocate a new host page if the new "brk" is equal to the latest allocated host page ("brk_page"); and * print some debug information when DEBUGF_BRK is defined. Signed-off-by: Cédric VINCENT Reviewed-by: Christophe Guillon Cc: Riku Voipio Signed-off-by: Riku Voipio --- linux-user/syscall.c | 39 ++++++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index b9757306ac..608924a27a 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -709,29 +709,44 @@ char *target_strerror(int err) static abi_ulong target_brk; static abi_ulong target_original_brk; +static abi_ulong brk_page; void target_set_brk(abi_ulong new_brk) { target_original_brk = target_brk = HOST_PAGE_ALIGN(new_brk); + brk_page = HOST_PAGE_ALIGN(target_brk); } +//#define DEBUGF_BRK(message, args...) do { fprintf(stderr, (message), ## args); } while (0) +#define DEBUGF_BRK(message, args...) + /* do_brk() must return target values and target errnos. */ abi_long do_brk(abi_ulong new_brk) { - abi_ulong brk_page; abi_long mapped_addr; int new_alloc_size; - if (!new_brk) - return target_brk; - if (new_brk < target_original_brk) - return target_brk; + DEBUGF_BRK("do_brk(%#010x) -> ", new_brk); - brk_page = HOST_PAGE_ALIGN(target_brk); + if (!new_brk) { + DEBUGF_BRK("%#010x (!new_brk)\n", target_brk); + return target_brk; + } + if (new_brk < target_original_brk) { + DEBUGF_BRK("%#010x (new_brk < target_original_brk)\n", target_brk); + return target_brk; + } - /* If the new brk is less than this, set it and we're done... */ - if (new_brk < brk_page) { + /* If the new brk is less than the highest page reserved to the + * target heap allocation, set it and we're almost done... */ + if (new_brk <= brk_page) { + /* Heap contents are initialized to zero, as for anonymous + * mapped pages. */ + if (new_brk > target_brk) { + memset(g2h(target_brk), 0, new_brk - target_brk); + } target_brk = new_brk; + DEBUGF_BRK("%#010x (new_brk <= brk_page)\n", target_brk); return target_brk; } @@ -741,13 +756,15 @@ abi_long do_brk(abi_ulong new_brk) * itself); instead we treat "mapped but at wrong address" as * a failure and unmap again. */ - new_alloc_size = HOST_PAGE_ALIGN(new_brk - brk_page + 1); + new_alloc_size = HOST_PAGE_ALIGN(new_brk - brk_page); mapped_addr = get_errno(target_mmap(brk_page, new_alloc_size, PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, 0, 0)); if (mapped_addr == brk_page) { target_brk = new_brk; + brk_page = HOST_PAGE_ALIGN(target_brk); + DEBUGF_BRK("%#010x (mapped_addr == brk_page)\n", target_brk); return target_brk; } else if (mapped_addr != -1) { /* Mapped but at wrong address, meaning there wasn't actually @@ -755,6 +772,10 @@ abi_long do_brk(abi_ulong new_brk) */ target_munmap(mapped_addr, new_alloc_size); mapped_addr = -1; + DEBUGF_BRK("%#010x (mapped_addr != -1)\n", target_brk); + } + else { + DEBUGF_BRK("%#010x (otherwise)\n", target_brk); } #if defined(TARGET_ALPHA) From 055e090687d31429b4cd080626d2bf9ce8bbfe59 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Fri, 3 Jun 2011 17:01:49 -0400 Subject: [PATCH 08/18] linux-user: add pselect6 syscall support Some architectures (like Blackfin) only implement pselect6 (and skip select/newselect). So add support for it. Signed-off-by: Mike Frysinger Signed-off-by: Riku Voipio --- linux-user/syscall.c | 149 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 130 insertions(+), 19 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 608924a27a..9f9693e806 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -550,6 +550,15 @@ _syscall5(int, sys_ppoll, struct pollfd *, fds, nfds_t, nfds, size_t, sigsetsize) #endif +#if defined(TARGET_NR_pselect6) +#ifndef __NR_pselect6 +# define __NR_pselect6 -1 +#endif +#define __NR_sys_pselect6 __NR_pselect6 +_syscall6(int, sys_pselect6, int, nfds, fd_set *, readfds, fd_set *, writefds, + fd_set *, exceptfds, struct timespec *, timeout, void *, sig); +#endif + extern int personality(int); extern int flock(int, int); extern int setfsuid(int); @@ -819,6 +828,20 @@ static inline abi_long copy_from_user_fdset(fd_set *fds, return 0; } +static inline abi_ulong copy_from_user_fdset_ptr(fd_set *fds, fd_set **fds_ptr, + abi_ulong target_fds_addr, + int n) +{ + if (target_fds_addr) { + if (copy_from_user_fdset(fds, target_fds_addr, n)) + return -TARGET_EFAULT; + *fds_ptr = fds; + } else { + *fds_ptr = NULL; + } + return 0; +} + static inline abi_long copy_to_user_fdset(abi_ulong target_fds_addr, const fd_set *fds, int n) @@ -984,6 +1007,7 @@ static inline abi_long copy_to_user_mq_attr(abi_ulong target_mq_attr_addr, } #endif +#if defined(TARGET_NR_select) || defined(TARGET_NR__newselect) /* do_select() must return target values and target errnos. */ static abi_long do_select(int n, abi_ulong rfd_addr, abi_ulong wfd_addr, @@ -994,26 +1018,17 @@ static abi_long do_select(int n, struct timeval tv, *tv_ptr; abi_long ret; - if (rfd_addr) { - if (copy_from_user_fdset(&rfds, rfd_addr, n)) - return -TARGET_EFAULT; - rfds_ptr = &rfds; - } else { - rfds_ptr = NULL; + ret = copy_from_user_fdset_ptr(&rfds, &rfds_ptr, rfd_addr, n); + if (ret) { + return ret; } - if (wfd_addr) { - if (copy_from_user_fdset(&wfds, wfd_addr, n)) - return -TARGET_EFAULT; - wfds_ptr = &wfds; - } else { - wfds_ptr = NULL; + ret = copy_from_user_fdset_ptr(&wfds, &wfds_ptr, wfd_addr, n); + if (ret) { + return ret; } - if (efd_addr) { - if (copy_from_user_fdset(&efds, efd_addr, n)) - return -TARGET_EFAULT; - efds_ptr = &efds; - } else { - efds_ptr = NULL; + ret = copy_from_user_fdset_ptr(&efds, &efds_ptr, efd_addr, n); + if (ret) { + return ret; } if (target_tv_addr) { @@ -1040,6 +1055,7 @@ static abi_long do_select(int n, return ret; } +#endif static abi_long do_pipe2(int host_pipe[], int flags) { @@ -5601,7 +5617,102 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, #endif #ifdef TARGET_NR_pselect6 case TARGET_NR_pselect6: - goto unimplemented_nowarn; + { + abi_long rfd_addr, wfd_addr, efd_addr, n, ts_addr; + fd_set rfds, wfds, efds; + fd_set *rfds_ptr, *wfds_ptr, *efds_ptr; + struct timespec ts, *ts_ptr; + + /* + * The 6th arg is actually two args smashed together, + * so we cannot use the C library. + */ + sigset_t set; + struct { + sigset_t *set; + size_t size; + } sig, *sig_ptr; + + abi_ulong arg_sigset, arg_sigsize, *arg7; + target_sigset_t *target_sigset; + + n = arg1; + rfd_addr = arg2; + wfd_addr = arg3; + efd_addr = arg4; + ts_addr = arg5; + + ret = copy_from_user_fdset_ptr(&rfds, &rfds_ptr, rfd_addr, n); + if (ret) { + goto fail; + } + ret = copy_from_user_fdset_ptr(&wfds, &wfds_ptr, wfd_addr, n); + if (ret) { + goto fail; + } + ret = copy_from_user_fdset_ptr(&efds, &efds_ptr, efd_addr, n); + if (ret) { + goto fail; + } + + /* + * This takes a timespec, and not a timeval, so we cannot + * use the do_select() helper ... + */ + if (ts_addr) { + if (target_to_host_timespec(&ts, ts_addr)) { + goto efault; + } + ts_ptr = &ts; + } else { + ts_ptr = NULL; + } + + /* Extract the two packed args for the sigset */ + if (arg6) { + sig_ptr = &sig; + sig.size = _NSIG / 8; + + arg7 = lock_user(VERIFY_READ, arg6, sizeof(*arg7) * 2, 1); + if (!arg7) { + goto efault; + } + arg_sigset = tswapl(arg7[0]); + arg_sigsize = tswapl(arg7[1]); + unlock_user(arg7, arg6, 0); + + if (arg_sigset) { + sig.set = &set; + target_sigset = lock_user(VERIFY_READ, arg_sigset, + sizeof(*target_sigset), 1); + if (!target_sigset) { + goto efault; + } + target_to_host_sigset(&set, target_sigset); + unlock_user(target_sigset, arg_sigset, 0); + } else { + sig.set = NULL; + } + } else { + sig_ptr = NULL; + } + + ret = get_errno(sys_pselect6(n, rfds_ptr, wfds_ptr, efds_ptr, + ts_ptr, sig_ptr)); + + if (!is_error(ret)) { + if (rfd_addr && copy_to_user_fdset(rfd_addr, &rfds, n)) + goto efault; + if (wfd_addr && copy_to_user_fdset(wfd_addr, &wfds, n)) + goto efault; + if (efd_addr && copy_to_user_fdset(efd_addr, &efds, n)) + goto efault; + + if (ts_addr && host_to_target_timespec(ts_addr, &ts)) + goto efault; + } + } + break; #endif case TARGET_NR_symlink: { From 14322bad88c46e41b962ff8f4a6f524dd883670c Mon Sep 17 00:00:00 2001 From: Laurent ALFONSI Date: Mon, 20 Jun 2011 08:43:13 +0200 Subject: [PATCH 09/18] linux-user: Define AT_RANDOM to support target stack protection mechanism. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dynamic linker from the GNU C library v2.10+ uses the ELF auxiliary vector AT_RANDOM [1] as a pointer to 16 bytes with random values to initialize the stack protection mechanism. Technically the emulated GNU dynamic linker crashes due to a NULL pointer derefencement if it is built with stack protection enabled and if AT_RANDOM is not defined by the QEMU ELF loader. [1] This ELF auxiliary vector was introduced in Linux v2.6.29. This patch can be tested with the code above: #include /* Elf*_auxv_t, AT_RANDOM, */ #include /* printf(3), */ #include /* exit(3), EXIT_*, */ #include /* uint8_t, */ #include /* memcpy(3), */ #if defined(__LP64__) || defined(__ILP64__) || defined(__LLP64__) # define Elf_auxv_t Elf64_auxv_t #else # define Elf_auxv_t Elf32_auxv_t #endif main(int argc, char* argv[], char* envp[]) { Elf_auxv_t *auxv; /* *envp = NULL marks end of envp. */ while (*envp++ != NULL); /* auxv->a_type = AT_NULL marks the end of auxv. */ for (auxv = (Elf_auxv_t *)envp; auxv->a_type != AT_NULL; auxv++) { if (auxv->a_type == AT_RANDOM) { int i; uint8_t rand_bytes[16]; printf("AT_RANDOM is: 0x%x\n", auxv->a_un.a_val); memcpy(rand_bytes, (const uint8_t *)auxv->a_un.a_val, sizeof(rand_bytes)); printf("it points to: "); for (i = 0; i < 16; i++) { printf("0x%02x ", rand_bytes[i]); } printf("\n"); exit(EXIT_SUCCESS); } } exit(EXIT_FAILURE); } Changes introduced in v2 and v3: * Fix typos + thinko (AT_RANDOM is used for stack canary, not for ASLR) * AT_RANDOM points to 16 random bytes stored inside the user stack. * Add a small test program. Signed-off-by: Cédric VINCENT Signed-off-by: Laurent ALFONSI Signed-off-by: Riku Voipio --- linux-user/elfload.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index a13eb7be62..b2746f2558 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -927,7 +927,7 @@ struct exec #define TARGET_ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(TARGET_ELF_EXEC_PAGESIZE-1)) #define TARGET_ELF_PAGEOFFSET(_v) ((_v) & (TARGET_ELF_EXEC_PAGESIZE-1)) -#define DLINFO_ITEMS 12 +#define DLINFO_ITEMS 13 static inline void memcpy_fromfs(void * to, const void * from, unsigned long n) { @@ -1202,6 +1202,9 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, { abi_ulong sp; int size; + int i; + abi_ulong u_rand_bytes; + uint8_t k_rand_bytes[16]; abi_ulong u_platform; const char *k_platform; const int n = sizeof(elf_addr_t); @@ -1231,6 +1234,20 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, /* FIXME - check return value of memcpy_to_target() for failure */ memcpy_to_target(sp, k_platform, len); } + + /* + * Generate 16 random bytes for userspace PRNG seeding (not + * cryptically secure but it's not the aim of QEMU). + */ + srand((unsigned int) time(NULL)); + for (i = 0; i < 16; i++) { + k_rand_bytes[i] = rand(); + } + sp -= 16; + u_rand_bytes = sp; + /* FIXME - check return value of memcpy_to_target() for failure */ + memcpy_to_target(sp, k_rand_bytes, 16); + /* * Force 16 byte _final_ alignment here for generality. */ @@ -1271,6 +1288,8 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc, NEW_AUX_ENT(AT_EGID, (abi_ulong) getegid()); NEW_AUX_ENT(AT_HWCAP, (abi_ulong) ELF_HWCAP); NEW_AUX_ENT(AT_CLKTCK, (abi_ulong) sysconf(_SC_CLK_TCK)); + NEW_AUX_ENT(AT_RANDOM, (abi_ulong) u_rand_bytes); + if (k_platform) NEW_AUX_ENT(AT_PLATFORM, u_platform); #ifdef ARCH_DLINFO From 331c23b5ca44293d13299d12f1a36826395d7254 Mon Sep 17 00:00:00 2001 From: Juan Quintela Date: Thu, 16 Jun 2011 17:37:08 +0100 Subject: [PATCH 10/18] linuxload: id_change was a write only variable Signed-off-by: Juan Quintela Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/linuxload.c | 25 +------------------------ 1 file changed, 1 insertion(+), 24 deletions(-) diff --git a/linux-user/linuxload.c b/linux-user/linuxload.c index ac8c486c5f..62ebc7ed41 100644 --- a/linux-user/linuxload.c +++ b/linux-user/linuxload.c @@ -26,22 +26,6 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src, return 0; } -static int in_group_p(gid_t g) -{ - /* return TRUE if we're in the specified group, FALSE otherwise */ - int ngroup; - int i; - gid_t grouplist[NGROUPS]; - - ngroup = getgroups(NGROUPS, grouplist); - for(i = 0; i < ngroup; i++) { - if(grouplist[i] == g) { - return 1; - } - } - return 0; -} - static int count(char ** vec) { int i; @@ -57,7 +41,7 @@ static int prepare_binprm(struct linux_binprm *bprm) { struct stat st; int mode; - int retval, id_change; + int retval; if(fstat(bprm->fd, &st) < 0) { return(-errno); @@ -73,14 +57,10 @@ static int prepare_binprm(struct linux_binprm *bprm) bprm->e_uid = geteuid(); bprm->e_gid = getegid(); - id_change = 0; /* Set-uid? */ if(mode & S_ISUID) { bprm->e_uid = st.st_uid; - if(bprm->e_uid != geteuid()) { - id_change = 1; - } } /* Set-gid? */ @@ -91,9 +71,6 @@ static int prepare_binprm(struct linux_binprm *bprm) */ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { bprm->e_gid = st.st_gid; - if (!in_group_p(bprm->e_gid)) { - id_change = 1; - } } retval = read(bprm->fd, bprm->buf, BPRM_BUF_SIZE); From 1add86983cbc972a3431368203f630e290c3f2bb Mon Sep 17 00:00:00 2001 From: Juan Quintela Date: Thu, 16 Jun 2011 17:37:09 +0100 Subject: [PATCH 11/18] syscall: really return ret code We assign ret with the error code, but then return 0 unconditionally. Signed-off-by: Juan Quintela Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 9f9693e806..00484f1f18 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3799,10 +3799,10 @@ static abi_long do_get_thread_area(CPUX86State *env, abi_ulong ptr) #ifndef TARGET_ABI32 static abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr) { - abi_long ret; + abi_long ret = 0; abi_ulong val; int idx; - + switch(code) { case TARGET_ARCH_SET_GS: case TARGET_ARCH_SET_FS: @@ -3821,13 +3821,13 @@ static abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr) idx = R_FS; val = env->segs[idx].base; if (put_user(val, addr, abi_ulong)) - return -TARGET_EFAULT; + ret = -TARGET_EFAULT; break; default: ret = -TARGET_EINVAL; break; } - return 0; + return ret; } #endif From bc088ba1db4ec9e5c3bc3e6b2bac816673d9cbdd Mon Sep 17 00:00:00 2001 From: Juan Quintela Date: Thu, 16 Jun 2011 17:37:10 +0100 Subject: [PATCH 12/18] linux-user: syscall should use sanitized arg1 Looking at the other architectures, we should be using "how" not "arg1". Signed-off-by: Juan Quintela [peter.maydell@linaro.org: remove unnecessary initialisation of how] Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 00484f1f18..5a919f68e7 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7201,7 +7201,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, case TARGET_NR_osf_sigprocmask: { abi_ulong mask; - int how = arg1; + int how; sigset_t set, oldset; switch(arg1) { @@ -7220,7 +7220,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, } mask = arg2; target_to_host_old_sigset(&set, &mask); - sigprocmask(arg1, &set, &oldset); + sigprocmask(how, &set, &oldset); host_to_target_old_sigset(&mask, &oldset); ret = mask; } From e7730352fb63879da816893d868e6d77be9594a3 Mon Sep 17 00:00:00 2001 From: Juan Quintela Date: Thu, 16 Jun 2011 17:37:11 +0100 Subject: [PATCH 13/18] flatload: end_code was only used in a debug message Just unfold its definition in only use. Signed-off-by: Juan Quintela [peter.maydell@linaro.org: fixed typo in the debug code, added parentheses to fix precedence issue] Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/flatload.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/linux-user/flatload.c b/linux-user/flatload.c index cd7af7cdff..6fb78f544f 100644 --- a/linux-user/flatload.c +++ b/linux-user/flatload.c @@ -384,7 +384,7 @@ static int load_flat_file(struct linux_binprm * bprm, abi_ulong reloc = 0, rp; int i, rev, relocs = 0; abi_ulong fpos; - abi_ulong start_code, end_code; + abi_ulong start_code; abi_ulong indx_len; hdr = ((struct flat_hdr *) bprm->buf); /* exec-header */ @@ -552,11 +552,10 @@ static int load_flat_file(struct linux_binprm * bprm, /* The main program needs a little extra setup in the task structure */ start_code = textpos + sizeof (struct flat_hdr); - end_code = textpos + text_len; DBG_FLT("%s %s: TEXT=%x-%x DATA=%x-%x BSS=%x-%x\n", id ? "Lib" : "Load", bprm->filename, - (int) start_code, (int) end_code, + (int) start_code, (int) (textpos + text_len), (int) datapos, (int) (datapos + data_len), (int) (datapos + data_len), From 3002fa8472b1b9293cac785ca032df727540f85d Mon Sep 17 00:00:00 2001 From: Juan Quintela Date: Thu, 16 Jun 2011 17:37:12 +0100 Subject: [PATCH 14/18] flatload: memp was a write-only variable Signed-off-by: Juan Quintela Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/flatload.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/linux-user/flatload.c b/linux-user/flatload.c index 6fb78f544f..1062da3852 100644 --- a/linux-user/flatload.c +++ b/linux-user/flatload.c @@ -379,7 +379,6 @@ static int load_flat_file(struct linux_binprm * bprm, abi_long result; abi_ulong realdatastart = 0; abi_ulong text_len, data_len, bss_len, stack_len, flags; - abi_ulong memp = 0; /* for finding the brk area */ abi_ulong extra; abi_ulong reloc = 0, rp; int i, rev, relocs = 0; @@ -491,7 +490,6 @@ static int load_flat_file(struct linux_binprm * bprm, } reloc = datapos + (ntohl(hdr->reloc_start) - text_len); - memp = realdatastart; } else { @@ -506,7 +504,6 @@ static int load_flat_file(struct linux_binprm * bprm, realdatastart = textpos + ntohl(hdr->data_start); datapos = realdatastart + indx_len; reloc = (textpos + ntohl(hdr->reloc_start) + indx_len); - memp = textpos; #ifdef CONFIG_BINFMT_ZFLAT #error code needs checking From 5945cfcb4b862a57fbbbf794f5e4b0fa4499624a Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 16 Jun 2011 17:37:13 +0100 Subject: [PATCH 15/18] linux-user: Bump do_syscall() up to 8 syscall arguments On 32 bit MIPS a few syscalls have 7 arguments, and so to call them via NR_syscall the guest needs to be able to pass 8 arguments to do_syscall(). Raise the number of arguments do_syscall() takes accordingly. This fixes some gcc 4.6 compiler warnings about arg7 and arg8 variables being set and never used. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/main.c | 37 ++++++++++++++++++++++++------------- linux-user/qemu.h | 3 ++- linux-user/syscall.c | 8 +++++--- 3 files changed, 31 insertions(+), 17 deletions(-) diff --git a/linux-user/main.c b/linux-user/main.c index 71dd253786..1293450da7 100644 --- a/linux-user/main.c +++ b/linux-user/main.c @@ -319,7 +319,8 @@ void cpu_loop(CPUX86State *env) env->regs[R_EDX], env->regs[R_ESI], env->regs[R_EDI], - env->regs[R_EBP]); + env->regs[R_EBP], + 0, 0); break; #ifndef TARGET_ABI32 case EXCP_SYSCALL: @@ -331,7 +332,8 @@ void cpu_loop(CPUX86State *env) env->regs[R_EDX], env->regs[10], env->regs[8], - env->regs[9]); + env->regs[9], + 0, 0); env->eip = env->exception_next_eip; break; #endif @@ -735,7 +737,8 @@ void cpu_loop(CPUARMState *env) env->regs[2], env->regs[3], env->regs[4], - env->regs[5]); + env->regs[5], + 0, 0); } } else { goto error; @@ -831,7 +834,8 @@ void cpu_loop(CPUState *env) env->regs[2], env->regs[3], env->regs[4], - env->regs[5]); + env->regs[5], + 0, 0); } } else { goto error; @@ -1018,7 +1022,8 @@ void cpu_loop (CPUSPARCState *env) ret = do_syscall (env, env->gregs[1], env->regwptr[0], env->regwptr[1], env->regwptr[2], env->regwptr[3], - env->regwptr[4], env->regwptr[5]); + env->regwptr[4], env->regwptr[5], + 0, 0); if ((abi_ulong)ret >= (abi_ulong)(-515)) { #if defined(TARGET_SPARC64) && !defined(TARGET_ABI32) env->xcc |= PSR_CARRY; @@ -1611,7 +1616,7 @@ void cpu_loop(CPUPPCState *env) env->crf[0] &= ~0x1; ret = do_syscall(env, env->gpr[0], env->gpr[3], env->gpr[4], env->gpr[5], env->gpr[6], env->gpr[7], - env->gpr[8]); + env->gpr[8], 0, 0); if (ret == (uint32_t)(-TARGET_QEMU_ESIGRETURN)) { /* Returning from a successful sigreturn syscall. Avoid corrupting register state. */ @@ -2072,7 +2077,7 @@ void cpu_loop(CPUMIPSState *env) env->active_tc.gpr[5], env->active_tc.gpr[6], env->active_tc.gpr[7], - arg5, arg6/*, arg7, arg8*/); + arg5, arg6, arg7, arg8); } if (ret == -TARGET_QEMU_ESIGRETURN) { /* Returning from a successful sigreturn syscall. @@ -2160,7 +2165,8 @@ void cpu_loop (CPUState *env) env->gregs[6], env->gregs[7], env->gregs[0], - env->gregs[1]); + env->gregs[1], + 0, 0); env->gregs[0] = ret; break; case EXCP_INTERRUPT: @@ -2229,7 +2235,8 @@ void cpu_loop (CPUState *env) env->regs[12], env->regs[13], env->pregs[7], - env->pregs[11]); + env->pregs[11], + 0, 0); env->regs[10] = ret; break; case EXCP_DEBUG: @@ -2288,7 +2295,8 @@ void cpu_loop (CPUState *env) env->regs[7], env->regs[8], env->regs[9], - env->regs[10]); + env->regs[10], + 0, 0); env->regs[3] = ret; env->sregs[SR_PC] = env->regs[14]; break; @@ -2398,7 +2406,8 @@ void cpu_loop(CPUM68KState *env) env->dregs[3], env->dregs[4], env->dregs[5], - env->aregs[0]); + env->aregs[0], + 0, 0); } break; case EXCP_INTERRUPT: @@ -2576,7 +2585,8 @@ void cpu_loop (CPUState *env) sysret = do_syscall(env, trapnr, env->ir[IR_A0], env->ir[IR_A1], env->ir[IR_A2], env->ir[IR_A3], - env->ir[IR_A4], env->ir[IR_A5]); + env->ir[IR_A4], env->ir[IR_A5], + 0, 0); if (trapnr == TARGET_NR_sigreturn || trapnr == TARGET_NR_rt_sigreturn) { break; @@ -2707,7 +2717,8 @@ void cpu_loop(CPUS390XState *env) env->regs[4], env->regs[5], env->regs[6], - env->regs[7]); + env->regs[7], + 0, 0); } break; case EXCP_ADDR: diff --git a/linux-user/qemu.h b/linux-user/qemu.h index 237386caac..627c8b3423 100644 --- a/linux-user/qemu.h +++ b/linux-user/qemu.h @@ -192,7 +192,8 @@ abi_long do_brk(abi_ulong new_brk); void syscall_init(void); abi_long do_syscall(void *cpu_env, int num, abi_long arg1, abi_long arg2, abi_long arg3, abi_long arg4, - abi_long arg5, abi_long arg6); + abi_long arg5, abi_long arg6, abi_long arg7, + abi_long arg8); void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2); extern THREAD CPUState *thread_env; void cpu_loop(CPUState *env); diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 5a919f68e7..9e149375e4 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -4532,7 +4532,8 @@ int get_osversion(void) All errnos that do_syscall() returns must be -TARGET_. */ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, abi_long arg2, abi_long arg3, abi_long arg4, - abi_long arg5, abi_long arg6) + abi_long arg5, abi_long arg6, abi_long arg7, + abi_long arg8) { abi_long ret; struct stat st; @@ -6172,8 +6173,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, #endif #ifdef TARGET_NR_syscall case TARGET_NR_syscall: - ret = do_syscall(cpu_env,arg1 & 0xffff,arg2,arg3,arg4,arg5,arg6,0); - break; + ret = do_syscall(cpu_env, arg1 & 0xffff, arg2, arg3, arg4, arg5, + arg6, arg7, arg8, 0); + break; #endif case TARGET_NR_wait4: { From 2aec3a27d78075c4b4c44a241f32f27e9a7b9a8a Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 16 Jun 2011 17:37:14 +0100 Subject: [PATCH 16/18] linux-user/signal.c: Remove only-ever-set variable fpu_save_addr Move the access of fpu_save into the commented out skeleton code for restoring FPU registers on SPARC sigreturn, thus silencing a gcc 4.6 "variable set but never used" warning. (This doesn't affect the calculation of 'err' because in fact __get_user() can never fail.) Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/signal.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/linux-user/signal.c b/linux-user/signal.c index cb7138f1cf..4edd974ce1 100644 --- a/linux-user/signal.c +++ b/linux-user/signal.c @@ -2080,7 +2080,6 @@ long do_sigreturn(CPUState *env) uint32_t up_psr, pc, npc; target_sigset_t set; sigset_t host_set; - abi_ulong fpu_save_addr; int err, i; sf_addr = env->regwptr[UREG_FP]; @@ -2120,10 +2119,11 @@ long do_sigreturn(CPUState *env) err |= __get_user(env->regwptr[i + UREG_I0], &sf->info.si_regs.u_regs[i+8]); } - err |= __get_user(fpu_save_addr, &sf->fpu_save); - - //if (fpu_save) - // err |= restore_fpu_state(env, fpu_save); + /* FIXME: implement FPU save/restore: + * __get_user(fpu_save, &sf->fpu_save); + * if (fpu_save) + * err |= restore_fpu_state(env, fpu_save); + */ /* This is pretty much atomic, no amount locking would prevent * the races which exist anyways. From c7b016ba04aa0ba71e068deb24163fb8b4dcd421 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 16 Jun 2011 17:37:15 +0100 Subject: [PATCH 17/18] linux-user/signal.c: Remove unused fenab Remove fenab as it is only written, never used. Add a FIXME comment about the discrepancy between our behaviour and that of the Linux kernel for this routine. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/signal.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/linux-user/signal.c b/linux-user/signal.c index 4edd974ce1..7d168e100f 100644 --- a/linux-user/signal.c +++ b/linux-user/signal.c @@ -2228,7 +2228,6 @@ void sparc64_set_context(CPUSPARCState *env) target_mc_gregset_t *grp; abi_ulong pc, npc, tstate; abi_ulong fp, i7, w_addr; - unsigned char fenab; int err; unsigned int i; @@ -2293,7 +2292,11 @@ void sparc64_set_context(CPUSPARCState *env) if (put_user(i7, w_addr + offsetof(struct target_reg_window, ins[7]), abi_ulong) != 0) goto do_sigsegv; - err |= __get_user(fenab, &(ucp->tuc_mcontext.mc_fpregs.mcfpu_enab)); + /* FIXME this does not match how the kernel handles the FPU in + * its sparc64_set_context implementation. In particular the FPU + * is only restored if fenab is non-zero in: + * __get_user(fenab, &(ucp->tuc_mcontext.mc_fpregs.mcfpu_enab)); + */ err |= __get_user(env->fprs, &(ucp->tuc_mcontext.mc_fpregs.mcfpu_fprs)); { uint32_t *src, *dst; From bfcedc572bb77f3d21cd3a297b4215389a2f7df4 Mon Sep 17 00:00:00 2001 From: Riku Voipio Date: Mon, 20 Jun 2011 16:24:39 +0300 Subject: [PATCH 18/18] linux-user: Fix sync_file_range on 32bit mips As noticed while looking at "Bump do_syscall() up to 8 syscall arguments" patch, sync_file_range uses a pad argument on 32bit mips. Deal with it by reading the correct arguments when on mips. Signed-off-by: Riku Voipio --- linux-user/syscall.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 9e149375e4..fed7a8fe0f 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7862,8 +7862,13 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1, #if defined(TARGET_NR_sync_file_range) case TARGET_NR_sync_file_range: #if TARGET_ABI_BITS == 32 +#if defined(TARGET_MIPS) + ret = get_errno(sync_file_range(arg1, target_offset64(arg3, arg4), + target_offset64(arg5, arg6), arg7)); +#else ret = get_errno(sync_file_range(arg1, target_offset64(arg2, arg3), target_offset64(arg4, arg5), arg6)); +#endif /* !TARGET_MIPS */ #else ret = get_errno(sync_file_range(arg1, arg2, arg3, arg4)); #endif