target/i386/seg_helper: introduce tss_set_busy

Eliminate a shadowed local variable in the process.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: implement SYSCALL/SYSRET in 32-bit emulators

AMD supports both 32-bit and 64-bit SYSCALL/SYSRET, but the TCG only
exposes it for 64-bit targets. For system emulation just reuse the
hel

target/i386: implement SYSCALL/SYSRET in 32-bit emulators

AMD supports both 32-bit and 64-bit SYSCALL/SYSRET, but the TCG only
exposes it for 64-bit targets. For system emulation just reuse the
helper; for user-mode emulation the ABI is the same as "int $80".

The BSDs does not support any fast system call mechanism in 32-bit
mode so add to bsd-user the same stub that FreeBSD has for 64-bit
compatibility mode.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

i386: Emit correct error code for 64-bit IDT entry

When in 64-bit mode, IDT entiries are 16 bytes, so `intno * 16` is used
for base/limit/offset calculations. However, even in 64-bit mode, the
excep

i386: Emit correct error code for 64-bit IDT entry

When in 64-bit mode, IDT entiries are 16 bytes, so `intno * 16` is used
for base/limit/offset calculations. However, even in 64-bit mode, the
exception error code still uses bits [3,16) for the invlaid interrupt
index.

This means the error code should still be `intno * 8 + 2` even in 64-bit
mode.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1382
Signed-off-by: Joe Richey <joerichey@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: Truncate values for lcall_real to i32

Use i32 not int or tl for eip and cs arguments.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Richard Henderson <richard.henders

target/i386: Truncate values for lcall_real to i32

Use i32 not int or tl for eip and cs arguments.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20221001140935.465607-15-richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: Throw a #SS when loading a non-canonical IST

Loading a non-canonical address into rsp when handling an interrupt or
performing a far call should raise a #SS not a #GP.

Resolves: https:

target/i386: Throw a #SS when loading a non-canonical IST

Loading a non-canonical address into rsp when handling an interrupt or
performing a far call should raise a #SS not a #GP.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/870
Signed-off-by: Gareth Webb <gareth.webb@umbralsoftware.co.uk>
Message-Id: <164529651121.25406.15337137068584246397-0@git.sr.ht>
[Move get_pg_mode to seg_helper.c for user-mode emulators. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: Move x86_cpu_exec_interrupt() under sysemu/ folder

Following the logic of commit 30493a030ff ("i386: split seg_helper
into user-only and sysemu parts"), move x86_cpu_exec_interrupt()
un

target/i386: Move x86_cpu_exec_interrupt() under sysemu/ folder

Following the logic of commit 30493a030ff ("i386: split seg_helper
into user-only and sysemu parts"), move x86_cpu_exec_interrupt()
under sysemu/seg_helper.c.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-By: Warner Losh <imp@bsdimp.com>
Message-Id: <20210911165434.531552-12-f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/i386: Restrict cpu_exec_interrupt() handler to sysemu

Restrict cpu_exec_interrupt() and its callees to sysemu.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Warner Los

target/i386: Restrict cpu_exec_interrupt() handler to sysemu

Restrict cpu_exec_interrupt() and its callees to sysemu.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210911165434.531552-11-f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/i386: Simplify TARGET_X86_64 #ifdef'ry

Merge two TARGET_X86_64 consecutive blocks.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-

target/i386: Simplify TARGET_X86_64 #ifdef'ry

Merge two TARGET_X86_64 consecutive blocks.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210911165434.531552-4-f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/i386: Moved int_ctl into CPUX86State structure

Moved int_ctl into the CPUX86State structure. It removes some
unnecessary stores and loads, and prepares for tracking the vIRQ
state even when

target/i386: Moved int_ctl into CPUX86State structure

Moved int_ctl into the CPUX86State structure. It removes some
unnecessary stores and loads, and prepares for tracking the vIRQ
state even when it is masked due to vGIF.

Signed-off-by: Lara Lazier <laramglazier@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: tcg: fix switching from 16-bit to 32-bit tasks or vice versa

The format of the task state segment is governed by bit 3 in the
descriptor type field. On a task switch, the format for sa

target/i386: tcg: fix switching from 16-bit to 32-bit tasks or vice versa

The format of the task state segment is governed by bit 3 in the
descriptor type field. On a task switch, the format for saving
is given by the current value of TR's type field, while the
format for loading is given by the new descriptor.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: tcg: fix loading of registers from 16-bit TSS

According to the manual, the high 16-bit of the registers are preserved
when switching to a 16-bit task. Implement this in switch_tss_ra.

target/i386: tcg: fix loading of registers from 16-bit TSS

According to the manual, the high 16-bit of the registers are preserved
when switching to a 16-bit task. Implement this in switch_tss_ra.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: tcg: fix segment register offsets for 16-bit TSS

The TSS offsets in the manuals have only 2-byte slots for the
segment registers. QEMU incorrectly uses 4-byte slots, so
that SS overlap

target/i386: tcg: fix segment register offsets for 16-bit TSS

The TSS offsets in the manuals have only 2-byte slots for the
segment registers. QEMU incorrectly uses 4-byte slots, so
that SS overlaps the LDT selector.

Resolves: #382
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: Move helper_check_io to sysemu

The we never allow i/o from user-only, and the tss check
that helper_check_io does will always fail. Use an ifdef
within gen_check_io and return false, i

target/i386: Move helper_check_io to sysemu

The we never allow i/o from user-only, and the tss check
that helper_check_io does will always fail. Use an ifdef
within gen_check_io and return false, indicating that an
exception is known to be raised.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20210514151342.384376-50-richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/i386: Create helper_check_io

Drop helper_check_io[bwl] and expose their common
subroutine to tcg directly.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philip

target/i386: Create helper_check_io

Drop helper_check_io[bwl] and expose their common
subroutine to tcg directly.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210514151342.384376-49-richard.henderson@linaro.org>

show more ...

i386: split seg_helper into user-only and sysemu parts

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

[claudio]:
Rebased on commit 6

i386: split seg_helper into user-only and sysemu parts

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

[claudio]:
Rebased on commit 68775856 ("target/i386: svm: do not discard high 32 bits")

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Message-Id: <20210322132800.7470-18-cfontana@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

i386: split smm helper (sysemu)

smm is only really useful for sysemu, split in two modules
around the CONFIG_USER_ONLY, in order to remove the ifdef
and use the build system instead.

add cpu_abort(

i386: split smm helper (sysemu)

smm is only really useful for sysemu, split in two modules
around the CONFIG_USER_ONLY, in order to remove the ifdef
and use the build system instead.

add cpu_abort() when detecting attempts to enter SMM mode via
SMI interrupt in user-mode, and assert that the cpu is not
in SMM mode while translating RSM instructions.

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210322132800.7470-12-cfontana@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: svm: do not discard high 32 bits of EXITINFO1

env->error_code is only 32-bits wide, so the high 32 bits of EXITINFO1
are being lost. However, even though saving guest state and restori

target/i386: svm: do not discard high 32 bits of EXITINFO1

env->error_code is only 32-bits wide, so the high 32 bits of EXITINFO1
are being lost. However, even though saving guest state and restoring
host state must be delayed to do_vmexit, because they might take tb_lock,
it is always possible to write to the VMCB. So do this for the exit
code and EXITINFO1, just like it is already being done for EXITINFO2.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: Use X86Seg enum for segment registers

Use the dedicated X86Seg enum type for segment registers.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210109233427.7497

target/i386: Use X86Seg enum for segment registers

Use the dedicated X86Seg enum type for segment registers.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210109233427.749748-1-f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

target/i386: Check privilege level for protected mode 'int N' task gate

When the 'int N' instruction is executed in protected mode, the
pseudocode in the architecture manual specifies that we need t

target/i386: Check privilege level for protected mode 'int N' task gate

When the 'int N' instruction is executed in protected mode, the
pseudocode in the architecture manual specifies that we need to check:

* vector number within IDT limits
* selected IDT descriptor is a valid type (interrupt, trap or task gate)
* if this was a software interrupt then gate DPL < CPL

The way we had structured the code meant that the privilege check for
software interrupts ended up not in the code path taken for task gate
handling, because all of the task gate handling code was in the 'case 5'
of the switch which was checking "is this descriptor a valid type".

Move the task gate handling code out of that switch (so that it is now
purely doing the "valid type?" check) and below the software interrupt
privilege check.

The effect of this missing check was that in a guest userspace binary
executing 'int 8' would cause a guest kernel panic rather than the
userspace binary being handed a SEGV.

This is essentially the same bug fixed in VirtualBox in 2012:
https://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

Note that for QEMU this is not a security issue because it is only
present when using TCG.

Fixes: https://bugs.launchpad.net/qemu/+bug/1813201
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20201121224445.16236-1-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

i386: move TCG cpu class initialization to tcg/

to do this, we need to take code out of cpu.c and helper.c,
and also move some prototypes from cpu.h, for code that is
needed in tcg/xxx_helper.c, and

i386: move TCG cpu class initialization to tcg/

to do this, we need to take code out of cpu.c and helper.c,
and also move some prototypes from cpu.h, for code that is
needed in tcg/xxx_helper.c, and which in turn is part of the
callbacks registered by the class initialization.

Therefore, do some shuffling of the parts of cpu.h that
are only relevant for tcg/, and put them in tcg/helper-tcg.h

For FT0 and similar macros, put them in tcg/fpu-helper.c
since they are used only there.

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20201212155530.23098-8-cfontana@suse.de>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

show more ...

i386: move TCG accel files into tcg/

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

i386: move TCG accel files into tcg/

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

[claudio: moved cc_helper_template.h to tcg/ too]

Signed-off-by: Claudio Fontana <cfontana@suse.de>
Message-Id: <20201212155530.23098-6-cfontana@suse.de>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

show more ...

Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging

* New -action option and set-action QMP command (Alejandro)
* More vl.c cleanup (myself with help from Daniel and

Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging

* New -action option and set-action QMP command (Alejandro)
* More vl.c cleanup (myself with help from Daniel and Igor)
* Remove deprecated options (Philippe, Thomas)
* Dirty bitmap fix (Zenghui)
* icount caching speedup (Pavel)
* SCSI race fix (Maxim)
* Remove pre-GCC 4.8 code (Marc-André)

# gpg: Signature made Tue 15 Dec 2020 17:53:24 GMT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83

* remotes/bonzini-gitlab/tags/for-upstream: (45 commits)
build: -no-pie is no functional linker flag
scripts/git.orderfile: Keep files with .inc extension sorted
compiler.h: remove QEMU_GNUC_PREREQ
linux-user: remove GNUC check
compiler: remove GNUC check
xen: remove GNUC check
poison: remove GNUC check
compiler.h: explicit case for Clang printf attribute
virtiofsd: replace _Static_assert with QEMU_BUILD_BUG_ON
tests: remove GCC < 4 fallbacks
qemu-plugin.h: remove GCC < 4
compiler.h: remove GCC < 3 __builtin_expect fallback
accel/tcg: Remove special case for GCC < 4.6
qemu/atomic: Drop special case for unsupported compiler
hw/core: Restrict 'fw-path-provider.c' to system mode emulation
docs: set CONFDIR when running sphinx
vl: rename local variable in configure_accelerators
qemu-option: pass QemuOptsList to opts_accepts_any
qemu-option: simplify search for end of key
kvm: Take into account the unaligned section size when preparing bitmap
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

# Conflicts:
# softmmu/vl.c

show more ...