qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PULL 0/5] linux-user fixes for 2.7
@ 2016-08-04 14:15 riku.voipio
From: riku.voipio @ 2016-08-04 14:15 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, Riku Voipio

From: Riku Voipio <riku.voipio@linaro.org>

The following changes since commit 09704e6ded83fa0bec14baf32f800f6512156ca0:

  Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2016-08-04 10:24:27 +0100)

are available in the git repository at:

  git://git.linaro.org/people/riku.voipio/qemu.git tags/pull-linux-user-20160804

for you to fetch changes up to ef4330c23bb47b97a859dbdbae1c784fd2ca402f:

  linux-user: Handle brk() attempts with very large sizes (2016-08-04 16:38:17 +0300)

----------------------------------------------------------------
linux-user important fixes for 2.7

----------------------------------------------------------------

Peter Maydell (5):
  linux-user: Use correct alignment for long long on i386 guests
  linux-user: Fix memchr() argument in open_self_cmdline()
  linux-user: Don't write off end of new_utsname buffer
  linux-user: Fix target_semid_ds structure definition
  linux-user: Handle brk() attempts with very large sizes

 include/exec/user/abitypes.h       |  4 ++++
 linux-user/syscall.c               | 29 +++++++++++++++++------------
 linux-user/x86_64/target_structs.h | 15 +++++++++++++++
 3 files changed, 36 insertions(+), 12 deletions(-)

-- 
2.1.4


* [Qemu-devel] [PULL 1/5] linux-user: Use correct alignment for long long on i386 guests
From: riku.voipio @ 2016-08-04 14:15 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell

From: Peter Maydell <peter.maydell@linaro.org>

For i386, the ABI specifies that 'long long' (8 byte values)
need only be 4 aligned, but we were requiring them to be
8-aligned. This meant we were laying out the target_epoll_event
structure wrongly. Add a suitable ifdef to abitypes.h to
specify the i386-specific alignment requirement.

Reported-by: Icenowy Zheng <icenowy@aosc.xyz>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 include/exec/user/abitypes.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/exec/user/abitypes.h b/include/exec/user/abitypes.h
index a09d6c6..ba18860 100644
--- a/include/exec/user/abitypes.h
+++ b/include/exec/user/abitypes.h
@@ -15,6 +15,10 @@
 #define ABI_LLONG_ALIGNMENT 2
 #endif
 
+#if defined(TARGET_I386) && !defined(TARGET_X86_64)
+#define ABI_LLONG_ALIGNMENT 4
+#endif
+
 #ifndef ABI_SHORT_ALIGNMENT
 #define ABI_SHORT_ALIGNMENT 2
 #endif
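Review bot: the new i386 block defines ABI_LLONG_ALIGNMENT unconditionally, immediately after a block that has just set it to 2 for another target, and nothing in the hunk records why 4 is the right value; that is safe only while the two guards stay mutually exclusive. Suggest a one-line comment above the `#if`, e.g. `/* i386 ABI: 8-byte long long needs only 4-byte alignment */`, and, since this header evidently uses per-target overrides followed by `#ifndef` defaults (see the `#ifndef ABI_SHORT_ALIGNMENT` just below), keep the block ahead of the ABI_LLONG_ALIGNMENT default so the override actually wins.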
-- 
2.1.4

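To make the layout consequence of the alignment value concrete, here is an added example; it is not QEMU code and not part of the patch. It attaches an alignment attribute to an int64_t typedef, the technique abitypes.h relies on to apply ABI_LLONG_ALIGNMENT, and builds the epoll_event shape (32-bit events mask followed by 64 bits of data) under both the old 8-byte and the i386 4-byte rule. The typedef and struct names and the 24-byte guest buffer are constructed for this example; GCC and clang both allow a typedef's aligned attribute to lower alignment, which is what lets a 64-bit host describe the i386 rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Example typedefs (assumed names, not QEMU's abi_llong): same technique,
 * an alignment attribute on a typedef, with the two values in question. */
typedef int64_t llong_align8 __attribute__((aligned(8)));  /* what was assumed before */
typedef int64_t llong_align4 __attribute__((aligned(4)));  /* i386 ABI requirement */

/* Shape of epoll_event: a 32-bit events mask followed by 64 bits of data. */
struct epoll_event_8aligned { uint32_t events; llong_align8 data; };
struct epoll_event_i386     { uint32_t events; llong_align4 data; };

size_t size_8aligned(void)   { return sizeof(struct epoll_event_8aligned); }        /* 16 */
size_t offset_8aligned(void) { return offsetof(struct epoll_event_8aligned, data); } /* 8 */
size_t size_i386(void)       { return sizeof(struct epoll_event_i386); }            /* 12 */
size_t offset_i386(void)     { return offsetof(struct epoll_event_i386, data); }     /* 4 */

/* Constructed guest memory: two consecutive epoll_event records exactly as an
 * i386 guest lays them out (little-endian, 12 bytes each):
 *   events=0x1, data=0x11223344 ; events=0x4, data=0x55667788 */
static const uint8_t guest_events[24] = {
    0x01, 0x00, 0x00, 0x00,  0x44, 0x33, 0x22, 0x11, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00,  0x88, 0x77, 0x66, 0x55, 0x00, 0x00, 0x00, 0x00,
};

/* Read record `idx` through the i386-correct layout (stride 12). */
int64_t data_via_i386_layout(size_t idx)
{
    struct epoll_event_i386 ev;
    if ((idx + 1) * sizeof ev > sizeof guest_events) {
        return -1;                         /* would run off the guest buffer */
    }
    memcpy(&ev, guest_events + idx * sizeof ev, sizeof ev);
    return ev.data;
}

/* Read record `idx` through the 8-aligned layout (stride 16 instead of 12):
 * record 0's data is taken from bytes 8..15, which straddle the padding and
 * record 1's events field, and record 1 lies beyond a correctly sized buffer. */
int64_t data_via_8aligned_layout(size_t idx)
{
    struct epoll_event_8aligned ev;
    if ((idx + 1) * sizeof ev > sizeof guest_events) {
        return -1;                         /* 16-byte stride overruns 24 bytes at idx 1 */
    }
    memcpy(&ev, guest_events + idx * sizeof ev, sizeof ev);
    return ev.data;
}
```

Reading the buffer with the 8-aligned struct returns 0x400000000 for the first record instead of 0x11223344, and the second record is already out of range, which is the shape of bug the commit message describes: a guest-sized array is decoded with a host stride that is four bytes too long.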

* [Qemu-devel] [PULL 2/5] linux-user: Fix memchr() argument in open_self_cmdline()
From: riku.voipio @ 2016-08-04 14:15 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell

From: Peter Maydell <peter.maydell@linaro.org>

In open_self_cmdline() we look for a 0 in the buffer we read
from /proc/self/cmdline. We were incorrectly passing the length
of our buf[] array to memchr() as the length to search, rather
than the number of bytes we actually read into it, which could
be shorter. This was spotted by Coverity (because it could
result in our trying to pass a negative length argument to
write()).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ca6a2b4..092ff4e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6856,7 +6856,7 @@ static int open_self_cmdline(void *cpu_env, int fd)
         if (!word_skipped) {
             /* Skip the first string, which is the path to qemu-*-static
                instead of the actual command. */
-            cp_buf = memchr(buf, 0, sizeof(buf));
+            cp_buf = memchr(buf, 0, nb_read);
             if (cp_buf) {
                 /* Null byte found, skip one string */
                 cp_buf++;
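Review bot: bounding the search by nb_read is the right fix, but the hunk does not show where nb_read is validated; if the read() result of -1 can reach this line, `memchr(buf, 0, nb_read)` converts it to a huge size_t and over-reads buf just as the old sizeof(buf) did. Worth confirming that the surrounding loop exits on nb_read <= 0 before this block, and making that visible with an early return or a `g_assert(nb_read > 0)` above it.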
-- 
2.1.4


* [Qemu-devel] [PULL 3/5] linux-user: Don't write off end of new_utsname buffer
From: riku.voipio @ 2016-08-04 14:15 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell

From: Peter Maydell <peter.maydell@linaro.org>

Use g_strlcpy() rather than strcpy() to copy the uname string
into the structure we return to the guest for the uname syscall.
This avoids overrunning the buffer if the user passed us an
overlong string via the QEMU command line.

We fix a comment typo while we're in the neighbourhood.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 linux-user/syscall.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 092ff4e..5bc42c0 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9237,12 +9237,14 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
                 goto efault;
             ret = get_errno(sys_uname(buf));
             if (!is_error(ret)) {
-                /* Overrite the native machine name with whatever is being
+                /* Overwrite the native machine name with whatever is being
                    emulated. */
                 strcpy (buf->machine, cpu_to_uname_machine(cpu_env));
                 /* Allow the user to override the reported release.  */
-                if (qemu_uname_release && *qemu_uname_release)
-                  strcpy (buf->release, qemu_uname_release);
+                if (qemu_uname_release && *qemu_uname_release) {
+                    g_strlcpy(buf->release, qemu_uname_release,
+                              sizeof(buf->release));
+                }
             }
             unlock_user_struct(buf, arg1, 1);
         }
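Review bot: the `strcpy (buf->machine, cpu_to_uname_machine(cpu_env));` two lines above the changed block is left unbounded; its source is a QEMU-internal constant, so it cannot overflow today, but since this hunk exists to stop writes off the end of new_utsname, `g_strlcpy(buf->machine, cpu_to_uname_machine(cpu_env), sizeof(buf->machine))` would make the invariant hold for both fields. Also note that g_strlcpy() truncates silently: an overlong release string from the command line now reaches the guest shortened rather than being rejected, which is probably better reported when the option is parsed.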
-- 
2.1.4


* [Qemu-devel] [PULL 4/5] linux-user: Fix target_semid_ds structure definition
From: riku.voipio @ 2016-08-04 14:15 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell

From: Peter Maydell <peter.maydell@linaro.org>

The target_semid_ds structure is not correct for all
architectures: the padding fields should only exist for:
 * 32-bit ABIs
 * x86

It is also misnamed, since it is following the kernel
semid64_ds structure (QEMU doesn't support the legacy
semid_ds structure at all). Rename the struct, provide
a correct generic definition and allow the oddball x86
architecture to provide its own version.

This fixes broken SYSV semaphores for all our 64-bit
architectures except x86 and ppc.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 linux-user/syscall.c               | 17 ++++++++++-------
 linux-user/x86_64/target_structs.h | 15 +++++++++++++++
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 5bc42c0..df6f2a9 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3754,27 +3754,30 @@ static struct shm_region {
     bool in_use;
 } shm_regions[N_SHM_REGIONS];
 
-struct target_semid_ds
+#ifndef TARGET_SEMID64_DS
+/* asm-generic version of this struct */
+struct target_semid64_ds
 {
   struct target_ipc_perm sem_perm;
   abi_ulong sem_otime;
-#if !defined(TARGET_PPC64)
+#if TARGET_ABI_BITS == 32
   abi_ulong __unused1;
 #endif
   abi_ulong sem_ctime;
-#if !defined(TARGET_PPC64)
+#if TARGET_ABI_BITS == 32
   abi_ulong __unused2;
 #endif
   abi_ulong sem_nsems;
   abi_ulong __unused3;
   abi_ulong __unused4;
 };
+#endif
 
 static inline abi_long target_to_host_ipc_perm(struct ipc_perm *host_ip,
                                                abi_ulong target_addr)
 {
     struct target_ipc_perm *target_ip;
-    struct target_semid_ds *target_sd;
+    struct target_semid64_ds *target_sd;
 
     if (!lock_user_struct(VERIFY_READ, target_sd, target_addr, 1))
         return -TARGET_EFAULT;
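Review bot: the `#ifndef TARGET_SEMID64_DS` guard only works if the per-target target_structs.h has already been included at this point in syscall.c, which the hunk does not show; if it is included later, every target silently falls back to the asm-generic layout and the x86 override never applies. Worth confirming the include order and naming the expected header in a comment at the guard. It would also help to extend the `/* asm-generic version of this struct */` comment to say that the `TARGET_ABI_BITS == 32` padding mirrors the kernel's `#if __BITS_PER_LONG != 64` in asm-generic/sembuf.h, so the correspondence can be checked field by field.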
@@ -3802,7 +3805,7 @@ static inline abi_long host_to_target_ipc_perm(abi_ulong target_addr,
                                                struct ipc_perm *host_ip)
 {
     struct target_ipc_perm *target_ip;
-    struct target_semid_ds *target_sd;
+    struct target_semid64_ds *target_sd;
 
     if (!lock_user_struct(VERIFY_WRITE, target_sd, target_addr, 0))
         return -TARGET_EFAULT;
@@ -3829,7 +3832,7 @@ static inline abi_long host_to_target_ipc_perm(abi_ulong target_addr,
 static inline abi_long target_to_host_semid_ds(struct semid_ds *host_sd,
                                                abi_ulong target_addr)
 {
-    struct target_semid_ds *target_sd;
+    struct target_semid64_ds *target_sd;
 
     if (!lock_user_struct(VERIFY_READ, target_sd, target_addr, 1))
         return -TARGET_EFAULT;
@@ -3845,7 +3848,7 @@ static inline abi_long target_to_host_semid_ds(struct semid_ds *host_sd,
 static inline abi_long host_to_target_semid_ds(abi_ulong target_addr,
                                                struct semid_ds *host_sd)
 {
-    struct target_semid_ds *target_sd;
+    struct target_semid64_ds *target_sd;
 
     if (!lock_user_struct(VERIFY_WRITE, target_sd, target_addr, 0))
         return -TARGET_EFAULT;
diff --git a/linux-user/x86_64/target_structs.h b/linux-user/x86_64/target_structs.h
index 3489827..b6e82a8 100644
--- a/linux-user/x86_64/target_structs.h
+++ b/linux-user/x86_64/target_structs.h
@@ -55,4 +55,19 @@ struct target_shmid_ds {
     abi_ulong __unused5;
 };
 
+/* The x86 definition differs from the generic one in that the
+ * two padding fields exist whether the ABI is 32 bits or 64 bits.
+ */
+#define TARGET_SEMID64_DS
+struct target_semid64_ds {
+    struct target_ipc_perm sem_perm;
+    abi_ulong sem_otime;
+    abi_ulong __unused1;
+    abi_ulong sem_ctime;
+    abi_ulong __unused2;
+    abi_ulong sem_nsems;
+    abi_ulong __unused3;
+    abi_ulong __unused4;
+};
+
 #endif
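Review bot: the comment says the x86 layout keeps both padding fields for 32- and 64-bit ABIs, yet only linux-user/x86_64/target_structs.h gets the override; a reader will wonder why i386 is not changed too. Suggest stating in the comment that for the i386 target the generic definition's `TARGET_ABI_BITS == 32` branches already yield this same layout, so only the 64-bit x86 ABI needs its own definition.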
-- 
2.1.4


* [Qemu-devel] [PULL 5/5] linux-user: Handle brk() attempts with very large sizes
From: riku.voipio @ 2016-08-04 14:15 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell

From: Peter Maydell <peter.maydell@linaro.org>

In do_brk(), we were inadvertently truncating the size
of a requested brk() from the guest by putting it into an
'int' variable. This meant that we would incorrectly report
success back to the guest rather than a failed allocation,
typically resulting in the guest then segfaulting. Use
abi_ulong instead.

This fixes a crash in the '31370.cc' test in the gcc libstdc++ test
suite (the test case starts by trying to allocate a very large
size and reduces the size until the allocation succeeds).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index df6f2a9..833f853 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -839,7 +839,7 @@ void target_set_brk(abi_ulong new_brk)
 abi_long do_brk(abi_ulong new_brk)
 {
     abi_long mapped_addr;
-    int	new_alloc_size;
+    abi_ulong new_alloc_size;
 
     DEBUGF_BRK("do_brk(" TARGET_ABI_FMT_lx ") -> ", new_brk);
 
-- 
2.1.4

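The failure mode in the commit message, a truncated size that makes a failed allocation look successful, as an added example. This is a reduced model written for this page, not QEMU's do_brk(): it assumes a 64-bit guest ABI (abi_ulong is 64 bits), 4 KiB host pages, and a stand-in for the mapping call that succeeds whenever the request fits under a fixed fake limit. The function names, the limit and the addresses used are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Example-only definitions (assumed, not QEMU's): 64-bit guest ABI,
 * 4 KiB host pages, and a fake host that can map at most 1 GiB. */
typedef uint64_t abi_ulong;

#define HOST_PAGE_SIZE      4096ULL
#define HOST_PAGE_ALIGN(x)  (((x) + HOST_PAGE_SIZE - 1) & ~(HOST_PAGE_SIZE - 1))
#define MOCK_HOST_LIMIT     (1ULL << 30)

/* Stand-in for the mapping call: "mapped" iff the length is sane and fits. */
static bool mock_mmap(abi_ulong len)
{
    return len != 0 && len <= MOCK_HOST_LIMIT;
}

/* The growth size the pre-fix code would have handed to the mapping call.
 * The original conversion was implicit; the cast here only silences the
 * warning. GCC and clang keep the low 32 bits (implementation-defined in C). */
int truncated_alloc_size(abi_ulong brk_page, abi_ulong new_brk)
{
    int new_alloc_size = (int)HOST_PAGE_ALIGN(new_brk - brk_page);
    return new_alloc_size;
}

/* Pre-fix model. Returns the break value reported back to the guest:
 * the requested one on "success", the unchanged one on failure. */
abi_ulong brk_grow_with_int(abi_ulong brk_page, abi_ulong target_brk,
                            abi_ulong new_brk)
{
    if (new_brk <= brk_page) {
        return new_brk;                 /* already-reserved pages cover it */
    }
    int new_alloc_size = truncated_alloc_size(brk_page, new_brk);
    if (new_alloc_size <= 0 || !mock_mmap((abi_ulong)new_alloc_size)) {
        return target_brk;
    }
    /* Reported as fully mapped although only new_alloc_size bytes were:
     * the guest then touches unmapped memory and segfaults. */
    return new_brk;
}

/* Post-fix model: the size keeps its full width and the request is refused. */
abi_ulong brk_grow_with_abi_ulong(abi_ulong brk_page, abi_ulong target_brk,
                                  abi_ulong new_brk)
{
    if (new_brk <= brk_page) {
        return new_brk;
    }
    abi_ulong new_alloc_size = HOST_PAGE_ALIGN(new_brk - brk_page);
    if (!mock_mmap(new_alloc_size)) {
        return target_brk;
    }
    return new_brk;
}
```

With brk_page and target_brk at 0x10000000 and a request of 2^40 + 0x1000 bytes beyond it, the int version computes a growth of 4096 bytes, "succeeds", and reports the huge break to the guest; the abi_ulong version sees the real size, fails the mapping, and returns the old break, which is what the libstdc++ test in the commit message expects so it can retry with a smaller size.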

* Re: [Qemu-devel] [PULL 0/5] linux-user fixes for 2.7
From: Peter Maydell @ 2016-08-05  9:21 UTC (permalink / raw)
  To: Riku Voipio; +Cc: QEMU Developers

On 4 August 2016 at 15:15,  <riku.voipio@linaro.org> wrote:
> From: Riku Voipio <riku.voipio@linaro.org>
>
> The following changes since commit 09704e6ded83fa0bec14baf32f800f6512156ca0:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2016-08-04 10:24:27 +0100)
>
> are available in the git repository at:
>
>   git://git.linaro.org/people/riku.voipio/qemu.git tags/pull-linux-user-20160804
>
> for you to fetch changes up to ef4330c23bb47b97a859dbdbae1c784fd2ca402f:
>
>   linux-user: Handle brk() attempts with very large sizes (2016-08-04 16:38:17 +0300)
>
> ----------------------------------------------------------------
> linux-user important fixes for 2.7
>
> ----------------------------------------------------------------
>
> Peter Maydell (5):
>   linux-user: Use correct alignment for long long on i386 guests
>   linux-user: Fix memchr() argument in open_self_cmdline()
>   linux-user: Don't write off end of new_utsname buffer
>   linux-user: Fix target_semid_ds structure definition
>   linux-user: Handle brk() attempts with very large sizes

Applied, thanks.

-- PMM

