From 0e5e6219ed75f133a14d6bab39f6966540941864 Mon Sep 17 00:00:00 2001 From: Samuel Tardieu Date: Tue, 19 Dec 2023 19:22:11 +0100 Subject: [PATCH 1/8] tcg: Remove unreachable code The `fail_rx`/`fail` block is only entered while `buf_rx` is equal to its initial value `MAP_FAILED`. The `munmap(buf_rx, size);` was never executed. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2030 Signed-off-by: Samuel Tardieu Reviewed-by: Peter Maydell Message-Id: <20231219182212.455952-2-sam@rfc1149.net> Signed-off-by: Richard Henderson --- tcg/region.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tcg/region.c b/tcg/region.c index 86692455c0..467e51cf6f 100644 --- a/tcg/region.c +++ b/tcg/region.c @@ -597,9 +597,7 @@ static int alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp) fail_rx: error_setg_errno(errp, errno, "failed to map shared memory for execute"); fail: - if (buf_rx != MAP_FAILED) { - munmap(buf_rx, size); - } + /* buf_rx is always equal to MAP_FAILED here and does not require cleanup */ if (buf_rw) { munmap(buf_rw, size); } From 8f8419d3255365121e3596307b98ab3d6dcbdf1a Mon Sep 17 00:00:00 2001 From: Samuel Tardieu Date: Tue, 19 Dec 2023 19:22:12 +0100 Subject: [PATCH 2/8] tcg: Make the cleanup-on-error path unique By calling `error_setg_errno()` before jumping to the cleanup-on-error path at the `fail` label, the cleanup path is clearer. Signed-off-by: Samuel Tardieu Reviewed-by: Peter Maydell Message-Id: <20231219182212.455952-3-sam@rfc1149.net> Signed-off-by: Richard Henderson --- tcg/region.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tcg/region.c b/tcg/region.c index 467e51cf6f..478ec051c4 100644 --- a/tcg/region.c +++ b/tcg/region.c 
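Review bot: The new comment under `fail:` states an invariant (`buf_rx == MAP_FAILED`) that nothing checks, so an error path added later, after the `buf_rx` mmap has succeeded, would silently reintroduce the unmap gap the removed `munmap` used to cover. Turning the comment into a debug check keeps it honest: `tcg_debug_assert(buf_rx == MAP_FAILED);` placed directly under the comment. The remainder of the `fail:` block and the body of alloc_code_gen_buffer_splitwx_memfd are outside the hunk.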
@@ -584,7 +584,9 @@ static int alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp) buf_rx = mmap(NULL, size, host_prot_read_exec(), MAP_SHARED, fd, 0); if (buf_rx == MAP_FAILED) { - goto fail_rx; + error_setg_errno(errp, errno, + "failed to map shared memory for execute"); + goto fail; } close(fd); @@ -594,8 +596,6 @@ static int alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp) return PROT_READ | PROT_WRITE; - fail_rx: - error_setg_errno(errp, errno, "failed to map shared memory for execute"); fail: /* buf_rx is always equal to MAP_FAILED here and does not require cleanup */ if (buf_rw) { From 6d913158b5023ac948b8fd649d77fc86e28072f6 Mon Sep 17 00:00:00 2001 From: Robbin Ehn Date: Fri, 12 Jan 2024 21:57:22 +0100 Subject: [PATCH 3/8] linux-user: Fixed cpu restore with pc 0 on SIGBUS Commit f4e1168198 (linux-user: Split out host_sig{segv,bus}_handler) introduced a bug, when returning from host_sigbus_handler the PC is never set. Thus cpu_loop_exit_restore is called with a zero PC and we immediate get a SIGSEGV. Signed-off-by: Robbin Ehn Fixes: f4e1168198 ("linux-user: Split out host_sig{segv,bus}_handler") Reviewed-by: Palmer Dabbelt Message-Id: <33f27425878fb529b9e39ef22c303f6e0d90525f.camel@rivosinc.com> Signed-off-by: Richard Henderson --- linux-user/signal.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/linux-user/signal.c b/linux-user/signal.c index b35d1e512f..c9527adfa3 100644 --- a/linux-user/signal.c +++ b/linux-user/signal.c @@ -925,7 +925,7 @@ static void host_sigsegv_handler(CPUState *cpu, siginfo_t *info, cpu_loop_exit_sigsegv(cpu, guest_addr, access_type, maperr, pc); } -static void host_sigbus_handler(CPUState *cpu, siginfo_t *info, +static uintptr_t host_sigbus_handler(CPUState *cpu, siginfo_t *info, host_sigcontext *uc) { uintptr_t pc = host_signal_pc(uc); 
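Review bot: At the new `goto fail` for the `buf_rx` mmap failure, `fd` is still open, because the `close(fd)` on the following context line runs only on the success path; the body of `fail:` is outside this hunk, so I cannot confirm it closes the descriptor, and if it does not the failure path leaks the memfd. This is not a regression of the patch, since the old `fail_rx` label fell through to `fail` as well, but with the cleanup path now unified it is the natural place to check. The second hunk at @@ -596 shows only the `buf_rw` unmap before the cut, and alloc_code_gen_buffer_splitwx_memfd begins outside the hunk.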
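Review bot: `host_sigbus_handler` now returns a value, but nothing documents what it is or under which condition the function returns at all; from the @@ -947 hunk it returns `pc` (the `host_signal_pc(uc)` value computed in this hunk) after the `cpu_loop_exit_sigbus` branch, which presumably does not return, and the caller in the @@ -975 hunk stores it into `pc` for the restore described in the commit message. A comment above the new signature such as `/* Returns the host pc of the faulting insn, for cpu_loop_exit_restore(), when the fault is not delivered as a guest SIGBUS. */` would make that contract explicit. The body of host_sigbus_handler between the two hunks, and the declaration of `pc` in host_signal_handler, are outside the hunks.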
@@ -947,6 +947,7 @@ static void host_sigbus_handler(CPUState *cpu, siginfo_t *info, sigprocmask(SIG_SETMASK, host_signal_mask(uc), NULL); cpu_loop_exit_sigbus(cpu, guest_addr, access_type, pc); } + return pc; } static void host_signal_handler(int host_sig, siginfo_t *info, void *puc) @@ -974,7 +975,7 @@ static void host_signal_handler(int host_sig, siginfo_t *info, void *puc) host_sigsegv_handler(cpu, info, uc); return; case SIGBUS: - host_sigbus_handler(cpu, info, uc); + pc = host_sigbus_handler(cpu, info, uc); sync_sig = true; break; case SIGILL: From c1ddc18f37108498f45d57afd6bf33a23b703648 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Wed, 17 Jan 2024 21:13:35 +0000 Subject: [PATCH 4/8] tcg/s390x: Fix encoding of VRIc, VRSa, VRSc insns While the format names the second vector register 'v3', it is still in the second position (bits 12-15) and the argument to RXB must match. Example error: - e7 00 00 10 2a 33 verllf %v16,%v0,16 + e7 00 00 10 2c 33 verllf %v16,%v16,16 Cc: qemu-stable@nongnu.org Reported-by: Michael Tokarev Fixes: 22cb37b4172 ("tcg/s390x: Implement vector shift operations") Fixes: 79cada8693d ("tcg/s390x: Implement tcg_out_dup*_vec") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2054 Reviewed-by: Thomas Huth Tested-by: Michael Tokarev Message-Id: <20240117213646.159697-2-richard.henderson@linaro.org> Signed-off-by: Richard Henderson --- tcg/s390x/tcg-target.c.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc index fbee43d3b0..7f6b84aa2c 100644 --- a/tcg/s390x/tcg-target.c.inc +++ b/tcg/s390x/tcg-target.c.inc 
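Review bot: The added `return pc;` is reached only when the preceding `cpu_loop_exit_sigbus(...)` branch is not taken or does not return, and the hunk does not show which; if that call is not marked noreturn the compiler cannot tell the reader either. A one-line comment on the new return, `/* not a guest fault: hand the host pc back for cpu_loop_exit_restore() */`, records the assumption, and the caller's use of the value in the @@ -975 hunk is where a stale zero `pc` used to come from. The start of host_sigbus_handler is outside this hunk.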
@@ -683,7 +683,7 @@ static void tcg_out_insn_VRIc(TCGContext *s, S390Opcode op, tcg_debug_assert(is_vector_reg(v3)); tcg_out16(s, (op & 0xff00) | ((v1 & 0xf) << 4) | (v3 & 0xf)); tcg_out16(s, i2); - tcg_out16(s, (op & 0x00ff) | RXB(v1, 0, v3, 0) | (m4 << 12)); + tcg_out16(s, (op & 0x00ff) | RXB(v1, v3, 0, 0) | (m4 << 12)); } static void tcg_out_insn_VRRa(TCGContext *s, S390Opcode op, @@ -738,7 +738,7 @@ static void tcg_out_insn_VRSa(TCGContext *s, S390Opcode op, TCGReg v1, tcg_debug_assert(is_vector_reg(v3)); tcg_out16(s, (op & 0xff00) | ((v1 & 0xf) << 4) | (v3 & 0xf)); tcg_out16(s, b2 << 12 | d2); - tcg_out16(s, (op & 0x00ff) | RXB(v1, 0, v3, 0) | (m4 << 12)); + tcg_out16(s, (op & 0x00ff) | RXB(v1, v3, 0, 0) | (m4 << 12)); } static void tcg_out_insn_VRSb(TCGContext *s, S390Opcode op, TCGReg v1, @@ -762,7 +762,7 @@ static void tcg_out_insn_VRSc(TCGContext *s, S390Opcode op, TCGReg r1, tcg_debug_assert(is_vector_reg(v3)); tcg_out16(s, (op & 0xff00) | (r1 << 4) | (v3 & 0xf)); tcg_out16(s, b2 << 12 | d2); - tcg_out16(s, (op & 0x00ff) | RXB(0, 0, v3, 0) | (m4 << 12)); + tcg_out16(s, (op & 0x00ff) | RXB(0, v3, 0, 0) | (m4 << 12)); } static void tcg_out_insn_VRX(TCGContext *s, S390Opcode op, TCGReg v1, From 1b21fe27e75a59bfe2513f5abcc6a18cfc35cfc8 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Sat, 13 Jan 2024 09:02:38 +1100 Subject: [PATCH 5/8] linux-user/riscv: Adjust vdso signal frame cfa offsets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A typo in sizeof_reg put the registers at the wrong offset. Simplify the expressions to use positive addresses from the start of uc_mcontext instead of negative addresses from the end of uc_mcontext. Reported-by: Vineet Gupta Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Alistair Francis 
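Review bot: The corrected `RXB(v1, v3, 0, 0)` in tcg_out_insn_VRIc puts a register the format calls 'v3' into the second RXB slot, which is exactly the mismatch that produced the bug, so without a comment the next reader may "fix" it back. Suggest one line above each of the three changed `tcg_out16` calls (VRIc here, VRSa at @@ -738 and VRSc at @@ -762): `/* v3 sits in the second register field (bits 12-15), so it takes the second RXB slot. */`. The bit position is taken from the commit message; the RXB macro itself is outside the hunks.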
Signed-off-by: Richard Henderson --- linux-user/riscv/vdso-32.so | Bin 2900 -> 2980 bytes linux-user/riscv/vdso-64.so | Bin 3856 -> 3944 bytes linux-user/riscv/vdso.S | 8 ++++---- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/linux-user/riscv/vdso-32.so b/linux-user/riscv/vdso-32.so index 1ad1e5cbbbb8b1fe36b0fe4bcb6c06fab8219ecd..c2ce2a4757900a16b891bb98f7a027ac30c47a5f 100755 GIT binary patch delta 643 zcmYjPOH5Ni6ur|gwzc+9XhF0TMNp`GR6Zh~mKGzXLQ}j z)#}rFqIBkAs)(L%{#f{&3ii(}e_yh8Pgey7+LRKpj+~BYkcbM&LN$yL<+mtroa4HJ zZMB#&#N4vYgN#$Ed?)jGwn>u^j$uL6%5;@6#JIs26v~>`CEXn6`%uX09<>tLIBejZ zFY)AcUK{^`w8`*U60=@WX3@OR=)D9Xp?Lu9eduPPPr;Cc@g53huwxpgyD;B@WePiQ z!+Hz5CSkh?Bv5z*_UkB`K=C*n*Cd=*Q4&Y#73{u@vN7x##oicPmry ze%vHqR9p0zd0b`2Q|4;3R+vXr`7g}X=20v*GSM6w@2yKvwky9(Ht|*2WbKiW=;xN^G26tL(qVS~ E1D4W)y8r+H delta 565 zcmZ1?eno780^^#AispCEGBkVi#XS5FJ{d(y6ALK`0fjZ#F<&4uOCj9 zVB90Pf`x%0f`NfSh=GSe3rO=!e#$6sXaLm50TmSm(hNX850vi%q*ajQ?SOoV&8AHG zjA8N59(ymx)f3 z946aMv6*T$&0@OQ43n8gvkYeI&C!{wHBV!{+5(q_PELy)7TYbcS!%V+V!7E0la)rR z3|8x{(OIjtPGh~=29=FUn-n(7ZIRh3wM}BX*bb4MLc0WZ^X=i;%e9YVKO5Mwb2h(Z zS%t*xcjTq|2?Y1y{IoJiPMVG&Z%B2pwIB5I9(EFvNz z?)pL^MhuHse{pSyL_`lkFFpi~An2jTdJL*3ANrQJmv!LB`8el0AAG-~d%k&ezwB?w z2F6$=o7t~c%+g;}vY+2KKi``ijg36bKRDF->-VRR@qD&8Un;XH#&qseT&%$Rm2UT< z5wR{OC8yv~N7E5BABJ-bD-Xhz0JX&79!2Xuw2ffZFjf!2GYIbPUycy@b0)t*m;96aGkL08X> zzGUeUrG%_8_LX0>9{X?YDUqp`qVpeCm%D6~@^8O6!(HS))fFn#xbF-%SEEbG?2`}67j2EFQ> zo3}9LFfy7BQ|eju4WV! zVPs&i0SYMq=>Q<@1Ed)yJF+U*UjQfLI5JPe5rP#V`Xz00DDVP%r~yjRT`J z57PlQR)-eG#s?tWjs-3YofbJbEw)=?v(##t#d5P1CM%6r8LZY@qqA0P zoyK~#4JsRzHYseD+aj}7YMaD%u^l2ig?0(-=G()wmunx#evpSj4qh<1k!|y419kyW za5-|gGn!0n6rMbX!-TP6@k;>oa*G zP}TuWFGF&2M1Z-gk@Mz*obD`4Zx|+X@#%5GYydif&z`YjawDHTFrX$M;kzXAEcnEna diff --git a/linux-user/riscv/vdso.S b/linux-user/riscv/vdso.S index a86d8fc488..c37275233a 100644 --- a/linux-user/riscv/vdso.S +++ b/linux-user/riscv/vdso.S 
@@ -101,12 +101,12 @@ endf __vdso_flush_icache .cfi_startproc simple .cfi_signal_frame -#define sizeof_reg (__riscv_xlen / 4) +#define sizeof_reg (__riscv_xlen / 8) #define sizeof_freg 8 -#define B_GR (offsetof_uc_mcontext - sizeof_rt_sigframe) -#define B_FR (offsetof_uc_mcontext - sizeof_rt_sigframe + offsetof_freg0) +#define B_GR 0 +#define B_FR offsetof_freg0 - .cfi_def_cfa 2, sizeof_rt_sigframe + .cfi_def_cfa 2, offsetof_uc_mcontext /* Return address */ .cfi_return_column 64 From 3805d4287fd64917a20bdc406b52d37800d46659 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= Date: Sat, 20 Jan 2024 22:45:24 +0100 Subject: [PATCH 6/8] linux-user/elfload: test return value of getrlimit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Should getrlimit() fail the value of dumpsize.rlimit_cur may not be initialized. Avoid reading garbage data by checking the return value of getrlimit. Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson Signed-off-by: Thomas Weißschuh Message-Id: <20240120-qemu-user-dumpable-v3-1-6aa410c933f1@t-8ch.de> Signed-off-by: Richard Henderson --- linux-user/elfload.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index cf9e74468b..c596871938 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -4667,9 +4667,9 @@ static int elf_core_dump(int signr, const CPUArchState *env) init_note_info(&info); errno = 0; - getrlimit(RLIMIT_CORE, &dumpsize); - if (dumpsize.rlim_cur == 0) + if (getrlimit(RLIMIT_CORE, &dumpsize) == 0 && dumpsize.rlim_cur == 0) { return 0; + } corefile = core_dump_filename(ts); From 0ea731db5a0edb5b1b9038e1c0059053e20ce5d3 Mon Sep 17 00:00:00 2001 
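Review bot: `B_GR` and `B_FR` are now offsets from the CFA, which the changed `.cfi_def_cfa 2, offsetof_uc_mcontext` line places at the start of uc_mcontext, but nothing in the file says so, and the `/ 8` in `sizeof_reg` depends on `__riscv_xlen` counting bits, which is the detail the old `/ 4` typo got wrong. Two comments would pin this down: `/* __riscv_xlen is in bits; bytes per x register */` on the `sizeof_reg` define and `/* register block offsets relative to the CFA, placed at uc_mcontext */` above `B_GR`. The CFI directives that consume these macros continue outside the hunk.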
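Review bot: The `errno = 0;` reset on the context line just above is undone whenever getrlimit() fails, a case the new condition now deliberately tolerates by proceeding with the dump; if elf_core_dump later reports `-errno` (the reset suggests something downstream does, but that code is outside the hunk), a harmless getrlimit failure would turn into an error return after a dump was written. Moving the reset below the check, or saving and restoring errno around the getrlimit() call, avoids that. A short comment such as `/* A failed getrlimit() is treated as "no limit" and the dump proceeds. */` would also record the fail-open choice the condition makes. The prctl() check inserted before this line in PATCH 7 has the same errno property.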
From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= Date: Sat, 20 Jan 2024 22:45:25 +0100 Subject: [PATCH 7/8] linux-user/elfload: check PR_GET_DUMPABLE before creating coredump MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A process can opt-out of coredump creation by calling prctl(PR_SET_DUMPABLE, 0). linux-user passes this call from the guest through to the operating system. From there it can be read back again to avoid creating coredumps from qemu-user itself if the guest chose so. Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson Signed-off-by: Thomas Weißschuh Message-Id: <20240120-qemu-user-dumpable-v3-2-6aa410c933f1@t-8ch.de> Signed-off-by: Richard Henderson --- linux-user/elfload.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/linux-user/elfload.c b/linux-user/elfload.c index c596871938..daf7ef8435 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2,6 +2,7 @@ #include "qemu/osdep.h" #include +#include #include #include @@ -4667,6 +4668,11 @@ static int elf_core_dump(int signr, const CPUArchState *env) init_note_info(&info); errno = 0; + + if (prctl(PR_GET_DUMPABLE) == 0) { + return 0; + } + if (getrlimit(RLIMIT_CORE, &dumpsize) == 0 && dumpsize.rlim_cur == 0) { return 0; } From 9f6523e8e4689cafdbed7c10b7cf7c775b5a607b Mon Sep 17 00:00:00 2001 From: Joseph Burt Date: Sun, 21 Jan 2024 21:14:39 +0000 Subject: [PATCH 8/8] tcg/arm: Fix SIGILL in tcg_out_qemu_st_direct When tcg_out_qemu_st_{index,direct} were merged, the direct case for MO_64 was omitted, causing qemu_st_i64 to be encoded as 0xffffffff due to underflow when adding h.base and h.index. Fixes: 1df6d611bdc2 ("tcg/arm: Introduce HostAddress") Signed-off-by: Joseph Burt Message-Id: <20240121211439.100829-1-caseorum@gmail.com> Reviewed-by: Richard Henderson Signed-off-by: Richard Henderson --- tcg/arm/tcg-target.c.inc | 3 +++ 1 file changed, 3 insertions(+) 
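Review bot: `prctl(PR_GET_DUMPABLE) == 0` only catches the explicit opt-out; as I read prctl(2) the call can also return 2 (SUID_DUMP_ROOT, a dump that is meant to be readable by root only) or -1 on error, and both values fall through to the dump path below. If the intent is "dump only when the process is ordinarily dumpable", `if (prctl(PR_GET_DUMPABLE) != 1) { return 0; }` fails closed for both; otherwise a comment should record that the error and root-only states are deliberately treated as dumpable. The added include at @@ -2 has its header name lost in this rendering, so I cannot check which prctl header is pulled in. The rest of elf_core_dump is outside the hunk.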
diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc index fc78566494..a9aa8aa91c 100644 --- a/tcg/arm/tcg-target.c.inc +++ b/tcg/arm/tcg-target.c.inc @@ -1662,6 +1662,9 @@ static void tcg_out_qemu_st_direct(TCGContext *s, MemOp opc, TCGReg datalo, } else { tcg_out_strd_r(s, h.cond, datalo, h.base, h.index); } + } else if (h.index < 0) { + tcg_out_st32_12(s, h.cond, datalo, h.base, 0); + tcg_out_st32_12(s, h.cond, datahi, h.base, 4); } else if (h.index_scratch) { tcg_out_st32_rwb(s, h.cond, datalo, h.index, h.base); tcg_out_st32_12(s, h.cond, datahi, h.index, 4);
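Review bot: The new `h.index < 0` branch relies on a convention, a negative index meaning "no index register, the address is just h.base", that is only implied by the commit message; a comment on the branch, `/* no index register: emit the 64-bit store as two 32-bit stores off h.base */`, would make it explicit. It would also be worth noting that the datalo-at-0 / datahi-at-4 order matches the index_scratch branch that follows (presumably little-endian halves). The `if` guarding the strd branch above, and the rest of tcg_out_qemu_st_direct, are outside the hunk, so I cannot confirm that branch already excludes negative indexes.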