xref: /freebsd/usr.sbin/bhyve/gdb.c (revision 3f5d875a27318a909f23a2b7463c4b2d963085df)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2017-2018 John H. Baldwin <jhb@FreeBSD.org>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/param.h>
32 #ifndef WITHOUT_CAPSICUM
33 #include <sys/capsicum.h>
34 #endif
35 #include <sys/endian.h>
36 #include <sys/ioctl.h>
37 #include <sys/mman.h>
38 #include <sys/queue.h>
39 #include <sys/socket.h>
40 #include <machine/atomic.h>
41 #include <machine/specialreg.h>
42 #include <machine/vmm.h>
43 #include <netinet/in.h>
44 #include <assert.h>
45 #ifndef WITHOUT_CAPSICUM
46 #include <capsicum_helpers.h>
47 #endif
48 #include <err.h>
49 #include <errno.h>
50 #include <fcntl.h>
51 #include <netdb.h>
52 #include <pthread.h>
53 #include <pthread_np.h>
54 #include <stdbool.h>
55 #include <stdio.h>
56 #include <stdlib.h>
57 #include <string.h>
58 #include <sysexits.h>
59 #include <unistd.h>
60 #include <vmmapi.h>
61 
62 #include "bhyverun.h"
63 #include "config.h"
64 #include "gdb.h"
65 #include "mem.h"
66 #include "mevent.h"
67 
68 /*
69  * GDB_SIGNAL_* numbers are part of the GDB remote protocol.  Most stops
70  * use SIGTRAP.
71  */
72 #define	GDB_SIGNAL_TRAP		5
73 
74 static void gdb_resume_vcpus(void);
75 static void check_command(int fd);
76 
77 static struct mevent *read_event, *write_event;
78 
79 static cpuset_t vcpus_active, vcpus_suspended, vcpus_waiting;
80 static pthread_mutex_t gdb_lock;
81 static pthread_cond_t idle_vcpus;
82 static bool first_stop, report_next_stop, swbreak_enabled;
83 
84 /*
85  * An I/O buffer contains 'capacity' bytes of room at 'data'.  For a
86  * read buffer, 'start' is unused and 'len' contains the number of
87  * valid bytes in the buffer.  For a write buffer, 'start' is set to
88  * the index of the next byte in 'data' to send, and 'len' contains
89  * the remaining number of valid bytes to send.
90  */
91 struct io_buffer {
92 	uint8_t *data;
93 	size_t capacity;
94 	size_t start;
95 	size_t len;
96 };
97 
98 struct breakpoint {
99 	uint64_t gpa;
100 	uint8_t shadow_inst;
101 	TAILQ_ENTRY(breakpoint) link;
102 };
103 
104 /*
105  * When a vCPU stops to due to an event that should be reported to the
106  * debugger, information about the event is stored in this structure.
107  * The vCPU thread then sets 'stopped_vcpu' if it is not already set
108  * and stops other vCPUs so the event can be reported.  The
109  * report_stop() function reports the event for the 'stopped_vcpu'
110  * vCPU.  When the debugger resumes execution via continue or step,
111  * the event for 'stopped_vcpu' is cleared.  vCPUs will loop in their
112  * event handlers until the associated event is reported or disabled.
113  *
114  * An idle vCPU will have all of the boolean fields set to false.
115  *
116  * When a vCPU is stepped, 'stepping' is set to true when the vCPU is
117  * released to execute the stepped instruction.  When the vCPU reports
118  * the stepping trap, 'stepped' is set.
119  *
120  * When a vCPU hits a breakpoint set by the debug server,
121  * 'hit_swbreak' is set to true.
122  */
123 struct vcpu_state {
124 	bool stepping;
125 	bool stepped;
126 	bool hit_swbreak;
127 };
128 
129 static struct io_buffer cur_comm, cur_resp;
130 static uint8_t cur_csum;
131 static struct vmctx *ctx;
132 static int cur_fd = -1;
133 static TAILQ_HEAD(, breakpoint) breakpoints;
134 static struct vcpu_state *vcpu_state;
135 static int cur_vcpu, stopped_vcpu;
136 static bool gdb_active = false;
137 
138 static const int gdb_regset[] = {
139 	VM_REG_GUEST_RAX,
140 	VM_REG_GUEST_RBX,
141 	VM_REG_GUEST_RCX,
142 	VM_REG_GUEST_RDX,
143 	VM_REG_GUEST_RSI,
144 	VM_REG_GUEST_RDI,
145 	VM_REG_GUEST_RBP,
146 	VM_REG_GUEST_RSP,
147 	VM_REG_GUEST_R8,
148 	VM_REG_GUEST_R9,
149 	VM_REG_GUEST_R10,
150 	VM_REG_GUEST_R11,
151 	VM_REG_GUEST_R12,
152 	VM_REG_GUEST_R13,
153 	VM_REG_GUEST_R14,
154 	VM_REG_GUEST_R15,
155 	VM_REG_GUEST_RIP,
156 	VM_REG_GUEST_RFLAGS,
157 	VM_REG_GUEST_CS,
158 	VM_REG_GUEST_SS,
159 	VM_REG_GUEST_DS,
160 	VM_REG_GUEST_ES,
161 	VM_REG_GUEST_FS,
162 	VM_REG_GUEST_GS
163 };
164 
165 static const int gdb_regsize[] = {
166 	8,
167 	8,
168 	8,
169 	8,
170 	8,
171 	8,
172 	8,
173 	8,
174 	8,
175 	8,
176 	8,
177 	8,
178 	8,
179 	8,
180 	8,
181 	8,
182 	8,
183 	4,
184 	4,
185 	4,
186 	4,
187 	4,
188 	4,
189 	4
190 };
191 
192 #ifdef GDB_LOG
193 #include <stdarg.h>
194 #include <stdio.h>
195 
196 static void __printflike(1, 2)
197 debug(const char *fmt, ...)
198 {
199 	static FILE *logfile;
200 	va_list ap;
201 
202 	if (logfile == NULL) {
203 		logfile = fopen("/tmp/bhyve_gdb.log", "w");
204 		if (logfile == NULL)
205 			return;
206 #ifndef WITHOUT_CAPSICUM
207 		if (caph_limit_stream(fileno(logfile), CAPH_WRITE) == -1) {
208 			fclose(logfile);
209 			logfile = NULL;
210 			return;
211 		}
212 #endif
213 		setlinebuf(logfile);
214 	}
215 	va_start(ap, fmt);
216 	vfprintf(logfile, fmt, ap);
217 	va_end(ap);
218 }
219 #else
220 #define debug(...)
221 #endif
222 
223 static void	remove_all_sw_breakpoints(void);
224 
225 static int
226 guest_paging_info(int vcpu, struct vm_guest_paging *paging)
227 {
228 	uint64_t regs[4];
229 	const int regset[4] = {
230 		VM_REG_GUEST_CR0,
231 		VM_REG_GUEST_CR3,
232 		VM_REG_GUEST_CR4,
233 		VM_REG_GUEST_EFER
234 	};
235 
236 	if (vm_get_register_set(ctx, vcpu, nitems(regset), regset, regs) == -1)
237 		return (-1);
238 
239 	/*
240 	 * For the debugger, always pretend to be the kernel (CPL 0),
241 	 * and if long-mode is enabled, always parse addresses as if
242 	 * in 64-bit mode.
243 	 */
244 	paging->cr3 = regs[1];
245 	paging->cpl = 0;
246 	if (regs[3] & EFER_LMA)
247 		paging->cpu_mode = CPU_MODE_64BIT;
248 	else if (regs[0] & CR0_PE)
249 		paging->cpu_mode = CPU_MODE_PROTECTED;
250 	else
251 		paging->cpu_mode = CPU_MODE_REAL;
252 	if (!(regs[0] & CR0_PG))
253 		paging->paging_mode = PAGING_MODE_FLAT;
254 	else if (!(regs[2] & CR4_PAE))
255 		paging->paging_mode = PAGING_MODE_32;
256 	else if (regs[3] & EFER_LME)
257 		paging->paging_mode = (regs[2] & CR4_LA57) ?
258 		    PAGING_MODE_64_LA57 :  PAGING_MODE_64;
259 	else
260 		paging->paging_mode = PAGING_MODE_PAE;
261 	return (0);
262 }
263 
264 /*
265  * Map a guest virtual address to a physical address (for a given vcpu).
266  * If a guest virtual address is valid, return 1.  If the address is
267  * not valid, return 0.  If an error occurs obtaining the mapping,
268  * return -1.
269  */
270 static int
271 guest_vaddr2paddr(int vcpu, uint64_t vaddr, uint64_t *paddr)
272 {
273 	struct vm_guest_paging paging;
274 	int fault;
275 
276 	if (guest_paging_info(vcpu, &paging) == -1)
277 		return (-1);
278 
279 	/*
280 	 * Always use PROT_READ.  We really care if the VA is
281 	 * accessible, not if the current vCPU can write.
282 	 */
283 	if (vm_gla2gpa_nofault(ctx, vcpu, &paging, vaddr, PROT_READ, paddr,
284 	    &fault) == -1)
285 		return (-1);
286 	if (fault)
287 		return (0);
288 	return (1);
289 }
290 
291 static void
292 io_buffer_reset(struct io_buffer *io)
293 {
294 
295 	io->start = 0;
296 	io->len = 0;
297 }
298 
299 /* Available room for adding data. */
300 static size_t
301 io_buffer_avail(struct io_buffer *io)
302 {
303 
304 	return (io->capacity - (io->start + io->len));
305 }
306 
307 static uint8_t *
308 io_buffer_head(struct io_buffer *io)
309 {
310 
311 	return (io->data + io->start);
312 }
313 
314 static uint8_t *
315 io_buffer_tail(struct io_buffer *io)
316 {
317 
318 	return (io->data + io->start + io->len);
319 }
320 
321 static void
322 io_buffer_advance(struct io_buffer *io, size_t amount)
323 {
324 
325 	assert(amount <= io->len);
326 	io->start += amount;
327 	io->len -= amount;
328 }
329 
330 static void
331 io_buffer_consume(struct io_buffer *io, size_t amount)
332 {
333 
334 	io_buffer_advance(io, amount);
335 	if (io->len == 0) {
336 		io->start = 0;
337 		return;
338 	}
339 
340 	/*
341 	 * XXX: Consider making this move optional and compacting on a
342 	 * future read() before realloc().
343 	 */
344 	memmove(io->data, io_buffer_head(io), io->len);
345 	io->start = 0;
346 }
347 
348 static void
349 io_buffer_grow(struct io_buffer *io, size_t newsize)
350 {
351 	uint8_t *new_data;
352 	size_t avail, new_cap;
353 
354 	avail = io_buffer_avail(io);
355 	if (newsize <= avail)
356 		return;
357 
358 	new_cap = io->capacity + (newsize - avail);
359 	new_data = realloc(io->data, new_cap);
360 	if (new_data == NULL)
361 		err(1, "Failed to grow GDB I/O buffer");
362 	io->data = new_data;
363 	io->capacity = new_cap;
364 }
365 
366 static bool
367 response_pending(void)
368 {
369 
370 	if (cur_resp.start == 0 && cur_resp.len == 0)
371 		return (false);
372 	if (cur_resp.start + cur_resp.len == 1 && cur_resp.data[0] == '+')
373 		return (false);
374 	return (true);
375 }
376 
377 static void
378 close_connection(void)
379 {
380 
381 	/*
382 	 * XXX: This triggers a warning because mevent does the close
383 	 * before the EV_DELETE.
384 	 */
385 	pthread_mutex_lock(&gdb_lock);
386 	mevent_delete(write_event);
387 	mevent_delete_close(read_event);
388 	write_event = NULL;
389 	read_event = NULL;
390 	io_buffer_reset(&cur_comm);
391 	io_buffer_reset(&cur_resp);
392 	cur_fd = -1;
393 
394 	remove_all_sw_breakpoints();
395 
396 	/* Clear any pending events. */
397 	memset(vcpu_state, 0, guest_ncpus * sizeof(*vcpu_state));
398 
399 	/* Resume any stopped vCPUs. */
400 	gdb_resume_vcpus();
401 	pthread_mutex_unlock(&gdb_lock);
402 }
403 
404 static uint8_t
405 hex_digit(uint8_t nibble)
406 {
407 
408 	if (nibble <= 9)
409 		return (nibble + '0');
410 	else
411 		return (nibble + 'a' - 10);
412 }
413 
414 static uint8_t
415 parse_digit(uint8_t v)
416 {
417 
418 	if (v >= '0' && v <= '9')
419 		return (v - '0');
420 	if (v >= 'a' && v <= 'f')
421 		return (v - 'a' + 10);
422 	if (v >= 'A' && v <= 'F')
423 		return (v - 'A' + 10);
424 	return (0xF);
425 }
426 
427 /* Parses big-endian hexadecimal. */
428 static uintmax_t
429 parse_integer(const uint8_t *p, size_t len)
430 {
431 	uintmax_t v;
432 
433 	v = 0;
434 	while (len > 0) {
435 		v <<= 4;
436 		v |= parse_digit(*p);
437 		p++;
438 		len--;
439 	}
440 	return (v);
441 }
442 
443 static uint8_t
444 parse_byte(const uint8_t *p)
445 {
446 
447 	return (parse_digit(p[0]) << 4 | parse_digit(p[1]));
448 }
449 
450 static void
451 send_pending_data(int fd)
452 {
453 	ssize_t nwritten;
454 
455 	if (cur_resp.len == 0) {
456 		mevent_disable(write_event);
457 		return;
458 	}
459 	nwritten = write(fd, io_buffer_head(&cur_resp), cur_resp.len);
460 	if (nwritten == -1) {
461 		warn("Write to GDB socket failed");
462 		close_connection();
463 	} else {
464 		io_buffer_advance(&cur_resp, nwritten);
465 		if (cur_resp.len == 0)
466 			mevent_disable(write_event);
467 		else
468 			mevent_enable(write_event);
469 	}
470 }
471 
472 /* Append a single character to the output buffer. */
473 static void
474 send_char(uint8_t data)
475 {
476 	io_buffer_grow(&cur_resp, 1);
477 	*io_buffer_tail(&cur_resp) = data;
478 	cur_resp.len++;
479 }
480 
481 /* Append an array of bytes to the output buffer. */
482 static void
483 send_data(const uint8_t *data, size_t len)
484 {
485 
486 	io_buffer_grow(&cur_resp, len);
487 	memcpy(io_buffer_tail(&cur_resp), data, len);
488 	cur_resp.len += len;
489 }
490 
491 static void
492 format_byte(uint8_t v, uint8_t *buf)
493 {
494 
495 	buf[0] = hex_digit(v >> 4);
496 	buf[1] = hex_digit(v & 0xf);
497 }
498 
499 /*
500  * Append a single byte (formatted as two hex characters) to the
501  * output buffer.
502  */
503 static void
504 send_byte(uint8_t v)
505 {
506 	uint8_t buf[2];
507 
508 	format_byte(v, buf);
509 	send_data(buf, sizeof(buf));
510 }
511 
512 static void
513 start_packet(void)
514 {
515 
516 	send_char('$');
517 	cur_csum = 0;
518 }
519 
520 static void
521 finish_packet(void)
522 {
523 
524 	send_char('#');
525 	send_byte(cur_csum);
526 	debug("-> %.*s\n", (int)cur_resp.len, io_buffer_head(&cur_resp));
527 }
528 
529 /*
530  * Append a single character (for the packet payload) and update the
531  * checksum.
532  */
533 static void
534 append_char(uint8_t v)
535 {
536 
537 	send_char(v);
538 	cur_csum += v;
539 }
540 
541 /*
542  * Append an array of bytes (for the packet payload) and update the
543  * checksum.
544  */
545 static void
546 append_packet_data(const uint8_t *data, size_t len)
547 {
548 
549 	send_data(data, len);
550 	while (len > 0) {
551 		cur_csum += *data;
552 		data++;
553 		len--;
554 	}
555 }
556 
557 static void
558 append_string(const char *str)
559 {
560 
561 	append_packet_data(str, strlen(str));
562 }
563 
564 static void
565 append_byte(uint8_t v)
566 {
567 	uint8_t buf[2];
568 
569 	format_byte(v, buf);
570 	append_packet_data(buf, sizeof(buf));
571 }
572 
573 static void
574 append_unsigned_native(uintmax_t value, size_t len)
575 {
576 	size_t i;
577 
578 	for (i = 0; i < len; i++) {
579 		append_byte(value);
580 		value >>= 8;
581 	}
582 }
583 
584 static void
585 append_unsigned_be(uintmax_t value, size_t len)
586 {
587 	char buf[len * 2];
588 	size_t i;
589 
590 	for (i = 0; i < len; i++) {
591 		format_byte(value, buf + (len - i - 1) * 2);
592 		value >>= 8;
593 	}
594 	append_packet_data(buf, sizeof(buf));
595 }
596 
597 static void
598 append_integer(unsigned int value)
599 {
600 
601 	if (value == 0)
602 		append_char('0');
603 	else
604 		append_unsigned_be(value, (fls(value) + 7) / 8);
605 }
606 
607 static void
608 append_asciihex(const char *str)
609 {
610 
611 	while (*str != '\0') {
612 		append_byte(*str);
613 		str++;
614 	}
615 }
616 
617 static void
618 send_empty_response(void)
619 {
620 
621 	start_packet();
622 	finish_packet();
623 }
624 
625 static void
626 send_error(int error)
627 {
628 
629 	start_packet();
630 	append_char('E');
631 	append_byte(error);
632 	finish_packet();
633 }
634 
635 static void
636 send_ok(void)
637 {
638 
639 	start_packet();
640 	append_string("OK");
641 	finish_packet();
642 }
643 
644 static int
645 parse_threadid(const uint8_t *data, size_t len)
646 {
647 
648 	if (len == 1 && *data == '0')
649 		return (0);
650 	if (len == 2 && memcmp(data, "-1", 2) == 0)
651 		return (-1);
652 	if (len == 0)
653 		return (-2);
654 	return (parse_integer(data, len));
655 }
656 
657 /*
658  * Report the current stop event to the debugger.  If the stop is due
659  * to an event triggered on a specific vCPU such as a breakpoint or
660  * stepping trap, stopped_vcpu will be set to the vCPU triggering the
661  * stop.  If 'set_cur_vcpu' is true, then cur_vcpu will be updated to
662  * the reporting vCPU for vCPU events.
663  */
664 static void
665 report_stop(bool set_cur_vcpu)
666 {
667 	struct vcpu_state *vs;
668 
669 	start_packet();
670 	if (stopped_vcpu == -1) {
671 		append_char('S');
672 		append_byte(GDB_SIGNAL_TRAP);
673 	} else {
674 		vs = &vcpu_state[stopped_vcpu];
675 		if (set_cur_vcpu)
676 			cur_vcpu = stopped_vcpu;
677 		append_char('T');
678 		append_byte(GDB_SIGNAL_TRAP);
679 		append_string("thread:");
680 		append_integer(stopped_vcpu + 1);
681 		append_char(';');
682 		if (vs->hit_swbreak) {
683 			debug("$vCPU %d reporting swbreak\n", stopped_vcpu);
684 			if (swbreak_enabled)
685 				append_string("swbreak:;");
686 		} else if (vs->stepped)
687 			debug("$vCPU %d reporting step\n", stopped_vcpu);
688 		else
689 			debug("$vCPU %d reporting ???\n", stopped_vcpu);
690 	}
691 	finish_packet();
692 	report_next_stop = false;
693 }
694 
695 /*
696  * If this stop is due to a vCPU event, clear that event to mark it as
697  * acknowledged.
698  */
699 static void
700 discard_stop(void)
701 {
702 	struct vcpu_state *vs;
703 
704 	if (stopped_vcpu != -1) {
705 		vs = &vcpu_state[stopped_vcpu];
706 		vs->hit_swbreak = false;
707 		vs->stepped = false;
708 		stopped_vcpu = -1;
709 	}
710 	report_next_stop = true;
711 }
712 
713 static void
714 gdb_finish_suspend_vcpus(void)
715 {
716 
717 	if (first_stop) {
718 		first_stop = false;
719 		stopped_vcpu = -1;
720 	} else if (report_next_stop) {
721 		assert(!response_pending());
722 		report_stop(true);
723 		send_pending_data(cur_fd);
724 	}
725 }
726 
727 /*
728  * vCPU threads invoke this function whenever the vCPU enters the
729  * debug server to pause or report an event.  vCPU threads wait here
730  * as long as the debug server keeps them suspended.
731  */
732 static void
733 _gdb_cpu_suspend(int vcpu, bool report_stop)
734 {
735 
736 	debug("$vCPU %d suspending\n", vcpu);
737 	CPU_SET(vcpu, &vcpus_waiting);
738 	if (report_stop && CPU_CMP(&vcpus_waiting, &vcpus_suspended) == 0)
739 		gdb_finish_suspend_vcpus();
740 	while (CPU_ISSET(vcpu, &vcpus_suspended))
741 		pthread_cond_wait(&idle_vcpus, &gdb_lock);
742 	CPU_CLR(vcpu, &vcpus_waiting);
743 	debug("$vCPU %d resuming\n", vcpu);
744 }
745 
746 /*
747  * Invoked at the start of a vCPU thread's execution to inform the
748  * debug server about the new thread.
749  */
750 void
751 gdb_cpu_add(int vcpu)
752 {
753 
754 	if (!gdb_active)
755 		return;
756 	debug("$vCPU %d starting\n", vcpu);
757 	pthread_mutex_lock(&gdb_lock);
758 	assert(vcpu < guest_ncpus);
759 	CPU_SET(vcpu, &vcpus_active);
760 	if (!TAILQ_EMPTY(&breakpoints)) {
761 		vm_set_capability(ctx, vcpu, VM_CAP_BPT_EXIT, 1);
762 		debug("$vCPU %d enabled breakpoint exits\n", vcpu);
763 	}
764 
765 	/*
766 	 * If a vcpu is added while vcpus are stopped, suspend the new
767 	 * vcpu so that it will pop back out with a debug exit before
768 	 * executing the first instruction.
769 	 */
770 	if (!CPU_EMPTY(&vcpus_suspended)) {
771 		CPU_SET(vcpu, &vcpus_suspended);
772 		_gdb_cpu_suspend(vcpu, false);
773 	}
774 	pthread_mutex_unlock(&gdb_lock);
775 }
776 
777 /*
778  * Invoked by vCPU before resuming execution.  This enables stepping
779  * if the vCPU is marked as stepping.
780  */
781 static void
782 gdb_cpu_resume(int vcpu)
783 {
784 	struct vcpu_state *vs;
785 	int error;
786 
787 	vs = &vcpu_state[vcpu];
788 
789 	/*
790 	 * Any pending event should already be reported before
791 	 * resuming.
792 	 */
793 	assert(vs->hit_swbreak == false);
794 	assert(vs->stepped == false);
795 	if (vs->stepping) {
796 		error = vm_set_capability(ctx, vcpu, VM_CAP_MTRAP_EXIT, 1);
797 		assert(error == 0);
798 	}
799 }
800 
801 /*
802  * Handler for VM_EXITCODE_DEBUG used to suspend a vCPU when the guest
803  * has been suspended due to an event on different vCPU or in response
804  * to a guest-wide suspend such as Ctrl-C or the stop on attach.
805  */
806 void
807 gdb_cpu_suspend(int vcpu)
808 {
809 
810 	if (!gdb_active)
811 		return;
812 	pthread_mutex_lock(&gdb_lock);
813 	_gdb_cpu_suspend(vcpu, true);
814 	gdb_cpu_resume(vcpu);
815 	pthread_mutex_unlock(&gdb_lock);
816 }
817 
818 static void
819 gdb_suspend_vcpus(void)
820 {
821 
822 	assert(pthread_mutex_isowned_np(&gdb_lock));
823 	debug("suspending all CPUs\n");
824 	vcpus_suspended = vcpus_active;
825 	vm_suspend_cpu(ctx, -1);
826 	if (CPU_CMP(&vcpus_waiting, &vcpus_suspended) == 0)
827 		gdb_finish_suspend_vcpus();
828 }
829 
830 /*
831  * Handler for VM_EXITCODE_MTRAP reported when a vCPU single-steps via
832  * the VT-x-specific MTRAP exit.
833  */
834 void
835 gdb_cpu_mtrap(int vcpu)
836 {
837 	struct vcpu_state *vs;
838 
839 	if (!gdb_active)
840 		return;
841 	debug("$vCPU %d MTRAP\n", vcpu);
842 	pthread_mutex_lock(&gdb_lock);
843 	vs = &vcpu_state[vcpu];
844 	if (vs->stepping) {
845 		vs->stepping = false;
846 		vs->stepped = true;
847 		vm_set_capability(ctx, vcpu, VM_CAP_MTRAP_EXIT, 0);
848 		while (vs->stepped) {
849 			if (stopped_vcpu == -1) {
850 				debug("$vCPU %d reporting step\n", vcpu);
851 				stopped_vcpu = vcpu;
852 				gdb_suspend_vcpus();
853 			}
854 			_gdb_cpu_suspend(vcpu, true);
855 		}
856 		gdb_cpu_resume(vcpu);
857 	}
858 	pthread_mutex_unlock(&gdb_lock);
859 }
860 
861 static struct breakpoint *
862 find_breakpoint(uint64_t gpa)
863 {
864 	struct breakpoint *bp;
865 
866 	TAILQ_FOREACH(bp, &breakpoints, link) {
867 		if (bp->gpa == gpa)
868 			return (bp);
869 	}
870 	return (NULL);
871 }
872 
873 void
874 gdb_cpu_breakpoint(int vcpu, struct vm_exit *vmexit)
875 {
876 	struct breakpoint *bp;
877 	struct vcpu_state *vs;
878 	uint64_t gpa;
879 	int error;
880 
881 	if (!gdb_active) {
882 		fprintf(stderr, "vm_loop: unexpected VMEXIT_DEBUG\n");
883 		exit(4);
884 	}
885 	pthread_mutex_lock(&gdb_lock);
886 	error = guest_vaddr2paddr(vcpu, vmexit->rip, &gpa);
887 	assert(error == 1);
888 	bp = find_breakpoint(gpa);
889 	if (bp != NULL) {
890 		vs = &vcpu_state[vcpu];
891 		assert(vs->stepping == false);
892 		assert(vs->stepped == false);
893 		assert(vs->hit_swbreak == false);
894 		vs->hit_swbreak = true;
895 		vm_set_register(ctx, vcpu, VM_REG_GUEST_RIP, vmexit->rip);
896 		for (;;) {
897 			if (stopped_vcpu == -1) {
898 				debug("$vCPU %d reporting breakpoint at rip %#lx\n", vcpu,
899 				    vmexit->rip);
900 				stopped_vcpu = vcpu;
901 				gdb_suspend_vcpus();
902 			}
903 			_gdb_cpu_suspend(vcpu, true);
904 			if (!vs->hit_swbreak) {
905 				/* Breakpoint reported. */
906 				break;
907 			}
908 			bp = find_breakpoint(gpa);
909 			if (bp == NULL) {
910 				/* Breakpoint was removed. */
911 				vs->hit_swbreak = false;
912 				break;
913 			}
914 		}
915 		gdb_cpu_resume(vcpu);
916 	} else {
917 		debug("$vCPU %d injecting breakpoint at rip %#lx\n", vcpu,
918 		    vmexit->rip);
919 		error = vm_set_register(ctx, vcpu,
920 		    VM_REG_GUEST_ENTRY_INST_LENGTH, vmexit->u.bpt.inst_length);
921 		assert(error == 0);
922 		error = vm_inject_exception(ctx, vcpu, IDT_BP, 0, 0, 0);
923 		assert(error == 0);
924 	}
925 	pthread_mutex_unlock(&gdb_lock);
926 }
927 
928 static bool
929 gdb_step_vcpu(int vcpu)
930 {
931 	int error, val;
932 
933 	debug("$vCPU %d step\n", vcpu);
934 	error = vm_get_capability(ctx, vcpu, VM_CAP_MTRAP_EXIT, &val);
935 	if (error < 0)
936 		return (false);
937 
938 	discard_stop();
939 	vcpu_state[vcpu].stepping = true;
940 	vm_resume_cpu(ctx, vcpu);
941 	CPU_CLR(vcpu, &vcpus_suspended);
942 	pthread_cond_broadcast(&idle_vcpus);
943 	return (true);
944 }
945 
946 static void
947 gdb_resume_vcpus(void)
948 {
949 
950 	assert(pthread_mutex_isowned_np(&gdb_lock));
951 	vm_resume_cpu(ctx, -1);
952 	debug("resuming all CPUs\n");
953 	CPU_ZERO(&vcpus_suspended);
954 	pthread_cond_broadcast(&idle_vcpus);
955 }
956 
957 static void
958 gdb_read_regs(void)
959 {
960 	uint64_t regvals[nitems(gdb_regset)];
961 
962 	if (vm_get_register_set(ctx, cur_vcpu, nitems(gdb_regset),
963 	    gdb_regset, regvals) == -1) {
964 		send_error(errno);
965 		return;
966 	}
967 	start_packet();
968 	for (size_t i = 0; i < nitems(regvals); i++)
969 		append_unsigned_native(regvals[i], gdb_regsize[i]);
970 	finish_packet();
971 }
972 
973 static void
974 gdb_read_mem(const uint8_t *data, size_t len)
975 {
976 	uint64_t gpa, gva, val;
977 	uint8_t *cp;
978 	size_t resid, todo, bytes;
979 	bool started;
980 	int error;
981 
982 	/* Skip 'm' */
983 	data += 1;
984 	len -= 1;
985 
986 	/* Parse and consume address. */
987 	cp = memchr(data, ',', len);
988 	if (cp == NULL || cp == data) {
989 		send_error(EINVAL);
990 		return;
991 	}
992 	gva = parse_integer(data, cp - data);
993 	len -= (cp - data) + 1;
994 	data += (cp - data) + 1;
995 
996 	/* Parse length. */
997 	resid = parse_integer(data, len);
998 
999 	started = false;
1000 	while (resid > 0) {
1001 		error = guest_vaddr2paddr(cur_vcpu, gva, &gpa);
1002 		if (error == -1) {
1003 			if (started)
1004 				finish_packet();
1005 			else
1006 				send_error(errno);
1007 			return;
1008 		}
1009 		if (error == 0) {
1010 			if (started)
1011 				finish_packet();
1012 			else
1013 				send_error(EFAULT);
1014 			return;
1015 		}
1016 
1017 		/* Read bytes from current page. */
1018 		todo = getpagesize() - gpa % getpagesize();
1019 		if (todo > resid)
1020 			todo = resid;
1021 
1022 		cp = paddr_guest2host(ctx, gpa, todo);
1023 		if (cp != NULL) {
1024 			/*
1025 			 * If this page is guest RAM, read it a byte
1026 			 * at a time.
1027 			 */
1028 			if (!started) {
1029 				start_packet();
1030 				started = true;
1031 			}
1032 			while (todo > 0) {
1033 				append_byte(*cp);
1034 				cp++;
1035 				gpa++;
1036 				gva++;
1037 				resid--;
1038 				todo--;
1039 			}
1040 		} else {
1041 			/*
1042 			 * If this page isn't guest RAM, try to handle
1043 			 * it via MMIO.  For MMIO requests, use
1044 			 * aligned reads of words when possible.
1045 			 */
1046 			while (todo > 0) {
1047 				if (gpa & 1 || todo == 1)
1048 					bytes = 1;
1049 				else if (gpa & 2 || todo == 2)
1050 					bytes = 2;
1051 				else
1052 					bytes = 4;
1053 				error = read_mem(ctx, cur_vcpu, gpa, &val,
1054 				    bytes);
1055 				if (error == 0) {
1056 					if (!started) {
1057 						start_packet();
1058 						started = true;
1059 					}
1060 					gpa += bytes;
1061 					gva += bytes;
1062 					resid -= bytes;
1063 					todo -= bytes;
1064 					while (bytes > 0) {
1065 						append_byte(val);
1066 						val >>= 8;
1067 						bytes--;
1068 					}
1069 				} else {
1070 					if (started)
1071 						finish_packet();
1072 					else
1073 						send_error(EFAULT);
1074 					return;
1075 				}
1076 			}
1077 		}
1078 		assert(resid == 0 || gpa % getpagesize() == 0);
1079 	}
1080 	if (!started)
1081 		start_packet();
1082 	finish_packet();
1083 }
1084 
1085 static void
1086 gdb_write_mem(const uint8_t *data, size_t len)
1087 {
1088 	uint64_t gpa, gva, val;
1089 	uint8_t *cp;
1090 	size_t resid, todo, bytes;
1091 	int error;
1092 
1093 	/* Skip 'M' */
1094 	data += 1;
1095 	len -= 1;
1096 
1097 	/* Parse and consume address. */
1098 	cp = memchr(data, ',', len);
1099 	if (cp == NULL || cp == data) {
1100 		send_error(EINVAL);
1101 		return;
1102 	}
1103 	gva = parse_integer(data, cp - data);
1104 	len -= (cp - data) + 1;
1105 	data += (cp - data) + 1;
1106 
1107 	/* Parse and consume length. */
1108 	cp = memchr(data, ':', len);
1109 	if (cp == NULL || cp == data) {
1110 		send_error(EINVAL);
1111 		return;
1112 	}
1113 	resid = parse_integer(data, cp - data);
1114 	len -= (cp - data) + 1;
1115 	data += (cp - data) + 1;
1116 
1117 	/* Verify the available bytes match the length. */
1118 	if (len != resid * 2) {
1119 		send_error(EINVAL);
1120 		return;
1121 	}
1122 
1123 	while (resid > 0) {
1124 		error = guest_vaddr2paddr(cur_vcpu, gva, &gpa);
1125 		if (error == -1) {
1126 			send_error(errno);
1127 			return;
1128 		}
1129 		if (error == 0) {
1130 			send_error(EFAULT);
1131 			return;
1132 		}
1133 
1134 		/* Write bytes to current page. */
1135 		todo = getpagesize() - gpa % getpagesize();
1136 		if (todo > resid)
1137 			todo = resid;
1138 
1139 		cp = paddr_guest2host(ctx, gpa, todo);
1140 		if (cp != NULL) {
1141 			/*
1142 			 * If this page is guest RAM, write it a byte
1143 			 * at a time.
1144 			 */
1145 			while (todo > 0) {
1146 				assert(len >= 2);
1147 				*cp = parse_byte(data);
1148 				data += 2;
1149 				len -= 2;
1150 				cp++;
1151 				gpa++;
1152 				gva++;
1153 				resid--;
1154 				todo--;
1155 			}
1156 		} else {
1157 			/*
1158 			 * If this page isn't guest RAM, try to handle
1159 			 * it via MMIO.  For MMIO requests, use
1160 			 * aligned writes of words when possible.
1161 			 */
1162 			while (todo > 0) {
1163 				if (gpa & 1 || todo == 1) {
1164 					bytes = 1;
1165 					val = parse_byte(data);
1166 				} else if (gpa & 2 || todo == 2) {
1167 					bytes = 2;
1168 					val = be16toh(parse_integer(data, 4));
1169 				} else {
1170 					bytes = 4;
1171 					val = be32toh(parse_integer(data, 8));
1172 				}
1173 				error = write_mem(ctx, cur_vcpu, gpa, val,
1174 				    bytes);
1175 				if (error == 0) {
1176 					gpa += bytes;
1177 					gva += bytes;
1178 					resid -= bytes;
1179 					todo -= bytes;
1180 					data += 2 * bytes;
1181 					len -= 2 * bytes;
1182 				} else {
1183 					send_error(EFAULT);
1184 					return;
1185 				}
1186 			}
1187 		}
1188 		assert(resid == 0 || gpa % getpagesize() == 0);
1189 	}
1190 	assert(len == 0);
1191 	send_ok();
1192 }
1193 
1194 static bool
1195 set_breakpoint_caps(bool enable)
1196 {
1197 	cpuset_t mask;
1198 	int vcpu;
1199 
1200 	mask = vcpus_active;
1201 	while (!CPU_EMPTY(&mask)) {
1202 		vcpu = CPU_FFS(&mask) - 1;
1203 		CPU_CLR(vcpu, &mask);
1204 		if (vm_set_capability(ctx, vcpu, VM_CAP_BPT_EXIT,
1205 		    enable ? 1 : 0) < 0)
1206 			return (false);
1207 		debug("$vCPU %d %sabled breakpoint exits\n", vcpu,
1208 		    enable ? "en" : "dis");
1209 	}
1210 	return (true);
1211 }
1212 
1213 static void
1214 remove_all_sw_breakpoints(void)
1215 {
1216 	struct breakpoint *bp, *nbp;
1217 	uint8_t *cp;
1218 
1219 	if (TAILQ_EMPTY(&breakpoints))
1220 		return;
1221 
1222 	TAILQ_FOREACH_SAFE(bp, &breakpoints, link, nbp) {
1223 		debug("remove breakpoint at %#lx\n", bp->gpa);
1224 		cp = paddr_guest2host(ctx, bp->gpa, 1);
1225 		*cp = bp->shadow_inst;
1226 		TAILQ_REMOVE(&breakpoints, bp, link);
1227 		free(bp);
1228 	}
1229 	TAILQ_INIT(&breakpoints);
1230 	set_breakpoint_caps(false);
1231 }
1232 
1233 static void
1234 update_sw_breakpoint(uint64_t gva, int kind, bool insert)
1235 {
1236 	struct breakpoint *bp;
1237 	uint64_t gpa;
1238 	uint8_t *cp;
1239 	int error;
1240 
1241 	if (kind != 1) {
1242 		send_error(EINVAL);
1243 		return;
1244 	}
1245 
1246 	error = guest_vaddr2paddr(cur_vcpu, gva, &gpa);
1247 	if (error == -1) {
1248 		send_error(errno);
1249 		return;
1250 	}
1251 	if (error == 0) {
1252 		send_error(EFAULT);
1253 		return;
1254 	}
1255 
1256 	cp = paddr_guest2host(ctx, gpa, 1);
1257 
1258 	/* Only permit breakpoints in guest RAM. */
1259 	if (cp == NULL) {
1260 		send_error(EFAULT);
1261 		return;
1262 	}
1263 
1264 	/* Find any existing breakpoint. */
1265 	bp = find_breakpoint(gpa);
1266 
1267 	/*
1268 	 * Silently ignore duplicate commands since the protocol
1269 	 * requires these packets to be idempotent.
1270 	 */
1271 	if (insert) {
1272 		if (bp == NULL) {
1273 			if (TAILQ_EMPTY(&breakpoints) &&
1274 			    !set_breakpoint_caps(true)) {
1275 				send_empty_response();
1276 				return;
1277 			}
1278 			bp = malloc(sizeof(*bp));
1279 			bp->gpa = gpa;
1280 			bp->shadow_inst = *cp;
1281 			*cp = 0xcc;	/* INT 3 */
1282 			TAILQ_INSERT_TAIL(&breakpoints, bp, link);
1283 			debug("new breakpoint at %#lx\n", gpa);
1284 		}
1285 	} else {
1286 		if (bp != NULL) {
1287 			debug("remove breakpoint at %#lx\n", gpa);
1288 			*cp = bp->shadow_inst;
1289 			TAILQ_REMOVE(&breakpoints, bp, link);
1290 			free(bp);
1291 			if (TAILQ_EMPTY(&breakpoints))
1292 				set_breakpoint_caps(false);
1293 		}
1294 	}
1295 	send_ok();
1296 }
1297 
1298 static void
1299 parse_breakpoint(const uint8_t *data, size_t len)
1300 {
1301 	uint64_t gva;
1302 	uint8_t *cp;
1303 	bool insert;
1304 	int kind, type;
1305 
1306 	insert = data[0] == 'Z';
1307 
1308 	/* Skip 'Z/z' */
1309 	data += 1;
1310 	len -= 1;
1311 
1312 	/* Parse and consume type. */
1313 	cp = memchr(data, ',', len);
1314 	if (cp == NULL || cp == data) {
1315 		send_error(EINVAL);
1316 		return;
1317 	}
1318 	type = parse_integer(data, cp - data);
1319 	len -= (cp - data) + 1;
1320 	data += (cp - data) + 1;
1321 
1322 	/* Parse and consume address. */
1323 	cp = memchr(data, ',', len);
1324 	if (cp == NULL || cp == data) {
1325 		send_error(EINVAL);
1326 		return;
1327 	}
1328 	gva = parse_integer(data, cp - data);
1329 	len -= (cp - data) + 1;
1330 	data += (cp - data) + 1;
1331 
1332 	/* Parse and consume kind. */
1333 	cp = memchr(data, ';', len);
1334 	if (cp == data) {
1335 		send_error(EINVAL);
1336 		return;
1337 	}
1338 	if (cp != NULL) {
1339 		/*
1340 		 * We do not advertise support for either the
1341 		 * ConditionalBreakpoints or BreakpointCommands
1342 		 * features, so we should not be getting conditions or
1343 		 * commands from the remote end.
1344 		 */
1345 		send_empty_response();
1346 		return;
1347 	}
1348 	kind = parse_integer(data, len);
1349 	data += len;
1350 	len = 0;
1351 
1352 	switch (type) {
1353 	case 0:
1354 		update_sw_breakpoint(gva, kind, insert);
1355 		break;
1356 	default:
1357 		send_empty_response();
1358 		break;
1359 	}
1360 }
1361 
1362 static bool
1363 command_equals(const uint8_t *data, size_t len, const char *cmd)
1364 {
1365 
1366 	if (strlen(cmd) > len)
1367 		return (false);
1368 	return (memcmp(data, cmd, strlen(cmd)) == 0);
1369 }
1370 
1371 static void
1372 check_features(const uint8_t *data, size_t len)
1373 {
1374 	char *feature, *next_feature, *str, *value;
1375 	bool supported;
1376 
1377 	str = malloc(len + 1);
1378 	memcpy(str, data, len);
1379 	str[len] = '\0';
1380 	next_feature = str;
1381 
1382 	while ((feature = strsep(&next_feature, ";")) != NULL) {
1383 		/*
1384 		 * Null features shouldn't exist, but skip if they
1385 		 * do.
1386 		 */
1387 		if (strcmp(feature, "") == 0)
1388 			continue;
1389 
1390 		/*
1391 		 * Look for the value or supported / not supported
1392 		 * flag.
1393 		 */
1394 		value = strchr(feature, '=');
1395 		if (value != NULL) {
1396 			*value = '\0';
1397 			value++;
1398 			supported = true;
1399 		} else {
1400 			value = feature + strlen(feature) - 1;
1401 			switch (*value) {
1402 			case '+':
1403 				supported = true;
1404 				break;
1405 			case '-':
1406 				supported = false;
1407 				break;
1408 			default:
1409 				/*
1410 				 * This is really a protocol error,
1411 				 * but we just ignore malformed
1412 				 * features for ease of
1413 				 * implementation.
1414 				 */
1415 				continue;
1416 			}
1417 			value = NULL;
1418 		}
1419 
1420 		if (strcmp(feature, "swbreak") == 0)
1421 			swbreak_enabled = supported;
1422 	}
1423 	free(str);
1424 
1425 	start_packet();
1426 
1427 	/* This is an arbitrary limit. */
1428 	append_string("PacketSize=4096");
1429 	append_string(";swbreak+");
1430 	finish_packet();
1431 }
1432 
1433 static void
1434 gdb_query(const uint8_t *data, size_t len)
1435 {
1436 
1437 	/*
1438 	 * TODO:
1439 	 * - qSearch
1440 	 */
1441 	if (command_equals(data, len, "qAttached")) {
1442 		start_packet();
1443 		append_char('1');
1444 		finish_packet();
1445 	} else if (command_equals(data, len, "qC")) {
1446 		start_packet();
1447 		append_string("QC");
1448 		append_integer(cur_vcpu + 1);
1449 		finish_packet();
1450 	} else if (command_equals(data, len, "qfThreadInfo")) {
1451 		cpuset_t mask;
1452 		bool first;
1453 		int vcpu;
1454 
1455 		if (CPU_EMPTY(&vcpus_active)) {
1456 			send_error(EINVAL);
1457 			return;
1458 		}
1459 		mask = vcpus_active;
1460 		start_packet();
1461 		append_char('m');
1462 		first = true;
1463 		while (!CPU_EMPTY(&mask)) {
1464 			vcpu = CPU_FFS(&mask) - 1;
1465 			CPU_CLR(vcpu, &mask);
1466 			if (first)
1467 				first = false;
1468 			else
1469 				append_char(',');
1470 			append_integer(vcpu + 1);
1471 		}
1472 		finish_packet();
1473 	} else if (command_equals(data, len, "qsThreadInfo")) {
1474 		start_packet();
1475 		append_char('l');
1476 		finish_packet();
1477 	} else if (command_equals(data, len, "qSupported")) {
1478 		data += strlen("qSupported");
1479 		len -= strlen("qSupported");
1480 		check_features(data, len);
1481 	} else if (command_equals(data, len, "qThreadExtraInfo")) {
1482 		char buf[16];
1483 		int tid;
1484 
1485 		data += strlen("qThreadExtraInfo");
1486 		len -= strlen("qThreadExtraInfo");
1487 		if (*data != ',') {
1488 			send_error(EINVAL);
1489 			return;
1490 		}
1491 		tid = parse_threadid(data + 1, len - 1);
1492 		if (tid <= 0 || !CPU_ISSET(tid - 1, &vcpus_active)) {
1493 			send_error(EINVAL);
1494 			return;
1495 		}
1496 
1497 		snprintf(buf, sizeof(buf), "vCPU %d", tid - 1);
1498 		start_packet();
1499 		append_asciihex(buf);
1500 		finish_packet();
1501 	} else
1502 		send_empty_response();
1503 }
1504 
1505 static void
1506 handle_command(const uint8_t *data, size_t len)
1507 {
1508 
1509 	/* Reject packets with a sequence-id. */
1510 	if (len >= 3 && data[0] >= '0' && data[0] <= '9' &&
1511 	    data[0] >= '0' && data[0] <= '9' && data[2] == ':') {
1512 		send_empty_response();
1513 		return;
1514 	}
1515 
1516 	switch (*data) {
1517 	case 'c':
1518 		if (len != 1) {
1519 			send_error(EINVAL);
1520 			break;
1521 		}
1522 
1523 		discard_stop();
1524 		gdb_resume_vcpus();
1525 		break;
1526 	case 'D':
1527 		send_ok();
1528 
1529 		/* TODO: Resume any stopped CPUs. */
1530 		break;
1531 	case 'g': {
1532 		gdb_read_regs();
1533 		break;
1534 	}
1535 	case 'H': {
1536 		int tid;
1537 
1538 		if (data[1] != 'g' && data[1] != 'c') {
1539 			send_error(EINVAL);
1540 			break;
1541 		}
1542 		tid = parse_threadid(data + 2, len - 2);
1543 		if (tid == -2) {
1544 			send_error(EINVAL);
1545 			break;
1546 		}
1547 
1548 		if (CPU_EMPTY(&vcpus_active)) {
1549 			send_error(EINVAL);
1550 			break;
1551 		}
1552 		if (tid == -1 || tid == 0)
1553 			cur_vcpu = CPU_FFS(&vcpus_active) - 1;
1554 		else if (CPU_ISSET(tid - 1, &vcpus_active))
1555 			cur_vcpu = tid - 1;
1556 		else {
1557 			send_error(EINVAL);
1558 			break;
1559 		}
1560 		send_ok();
1561 		break;
1562 	}
1563 	case 'm':
1564 		gdb_read_mem(data, len);
1565 		break;
1566 	case 'M':
1567 		gdb_write_mem(data, len);
1568 		break;
1569 	case 'T': {
1570 		int tid;
1571 
1572 		tid = parse_threadid(data + 1, len - 1);
1573 		if (tid <= 0 || !CPU_ISSET(tid - 1, &vcpus_active)) {
1574 			send_error(EINVAL);
1575 			return;
1576 		}
1577 		send_ok();
1578 		break;
1579 	}
1580 	case 'q':
1581 		gdb_query(data, len);
1582 		break;
1583 	case 's':
1584 		if (len != 1) {
1585 			send_error(EINVAL);
1586 			break;
1587 		}
1588 
1589 		/* Don't send a reply until a stop occurs. */
1590 		if (!gdb_step_vcpu(cur_vcpu)) {
1591 			send_error(EOPNOTSUPP);
1592 			break;
1593 		}
1594 		break;
1595 	case 'z':
1596 	case 'Z':
1597 		parse_breakpoint(data, len);
1598 		break;
1599 	case '?':
1600 		report_stop(false);
1601 		break;
1602 	case 'G': /* TODO */
1603 	case 'v':
1604 		/* Handle 'vCont' */
1605 		/* 'vCtrlC' */
1606 	case 'p': /* TODO */
1607 	case 'P': /* TODO */
1608 	case 'Q': /* TODO */
1609 	case 't': /* TODO */
1610 	case 'X': /* TODO */
1611 	default:
1612 		send_empty_response();
1613 	}
1614 }
1615 
1616 /* Check for a valid packet in the command buffer. */
1617 static void
1618 check_command(int fd)
1619 {
1620 	uint8_t *head, *hash, *p, sum;
1621 	size_t avail, plen;
1622 
1623 	for (;;) {
1624 		avail = cur_comm.len;
1625 		if (avail == 0)
1626 			return;
1627 		head = io_buffer_head(&cur_comm);
1628 		switch (*head) {
1629 		case 0x03:
1630 			debug("<- Ctrl-C\n");
1631 			io_buffer_consume(&cur_comm, 1);
1632 
1633 			gdb_suspend_vcpus();
1634 			break;
1635 		case '+':
1636 			/* ACK of previous response. */
1637 			debug("<- +\n");
1638 			if (response_pending())
1639 				io_buffer_reset(&cur_resp);
1640 			io_buffer_consume(&cur_comm, 1);
1641 			if (stopped_vcpu != -1 && report_next_stop) {
1642 				report_stop(true);
1643 				send_pending_data(fd);
1644 			}
1645 			break;
1646 		case '-':
1647 			/* NACK of previous response. */
1648 			debug("<- -\n");
1649 			if (response_pending()) {
1650 				cur_resp.len += cur_resp.start;
1651 				cur_resp.start = 0;
1652 				if (cur_resp.data[0] == '+')
1653 					io_buffer_advance(&cur_resp, 1);
1654 				debug("-> %.*s\n", (int)cur_resp.len,
1655 				    io_buffer_head(&cur_resp));
1656 			}
1657 			io_buffer_consume(&cur_comm, 1);
1658 			send_pending_data(fd);
1659 			break;
1660 		case '$':
1661 			/* Packet. */
1662 
1663 			if (response_pending()) {
1664 				warnx("New GDB command while response in "
1665 				    "progress");
1666 				io_buffer_reset(&cur_resp);
1667 			}
1668 
1669 			/* Is packet complete? */
1670 			hash = memchr(head, '#', avail);
1671 			if (hash == NULL)
1672 				return;
1673 			plen = (hash - head + 1) + 2;
1674 			if (avail < plen)
1675 				return;
1676 			debug("<- %.*s\n", (int)plen, head);
1677 
1678 			/* Verify checksum. */
1679 			for (sum = 0, p = head + 1; p < hash; p++)
1680 				sum += *p;
1681 			if (sum != parse_byte(hash + 1)) {
1682 				io_buffer_consume(&cur_comm, plen);
1683 				debug("-> -\n");
1684 				send_char('-');
1685 				send_pending_data(fd);
1686 				break;
1687 			}
1688 			send_char('+');
1689 
1690 			handle_command(head + 1, hash - (head + 1));
1691 			io_buffer_consume(&cur_comm, plen);
1692 			if (!response_pending())
1693 				debug("-> +\n");
1694 			send_pending_data(fd);
1695 			break;
1696 		default:
1697 			/* XXX: Possibly drop connection instead. */
1698 			debug("-> %02x\n", *head);
1699 			io_buffer_consume(&cur_comm, 1);
1700 			break;
1701 		}
1702 	}
1703 }
1704 
1705 static void
1706 gdb_readable(int fd, enum ev_type event __unused, void *arg __unused)
1707 {
1708 	size_t pending;
1709 	ssize_t nread;
1710 	int n;
1711 
1712 	if (ioctl(fd, FIONREAD, &n) == -1) {
1713 		warn("FIONREAD on GDB socket");
1714 		return;
1715 	}
1716 	assert(n >= 0);
1717 	pending = n;
1718 
1719 	/*
1720 	 * 'pending' might be zero due to EOF.  We need to call read
1721 	 * with a non-zero length to detect EOF.
1722 	 */
1723 	if (pending == 0)
1724 		pending = 1;
1725 
1726 	/* Ensure there is room in the command buffer. */
1727 	io_buffer_grow(&cur_comm, pending);
1728 	assert(io_buffer_avail(&cur_comm) >= pending);
1729 
1730 	nread = read(fd, io_buffer_tail(&cur_comm), io_buffer_avail(&cur_comm));
1731 	if (nread == 0) {
1732 		close_connection();
1733 	} else if (nread == -1) {
1734 		if (errno == EAGAIN)
1735 			return;
1736 
1737 		warn("Read from GDB socket");
1738 		close_connection();
1739 	} else {
1740 		cur_comm.len += nread;
1741 		pthread_mutex_lock(&gdb_lock);
1742 		check_command(fd);
1743 		pthread_mutex_unlock(&gdb_lock);
1744 	}
1745 }
1746 
1747 static void
1748 gdb_writable(int fd, enum ev_type event __unused, void *arg __unused)
1749 {
1750 
1751 	send_pending_data(fd);
1752 }
1753 
1754 static void
1755 new_connection(int fd, enum ev_type event __unused, void *arg)
1756 {
1757 	int optval, s;
1758 
1759 	s = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
1760 	if (s == -1) {
1761 		if (arg != NULL)
1762 			err(1, "Failed accepting initial GDB connection");
1763 
1764 		/* Silently ignore errors post-startup. */
1765 		return;
1766 	}
1767 
1768 	optval = 1;
1769 	if (setsockopt(s, SOL_SOCKET, SO_NOSIGPIPE, &optval, sizeof(optval)) ==
1770 	    -1) {
1771 		warn("Failed to disable SIGPIPE for GDB connection");
1772 		close(s);
1773 		return;
1774 	}
1775 
1776 	pthread_mutex_lock(&gdb_lock);
1777 	if (cur_fd != -1) {
1778 		close(s);
1779 		warnx("Ignoring additional GDB connection.");
1780 	}
1781 
1782 	read_event = mevent_add(s, EVF_READ, gdb_readable, NULL);
1783 	if (read_event == NULL) {
1784 		if (arg != NULL)
1785 			err(1, "Failed to setup initial GDB connection");
1786 		pthread_mutex_unlock(&gdb_lock);
1787 		return;
1788 	}
1789 	write_event = mevent_add(s, EVF_WRITE, gdb_writable, NULL);
1790 	if (write_event == NULL) {
1791 		if (arg != NULL)
1792 			err(1, "Failed to setup initial GDB connection");
1793 		mevent_delete_close(read_event);
1794 		read_event = NULL;
1795 	}
1796 
1797 	cur_fd = s;
1798 	cur_vcpu = 0;
1799 	stopped_vcpu = -1;
1800 
1801 	/* Break on attach. */
1802 	first_stop = true;
1803 	report_next_stop = false;
1804 	gdb_suspend_vcpus();
1805 	pthread_mutex_unlock(&gdb_lock);
1806 }
1807 
1808 #ifndef WITHOUT_CAPSICUM
1809 static void
1810 limit_gdb_socket(int s)
1811 {
1812 	cap_rights_t rights;
1813 	unsigned long ioctls[] = { FIONREAD };
1814 
1815 	cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE,
1816 	    CAP_SETSOCKOPT, CAP_IOCTL);
1817 	if (caph_rights_limit(s, &rights) == -1)
1818 		errx(EX_OSERR, "Unable to apply rights for sandbox");
1819 	if (caph_ioctls_limit(s, ioctls, nitems(ioctls)) == -1)
1820 		errx(EX_OSERR, "Unable to apply rights for sandbox");
1821 }
1822 #endif
1823 
1824 void
1825 init_gdb(struct vmctx *_ctx)
1826 {
1827 	int error, flags, optval, s;
1828 	struct addrinfo hints;
1829 	struct addrinfo *gdbaddr;
1830 	const char *saddr, *value;
1831 	char *sport;
1832 	bool wait;
1833 
1834 	value = get_config_value("gdb.port");
1835 	if (value == NULL)
1836 		return;
1837 	sport = strdup(value);
1838 	if (sport == NULL)
1839 		errx(4, "Failed to allocate memory");
1840 
1841 	wait = get_config_bool_default("gdb.wait", false);
1842 
1843 	saddr = get_config_value("gdb.address");
1844 	if (saddr == NULL) {
1845 		saddr = "localhost";
1846 	}
1847 
1848 	debug("==> starting on %s:%s, %swaiting\n",
1849 	    saddr, sport, wait ? "" : "not ");
1850 
1851 	error = pthread_mutex_init(&gdb_lock, NULL);
1852 	if (error != 0)
1853 		errc(1, error, "gdb mutex init");
1854 	error = pthread_cond_init(&idle_vcpus, NULL);
1855 	if (error != 0)
1856 		errc(1, error, "gdb cv init");
1857 
1858 	memset(&hints, 0, sizeof(hints));
1859 	hints.ai_family = AF_UNSPEC;
1860 	hints.ai_socktype = SOCK_STREAM;
1861 	hints.ai_flags = AI_NUMERICSERV | AI_PASSIVE;
1862 
1863 	error = getaddrinfo(saddr, sport, &hints, &gdbaddr);
1864 	if (error != 0)
1865 		errx(1, "gdb address resolution: %s", gai_strerror(error));
1866 
1867 	ctx = _ctx;
1868 	s = socket(gdbaddr->ai_family, gdbaddr->ai_socktype, 0);
1869 	if (s < 0)
1870 		err(1, "gdb socket create");
1871 
1872 	optval = 1;
1873 	(void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
1874 
1875 	if (bind(s, gdbaddr->ai_addr, gdbaddr->ai_addrlen) < 0)
1876 		err(1, "gdb socket bind");
1877 
1878 	if (listen(s, 1) < 0)
1879 		err(1, "gdb socket listen");
1880 
1881 	stopped_vcpu = -1;
1882 	TAILQ_INIT(&breakpoints);
1883 	vcpu_state = calloc(guest_ncpus, sizeof(*vcpu_state));
1884 	if (wait) {
1885 		/*
1886 		 * Set vcpu 0 in vcpus_suspended.  This will trigger the
1887 		 * logic in gdb_cpu_add() to suspend the first vcpu before
1888 		 * it starts execution.  The vcpu will remain suspended
1889 		 * until a debugger connects.
1890 		 */
1891 		CPU_SET(0, &vcpus_suspended);
1892 		stopped_vcpu = 0;
1893 	}
1894 
1895 	flags = fcntl(s, F_GETFL);
1896 	if (fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1)
1897 		err(1, "Failed to mark gdb socket non-blocking");
1898 
1899 #ifndef WITHOUT_CAPSICUM
1900 	limit_gdb_socket(s);
1901 #endif
1902 	mevent_add(s, EVF_READ, new_connection, NULL);
1903 	gdb_active = true;
1904 	freeaddrinfo(gdbaddr);
1905 	free(sport);
1906 }
1907