6e4ed42397
Coverity reports:
*** CID 1419387: Memory - illegal accesses (OVERRUN)
/hw/hppa/dino.c: 267 in dino_chip_read_with_attrs()
261 val = s->ilr & s->imr & s->icr;
262 break;
263 case DINO_TOC_ADDR:
264 val = s->toc_addr;
265 break;
266 case DINO_GMASK ... DINO_TLTIM:
>>> CID 1419387: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "s->reg800" of 12 4-byte elements at element index 12 (byte offset 48) using index "(addr - 2048UL) / 4UL" (which evaluates to 12).
267 val = s->reg800[(addr - DINO_GMASK) / 4];
268 if (addr == DINO_PAMR) {
269 val &= ~0x01; /* LSB is hardwired to 0 */
270 }
271 if (addr == DINO_MLTIM) {
272 val &= ~0x07; /* 3 LSB are hardwired to 0 */
*** CID 1419393: Memory - corruptions (OVERRUN)
/hw/hppa/dino.c: 363 in dino_chip_write_with_attrs()
357 /* These registers are read-only. */
358 break;
359
360 case DINO_GMASK ... DINO_TLTIM:
361 i = (addr - DINO_GMASK) / 4;
362 val &= reg800_keep_bits[i];
>>> CID 1419393: Memory - corruptions (OVERRUN)
>>> Overrunning array "s->reg800" of 12 4-byte elements at element index 12 (byte offset 48) using index "i" (which evaluates to 12).
363 s->reg800[i] = val;
364 break;
365
366 default:
367 /* Controlled by dino_chip_mem_valid above. */
368 g_assert_not_reached();
*** CID 1419394: Memory - illegal accesses (OVERRUN)
/hw/hppa/dino.c: 362 in dino_chip_write_with_attrs()
356 case DINO_IRR1:
357 /* These registers are read-only. */
358 break;
359
360 case DINO_GMASK ... DINO_TLTIM:
361 i = (addr - DINO_GMASK) / 4;
>>> CID 1419394: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "reg800_keep_bits" of 12 4-byte elements at element index 12 (byte offset 48) using index "i" (which evaluates to 12).
362 val &= reg800_keep_bits[i];
363 s->reg800[i] = val;
364 break;
365
366 default:
367 /* Controlled by dino_chip_mem_valid above. */
Indeed the array should contain 13 entries, the undocumented
register 0x82c is missing. Fix by increasing the array size
and adding the missing register.
CID 1419387 can be verified with:
$ echo x 0xfff80830 | hppa-softmmu/qemu-system-hppa -S -monitor stdio -display none
QEMU 4.2.50 monitor - type 'help' for more information
(qemu) x 0xfff80830
qemu/hw/hppa/dino.c:267:15: runtime error: index 12 out of bounds for type 'uint32_t [12]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phil/source/qemu/hw/hppa/dino.c:267:15 in
00000000fff80830: 0x00000000
and CID 1419393/1419394 with:
$ echo writeb 0xfff80830 0x69 \
| hppa-softmmu/qemu-system-hppa -S -accel qtest -qtest stdio -display none
[I 1581634452.654113] OPENED
[R +4.105415] writeb 0xfff80830 0x69
qemu/hw/hppa/dino.c:362:16: runtime error: index 12 out of bounds for type 'const uint32_t [12]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior qemu/hw/hppa/dino.c:362:16 in
=================================================================
==29607==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5577dae32f30 at pc 0x5577d93f2463 bp 0x7ffd97ea11b0 sp 0x7ffd97ea11a8
READ of size 4 at 0x5577dae32f30 thread T0
#0 0x5577d93f2462 in dino_chip_write_with_attrs qemu/hw/hppa/dino.c:362:16
#1 0x5577d9025664 in memory_region_write_with_attrs_accessor qemu/memory.c:503:12
#2 0x5577d9024920 in access_with_adjusted_size qemu/memory.c:539:18
#3 0x5577d9023608 in memory_region_dispatch_write qemu/memory.c:1482:13
#4 0x5577d8e3177a in flatview_write_continue qemu/exec.c:3166:23
#5 0x5577d8e20357 in flatview_write qemu/exec.c:3206:14
#6 0x5577d8e1fef4 in address_space_write qemu/exec.c:3296:18
#7 0x5577d8e20693 in address_space_rw qemu/exec.c:3306:16
#8 0x5577d9011595 in qtest_process_command qemu/qtest.c:432:13
#9 0x5577d900d19f in qtest_process_inbuf qemu/qtest.c:705:9
#10 0x5577d900ca22 in qtest_read qemu/qtest.c:717:5
#11 0x5577da8c4254 in qemu_chr_be_write_impl qemu/chardev/char.c:183:9
#12 0x5577da8c430c in qemu_chr_be_write qemu/chardev/char.c:195:9
#13 0x5577da8cf587 in fd_chr_read qemu/chardev/char-fd.c:68:9
#14 0x5577da9836cd in qio_channel_fd_source_dispatch qemu/io/channel-watch.c:84:12
#15 0x7faf44509ecc in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4fecc)
#16 0x5577dab75f96 in glib_pollfds_poll qemu/util/main-loop.c:219:9
#17 0x5577dab74797 in os_host_main_loop_wait qemu/util/main-loop.c:242:5
#18 0x5577dab7435a in main_loop_wait qemu/util/main-loop.c:518:11
#19 0x5577d9514eb3 in main_loop qemu/vl.c:1682:9
#20 0x5577d950699d in main qemu/vl.c:4450:5
#21 0x7faf41a87f42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
#22 0x5577d8cd4d4d in _start (qemu/build/sanitizer/hppa-softmmu/qemu-system-hppa+0x1256d4d)
0x5577dae32f30 is located 0 bytes to the right of global variable 'reg800_keep_bits' defined in 'qemu/hw/hppa/dino.c:87:23' (0x5577dae32f00) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow qemu/hw/hppa/dino.c:362:16 in dino_chip_write_with_attrs
Shadow bytes around the buggy address:
0x0aaf7b5be590: 00 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x0aaf7b5be5a0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
0x0aaf7b5be5b0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0aaf7b5be5c0: 00 00 00 02 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0aaf7b5be5d0: 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9
=>0x0aaf7b5be5e0: 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 00 00 00 00
0x0aaf7b5be5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aaf7b5be600: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
0x0aaf7b5be610: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0aaf7b5be620: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
0x0aaf7b5be630: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==29607==ABORTING
Fixes: Coverity CID 1419387 / 1419393 / 1419394 (commit 18092598a5)
Acked-by: Helge Deller <deller@gmx.de>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200218063355.18577-3-f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
/*
 * HP-PARISC Dino PCI chipset emulation, as in B160L and similar machines
 *
 * (C) 2017-2019 by Helge Deller <deller@gmx.de>
 *
 * This work is licensed under the GNU GPL license version 2 or later.
 *
 * Documentation available at:
 * https://parisc.wiki.kernel.org/images-parisc/9/91/Dino_ers.pdf
 * https://parisc.wiki.kernel.org/images-parisc/7/70/Dino_3_1_Errata.pdf
 */
#include "qemu/osdep.h"
#include "qemu/module.h"
#include "qemu/units.h"
#include "qapi/error.h"
#include "cpu.h"
#include "hw/irq.h"
#include "hw/pci/pci.h"
#include "hw/pci/pci_bus.h"
#include "migration/vmstate.h"
#include "hppa_sys.h"
#include "exec/address-spaces.h"
#include "trace.h"
#define TYPE_DINO_PCI_HOST_BRIDGE "dino-pcihost"

/*
 * Byte offsets of the Dino registers.  The MMIO handlers in this file
 * switch on these values.
 */
#define DINO_IAR0               0x004
#define DINO_IODC               0x008
#define DINO_IRR0               0x00C   /* RO */
#define DINO_IAR1               0x010
#define DINO_IRR1               0x014   /* RO */
#define DINO_IMR                0x018
#define DINO_IPR                0x01C
#define DINO_TOC_ADDR           0x020
#define DINO_ICR                0x024
#define DINO_ILR                0x028   /* RO */
#define DINO_IO_COMMAND         0x030   /* WO */
#define DINO_IO_STATUS          0x034   /* RO */
#define DINO_IO_CONTROL         0x038
#define DINO_IO_GSC_ERR_RESP    0x040   /* RO */
#define DINO_IO_ERR_INFO        0x044   /* RO */
#define DINO_IO_PCI_ERR_RESP    0x048   /* RO */
#define DINO_IO_FBB_EN          0x05c
#define DINO_IO_ADDR_EN         0x060
#define DINO_PCI_CONFIG_ADDR    0x064
#define DINO_PCI_CONFIG_DATA    0x068
#define DINO_PCI_IO_DATA        0x06c
#define DINO_PCI_MEM_DATA       0x070   /* Dino 3.x only */
#define DINO_GSC2X_CONFIG       0x7b4   /* RO */

/*
 * The 0x800 register block.  DINO_GMASK is its first offset and DINO_TLTIM
 * its last; both ends are used to size and index the reg800 arrays, so a
 * register added past DINO_TLTIM must move that end marker too.
 */
#define DINO_GMASK              0x800
#define DINO_PAMR               0x804
#define DINO_PAPR               0x808
#define DINO_DAMODE             0x80c
#define DINO_PCICMD             0x810
#define DINO_PCISTS             0x814   /* R/WC */
#define DINO_MLTIM              0x81c
#define DINO_BRDG_FEAT          0x820
#define DINO_PCIROR             0x824
#define DINO_PCIWOR             0x828
#define DINO_TLTIM              0x830

#define DINO_IRQS               11      /* bits 0-10 are architected */
#define DINO_IRR_MASK           0x5ff   /* only 10 bits are implemented */
#define DINO_LOCAL_IRQS         (DINO_IRQS + 1)
#define DINO_MASK_IRQ(x)        (1 << (x))

/* Single-bit masks, one per interrupt line. */
#define PCIINTA                 0x001
#define PCIINTB                 0x002
#define PCIINTC                 0x004
#define PCIINTD                 0x008
#define PCIINTE                 0x010
#define PCIINTF                 0x020
#define GSCEXTINT               0x040
/* #define xxx                  0x080 - bit 7 is "default" */
/* #define xxx                  0x100 - bit 8 not used */
/* #define xxx                  0x200 - bit 9 not used */
#define RS232INT                0x400

/* Size of one outbound PCI memory window. */
#define DINO_MEM_CHUNK_SIZE     (8 * MiB)

/* Checked cast from a QOM object to the Dino host bridge state. */
#define DINO_PCI_HOST_BRIDGE(obj) \
    OBJECT_CHECK(DinoState, (obj), TYPE_DINO_PCI_HOST_BRIDGE)

/*
 * Number of 32-bit slots in the 0x800 register block, counting both
 * DINO_GMASK and DINO_TLTIM.  The MMIO handlers index the reg800 arrays with
 * (addr - DINO_GMASK) / 4 for every addr in "DINO_GMASK ... DINO_TLTIM", so
 * the count is derived from the same two end offsets: the largest index
 * those case ranges can produce is DINO800_REGS - 1.
 */
#define DINO800_REGS (1 + (DINO_TLTIM - DINO_GMASK) / 4)

/*
 * Bits of each 0x800-block register that a write may keep; the write
 * handler ANDs the incoming value with the matching entry.  Entries are
 * keyed by register offset so that each mask stays attached to its
 * register.  Offsets 0x818 and 0x82c have no named register in this file.
 */
static const uint32_t reg800_keep_bits[DINO800_REGS] = {
    [(DINO_GMASK - DINO_GMASK) / 4]     = MAKE_64BIT_MASK(0, 1),
    [(DINO_PAMR - DINO_GMASK) / 4]      = MAKE_64BIT_MASK(0, 7),
    [(DINO_PAPR - DINO_GMASK) / 4]      = MAKE_64BIT_MASK(0, 7),
    [(DINO_DAMODE - DINO_GMASK) / 4]    = MAKE_64BIT_MASK(0, 8),
    [(DINO_PCICMD - DINO_GMASK) / 4]    = MAKE_64BIT_MASK(0, 7),
    [(DINO_PCISTS - DINO_GMASK) / 4]    = MAKE_64BIT_MASK(0, 9),
    [6]                                 = MAKE_64BIT_MASK(0, 32), /* 0x818, undefined */
    [(DINO_MLTIM - DINO_GMASK) / 4]     = MAKE_64BIT_MASK(0, 8),
    [(DINO_BRDG_FEAT - DINO_GMASK) / 4] = MAKE_64BIT_MASK(0, 30),
    [(DINO_PCIROR - DINO_GMASK) / 4]    = MAKE_64BIT_MASK(0, 25),
    [(DINO_PCIWOR - DINO_GMASK) / 4]    = MAKE_64BIT_MASK(0, 22),
    [11]                                = MAKE_64BIT_MASK(0, 32), /* 0x82c, undocumented */
    [(DINO_TLTIM - DINO_GMASK) / 4]     = MAKE_64BIT_MASK(0, 9),
};

typedef struct DinoState DinoState;

/* Device state of the emulated Dino PCI host bridge. */
struct DinoState {
    /* Must stay first: handlers cast the same opaque pointer to both types. */
    PCIHostState parent_obj;

    /*
     * PCI_CONFIG_ADDR lives in parent_obj.config_reg with its two lowest
     * bits cleared.  This field holds the value exactly as the guest wrote
     * it, low bits included, and is what a read of the register returns.
     */
    uint32_t config_reg_dino;

    /* Interrupt and control registers, one field per Dino register. */
    uint32_t iar0;
    uint32_t iar1;
    uint32_t imr;
    uint32_t ipr;
    uint32_t icr;
    uint32_t ilr;
    uint32_t io_fbb_en;
    uint32_t io_addr_en;
    uint32_t io_control;
    uint32_t toc_addr;

    /*
     * Backing store for DINO_GMASK ... DINO_TLTIM, indexed by
     * (addr - DINO_GMASK) / 4.  Sized with DINO800_REGS so that every index
     * the handlers can compute is in bounds.
     */
    uint32_t reg800[DINO800_REGS];

    MemoryRegion this_mem;            /* the chip's own MMIO registers */
    MemoryRegion pci_mem;             /* PCI bus memory */
    MemoryRegion pci_mem_alias[32];   /* outbound windows; 1..30 are used */

    /* Bus-master view of memory, handed out by dino_pcihost_set_iommu(). */
    AddressSpace bm_as;
    MemoryRegion bm;
    MemoryRegion bm_ram_alias;
    MemoryRegion bm_pci_alias;
    MemoryRegion bm_cpu_alias;
};

/*
 * Re-evaluate which outbound PCI windows are mapped into system memory.
 *
 * Dino can forward CPU memory accesses in the range 0xf0800000 to
 * 0xff000000 to the PCI bus.  Window i (1..30) is mapped when bits 7-8 of
 * IO_CONTROL read 0x01 and bit i of IO_ADDR_EN is set, and unmapped
 * otherwise.  Called after a guest write to either register.
 */
static void gsc_to_pci_forwarding(DinoState *s)
{
    const bool forwarding_on = (extract32(s->io_control, 7, 2) == 0x01);
    /* Mask out first (=firmware) and last (=Dino) areas. */
    uint32_t window_mask = s->io_addr_en & ~(BIT(31) | BIT(0));
    int win;

    /* Batch all map/unmap operations into one memory transaction. */
    memory_region_transaction_begin();
    for (win = 1; win < 31; win++) {
        MemoryRegion *alias = &s->pci_mem_alias[win];
        bool wanted = forwarding_on && (window_mask & (1U << win));
        bool mapped = memory_region_is_mapped(alias);

        if (wanted && !mapped) {
            uint32_t addr = 0xf0000000 + win * DINO_MEM_CHUNK_SIZE;
            memory_region_add_subregion(get_system_memory(), addr, alias);
        } else if (!wanted && mapped) {
            memory_region_del_subregion(get_system_memory(), alias);
        }
    }
    memory_region_transaction_commit();
}

/*
 * Access filter installed as dino_chip_ops.valid.accepts.
 *
 * Returns true only for offsets that the read and write handlers have a
 * case for; their "default: g_assert_not_reached()" arms rely on this
 * list.  The DINO_GMASK ... DINO_TLTIM range accepted here is the same
 * range the handlers turn into a reg800 index, so the array size
 * (DINO800_REGS) has to cover (DINO_TLTIM - DINO_GMASK) / 4.
 *
 * Byte offsets +1, +2 and +3 of DINO_PCI_IO_DATA are accepted only for
 * access sizes that stay inside the 4-byte register.
 */
static bool dino_chip_mem_valid(void *opaque, hwaddr addr,
                                unsigned size, bool is_write,
                                MemTxAttrs attrs)
{
    bool accepted;

    switch (addr) {
    case DINO_IAR0:
    case DINO_IAR1:
    case DINO_IRR0:
    case DINO_IRR1:
    case DINO_IMR:
    case DINO_IPR:
    case DINO_ICR:
    case DINO_ILR:
    case DINO_IO_CONTROL:
    case DINO_IO_FBB_EN:
    case DINO_IO_ADDR_EN:
    case DINO_PCI_IO_DATA:
    case DINO_TOC_ADDR:
    case DINO_GMASK ... DINO_TLTIM:
        accepted = true;
        break;
    case DINO_PCI_IO_DATA + 2:
        accepted = (size <= 2);
        break;
    case DINO_PCI_IO_DATA + 1:
    case DINO_PCI_IO_DATA + 3:
        accepted = (size == 1);
        break;
    default:
        /* Anything not listed above is rejected. */
        accepted = false;
        break;
    }

    trace_dino_chip_mem_valid(addr, accepted);
    return accepted;
}

/*
 * MMIO read handler for the Dino register window.
 *
 * Stores the register value in *data and returns the transaction result:
 * MEMTX_OK for plain registers, or whatever the PCI I/O load reported for
 * the DINO_PCI_IO_DATA window.  Reading DINO_IPR clears it.
 *
 * Only offsets accepted by dino_chip_mem_valid() are expected here; any
 * other offset hits g_assert_not_reached().
 */
static MemTxResult dino_chip_read_with_attrs(void *opaque, hwaddr addr,
                                             uint64_t *data, unsigned size,
                                             MemTxAttrs attrs)
{
    DinoState *s = opaque;
    MemTxResult result = MEMTX_OK;
    AddressSpace *pci_io;
    uint16_t port;
    uint32_t value;

    switch (addr) {
    case DINO_PCI_IO_DATA ... DINO_PCI_IO_DATA + 3:
        /* Read from PCI IO space, at the port selected by PCI_CONFIG_ADDR. */
        pci_io = &address_space_io;
        port = s->parent_obj.config_reg + (addr & 3);
        if (size == 1) {
            value = address_space_ldub(pci_io, port, attrs, &result);
        } else if (size == 2) {
            value = address_space_lduw_be(pci_io, port, attrs, &result);
        } else if (size == 4) {
            value = address_space_ldl_be(pci_io, port, attrs, &result);
        } else {
            g_assert_not_reached();
        }
        break;

    case DINO_IO_FBB_EN:
        value = s->io_fbb_en;
        break;
    case DINO_IO_ADDR_EN:
        value = s->io_addr_en;
        break;
    case DINO_IO_CONTROL:
        value = s->io_control;
        break;

    case DINO_IAR0:
        value = s->iar0;
        break;
    case DINO_IAR1:
        value = s->iar1;
        break;
    case DINO_IMR:
        value = s->imr;
        break;
    case DINO_ICR:
        value = s->icr;
        break;
    case DINO_IPR:
        /* Any read to IPR clears the register. */
        value = s->ipr;
        s->ipr = 0;
        break;
    case DINO_ILR:
        value = s->ilr;
        break;
    case DINO_IRR0:
        value = s->ilr & s->imr & ~s->icr;
        break;
    case DINO_IRR1:
        value = s->ilr & s->imr & s->icr;
        break;
    case DINO_TOC_ADDR:
        value = s->toc_addr;
        break;

    case DINO_GMASK ... DINO_TLTIM:
        /*
         * The index is at most (DINO_TLTIM - DINO_GMASK) / 4, which is
         * DINO800_REGS - 1, the last element of reg800[].
         */
        value = s->reg800[(addr - DINO_GMASK) / 4];
        switch (addr) {
        case DINO_PAMR:
            value &= ~0x01;                 /* LSB is hardwired to 0 */
            break;
        case DINO_MLTIM:
            value &= ~0x07;                 /* 3 LSB are hardwired to 0 */
            break;
        case DINO_BRDG_FEAT:
            /* Reserved bits read as 0: bits 3, 5-7, 12, 16-18 and 24. */
            value &= ~(0x10710E0ul | 8);
            break;
        default:
            break;
        }
        break;

    default:
        /* Controlled by dino_chip_mem_valid above. */
        g_assert_not_reached();
    }

    trace_dino_chip_read(addr, value);
    *data = value;
    return result;
}

/*
 * MMIO write handler for the Dino register window.
 *
 * Writes to the PCI I/O data window are forwarded to PCI I/O space and
 * return that store's result; every other accepted offset updates device
 * state and returns MEMTX_OK.  ILR, IRR0 and IRR1 are read-only and ignore
 * writes.  Offsets not accepted by dino_chip_mem_valid() hit
 * g_assert_not_reached().
 */
static MemTxResult dino_chip_write_with_attrs(void *opaque, hwaddr addr,
                                              uint64_t val, unsigned size,
                                              MemTxAttrs attrs)
{
    DinoState *s = opaque;
    AddressSpace *pci_io;
    MemTxResult result;
    uint16_t port;
    int idx;

    trace_dino_chip_write(addr, val);

    switch (addr) {
    /*
     * NOTE(review): this range starts at DINO_IO_DATA, while the read
     * handler and dino_chip_mem_valid() use DINO_PCI_IO_DATA.  DINO_IO_DATA
     * is not defined in this file, so it presumably comes from an included
     * header with the same offset - confirm.
     */
    case DINO_IO_DATA ... DINO_PCI_IO_DATA + 3:
        /* Write into PCI IO space, at the port selected by PCI_CONFIG_ADDR. */
        pci_io = &address_space_io;
        port = s->parent_obj.config_reg + (addr & 3);
        if (size == 1) {
            address_space_stb(pci_io, port, val, attrs, &result);
        } else if (size == 2) {
            address_space_stw_be(pci_io, port, val, attrs, &result);
        } else if (size == 4) {
            address_space_stl_be(pci_io, port, val, attrs, &result);
        } else {
            g_assert_not_reached();
        }
        return result;

    case DINO_IO_FBB_EN:
        s->io_fbb_en = val & 0x03;
        break;
    case DINO_IO_ADDR_EN:
        s->io_addr_en = val;
        gsc_to_pci_forwarding(s);
        break;
    case DINO_IO_CONTROL:
        s->io_control = val;
        gsc_to_pci_forwarding(s);
        break;

    case DINO_IAR0:
        s->iar0 = val;
        break;
    case DINO_IAR1:
        s->iar1 = val;
        break;
    case DINO_IMR:
        s->imr = val;
        break;
    case DINO_ICR:
        s->icr = val;
        break;
    case DINO_IPR:
        /* Any write to IPR clears the register. */
        s->ipr = 0;
        break;
    case DINO_TOC_ADDR:
        /* IO_COMMAND of CPU with client_id bits */
        s->toc_addr = 0xFFFA0030 | (val & 0x1e000);
        break;

    case DINO_ILR:
    case DINO_IRR0:
    case DINO_IRR1:
        /* These registers are read-only. */
        break;

    case DINO_GMASK ... DINO_TLTIM:
        /*
         * idx is at most (DINO_TLTIM - DINO_GMASK) / 4 == DINO800_REGS - 1,
         * so it is in bounds for both reg800_keep_bits[] and reg800[].
         */
        idx = (addr - DINO_GMASK) / 4;
        s->reg800[idx] = val & reg800_keep_bits[idx];
        break;

    default:
        /* Controlled by dino_chip_mem_valid above. */
        g_assert_not_reached();
    }

    return MEMTX_OK;
}

/*
 * MMIO callbacks for the Dino register window.  Accesses of 1 to 4 bytes
 * are allowed, and every access is first screened by dino_chip_mem_valid().
 */
static const MemoryRegionOps dino_chip_ops = {
    .read_with_attrs       = dino_chip_read_with_attrs,
    .write_with_attrs      = dino_chip_write_with_attrs,
    .endianness            = DEVICE_BIG_ENDIAN,
    .valid.min_access_size = 1,
    .valid.max_access_size = 4,
    .valid.accepts         = dino_chip_mem_valid,
    .impl.min_access_size  = 1,
    .impl.max_access_size  = 4,
};

/*
 * Migration description for DinoState.  The field order below is kept
 * exactly as it was.
 *
 * NOTE(review): reg800[] and config_reg_dino do not appear in this list -
 * confirm that leaving them out of the saved state is intended.
 */
static const VMStateDescription vmstate_dino = {
    .name               = "Dino",
    .version_id         = 2,
    .minimum_version_id = 1,
    .fields             = (VMStateField[]) {
        VMSTATE_UINT32(iar0, DinoState),
        VMSTATE_UINT32(iar1, DinoState),
        VMSTATE_UINT32(imr, DinoState),
        VMSTATE_UINT32(ipr, DinoState),
        VMSTATE_UINT32(icr, DinoState),
        VMSTATE_UINT32(ilr, DinoState),
        VMSTATE_UINT32(io_fbb_en, DinoState),
        VMSTATE_UINT32(io_addr_en, DinoState),
        VMSTATE_UINT32(io_control, DinoState),
        VMSTATE_UINT32(toc_addr, DinoState),
        VMSTATE_END_OF_LIST()
    }
};

/* Unlike pci_config_data_le_ops, no check of high bit set in config_reg. */

/*
 * Read PCI config space at the address latched in config_reg, with the low
 * two bits of the MMIO offset selecting the byte within the dword.
 */
static uint64_t dino_config_data_read(void *opaque, hwaddr addr, unsigned len)
{
    PCIHostState *host = opaque;
    const hwaddr cfg_addr = host->config_reg | (addr & 3);

    return pci_data_read(host->bus, cfg_addr, len);
}

/*
 * Write PCI config space at the address latched in config_reg, with the
 * low two bits of the MMIO offset selecting the byte within the dword.
 * As on the read side, the high bit of config_reg is not checked here.
 */
static void dino_config_data_write(void *opaque, hwaddr addr,
                                   uint64_t val, unsigned len)
{
    PCIHostState *host = opaque;
    const hwaddr cfg_addr = host->config_reg | (addr & 3);

    pci_data_write(host->bus, cfg_addr, val, len);
}

/* MMIO callbacks for the PCI config data register (little-endian). */
static const MemoryRegionOps dino_config_data_ops = {
    .endianness = DEVICE_LITTLE_ENDIAN,
    .read       = dino_config_data_read,
    .write      = dino_config_data_write,
};

/*
 * Return the PCI config address exactly as the guest last wrote it,
 * including the two low bits that are cleared in parent_obj.config_reg.
 */
static uint64_t dino_config_addr_read(void *opaque, hwaddr addr, unsigned len)
{
    const DinoState *dino = opaque;

    return dino->config_reg_dino;
}

/*
 * Latch a new PCI config address.  The raw value is kept for read-back;
 * the copy used for config and I/O accesses has its two low bits cleared.
 */
static void dino_config_addr_write(void *opaque, hwaddr addr,
                                   uint64_t val, unsigned len)
{
    DinoState *dino = opaque;

    /* keep a copy of original value */
    dino->config_reg_dino = val;
    /* parent_obj is the first member, so this is the PCIHostState view. */
    dino->parent_obj.config_reg = val & ~3U;
}

/* MMIO callbacks for the PCI config address register: 4-byte accesses only. */
static const MemoryRegionOps dino_config_addr_ops = {
    .endianness = DEVICE_BIG_ENDIAN,
    .valid = {
        .min_access_size = 4,
        .max_access_size = 4,
    },
    .read  = dino_config_addr_read,
    .write = dino_config_addr_write,
};

/*
 * IOMMU hook registered with pci_setup_iommu(): every device, whatever its
 * devfn, gets the same bus-master address space.
 */
static AddressSpace *dino_pcihost_set_iommu(PCIBus *bus, void *opaque,
                                            int devfn)
{
    return &((DinoState *)opaque)->bm_as;
}

/*
 * Dino interrupt lines, as shown on Page 78, Table 23
 * (little-endian bit numbers):
 *    0  PCI INTA
 *    1  PCI INTB
 *    2  PCI INTC
 *    3  PCI INTD
 *    4  PCI INTE
 *    5  PCI INTF
 *    6  GSC External Interrupt
 *    7  Bus Error for "less than fatal" mode
 *    8  PS2
 *    9  Unused
 *   10  RS232
 */

/*
 * Raise or lower interrupt line @irq.
 *
 * Lowering clears the bit in ILR.  Raising sets it in ILR; if the bit was
 * not already set it is also latched into IPR, and when it is enabled in
 * IMR the handler stores (iar & 31) at the address formed by clearing the
 * low five bits of iar, where iar is IAR1 if the bit is set in ICR and
 * IAR0 otherwise.
 *
 * The shift assumes 0 <= irq < 32.
 */
static void dino_set_irq(void *opaque, int irq, int level)
{
    DinoState *s = opaque;
    const uint32_t line = 1u << irq;
    const uint32_t prev_ilr = s->ilr;
    uint32_t newly_raised;

    if (!level) {
        s->ilr = prev_ilr & ~line;
        return;
    }

    newly_raised = line & ~prev_ilr;
    s->ipr |= newly_raised;
    s->ilr = prev_ilr | line;

    if (newly_raised & s->imr) {
        uint32_t iar = (newly_raised & s->icr) ? s->iar1 : s->iar0;

        stl_be_phys(&address_space_memory, iar & ~31u, iar & 31);
    }
}

/*
 * Map a device interrupt pin to a Dino interrupt line.  The pin number is
 * only range-checked; the result is the low two bits of the device's slot
 * number (devfn >> 3).
 */
static int dino_pci_map_irq(PCIDevice *d, int irq_num)
{
    assert(irq_num >= 0 && irq_num <= 3);

    return (d->devfn >> 3) & 0x03;
}

/* Handler for the IRQ returned through p_rtc_irq; intentionally a no-op. */
static void dino_set_timer_irq(void *opaque, int irq, int level)
{
    /* ??? Not connected. */
}

/* Handler for the IRQ returned through p_ser_irq: drives Dino line 10. */
static void dino_set_serial_irq(void *opaque, int irq, int level)
{
    /* Line 10 is RS232; its mask is RS232INT (0x400). */
    dino_set_irq(opaque, 10, level);
}

/*
 * Create the Dino host bridge and wire it into @addr_space.
 *
 * Maps the register window at DINO_HPA, places the PCI config address and
 * data registers inside it, registers the root PCI bus, prepares outbound
 * windows 1..30 (left unmapped until the guest enables them) and builds
 * the bus-master address space.
 *
 * @addr_space: memory region the register window is mapped into.
 * @p_rtc_irq:  receives an IRQ backed by dino_set_timer_irq().
 * @p_ser_irq:  receives an IRQ backed by dino_set_serial_irq().
 *
 * Returns the root PCI bus.
 */
PCIBus *dino_init(MemoryRegion *addr_space,
                  qemu_irq *p_rtc_irq, qemu_irq *p_ser_irq)
{
    DeviceState *dev;
    DinoState *dino;
    PCIBus *bus;
    int win;

    dev = qdev_create(NULL, TYPE_DINO_PCI_HOST_BRIDGE);
    dino = DINO_PCI_HOST_BRIDGE(dev);
    dino->iar0 = dino->iar1 = CPU_HPA + 3;
    dino->toc_addr = 0xFFFA0030; /* IO_COMMAND of CPU */

    /* Dino PCI access from main memory. */
    memory_region_init_io(&dino->this_mem, OBJECT(dino), &dino_chip_ops,
                          dino, "dino", 4096);
    memory_region_add_subregion(addr_space, DINO_HPA, &dino->this_mem);

    /* Dino PCI config. */
    memory_region_init_io(&dino->parent_obj.conf_mem,
                          OBJECT(&dino->parent_obj),
                          &dino_config_addr_ops, dev, "pci-conf-idx", 4);
    memory_region_init_io(&dino->parent_obj.data_mem,
                          OBJECT(&dino->parent_obj),
                          &dino_config_data_ops, dev, "pci-conf-data", 4);
    memory_region_add_subregion(&dino->this_mem, DINO_PCI_CONFIG_ADDR,
                                &dino->parent_obj.conf_mem);
    /*
     * NOTE(review): DINO_CONFIG_DATA is not defined in this file (the local
     * name is DINO_PCI_CONFIG_DATA); presumably an included header supplies
     * it with the same offset - confirm.
     */
    memory_region_add_subregion(&dino->this_mem, DINO_CONFIG_DATA,
                                &dino->parent_obj.data_mem);

    /* Dino PCI bus memory. */
    memory_region_init(&dino->pci_mem, OBJECT(dino), "pci-memory", 1ull << 32);

    bus = pci_register_root_bus(dev, "pci", dino_set_irq, dino_pci_map_irq,
                                dino, &dino->pci_mem, get_system_io(),
                                PCI_DEVFN(0, 0), 32, TYPE_PCI_BUS);
    dino->parent_obj.bus = bus;
    qdev_init_nofail(dev);

    /* Set up windows into PCI bus memory. */
    for (win = 1; win < 31; win++) {
        uint32_t addr = 0xf0000000 + win * DINO_MEM_CHUNK_SIZE;
        char *name = g_strdup_printf("PCI Outbound Window %d", win);

        memory_region_init_alias(&dino->pci_mem_alias[win], OBJECT(dino),
                                 name, &dino->pci_mem, addr,
                                 DINO_MEM_CHUNK_SIZE);
        g_free(name);
    }

    /* Set up PCI view of memory: Bus master address space. */
    memory_region_init(&dino->bm, OBJECT(dino), "bm-dino", 1ull << 32);
    memory_region_init_alias(&dino->bm_ram_alias, OBJECT(dino),
                             "bm-system", addr_space, 0,
                             0xf0000000 + DINO_MEM_CHUNK_SIZE);
    memory_region_init_alias(&dino->bm_pci_alias, OBJECT(dino),
                             "bm-pci", &dino->pci_mem,
                             0xf0000000 + DINO_MEM_CHUNK_SIZE,
                             30 * DINO_MEM_CHUNK_SIZE);
    /* NOTE(review): the size is 0xfffff, not 0x100000 - confirm intended. */
    memory_region_init_alias(&dino->bm_cpu_alias, OBJECT(dino),
                             "bm-cpu", addr_space, 0xfff00000,
                             0xfffff);
    memory_region_add_subregion(&dino->bm, 0,
                                &dino->bm_ram_alias);
    memory_region_add_subregion(&dino->bm,
                                0xf0000000 + DINO_MEM_CHUNK_SIZE,
                                &dino->bm_pci_alias);
    memory_region_add_subregion(&dino->bm, 0xfff00000,
                                &dino->bm_cpu_alias);
    address_space_init(&dino->bm_as, &dino->bm, "pci-bm");
    pci_setup_iommu(bus, dino_pcihost_set_iommu, dino);

    *p_rtc_irq = qemu_allocate_irq(dino_set_timer_irq, dino, 0);
    *p_ser_irq = qemu_allocate_irq(dino_set_serial_irq, dino, 0);

    return bus;
}

/* Class initialiser: attach the migration description to the device class. */
static void dino_pcihost_class_init(ObjectClass *klass, void *data)
{
    DEVICE_CLASS(klass)->vmsd = &vmstate_dino;
}

/* QOM type record for the Dino host bridge, a TYPE_PCI_HOST_BRIDGE child. */
static const TypeInfo dino_pcihost_info = {
    .name          = TYPE_DINO_PCI_HOST_BRIDGE,
    .parent        = TYPE_PCI_HOST_BRIDGE,
    .class_init    = dino_pcihost_class_init,
    .instance_size = sizeof(DinoState),
};

/* Register the Dino host bridge type; hooked up through type_init() below. */
static void dino_register_types(void)
{
    type_register_static(&dino_pcihost_info);
}

type_init(dino_register_types)