1 /*
2 * Intel XScale PXA255/270 MultiMediaCard/SD/SDIO Controller emulation.
4 * Copyright (c) 2006 Openedhand Ltd.
5 * Written by Andrzej Zaborowski <balrog@zabor.org>
7 * This code is licensed under the GPLv2.
8 */
10 #include "hw.h"
11 #include "pxa.h"
12 #include "sd.h"
/*
 * State of one emulated PXA2xx MMC/SD controller.
 *
 * Every field below except irq, dma, card and ac_width is written to and
 * restored from the savevm stream by pxa2xx_mmci_save()/pxa2xx_mmci_load().
 */
struct PXA2xxMMCIState {
    qemu_irq irq;           /* line driven by pxa2xx_mmci_int_update() */
    void *dma;              /* opaque handle handed to pxa2xx_dma_request() */

    SDState *card;          /* card model created by sd_init() */

    /* Guest-visible registers; each is masked on write in pxa2xx_mmci_write(). */
    uint32_t status;
    uint32_t clkrt;
    uint32_t spi;
    uint32_t cmdat;
    uint32_t resp_tout;
    uint32_t read_tout;
    int blklen;             /* written as value & 0xfff */
    int numblk;             /* written as value & 0xffff */
    uint32_t intmask;
    uint32_t intreq;
    int cmd;                /* written as value & 0x3f */
    uint32_t arg;           /* assembled from MMC_ARGH / MMC_ARGL */

    int active;             /* non-zero while a command or its data phase runs */
    int bytesleft;          /* bytes still to move; set to numblk * blklen */

    /* Transmit ring: indices are masked with 0x1f, MMC_PRTBUF flips bit 5 of tx_start. */
    uint8_t tx_fifo[64];
    int tx_start;
    int tx_len;

    /* Receive ring: filled until rx_len reaches 32. */
    uint8_t rx_fifo[32];
    int rx_start;
    int rx_len;

    /* Response halfwords; resp_len is the next index returned by MMC_RES. */
    uint16_t resp_fifo[9];
    int resp_len;

    int cmdreq;             /* set by a MMC_CMDAT write, cleared when the command is issued */
    int ac_width;           /* width in bytes (1, 2 or 4) of the current MMIO access */
};
/* Register offsets, relative to the base passed to pxa2xx_mmci_init(). */
#define MMC_STRPCL      0x00    /* MMC Clock Start/Stop register */
#define MMC_STAT        0x04    /* MMC Status register */
#define MMC_CLKRT       0x08    /* MMC Clock Rate register */
#define MMC_SPI         0x0c    /* MMC SPI Mode register */
#define MMC_CMDAT       0x10    /* MMC Command/Data register */
#define MMC_RESTO       0x14    /* MMC Response Time-Out register */
#define MMC_RDTO        0x18    /* MMC Read Time-Out register */
#define MMC_BLKLEN      0x1c    /* MMC Block Length register */
#define MMC_NUMBLK      0x20    /* MMC Number of Blocks register */
#define MMC_PRTBUF      0x24    /* MMC Buffer Partly Full register */
#define MMC_I_MASK      0x28    /* MMC Interrupt Mask register */
#define MMC_I_REG       0x2c    /* MMC Interrupt Request register */
#define MMC_CMD         0x30    /* MMC Command register */
#define MMC_ARGH        0x34    /* MMC Argument High register */
#define MMC_ARGL        0x38    /* MMC Argument Low register */
#define MMC_RES         0x3c    /* MMC Response FIFO */
#define MMC_RXFIFO      0x40    /* MMC Receive FIFO */
#define MMC_TXFIFO      0x44    /* MMC Transmit FIFO */
#define MMC_RDWAIT      0x48    /* MMC RD_WAIT register */
#define MMC_BLKS_REM    0x4c    /* MMC Blocks Remaining register */
/* Bitfield masks, grouped by the register they belong to. */

/* MMC_STRPCL */
#define STRPCL_STOP_CLK     (1 << 0)
#define STRPCL_STRT_CLK     (1 << 1)

/* MMC_STAT */
#define STAT_TOUT_RES       (1 << 1)
#define STAT_CLK_EN         (1 << 8)
#define STAT_DATA_DONE      (1 << 11)
#define STAT_PRG_DONE       (1 << 12)
#define STAT_END_CMDRES     (1 << 13)

/* MMC_SPI */
#define SPI_SPI_MODE        (1 << 0)

/* MMC_CMDAT */
#define CMDAT_RES_TYPE      (3 << 0)
#define CMDAT_DATA_EN       (1 << 2)
#define CMDAT_WR_RD         (1 << 3)
#define CMDAT_DMA_EN        (1 << 7)
#define CMDAT_STOP_TRAN     (1 << 10)

/* MMC_I_MASK and MMC_I_REG */
#define INT_DATA_DONE       (1 << 0)
#define INT_PRG_DONE        (1 << 1)
#define INT_END_CMD         (1 << 2)
#define INT_STOP_CMD        (1 << 3)
#define INT_CLK_OFF         (1 << 4)
#define INT_RXFIFO_REQ      (1 << 5)
#define INT_TXFIFO_REQ      (1 << 6)
#define INT_TINT            (1 << 7)
#define INT_DAT_ERR         (1 << 8)
#define INT_RES_ERR         (1 << 9)
#define INT_RD_STALLED      (1 << 10)
#define INT_SDIO_INT        (1 << 11)
#define INT_SDIO_SACK       (1 << 12)

/* MMC_PRTBUF */
#define PRTBUF_PRT_BUF      (1 << 0)
/*
 * Route internal interrupt lines to the global IC and DMA.
 *
 * With CMDAT_DMA_EN set, the two FIFO request bits are forwarded to the DMA
 * controller and are kept away from the CPU interrupt line; every other
 * pending bit that is not masked raises the IRQ.
 */
static void pxa2xx_mmci_int_update(PXA2xxMMCIState *s)
{
    uint32_t hidden = s->intmask;

    if (s->cmdat & CMDAT_DMA_EN) {
        /* FIFO service requests are handled by DMA, not by the CPU. */
        hidden |= INT_RXFIFO_REQ | INT_TXFIFO_REQ;

        pxa2xx_dma_request(s->dma, PXA2XX_RX_RQ_MMCI,
                           (s->intreq & INT_RXFIFO_REQ) != 0);
        pxa2xx_dma_request(s->dma, PXA2XX_TX_RQ_MMCI,
                           (s->intreq & INT_TXFIFO_REQ) != 0);
    }

    qemu_set_irq(s->irq, (s->intreq & ~hidden) != 0);
}
/*
 * Move data between the FIFOs and the card while a transfer is active.
 *
 * Write direction (CMDAT_WR_RD set): drains tx_fifo into the card and asks
 * for more data while bytes remain.  Read direction: fills rx_fifo from the
 * card until it holds 32 bytes or the transfer is exhausted.  When bytesleft
 * reaches zero the transfer is marked done, and the interrupt lines are
 * refreshed in every case.
 */
static void pxa2xx_mmci_fifo_update(PXA2xxMMCIState *s)
{
    if (!s->active) {
        return;
    }

    if (s->cmdat & CMDAT_WR_RD) {
        while (s->bytesleft && s->tx_len) {
            uint8_t out = s->tx_fifo[s->tx_start++];

            sd_write_data(s->card, out);
            /* The read index wraps at 32 although the array holds 64 bytes. */
            s->tx_start &= 0x1f;
            s->tx_len--;
            s->bytesleft--;
        }
        if (s->bytesleft) {
            s->intreq |= INT_TXFIFO_REQ;
        }
    } else {
        while (s->bytesleft && s->rx_len < 32) {
            uint8_t in = sd_read_data(s->card);

            s->rx_fifo[(s->rx_start + s->rx_len) & 0x1f] = in;
            s->rx_len++;
            s->bytesleft--;
            s->intreq |= INT_RXFIFO_REQ;
        }
    }

    if (!s->bytesleft) {
        s->active = 0;
        s->intreq |= INT_DATA_DONE;
        s->status |= STAT_DATA_DONE;

        /* Writes additionally report programming done. */
        if (s->cmdat & CMDAT_WR_RD) {
            s->intreq |= INT_PRG_DONE;
            s->status |= STAT_PRG_DONE;
        }
    }

    pxa2xx_mmci_int_update(s);
}
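/*
 * Issue the latched command (cmd/arg) to the card and latch its response.
 *
 * Resets both data FIFOs, sends the request through sd_do_command(), packs
 * the returned bytes into resp_fifo as 16-bit words, and either starts the
 * data phase (CMDAT_DATA_EN) or ends the command.  A response shorter than
 * the type selected in CMDAT_RES_TYPE is reported as a response time-out.
 */
static void pxa2xx_mmci_wakequeues(PXA2xxMMCIState *s)
{
    int rsplen, i;
    SDRequest request;
    /*
     * Zero-filled: the copy loop below consumes bytes in pairs, so an odd
     * response length would otherwise hand one uninitialised stack byte to
     * the guest through MMC_RES.
     */
    uint8_t response[16] = { 0 };

    s->active = 1;
    s->rx_len = 0;
    s->tx_len = 0;
    s->cmdreq = 0;

    request.cmd = s->cmd;
    request.arg = s->arg;
    request.crc = 0;	/* FIXME */

    rsplen = sd_do_command(s->card, &request, response);
    s->intreq |= INT_END_CMD;

    /*
     * NOTE(review): the upper bound of sd_do_command()'s return value is not
     * visible in this file.  The copy loop indexes response[] (16 bytes) and
     * resp_fifo[] (9 halfwords) by that length alone, so clamp it here
     * rather than rely on the callee.
     */
    if (rsplen > (int) sizeof(response)) {
        rsplen = (int) sizeof(response);
    }

    memset(s->resp_fifo, 0, sizeof(s->resp_fifo));
    switch (s->cmdat & CMDAT_RES_TYPE) {
#define PXAMMCI_RESP(wd, value0, value1)	\
        s->resp_fifo[(wd) + 0] |= (value0);	\
        s->resp_fifo[(wd) + 1] |= (value1) << 8;
    case 0:	/* No response */
        goto complete;

    case 1:	/* R1, R4, R5 or R6 */
        if (rsplen < 4)
            goto timeout;
        goto complete;

    case 2:	/* R2 */
        if (rsplen < 16)
            goto timeout;
        goto complete;

    case 3:	/* R3 */
        if (rsplen < 4)
            goto timeout;
        goto complete;

    complete:
        /* With rsplen <= 16 the highest halfword touched is resp_fifo[8]. */
        for (i = 0; rsplen > 0; i ++, rsplen -= 2) {
            PXAMMCI_RESP(i, response[i * 2], response[i * 2 + 1]);
        }
        s->status |= STAT_END_CMDRES;

        if (!(s->cmdat & CMDAT_DATA_EN))
            s->active = 0;
        else
            s->bytesleft = s->numblk * s->blklen;

        s->resp_len = 0;
        break;

    timeout:
        s->active = 0;
        s->status |= STAT_TOUT_RES;
        break;
    }

    pxa2xx_mmci_fifo_update(s);
}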
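/*
 * Guest read of a controller register.
 *
 * opaque is the PXA2xxMMCIState, offset the register offset.  The access
 * width must already be stored in s->ac_width by one of the readb/readh/readw
 * wrappers; MMC_RXFIFO consumes it.  Reading MMC_RES or MMC_RXFIFO advances
 * the respective FIFO.
 */
static uint32_t pxa2xx_mmci_read(void *opaque, target_phys_addr_t offset)
{
    PXA2xxMMCIState *s = (PXA2xxMMCIState *) opaque;
    uint32_t ret;

    switch (offset) {
    case MMC_STRPCL:
        return 0;
    case MMC_STAT:
        return s->status;
    case MMC_CLKRT:
        return s->clkrt;
    case MMC_SPI:
        return s->spi;
    case MMC_CMDAT:
        return s->cmdat;
    case MMC_RESTO:
        return s->resp_tout;
    case MMC_RDTO:
        return s->read_tout;
    case MMC_BLKLEN:
        return s->blklen;
    case MMC_NUMBLK:
        return s->numblk;
    case MMC_PRTBUF:
        return 0;
    case MMC_I_MASK:
        return s->intmask;
    case MMC_I_REG:
        return s->intreq;
    case MMC_CMD:
        return s->cmd | 0x40;
    case MMC_ARGH:
        return s->arg >> 16;
    case MMC_ARGL:
        return s->arg & 0xffff;
    case MMC_RES:
        /* resp_len is the read cursor; past the ninth halfword reads give 0. */
        if (s->resp_len < 9)
            return s->resp_fifo[s->resp_len ++];
        return 0;
    case MMC_RXFIFO:
        ret = 0;
        while (s->ac_width -- && s->rx_len) {
            /*
             * Widen before shifting: the byte would otherwise be promoted to
             * a signed int, and a value >= 0x80 shifted left by 24 overflows
             * it, which is undefined behaviour.
             */
            ret |= (uint32_t) s->rx_fifo[s->rx_start ++] << (s->ac_width << 3);
            s->rx_start &= 0x1f;
            s->rx_len --;
        }
        s->intreq &= ~INT_RXFIFO_REQ;
        pxa2xx_mmci_fifo_update(s);
        return ret;
    case MMC_RDWAIT:
        return 0;
    case MMC_BLKS_REM:
        return s->numblk;
    default:
        /*
         * NOTE(review): the guest chooses the offset, so this path is
         * guest-reachable; hw_error() presumably stops the emulator --
         * confirm against its definition.
         */
        hw_error("%s: Bad offset " REG_FMT "\n", __FUNCTION__, offset);
    }

    return 0;
}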
/*
 * Guest write to a controller register.
 *
 * Each register keeps only the bits selected by its mask.  Writes to
 * MMC_STRPCL and MMC_CMDAT may start the latched command; MMC_TXFIFO consumes
 * s->ac_width, which the writeb/writeh/writew wrappers set beforehand.
 */
static void pxa2xx_mmci_write(void *opaque,
                target_phys_addr_t offset, uint32_t value)
{
    PXA2xxMMCIState *s = opaque;

    switch (offset) {
    case MMC_STRPCL:
        if (value & STRPCL_STRT_CLK) {
            s->status |= STAT_CLK_EN;
            s->intreq &= ~INT_CLK_OFF;

            /* A command latched while the clock was off is issued now. */
            if (s->cmdreq && !(s->cmdat & CMDAT_STOP_TRAN)) {
                s->status &= STAT_CLK_EN;
                pxa2xx_mmci_wakequeues(s);
            }
        }

        if (value & STRPCL_STOP_CLK) {
            s->status &= ~STAT_CLK_EN;
            s->intreq |= INT_CLK_OFF;
            s->active = 0;
        }

        pxa2xx_mmci_int_update(s);
        break;

    case MMC_CLKRT:
        s->clkrt = value & 7;
        break;

    case MMC_SPI:
        s->spi = value & 0xf;
        if (value & SPI_SPI_MODE) {
            printf("%s: attempted to use card in SPI mode\n", __FUNCTION__);
        }
        break;

    case MMC_CMDAT:
        s->cmdat = value & 0x3dff;
        s->active = 0;
        s->cmdreq = 1;
        if (!(value & CMDAT_STOP_TRAN)) {
            /* Drop every status bit except the clock-enable flag. */
            s->status &= STAT_CLK_EN;

            if (s->status & STAT_CLK_EN) {
                pxa2xx_mmci_wakequeues(s);
            }
        }

        pxa2xx_mmci_int_update(s);
        break;

    case MMC_RESTO:
        s->resp_tout = value & 0x7f;
        break;

    case MMC_RDTO:
        s->read_tout = value & 0xffff;
        break;

    case MMC_BLKLEN:
        s->blklen = value & 0xfff;
        break;

    case MMC_NUMBLK:
        s->numblk = value & 0xffff;
        break;

    case MMC_PRTBUF:
        if (value & PRTBUF_PRT_BUF) {
            s->tx_start ^= 32;
            s->tx_len = 0;
        }
        pxa2xx_mmci_fifo_update(s);
        break;

    case MMC_I_MASK:
        s->intmask = value & 0x1fff;
        pxa2xx_mmci_int_update(s);
        break;

    case MMC_CMD:
        s->cmd = value & 0x3f;
        break;

    case MMC_ARGH:
        /* Replace the upper half of the argument, keep the lower half. */
        s->arg = (s->arg & 0x0000ffff) | (value << 16);
        break;

    case MMC_ARGL:
        /* Replace the lower half of the argument, keep the upper half. */
        s->arg = (s->arg & 0xffff0000) | (value & 0x0000ffff);
        break;

    case MMC_TXFIFO:
        /* Queue up to ac_width bytes, most significant first, while fewer than 32 are held. */
        while (s->ac_width -- && s->tx_len < 0x20) {
            int slot = (s->tx_start + s->tx_len) & 0x1f;

            s->tx_fifo[slot] = (value >> (s->ac_width << 3)) & 0xff;
            s->tx_len ++;
        }
        s->intreq &= ~INT_TXFIFO_REQ;
        pxa2xx_mmci_fifo_update(s);
        break;

    case MMC_RDWAIT:
    case MMC_BLKS_REM:
        break;

    default:
        hw_error("%s: Bad offset " REG_FMT "\n", __FUNCTION__, offset);
    }
}
/* Byte-wide read: records an access width of 1, then performs the register read. */
static uint32_t pxa2xx_mmci_readb(void *opaque, target_phys_addr_t offset)
{
    PXA2xxMMCIState *state = opaque;

    state->ac_width = 1;
    return pxa2xx_mmci_read(opaque, offset);
}
/* Halfword read: records an access width of 2, then performs the register read. */
static uint32_t pxa2xx_mmci_readh(void *opaque, target_phys_addr_t offset)
{
    PXA2xxMMCIState *state = opaque;

    state->ac_width = 2;
    return pxa2xx_mmci_read(opaque, offset);
}
/* Word read: records an access width of 4, then performs the register read. */
static uint32_t pxa2xx_mmci_readw(void *opaque, target_phys_addr_t offset)
{
    PXA2xxMMCIState *state = opaque;

    state->ac_width = 4;
    return pxa2xx_mmci_read(opaque, offset);
}
/* Read handlers passed to cpu_register_io_memory(), in order of access width. */
static CPUReadMemoryFunc *pxa2xx_mmci_readfn[] = {
    pxa2xx_mmci_readb,  /* sets ac_width = 1 */
    pxa2xx_mmci_readh,  /* sets ac_width = 2 */
    pxa2xx_mmci_readw   /* sets ac_width = 4 */
};
/* Byte-wide write: records an access width of 1, then performs the register write. */
static void pxa2xx_mmci_writeb(void *opaque,
                target_phys_addr_t offset, uint32_t value)
{
    PXA2xxMMCIState *state = opaque;

    state->ac_width = 1;
    pxa2xx_mmci_write(opaque, offset, value);
}
/* Halfword write: records an access width of 2, then performs the register write. */
static void pxa2xx_mmci_writeh(void *opaque,
                target_phys_addr_t offset, uint32_t value)
{
    PXA2xxMMCIState *state = opaque;

    state->ac_width = 2;
    pxa2xx_mmci_write(opaque, offset, value);
}
/* Word write: records an access width of 4, then performs the register write. */
static void pxa2xx_mmci_writew(void *opaque,
                target_phys_addr_t offset, uint32_t value)
{
    PXA2xxMMCIState *state = opaque;

    state->ac_width = 4;
    pxa2xx_mmci_write(opaque, offset, value);
}
/* Write handlers passed to cpu_register_io_memory(), in order of access width. */
static CPUWriteMemoryFunc *pxa2xx_mmci_writefn[] = {
    pxa2xx_mmci_writeb, /* sets ac_width = 1 */
    pxa2xx_mmci_writeh, /* sets ac_width = 2 */
    pxa2xx_mmci_writew  /* sets ac_width = 4 */
};
/*
 * Serialise the controller state into a savevm stream.
 *
 * Registers are written first, then each data FIFO as a one-byte length
 * followed by its contents in ring order, and finally the response read
 * cursor followed by the response halfwords from that cursor onwards.
 * pxa2xx_mmci_load() reads the fields back in the same order.
 */
static void pxa2xx_mmci_save(QEMUFile *f, void *opaque)
{
    PXA2xxMMCIState *s = opaque;
    int n;

    qemu_put_be32s(f, &s->status);
    qemu_put_be32s(f, &s->clkrt);
    qemu_put_be32s(f, &s->spi);
    qemu_put_be32s(f, &s->cmdat);
    qemu_put_be32s(f, &s->resp_tout);
    qemu_put_be32s(f, &s->read_tout);
    qemu_put_be32(f, s->blklen);
    qemu_put_be32(f, s->numblk);
    qemu_put_be32s(f, &s->intmask);
    qemu_put_be32s(f, &s->intreq);
    qemu_put_be32(f, s->cmd);
    qemu_put_be32s(f, &s->arg);
    qemu_put_be32(f, s->cmdreq);
    qemu_put_be32(f, s->active);
    qemu_put_be32(f, s->bytesleft);

    /* Transmit FIFO, unrolled from tx_start so the loader can restart at 0. */
    qemu_put_byte(f, s->tx_len);
    for (n = 0; n < s->tx_len; n++) {
        qemu_put_byte(f, s->tx_fifo[(s->tx_start + n) & 63]);
    }

    /* Receive FIFO, unrolled from rx_start in the same way. */
    qemu_put_byte(f, s->rx_len);
    for (n = 0; n < s->rx_len; n++) {
        qemu_put_byte(f, s->rx_fifo[(s->rx_start + n) & 31]);
    }

    /* Only the response words that have not been read yet are stored. */
    qemu_put_byte(f, s->resp_len);
    for (n = s->resp_len; n < 9; n++) {
        qemu_put_be16s(f, &s->resp_fifo[n]);
    }
}
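/*
 * Restore the controller state from a savevm/migration stream.
 *
 * The stream is external input, so every field that later sizes a copy or
 * feeds arithmetic is range-checked against what the register interface can
 * produce.  Fields are read in the order pxa2xx_mmci_save() writes them.
 *
 * Returns 0 on success and -EINVAL when a field is out of range; in that
 * case the fields read before the failing one have already been overwritten.
 * version_id is not consulted.
 */
static int pxa2xx_mmci_load(QEMUFile *f, void *opaque, int version_id)
{
    PXA2xxMMCIState *s = (PXA2xxMMCIState *) opaque;
    int i;

    qemu_get_be32s(f, &s->status);
    qemu_get_be32s(f, &s->clkrt);
    qemu_get_be32s(f, &s->spi);
    qemu_get_be32s(f, &s->cmdat);
    qemu_get_be32s(f, &s->resp_tout);
    qemu_get_be32s(f, &s->read_tout);
    s->blklen = qemu_get_be32(f);
    s->numblk = qemu_get_be32(f);
    qemu_get_be32s(f, &s->intmask);
    qemu_get_be32s(f, &s->intreq);
    s->cmd = qemu_get_be32(f);
    qemu_get_be32s(f, &s->arg);
    s->cmdreq = qemu_get_be32(f);
    s->active = qemu_get_be32(f);
    s->bytesleft = qemu_get_be32(f);

    /*
     * A guest can only store blklen <= 0xfff and numblk <= 0xffff (see the
     * masks in pxa2xx_mmci_write()).  Larger or negative values from the
     * stream would overflow the signed product numblk * blklen computed in
     * pxa2xx_mmci_wakequeues().  bytesleft is set from that product and only
     * counts down, so it must lie between 0 and the largest product; a
     * negative value would keep a transfer from ever completing.
     */
    if (s->blklen < 0 || s->blklen > 0xfff ||
        s->numblk < 0 || s->numblk > 0xffff ||
        s->bytesleft < 0 || s->bytesleft > 0xfff * 0xffff)
        return -EINVAL;

    s->tx_len = qemu_get_byte(f);
    s->tx_start = 0;
    if (s->tx_len >= sizeof(s->tx_fifo) || s->tx_len < 0)
        return -EINVAL;
    for (i = 0; i < s->tx_len; i ++)
        s->tx_fifo[i] = qemu_get_byte(f);

    s->rx_len = qemu_get_byte(f);
    s->rx_start = 0;
    /*
     * A completely full receive FIFO (rx_len == 32) is a normal state:
     * pxa2xx_mmci_fifo_update() fills it until rx_len reaches 32, and
     * pxa2xx_mmci_save() then writes 32 bytes.  Reject only lengths that
     * exceed the array, so such a snapshot loads; the copy below still stays
     * within rx_fifo[0..31].
     */
    if (s->rx_len > (int) sizeof(s->rx_fifo) || s->rx_len < 0)
        return -EINVAL;
    for (i = 0; i < s->rx_len; i ++)
        s->rx_fifo[i] = qemu_get_byte(f);

    s->resp_len = qemu_get_byte(f);
    if (s->resp_len > 9 || s->resp_len < 0)
        return -EINVAL;
    /* Only the unread tail of the response FIFO is present in the stream. */
    for (i = s->resp_len; i < 9; i ++)
        qemu_get_be16s(f, &s->resp_fifo[i]);

    return 0;
}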
/*
 * Create one MMC/SD controller instance.
 *
 * Allocates zeroed state, maps a 0x00100000-byte MMIO region at base with
 * the byte/halfword/word handler tables, creates the card model on top of
 * bd, and registers the save/load handlers under the name "pxa2xx_mmci".
 * Returns the new state.
 */
PXA2xxMMCIState *pxa2xx_mmci_init(target_phys_addr_t base,
                BlockDriverState *bd, qemu_irq irq, void *dma)
{
    PXA2xxMMCIState *s = qemu_mallocz(sizeof(*s));
    int io_index;

    s->irq = irq;
    s->dma = dma;

    io_index = cpu_register_io_memory(pxa2xx_mmci_readfn,
                    pxa2xx_mmci_writefn, s);
    cpu_register_physical_memory(base, 0x00100000, io_index);

    /* Instantiate the actual storage */
    s->card = sd_init(bd, 0);

    register_savevm("pxa2xx_mmci", 0, 0,
                    pxa2xx_mmci_save, pxa2xx_mmci_load, s);

    return s;
}
/*
 * Hand the two board-level IRQ lines to the card model: both are forwarded
 * unchanged to sd_set_cb() for the card attached to this controller.
 */
void pxa2xx_mmci_handlers(PXA2xxMMCIState *s, qemu_irq readonly,
                qemu_irq coverswitch)
{
    SDState *card = s->card;

    sd_set_cb(card, readonly, coverswitch);
}