1 /*
2 * Intel XScale PXA255/270 DMA controller.
4 * Copyright (c) 2006 Openedhand Ltd.
5 * Copyright (c) 2006 Thorsten Zitterell
6 * Written by Andrzej Zaborowski <balrog@zabor.org>
8 * This code is licenced under the GPL.
9 */
11 #include "hw.h"
12 #include "pxa.h"
/* Register state kept for a single DMA channel. */
typedef struct {
    target_phys_addr_t descr;   /* exposed to the guest as DDADR */
    target_phys_addr_t src;     /* exposed to the guest as DSADR */
    target_phys_addr_t dest;    /* exposed to the guest as DTADR */
    uint32_t cmd;               /* exposed to the guest as DCMD */
    uint32_t state;             /* DCSR_* bits of this channel */
    int request;                /* level last passed to pxa2xx_dma_request() */
} PXA2xxDMAChannel;
/* Handler signature that lets the DMA controller be used as a PIC. */
typedef void (*pxa2xx_dma_handler_t)(void *opaque, int irq, int level);

/* State of one PXA2xx DMA controller instance. */
struct PXA2xxDMAState {
    pxa2xx_dma_handler_t handler;
    qemu_irq irq;

    /* Per-cause interrupt summaries, one bit per channel (bit n = channel n). */
    uint32_t stopintr;
    uint32_t eorintr;
    uint32_t rasintr;
    uint32_t startintr;
    uint32_t endintr;

    uint32_t align;             /* DALGN register value */
    uint32_t pio;               /* DPCSR register value */

    int channels;               /* number of entries in chan[] */
    PXA2xxDMAChannel *chan;

    /* PXA2XX_DMA_NUM_REQUESTS request-to-channel map bytes (DRCMR values). */
    uint8_t *req;

    /* Nesting counter used to avoid recursive DMA invocations. */
    int running;
};
/* Channel counts of the two supported controller variants. */
#define PXA255_DMA_NUM_CHANNELS 16
#define PXA27X_DMA_NUM_CHANNELS 32

/* Number of request lines, i.e. of DRCMR registers (0..74). */
#define PXA2XX_DMA_NUM_REQUESTS 75

/* Register offsets inside the controller's MMIO window. */
#define DCSR0 0x0000 /* DMA Control / Status register for Channel 0 */
#define DCSR31 0x007c /* DMA Control / Status register for Channel 31 */
#define DALGN 0x00a0 /* DMA Alignment register */
#define DPCSR 0x00a4 /* DMA Programmed I/O Control Status register */
#define DRQSR0 0x00e0 /* DMA DREQ<0> Status register */
#define DRQSR1 0x00e4 /* DMA DREQ<1> Status register */
#define DRQSR2 0x00e8 /* DMA DREQ<2> Status register */
#define DINT 0x00f0 /* DMA Interrupt register */
#define DRCMR0 0x0100 /* Request to Channel Map register 0 */
#define DRCMR63 0x01fc /* Request to Channel Map register 63 */
#define D_CH0 0x0200 /* Channel 0 Descriptor start */
#define DRCMR64 0x1100 /* Request to Channel Map register 64 */
#define DRCMR74 0x1128 /* Request to Channel Map register 74 */

/* Word index of each per-channel register (also the descriptor word index). */
#define DDADR 0x00
#define DSADR 0x01
#define DTADR 0x02
#define DCMD 0x03

/* Bit-field masks */
#define DRCMR_CHLNUM 0x1f
#define DRCMR_MAPVLD (1 << 7)
#define DDADR_STOP (1 << 0)
#define DDADR_BREN (1 << 1)
#define DCMD_LEN 0x1fff
/*
 * Transfer width in bytes from DCMD bits 15:14.  A field value of 0 makes
 * the shift count -1, which is undefined: callers have to reject that
 * encoding before expanding this macro on a guest-supplied command word.
 */
#define DCMD_WIDTH(x) (1 << ((((x) >> 14) & 3) - 1))
/* Burst size in bytes from DCMD bits 17:16: 4, 8, 16 or 32. */
#define DCMD_SIZE(x) (4 << (((x) >> 16) & 3))
#define DCMD_FLYBYT (1 << 19)
#define DCMD_FLYBYS (1 << 20)
#define DCMD_ENDIRQEN (1 << 21)
#define DCMD_STARTIRQEN (1 << 22)
#define DCMD_CMPEN (1 << 25)
#define DCMD_FLOWTRG (1 << 28)
#define DCMD_FLOWSRC (1 << 29)
#define DCMD_INCTRGADDR (1 << 30)
#define DCMD_INCSRCADDR (1 << 31)
#define DCSR_BUSERRINTR (1 << 0)
#define DCSR_STARTINTR (1 << 1)
#define DCSR_ENDINTR (1 << 2)
#define DCSR_STOPINTR (1 << 3)
#define DCSR_RASINTR (1 << 4)
#define DCSR_REQPEND (1 << 8)
#define DCSR_EORINT (1 << 9)
#define DCSR_CMPST (1 << 10)
#define DCSR_MASKRUN (1 << 22)
#define DCSR_RASIRQEN (1 << 23)
#define DCSR_CLRCMPST (1 << 24)
#define DCSR_SETCMPST (1 << 25)
#define DCSR_EORSTOPEN (1 << 26)
#define DCSR_EORJMPEN (1 << 27)
#define DCSR_EORIRQEN (1 << 28)
#define DCSR_STOPIRQEN (1 << 29)
#define DCSR_NODESCFETCH (1 << 30)
#define DCSR_RUN (1 << 31)
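/*
 * Fold one channel's DCSR bits into the controller-wide interrupt
 * summaries and drive the IRQ line from the result.
 *
 * s:  controller state.
 * ch: channel to re-evaluate.  A negative value, or one that is not below
 *     s->channels, skips the per-channel step so that s->chan[] is never
 *     indexed out of bounds; the IRQ line is still re-evaluated.
 */
static inline void pxa2xx_dma_update(PXA2xxDMAState *s, int ch)
{
    if (ch >= 0 && ch < s->channels) {
        const uint32_t state = s->chan[ch].state;
        /* Unsigned, so channel 31 does not shift into the sign bit. */
        const uint32_t bit = (uint32_t) 1 << ch;

        if ((state & DCSR_STOPIRQEN) && (state & DCSR_STOPINTR))
            s->stopintr |= bit;
        else
            s->stopintr &= ~bit;

        if ((state & DCSR_EORIRQEN) && (state & DCSR_EORINT))
            s->eorintr |= bit;
        else
            s->eorintr &= ~bit;

        if ((state & DCSR_RASIRQEN) && (state & DCSR_RASINTR))
            s->rasintr |= bit;
        else
            s->rasintr &= ~bit;

        /* Start and end interrupts have no enable bit in DCSR. */
        if (state & DCSR_STARTINTR)
            s->startintr |= bit;
        else
            s->startintr &= ~bit;

        if (state & DCSR_ENDINTR)
            s->endintr |= bit;
        else
            s->endintr &= ~bit;
    }

    if (s->stopintr | s->eorintr | s->rasintr | s->startintr | s->endintr)
        qemu_irq_raise(s->irq);
    else
        qemu_irq_lower(s->irq);
}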
/*
 * Load the next four-word descriptor of channel `ch` from guest memory into
 * the channel's descr/src/dest/cmd registers.
 *
 * All four words come from guest memory and are stored without validation;
 * code that consumes cmd (length, width, burst size) must treat it as
 * untrusted.
 * NOTE(review): the words are used in host byte order as read - confirm
 * whether a conversion is needed on big-endian hosts.
 * NOTE(review): `ch` is not range-checked here; callers must pass a value
 * below s->channels.
 */
static inline void pxa2xx_dma_descriptor_fetch(
                PXA2xxDMAState *s, int ch)
{
    PXA2xxDMAChannel *chan = &s->chan[ch];
    uint32_t words[4];
    target_phys_addr_t addr = chan->descr & ~0xf;

    /* Branch enabled and compare status set: use the descriptor 32 bytes on. */
    if ((chan->descr & DDADR_BREN) && (chan->state & DCSR_CMPST))
        addr += 32;

    cpu_physical_memory_read(addr, (uint8_t *) words, 16);
    chan->descr = words[DDADR];
    chan->src = words[DSADR];
    chan->dest = words[DTADR];
    chan->cmd = words[DCMD];

    /* Flow-controlled endpoints are forced to word alignment. */
    if (chan->cmd & DCMD_FLOWSRC)
        chan->src &= ~3;
    if (chan->cmd & DCMD_FLOWTRG)
        chan->dest &= ~3;

    if (chan->cmd & (DCMD_CMPEN | DCMD_FLYBYS | DCMD_FLYBYT))
        printf("%s: unsupported mode in channel %i\n", __FUNCTION__, ch);

    if (chan->cmd & DCMD_STARTIRQEN)
        chan->state |= DCSR_STARTINTR;
}
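/*
 * Run every channel that has DCSR_RUN set and is not stopped, copying data
 * through a 32-byte bounce buffer until the channel completes, stops, or
 * has to wait for a request.
 *
 * Re-entrancy: s->running counts nested invocations.  A nested call only
 * bumps the counter and returns; the outermost call then makes another
 * pass over all channels.
 *
 * The command word is guest-controlled (written through DCMD or fetched
 * from a descriptor).  Its width field is checked before DCMD_WIDTH() is
 * expanded: the reserved encoding 0 would shift by -1 (undefined) and the
 * resulting width would be used as the length of a copy into the 32-byte
 * stack buffer.  Such a channel is stopped instead of being run.
 */
static void pxa2xx_dma_run(PXA2xxDMAState *s)
{
    int c, srcinc, destinc;
    uint32_t n, size;
    uint32_t width;
    uint32_t length;
    uint8_t buffer[32];
    PXA2xxDMAChannel *ch;

    if (s->running ++)
        return;

    while (s->running) {
        s->running = 1;
        for (c = 0; c < s->channels; c ++) {
            ch = &s->chan[c];

            while ((ch->state & DCSR_RUN) && !(ch->state & DCSR_STOPINTR)) {
                /* Test for pending requests */
                if ((ch->cmd & (DCMD_FLOWSRC | DCMD_FLOWTRG)) && !ch->request)
                    break;

                length = ch->cmd & DCMD_LEN;
                size = DCMD_SIZE(ch->cmd);

                if ((ch->cmd >> 14) & 3) {
                    width = DCMD_WIDTH(ch->cmd);
                } else if (length) {
                    /* Reserved width with data to move: refuse and stop. */
                    printf("%s: reserved transfer width in channel %i\n",
                                    __FUNCTION__, c);
                    ch->state |= DCSR_STOPINTR;
                    ch->state &= ~DCSR_RUN;
                    break;
                } else {
                    /* Nothing to copy, so the width is never used. */
                    width = 0;
                }

                srcinc = (ch->cmd & DCMD_INCSRCADDR) ? width : 0;
                destinc = (ch->cmd & DCMD_INCTRGADDR) ? width : 0;

                while (length) {
                    /* size <= 32 and width <= 4, so n + width <= 32 below. */
                    size = MIN(length, size);

                    for (n = 0; n < size; n += width) {
                        cpu_physical_memory_read(ch->src, buffer + n, width);
                        ch->src += srcinc;
                    }

                    for (n = 0; n < size; n += width) {
                        cpu_physical_memory_write(ch->dest, buffer + n, width);
                        ch->dest += destinc;
                    }

                    length -= size;

                    /* Flow-controlled transfer whose request went away. */
                    if ((ch->cmd & (DCMD_FLOWSRC | DCMD_FLOWTRG)) &&
                            !ch->request) {
                        ch->state |= DCSR_EORINT;
                        if (ch->state & DCSR_EORSTOPEN)
                            ch->state |= DCSR_STOPINTR;
                        if ((ch->state & DCSR_EORJMPEN) &&
                                        !(ch->state & DCSR_NODESCFETCH))
                            pxa2xx_dma_descriptor_fetch(s, c);
                        break;
                    }
                }

                /* Write the remaining length back into the command word. */
                ch->cmd = (ch->cmd & ~DCMD_LEN) | length;

                /* Is the transfer complete now? */
                if (!length) {
                    if (ch->cmd & DCMD_ENDIRQEN)
                        ch->state |= DCSR_ENDINTR;

                    if ((ch->state & DCSR_NODESCFETCH) ||
                                (ch->descr & DDADR_STOP) ||
                                (ch->state & DCSR_EORSTOPEN)) {
                        ch->state |= DCSR_STOPINTR;
                        ch->state &= ~DCSR_RUN;

                        break;
                    }

                    ch->state |= DCSR_STOPINTR;
                    break;
                }
            }
        }

        s->running --;
    }
}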
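/*
 * 32-bit MMIO read handler.
 *
 * opaque: the PXA2xxDMAState registered with the I/O region.
 * offset: guest-supplied register offset inside the region.
 *
 * Returns the register value.  Offsets that do not decode to a register of
 * this controller variant are reported through hw_error(); this includes
 * DCSR offsets of channels the variant does not have (the DCSR range covers
 * 32 channels while s->chan[] holds only s->channels entries).
 */
static uint32_t pxa2xx_dma_read(void *opaque, target_phys_addr_t offset)
{
    PXA2xxDMAState *s = (PXA2xxDMAState *) opaque;
    unsigned int channel;

    switch (offset) {
    case DRCMR64 ... DRCMR74:
        /* Rebase so that DRCMR64 lands right after DRCMR63. */
        offset -= DRCMR64 - DRCMR0 - (64 << 2);
        /* Fall through */
    case DRCMR0 ... DRCMR63:
        channel = (offset - DRCMR0) >> 2;
        return s->req[channel];

    case DRQSR0:
    case DRQSR1:
    case DRQSR2:
        return 0;

    case DCSR0 ... DCSR31:
        channel = offset >> 2;
        /* Not a channel of this variant: treat as a bad offset below. */
        if (channel >= (unsigned int) s->channels)
            break;
        if (s->chan[channel].request)
            return s->chan[channel].state | DCSR_REQPEND;
        return s->chan[channel].state;

    case DINT:
        return s->stopintr | s->eorintr | s->rasintr |
                s->startintr | s->endintr;

    case DALGN:
        return s->align;

    case DPCSR:
        return s->pio;
    }

    /* Per-channel descriptor registers, 16 bytes per channel. */
    if (offset >= D_CH0 && offset < D_CH0 + (s->channels << 4)) {
        channel = (offset - D_CH0) >> 4;
        switch ((offset & 0x0f) >> 2) {
        case DDADR:
            return s->chan[channel].descr;
        case DSADR:
            return s->chan[channel].src;
        case DTADR:
            return s->chan[channel].dest;
        case DCMD:
            return s->chan[channel].cmd;
        }
    }

    hw_error("%s: Bad offset 0x" TARGET_FMT_plx "\n", __FUNCTION__, offset);
    return 7;
}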
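/*
 * 32-bit MMIO write handler.
 *
 * opaque: the PXA2xxDMAState registered with the I/O region.
 * offset: guest-supplied register offset inside the region.
 * value:  guest-supplied value.
 *
 * Both offset and value are untrusted.  Two checks keep s->chan[] indexing
 * in bounds:
 *  - a valid DRCMR mapping must name a channel below s->channels (the
 *    comparison is >=, since channel numbers start at 0), and a rejected
 *    mapping is not stored;
 *  - DCSR offsets of channels this variant does not have are treated as a
 *    bad offset (the DCSR range covers 32 channels regardless of variant).
 */
static void pxa2xx_dma_write(void *opaque,
                 target_phys_addr_t offset, uint32_t value)
{
    PXA2xxDMAState *s = (PXA2xxDMAState *) opaque;
    unsigned int channel;

    switch (offset) {
    case DRCMR64 ... DRCMR74:
        /* Rebase so that DRCMR64 lands right after DRCMR63. */
        offset -= DRCMR64 - DRCMR0 - (64 << 2);
        /* Fall through */
    case DRCMR0 ... DRCMR63:
        channel = (offset - DRCMR0) >> 2;

        if ((value & DRCMR_MAPVLD) &&
                (value & DRCMR_CHLNUM) >= (uint32_t) s->channels) {
            hw_error("%s: Bad DMA channel %i\n",
                            __FUNCTION__, (int) (value & DRCMR_CHLNUM));
            break;
        }

        s->req[channel] = value;
        break;

    case DRQSR0:
    case DRQSR1:
    case DRQSR2:
        /* Nothing to do */
        break;

    case DCSR0 ... DCSR31:
        channel = offset >> 2;
        if (channel >= (unsigned int) s->channels)
            goto fail;

        /* Keep the status bits, clearing those written as 1. */
        s->chan[channel].state &= 0x0000071f & ~(value &
                        (DCSR_EORINT | DCSR_ENDINTR |
                         DCSR_STARTINTR | DCSR_BUSERRINTR));
        /* Take the control bits from the written value. */
        s->chan[channel].state |= value & 0xfc800000;

        if (s->chan[channel].state & DCSR_STOPIRQEN)
            s->chan[channel].state &= ~DCSR_STOPINTR;

        if (value & DCSR_NODESCFETCH) {
            /* No-descriptor-fetch mode */
            if (value & DCSR_RUN) {
                s->chan[channel].state &= ~DCSR_STOPINTR;
                pxa2xx_dma_run(s);
            }
        } else {
            /* Descriptor-fetch mode */
            if (value & DCSR_RUN) {
                s->chan[channel].state &= ~DCSR_STOPINTR;
                pxa2xx_dma_descriptor_fetch(s, channel);
                pxa2xx_dma_run(s);
            }
        }

        /* Shouldn't matter as our DMA is synchronous.  */
        if (!(value & (DCSR_RUN | DCSR_MASKRUN)))
            s->chan[channel].state |= DCSR_STOPINTR;

        if (value & DCSR_CLRCMPST)
            s->chan[channel].state &= ~DCSR_CMPST;
        if (value & DCSR_SETCMPST)
            s->chan[channel].state |= DCSR_CMPST;

        pxa2xx_dma_update(s, channel);
        break;

    case DALGN:
        s->align = value;
        break;

    case DPCSR:
        s->pio = value & 0x80000001;
        break;

    default:
        /* Per-channel descriptor registers, 16 bytes per channel. */
        if (offset >= D_CH0 && offset < D_CH0 + (s->channels << 4)) {
            channel = (offset - D_CH0) >> 4;
            switch ((offset & 0x0f) >> 2) {
            case DDADR:
                s->chan[channel].descr = value;
                break;
            case DSADR:
                s->chan[channel].src = value;
                break;
            case DTADR:
                s->chan[channel].dest = value;
                break;
            case DCMD:
                s->chan[channel].cmd = value;
                break;
            default:
                goto fail;
            }

            break;
        }
    fail:
        hw_error("%s: Bad offset " TARGET_FMT_plx "\n", __FUNCTION__, offset);
    }
}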
/*
 * Read handler for the access widths this device does not implement:
 * reports the access through hw_error().
 * NOTE(review): the return value is only reached if hw_error() returns.
 */
static uint32_t pxa2xx_dma_readbad(void *opaque, target_phys_addr_t offset)
{
    const uint32_t dummy = 5;

    hw_error("%s: Bad access width\n", __FUNCTION__);
    return dummy;
}
/*
 * Write handler for the access widths this device does not implement:
 * the written value is dropped and the access is reported via hw_error().
 */
static void pxa2xx_dma_writebad(void *opaque,
                target_phys_addr_t offset, uint32_t value)
{
    hw_error("%s: Bad access width\n", __FUNCTION__);
    return;
}
/*
 * MMIO read dispatch table: only the last slot is a real handler, the first
 * two report a bad access width.
 * NOTE(review): presumably indexed by access size (8/16/32 bit) - confirm
 * against cpu_register_io_memory().
 */
static CPUReadMemoryFunc * const pxa2xx_dma_readfn[] = {
    pxa2xx_dma_readbad,
    pxa2xx_dma_readbad,
    pxa2xx_dma_read
};

/* MMIO write dispatch table, laid out like pxa2xx_dma_readfn. */
static CPUWriteMemoryFunc * const pxa2xx_dma_writefn[] = {
    pxa2xx_dma_writebad,
    pxa2xx_dma_writebad,
    pxa2xx_dma_write
};
/*
 * Savevm callback: serialise the controller state to `f`.
 *
 * Stream layout: channel count, the five interrupt summaries, align, pio,
 * the PXA2XX_DMA_NUM_REQUESTS request-map bytes, then
 * descr/src/dest/cmd/state/request for each channel in order.
 */
static void pxa2xx_dma_save(QEMUFile *f, void *opaque)
{
    PXA2xxDMAState *s = (PXA2xxDMAState *) opaque;
    PXA2xxDMAChannel *chan;
    int idx;

    qemu_put_be32(f, s->channels);

    qemu_put_be32s(f, &s->stopintr);
    qemu_put_be32s(f, &s->eorintr);
    qemu_put_be32s(f, &s->rasintr);
    qemu_put_be32s(f, &s->startintr);
    qemu_put_be32s(f, &s->endintr);
    qemu_put_be32s(f, &s->align);
    qemu_put_be32s(f, &s->pio);

    qemu_put_buffer(f, s->req, PXA2XX_DMA_NUM_REQUESTS);

    idx = 0;
    while (idx < s->channels) {
        chan = &s->chan[idx];
        qemu_put_betl(f, chan->descr);
        qemu_put_betl(f, chan->src);
        qemu_put_betl(f, chan->dest);
        qemu_put_be32s(f, &chan->cmd);
        qemu_put_be32s(f, &chan->state);
        qemu_put_be32(f, chan->request);
        idx ++;
    }
}
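/*
 * Loadvm callback: restore the controller state from `f`, in the layout
 * written by pxa2xx_dma_save().
 *
 * The stream is external input.  Besides the channel-count check, every
 * request-map byte marked valid must name a channel below s->channels,
 * because pxa2xx_dma_request() later uses that number to index s->chan[].
 *
 * Returns 0 on success, -EINVAL if the stream does not fit this controller
 * (the state may already be partially overwritten in that case).
 * version_id is not used.
 */
static int pxa2xx_dma_load(QEMUFile *f, void *opaque, int version_id)
{
    PXA2xxDMAState *s = (PXA2xxDMAState *) opaque;
    int i;

    if (qemu_get_be32(f) != s->channels)
        return -EINVAL;

    qemu_get_be32s(f, &s->stopintr);
    qemu_get_be32s(f, &s->eorintr);
    qemu_get_be32s(f, &s->rasintr);
    qemu_get_be32s(f, &s->startintr);
    qemu_get_be32s(f, &s->endintr);
    qemu_get_be32s(f, &s->align);
    qemu_get_be32s(f, &s->pio);

    qemu_get_buffer(f, s->req, PXA2XX_DMA_NUM_REQUESTS);
    /* Reject mappings that point past the end of s->chan[]. */
    for (i = 0; i < PXA2XX_DMA_NUM_REQUESTS; i ++)
        if ((s->req[i] & DRCMR_MAPVLD) &&
                (s->req[i] & DRCMR_CHLNUM) >= s->channels)
            return -EINVAL;

    for (i = 0; i < s->channels; i ++) {
        s->chan[i].descr = qemu_get_betl(f);
        s->chan[i].src = qemu_get_betl(f);
        s->chan[i].dest = qemu_get_betl(f);
        qemu_get_be32s(f, &s->chan[i].cmd);
        qemu_get_be32s(f, &s->chan[i].state);
        s->chan[i].request = qemu_get_be32(f);
    }

    return 0;
}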
/*
 * Allocate and register a DMA controller.
 *
 * base:     physical base address of the 0x10000-byte MMIO window.
 * irq:      interrupt line driven by pxa2xx_dma_update().
 * channels: number of channels to allocate; the two public wrappers pass
 *           PXA27X_DMA_NUM_CHANNELS or PXA255_DMA_NUM_CHANNELS.
 *
 * Every channel starts with DCSR_STOPINTR set and the request map starts
 * cleared.  Returns the new state; ownership passes to the caller.
 */
static PXA2xxDMAState *pxa2xx_dma_init(target_phys_addr_t base,
                qemu_irq irq, int channels)
{
    PXA2xxDMAState *s;
    int idx, io_index;

    s = (PXA2xxDMAState *) qemu_mallocz(sizeof(PXA2xxDMAState));

    s->channels = channels;
    s->chan = qemu_mallocz(sizeof(PXA2xxDMAChannel) * s->channels);
    s->irq = irq;
    s->handler = (pxa2xx_dma_handler_t) pxa2xx_dma_request;
    s->req = qemu_mallocz(sizeof(uint8_t) * PXA2XX_DMA_NUM_REQUESTS);

    memset(s->chan, 0, sizeof(PXA2xxDMAChannel) * s->channels);
    idx = 0;
    while (idx < s->channels) {
        s->chan[idx].state = DCSR_STOPINTR;
        idx ++;
    }

    memset(s->req, 0, sizeof(uint8_t) * PXA2XX_DMA_NUM_REQUESTS);

    io_index = cpu_register_io_memory(pxa2xx_dma_readfn,
                    pxa2xx_dma_writefn, s);
    cpu_register_physical_memory(base, 0x00010000, io_index);

    register_savevm(NULL, "pxa2xx_dma", 0, 0, pxa2xx_dma_save, pxa2xx_dma_load, s);

    return s;
}
/* Create the PXA27x variant of the controller (PXA27X_DMA_NUM_CHANNELS). */
PXA2xxDMAState *pxa27x_dma_init(target_phys_addr_t base,
                qemu_irq irq)
{
    PXA2xxDMAState *dma = pxa2xx_dma_init(base, irq, PXA27X_DMA_NUM_CHANNELS);

    return dma;
}
/* Create the PXA255 variant of the controller (PXA255_DMA_NUM_CHANNELS). */
PXA2xxDMAState *pxa255_dma_init(target_phys_addr_t base,
                qemu_irq irq)
{
    PXA2xxDMAState *dma = pxa2xx_dma_init(base, irq, PXA255_DMA_NUM_CHANNELS);

    return dma;
}
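/*
 * Raise or drop DMA request line `req_num`.
 *
 * s:       controller state.
 * req_num: request line, 0 .. PXA2XX_DMA_NUM_REQUESTS - 1; anything else is
 *          reported through hw_error() and ignored.
 * on:      non-zero to assert the request, zero to deassert it.
 *
 * The request is forwarded to the channel named in the guest-programmed
 * request map (s->req[]).  Unmapped requests are ignored, and so is a
 * mapping that names a channel this controller does not have, since that
 * number would otherwise index past the end of s->chan[].
 */
void pxa2xx_dma_request(PXA2xxDMAState *s, int req_num, int on)
{
    int ch;

    if (req_num < 0 || req_num >= PXA2XX_DMA_NUM_REQUESTS) {
        hw_error("%s: Bad DMA request %i\n", __FUNCTION__, req_num);
        /* Only reached if hw_error() returns: never index s->req[] with it. */
        return;
    }

    if (!(s->req[req_num] & DRCMR_MAPVLD))
        return;
    ch = s->req[req_num] & DRCMR_CHLNUM;
    if (ch >= s->channels)
        return;

    /* A rising request sets RASINTR; any other change clears it. */
    if (!s->chan[ch].request && on)
        s->chan[ch].state |= DCSR_RASINTR;
    else
        s->chan[ch].state &= ~DCSR_RASINTR;
    /* A falling request flags end-of-receive. */
    if (s->chan[ch].request && !on)
        s->chan[ch].state |= DCSR_EORINT;

    s->chan[ch].request = on;
    if (on) {
        pxa2xx_dma_run(s);
        pxa2xx_dma_update(s, ch);
    }
}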