vvfat: fat_chksum(): fix access above array bounds
[qemu.git] / hw / sparc32_dma.c
blobb52170787b7bbfb30469a4272808eb4b940ea87f
1 /*
2 * QEMU Sparc32 DMA controller emulation
4 * Copyright (c) 2006 Fabrice Bellard
6 * Modifications:
7 * 2010-Feb-14 Artyom Tarasenko : reworked irq generation
9 * Permission is hereby granted, free of charge, to any person obtaining a copy
10 * of this software and associated documentation files (the "Software"), to deal
11 * in the Software without restriction, including without limitation the rights
12 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
13 * copies of the Software, and to permit persons to whom the Software is
14 * furnished to do so, subject to the following conditions:
16 * The above copyright notice and this permission notice shall be included in
17 * all copies or substantial portions of the Software.
19 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
20 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
21 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
22 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
23 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
24 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
25 * THE SOFTWARE.
28 #include "hw.h"
29 #include "sparc32_dma.h"
30 #include "sun4m.h"
31 #include "sysbus.h"
33 /* debug DMA */
34 //#define DEBUG_DMA
37 * This is the DMA controller part of chip STP2000 (Master I/O), also
38 * produced as NCR89C100. See
39 * http://www.ibiblio.org/pub/historic-linux/early-ports/Sparc/NCR/NCR89C100.txt
40 * and
41 * http://www.ibiblio.org/pub/historic-linux/early-ports/Sparc/NCR/DMA2.txt
44 #ifdef DEBUG_DMA
45 #define DPRINTF(fmt, ...) \
46 do { printf("DMA: " fmt , ## __VA_ARGS__); } while (0)
47 #else
48 #define DPRINTF(fmt, ...)
49 #endif
51 #define DMA_REGS 4
52 #define DMA_SIZE (4 * sizeof(uint32_t))
53 /* We need the mask, because one instance of the device is not page
54 aligned (ledma, start address 0x0010) */
55 #define DMA_MASK (DMA_SIZE - 1)
57 #define DMA_VER 0xa0000000
58 #define DMA_INTR 1
59 #define DMA_INTREN 0x10
60 #define DMA_WRITE_MEM 0x100
61 #define DMA_LOADED 0x04000000
62 #define DMA_DRAIN_FIFO 0x40
63 #define DMA_RESET 0x80
65 /* XXX SCSI and ethernet should have different read-only bit masks */
66 #define DMA_CSR_RO_MASK 0xfe000007
68 typedef struct DMAState DMAState;
70 struct DMAState {
71 SysBusDevice busdev;
72 uint32_t dmaregs[DMA_REGS];
73 qemu_irq irq;
74 void *iommu;
75 qemu_irq dev_reset;
78 /* Note: on sparc, the lance 16 bit bus is swapped */
79 void ledma_memory_read(void *opaque, target_phys_addr_t addr,
80 uint8_t *buf, int len, int do_bswap)
82 DMAState *s = opaque;
83 int i;
85 DPRINTF("DMA write, direction: %c, addr 0x%8.8x\n",
86 s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
87 addr |= s->dmaregs[3];
88 if (do_bswap) {
89 sparc_iommu_memory_read(s->iommu, addr, buf, len);
90 } else {
91 addr &= ~1;
92 len &= ~1;
93 sparc_iommu_memory_read(s->iommu, addr, buf, len);
94 for(i = 0; i < len; i += 2) {
95 bswap16s((uint16_t *)(buf + i));
100 void ledma_memory_write(void *opaque, target_phys_addr_t addr,
101 uint8_t *buf, int len, int do_bswap)
103 DMAState *s = opaque;
104 int l, i;
105 uint16_t tmp_buf[32];
107 DPRINTF("DMA read, direction: %c, addr 0x%8.8x\n",
108 s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
109 addr |= s->dmaregs[3];
110 if (do_bswap) {
111 sparc_iommu_memory_write(s->iommu, addr, buf, len);
112 } else {
113 addr &= ~1;
114 len &= ~1;
115 while (len > 0) {
116 l = len;
117 if (l > sizeof(tmp_buf))
118 l = sizeof(tmp_buf);
119 for(i = 0; i < l; i += 2) {
120 tmp_buf[i >> 1] = bswap16(*(uint16_t *)(buf + i));
122 sparc_iommu_memory_write(s->iommu, addr, (uint8_t *)tmp_buf, l);
123 len -= l;
124 buf += l;
125 addr += l;
130 static void dma_set_irq(void *opaque, int irq, int level)
132 DMAState *s = opaque;
133 if (level) {
134 s->dmaregs[0] |= DMA_INTR;
135 if (s->dmaregs[0] & DMA_INTREN) {
136 DPRINTF("Raise IRQ\n");
137 qemu_irq_raise(s->irq);
139 } else {
140 if (s->dmaregs[0] & DMA_INTR) {
141 s->dmaregs[0] &= ~DMA_INTR;
142 if (s->dmaregs[0] & DMA_INTREN) {
143 DPRINTF("Lower IRQ\n");
144 qemu_irq_lower(s->irq);
150 void espdma_memory_read(void *opaque, uint8_t *buf, int len)
152 DMAState *s = opaque;
154 DPRINTF("DMA read, direction: %c, addr 0x%8.8x\n",
155 s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
156 sparc_iommu_memory_read(s->iommu, s->dmaregs[1], buf, len);
157 s->dmaregs[1] += len;
160 void espdma_memory_write(void *opaque, uint8_t *buf, int len)
162 DMAState *s = opaque;
164 DPRINTF("DMA write, direction: %c, addr 0x%8.8x\n",
165 s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
166 sparc_iommu_memory_write(s->iommu, s->dmaregs[1], buf, len);
167 s->dmaregs[1] += len;
170 static uint32_t dma_mem_readl(void *opaque, target_phys_addr_t addr)
172 DMAState *s = opaque;
173 uint32_t saddr;
175 saddr = (addr & DMA_MASK) >> 2;
176 DPRINTF("read dmareg " TARGET_FMT_plx ": 0x%8.8x\n", addr,
177 s->dmaregs[saddr]);
179 return s->dmaregs[saddr];
182 static void dma_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
184 DMAState *s = opaque;
185 uint32_t saddr;
187 saddr = (addr & DMA_MASK) >> 2;
188 DPRINTF("write dmareg " TARGET_FMT_plx ": 0x%8.8x -> 0x%8.8x\n", addr,
189 s->dmaregs[saddr], val);
190 switch (saddr) {
191 case 0:
192 if (val & DMA_INTREN) {
193 if (s->dmaregs[0] & DMA_INTR) {
194 DPRINTF("Raise IRQ\n");
195 qemu_irq_raise(s->irq);
197 } else {
198 if (s->dmaregs[0] & (DMA_INTR | DMA_INTREN)) {
199 DPRINTF("Lower IRQ\n");
200 qemu_irq_lower(s->irq);
203 if (val & DMA_RESET) {
204 qemu_irq_raise(s->dev_reset);
205 qemu_irq_lower(s->dev_reset);
206 } else if (val & DMA_DRAIN_FIFO) {
207 val &= ~DMA_DRAIN_FIFO;
208 } else if (val == 0)
209 val = DMA_DRAIN_FIFO;
210 val &= ~DMA_CSR_RO_MASK;
211 val |= DMA_VER;
212 s->dmaregs[0] = (s->dmaregs[0] & DMA_CSR_RO_MASK) | val;
213 break;
214 case 1:
215 s->dmaregs[0] |= DMA_LOADED;
216 /* fall through */
217 default:
218 s->dmaregs[saddr] = val;
219 break;
223 static CPUReadMemoryFunc * const dma_mem_read[3] = {
224 NULL,
225 NULL,
226 dma_mem_readl,
229 static CPUWriteMemoryFunc * const dma_mem_write[3] = {
230 NULL,
231 NULL,
232 dma_mem_writel,
235 static void dma_reset(DeviceState *d)
237 DMAState *s = container_of(d, DMAState, busdev.qdev);
239 memset(s->dmaregs, 0, DMA_SIZE);
240 s->dmaregs[0] = DMA_VER;
243 static const VMStateDescription vmstate_dma = {
244 .name ="sparc32_dma",
245 .version_id = 2,
246 .minimum_version_id = 2,
247 .minimum_version_id_old = 2,
248 .fields = (VMStateField []) {
249 VMSTATE_UINT32_ARRAY(dmaregs, DMAState, DMA_REGS),
250 VMSTATE_END_OF_LIST()
254 static int sparc32_dma_init1(SysBusDevice *dev)
256 DMAState *s = FROM_SYSBUS(DMAState, dev);
257 int dma_io_memory;
259 sysbus_init_irq(dev, &s->irq);
261 dma_io_memory = cpu_register_io_memory(dma_mem_read, dma_mem_write, s);
262 sysbus_init_mmio(dev, DMA_SIZE, dma_io_memory);
264 qdev_init_gpio_in(&dev->qdev, dma_set_irq, 1);
265 qdev_init_gpio_out(&dev->qdev, &s->dev_reset, 1);
267 return 0;
270 static SysBusDeviceInfo sparc32_dma_info = {
271 .init = sparc32_dma_init1,
272 .qdev.name = "sparc32_dma",
273 .qdev.size = sizeof(DMAState),
274 .qdev.vmsd = &vmstate_dma,
275 .qdev.reset = dma_reset,
276 .qdev.props = (Property[]) {
277 DEFINE_PROP_PTR("iommu_opaque", DMAState, iommu),
278 DEFINE_PROP_END_OF_LIST(),
282 static void sparc32_dma_register_devices(void)
284 sysbus_register_withprop(&sparc32_dma_info);
287 device_init(sparc32_dma_register_devices)