vvfat: fat_chksum(): fix access above array bounds
[qemu.git] / hw / xilinx_ethlite.c
blob37e33ec011cbf656779745441fe95ed24a716384
1 /*
2 * QEMU model of the Xilinx Ethernet Lite MAC.
4 * Copyright (c) 2009 Edgar E. Iglesias.
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
25 #include "sysbus.h"
26 #include "hw.h"
27 #include "net.h"
29 #define D(x)
30 #define R_TX_BUF0 0
31 #define R_TX_LEN0 (0x07f4 / 4)
32 #define R_TX_GIE0 (0x07f8 / 4)
33 #define R_TX_CTRL0 (0x07fc / 4)
34 #define R_TX_BUF1 (0x0800 / 4)
35 #define R_TX_LEN1 (0x0ff4 / 4)
36 #define R_TX_CTRL1 (0x0ffc / 4)
38 #define R_RX_BUF0 (0x1000 / 4)
39 #define R_RX_CTRL0 (0x17fc / 4)
40 #define R_RX_BUF1 (0x1800 / 4)
41 #define R_RX_CTRL1 (0x1ffc / 4)
42 #define R_MAX (0x2000 / 4)
44 #define GIE_GIE 0x80000000
46 #define CTRL_I 0x8
47 #define CTRL_P 0x2
48 #define CTRL_S 0x1
50 struct xlx_ethlite
52 SysBusDevice busdev;
53 qemu_irq irq;
54 NICState *nic;
55 NICConf conf;
57 uint32_t c_tx_pingpong;
58 uint32_t c_rx_pingpong;
59 unsigned int txbuf;
60 unsigned int rxbuf;
62 uint32_t regs[R_MAX];
65 static inline void eth_pulse_irq(struct xlx_ethlite *s)
67 /* Only the first gie reg is active. */
68 if (s->regs[R_TX_GIE0] & GIE_GIE) {
69 qemu_irq_pulse(s->irq);
73 static uint32_t eth_readl (void *opaque, target_phys_addr_t addr)
75 struct xlx_ethlite *s = opaque;
76 uint32_t r = 0;
78 addr >>= 2;
80 switch (addr)
82 case R_TX_GIE0:
83 case R_TX_LEN0:
84 case R_TX_LEN1:
85 case R_TX_CTRL1:
86 case R_TX_CTRL0:
87 case R_RX_CTRL1:
88 case R_RX_CTRL0:
89 r = s->regs[addr];
90 D(qemu_log("%s %x=%x\n", __func__, addr * 4, r));
91 break;
93 /* Rx packet data is endian fixed at the way into the rx rams. This
94 * speeds things up because the ethlite MAC does not have a len
95 * register. That means the CPU will issue MMIO reads for the entire
96 * 2k rx buffer even for small packets.
98 default:
99 r = s->regs[addr];
100 break;
102 return r;
105 static void
106 eth_writel (void *opaque, target_phys_addr_t addr, uint32_t value)
108 struct xlx_ethlite *s = opaque;
109 unsigned int base = 0;
111 addr >>= 2;
112 switch (addr)
114 case R_TX_CTRL0:
115 case R_TX_CTRL1:
116 if (addr == R_TX_CTRL1)
117 base = 0x800 / 4;
119 D(qemu_log("%s addr=%x val=%x\n", __func__, addr * 4, value));
120 if ((value & (CTRL_P | CTRL_S)) == CTRL_S) {
121 qemu_send_packet(&s->nic->nc,
122 (void *) &s->regs[base],
123 s->regs[base + R_TX_LEN0]);
124 D(qemu_log("eth_tx %d\n", s->regs[base + R_TX_LEN0]));
125 if (s->regs[base + R_TX_CTRL0] & CTRL_I)
126 eth_pulse_irq(s);
127 } else if ((value & (CTRL_P | CTRL_S)) == (CTRL_P | CTRL_S)) {
128 memcpy(&s->conf.macaddr.a[0], &s->regs[base], 6);
129 if (s->regs[base + R_TX_CTRL0] & CTRL_I)
130 eth_pulse_irq(s);
133 /* We are fast and get ready pretty much immediately so
134 we actually never flip the S nor P bits to one. */
135 s->regs[addr] = value & ~(CTRL_P | CTRL_S);
136 break;
138 /* Keep these native. */
139 case R_TX_LEN0:
140 case R_TX_LEN1:
141 case R_TX_GIE0:
142 case R_RX_CTRL0:
143 case R_RX_CTRL1:
144 D(qemu_log("%s addr=%x val=%x\n", __func__, addr * 4, value));
145 s->regs[addr] = value;
146 break;
148 /* Packet data, make sure it stays BE. */
149 default:
150 s->regs[addr] = cpu_to_be32(value);
151 break;
155 static CPUReadMemoryFunc * const eth_read[] = {
156 NULL, NULL, &eth_readl,
159 static CPUWriteMemoryFunc * const eth_write[] = {
160 NULL, NULL, &eth_writel,
163 static int eth_can_rx(VLANClientState *nc)
165 struct xlx_ethlite *s = DO_UPCAST(NICState, nc, nc)->opaque;
166 int r;
167 r = !(s->regs[R_RX_CTRL0] & CTRL_S);
168 return r;
171 static ssize_t eth_rx(VLANClientState *nc, const uint8_t *buf, size_t size)
173 struct xlx_ethlite *s = DO_UPCAST(NICState, nc, nc)->opaque;
174 unsigned int rxbase = s->rxbuf * (0x800 / 4);
175 int i;
177 /* DA filter. */
178 if (!(buf[0] & 0x80) && memcmp(&s->conf.macaddr.a[0], buf, 6))
179 return size;
181 if (s->regs[rxbase + R_RX_CTRL0] & CTRL_S) {
182 D(qemu_log("ethlite lost packet %x\n", s->regs[R_RX_CTRL0]));
183 return -1;
186 D(qemu_log("%s %d rxbase=%x\n", __func__, size, rxbase));
187 memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
189 /* Bring it into host endianess. */
190 for (i = 0; i < ((size + 3) / 4); i++) {
191 uint32_t d = s->regs[rxbase + R_RX_BUF0 + i];
192 s->regs[rxbase + R_RX_BUF0 + i] = be32_to_cpu(d);
195 s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
196 if (s->regs[rxbase + R_RX_CTRL0] & CTRL_I)
197 eth_pulse_irq(s);
199 /* If c_rx_pingpong was set flip buffers. */
200 s->rxbuf ^= s->c_rx_pingpong;
201 return size;
204 static void eth_cleanup(VLANClientState *nc)
206 struct xlx_ethlite *s = DO_UPCAST(NICState, nc, nc)->opaque;
208 s->nic = NULL;
211 static NetClientInfo net_xilinx_ethlite_info = {
212 .type = NET_CLIENT_TYPE_NIC,
213 .size = sizeof(NICState),
214 .can_receive = eth_can_rx,
215 .receive = eth_rx,
216 .cleanup = eth_cleanup,
219 static int xilinx_ethlite_init(SysBusDevice *dev)
221 struct xlx_ethlite *s = FROM_SYSBUS(typeof (*s), dev);
222 int regs;
224 sysbus_init_irq(dev, &s->irq);
225 s->rxbuf = 0;
227 regs = cpu_register_io_memory(eth_read, eth_write, s);
228 sysbus_init_mmio(dev, R_MAX * 4, regs);
230 qemu_macaddr_default_if_unset(&s->conf.macaddr);
231 s->nic = qemu_new_nic(&net_xilinx_ethlite_info, &s->conf,
232 dev->qdev.info->name, dev->qdev.id, s);
233 qemu_format_nic_info_str(&s->nic->nc, s->conf.macaddr.a);
234 return 0;
237 static SysBusDeviceInfo xilinx_ethlite_info = {
238 .init = xilinx_ethlite_init,
239 .qdev.name = "xilinx,ethlite",
240 .qdev.size = sizeof(struct xlx_ethlite),
241 .qdev.props = (Property[]) {
242 DEFINE_PROP_UINT32("txpingpong", struct xlx_ethlite, c_tx_pingpong, 1),
243 DEFINE_PROP_UINT32("rxpingpong", struct xlx_ethlite, c_rx_pingpong, 1),
244 DEFINE_NIC_PROPERTIES(struct xlx_ethlite, conf),
245 DEFINE_PROP_END_OF_LIST(),
249 static void xilinx_ethlite_register(void)
251 sysbus_register_withprop(&xilinx_ethlite_info);
254 device_init(xilinx_ethlite_register)