search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
xen-pt: fix Out-of-bounds read
[qemu/ar7.git] / hw / ssi / xilinx_spi.c
blob620573cacac8865d037a034bf20be1b382e0e3e1
1 /*
2 * QEMU model of the Xilinx SPI Controller
3 *
4 * Copyright (C) 2010 Edgar E. Iglesias.
5 * Copyright (C) 2012 Peter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
6 * Copyright (C) 2012 PetaLogix
7 *
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 * THE SOFTWARE.
25 */
26
27 #include "hw/sysbus.h"
28 #include "sysemu/sysemu.h"
29 #include "qemu/log.h"
30 #include "qemu/fifo8.h"
31
32 #include "hw/ssi.h"
33
34 #ifdef XILINX_SPI_ERR_DEBUG
35 #define DB_PRINT(...) do { \
36 fprintf(stderr, ": %s: ", __func__); \
37 fprintf(stderr, ## __VA_ARGS__); \
38 } while (0);
39 #else
40 #define DB_PRINT(...)
41 #endif
42
43 #define R_DGIER (0x1c / 4)
44 #define R_DGIER_IE (1 << 31)
45
46 #define R_IPISR (0x20 / 4)
47 #define IRQ_DRR_NOT_EMPTY (1 << (31 - 23))
48 #define IRQ_DRR_OVERRUN (1 << (31 - 26))
49 #define IRQ_DRR_FULL (1 << (31 - 27))
50 #define IRQ_TX_FF_HALF_EMPTY (1 << 6)
51 #define IRQ_DTR_UNDERRUN (1 << 3)
52 #define IRQ_DTR_EMPTY (1 << (31 - 29))
53
54 #define R_IPIER (0x28 / 4)
55 #define R_SRR (0x40 / 4)
56 #define R_SPICR (0x60 / 4)
57 #define R_SPICR_TXFF_RST (1 << 5)
58 #define R_SPICR_RXFF_RST (1 << 6)
59 #define R_SPICR_MTI (1 << 8)
60
61 #define R_SPISR (0x64 / 4)
62 #define SR_TX_FULL (1 << 3)
63 #define SR_TX_EMPTY (1 << 2)
64 #define SR_RX_FULL (1 << 1)
65 #define SR_RX_EMPTY (1 << 0)
66
67 #define R_SPIDTR (0x68 / 4)
68 #define R_SPIDRR (0x6C / 4)
69 #define R_SPISSR (0x70 / 4)
70 #define R_TX_FF_OCY (0x74 / 4)
71 #define R_RX_FF_OCY (0x78 / 4)
72 #define R_MAX (0x7C / 4)
73
74 #define FIFO_CAPACITY 256
75
76 #define TYPE_XILINX_SPI "xlnx.xps-spi"
77 #define XILINX_SPI(obj) OBJECT_CHECK(XilinxSPI, (obj), TYPE_XILINX_SPI)
78
79 typedef struct XilinxSPI {
80 SysBusDevice parent_obj;
81
82 MemoryRegion mmio;
83
84 qemu_irq irq;
85 int irqline;
86
87 uint8_t num_cs;
88 qemu_irq *cs_lines;
89
90 SSIBus *spi;
91
92 Fifo8 rx_fifo;
93 Fifo8 tx_fifo;
94
95 uint32_t regs[R_MAX];
96 } XilinxSPI;
97
98 static void txfifo_reset(XilinxSPI *s)
99 {
100 fifo8_reset(&s->tx_fifo);
101
102 s->regs[R_SPISR] &= ~SR_TX_FULL;
103 s->regs[R_SPISR] |= SR_TX_EMPTY;
104 }
105
106 static void rxfifo_reset(XilinxSPI *s)
107 {
108 fifo8_reset(&s->rx_fifo);
109
110 s->regs[R_SPISR] |= SR_RX_EMPTY;
111 s->regs[R_SPISR] &= ~SR_RX_FULL;
112 }
113
114 static void xlx_spi_update_cs(XilinxSPI *s)
115 {
116 int i;
117
118 for (i = 0; i < s->num_cs; ++i) {
119 qemu_set_irq(s->cs_lines[i], !(~s->regs[R_SPISSR] & 1 << i));
120 }
121 }
122
123 static void xlx_spi_update_irq(XilinxSPI *s)
124 {
125 uint32_t pending;
126
127 s->regs[R_IPISR] |=
128 (!fifo8_is_empty(&s->rx_fifo) ? IRQ_DRR_NOT_EMPTY : 0) |
129 (fifo8_is_full(&s->rx_fifo) ? IRQ_DRR_FULL : 0);
130
131 pending = s->regs[R_IPISR] & s->regs[R_IPIER];
132
133 pending = pending && (s->regs[R_DGIER] & R_DGIER_IE);
134 pending = !!pending;
135
136 /* This call lies right in the data paths so don't call the
137 irq chain unless things really changed. */
138 if (pending != s->irqline) {
139 s->irqline = pending;
140 DB_PRINT("irq_change of state %d ISR:%x IER:%X\n",
141 pending, s->regs[R_IPISR], s->regs[R_IPIER]);
142 qemu_set_irq(s->irq, pending);
143 }
144
145 }
146
147 static void xlx_spi_do_reset(XilinxSPI *s)
148 {
149 memset(s->regs, 0, sizeof s->regs);
150
151 rxfifo_reset(s);
152 txfifo_reset(s);
153
154 s->regs[R_SPISSR] = ~0;
155 xlx_spi_update_irq(s);
156 xlx_spi_update_cs(s);
157 }
158
159 static void xlx_spi_reset(DeviceState *d)
160 {
161 xlx_spi_do_reset(XILINX_SPI(d));
162 }
163
164 static inline int spi_master_enabled(XilinxSPI *s)
165 {
166 return !(s->regs[R_SPICR] & R_SPICR_MTI);
167 }
168
169 static void spi_flush_txfifo(XilinxSPI *s)
170 {
171 uint32_t tx;
172 uint32_t rx;
173
174 while (!fifo8_is_empty(&s->tx_fifo)) {
175 tx = (uint32_t)fifo8_pop(&s->tx_fifo);
176 DB_PRINT("data tx:%x\n", tx);
177 rx = ssi_transfer(s->spi, tx);
178 DB_PRINT("data rx:%x\n", rx);
179 if (fifo8_is_full(&s->rx_fifo)) {
180 s->regs[R_IPISR] |= IRQ_DRR_OVERRUN;
181 } else {
182 fifo8_push(&s->rx_fifo, (uint8_t)rx);
183 if (fifo8_is_full(&s->rx_fifo)) {
184 s->regs[R_SPISR] |= SR_RX_FULL;
185 s->regs[R_IPISR] |= IRQ_DRR_FULL;
186 }
187 }
188
189 s->regs[R_SPISR] &= ~SR_RX_EMPTY;
190 s->regs[R_SPISR] &= ~SR_TX_FULL;
191 s->regs[R_SPISR] |= SR_TX_EMPTY;
192
193 s->regs[R_IPISR] |= IRQ_DTR_EMPTY;
194 s->regs[R_IPISR] |= IRQ_DRR_NOT_EMPTY;
195 }
196
197 }
198
199 static uint64_t
200 spi_read(void *opaque, hwaddr addr, unsigned int size)
201 {
202 XilinxSPI *s = opaque;
203 uint32_t r = 0;
204
205 addr >>= 2;
206 switch (addr) {
207 case R_SPIDRR:
208 if (fifo8_is_empty(&s->rx_fifo)) {
209 DB_PRINT("Read from empty FIFO!\n");
210 return 0xdeadbeef;
211 }
212
213 s->regs[R_SPISR] &= ~SR_RX_FULL;
214 r = fifo8_pop(&s->rx_fifo);
215 if (fifo8_is_empty(&s->rx_fifo)) {
216 s->regs[R_SPISR] |= SR_RX_EMPTY;
217 }
218 break;
219
220 case R_SPISR:
221 r = s->regs[addr];
222 break;
223
224 default:
225 if (addr < ARRAY_SIZE(s->regs)) {
226 r = s->regs[addr];
227 }
228 break;
229
230 }
231 DB_PRINT("addr=" TARGET_FMT_plx " = %x\n", addr * 4, r);
232 xlx_spi_update_irq(s);
233 return r;
234 }
235
236 static void
237 spi_write(void *opaque, hwaddr addr,
238 uint64_t val64, unsigned int size)
239 {
240 XilinxSPI *s = opaque;
241 uint32_t value = val64;
242
243 DB_PRINT("addr=" TARGET_FMT_plx " = %x\n", addr, value);
244 addr >>= 2;
245 switch (addr) {
246 case R_SRR:
247 if (value != 0xa) {
248 DB_PRINT("Invalid write to SRR %x\n", value);
249 } else {
250 xlx_spi_do_reset(s);
251 }
252 break;
253
254 case R_SPIDTR:
255 s->regs[R_SPISR] &= ~SR_TX_EMPTY;
256 fifo8_push(&s->tx_fifo, (uint8_t)value);
257 if (fifo8_is_full(&s->tx_fifo)) {
258 s->regs[R_SPISR] |= SR_TX_FULL;
259 }
260 if (!spi_master_enabled(s)) {
261 goto done;
262 } else {
263 DB_PRINT("DTR and master enabled\n");
264 }
265 spi_flush_txfifo(s);
266 break;
267
268 case R_SPISR:
269 DB_PRINT("Invalid write to SPISR %x\n", value);
270 break;
271
272 case R_IPISR:
273 /* Toggle the bits. */
274 s->regs[addr] ^= value;
275 break;
276
277 /* Slave Select Register. */
278 case R_SPISSR:
279 s->regs[addr] = value;
280 xlx_spi_update_cs(s);
281 break;
282
283 case R_SPICR:
284 /* FIXME: reset irq and sr state to empty queues. */
285 if (value & R_SPICR_RXFF_RST) {
286 rxfifo_reset(s);
287 }
288
289 if (value & R_SPICR_TXFF_RST) {
290 txfifo_reset(s);
291 }
292 value &= ~(R_SPICR_RXFF_RST | R_SPICR_TXFF_RST);
293 s->regs[addr] = value;
294
295 if (!(value & R_SPICR_MTI)) {
296 spi_flush_txfifo(s);
297 }
298 break;
299
300 default:
301 if (addr < ARRAY_SIZE(s->regs)) {
302 s->regs[addr] = value;
303 }
304 break;
305 }
306
307 done:
308 xlx_spi_update_irq(s);
309 }
310
311 static const MemoryRegionOps spi_ops = {
312 .read = spi_read,
313 .write = spi_write,
314 .endianness = DEVICE_NATIVE_ENDIAN,
315 .valid = {
316 .min_access_size = 4,
317 .max_access_size = 4
318 }
319 };
320
321 static int xilinx_spi_init(SysBusDevice *sbd)
322 {
323 DeviceState *dev = DEVICE(sbd);
324 XilinxSPI *s = XILINX_SPI(dev);
325 int i;
326
327 DB_PRINT("\n");
328
329 s->spi = ssi_create_bus(dev, "spi");
330
331 sysbus_init_irq(sbd, &s->irq);
332 s->cs_lines = g_new0(qemu_irq, s->num_cs);
333 ssi_auto_connect_slaves(dev, s->cs_lines, s->spi);
334 for (i = 0; i < s->num_cs; ++i) {
335 sysbus_init_irq(sbd, &s->cs_lines[i]);
336 }
337
338 memory_region_init_io(&s->mmio, OBJECT(s), &spi_ops, s,
339 "xilinx-spi", R_MAX * 4);
340 sysbus_init_mmio(sbd, &s->mmio);
341
342 s->irqline = -1;
343
344 fifo8_create(&s->tx_fifo, FIFO_CAPACITY);
345 fifo8_create(&s->rx_fifo, FIFO_CAPACITY);
346
347 return 0;
348 }
349
350 static const VMStateDescription vmstate_xilinx_spi = {
351 .name = "xilinx_spi",
352 .version_id = 1,
353 .minimum_version_id = 1,
354 .fields = (VMStateField[]) {
355 VMSTATE_FIFO8(tx_fifo, XilinxSPI),
356 VMSTATE_FIFO8(rx_fifo, XilinxSPI),
357 VMSTATE_UINT32_ARRAY(regs, XilinxSPI, R_MAX),
358 VMSTATE_END_OF_LIST()
359 }
360 };
361
362 static Property xilinx_spi_properties[] = {
363 DEFINE_PROP_UINT8("num-ss-bits", XilinxSPI, num_cs, 1),
364 DEFINE_PROP_END_OF_LIST(),
365 };
366
367 static void xilinx_spi_class_init(ObjectClass *klass, void *data)
368 {
369 DeviceClass *dc = DEVICE_CLASS(klass);
370 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
371
372 k->init = xilinx_spi_init;
373 dc->reset = xlx_spi_reset;
374 dc->props = xilinx_spi_properties;
375 dc->vmsd = &vmstate_xilinx_spi;
376 }
377
378 static const TypeInfo xilinx_spi_info = {
379 .name = TYPE_XILINX_SPI,
380 .parent = TYPE_SYS_BUS_DEVICE,
381 .instance_size = sizeof(XilinxSPI),
382 .class_init = xilinx_spi_class_init,
383 };
384
385 static void xilinx_spi_register_types(void)
386 {
387 type_register_static(&xilinx_spi_info);
388 }
389
390 type_init(xilinx_spi_register_types)
AR7 emulation for QEMU