search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
net: stellaris_enet: check packet length against receive buffer
[qemu/ar7.git] / hw / net / stellaris_enet.c
blob6880894945432a104d6d7a0fa5b4d12972fe7ed6
1 /*
2 * Luminary Micro Stellaris Ethernet Controller
3 *
4 * Copyright (c) 2007 CodeSourcery.
5 * Written by Paul Brook
6 *
7 * This code is licensed under the GPL.
8 */
9 #include "qemu/osdep.h"
10 #include "hw/sysbus.h"
11 #include "net/net.h"
12 #include <zlib.h>
13
14 //#define DEBUG_STELLARIS_ENET 1
15
16 #ifdef DEBUG_STELLARIS_ENET
17 #define DPRINTF(fmt, ...) \
18 do { printf("stellaris_enet: " fmt , ## __VA_ARGS__); } while (0)
19 #define BADF(fmt, ...) \
20 do { fprintf(stderr, "stellaris_enet: error: " fmt , ## __VA_ARGS__); exit(1);} while (0)
21 #else
22 #define DPRINTF(fmt, ...) do {} while(0)
23 #define BADF(fmt, ...) \
24 do { fprintf(stderr, "stellaris_enet: error: " fmt , ## __VA_ARGS__);} while (0)
25 #endif
26
27 #define SE_INT_RX 0x01
28 #define SE_INT_TXER 0x02
29 #define SE_INT_TXEMP 0x04
30 #define SE_INT_FOV 0x08
31 #define SE_INT_RXER 0x10
32 #define SE_INT_MD 0x20
33 #define SE_INT_PHY 0x40
34
35 #define SE_RCTL_RXEN 0x01
36 #define SE_RCTL_AMUL 0x02
37 #define SE_RCTL_PRMS 0x04
38 #define SE_RCTL_BADCRC 0x08
39 #define SE_RCTL_RSTFIFO 0x10
40
41 #define SE_TCTL_TXEN 0x01
42 #define SE_TCTL_PADEN 0x02
43 #define SE_TCTL_CRC 0x04
44 #define SE_TCTL_DUPLEX 0x08
45
46 #define TYPE_STELLARIS_ENET "stellaris_enet"
47 #define STELLARIS_ENET(obj) \
48 OBJECT_CHECK(stellaris_enet_state, (obj), TYPE_STELLARIS_ENET)
49
50 typedef struct {
51 uint8_t data[2048];
52 uint32_t len;
53 } StellarisEnetRxFrame;
54
55 typedef struct {
56 SysBusDevice parent_obj;
57
58 uint32_t ris;
59 uint32_t im;
60 uint32_t rctl;
61 uint32_t tctl;
62 uint32_t thr;
63 uint32_t mctl;
64 uint32_t mdv;
65 uint32_t mtxd;
66 uint32_t mrxd;
67 uint32_t np;
68 uint32_t tx_fifo_len;
69 uint8_t tx_fifo[2048];
70 /* Real hardware has a 2k fifo, which works out to be at most 31 packets.
71 We implement a full 31 packet fifo. */
72 StellarisEnetRxFrame rx[31];
73 uint32_t rx_fifo_offset;
74 uint32_t next_packet;
75 NICState *nic;
76 NICConf conf;
77 qemu_irq irq;
78 MemoryRegion mmio;
79 } stellaris_enet_state;
80
81 static const VMStateDescription vmstate_rx_frame = {
82 .name = "stellaris_enet/rx_frame",
83 .version_id = 1,
84 .minimum_version_id = 1,
85 .fields = (VMStateField[]) {
86 VMSTATE_UINT8_ARRAY(data, StellarisEnetRxFrame, 2048),
87 VMSTATE_UINT32(len, StellarisEnetRxFrame),
88 VMSTATE_END_OF_LIST()
89 }
90 };
91
92 static int stellaris_enet_post_load(void *opaque, int version_id)
93 {
94 stellaris_enet_state *s = opaque;
95 int i;
96
97 /* Sanitize inbound state. Note that next_packet is an index but
98 * np is a size; hence their valid upper bounds differ.
99 */
100 if (s->next_packet >= ARRAY_SIZE(s->rx)) {
101 return -1;
102 }
103
104 if (s->np > ARRAY_SIZE(s->rx)) {
105 return -1;
106 }
107
108 for (i = 0; i < ARRAY_SIZE(s->rx); i++) {
109 if (s->rx[i].len > ARRAY_SIZE(s->rx[i].data)) {
110 return -1;
111 }
112 }
113
114 if (s->rx_fifo_offset > ARRAY_SIZE(s->rx[0].data) - 4) {
115 return -1;
116 }
117
118 if (s->tx_fifo_len > ARRAY_SIZE(s->tx_fifo)) {
119 return -1;
120 }
121
122 return 0;
123 }
124
125 static const VMStateDescription vmstate_stellaris_enet = {
126 .name = "stellaris_enet",
127 .version_id = 2,
128 .minimum_version_id = 2,
129 .post_load = stellaris_enet_post_load,
130 .fields = (VMStateField[]) {
131 VMSTATE_UINT32(ris, stellaris_enet_state),
132 VMSTATE_UINT32(im, stellaris_enet_state),
133 VMSTATE_UINT32(rctl, stellaris_enet_state),
134 VMSTATE_UINT32(tctl, stellaris_enet_state),
135 VMSTATE_UINT32(thr, stellaris_enet_state),
136 VMSTATE_UINT32(mctl, stellaris_enet_state),
137 VMSTATE_UINT32(mdv, stellaris_enet_state),
138 VMSTATE_UINT32(mtxd, stellaris_enet_state),
139 VMSTATE_UINT32(mrxd, stellaris_enet_state),
140 VMSTATE_UINT32(np, stellaris_enet_state),
141 VMSTATE_UINT32(tx_fifo_len, stellaris_enet_state),
142 VMSTATE_UINT8_ARRAY(tx_fifo, stellaris_enet_state, 2048),
143 VMSTATE_STRUCT_ARRAY(rx, stellaris_enet_state, 31, 1,
144 vmstate_rx_frame, StellarisEnetRxFrame),
145 VMSTATE_UINT32(rx_fifo_offset, stellaris_enet_state),
146 VMSTATE_UINT32(next_packet, stellaris_enet_state),
147 VMSTATE_END_OF_LIST()
148 }
149 };
150
151 static void stellaris_enet_update(stellaris_enet_state *s)
152 {
153 qemu_set_irq(s->irq, (s->ris & s->im) != 0);
154 }
155
156 /* Return the data length of the packet currently being assembled
157 * in the TX fifo.
158 */
159 static inline int stellaris_txpacket_datalen(stellaris_enet_state *s)
160 {
161 return s->tx_fifo[0] | (s->tx_fifo[1] << 8);
162 }
163
164 /* Return true if the packet currently in the TX FIFO is complete,
165 * ie the FIFO holds enough bytes for the data length, ethernet header,
166 * payload and optionally CRC.
167 */
168 static inline bool stellaris_txpacket_complete(stellaris_enet_state *s)
169 {
170 int framelen = stellaris_txpacket_datalen(s);
171 framelen += 16;
172 if (!(s->tctl & SE_TCTL_CRC)) {
173 framelen += 4;
174 }
175 /* Cover the corner case of a 2032 byte payload with auto-CRC disabled:
176 * this requires more bytes than will fit in the FIFO. It's not totally
177 * clear how the h/w handles this, but if using threshold-based TX
178 * it will definitely try to transmit something.
179 */
180 framelen = MIN(framelen, ARRAY_SIZE(s->tx_fifo));
181 return s->tx_fifo_len >= framelen;
182 }
183
184 /* Return true if the TX FIFO threshold is enabled and the FIFO
185 * has filled enough to reach it.
186 */
187 static inline bool stellaris_tx_thr_reached(stellaris_enet_state *s)
188 {
189 return (s->thr < 0x3f &&
190 (s->tx_fifo_len >= 4 * (s->thr * 8 + 1)));
191 }
192
193 /* Send the packet currently in the TX FIFO */
194 static void stellaris_enet_send(stellaris_enet_state *s)
195 {
196 int framelen = stellaris_txpacket_datalen(s);
197
198 /* Ethernet header is in the FIFO but not in the datacount.
199 * We don't implement explicit CRC, so just ignore any
200 * CRC value in the FIFO.
201 */
202 framelen += 14;
203 if ((s->tctl & SE_TCTL_PADEN) && framelen < 60) {
204 memset(&s->tx_fifo[framelen + 2], 0, 60 - framelen);
205 framelen = 60;
206 }
207 /* This MIN will have no effect unless the FIFO data is corrupt
208 * (eg bad data from an incoming migration); otherwise the check
209 * on the datalen at the start of writing the data into the FIFO
210 * will have caught this. Silently write a corrupt half-packet,
211 * which is what the hardware does in FIFO underrun situations.
212 */
213 framelen = MIN(framelen, ARRAY_SIZE(s->tx_fifo) - 2);
214 qemu_send_packet(qemu_get_queue(s->nic), s->tx_fifo + 2, framelen);
215 s->tx_fifo_len = 0;
216 s->ris |= SE_INT_TXEMP;
217 stellaris_enet_update(s);
218 DPRINTF("Done TX\n");
219 }
220
221 /* TODO: Implement MAC address filtering. */
222 static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, size_t size)
223 {
224 stellaris_enet_state *s = qemu_get_nic_opaque(nc);
225 int n;
226 uint8_t *p;
227 uint32_t crc;
228
229 if ((s->rctl & SE_RCTL_RXEN) == 0)
230 return -1;
231 if (s->np >= 31) {
232 return 0;
233 }
234
235 DPRINTF("Received packet len=%zu\n", size);
236 n = s->next_packet + s->np;
237 if (n >= 31)
238 n -= 31;
239
240 if (size >= sizeof(s->rx[n].data) - 6) {
241 /* If the packet won't fit into the
242 * emulated 2K RAM, this is reported
243 * as a FIFO overrun error.
244 */
245 s->ris |= SE_INT_FOV;
246 stellaris_enet_update(s);
247 return -1;
248 }
249
250 s->np++;
251 s->rx[n].len = size + 6;
252 p = s->rx[n].data;
253 *(p++) = (size + 6);
254 *(p++) = (size + 6) >> 8;
255 memcpy (p, buf, size);
256 p += size;
257 crc = crc32(~0, buf, size);
258 *(p++) = crc;
259 *(p++) = crc >> 8;
260 *(p++) = crc >> 16;
261 *(p++) = crc >> 24;
262 /* Clear the remaining bytes in the last word. */
263 if ((size & 3) != 2) {
264 memset(p, 0, (6 - size) & 3);
265 }
266
267 s->ris |= SE_INT_RX;
268 stellaris_enet_update(s);
269
270 return size;
271 }
272
273 static int stellaris_enet_can_receive(stellaris_enet_state *s)
274 {
275 return (s->np < 31);
276 }
277
278 static uint64_t stellaris_enet_read(void *opaque, hwaddr offset,
279 unsigned size)
280 {
281 stellaris_enet_state *s = (stellaris_enet_state *)opaque;
282 uint32_t val;
283
284 switch (offset) {
285 case 0x00: /* RIS */
286 DPRINTF("IRQ status %02x\n", s->ris);
287 return s->ris;
288 case 0x04: /* IM */
289 return s->im;
290 case 0x08: /* RCTL */
291 return s->rctl;
292 case 0x0c: /* TCTL */
293 return s->tctl;
294 case 0x10: /* DATA */
295 {
296 uint8_t *rx_fifo;
297
298 if (s->np == 0) {
299 BADF("RX underflow\n");
300 return 0;
301 }
302
303 rx_fifo = s->rx[s->next_packet].data + s->rx_fifo_offset;
304
305 val = rx_fifo[0] | (rx_fifo[1] << 8) | (rx_fifo[2] << 16)
306 | (rx_fifo[3] << 24);
307 s->rx_fifo_offset += 4;
308 if (s->rx_fifo_offset >= s->rx[s->next_packet].len) {
309 s->rx_fifo_offset = 0;
310 s->next_packet++;
311 if (s->next_packet >= 31)
312 s->next_packet = 0;
313 s->np--;
314 DPRINTF("RX done np=%d\n", s->np);
315 if (!s->np && stellaris_enet_can_receive(s)) {
316 qemu_flush_queued_packets(qemu_get_queue(s->nic));
317 }
318 }
319 return val;
320 }
321 case 0x14: /* IA0 */
322 return s->conf.macaddr.a[0] | (s->conf.macaddr.a[1] << 8)
323 | (s->conf.macaddr.a[2] << 16)
324 | ((uint32_t)s->conf.macaddr.a[3] << 24);
325 case 0x18: /* IA1 */
326 return s->conf.macaddr.a[4] | (s->conf.macaddr.a[5] << 8);
327 case 0x1c: /* THR */
328 return s->thr;
329 case 0x20: /* MCTL */
330 return s->mctl;
331 case 0x24: /* MDV */
332 return s->mdv;
333 case 0x28: /* MADD */
334 return 0;
335 case 0x2c: /* MTXD */
336 return s->mtxd;
337 case 0x30: /* MRXD */
338 return s->mrxd;
339 case 0x34: /* NP */
340 return s->np;
341 case 0x38: /* TR */
342 return 0;
343 case 0x3c: /* Undocuented: Timestamp? */
344 return 0;
345 default:
346 hw_error("stellaris_enet_read: Bad offset %x\n", (int)offset);
347 return 0;
348 }
349 }
350
351 static void stellaris_enet_write(void *opaque, hwaddr offset,
352 uint64_t value, unsigned size)
353 {
354 stellaris_enet_state *s = (stellaris_enet_state *)opaque;
355
356 switch (offset) {
357 case 0x00: /* IACK */
358 s->ris &= ~value;
359 DPRINTF("IRQ ack %02" PRIx64 "/%02x\n", value, s->ris);
360 stellaris_enet_update(s);
361 /* Clearing TXER also resets the TX fifo. */
362 if (value & SE_INT_TXER) {
363 s->tx_fifo_len = 0;
364 }
365 break;
366 case 0x04: /* IM */
367 DPRINTF("IRQ mask %02" PRIx64 "/%02x\n", value, s->ris);
368 s->im = value;
369 stellaris_enet_update(s);
370 break;
371 case 0x08: /* RCTL */
372 s->rctl = value;
373 if (value & SE_RCTL_RSTFIFO) {
374 s->np = 0;
375 s->rx_fifo_offset = 0;
376 stellaris_enet_update(s);
377 }
378 break;
379 case 0x0c: /* TCTL */
380 s->tctl = value;
381 break;
382 case 0x10: /* DATA */
383 if (s->tx_fifo_len == 0) {
384 /* The first word is special, it contains the data length */
385 int framelen = value & 0xffff;
386 if (framelen > 2032) {
387 DPRINTF("TX frame too long (%d)\n", framelen);
388 s->ris |= SE_INT_TXER;
389 stellaris_enet_update(s);
390 break;
391 }
392 }
393
394 if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) {
395 s->tx_fifo[s->tx_fifo_len++] = value;
396 s->tx_fifo[s->tx_fifo_len++] = value >> 8;
397 s->tx_fifo[s->tx_fifo_len++] = value >> 16;
398 s->tx_fifo[s->tx_fifo_len++] = value >> 24;
399 }
400
401 if (stellaris_tx_thr_reached(s) && stellaris_txpacket_complete(s)) {
402 stellaris_enet_send(s);
403 }
404 break;
405 case 0x14: /* IA0 */
406 s->conf.macaddr.a[0] = value;
407 s->conf.macaddr.a[1] = value >> 8;
408 s->conf.macaddr.a[2] = value >> 16;
409 s->conf.macaddr.a[3] = value >> 24;
410 break;
411 case 0x18: /* IA1 */
412 s->conf.macaddr.a[4] = value;
413 s->conf.macaddr.a[5] = value >> 8;
414 break;
415 case 0x1c: /* THR */
416 s->thr = value;
417 break;
418 case 0x20: /* MCTL */
419 s->mctl = value;
420 break;
421 case 0x24: /* MDV */
422 s->mdv = value;
423 break;
424 case 0x28: /* MADD */
425 /* ignored. */
426 break;
427 case 0x2c: /* MTXD */
428 s->mtxd = value & 0xff;
429 break;
430 case 0x38: /* TR */
431 if (value & 1) {
432 stellaris_enet_send(s);
433 }
434 break;
435 case 0x30: /* MRXD */
436 case 0x34: /* NP */
437 /* Ignored. */
438 case 0x3c: /* Undocuented: Timestamp? */
439 /* Ignored. */
440 break;
441 default:
442 hw_error("stellaris_enet_write: Bad offset %x\n", (int)offset);
443 }
444 }
445
446 static const MemoryRegionOps stellaris_enet_ops = {
447 .read = stellaris_enet_read,
448 .write = stellaris_enet_write,
449 .endianness = DEVICE_NATIVE_ENDIAN,
450 };
451
452 static void stellaris_enet_reset(stellaris_enet_state *s)
453 {
454 s->mdv = 0x80;
455 s->rctl = SE_RCTL_BADCRC;
456 s->im = SE_INT_PHY | SE_INT_MD | SE_INT_RXER | SE_INT_FOV | SE_INT_TXEMP
457 | SE_INT_TXER | SE_INT_RX;
458 s->thr = 0x3f;
459 s->tx_fifo_len = 0;
460 }
461
462 static NetClientInfo net_stellaris_enet_info = {
463 .type = NET_CLIENT_OPTIONS_KIND_NIC,
464 .size = sizeof(NICState),
465 .receive = stellaris_enet_receive,
466 };
467
468 static int stellaris_enet_init(SysBusDevice *sbd)
469 {
470 DeviceState *dev = DEVICE(sbd);
471 stellaris_enet_state *s = STELLARIS_ENET(dev);
472
473 memory_region_init_io(&s->mmio, OBJECT(s), &stellaris_enet_ops, s,
474 "stellaris_enet", 0x1000);
475 sysbus_init_mmio(sbd, &s->mmio);
476 sysbus_init_irq(sbd, &s->irq);
477 qemu_macaddr_default_if_unset(&s->conf.macaddr);
478
479 s->nic = qemu_new_nic(&net_stellaris_enet_info, &s->conf,
480 object_get_typename(OBJECT(dev)), dev->id, s);
481 qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
482
483 stellaris_enet_reset(s);
484 return 0;
485 }
486
487 static Property stellaris_enet_properties[] = {
488 DEFINE_NIC_PROPERTIES(stellaris_enet_state, conf),
489 DEFINE_PROP_END_OF_LIST(),
490 };
491
492 static void stellaris_enet_class_init(ObjectClass *klass, void *data)
493 {
494 DeviceClass *dc = DEVICE_CLASS(klass);
495 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
496
497 k->init = stellaris_enet_init;
498 dc->props = stellaris_enet_properties;
499 dc->vmsd = &vmstate_stellaris_enet;
500 }
501
502 static const TypeInfo stellaris_enet_info = {
503 .name = TYPE_STELLARIS_ENET,
504 .parent = TYPE_SYS_BUS_DEVICE,
505 .instance_size = sizeof(stellaris_enet_state),
506 .class_init = stellaris_enet_class_init,
507 };
508
509 static void stellaris_enet_register_types(void)
510 {
511 type_register_static(&stellaris_enet_info);
512 }
513
514 type_init(stellaris_enet_register_types)
AR7 emulation for QEMU