search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
esp: check dma length before reading scsi command(CVE-2016-4441)
[qemu/ar7.git] / hw / arm / bcm2835_peripherals.c
blob234d5184300bcafda2a4a55e27c9c37c009cbebc
1 /*
2 * Raspberry Pi emulation (c) 2012 Gregory Estrade
3 * Upstreaming code cleanup [including bcm2835_*] (c) 2013 Jan Petrous
4 *
5 * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
6 * Written by Andrew Baumann
7 *
8 * This code is licensed under the GNU GPLv2 and later.
9 */
10
11 #include "qemu/osdep.h"
12 #include "qapi/error.h"
13 #include "hw/arm/bcm2835_peripherals.h"
14 #include "hw/misc/bcm2835_mbox_defs.h"
15 #include "hw/arm/raspi_platform.h"
16 #include "sysemu/char.h"
17
18 /* Peripheral base address on the VC (GPU) system bus */
19 #define BCM2835_VC_PERI_BASE 0x7e000000
20
21 /* Capabilities for SD controller: no DMA, high-speed, default clocks etc. */
22 #define BCM2835_SDHC_CAPAREG 0x52034b4
23
24 static void bcm2835_peripherals_init(Object *obj)
25 {
26 BCM2835PeripheralState *s = BCM2835_PERIPHERALS(obj);
27
28 /* Memory region for peripheral devices, which we export to our parent */
29 memory_region_init(&s->peri_mr, obj,"bcm2835-peripherals", 0x1000000);
30 object_property_add_child(obj, "peripheral-io", OBJECT(&s->peri_mr), NULL);
31 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->peri_mr);
32
33 /* Internal memory region for peripheral bus addresses (not exported) */
34 memory_region_init(&s->gpu_bus_mr, obj, "bcm2835-gpu", (uint64_t)1 << 32);
35 object_property_add_child(obj, "gpu-bus", OBJECT(&s->gpu_bus_mr), NULL);
36
37 /* Internal memory region for request/response communication with
38 * mailbox-addressable peripherals (not exported)
39 */
40 memory_region_init(&s->mbox_mr, obj, "bcm2835-mbox",
41 MBOX_CHAN_COUNT << MBOX_AS_CHAN_SHIFT);
42
43 /* Interrupt Controller */
44 object_initialize(&s->ic, sizeof(s->ic), TYPE_BCM2835_IC);
45 object_property_add_child(obj, "ic", OBJECT(&s->ic), NULL);
46 qdev_set_parent_bus(DEVICE(&s->ic), sysbus_get_default());
47
48 /* UART0 */
49 s->uart0 = SYS_BUS_DEVICE(object_new("pl011"));
50 object_property_add_child(obj, "uart0", OBJECT(s->uart0), NULL);
51 qdev_set_parent_bus(DEVICE(s->uart0), sysbus_get_default());
52
53 /* AUX / UART1 */
54 object_initialize(&s->aux, sizeof(s->aux), TYPE_BCM2835_AUX);
55 object_property_add_child(obj, "aux", OBJECT(&s->aux), NULL);
56 qdev_set_parent_bus(DEVICE(&s->aux), sysbus_get_default());
57
58 /* Mailboxes */
59 object_initialize(&s->mboxes, sizeof(s->mboxes), TYPE_BCM2835_MBOX);
60 object_property_add_child(obj, "mbox", OBJECT(&s->mboxes), NULL);
61 qdev_set_parent_bus(DEVICE(&s->mboxes), sysbus_get_default());
62
63 object_property_add_const_link(OBJECT(&s->mboxes), "mbox-mr",
64 OBJECT(&s->mbox_mr), &error_abort);
65
66 /* Framebuffer */
67 object_initialize(&s->fb, sizeof(s->fb), TYPE_BCM2835_FB);
68 object_property_add_child(obj, "fb", OBJECT(&s->fb), NULL);
69 object_property_add_alias(obj, "vcram-size", OBJECT(&s->fb), "vcram-size",
70 &error_abort);
71 qdev_set_parent_bus(DEVICE(&s->fb), sysbus_get_default());
72
73 object_property_add_const_link(OBJECT(&s->fb), "dma-mr",
74 OBJECT(&s->gpu_bus_mr), &error_abort);
75
76 /* Property channel */
77 object_initialize(&s->property, sizeof(s->property), TYPE_BCM2835_PROPERTY);
78 object_property_add_child(obj, "property", OBJECT(&s->property), NULL);
79 object_property_add_alias(obj, "board-rev", OBJECT(&s->property),
80 "board-rev", &error_abort);
81 qdev_set_parent_bus(DEVICE(&s->property), sysbus_get_default());
82
83 object_property_add_const_link(OBJECT(&s->property), "fb",
84 OBJECT(&s->fb), &error_abort);
85 object_property_add_const_link(OBJECT(&s->property), "dma-mr",
86 OBJECT(&s->gpu_bus_mr), &error_abort);
87
88 /* Extended Mass Media Controller */
89 object_initialize(&s->sdhci, sizeof(s->sdhci), TYPE_SYSBUS_SDHCI);
90 object_property_add_child(obj, "sdhci", OBJECT(&s->sdhci), NULL);
91 qdev_set_parent_bus(DEVICE(&s->sdhci), sysbus_get_default());
92
93 /* DMA Channels */
94 object_initialize(&s->dma, sizeof(s->dma), TYPE_BCM2835_DMA);
95 object_property_add_child(obj, "dma", OBJECT(&s->dma), NULL);
96 qdev_set_parent_bus(DEVICE(&s->dma), sysbus_get_default());
97
98 object_property_add_const_link(OBJECT(&s->dma), "dma-mr",
99 OBJECT(&s->gpu_bus_mr), &error_abort);
100 }
101
102 static void bcm2835_peripherals_realize(DeviceState *dev, Error **errp)
103 {
104 BCM2835PeripheralState *s = BCM2835_PERIPHERALS(dev);
105 Object *obj;
106 MemoryRegion *ram;
107 Error *err = NULL;
108 uint32_t ram_size, vcram_size;
109 CharDriverState *chr;
110 int n;
111
112 obj = object_property_get_link(OBJECT(dev), "ram", &err);
113 if (obj == NULL) {
114 error_setg(errp, "%s: required ram link not found: %s",
115 __func__, error_get_pretty(err));
116 return;
117 }
118
119 ram = MEMORY_REGION(obj);
120 ram_size = memory_region_size(ram);
121
122 /* Map peripherals and RAM into the GPU address space. */
123 memory_region_init_alias(&s->peri_mr_alias, OBJECT(s),
124 "bcm2835-peripherals", &s->peri_mr, 0,
125 memory_region_size(&s->peri_mr));
126
127 memory_region_add_subregion_overlap(&s->gpu_bus_mr, BCM2835_VC_PERI_BASE,
128 &s->peri_mr_alias, 1);
129
130 /* RAM is aliased four times (different cache configurations) on the GPU */
131 for (n = 0; n < 4; n++) {
132 memory_region_init_alias(&s->ram_alias[n], OBJECT(s),
133 "bcm2835-gpu-ram-alias[*]", ram, 0, ram_size);
134 memory_region_add_subregion_overlap(&s->gpu_bus_mr, (hwaddr)n << 30,
135 &s->ram_alias[n], 0);
136 }
137
138 /* Interrupt Controller */
139 object_property_set_bool(OBJECT(&s->ic), true, "realized", &err);
140 if (err) {
141 error_propagate(errp, err);
142 return;
143 }
144
145 memory_region_add_subregion(&s->peri_mr, ARMCTRL_IC_OFFSET,
146 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->ic), 0));
147 sysbus_pass_irq(SYS_BUS_DEVICE(s), SYS_BUS_DEVICE(&s->ic));
148
149 /* UART0 */
150 object_property_set_bool(OBJECT(s->uart0), true, "realized", &err);
151 if (err) {
152 error_propagate(errp, err);
153 return;
154 }
155
156 memory_region_add_subregion(&s->peri_mr, UART0_OFFSET,
157 sysbus_mmio_get_region(s->uart0, 0));
158 sysbus_connect_irq(s->uart0, 0,
159 qdev_get_gpio_in_named(DEVICE(&s->ic), BCM2835_IC_GPU_IRQ,
160 INTERRUPT_UART));
161
162 /* AUX / UART1 */
163 /* TODO: don't call qemu_char_get_next_serial() here, instead set
164 * chardev properties for each uart at the board level, once pl011
165 * (uart0) has been updated to avoid qemu_char_get_next_serial()
166 */
167 chr = qemu_char_get_next_serial();
168 if (chr == NULL) {
169 chr = qemu_chr_new("bcm2835.uart1", "null", NULL);
170 }
171 qdev_prop_set_chr(DEVICE(&s->aux), "chardev", chr);
172
173 object_property_set_bool(OBJECT(&s->aux), true, "realized", &err);
174 if (err) {
175 error_propagate(errp, err);
176 return;
177 }
178
179 memory_region_add_subregion(&s->peri_mr, UART1_OFFSET,
180 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->aux), 0));
181 sysbus_connect_irq(SYS_BUS_DEVICE(&s->aux), 0,
182 qdev_get_gpio_in_named(DEVICE(&s->ic), BCM2835_IC_GPU_IRQ,
183 INTERRUPT_AUX));
184
185 /* Mailboxes */
186 object_property_set_bool(OBJECT(&s->mboxes), true, "realized", &err);
187 if (err) {
188 error_propagate(errp, err);
189 return;
190 }
191
192 memory_region_add_subregion(&s->peri_mr, ARMCTRL_0_SBM_OFFSET,
193 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->mboxes), 0));
194 sysbus_connect_irq(SYS_BUS_DEVICE(&s->mboxes), 0,
195 qdev_get_gpio_in_named(DEVICE(&s->ic), BCM2835_IC_ARM_IRQ,
196 INTERRUPT_ARM_MAILBOX));
197
198 /* Framebuffer */
199 vcram_size = (uint32_t)object_property_get_int(OBJECT(s), "vcram-size",
200 &err);
201 if (err) {
202 error_propagate(errp, err);
203 return;
204 }
205
206 object_property_set_int(OBJECT(&s->fb), ram_size - vcram_size,
207 "vcram-base", &err);
208 if (err) {
209 error_propagate(errp, err);
210 return;
211 }
212
213 object_property_set_bool(OBJECT(&s->fb), true, "realized", &err);
214 if (err) {
215 error_propagate(errp, err);
216 return;
217 }
218
219 memory_region_add_subregion(&s->mbox_mr, MBOX_CHAN_FB << MBOX_AS_CHAN_SHIFT,
220 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->fb), 0));
221 sysbus_connect_irq(SYS_BUS_DEVICE(&s->fb), 0,
222 qdev_get_gpio_in(DEVICE(&s->mboxes), MBOX_CHAN_FB));
223
224 /* Property channel */
225 object_property_set_bool(OBJECT(&s->property), true, "realized", &err);
226 if (err) {
227 error_propagate(errp, err);
228 return;
229 }
230
231 memory_region_add_subregion(&s->mbox_mr,
232 MBOX_CHAN_PROPERTY << MBOX_AS_CHAN_SHIFT,
233 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->property), 0));
234 sysbus_connect_irq(SYS_BUS_DEVICE(&s->property), 0,
235 qdev_get_gpio_in(DEVICE(&s->mboxes), MBOX_CHAN_PROPERTY));
236
237 /* Extended Mass Media Controller */
238 object_property_set_int(OBJECT(&s->sdhci), BCM2835_SDHC_CAPAREG, "capareg",
239 &err);
240 if (err) {
241 error_propagate(errp, err);
242 return;
243 }
244
245 object_property_set_bool(OBJECT(&s->sdhci), true, "pending-insert-quirk",
246 &err);
247 if (err) {
248 error_propagate(errp, err);
249 return;
250 }
251
252 object_property_set_bool(OBJECT(&s->sdhci), true, "realized", &err);
253 if (err) {
254 error_propagate(errp, err);
255 return;
256 }
257
258 memory_region_add_subregion(&s->peri_mr, EMMC_OFFSET,
259 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->sdhci), 0));
260 sysbus_connect_irq(SYS_BUS_DEVICE(&s->sdhci), 0,
261 qdev_get_gpio_in_named(DEVICE(&s->ic), BCM2835_IC_GPU_IRQ,
262 INTERRUPT_ARASANSDIO));
263 object_property_add_alias(OBJECT(s), "sd-bus", OBJECT(&s->sdhci), "sd-bus",
264 &err);
265 if (err) {
266 error_propagate(errp, err);
267 return;
268 }
269
270 /* DMA Channels */
271 object_property_set_bool(OBJECT(&s->dma), true, "realized", &err);
272 if (err) {
273 error_propagate(errp, err);
274 return;
275 }
276
277 memory_region_add_subregion(&s->peri_mr, DMA_OFFSET,
278 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->dma), 0));
279 memory_region_add_subregion(&s->peri_mr, DMA15_OFFSET,
280 sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->dma), 1));
281
282 for (n = 0; n <= 12; n++) {
283 sysbus_connect_irq(SYS_BUS_DEVICE(&s->dma), n,
284 qdev_get_gpio_in_named(DEVICE(&s->ic),
285 BCM2835_IC_GPU_IRQ,
286 INTERRUPT_DMA0 + n));
287 }
288 }
289
290 static void bcm2835_peripherals_class_init(ObjectClass *oc, void *data)
291 {
292 DeviceClass *dc = DEVICE_CLASS(oc);
293
294 dc->realize = bcm2835_peripherals_realize;
295 /* Reason: realize() method uses qemu_char_get_next_serial() */
296 dc->cannot_instantiate_with_device_add_yet = true;
297 }
298
299 static const TypeInfo bcm2835_peripherals_type_info = {
300 .name = TYPE_BCM2835_PERIPHERALS,
301 .parent = TYPE_SYS_BUS_DEVICE,
302 .instance_size = sizeof(BCM2835PeripheralState),
303 .instance_init = bcm2835_peripherals_init,
304 .class_init = bcm2835_peripherals_class_init,
305 };
306
307 static void bcm2835_peripherals_register_types(void)
308 {
309 type_register_static(&bcm2835_peripherals_type_info);
310 }
311
312 type_init(bcm2835_peripherals_register_types)
AR7 emulation for QEMU