search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
esp: check dma length before reading scsi command(CVE-2016-4441)
[qemu/ar7.git] / hw / arm / musicpal.c
blob7a4cc07dd51039b657c60e062a46c88c0a609546
1 /*
2 * Marvell MV88W8618 / Freecom MusicPal emulation.
3 *
4 * Copyright (c) 2008 Jan Kiszka
5 *
6 * This code is licensed under the GNU GPL v2.
7 *
8 * Contributions after 2012-01-13 are licensed under the terms of the
9 * GNU GPL, version 2 or (at your option) any later version.
10 */
11
12 #include "qemu/osdep.h"
13 #include "qapi/error.h"
14 #include "qemu-common.h"
15 #include "cpu.h"
16 #include "hw/sysbus.h"
17 #include "hw/arm/arm.h"
18 #include "hw/devices.h"
19 #include "net/net.h"
20 #include "sysemu/sysemu.h"
21 #include "hw/boards.h"
22 #include "hw/char/serial.h"
23 #include "qemu/timer.h"
24 #include "hw/ptimer.h"
25 #include "hw/block/flash.h"
26 #include "ui/console.h"
27 #include "hw/i2c/i2c.h"
28 #include "sysemu/block-backend.h"
29 #include "exec/address-spaces.h"
30 #include "ui/pixel_ops.h"
31
32 #define MP_MISC_BASE 0x80002000
33 #define MP_MISC_SIZE 0x00001000
34
35 #define MP_ETH_BASE 0x80008000
36 #define MP_ETH_SIZE 0x00001000
37
38 #define MP_WLAN_BASE 0x8000C000
39 #define MP_WLAN_SIZE 0x00000800
40
41 #define MP_UART1_BASE 0x8000C840
42 #define MP_UART2_BASE 0x8000C940
43
44 #define MP_GPIO_BASE 0x8000D000
45 #define MP_GPIO_SIZE 0x00001000
46
47 #define MP_FLASHCFG_BASE 0x90006000
48 #define MP_FLASHCFG_SIZE 0x00001000
49
50 #define MP_AUDIO_BASE 0x90007000
51
52 #define MP_PIC_BASE 0x90008000
53 #define MP_PIC_SIZE 0x00001000
54
55 #define MP_PIT_BASE 0x90009000
56 #define MP_PIT_SIZE 0x00001000
57
58 #define MP_LCD_BASE 0x9000c000
59 #define MP_LCD_SIZE 0x00001000
60
61 #define MP_SRAM_BASE 0xC0000000
62 #define MP_SRAM_SIZE 0x00020000
63
64 #define MP_RAM_DEFAULT_SIZE 32*1024*1024
65 #define MP_FLASH_SIZE_MAX 32*1024*1024
66
67 #define MP_TIMER1_IRQ 4
68 #define MP_TIMER2_IRQ 5
69 #define MP_TIMER3_IRQ 6
70 #define MP_TIMER4_IRQ 7
71 #define MP_EHCI_IRQ 8
72 #define MP_ETH_IRQ 9
73 #define MP_UART1_IRQ 11
74 #define MP_UART2_IRQ 11
75 #define MP_GPIO_IRQ 12
76 #define MP_RTC_IRQ 28
77 #define MP_AUDIO_IRQ 30
78
79 /* Wolfson 8750 I2C address */
80 #define MP_WM_ADDR 0x1A
81
82 /* Ethernet register offsets */
83 #define MP_ETH_SMIR 0x010
84 #define MP_ETH_PCXR 0x408
85 #define MP_ETH_SDCMR 0x448
86 #define MP_ETH_ICR 0x450
87 #define MP_ETH_IMR 0x458
88 #define MP_ETH_FRDP0 0x480
89 #define MP_ETH_FRDP1 0x484
90 #define MP_ETH_FRDP2 0x488
91 #define MP_ETH_FRDP3 0x48C
92 #define MP_ETH_CRDP0 0x4A0
93 #define MP_ETH_CRDP1 0x4A4
94 #define MP_ETH_CRDP2 0x4A8
95 #define MP_ETH_CRDP3 0x4AC
96 #define MP_ETH_CTDP0 0x4E0
97 #define MP_ETH_CTDP1 0x4E4
98
99 /* MII PHY access */
100 #define MP_ETH_SMIR_DATA 0x0000FFFF
101 #define MP_ETH_SMIR_ADDR 0x03FF0000
102 #define MP_ETH_SMIR_OPCODE (1 << 26) /* Read value */
103 #define MP_ETH_SMIR_RDVALID (1 << 27)
104
105 /* PHY registers */
106 #define MP_ETH_PHY1_BMSR 0x00210000
107 #define MP_ETH_PHY1_PHYSID1 0x00410000
108 #define MP_ETH_PHY1_PHYSID2 0x00610000
109
110 #define MP_PHY_BMSR_LINK 0x0004
111 #define MP_PHY_BMSR_AUTONEG 0x0008
112
113 #define MP_PHY_88E3015 0x01410E20
114
115 /* TX descriptor status */
116 #define MP_ETH_TX_OWN (1U << 31)
117
118 /* RX descriptor status */
119 #define MP_ETH_RX_OWN (1U << 31)
120
121 /* Interrupt cause/mask bits */
122 #define MP_ETH_IRQ_RX_BIT 0
123 #define MP_ETH_IRQ_RX (1 << MP_ETH_IRQ_RX_BIT)
124 #define MP_ETH_IRQ_TXHI_BIT 2
125 #define MP_ETH_IRQ_TXLO_BIT 3
126
127 /* Port config bits */
128 #define MP_ETH_PCXR_2BSM_BIT 28 /* 2-byte incoming suffix */
129
130 /* SDMA command bits */
131 #define MP_ETH_CMD_TXHI (1 << 23)
132 #define MP_ETH_CMD_TXLO (1 << 22)
133
134 typedef struct mv88w8618_tx_desc {
135 uint32_t cmdstat;
136 uint16_t res;
137 uint16_t bytes;
138 uint32_t buffer;
139 uint32_t next;
140 } mv88w8618_tx_desc;
141
142 typedef struct mv88w8618_rx_desc {
143 uint32_t cmdstat;
144 uint16_t bytes;
145 uint16_t buffer_size;
146 uint32_t buffer;
147 uint32_t next;
148 } mv88w8618_rx_desc;
149
150 #define TYPE_MV88W8618_ETH "mv88w8618_eth"
151 #define MV88W8618_ETH(obj) \
152 OBJECT_CHECK(mv88w8618_eth_state, (obj), TYPE_MV88W8618_ETH)
153
154 typedef struct mv88w8618_eth_state {
155 /*< private >*/
156 SysBusDevice parent_obj;
157 /*< public >*/
158
159 MemoryRegion iomem;
160 qemu_irq irq;
161 uint32_t smir;
162 uint32_t icr;
163 uint32_t imr;
164 int mmio_index;
165 uint32_t vlan_header;
166 uint32_t tx_queue[2];
167 uint32_t rx_queue[4];
168 uint32_t frx_queue[4];
169 uint32_t cur_rx[4];
170 NICState *nic;
171 NICConf conf;
172 } mv88w8618_eth_state;
173
174 static void eth_rx_desc_put(uint32_t addr, mv88w8618_rx_desc *desc)
175 {
176 cpu_to_le32s(&desc->cmdstat);
177 cpu_to_le16s(&desc->bytes);
178 cpu_to_le16s(&desc->buffer_size);
179 cpu_to_le32s(&desc->buffer);
180 cpu_to_le32s(&desc->next);
181 cpu_physical_memory_write(addr, desc, sizeof(*desc));
182 }
183
184 static void eth_rx_desc_get(uint32_t addr, mv88w8618_rx_desc *desc)
185 {
186 cpu_physical_memory_read(addr, desc, sizeof(*desc));
187 le32_to_cpus(&desc->cmdstat);
188 le16_to_cpus(&desc->bytes);
189 le16_to_cpus(&desc->buffer_size);
190 le32_to_cpus(&desc->buffer);
191 le32_to_cpus(&desc->next);
192 }
193
194 static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
195 {
196 mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
197 uint32_t desc_addr;
198 mv88w8618_rx_desc desc;
199 int i;
200
201 for (i = 0; i < 4; i++) {
202 desc_addr = s->cur_rx[i];
203 if (!desc_addr) {
204 continue;
205 }
206 do {
207 eth_rx_desc_get(desc_addr, &desc);
208 if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
209 cpu_physical_memory_write(desc.buffer + s->vlan_header,
210 buf, size);
211 desc.bytes = size + s->vlan_header;
212 desc.cmdstat &= ~MP_ETH_RX_OWN;
213 s->cur_rx[i] = desc.next;
214
215 s->icr |= MP_ETH_IRQ_RX;
216 if (s->icr & s->imr) {
217 qemu_irq_raise(s->irq);
218 }
219 eth_rx_desc_put(desc_addr, &desc);
220 return size;
221 }
222 desc_addr = desc.next;
223 } while (desc_addr != s->rx_queue[i]);
224 }
225 return size;
226 }
227
228 static void eth_tx_desc_put(uint32_t addr, mv88w8618_tx_desc *desc)
229 {
230 cpu_to_le32s(&desc->cmdstat);
231 cpu_to_le16s(&desc->res);
232 cpu_to_le16s(&desc->bytes);
233 cpu_to_le32s(&desc->buffer);
234 cpu_to_le32s(&desc->next);
235 cpu_physical_memory_write(addr, desc, sizeof(*desc));
236 }
237
238 static void eth_tx_desc_get(uint32_t addr, mv88w8618_tx_desc *desc)
239 {
240 cpu_physical_memory_read(addr, desc, sizeof(*desc));
241 le32_to_cpus(&desc->cmdstat);
242 le16_to_cpus(&desc->res);
243 le16_to_cpus(&desc->bytes);
244 le32_to_cpus(&desc->buffer);
245 le32_to_cpus(&desc->next);
246 }
247
248 static void eth_send(mv88w8618_eth_state *s, int queue_index)
249 {
250 uint32_t desc_addr = s->tx_queue[queue_index];
251 mv88w8618_tx_desc desc;
252 uint32_t next_desc;
253 uint8_t buf[2048];
254 int len;
255
256 do {
257 eth_tx_desc_get(desc_addr, &desc);
258 next_desc = desc.next;
259 if (desc.cmdstat & MP_ETH_TX_OWN) {
260 len = desc.bytes;
261 if (len < 2048) {
262 cpu_physical_memory_read(desc.buffer, buf, len);
263 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
264 }
265 desc.cmdstat &= ~MP_ETH_TX_OWN;
266 s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
267 eth_tx_desc_put(desc_addr, &desc);
268 }
269 desc_addr = next_desc;
270 } while (desc_addr != s->tx_queue[queue_index]);
271 }
272
273 static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
274 unsigned size)
275 {
276 mv88w8618_eth_state *s = opaque;
277
278 switch (offset) {
279 case MP_ETH_SMIR:
280 if (s->smir & MP_ETH_SMIR_OPCODE) {
281 switch (s->smir & MP_ETH_SMIR_ADDR) {
282 case MP_ETH_PHY1_BMSR:
283 return MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG |
284 MP_ETH_SMIR_RDVALID;
285 case MP_ETH_PHY1_PHYSID1:
286 return (MP_PHY_88E3015 >> 16) | MP_ETH_SMIR_RDVALID;
287 case MP_ETH_PHY1_PHYSID2:
288 return (MP_PHY_88E3015 & 0xFFFF) | MP_ETH_SMIR_RDVALID;
289 default:
290 return MP_ETH_SMIR_RDVALID;
291 }
292 }
293 return 0;
294
295 case MP_ETH_ICR:
296 return s->icr;
297
298 case MP_ETH_IMR:
299 return s->imr;
300
301 case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
302 return s->frx_queue[(offset - MP_ETH_FRDP0)/4];
303
304 case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
305 return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
306
307 case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
308 return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
309
310 default:
311 return 0;
312 }
313 }
314
315 static void mv88w8618_eth_write(void *opaque, hwaddr offset,
316 uint64_t value, unsigned size)
317 {
318 mv88w8618_eth_state *s = opaque;
319
320 switch (offset) {
321 case MP_ETH_SMIR:
322 s->smir = value;
323 break;
324
325 case MP_ETH_PCXR:
326 s->vlan_header = ((value >> MP_ETH_PCXR_2BSM_BIT) & 1) * 2;
327 break;
328
329 case MP_ETH_SDCMR:
330 if (value & MP_ETH_CMD_TXHI) {
331 eth_send(s, 1);
332 }
333 if (value & MP_ETH_CMD_TXLO) {
334 eth_send(s, 0);
335 }
336 if (value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO) && s->icr & s->imr) {
337 qemu_irq_raise(s->irq);
338 }
339 break;
340
341 case MP_ETH_ICR:
342 s->icr &= value;
343 break;
344
345 case MP_ETH_IMR:
346 s->imr = value;
347 if (s->icr & s->imr) {
348 qemu_irq_raise(s->irq);
349 }
350 break;
351
352 case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
353 s->frx_queue[(offset - MP_ETH_FRDP0)/4] = value;
354 break;
355
356 case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
357 s->rx_queue[(offset - MP_ETH_CRDP0)/4] =
358 s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
359 break;
360
361 case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
362 s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
363 break;
364 }
365 }
366
367 static const MemoryRegionOps mv88w8618_eth_ops = {
368 .read = mv88w8618_eth_read,
369 .write = mv88w8618_eth_write,
370 .endianness = DEVICE_NATIVE_ENDIAN,
371 };
372
373 static void eth_cleanup(NetClientState *nc)
374 {
375 mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
376
377 s->nic = NULL;
378 }
379
380 static NetClientInfo net_mv88w8618_info = {
381 .type = NET_CLIENT_OPTIONS_KIND_NIC,
382 .size = sizeof(NICState),
383 .receive = eth_receive,
384 .cleanup = eth_cleanup,
385 };
386
387 static int mv88w8618_eth_init(SysBusDevice *sbd)
388 {
389 DeviceState *dev = DEVICE(sbd);
390 mv88w8618_eth_state *s = MV88W8618_ETH(dev);
391
392 sysbus_init_irq(sbd, &s->irq);
393 s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
394 object_get_typename(OBJECT(dev)), dev->id, s);
395 memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_eth_ops, s,
396 "mv88w8618-eth", MP_ETH_SIZE);
397 sysbus_init_mmio(sbd, &s->iomem);
398 return 0;
399 }
400
401 static const VMStateDescription mv88w8618_eth_vmsd = {
402 .name = "mv88w8618_eth",
403 .version_id = 1,
404 .minimum_version_id = 1,
405 .fields = (VMStateField[]) {
406 VMSTATE_UINT32(smir, mv88w8618_eth_state),
407 VMSTATE_UINT32(icr, mv88w8618_eth_state),
408 VMSTATE_UINT32(imr, mv88w8618_eth_state),
409 VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
410 VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
411 VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
412 VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
413 VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
414 VMSTATE_END_OF_LIST()
415 }
416 };
417
418 static Property mv88w8618_eth_properties[] = {
419 DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
420 DEFINE_PROP_END_OF_LIST(),
421 };
422
423 static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
424 {
425 DeviceClass *dc = DEVICE_CLASS(klass);
426 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
427
428 k->init = mv88w8618_eth_init;
429 dc->vmsd = &mv88w8618_eth_vmsd;
430 dc->props = mv88w8618_eth_properties;
431 }
432
433 static const TypeInfo mv88w8618_eth_info = {
434 .name = TYPE_MV88W8618_ETH,
435 .parent = TYPE_SYS_BUS_DEVICE,
436 .instance_size = sizeof(mv88w8618_eth_state),
437 .class_init = mv88w8618_eth_class_init,
438 };
439
440 /* LCD register offsets */
441 #define MP_LCD_IRQCTRL 0x180
442 #define MP_LCD_IRQSTAT 0x184
443 #define MP_LCD_SPICTRL 0x1ac
444 #define MP_LCD_INST 0x1bc
445 #define MP_LCD_DATA 0x1c0
446
447 /* Mode magics */
448 #define MP_LCD_SPI_DATA 0x00100011
449 #define MP_LCD_SPI_CMD 0x00104011
450 #define MP_LCD_SPI_INVALID 0x00000000
451
452 /* Commmands */
453 #define MP_LCD_INST_SETPAGE0 0xB0
454 /* ... */
455 #define MP_LCD_INST_SETPAGE7 0xB7
456
457 #define MP_LCD_TEXTCOLOR 0xe0e0ff /* RRGGBB */
458
459 #define TYPE_MUSICPAL_LCD "musicpal_lcd"
460 #define MUSICPAL_LCD(obj) \
461 OBJECT_CHECK(musicpal_lcd_state, (obj), TYPE_MUSICPAL_LCD)
462
463 typedef struct musicpal_lcd_state {
464 /*< private >*/
465 SysBusDevice parent_obj;
466 /*< public >*/
467
468 MemoryRegion iomem;
469 uint32_t brightness;
470 uint32_t mode;
471 uint32_t irqctrl;
472 uint32_t page;
473 uint32_t page_off;
474 QemuConsole *con;
475 uint8_t video_ram[128*64/8];
476 } musicpal_lcd_state;
477
478 static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
479 {
480 switch (s->brightness) {
481 case 7:
482 return col;
483 case 0:
484 return 0;
485 default:
486 return (col * s->brightness) / 7;
487 }
488 }
489
490 #define SET_LCD_PIXEL(depth, type) \
491 static inline void glue(set_lcd_pixel, depth) \
492 (musicpal_lcd_state *s, int x, int y, type col) \
493 { \
494 int dx, dy; \
495 DisplaySurface *surface = qemu_console_surface(s->con); \
496 type *pixel = &((type *) surface_data(surface))[(y * 128 * 3 + x) * 3]; \
497 \
498 for (dy = 0; dy < 3; dy++, pixel += 127 * 3) \
499 for (dx = 0; dx < 3; dx++, pixel++) \
500 *pixel = col; \
501 }
502 SET_LCD_PIXEL(8, uint8_t)
503 SET_LCD_PIXEL(16, uint16_t)
504 SET_LCD_PIXEL(32, uint32_t)
505
506 static void lcd_refresh(void *opaque)
507 {
508 musicpal_lcd_state *s = opaque;
509 DisplaySurface *surface = qemu_console_surface(s->con);
510 int x, y, col;
511
512 switch (surface_bits_per_pixel(surface)) {
513 case 0:
514 return;
515 #define LCD_REFRESH(depth, func) \
516 case depth: \
517 col = func(scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff), \
518 scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff), \
519 scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff)); \
520 for (x = 0; x < 128; x++) { \
521 for (y = 0; y < 64; y++) { \
522 if (s->video_ram[x + (y/8)*128] & (1 << (y % 8))) { \
523 glue(set_lcd_pixel, depth)(s, x, y, col); \
524 } else { \
525 glue(set_lcd_pixel, depth)(s, x, y, 0); \
526 } \
527 } \
528 } \
529 break;
530 LCD_REFRESH(8, rgb_to_pixel8)
531 LCD_REFRESH(16, rgb_to_pixel16)
532 LCD_REFRESH(32, (is_surface_bgr(surface) ?
533 rgb_to_pixel32bgr : rgb_to_pixel32))
534 default:
535 hw_error("unsupported colour depth %i\n",
536 surface_bits_per_pixel(surface));
537 }
538
539 dpy_gfx_update(s->con, 0, 0, 128*3, 64*3);
540 }
541
542 static void lcd_invalidate(void *opaque)
543 {
544 }
545
546 static void musicpal_lcd_gpio_brightness_in(void *opaque, int irq, int level)
547 {
548 musicpal_lcd_state *s = opaque;
549 s->brightness &= ~(1 << irq);
550 s->brightness |= level << irq;
551 }
552
553 static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
554 unsigned size)
555 {
556 musicpal_lcd_state *s = opaque;
557
558 switch (offset) {
559 case MP_LCD_IRQCTRL:
560 return s->irqctrl;
561
562 default:
563 return 0;
564 }
565 }
566
567 static void musicpal_lcd_write(void *opaque, hwaddr offset,
568 uint64_t value, unsigned size)
569 {
570 musicpal_lcd_state *s = opaque;
571
572 switch (offset) {
573 case MP_LCD_IRQCTRL:
574 s->irqctrl = value;
575 break;
576
577 case MP_LCD_SPICTRL:
578 if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
579 s->mode = value;
580 } else {
581 s->mode = MP_LCD_SPI_INVALID;
582 }
583 break;
584
585 case MP_LCD_INST:
586 if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
587 s->page = value - MP_LCD_INST_SETPAGE0;
588 s->page_off = 0;
589 }
590 break;
591
592 case MP_LCD_DATA:
593 if (s->mode == MP_LCD_SPI_CMD) {
594 if (value >= MP_LCD_INST_SETPAGE0 &&
595 value <= MP_LCD_INST_SETPAGE7) {
596 s->page = value - MP_LCD_INST_SETPAGE0;
597 s->page_off = 0;
598 }
599 } else if (s->mode == MP_LCD_SPI_DATA) {
600 s->video_ram[s->page*128 + s->page_off] = value;
601 s->page_off = (s->page_off + 1) & 127;
602 }
603 break;
604 }
605 }
606
607 static const MemoryRegionOps musicpal_lcd_ops = {
608 .read = musicpal_lcd_read,
609 .write = musicpal_lcd_write,
610 .endianness = DEVICE_NATIVE_ENDIAN,
611 };
612
613 static const GraphicHwOps musicpal_gfx_ops = {
614 .invalidate = lcd_invalidate,
615 .gfx_update = lcd_refresh,
616 };
617
618 static int musicpal_lcd_init(SysBusDevice *sbd)
619 {
620 DeviceState *dev = DEVICE(sbd);
621 musicpal_lcd_state *s = MUSICPAL_LCD(dev);
622
623 s->brightness = 7;
624
625 memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_lcd_ops, s,
626 "musicpal-lcd", MP_LCD_SIZE);
627 sysbus_init_mmio(sbd, &s->iomem);
628
629 s->con = graphic_console_init(dev, 0, &musicpal_gfx_ops, s);
630 qemu_console_resize(s->con, 128*3, 64*3);
631
632 qdev_init_gpio_in(dev, musicpal_lcd_gpio_brightness_in, 3);
633
634 return 0;
635 }
636
637 static const VMStateDescription musicpal_lcd_vmsd = {
638 .name = "musicpal_lcd",
639 .version_id = 1,
640 .minimum_version_id = 1,
641 .fields = (VMStateField[]) {
642 VMSTATE_UINT32(brightness, musicpal_lcd_state),
643 VMSTATE_UINT32(mode, musicpal_lcd_state),
644 VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
645 VMSTATE_UINT32(page, musicpal_lcd_state),
646 VMSTATE_UINT32(page_off, musicpal_lcd_state),
647 VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
648 VMSTATE_END_OF_LIST()
649 }
650 };
651
652 static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
653 {
654 DeviceClass *dc = DEVICE_CLASS(klass);
655 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
656
657 k->init = musicpal_lcd_init;
658 dc->vmsd = &musicpal_lcd_vmsd;
659 }
660
661 static const TypeInfo musicpal_lcd_info = {
662 .name = TYPE_MUSICPAL_LCD,
663 .parent = TYPE_SYS_BUS_DEVICE,
664 .instance_size = sizeof(musicpal_lcd_state),
665 .class_init = musicpal_lcd_class_init,
666 };
667
668 /* PIC register offsets */
669 #define MP_PIC_STATUS 0x00
670 #define MP_PIC_ENABLE_SET 0x08
671 #define MP_PIC_ENABLE_CLR 0x0C
672
673 #define TYPE_MV88W8618_PIC "mv88w8618_pic"
674 #define MV88W8618_PIC(obj) \
675 OBJECT_CHECK(mv88w8618_pic_state, (obj), TYPE_MV88W8618_PIC)
676
677 typedef struct mv88w8618_pic_state {
678 /*< private >*/
679 SysBusDevice parent_obj;
680 /*< public >*/
681
682 MemoryRegion iomem;
683 uint32_t level;
684 uint32_t enabled;
685 qemu_irq parent_irq;
686 } mv88w8618_pic_state;
687
688 static void mv88w8618_pic_update(mv88w8618_pic_state *s)
689 {
690 qemu_set_irq(s->parent_irq, (s->level & s->enabled));
691 }
692
693 static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
694 {
695 mv88w8618_pic_state *s = opaque;
696
697 if (level) {
698 s->level |= 1 << irq;
699 } else {
700 s->level &= ~(1 << irq);
701 }
702 mv88w8618_pic_update(s);
703 }
704
705 static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
706 unsigned size)
707 {
708 mv88w8618_pic_state *s = opaque;
709
710 switch (offset) {
711 case MP_PIC_STATUS:
712 return s->level & s->enabled;
713
714 default:
715 return 0;
716 }
717 }
718
719 static void mv88w8618_pic_write(void *opaque, hwaddr offset,
720 uint64_t value, unsigned size)
721 {
722 mv88w8618_pic_state *s = opaque;
723
724 switch (offset) {
725 case MP_PIC_ENABLE_SET:
726 s->enabled |= value;
727 break;
728
729 case MP_PIC_ENABLE_CLR:
730 s->enabled &= ~value;
731 s->level &= ~value;
732 break;
733 }
734 mv88w8618_pic_update(s);
735 }
736
737 static void mv88w8618_pic_reset(DeviceState *d)
738 {
739 mv88w8618_pic_state *s = MV88W8618_PIC(d);
740
741 s->level = 0;
742 s->enabled = 0;
743 }
744
745 static const MemoryRegionOps mv88w8618_pic_ops = {
746 .read = mv88w8618_pic_read,
747 .write = mv88w8618_pic_write,
748 .endianness = DEVICE_NATIVE_ENDIAN,
749 };
750
751 static int mv88w8618_pic_init(SysBusDevice *dev)
752 {
753 mv88w8618_pic_state *s = MV88W8618_PIC(dev);
754
755 qdev_init_gpio_in(DEVICE(dev), mv88w8618_pic_set_irq, 32);
756 sysbus_init_irq(dev, &s->parent_irq);
757 memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_pic_ops, s,
758 "musicpal-pic", MP_PIC_SIZE);
759 sysbus_init_mmio(dev, &s->iomem);
760 return 0;
761 }
762
763 static const VMStateDescription mv88w8618_pic_vmsd = {
764 .name = "mv88w8618_pic",
765 .version_id = 1,
766 .minimum_version_id = 1,
767 .fields = (VMStateField[]) {
768 VMSTATE_UINT32(level, mv88w8618_pic_state),
769 VMSTATE_UINT32(enabled, mv88w8618_pic_state),
770 VMSTATE_END_OF_LIST()
771 }
772 };
773
774 static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
775 {
776 DeviceClass *dc = DEVICE_CLASS(klass);
777 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
778
779 k->init = mv88w8618_pic_init;
780 dc->reset = mv88w8618_pic_reset;
781 dc->vmsd = &mv88w8618_pic_vmsd;
782 }
783
784 static const TypeInfo mv88w8618_pic_info = {
785 .name = TYPE_MV88W8618_PIC,
786 .parent = TYPE_SYS_BUS_DEVICE,
787 .instance_size = sizeof(mv88w8618_pic_state),
788 .class_init = mv88w8618_pic_class_init,
789 };
790
791 /* PIT register offsets */
792 #define MP_PIT_TIMER1_LENGTH 0x00
793 /* ... */
794 #define MP_PIT_TIMER4_LENGTH 0x0C
795 #define MP_PIT_CONTROL 0x10
796 #define MP_PIT_TIMER1_VALUE 0x14
797 /* ... */
798 #define MP_PIT_TIMER4_VALUE 0x20
799 #define MP_BOARD_RESET 0x34
800
801 /* Magic board reset value (probably some watchdog behind it) */
802 #define MP_BOARD_RESET_MAGIC 0x10000
803
804 typedef struct mv88w8618_timer_state {
805 ptimer_state *ptimer;
806 uint32_t limit;
807 int freq;
808 qemu_irq irq;
809 } mv88w8618_timer_state;
810
811 #define TYPE_MV88W8618_PIT "mv88w8618_pit"
812 #define MV88W8618_PIT(obj) \
813 OBJECT_CHECK(mv88w8618_pit_state, (obj), TYPE_MV88W8618_PIT)
814
815 typedef struct mv88w8618_pit_state {
816 /*< private >*/
817 SysBusDevice parent_obj;
818 /*< public >*/
819
820 MemoryRegion iomem;
821 mv88w8618_timer_state timer[4];
822 } mv88w8618_pit_state;
823
824 static void mv88w8618_timer_tick(void *opaque)
825 {
826 mv88w8618_timer_state *s = opaque;
827
828 qemu_irq_raise(s->irq);
829 }
830
831 static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
832 uint32_t freq)
833 {
834 QEMUBH *bh;
835
836 sysbus_init_irq(dev, &s->irq);
837 s->freq = freq;
838
839 bh = qemu_bh_new(mv88w8618_timer_tick, s);
840 s->ptimer = ptimer_init(bh);
841 }
842
843 static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
844 unsigned size)
845 {
846 mv88w8618_pit_state *s = opaque;
847 mv88w8618_timer_state *t;
848
849 switch (offset) {
850 case MP_PIT_TIMER1_VALUE ... MP_PIT_TIMER4_VALUE:
851 t = &s->timer[(offset-MP_PIT_TIMER1_VALUE) >> 2];
852 return ptimer_get_count(t->ptimer);
853
854 default:
855 return 0;
856 }
857 }
858
859 static void mv88w8618_pit_write(void *opaque, hwaddr offset,
860 uint64_t value, unsigned size)
861 {
862 mv88w8618_pit_state *s = opaque;
863 mv88w8618_timer_state *t;
864 int i;
865
866 switch (offset) {
867 case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
868 t = &s->timer[offset >> 2];
869 t->limit = value;
870 if (t->limit > 0) {
871 ptimer_set_limit(t->ptimer, t->limit, 1);
872 } else {
873 ptimer_stop(t->ptimer);
874 }
875 break;
876
877 case MP_PIT_CONTROL:
878 for (i = 0; i < 4; i++) {
879 t = &s->timer[i];
880 if (value & 0xf && t->limit > 0) {
881 ptimer_set_limit(t->ptimer, t->limit, 0);
882 ptimer_set_freq(t->ptimer, t->freq);
883 ptimer_run(t->ptimer, 0);
884 } else {
885 ptimer_stop(t->ptimer);
886 }
887 value >>= 4;
888 }
889 break;
890
891 case MP_BOARD_RESET:
892 if (value == MP_BOARD_RESET_MAGIC) {
893 qemu_system_reset_request();
894 }
895 break;
896 }
897 }
898
899 static void mv88w8618_pit_reset(DeviceState *d)
900 {
901 mv88w8618_pit_state *s = MV88W8618_PIT(d);
902 int i;
903
904 for (i = 0; i < 4; i++) {
905 ptimer_stop(s->timer[i].ptimer);
906 s->timer[i].limit = 0;
907 }
908 }
909
910 static const MemoryRegionOps mv88w8618_pit_ops = {
911 .read = mv88w8618_pit_read,
912 .write = mv88w8618_pit_write,
913 .endianness = DEVICE_NATIVE_ENDIAN,
914 };
915
916 static int mv88w8618_pit_init(SysBusDevice *dev)
917 {
918 mv88w8618_pit_state *s = MV88W8618_PIT(dev);
919 int i;
920
921 /* Letting them all run at 1 MHz is likely just a pragmatic
922 * simplification. */
923 for (i = 0; i < 4; i++) {
924 mv88w8618_timer_init(dev, &s->timer[i], 1000000);
925 }
926
927 memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_pit_ops, s,
928 "musicpal-pit", MP_PIT_SIZE);
929 sysbus_init_mmio(dev, &s->iomem);
930 return 0;
931 }
932
933 static const VMStateDescription mv88w8618_timer_vmsd = {
934 .name = "timer",
935 .version_id = 1,
936 .minimum_version_id = 1,
937 .fields = (VMStateField[]) {
938 VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
939 VMSTATE_UINT32(limit, mv88w8618_timer_state),
940 VMSTATE_END_OF_LIST()
941 }
942 };
943
944 static const VMStateDescription mv88w8618_pit_vmsd = {
945 .name = "mv88w8618_pit",
946 .version_id = 1,
947 .minimum_version_id = 1,
948 .fields = (VMStateField[]) {
949 VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
950 mv88w8618_timer_vmsd, mv88w8618_timer_state),
951 VMSTATE_END_OF_LIST()
952 }
953 };
954
955 static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
956 {
957 DeviceClass *dc = DEVICE_CLASS(klass);
958 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
959
960 k->init = mv88w8618_pit_init;
961 dc->reset = mv88w8618_pit_reset;
962 dc->vmsd = &mv88w8618_pit_vmsd;
963 }
964
965 static const TypeInfo mv88w8618_pit_info = {
966 .name = TYPE_MV88W8618_PIT,
967 .parent = TYPE_SYS_BUS_DEVICE,
968 .instance_size = sizeof(mv88w8618_pit_state),
969 .class_init = mv88w8618_pit_class_init,
970 };
971
972 /* Flash config register offsets */
973 #define MP_FLASHCFG_CFGR0 0x04
974
975 #define TYPE_MV88W8618_FLASHCFG "mv88w8618_flashcfg"
976 #define MV88W8618_FLASHCFG(obj) \
977 OBJECT_CHECK(mv88w8618_flashcfg_state, (obj), TYPE_MV88W8618_FLASHCFG)
978
979 typedef struct mv88w8618_flashcfg_state {
980 /*< private >*/
981 SysBusDevice parent_obj;
982 /*< public >*/
983
984 MemoryRegion iomem;
985 uint32_t cfgr0;
986 } mv88w8618_flashcfg_state;
987
988 static uint64_t mv88w8618_flashcfg_read(void *opaque,
989 hwaddr offset,
990 unsigned size)
991 {
992 mv88w8618_flashcfg_state *s = opaque;
993
994 switch (offset) {
995 case MP_FLASHCFG_CFGR0:
996 return s->cfgr0;
997
998 default:
999 return 0;
1000 }
1001 }
1002
1003 static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
1004 uint64_t value, unsigned size)
1005 {
1006 mv88w8618_flashcfg_state *s = opaque;
1007
1008 switch (offset) {
1009 case MP_FLASHCFG_CFGR0:
1010 s->cfgr0 = value;
1011 break;
1012 }
1013 }
1014
1015 static const MemoryRegionOps mv88w8618_flashcfg_ops = {
1016 .read = mv88w8618_flashcfg_read,
1017 .write = mv88w8618_flashcfg_write,
1018 .endianness = DEVICE_NATIVE_ENDIAN,
1019 };
1020
1021 static int mv88w8618_flashcfg_init(SysBusDevice *dev)
1022 {
1023 mv88w8618_flashcfg_state *s = MV88W8618_FLASHCFG(dev);
1024
1025 s->cfgr0 = 0xfffe4285; /* Default as set by U-Boot for 8 MB flash */
1026 memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_flashcfg_ops, s,
1027 "musicpal-flashcfg", MP_FLASHCFG_SIZE);
1028 sysbus_init_mmio(dev, &s->iomem);
1029 return 0;
1030 }
1031
1032 static const VMStateDescription mv88w8618_flashcfg_vmsd = {
1033 .name = "mv88w8618_flashcfg",
1034 .version_id = 1,
1035 .minimum_version_id = 1,
1036 .fields = (VMStateField[]) {
1037 VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
1038 VMSTATE_END_OF_LIST()
1039 }
1040 };
1041
1042 static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
1043 {
1044 DeviceClass *dc = DEVICE_CLASS(klass);
1045 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1046
1047 k->init = mv88w8618_flashcfg_init;
1048 dc->vmsd = &mv88w8618_flashcfg_vmsd;
1049 }
1050
1051 static const TypeInfo mv88w8618_flashcfg_info = {
1052 .name = TYPE_MV88W8618_FLASHCFG,
1053 .parent = TYPE_SYS_BUS_DEVICE,
1054 .instance_size = sizeof(mv88w8618_flashcfg_state),
1055 .class_init = mv88w8618_flashcfg_class_init,
1056 };
1057
1058 /* Misc register offsets */
1059 #define MP_MISC_BOARD_REVISION 0x18
1060
1061 #define MP_BOARD_REVISION 0x31
1062
1063 typedef struct {
1064 SysBusDevice parent_obj;
1065 MemoryRegion iomem;
1066 } MusicPalMiscState;
1067
1068 #define TYPE_MUSICPAL_MISC "musicpal-misc"
1069 #define MUSICPAL_MISC(obj) \
1070 OBJECT_CHECK(MusicPalMiscState, (obj), TYPE_MUSICPAL_MISC)
1071
1072 static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
1073 unsigned size)
1074 {
1075 switch (offset) {
1076 case MP_MISC_BOARD_REVISION:
1077 return MP_BOARD_REVISION;
1078
1079 default:
1080 return 0;
1081 }
1082 }
1083
1084 static void musicpal_misc_write(void *opaque, hwaddr offset,
1085 uint64_t value, unsigned size)
1086 {
1087 }
1088
1089 static const MemoryRegionOps musicpal_misc_ops = {
1090 .read = musicpal_misc_read,
1091 .write = musicpal_misc_write,
1092 .endianness = DEVICE_NATIVE_ENDIAN,
1093 };
1094
1095 static void musicpal_misc_init(Object *obj)
1096 {
1097 SysBusDevice *sd = SYS_BUS_DEVICE(obj);
1098 MusicPalMiscState *s = MUSICPAL_MISC(obj);
1099
1100 memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_misc_ops, NULL,
1101 "musicpal-misc", MP_MISC_SIZE);
1102 sysbus_init_mmio(sd, &s->iomem);
1103 }
1104
1105 static const TypeInfo musicpal_misc_info = {
1106 .name = TYPE_MUSICPAL_MISC,
1107 .parent = TYPE_SYS_BUS_DEVICE,
1108 .instance_init = musicpal_misc_init,
1109 .instance_size = sizeof(MusicPalMiscState),
1110 };
1111
1112 /* WLAN register offsets */
1113 #define MP_WLAN_MAGIC1 0x11c
1114 #define MP_WLAN_MAGIC2 0x124
1115
1116 static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
1117 unsigned size)
1118 {
1119 switch (offset) {
1120 /* Workaround to allow loading the binary-only wlandrv.ko crap
1121 * from the original Freecom firmware. */
1122 case MP_WLAN_MAGIC1:
1123 return ~3;
1124 case MP_WLAN_MAGIC2:
1125 return -1;
1126
1127 default:
1128 return 0;
1129 }
1130 }
1131
1132 static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
1133 uint64_t value, unsigned size)
1134 {
1135 }
1136
1137 static const MemoryRegionOps mv88w8618_wlan_ops = {
1138 .read = mv88w8618_wlan_read,
1139 .write =mv88w8618_wlan_write,
1140 .endianness = DEVICE_NATIVE_ENDIAN,
1141 };
1142
1143 static int mv88w8618_wlan_init(SysBusDevice *dev)
1144 {
1145 MemoryRegion *iomem = g_new(MemoryRegion, 1);
1146
1147 memory_region_init_io(iomem, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
1148 "musicpal-wlan", MP_WLAN_SIZE);
1149 sysbus_init_mmio(dev, iomem);
1150 return 0;
1151 }
1152
1153 /* GPIO register offsets */
1154 #define MP_GPIO_OE_LO 0x008
1155 #define MP_GPIO_OUT_LO 0x00c
1156 #define MP_GPIO_IN_LO 0x010
1157 #define MP_GPIO_IER_LO 0x014
1158 #define MP_GPIO_IMR_LO 0x018
1159 #define MP_GPIO_ISR_LO 0x020
1160 #define MP_GPIO_OE_HI 0x508
1161 #define MP_GPIO_OUT_HI 0x50c
1162 #define MP_GPIO_IN_HI 0x510
1163 #define MP_GPIO_IER_HI 0x514
1164 #define MP_GPIO_IMR_HI 0x518
1165 #define MP_GPIO_ISR_HI 0x520
1166
1167 /* GPIO bits & masks */
1168 #define MP_GPIO_LCD_BRIGHTNESS 0x00070000
1169 #define MP_GPIO_I2C_DATA_BIT 29
1170 #define MP_GPIO_I2C_CLOCK_BIT 30
1171
1172 /* LCD brightness bits in GPIO_OE_HI */
1173 #define MP_OE_LCD_BRIGHTNESS 0x0007
1174
1175 #define TYPE_MUSICPAL_GPIO "musicpal_gpio"
1176 #define MUSICPAL_GPIO(obj) \
1177 OBJECT_CHECK(musicpal_gpio_state, (obj), TYPE_MUSICPAL_GPIO)
1178
1179 typedef struct musicpal_gpio_state {
1180 /*< private >*/
1181 SysBusDevice parent_obj;
1182 /*< public >*/
1183
1184 MemoryRegion iomem;
1185 uint32_t lcd_brightness;
1186 uint32_t out_state;
1187 uint32_t in_state;
1188 uint32_t ier;
1189 uint32_t imr;
1190 uint32_t isr;
1191 qemu_irq irq;
1192 qemu_irq out[5]; /* 3 brightness out + 2 lcd (data and clock ) */
1193 } musicpal_gpio_state;
1194
1195 static void musicpal_gpio_brightness_update(musicpal_gpio_state *s) {
1196 int i;
1197 uint32_t brightness;
1198
1199 /* compute brightness ratio */
1200 switch (s->lcd_brightness) {
1201 case 0x00000007:
1202 brightness = 0;
1203 break;
1204
1205 case 0x00020000:
1206 brightness = 1;
1207 break;
1208
1209 case 0x00020001:
1210 brightness = 2;
1211 break;
1212
1213 case 0x00040000:
1214 brightness = 3;
1215 break;
1216
1217 case 0x00010006:
1218 brightness = 4;
1219 break;
1220
1221 case 0x00020005:
1222 brightness = 5;
1223 break;
1224
1225 case 0x00040003:
1226 brightness = 6;
1227 break;
1228
1229 case 0x00030004:
1230 default:
1231 brightness = 7;
1232 }
1233
1234 /* set lcd brightness GPIOs */
1235 for (i = 0; i <= 2; i++) {
1236 qemu_set_irq(s->out[i], (brightness >> i) & 1);
1237 }
1238 }
1239
1240 static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
1241 {
1242 musicpal_gpio_state *s = opaque;
1243 uint32_t mask = 1 << pin;
1244 uint32_t delta = level << pin;
1245 uint32_t old = s->in_state & mask;
1246
1247 s->in_state &= ~mask;
1248 s->in_state |= delta;
1249
1250 if ((old ^ delta) &&
1251 ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
1252 s->isr = mask;
1253 qemu_irq_raise(s->irq);
1254 }
1255 }
1256
1257 static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
1258 unsigned size)
1259 {
1260 musicpal_gpio_state *s = opaque;
1261
1262 switch (offset) {
1263 case MP_GPIO_OE_HI: /* used for LCD brightness control */
1264 return s->lcd_brightness & MP_OE_LCD_BRIGHTNESS;
1265
1266 case MP_GPIO_OUT_LO:
1267 return s->out_state & 0xFFFF;
1268 case MP_GPIO_OUT_HI:
1269 return s->out_state >> 16;
1270
1271 case MP_GPIO_IN_LO:
1272 return s->in_state & 0xFFFF;
1273 case MP_GPIO_IN_HI:
1274 return s->in_state >> 16;
1275
1276 case MP_GPIO_IER_LO:
1277 return s->ier & 0xFFFF;
1278 case MP_GPIO_IER_HI:
1279 return s->ier >> 16;
1280
1281 case MP_GPIO_IMR_LO:
1282 return s->imr & 0xFFFF;
1283 case MP_GPIO_IMR_HI:
1284 return s->imr >> 16;
1285
1286 case MP_GPIO_ISR_LO:
1287 return s->isr & 0xFFFF;
1288 case MP_GPIO_ISR_HI:
1289 return s->isr >> 16;
1290
1291 default:
1292 return 0;
1293 }
1294 }
1295
1296 static void musicpal_gpio_write(void *opaque, hwaddr offset,
1297 uint64_t value, unsigned size)
1298 {
1299 musicpal_gpio_state *s = opaque;
1300 switch (offset) {
1301 case MP_GPIO_OE_HI: /* used for LCD brightness control */
1302 s->lcd_brightness = (s->lcd_brightness & MP_GPIO_LCD_BRIGHTNESS) |
1303 (value & MP_OE_LCD_BRIGHTNESS);
1304 musicpal_gpio_brightness_update(s);
1305 break;
1306
1307 case MP_GPIO_OUT_LO:
1308 s->out_state = (s->out_state & 0xFFFF0000) | (value & 0xFFFF);
1309 break;
1310 case MP_GPIO_OUT_HI:
1311 s->out_state = (s->out_state & 0xFFFF) | (value << 16);
1312 s->lcd_brightness = (s->lcd_brightness & 0xFFFF) |
1313 (s->out_state & MP_GPIO_LCD_BRIGHTNESS);
1314 musicpal_gpio_brightness_update(s);
1315 qemu_set_irq(s->out[3], (s->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
1316 qemu_set_irq(s->out[4], (s->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
1317 break;
1318
1319 case MP_GPIO_IER_LO:
1320 s->ier = (s->ier & 0xFFFF0000) | (value & 0xFFFF);
1321 break;
1322 case MP_GPIO_IER_HI:
1323 s->ier = (s->ier & 0xFFFF) | (value << 16);
1324 break;
1325
1326 case MP_GPIO_IMR_LO:
1327 s->imr = (s->imr & 0xFFFF0000) | (value & 0xFFFF);
1328 break;
1329 case MP_GPIO_IMR_HI:
1330 s->imr = (s->imr & 0xFFFF) | (value << 16);
1331 break;
1332 }
1333 }
1334
1335 static const MemoryRegionOps musicpal_gpio_ops = {
1336 .read = musicpal_gpio_read,
1337 .write = musicpal_gpio_write,
1338 .endianness = DEVICE_NATIVE_ENDIAN,
1339 };
1340
1341 static void musicpal_gpio_reset(DeviceState *d)
1342 {
1343 musicpal_gpio_state *s = MUSICPAL_GPIO(d);
1344
1345 s->lcd_brightness = 0;
1346 s->out_state = 0;
1347 s->in_state = 0xffffffff;
1348 s->ier = 0;
1349 s->imr = 0;
1350 s->isr = 0;
1351 }
1352
1353 static int musicpal_gpio_init(SysBusDevice *sbd)
1354 {
1355 DeviceState *dev = DEVICE(sbd);
1356 musicpal_gpio_state *s = MUSICPAL_GPIO(dev);
1357
1358 sysbus_init_irq(sbd, &s->irq);
1359
1360 memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_gpio_ops, s,
1361 "musicpal-gpio", MP_GPIO_SIZE);
1362 sysbus_init_mmio(sbd, &s->iomem);
1363
1364 qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1365
1366 qdev_init_gpio_in(dev, musicpal_gpio_pin_event, 32);
1367
1368 return 0;
1369 }
1370
1371 static const VMStateDescription musicpal_gpio_vmsd = {
1372 .name = "musicpal_gpio",
1373 .version_id = 1,
1374 .minimum_version_id = 1,
1375 .fields = (VMStateField[]) {
1376 VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
1377 VMSTATE_UINT32(out_state, musicpal_gpio_state),
1378 VMSTATE_UINT32(in_state, musicpal_gpio_state),
1379 VMSTATE_UINT32(ier, musicpal_gpio_state),
1380 VMSTATE_UINT32(imr, musicpal_gpio_state),
1381 VMSTATE_UINT32(isr, musicpal_gpio_state),
1382 VMSTATE_END_OF_LIST()
1383 }
1384 };
1385
1386 static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
1387 {
1388 DeviceClass *dc = DEVICE_CLASS(klass);
1389 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1390
1391 k->init = musicpal_gpio_init;
1392 dc->reset = musicpal_gpio_reset;
1393 dc->vmsd = &musicpal_gpio_vmsd;
1394 }
1395
1396 static const TypeInfo musicpal_gpio_info = {
1397 .name = TYPE_MUSICPAL_GPIO,
1398 .parent = TYPE_SYS_BUS_DEVICE,
1399 .instance_size = sizeof(musicpal_gpio_state),
1400 .class_init = musicpal_gpio_class_init,
1401 };
1402
1403 /* Keyboard codes & masks */
1404 #define KEY_RELEASED 0x80
1405 #define KEY_CODE 0x7f
1406
1407 #define KEYCODE_TAB 0x0f
1408 #define KEYCODE_ENTER 0x1c
1409 #define KEYCODE_F 0x21
1410 #define KEYCODE_M 0x32
1411
1412 #define KEYCODE_EXTENDED 0xe0
1413 #define KEYCODE_UP 0x48
1414 #define KEYCODE_DOWN 0x50
1415 #define KEYCODE_LEFT 0x4b
1416 #define KEYCODE_RIGHT 0x4d
1417
1418 #define MP_KEY_WHEEL_VOL (1 << 0)
1419 #define MP_KEY_WHEEL_VOL_INV (1 << 1)
1420 #define MP_KEY_WHEEL_NAV (1 << 2)
1421 #define MP_KEY_WHEEL_NAV_INV (1 << 3)
1422 #define MP_KEY_BTN_FAVORITS (1 << 4)
1423 #define MP_KEY_BTN_MENU (1 << 5)
1424 #define MP_KEY_BTN_VOLUME (1 << 6)
1425 #define MP_KEY_BTN_NAVIGATION (1 << 7)
1426
1427 #define TYPE_MUSICPAL_KEY "musicpal_key"
1428 #define MUSICPAL_KEY(obj) \
1429 OBJECT_CHECK(musicpal_key_state, (obj), TYPE_MUSICPAL_KEY)
1430
1431 typedef struct musicpal_key_state {
1432 /*< private >*/
1433 SysBusDevice parent_obj;
1434 /*< public >*/
1435
1436 MemoryRegion iomem;
1437 uint32_t kbd_extended;
1438 uint32_t pressed_keys;
1439 qemu_irq out[8];
1440 } musicpal_key_state;
1441
1442 static void musicpal_key_event(void *opaque, int keycode)
1443 {
1444 musicpal_key_state *s = opaque;
1445 uint32_t event = 0;
1446 int i;
1447
1448 if (keycode == KEYCODE_EXTENDED) {
1449 s->kbd_extended = 1;
1450 return;
1451 }
1452
1453 if (s->kbd_extended) {
1454 switch (keycode & KEY_CODE) {
1455 case KEYCODE_UP:
1456 event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
1457 break;
1458
1459 case KEYCODE_DOWN:
1460 event = MP_KEY_WHEEL_NAV;
1461 break;
1462
1463 case KEYCODE_LEFT:
1464 event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
1465 break;
1466
1467 case KEYCODE_RIGHT:
1468 event = MP_KEY_WHEEL_VOL;
1469 break;
1470 }
1471 } else {
1472 switch (keycode & KEY_CODE) {
1473 case KEYCODE_F:
1474 event = MP_KEY_BTN_FAVORITS;
1475 break;
1476
1477 case KEYCODE_TAB:
1478 event = MP_KEY_BTN_VOLUME;
1479 break;
1480
1481 case KEYCODE_ENTER:
1482 event = MP_KEY_BTN_NAVIGATION;
1483 break;
1484
1485 case KEYCODE_M:
1486 event = MP_KEY_BTN_MENU;
1487 break;
1488 }
1489 /* Do not repeat already pressed buttons */
1490 if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1491 event = 0;
1492 }
1493 }
1494
1495 if (event) {
1496 /* Raise GPIO pin first if repeating a key */
1497 if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1498 for (i = 0; i <= 7; i++) {
1499 if (event & (1 << i)) {
1500 qemu_set_irq(s->out[i], 1);
1501 }
1502 }
1503 }
1504 for (i = 0; i <= 7; i++) {
1505 if (event & (1 << i)) {
1506 qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
1507 }
1508 }
1509 if (keycode & KEY_RELEASED) {
1510 s->pressed_keys &= ~event;
1511 } else {
1512 s->pressed_keys |= event;
1513 }
1514 }
1515
1516 s->kbd_extended = 0;
1517 }
1518
1519 static int musicpal_key_init(SysBusDevice *sbd)
1520 {
1521 DeviceState *dev = DEVICE(sbd);
1522 musicpal_key_state *s = MUSICPAL_KEY(dev);
1523
1524 memory_region_init(&s->iomem, OBJECT(s), "dummy", 0);
1525 sysbus_init_mmio(sbd, &s->iomem);
1526
1527 s->kbd_extended = 0;
1528 s->pressed_keys = 0;
1529
1530 qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1531
1532 qemu_add_kbd_event_handler(musicpal_key_event, s);
1533
1534 return 0;
1535 }
1536
1537 static const VMStateDescription musicpal_key_vmsd = {
1538 .name = "musicpal_key",
1539 .version_id = 1,
1540 .minimum_version_id = 1,
1541 .fields = (VMStateField[]) {
1542 VMSTATE_UINT32(kbd_extended, musicpal_key_state),
1543 VMSTATE_UINT32(pressed_keys, musicpal_key_state),
1544 VMSTATE_END_OF_LIST()
1545 }
1546 };
1547
1548 static void musicpal_key_class_init(ObjectClass *klass, void *data)
1549 {
1550 DeviceClass *dc = DEVICE_CLASS(klass);
1551 SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1552
1553 k->init = musicpal_key_init;
1554 dc->vmsd = &musicpal_key_vmsd;
1555 }
1556
1557 static const TypeInfo musicpal_key_info = {
1558 .name = TYPE_MUSICPAL_KEY,
1559 .parent = TYPE_SYS_BUS_DEVICE,
1560 .instance_size = sizeof(musicpal_key_state),
1561 .class_init = musicpal_key_class_init,
1562 };
1563
1564 static struct arm_boot_info musicpal_binfo = {
1565 .loader_start = 0x0,
1566 .board_id = 0x20e,
1567 };
1568
1569 static void musicpal_init(MachineState *machine)
1570 {
1571 const char *cpu_model = machine->cpu_model;
1572 const char *kernel_filename = machine->kernel_filename;
1573 const char *kernel_cmdline = machine->kernel_cmdline;
1574 const char *initrd_filename = machine->initrd_filename;
1575 ARMCPU *cpu;
1576 qemu_irq pic[32];
1577 DeviceState *dev;
1578 DeviceState *i2c_dev;
1579 DeviceState *lcd_dev;
1580 DeviceState *key_dev;
1581 DeviceState *wm8750_dev;
1582 SysBusDevice *s;
1583 I2CBus *i2c;
1584 int i;
1585 unsigned long flash_size;
1586 DriveInfo *dinfo;
1587 MemoryRegion *address_space_mem = get_system_memory();
1588 MemoryRegion *ram = g_new(MemoryRegion, 1);
1589 MemoryRegion *sram = g_new(MemoryRegion, 1);
1590
1591 if (!cpu_model) {
1592 cpu_model = "arm926";
1593 }
1594 cpu = cpu_arm_init(cpu_model);
1595 if (!cpu) {
1596 fprintf(stderr, "Unable to find CPU definition\n");
1597 exit(1);
1598 }
1599
1600 /* For now we use a fixed - the original - RAM size */
1601 memory_region_allocate_system_memory(ram, NULL, "musicpal.ram",
1602 MP_RAM_DEFAULT_SIZE);
1603 memory_region_add_subregion(address_space_mem, 0, ram);
1604
1605 memory_region_init_ram(sram, NULL, "musicpal.sram", MP_SRAM_SIZE,
1606 &error_fatal);
1607 vmstate_register_ram_global(sram);
1608 memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);
1609
1610 dev = sysbus_create_simple(TYPE_MV88W8618_PIC, MP_PIC_BASE,
1611 qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
1612 for (i = 0; i < 32; i++) {
1613 pic[i] = qdev_get_gpio_in(dev, i);
1614 }
1615 sysbus_create_varargs(TYPE_MV88W8618_PIT, MP_PIT_BASE, pic[MP_TIMER1_IRQ],
1616 pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
1617 pic[MP_TIMER4_IRQ], NULL);
1618
1619 if (serial_hds[0]) {
1620 serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
1621 1825000, serial_hds[0], DEVICE_NATIVE_ENDIAN);
1622 }
1623 if (serial_hds[1]) {
1624 serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
1625 1825000, serial_hds[1], DEVICE_NATIVE_ENDIAN);
1626 }
1627
1628 /* Register flash */
1629 dinfo = drive_get(IF_PFLASH, 0, 0);
1630 if (dinfo) {
1631 BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
1632
1633 flash_size = blk_getlength(blk);
1634 if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
1635 flash_size != 32*1024*1024) {
1636 fprintf(stderr, "Invalid flash image size\n");
1637 exit(1);
1638 }
1639
1640 /*
1641 * The original U-Boot accesses the flash at 0xFE000000 instead of
1642 * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
1643 * image is smaller than 32 MB.
1644 */
1645 #ifdef TARGET_WORDS_BIGENDIAN
1646 pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1647 "musicpal.flash", flash_size,
1648 blk, 0x10000, (flash_size + 0xffff) >> 16,
1649 MP_FLASH_SIZE_MAX / flash_size,
1650 2, 0x00BF, 0x236D, 0x0000, 0x0000,
1651 0x5555, 0x2AAA, 1);
1652 #else
1653 pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1654 "musicpal.flash", flash_size,
1655 blk, 0x10000, (flash_size + 0xffff) >> 16,
1656 MP_FLASH_SIZE_MAX / flash_size,
1657 2, 0x00BF, 0x236D, 0x0000, 0x0000,
1658 0x5555, 0x2AAA, 0);
1659 #endif
1660
1661 }
1662 sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL);
1663
1664 qemu_check_nic_model(&nd_table[0], "mv88w8618");
1665 dev = qdev_create(NULL, TYPE_MV88W8618_ETH);
1666 qdev_set_nic_properties(dev, &nd_table[0]);
1667 qdev_init_nofail(dev);
1668 sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
1669 sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[MP_ETH_IRQ]);
1670
1671 sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);
1672
1673 sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);
1674
1675 dev = sysbus_create_simple(TYPE_MUSICPAL_GPIO, MP_GPIO_BASE,
1676 pic[MP_GPIO_IRQ]);
1677 i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
1678 i2c = (I2CBus *)qdev_get_child_bus(i2c_dev, "i2c");
1679
1680 lcd_dev = sysbus_create_simple(TYPE_MUSICPAL_LCD, MP_LCD_BASE, NULL);
1681 key_dev = sysbus_create_simple(TYPE_MUSICPAL_KEY, -1, NULL);
1682
1683 /* I2C read data */
1684 qdev_connect_gpio_out(i2c_dev, 0,
1685 qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
1686 /* I2C data */
1687 qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
1688 /* I2C clock */
1689 qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));
1690
1691 for (i = 0; i < 3; i++) {
1692 qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
1693 }
1694 for (i = 0; i < 4; i++) {
1695 qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
1696 }
1697 for (i = 4; i < 8; i++) {
1698 qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
1699 }
1700
1701 wm8750_dev = i2c_create_slave(i2c, "wm8750", MP_WM_ADDR);
1702 dev = qdev_create(NULL, "mv88w8618_audio");
1703 s = SYS_BUS_DEVICE(dev);
1704 qdev_prop_set_ptr(dev, "wm8750", wm8750_dev);
1705 qdev_init_nofail(dev);
1706 sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
1707 sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);
1708
1709 musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
1710 musicpal_binfo.kernel_filename = kernel_filename;
1711 musicpal_binfo.kernel_cmdline = kernel_cmdline;
1712 musicpal_binfo.initrd_filename = initrd_filename;
1713 arm_load_kernel(cpu, &musicpal_binfo);
1714 }
1715
1716 static void musicpal_machine_init(MachineClass *mc)
1717 {
1718 mc->desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)";
1719 mc->init = musicpal_init;
1720 }
1721
1722 DEFINE_MACHINE("musicpal", musicpal_machine_init)
1723
1724 static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
1725 {
1726 SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
1727
1728 sdc->init = mv88w8618_wlan_init;
1729 }
1730
1731 static const TypeInfo mv88w8618_wlan_info = {
1732 .name = "mv88w8618_wlan",
1733 .parent = TYPE_SYS_BUS_DEVICE,
1734 .instance_size = sizeof(SysBusDevice),
1735 .class_init = mv88w8618_wlan_class_init,
1736 };
1737
1738 static void musicpal_register_types(void)
1739 {
1740 type_register_static(&mv88w8618_pic_info);
1741 type_register_static(&mv88w8618_pit_info);
1742 type_register_static(&mv88w8618_flashcfg_info);
1743 type_register_static(&mv88w8618_eth_info);
1744 type_register_static(&mv88w8618_wlan_info);
1745 type_register_static(&musicpal_lcd_info);
1746 type_register_static(&musicpal_gpio_info);
1747 type_register_static(&musicpal_key_info);
1748 type_register_static(&musicpal_misc_info);
1749 }
1750
1751 type_init(musicpal_register_types)
AR7 emulation for QEMU