search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vt82c686: avoid out-of-bounds read
[qemu/ar7.git] / hw / isa / vt82c686.c
blob2f53bf8194a200f8724819943d8e87d69253d1c7
1 /*
2 * VT82C686B south bridge support
3 *
4 * Copyright (c) 2008 yajin (yajin@vm-kernel.org)
5 * Copyright (c) 2009 chenming (chenming@rdc.faw.com.cn)
6 * Copyright (c) 2010 Huacai Chen (zltjiangshi@gmail.com)
7 * This code is licensed under the GNU GPL v2.
8 *
9 * Contributions after 2012-01-13 are licensed under the terms of the
10 * GNU GPL, version 2 or (at your option) any later version.
11 */
12
13 #include "hw/hw.h"
14 #include "hw/i386/pc.h"
15 #include "hw/isa/vt82c686.h"
16 #include "hw/i2c/i2c.h"
17 #include "hw/i2c/smbus.h"
18 #include "hw/pci/pci.h"
19 #include "hw/isa/isa.h"
20 #include "hw/sysbus.h"
21 #include "hw/mips/mips.h"
22 #include "hw/isa/apm.h"
23 #include "hw/acpi/acpi.h"
24 #include "hw/i2c/pm_smbus.h"
25 #include "sysemu/sysemu.h"
26 #include "qemu/timer.h"
27 #include "exec/address-spaces.h"
28
29 //#define DEBUG_VT82C686B
30
31 #ifdef DEBUG_VT82C686B
32 #define DPRINTF(fmt, ...) fprintf(stderr, "%s: " fmt, __FUNCTION__, ##__VA_ARGS__)
33 #else
34 #define DPRINTF(fmt, ...)
35 #endif
36
37 typedef struct SuperIOConfig
38 {
39 uint8_t config[0x100];
40 uint8_t index;
41 uint8_t data;
42 } SuperIOConfig;
43
44 typedef struct VT82C686BState {
45 PCIDevice dev;
46 MemoryRegion superio;
47 SuperIOConfig superio_conf;
48 } VT82C686BState;
49
50 static void superio_ioport_writeb(void *opaque, hwaddr addr, uint64_t data,
51 unsigned size)
52 {
53 SuperIOConfig *superio_conf = opaque;
54
55 DPRINTF("superio_ioport_writeb address 0x%x val 0x%x\n", addr, data);
56 if (addr == 0x3f0) {
57 superio_conf->index = data & 0xff;
58 } else {
59 bool can_write = true;
60 /* 0x3f1 */
61 switch (superio_conf->index) {
62 case 0x00 ... 0xdf:
63 case 0xe4:
64 case 0xe5:
65 case 0xe9 ... 0xed:
66 case 0xf3:
67 case 0xf5:
68 case 0xf7:
69 case 0xf9 ... 0xfb:
70 case 0xfd ... 0xff:
71 can_write = false;
72 break;
73 case 0xe7:
74 if ((data & 0xff) != 0xfe) {
75 DPRINTF("change uart 1 base. unsupported yet\n");
76 can_write = false;
77 }
78 break;
79 case 0xe8:
80 if ((data & 0xff) != 0xbe) {
81 DPRINTF("change uart 2 base. unsupported yet\n");
82 can_write = false;
83 }
84 break;
85 default:
86 break;
87
88 }
89 if (can_write) {
90 superio_conf->config[superio_conf->index] = data & 0xff;
91 }
92 }
93 }
94
95 static uint64_t superio_ioport_readb(void *opaque, hwaddr addr, unsigned size)
96 {
97 SuperIOConfig *superio_conf = opaque;
98
99 DPRINTF("superio_ioport_readb address 0x%x\n", addr);
100 return (superio_conf->config[superio_conf->index]);
101 }
102
103 static const MemoryRegionOps superio_ops = {
104 .read = superio_ioport_readb,
105 .write = superio_ioport_writeb,
106 .endianness = DEVICE_NATIVE_ENDIAN,
107 .impl = {
108 .min_access_size = 1,
109 .max_access_size = 1,
110 },
111 };
112
113 static void vt82c686b_reset(void * opaque)
114 {
115 PCIDevice *d = opaque;
116 uint8_t *pci_conf = d->config;
117 VT82C686BState *vt82c = DO_UPCAST(VT82C686BState, dev, d);
118
119 pci_set_long(pci_conf + PCI_CAPABILITY_LIST, 0x000000c0);
120 pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_IO | PCI_COMMAND_MEMORY |
121 PCI_COMMAND_MASTER | PCI_COMMAND_SPECIAL);
122 pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM);
123
124 pci_conf[0x48] = 0x01; /* Miscellaneous Control 3 */
125 pci_conf[0x4a] = 0x04; /* IDE interrupt Routing */
126 pci_conf[0x4f] = 0x03; /* DMA/Master Mem Access Control 3 */
127 pci_conf[0x50] = 0x2d; /* PnP DMA Request Control */
128 pci_conf[0x59] = 0x04;
129 pci_conf[0x5a] = 0x04; /* KBC/RTC Control*/
130 pci_conf[0x5f] = 0x04;
131 pci_conf[0x77] = 0x10; /* GPIO Control 1/2/3/4 */
132
133 vt82c->superio_conf.config[0xe0] = 0x3c;
134 vt82c->superio_conf.config[0xe2] = 0x03;
135 vt82c->superio_conf.config[0xe3] = 0xfc;
136 vt82c->superio_conf.config[0xe6] = 0xde;
137 vt82c->superio_conf.config[0xe7] = 0xfe;
138 vt82c->superio_conf.config[0xe8] = 0xbe;
139 }
140
141 /* write config pci function0 registers. PCI-ISA bridge */
142 static void vt82c686b_write_config(PCIDevice * d, uint32_t address,
143 uint32_t val, int len)
144 {
145 VT82C686BState *vt686 = DO_UPCAST(VT82C686BState, dev, d);
146
147 DPRINTF("vt82c686b_write_config address 0x%x val 0x%x len 0x%x\n",
148 address, val, len);
149
150 pci_default_write_config(d, address, val, len);
151 if (address == 0x85) { /* enable or disable super IO configure */
152 memory_region_set_enabled(&vt686->superio, val & 0x2);
153 }
154 }
155
156 #define ACPI_DBG_IO_ADDR 0xb044
157
158 typedef struct VT686PMState {
159 PCIDevice dev;
160 MemoryRegion io;
161 ACPIREGS ar;
162 APMState apm;
163 PMSMBus smb;
164 uint32_t smb_io_base;
165 } VT686PMState;
166
167 typedef struct VT686AC97State {
168 PCIDevice dev;
169 } VT686AC97State;
170
171 typedef struct VT686MC97State {
172 PCIDevice dev;
173 } VT686MC97State;
174
175 static void pm_update_sci(VT686PMState *s)
176 {
177 int sci_level, pmsts;
178
179 pmsts = acpi_pm1_evt_get_sts(&s->ar);
180 sci_level = (((pmsts & s->ar.pm1.evt.en) &
181 (ACPI_BITMASK_RT_CLOCK_ENABLE |
182 ACPI_BITMASK_POWER_BUTTON_ENABLE |
183 ACPI_BITMASK_GLOBAL_LOCK_ENABLE |
184 ACPI_BITMASK_TIMER_ENABLE)) != 0);
185 pci_set_irq(&s->dev, sci_level);
186 /* schedule a timer interruption if needed */
187 acpi_pm_tmr_update(&s->ar, (s->ar.pm1.evt.en & ACPI_BITMASK_TIMER_ENABLE) &&
188 !(pmsts & ACPI_BITMASK_TIMER_STATUS));
189 }
190
191 static void pm_tmr_timer(ACPIREGS *ar)
192 {
193 VT686PMState *s = container_of(ar, VT686PMState, ar);
194 pm_update_sci(s);
195 }
196
197 static void pm_io_space_update(VT686PMState *s)
198 {
199 uint32_t pm_io_base;
200
201 pm_io_base = pci_get_long(s->dev.config + 0x40);
202 pm_io_base &= 0xffc0;
203
204 memory_region_transaction_begin();
205 memory_region_set_enabled(&s->io, s->dev.config[0x80] & 1);
206 memory_region_set_address(&s->io, pm_io_base);
207 memory_region_transaction_commit();
208 }
209
210 static void pm_write_config(PCIDevice *d,
211 uint32_t address, uint32_t val, int len)
212 {
213 DPRINTF("pm_write_config address 0x%x val 0x%x len 0x%x\n",
214 address, val, len);
215 pci_default_write_config(d, address, val, len);
216 }
217
218 static int vmstate_acpi_post_load(void *opaque, int version_id)
219 {
220 VT686PMState *s = opaque;
221
222 pm_io_space_update(s);
223 return 0;
224 }
225
226 static const VMStateDescription vmstate_acpi = {
227 .name = "vt82c686b_pm",
228 .version_id = 1,
229 .minimum_version_id = 1,
230 .post_load = vmstate_acpi_post_load,
231 .fields = (VMStateField[]) {
232 VMSTATE_PCI_DEVICE(dev, VT686PMState),
233 VMSTATE_UINT16(ar.pm1.evt.sts, VT686PMState),
234 VMSTATE_UINT16(ar.pm1.evt.en, VT686PMState),
235 VMSTATE_UINT16(ar.pm1.cnt.cnt, VT686PMState),
236 VMSTATE_STRUCT(apm, VT686PMState, 0, vmstate_apm, APMState),
237 VMSTATE_TIMER(ar.tmr.timer, VT686PMState),
238 VMSTATE_INT64(ar.tmr.overflow_time, VT686PMState),
239 VMSTATE_END_OF_LIST()
240 }
241 };
242
243 /*
244 * TODO: vt82c686b_ac97_init() and vt82c686b_mc97_init()
245 * just register a PCI device now, functionalities will be implemented later.
246 */
247
248 static int vt82c686b_ac97_initfn(PCIDevice *dev)
249 {
250 VT686AC97State *s = DO_UPCAST(VT686AC97State, dev, dev);
251 uint8_t *pci_conf = s->dev.config;
252
253 pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_INVALIDATE |
254 PCI_COMMAND_PARITY);
255 pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_CAP_LIST |
256 PCI_STATUS_DEVSEL_MEDIUM);
257 pci_set_long(pci_conf + PCI_INTERRUPT_PIN, 0x03);
258
259 return 0;
260 }
261
262 void vt82c686b_ac97_init(PCIBus *bus, int devfn)
263 {
264 PCIDevice *dev;
265
266 dev = pci_create(bus, devfn, "VT82C686B_AC97");
267 qdev_init_nofail(&dev->qdev);
268 }
269
270 static void via_ac97_class_init(ObjectClass *klass, void *data)
271 {
272 DeviceClass *dc = DEVICE_CLASS(klass);
273 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
274
275 k->init = vt82c686b_ac97_initfn;
276 k->vendor_id = PCI_VENDOR_ID_VIA;
277 k->device_id = PCI_DEVICE_ID_VIA_AC97;
278 k->revision = 0x50;
279 k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
280 set_bit(DEVICE_CATEGORY_SOUND, dc->categories);
281 dc->desc = "AC97";
282 }
283
284 static const TypeInfo via_ac97_info = {
285 .name = "VT82C686B_AC97",
286 .parent = TYPE_PCI_DEVICE,
287 .instance_size = sizeof(VT686AC97State),
288 .class_init = via_ac97_class_init,
289 };
290
291 static int vt82c686b_mc97_initfn(PCIDevice *dev)
292 {
293 VT686MC97State *s = DO_UPCAST(VT686MC97State, dev, dev);
294 uint8_t *pci_conf = s->dev.config;
295
296 pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_INVALIDATE |
297 PCI_COMMAND_VGA_PALETTE);
298 pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM);
299 pci_set_long(pci_conf + PCI_INTERRUPT_PIN, 0x03);
300
301 return 0;
302 }
303
304 void vt82c686b_mc97_init(PCIBus *bus, int devfn)
305 {
306 PCIDevice *dev;
307
308 dev = pci_create(bus, devfn, "VT82C686B_MC97");
309 qdev_init_nofail(&dev->qdev);
310 }
311
312 static void via_mc97_class_init(ObjectClass *klass, void *data)
313 {
314 DeviceClass *dc = DEVICE_CLASS(klass);
315 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
316
317 k->init = vt82c686b_mc97_initfn;
318 k->vendor_id = PCI_VENDOR_ID_VIA;
319 k->device_id = PCI_DEVICE_ID_VIA_MC97;
320 k->class_id = PCI_CLASS_COMMUNICATION_OTHER;
321 k->revision = 0x30;
322 set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
323 dc->desc = "MC97";
324 }
325
326 static const TypeInfo via_mc97_info = {
327 .name = "VT82C686B_MC97",
328 .parent = TYPE_PCI_DEVICE,
329 .instance_size = sizeof(VT686MC97State),
330 .class_init = via_mc97_class_init,
331 };
332
333 /* vt82c686 pm init */
334 static int vt82c686b_pm_initfn(PCIDevice *dev)
335 {
336 VT686PMState *s = DO_UPCAST(VT686PMState, dev, dev);
337 uint8_t *pci_conf;
338
339 pci_conf = s->dev.config;
340 pci_set_word(pci_conf + PCI_COMMAND, 0);
341 pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_FAST_BACK |
342 PCI_STATUS_DEVSEL_MEDIUM);
343
344 /* 0x48-0x4B is Power Management I/O Base */
345 pci_set_long(pci_conf + 0x48, 0x00000001);
346
347 /* SMB ports:0xeee0~0xeeef */
348 s->smb_io_base =((s->smb_io_base & 0xfff0) + 0x0);
349 pci_conf[0x90] = s->smb_io_base | 1;
350 pci_conf[0x91] = s->smb_io_base >> 8;
351 pci_conf[0xd2] = 0x90;
352 pm_smbus_init(&s->dev.qdev, &s->smb);
353 memory_region_add_subregion(get_system_io(), s->smb_io_base, &s->smb.io);
354
355 apm_init(dev, &s->apm, NULL, s);
356
357 memory_region_init(&s->io, OBJECT(dev), "vt82c686-pm", 64);
358 memory_region_set_enabled(&s->io, false);
359 memory_region_add_subregion(get_system_io(), 0, &s->io);
360
361 acpi_pm_tmr_init(&s->ar, pm_tmr_timer, &s->io);
362 acpi_pm1_evt_init(&s->ar, pm_tmr_timer, &s->io);
363 acpi_pm1_cnt_init(&s->ar, &s->io, 2);
364
365 return 0;
366 }
367
368 I2CBus *vt82c686b_pm_init(PCIBus *bus, int devfn, uint32_t smb_io_base,
369 qemu_irq sci_irq)
370 {
371 PCIDevice *dev;
372 VT686PMState *s;
373
374 dev = pci_create(bus, devfn, "VT82C686B_PM");
375 qdev_prop_set_uint32(&dev->qdev, "smb_io_base", smb_io_base);
376
377 s = DO_UPCAST(VT686PMState, dev, dev);
378
379 qdev_init_nofail(&dev->qdev);
380
381 return s->smb.smbus;
382 }
383
384 static Property via_pm_properties[] = {
385 DEFINE_PROP_UINT32("smb_io_base", VT686PMState, smb_io_base, 0),
386 DEFINE_PROP_END_OF_LIST(),
387 };
388
389 static void via_pm_class_init(ObjectClass *klass, void *data)
390 {
391 DeviceClass *dc = DEVICE_CLASS(klass);
392 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
393
394 k->init = vt82c686b_pm_initfn;
395 k->config_write = pm_write_config;
396 k->vendor_id = PCI_VENDOR_ID_VIA;
397 k->device_id = PCI_DEVICE_ID_VIA_ACPI;
398 k->class_id = PCI_CLASS_BRIDGE_OTHER;
399 k->revision = 0x40;
400 dc->desc = "PM";
401 dc->vmsd = &vmstate_acpi;
402 set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
403 dc->props = via_pm_properties;
404 }
405
406 static const TypeInfo via_pm_info = {
407 .name = "VT82C686B_PM",
408 .parent = TYPE_PCI_DEVICE,
409 .instance_size = sizeof(VT686PMState),
410 .class_init = via_pm_class_init,
411 };
412
413 static const VMStateDescription vmstate_via = {
414 .name = "vt82c686b",
415 .version_id = 1,
416 .minimum_version_id = 1,
417 .fields = (VMStateField[]) {
418 VMSTATE_PCI_DEVICE(dev, VT82C686BState),
419 VMSTATE_END_OF_LIST()
420 }
421 };
422
423 /* init the PCI-to-ISA bridge */
424 static int vt82c686b_initfn(PCIDevice *d)
425 {
426 VT82C686BState *vt82c = DO_UPCAST(VT82C686BState, dev, d);
427 uint8_t *pci_conf;
428 ISABus *isa_bus;
429 uint8_t *wmask;
430 int i;
431
432 isa_bus = isa_bus_new(&d->qdev, pci_address_space_io(d));
433
434 pci_conf = d->config;
435 pci_config_set_prog_interface(pci_conf, 0x0);
436
437 wmask = d->wmask;
438 for (i = 0x00; i < 0xff; i++) {
439 if (i<=0x03 || (i>=0x08 && i<=0x3f)) {
440 wmask[i] = 0x00;
441 }
442 }
443
444 memory_region_init_io(&vt82c->superio, OBJECT(d), &superio_ops,
445 &vt82c->superio_conf, "superio", 2);
446 memory_region_set_enabled(&vt82c->superio, false);
447 /* The floppy also uses 0x3f0 and 0x3f1.
448 * But we do not emulate a floppy, so just set it here. */
449 memory_region_add_subregion(isa_bus->address_space_io, 0x3f0,
450 &vt82c->superio);
451
452 qemu_register_reset(vt82c686b_reset, d);
453
454 return 0;
455 }
456
457 ISABus *vt82c686b_init(PCIBus *bus, int devfn)
458 {
459 PCIDevice *d;
460
461 d = pci_create_simple_multifunction(bus, devfn, true, "VT82C686B");
462
463 return ISA_BUS(qdev_get_child_bus(DEVICE(d), "isa.0"));
464 }
465
466 static void via_class_init(ObjectClass *klass, void *data)
467 {
468 DeviceClass *dc = DEVICE_CLASS(klass);
469 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
470
471 k->init = vt82c686b_initfn;
472 k->config_write = vt82c686b_write_config;
473 k->vendor_id = PCI_VENDOR_ID_VIA;
474 k->device_id = PCI_DEVICE_ID_VIA_ISA_BRIDGE;
475 k->class_id = PCI_CLASS_BRIDGE_ISA;
476 k->revision = 0x40;
477 dc->desc = "ISA bridge";
478 dc->vmsd = &vmstate_via;
479 /*
480 * Reason: part of VIA VT82C686 southbridge, needs to be wired up,
481 * e.g. by mips_fulong2e_init()
482 */
483 dc->cannot_instantiate_with_device_add_yet = true;
484 }
485
486 static const TypeInfo via_info = {
487 .name = "VT82C686B",
488 .parent = TYPE_PCI_DEVICE,
489 .instance_size = sizeof(VT82C686BState),
490 .class_init = via_class_init,
491 };
492
493 static void vt82c686b_register_types(void)
494 {
495 type_register_static(&via_ac97_info);
496 type_register_static(&via_mc97_info);
497 type_register_static(&via_pm_info);
498 type_register_static(&via_info);
499 }
500
501 type_init(vt82c686b_register_types)
AR7 emulation for QEMU