search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ati-vga: check mm_index before recursive call (CVE-2020-13800)
[qemu/ar7.git] / hw / display / ati.c
blob67604e68deb16d100d25a080a96f6f5f3ebbd872
1 /*
2 * QEMU ATI SVGA emulation
3 *
4 * Copyright (c) 2019 BALATON Zoltan
5 *
6 * This work is licensed under the GNU GPL license version 2 or later.
7 */
8
9 /*
10 * WARNING:
11 * This is very incomplete and only enough for Linux console and some
12 * unaccelerated X output at the moment.
13 * Currently it's little more than a frame buffer with minimal functions,
14 * other more advanced features of the hardware are yet to be implemented.
15 * We only aim for Rage 128 Pro (and some RV100) and 2D only at first,
16 * No 3D at all yet (maybe after 2D works, but feel free to improve it)
17 */
18
19 #include "qemu/osdep.h"
20 #include "ati_int.h"
21 #include "ati_regs.h"
22 #include "vga-access.h"
23 #include "hw/qdev-properties.h"
24 #include "vga_regs.h"
25 #include "qemu/log.h"
26 #include "qemu/module.h"
27 #include "qemu/error-report.h"
28 #include "qapi/error.h"
29 #include "ui/console.h"
30 #include "hw/display/i2c-ddc.h"
31 #include "trace.h"
32
33 #define ATI_DEBUG_HW_CURSOR 0
34
35 static const struct {
36 const char *name;
37 uint16_t dev_id;
38 } ati_model_aliases[] = {
39 { "rage128p", PCI_DEVICE_ID_ATI_RAGE128_PF },
40 { "rv100", PCI_DEVICE_ID_ATI_RADEON_QY },
41 };
42
43 enum { VGA_MODE, EXT_MODE };
44
45 static void ati_vga_switch_mode(ATIVGAState *s)
46 {
47 DPRINTF("%d -> %d\n",
48 s->mode, !!(s->regs.crtc_gen_cntl & CRTC2_EXT_DISP_EN));
49 if (s->regs.crtc_gen_cntl & CRTC2_EXT_DISP_EN) {
50 /* Extended mode enabled */
51 s->mode = EXT_MODE;
52 if (s->regs.crtc_gen_cntl & CRTC2_EN) {
53 /* CRT controller enabled, use CRTC values */
54 /* FIXME Should these be the same as VGA CRTC regs? */
55 uint32_t offs = s->regs.crtc_offset & 0x07ffffff;
56 int stride = (s->regs.crtc_pitch & 0x7ff) * 8;
57 int bpp = 0;
58 int h, v;
59
60 if (s->regs.crtc_h_total_disp == 0) {
61 s->regs.crtc_h_total_disp = ((640 / 8) - 1) << 16;
62 }
63 if (s->regs.crtc_v_total_disp == 0) {
64 s->regs.crtc_v_total_disp = (480 - 1) << 16;
65 }
66 h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
67 v = (s->regs.crtc_v_total_disp >> 16) + 1;
68 switch (s->regs.crtc_gen_cntl & CRTC_PIX_WIDTH_MASK) {
69 case CRTC_PIX_WIDTH_4BPP:
70 bpp = 4;
71 break;
72 case CRTC_PIX_WIDTH_8BPP:
73 bpp = 8;
74 break;
75 case CRTC_PIX_WIDTH_15BPP:
76 bpp = 15;
77 break;
78 case CRTC_PIX_WIDTH_16BPP:
79 bpp = 16;
80 break;
81 case CRTC_PIX_WIDTH_24BPP:
82 bpp = 24;
83 break;
84 case CRTC_PIX_WIDTH_32BPP:
85 bpp = 32;
86 break;
87 default:
88 qemu_log_mask(LOG_UNIMP, "Unsupported bpp value\n");
89 }
90 assert(bpp != 0);
91 DPRINTF("Switching to %dx%d %d %d @ %x\n", h, v, stride, bpp, offs);
92 vbe_ioport_write_index(&s->vga, 0, VBE_DISPI_INDEX_ENABLE);
93 vbe_ioport_write_data(&s->vga, 0, VBE_DISPI_DISABLED);
94 s->vga.big_endian_fb = (s->regs.config_cntl & APER_0_ENDIAN ||
95 s->regs.config_cntl & APER_1_ENDIAN ?
96 true : false);
97 /* reset VBE regs then set up mode */
98 s->vga.vbe_regs[VBE_DISPI_INDEX_XRES] = h;
99 s->vga.vbe_regs[VBE_DISPI_INDEX_YRES] = v;
100 s->vga.vbe_regs[VBE_DISPI_INDEX_BPP] = bpp;
101 /* enable mode via ioport so it updates vga regs */
102 vbe_ioport_write_index(&s->vga, 0, VBE_DISPI_INDEX_ENABLE);
103 vbe_ioport_write_data(&s->vga, 0, VBE_DISPI_ENABLED |
104 VBE_DISPI_LFB_ENABLED | VBE_DISPI_NOCLEARMEM |
105 (s->regs.dac_cntl & DAC_8BIT_EN ? VBE_DISPI_8BIT_DAC : 0));
106 /* now set offset and stride after enable as that resets these */
107 if (stride) {
108 int bypp = DIV_ROUND_UP(bpp, BITS_PER_BYTE);
109
110 vbe_ioport_write_index(&s->vga, 0, VBE_DISPI_INDEX_VIRT_WIDTH);
111 vbe_ioport_write_data(&s->vga, 0, stride);
112 stride *= bypp;
113 if (offs % stride) {
114 DPRINTF("CRTC offset is not multiple of pitch\n");
115 vbe_ioport_write_index(&s->vga, 0,
116 VBE_DISPI_INDEX_X_OFFSET);
117 vbe_ioport_write_data(&s->vga, 0, offs % stride / bypp);
118 }
119 vbe_ioport_write_index(&s->vga, 0, VBE_DISPI_INDEX_Y_OFFSET);
120 vbe_ioport_write_data(&s->vga, 0, offs / stride);
121 DPRINTF("VBE offset (%d,%d), vbe_start_addr=%x\n",
122 s->vga.vbe_regs[VBE_DISPI_INDEX_X_OFFSET],
123 s->vga.vbe_regs[VBE_DISPI_INDEX_Y_OFFSET],
124 s->vga.vbe_start_addr);
125 }
126 }
127 } else {
128 /* VGA mode enabled */
129 s->mode = VGA_MODE;
130 vbe_ioport_write_index(&s->vga, 0, VBE_DISPI_INDEX_ENABLE);
131 vbe_ioport_write_data(&s->vga, 0, VBE_DISPI_DISABLED);
132 }
133 }
134
135 /* Used by host side hardware cursor */
136 static void ati_cursor_define(ATIVGAState *s)
137 {
138 uint8_t data[1024];
139 uint32_t srcoff;
140 int i, j, idx = 0;
141
142 if ((s->regs.cur_offset & BIT(31)) || s->cursor_guest_mode) {
143 return; /* Do not update cursor if locked or rendered by guest */
144 }
145 /* FIXME handle cur_hv_offs correctly */
146 srcoff = s->regs.cur_offset -
147 (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
148 for (i = 0; i < 64; i++) {
149 for (j = 0; j < 8; j++, idx++) {
150 data[idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j);
151 data[512 + idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j + 8);
152 }
153 }
154 if (!s->cursor) {
155 s->cursor = cursor_alloc(64, 64);
156 }
157 cursor_set_mono(s->cursor, s->regs.cur_color1, s->regs.cur_color0,
158 &data[512], 1, &data[0]);
159 dpy_cursor_define(s->vga.con, s->cursor);
160 }
161
162 /* Alternatively support guest rendered hardware cursor */
163 static void ati_cursor_invalidate(VGACommonState *vga)
164 {
165 ATIVGAState *s = container_of(vga, ATIVGAState, vga);
166 int size = (s->regs.crtc_gen_cntl & CRTC2_CUR_EN) ? 64 : 0;
167
168 if (s->regs.cur_offset & BIT(31)) {
169 return; /* Do not update cursor if locked */
170 }
171 if (s->cursor_size != size ||
172 vga->hw_cursor_x != s->regs.cur_hv_pos >> 16 ||
173 vga->hw_cursor_y != (s->regs.cur_hv_pos & 0xffff) ||
174 s->cursor_offset != s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
175 (s->regs.cur_hv_offs & 0xffff) * 16) {
176 /* Remove old cursor then update and show new one if needed */
177 vga_invalidate_scanlines(vga, vga->hw_cursor_y, vga->hw_cursor_y + 63);
178 vga->hw_cursor_x = s->regs.cur_hv_pos >> 16;
179 vga->hw_cursor_y = s->regs.cur_hv_pos & 0xffff;
180 s->cursor_offset = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
181 (s->regs.cur_hv_offs & 0xffff) * 16;
182 s->cursor_size = size;
183 if (size) {
184 vga_invalidate_scanlines(vga,
185 vga->hw_cursor_y, vga->hw_cursor_y + 63);
186 }
187 }
188 }
189
190 static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
191 {
192 ATIVGAState *s = container_of(vga, ATIVGAState, vga);
193 uint32_t srcoff;
194 uint32_t *dp = (uint32_t *)d;
195 int i, j, h;
196
197 if (!(s->regs.crtc_gen_cntl & CRTC2_CUR_EN) ||
198 scr_y < vga->hw_cursor_y || scr_y >= vga->hw_cursor_y + 64 ||
199 scr_y > s->regs.crtc_v_total_disp >> 16) {
200 return;
201 }
202 /* FIXME handle cur_hv_offs correctly */
203 srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
204 dp = &dp[vga->hw_cursor_x];
205 h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
206 for (i = 0; i < 8; i++) {
207 uint32_t color;
208 uint8_t abits = vga_read_byte(vga, srcoff + i);
209 uint8_t xbits = vga_read_byte(vga, srcoff + i + 8);
210 for (j = 0; j < 8; j++, abits <<= 1, xbits <<= 1) {
211 if (abits & BIT(7)) {
212 if (xbits & BIT(7)) {
213 color = dp[i * 8 + j] ^ 0xffffffff; /* complement */
214 } else {
215 continue; /* transparent, no change */
216 }
217 } else {
218 color = (xbits & BIT(7) ? s->regs.cur_color1 :
219 s->regs.cur_color0) | 0xff000000;
220 }
221 if (vga->hw_cursor_x + i * 8 + j >= h) {
222 return; /* end of screen, don't span to next line */
223 }
224 dp[i * 8 + j] = color;
225 }
226 }
227 }
228
229 static uint64_t ati_i2c(bitbang_i2c_interface *i2c, uint64_t data, int base)
230 {
231 bool c = (data & BIT(base + 17) ? !!(data & BIT(base + 1)) : 1);
232 bool d = (data & BIT(base + 16) ? !!(data & BIT(base)) : 1);
233
234 bitbang_i2c_set(i2c, BITBANG_I2C_SCL, c);
235 d = bitbang_i2c_set(i2c, BITBANG_I2C_SDA, d);
236
237 data &= ~0xf00ULL;
238 if (c) {
239 data |= BIT(base + 9);
240 }
241 if (d) {
242 data |= BIT(base + 8);
243 }
244 return data;
245 }
246
247 static void ati_vga_update_irq(ATIVGAState *s)
248 {
249 pci_set_irq(&s->dev, !!(s->regs.gen_int_status & s->regs.gen_int_cntl));
250 }
251
252 static void ati_vga_vblank_irq(void *opaque)
253 {
254 ATIVGAState *s = opaque;
255
256 timer_mod(&s->vblank_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
257 NANOSECONDS_PER_SECOND / 60);
258 s->regs.gen_int_status |= CRTC_VBLANK_INT;
259 ati_vga_update_irq(s);
260 }
261
262 static inline uint64_t ati_reg_read_offs(uint32_t reg, int offs,
263 unsigned int size)
264 {
265 if (offs == 0 && size == 4) {
266 return reg;
267 } else {
268 return extract32(reg, offs * BITS_PER_BYTE, size * BITS_PER_BYTE);
269 }
270 }
271
272 static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
273 {
274 ATIVGAState *s = opaque;
275 uint64_t val = 0;
276
277 switch (addr) {
278 case MM_INDEX:
279 val = s->regs.mm_index;
280 break;
281 case MM_DATA ... MM_DATA + 3:
282 /* indexed access to regs or memory */
283 if (s->regs.mm_index & BIT(31)) {
284 uint32_t idx = s->regs.mm_index & ~BIT(31);
285 if (idx <= s->vga.vram_size - size) {
286 val = ldn_le_p(s->vga.vram_ptr + idx, size);
287 }
288 } else if (s->regs.mm_index > MM_DATA + 3) {
289 val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
290 } else {
291 qemu_log_mask(LOG_GUEST_ERROR,
292 "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
293 }
294 break;
295 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
296 {
297 int i = (addr - BIOS_0_SCRATCH) / 4;
298 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF && i > 3) {
299 break;
300 }
301 val = ati_reg_read_offs(s->regs.bios_scratch[i],
302 addr - (BIOS_0_SCRATCH + i * 4), size);
303 break;
304 }
305 case GEN_INT_CNTL:
306 val = s->regs.gen_int_cntl;
307 break;
308 case GEN_INT_STATUS:
309 val = s->regs.gen_int_status;
310 break;
311 case CRTC_GEN_CNTL ... CRTC_GEN_CNTL + 3:
312 val = ati_reg_read_offs(s->regs.crtc_gen_cntl,
313 addr - CRTC_GEN_CNTL, size);
314 break;
315 case CRTC_EXT_CNTL ... CRTC_EXT_CNTL + 3:
316 val = ati_reg_read_offs(s->regs.crtc_ext_cntl,
317 addr - CRTC_EXT_CNTL, size);
318 break;
319 case DAC_CNTL:
320 val = s->regs.dac_cntl;
321 break;
322 case GPIO_VGA_DDC:
323 val = s->regs.gpio_vga_ddc;
324 break;
325 case GPIO_DVI_DDC:
326 val = s->regs.gpio_dvi_ddc;
327 break;
328 case GPIO_MONID ... GPIO_MONID + 3:
329 val = ati_reg_read_offs(s->regs.gpio_monid,
330 addr - GPIO_MONID, size);
331 break;
332 case PALETTE_INDEX:
333 /* FIXME unaligned access */
334 val = vga_ioport_read(&s->vga, VGA_PEL_IR) << 16;
335 val |= vga_ioport_read(&s->vga, VGA_PEL_IW) & 0xff;
336 break;
337 case PALETTE_DATA:
338 val = vga_ioport_read(&s->vga, VGA_PEL_D);
339 break;
340 case CNFG_CNTL:
341 val = s->regs.config_cntl;
342 break;
343 case CNFG_MEMSIZE:
344 val = s->vga.vram_size;
345 break;
346 case CONFIG_APER_0_BASE:
347 case CONFIG_APER_1_BASE:
348 val = pci_default_read_config(&s->dev,
349 PCI_BASE_ADDRESS_0, size) & 0xfffffff0;
350 break;
351 case CONFIG_APER_SIZE:
352 val = s->vga.vram_size;
353 break;
354 case CONFIG_REG_1_BASE:
355 val = pci_default_read_config(&s->dev,
356 PCI_BASE_ADDRESS_2, size) & 0xfffffff0;
357 break;
358 case CONFIG_REG_APER_SIZE:
359 val = memory_region_size(&s->mm);
360 break;
361 case MC_STATUS:
362 val = 5;
363 break;
364 case RBBM_STATUS:
365 case GUI_STAT:
366 val = 64; /* free CMDFIFO entries */
367 break;
368 case CRTC_H_TOTAL_DISP:
369 val = s->regs.crtc_h_total_disp;
370 break;
371 case CRTC_H_SYNC_STRT_WID:
372 val = s->regs.crtc_h_sync_strt_wid;
373 break;
374 case CRTC_V_TOTAL_DISP:
375 val = s->regs.crtc_v_total_disp;
376 break;
377 case CRTC_V_SYNC_STRT_WID:
378 val = s->regs.crtc_v_sync_strt_wid;
379 break;
380 case CRTC_OFFSET:
381 val = s->regs.crtc_offset;
382 break;
383 case CRTC_OFFSET_CNTL:
384 val = s->regs.crtc_offset_cntl;
385 break;
386 case CRTC_PITCH:
387 val = s->regs.crtc_pitch;
388 break;
389 case 0xf00 ... 0xfff:
390 val = pci_default_read_config(&s->dev, addr - 0xf00, size);
391 break;
392 case CUR_OFFSET:
393 val = s->regs.cur_offset;
394 break;
395 case CUR_HORZ_VERT_POSN:
396 val = s->regs.cur_hv_pos;
397 val |= s->regs.cur_offset & BIT(31);
398 break;
399 case CUR_HORZ_VERT_OFF:
400 val = s->regs.cur_hv_offs;
401 val |= s->regs.cur_offset & BIT(31);
402 break;
403 case CUR_CLR0:
404 val = s->regs.cur_color0;
405 break;
406 case CUR_CLR1:
407 val = s->regs.cur_color1;
408 break;
409 case DST_OFFSET:
410 val = s->regs.dst_offset;
411 break;
412 case DST_PITCH:
413 val = s->regs.dst_pitch;
414 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
415 val &= s->regs.dst_tile << 16;
416 }
417 break;
418 case DST_WIDTH:
419 val = s->regs.dst_width;
420 break;
421 case DST_HEIGHT:
422 val = s->regs.dst_height;
423 break;
424 case SRC_X:
425 val = s->regs.src_x;
426 break;
427 case SRC_Y:
428 val = s->regs.src_y;
429 break;
430 case DST_X:
431 val = s->regs.dst_x;
432 break;
433 case DST_Y:
434 val = s->regs.dst_y;
435 break;
436 case DP_GUI_MASTER_CNTL:
437 val = s->regs.dp_gui_master_cntl;
438 break;
439 case SRC_OFFSET:
440 val = s->regs.src_offset;
441 break;
442 case SRC_PITCH:
443 val = s->regs.src_pitch;
444 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
445 val &= s->regs.src_tile << 16;
446 }
447 break;
448 case DP_BRUSH_BKGD_CLR:
449 val = s->regs.dp_brush_bkgd_clr;
450 break;
451 case DP_BRUSH_FRGD_CLR:
452 val = s->regs.dp_brush_frgd_clr;
453 break;
454 case DP_SRC_FRGD_CLR:
455 val = s->regs.dp_src_frgd_clr;
456 break;
457 case DP_SRC_BKGD_CLR:
458 val = s->regs.dp_src_bkgd_clr;
459 break;
460 case DP_CNTL:
461 val = s->regs.dp_cntl;
462 break;
463 case DP_DATATYPE:
464 val = s->regs.dp_datatype;
465 break;
466 case DP_MIX:
467 val = s->regs.dp_mix;
468 break;
469 case DP_WRITE_MASK:
470 val = s->regs.dp_write_mask;
471 break;
472 case DEFAULT_OFFSET:
473 val = s->regs.default_offset;
474 if (s->dev_id != PCI_DEVICE_ID_ATI_RAGE128_PF) {
475 val >>= 10;
476 val |= s->regs.default_pitch << 16;
477 val |= s->regs.default_tile << 30;
478 }
479 break;
480 case DEFAULT_PITCH:
481 val = s->regs.default_pitch;
482 val |= s->regs.default_tile << 16;
483 break;
484 case DEFAULT_SC_BOTTOM_RIGHT:
485 val = s->regs.default_sc_bottom_right;
486 break;
487 default:
488 break;
489 }
490 if (addr < CUR_OFFSET || addr > CUR_CLR1 || ATI_DEBUG_HW_CURSOR) {
491 trace_ati_mm_read(size, addr, ati_reg_name(addr & ~3ULL), val);
492 }
493 return val;
494 }
495
496 static inline void ati_reg_write_offs(uint32_t *reg, int offs,
497 uint64_t data, unsigned int size)
498 {
499 if (offs == 0 && size == 4) {
500 *reg = data;
501 } else {
502 *reg = deposit32(*reg, offs * BITS_PER_BYTE, size * BITS_PER_BYTE,
503 data);
504 }
505 }
506
507 static void ati_mm_write(void *opaque, hwaddr addr,
508 uint64_t data, unsigned int size)
509 {
510 ATIVGAState *s = opaque;
511
512 if (addr < CUR_OFFSET || addr > CUR_CLR1 || ATI_DEBUG_HW_CURSOR) {
513 trace_ati_mm_write(size, addr, ati_reg_name(addr & ~3ULL), data);
514 }
515 switch (addr) {
516 case MM_INDEX:
517 s->regs.mm_index = data & ~3;
518 break;
519 case MM_DATA ... MM_DATA + 3:
520 /* indexed access to regs or memory */
521 if (s->regs.mm_index & BIT(31)) {
522 uint32_t idx = s->regs.mm_index & ~BIT(31);
523 if (idx <= s->vga.vram_size - size) {
524 stn_le_p(s->vga.vram_ptr + idx, size, data);
525 }
526 } else if (s->regs.mm_index > MM_DATA + 3) {
527 ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
528 } else {
529 qemu_log_mask(LOG_GUEST_ERROR,
530 "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
531 }
532 break;
533 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
534 {
535 int i = (addr - BIOS_0_SCRATCH) / 4;
536 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF && i > 3) {
537 break;
538 }
539 ati_reg_write_offs(&s->regs.bios_scratch[i],
540 addr - (BIOS_0_SCRATCH + i * 4), data, size);
541 break;
542 }
543 case GEN_INT_CNTL:
544 s->regs.gen_int_cntl = data;
545 if (data & CRTC_VBLANK_INT) {
546 ati_vga_vblank_irq(s);
547 } else {
548 timer_del(&s->vblank_timer);
549 ati_vga_update_irq(s);
550 }
551 break;
552 case GEN_INT_STATUS:
553 data &= (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF ?
554 0x000f040fUL : 0xfc080effUL);
555 s->regs.gen_int_status &= ~data;
556 ati_vga_update_irq(s);
557 break;
558 case CRTC_GEN_CNTL ... CRTC_GEN_CNTL + 3:
559 {
560 uint32_t val = s->regs.crtc_gen_cntl;
561 ati_reg_write_offs(&s->regs.crtc_gen_cntl,
562 addr - CRTC_GEN_CNTL, data, size);
563 if ((val & CRTC2_CUR_EN) != (s->regs.crtc_gen_cntl & CRTC2_CUR_EN)) {
564 if (s->cursor_guest_mode) {
565 s->vga.force_shadow = !!(s->regs.crtc_gen_cntl & CRTC2_CUR_EN);
566 } else {
567 if (s->regs.crtc_gen_cntl & CRTC2_CUR_EN) {
568 ati_cursor_define(s);
569 }
570 dpy_mouse_set(s->vga.con, s->regs.cur_hv_pos >> 16,
571 s->regs.cur_hv_pos & 0xffff,
572 (s->regs.crtc_gen_cntl & CRTC2_CUR_EN) != 0);
573 }
574 }
575 if ((val & (CRTC2_EXT_DISP_EN | CRTC2_EN)) !=
576 (s->regs.crtc_gen_cntl & (CRTC2_EXT_DISP_EN | CRTC2_EN))) {
577 ati_vga_switch_mode(s);
578 }
579 break;
580 }
581 case CRTC_EXT_CNTL ... CRTC_EXT_CNTL + 3:
582 {
583 uint32_t val = s->regs.crtc_ext_cntl;
584 ati_reg_write_offs(&s->regs.crtc_ext_cntl,
585 addr - CRTC_EXT_CNTL, data, size);
586 if (s->regs.crtc_ext_cntl & CRT_CRTC_DISPLAY_DIS) {
587 DPRINTF("Display disabled\n");
588 s->vga.ar_index &= ~BIT(5);
589 } else {
590 DPRINTF("Display enabled\n");
591 s->vga.ar_index |= BIT(5);
592 ati_vga_switch_mode(s);
593 }
594 if ((val & CRT_CRTC_DISPLAY_DIS) !=
595 (s->regs.crtc_ext_cntl & CRT_CRTC_DISPLAY_DIS)) {
596 ati_vga_switch_mode(s);
597 }
598 break;
599 }
600 case DAC_CNTL:
601 s->regs.dac_cntl = data & 0xffffe3ff;
602 s->vga.dac_8bit = !!(data & DAC_8BIT_EN);
603 break;
604 case GPIO_VGA_DDC:
605 if (s->dev_id != PCI_DEVICE_ID_ATI_RAGE128_PF) {
606 /* FIXME: Maybe add a property to select VGA or DVI port? */
607 }
608 break;
609 case GPIO_DVI_DDC:
610 if (s->dev_id != PCI_DEVICE_ID_ATI_RAGE128_PF) {
611 s->regs.gpio_dvi_ddc = ati_i2c(&s->bbi2c, data, 0);
612 }
613 break;
614 case GPIO_MONID ... GPIO_MONID + 3:
615 /* FIXME What does Radeon have here? */
616 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
617 ati_reg_write_offs(&s->regs.gpio_monid,
618 addr - GPIO_MONID, data, size);
619 /*
620 * Rage128p accesses DDC used to get EDID via these bits.
621 * Because some drivers access this via multiple byte writes
622 * we have to be careful when we send bits to avoid spurious
623 * changes in bitbang_i2c state. So only do it when mask is set
624 * and either the enable bits are changed or output bits changed
625 * while enabled.
626 */
627 if ((s->regs.gpio_monid & BIT(25)) &&
628 ((addr <= GPIO_MONID + 2 && addr + size > GPIO_MONID + 2) ||
629 (addr == GPIO_MONID && (s->regs.gpio_monid & 0x60000)))) {
630 s->regs.gpio_monid = ati_i2c(&s->bbi2c, s->regs.gpio_monid, 1);
631 }
632 }
633 break;
634 case PALETTE_INDEX ... PALETTE_INDEX + 3:
635 if (size == 4) {
636 vga_ioport_write(&s->vga, VGA_PEL_IR, (data >> 16) & 0xff);
637 vga_ioport_write(&s->vga, VGA_PEL_IW, data & 0xff);
638 } else {
639 if (addr == PALETTE_INDEX) {
640 vga_ioport_write(&s->vga, VGA_PEL_IW, data & 0xff);
641 } else {
642 vga_ioport_write(&s->vga, VGA_PEL_IR, data & 0xff);
643 }
644 }
645 break;
646 case PALETTE_DATA ... PALETTE_DATA + 3:
647 data <<= addr - PALETTE_DATA;
648 data = bswap32(data) >> 8;
649 vga_ioport_write(&s->vga, VGA_PEL_D, data & 0xff);
650 data >>= 8;
651 vga_ioport_write(&s->vga, VGA_PEL_D, data & 0xff);
652 data >>= 8;
653 vga_ioport_write(&s->vga, VGA_PEL_D, data & 0xff);
654 break;
655 case CNFG_CNTL:
656 s->regs.config_cntl = data;
657 break;
658 case CRTC_H_TOTAL_DISP:
659 s->regs.crtc_h_total_disp = data & 0x07ff07ff;
660 break;
661 case CRTC_H_SYNC_STRT_WID:
662 s->regs.crtc_h_sync_strt_wid = data & 0x17bf1fff;
663 break;
664 case CRTC_V_TOTAL_DISP:
665 s->regs.crtc_v_total_disp = data & 0x0fff0fff;
666 break;
667 case CRTC_V_SYNC_STRT_WID:
668 s->regs.crtc_v_sync_strt_wid = data & 0x9f0fff;
669 break;
670 case CRTC_OFFSET:
671 s->regs.crtc_offset = data & 0xc7ffffff;
672 break;
673 case CRTC_OFFSET_CNTL:
674 s->regs.crtc_offset_cntl = data; /* FIXME */
675 break;
676 case CRTC_PITCH:
677 s->regs.crtc_pitch = data & 0x07ff07ff;
678 break;
679 case 0xf00 ... 0xfff:
680 /* read-only copy of PCI config space so ignore writes */
681 break;
682 case CUR_OFFSET:
683 if (s->regs.cur_offset != (data & 0x87fffff0)) {
684 s->regs.cur_offset = data & 0x87fffff0;
685 ati_cursor_define(s);
686 }
687 break;
688 case CUR_HORZ_VERT_POSN:
689 s->regs.cur_hv_pos = data & 0x3fff0fff;
690 if (data & BIT(31)) {
691 s->regs.cur_offset |= data & BIT(31);
692 } else if (s->regs.cur_offset & BIT(31)) {
693 s->regs.cur_offset &= ~BIT(31);
694 ati_cursor_define(s);
695 }
696 if (!s->cursor_guest_mode &&
697 (s->regs.crtc_gen_cntl & CRTC2_CUR_EN) && !(data & BIT(31))) {
698 dpy_mouse_set(s->vga.con, s->regs.cur_hv_pos >> 16,
699 s->regs.cur_hv_pos & 0xffff, 1);
700 }
701 break;
702 case CUR_HORZ_VERT_OFF:
703 s->regs.cur_hv_offs = data & 0x3f003f;
704 if (data & BIT(31)) {
705 s->regs.cur_offset |= data & BIT(31);
706 } else if (s->regs.cur_offset & BIT(31)) {
707 s->regs.cur_offset &= ~BIT(31);
708 ati_cursor_define(s);
709 }
710 break;
711 case CUR_CLR0:
712 if (s->regs.cur_color0 != (data & 0xffffff)) {
713 s->regs.cur_color0 = data & 0xffffff;
714 ati_cursor_define(s);
715 }
716 break;
717 case CUR_CLR1:
718 /*
719 * Update cursor unconditionally here because some clients set up
720 * other registers before actually writing cursor data to memory at
721 * offset so we would miss cursor change unless always updating here
722 */
723 s->regs.cur_color1 = data & 0xffffff;
724 ati_cursor_define(s);
725 break;
726 case DST_OFFSET:
727 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
728 s->regs.dst_offset = data & 0xfffffff0;
729 } else {
730 s->regs.dst_offset = data & 0xfffffc00;
731 }
732 break;
733 case DST_PITCH:
734 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
735 s->regs.dst_pitch = data & 0x3fff;
736 s->regs.dst_tile = (data >> 16) & 1;
737 } else {
738 s->regs.dst_pitch = data & 0x3ff0;
739 }
740 break;
741 case DST_TILE:
742 if (s->dev_id == PCI_DEVICE_ID_ATI_RADEON_QY) {
743 s->regs.dst_tile = data & 3;
744 }
745 break;
746 case DST_WIDTH:
747 s->regs.dst_width = data & 0x3fff;
748 ati_2d_blt(s);
749 break;
750 case DST_HEIGHT:
751 s->regs.dst_height = data & 0x3fff;
752 break;
753 case SRC_X:
754 s->regs.src_x = data & 0x3fff;
755 break;
756 case SRC_Y:
757 s->regs.src_y = data & 0x3fff;
758 break;
759 case DST_X:
760 s->regs.dst_x = data & 0x3fff;
761 break;
762 case DST_Y:
763 s->regs.dst_y = data & 0x3fff;
764 break;
765 case SRC_PITCH_OFFSET:
766 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
767 s->regs.src_offset = (data & 0x1fffff) << 5;
768 s->regs.src_pitch = (data & 0x7fe00000) >> 21;
769 s->regs.src_tile = data >> 31;
770 } else {
771 s->regs.src_offset = (data & 0x3fffff) << 10;
772 s->regs.src_pitch = (data & 0x3fc00000) >> 16;
773 s->regs.src_tile = (data >> 30) & 1;
774 }
775 break;
776 case DST_PITCH_OFFSET:
777 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
778 s->regs.dst_offset = (data & 0x1fffff) << 5;
779 s->regs.dst_pitch = (data & 0x7fe00000) >> 21;
780 s->regs.dst_tile = data >> 31;
781 } else {
782 s->regs.dst_offset = (data & 0x3fffff) << 10;
783 s->regs.dst_pitch = (data & 0x3fc00000) >> 16;
784 s->regs.dst_tile = data >> 30;
785 }
786 break;
787 case SRC_Y_X:
788 s->regs.src_x = data & 0x3fff;
789 s->regs.src_y = (data >> 16) & 0x3fff;
790 break;
791 case DST_Y_X:
792 s->regs.dst_x = data & 0x3fff;
793 s->regs.dst_y = (data >> 16) & 0x3fff;
794 break;
795 case DST_HEIGHT_WIDTH:
796 s->regs.dst_width = data & 0x3fff;
797 s->regs.dst_height = (data >> 16) & 0x3fff;
798 ati_2d_blt(s);
799 break;
800 case DP_GUI_MASTER_CNTL:
801 s->regs.dp_gui_master_cntl = data & 0xf800000f;
802 s->regs.dp_datatype = (data & 0x0f00) >> 8 | (data & 0x30f0) << 4 |
803 (data & 0x4000) << 16;
804 s->regs.dp_mix = (data & GMC_ROP3_MASK) | (data & 0x7000000) >> 16;
805 break;
806 case DST_WIDTH_X:
807 s->regs.dst_x = data & 0x3fff;
808 s->regs.dst_width = (data >> 16) & 0x3fff;
809 ati_2d_blt(s);
810 break;
811 case SRC_X_Y:
812 s->regs.src_y = data & 0x3fff;
813 s->regs.src_x = (data >> 16) & 0x3fff;
814 break;
815 case DST_X_Y:
816 s->regs.dst_y = data & 0x3fff;
817 s->regs.dst_x = (data >> 16) & 0x3fff;
818 break;
819 case DST_WIDTH_HEIGHT:
820 s->regs.dst_height = data & 0x3fff;
821 s->regs.dst_width = (data >> 16) & 0x3fff;
822 ati_2d_blt(s);
823 break;
824 case DST_HEIGHT_Y:
825 s->regs.dst_y = data & 0x3fff;
826 s->regs.dst_height = (data >> 16) & 0x3fff;
827 break;
828 case SRC_OFFSET:
829 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
830 s->regs.src_offset = data & 0xfffffff0;
831 } else {
832 s->regs.src_offset = data & 0xfffffc00;
833 }
834 break;
835 case SRC_PITCH:
836 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
837 s->regs.src_pitch = data & 0x3fff;
838 s->regs.src_tile = (data >> 16) & 1;
839 } else {
840 s->regs.src_pitch = data & 0x3ff0;
841 }
842 break;
843 case DP_BRUSH_BKGD_CLR:
844 s->regs.dp_brush_bkgd_clr = data;
845 break;
846 case DP_BRUSH_FRGD_CLR:
847 s->regs.dp_brush_frgd_clr = data;
848 break;
849 case DP_CNTL:
850 s->regs.dp_cntl = data;
851 break;
852 case DP_DATATYPE:
853 s->regs.dp_datatype = data & 0xe0070f0f;
854 break;
855 case DP_MIX:
856 s->regs.dp_mix = data & 0x00ff0700;
857 break;
858 case DP_WRITE_MASK:
859 s->regs.dp_write_mask = data;
860 break;
861 case DEFAULT_OFFSET:
862 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
863 s->regs.default_offset = data & 0xfffffff0;
864 } else {
865 /* Radeon has DEFAULT_PITCH_OFFSET here like DST_PITCH_OFFSET */
866 s->regs.default_offset = (data & 0x3fffff) << 10;
867 s->regs.default_pitch = (data & 0x3fc00000) >> 16;
868 s->regs.default_tile = data >> 30;
869 }
870 break;
871 case DEFAULT_PITCH:
872 if (s->dev_id == PCI_DEVICE_ID_ATI_RAGE128_PF) {
873 s->regs.default_pitch = data & 0x3fff;
874 s->regs.default_tile = (data >> 16) & 1;
875 }
876 break;
877 case DEFAULT_SC_BOTTOM_RIGHT:
878 s->regs.default_sc_bottom_right = data & 0x3fff3fff;
879 break;
880 default:
881 break;
882 }
883 }
884
885 static const MemoryRegionOps ati_mm_ops = {
886 .read = ati_mm_read,
887 .write = ati_mm_write,
888 .endianness = DEVICE_LITTLE_ENDIAN,
889 };
890
891 static void ati_vga_realize(PCIDevice *dev, Error **errp)
892 {
893 ATIVGAState *s = ATI_VGA(dev);
894 VGACommonState *vga = &s->vga;
895
896 if (s->model) {
897 int i;
898 for (i = 0; i < ARRAY_SIZE(ati_model_aliases); i++) {
899 if (!strcmp(s->model, ati_model_aliases[i].name)) {
900 s->dev_id = ati_model_aliases[i].dev_id;
901 break;
902 }
903 }
904 if (i >= ARRAY_SIZE(ati_model_aliases)) {
905 warn_report("Unknown ATI VGA model name, "
906 "using default rage128p");
907 }
908 }
909 if (s->dev_id != PCI_DEVICE_ID_ATI_RAGE128_PF &&
910 s->dev_id != PCI_DEVICE_ID_ATI_RADEON_QY) {
911 error_setg(errp, "Unknown ATI VGA device id, "
912 "only 0x5046 and 0x5159 are supported");
913 return;
914 }
915 pci_set_word(dev->config + PCI_DEVICE_ID, s->dev_id);
916
917 if (s->dev_id == PCI_DEVICE_ID_ATI_RADEON_QY &&
918 s->vga.vram_size_mb < 16) {
919 warn_report("Too small video memory for device id");
920 s->vga.vram_size_mb = 16;
921 }
922
923 /* init vga bits */
924 vga_common_init(vga, OBJECT(s));
925 vga_init(vga, OBJECT(s), pci_address_space(dev),
926 pci_address_space_io(dev), true);
927 vga->con = graphic_console_init(DEVICE(s), 0, s->vga.hw_ops, &s->vga);
928 if (s->cursor_guest_mode) {
929 vga->cursor_invalidate = ati_cursor_invalidate;
930 vga->cursor_draw_line = ati_cursor_draw_line;
931 }
932
933 /* ddc, edid */
934 I2CBus *i2cbus = i2c_init_bus(DEVICE(s), "ati-vga.ddc");
935 bitbang_i2c_init(&s->bbi2c, i2cbus);
936 I2CSlave *i2cddc = I2C_SLAVE(qdev_create(BUS(i2cbus), TYPE_I2CDDC));
937 i2c_set_slave_address(i2cddc, 0x50);
938
939 /* mmio register space */
940 memory_region_init_io(&s->mm, OBJECT(s), &ati_mm_ops, s,
941 "ati.mmregs", 0x4000);
942 /* io space is alias to beginning of mmregs */
943 memory_region_init_alias(&s->io, OBJECT(s), "ati.io", &s->mm, 0, 0x100);
944
945 pci_register_bar(dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &vga->vram);
946 pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io);
947 pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mm);
948
949 /* most interrupts are not yet emulated but MacOS needs at least VBlank */
950 dev->config[PCI_INTERRUPT_PIN] = 1;
951 timer_init_ns(&s->vblank_timer, QEMU_CLOCK_VIRTUAL, ati_vga_vblank_irq, s);
952 }
953
954 static void ati_vga_reset(DeviceState *dev)
955 {
956 ATIVGAState *s = ATI_VGA(dev);
957
958 timer_del(&s->vblank_timer);
959 ati_vga_update_irq(s);
960
961 /* reset vga */
962 vga_common_reset(&s->vga);
963 s->mode = VGA_MODE;
964 }
965
966 static void ati_vga_exit(PCIDevice *dev)
967 {
968 ATIVGAState *s = ATI_VGA(dev);
969
970 timer_del(&s->vblank_timer);
971 graphic_console_close(s->vga.con);
972 }
973
974 static Property ati_vga_properties[] = {
975 DEFINE_PROP_UINT32("vgamem_mb", ATIVGAState, vga.vram_size_mb, 16),
976 DEFINE_PROP_STRING("model", ATIVGAState, model),
977 DEFINE_PROP_UINT16("x-device-id", ATIVGAState, dev_id,
978 PCI_DEVICE_ID_ATI_RAGE128_PF),
979 DEFINE_PROP_BOOL("guest_hwcursor", ATIVGAState, cursor_guest_mode, false),
980 DEFINE_PROP_END_OF_LIST()
981 };
982
983 static void ati_vga_class_init(ObjectClass *klass, void *data)
984 {
985 DeviceClass *dc = DEVICE_CLASS(klass);
986 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
987
988 dc->reset = ati_vga_reset;
989 device_class_set_props(dc, ati_vga_properties);
990 dc->hotpluggable = false;
991 set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
992
993 k->class_id = PCI_CLASS_DISPLAY_VGA;
994 k->vendor_id = PCI_VENDOR_ID_ATI;
995 k->device_id = PCI_DEVICE_ID_ATI_RAGE128_PF;
996 k->romfile = "vgabios-ati.bin";
997 k->realize = ati_vga_realize;
998 k->exit = ati_vga_exit;
999 }
1000
1001 static const TypeInfo ati_vga_info = {
1002 .name = TYPE_ATI_VGA,
1003 .parent = TYPE_PCI_DEVICE,
1004 .instance_size = sizeof(ATIVGAState),
1005 .class_init = ati_vga_class_init,
1006 .interfaces = (InterfaceInfo[]) {
1007 { INTERFACE_CONVENTIONAL_PCI_DEVICE },
1008 { },
1009 },
1010 };
1011
1012 static void ati_vga_register_types(void)
1013 {
1014 type_register_static(&ati_vga_info);
1015 }
1016
1017 type_init(ati_vga_register_types)
AR7 emulation for QEMU