2 * Raspberry Pi emulation (c) 2012 Gregory Estrade
3 * This code is licensed under the GNU GPLv2 and later.
5 * This file models the system mailboxes, which are used for
6 * communication with low-bandwidth GPU peripherals. Refs:
7 * https://github.com/raspberrypi/firmware/wiki/Mailboxes
8 * https://github.com/raspberrypi/firmware/wiki/Accessing-mailboxes
11 #include "qemu/osdep.h"
12 #include "qapi/error.h"
13 #include "hw/misc/bcm2835_mbox.h"
15 #include "qemu/module.h"
17 #define MAIL0_PEEK 0x90
18 #define MAIL0_SENDER 0x94
19 #define MAIL1_STATUS 0xb8
21 /* Mailbox status register */
22 #define MAIL0_STATUS 0x98
23 #define ARM_MS_FULL 0x80000000
24 #define ARM_MS_EMPTY 0x40000000
25 #define ARM_MS_LEVEL 0x400000FF /* Max. value depends on mailbox depth */
27 /* MAILBOX config/status register */
28 #define MAIL0_CONFIG 0x9c
29 /* ANY write to this register clears the error bits! */
30 #define ARM_MC_IHAVEDATAIRQEN 0x00000001 /* mbox irq enable: has data */
31 #define ARM_MC_IHAVESPACEIRQEN 0x00000002 /* mbox irq enable: has space */
32 #define ARM_MC_OPPISEMPTYIRQEN 0x00000004 /* mbox irq enable: Opp is empty */
33 #define ARM_MC_MAIL_CLEAR 0x00000008 /* mbox clear write 1, then 0 */
34 #define ARM_MC_IHAVEDATAIRQPEND 0x00000010 /* mbox irq pending: has space */
35 #define ARM_MC_IHAVESPACEIRQPEND 0x00000020 /* mbox irq pending: Opp is empty */
36 #define ARM_MC_OPPISEMPTYIRQPEND 0x00000040 /* mbox irq pending */
38 #define ARM_MC_ERRNOOWN 0x00000100 /* error : none owner read from mailbox */
39 #define ARM_MC_ERROVERFLW 0x00000200 /* error : write to fill mailbox */
40 #define ARM_MC_ERRUNDRFLW 0x00000400 /* error : read from empty mailbox */
42 static void mbox_update_status(BCM2835Mbox
*mb
)
44 mb
->status
&= ~(ARM_MS_EMPTY
| ARM_MS_FULL
);
46 mb
->status
|= ARM_MS_EMPTY
;
47 } else if (mb
->count
== MBOX_SIZE
) {
48 mb
->status
|= ARM_MS_FULL
;
52 static void mbox_reset(BCM2835Mbox
*mb
)
58 for (n
= 0; n
< MBOX_SIZE
; n
++) {
59 mb
->reg
[n
] = MBOX_INVALID_DATA
;
61 mbox_update_status(mb
);
64 static uint32_t mbox_pull(BCM2835Mbox
*mb
, int index
)
69 assert(mb
->count
> 0);
70 assert(index
< mb
->count
);
73 for (n
= index
+ 1; n
< mb
->count
; n
++) {
74 mb
->reg
[n
- 1] = mb
->reg
[n
];
77 mb
->reg
[mb
->count
] = MBOX_INVALID_DATA
;
79 mbox_update_status(mb
);
84 static void mbox_push(BCM2835Mbox
*mb
, uint32_t val
)
86 assert(mb
->count
< MBOX_SIZE
);
87 mb
->reg
[mb
->count
++] = val
;
88 mbox_update_status(mb
);
91 static void bcm2835_mbox_update(BCM2835MboxState
*s
)
97 s
->mbox_irq_disabled
= true;
99 /* Get pending responses and put them in the vc->arm mbox,
100 * as long as it's not full
102 for (n
= 0; n
< MBOX_CHAN_COUNT
; n
++) {
103 while (s
->available
[n
] && !(s
->mbox
[0].status
& ARM_MS_FULL
)) {
104 value
= ldl_le_phys(&s
->mbox_as
, n
<< MBOX_AS_CHAN_SHIFT
);
105 assert(value
!= MBOX_INVALID_DATA
); /* Pending interrupt but no data */
106 mbox_push(&s
->mbox
[0], value
);
110 /* TODO (?): Try to push pending requests from the arm->vc mbox */
112 /* Re-enable calls from the IRQ routine */
113 s
->mbox_irq_disabled
= false;
115 /* Update ARM IRQ status */
117 s
->mbox
[0].config
&= ~ARM_MC_IHAVEDATAIRQPEND
;
118 if (!(s
->mbox
[0].status
& ARM_MS_EMPTY
)) {
119 s
->mbox
[0].config
|= ARM_MC_IHAVEDATAIRQPEND
;
120 if (s
->mbox
[0].config
& ARM_MC_IHAVEDATAIRQEN
) {
124 qemu_set_irq(s
->arm_irq
, set
);
127 static void bcm2835_mbox_set_irq(void *opaque
, int irq
, int level
)
129 BCM2835MboxState
*s
= opaque
;
131 s
->available
[irq
] = level
;
133 /* avoid recursively calling bcm2835_mbox_update when the interrupt
134 * status changes due to the ldl_phys call within that function
136 if (!s
->mbox_irq_disabled
) {
137 bcm2835_mbox_update(s
);
141 static uint64_t bcm2835_mbox_read(void *opaque
, hwaddr offset
, unsigned size
)
143 BCM2835MboxState
*s
= opaque
;
149 case 0x80 ... 0x8c: /* MAIL0_READ */
150 if (s
->mbox
[0].status
& ARM_MS_EMPTY
) {
151 res
= MBOX_INVALID_DATA
;
153 res
= mbox_pull(&s
->mbox
[0], 0);
158 res
= s
->mbox
[0].reg
[0];
165 res
= s
->mbox
[0].status
;
169 res
= s
->mbox
[0].config
;
173 res
= s
->mbox
[1].status
;
177 qemu_log_mask(LOG_GUEST_ERROR
, "%s: Bad offset %"HWADDR_PRIx
"\n",
182 bcm2835_mbox_update(s
);
187 static void bcm2835_mbox_write(void *opaque
, hwaddr offset
,
188 uint64_t value
, unsigned size
)
190 BCM2835MboxState
*s
= opaque
;
201 s
->mbox
[0].config
&= ~ARM_MC_IHAVEDATAIRQEN
;
202 s
->mbox
[0].config
|= value
& ARM_MC_IHAVEDATAIRQEN
;
205 case 0xa0 ... 0xac: /* MAIL1_WRITE */
206 if (s
->mbox
[1].status
& ARM_MS_FULL
) {
208 qemu_log_mask(LOG_GUEST_ERROR
, "%s: mailbox full\n", __func__
);
211 if (ch
< MBOX_CHAN_COUNT
) {
212 childaddr
= ch
<< MBOX_AS_CHAN_SHIFT
;
213 if (ldl_le_phys(&s
->mbox_as
, childaddr
+ MBOX_AS_PENDING
)) {
214 /* Child busy, push delayed. Push it in the arm->vc mbox */
215 mbox_push(&s
->mbox
[1], value
);
217 /* Push it directly to the child device */
218 stl_le_phys(&s
->mbox_as
, childaddr
, value
);
221 /* Invalid channel number */
222 qemu_log_mask(LOG_GUEST_ERROR
, "%s: invalid channel %u\n",
229 qemu_log_mask(LOG_GUEST_ERROR
, "%s: Bad offset %"HWADDR_PRIx
"\n",
234 bcm2835_mbox_update(s
);
237 static const MemoryRegionOps bcm2835_mbox_ops
= {
238 .read
= bcm2835_mbox_read
,
239 .write
= bcm2835_mbox_write
,
240 .endianness
= DEVICE_NATIVE_ENDIAN
,
241 .valid
.min_access_size
= 4,
242 .valid
.max_access_size
= 4,
245 /* vmstate of a single mailbox */
246 static const VMStateDescription vmstate_bcm2835_mbox_box
= {
247 .name
= TYPE_BCM2835_MBOX
"_box",
249 .minimum_version_id
= 1,
250 .fields
= (VMStateField
[]) {
251 VMSTATE_UINT32_ARRAY(reg
, BCM2835Mbox
, MBOX_SIZE
),
252 VMSTATE_UINT32(count
, BCM2835Mbox
),
253 VMSTATE_UINT32(status
, BCM2835Mbox
),
254 VMSTATE_UINT32(config
, BCM2835Mbox
),
255 VMSTATE_END_OF_LIST()
259 /* vmstate of the entire device */
260 static const VMStateDescription vmstate_bcm2835_mbox
= {
261 .name
= TYPE_BCM2835_MBOX
,
263 .minimum_version_id
= 1,
264 .minimum_version_id_old
= 1,
265 .fields
= (VMStateField
[]) {
266 VMSTATE_BOOL_ARRAY(available
, BCM2835MboxState
, MBOX_CHAN_COUNT
),
267 VMSTATE_STRUCT_ARRAY(mbox
, BCM2835MboxState
, 2, 1,
268 vmstate_bcm2835_mbox_box
, BCM2835Mbox
),
269 VMSTATE_END_OF_LIST()
273 static void bcm2835_mbox_init(Object
*obj
)
275 BCM2835MboxState
*s
= BCM2835_MBOX(obj
);
277 memory_region_init_io(&s
->iomem
, obj
, &bcm2835_mbox_ops
, s
,
278 TYPE_BCM2835_MBOX
, 0x400);
279 sysbus_init_mmio(SYS_BUS_DEVICE(s
), &s
->iomem
);
280 sysbus_init_irq(SYS_BUS_DEVICE(s
), &s
->arm_irq
);
281 qdev_init_gpio_in(DEVICE(s
), bcm2835_mbox_set_irq
, MBOX_CHAN_COUNT
);
284 static void bcm2835_mbox_reset(DeviceState
*dev
)
286 BCM2835MboxState
*s
= BCM2835_MBOX(dev
);
289 mbox_reset(&s
->mbox
[0]);
290 mbox_reset(&s
->mbox
[1]);
291 s
->mbox_irq_disabled
= false;
292 for (n
= 0; n
< MBOX_CHAN_COUNT
; n
++) {
293 s
->available
[n
] = false;
297 static void bcm2835_mbox_realize(DeviceState
*dev
, Error
**errp
)
299 BCM2835MboxState
*s
= BCM2835_MBOX(dev
);
303 obj
= object_property_get_link(OBJECT(dev
), "mbox-mr", &err
);
305 error_setg(errp
, "%s: required mbox-mr link not found: %s",
306 __func__
, error_get_pretty(err
));
310 s
->mbox_mr
= MEMORY_REGION(obj
);
311 address_space_init(&s
->mbox_as
, s
->mbox_mr
, NULL
);
312 bcm2835_mbox_reset(dev
);
315 static void bcm2835_mbox_class_init(ObjectClass
*klass
, void *data
)
317 DeviceClass
*dc
= DEVICE_CLASS(klass
);
319 dc
->realize
= bcm2835_mbox_realize
;
320 dc
->reset
= bcm2835_mbox_reset
;
321 dc
->vmsd
= &vmstate_bcm2835_mbox
;
324 static TypeInfo bcm2835_mbox_info
= {
325 .name
= TYPE_BCM2835_MBOX
,
326 .parent
= TYPE_SYS_BUS_DEVICE
,
327 .instance_size
= sizeof(BCM2835MboxState
),
328 .class_init
= bcm2835_mbox_class_init
,
329 .instance_init
= bcm2835_mbox_init
,
332 static void bcm2835_mbox_register_types(void)
334 type_register_static(&bcm2835_mbox_info
);
337 type_init(bcm2835_mbox_register_types
)