search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ppc/pnv: check size before data buffer access
[qemu/ar7.git] / hw / hppa / dino.c
blob31e09942b504dfb87adc2e42ea07484eaa4a3e1d
1 /*
2 * HP-PARISC Dino PCI chipset emulation.
3 *
4 * (C) 2017 by Helge Deller <deller@gmx.de>
5 *
6 * This work is licensed under the GNU GPL license version 2 or later.
7 *
8 * Documentation available at:
9 * https://parisc.wiki.kernel.org/images-parisc/9/91/Dino_ers.pdf
10 * https://parisc.wiki.kernel.org/images-parisc/7/70/Dino_3_1_Errata.pdf
11 */
12
13 #include "qemu/osdep.h"
14 #include "qemu/units.h"
15 #include "qapi/error.h"
16 #include "cpu.h"
17 #include "hw/hw.h"
18 #include "hw/devices.h"
19 #include "sysemu/sysemu.h"
20 #include "hw/pci/pci.h"
21 #include "hw/pci/pci_bus.h"
22 #include "hppa_sys.h"
23 #include "exec/address-spaces.h"
24
25
26 #define TYPE_DINO_PCI_HOST_BRIDGE "dino-pcihost"
27
28 #define DINO_IAR0 0x004
29 #define DINO_IODC 0x008
30 #define DINO_IRR0 0x00C /* RO */
31 #define DINO_IAR1 0x010
32 #define DINO_IRR1 0x014 /* RO */
33 #define DINO_IMR 0x018
34 #define DINO_IPR 0x01C
35 #define DINO_TOC_ADDR 0x020
36 #define DINO_ICR 0x024
37 #define DINO_ILR 0x028 /* RO */
38 #define DINO_IO_COMMAND 0x030 /* WO */
39 #define DINO_IO_STATUS 0x034 /* RO */
40 #define DINO_IO_CONTROL 0x038
41 #define DINO_IO_GSC_ERR_RESP 0x040 /* RO */
42 #define DINO_IO_ERR_INFO 0x044 /* RO */
43 #define DINO_IO_PCI_ERR_RESP 0x048 /* RO */
44 #define DINO_IO_FBB_EN 0x05c
45 #define DINO_IO_ADDR_EN 0x060
46 #define DINO_PCI_CONFIG_ADDR 0x064
47 #define DINO_PCI_CONFIG_DATA 0x068
48 #define DINO_PCI_IO_DATA 0x06c
49 #define DINO_PCI_MEM_DATA 0x070 /* Dino 3.x only */
50 #define DINO_GSC2X_CONFIG 0x7b4 /* RO */
51 #define DINO_GMASK 0x800
52 #define DINO_PAMR 0x804
53 #define DINO_PAPR 0x808
54 #define DINO_DAMODE 0x80c
55 #define DINO_PCICMD 0x810
56 #define DINO_PCISTS 0x814 /* R/WC */
57 #define DINO_MLTIM 0x81c
58 #define DINO_BRDG_FEAT 0x820
59 #define DINO_PCIROR 0x824
60 #define DINO_PCIWOR 0x828
61 #define DINO_TLTIM 0x830
62
63 #define DINO_IRQS 11 /* bits 0-10 are architected */
64 #define DINO_IRR_MASK 0x5ff /* only 10 bits are implemented */
65 #define DINO_LOCAL_IRQS (DINO_IRQS + 1)
66 #define DINO_MASK_IRQ(x) (1 << (x))
67
68 #define PCIINTA 0x001
69 #define PCIINTB 0x002
70 #define PCIINTC 0x004
71 #define PCIINTD 0x008
72 #define PCIINTE 0x010
73 #define PCIINTF 0x020
74 #define GSCEXTINT 0x040
75 /* #define xxx 0x080 - bit 7 is "default" */
76 /* #define xxx 0x100 - bit 8 not used */
77 /* #define xxx 0x200 - bit 9 not used */
78 #define RS232INT 0x400
79
80 #define DINO_MEM_CHUNK_SIZE (8 * MiB)
81
82 #define DINO_PCI_HOST_BRIDGE(obj) \
83 OBJECT_CHECK(DinoState, (obj), TYPE_DINO_PCI_HOST_BRIDGE)
84
85 typedef struct DinoState {
86 PCIHostState parent_obj;
87
88 /* PCI_CONFIG_ADDR is parent_obj.config_reg, via pci_host_conf_be_ops,
89 so that we can map PCI_CONFIG_DATA to pci_host_data_be_ops. */
90
91 uint32_t iar0;
92 uint32_t iar1;
93 uint32_t imr;
94 uint32_t ipr;
95 uint32_t icr;
96 uint32_t ilr;
97 uint32_t io_addr_en;
98 uint32_t io_control;
99
100 MemoryRegion this_mem;
101 MemoryRegion pci_mem;
102 MemoryRegion pci_mem_alias[32];
103
104 AddressSpace bm_as;
105 MemoryRegion bm;
106 MemoryRegion bm_ram_alias;
107 MemoryRegion bm_pci_alias;
108
109 MemoryRegion cpu0_eir_mem;
110 } DinoState;
111
112 /*
113 * Dino can forward memory accesses from the CPU in the range between
114 * 0xf0800000 and 0xff000000 to the PCI bus.
115 */
116 static void gsc_to_pci_forwarding(DinoState *s)
117 {
118 uint32_t io_addr_en, tmp;
119 int enabled, i;
120
121 tmp = extract32(s->io_control, 7, 2);
122 enabled = (tmp == 0x01);
123 io_addr_en = s->io_addr_en;
124
125 memory_region_transaction_begin();
126 for (i = 1; i < 31; i++) {
127 MemoryRegion *mem = &s->pci_mem_alias[i];
128 if (enabled && (io_addr_en & (1U << i))) {
129 if (!memory_region_is_mapped(mem)) {
130 uint32_t addr = 0xf0000000 + i * DINO_MEM_CHUNK_SIZE;
131 memory_region_add_subregion(get_system_memory(), addr, mem);
132 }
133 } else if (memory_region_is_mapped(mem)) {
134 memory_region_del_subregion(get_system_memory(), mem);
135 }
136 }
137 memory_region_transaction_commit();
138 }
139
140 static bool dino_chip_mem_valid(void *opaque, hwaddr addr,
141 unsigned size, bool is_write,
142 MemTxAttrs attrs)
143 {
144 switch (addr) {
145 case DINO_IAR0:
146 case DINO_IAR1:
147 case DINO_IRR0:
148 case DINO_IRR1:
149 case DINO_IMR:
150 case DINO_IPR:
151 case DINO_ICR:
152 case DINO_ILR:
153 case DINO_IO_CONTROL:
154 case DINO_IO_ADDR_EN:
155 case DINO_PCI_IO_DATA:
156 return true;
157 case DINO_PCI_IO_DATA + 2:
158 return size <= 2;
159 case DINO_PCI_IO_DATA + 1:
160 case DINO_PCI_IO_DATA + 3:
161 return size == 1;
162 }
163 return false;
164 }
165
166 static MemTxResult dino_chip_read_with_attrs(void *opaque, hwaddr addr,
167 uint64_t *data, unsigned size,
168 MemTxAttrs attrs)
169 {
170 DinoState *s = opaque;
171 MemTxResult ret = MEMTX_OK;
172 AddressSpace *io;
173 uint16_t ioaddr;
174 uint32_t val;
175
176 switch (addr) {
177 case DINO_PCI_IO_DATA ... DINO_PCI_IO_DATA + 3:
178 /* Read from PCI IO space. */
179 io = &address_space_io;
180 ioaddr = s->parent_obj.config_reg;
181 switch (size) {
182 case 1:
183 val = address_space_ldub(io, ioaddr, attrs, &ret);
184 break;
185 case 2:
186 val = address_space_lduw_be(io, ioaddr, attrs, &ret);
187 break;
188 case 4:
189 val = address_space_ldl_be(io, ioaddr, attrs, &ret);
190 break;
191 default:
192 g_assert_not_reached();
193 }
194 break;
195
196 case DINO_IO_ADDR_EN:
197 val = s->io_addr_en;
198 break;
199 case DINO_IO_CONTROL:
200 val = s->io_control;
201 break;
202
203 case DINO_IAR0:
204 val = s->iar0;
205 break;
206 case DINO_IAR1:
207 val = s->iar1;
208 break;
209 case DINO_IMR:
210 val = s->imr;
211 break;
212 case DINO_ICR:
213 val = s->icr;
214 break;
215 case DINO_IPR:
216 val = s->ipr;
217 /* Any read to IPR clears the register. */
218 s->ipr = 0;
219 break;
220 case DINO_ILR:
221 val = s->ilr;
222 break;
223 case DINO_IRR0:
224 val = s->ilr & s->imr & ~s->icr;
225 break;
226 case DINO_IRR1:
227 val = s->ilr & s->imr & s->icr;
228 break;
229
230 default:
231 /* Controlled by dino_chip_mem_valid above. */
232 g_assert_not_reached();
233 }
234
235 *data = val;
236 return ret;
237 }
238
239 static MemTxResult dino_chip_write_with_attrs(void *opaque, hwaddr addr,
240 uint64_t val, unsigned size,
241 MemTxAttrs attrs)
242 {
243 DinoState *s = opaque;
244 AddressSpace *io;
245 MemTxResult ret;
246 uint16_t ioaddr;
247
248 switch (addr) {
249 case DINO_IO_DATA ... DINO_PCI_IO_DATA + 3:
250 /* Write into PCI IO space. */
251 io = &address_space_io;
252 ioaddr = s->parent_obj.config_reg;
253 switch (size) {
254 case 1:
255 address_space_stb(io, ioaddr, val, attrs, &ret);
256 break;
257 case 2:
258 address_space_stw_be(io, ioaddr, val, attrs, &ret);
259 break;
260 case 4:
261 address_space_stl_be(io, ioaddr, val, attrs, &ret);
262 break;
263 default:
264 g_assert_not_reached();
265 }
266 return ret;
267
268 case DINO_IO_ADDR_EN:
269 /* Never allow first (=firmware) and last (=Dino) areas. */
270 s->io_addr_en = val & 0x7ffffffe;
271 gsc_to_pci_forwarding(s);
272 break;
273 case DINO_IO_CONTROL:
274 s->io_control = val;
275 gsc_to_pci_forwarding(s);
276 break;
277
278 case DINO_IAR0:
279 s->iar0 = val;
280 break;
281 case DINO_IAR1:
282 s->iar1 = val;
283 break;
284 case DINO_IMR:
285 s->imr = val;
286 break;
287 case DINO_ICR:
288 s->icr = val;
289 break;
290 case DINO_IPR:
291 /* Any write to IPR clears the register. */
292 s->ipr = 0;
293 break;
294
295 case DINO_ILR:
296 case DINO_IRR0:
297 case DINO_IRR1:
298 /* These registers are read-only. */
299 break;
300
301 default:
302 /* Controlled by dino_chip_mem_valid above. */
303 g_assert_not_reached();
304 }
305 return MEMTX_OK;
306 }
307
308 static const MemoryRegionOps dino_chip_ops = {
309 .read_with_attrs = dino_chip_read_with_attrs,
310 .write_with_attrs = dino_chip_write_with_attrs,
311 .endianness = DEVICE_BIG_ENDIAN,
312 .valid = {
313 .min_access_size = 1,
314 .max_access_size = 4,
315 .accepts = dino_chip_mem_valid,
316 },
317 .impl = {
318 .min_access_size = 1,
319 .max_access_size = 4,
320 },
321 };
322
323 static const VMStateDescription vmstate_dino = {
324 .name = "Dino",
325 .version_id = 1,
326 .minimum_version_id = 1,
327 .fields = (VMStateField[]) {
328 VMSTATE_UINT32(iar0, DinoState),
329 VMSTATE_UINT32(iar1, DinoState),
330 VMSTATE_UINT32(imr, DinoState),
331 VMSTATE_UINT32(ipr, DinoState),
332 VMSTATE_UINT32(icr, DinoState),
333 VMSTATE_UINT32(ilr, DinoState),
334 VMSTATE_UINT32(io_addr_en, DinoState),
335 VMSTATE_UINT32(io_control, DinoState),
336 VMSTATE_END_OF_LIST()
337 }
338 };
339
340
341 /* Unlike pci_config_data_le_ops, no check of high bit set in config_reg. */
342
343 static uint64_t dino_config_data_read(void *opaque, hwaddr addr, unsigned len)
344 {
345 PCIHostState *s = opaque;
346 return pci_data_read(s->bus, s->config_reg | (addr & 3), len);
347 }
348
349 static void dino_config_data_write(void *opaque, hwaddr addr,
350 uint64_t val, unsigned len)
351 {
352 PCIHostState *s = opaque;
353 pci_data_write(s->bus, s->config_reg | (addr & 3), val, len);
354 }
355
356 static const MemoryRegionOps dino_config_data_ops = {
357 .read = dino_config_data_read,
358 .write = dino_config_data_write,
359 .endianness = DEVICE_LITTLE_ENDIAN,
360 };
361
362 static AddressSpace *dino_pcihost_set_iommu(PCIBus *bus, void *opaque,
363 int devfn)
364 {
365 DinoState *s = opaque;
366
367 return &s->bm_as;
368 }
369
370 /*
371 * Dino interrupts are connected as shown on Page 78, Table 23
372 * (Little-endian bit numbers)
373 * 0 PCI INTA
374 * 1 PCI INTB
375 * 2 PCI INTC
376 * 3 PCI INTD
377 * 4 PCI INTE
378 * 5 PCI INTF
379 * 6 GSC External Interrupt
380 * 7 Bus Error for "less than fatal" mode
381 * 8 PS2
382 * 9 Unused
383 * 10 RS232
384 */
385
386 static void dino_set_irq(void *opaque, int irq, int level)
387 {
388 DinoState *s = opaque;
389 uint32_t bit = 1u << irq;
390 uint32_t old_ilr = s->ilr;
391
392 if (level) {
393 uint32_t ena = bit & ~old_ilr;
394 s->ipr |= ena;
395 s->ilr = old_ilr | bit;
396 if (ena & s->imr) {
397 uint32_t iar = (ena & s->icr ? s->iar1 : s->iar0);
398 stl_be_phys(&address_space_memory, iar & -32, iar & 31);
399 }
400 } else {
401 s->ilr = old_ilr & ~bit;
402 }
403 }
404
405 static int dino_pci_map_irq(PCIDevice *d, int irq_num)
406 {
407 int slot = d->devfn >> 3;
408
409 assert(irq_num >= 0 && irq_num <= 3);
410
411 return slot & 0x03;
412 }
413
414 static void dino_set_timer_irq(void *opaque, int irq, int level)
415 {
416 /* ??? Not connected. */
417 }
418
419 static void dino_set_serial_irq(void *opaque, int irq, int level)
420 {
421 dino_set_irq(opaque, 10, level);
422 }
423
424 PCIBus *dino_init(MemoryRegion *addr_space,
425 qemu_irq *p_rtc_irq, qemu_irq *p_ser_irq)
426 {
427 DeviceState *dev;
428 DinoState *s;
429 PCIBus *b;
430 int i;
431
432 dev = qdev_create(NULL, TYPE_DINO_PCI_HOST_BRIDGE);
433 s = DINO_PCI_HOST_BRIDGE(dev);
434
435 /* Dino PCI access from main memory. */
436 memory_region_init_io(&s->this_mem, OBJECT(s), &dino_chip_ops,
437 s, "dino", 4096);
438 memory_region_add_subregion(addr_space, DINO_HPA, &s->this_mem);
439
440 /* Dino PCI config. */
441 memory_region_init_io(&s->parent_obj.conf_mem, OBJECT(&s->parent_obj),
442 &pci_host_conf_be_ops, dev, "pci-conf-idx", 4);
443 memory_region_init_io(&s->parent_obj.data_mem, OBJECT(&s->parent_obj),
444 &dino_config_data_ops, dev, "pci-conf-data", 4);
445 memory_region_add_subregion(&s->this_mem, DINO_PCI_CONFIG_ADDR,
446 &s->parent_obj.conf_mem);
447 memory_region_add_subregion(&s->this_mem, DINO_CONFIG_DATA,
448 &s->parent_obj.data_mem);
449
450 /* Dino PCI bus memory. */
451 memory_region_init(&s->pci_mem, OBJECT(s), "pci-memory", 1ull << 32);
452
453 b = pci_register_root_bus(dev, "pci", dino_set_irq, dino_pci_map_irq, s,
454 &s->pci_mem, get_system_io(),
455 PCI_DEVFN(0, 0), 32, TYPE_PCI_BUS);
456 s->parent_obj.bus = b;
457 qdev_init_nofail(dev);
458
459 /* Set up windows into PCI bus memory. */
460 for (i = 1; i < 31; i++) {
461 uint32_t addr = 0xf0000000 + i * DINO_MEM_CHUNK_SIZE;
462 char *name = g_strdup_printf("PCI Outbound Window %d", i);
463 memory_region_init_alias(&s->pci_mem_alias[i], OBJECT(s),
464 name, &s->pci_mem, addr,
465 DINO_MEM_CHUNK_SIZE);
466 }
467
468 /* Set up PCI view of memory: Bus master address space. */
469 memory_region_init(&s->bm, OBJECT(s), "bm-dino", 1ull << 32);
470 memory_region_init_alias(&s->bm_ram_alias, OBJECT(s),
471 "bm-system", addr_space, 0,
472 0xf0000000 + DINO_MEM_CHUNK_SIZE);
473 memory_region_init_alias(&s->bm_pci_alias, OBJECT(s),
474 "bm-pci", &s->pci_mem,
475 0xf0000000 + DINO_MEM_CHUNK_SIZE,
476 31 * DINO_MEM_CHUNK_SIZE);
477 memory_region_add_subregion(&s->bm, 0,
478 &s->bm_ram_alias);
479 memory_region_add_subregion(&s->bm,
480 0xf0000000 + DINO_MEM_CHUNK_SIZE,
481 &s->bm_pci_alias);
482 address_space_init(&s->bm_as, &s->bm, "pci-bm");
483 pci_setup_iommu(b, dino_pcihost_set_iommu, s);
484
485 *p_rtc_irq = qemu_allocate_irq(dino_set_timer_irq, s, 0);
486 *p_ser_irq = qemu_allocate_irq(dino_set_serial_irq, s, 0);
487
488 return b;
489 }
490
491 static void dino_pcihost_class_init(ObjectClass *klass, void *data)
492 {
493 DeviceClass *dc = DEVICE_CLASS(klass);
494
495 dc->vmsd = &vmstate_dino;
496 }
497
498 static const TypeInfo dino_pcihost_info = {
499 .name = TYPE_DINO_PCI_HOST_BRIDGE,
500 .parent = TYPE_PCI_HOST_BRIDGE,
501 .instance_size = sizeof(DinoState),
502 .class_init = dino_pcihost_class_init,
503 };
504
505 static void dino_register_types(void)
506 {
507 type_register_static(&dino_pcihost_info);
508 }
509
510 type_init(dino_register_types)
AR7 emulation for QEMU