1 /*
2 * QEMU ESP/NCR53C9x emulation
4 * Copyright (c) 2005-2006 Fabrice Bellard
5 * Copyright (c) 2012 Herve Poussineau
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23 * THE SOFTWARE.
26 #include "qemu/osdep.h"
27 #include "hw/pci/pci.h"
28 #include "hw/irq.h"
29 #include "hw/nvram/eeprom93xx.h"
30 #include "hw/scsi/esp.h"
31 #include "migration/vmstate.h"
32 #include "trace.h"
33 #include "qapi/error.h"
34 #include "qemu/log.h"
35 #include "qemu/module.h"
36 #include "qom/object.h"
/* QOM type name of the plain Am53c974 adapter modelled by this file. */
#define TYPE_AM53C974_DEVICE "am53c974"

typedef struct PCIESPState PCIESPState;
/* Supplies the PCI_ESP() cast used by the device callbacks below. */
DECLARE_INSTANCE_CHECKER(PCIESPState, PCI_ESP,
                         TYPE_AM53C974_DEVICE)

/*
 * Indices into PCIESPState.dma_regs[]; the I/O handlers map the 32-bit slots
 * at offsets 0x40..0x5f of the I/O region onto them.  The write handler lets
 * the guest store to CMD, STC, SPA, SMDLA and (conditionally) STAT only.
 * START copies STC/SPA/SMDLA into WBC/WAC/WMAC.
 */
#define DMA_CMD   0x0
#define DMA_STC   0x1
#define DMA_SPA   0x2
#define DMA_WBC   0x3
#define DMA_WAC   0x4
#define DMA_STAT  0x5
#define DMA_SMDLA 0x6
#define DMA_WMAC  0x7

/*
 * DMA_CMD register bits.  The low two bits select the command
 * (0 IDLE, 1 BLAST, 2 ABORT, 3 START); DMA_CMD_DIR set means the transfer
 * runs from the device towards guest memory.
 */
#define DMA_CMD_MASK   0x03
#define DMA_CMD_DIAG   0x04
#define DMA_CMD_MDL    0x10
#define DMA_CMD_INTE_P 0x20
#define DMA_CMD_INTE_D 0x40
#define DMA_CMD_DIR    0x80

/* DMA_STAT register bits. */
#define DMA_STAT_PWDN    0x01
#define DMA_STAT_ERROR   0x02
#define DMA_STAT_ABORT   0x04
#define DMA_STAT_DONE    0x08
#define DMA_STAT_SCSIINT 0x10
#define DMA_STAT_BCMBLT  0x20

/*
 * SBAC bit choosing how ERROR/ABORT/DONE in DMA_STAT are acknowledged:
 * set -> cleared by writing 1 to them, clear -> cleared by reading DMA_STAT.
 */
#define SBAC_STATUS (1 << 24)
/* Per-instance state of the PCI front end wrapped around the ESP core. */
struct PCIESPState {
    /*< private >*/
    PCIDevice parent_obj;
    /*< public >*/

    /* I/O region registered as BAR 0 at realize time */
    MemoryRegion io;
    /* PCI DMA engine registers, indexed by the DMA_* constants */
    uint32_t dma_regs[8];
    /* register reached at I/O offset 0x70; carries SBAC_STATUS */
    uint32_t sbac;
    /* embedded ESP core; container_of() recovers this struct from it */
    ESPState esp;
};
/*
 * DMA command IDLE: trace the command word and call esp_dma_enable() with
 * level 0 (presumably switching the core's DMA off - confirm in esp.c).
 */
static void esp_pci_handle_idle(PCIESPState *pci, uint32_t val)
{
    ESPState *esp = ESP(&pci->esp);

    trace_esp_pci_dma_idle(val);
    esp_dma_enable(esp, 0, 0);
}
/*
 * DMA command BLAST: not emulated.  The request is traced and reported
 * through the LOG_UNIMP log mask; no device state changes.
 */
static void esp_pci_handle_blast(PCIESPState *pci, uint32_t val)
{
    trace_esp_pci_dma_blast(val);
    qemu_log_mask(LOG_UNIMP, "am53c974: cmd BLAST not implemented\n");
}
/*
 * DMA command ABORT: cancel the SCSI request currently owned by the ESP
 * core, if there is one.  No DMA_STAT bit is updated here.
 */
static void esp_pci_handle_abort(PCIESPState *pci, uint32_t val)
{
    ESPState *esp = ESP(&pci->esp);

    trace_esp_pci_dma_abort(val);
    if (!esp->current_req) {
        /* nothing in flight */
        return;
    }
    scsi_req_cancel(esp->current_req);
}
/*
 * DMA command START: latch the guest-programmed start registers into the
 * working registers, clear every DMA_STAT flag and enable DMA on the core.
 */
static void esp_pci_handle_start(PCIESPState *pci, uint32_t val)
{
    const uint32_t stat_clear = DMA_STAT_PWDN | DMA_STAT_ERROR
                              | DMA_STAT_ABORT | DMA_STAT_DONE
                              | DMA_STAT_SCSIINT | DMA_STAT_BCMBLT;
    uint32_t *regs = pci->dma_regs;
    ESPState *esp = ESP(&pci->esp);

    trace_esp_pci_dma_start(val);

    /* count, address and MDL address: start value -> working value */
    regs[DMA_WBC] = regs[DMA_STC];
    regs[DMA_WAC] = regs[DMA_SPA];
    regs[DMA_WMAC] = regs[DMA_SMDLA];

    regs[DMA_STAT] &= ~stat_clear;

    esp_dma_enable(esp, 0, 1);
}
/*
 * Guest write of @val to DMA register index @saddr.
 *
 * @saddr indexes dma_regs[8] before any dispatch (in the trace call), and
 * this function does not range-check it: callers must pass a value below 8.
 * The caller in this file derives it from an I/O offset in 0x40..0x5f.
 *
 * Only CMD, STC, SPA, SMDLA and STAT accept writes; every other index is
 * traced as an invalid write and left unchanged.
 */
static void esp_pci_dma_write(PCIESPState *pci, uint32_t saddr, uint32_t val)
{
    uint32_t *regs = pci->dma_regs;

    trace_esp_pci_dma_write(saddr, regs[saddr], val);

    if (saddr == DMA_CMD) {
        uint32_t cmd = val & DMA_CMD_MASK;

        /* the whole command word is stored before the command runs */
        regs[DMA_CMD] = val;
        if (cmd == 0x0) {           /* IDLE */
            esp_pci_handle_idle(pci, val);
        } else if (cmd == 0x1) {    /* BLAST */
            esp_pci_handle_blast(pci, val);
        } else if (cmd == 0x2) {    /* ABORT */
            esp_pci_handle_abort(pci, val);
        } else if (cmd == 0x3) {    /* START */
            esp_pci_handle_start(pci, val);
        } else {                    /* can't happen: the mask is two bits */
            abort();
        }
    } else if (saddr == DMA_STC || saddr == DMA_SPA || saddr == DMA_SMDLA) {
        /* plain storage; the value takes effect on the next START */
        regs[saddr] = val;
    } else if (saddr == DMA_STAT) {
        if (pci->sbac & SBAC_STATUS) {
            /* write-1-to-clear, limited to ERROR, ABORT and DONE */
            uint32_t w1c = DMA_STAT_ERROR | DMA_STAT_ABORT | DMA_STAT_DONE;

            regs[DMA_STAT] &= ~(val & w1c);
        }
    } else {
        trace_esp_pci_error_invalid_write_dma(val, saddr);
    }
}
/*
 * Guest read of DMA register index @saddr.
 *
 * @saddr indexes dma_regs[8] without a range check; callers must pass a
 * value below 8.
 *
 * Reading DMA_STAT has two extra effects: DMA_STAT_SCSIINT is reported in
 * the returned value while the ESP core's STAT_INT is set, and, when
 * SBAC_STATUS is clear, the stored ERROR/ABORT/DONE bits are cleared after
 * the value has been sampled.
 */
static uint32_t esp_pci_dma_read(PCIESPState *pci, uint32_t saddr)
{
    ESPState *esp = ESP(&pci->esp);
    uint32_t result = pci->dma_regs[saddr];

    if (saddr == DMA_STAT) {
        const uint32_t read_clear = DMA_STAT_ERROR | DMA_STAT_ABORT
                                  | DMA_STAT_DONE;

        if (esp->rregs[ESP_RSTAT] & STAT_INT) {
            /* only the returned copy is changed, not the register */
            result |= DMA_STAT_SCSIINT;
        }
        if ((pci->sbac & SBAC_STATUS) == 0) {
            pci->dma_regs[DMA_STAT] &= ~read_clear;
        }
    }

    trace_esp_pci_dma_read(saddr, result);
    return result;
}
/*
 * Write handler for the adapter's I/O region.
 *
 * Offsets 0x00..0x3f reach the ESP core registers, 0x40..0x5f the PCI DMA
 * registers and 0x70 the SBAC register; anything else is traced as an
 * invalid write.  The register index is always derived from an offset that
 * was range-checked first, which is what keeps the array accesses in the
 * callees inside their arrays.
 *
 * Accesses narrower than 4 bytes or not 4-byte aligned are widened to a
 * full 32-bit write by merging @val with the current register content.
 *
 * NOTE(review): the merge shifts @val by ((4 - (addr & 3)) & 3) * 8, i.e.
 * 24 bits for byte offset 1 and 8 bits for byte offset 3, whereas the read
 * handler extracts with (addr & 3) * 8.  Confirm which byte lane is
 * intended for offsets 1 and 3.
 *
 * NOTE(review): for the merge, offsets 0x60..0x73 all take pci->sbac as the
 * current value, but only offset 0x70 is accepted by the dispatch below.
 */
static void esp_pci_io_write(void *opaque, hwaddr addr,
                             uint64_t val, unsigned int size)
{
    PCIESPState *pci = opaque;
    ESPState *esp = ESP(&pci->esp);

    if (size < 4 || addr & 3) {
        /* need to upgrade request: we only support 4-bytes accesses */
        uint32_t old = 0;
        uint32_t mask;
        int shift;

        if (addr < 0x40) {
            old = esp->wregs[addr >> 2];
        } else if (addr < 0x60) {
            old = pci->dma_regs[(addr - 0x40) >> 2];
        } else if (addr < 0x74) {
            old = pci->sbac;
        }

        /* mask with the low (size * 8) bits set */
        shift = (4 - size) * 8;
        mask = (~(uint32_t)0 << shift) >> shift;

        /* place the new bytes, keep the remaining bits of the old value */
        shift = ((4 - (addr & 3)) & 3) * 8;
        val <<= shift;
        val |= old & ~(mask << shift);
        addr &= ~3;
        size = 4;
    }
    g_assert(size >= 4);

    if (addr < 0x40) {
        /* SCSI core reg */
        esp_reg_write(esp, addr >> 2, val);
    } else if (addr < 0x60) {
        /* PCI DMA CCB */
        esp_pci_dma_write(pci, (addr - 0x40) >> 2, val);
    } else if (addr == 0x70) {
        /* DMA SCSI Bus and control */
        trace_esp_pci_sbac_write(pci->sbac, val);
        pci->sbac = val;
    } else {
        trace_esp_pci_error_invalid_write((int)addr);
    }
}
/*
 * Read handler for the adapter's I/O region.
 *
 * The 32-bit register containing @addr is read in full (with any read side
 * effect, e.g. the DMA_STAT clear-on-read, even for a byte access), then
 * shifted and masked down to the @size bytes starting at @addr.  Offsets
 * outside the three decoded ranges are traced and read as 0.
 */
static uint64_t esp_pci_io_read(void *opaque, hwaddr addr,
                                unsigned int size)
{
    PCIESPState *pci = opaque;
    ESPState *esp = ESP(&pci->esp);
    uint32_t word;

    if (addr < 0x40) {
        /* SCSI core reg */
        word = esp_reg_read(esp, addr >> 2);
    } else if (addr < 0x60) {
        /* PCI DMA CCB */
        word = esp_pci_dma_read(pci, (addr - 0x40) >> 2);
    } else if (addr == 0x70) {
        /* DMA SCSI Bus and control */
        trace_esp_pci_sbac_read(pci->sbac);
        word = pci->sbac;
    } else {
        /* Invalid region */
        trace_esp_pci_error_invalid_read((int)addr);
        word = 0;
    }

    /* give only requested data */
    word >>= (addr & 3) * 8;
    word &= ~(~(uint64_t)0 << (8 * size));

    return word;
}
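/*
 * Move up to @len bytes between @buf and guest memory for the ESP core,
 * driven by the PCI DMA engine state in pci->dma_regs[].
 *
 * @pci: adapter whose DMA registers describe the transfer
 * @buf: host buffer supplied by the ESP core (assumed to hold at least
 *       @len bytes - its size is not visible here)
 * @len: number of bytes the caller wants moved
 * @dir: direction the caller wants
 *
 * The request is dropped with a trace event when @dir disagrees with the
 * DMA_CMD_DIR bit programmed by the guest.  The length is clamped to the
 * working byte counter, so a guest-programmed count can shorten the
 * transfer but never extend it beyond @len.
 *
 * Both the target address and the byte count originate from guest-written
 * registers; the access to guest memory goes through pci_dma_rw().
 */
static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len,
                                  DMADirection dir)
{
    dma_addr_t addr;
    DMADirection expected_dir;

    /*
     * A negative length would become a huge value in the unsigned clamp
     * below and then be replaced by the guest-chosen DMA_WBC, which has no
     * relation to the size of @buf.
     */
    if (len < 0) {
        return;
    }

    if (pci->dma_regs[DMA_CMD] & DMA_CMD_DIR) {
        expected_dir = DMA_DIRECTION_FROM_DEVICE;
    } else {
        expected_dir = DMA_DIRECTION_TO_DEVICE;
    }

    if (dir != expected_dir) {
        trace_esp_pci_error_invalid_dma_direction();
        return;
    }

    /*
     * DMA_CMD_MDL is a DMA_CMD bit.  Testing it against DMA_STAT matched
     * DMA_STAT_SCSIINT, which has the same value (0x10).
     */
    if (pci->dma_regs[DMA_CMD] & DMA_CMD_MDL) {
        qemu_log_mask(LOG_UNIMP, "am53c974: MDL transfer not implemented\n");
    }

    /*
     * Use the working address, which START loads from DMA_SPA and which is
     * advanced below.  Reading DMA_SPA here would send every chunk of a
     * transfer split over several calls to the same start address.
     */
    addr = pci->dma_regs[DMA_WAC];
    if (pci->dma_regs[DMA_WBC] < (uint32_t)len) {
        len = pci->dma_regs[DMA_WBC];
    }

    pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir);

    /* update status registers */
    pci->dma_regs[DMA_WBC] -= len;
    pci->dma_regs[DMA_WAC] += len;
    if (pci->dma_regs[DMA_WBC] == 0) {
        pci->dma_regs[DMA_STAT] |= DMA_STAT_DONE;
    }
}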
/*
 * ESP core callback installed as dma_memory_read: @opaque is the
 * PCIESPState, and the request is forwarded as a TO_DEVICE transfer.
 */
static void esp_pci_dma_memory_read(void *opaque, uint8_t *buf, int len)
{
    esp_pci_dma_memory_rw(opaque, buf, len, DMA_DIRECTION_TO_DEVICE);
}
/*
 * ESP core callback installed as dma_memory_write: @opaque is the
 * PCIESPState, and the request is forwarded as a FROM_DEVICE transfer.
 */
static void esp_pci_dma_memory_write(void *opaque, uint8_t *buf, int len)
{
    esp_pci_dma_memory_rw(opaque, buf, len, DMA_DIRECTION_FROM_DEVICE);
}
/*
 * Access callbacks of the adapter's I/O region.  The implementation sizes
 * of 1..4 bytes mean the handlers see sub-word accesses themselves, which
 * is why esp_pci_io_write() widens them and esp_pci_io_read() narrows them.
 */
static const MemoryRegionOps esp_pci_io_ops = {
    .read = esp_pci_io_read,
    .write = esp_pci_io_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
    .impl = {
        .min_access_size = 1,
        .max_access_size = 4,
    },
};
/*
 * Device reset: reset the ESP core, then put the PCI DMA registers into
 * their reset pattern.  DMA_STAT_PWDN is the one status flag left untouched.
 */
static void esp_pci_hard_reset(DeviceState *dev)
{
    const uint32_t cmd_clear = DMA_CMD_MASK | DMA_CMD_DIAG | DMA_CMD_MDL
                             | DMA_CMD_INTE_P | DMA_CMD_INTE_D | DMA_CMD_DIR;
    const uint32_t stat_clear = DMA_STAT_ERROR | DMA_STAT_ABORT
                              | DMA_STAT_DONE | DMA_STAT_SCSIINT
                              | DMA_STAT_BCMBLT;
    PCIESPState *pci = PCI_ESP(dev);
    uint32_t *regs = pci->dma_regs;

    esp_hard_reset(ESP(&pci->esp));

    regs[DMA_CMD] &= ~cmd_clear;
    /* only the low 16 bits of the working byte counter are cleared */
    regs[DMA_WBC] &= ~0xffff;
    regs[DMA_WAC] = 0xffffffff;
    regs[DMA_STAT] &= ~stat_clear;
    regs[DMA_WMAC] = 0xfffffffd;
}
/*
 * Migration description of the adapter.
 *
 * dma_regs is transferred as one raw 32-byte buffer.
 * NOTE(review): a raw buffer suggests the words travel in host byte order -
 * confirm whether cross-endian migration matters for this device.
 * NOTE(review): pci->sbac is not in the field list, so it is not migrated.
 *
 * The incoming stream is external input: DMA_WBC and DMA_WAC loaded from it
 * are later used as the length limit and bookkeeping of DMA transfers.
 */
static const VMStateDescription vmstate_esp_pci_scsi = {
    .name = "pciespscsi",
    .version_id = 2,
    .minimum_version_id = 1,
    .pre_save = esp_pre_save,
    .fields = (VMStateField[]) {
        VMSTATE_PCI_DEVICE(parent_obj, PCIESPState),
        VMSTATE_BUFFER_UNSAFE(dma_regs, PCIESPState, 0, 8 * sizeof(uint32_t)),
        /* present from stream version 2 onwards */
        VMSTATE_UINT8_V(esp.mig_version_id, PCIESPState, 2),
        VMSTATE_STRUCT(esp, PCIESPState, 0, vmstate_esp, ESPState),
        VMSTATE_END_OF_LIST()
    }
};
/*
 * SCSI bus completion callback: let the ESP core finish the request, then
 * mark the PCI DMA transfer as finished (byte counter 0, DONE set).
 */
static void esp_pci_command_complete(SCSIRequest *req, size_t resid)
{
    ESPState *esp = req->hba_private;
    /* the ESP core is embedded in PCIESPState, so step back to the owner */
    PCIESPState *owner = container_of(esp, PCIESPState, esp);

    esp_command_complete(req, resid);

    owner->dma_regs[DMA_STAT] |= DMA_STAT_DONE;
    owner->dma_regs[DMA_WBC] = 0;
}
/*
 * SCSI bus description for the adapter: no tagged queuing, targets up to
 * ESP_MAX_DEVS, LUNs up to 7.  Transfer and cancel are handled by the ESP
 * core directly; completion goes through the PCI wrapper first.
 */
static const struct SCSIBusInfo esp_pci_scsi_info = {
    .tcq = false,
    .max_target = ESP_MAX_DEVS,
    .max_lun = 7,

    .transfer_data = esp_transfer_data,
    .complete = esp_pci_command_complete,
    .cancel = esp_request_cancelled,
};
/*
 * Realize the adapter: realize the embedded ESP core, hook the PCI DMA
 * callbacks into it, expose the 0x80-byte register window as I/O BAR 0,
 * allocate the interrupt and create the SCSI bus.
 *
 * On failure of the core's realize, @errp is set by qdev_realize() and
 * nothing else is initialised.
 */
static void esp_pci_scsi_realize(PCIDevice *dev, Error **errp)
{
    PCIESPState *pci = PCI_ESP(dev);
    DeviceState *qdev = DEVICE(dev);
    ESPState *esp = ESP(&pci->esp);

    if (!qdev_realize(DEVICE(esp), NULL, errp)) {
        return;
    }

    /* Interrupt pin A */
    dev->config[PCI_INTERRUPT_PIN] = 0x01;

    /* the core calls back into this file for every DMA chunk */
    esp->dma_memory_read = esp_pci_dma_memory_read;
    esp->dma_memory_write = esp_pci_dma_memory_write;
    esp->dma_opaque = pci;
    esp->chip_id = TCHI_AM53C974;

    memory_region_init_io(&pci->io, OBJECT(pci), &esp_pci_io_ops, pci,
                          "esp-io", 0x80);
    pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &pci->io);

    esp->irq = pci_allocate_irq(dev);

    scsi_bus_new(&esp->bus, sizeof(esp->bus), qdev, &esp_pci_scsi_info, NULL);
}
/* PCI exit hook: release the interrupt allocated at realize time. */
static void esp_pci_scsi_exit(PCIDevice *d)
{
    PCIESPState *pci = PCI_ESP(d);

    qemu_free_irq(ESP(&pci->esp)->irq);
}
/* Instance init: create the embedded ESP core as the QOM child "esp". */
static void esp_pci_init(Object *obj)
{
    PCIESPState *self = PCI_ESP(obj);

    object_initialize_child(obj, "esp", &self->esp, TYPE_ESP);
}
/*
 * Class init for the Am53c974: install the PCI callbacks and identity
 * (AMD vendor/device id, revision 0x10, SCSI storage class) and the
 * device-level description, reset handler and migration state.
 */
static void esp_pci_class_init(ObjectClass *klass, void *data)
{
    PCIDeviceClass *pci_class = PCI_DEVICE_CLASS(klass);
    DeviceClass *dev_class = DEVICE_CLASS(klass);

    /* PCI side */
    pci_class->realize = esp_pci_scsi_realize;
    pci_class->exit = esp_pci_scsi_exit;
    pci_class->vendor_id = PCI_VENDOR_ID_AMD;
    pci_class->device_id = PCI_DEVICE_ID_AMD_SCSI;
    pci_class->revision = 0x10;
    pci_class->class_id = PCI_CLASS_STORAGE_SCSI;

    /* generic device side */
    set_bit(DEVICE_CATEGORY_STORAGE, dev_class->categories);
    dev_class->desc = "AMD Am53c974 PCscsi-PCI SCSI adapter";
    dev_class->reset = esp_pci_hard_reset;
    dev_class->vmsd = &vmstate_esp_pci_scsi;
}
/* QOM type record of the Am53c974, a conventional PCI device. */
static const TypeInfo esp_pci_info = {
    .name = TYPE_AM53C974_DEVICE,
    .parent = TYPE_PCI_DEVICE,
    .instance_init = esp_pci_init,
    .instance_size = sizeof(PCIESPState),
    .class_init = esp_pci_class_init,
    .interfaces = (InterfaceInfo[]) {
        { INTERFACE_CONVENTIONAL_PCI_DEVICE },
        { },
    },
};
/* DC-390 variant: the Am53c974 state plus a configuration EEPROM. */
struct DC390State {
    /* base device; kept first because the type derives from it */
    PCIESPState pci;
    /* created in dc390_scsi_realize() */
    eeprom_t *eeprom;
};
typedef struct DC390State DC390State;

/* QOM type name of the DC-390 variant. */
#define TYPE_DC390_DEVICE "dc390"
/* Supplies the DC390() cast used by the callbacks below. */
DECLARE_INSTANCE_CHECKER(DC390State, DC390,
                         TYPE_DC390_DEVICE)

/* Byte offsets into the EEPROM contents filled in at realize time. */
#define EE_ADAPT_SCSI_ID 64
#define EE_MODE2         65
#define EE_DELAY         66
#define EE_TAG_CMD_NUM   67
#define EE_ADAPT_OPTIONS 68
#define EE_BOOT_SCSI_ID  69
#define EE_BOOT_SCSI_LUN 70
#define EE_CHKSUM1       126
#define EE_CHKSUM2       127

/* Bits of the EE_ADAPT_OPTIONS byte. */
#define EE_ADAPT_OPTION_F6_F8_AT_BOOT   0x01
#define EE_ADAPT_OPTION_BOOT_FROM_CDROM 0x02
#define EE_ADAPT_OPTION_INT13           0x04
#define EE_ADAPT_OPTION_SCAM_SUPPORT    0x08
/*
 * PCI config-space read for the DC-390.  Reads are served by the default
 * handler, except that a 1-byte read of offset 0 has its low byte forced to
 * zero while the EEPROM data-out line reads as 0.
 */
static uint32_t dc390_read_config(PCIDevice *dev, uint32_t addr, int l)
{
    DC390State *dc390 = DC390(dev);
    uint32_t result = pci_default_read_config(dev, addr, l);

    /* First byte of address space is AND-ed with EEPROM DO line */
    if (addr == 0x00 && l == 1 && !eeprom93xx_read(dc390->eeprom)) {
        result &= ~0xff;
    }

    return result;
}
/*
 * PCI config-space write for the DC-390.  Offsets 0x80 and 0xc0 drive the
 * EEPROM lines and never reach the generic config space; every other
 * offset takes the default write path.
 */
static void dc390_write_config(PCIDevice *dev,
                               uint32_t addr, uint32_t val, int l)
{
    DC390State *dc390 = DC390(dev);

    switch (addr) {
    case 0x80: {
        /* EEPROM write: chip select high, clock from bit 7, data from bit 6 */
        int eesk = (val & 0x80) != 0;
        int eedi = (val & 0x40) != 0;

        eeprom93xx_write(dc390->eeprom, 1, eesk, eedi);
        break;
    }
    case 0xc0:
        /* EEPROM CS low */
        eeprom93xx_write(dc390->eeprom, 0, 0, 0);
        break;
    default:
        pci_default_write_config(dev, addr, val, l);
        break;
    }
}
/*
 * Realize the DC-390: realize the Am53c974 base device, then create the
 * EEPROM and fill it with default settings and a checksum.
 *
 * An error from the base realize is propagated to @errp and no EEPROM is
 * created.
 *
 * NOTE(review): the EEPROM data is accessed bytewise through a cast, with
 * byte indices up to 127 for an EEPROM created with size argument 64.  That
 * presumes 16-bit words and a little-endian host layout - confirm.
 */
static void dc390_scsi_realize(PCIDevice *dev, Error **errp)
{
    DC390State *dc390 = DC390(dev);
    Error *local_err = NULL;
    uint8_t *ee;
    uint16_t sum = 0;
    int idx;

    /* init base class */
    esp_pci_scsi_realize(dev, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
        return;
    }

    /* EEPROM */
    dc390->eeprom = eeprom93xx_new(DEVICE(dev), 64);

    /* set default eeprom values */
    ee = (uint8_t *)eeprom93xx_data(dc390->eeprom);

    /* first 32 bytes: sixteen 0x57, 0x00 pairs */
    for (idx = 0; idx < 32; idx += 2) {
        ee[idx] = 0x57;
        ee[idx + 1] = 0x00;
    }
    ee[EE_ADAPT_SCSI_ID] = 7;
    ee[EE_MODE2] = 0x0f;
    ee[EE_TAG_CMD_NUM] = 0x04;
    ee[EE_ADAPT_OPTIONS] = EE_ADAPT_OPTION_F6_F8_AT_BOOT
                         | EE_ADAPT_OPTION_BOOT_FROM_CDROM
                         | EE_ADAPT_OPTION_INT13;

    /*
     * update eeprom checksum: the 16-bit little-endian words below
     * EE_CHKSUM1 plus the stored checksum add up to 0x1234 (mod 2^16)
     */
    for (idx = 0; idx < EE_CHKSUM1; idx += 2) {
        sum += ee[idx] + (((uint16_t)ee[idx + 1]) << 8);
    }
    sum = 0x1234 - sum;
    ee[EE_CHKSUM1] = sum & 0xff;
    ee[EE_CHKSUM2] = sum >> 8;
}
/*
 * Class init for the DC-390: override realize and the config-space
 * accessors of the Am53c974 parent, and set the description.
 */
static void dc390_class_init(ObjectClass *klass, void *data)
{
    PCIDeviceClass *pci_class = PCI_DEVICE_CLASS(klass);
    DeviceClass *dev_class = DEVICE_CLASS(klass);

    pci_class->realize = dc390_scsi_realize;
    pci_class->config_read = dc390_read_config;
    pci_class->config_write = dc390_write_config;

    set_bit(DEVICE_CATEGORY_STORAGE, dev_class->categories);
    dev_class->desc = "Tekram DC-390 SCSI adapter";
}
/* QOM type record of the DC-390, derived from the Am53c974 type. */
static const TypeInfo dc390_info = {
    .name = TYPE_DC390_DEVICE,
    .parent = TYPE_AM53C974_DEVICE,
    .instance_size = sizeof(DC390State),
    .class_init = dc390_class_init,
};
/* Register both device types; the parent type is registered first. */
static void esp_pci_register_types(void)
{
    type_register_static(&esp_pci_info);
    type_register_static(&dc390_info);
}

/* Hook the registration function into QEMU's type initialisation. */
type_init(esp_pci_register_types)