search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sd: limit 'req.cmd' while using as an array index
[qemu/kevin.git] / hw / misc / bcm2835_mbox.c
blobdf1d6e6ad6a7c218d1b67ca3db7460fe0c4243d6
1 /*
2 * Raspberry Pi emulation (c) 2012 Gregory Estrade
3 * This code is licensed under the GNU GPLv2 and later.
4 *
5 * This file models the system mailboxes, which are used for
6 * communication with low-bandwidth GPU peripherals. Refs:
7 * https://github.com/raspberrypi/firmware/wiki/Mailboxes
8 * https://github.com/raspberrypi/firmware/wiki/Accessing-mailboxes
9 */
10
11 #include "hw/misc/bcm2835_mbox.h"
12
13 #define MAIL0_PEEK 0x90
14 #define MAIL0_SENDER 0x94
15 #define MAIL1_STATUS 0xb8
16
17 /* Mailbox status register */
18 #define MAIL0_STATUS 0x98
19 #define ARM_MS_FULL 0x80000000
20 #define ARM_MS_EMPTY 0x40000000
21 #define ARM_MS_LEVEL 0x400000FF /* Max. value depends on mailbox depth */
22
23 /* MAILBOX config/status register */
24 #define MAIL0_CONFIG 0x9c
25 /* ANY write to this register clears the error bits! */
26 #define ARM_MC_IHAVEDATAIRQEN 0x00000001 /* mbox irq enable: has data */
27 #define ARM_MC_IHAVESPACEIRQEN 0x00000002 /* mbox irq enable: has space */
28 #define ARM_MC_OPPISEMPTYIRQEN 0x00000004 /* mbox irq enable: Opp is empty */
29 #define ARM_MC_MAIL_CLEAR 0x00000008 /* mbox clear write 1, then 0 */
30 #define ARM_MC_IHAVEDATAIRQPEND 0x00000010 /* mbox irq pending: has space */
31 #define ARM_MC_IHAVESPACEIRQPEND 0x00000020 /* mbox irq pending: Opp is empty */
32 #define ARM_MC_OPPISEMPTYIRQPEND 0x00000040 /* mbox irq pending */
33 /* Bit 7 is unused */
34 #define ARM_MC_ERRNOOWN 0x00000100 /* error : none owner read from mailbox */
35 #define ARM_MC_ERROVERFLW 0x00000200 /* error : write to fill mailbox */
36 #define ARM_MC_ERRUNDRFLW 0x00000400 /* error : read from empty mailbox */
37
38 static void mbox_update_status(BCM2835Mbox *mb)
39 {
40 mb->status &= ~(ARM_MS_EMPTY | ARM_MS_FULL);
41 if (mb->count == 0) {
42 mb->status |= ARM_MS_EMPTY;
43 } else if (mb->count == MBOX_SIZE) {
44 mb->status |= ARM_MS_FULL;
45 }
46 }
47
48 static void mbox_reset(BCM2835Mbox *mb)
49 {
50 int n;
51
52 mb->count = 0;
53 mb->config = 0;
54 for (n = 0; n < MBOX_SIZE; n++) {
55 mb->reg[n] = MBOX_INVALID_DATA;
56 }
57 mbox_update_status(mb);
58 }
59
60 static uint32_t mbox_pull(BCM2835Mbox *mb, int index)
61 {
62 int n;
63 uint32_t val;
64
65 assert(mb->count > 0);
66 assert(index < mb->count);
67
68 val = mb->reg[index];
69 for (n = index + 1; n < mb->count; n++) {
70 mb->reg[n - 1] = mb->reg[n];
71 }
72 mb->count--;
73 mb->reg[mb->count] = MBOX_INVALID_DATA;
74
75 mbox_update_status(mb);
76
77 return val;
78 }
79
80 static void mbox_push(BCM2835Mbox *mb, uint32_t val)
81 {
82 assert(mb->count < MBOX_SIZE);
83 mb->reg[mb->count++] = val;
84 mbox_update_status(mb);
85 }
86
87 static void bcm2835_mbox_update(BCM2835MboxState *s)
88 {
89 uint32_t value;
90 bool set;
91 int n;
92
93 s->mbox_irq_disabled = true;
94
95 /* Get pending responses and put them in the vc->arm mbox,
96 * as long as it's not full
97 */
98 for (n = 0; n < MBOX_CHAN_COUNT; n++) {
99 while (s->available[n] && !(s->mbox[0].status & ARM_MS_FULL)) {
100 value = ldl_phys(&s->mbox_as, n << MBOX_AS_CHAN_SHIFT);
101 assert(value != MBOX_INVALID_DATA); /* Pending interrupt but no data */
102 mbox_push(&s->mbox[0], value);
103 }
104 }
105
106 /* TODO (?): Try to push pending requests from the arm->vc mbox */
107
108 /* Re-enable calls from the IRQ routine */
109 s->mbox_irq_disabled = false;
110
111 /* Update ARM IRQ status */
112 set = false;
113 s->mbox[0].config &= ~ARM_MC_IHAVEDATAIRQPEND;
114 if (!(s->mbox[0].status & ARM_MS_EMPTY)) {
115 s->mbox[0].config |= ARM_MC_IHAVEDATAIRQPEND;
116 if (s->mbox[0].config & ARM_MC_IHAVEDATAIRQEN) {
117 set = true;
118 }
119 }
120 qemu_set_irq(s->arm_irq, set);
121 }
122
123 static void bcm2835_mbox_set_irq(void *opaque, int irq, int level)
124 {
125 BCM2835MboxState *s = opaque;
126
127 s->available[irq] = level;
128
129 /* avoid recursively calling bcm2835_mbox_update when the interrupt
130 * status changes due to the ldl_phys call within that function
131 */
132 if (!s->mbox_irq_disabled) {
133 bcm2835_mbox_update(s);
134 }
135 }
136
137 static uint64_t bcm2835_mbox_read(void *opaque, hwaddr offset, unsigned size)
138 {
139 BCM2835MboxState *s = opaque;
140 uint32_t res = 0;
141
142 offset &= 0xff;
143
144 switch (offset) {
145 case 0x80 ... 0x8c: /* MAIL0_READ */
146 if (s->mbox[0].status & ARM_MS_EMPTY) {
147 res = MBOX_INVALID_DATA;
148 } else {
149 res = mbox_pull(&s->mbox[0], 0);
150 }
151 break;
152
153 case MAIL0_PEEK:
154 res = s->mbox[0].reg[0];
155 break;
156
157 case MAIL0_SENDER:
158 break;
159
160 case MAIL0_STATUS:
161 res = s->mbox[0].status;
162 break;
163
164 case MAIL0_CONFIG:
165 res = s->mbox[0].config;
166 break;
167
168 case MAIL1_STATUS:
169 res = s->mbox[1].status;
170 break;
171
172 default:
173 qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset %"HWADDR_PRIx"\n",
174 __func__, offset);
175 return 0;
176 }
177
178 bcm2835_mbox_update(s);
179
180 return res;
181 }
182
183 static void bcm2835_mbox_write(void *opaque, hwaddr offset,
184 uint64_t value, unsigned size)
185 {
186 BCM2835MboxState *s = opaque;
187 hwaddr childaddr;
188 uint8_t ch;
189
190 offset &= 0xff;
191
192 switch (offset) {
193 case MAIL0_SENDER:
194 break;
195
196 case MAIL0_CONFIG:
197 s->mbox[0].config &= ~ARM_MC_IHAVEDATAIRQEN;
198 s->mbox[0].config |= value & ARM_MC_IHAVEDATAIRQEN;
199 break;
200
201 case 0xa0 ... 0xac: /* MAIL1_WRITE */
202 if (s->mbox[1].status & ARM_MS_FULL) {
203 /* Mailbox full */
204 qemu_log_mask(LOG_GUEST_ERROR, "%s: mailbox full\n", __func__);
205 } else {
206 ch = value & 0xf;
207 if (ch < MBOX_CHAN_COUNT) {
208 childaddr = ch << MBOX_AS_CHAN_SHIFT;
209 if (ldl_phys(&s->mbox_as, childaddr + MBOX_AS_PENDING)) {
210 /* Child busy, push delayed. Push it in the arm->vc mbox */
211 mbox_push(&s->mbox[1], value);
212 } else {
213 /* Push it directly to the child device */
214 stl_phys(&s->mbox_as, childaddr, value);
215 }
216 } else {
217 /* Invalid channel number */
218 qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid channel %u\n",
219 __func__, ch);
220 }
221 }
222 break;
223
224 default:
225 qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset %"HWADDR_PRIx"\n",
226 __func__, offset);
227 return;
228 }
229
230 bcm2835_mbox_update(s);
231 }
232
233 static const MemoryRegionOps bcm2835_mbox_ops = {
234 .read = bcm2835_mbox_read,
235 .write = bcm2835_mbox_write,
236 .endianness = DEVICE_NATIVE_ENDIAN,
237 .valid.min_access_size = 4,
238 .valid.max_access_size = 4,
239 };
240
241 /* vmstate of a single mailbox */
242 static const VMStateDescription vmstate_bcm2835_mbox_box = {
243 .name = TYPE_BCM2835_MBOX "_box",
244 .version_id = 1,
245 .minimum_version_id = 1,
246 .fields = (VMStateField[]) {
247 VMSTATE_UINT32_ARRAY(reg, BCM2835Mbox, MBOX_SIZE),
248 VMSTATE_UINT32(count, BCM2835Mbox),
249 VMSTATE_UINT32(status, BCM2835Mbox),
250 VMSTATE_UINT32(config, BCM2835Mbox),
251 VMSTATE_END_OF_LIST()
252 }
253 };
254
255 /* vmstate of the entire device */
256 static const VMStateDescription vmstate_bcm2835_mbox = {
257 .name = TYPE_BCM2835_MBOX,
258 .version_id = 1,
259 .minimum_version_id = 1,
260 .minimum_version_id_old = 1,
261 .fields = (VMStateField[]) {
262 VMSTATE_BOOL_ARRAY(available, BCM2835MboxState, MBOX_CHAN_COUNT),
263 VMSTATE_STRUCT_ARRAY(mbox, BCM2835MboxState, 2, 1,
264 vmstate_bcm2835_mbox_box, BCM2835Mbox),
265 VMSTATE_END_OF_LIST()
266 }
267 };
268
269 static void bcm2835_mbox_init(Object *obj)
270 {
271 BCM2835MboxState *s = BCM2835_MBOX(obj);
272
273 memory_region_init_io(&s->iomem, obj, &bcm2835_mbox_ops, s,
274 TYPE_BCM2835_MBOX, 0x400);
275 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem);
276 sysbus_init_irq(SYS_BUS_DEVICE(s), &s->arm_irq);
277 qdev_init_gpio_in(DEVICE(s), bcm2835_mbox_set_irq, MBOX_CHAN_COUNT);
278 }
279
280 static void bcm2835_mbox_reset(DeviceState *dev)
281 {
282 BCM2835MboxState *s = BCM2835_MBOX(dev);
283 int n;
284
285 mbox_reset(&s->mbox[0]);
286 mbox_reset(&s->mbox[1]);
287 s->mbox_irq_disabled = false;
288 for (n = 0; n < MBOX_CHAN_COUNT; n++) {
289 s->available[n] = false;
290 }
291 }
292
293 static void bcm2835_mbox_realize(DeviceState *dev, Error **errp)
294 {
295 BCM2835MboxState *s = BCM2835_MBOX(dev);
296 Object *obj;
297 Error *err = NULL;
298
299 obj = object_property_get_link(OBJECT(dev), "mbox-mr", &err);
300 if (obj == NULL) {
301 error_setg(errp, "%s: required mbox-mr link not found: %s",
302 __func__, error_get_pretty(err));
303 return;
304 }
305
306 s->mbox_mr = MEMORY_REGION(obj);
307 address_space_init(&s->mbox_as, s->mbox_mr, NULL);
308 bcm2835_mbox_reset(dev);
309 }
310
311 static void bcm2835_mbox_class_init(ObjectClass *klass, void *data)
312 {
313 DeviceClass *dc = DEVICE_CLASS(klass);
314
315 dc->realize = bcm2835_mbox_realize;
316 dc->reset = bcm2835_mbox_reset;
317 dc->vmsd = &vmstate_bcm2835_mbox;
318 }
319
320 static TypeInfo bcm2835_mbox_info = {
321 .name = TYPE_BCM2835_MBOX,
322 .parent = TYPE_SYS_BUS_DEVICE,
323 .instance_size = sizeof(BCM2835MboxState),
324 .class_init = bcm2835_mbox_class_init,
325 .instance_init = bcm2835_mbox_init,
326 };
327
328 static void bcm2835_mbox_register_types(void)
329 {
330 type_register_static(&bcm2835_mbox_info);
331 }
332
333 type_init(bcm2835_mbox_register_types)
Random patches