1 /*
2 * QEMU PC keyboard emulation
4 * Copyright (c) 2003 Fabrice Bellard
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
24 #include "hw/hw.h"
25 #include "hw/isa/isa.h"
26 #include "hw/i386/pc.h"
27 #include "hw/input/ps2.h"
28 #include "sysemu/sysemu.h"
30 /* debug PC keyboard */
31 //#define DEBUG_KBD
32 #ifdef DEBUG_KBD
33 #define DPRINTF(fmt, ...) \
34 do { printf("KBD: " fmt , ## __VA_ARGS__); } while (0)
35 #else
36 #define DPRINTF(fmt, ...)
37 #endif
39 /* Keyboard Controller Commands */
40 #define KBD_CCMD_READ_MODE 0x20 /* Read mode bits */
41 #define KBD_CCMD_WRITE_MODE 0x60 /* Write mode bits */
42 #define KBD_CCMD_GET_VERSION 0xA1 /* Get controller version */
43 #define KBD_CCMD_MOUSE_DISABLE 0xA7 /* Disable mouse interface */
44 #define KBD_CCMD_MOUSE_ENABLE 0xA8 /* Enable mouse interface */
45 #define KBD_CCMD_TEST_MOUSE 0xA9 /* Mouse interface test */
46 #define KBD_CCMD_SELF_TEST 0xAA /* Controller self test */
47 #define KBD_CCMD_KBD_TEST 0xAB /* Keyboard interface test */
48 #define KBD_CCMD_KBD_DISABLE 0xAD /* Keyboard interface disable */
49 #define KBD_CCMD_KBD_ENABLE 0xAE /* Keyboard interface enable */
50 #define KBD_CCMD_READ_INPORT 0xC0 /* read input port */
51 #define KBD_CCMD_READ_OUTPORT 0xD0 /* read output port */
52 #define KBD_CCMD_WRITE_OUTPORT 0xD1 /* write output port */
53 #define KBD_CCMD_WRITE_OBUF 0xD2
54 #define KBD_CCMD_WRITE_AUX_OBUF 0xD3 /* Write to output buffer as if
55 initiated by the auxiliary device */
56 #define KBD_CCMD_WRITE_MOUSE 0xD4 /* Write the following byte to the mouse */
57 #define KBD_CCMD_DISABLE_A20 0xDD /* HP vectra only ? */
58 #define KBD_CCMD_ENABLE_A20 0xDF /* HP vectra only ? */
59 #define KBD_CCMD_PULSE_BITS_3_0 0xF0 /* Pulse bits 3-0 of the output port P2. */
60 #define KBD_CCMD_RESET 0xFE /* Pulse bit 0 of the output port P2 = CPU reset. */
61 #define KBD_CCMD_NO_OP 0xFF /* Pulse no bits of the output port P2. */
63 /* Keyboard Commands */
64 #define KBD_CMD_SET_LEDS 0xED /* Set keyboard leds */
65 #define KBD_CMD_ECHO 0xEE
66 #define KBD_CMD_GET_ID 0xF2 /* get keyboard ID */
67 #define KBD_CMD_SET_RATE 0xF3 /* Set typematic rate */
68 #define KBD_CMD_ENABLE 0xF4 /* Enable scanning */
69 #define KBD_CMD_RESET_DISABLE 0xF5 /* reset and disable scanning */
70 #define KBD_CMD_RESET_ENABLE 0xF6 /* reset and enable scanning */
71 #define KBD_CMD_RESET 0xFF /* Reset */
73 /* Keyboard Replies */
74 #define KBD_REPLY_POR 0xAA /* Power on reset */
75 #define KBD_REPLY_ACK 0xFA /* Command ACK */
76 #define KBD_REPLY_RESEND 0xFE /* Command NACK, send the cmd again */
78 /* Status Register Bits */
79 #define KBD_STAT_OBF 0x01 /* Keyboard output buffer full */
80 #define KBD_STAT_IBF 0x02 /* Keyboard input buffer full */
81 #define KBD_STAT_SELFTEST 0x04 /* Self test successful */
82 #define KBD_STAT_CMD 0x08 /* Last write was a command write (0=data) */
83 #define KBD_STAT_UNLOCKED 0x10 /* Zero if keyboard locked */
84 #define KBD_STAT_MOUSE_OBF 0x20 /* Mouse output buffer full */
85 #define KBD_STAT_GTO 0x40 /* General receive/xmit timeout */
86 #define KBD_STAT_PERR 0x80 /* Parity error */
88 /* Controller Mode Register Bits */
89 #define KBD_MODE_KBD_INT 0x01 /* Keyboard data generate IRQ1 */
90 #define KBD_MODE_MOUSE_INT 0x02 /* Mouse data generate IRQ12 */
91 #define KBD_MODE_SYS 0x04 /* The system flag (?) */
92 #define KBD_MODE_NO_KEYLOCK 0x08 /* The keylock doesn't affect the keyboard if set */
93 #define KBD_MODE_DISABLE_KBD 0x10 /* Disable keyboard interface */
94 #define KBD_MODE_DISABLE_MOUSE 0x20 /* Disable mouse interface */
95 #define KBD_MODE_KCC 0x40 /* Scan code conversion to PC format */
96 #define KBD_MODE_RFU 0x80
98 /* Output Port Bits */
99 #define KBD_OUT_RESET 0x01 /* 1=normal mode, 0=reset */
100 #define KBD_OUT_A20 0x02 /* x86 only */
101 #define KBD_OUT_OBF 0x10 /* Keyboard output buffer full */
102 #define KBD_OUT_MOUSE_OBF 0x20 /* Mouse output buffer full */
/* OSes typically write 0xdd/0xdf to turn the A20 line off and on.
 * We make the default value of the outport include these four bits,
 * so that the subsection is rarely necessary.
 */
108 #define KBD_OUT_ONES 0xcc
110 /* Mouse Commands */
111 #define AUX_SET_SCALE11 0xE6 /* Set 1:1 scaling */
112 #define AUX_SET_SCALE21 0xE7 /* Set 2:1 scaling */
113 #define AUX_SET_RES 0xE8 /* Set resolution */
114 #define AUX_GET_SCALE 0xE9 /* Get scaling factor */
115 #define AUX_SET_STREAM 0xEA /* Set stream mode */
116 #define AUX_POLL 0xEB /* Poll */
117 #define AUX_RESET_WRAP 0xEC /* Reset wrap mode */
118 #define AUX_SET_WRAP 0xEE /* Set wrap mode */
119 #define AUX_SET_REMOTE 0xF0 /* Set remote mode */
120 #define AUX_GET_TYPE 0xF2 /* Get type */
121 #define AUX_SET_SAMPLE 0xF3 /* Set sample rate */
122 #define AUX_ENABLE_DEV 0xF4 /* Enable aux device */
123 #define AUX_DISABLE_DEV 0xF5 /* Disable aux device */
124 #define AUX_SET_DEFAULT 0xF6
125 #define AUX_RESET 0xFF /* Reset aux device */
126 #define AUX_ACK 0xFA /* Command byte ACK. */
128 #define MOUSE_STATUS_REMOTE 0x40
129 #define MOUSE_STATUS_ENABLED 0x20
130 #define MOUSE_STATUS_SCALE21 0x10
132 #define KBD_PENDING_KBD 1
133 #define KBD_PENDING_AUX 2
typedef struct KBDState {
    uint8_t write_cmd; /* if non zero, write data to port 60 is expected */
    uint8_t status;    /* KBD_STAT_* bits; returned verbatim by kbd_read_status() */
    uint8_t mode;      /* KBD_MODE_* controller mode byte (guest-writable via 0x60) */
    uint8_t outport;   /* KBD_OUT_* output port P2 (guest-writable via 0xD1) */
    bool outport_present; /* migration only: true once the outport subsection was loaded */
    /* Bitmask of devices with data available. */
    uint8_t pending;   /* KBD_PENDING_KBD | KBD_PENDING_AUX, driven by the ps2 callbacks */
    void *kbd;         /* opaque handle returned by ps2_kbd_init() */
    void *mouse;       /* opaque handle returned by ps2_mouse_init() */

    qemu_irq irq_kbd;
    qemu_irq irq_mouse;
    qemu_irq *a20_out; /* NULL unless i8042_setup_a20_line() was called */
    hwaddr mask;       /* MMIO variant only: address bit that selects the command/status register */
} KBDState;
/*
 * Re-derive the output-buffer-full flags and both IRQ lines from s->pending.
 *
 * KBD_STAT_OBF / KBD_OUT_OBF are set whenever any device has data.  The
 * mouse-specific flags are set only when the mouse is the *sole* source,
 * because keyboard data wins when both are pending.  The keyboard IRQ is
 * additionally gated on KBD_MODE_DISABLE_KBD being clear.
 *
 * XXX: not generating the keyboard IRQ while KBD_MODE_DISABLE_KBD is set may
 * be incorrect, but it avoids having to simulate exact delays.
 */
static void kbd_update_irq(KBDState *s)
{
    bool raise_kbd = false;
    bool raise_mouse = false;

    s->status &= ~(KBD_STAT_OBF | KBD_STAT_MOUSE_OBF);
    s->outport &= ~(KBD_OUT_OBF | KBD_OUT_MOUSE_OBF);

    if (s->pending == KBD_PENDING_AUX) {
        /* Only the mouse has data. */
        s->status |= KBD_STAT_OBF | KBD_STAT_MOUSE_OBF;
        s->outport |= KBD_OUT_OBF | KBD_OUT_MOUSE_OBF;
        raise_mouse = (s->mode & KBD_MODE_MOUSE_INT) != 0;
    } else if (s->pending) {
        /* Keyboard data, possibly alongside mouse data, takes priority. */
        s->status |= KBD_STAT_OBF;
        s->outport |= KBD_OUT_OBF;
        raise_kbd = (s->mode & KBD_MODE_KBD_INT) &&
                    !(s->mode & KBD_MODE_DISABLE_KBD);
    }

    qemu_set_irq(s->irq_kbd, raise_kbd);
    qemu_set_irq(s->irq_mouse, raise_mouse);
}
/*
 * PS/2 keyboard callback: @level != 0 means the keyboard has data queued.
 * Updates the KBD_PENDING_KBD bit and recomputes the IRQ lines.
 */
static void kbd_update_kbd_irq(void *opaque, int level)
{
    KBDState *s = opaque;

    s->pending = level ? (s->pending | KBD_PENDING_KBD)
                       : (s->pending & ~KBD_PENDING_KBD);
    kbd_update_irq(s);
}
/*
 * PS/2 mouse callback: @level != 0 means the mouse has data queued.
 * Updates the KBD_PENDING_AUX bit and recomputes the IRQ lines.
 */
static void kbd_update_aux_irq(void *opaque, int level)
{
    KBDState *s = opaque;

    s->pending = level ? (s->pending | KBD_PENDING_AUX)
                       : (s->pending & ~KBD_PENDING_AUX);
    kbd_update_irq(s);
}
/*
 * Read of the status register (ISA port 0x64 / MMIO with the mask bit set).
 *
 * @addr and @size are unused: the region is a single byte.  Returns the
 * KBD_STAT_* byte as maintained by kbd_update_irq() and the command handler.
 */
static uint64_t kbd_read_status(void *opaque, hwaddr addr,
                                unsigned size)
{
    const KBDState *s = opaque;
    uint8_t status = s->status;

    DPRINTF("kbd: read status=0x%02x\n", status);
    return status;
}
/*
 * Push reply byte @b into the output path of one PS/2 device: the mouse
 * when @aux is non-zero, otherwise the keyboard.  The device's own callback
 * (kbd_update_*_irq) then marks it pending.
 */
static void kbd_queue(KBDState *s, int b, int aux)
{
    void *dev = aux ? s->mouse : s->kbd;

    ps2_queue(dev, b);
}
/*
 * Write the output port P2 (controller command 0xD1 followed by a data byte).
 *
 * Only the low 8 bits of @val are stored.  Bit 1 (KBD_OUT_A20) is forwarded
 * to the A20 gate when one is wired up; a clear bit 0 (KBD_OUT_RESET) asks
 * for a system reset, which is the documented function of that pin and is
 * therefore guest-triggerable by design.
 */
static void outport_write(KBDState *s, uint32_t val)
{
    DPRINTF("kbd: write outport=0x%02x\n", val);

    s->outport = val;

    if (s->a20_out) {
        qemu_set_irq(*s->a20_out, (val & KBD_OUT_A20) ? 1 : 0);
    }
    if ((val & KBD_OUT_RESET) == 0) {
        qemu_system_reset_request();
    }
}
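/*
 * Print an "unsupported command" diagnostic for @val on stderr, at most once
 * per distinct command byte for the lifetime of the process.
 *
 * The command byte comes straight from the guest (port 0x64 or the MMIO
 * command register), so an unconditional fprintf() here lets a guest write
 * to the host's stderr as fast as it can issue I/O.  The 256-bit bitmap caps
 * the total output at 256 lines.  The project-wide alternative is
 * qemu_log_mask(LOG_GUEST_ERROR, ...), which is silent unless enabled; this
 * helper keeps the file's existing include set.
 */
static void kbd_report_unsupported_cmd(uint64_t val)
{
    static uint8_t reported[256 / 8];
    /* Callers clamp the value to one byte (max_access_size 1, or & 0xff). */
    unsigned cmd = val & 0xff;
    uint8_t bit = 1u << (cmd & 7);

    if (reported[cmd >> 3] & bit) {
        return;
    }
    reported[cmd >> 3] |= bit;
    fprintf(stderr, "qemu: unsupported keyboard cmd=0x%02x\n", (int)val);
}

/*
 * Write to the controller command register (ISA port 0x64 / MMIO with the
 * mask bit set).
 *
 * @opaque: the KBDState
 * @addr:   unused; the region is a single byte
 * @val:    the command byte
 * @size:   unused
 *
 * Commands that take a parameter byte only record themselves in
 * s->write_cmd; kbd_write_data() consumes the parameter on the next data
 * write.  Query-type commands queue their reply through the keyboard path
 * (kbd_queue(..., 0)).  Note that a pending parameter-taking command is not
 * cancelled by a subsequent non-parameter command.
 */
static void kbd_write_command(void *opaque, hwaddr addr,
                              uint64_t val, unsigned size)
{
    KBDState *s = opaque;

    DPRINTF("kbd: write cmd=0x%02" PRIx64 "\n", val);

    /* Bits 3-0 of the output port P2 of the keyboard controller may be pulsed
     * low for approximately 6 micro seconds. Bits 3-0 of the KBD_CCMD_PULSE
     * command specify the output port bits to be pulsed.
     * 0: Bit should be pulsed. 1: Bit should not be modified.
     * The only useful version of this command is pulsing bit 0,
     * which does a CPU reset, so every 0xFx command folds into RESET or NO_OP.
     */
    if ((val & KBD_CCMD_PULSE_BITS_3_0) == KBD_CCMD_PULSE_BITS_3_0) {
        val = (val & 1) ? KBD_CCMD_NO_OP : KBD_CCMD_RESET;
    }

    switch (val) {
    case KBD_CCMD_READ_MODE:
        kbd_queue(s, s->mode, 0);
        break;
    case KBD_CCMD_WRITE_MODE:
    case KBD_CCMD_WRITE_OBUF:
    case KBD_CCMD_WRITE_AUX_OBUF:
    case KBD_CCMD_WRITE_MOUSE:
    case KBD_CCMD_WRITE_OUTPORT:
        /* Parameter follows on the data port. */
        s->write_cmd = val;
        break;
    case KBD_CCMD_MOUSE_DISABLE:
        s->mode |= KBD_MODE_DISABLE_MOUSE;
        break;
    case KBD_CCMD_MOUSE_ENABLE:
        s->mode &= ~KBD_MODE_DISABLE_MOUSE;
        break;
    case KBD_CCMD_TEST_MOUSE:
        kbd_queue(s, 0x00, 0);
        break;
    case KBD_CCMD_SELF_TEST:
        s->status |= KBD_STAT_SELFTEST;
        kbd_queue(s, 0x55, 0);
        break;
    case KBD_CCMD_KBD_TEST:
        kbd_queue(s, 0x00, 0);
        break;
    case KBD_CCMD_KBD_DISABLE:
        s->mode |= KBD_MODE_DISABLE_KBD;
        /* The keyboard IRQ is gated on this bit, so re-derive the lines. */
        kbd_update_irq(s);
        break;
    case KBD_CCMD_KBD_ENABLE:
        s->mode &= ~KBD_MODE_DISABLE_KBD;
        kbd_update_irq(s);
        break;
    case KBD_CCMD_READ_INPORT:
        kbd_queue(s, 0x80, 0);
        break;
    case KBD_CCMD_READ_OUTPORT:
        kbd_queue(s, s->outport, 0);
        break;
    case KBD_CCMD_ENABLE_A20:
        if (s->a20_out) {
            qemu_irq_raise(*s->a20_out);
        }
        s->outport |= KBD_OUT_A20;
        break;
    case KBD_CCMD_DISABLE_A20:
        if (s->a20_out) {
            qemu_irq_lower(*s->a20_out);
        }
        s->outport &= ~KBD_OUT_A20;
        break;
    case KBD_CCMD_RESET:
        /* Guest-requested system reset: the 8042's documented reset pin. */
        qemu_system_reset_request();
        break;
    case KBD_CCMD_NO_OP:
        /* ignore that */
        break;
    default:
        kbd_report_unsupported_cmd(val);
        break;
    }
}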
/*
 * Read of the data register (ISA port 0x60 / MMIO with the mask bit clear).
 *
 * The byte is pulled from the mouse only when the mouse is the sole pending
 * source; in every other case (keyboard pending, both pending, or nothing
 * pending) it comes from the keyboard, mirroring kbd_update_irq()'s
 * priority rule.  @addr and @size are unused.
 */
static uint64_t kbd_read_data(void *opaque, hwaddr addr,
                              unsigned size)
{
    KBDState *s = opaque;
    void *src = (s->pending == KBD_PENDING_AUX) ? s->mouse : s->kbd;
    uint32_t val = ps2_read_data(src);

    DPRINTF("kbd: read data=0x%02x\n", val);
    return val;
}
/*
 * Write to the data register (ISA port 0x60 / MMIO with the mask bit clear).
 *
 * With no controller command pending the byte is a keyboard command and goes
 * to the PS/2 keyboard.  Otherwise it is the parameter of the command
 * recorded in s->write_cmd by kbd_write_command(); the pending command is
 * cleared afterwards in every case.  Note that the WRITE_OUTPORT path can
 * request a system reset (see outport_write()).
 */
static void kbd_write_data(void *opaque, hwaddr addr,
                           uint64_t val, unsigned size)
{
    KBDState *s = opaque;
    uint8_t cmd = s->write_cmd;

    DPRINTF("kbd: write data=0x%02" PRIx64 "\n", val);

    if (cmd == 0) {
        ps2_write_keyboard(s->kbd, val);
    } else if (cmd == KBD_CCMD_WRITE_MODE) {
        s->mode = val;
        ps2_keyboard_set_translation(s->kbd, (s->mode & KBD_MODE_KCC) != 0);
        /* The IRQ-enable / keyboard-disable bits may have changed. */
        kbd_update_irq(s);
    } else if (cmd == KBD_CCMD_WRITE_OBUF) {
        kbd_queue(s, val, 0);
    } else if (cmd == KBD_CCMD_WRITE_AUX_OBUF) {
        kbd_queue(s, val, 1);
    } else if (cmd == KBD_CCMD_WRITE_OUTPORT) {
        outport_write(s, val);
    } else if (cmd == KBD_CCMD_WRITE_MOUSE) {
        ps2_write_mouse(s->mouse, val);
    }
    /* Any other pending value is simply dropped. */

    s->write_cmd = 0;
}
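/*
 * System-reset handler: restore the controller's power-on register state.
 *
 * s->pending is deliberately left alone here: it is owned by the PS/2
 * devices' callbacks, and their reset handlers are registered before this
 * one (ps2_*_init() precede qemu_register_reset(kbd_reset)).
 * NOTE(review): confirm that the ps2 reset drives those callbacks low.
 */
static void kbd_reset(void *opaque)
{
    KBDState *s = opaque;

    s->mode = KBD_MODE_KBD_INT | KBD_MODE_MOUSE_INT;
    s->status = KBD_STAT_CMD | KBD_STAT_UNLOCKED;
    s->outport = KBD_OUT_RESET | KBD_OUT_A20 | KBD_OUT_ONES;
    s->outport_present = false;
    /* Forget any parameter-taking command left half-finished before the
     * reset; otherwise the first data-port write of the new boot would be
     * consumed as that command's parameter (for 0xD1, as an outport write
     * that can itself request another reset). */
    s->write_cmd = 0;
}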
/*
 * The outport value implied by the rest of the state: the power-on bits plus
 * whichever OBF flags the status register currently carries.  Used to decide
 * whether the outport subsection must be migrated and to rebuild the port
 * when it was not.
 */
static uint8_t kbd_outport_default(KBDState *s)
{
    uint8_t v = KBD_OUT_RESET | KBD_OUT_A20 | KBD_OUT_ONES;

    if (s->status & KBD_STAT_OBF) {
        v |= KBD_OUT_OBF;
    }
    if (s->status & KBD_STAT_MOUSE_OBF) {
        v |= KBD_OUT_MOUSE_OBF;
    }
    return v;
}
/*
 * Subsection post_load: record that s->outport arrived in the stream so
 * kbd_post_load() does not overwrite it with the computed default.
 * Always succeeds.
 */
static int kbd_outport_post_load(void *opaque, int version_id)
{
    ((KBDState *)opaque)->outport_present = true;
    return 0;
}
/*
 * Subsection predicate: the outport only needs to travel when it cannot be
 * reconstructed from the status register on the destination.
 */
static bool kbd_outport_needed(void *opaque)
{
    KBDState *s = opaque;
    uint8_t implied = kbd_outport_default(s);

    return implied != s->outport;
}
/*
 * Migration subsection carrying s->outport.  It is emitted only when
 * kbd_outport_needed() says the value differs from kbd_outport_default(),
 * so streams from typical guests stay compatible with versions that lack it.
 */
static const VMStateDescription vmstate_kbd_outport = {
    .name = "pckbd_outport",
    .version_id = 1,
    .minimum_version_id = 1,
    .post_load = kbd_outport_post_load,  /* flags outport as present */
    .needed = kbd_outport_needed,
    .fields = (VMStateField[]) {
        VMSTATE_UINT8(outport, KBDState),
        VMSTATE_END_OF_LIST()
    }
};
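/*
 * Main-section post_load: validate the incoming state and rebuild the
 * outport when the optional subsection was absent.
 *
 * Returns 0 on success, -1 if the stream is rejected.
 */
static int kbd_post_load(void *opaque, int version_id)
{
    KBDState *s = opaque;

    /* 'pending' is a bitmask of exactly KBD_PENDING_KBD | KBD_PENDING_AUX.
     * A stream carrying any other bit is corrupt (or hostile) and would leave
     * KBD_STAT_OBF stuck: kbd_update_irq() raises OBF for any non-zero value,
     * but neither device callback can ever clear a foreign bit.  Fail the
     * load rather than run with unreachable state. */
    if (s->pending & ~(KBD_PENDING_KBD | KBD_PENDING_AUX)) {
        return -1;
    }

    if (!s->outport_present) {
        s->outport = kbd_outport_default(s);
    }
    /* Consumed; must be false again before the next load. */
    s->outport_present = false;
    return 0;
}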
/*
 * Main migration section for KBDState.  The four bytes are taken from the
 * stream as-is; kbd_post_load() runs after them (and after the optional
 * outport subsection) to finish up.  The irq lines, device handles and
 * a20_out are not migrated — they are re-established by the owning device.
 */
static const VMStateDescription vmstate_kbd = {
    .name = "pckbd",
    .version_id = 3,
    .minimum_version_id = 3,
    .post_load = kbd_post_load,
    .fields = (VMStateField[]) {
        VMSTATE_UINT8(write_cmd, KBDState),
        VMSTATE_UINT8(status, KBDState),
        VMSTATE_UINT8(mode, KBDState),
        VMSTATE_UINT8(pending, KBDState),
        VMSTATE_END_OF_LIST()
    },
    .subsections = (const VMStateDescription*[]) {
        &vmstate_kbd_outport,
        NULL
    }
};
/* Memory mapped interface */

/*
 * MMIO read: the address bit selected by s->mask picks the status register;
 * otherwise the data register is read.  Only one byte is ever returned.
 */
static uint32_t kbd_mm_readb(void *opaque, hwaddr addr)
{
    KBDState *s = opaque;
    bool is_status = (addr & s->mask) != 0;
    uint64_t v = is_status ? kbd_read_status(s, 0, 1)
                           : kbd_read_data(s, 0, 1);

    return v & 0xff;
}
/*
 * MMIO write: the address bit selected by s->mask routes the byte to the
 * command register; otherwise it goes to the data register.  Only the low
 * byte of @value is forwarded.
 */
static void kbd_mm_writeb(void *opaque, hwaddr addr, uint32_t value)
{
    KBDState *s = opaque;
    uint8_t byte = value & 0xff;

    if (addr & s->mask) {
        kbd_write_command(s, 0, byte, 1);
    } else {
        kbd_write_data(s, 0, byte, 1);
    }
}
/*
 * MMIO region ops.  Byte, word and long accesses all go through the same
 * byte handlers, which mask the value to 8 bits.
 */
static const MemoryRegionOps i8042_mmio_ops = {
    .endianness = DEVICE_NATIVE_ENDIAN,
    .old_mmio = {
        .read = { kbd_mm_readb, kbd_mm_readb, kbd_mm_readb },
        .write = { kbd_mm_writeb, kbd_mm_writeb, kbd_mm_writeb },
    },
};
/*
 * Create a memory-mapped 8042 (non-ISA boards).
 *
 * @region is initialised here to @size bytes; @mask is the address bit that
 * distinguishes the command/status register from the data register.  The
 * state is registered for migration under instance id 0 with no owning
 * device, so a board is expected to create at most one such controller.
 * NOTE(review): a second call would reuse that id — confirm with callers.
 */
void i8042_mm_init(qemu_irq kbd_irq, qemu_irq mouse_irq,
                   MemoryRegion *region, ram_addr_t size,
                   hwaddr mask)
{
    KBDState *s = g_malloc0(sizeof(*s));

    s->irq_kbd = kbd_irq;
    s->irq_mouse = mouse_irq;
    s->mask = mask;

    vmstate_register(NULL, 0, &vmstate_kbd, s);
    memory_region_init_io(region, NULL, &i8042_mmio_ops, s, "i8042", size);

    /* The PS/2 devices register their own reset handlers first. */
    s->kbd = ps2_kbd_init(kbd_update_kbd_irq, s);
    s->mouse = ps2_mouse_init(kbd_update_aux_irq, s);
    qemu_register_reset(kbd_reset, s);
}
488 #define TYPE_I8042 "i8042"
489 #define I8042(obj) OBJECT_CHECK(ISAKBDState, (obj), TYPE_I8042)
typedef struct ISAKBDState {
    ISADevice parent_obj;   /* QOM parent; I8042() casts through it */

    KBDState kbd;           /* controller state shared with the MMIO variant */
    MemoryRegion io[2];     /* [0]: data port 0x60, [1]: command/status port 0x64 */
} ISAKBDState;
/*
 * Inject a synthetic mouse event on an ISA i8042 (@opaque is the ISADevice).
 */
void i8042_isa_mouse_fake_event(void *opaque)
{
    ISADevice *dev = opaque;
    KBDState *s = &I8042(dev)->kbd;

    ps2_mouse_fake_event(s->mouse);
}
/*
 * Wire the A20 gate: @a20_out is driven by KBD_CCMD_ENABLE_A20 /
 * KBD_CCMD_DISABLE_A20 and by outport writes.  The pointer is stored, not
 * copied, so it must outlive the device.
 */
void i8042_setup_a20_line(ISADevice *dev, qemu_irq *a20_out)
{
    KBDState *s = &I8042(dev)->kbd;

    s->a20_out = a20_out;
}
/*
 * ISA device wrapper: migrates the embedded KBDState via vmstate_kbd under
 * the same "pckbd" name and version.
 */
static const VMStateDescription vmstate_kbd_isa = {
    .name = "pckbd",
    .version_id = 3,
    .minimum_version_id = 3,
    .fields = (VMStateField[]) {
        VMSTATE_STRUCT(kbd, ISAKBDState, 0, vmstate_kbd, KBDState),
        VMSTATE_END_OF_LIST()
    }
};
/* Port 0x60: data register.  Accesses are split/merged to single bytes. */
static const MemoryRegionOps i8042_data_ops = {
    .read = kbd_read_data,
    .write = kbd_write_data,
    .impl = {
        .min_access_size = 1,
        .max_access_size = 1,
    },
    .endianness = DEVICE_LITTLE_ENDIAN,
};
/* Port 0x64: status on read, command on write; single-byte accesses only. */
static const MemoryRegionOps i8042_cmd_ops = {
    .read = kbd_read_status,
    .write = kbd_write_command,
    .impl = {
        .min_access_size = 1,
        .max_access_size = 1,
    },
    .endianness = DEVICE_LITTLE_ENDIAN,
};
/*
 * QOM instance init: create the two one-byte I/O regions.  They are mapped
 * onto the ISA ports later, in i8042_realizefn().
 */
static void i8042_initfn(Object *obj)
{
    ISAKBDState *isa_s = I8042(obj);
    KBDState *s = &isa_s->kbd;
    MemoryRegion *data_mr = &isa_s->io[0];
    MemoryRegion *cmd_mr = &isa_s->io[1];

    memory_region_init_io(data_mr, obj, &i8042_data_ops, s, "i8042-data", 1);
    memory_region_init_io(cmd_mr, obj, &i8042_cmd_ops, s, "i8042-cmd", 1);
}
/*
 * Realize: hook up IRQ1/IRQ12, map the regions at 0x60/0x64, create the PS/2
 * devices and register the reset handler.  Never fails; @errp is unused.
 */
static void i8042_realizefn(DeviceState *dev, Error **errp)
{
    ISADevice *isadev = ISA_DEVICE(dev);
    ISAKBDState *isa_s = I8042(dev);
    KBDState *s = &isa_s->kbd;

    isa_init_irq(isadev, &s->irq_kbd, 1);
    isa_init_irq(isadev, &s->irq_mouse, 12);

    isa_register_ioport(isadev, &isa_s->io[0], 0x60);
    isa_register_ioport(isadev, &isa_s->io[1], 0x64);

    /* The PS/2 devices register their own reset handlers first. */
    s->kbd = ps2_kbd_init(kbd_update_kbd_irq, s);
    s->mouse = ps2_mouse_init(kbd_update_aux_irq, s);
    qemu_register_reset(kbd_reset, s);
}
/* QOM class init: install realize and the migration description. */
static void i8042_class_initfn(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);

    dc->vmsd = &vmstate_kbd_isa;
    dc->realize = i8042_realizefn;
}
/* QOM type for the ISA-attached 8042. */
static const TypeInfo i8042_info = {
    .name = TYPE_I8042,
    .parent = TYPE_ISA_DEVICE,
    .instance_size = sizeof(ISAKBDState),
    .instance_init = i8042_initfn,
    .class_init = i8042_class_initfn,
};
/* Register the "i8042" type with QOM at module-init time. */
static void i8042_register_types(void)
{
    type_register_static(&i8042_info);
}

type_init(i8042_register_types)