2007-09-17 01:08:06 +04:00
|
|
|
/*
|
2007-04-06 20:49:48 +04:00
|
|
|
* SD Memory Card emulation as defined in the "SD Memory Card Physical
|
2018-06-08 15:15:33 +03:00
|
|
|
* layer specification, Version 2.00."
|
2007-04-06 20:49:48 +04:00
|
|
|
*
|
|
|
|
* Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
|
|
|
|
* Copyright (c) 2007 CodeSourcery
|
2018-06-08 15:15:33 +03:00
|
|
|
* Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
|
2007-04-06 20:49:48 +04:00
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
*
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in
|
|
|
|
* the documentation and/or other materials provided with the
|
|
|
|
* distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
|
|
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
|
|
|
|
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
|
|
|
|
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
2016-01-26 21:17:30 +03:00
|
|
|
#include "qemu/osdep.h"
|
2018-06-25 15:42:28 +03:00
|
|
|
#include "qemu/units.h"
|
hw/sd/sdcard: Do not allow invalid SD card sizes
QEMU allows to create SD card with unrealistic sizes. This could
work, but some guests (at least Linux) consider sizes that are not
a power of 2 as a firmware bug and fix the card size to the next
power of 2.
While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end.
In a pair of commits we will fix CVE-2020-13253 as:
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
While this is the correct behavior, in case QEMU create smaller SD
cards, guests still try to access past the image size end, and QEMU
considers this is an invalid address, thus "all further data transfer
is ignored". This is wrong and make the guest looping until
eventually timeouts.
Fix by not allowing invalid SD card sizes (suggesting the expected
size as a hint):
$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
qemu-system-arm: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
2020-07-07 14:02:34 +03:00
|
|
|
#include "qemu/cutils.h"
|
2019-08-12 08:23:42 +03:00
|
|
|
#include "hw/irq.h"
|
2018-02-22 18:12:52 +03:00
|
|
|
#include "hw/registerfields.h"
|
2014-10-07 15:59:18 +04:00
|
|
|
#include "sysemu/block-backend.h"
|
2015-10-08 16:21:01 +03:00
|
|
|
#include "hw/sd/sd.h"
|
2017-12-23 23:29:33 +03:00
|
|
|
#include "hw/sd/sdcard_legacy.h"
|
2019-08-12 08:23:45 +03:00
|
|
|
#include "migration/vmstate.h"
|
include/qemu/osdep.h: Don't include qapi/error.h
Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the
Error typedef. Since then, we've moved to include qemu/osdep.h
everywhere. Its file comment explains: "To avoid getting into
possible circular include dependencies, this file should not include
any other QEMU headers, with the exceptions of config-host.h,
compiler.h, os-posix.h and os-win32.h, all of which are doing a
similar job to this file and are under similar constraints."
qapi/error.h doesn't do a similar job, and it doesn't adhere to
similar constraints: it includes qapi-types.h. That's in excess of
100KiB of crap most .c files don't actually need.
Add the typedef to qemu/typedefs.h, and include that instead of
qapi/error.h. Include qapi/error.h in .c files that need it and don't
get it now. Include qapi-types.h in qom/object.h for uint16List.
Update scripts/clean-includes accordingly. Update it further to match
reality: replace config.h by config-target.h, add sysemu/os-posix.h,
sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h
comment quoted above similarly.
This reduces the number of objects depending on qapi/error.h from "all
of them" to less than a third. Unfortunately, the number depending on
qapi-types.h shrinks only a little. More work is needed for that one.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
[Fix compilation without the spice devel packages. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-14 11:01:28 +03:00
|
|
|
#include "qapi/error.h"
|
2012-12-17 21:20:00 +04:00
|
|
|
#include "qemu/bitmap.h"
|
2016-02-18 17:16:18 +03:00
|
|
|
#include "hw/qdev-properties.h"
|
2020-12-12 01:05:12 +03:00
|
|
|
#include "hw/qdev-properties-system.h"
|
2016-02-18 17:16:18 +03:00
|
|
|
#include "qemu/error-report.h"
|
2016-02-18 17:16:20 +03:00
|
|
|
#include "qemu/timer.h"
|
2015-12-15 15:16:16 +03:00
|
|
|
#include "qemu/log.h"
|
2019-05-23 17:35:07 +03:00
|
|
|
#include "qemu/module.h"
|
2018-02-22 18:12:52 +03:00
|
|
|
#include "sdmmc-internal.h"
|
2018-02-22 18:12:52 +03:00
|
|
|
#include "trace.h"
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
//#define DEBUG_SD 1
|
|
|
|
|
2020-08-21 17:45:36 +03:00
|
|
|
#define SDSC_MAX_CAPACITY (2 * GiB)
|
|
|
|
|
2020-09-18 20:06:41 +03:00
|
|
|
#define INVALID_ADDRESS UINT32_MAX
|
2020-09-18 20:05:20 +03:00
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
typedef enum {
|
|
|
|
sd_r0 = 0, /* no response */
|
|
|
|
sd_r1, /* normal response command */
|
|
|
|
sd_r2_i, /* CID register */
|
|
|
|
sd_r2_s, /* CSD register */
|
|
|
|
sd_r3, /* OCR register */
|
|
|
|
sd_r6 = 6, /* Published RCA response */
|
2007-12-24 17:41:39 +03:00
|
|
|
sd_r7, /* Operating voltage */
|
2007-04-06 20:49:48 +04:00
|
|
|
sd_r1b = -1,
|
2011-12-19 00:37:55 +04:00
|
|
|
sd_illegal = -2,
|
2009-10-02 01:12:16 +04:00
|
|
|
} sd_rsp_type_t;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2012-10-30 11:45:12 +04:00
|
|
|
enum SDCardModes {
|
|
|
|
sd_inactive,
|
|
|
|
sd_card_identification_mode,
|
|
|
|
sd_data_transfer_mode,
|
|
|
|
};
|
|
|
|
|
|
|
|
enum SDCardStates {
|
2024-06-24 21:18:46 +03:00
|
|
|
sd_inactive_state = -1,
|
|
|
|
sd_idle_state = 0,
|
|
|
|
sd_ready_state = 1,
|
|
|
|
sd_identification_state = 2,
|
|
|
|
sd_standby_state = 3,
|
|
|
|
sd_transfer_state = 4,
|
|
|
|
sd_sendingdata_state = 5,
|
|
|
|
sd_receivingdata_state = 6,
|
|
|
|
sd_programming_state = 7,
|
|
|
|
sd_disconnect_state = 8,
|
2012-10-30 11:45:12 +04:00
|
|
|
};
|
|
|
|
|
2021-06-24 14:00:08 +03:00
|
|
|
typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req);
|
|
|
|
|
2022-05-30 20:09:27 +03:00
|
|
|
typedef struct SDProto {
|
|
|
|
const char *name;
|
2021-06-24 14:00:08 +03:00
|
|
|
sd_cmd_handler cmd[SDMMC_CMD_MAX];
|
|
|
|
sd_cmd_handler acmd[SDMMC_CMD_MAX];
|
2022-05-30 20:09:27 +03:00
|
|
|
} SDProto;
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
struct SDState {
|
2016-02-18 17:16:18 +03:00
|
|
|
DeviceState parent_obj;
|
|
|
|
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
/* If true, created by sd_init() for a non-qdevified caller */
|
|
|
|
/* TODO purge them with fire */
|
|
|
|
bool me_no_qdev_me_kill_mammoth_with_rocks;
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
/* SD Memory Card Registers */
|
2007-04-06 20:49:48 +04:00
|
|
|
uint32_t ocr;
|
|
|
|
uint8_t scr[8];
|
|
|
|
uint8_t cid[16];
|
|
|
|
uint8_t csd[16];
|
|
|
|
uint16_t rca;
|
|
|
|
uint32_t card_status;
|
|
|
|
uint8_t sd_status[64];
|
2018-02-22 18:12:52 +03:00
|
|
|
|
2018-05-09 08:19:41 +03:00
|
|
|
/* Static properties */
|
|
|
|
|
2018-06-08 15:15:33 +03:00
|
|
|
uint8_t spec_version;
|
2018-02-22 18:12:52 +03:00
|
|
|
BlockBackend *blk;
|
|
|
|
|
2024-06-24 21:19:10 +03:00
|
|
|
const SDProto *proto;
|
|
|
|
|
2018-05-09 08:19:41 +03:00
|
|
|
/* Runtime changeables */
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
uint32_t mode; /* current card mode, one of SDCardModes */
|
|
|
|
int32_t state; /* current card state, one of SDCardStates */
|
2007-12-24 17:41:39 +03:00
|
|
|
uint32_t vhs;
|
2012-08-13 14:04:06 +04:00
|
|
|
bool wp_switch;
|
2021-07-28 20:42:24 +03:00
|
|
|
unsigned long *wp_group_bmap;
|
|
|
|
int32_t wp_group_bits;
|
2009-11-03 17:28:19 +03:00
|
|
|
uint64_t size;
|
2012-10-30 11:45:12 +04:00
|
|
|
uint32_t blk_len;
|
2016-02-18 17:16:19 +03:00
|
|
|
uint32_t multi_blk_cnt;
|
2007-04-06 20:49:48 +04:00
|
|
|
uint32_t erase_start;
|
|
|
|
uint32_t erase_end;
|
|
|
|
uint8_t pwd[16];
|
2012-10-30 11:45:12 +04:00
|
|
|
uint32_t pwd_len;
|
|
|
|
uint8_t function_group[6];
|
|
|
|
uint8_t current_cmd;
|
2024-06-14 02:44:28 +03:00
|
|
|
const char *last_cmd_name;
|
2011-12-19 00:37:59 +04:00
|
|
|
/* True if we will handle the next command as an ACMD. Note that this does
|
|
|
|
* *not* track the APP_CMD status bit!
|
|
|
|
*/
|
2012-08-13 14:04:06 +04:00
|
|
|
bool expecting_acmd;
|
2012-10-30 11:45:12 +04:00
|
|
|
uint32_t blk_written;
|
2024-06-13 17:21:12 +03:00
|
|
|
|
2009-11-03 17:28:19 +03:00
|
|
|
uint64_t data_start;
|
2007-04-06 20:49:48 +04:00
|
|
|
uint32_t data_offset;
|
2024-06-13 17:21:12 +03:00
|
|
|
size_t data_size;
|
2007-04-06 20:49:48 +04:00
|
|
|
uint8_t data[512];
|
2007-11-17 17:34:44 +03:00
|
|
|
qemu_irq readonly_cb;
|
|
|
|
qemu_irq inserted_cb;
|
2018-02-22 18:12:52 +03:00
|
|
|
QEMUTimer *ocr_power_timer;
|
2012-08-13 14:04:06 +04:00
|
|
|
bool enable;
|
2018-02-08 19:48:10 +03:00
|
|
|
uint8_t dat_lines;
|
|
|
|
bool cmd_line;
|
2007-04-06 20:49:48 +04:00
|
|
|
};
|
|
|
|
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
static void sd_realize(DeviceState *dev, Error **errp);
|
|
|
|
|
2023-07-03 09:00:08 +03:00
|
|
|
static const SDProto sd_proto_spi;
|
|
|
|
|
|
|
|
static bool sd_is_spi(SDState *sd)
|
|
|
|
{
|
2024-06-24 21:19:10 +03:00
|
|
|
return sd->proto == &sd_proto_spi;
|
2023-07-03 09:00:08 +03:00
|
|
|
}
|
|
|
|
|
2022-05-30 19:56:06 +03:00
|
|
|
static const char *sd_version_str(enum SDPhySpecificationVersion version)
|
|
|
|
{
|
|
|
|
static const char *sdphy_version[] = {
|
|
|
|
[SD_PHY_SPECv1_10_VERS] = "v1.10",
|
|
|
|
[SD_PHY_SPECv2_00_VERS] = "v2.00",
|
|
|
|
[SD_PHY_SPECv3_01_VERS] = "v3.01",
|
|
|
|
};
|
|
|
|
if (version >= ARRAY_SIZE(sdphy_version)) {
|
|
|
|
return "unsupported version";
|
|
|
|
}
|
|
|
|
return sdphy_version[version];
|
|
|
|
}
|
|
|
|
|
2024-06-13 23:45:43 +03:00
|
|
|
static const char *sd_mode_name(enum SDCardModes mode)
|
|
|
|
{
|
|
|
|
static const char *mode_name[] = {
|
|
|
|
[sd_inactive] = "inactive",
|
|
|
|
[sd_card_identification_mode] = "identification",
|
|
|
|
[sd_data_transfer_mode] = "transfer",
|
|
|
|
};
|
|
|
|
assert(mode < ARRAY_SIZE(mode_name));
|
|
|
|
return mode_name[mode];
|
|
|
|
}
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
static const char *sd_state_name(enum SDCardStates state)
|
|
|
|
{
|
|
|
|
static const char *state_name[] = {
|
|
|
|
[sd_idle_state] = "idle",
|
|
|
|
[sd_ready_state] = "ready",
|
|
|
|
[sd_identification_state] = "identification",
|
|
|
|
[sd_standby_state] = "standby",
|
|
|
|
[sd_transfer_state] = "transfer",
|
|
|
|
[sd_sendingdata_state] = "sendingdata",
|
|
|
|
[sd_receivingdata_state] = "receivingdata",
|
|
|
|
[sd_programming_state] = "programming",
|
|
|
|
[sd_disconnect_state] = "disconnect",
|
|
|
|
};
|
|
|
|
if (state == sd_inactive_state) {
|
|
|
|
return "inactive";
|
|
|
|
}
|
2019-06-19 22:14:46 +03:00
|
|
|
assert(state < ARRAY_SIZE(state_name));
|
2018-02-22 18:12:52 +03:00
|
|
|
return state_name[state];
|
|
|
|
}
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
static const char *sd_response_name(sd_rsp_type_t rsp)
|
|
|
|
{
|
|
|
|
static const char *response_name[] = {
|
|
|
|
[sd_r0] = "RESP#0 (no response)",
|
|
|
|
[sd_r1] = "RESP#1 (normal cmd)",
|
|
|
|
[sd_r2_i] = "RESP#2 (CID reg)",
|
|
|
|
[sd_r2_s] = "RESP#2 (CSD reg)",
|
|
|
|
[sd_r3] = "RESP#3 (OCR reg)",
|
|
|
|
[sd_r6] = "RESP#6 (RCA)",
|
|
|
|
[sd_r7] = "RESP#7 (operating voltage)",
|
|
|
|
};
|
|
|
|
if (rsp == sd_illegal) {
|
|
|
|
return "ILLEGAL RESP";
|
|
|
|
}
|
|
|
|
if (rsp == sd_r1b) {
|
|
|
|
rsp = sd_r1;
|
|
|
|
}
|
2019-06-19 22:14:46 +03:00
|
|
|
assert(rsp < ARRAY_SIZE(response_name));
|
2018-02-22 18:12:52 +03:00
|
|
|
return response_name[rsp];
|
|
|
|
}
|
|
|
|
|
2018-02-08 19:48:10 +03:00
|
|
|
static uint8_t sd_get_dat_lines(SDState *sd)
|
|
|
|
{
|
|
|
|
return sd->enable ? sd->dat_lines : 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool sd_get_cmd_line(SDState *sd)
|
|
|
|
{
|
|
|
|
return sd->enable ? sd->cmd_line : false;
|
|
|
|
}
|
|
|
|
|
2018-02-08 19:48:09 +03:00
|
|
|
static void sd_set_voltage(SDState *sd, uint16_t millivolts)
|
|
|
|
{
|
2018-02-22 18:12:52 +03:00
|
|
|
trace_sdcard_set_voltage(millivolts);
|
|
|
|
|
2018-02-08 19:48:09 +03:00
|
|
|
switch (millivolts) {
|
|
|
|
case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
|
|
|
|
case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
|
|
|
|
millivolts / 1000.f);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-12-19 00:37:58 +04:00
|
|
|
static void sd_set_mode(SDState *sd)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_inactive_state:
|
|
|
|
sd->mode = sd_inactive;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case sd_idle_state:
|
|
|
|
case sd_ready_state:
|
|
|
|
case sd_identification_state:
|
|
|
|
sd->mode = sd_card_identification_mode;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case sd_standby_state:
|
|
|
|
case sd_transfer_state:
|
|
|
|
case sd_sendingdata_state:
|
|
|
|
case sd_receivingdata_state:
|
|
|
|
case sd_programming_state:
|
|
|
|
case sd_disconnect_state:
|
|
|
|
sd->mode = sd_data_transfer_mode;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
|
2007-04-06 20:49:48 +04:00
|
|
|
sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
|
2007-12-24 17:41:39 +03:00
|
|
|
sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
|
2018-02-22 18:12:52 +03:00
|
|
|
/* 16 */
|
2007-04-06 20:49:48 +04:00
|
|
|
sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
|
|
|
|
sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
|
2018-02-22 18:12:52 +03:00
|
|
|
/* 32 */
|
2007-04-06 20:49:48 +04:00
|
|
|
sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
|
|
|
|
sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
|
2018-02-22 18:12:52 +03:00
|
|
|
/* 48 */
|
2007-04-06 20:49:48 +04:00
|
|
|
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
|
|
|
|
sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
|
|
|
|
};
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
static const int sd_cmd_class[SDMMC_CMD_MAX] = {
|
2007-04-06 20:49:48 +04:00
|
|
|
0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
|
|
|
|
2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
|
|
|
|
5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
|
|
|
|
7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
|
|
|
|
};
|
|
|
|
|
2018-05-02 22:45:37 +03:00
|
|
|
static uint8_t sd_crc7(const void *message, size_t width)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
int i, bit;
|
|
|
|
uint8_t shift_reg = 0x00;
|
2018-05-02 22:45:37 +03:00
|
|
|
const uint8_t *msg = (const uint8_t *)message;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
for (i = 0; i < width; i ++, msg ++)
|
|
|
|
for (bit = 7; bit >= 0; bit --) {
|
|
|
|
shift_reg <<= 1;
|
|
|
|
if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
|
|
|
|
shift_reg ^= 0x89;
|
|
|
|
}
|
|
|
|
|
|
|
|
return shift_reg;
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* Operation Conditions register */
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
#define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
|
|
|
|
|
2018-02-22 18:12:53 +03:00
|
|
|
FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
|
|
|
|
FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
|
|
|
|
FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
|
|
|
|
FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
|
|
|
|
FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
|
|
|
|
FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
|
2018-02-22 18:12:52 +03:00
|
|
|
FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
|
|
|
|
FIELD(OCR, CARD_POWER_UP, 31, 1)
|
|
|
|
|
2018-02-22 18:12:53 +03:00
|
|
|
#define ACMD41_ENQUIRY_MASK 0x00ffffff
|
|
|
|
#define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
|
|
|
|
| R_OCR_ACCEPT_SWITCH_1V8_MASK \
|
|
|
|
| R_OCR_UHS_II_CARD_MASK \
|
|
|
|
| R_OCR_CARD_CAPACITY_MASK \
|
|
|
|
| R_OCR_CARD_POWER_UP_MASK)
|
|
|
|
|
2016-02-18 17:16:20 +03:00
|
|
|
static void sd_ocr_powerup(void *opaque)
|
|
|
|
{
|
|
|
|
SDState *sd = opaque;
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
trace_sdcard_powerup();
|
2018-02-22 18:12:52 +03:00
|
|
|
assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
|
|
|
|
|
|
|
|
/* card power-up OK */
|
|
|
|
sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
|
2018-02-22 18:12:52 +03:00
|
|
|
|
2020-08-21 17:45:36 +03:00
|
|
|
if (sd->size > SDSC_MAX_CAPACITY) {
|
2018-02-22 18:12:52 +03:00
|
|
|
sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
|
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2021-12-28 15:57:17 +03:00
|
|
|
static void sd_set_ocr(SDState *sd)
|
|
|
|
{
|
|
|
|
/* All voltages OK */
|
|
|
|
sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
|
|
|
|
|
2023-07-03 09:00:08 +03:00
|
|
|
if (sd_is_spi(sd)) {
|
2021-12-28 15:57:17 +03:00
|
|
|
/*
|
|
|
|
* We don't need to emulate power up sequence in SPI-mode.
|
|
|
|
* Thus, the card's power up status bit should be set to 1 when reset.
|
|
|
|
* The card's capacity status bit should also be set if SD card size
|
|
|
|
* is larger than 2GB for SDHC support.
|
|
|
|
*/
|
|
|
|
sd_ocr_powerup(sd);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* SD Configuration register */
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
static void sd_set_scr(SDState *sd)
|
|
|
|
{
|
2018-06-08 15:15:33 +03:00
|
|
|
sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
|
|
|
|
if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
|
|
|
|
sd->scr[0] |= 1; /* Spec Version 1.10 */
|
|
|
|
} else {
|
2018-06-08 15:15:34 +03:00
|
|
|
sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
|
2018-06-08 15:15:33 +03:00
|
|
|
}
|
2018-02-22 18:12:53 +03:00
|
|
|
sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
|
|
|
|
| 0b0101; /* 1-bit or 4-bit width bus modes */
|
|
|
|
sd->scr[2] = 0x00; /* Extended Security is not supported. */
|
2018-06-08 15:15:34 +03:00
|
|
|
if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
|
|
|
|
sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
|
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->scr[3] = 0x00;
|
2018-02-22 18:12:53 +03:00
|
|
|
/* reserved for manufacturer usage */
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->scr[4] = 0x00;
|
|
|
|
sd->scr[5] = 0x00;
|
|
|
|
sd->scr[6] = 0x00;
|
|
|
|
sd->scr[7] = 0x00;
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* Card IDentification register */
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
#define MID 0xaa
|
|
|
|
#define OID "XY"
|
|
|
|
#define PNM "QEMU!"
|
|
|
|
#define PRV 0x01
|
|
|
|
#define MDT_YR 2006
|
|
|
|
#define MDT_MON 2
|
|
|
|
|
|
|
|
static void sd_set_cid(SDState *sd)
|
|
|
|
{
|
|
|
|
sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
|
|
|
|
sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
|
|
|
|
sd->cid[2] = OID[1];
|
|
|
|
sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
|
|
|
|
sd->cid[4] = PNM[1];
|
|
|
|
sd->cid[5] = PNM[2];
|
|
|
|
sd->cid[6] = PNM[3];
|
|
|
|
sd->cid[7] = PNM[4];
|
|
|
|
sd->cid[8] = PRV; /* Fake product revision (PRV) */
|
2024-06-20 19:47:27 +03:00
|
|
|
stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
|
|
|
|
((MDT_YR - 2000) / 10);
|
|
|
|
sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
|
|
|
|
sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* Card-Specific Data register */
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
#define HWBLOCK_SHIFT 9 /* 512 bytes */
|
|
|
|
#define SECTOR_SHIFT 5 /* 16 kilobytes */
|
|
|
|
#define WPGROUP_SHIFT 7 /* 2 megs */
|
|
|
|
#define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
|
|
|
|
#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
|
|
|
|
|
|
|
|
static const uint8_t sd_csd_rw_mask[16] = {
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
|
|
|
|
};
|
|
|
|
|
2009-11-03 17:28:19 +03:00
|
|
|
static void sd_set_csd(SDState *sd, uint64_t size)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2020-10-25 18:23:57 +03:00
|
|
|
int hwblock_shift = HWBLOCK_SHIFT;
|
|
|
|
uint32_t csize;
|
2007-04-06 20:49:48 +04:00
|
|
|
uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
|
|
|
|
uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
|
|
|
|
|
2020-10-25 18:23:57 +03:00
|
|
|
/* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
|
|
|
|
if (size == SDSC_MAX_CAPACITY) {
|
|
|
|
hwblock_shift += 1;
|
|
|
|
}
|
|
|
|
csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1;
|
|
|
|
|
2020-08-21 17:45:36 +03:00
|
|
|
if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
|
2009-11-03 17:28:19 +03:00
|
|
|
sd->csd[0] = 0x00; /* CSD structure */
|
|
|
|
sd->csd[1] = 0x26; /* Data read access-time-1 */
|
|
|
|
sd->csd[2] = 0x00; /* Data read access-time-2 */
|
2018-02-22 18:12:53 +03:00
|
|
|
sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
|
2009-11-03 17:28:19 +03:00
|
|
|
sd->csd[4] = 0x5f; /* Card Command Classes */
|
|
|
|
sd->csd[5] = 0x50 | /* Max. read data block length */
|
2020-10-25 18:23:57 +03:00
|
|
|
hwblock_shift;
|
2009-11-03 17:28:19 +03:00
|
|
|
sd->csd[6] = 0xe0 | /* Partial block for read allowed */
|
|
|
|
((csize >> 10) & 0x03);
|
|
|
|
sd->csd[7] = 0x00 | /* Device size */
|
|
|
|
((csize >> 2) & 0xff);
|
|
|
|
sd->csd[8] = 0x3f | /* Max. read current */
|
|
|
|
((csize << 6) & 0xc0);
|
|
|
|
sd->csd[9] = 0xfc | /* Max. write current */
|
|
|
|
((CMULT_SHIFT - 2) >> 1);
|
|
|
|
sd->csd[10] = 0x40 | /* Erase sector size */
|
|
|
|
(((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
|
|
|
|
sd->csd[11] = 0x00 | /* Write protect group size */
|
|
|
|
((sectsize << 7) & 0x80) | wpsize;
|
|
|
|
sd->csd[12] = 0x90 | /* Write speed factor */
|
2020-10-25 18:23:57 +03:00
|
|
|
(hwblock_shift >> 2);
|
2009-11-03 17:28:19 +03:00
|
|
|
sd->csd[13] = 0x20 | /* Max. write data block length */
|
2020-10-25 18:23:57 +03:00
|
|
|
((hwblock_shift << 6) & 0xc0);
|
2009-11-03 17:28:19 +03:00
|
|
|
sd->csd[14] = 0x00; /* File format group */
|
|
|
|
} else { /* SDHC */
|
2018-06-25 15:42:28 +03:00
|
|
|
size /= 512 * KiB;
|
2009-11-03 17:28:19 +03:00
|
|
|
size -= 1;
|
|
|
|
sd->csd[0] = 0x40;
|
|
|
|
sd->csd[1] = 0x0e;
|
|
|
|
sd->csd[2] = 0x00;
|
|
|
|
sd->csd[3] = 0x32;
|
|
|
|
sd->csd[4] = 0x5b;
|
|
|
|
sd->csd[5] = 0x59;
|
|
|
|
sd->csd[6] = 0x00;
|
2024-06-20 19:47:27 +03:00
|
|
|
st24_be_p(&sd->csd[7], size);
|
2009-11-03 17:28:19 +03:00
|
|
|
sd->csd[10] = 0x7f;
|
|
|
|
sd->csd[11] = 0x80;
|
|
|
|
sd->csd[12] = 0x0a;
|
|
|
|
sd->csd[13] = 0x40;
|
|
|
|
sd->csd[14] = 0x00;
|
|
|
|
}
|
2018-02-22 18:12:53 +03:00
|
|
|
sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* Relative Card Address register */
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
static void sd_set_rca(SDState *sd)
|
|
|
|
{
|
|
|
|
sd->rca += 0x4567;
|
|
|
|
}
|
|
|
|
|
2024-06-11 17:38:01 +03:00
|
|
|
static uint16_t sd_req_get_rca(SDState *s, SDRequest req)
|
|
|
|
{
|
|
|
|
if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc) {
|
|
|
|
return req.arg >> 16;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* Card Status register */
|
|
|
|
|
2018-02-22 18:12:53 +03:00
|
|
|
FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
|
|
|
|
FIELD(CSR, APP_CMD, 5, 1)
|
|
|
|
FIELD(CSR, FX_EVENT, 6, 1)
|
|
|
|
FIELD(CSR, READY_FOR_DATA, 8, 1)
|
|
|
|
FIELD(CSR, CURRENT_STATE, 9, 4)
|
|
|
|
FIELD(CSR, ERASE_RESET, 13, 1)
|
|
|
|
FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
|
|
|
|
FIELD(CSR, WP_ERASE_SKIP, 15, 1)
|
|
|
|
FIELD(CSR, CSD_OVERWRITE, 16, 1)
|
|
|
|
FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
|
|
|
|
FIELD(CSR, ERROR, 19, 1)
|
|
|
|
FIELD(CSR, CC_ERROR, 20, 1)
|
|
|
|
FIELD(CSR, CARD_ECC_FAILED, 21, 1)
|
|
|
|
FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
|
|
|
|
FIELD(CSR, COM_CRC_ERROR, 23, 1)
|
|
|
|
FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
|
|
|
|
FIELD(CSR, CARD_IS_LOCKED, 25, 1)
|
|
|
|
FIELD(CSR, WP_VIOLATION, 26, 1)
|
|
|
|
FIELD(CSR, ERASE_PARAM, 27, 1)
|
|
|
|
FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
|
|
|
|
FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
|
|
|
|
FIELD(CSR, ADDRESS_ERROR, 30, 1)
|
|
|
|
FIELD(CSR, OUT_OF_RANGE, 31, 1)
|
|
|
|
|
2011-12-19 00:37:52 +04:00
|
|
|
/* Card status bits, split by clear condition:
|
|
|
|
* A : According to the card current state
|
|
|
|
* B : Always related to the previous command
|
|
|
|
* C : Cleared by read
|
|
|
|
*/
|
2018-02-22 18:12:53 +03:00
|
|
|
#define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
|
|
|
|
| R_CSR_CARD_ECC_DISABLED_MASK \
|
|
|
|
| R_CSR_CARD_IS_LOCKED_MASK)
|
|
|
|
#define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
|
|
|
|
| R_CSR_ILLEGAL_COMMAND_MASK \
|
|
|
|
| R_CSR_COM_CRC_ERROR_MASK)
|
|
|
|
#define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
|
|
|
|
| R_CSR_APP_CMD_MASK \
|
|
|
|
| R_CSR_ERASE_RESET_MASK \
|
|
|
|
| R_CSR_WP_ERASE_SKIP_MASK \
|
|
|
|
| R_CSR_CSD_OVERWRITE_MASK \
|
|
|
|
| R_CSR_ERROR_MASK \
|
|
|
|
| R_CSR_CC_ERROR_MASK \
|
|
|
|
| R_CSR_CARD_ECC_FAILED_MASK \
|
|
|
|
| R_CSR_LOCK_UNLOCK_FAILED_MASK \
|
|
|
|
| R_CSR_WP_VIOLATION_MASK \
|
|
|
|
| R_CSR_ERASE_PARAM_MASK \
|
|
|
|
| R_CSR_ERASE_SEQ_ERROR_MASK \
|
|
|
|
| R_CSR_BLOCK_LEN_ERROR_MASK \
|
|
|
|
| R_CSR_ADDRESS_ERROR_MASK \
|
|
|
|
| R_CSR_OUT_OF_RANGE_MASK)
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
static void sd_set_cardstatus(SDState *sd)
|
|
|
|
{
|
2024-06-24 17:41:10 +03:00
|
|
|
sd->card_status = READY_FOR_DATA;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void sd_set_sdstatus(SDState *sd)
|
|
|
|
{
|
|
|
|
memset(sd->sd_status, 0, 64);
|
|
|
|
}
|
|
|
|
|
2022-06-01 08:15:10 +03:00
|
|
|
static const uint8_t sd_tuning_block_pattern4[64] = {
|
|
|
|
/*
|
|
|
|
* See: Physical Layer Simplified Specification Version 3.01,
|
|
|
|
* Table 4-2.
|
|
|
|
*/
|
|
|
|
0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
|
|
|
|
0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
|
|
|
|
0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
|
|
|
|
0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
|
|
|
|
0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
|
|
|
|
0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
|
|
|
|
0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
|
|
|
|
0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde
|
|
|
|
};
|
|
|
|
|
2009-05-10 04:44:56 +04:00
|
|
|
static int sd_req_crc_validate(SDRequest *req)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
uint8_t buffer[5];
|
|
|
|
buffer[0] = 0x40 | req->cmd;
|
2018-02-22 18:12:53 +03:00
|
|
|
stl_be_p(&buffer[1], req->arg);
|
2007-04-06 20:49:48 +04:00
|
|
|
return 0;
|
|
|
|
return sd_crc7(buffer, 5) != req->crc; /* TODO */
|
|
|
|
}
|
|
|
|
|
2011-12-19 00:37:58 +04:00
|
|
|
static void sd_response_r1_make(SDState *sd, uint8_t *response)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2018-02-22 18:12:53 +03:00
|
|
|
stl_be_p(response, sd->card_status);
|
|
|
|
|
2011-12-19 00:37:59 +04:00
|
|
|
/* Clear the "clear on read" status bits */
|
|
|
|
sd->card_status &= ~CARD_STATUS_C;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2007-11-18 04:44:38 +03:00
|
|
|
static void sd_response_r3_make(SDState *sd, uint8_t *response)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2018-02-22 18:12:53 +03:00
|
|
|
stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2007-11-18 04:44:38 +03:00
|
|
|
static void sd_response_r6_make(SDState *sd, uint8_t *response)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
uint16_t status;
|
|
|
|
|
|
|
|
status = ((sd->card_status >> 8) & 0xc000) |
|
|
|
|
((sd->card_status >> 6) & 0x2000) |
|
|
|
|
(sd->card_status & 0x1fff);
|
2011-12-19 00:38:00 +04:00
|
|
|
sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
|
2018-02-22 18:12:53 +03:00
|
|
|
stw_be_p(response + 0, sd->rca);
|
|
|
|
stw_be_p(response + 2, status);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2007-12-24 17:41:39 +03:00
|
|
|
static void sd_response_r7_make(SDState *sd, uint8_t *response)
|
|
|
|
{
|
2018-02-22 18:12:53 +03:00
|
|
|
stl_be_p(response, sd->vhs);
|
2007-12-24 17:41:39 +03:00
|
|
|
}
|
|
|
|
|
2020-10-26 03:32:52 +03:00
|
|
|
static uint32_t sd_blk_len(SDState *sd)
|
|
|
|
{
|
|
|
|
if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
|
|
|
|
return 1 << HWBLOCK_SHIFT;
|
|
|
|
}
|
|
|
|
return sd->blk_len;
|
|
|
|
}
|
|
|
|
|
2024-06-11 17:50:30 +03:00
|
|
|
static uint64_t sd_req_get_address(SDState *sd, SDRequest req)
|
|
|
|
{
|
2024-06-20 10:43:26 +03:00
|
|
|
uint64_t addr;
|
|
|
|
|
2024-06-11 17:50:30 +03:00
|
|
|
if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
|
2024-06-20 10:43:26 +03:00
|
|
|
addr = (uint64_t) req.arg << HWBLOCK_SHIFT;
|
|
|
|
} else {
|
|
|
|
addr = req.arg;
|
2024-06-11 17:50:30 +03:00
|
|
|
}
|
2024-06-20 10:43:26 +03:00
|
|
|
trace_sdcard_req_addr(req.arg, addr);
|
|
|
|
return addr;
|
2024-06-11 17:50:30 +03:00
|
|
|
}
|
|
|
|
|
2012-08-13 14:04:06 +04:00
|
|
|
static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
|
|
|
|
{
|
|
|
|
return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
|
|
|
|
}
|
|
|
|
|
2016-02-18 17:16:18 +03:00
|
|
|
static void sd_reset(DeviceState *dev)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2016-02-18 17:16:18 +03:00
|
|
|
SDState *sd = SD_CARD(dev);
|
2009-11-03 17:28:19 +03:00
|
|
|
uint64_t size;
|
2007-04-06 20:49:48 +04:00
|
|
|
uint64_t sect;
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
trace_sdcard_reset();
|
2015-05-12 13:57:16 +03:00
|
|
|
if (sd->blk) {
|
|
|
|
blk_get_geometry(sd->blk, §);
|
2009-05-03 19:52:16 +04:00
|
|
|
} else {
|
|
|
|
sect = 0;
|
|
|
|
}
|
2020-10-25 21:36:59 +03:00
|
|
|
size = sect << HWBLOCK_SHIFT;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2012-08-13 14:04:06 +04:00
|
|
|
sect = sd_addr_to_wpnum(size) + 1;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
sd->state = sd_idle_state;
|
2020-10-25 22:17:47 +03:00
|
|
|
|
|
|
|
/* card registers */
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->rca = 0x0000;
|
2021-12-28 15:57:17 +03:00
|
|
|
sd->size = size;
|
2007-04-06 20:49:48 +04:00
|
|
|
sd_set_ocr(sd);
|
|
|
|
sd_set_scr(sd);
|
|
|
|
sd_set_cid(sd);
|
|
|
|
sd_set_csd(sd, size);
|
|
|
|
sd_set_cardstatus(sd);
|
|
|
|
sd_set_sdstatus(sd);
|
|
|
|
|
2021-07-28 20:42:24 +03:00
|
|
|
g_free(sd->wp_group_bmap);
|
2021-01-18 15:34:47 +03:00
|
|
|
sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
|
2021-07-28 20:42:24 +03:00
|
|
|
sd->wp_group_bits = sect;
|
|
|
|
sd->wp_group_bmap = bitmap_new(sd->wp_group_bits);
|
2012-10-30 11:45:12 +04:00
|
|
|
memset(sd->function_group, 0, sizeof(sd->function_group));
|
2020-09-18 20:05:20 +03:00
|
|
|
sd->erase_start = INVALID_ADDRESS;
|
|
|
|
sd->erase_end = INVALID_ADDRESS;
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->blk_len = 0x200;
|
|
|
|
sd->pwd_len = 0;
|
2012-08-13 14:04:06 +04:00
|
|
|
sd->expecting_acmd = false;
|
2018-02-08 19:48:10 +03:00
|
|
|
sd->dat_lines = 0xf;
|
|
|
|
sd->cmd_line = true;
|
2016-02-18 17:16:19 +03:00
|
|
|
sd->multi_blk_cnt = 0;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2016-02-18 17:16:18 +03:00
|
|
|
static bool sd_get_inserted(SDState *sd)
|
|
|
|
{
|
2016-03-04 14:30:17 +03:00
|
|
|
return sd->blk && blk_is_inserted(sd->blk);
|
2016-02-18 17:16:18 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static bool sd_get_readonly(SDState *sd)
|
|
|
|
{
|
|
|
|
return sd->wp_switch;
|
|
|
|
}
|
|
|
|
|
2017-01-24 16:21:41 +03:00
|
|
|
static void sd_cardchange(void *opaque, bool load, Error **errp)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
SDState *sd = opaque;
|
2016-02-18 17:16:18 +03:00
|
|
|
DeviceState *dev = DEVICE(sd);
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
SDBus *sdbus;
|
2016-02-18 17:16:18 +03:00
|
|
|
bool inserted = sd_get_inserted(sd);
|
|
|
|
bool readonly = sd_get_readonly(sd);
|
2011-01-24 15:32:41 +03:00
|
|
|
|
2016-02-18 17:16:18 +03:00
|
|
|
if (inserted) {
|
2018-02-22 18:12:52 +03:00
|
|
|
trace_sdcard_inserted(readonly);
|
2016-02-18 17:16:18 +03:00
|
|
|
sd_reset(dev);
|
2018-02-22 18:12:52 +03:00
|
|
|
} else {
|
|
|
|
trace_sdcard_ejected();
|
2016-02-18 17:16:18 +03:00
|
|
|
}
|
|
|
|
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
|
|
|
|
qemu_set_irq(sd->inserted_cb, inserted);
|
2016-02-18 17:16:18 +03:00
|
|
|
if (inserted) {
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
qemu_set_irq(sd->readonly_cb, readonly);
|
2016-02-18 17:16:18 +03:00
|
|
|
}
|
|
|
|
} else {
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
sdbus = SD_BUS(qdev_get_parent_bus(dev));
|
|
|
|
sdbus_set_inserted(sdbus, inserted);
|
2016-02-18 17:16:18 +03:00
|
|
|
if (inserted) {
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
sdbus_set_readonly(sdbus, readonly);
|
2016-02-18 17:16:18 +03:00
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-08-03 17:07:41 +04:00
|
|
|
static const BlockDevOps sd_block_ops = {
|
2011-08-03 17:07:42 +04:00
|
|
|
.change_media_cb = sd_cardchange,
|
2011-08-03 17:07:41 +04:00
|
|
|
};
|
|
|
|
|
2016-02-18 17:16:20 +03:00
|
|
|
static bool sd_ocr_vmstate_needed(void *opaque)
|
|
|
|
{
|
|
|
|
SDState *sd = opaque;
|
|
|
|
|
|
|
|
/* Include the OCR state (and timer) if it is not yet powered up */
|
2018-02-22 18:12:52 +03:00
|
|
|
return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
|
2016-02-18 17:16:20 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static const VMStateDescription sd_ocr_vmstate = {
|
|
|
|
.name = "sd-card/ocr-state",
|
|
|
|
.version_id = 1,
|
|
|
|
.minimum_version_id = 1,
|
|
|
|
.needed = sd_ocr_vmstate_needed,
|
2023-12-21 06:16:33 +03:00
|
|
|
.fields = (const VMStateField[]) {
|
2016-02-18 17:16:20 +03:00
|
|
|
VMSTATE_UINT32(ocr, SDState),
|
|
|
|
VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
|
|
|
|
VMSTATE_END_OF_LIST()
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
static int sd_vmstate_pre_load(void *opaque)
|
|
|
|
{
|
|
|
|
SDState *sd = opaque;
|
|
|
|
|
|
|
|
/* If the OCR state is not included (prior versions, or not
|
|
|
|
* needed), then the OCR must be set as powered up. If the OCR state
|
|
|
|
* is included, this will be replaced by the state restore.
|
|
|
|
*/
|
|
|
|
sd_ocr_powerup(sd);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-10-30 11:45:12 +04:00
|
|
|
static const VMStateDescription sd_vmstate = {
|
|
|
|
.name = "sd-card",
|
2020-09-18 20:06:41 +03:00
|
|
|
.version_id = 2,
|
|
|
|
.minimum_version_id = 2,
|
2016-02-18 17:16:20 +03:00
|
|
|
.pre_load = sd_vmstate_pre_load,
|
2023-12-21 06:16:33 +03:00
|
|
|
.fields = (const VMStateField[]) {
|
2012-10-30 11:45:12 +04:00
|
|
|
VMSTATE_UINT32(mode, SDState),
|
|
|
|
VMSTATE_INT32(state, SDState),
|
|
|
|
VMSTATE_UINT8_ARRAY(cid, SDState, 16),
|
|
|
|
VMSTATE_UINT8_ARRAY(csd, SDState, 16),
|
|
|
|
VMSTATE_UINT16(rca, SDState),
|
|
|
|
VMSTATE_UINT32(card_status, SDState),
|
|
|
|
VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
|
|
|
|
VMSTATE_UINT32(vhs, SDState),
|
2021-07-28 20:42:24 +03:00
|
|
|
VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits),
|
2012-10-30 11:45:12 +04:00
|
|
|
VMSTATE_UINT32(blk_len, SDState),
|
2016-02-18 17:16:19 +03:00
|
|
|
VMSTATE_UINT32(multi_blk_cnt, SDState),
|
2012-10-30 11:45:12 +04:00
|
|
|
VMSTATE_UINT32(erase_start, SDState),
|
|
|
|
VMSTATE_UINT32(erase_end, SDState),
|
|
|
|
VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
|
|
|
|
VMSTATE_UINT32(pwd_len, SDState),
|
|
|
|
VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
|
|
|
|
VMSTATE_UINT8(current_cmd, SDState),
|
|
|
|
VMSTATE_BOOL(expecting_acmd, SDState),
|
|
|
|
VMSTATE_UINT32(blk_written, SDState),
|
|
|
|
VMSTATE_UINT64(data_start, SDState),
|
|
|
|
VMSTATE_UINT32(data_offset, SDState),
|
|
|
|
VMSTATE_UINT8_ARRAY(data, SDState, 512),
|
2016-05-06 19:26:39 +03:00
|
|
|
VMSTATE_UNUSED_V(1, 512),
|
2012-10-30 11:45:12 +04:00
|
|
|
VMSTATE_BOOL(enable, SDState),
|
|
|
|
VMSTATE_END_OF_LIST()
|
2016-02-18 17:16:20 +03:00
|
|
|
},
|
2023-12-21 06:16:33 +03:00
|
|
|
.subsections = (const VMStateDescription * const []) {
|
2016-02-18 17:16:20 +03:00
|
|
|
&sd_ocr_vmstate,
|
|
|
|
NULL
|
|
|
|
},
|
2012-10-30 11:45:12 +04:00
|
|
|
};
|
|
|
|
|
2016-02-18 17:16:18 +03:00
|
|
|
/* Legacy initialization function for use by non-qdevified callers */
|
2014-10-07 15:59:18 +04:00
|
|
|
SDState *sd_init(BlockBackend *blk, bool is_spi)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2016-03-16 20:06:02 +03:00
|
|
|
Object *obj;
|
2016-02-18 17:16:18 +03:00
|
|
|
DeviceState *dev;
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
SDState *sd;
|
2016-02-18 17:16:18 +03:00
|
|
|
Error *err = NULL;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2023-07-03 09:00:08 +03:00
|
|
|
obj = object_new(is_spi ? TYPE_SD_CARD_SPI : TYPE_SD_CARD);
|
2016-03-16 20:06:02 +03:00
|
|
|
dev = DEVICE(obj);
|
2020-07-07 19:06:00 +03:00
|
|
|
if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
|
2020-05-05 13:19:03 +03:00
|
|
|
error_reportf_err(err, "sd_init failed: ");
|
2013-09-13 17:51:47 +04:00
|
|
|
return NULL;
|
|
|
|
}
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Realizing the device properly would put it into the QOM
|
|
|
|
* composition tree even though it is not plugged into an
|
|
|
|
* appropriate bus. That's a no-no. Hide the device from
|
|
|
|
* QOM/qdev, and call its qdev realize callback directly.
|
|
|
|
*/
|
|
|
|
object_ref(obj);
|
|
|
|
object_unparent(obj);
|
|
|
|
sd_realize(dev, &err);
|
2016-02-18 17:16:18 +03:00
|
|
|
if (err) {
|
2020-05-05 13:19:03 +03:00
|
|
|
error_reportf_err(err, "sd_init failed: ");
|
2016-02-18 17:16:18 +03:00
|
|
|
return NULL;
|
2009-05-03 19:52:16 +04:00
|
|
|
}
|
2016-02-18 17:16:18 +03:00
|
|
|
|
sd: Hide the qdev-but-not-quite thing created by sd_init()
Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device
itself, not its users. It kept sd_init() around for non-QOMified
users.
More than four years later, three such users remain: omap1 (machines
cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not
QOMified, and pl181 (machines integratorcp, realview-eb,
realview-eb-mpcore, realview-pb-a8 realview-pbx-a9, versatileab,
versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.
The issue I presently have with this: an "sd-card" device should plug
into an "sd-bus" (its DeviceClass member bus_type says so), but
sd_init() leaves it unplugged. This is normally a bug (I just fixed
some instances), and I'd like to assert proper pluggedness to prevent
regressions. However, the qdev-but-not-quite thing returned by
sd_init() would fail the assertion. Meh.
Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree",
here's the change for cheetah:
/machine (cheetah-machine)
[...]
/unattached (container)
[...]
/device[5] (serial-mm)
/serial (serial)
/serial[0] (qemu:memory-region)
- /device[6] (sd-card)
- /device[7] (omap-gpio)
+ /device[6] (omap-gpio)
[rest of device[*] renumbered...]
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-06-09 15:23:38 +03:00
|
|
|
sd = SD_CARD(dev);
|
|
|
|
sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
|
|
|
|
return sd;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2007-11-17 17:34:44 +03:00
|
|
|
void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2007-11-17 17:34:44 +03:00
|
|
|
sd->readonly_cb = readonly;
|
|
|
|
sd->inserted_cb = insert;
|
2021-01-18 15:34:47 +03:00
|
|
|
qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
|
2014-10-07 15:59:18 +04:00
|
|
|
qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2021-02-16 18:02:21 +03:00
|
|
|
static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
|
|
|
|
{
|
|
|
|
trace_sdcard_read_block(addr, len);
|
block: Change blk_{pread,pwrite}() param order
Swap 'buf' and 'bytes' around for consistency with
blk_co_{pread,pwrite}(), and in preparation to implement these functions
using generated_co_wrapper.
Callers were updated using this Coccinelle script:
@@ expression blk, offset, buf, bytes, flags; @@
- blk_pread(blk, offset, buf, bytes, flags)
+ blk_pread(blk, offset, bytes, buf, flags)
@@ expression blk, offset, buf, bytes, flags; @@
- blk_pwrite(blk, offset, buf, bytes, flags)
+ blk_pwrite(blk, offset, bytes, buf, flags)
It had no effect on hw/block/nand.c, presumably due to the #if, so that
file was updated manually.
Overly-long lines were then fixed by hand.
Signed-off-by: Alberto Faria <afaria@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220705161527.1054072-4-afaria@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
2022-07-05 19:15:11 +03:00
|
|
|
if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) {
|
2021-02-16 18:02:21 +03:00
|
|
|
fprintf(stderr, "sd_blk_read: read error on host side\n");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
|
|
|
|
{
|
|
|
|
trace_sdcard_write_block(addr, len);
|
block: Change blk_{pread,pwrite}() param order
Swap 'buf' and 'bytes' around for consistency with
blk_co_{pread,pwrite}(), and in preparation to implement these functions
using generated_co_wrapper.
Callers were updated using this Coccinelle script:
@@ expression blk, offset, buf, bytes, flags; @@
- blk_pread(blk, offset, buf, bytes, flags)
+ blk_pread(blk, offset, bytes, buf, flags)
@@ expression blk, offset, buf, bytes, flags; @@
- blk_pwrite(blk, offset, buf, bytes, flags)
+ blk_pwrite(blk, offset, bytes, buf, flags)
It had no effect on hw/block/nand.c, presumably due to the #if, so that
file was updated manually.
Overly-long lines were then fixed by hand.
Signed-off-by: Alberto Faria <afaria@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220705161527.1054072-4-afaria@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
2022-07-05 19:15:11 +03:00
|
|
|
if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) {
|
2021-02-16 18:02:21 +03:00
|
|
|
fprintf(stderr, "sd_blk_write: write error on host side\n");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
|
|
|
|
#define APP_WRITE_BLOCK(a, len)
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
static void sd_erase(SDState *sd)
|
|
|
|
{
|
2012-10-30 11:45:12 +04:00
|
|
|
uint64_t erase_start = sd->erase_start;
|
|
|
|
uint64_t erase_end = sd->erase_end;
|
2021-02-16 18:02:22 +03:00
|
|
|
bool sdsc = true;
|
2021-02-20 11:58:13 +03:00
|
|
|
uint64_t wpnum;
|
|
|
|
uint64_t erase_addr;
|
|
|
|
int erase_len = 1 << HWBLOCK_SHIFT;
|
2012-10-30 11:45:12 +04:00
|
|
|
|
2020-09-13 14:18:19 +03:00
|
|
|
trace_sdcard_erase(sd->erase_start, sd->erase_end);
|
2020-09-18 20:05:20 +03:00
|
|
|
if (sd->erase_start == INVALID_ADDRESS
|
|
|
|
|| sd->erase_end == INVALID_ADDRESS) {
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->card_status |= ERASE_SEQ_ERROR;
|
2020-09-13 14:18:31 +03:00
|
|
|
sd->erase_start = INVALID_ADDRESS;
|
|
|
|
sd->erase_end = INVALID_ADDRESS;
|
2007-04-06 20:49:48 +04:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
|
2012-10-30 11:45:12 +04:00
|
|
|
/* High capacity memory card: erase units are 512 byte blocks */
|
2020-10-25 21:36:59 +03:00
|
|
|
erase_start <<= HWBLOCK_SHIFT;
|
|
|
|
erase_end <<= HWBLOCK_SHIFT;
|
2021-02-16 18:02:22 +03:00
|
|
|
sdsc = false;
|
2012-10-30 11:45:12 +04:00
|
|
|
}
|
|
|
|
|
2021-02-16 18:02:18 +03:00
|
|
|
if (erase_start > sd->size || erase_end > sd->size) {
|
2020-09-13 14:18:52 +03:00
|
|
|
sd->card_status |= OUT_OF_RANGE;
|
|
|
|
sd->erase_start = INVALID_ADDRESS;
|
|
|
|
sd->erase_end = INVALID_ADDRESS;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2020-09-18 20:05:20 +03:00
|
|
|
sd->erase_start = INVALID_ADDRESS;
|
|
|
|
sd->erase_end = INVALID_ADDRESS;
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->csd[14] |= 0x40;
|
|
|
|
|
2021-02-20 11:58:13 +03:00
|
|
|
memset(sd->data, 0xff, erase_len);
|
|
|
|
for (erase_addr = erase_start; erase_addr <= erase_end;
|
|
|
|
erase_addr += erase_len) {
|
|
|
|
if (sdsc) {
|
|
|
|
/* Only SDSC cards support write protect groups */
|
|
|
|
wpnum = sd_addr_to_wpnum(erase_addr);
|
2021-07-28 20:42:24 +03:00
|
|
|
assert(wpnum < sd->wp_group_bits);
|
|
|
|
if (test_bit(wpnum, sd->wp_group_bmap)) {
|
2021-02-16 18:02:22 +03:00
|
|
|
sd->card_status |= WP_ERASE_SKIP;
|
2021-02-20 11:58:13 +03:00
|
|
|
continue;
|
2021-02-16 18:02:22 +03:00
|
|
|
}
|
2012-08-13 14:04:06 +04:00
|
|
|
}
|
2024-04-08 16:41:56 +03:00
|
|
|
sd_blk_write(sd, erase_addr, erase_len);
|
2012-08-13 14:04:06 +04:00
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2009-11-03 17:28:19 +03:00
|
|
|
static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
uint32_t i, wpnum;
|
|
|
|
uint32_t ret = 0;
|
|
|
|
|
2012-08-13 14:04:06 +04:00
|
|
|
wpnum = sd_addr_to_wpnum(addr);
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2012-08-13 14:04:06 +04:00
|
|
|
for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
|
2021-07-28 20:38:05 +03:00
|
|
|
if (addr >= sd->size) {
|
|
|
|
/*
|
|
|
|
* If the addresses of the last groups are outside the valid range,
|
|
|
|
* then the corresponding write protection bits shall be set to 0.
|
|
|
|
*/
|
|
|
|
continue;
|
|
|
|
}
|
2021-07-28 20:42:24 +03:00
|
|
|
assert(wpnum < sd->wp_group_bits);
|
|
|
|
if (test_bit(wpnum, sd->wp_group_bmap)) {
|
2007-04-06 20:49:48 +04:00
|
|
|
ret |= (1 << i);
|
2012-08-13 14:04:06 +04:00
|
|
|
}
|
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void sd_function_switch(SDState *sd, uint32_t arg)
|
|
|
|
{
|
2018-02-22 18:12:53 +03:00
|
|
|
int i, mode, new_func;
|
2007-04-06 20:49:48 +04:00
|
|
|
mode = !!(arg & 0x80000000);
|
|
|
|
|
|
|
|
sd->data[0] = 0x00; /* Maximum current consumption */
|
|
|
|
sd->data[1] = 0x01;
|
|
|
|
sd->data[2] = 0x80; /* Supported group 6 functions */
|
|
|
|
sd->data[3] = 0x01;
|
|
|
|
sd->data[4] = 0x80; /* Supported group 5 functions */
|
|
|
|
sd->data[5] = 0x01;
|
|
|
|
sd->data[6] = 0x80; /* Supported group 4 functions */
|
|
|
|
sd->data[7] = 0x01;
|
|
|
|
sd->data[8] = 0x80; /* Supported group 3 functions */
|
|
|
|
sd->data[9] = 0x01;
|
|
|
|
sd->data[10] = 0x80; /* Supported group 2 functions */
|
|
|
|
sd->data[11] = 0x43;
|
|
|
|
sd->data[12] = 0x80; /* Supported group 1 functions */
|
|
|
|
sd->data[13] = 0x03;
|
2020-08-21 17:45:35 +03:00
|
|
|
|
2020-10-24 04:49:54 +03:00
|
|
|
memset(&sd->data[14], 0, 3);
|
2007-04-06 20:49:48 +04:00
|
|
|
for (i = 0; i < 6; i ++) {
|
|
|
|
new_func = (arg >> (i * 4)) & 0x0f;
|
|
|
|
if (mode && new_func != 0x0f)
|
|
|
|
sd->function_group[i] = new_func;
|
2020-08-21 17:45:35 +03:00
|
|
|
sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
memset(&sd->data[17], 0, 47);
|
|
|
|
}
|
|
|
|
|
2012-08-13 14:04:07 +04:00
|
|
|
static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2021-07-28 20:42:24 +03:00
|
|
|
return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void sd_lock_command(SDState *sd)
|
|
|
|
{
|
|
|
|
int erase, lock, clr_pwd, set_pwd, pwd_len;
|
|
|
|
erase = !!(sd->data[0] & 0x08);
|
|
|
|
lock = sd->data[0] & 0x04;
|
|
|
|
clr_pwd = sd->data[0] & 0x02;
|
|
|
|
set_pwd = sd->data[0] & 0x01;
|
|
|
|
|
|
|
|
if (sd->blk_len > 1)
|
|
|
|
pwd_len = sd->data[1];
|
|
|
|
else
|
|
|
|
pwd_len = 0;
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
if (lock) {
|
|
|
|
trace_sdcard_lock();
|
|
|
|
} else {
|
|
|
|
trace_sdcard_unlock();
|
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
if (erase) {
|
|
|
|
if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
|
|
|
|
set_pwd || clr_pwd || lock || sd->wp_switch ||
|
|
|
|
(sd->csd[14] & 0x20)) {
|
|
|
|
sd->card_status |= LOCK_UNLOCK_FAILED;
|
|
|
|
return;
|
|
|
|
}
|
2021-07-28 20:42:24 +03:00
|
|
|
bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits);
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->csd[14] &= ~0x10;
|
|
|
|
sd->card_status &= ~CARD_IS_LOCKED;
|
|
|
|
sd->pwd_len = 0;
|
|
|
|
/* Erasing the entire card here! */
|
2008-04-15 01:05:22 +04:00
|
|
|
fprintf(stderr, "SD: Card force-erased by CMD42\n");
|
2007-04-06 20:49:48 +04:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sd->blk_len < 2 + pwd_len ||
|
|
|
|
pwd_len <= sd->pwd_len ||
|
|
|
|
pwd_len > sd->pwd_len + 16) {
|
|
|
|
sd->card_status |= LOCK_UNLOCK_FAILED;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
|
|
|
|
sd->card_status |= LOCK_UNLOCK_FAILED;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
pwd_len -= sd->pwd_len;
|
|
|
|
if ((pwd_len && !set_pwd) ||
|
|
|
|
(clr_pwd && (set_pwd || lock)) ||
|
|
|
|
(lock && !sd->pwd_len && !set_pwd) ||
|
|
|
|
(!set_pwd && !clr_pwd &&
|
|
|
|
(((sd->card_status & CARD_IS_LOCKED) && lock) ||
|
|
|
|
(!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
|
|
|
|
sd->card_status |= LOCK_UNLOCK_FAILED;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (set_pwd) {
|
|
|
|
memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
|
|
|
|
sd->pwd_len = pwd_len;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (clr_pwd) {
|
|
|
|
sd->pwd_len = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (lock)
|
|
|
|
sd->card_status |= CARD_IS_LOCKED;
|
|
|
|
else
|
|
|
|
sd->card_status &= ~CARD_IS_LOCKED;
|
|
|
|
}
|
|
|
|
|
2021-06-07 16:32:06 +03:00
|
|
|
static bool address_in_range(SDState *sd, const char *desc,
|
|
|
|
uint64_t addr, uint32_t length)
|
|
|
|
{
|
|
|
|
if (addr + length > sd->size) {
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR,
|
|
|
|
"%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n",
|
|
|
|
desc, addr, sd->size, length);
|
|
|
|
sd->card_status |= ADDRESS_ERROR;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2021-06-07 18:24:58 +03:00
|
|
|
static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req)
|
|
|
|
{
|
2022-05-30 20:09:27 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n",
|
2024-06-24 21:19:10 +03:00
|
|
|
sd->proto->name, req.cmd, sd_state_name(sd->state),
|
2022-05-30 19:56:06 +03:00
|
|
|
sd_version_str(sd->spec_version));
|
2021-06-07 18:24:58 +03:00
|
|
|
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
|
|
|
|
2024-06-13 23:45:43 +03:00
|
|
|
static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req)
|
|
|
|
{
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n",
|
2024-06-24 21:19:10 +03:00
|
|
|
sd->proto->name, req.cmd, sd_mode_name(sd->mode),
|
2024-06-13 23:45:43 +03:00
|
|
|
sd_version_str(sd->spec_version));
|
|
|
|
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
|
|
|
|
2021-06-24 14:22:40 +03:00
|
|
|
static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req)
|
|
|
|
{
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n",
|
2024-06-24 21:19:10 +03:00
|
|
|
sd->proto->name, req.cmd,
|
2021-06-24 14:22:40 +03:00
|
|
|
sd_version_str(sd->spec_version));
|
|
|
|
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
|
|
|
|
2021-06-24 14:29:49 +03:00
|
|
|
/* Commands that are recognised but not yet implemented. */
|
2024-06-20 15:43:13 +03:00
|
|
|
__attribute__((unused))
|
2021-06-24 14:29:49 +03:00
|
|
|
static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req)
|
|
|
|
{
|
|
|
|
qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n",
|
2024-06-24 21:19:10 +03:00
|
|
|
sd->proto->name, req.cmd);
|
2021-06-24 14:29:49 +03:00
|
|
|
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
|
|
|
|
2024-06-13 17:21:50 +03:00
|
|
|
/* Configure fields for following sd_generic_write_byte() calls */
|
|
|
|
__attribute__((unused))
|
|
|
|
static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req,
|
|
|
|
uint64_t start, size_t size)
|
|
|
|
{
|
|
|
|
if (sd->state != sd_transfer_state) {
|
|
|
|
return sd_invalid_state_for_cmd(sd, req);
|
|
|
|
}
|
|
|
|
sd->state = sd_receivingdata_state;
|
|
|
|
sd->data_start = start;
|
|
|
|
sd->data_offset = 0;
|
|
|
|
/* sd->data[] used as receive buffer */
|
|
|
|
sd->data_size = size ?: sizeof(sd->data);
|
|
|
|
return sd_r1;
|
|
|
|
}
|
|
|
|
|
2024-06-13 17:21:12 +03:00
|
|
|
/* Configure fields for following sd_generic_read_byte() calls */
|
|
|
|
static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req,
|
|
|
|
uint64_t start,
|
|
|
|
const void *data, size_t size)
|
|
|
|
{
|
|
|
|
if (sd->state != sd_transfer_state) {
|
|
|
|
sd_invalid_state_for_cmd(sd, req);
|
|
|
|
}
|
|
|
|
|
|
|
|
sd->state = sd_sendingdata_state;
|
|
|
|
sd->data_start = start;
|
|
|
|
sd->data_offset = 0;
|
|
|
|
if (data) {
|
|
|
|
assert(size > 0 && size <= sizeof(sd->data));
|
|
|
|
memcpy(sd->data, data, size);
|
|
|
|
}
|
|
|
|
if (size) {
|
|
|
|
sd->data_size = size;
|
|
|
|
}
|
|
|
|
return sd_r1;
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* CMD0 */
|
2021-06-24 16:48:55 +03:00
|
|
|
static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req)
|
|
|
|
{
|
2024-06-25 06:50:16 +03:00
|
|
|
sd->state = sd_idle_state;
|
|
|
|
sd_reset(DEVICE(sd));
|
2021-06-24 16:48:55 +03:00
|
|
|
|
2023-07-03 09:00:08 +03:00
|
|
|
return sd_is_spi(sd) ? sd_r1 : sd_r0;
|
2021-06-24 16:48:55 +03:00
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* CMD1 */
|
2024-06-17 06:11:12 +03:00
|
|
|
static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req)
|
2021-06-24 16:29:27 +03:00
|
|
|
{
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
|
|
|
|
return sd_r1;
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* CMD2 */
|
2021-06-24 16:36:03 +03:00
|
|
|
static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req)
|
|
|
|
{
|
2024-06-17 17:58:29 +03:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_ready_state:
|
|
|
|
sd->state = sd_identification_state;
|
|
|
|
return sd_r2_i;
|
|
|
|
default:
|
2021-06-24 16:36:03 +03:00
|
|
|
return sd_invalid_state_for_cmd(sd, req);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* CMD3 */
|
2021-06-24 16:46:29 +03:00
|
|
|
static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req)
|
|
|
|
{
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_identification_state:
|
|
|
|
case sd_standby_state:
|
|
|
|
sd->state = sd_standby_state;
|
|
|
|
sd_set_rca(sd);
|
|
|
|
return sd_r6;
|
|
|
|
|
|
|
|
default:
|
|
|
|
return sd_invalid_state_for_cmd(sd, req);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* CMD19 */
|
2022-05-25 10:21:21 +03:00
|
|
|
static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req)
|
|
|
|
{
|
2024-06-11 17:19:41 +03:00
|
|
|
if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
|
|
|
|
return sd_cmd_illegal(sd, req);
|
|
|
|
}
|
2022-05-25 10:21:21 +03:00
|
|
|
|
2022-06-01 08:15:10 +03:00
|
|
|
return sd_cmd_to_sendingdata(sd, req, 0,
|
|
|
|
sd_tuning_block_pattern4,
|
|
|
|
sizeof(sd_tuning_block_pattern4));
|
2022-05-25 10:21:21 +03:00
|
|
|
}
|
|
|
|
|
2020-10-25 22:17:47 +03:00
|
|
|
/* CMD23 */
|
2022-05-30 20:20:25 +03:00
|
|
|
static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req)
|
|
|
|
{
|
2024-06-11 17:19:41 +03:00
|
|
|
if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
|
|
|
|
return sd_cmd_illegal(sd, req);
|
|
|
|
}
|
2022-05-30 20:20:25 +03:00
|
|
|
|
2024-06-11 17:19:41 +03:00
|
|
|
if (sd->state != sd_transfer_state) {
|
|
|
|
return sd_invalid_state_for_cmd(sd, req);
|
|
|
|
}
|
2022-05-30 20:20:25 +03:00
|
|
|
|
2024-06-11 17:19:41 +03:00
|
|
|
sd->multi_blk_cnt = req.arg;
|
2024-06-14 02:20:22 +03:00
|
|
|
trace_sdcard_set_block_count(sd->multi_blk_cnt);
|
2022-05-30 20:20:25 +03:00
|
|
|
|
2024-06-11 17:19:41 +03:00
|
|
|
return sd_r1;
|
2022-05-30 20:20:25 +03:00
|
|
|
}
|
|
|
|
|
2018-03-09 20:09:44 +03:00
|
|
|
static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
2024-06-19 23:12:35 +03:00
|
|
|
uint16_t rca;
|
2024-06-20 15:29:46 +03:00
|
|
|
uint64_t addr;
|
2024-06-13 00:28:24 +03:00
|
|
|
uint32_t data;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2024-06-14 02:44:28 +03:00
|
|
|
sd->last_cmd_name = sd_cmd_name(req.cmd);
|
2018-03-09 20:09:44 +03:00
|
|
|
/* CMD55 precedes an ACMD, so we are not interested in tracing it.
|
|
|
|
* However there is no ACMD55, so we want to trace this particular case.
|
|
|
|
*/
|
|
|
|
if (req.cmd != 55 || sd->expecting_acmd) {
|
2024-06-24 21:19:10 +03:00
|
|
|
trace_sdcard_normal_command(sd->proto->name,
|
2024-06-14 02:44:28 +03:00
|
|
|
sd->last_cmd_name, req.cmd,
|
2018-03-09 20:09:44 +03:00
|
|
|
req.arg, sd_state_name(sd->state));
|
2018-03-09 20:09:44 +03:00
|
|
|
}
|
2018-02-22 18:12:52 +03:00
|
|
|
|
2011-12-19 00:37:59 +04:00
|
|
|
/* Not interpreting this as an app command */
|
|
|
|
sd->card_status &= ~APP_CMD;
|
|
|
|
|
2016-02-18 17:16:19 +03:00
|
|
|
/* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
|
|
|
|
* if not, its effects are cancelled */
|
|
|
|
if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
|
|
|
|
sd->multi_blk_cnt = 0;
|
|
|
|
}
|
|
|
|
|
2020-06-03 20:59:16 +03:00
|
|
|
if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
|
|
|
|
/* Only Standard Capacity cards support class 6 commands */
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
|
|
|
|
2024-06-24 21:19:10 +03:00
|
|
|
if (sd->proto->cmd[req.cmd]) {
|
|
|
|
return sd->proto->cmd[req.cmd](sd, req);
|
2021-06-24 14:00:08 +03:00
|
|
|
}
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (req.cmd) {
|
|
|
|
/* Basic commands (Class 0 and Class 1) */
|
|
|
|
case 4: /* CMD4: SEND_DSR */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_standby_state:
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 6: /* CMD6: SWITCH_FUNCTION */
|
2024-06-13 23:45:43 +03:00
|
|
|
if (sd->mode != sd_data_transfer_mode) {
|
|
|
|
return sd_invalid_mode_for_cmd(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
2024-06-25 05:48:12 +03:00
|
|
|
if (sd->state != sd_transfer_state) {
|
|
|
|
return sd_invalid_state_for_cmd(sd, req);
|
|
|
|
}
|
|
|
|
|
2024-06-13 23:45:43 +03:00
|
|
|
sd_function_switch(sd, req.arg);
|
2024-06-13 00:09:08 +03:00
|
|
|
return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64);
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
case 7: /* CMD7: SELECT/DESELECT_CARD */
|
2024-06-19 23:12:35 +03:00
|
|
|
rca = sd_req_get_rca(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_standby_state:
|
|
|
|
if (sd->rca != rca)
|
|
|
|
return sd_r0;
|
|
|
|
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
case sd_transfer_state:
|
|
|
|
case sd_sendingdata_state:
|
|
|
|
if (sd->rca == rca)
|
|
|
|
break;
|
|
|
|
|
|
|
|
sd->state = sd_standby_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
case sd_disconnect_state:
|
|
|
|
if (sd->rca != rca)
|
|
|
|
return sd_r0;
|
|
|
|
|
|
|
|
sd->state = sd_programming_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
case sd_programming_state:
|
|
|
|
if (sd->rca == rca)
|
|
|
|
break;
|
|
|
|
|
|
|
|
sd->state = sd_disconnect_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2007-12-24 17:41:39 +03:00
|
|
|
case 8: /* CMD8: SEND_IF_COND */
|
2018-06-08 15:15:34 +03:00
|
|
|
if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
|
|
|
|
break;
|
|
|
|
}
|
2018-02-22 18:12:54 +03:00
|
|
|
if (sd->state != sd_idle_state) {
|
2007-12-24 17:41:39 +03:00
|
|
|
break;
|
|
|
|
}
|
2018-02-22 18:12:54 +03:00
|
|
|
sd->vhs = 0;
|
|
|
|
|
|
|
|
/* No response if not exactly one VHS bit is set. */
|
|
|
|
if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
|
2023-07-03 09:00:08 +03:00
|
|
|
return sd_is_spi(sd) ? sd_r7 : sd_r0;
|
2018-02-22 18:12:54 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Accept. */
|
|
|
|
sd->vhs = req.arg;
|
|
|
|
return sd_r7;
|
2007-12-24 17:41:39 +03:00
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
case 9: /* CMD9: SEND_CSD */
|
2024-06-19 23:12:35 +03:00
|
|
|
rca = sd_req_get_rca(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_standby_state:
|
|
|
|
if (sd->rca != rca)
|
|
|
|
return sd_r0;
|
|
|
|
|
|
|
|
return sd_r2_s;
|
|
|
|
|
2007-11-25 02:35:08 +03:00
|
|
|
case sd_transfer_state:
|
2023-07-03 09:00:08 +03:00
|
|
|
if (!sd_is_spi(sd)) {
|
2007-11-25 02:35:08 +03:00
|
|
|
break;
|
2023-07-03 09:00:08 +03:00
|
|
|
}
|
2022-06-01 08:13:05 +03:00
|
|
|
return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
|
|
|
|
sd->csd, 16);
|
2007-11-25 02:35:08 +03:00
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 10: /* CMD10: SEND_CID */
|
2024-06-19 23:12:35 +03:00
|
|
|
rca = sd_req_get_rca(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_standby_state:
|
|
|
|
if (sd->rca != rca)
|
|
|
|
return sd_r0;
|
|
|
|
|
|
|
|
return sd_r2_i;
|
|
|
|
|
2007-11-25 02:35:08 +03:00
|
|
|
case sd_transfer_state:
|
2023-07-03 09:00:08 +03:00
|
|
|
if (!sd_is_spi(sd)) {
|
2007-11-25 02:35:08 +03:00
|
|
|
break;
|
2023-07-03 09:00:08 +03:00
|
|
|
}
|
2022-06-01 08:13:05 +03:00
|
|
|
return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req),
|
|
|
|
sd->cid, 16);
|
2007-11-25 02:35:08 +03:00
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 12: /* CMD12: STOP_TRANSMISSION */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_sendingdata_state:
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
case sd_receivingdata_state:
|
|
|
|
sd->state = sd_programming_state;
|
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 13: /* CMD13: SEND_STATUS */
|
2024-06-19 23:12:35 +03:00
|
|
|
rca = sd_req_get_rca(sd, req);
|
2024-06-13 23:45:43 +03:00
|
|
|
if (sd->mode != sd_data_transfer_mode) {
|
|
|
|
return sd_invalid_mode_for_cmd(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
2024-06-13 23:45:43 +03:00
|
|
|
if (!sd_is_spi(sd) && sd->rca != rca) {
|
|
|
|
return sd_r0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return sd_r1;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
case 15: /* CMD15: GO_INACTIVE_STATE */
|
2024-06-13 23:45:43 +03:00
|
|
|
if (sd->mode != sd_data_transfer_mode) {
|
|
|
|
return sd_invalid_mode_for_cmd(sd, req);
|
|
|
|
}
|
2024-06-19 23:12:35 +03:00
|
|
|
rca = sd_req_get_rca(sd, req);
|
2024-06-13 23:45:43 +03:00
|
|
|
if (sd->rca == rca) {
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->state = sd_inactive_state;
|
|
|
|
}
|
2024-06-13 23:45:43 +03:00
|
|
|
return sd_r0;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2023-08-23 09:53:30 +03:00
|
|
|
/* Block read commands (Class 2) */
|
2007-04-06 20:49:48 +04:00
|
|
|
case 16: /* CMD16: SET_BLOCKLEN */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2018-02-22 18:12:52 +03:00
|
|
|
if (req.arg > (1 << HWBLOCK_SHIFT)) {
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->card_status |= BLOCK_LEN_ERROR;
|
2018-02-22 18:12:52 +03:00
|
|
|
} else {
|
|
|
|
trace_sdcard_set_blocklen(req.arg);
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->blk_len = req.arg;
|
2018-02-22 18:12:52 +03:00
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 17: /* CMD17: READ_SINGLE_BLOCK */
|
2024-06-25 06:36:27 +03:00
|
|
|
addr = sd_req_get_address(sd, req);
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
|
|
|
|
if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) {
|
|
|
|
return sd_r1;
|
|
|
|
}
|
2022-06-01 08:27:51 +03:00
|
|
|
sd_blk_read(sd, addr, sd->blk_len);
|
|
|
|
return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len);
|
2024-06-25 06:36:27 +03:00
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
|
2024-06-20 15:29:46 +03:00
|
|
|
addr = sd_req_get_address(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
|
2021-06-07 16:32:06 +03:00
|
|
|
if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) {
|
2020-06-04 20:22:29 +03:00
|
|
|
return sd_r1;
|
2020-07-13 10:27:35 +03:00
|
|
|
}
|
2020-06-04 20:22:29 +03:00
|
|
|
|
|
|
|
sd->state = sd_sendingdata_state;
|
|
|
|
sd->data_start = addr;
|
|
|
|
sd->data_offset = 0;
|
2007-04-06 20:49:48 +04:00
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* Block write commands (Class 4) */
|
|
|
|
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
|
2024-06-25 10:14:09 +03:00
|
|
|
addr = sd_req_get_address(sd, req);
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
|
|
|
|
if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr,
|
|
|
|
sd->blk_len)) {
|
|
|
|
return sd_r1;
|
|
|
|
}
|
|
|
|
|
|
|
|
sd->state = sd_receivingdata_state;
|
|
|
|
sd->data_start = addr;
|
|
|
|
sd->data_offset = 0;
|
|
|
|
|
|
|
|
if (sd->size <= SDSC_MAX_CAPACITY) {
|
|
|
|
if (sd_wp_addr(sd, sd->data_start)) {
|
|
|
|
sd->card_status |= WP_VIOLATION;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (sd->csd[14] & 0x30) {
|
|
|
|
sd->card_status |= WP_VIOLATION;
|
|
|
|
}
|
|
|
|
sd->blk_written = 0;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
|
2024-06-20 15:29:46 +03:00
|
|
|
addr = sd_req_get_address(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2020-06-04 20:22:29 +03:00
|
|
|
|
2021-06-07 16:32:06 +03:00
|
|
|
if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) {
|
2020-06-04 20:22:29 +03:00
|
|
|
return sd_r1;
|
|
|
|
}
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->state = sd_receivingdata_state;
|
2009-11-03 17:28:19 +03:00
|
|
|
sd->data_start = addr;
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->data_offset = 0;
|
|
|
|
sd->blk_written = 0;
|
|
|
|
|
2021-02-16 18:02:24 +03:00
|
|
|
if (sd->size <= SDSC_MAX_CAPACITY) {
|
|
|
|
if (sd_wp_addr(sd, sd->data_start)) {
|
|
|
|
sd->card_status |= WP_VIOLATION;
|
|
|
|
}
|
2020-07-13 10:27:35 +03:00
|
|
|
}
|
|
|
|
if (sd->csd[14] & 0x30) {
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->card_status |= WP_VIOLATION;
|
2020-07-13 10:27:35 +03:00
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 26: /* CMD26: PROGRAM_CID */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
sd->state = sd_receivingdata_state;
|
|
|
|
sd->data_start = 0;
|
|
|
|
sd->data_offset = 0;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 27: /* CMD27: PROGRAM_CSD */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
sd->state = sd_receivingdata_state;
|
|
|
|
sd->data_start = 0;
|
|
|
|
sd->data_offset = 0;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* Write protection (Class 6) */
|
|
|
|
case 28: /* CMD28: SET_WRITE_PROT */
|
2021-02-16 18:02:19 +03:00
|
|
|
if (sd->size > SDSC_MAX_CAPACITY) {
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
2024-06-20 15:29:46 +03:00
|
|
|
addr = sd_req_get_address(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2021-06-07 16:32:06 +03:00
|
|
|
if (!address_in_range(sd, "SET_WRITE_PROT", addr, 1)) {
|
2007-04-06 20:49:48 +04:00
|
|
|
return sd_r1b;
|
|
|
|
}
|
|
|
|
|
|
|
|
sd->state = sd_programming_state;
|
2021-07-28 20:42:24 +03:00
|
|
|
set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
|
2007-04-06 20:49:48 +04:00
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 29: /* CMD29: CLR_WRITE_PROT */
|
2021-02-16 18:02:19 +03:00
|
|
|
if (sd->size > SDSC_MAX_CAPACITY) {
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
2024-06-20 15:29:46 +03:00
|
|
|
addr = sd_req_get_address(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2021-06-07 16:32:06 +03:00
|
|
|
if (!address_in_range(sd, "CLR_WRITE_PROT", addr, 1)) {
|
2007-04-06 20:49:48 +04:00
|
|
|
return sd_r1b;
|
|
|
|
}
|
|
|
|
|
|
|
|
sd->state = sd_programming_state;
|
2021-07-28 20:42:24 +03:00
|
|
|
clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap);
|
2007-04-06 20:49:48 +04:00
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 30: /* CMD30: SEND_WRITE_PROT */
|
2021-02-16 18:02:19 +03:00
|
|
|
if (sd->size > SDSC_MAX_CAPACITY) {
|
|
|
|
return sd_illegal;
|
|
|
|
}
|
2024-06-20 15:29:46 +03:00
|
|
|
addr = sd_req_get_address(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2021-06-29 11:09:28 +03:00
|
|
|
if (!address_in_range(sd, "SEND_WRITE_PROT",
|
|
|
|
req.arg, sd->blk_len)) {
|
|
|
|
return sd_r1;
|
|
|
|
}
|
2024-06-13 00:28:24 +03:00
|
|
|
data = sd_wpbits(sd, req.arg);
|
|
|
|
return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data));
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* Erase commands (Class 5) */
|
|
|
|
case 32: /* CMD32: ERASE_WR_BLK_START */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
sd->erase_start = req.arg;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 33: /* CMD33: ERASE_WR_BLK_END */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
sd->erase_end = req.arg;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 38: /* CMD38: ERASE */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
if (sd->csd[14] & 0x30) {
|
|
|
|
sd->card_status |= WP_VIOLATION;
|
|
|
|
return sd_r1b;
|
|
|
|
}
|
|
|
|
|
|
|
|
sd->state = sd_programming_state;
|
|
|
|
sd_erase(sd);
|
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return sd_r1b;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* Lock card commands (Class 7) */
|
|
|
|
case 42: /* CMD42: LOCK_UNLOCK */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
sd->state = sd_receivingdata_state;
|
|
|
|
sd->data_start = 0;
|
|
|
|
sd->data_offset = 0;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* Application specific commands (Class 8) */
|
|
|
|
case 55: /* CMD55: APP_CMD */
|
2024-06-19 23:12:35 +03:00
|
|
|
rca = sd_req_get_rca(sd, req);
|
2018-02-22 18:12:54 +03:00
|
|
|
switch (sd->state) {
|
|
|
|
case sd_ready_state:
|
|
|
|
case sd_identification_state:
|
|
|
|
return sd_illegal;
|
2018-02-22 18:12:54 +03:00
|
|
|
case sd_idle_state:
|
|
|
|
if (rca) {
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR,
|
|
|
|
"SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
|
|
|
|
}
|
2018-02-22 18:12:54 +03:00
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
2023-07-03 09:00:08 +03:00
|
|
|
if (!sd_is_spi(sd)) {
|
2018-02-22 18:12:53 +03:00
|
|
|
if (sd->rca != rca) {
|
|
|
|
return sd_r0;
|
|
|
|
}
|
|
|
|
}
|
2012-08-13 14:04:06 +04:00
|
|
|
sd->expecting_acmd = true;
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->card_status |= APP_CMD;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
case 56: /* CMD56: GEN_CMD */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
sd->data_offset = 0;
|
|
|
|
if (req.arg & 1)
|
|
|
|
sd->state = sd_sendingdata_state;
|
|
|
|
else
|
|
|
|
sd->state = sd_receivingdata_state;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2018-02-22 18:12:53 +03:00
|
|
|
case 58: /* CMD58: READ_OCR (SPI) */
|
|
|
|
return sd_r3;
|
|
|
|
|
|
|
|
case 59: /* CMD59: CRC_ON_OFF (SPI) */
|
2021-01-23 13:39:55 +03:00
|
|
|
return sd_r1;
|
2018-02-22 18:12:53 +03:00
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
default:
|
2016-02-18 17:16:20 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
|
2011-12-19 00:37:55 +04:00
|
|
|
return sd_illegal;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2021-06-07 18:24:58 +03:00
|
|
|
return sd_invalid_state_for_cmd(sd, req);
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2009-10-02 01:12:16 +04:00
|
|
|
static sd_rsp_type_t sd_app_command(SDState *sd,
|
2010-04-25 23:31:06 +04:00
|
|
|
SDRequest req)
|
|
|
|
{
|
2024-06-14 02:44:28 +03:00
|
|
|
sd->last_cmd_name = sd_acmd_name(req.cmd);
|
2024-06-24 21:19:10 +03:00
|
|
|
trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name,
|
2018-03-09 20:09:44 +03:00
|
|
|
req.cmd, req.arg, sd_state_name(sd->state));
|
2011-12-19 00:37:59 +04:00
|
|
|
sd->card_status |= APP_CMD;
|
2021-06-24 14:00:08 +03:00
|
|
|
|
2024-06-24 21:19:10 +03:00
|
|
|
if (sd->proto->acmd[req.cmd]) {
|
|
|
|
return sd->proto->acmd[req.cmd](sd, req);
|
2021-06-24 14:00:08 +03:00
|
|
|
}
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (req.cmd) {
|
|
|
|
case 6: /* ACMD6: SET_BUS_WIDTH */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
sd->sd_status[0] &= 0x3f;
|
|
|
|
sd->sd_status[0] |= (req.arg & 0x03) << 6;
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 13: /* ACMD13: SD_STATUS */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2022-06-01 08:25:08 +03:00
|
|
|
return sd_cmd_to_sendingdata(sd, req, 0,
|
|
|
|
sd->sd_status,
|
|
|
|
sizeof(sd->sd_status));
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2024-06-13 00:44:53 +03:00
|
|
|
return sd_cmd_to_sendingdata(sd, req, 0,
|
|
|
|
&sd->blk_written,
|
|
|
|
sizeof(sd->blk_written));
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 41: /* ACMD41: SD_APP_OP_COND */
|
2018-02-22 18:12:54 +03:00
|
|
|
if (sd->state != sd_idle_state) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
/* If it's the first ACMD41 since reset, we need to decide
|
|
|
|
* whether to power up. If this is not an enquiry ACMD41,
|
|
|
|
* we immediately report power on and proceed below to the
|
|
|
|
* ready state, but if it is, we set a timer to model a
|
|
|
|
* delay for power up. This works around a bug in EDK2
|
|
|
|
* UEFI, which sends an initial enquiry ACMD41, but
|
|
|
|
* assumes that the card is in ready state as soon as it
|
|
|
|
* sees the power up bit set. */
|
|
|
|
if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
|
|
|
|
if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
|
|
|
|
timer_del(sd->ocr_power_timer);
|
|
|
|
sd_ocr_powerup(sd);
|
|
|
|
} else {
|
|
|
|
trace_sdcard_inquiry_cmd41();
|
|
|
|
if (!timer_pending(sd->ocr_power_timer)) {
|
|
|
|
timer_mod_ns(sd->ocr_power_timer,
|
|
|
|
(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
|
|
|
|
+ OCR_POWER_DELAY_NS));
|
2016-02-18 17:16:20 +03:00
|
|
|
}
|
|
|
|
}
|
2018-02-22 18:12:54 +03:00
|
|
|
}
|
2016-02-18 17:16:20 +03:00
|
|
|
|
2018-02-22 18:12:54 +03:00
|
|
|
if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
|
2013-06-03 20:17:45 +04:00
|
|
|
/* We accept any voltage. 10000 V is nothing.
|
|
|
|
*
|
2016-02-18 17:16:20 +03:00
|
|
|
* Once we're powered up, we advance straight to ready state
|
2013-06-03 20:17:45 +04:00
|
|
|
* unless it's an enquiry ACMD41 (bits 23:0 == 0).
|
|
|
|
*/
|
2018-02-22 18:12:54 +03:00
|
|
|
sd->state = sd_ready_state;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
2018-02-22 18:12:54 +03:00
|
|
|
|
|
|
|
return sd_r3;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
case 42: /* ACMD42: SET_CLR_CARD_DETECT */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
|
|
|
/* Bringing in the 50KOhm pull-up resistor... Done. */
|
|
|
|
return sd_r1;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 51: /* ACMD51: SEND_SCR */
|
|
|
|
switch (sd->state) {
|
|
|
|
case sd_transfer_state:
|
2022-06-01 08:24:07 +03:00
|
|
|
return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr));
|
2007-04-06 20:49:48 +04:00
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2018-02-22 18:12:53 +03:00
|
|
|
case 18: /* Reserved for SD security applications */
|
|
|
|
case 25:
|
|
|
|
case 26:
|
|
|
|
case 38:
|
|
|
|
case 43 ... 49:
|
|
|
|
/* Refer to the "SD Specifications Part3 Security Specification" for
|
|
|
|
* information about the SD Security Features.
|
|
|
|
*/
|
|
|
|
qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
|
|
|
|
req.cmd);
|
|
|
|
return sd_illegal;
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
default:
|
|
|
|
/* Fall back to standard commands. */
|
|
|
|
return sd_normal_command(sd, req);
|
|
|
|
}
|
|
|
|
|
2016-02-18 17:16:20 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
|
2011-12-19 00:37:57 +04:00
|
|
|
return sd_illegal;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2024-06-17 06:28:51 +03:00
|
|
|
static bool cmd_valid_while_locked(SDState *sd, unsigned cmd)
|
2011-12-19 00:37:51 +04:00
|
|
|
{
|
|
|
|
/* Valid commands in locked state:
|
|
|
|
* basic class (0)
|
|
|
|
* lock card class (7)
|
|
|
|
* CMD16
|
|
|
|
* implicitly, the ACMD prefix CMD55
|
|
|
|
* ACMD41 and ACMD42
|
|
|
|
* Anything else provokes an "illegal command" response.
|
|
|
|
*/
|
2011-12-19 00:37:59 +04:00
|
|
|
if (sd->expecting_acmd) {
|
2018-06-26 20:46:44 +03:00
|
|
|
return cmd == 41 || cmd == 42;
|
2011-12-19 00:37:51 +04:00
|
|
|
}
|
2018-06-26 20:46:44 +03:00
|
|
|
if (cmd == 16 || cmd == 55) {
|
2024-06-17 06:28:51 +03:00
|
|
|
return true;
|
2011-12-19 00:37:51 +04:00
|
|
|
}
|
2018-06-26 20:46:44 +03:00
|
|
|
return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
|
2011-12-19 00:37:51 +04:00
|
|
|
}
|
|
|
|
|
2009-05-10 04:44:56 +04:00
|
|
|
int sd_do_command(SDState *sd, SDRequest *req,
|
2007-04-06 20:49:48 +04:00
|
|
|
uint8_t *response) {
|
2011-12-19 00:37:58 +04:00
|
|
|
int last_state;
|
2009-10-02 01:12:16 +04:00
|
|
|
sd_rsp_type_t rtype;
|
2007-04-06 20:49:48 +04:00
|
|
|
int rsplen;
|
|
|
|
|
2014-10-07 15:59:18 +04:00
|
|
|
if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
|
2007-04-06 20:49:48 +04:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2024-06-25 06:50:16 +03:00
|
|
|
if (sd->state == sd_inactive_state) {
|
|
|
|
rtype = sd_illegal;
|
|
|
|
goto send_response;
|
|
|
|
}
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
if (sd_req_crc_validate(req)) {
|
2011-12-19 00:37:53 +04:00
|
|
|
sd->card_status |= COM_CRC_ERROR;
|
2011-12-19 00:37:56 +04:00
|
|
|
rtype = sd_illegal;
|
|
|
|
goto send_response;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
|
2018-02-22 18:12:52 +03:00
|
|
|
if (req->cmd >= SDMMC_CMD_MAX) {
|
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
|
|
|
|
req->cmd);
|
|
|
|
req->cmd &= 0x3f;
|
|
|
|
}
|
|
|
|
|
2011-12-19 00:37:58 +04:00
|
|
|
if (sd->card_status & CARD_IS_LOCKED) {
|
2018-06-26 20:46:44 +03:00
|
|
|
if (!cmd_valid_while_locked(sd, req->cmd)) {
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->card_status |= ILLEGAL_COMMAND;
|
2012-08-13 14:04:06 +04:00
|
|
|
sd->expecting_acmd = false;
|
2016-02-18 17:16:20 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
|
2011-12-19 00:37:56 +04:00
|
|
|
rtype = sd_illegal;
|
|
|
|
goto send_response;
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
2011-12-19 00:37:51 +04:00
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2011-12-19 00:37:58 +04:00
|
|
|
last_state = sd->state;
|
|
|
|
sd_set_mode(sd);
|
|
|
|
|
2011-12-19 00:37:59 +04:00
|
|
|
if (sd->expecting_acmd) {
|
2012-08-13 14:04:06 +04:00
|
|
|
sd->expecting_acmd = false;
|
2007-04-06 20:49:48 +04:00
|
|
|
rtype = sd_app_command(sd, *req);
|
2011-12-19 00:37:59 +04:00
|
|
|
} else {
|
2007-04-06 20:49:48 +04:00
|
|
|
rtype = sd_normal_command(sd, *req);
|
2011-12-19 00:37:59 +04:00
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2011-12-19 00:37:55 +04:00
|
|
|
if (rtype == sd_illegal) {
|
|
|
|
sd->card_status |= ILLEGAL_COMMAND;
|
2011-12-19 00:37:58 +04:00
|
|
|
} else {
|
|
|
|
/* Valid command, we can update the 'state before command' bits.
|
|
|
|
* (Do this now so they appear in r1 responses.)
|
|
|
|
*/
|
|
|
|
sd->current_cmd = req->cmd;
|
2024-06-17 14:03:56 +03:00
|
|
|
sd->card_status = FIELD_DP32(sd->card_status, CSR,
|
|
|
|
CURRENT_STATE, last_state);
|
2011-12-19 00:37:55 +04:00
|
|
|
}
|
|
|
|
|
2011-12-19 00:37:56 +04:00
|
|
|
send_response:
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (rtype) {
|
|
|
|
case sd_r1:
|
|
|
|
case sd_r1b:
|
2011-12-19 00:37:58 +04:00
|
|
|
sd_response_r1_make(sd, response);
|
2007-04-06 20:49:48 +04:00
|
|
|
rsplen = 4;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case sd_r2_i:
|
|
|
|
memcpy(response, sd->cid, sizeof(sd->cid));
|
|
|
|
rsplen = 16;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case sd_r2_s:
|
|
|
|
memcpy(response, sd->csd, sizeof(sd->csd));
|
|
|
|
rsplen = 16;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case sd_r3:
|
|
|
|
sd_response_r3_make(sd, response);
|
|
|
|
rsplen = 4;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case sd_r6:
|
|
|
|
sd_response_r6_make(sd, response);
|
|
|
|
rsplen = 4;
|
|
|
|
break;
|
|
|
|
|
2007-12-24 17:41:39 +03:00
|
|
|
case sd_r7:
|
|
|
|
sd_response_r7_make(sd, response);
|
|
|
|
rsplen = 4;
|
|
|
|
break;
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
case sd_r0:
|
hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
For multi-bytes commands, our implementation uses the @data_start
and @data_offset fields to track byte access. We initialize the
command start/offset in buffer once. Malicious guest might abuse
by switching command while staying in the 'transfer' state, switching
command buffer size, and our implementation can access out of buffer
boundary. For example, CMD17 (READ_SINGLE_BLOCK) allows to read up to
512 bytes, and CMD13 (SEND_STATUS) up to 64 bytes. By switching from
CMD17 to CMD13 (see reproducer below), bytes [64-511] are out of the
'status' buffer.
Our implementation return R0 status code for unexpected commands.
Such in-transaction command switch is unexpected and returns R0.
This is a good place to reset the start/offset fields to avoid
malicious accesses.
Can be reproduced running:
$ export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
$ cat << EOF | qemu-system-i386 \
-display none -nographic \
-machine accel=qtest -m 512M \
-nodefaults \
-device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
-qtest stdio -trace sd\* -trace -sdbus_read
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001004
outw 0xcfc 0x02
write 0xe000002c 0x1 0x05
write 0xe000000f 0x1 0x37
write 0xe000000a 0x1 0x01
write 0xe000000f 0x1 0x29
write 0xe000000f 0x1 0x02
write 0xe000000f 0x1 0x03
write 0xe000000c 0x1 0x32
write 0xe000000f 0x1 0x06
write 0xe0000005 0x1 0x01
write 0xe0000007 0x1 0x01
write 0xe0000003 0x1 0x00
write 0xe000000f 0x1 0x11
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
write 0xe000000f 0x1 0x0d
write 0xe000002a 0x1 0x01
write 0xe000002a 0x1 0x02
EOF
hw/sd/sd.c:1984:15: runtime error: index 256 out of bounds for type 'uint8_t [64]'
#0 sd_read_byte hw/sd/sd.c:1984:15
#1 sdbus_read_data hw/sd/core.c:157:23
#2 sdhci_read_block_from_card hw/sd/sdhci.c:423:9
#3 sdhci_blkgap_write hw/sd/sdhci.c:1074:13
#4 sdhci_write hw/sd/sdhci.c:1195:13
#5 memory_region_write_accessor softmmu/memory.c:492:5
#6 access_with_adjusted_size softmmu/memory.c:554:18
#7 memory_region_dispatch_write softmmu/memory.c
#8 flatview_write_continue softmmu/physmem.c:2778:23
#9 flatview_write softmmu/physmem.c:2818:14
#10 address_space_write softmmu/physmem.c:2910:18
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/sd/sd.c:1984:15
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/487
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36240
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20240408141717.66154-2-philmd@linaro.org>
2024-04-08 16:38:11 +03:00
|
|
|
/*
|
|
|
|
* Invalid state transition, reset implementation
|
|
|
|
* fields to avoid OOB abuse.
|
|
|
|
*/
|
|
|
|
sd->data_start = 0;
|
|
|
|
sd->data_offset = 0;
|
|
|
|
/* fall-through */
|
2011-12-19 00:37:55 +04:00
|
|
|
case sd_illegal:
|
2007-04-06 20:49:48 +04:00
|
|
|
rsplen = 0;
|
|
|
|
break;
|
2018-02-22 18:12:52 +03:00
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
2018-02-22 18:12:52 +03:00
|
|
|
trace_sdcard_response(sd_response_name(rtype), rsplen);
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2011-12-19 00:37:58 +04:00
|
|
|
if (rtype != sd_illegal) {
|
|
|
|
/* Clear the "clear on valid command" status bits now we've
|
|
|
|
* sent any response
|
|
|
|
*/
|
|
|
|
sd->card_status &= ~CARD_STATUS_B;
|
|
|
|
}
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
#ifdef DEBUG_SD
|
2020-08-22 21:09:50 +03:00
|
|
|
qemu_hexdump(stderr, "Response", response, rsplen);
|
2007-04-06 20:49:48 +04:00
|
|
|
#endif
|
|
|
|
|
|
|
|
return rsplen;
|
|
|
|
}
|
|
|
|
|
2024-06-13 17:21:50 +03:00
|
|
|
/* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */
|
|
|
|
__attribute__((unused))
|
|
|
|
static bool sd_generic_write_byte(SDState *sd, uint8_t value)
|
|
|
|
{
|
|
|
|
sd->data[sd->data_offset] = value;
|
|
|
|
|
|
|
|
if (++sd->data_offset >= sd->data_size) {
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2024-06-13 17:21:12 +03:00
|
|
|
/* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */
|
|
|
|
static bool sd_generic_read_byte(SDState *sd, uint8_t *value)
|
|
|
|
{
|
|
|
|
*value = sd->data[sd->data_offset];
|
|
|
|
|
|
|
|
if (++sd->data_offset >= sd->data_size) {
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2020-08-14 12:23:40 +03:00
|
|
|
void sd_write_byte(SDState *sd, uint8_t value)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2014-10-07 15:59:18 +04:00
|
|
|
if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
|
2007-04-06 20:49:48 +04:00
|
|
|
return;
|
|
|
|
|
|
|
|
if (sd->state != sd_receivingdata_state) {
|
2016-02-18 17:16:20 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR,
|
2020-08-14 12:23:40 +03:00
|
|
|
"%s: not in Receiving-Data state\n", __func__);
|
2007-04-06 20:49:48 +04:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
|
|
|
|
return;
|
|
|
|
|
2024-06-24 21:19:10 +03:00
|
|
|
trace_sdcard_write_data(sd->proto->name,
|
2024-06-14 02:44:28 +03:00
|
|
|
sd->last_cmd_name,
|
2024-06-19 21:26:47 +03:00
|
|
|
sd->current_cmd, sd->data_offset, value);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->current_cmd) {
|
|
|
|
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
|
|
|
|
sd->data[sd->data_offset ++] = value;
|
|
|
|
if (sd->data_offset >= sd->blk_len) {
|
|
|
|
/* TODO: Check CRC before committing */
|
|
|
|
sd->state = sd_programming_state;
|
2024-04-08 16:41:56 +03:00
|
|
|
sd_blk_write(sd, sd->data_start, sd->data_offset);
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->blk_written ++;
|
|
|
|
sd->csd[14] |= 0x40;
|
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
|
2011-07-25 16:21:30 +04:00
|
|
|
if (sd->data_offset == 0) {
|
2013-04-09 15:48:19 +04:00
|
|
|
/* Start of the block - let's check the address is valid */
|
2021-06-07 16:32:06 +03:00
|
|
|
if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK",
|
|
|
|
sd->data_start, sd->blk_len)) {
|
2007-04-06 20:49:48 +04:00
|
|
|
break;
|
|
|
|
}
|
2021-02-16 18:02:24 +03:00
|
|
|
if (sd->size <= SDSC_MAX_CAPACITY) {
|
|
|
|
if (sd_wp_addr(sd, sd->data_start)) {
|
|
|
|
sd->card_status |= WP_VIOLATION;
|
|
|
|
break;
|
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
2011-07-25 16:21:30 +04:00
|
|
|
}
|
|
|
|
sd->data[sd->data_offset++] = value;
|
|
|
|
if (sd->data_offset >= sd->blk_len) {
|
|
|
|
/* TODO: Check CRC before committing */
|
|
|
|
sd->state = sd_programming_state;
|
2024-04-08 16:41:56 +03:00
|
|
|
sd_blk_write(sd, sd->data_start, sd->data_offset);
|
2011-07-25 16:21:30 +04:00
|
|
|
sd->blk_written++;
|
|
|
|
sd->data_start += sd->blk_len;
|
|
|
|
sd->data_offset = 0;
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->csd[14] |= 0x40;
|
|
|
|
|
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
2016-02-18 17:16:19 +03:00
|
|
|
if (sd->multi_blk_cnt != 0) {
|
|
|
|
if (--sd->multi_blk_cnt == 0) {
|
|
|
|
/* Stop! */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->state = sd_receivingdata_state;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 26: /* CMD26: PROGRAM_CID */
|
|
|
|
sd->data[sd->data_offset ++] = value;
|
|
|
|
if (sd->data_offset >= sizeof(sd->cid)) {
|
|
|
|
/* TODO: Check CRC before committing */
|
|
|
|
sd->state = sd_programming_state;
|
|
|
|
for (i = 0; i < sizeof(sd->cid); i ++)
|
|
|
|
if ((sd->cid[i] | 0x00) != sd->data[i])
|
|
|
|
sd->card_status |= CID_CSD_OVERWRITE;
|
|
|
|
|
|
|
|
if (!(sd->card_status & CID_CSD_OVERWRITE))
|
|
|
|
for (i = 0; i < sizeof(sd->cid); i ++) {
|
|
|
|
sd->cid[i] |= 0x00;
|
|
|
|
sd->cid[i] &= sd->data[i];
|
|
|
|
}
|
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 27: /* CMD27: PROGRAM_CSD */
|
|
|
|
sd->data[sd->data_offset ++] = value;
|
|
|
|
if (sd->data_offset >= sizeof(sd->csd)) {
|
|
|
|
/* TODO: Check CRC before committing */
|
|
|
|
sd->state = sd_programming_state;
|
|
|
|
for (i = 0; i < sizeof(sd->csd); i ++)
|
|
|
|
if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
|
|
|
|
(sd->data[i] | sd_csd_rw_mask[i]))
|
|
|
|
sd->card_status |= CID_CSD_OVERWRITE;
|
|
|
|
|
|
|
|
/* Copy flag (OTP) & Permanent write protect */
|
|
|
|
if (sd->csd[14] & ~sd->data[14] & 0x60)
|
|
|
|
sd->card_status |= CID_CSD_OVERWRITE;
|
|
|
|
|
|
|
|
if (!(sd->card_status & CID_CSD_OVERWRITE))
|
|
|
|
for (i = 0; i < sizeof(sd->csd); i ++) {
|
|
|
|
sd->csd[i] |= sd_csd_rw_mask[i];
|
|
|
|
sd->csd[i] &= sd->data[i];
|
|
|
|
}
|
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 42: /* CMD42: LOCK_UNLOCK */
|
|
|
|
sd->data[sd->data_offset ++] = value;
|
|
|
|
if (sd->data_offset >= sd->blk_len) {
|
|
|
|
/* TODO: Check CRC before committing */
|
|
|
|
sd->state = sd_programming_state;
|
|
|
|
sd_lock_command(sd);
|
|
|
|
/* Bzzzzzzztt .... Operation complete. */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 56: /* CMD56: GEN_CMD */
|
|
|
|
sd->data[sd->data_offset ++] = value;
|
|
|
|
if (sd->data_offset >= sd->blk_len) {
|
|
|
|
APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2020-08-14 12:23:40 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
|
2007-04-06 20:49:48 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-14 12:23:40 +03:00
|
|
|
uint8_t sd_read_byte(SDState *sd)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
/* TODO: Append CRCs */
|
|
|
|
uint8_t ret;
|
2020-07-07 07:12:58 +03:00
|
|
|
uint32_t io_len;
|
2007-04-06 20:49:48 +04:00
|
|
|
|
2014-10-07 15:59:18 +04:00
|
|
|
if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
|
2007-04-06 20:49:48 +04:00
|
|
|
return 0x00;
|
|
|
|
|
|
|
|
if (sd->state != sd_sendingdata_state) {
|
2016-02-18 17:16:20 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR,
|
2020-08-14 12:23:40 +03:00
|
|
|
"%s: not in Sending-Data state\n", __func__);
|
2007-04-06 20:49:48 +04:00
|
|
|
return 0x00;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
|
|
|
|
return 0x00;
|
|
|
|
|
2020-10-26 03:32:52 +03:00
|
|
|
io_len = sd_blk_len(sd);
|
2009-11-03 17:28:19 +03:00
|
|
|
|
2024-06-24 21:19:10 +03:00
|
|
|
trace_sdcard_read_data(sd->proto->name,
|
2024-06-14 02:44:28 +03:00
|
|
|
sd->last_cmd_name,
|
2024-06-19 21:26:47 +03:00
|
|
|
sd->current_cmd, sd->data_offset, io_len);
|
2007-04-06 20:49:48 +04:00
|
|
|
switch (sd->current_cmd) {
|
|
|
|
case 6: /* CMD6: SWITCH_FUNCTION */
|
2007-11-25 02:35:08 +03:00
|
|
|
case 9: /* CMD9: SEND_CSD */
|
2022-06-01 08:13:05 +03:00
|
|
|
case 10: /* CMD10: SEND_CID */
|
2022-06-01 08:25:08 +03:00
|
|
|
case 13: /* ACMD13: SD_STATUS */
|
2022-06-01 08:27:51 +03:00
|
|
|
case 17: /* CMD17: READ_SINGLE_BLOCK */
|
2022-06-01 08:15:10 +03:00
|
|
|
case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
|
2024-06-13 00:44:53 +03:00
|
|
|
case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
|
2024-06-13 00:28:24 +03:00
|
|
|
case 30: /* CMD30: SEND_WRITE_PROT */
|
2022-06-01 08:24:07 +03:00
|
|
|
case 51: /* ACMD51: SEND_SCR */
|
2022-06-01 08:13:05 +03:00
|
|
|
sd_generic_read_byte(sd, &ret);
|
2007-11-25 02:35:08 +03:00
|
|
|
break;
|
|
|
|
|
2007-04-06 20:49:48 +04:00
|
|
|
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
|
2017-10-06 18:46:47 +03:00
|
|
|
if (sd->data_offset == 0) {
|
2021-06-07 16:32:06 +03:00
|
|
|
if (!address_in_range(sd, "READ_MULTIPLE_BLOCK",
|
|
|
|
sd->data_start, io_len)) {
|
2017-10-06 18:46:47 +03:00
|
|
|
return 0x00;
|
|
|
|
}
|
2024-04-08 16:41:56 +03:00
|
|
|
sd_blk_read(sd, sd->data_start, io_len);
|
2017-10-06 18:46:47 +03:00
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
ret = sd->data[sd->data_offset ++];
|
|
|
|
|
2009-11-03 17:28:19 +03:00
|
|
|
if (sd->data_offset >= io_len) {
|
|
|
|
sd->data_start += io_len;
|
2007-04-06 20:49:48 +04:00
|
|
|
sd->data_offset = 0;
|
2016-02-18 17:16:19 +03:00
|
|
|
|
|
|
|
if (sd->multi_blk_cnt != 0) {
|
|
|
|
if (--sd->multi_blk_cnt == 0) {
|
|
|
|
/* Stop! */
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2007-04-06 20:49:48 +04:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 56: /* CMD56: GEN_CMD */
|
|
|
|
if (sd->data_offset == 0)
|
|
|
|
APP_READ_BLOCK(sd->data_start, sd->blk_len);
|
|
|
|
ret = sd->data[sd->data_offset ++];
|
|
|
|
|
|
|
|
if (sd->data_offset >= sd->blk_len)
|
|
|
|
sd->state = sd_transfer_state;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2020-08-14 12:23:40 +03:00
|
|
|
qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
|
2007-04-06 20:49:48 +04:00
|
|
|
return 0x00;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2021-01-28 09:30:30 +03:00
|
|
|
static bool sd_receive_ready(SDState *sd)
|
|
|
|
{
|
|
|
|
return sd->state == sd_receivingdata_state;
|
|
|
|
}
|
|
|
|
|
2018-02-16 05:01:26 +03:00
|
|
|
static bool sd_data_ready(SDState *sd)
|
2007-04-06 20:49:48 +04:00
|
|
|
{
|
|
|
|
return sd->state == sd_sendingdata_state;
|
|
|
|
}
|
2008-04-15 01:05:22 +04:00
|
|
|
|
2012-08-13 14:04:06 +04:00
|
|
|
void sd_enable(SDState *sd, bool enable)
|
2008-04-15 01:05:22 +04:00
|
|
|
{
|
|
|
|
sd->enable = enable;
|
|
|
|
}
|
2016-02-18 17:16:18 +03:00
|
|
|
|
2022-05-30 20:09:27 +03:00
|
|
|
static const SDProto sd_proto_spi = {
|
|
|
|
.name = "SPI",
|
2021-06-24 14:22:40 +03:00
|
|
|
.cmd = {
|
2021-06-24 16:48:55 +03:00
|
|
|
[0] = sd_cmd_GO_IDLE_STATE,
|
2024-06-17 06:11:12 +03:00
|
|
|
[1] = spi_cmd_SEND_OP_COND,
|
2021-06-24 14:22:40 +03:00
|
|
|
},
|
2021-06-24 14:29:49 +03:00
|
|
|
.acmd = {
|
2024-06-17 06:11:12 +03:00
|
|
|
[41] = spi_cmd_SEND_OP_COND,
|
2021-06-24 14:29:49 +03:00
|
|
|
},
|
2022-05-30 20:09:27 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
static const SDProto sd_proto_sd = {
|
|
|
|
.name = "SD",
|
2021-06-24 14:22:40 +03:00
|
|
|
.cmd = {
|
2021-06-24 16:48:55 +03:00
|
|
|
[0] = sd_cmd_GO_IDLE_STATE,
|
2021-06-24 16:36:03 +03:00
|
|
|
[2] = sd_cmd_ALL_SEND_CID,
|
2021-06-24 16:46:29 +03:00
|
|
|
[3] = sd_cmd_SEND_RELATIVE_ADDR,
|
2022-05-25 10:21:21 +03:00
|
|
|
[19] = sd_cmd_SEND_TUNING_BLOCK,
|
2022-05-30 20:20:25 +03:00
|
|
|
[23] = sd_cmd_SET_BLOCK_COUNT,
|
2021-06-24 14:22:40 +03:00
|
|
|
},
|
2022-05-30 20:09:27 +03:00
|
|
|
};
|
|
|
|
|
2016-02-18 17:16:18 +03:00
|
|
|
static void sd_instance_init(Object *obj)
|
|
|
|
{
|
|
|
|
SDState *sd = SD_CARD(obj);
|
2024-06-24 21:19:10 +03:00
|
|
|
SDCardClass *sc = SD_CARD_GET_CLASS(sd);
|
2016-02-18 17:16:18 +03:00
|
|
|
|
2024-06-24 21:19:10 +03:00
|
|
|
sd->proto = sc->proto;
|
2024-06-14 02:44:28 +03:00
|
|
|
sd->last_cmd_name = "UNSET";
|
2016-02-18 17:16:18 +03:00
|
|
|
sd->enable = true;
|
2016-02-18 17:16:20 +03:00
|
|
|
sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
|
2016-02-18 17:16:18 +03:00
|
|
|
}
|
|
|
|
|
2016-07-14 19:03:49 +03:00
|
|
|
static void sd_instance_finalize(Object *obj)
|
|
|
|
{
|
|
|
|
SDState *sd = SD_CARD(obj);
|
|
|
|
|
|
|
|
timer_free(sd->ocr_power_timer);
|
|
|
|
}
|
|
|
|
|
2016-02-18 17:16:18 +03:00
|
|
|
static void sd_realize(DeviceState *dev, Error **errp)
|
|
|
|
{
|
|
|
|
SDState *sd = SD_CARD(dev);
|
2017-01-24 15:43:31 +03:00
|
|
|
int ret;
|
2016-02-18 17:16:18 +03:00
|
|
|
|
2018-06-08 15:15:33 +03:00
|
|
|
switch (sd->spec_version) {
|
|
|
|
case SD_PHY_SPECv1_10_VERS
|
2018-06-08 15:15:34 +03:00
|
|
|
... SD_PHY_SPECv3_01_VERS:
|
2018-06-08 15:15:33 +03:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2016-02-18 17:16:18 +03:00
|
|
|
if (sd->blk) {
|
hw/sd/sdcard: Do not allow invalid SD card sizes
QEMU allows to create SD card with unrealistic sizes. This could
work, but some guests (at least Linux) consider sizes that are not
a power of 2 as a firmware bug and fix the card size to the next
power of 2.
While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end.
In a pair of commits we will fix CVE-2020-13253 as:
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
While this is the correct behavior, in case QEMU create smaller SD
cards, guests still try to access past the image size end, and QEMU
considers this is an invalid address, thus "all further data transfer
is ignored". This is wrong and make the guest looping until
eventually timeouts.
Fix by not allowing invalid SD card sizes (suggesting the expected
size as a hint):
$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
qemu-system-arm: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
2020-07-07 14:02:34 +03:00
|
|
|
int64_t blk_size;
|
|
|
|
|
2021-01-18 15:34:47 +03:00
|
|
|
if (!blk_supports_write_perm(sd->blk)) {
|
2018-06-06 04:28:51 +03:00
|
|
|
error_setg(errp, "Cannot use read-only drive as SD card");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
hw/sd/sdcard: Do not allow invalid SD card sizes
QEMU allows to create SD card with unrealistic sizes. This could
work, but some guests (at least Linux) consider sizes that are not
a power of 2 as a firmware bug and fix the card size to the next
power of 2.
While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end.
In a pair of commits we will fix CVE-2020-13253 as:
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
While this is the correct behavior, in case QEMU create smaller SD
cards, guests still try to access past the image size end, and QEMU
considers this is an invalid address, thus "all further data transfer
is ignored". This is wrong and make the guest looping until
eventually timeouts.
Fix by not allowing invalid SD card sizes (suggesting the expected
size as a hint):
$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
qemu-system-arm: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
2020-07-07 14:02:34 +03:00
|
|
|
blk_size = blk_getlength(sd->blk);
|
|
|
|
if (blk_size > 0 && !is_power_of_2(blk_size)) {
|
|
|
|
int64_t blk_size_aligned = pow2ceil(blk_size);
|
|
|
|
char *blk_size_str;
|
|
|
|
|
|
|
|
blk_size_str = size_to_str(blk_size);
|
|
|
|
error_setg(errp, "Invalid SD card size: %s", blk_size_str);
|
|
|
|
g_free(blk_size_str);
|
|
|
|
|
|
|
|
blk_size_str = size_to_str(blk_size_aligned);
|
|
|
|
error_append_hint(errp,
|
|
|
|
"SD card size has to be a power of 2, e.g. %s.\n"
|
|
|
|
"You can resize disk images with"
|
|
|
|
" 'qemu-img resize <imagefile> <new-size>'\n"
|
|
|
|
"(note that this will lose data if you make the"
|
|
|
|
" image smaller than it currently is).\n",
|
|
|
|
blk_size_str);
|
|
|
|
g_free(blk_size_str);
|
|
|
|
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-01-24 15:43:31 +03:00
|
|
|
ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
|
|
|
|
BLK_PERM_ALL, errp);
|
|
|
|
if (ret < 0) {
|
|
|
|
return;
|
|
|
|
}
|
2016-02-18 17:16:18 +03:00
|
|
|
blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static Property sd_properties[] = {
|
2018-06-08 15:15:33 +03:00
|
|
|
DEFINE_PROP_UINT8("spec_version", SDState,
|
|
|
|
spec_version, SD_PHY_SPECv2_00_VERS),
|
2016-02-18 17:16:18 +03:00
|
|
|
DEFINE_PROP_DRIVE("drive", SDState, blk),
|
|
|
|
/* We do not model the chip select pin, so allow the board to select
|
|
|
|
* whether card should be in SSI or MMC/SD mode. It is also up to the
|
|
|
|
* board to ensure that ssi transfers only occur when the chip select
|
|
|
|
* is asserted. */
|
|
|
|
DEFINE_PROP_END_OF_LIST()
|
|
|
|
};
|
|
|
|
|
|
|
|
static void sd_class_init(ObjectClass *klass, void *data)
|
|
|
|
{
|
|
|
|
DeviceClass *dc = DEVICE_CLASS(klass);
|
2016-02-18 17:16:18 +03:00
|
|
|
SDCardClass *sc = SD_CARD_CLASS(klass);
|
2016-02-18 17:16:18 +03:00
|
|
|
|
|
|
|
dc->realize = sd_realize;
|
2020-01-10 18:30:32 +03:00
|
|
|
device_class_set_props(dc, sd_properties);
|
2016-02-18 17:16:18 +03:00
|
|
|
dc->vmsd = &sd_vmstate;
|
2016-02-18 17:16:18 +03:00
|
|
|
dc->reset = sd_reset;
|
2016-02-18 17:16:18 +03:00
|
|
|
dc->bus_type = TYPE_SD_BUS;
|
2019-01-24 19:20:45 +03:00
|
|
|
set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
|
2016-02-18 17:16:18 +03:00
|
|
|
|
2018-02-08 19:48:09 +03:00
|
|
|
sc->set_voltage = sd_set_voltage;
|
2018-02-08 19:48:10 +03:00
|
|
|
sc->get_dat_lines = sd_get_dat_lines;
|
|
|
|
sc->get_cmd_line = sd_get_cmd_line;
|
2016-02-18 17:16:18 +03:00
|
|
|
sc->do_command = sd_do_command;
|
2020-08-14 12:23:40 +03:00
|
|
|
sc->write_byte = sd_write_byte;
|
|
|
|
sc->read_byte = sd_read_byte;
|
2021-01-28 09:30:30 +03:00
|
|
|
sc->receive_ready = sd_receive_ready;
|
2016-02-18 17:16:18 +03:00
|
|
|
sc->data_ready = sd_data_ready;
|
|
|
|
sc->enable = sd_enable;
|
|
|
|
sc->get_inserted = sd_get_inserted;
|
|
|
|
sc->get_readonly = sd_get_readonly;
|
2023-07-03 09:00:08 +03:00
|
|
|
sc->proto = &sd_proto_sd;
|
2016-02-18 17:16:18 +03:00
|
|
|
}
|
|
|
|
|
2023-07-03 09:00:08 +03:00
|
|
|
/*
|
|
|
|
* We do not model the chip select pin, so allow the board to select
|
|
|
|
* whether card should be in SSI or MMC/SD mode. It is also up to the
|
|
|
|
* board to ensure that ssi transfers only occur when the chip select
|
|
|
|
* is asserted.
|
|
|
|
*/
|
|
|
|
static void sd_spi_class_init(ObjectClass *klass, void *data)
|
|
|
|
{
|
|
|
|
DeviceClass *dc = DEVICE_CLASS(klass);
|
|
|
|
SDCardClass *sc = SD_CARD_CLASS(klass);
|
|
|
|
|
|
|
|
dc->desc = "SD SPI";
|
|
|
|
sc->proto = &sd_proto_spi;
|
|
|
|
}
|
|
|
|
|
2023-10-31 08:55:39 +03:00
|
|
|
static const TypeInfo sd_types[] = {
|
|
|
|
{
|
|
|
|
.name = TYPE_SD_CARD,
|
|
|
|
.parent = TYPE_DEVICE,
|
|
|
|
.instance_size = sizeof(SDState),
|
|
|
|
.class_size = sizeof(SDCardClass),
|
|
|
|
.class_init = sd_class_init,
|
|
|
|
.instance_init = sd_instance_init,
|
|
|
|
.instance_finalize = sd_instance_finalize,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = TYPE_SD_CARD_SPI,
|
|
|
|
.parent = TYPE_SD_CARD,
|
|
|
|
.class_init = sd_spi_class_init,
|
|
|
|
},
|
2023-07-03 09:00:08 +03:00
|
|
|
};
|
|
|
|
|
2023-10-31 08:55:39 +03:00
|
|
|
DEFINE_TYPES(sd_types)
|