qemu/hw/misc/grlib_ahb_apb_pnp.c

302 lines
10 KiB
C
Raw Normal View History

/*
* GRLIB AHB APB PNP
*
* Copyright (C) 2019 AdaCore
*
* Developed by :
* Frederic Konrad <frederic.konrad@adacore.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses/>.
*
*/
#include "qemu/osdep.h"
hw/misc/grlib_ahb_apb_pnp: Avoid crash when writing to PnP registers Guests can crash QEMU when writting to PnP registers: $ echo 'writeb 0x800ff042 69' | qemu-system-sparc -M leon3_generic -S -bios /etc/magic -qtest stdio [I 1571938309.932255] OPENED [R +0.063474] writeb 0x800ff042 69 Segmentation fault (core dumped) (gdb) bt #0 0x0000000000000000 in () #1 0x0000555f4bcdf0bc in memory_region_write_with_attrs_accessor (mr=0x555f4d7be8c0, addr=66, value=0x7fff07d00f08, size=1, shift=0, mask=255, attrs=...) at memory.c:503 #2 0x0000555f4bcdf185 in access_with_adjusted_size (addr=66, value=0x7fff07d00f08, size=1, access_size_min=1, access_size_max=4, access_fn=0x555f4bcdeff4 <memory_region_write_with_attrs_accessor>, mr=0x555f4d7be8c0, attrs=...) at memory.c:539 #3 0x0000555f4bce2243 in memory_region_dispatch_write (mr=0x555f4d7be8c0, addr=66, data=69, op=MO_8, attrs=...) at memory.c:1489 #4 0x0000555f4bc80b20 in flatview_write_continue (fv=0x555f4d92c400, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1, addr1=66, l=1, mr=0x555f4d7be8c0) at exec.c:3161 #5 0x0000555f4bc80c65 in flatview_write (fv=0x555f4d92c400, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1) at exec.c:3201 #6 0x0000555f4bc80fb0 in address_space_write (as=0x555f4d7aa460, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1) at exec.c:3291 #7 0x0000555f4bc8101d in address_space_rw (as=0x555f4d7aa460, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1, is_write=true) at exec.c:3301 #8 0x0000555f4bcdb388 in qtest_process_command (chr=0x555f4c2ed7e0 <qtest_chr>, words=0x555f4db0c5d0) at qtest.c:432 Instead of crashing, log the access as unimplemented. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Message-Id: <20191025110114.27091-2-philmd@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2019-10-25 14:01:13 +03:00
#include "qemu/log.h"
#include "hw/sysbus.h"
#include "hw/misc/grlib_ahb_apb_pnp.h"
#include "trace.h"
#define GRLIB_PNP_VENDOR_SHIFT (24)
#define GRLIB_PNP_VENDOR_SIZE (8)
#define GRLIB_PNP_DEV_SHIFT (12)
#define GRLIB_PNP_DEV_SIZE (12)
#define GRLIB_PNP_VER_SHIFT (5)
#define GRLIB_PNP_VER_SIZE (5)
#define GRLIB_PNP_IRQ_SHIFT (0)
#define GRLIB_PNP_IRQ_SIZE (5)
#define GRLIB_PNP_ADDR_SHIFT (20)
#define GRLIB_PNP_ADDR_SIZE (12)
#define GRLIB_PNP_MASK_SHIFT (4)
#define GRLIB_PNP_MASK_SIZE (12)
#define GRLIB_AHB_DEV_ADDR_SHIFT (20)
#define GRLIB_AHB_DEV_ADDR_SIZE (12)
#define GRLIB_AHB_ENTRY_SIZE (0x20)
#define GRLIB_AHB_MAX_DEV (64)
#define GRLIB_AHB_SLAVE_OFFSET (0x800)
#define GRLIB_APB_DEV_ADDR_SHIFT (8)
#define GRLIB_APB_DEV_ADDR_SIZE (12)
#define GRLIB_APB_ENTRY_SIZE (0x08)
#define GRLIB_APB_MAX_DEV (512)
#define GRLIB_PNP_MAX_REGS (0x1000)
typedef struct AHBPnp {
SysBusDevice parent_obj;
MemoryRegion iomem;
uint32_t regs[GRLIB_PNP_MAX_REGS >> 2];
uint8_t master_count;
uint8_t slave_count;
} AHBPnp;
void grlib_ahb_pnp_add_entry(AHBPnp *dev, uint32_t address, uint32_t mask,
uint8_t vendor, uint16_t device, int slave,
int type)
{
unsigned int reg_start;
/*
* AHB entries look like this:
*
* 31 -------- 23 -------- 11 ----- 9 -------- 4 --- 0
* | VENDOR ID | DEVICE ID | IRQ ? | VERSION | IRQ |
* --------------------------------------------------
* | USER |
* --------------------------------------------------
* | USER |
* --------------------------------------------------
* | USER |
* --------------------------------------------------
* | USER |
* --------------------------------------------------
* 31 ----------- 20 --- 15 ----------------- 3 ---- 0
* | ADDR[31..12] | 00PC | MASK | TYPE |
* --------------------------------------------------
* 31 ----------- 20 --- 15 ----------------- 3 ---- 0
* | ADDR[31..12] | 00PC | MASK | TYPE |
* --------------------------------------------------
* 31 ----------- 20 --- 15 ----------------- 3 ---- 0
* | ADDR[31..12] | 00PC | MASK | TYPE |
* --------------------------------------------------
* 31 ----------- 20 --- 15 ----------------- 3 ---- 0
* | ADDR[31..12] | 00PC | MASK | TYPE |
* --------------------------------------------------
*/
if (slave) {
assert(dev->slave_count < GRLIB_AHB_MAX_DEV);
reg_start = (GRLIB_AHB_SLAVE_OFFSET
+ (dev->slave_count * GRLIB_AHB_ENTRY_SIZE)) >> 2;
dev->slave_count++;
} else {
assert(dev->master_count < GRLIB_AHB_MAX_DEV);
reg_start = (dev->master_count * GRLIB_AHB_ENTRY_SIZE) >> 2;
dev->master_count++;
}
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_VENDOR_SHIFT,
GRLIB_PNP_VENDOR_SIZE,
vendor);
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_DEV_SHIFT,
GRLIB_PNP_DEV_SIZE,
device);
reg_start += 4;
/* AHB Memory Space */
dev->regs[reg_start] = type;
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_ADDR_SHIFT,
GRLIB_PNP_ADDR_SIZE,
extract32(address,
GRLIB_AHB_DEV_ADDR_SHIFT,
GRLIB_AHB_DEV_ADDR_SIZE));
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_MASK_SHIFT,
GRLIB_PNP_MASK_SIZE,
mask);
}
static uint64_t grlib_ahb_pnp_read(void *opaque, hwaddr offset, unsigned size)
{
AHBPnp *ahb_pnp = GRLIB_AHB_PNP(opaque);
uint32_t val;
val = ahb_pnp->regs[offset >> 2];
trace_grlib_ahb_pnp_read(offset, val);
return val;
}
hw/misc/grlib_ahb_apb_pnp: Avoid crash when writing to AHB PnP registers Similarly to commit 158b659451 with the APB PnP registers, guests can crash QEMU when writting to the AHB PnP registers: $ echo 'writeb 0xfffff042 69' | qemu-system-sparc -M leon3_generic -S -bios /etc/magic -qtest stdio [I 1571938309.932255] OPENED [R +0.063474] writeb 0xfffff042 69 Segmentation fault (core dumped) (gdb) bt #0 0x0000000000000000 in () #1 0x0000562999110df4 in memory_region_write_with_attrs_accessor (mr=mr@entry=0x56299aa28ea0, addr=66, value=value@entry=0x7fff6abe13b8, size=size@entry=1, shift=<optimized out>, mask=mask@entry=255, attrs=...) at memory.c:503 #2 0x000056299911095e in access_with_adjusted_size (addr=addr@entry=66, value=value@entry=0x7fff6abe13b8, size=size@entry=1, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=access_fn@entry= 0x562999110d70 <memory_region_write_with_attrs_accessor>, mr=0x56299aa28ea0, attrs=...) at memory.c:539 #3 0x0000562999114fba in memory_region_dispatch_write (mr=mr@entry=0x56299aa28ea0, addr=66, data=<optimized out>, op=<optimized out>, attrs=attrs@entry=...) at memory.c:1482 #4 0x00005629990c0860 in flatview_write_continue (fv=fv@entry=0x56299aa7d8a0, addr=addr@entry=4294963266, attrs=..., ptr=ptr@entry=0x7fff6abe1540, len=len@entry=1, addr1=<optimized out>, l=<optimized out>, mr=0x56299aa28ea0) at include/qemu/host-utils.h:164 #5 0x00005629990c0a76 in flatview_write (fv=0x56299aa7d8a0, addr=4294963266, attrs=..., buf=0x7fff6abe1540, len=1) at exec.c:3165 #6 0x00005629990c4c1b in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7fff6abe1540, len=len@entry=1) at exec.c:3256 #7 0x000056299910f807 in qtest_process_command (chr=chr@entry=0x5629995ee920 <qtest_chr>, words=words@entry=0x56299acfcfa0) at qtest.c:437 Instead of crashing, log the access as unimplemented. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Message-Id: <20200331105048.27989-3-f4bug@amsat.org>
2020-03-31 12:56:22 +03:00
static void grlib_ahb_pnp_write(void *opaque, hwaddr addr,
uint64_t val, unsigned size)
{
qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
}
static const MemoryRegionOps grlib_ahb_pnp_ops = {
.read = grlib_ahb_pnp_read,
hw/misc/grlib_ahb_apb_pnp: Avoid crash when writing to AHB PnP registers Similarly to commit 158b659451 with the APB PnP registers, guests can crash QEMU when writting to the AHB PnP registers: $ echo 'writeb 0xfffff042 69' | qemu-system-sparc -M leon3_generic -S -bios /etc/magic -qtest stdio [I 1571938309.932255] OPENED [R +0.063474] writeb 0xfffff042 69 Segmentation fault (core dumped) (gdb) bt #0 0x0000000000000000 in () #1 0x0000562999110df4 in memory_region_write_with_attrs_accessor (mr=mr@entry=0x56299aa28ea0, addr=66, value=value@entry=0x7fff6abe13b8, size=size@entry=1, shift=<optimized out>, mask=mask@entry=255, attrs=...) at memory.c:503 #2 0x000056299911095e in access_with_adjusted_size (addr=addr@entry=66, value=value@entry=0x7fff6abe13b8, size=size@entry=1, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=access_fn@entry= 0x562999110d70 <memory_region_write_with_attrs_accessor>, mr=0x56299aa28ea0, attrs=...) at memory.c:539 #3 0x0000562999114fba in memory_region_dispatch_write (mr=mr@entry=0x56299aa28ea0, addr=66, data=<optimized out>, op=<optimized out>, attrs=attrs@entry=...) at memory.c:1482 #4 0x00005629990c0860 in flatview_write_continue (fv=fv@entry=0x56299aa7d8a0, addr=addr@entry=4294963266, attrs=..., ptr=ptr@entry=0x7fff6abe1540, len=len@entry=1, addr1=<optimized out>, l=<optimized out>, mr=0x56299aa28ea0) at include/qemu/host-utils.h:164 #5 0x00005629990c0a76 in flatview_write (fv=0x56299aa7d8a0, addr=4294963266, attrs=..., buf=0x7fff6abe1540, len=1) at exec.c:3165 #6 0x00005629990c4c1b in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7fff6abe1540, len=len@entry=1) at exec.c:3256 #7 0x000056299910f807 in qtest_process_command (chr=chr@entry=0x5629995ee920 <qtest_chr>, words=words@entry=0x56299acfcfa0) at qtest.c:437 Instead of crashing, log the access as unimplemented. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Message-Id: <20200331105048.27989-3-f4bug@amsat.org>
2020-03-31 12:56:22 +03:00
.write = grlib_ahb_pnp_write,
.endianness = DEVICE_BIG_ENDIAN,
.impl = {
.min_access_size = 4,
.max_access_size = 4,
},
};
static void grlib_ahb_pnp_realize(DeviceState *dev, Error **errp)
{
AHBPnp *ahb_pnp = GRLIB_AHB_PNP(dev);
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
memory_region_init_io(&ahb_pnp->iomem, OBJECT(dev), &grlib_ahb_pnp_ops,
ahb_pnp, TYPE_GRLIB_AHB_PNP, GRLIB_PNP_MAX_REGS);
sysbus_init_mmio(sbd, &ahb_pnp->iomem);
}
static void grlib_ahb_pnp_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = grlib_ahb_pnp_realize;
}
static const TypeInfo grlib_ahb_pnp_info = {
.name = TYPE_GRLIB_AHB_PNP,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(AHBPnp),
.class_init = grlib_ahb_pnp_class_init,
};
/* APBPnp */
typedef struct APBPnp {
SysBusDevice parent_obj;
MemoryRegion iomem;
uint32_t regs[GRLIB_PNP_MAX_REGS >> 2];
uint32_t entry_count;
} APBPnp;
void grlib_apb_pnp_add_entry(APBPnp *dev, uint32_t address, uint32_t mask,
uint8_t vendor, uint16_t device, uint8_t version,
uint8_t irq, int type)
{
unsigned int reg_start;
/*
* APB entries look like this:
*
* 31 -------- 23 -------- 11 ----- 9 ------- 4 --- 0
* | VENDOR ID | DEVICE ID | IRQ ? | VERSION | IRQ |
*
* 31 ---------- 20 --- 15 ----------------- 3 ---- 0
* | ADDR[20..8] | 0000 | MASK | TYPE |
*/
assert(dev->entry_count < GRLIB_APB_MAX_DEV);
reg_start = (dev->entry_count * GRLIB_APB_ENTRY_SIZE) >> 2;
dev->entry_count++;
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_VENDOR_SHIFT,
GRLIB_PNP_VENDOR_SIZE,
vendor);
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_DEV_SHIFT,
GRLIB_PNP_DEV_SIZE,
device);
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_VER_SHIFT,
GRLIB_PNP_VER_SIZE,
version);
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_IRQ_SHIFT,
GRLIB_PNP_IRQ_SIZE,
irq);
reg_start += 1;
dev->regs[reg_start] = type;
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_ADDR_SHIFT,
GRLIB_PNP_ADDR_SIZE,
extract32(address,
GRLIB_APB_DEV_ADDR_SHIFT,
GRLIB_APB_DEV_ADDR_SIZE));
dev->regs[reg_start] = deposit32(dev->regs[reg_start],
GRLIB_PNP_MASK_SHIFT,
GRLIB_PNP_MASK_SIZE,
mask);
}
static uint64_t grlib_apb_pnp_read(void *opaque, hwaddr offset, unsigned size)
{
APBPnp *apb_pnp = GRLIB_APB_PNP(opaque);
uint32_t val;
val = apb_pnp->regs[offset >> 2];
trace_grlib_apb_pnp_read(offset, val);
return val;
}
hw/misc/grlib_ahb_apb_pnp: Avoid crash when writing to PnP registers Guests can crash QEMU when writting to PnP registers: $ echo 'writeb 0x800ff042 69' | qemu-system-sparc -M leon3_generic -S -bios /etc/magic -qtest stdio [I 1571938309.932255] OPENED [R +0.063474] writeb 0x800ff042 69 Segmentation fault (core dumped) (gdb) bt #0 0x0000000000000000 in () #1 0x0000555f4bcdf0bc in memory_region_write_with_attrs_accessor (mr=0x555f4d7be8c0, addr=66, value=0x7fff07d00f08, size=1, shift=0, mask=255, attrs=...) at memory.c:503 #2 0x0000555f4bcdf185 in access_with_adjusted_size (addr=66, value=0x7fff07d00f08, size=1, access_size_min=1, access_size_max=4, access_fn=0x555f4bcdeff4 <memory_region_write_with_attrs_accessor>, mr=0x555f4d7be8c0, attrs=...) at memory.c:539 #3 0x0000555f4bce2243 in memory_region_dispatch_write (mr=0x555f4d7be8c0, addr=66, data=69, op=MO_8, attrs=...) at memory.c:1489 #4 0x0000555f4bc80b20 in flatview_write_continue (fv=0x555f4d92c400, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1, addr1=66, l=1, mr=0x555f4d7be8c0) at exec.c:3161 #5 0x0000555f4bc80c65 in flatview_write (fv=0x555f4d92c400, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1) at exec.c:3201 #6 0x0000555f4bc80fb0 in address_space_write (as=0x555f4d7aa460, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1) at exec.c:3291 #7 0x0000555f4bc8101d in address_space_rw (as=0x555f4d7aa460, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1, is_write=true) at exec.c:3301 #8 0x0000555f4bcdb388 in qtest_process_command (chr=0x555f4c2ed7e0 <qtest_chr>, words=0x555f4db0c5d0) at qtest.c:432 Instead of crashing, log the access as unimplemented. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Message-Id: <20191025110114.27091-2-philmd@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2019-10-25 14:01:13 +03:00
static void grlib_apb_pnp_write(void *opaque, hwaddr addr,
uint64_t val, unsigned size)
{
qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
}
static const MemoryRegionOps grlib_apb_pnp_ops = {
.read = grlib_apb_pnp_read,
hw/misc/grlib_ahb_apb_pnp: Avoid crash when writing to PnP registers Guests can crash QEMU when writting to PnP registers: $ echo 'writeb 0x800ff042 69' | qemu-system-sparc -M leon3_generic -S -bios /etc/magic -qtest stdio [I 1571938309.932255] OPENED [R +0.063474] writeb 0x800ff042 69 Segmentation fault (core dumped) (gdb) bt #0 0x0000000000000000 in () #1 0x0000555f4bcdf0bc in memory_region_write_with_attrs_accessor (mr=0x555f4d7be8c0, addr=66, value=0x7fff07d00f08, size=1, shift=0, mask=255, attrs=...) at memory.c:503 #2 0x0000555f4bcdf185 in access_with_adjusted_size (addr=66, value=0x7fff07d00f08, size=1, access_size_min=1, access_size_max=4, access_fn=0x555f4bcdeff4 <memory_region_write_with_attrs_accessor>, mr=0x555f4d7be8c0, attrs=...) at memory.c:539 #3 0x0000555f4bce2243 in memory_region_dispatch_write (mr=0x555f4d7be8c0, addr=66, data=69, op=MO_8, attrs=...) at memory.c:1489 #4 0x0000555f4bc80b20 in flatview_write_continue (fv=0x555f4d92c400, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1, addr1=66, l=1, mr=0x555f4d7be8c0) at exec.c:3161 #5 0x0000555f4bc80c65 in flatview_write (fv=0x555f4d92c400, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1) at exec.c:3201 #6 0x0000555f4bc80fb0 in address_space_write (as=0x555f4d7aa460, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1) at exec.c:3291 #7 0x0000555f4bc8101d in address_space_rw (as=0x555f4d7aa460, addr=2148528194, attrs=..., buf=0x7fff07d01120 "E", len=1, is_write=true) at exec.c:3301 #8 0x0000555f4bcdb388 in qtest_process_command (chr=0x555f4c2ed7e0 <qtest_chr>, words=0x555f4db0c5d0) at qtest.c:432 Instead of crashing, log the access as unimplemented. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Message-Id: <20191025110114.27091-2-philmd@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2019-10-25 14:01:13 +03:00
.write = grlib_apb_pnp_write,
.endianness = DEVICE_BIG_ENDIAN,
.impl = {
.min_access_size = 4,
.max_access_size = 4,
},
};
static void grlib_apb_pnp_realize(DeviceState *dev, Error **errp)
{
APBPnp *apb_pnp = GRLIB_APB_PNP(dev);
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
memory_region_init_io(&apb_pnp->iomem, OBJECT(dev), &grlib_apb_pnp_ops,
apb_pnp, TYPE_GRLIB_APB_PNP, GRLIB_PNP_MAX_REGS);
sysbus_init_mmio(sbd, &apb_pnp->iomem);
}
static void grlib_apb_pnp_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = grlib_apb_pnp_realize;
}
static const TypeInfo grlib_apb_pnp_info = {
.name = TYPE_GRLIB_APB_PNP,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(APBPnp),
.class_init = grlib_apb_pnp_class_init,
};
static void grlib_ahb_apb_pnp_register_types(void)
{
type_register_static(&grlib_ahb_pnp_info);
type_register_static(&grlib_apb_pnp_info);
}
type_init(grlib_ahb_apb_pnp_register_types)