qemu/hw/ssi/mss-spi.c
Philippe Mathieu-Daudé c0bccee9b4 hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
Reading the RX_DATA register when the RX_FIFO is empty triggers
an abort. This can be easily reproduced:

  $ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) x 0x40001010
  Aborted (core dumped)

  (gdb) bt
  #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
  #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
  #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
  #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
  #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
  #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
  #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
  #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
  #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
  #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
  #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
  #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
  #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
  #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
  #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082

From the datasheet "Actel SmartFusion Microcontroller Subsystem
User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
register has a reset value of 0.

Check the FIFO is not empty before accessing it, else log an
error message.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-07-15 14:17:03 +01:00

422 lines
12 KiB
C

/*
* Block model of SPI controller present in
* Microsemi's SmartFusion2 and SmartFusion SoCs.
*
* Copyright (C) 2017 Subbaraya Sundeep <sundeep.lkml@gmail.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
#include "qemu/osdep.h"
#include "hw/ssi/mss-spi.h"
#include "qemu/log.h"
#include "qemu/module.h"
#ifndef MSS_SPI_ERR_DEBUG
#define MSS_SPI_ERR_DEBUG 0
#endif
#define DB_PRINT_L(lvl, fmt, args...) do { \
if (MSS_SPI_ERR_DEBUG >= lvl) { \
qemu_log("%s: " fmt "\n", __func__, ## args); \
} \
} while (0)
#define DB_PRINT(fmt, args...) DB_PRINT_L(1, fmt, ## args)
#define FIFO_CAPACITY 32
#define R_SPI_CONTROL 0
#define R_SPI_DFSIZE 1
#define R_SPI_STATUS 2
#define R_SPI_INTCLR 3
#define R_SPI_RX 4
#define R_SPI_TX 5
#define R_SPI_CLKGEN 6
#define R_SPI_SS 7
#define R_SPI_MIS 8
#define R_SPI_RIS 9
#define S_TXDONE (1 << 0)
#define S_RXRDY (1 << 1)
#define S_RXCHOVRF (1 << 2)
#define S_RXFIFOFUL (1 << 4)
#define S_RXFIFOFULNXT (1 << 5)
#define S_RXFIFOEMP (1 << 6)
#define S_RXFIFOEMPNXT (1 << 7)
#define S_TXFIFOFUL (1 << 8)
#define S_TXFIFOFULNXT (1 << 9)
#define S_TXFIFOEMP (1 << 10)
#define S_TXFIFOEMPNXT (1 << 11)
#define S_FRAMESTART (1 << 12)
#define S_SSEL (1 << 13)
#define S_ACTIVE (1 << 14)
#define C_ENABLE (1 << 0)
#define C_MODE (1 << 1)
#define C_INTRXDATA (1 << 4)
#define C_INTTXDATA (1 << 5)
#define C_INTRXOVRFLO (1 << 6)
#define C_SPS (1 << 26)
#define C_BIGFIFO (1 << 29)
#define C_RESET (1 << 31)
#define FRAMESZ_MASK 0x3F
#define FMCOUNT_MASK 0x00FFFF00
#define FMCOUNT_SHIFT 8
#define FRAMESZ_MAX 32
static void txfifo_reset(MSSSpiState *s)
{
fifo32_reset(&s->tx_fifo);
s->regs[R_SPI_STATUS] &= ~S_TXFIFOFUL;
s->regs[R_SPI_STATUS] |= S_TXFIFOEMP;
}
static void rxfifo_reset(MSSSpiState *s)
{
fifo32_reset(&s->rx_fifo);
s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
}
static void set_fifodepth(MSSSpiState *s)
{
unsigned int size = s->regs[R_SPI_DFSIZE] & FRAMESZ_MASK;
if (size <= 8) {
s->fifo_depth = 32;
} else if (size <= 16) {
s->fifo_depth = 16;
} else {
s->fifo_depth = 8;
}
}
static void update_mis(MSSSpiState *s)
{
uint32_t reg = s->regs[R_SPI_CONTROL];
uint32_t tmp;
/*
* form the Control register interrupt enable bits
* same as RIS, MIS and Interrupt clear registers for simplicity
*/
tmp = ((reg & C_INTRXOVRFLO) >> 4) | ((reg & C_INTRXDATA) >> 3) |
((reg & C_INTTXDATA) >> 5);
s->regs[R_SPI_MIS] |= tmp & s->regs[R_SPI_RIS];
}
static void spi_update_irq(MSSSpiState *s)
{
int irq;
update_mis(s);
irq = !!(s->regs[R_SPI_MIS]);
qemu_set_irq(s->irq, irq);
}
static void mss_spi_reset(DeviceState *d)
{
MSSSpiState *s = MSS_SPI(d);
memset(s->regs, 0, sizeof s->regs);
s->regs[R_SPI_CONTROL] = 0x80000102;
s->regs[R_SPI_DFSIZE] = 0x4;
s->regs[R_SPI_STATUS] = S_SSEL | S_TXFIFOEMP | S_RXFIFOEMP;
s->regs[R_SPI_CLKGEN] = 0x7;
s->regs[R_SPI_RIS] = 0x0;
s->fifo_depth = 4;
s->frame_count = 1;
s->enabled = false;
rxfifo_reset(s);
txfifo_reset(s);
}
static uint64_t
spi_read(void *opaque, hwaddr addr, unsigned int size)
{
MSSSpiState *s = opaque;
uint32_t ret = 0;
addr >>= 2;
switch (addr) {
case R_SPI_RX:
s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
if (fifo32_is_empty(&s->rx_fifo)) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: Reading empty RX_FIFO\n",
__func__);
} else {
ret = fifo32_pop(&s->rx_fifo);
}
if (fifo32_is_empty(&s->rx_fifo)) {
s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
}
break;
case R_SPI_MIS:
update_mis(s);
ret = s->regs[R_SPI_MIS];
break;
default:
if (addr < ARRAY_SIZE(s->regs)) {
ret = s->regs[addr];
} else {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__,
addr * 4);
return ret;
}
break;
}
DB_PRINT("addr=0x%" HWADDR_PRIx " = 0x%" PRIx32, addr * 4, ret);
spi_update_irq(s);
return ret;
}
static void assert_cs(MSSSpiState *s)
{
qemu_set_irq(s->cs_line, 0);
}
static void deassert_cs(MSSSpiState *s)
{
qemu_set_irq(s->cs_line, 1);
}
static void spi_flush_txfifo(MSSSpiState *s)
{
uint32_t tx;
uint32_t rx;
bool sps = !!(s->regs[R_SPI_CONTROL] & C_SPS);
/*
* Chip Select(CS) is automatically controlled by this controller.
* If SPS bit is set in Control register then CS is asserted
* until all the frames set in frame count of Control register are
* transferred. If SPS is not set then CS pulses between frames.
* Note that Slave Select register specifies which of the CS line
* has to be controlled automatically by controller. Bits SS[7:1] are for
* masters in FPGA fabric since we model only Microcontroller subsystem
* of Smartfusion2 we control only one CS(SS[0]) line.
*/
while (!fifo32_is_empty(&s->tx_fifo) && s->frame_count) {
assert_cs(s);
s->regs[R_SPI_STATUS] &= ~(S_TXDONE | S_RXRDY);
tx = fifo32_pop(&s->tx_fifo);
DB_PRINT("data tx:0x%" PRIx32, tx);
rx = ssi_transfer(s->spi, tx);
DB_PRINT("data rx:0x%" PRIx32, rx);
if (fifo32_num_used(&s->rx_fifo) == s->fifo_depth) {
s->regs[R_SPI_STATUS] |= S_RXCHOVRF;
s->regs[R_SPI_RIS] |= S_RXCHOVRF;
} else {
fifo32_push(&s->rx_fifo, rx);
s->regs[R_SPI_STATUS] &= ~S_RXFIFOEMP;
if (fifo32_num_used(&s->rx_fifo) == (s->fifo_depth - 1)) {
s->regs[R_SPI_STATUS] |= S_RXFIFOFULNXT;
} else if (fifo32_num_used(&s->rx_fifo) == s->fifo_depth) {
s->regs[R_SPI_STATUS] |= S_RXFIFOFUL;
}
}
s->frame_count--;
if (!sps) {
deassert_cs(s);
}
}
if (!s->frame_count) {
s->frame_count = (s->regs[R_SPI_CONTROL] & FMCOUNT_MASK) >>
FMCOUNT_SHIFT;
deassert_cs(s);
s->regs[R_SPI_RIS] |= S_TXDONE | S_RXRDY;
s->regs[R_SPI_STATUS] |= S_TXDONE | S_RXRDY;
}
}
static void spi_write(void *opaque, hwaddr addr,
uint64_t val64, unsigned int size)
{
MSSSpiState *s = opaque;
uint32_t value = val64;
DB_PRINT("addr=0x%" HWADDR_PRIx " =0x%" PRIx32, addr, value);
addr >>= 2;
switch (addr) {
case R_SPI_TX:
/* adding to already full FIFO */
if (fifo32_num_used(&s->tx_fifo) == s->fifo_depth) {
break;
}
s->regs[R_SPI_STATUS] &= ~S_TXFIFOEMP;
fifo32_push(&s->tx_fifo, value);
if (fifo32_num_used(&s->tx_fifo) == (s->fifo_depth - 1)) {
s->regs[R_SPI_STATUS] |= S_TXFIFOFULNXT;
} else if (fifo32_num_used(&s->tx_fifo) == s->fifo_depth) {
s->regs[R_SPI_STATUS] |= S_TXFIFOFUL;
}
if (s->enabled) {
spi_flush_txfifo(s);
}
break;
case R_SPI_CONTROL:
s->regs[R_SPI_CONTROL] = value;
if (value & C_BIGFIFO) {
set_fifodepth(s);
} else {
s->fifo_depth = 4;
}
s->enabled = value & C_ENABLE;
s->frame_count = (value & FMCOUNT_MASK) >> FMCOUNT_SHIFT;
if (value & C_RESET) {
mss_spi_reset(DEVICE(s));
}
break;
case R_SPI_DFSIZE:
if (s->enabled) {
break;
}
/*
* [31:6] bits are reserved bits and for future use.
* [5:0] are for frame size. Only [5:0] bits are validated
* during write, [31:6] bits are untouched.
*/
if ((value & FRAMESZ_MASK) > FRAMESZ_MAX) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: Incorrect size %u provided."
"Maximum frame size is %u\n",
__func__, value & FRAMESZ_MASK, FRAMESZ_MAX);
break;
}
s->regs[R_SPI_DFSIZE] = value;
break;
case R_SPI_INTCLR:
s->regs[R_SPI_INTCLR] = value;
if (value & S_TXDONE) {
s->regs[R_SPI_RIS] &= ~S_TXDONE;
}
if (value & S_RXRDY) {
s->regs[R_SPI_RIS] &= ~S_RXRDY;
}
if (value & S_RXCHOVRF) {
s->regs[R_SPI_RIS] &= ~S_RXCHOVRF;
}
break;
case R_SPI_MIS:
case R_SPI_STATUS:
case R_SPI_RIS:
qemu_log_mask(LOG_GUEST_ERROR,
"%s: Write to read only register 0x%" HWADDR_PRIx "\n",
__func__, addr * 4);
break;
default:
if (addr < ARRAY_SIZE(s->regs)) {
s->regs[addr] = value;
} else {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__,
addr * 4);
}
break;
}
spi_update_irq(s);
}
static const MemoryRegionOps spi_ops = {
.read = spi_read,
.write = spi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = {
.min_access_size = 1,
.max_access_size = 4
}
};
static void mss_spi_realize(DeviceState *dev, Error **errp)
{
MSSSpiState *s = MSS_SPI(dev);
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
s->spi = ssi_create_bus(dev, "spi");
sysbus_init_irq(sbd, &s->irq);
ssi_auto_connect_slaves(dev, &s->cs_line, s->spi);
sysbus_init_irq(sbd, &s->cs_line);
memory_region_init_io(&s->mmio, OBJECT(s), &spi_ops, s,
TYPE_MSS_SPI, R_SPI_MAX * 4);
sysbus_init_mmio(sbd, &s->mmio);
fifo32_create(&s->tx_fifo, FIFO_CAPACITY);
fifo32_create(&s->rx_fifo, FIFO_CAPACITY);
}
static const VMStateDescription vmstate_mss_spi = {
.name = TYPE_MSS_SPI,
.version_id = 1,
.minimum_version_id = 1,
.fields = (VMStateField[]) {
VMSTATE_FIFO32(tx_fifo, MSSSpiState),
VMSTATE_FIFO32(rx_fifo, MSSSpiState),
VMSTATE_UINT32_ARRAY(regs, MSSSpiState, R_SPI_MAX),
VMSTATE_END_OF_LIST()
}
};
static void mss_spi_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = mss_spi_realize;
dc->reset = mss_spi_reset;
dc->vmsd = &vmstate_mss_spi;
}
static const TypeInfo mss_spi_info = {
.name = TYPE_MSS_SPI,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(MSSSpiState),
.class_init = mss_spi_class_init,
};
static void mss_spi_register_types(void)
{
type_register_static(&mss_spi_info);
}
type_init(mss_spi_register_types)