/*
 * GRLIB AHB APB PNP
 *
 *  Copyright (C) 2019 AdaCore
 *
 *  Developed by :
 *  Frederic Konrad   <frederic.konrad@adacore.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, see <http://www.gnu.org/licenses/>.
 *
 */
					
						
/* qemu/osdep.h is always the first include in a QEMU source file. */
#include "qemu/osdep.h"
/* qemu_log_mask() / LOG_UNIMP, used to report the ignored MMIO writes. */
#include "qemu/log.h"
/* SysBusDevice and sysbus_init_mmio() for the two PnP devices below. */
#include "hw/sysbus.h"
/* Public interface of this file (presumably the add_entry prototypes and the TYPE_/cast macros used below). */
#include "hw/misc/grlib_ahb_apb_pnp.h"
/* trace_grlib_ahb_pnp_read() / trace_grlib_apb_pnp_read(). */
#include "trace.h"
/*
 * Bit fields of the identification word (word 0 of a PnP entry).
 * VENDOR and DEV are deposited for both AHB and APB entries; VER and IRQ
 * only by grlib_apb_pnp_add_entry().
 */
#define GRLIB_PNP_VENDOR_SHIFT (24)
#define GRLIB_PNP_VENDOR_SIZE   (8)
#define GRLIB_PNP_DEV_SHIFT    (12)
#define GRLIB_PNP_DEV_SIZE     (12)
#define GRLIB_PNP_VER_SHIFT     (5)
#define GRLIB_PNP_VER_SIZE      (5)
#define GRLIB_PNP_IRQ_SHIFT     (0)
#define GRLIB_PNP_IRQ_SIZE      (5)
/* Bit fields of a bank address register (BAR) word: ADDR[31..20], MASK[15..4]. */
#define GRLIB_PNP_ADDR_SHIFT   (20)
#define GRLIB_PNP_ADDR_SIZE    (12)
#define GRLIB_PNP_MASK_SHIFT    (4)
#define GRLIB_PNP_MASK_SIZE    (12)

/* Which bits of a device base address are published in an AHB BAR: bits 31..20. */
#define GRLIB_AHB_DEV_ADDR_SHIFT   (20)
#define GRLIB_AHB_DEV_ADDR_SIZE    (12)
/*
 * An AHB entry is 0x20 bytes (eight words).  64 master entries fill
 * [0, 0x800); slave entries start at 0x800 and fill the rest of the
 * 0x1000-byte table, so the per-table asserts in the add_entry helpers
 * are what keep regs[] in bounds.
 */
#define GRLIB_AHB_ENTRY_SIZE       (0x20)
#define GRLIB_AHB_MAX_DEV          (64)
#define GRLIB_AHB_SLAVE_OFFSET     (0x800)

/* Which bits of a device base address are published in an APB BAR: bits 19..8. */
#define GRLIB_APB_DEV_ADDR_SHIFT   (8)
#define GRLIB_APB_DEV_ADDR_SIZE    (12)
/* An APB entry is 8 bytes (two words); 512 * 8 == 0x1000, the whole table. */
#define GRLIB_APB_ENTRY_SIZE       (0x08)
#define GRLIB_APB_MAX_DEV          (512)

/* Byte size of each PnP MMIO region and of the regs[] array backing it. */
#define GRLIB_PNP_MAX_REGS         (0x1000)
/* AHB plug-and-play table device. */
typedef struct AHBPnp {
    SysBusDevice parent_obj;
    /* GRLIB_PNP_MAX_REGS-byte MMIO window onto regs[], set up in realize. */
    MemoryRegion iomem;

    /*
     * The table as the guest reads it, one 32-bit word per index.
     * Master entries live in [0, GRLIB_AHB_SLAVE_OFFSET), slave entries in
     * [GRLIB_AHB_SLAVE_OFFSET, GRLIB_PNP_MAX_REGS); see
     * grlib_ahb_pnp_add_entry().  Guest MMIO writes never modify it.
     */
    uint32_t regs[GRLIB_PNP_MAX_REGS >> 2];
    /* Entries added so far per table; each is asserted < GRLIB_AHB_MAX_DEV. */
    uint8_t master_count;
    uint8_t slave_count;
} AHBPnp;
					
						
void grlib_ahb_pnp_add_entry(AHBPnp *dev, uint32_t address, uint32_t mask,
                             uint8_t vendor, uint16_t device, int slave,
                             int type)
{
    /*
     * Append one entry to the AHB master or slave table.
     *
     * An entry is GRLIB_AHB_ENTRY_SIZE (0x20) bytes, i.e. eight words:
     *
     *   word 0    31 -------- 23 -------- 11 ----- 9 -------- 4 --- 0
     *              | VENDOR ID | DEVICE ID | IRQ ? | VERSION  | IRQ |
     *   word 1..3  user defined (not touched here)
     *   word 4..7  BAR0..BAR3:
     *             31 ----------- 20 --- 15 ----------------- 3 ---- 0
     *              | ADDR[31..20] | 00PC |        MASK       | TYPE |
     *
     * Only VENDOR and DEVICE of word 0 are written (VERSION/IRQ stay as
     * they were), and only BAR0 is filled: TYPE in the low bits, the
     * 12-bit address field from address[31..20], and MASK.  deposit32()
     * truncates field values to the field width rather than rejecting
     * them.
     *
     * The asserts are the sole bounds check on regs[]: 64 entries of
     * 0x20 bytes per table exactly fill each half of the 0x1000-byte
     * array.  This path is not reachable from guest MMIO, whose writes
     * are dropped by grlib_ahb_pnp_write().
     */
    unsigned int entry_idx;
    uint32_t ident;
    uint32_t bar0;

    if (slave) {
        assert(dev->slave_count < GRLIB_AHB_MAX_DEV);
        entry_idx = (GRLIB_AHB_SLAVE_OFFSET
                     + (dev->slave_count * GRLIB_AHB_ENTRY_SIZE)) >> 2;
        dev->slave_count++;
    } else {
        assert(dev->master_count < GRLIB_AHB_MAX_DEV);
        entry_idx = (dev->master_count * GRLIB_AHB_ENTRY_SIZE) >> 2;
        dev->master_count++;
    }

    /* Word 0: overlay vendor and device on whatever is already there. */
    ident = dev->regs[entry_idx];
    ident = deposit32(ident, GRLIB_PNP_VENDOR_SHIFT, GRLIB_PNP_VENDOR_SIZE,
                      vendor);
    ident = deposit32(ident, GRLIB_PNP_DEV_SHIFT, GRLIB_PNP_DEV_SIZE,
                      device);
    dev->regs[entry_idx] = ident;

    /* Word 4 (BAR0): AHB memory space descriptor, built from scratch. */
    bar0 = type;
    bar0 = deposit32(bar0, GRLIB_PNP_ADDR_SHIFT, GRLIB_PNP_ADDR_SIZE,
                     extract32(address, GRLIB_AHB_DEV_ADDR_SHIFT,
                               GRLIB_AHB_DEV_ADDR_SIZE));
    bar0 = deposit32(bar0, GRLIB_PNP_MASK_SHIFT, GRLIB_PNP_MASK_SIZE, mask);
    dev->regs[entry_idx + 4] = bar0;
}
					
						
static uint64_t grlib_ahb_pnp_read(void *opaque, hwaddr offset, unsigned size)
{
    AHBPnp *ahb_pnp = GRLIB_AHB_PNP(opaque);
    /*
     * offset is relative to a GRLIB_PNP_MAX_REGS-byte region and regs[]
     * is exactly that many bytes, so the word index cannot run off the
     * array.  Sub-word reads select the big-endian byte lane: the byte at
     * offset 0 of a word is its most significant byte.
     *
     * NOTE(review): the lane arithmetic assumes (offset & 3) + size <= 4,
     * which holds as long as the memory core only hands us aligned
     * accesses of at most .impl.max_access_size bytes — confirm if
     * .valid.unaligned is ever set on grlib_ahb_pnp_ops.
     */
    uint32_t word = ahb_pnp->regs[offset >> 2];
    unsigned lane_start = (4 - (offset & 3) - size) * 8;
    uint32_t val = extract32(word, lane_start, size * 8);

    trace_grlib_ahb_pnp_read(offset, size, val);

    return val;
}
					
						
static void grlib_ahb_pnp_write(void *opaque, hwaddr addr,
                                uint64_t val, unsigned size)
{
    /*
     * The AHB PnP table is read-only for the guest: the write is dropped
     * and only reported under the LOG_UNIMP log mask, so nothing a guest
     * stores here can alter the entries installed by
     * grlib_ahb_pnp_add_entry().
     */
    (void)opaque;
    (void)addr;
    (void)val;
    (void)size;
    qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
}
					
						
/*
 * MMIO dispatch for the AHB PnP table.  Reads are served from regs[] with
 * big-endian byte lanes; writes are dropped by grlib_ahb_pnp_write().
 * .impl confines what the handlers see to 1..4-byte accesses, so one
 * regs[] word always covers a request; wider guest accesses are split by
 * the memory core before they reach the handlers.  No .valid block is
 * given, so the core's default alignment handling applies (the read
 * handler's byte-lane arithmetic relies on accesses not straddling a
 * word).
 */
static const MemoryRegionOps grlib_ahb_pnp_ops = {
    .read       = grlib_ahb_pnp_read,
    .write      = grlib_ahb_pnp_write,
    .endianness = DEVICE_BIG_ENDIAN,
    .impl = {
        .min_access_size = 1,
        .max_access_size = 4,
    },
};
					
						
static void grlib_ahb_pnp_realize(DeviceState *dev, Error **errp)
{
    AHBPnp *ahb_pnp = GRLIB_AHB_PNP(dev);
    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
    MemoryRegion *mr = &ahb_pnp->iomem;

    /*
     * Expose the 0x1000-byte register file as a sysbus MMIO region.  The
     * region size is the same constant that sizes regs[], which is what
     * keeps the read handler's indexing in bounds.  Nothing here can
     * fail, so errp is never set.
     */
    memory_region_init_io(mr, OBJECT(dev), &grlib_ahb_pnp_ops, ahb_pnp,
                          TYPE_GRLIB_AHB_PNP, GRLIB_PNP_MAX_REGS);
    sysbus_init_mmio(sbd, mr);
}
					
						
static void grlib_ahb_pnp_class_init(ObjectClass *klass, void *data)
{
    /*
     * Only realize is hooked up; no properties, reset handler or VMState
     * are registered here.
     */
    DEVICE_CLASS(klass)->realize = grlib_ahb_pnp_realize;
}
					
						
/* QOM registration for the AHB PnP device (TYPE_GRLIB_AHB_PNP). */
static const TypeInfo grlib_ahb_pnp_info = {
    .name          = TYPE_GRLIB_AHB_PNP,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(AHBPnp),
    .class_init    = grlib_ahb_pnp_class_init,
};
					
						
/* APBPnp */

/* APB plug-and-play table device. */
typedef struct APBPnp {
    SysBusDevice parent_obj;
    /* GRLIB_PNP_MAX_REGS-byte MMIO window onto regs[], set up in realize. */
    MemoryRegion iomem;

    /*
     * The table as the guest reads it, one 32-bit word per index; each
     * entry takes two words (GRLIB_APB_ENTRY_SIZE bytes), see
     * grlib_apb_pnp_add_entry().  Guest MMIO writes never modify it.
     */
    uint32_t regs[GRLIB_PNP_MAX_REGS >> 2];
    /* Entries added so far; asserted < GRLIB_APB_MAX_DEV on each add. */
    uint32_t entry_count;
} APBPnp;
					
						
void grlib_apb_pnp_add_entry(APBPnp *dev, uint32_t address, uint32_t mask,
                             uint8_t vendor, uint16_t device, uint8_t version,
                             uint8_t irq, int type)
{
    /*
     * Append one entry to the APB table.
     *
     * An entry is GRLIB_APB_ENTRY_SIZE (8) bytes, i.e. two words:
     *
     *   word 0   31 -------- 23 -------- 11 ----- 9 ------- 4 --- 0
     *             | VENDOR ID | DEVICE ID | IRQ ? | VERSION | IRQ |
     *   word 1   31 ----------- 20 --- 15 ----------------- 3 ---- 0
     *             | ADDR[19..8]  | 0000 |        MASK       | TYPE |
     *
     * Word 0 gets vendor, device, version and irq overlaid on its current
     * contents; word 1 is rebuilt from TYPE, the 12-bit address field
     * taken from address[19..8], and MASK.  deposit32() truncates field
     * values to the field width rather than rejecting them.
     *
     * The assert is the sole bounds check on regs[]: 512 entries of
     * 8 bytes exactly fill the 0x1000-byte array.  This path is not
     * reachable from guest MMIO, whose writes are dropped by
     * grlib_apb_pnp_write().
     */
    unsigned int entry_idx;
    uint32_t ident;
    uint32_t bar;

    assert(dev->entry_count < GRLIB_APB_MAX_DEV);
    entry_idx = (dev->entry_count * GRLIB_APB_ENTRY_SIZE) >> 2;
    dev->entry_count++;

    /* Word 0: identification. */
    ident = dev->regs[entry_idx];
    ident = deposit32(ident, GRLIB_PNP_VENDOR_SHIFT, GRLIB_PNP_VENDOR_SIZE,
                      vendor);
    ident = deposit32(ident, GRLIB_PNP_DEV_SHIFT, GRLIB_PNP_DEV_SIZE,
                      device);
    ident = deposit32(ident, GRLIB_PNP_VER_SHIFT, GRLIB_PNP_VER_SIZE,
                      version);
    ident = deposit32(ident, GRLIB_PNP_IRQ_SHIFT, GRLIB_PNP_IRQ_SIZE, irq);
    dev->regs[entry_idx] = ident;

    /* Word 1: bank address register, built from scratch. */
    bar = type;
    bar = deposit32(bar, GRLIB_PNP_ADDR_SHIFT, GRLIB_PNP_ADDR_SIZE,
                    extract32(address, GRLIB_APB_DEV_ADDR_SHIFT,
                              GRLIB_APB_DEV_ADDR_SIZE));
    bar = deposit32(bar, GRLIB_PNP_MASK_SHIFT, GRLIB_PNP_MASK_SIZE, mask);
    dev->regs[entry_idx + 1] = bar;
}
					
						
static uint64_t grlib_apb_pnp_read(void *opaque, hwaddr offset, unsigned size)
{
    APBPnp *apb_pnp = GRLIB_APB_PNP(opaque);
    /*
     * offset is relative to a GRLIB_PNP_MAX_REGS-byte region and regs[]
     * is exactly that many bytes, so the word index cannot run off the
     * array.  Sub-word reads select the big-endian byte lane: the byte at
     * offset 0 of a word is its most significant byte.
     *
     * NOTE(review): the lane arithmetic assumes (offset & 3) + size <= 4,
     * which holds as long as the memory core only hands us aligned
     * accesses of at most .impl.max_access_size bytes — confirm if
     * .valid.unaligned is ever set on grlib_apb_pnp_ops.
     */
    uint32_t word = apb_pnp->regs[offset >> 2];
    unsigned lane_start = (4 - (offset & 3) - size) * 8;
    uint32_t val = extract32(word, lane_start, size * 8);

    trace_grlib_apb_pnp_read(offset, size, val);

    return val;
}
					
						
static void grlib_apb_pnp_write(void *opaque, hwaddr addr,
                                uint64_t val, unsigned size)
{
    /*
     * The APB PnP table is read-only for the guest: the write is dropped
     * and only reported under the LOG_UNIMP log mask, so nothing a guest
     * stores here can alter the entries installed by
     * grlib_apb_pnp_add_entry().
     */
    (void)opaque;
    (void)addr;
    (void)val;
    (void)size;
    qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
}
					
						
/*
 * MMIO dispatch for the APB PnP table.  Reads are served from regs[] with
 * big-endian byte lanes; writes are dropped by grlib_apb_pnp_write().
 * .impl confines what the handlers see to 1..4-byte accesses, so one
 * regs[] word always covers a request; wider guest accesses are split by
 * the memory core before they reach the handlers.  No .valid block is
 * given, so the core's default alignment handling applies (the read
 * handler's byte-lane arithmetic relies on accesses not straddling a
 * word).
 */
static const MemoryRegionOps grlib_apb_pnp_ops = {
    .read       = grlib_apb_pnp_read,
    .write      = grlib_apb_pnp_write,
    .endianness = DEVICE_BIG_ENDIAN,
    .impl = {
        .min_access_size = 1,
        .max_access_size = 4,
    },
};
					
						
static void grlib_apb_pnp_realize(DeviceState *dev, Error **errp)
{
    APBPnp *apb_pnp = GRLIB_APB_PNP(dev);
    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
    MemoryRegion *mr = &apb_pnp->iomem;

    /*
     * Expose the 0x1000-byte register file as a sysbus MMIO region.  The
     * region size is the same constant that sizes regs[], which is what
     * keeps the read handler's indexing in bounds.  Nothing here can
     * fail, so errp is never set.
     */
    memory_region_init_io(mr, OBJECT(dev), &grlib_apb_pnp_ops, apb_pnp,
                          TYPE_GRLIB_APB_PNP, GRLIB_PNP_MAX_REGS);
    sysbus_init_mmio(sbd, mr);
}
					
						
static void grlib_apb_pnp_class_init(ObjectClass *klass, void *data)
{
    /*
     * Only realize is hooked up; no properties, reset handler or VMState
     * are registered here.
     */
    DEVICE_CLASS(klass)->realize = grlib_apb_pnp_realize;
}
					
						
/* QOM registration for the APB PnP device (TYPE_GRLIB_APB_PNP). */
static const TypeInfo grlib_apb_pnp_info = {
    .name          = TYPE_GRLIB_APB_PNP,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(APBPnp),
    .class_init    = grlib_apb_pnp_class_init,
};
					
						
static void grlib_ahb_apb_pnp_register_types(void)
{
    /* Both PnP device types are registered from this one module init. */
    static const TypeInfo *const pnp_types[] = {
        &grlib_ahb_pnp_info,
        &grlib_apb_pnp_info,
    };

    for (size_t i = 0; i < sizeof(pnp_types) / sizeof(pnp_types[0]); i++) {
        type_register_static(pnp_types[i]);
    }
}

type_init(grlib_ahb_apb_pnp_register_types)