net: mipsnet: check packet length against buffer
1 #include "qemu/osdep.h"
2 #include "hw/hw.h"
3 #include "net/net.h"
4 #include "trace.h"
5 #include "hw/sysbus.h"
6
/* MIPSnet register offsets (byte offsets within the MMIO region; the
 * handlers below mask the address with 0x3f before decoding it). */

#define MIPSNET_DEV_ID 0x00
#define MIPSNET_BUSY 0x08
#define MIPSNET_RX_DATA_COUNT 0x0c
#define MIPSNET_TX_DATA_COUNT 0x10
#define MIPSNET_INT_CTL 0x14
/* Bits of MIPSNET_INT_CTL: interrupt status on read, acknowledge on write. */
# define MIPSNET_INTCTL_TXDONE 0x00000001
# define MIPSNET_INTCTL_RXDONE 0x00000002
# define MIPSNET_INTCTL_TESTBIT 0x80000000
#define MIPSNET_INTERRUPT_INFO 0x18
#define MIPSNET_RX_DATA_BUFFER 0x1c
#define MIPSNET_TX_DATA_BUFFER 0x20

/* Size of rx_buffer/tx_buffer.  Every index derived from a guest-written or
 * migrated counter must stay strictly below this value before it is used. */
#define MAX_ETH_FRAME_SIZE 1514

#define TYPE_MIPS_NET "mipsnet"
#define MIPS_NET(obj) OBJECT_CHECK(MIPSnetState, (obj), TYPE_MIPS_NET)
25
/*
 * Device state for the MIPSnet simulator NIC.  The rx_*/tx_* counters are
 * indices into the fixed-size frame buffers and are driven by the MMIO
 * handlers; they are also migrated verbatim (see vmstate_mipsnet).
 */
typedef struct MIPSnetState {
    SysBusDevice parent_obj;

    uint32_t busy;        /* non-zero: device refuses new RX frames (cleared by an INT_CTL write) */
    uint32_t rx_count;    /* bytes of the received frame the guest has not read yet */
    uint32_t rx_read;     /* index of the next byte returned by MIPSNET_RX_DATA_BUFFER */
    uint32_t tx_count;    /* frame length programmed via MIPSNET_TX_DATA_COUNT (0..MAX_ETH_FRAME_SIZE) */
    uint32_t tx_written;  /* bytes written so far via MIPSNET_TX_DATA_BUFFER */
    uint32_t intctl;      /* pending MIPSNET_INTCTL_* bits; any set bit raises the IRQ */
    uint8_t rx_buffer[MAX_ETH_FRAME_SIZE];
    uint8_t tx_buffer[MAX_ETH_FRAME_SIZE];
    MemoryRegion io;
    qemu_irq irq;
    NICState *nic;
    NICConf conf;
} MIPSnetState;
42
/*
 * Return the device to its power-on state: busy, no RX/TX in progress,
 * no pending interrupts, both frame buffers zeroed.
 */
static void mipsnet_reset(MIPSnetState *s)
{
    s->busy = 1;
    s->rx_count = s->rx_read = 0;
    s->tx_count = s->tx_written = 0;
    s->intctl = 0;
    memset(s->rx_buffer, 0, sizeof(s->rx_buffer));
    memset(s->tx_buffer, 0, sizeof(s->tx_buffer));
}
54
/* Drive the IRQ line from intctl: asserted while any interrupt bit is set. */
static void mipsnet_update_irq(MIPSnetState *s)
{
    int level = (s->intctl != 0);

    trace_mipsnet_irq(level, s->intctl);
    qemu_set_irq(s->irq, level);
}
61
/*
 * 1 when the RX buffer still holds a whole frame's worth of unread bytes,
 * 0 otherwise.
 */
static int mipsnet_buffer_full(MIPSnetState *s)
{
    return (s->rx_count >= MAX_ETH_FRAME_SIZE) ? 1 : 0;
}
68
/*
 * Non-zero when a new frame may be delivered: the device is not busy and
 * the RX buffer is not full.
 */
static int mipsnet_can_receive(NetClientState *nc)
{
    MIPSnetState *s = qemu_get_nic_opaque(nc);

    return !s->busy && !mipsnet_buffer_full(s);
}
77
/*
 * NetClientInfo.receive callback: copy an incoming frame into rx_buffer and
 * raise RXDONE.
 *
 * Returns the number of bytes consumed, or 0 when the frame is not taken
 * (device busy, buffer not drained, or frame too large for rx_buffer).
 * NOTE(review): 0 tells the net layer the packet was not consumed; presumably
 * it stays queued and is retried on the next flush — confirm that an
 * oversized frame cannot sit at the head of the queue indefinitely.
 */
static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t size)
{
    MIPSnetState *s = qemu_get_nic_opaque(nc);

    trace_mipsnet_receive(size);

    /*
     * The length check is what keeps the memcpy below inside rx_buffer;
     * "size" comes from the network backend, not from this device.
     * (>= means a frame of exactly sizeof(rx_buffer) bytes is refused too.)
     */
    if (!mipsnet_can_receive(nc) || size >= sizeof(s->rx_buffer)) {
        return 0;
    }

    s->busy = 1;
    memcpy(s->rx_buffer, buf, size);
    s->rx_count = size;
    s->rx_read = 0;

    /* Frame is in place; tell the guest. */
    s->intctl |= MIPSNET_INTCTL_RXDONE;
    mipsnet_update_irq(s);

    return size;
}
105
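/*
 * MMIO read handler.
 *
 * @opaque: the MIPSnetState
 * @addr:   offset within the region; only the low 6 bits are decoded
 * @size:   access width (unused; the ops table limits it to 1..4 bytes)
 *
 * Returns the register value.  Reading MIPSNET_INT_CTL clears the TESTBIT
 * flag; reading MIPSNET_RX_DATA_BUFFER pops one byte of the received frame.
 */
static uint64_t mipsnet_ioport_read(void *opaque, hwaddr addr,
                                    unsigned int size)
{
    MIPSnetState *s = opaque;
    uint32_t ret = 0;

    addr &= 0x3f;
    switch (addr) {
    case MIPSNET_DEV_ID:
        ret = be32_to_cpu(0x4d495053); /* "MIPS" */
        break;
    case MIPSNET_DEV_ID + 4:
        ret = be32_to_cpu(0x4e455430); /* "NET0" */
        break;
    case MIPSNET_BUSY:
        ret = s->busy;
        break;
    case MIPSNET_RX_DATA_COUNT:
        ret = s->rx_count;
        break;
    case MIPSNET_TX_DATA_COUNT:
        ret = s->tx_count;
        break;
    case MIPSNET_INT_CTL:
        /* Read-to-clear for the test interrupt only. */
        ret = s->intctl;
        s->intctl &= ~MIPSNET_INTCTL_TESTBIT;
        break;
    case MIPSNET_INTERRUPT_INFO:
        /* XXX: This seems to be a per-VPE interrupt number. */
        ret = 0;
        break;
    case MIPSNET_RX_DATA_BUFFER:
        if (s->rx_count) {
            s->rx_count--;
            /*
             * For state produced by mipsnet_receive, rx_read + rx_count never
             * exceeds the accepted frame length, so the index is in range.
             * The bound is defence in depth for state that arrived another
             * way (e.g. a migration stream) and keeps the read inside
             * rx_buffer regardless.
             */
            if (s->rx_read < MAX_ETH_FRAME_SIZE) {
                ret = s->rx_buffer[s->rx_read];
            }
            s->rx_read++;
            /* Draining the buffer may have made room for a queued packet. */
            if (mipsnet_can_receive(s->nic->ncs)) {
                qemu_flush_queued_packets(qemu_get_queue(s->nic));
            }
        }
        break;
    /* Reads as zero. */
    case MIPSNET_TX_DATA_BUFFER:
    default:
        break;
    }
    trace_mipsnet_read(addr, ret);
    return ret;
}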
154
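/*
 * MMIO write handler.
 *
 * @opaque: the MIPSnetState
 * @addr:   offset within the region; only the low 6 bits are decoded
 * @val:    value written (truncated to one byte for the TX data register)
 * @size:   access width (unused; the ops table limits it to 1..4 bytes)
 *
 * MIPSNET_TX_DATA_COUNT programs the frame length, MIPSNET_TX_DATA_BUFFER
 * appends one byte and transmits once the programmed length is reached,
 * MIPSNET_INT_CTL acknowledges interrupts (or resets the device via TESTBIT).
 */
static void mipsnet_ioport_write(void *opaque, hwaddr addr,
                                 uint64_t val, unsigned int size)
{
    MIPSnetState *s = opaque;

    addr &= 0x3f;
    trace_mipsnet_write(addr, val);
    switch (addr) {
    case MIPSNET_TX_DATA_COUNT:
        /* A length larger than the buffer is treated as "nothing to send". */
        s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? val : 0;
        s->tx_written = 0;
        break;
    case MIPSNET_INT_CTL:
        if (val & MIPSNET_INTCTL_TXDONE) {
            s->intctl &= ~MIPSNET_INTCTL_TXDONE;
        } else if (val & MIPSNET_INTCTL_RXDONE) {
            s->intctl &= ~MIPSNET_INTCTL_RXDONE;
        } else if (val & MIPSNET_INTCTL_TESTBIT) {
            mipsnet_reset(s);
            s->intctl |= MIPSNET_INTCTL_TESTBIT;
        } else if (!val) {
            /* ACK testbit interrupt, flag was cleared on read. */
        }
        /* The device stays busy while any interrupt is still pending. */
        s->busy = !!s->intctl;
        mipsnet_update_irq(s);
        if (mipsnet_can_receive(s->nic->ncs)) {
            qemu_flush_queued_packets(qemu_get_queue(s->nic));
        }
        break;
    case MIPSNET_TX_DATA_BUFFER:
        /*
         * tx_written is guest-driven and was previously only reset when it
         * hit tx_count exactly; with tx_count == 0 (or a guest that keeps
         * writing) the index would run past tx_buffer.  Bound the store
         * itself and treat a full buffer as the end of the frame.
         */
        if (s->tx_written < MAX_ETH_FRAME_SIZE) {
            s->tx_buffer[s->tx_written++] = val;
        }
        if (s->tx_written == s->tx_count
            || s->tx_written >= MAX_ETH_FRAME_SIZE) {
            /* Send buffer.  With no programmed length there is nothing to send. */
            trace_mipsnet_send(s->tx_count);
            if (s->tx_count) {
                qemu_send_packet(qemu_get_queue(s->nic), s->tx_buffer,
                                 s->tx_count);
            }
            s->tx_count = s->tx_written = 0;
            s->intctl |= MIPSNET_INTCTL_TXDONE;
            s->busy = 1;
            mipsnet_update_irq(s);
        }
        break;
    /* Read-only registers */
    case MIPSNET_DEV_ID:
    case MIPSNET_BUSY:
    case MIPSNET_RX_DATA_COUNT:
    case MIPSNET_INTERRUPT_INFO:
    case MIPSNET_RX_DATA_BUFFER:
    default:
        break;
    }
}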
206
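/*
 * Migration post-load hook.  The counters below are restored verbatim and
 * then used as indices into rx_buffer/tx_buffer by the MMIO handlers, so
 * reject any stream whose values could not have been produced by this
 * device: rx_read + rx_count must fit in the buffer, tx_count must not
 * exceed it, and tx_written must still be a valid store index.
 *
 * Returns 0 on success, -1 to fail the migration.
 */
static int mipsnet_post_load(void *opaque, int version_id)
{
    MIPSnetState *s = opaque;

    if (s->rx_count > MAX_ETH_FRAME_SIZE
        || s->rx_read > MAX_ETH_FRAME_SIZE - s->rx_count) {
        return -1;
    }
    if (s->tx_count > MAX_ETH_FRAME_SIZE
        || s->tx_written >= MAX_ETH_FRAME_SIZE) {
        return -1;
    }
    return 0;
}

/* Stream format is unchanged; only validation was added, so version 0 stays. */
static const VMStateDescription vmstate_mipsnet = {
    .name = "mipsnet",
    .version_id = 0,
    .minimum_version_id = 0,
    .post_load = mipsnet_post_load,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(busy, MIPSnetState),
        VMSTATE_UINT32(rx_count, MIPSnetState),
        VMSTATE_UINT32(rx_read, MIPSnetState),
        VMSTATE_UINT32(tx_count, MIPSnetState),
        VMSTATE_UINT32(tx_written, MIPSnetState),
        VMSTATE_UINT32(intctl, MIPSnetState),
        VMSTATE_BUFFER(rx_buffer, MIPSnetState),
        VMSTATE_BUFFER(tx_buffer, MIPSnetState),
        VMSTATE_END_OF_LIST()
    }
};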
223
/*
 * Net client callbacks.  No .can_receive is registered, so readiness is
 * enforced inside mipsnet_receive itself (it returns 0 when the device
 * cannot take a frame).
 */
static NetClientInfo net_mipsnet_info = {
    .type = NET_CLIENT_OPTIONS_KIND_NIC,
    .size = sizeof(NICState),
    .receive = mipsnet_receive,
};
229
/* MMIO dispatch for the register window; accesses are 1..4 bytes wide. */
static const MemoryRegionOps mipsnet_ioport_ops = {
    .read = mipsnet_ioport_read,
    .write = mipsnet_ioport_write,
    .impl.min_access_size = 1,
    .impl.max_access_size = 4,
};
236
/*
 * SysBus init: map the register window, expose the IRQ and create the NIC.
 *
 * The region is 36 bytes (0x24), i.e. up to and including the 4-byte
 * MIPSNET_TX_DATA_BUFFER register, even though the handlers decode
 * addr & 0x3f; presumably the region size is what bounds guest accesses.
 * Always returns 0.
 */
static int mipsnet_sysbus_init(SysBusDevice *sbd)
{
    DeviceState *dev = DEVICE(sbd);
    MIPSnetState *s = MIPS_NET(dev);

    memory_region_init_io(&s->io, OBJECT(dev), &mipsnet_ioport_ops, s,
                          "mipsnet-io", 36);
    sysbus_init_mmio(sbd, &s->io);
    sysbus_init_irq(sbd, &s->irq);

    s->nic = qemu_new_nic(&net_mipsnet_info, &s->conf,
                          object_get_typename(OBJECT(dev)), dev->id, s);
    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);

    return 0;
}
253
/* DeviceClass.reset hook: delegate to the register-level reset. */
static void mipsnet_sysbus_reset(DeviceState *dev)
{
    mipsnet_reset(MIPS_NET(dev));
}
259
/* User-settable properties: the standard NIC options (MAC address, netdev). */
static Property mipsnet_properties[] = {
    DEFINE_NIC_PROPERTIES(MIPSnetState, conf),
    DEFINE_PROP_END_OF_LIST(),
};
264
/* Wire the device-class hooks: init, reset, migration state and properties. */
static void mipsnet_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *dc = DEVICE_CLASS(klass);

    sbc->init = mipsnet_sysbus_init;
    dc->desc = "MIPS Simulator network device";
    dc->reset = mipsnet_sysbus_reset;
    dc->vmsd = &vmstate_mipsnet;
    dc->props = mipsnet_properties;
    set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
}
277
/* QOM type description: a SysBus device carrying a MIPSnetState instance. */
static const TypeInfo mipsnet_info = {
    .name = TYPE_MIPS_NET,
    .parent = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(MIPSnetState),
    .class_init = mipsnet_class_init,
};
284
/* Register the mipsnet type with QOM. */
static void mipsnet_register_types(void)
{
    type_register_static(&mipsnet_info);
}
289
/* Hook the type registration into QEMU's module initialisation. */
type_init(mipsnet_register_types)