apb: Fix out-of-bounds array write access
1 /*
2 * QEMU Ultrasparc APB PCI host
3 *
4 * Copyright (c) 2006 Fabrice Bellard
5 * Copyright (c) 2012,2013 Artyom Tarasenko
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23 * THE SOFTWARE.
24 */
25
26 /* XXX This file and most of its contents are somewhat misnamed. The
27 Ultrasparc PCI host is called the PCI Bus Module (PBM). The APB is
28 the secondary PCI bridge. */
29
30 #include "hw/sysbus.h"
31 #include "hw/pci/pci.h"
32 #include "hw/pci/pci_host.h"
33 #include "hw/pci/pci_bridge.h"
34 #include "hw/pci/pci_bus.h"
35 #include "hw/pci-host/apb.h"
36 #include "sysemu/sysemu.h"
37 #include "exec/address-spaces.h"
38
/*
 * Debug tracing for the APB/PBM register and interrupt paths.
 * Uncomment DEBUG_APB to enable it.  When DEBUG_APB is not defined,
 * APB_DPRINTF expands to nothing, so its arguments are not evaluated.
 */
//#define DEBUG_APB

#ifdef DEBUG_APB
#define APB_DPRINTF(fmt, ...) \
do { printf("APB: " fmt , ## __VA_ARGS__); } while (0)
#else
#define APB_DPRINTF(fmt, ...)
#endif

/*
 * Debug tracing for the IOMMU register handlers; same scheme as above,
 * controlled by DEBUG_IOMMU.
 */
//#define DEBUG_IOMMU

#ifdef DEBUG_IOMMU
#define IOMMU_DPRINTF(fmt, ...) \
do { printf("IOMMU: " fmt , ## __VA_ARGS__); } while (0)
#else
#define IOMMU_DPRINTF(fmt, ...)
#endif
58
59 /*
60 * Chipset docs:
61 * PBM: "UltraSPARC IIi User's Manual",
62 * http://www.sun.com/processors/manuals/805-0087.pdf
63 *
64 * APB: "Advanced PCI Bridge (APB) User's Manual",
65 * http://www.sun.com/processors/manuals/805-1251.pdf
66 */
67
/*
 * Interrupt map register layout as used in this file: bit 31 is tested as
 * the enable bit, and the mask covers the remaining low 31 bits, which
 * guest writes to the map registers leave unchanged.
 */
#define PBM_PCI_IMR_MASK    0x7fffffff
#define PBM_PCI_IMR_ENABLED 0x80000000

/*
 * Reset control register bits.  On a guest write, bits in RESET_WCMASK
 * that are written as 1 are cleared in reset_control, and bits in
 * RESET_WMASK that are written as 1 are ORed into it.
 */
#define POR          (1U << 31)
#define SOFT_POR     (1U << 30)
#define SOFT_XIR     (1U << 29)
#define BTN_POR      (1U << 28)
#define BTN_XIR      (1U << 27)
#define RESET_MASK   0xf8000000
#define RESET_WCMASK 0x98000000
#define RESET_WMASK  0x60000000

/*
 * MAX_IVEC is the number of interrupt inputs allocated for the bridge.
 * NO_IRQ_REQUEST is the sentinel stored in APBState.irq_request when no
 * request is outstanding; it lies outside 0..MAX_IVEC-1 and must never be
 * used as an array index.
 */
#define MAX_IVEC 0x40
#define NO_IRQ_REQUEST (MAX_IVEC + 1)

/* IOMMU page sizes and the masks that select the page-aligned part. */
#define IOMMU_PAGE_SIZE_8K      (1ULL << 13)
#define IOMMU_PAGE_MASK_8K      (~(IOMMU_PAGE_SIZE_8K - 1))
#define IOMMU_PAGE_SIZE_64K     (1ULL << 16)
#define IOMMU_PAGE_MASK_64K     (~(IOMMU_PAGE_SIZE_64K - 1))

/* Number of 64-bit entries in IOMMUState.regs. */
#define IOMMU_NREGS             3

/*
 * IOMMU register byte offsets.  The code indexes IOMMUState.regs with
 * (offset >> 3), so every offset used that way must stay below
 * IOMMU_NREGS * 8.
 */
#define IOMMU_CTRL              0x0
#define IOMMU_CTRL_TBW_SIZE     (1ULL << 2)  /* selects the 64K TSB lookup */
#define IOMMU_CTRL_MMU_EN       (1ULL)       /* translation enabled */

#define IOMMU_CTRL_TSB_SHIFT    16           /* 3-bit TSB size field */

#define IOMMU_BASE              0x8          /* base address of the TSB */

/* Translation table entry (TTE) bits tested by pbm_translate_iommu(). */
#define IOMMU_TTE_DATA_V        (1ULL << 63) /* entry is valid */
#define IOMMU_TTE_DATA_SIZE     (1ULL << 61) /* entry maps a 64K page */
#define IOMMU_TTE_DATA_W        (1ULL << 1)  /* page is writable */

#define IOMMU_TTE_PHYS_MASK_8K  0x1ffffffe000ULL
#define IOMMU_TTE_PHYS_MASK_64K 0x1ffffff8000ULL

/* I/O address bits that select a TTE, per TSB size, for the 8K lookup. */
#define IOMMU_TSB_8K_OFFSET_MASK_8M    0x00000000007fe000ULL
#define IOMMU_TSB_8K_OFFSET_MASK_16M   0x0000000000ffe000ULL
#define IOMMU_TSB_8K_OFFSET_MASK_32M   0x0000000001ffe000ULL
#define IOMMU_TSB_8K_OFFSET_MASK_64M   0x0000000003ffe000ULL
#define IOMMU_TSB_8K_OFFSET_MASK_128M  0x0000000007ffe000ULL
#define IOMMU_TSB_8K_OFFSET_MASK_256M  0x000000000fffe000ULL
#define IOMMU_TSB_8K_OFFSET_MASK_512M  0x000000001fffe000ULL
#define IOMMU_TSB_8K_OFFSET_MASK_1G    0x000000003fffe000ULL

/* I/O address bits that select a TTE, per TSB size, for the 64K lookup. */
#define IOMMU_TSB_64K_OFFSET_MASK_64M  0x0000000003ff0000ULL
#define IOMMU_TSB_64K_OFFSET_MASK_128M 0x0000000007ff0000ULL
#define IOMMU_TSB_64K_OFFSET_MASK_256M 0x000000000fff0000ULL
#define IOMMU_TSB_64K_OFFSET_MASK_512M 0x000000001fff0000ULL
#define IOMMU_TSB_64K_OFFSET_MASK_1G   0x000000003fff0000ULL
#define IOMMU_TSB_64K_OFFSET_MASK_2G   0x000000007fff0000ULL
120
/* State of the PBM IOMMU: the translating region and its registers. */
typedef struct IOMMUState {
    AddressSpace iommu_as;  /* address space built on top of 'iommu' */
    MemoryRegion iommu;     /* IOMMU region, translated by pbm_iommu_ops */

    /*
     * Guest-programmed registers, indexed by (register byte offset >> 3).
     * Only indices below IOMMU_NREGS are valid.
     */
    uint64_t regs[IOMMU_NREGS];
} IOMMUState;
127
/* QOM type name of the host-facing part of the bridge. */
#define TYPE_APB "pbm"

/* Checked cast from a QOM object to APBState. */
#define APB_DEVICE(obj) \
    OBJECT_CHECK(APBState, (obj), TYPE_APB)

/*
 * Device state of the PBM host bridge.
 *
 * The three register arrays are indexed with values derived from guest
 * MMIO addresses in apb_config_writel()/apb_config_readl(); the masks used
 * there must keep every index inside the sizes declared here.
 */
typedef struct APBState {
    PCIHostState parent_obj;

    MemoryRegion apb_config;    /* bridge configuration registers */
    MemoryRegion pci_config;    /* PCI configuration space window */
    MemoryRegion pci_mmio;      /* PCI memory space */
    MemoryRegion pci_ioport;    /* alias onto the system I/O space */
    uint64_t pci_irq_in;        /* bit n set while interrupt input n is high */
    IOMMUState iommu;
    uint32_t pci_control[16];   /* indexed by (addr & 0x3f) >> 2 */
    uint32_t pci_irq_map[8];    /* indexed by INO >> 2 for INO 0..31 */
    uint32_t obio_irq_map[32];  /* indexed by INO - 32 for INO 32..63 */
    qemu_irq *pbm_irqs;         /* MAX_IVEC inputs, allocated at init */
    qemu_irq *ivec_irqs;        /* output lines passed to pci_apb_init() */
    unsigned int irq_request;   /* outstanding INO, or NO_IRQ_REQUEST */
    uint32_t reset_control;
    unsigned int nr_resets;     /* zero until the first device reset */
} APBState;
151
/*
 * Record irq_num as the outstanding interrupt request and raise the
 * matching interrupt vector line.
 *
 * NOTE(review): irq_num indexes s->ivec_irqs without a range check.  The
 * array is handed in through pci_apb_init(), so its length is not visible
 * here; callers must only pass values that fit it, and never
 * NO_IRQ_REQUEST.
 */
static inline void pbm_set_request(APBState *s, unsigned int irq_num)
{
    qemu_irq line;

    APB_DPRINTF("%s: request irq %d\n", __func__, irq_num);

    s->irq_request = irq_num;
    line = s->ivec_irqs[irq_num];
    qemu_set_irq(line, 1);
}
159
/*
 * Decide which interrupt request, if any, to submit next.
 *
 * An unacknowledged request is resubmitted as is.  Otherwise the pending
 * inputs are scanned from INO 0 upwards and the first one whose map
 * register has the enable bit set is requested.  INOs 0..31 use
 * pci_irq_map (one entry per four INOs), INOs 32..63 use obio_irq_map.
 */
static inline void pbm_check_irqs(APBState *s)
{
    unsigned int ino;

    if (s->irq_request != NO_IRQ_REQUEST) {
        /* The previous request has not been acknowledged yet: resubmit. */
        pbm_set_request(s, s->irq_request);
        return;
    }

    if (s->pci_irq_in == 0ULL) {
        /* Nothing is pending. */
        return;
    }

    for (ino = 0; ino < 64; ino++) {
        uint32_t map;

        if (!(s->pci_irq_in & (1ULL << ino))) {
            continue;
        }

        /* ino >> 2 is at most 7 and ino - 32 at most 31: both in bounds. */
        map = (ino < 32) ? s->pci_irq_map[ino >> 2]
                         : s->obio_irq_map[ino - 32];
        if (map & PBM_PCI_IMR_ENABLED) {
            pbm_set_request(s, ino);
            return;
        }
    }
}
191
/*
 * Lower interrupt vector line irq_num and mark that no request is
 * outstanding.
 *
 * NOTE(review): irq_num indexes s->ivec_irqs without a range check; callers
 * must pass a real INO, never NO_IRQ_REQUEST.
 */
static inline void pbm_clear_request(APBState *s, unsigned int irq_num)
{
    qemu_irq line;

    APB_DPRINTF("%s: clear request irq %d\n", __func__, irq_num);

    line = s->ivec_irqs[irq_num];
    qemu_set_irq(line, 0);
    s->irq_request = NO_IRQ_REQUEST;
}
198
/*
 * PCI IOMMU hook: return the IOMMU address space for DMA.
 *
 * opaque is the IOMMUState registered with pci_setup_iommu(); bus and devfn
 * are ignored, so every device is given the same address space.
 */
static AddressSpace *pbm_pci_dma_iommu(PCIBus *bus, void *opaque, int devfn)
{
    IOMMUState *iommu_state = opaque;
    AddressSpace *dma_as = &iommu_state->iommu_as;

    return dma_as;
}
205
/*
 * Translate an I/O virtual address through the PBM IOMMU.
 *
 * With the MMU enable bit clear the address is passed through unchanged
 * with read/write permission.  Otherwise the translation table entry (TTE)
 * for addr is loaded from the table whose base is in the IOMMU_BASE
 * register, and the result is built from it.  An entry with IOMMU_NONE
 * permission is returned for an unsupported TSB size or an invalid TTE.
 *
 * Both the table base and the control bits are guest-programmed through
 * iommu_config_write(), and the TTE is read from address_space_memory, so
 * every value used below is guest-controlled.
 */
static IOMMUTLBEntry pbm_translate_iommu(MemoryRegion *iommu, hwaddr addr)
{
    /* TTE-selecting address bits, indexed by the TSB size field. */
    static const uint64_t tsb_mask_64k[] = {
        IOMMU_TSB_64K_OFFSET_MASK_64M,
        IOMMU_TSB_64K_OFFSET_MASK_128M,
        IOMMU_TSB_64K_OFFSET_MASK_256M,
        IOMMU_TSB_64K_OFFSET_MASK_512M,
        IOMMU_TSB_64K_OFFSET_MASK_1G,
        IOMMU_TSB_64K_OFFSET_MASK_2G,
    };
    static const uint64_t tsb_mask_8k[] = {
        IOMMU_TSB_8K_OFFSET_MASK_8M,
        IOMMU_TSB_8K_OFFSET_MASK_16M,
        IOMMU_TSB_8K_OFFSET_MASK_32M,
        IOMMU_TSB_8K_OFFSET_MASK_64M,
        IOMMU_TSB_8K_OFFSET_MASK_128M,
        IOMMU_TSB_8K_OFFSET_MASK_256M,
        IOMMU_TSB_8K_OFFSET_MASK_512M,
        IOMMU_TSB_8K_OFFSET_MASK_1G,
    };
    IOMMUState *is = container_of(iommu, IOMMUState, iommu);
    const uint64_t ctrl = is->regs[IOMMU_CTRL >> 3];
    hwaddr tsb_base, tte_off;
    uint64_t tte;
    uint32_t tsbsize;
    IOMMUTLBEntry entry = {
        .target_as = &address_space_memory,
        .iova = 0,
        .translated_addr = 0,
        .addr_mask = ~(hwaddr)0,
        .perm = IOMMU_NONE,
    };

    if (!(ctrl & IOMMU_CTRL_MMU_EN)) {
        /* IOMMU disabled: pass through, using the standard 8K page. */
        entry.iova = addr & IOMMU_PAGE_MASK_8K;
        entry.translated_addr = addr;
        entry.addr_mask = IOMMU_PAGE_MASK_8K;
        entry.perm = IOMMU_RW;
        return entry;
    }

    tsb_base = is->regs[IOMMU_BASE >> 3];
    /* The field is three bits wide, so tsbsize is always 0..7. */
    tsbsize = (ctrl >> IOMMU_CTRL_TSB_SHIFT) & 0x7;

    if (ctrl & IOMMU_CTRL_TBW_SIZE) {
        /* 64K lookup: only sizes 0..5 are implemented. */
        if (tsbsize > 5) {
            return entry;
        }
        tte_off = (addr & tsb_mask_64k[tsbsize]) >> 13;
    } else {
        /* 8K lookup: all eight sizes are implemented. */
        tte_off = (addr & tsb_mask_8k[tsbsize]) >> 10;
    }

    tte = ldq_be_phys(&address_space_memory, tsb_base + tte_off);

    if (!(tte & IOMMU_TTE_DATA_V)) {
        /* Invalid mapping: the entry keeps IOMMU_NONE. */
        return entry;
    }

    entry.perm = (tte & IOMMU_TTE_DATA_W) ? IOMMU_RW : IOMMU_RO;

    /* Extract the physical page according to the page size in the TTE. */
    if (tte & IOMMU_TTE_DATA_SIZE) {
        entry.iova = addr & IOMMU_PAGE_MASK_64K;
        entry.translated_addr = tte & IOMMU_TTE_PHYS_MASK_64K;
        entry.addr_mask = (IOMMU_PAGE_SIZE_64K - 1);
    } else {
        entry.iova = addr & IOMMU_PAGE_MASK_8K;
        entry.translated_addr = tte & IOMMU_TTE_PHYS_MASK_8K;
        entry.addr_mask = (IOMMU_PAGE_SIZE_8K - 1);
    }

    return entry;
}
317
/* IOMMU callbacks for the region created in pci_apb_init(). */
static MemoryRegionIOMMUOps pbm_iommu_ops = {
    .translate = pbm_translate_iommu,
};
321
/*
 * Handle a guest write to an IOMMU register.
 *
 * addr is the byte offset of the register within the IOMMU block.  Only
 * the control and base registers are implemented; each is 64 bits wide and
 * may be written whole or as two 32-bit halves (offset +0 is the upper
 * half, offset +4 the lower half).  Any other offset is logged as
 * unimplemented and ignored, so is->regs is never indexed beyond entry 1
 * from here.
 */
static void iommu_config_write(void *opaque, hwaddr addr,
                               uint64_t val, unsigned size)
{
    IOMMUState *is = opaque;
    uint64_t *reg;

    IOMMU_DPRINTF("IOMMU config write: 0x%" HWADDR_PRIx " val: %" PRIx64
                  " size: %d\n", addr, val, size);

    switch (addr) {
    case IOMMU_CTRL:
    case IOMMU_BASE:
        /* addr >> 3 is 0 for the control and 1 for the base register. */
        reg = &is->regs[addr >> 3];
        if (size == 4) {
            /* 32-bit access at +0 replaces the upper half only. */
            *reg = (*reg & 0xffffffffULL) | (val << 32);
        } else {
            *reg = val;
        }
        break;
    case IOMMU_CTRL + 0x4:
    case IOMMU_BASE + 0x4:
        /* Access at +4 replaces the lower half only. */
        reg = &is->regs[addr >> 3];
        *reg = (*reg & 0xffffffff00000000ULL) | (val & 0xffffffffULL);
        break;
    default:
        qemu_log_mask(LOG_UNIMP,
                      "apb iommu: Unimplemented register write "
                      "reg 0x%" HWADDR_PRIx " size 0x%x value 0x%" PRIx64 "\n",
                      addr, size, val);
        break;
    }
}
363
/*
 * Handle a guest read of an IOMMU register.
 *
 * addr is the byte offset of the register within the IOMMU block.  The
 * control and base registers can be read whole or as 32-bit halves
 * (offset +0 returns the upper half for a 4-byte access, offset +4 the
 * lower half).  Any other offset is logged as unimplemented and reads as
 * zero.
 */
static uint64_t iommu_config_read(void *opaque, hwaddr addr, unsigned size)
{
    IOMMUState *is = opaque;
    uint64_t result;

    switch (addr) {
    case IOMMU_CTRL:
    case IOMMU_BASE:
        /* addr >> 3 is 0 for the control and 1 for the base register. */
        result = is->regs[addr >> 3];
        if (size == 4) {
            result >>= 32;
        }
        break;
    case IOMMU_CTRL + 0x4:
    case IOMMU_BASE + 0x4:
        result = is->regs[addr >> 3] & 0xffffffffULL;
        break;
    default:
        qemu_log_mask(LOG_UNIMP,
                      "apb iommu: Unimplemented register read "
                      "reg 0x%" HWADDR_PRIx " size 0x%x\n",
                      addr, size);
        result = 0;
        break;
    }

    IOMMU_DPRINTF("IOMMU config read: 0x%" HWADDR_PRIx " val: %" PRIx64
                  " size: %d\n", addr, result, size);

    return result;
}
404
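/*
 * MMIO write handler for the PBM configuration region ("apb-config").
 *
 * opaque is the APBState; the low 16 bits of addr select the register.
 * Every array index below is derived from the guest-supplied addr, so each
 * one is masked to a range that fits the array it indexes:
 *   pci_irq_map[8]   <- (addr & 0x3f) >> 3   (0..7)
 *   obio_irq_map[32] <- (addr & 0xff) >> 3   (0..16 for 0x1000..0x1080)
 *   pci_control[16]  <- (addr & 0x3f) >> 2   (0..11 for 0x2000..0x202f)
 * Keep the case ranges and the masks in step when changing either.
 */
static void apb_config_writel (void *opaque, hwaddr addr,
                               uint64_t val, unsigned size)
{
    APBState *s = opaque;
    IOMMUState *is = &s->iommu;

    APB_DPRINTF("%s: addr " TARGET_FMT_plx " val %" PRIx64 "\n", __func__, addr, val);

    switch (addr & 0xffff) {
    case 0x30 ... 0x4f: /* DMA error registers */
        /* XXX: not implemented yet */
        break;
    case 0x200 ... 0x217: /* IOMMU */
        /*
         * Pass the offset within the 0x200..0x217 window.  Masking with
         * 0xf would fold 0x210..0x217 onto the control register at offset
         * 0; with 0x1f those offsets reach the unimplemented-register path
         * of iommu_config_write() instead of overwriting IOMMU_CTRL.
         */
        iommu_config_write(is, (addr & 0x1f), val, size);
        break;
    case 0xc00 ... 0xc3f: /* PCI interrupt control */
        if (addr & 4) {
            unsigned int ino = (addr & 0x3f) >> 3;

            /* Only the bits outside PBM_PCI_IMR_MASK are guest-writable. */
            s->pci_irq_map[ino] &= PBM_PCI_IMR_MASK;
            s->pci_irq_map[ino] |= val & ~PBM_PCI_IMR_MASK;
            if ((s->irq_request == ino) && !(val & ~PBM_PCI_IMR_MASK)) {
                pbm_clear_request(s, ino);
            }
            pbm_check_irqs(s);
        }
        break;
    case 0x1000 ... 0x1080: /* OBIO interrupt control */
        if (addr & 4) {
            unsigned int ino = ((addr & 0xff) >> 3);

            s->obio_irq_map[ino] &= PBM_PCI_IMR_MASK;
            s->obio_irq_map[ino] |= val & ~PBM_PCI_IMR_MASK;
            /* OBIO INOs are offset by 0x20 in irq_request. */
            if ((s->irq_request == (ino | 0x20))
                 && !(val & ~PBM_PCI_IMR_MASK)) {
                pbm_clear_request(s, ino | 0x20);
            }
            pbm_check_irqs(s);
        }
        break;
    case 0x1400 ... 0x14ff: /* PCI interrupt clear */
        if (addr & 4) {
            unsigned int ino = (addr & 0xff) >> 5;

            /*
             * ino is 0..7 here.  NO_IRQ_REQUEST / 4 is 16, so the sentinel
             * never matches and is never passed to pbm_clear_request().
             */
            if ((s->irq_request / 4)  == ino) {
                pbm_clear_request(s, s->irq_request);
                pbm_check_irqs(s);
            }
        }
        break;
    case 0x1800 ... 0x1860: /* OBIO interrupt clear */
        if (addr & 4) {
            unsigned int ino = ((addr & 0xff) >> 3) | 0x20;

            if (s->irq_request == ino) {
                pbm_clear_request(s, ino);
                pbm_check_irqs(s);
            }
        }
        break;
    case 0x2000 ... 0x202f: /* PCI control */
        s->pci_control[(addr & 0x3f) >> 2] = val;
        break;
    case 0xf020 ... 0xf027: /* Reset control */
        if (addr & 4) {
            val &= RESET_MASK;
            /* Write-one-to-clear bits, then the plain writable bits. */
            s->reset_control &= ~(val & RESET_WCMASK);
            s->reset_control |= val & RESET_WMASK;
            if (val & SOFT_POR) {
                /* Make the next device reset look like a power-on reset. */
                s->nr_resets = 0;
                qemu_system_reset_request();
            } else if (val & SOFT_XIR) {
                qemu_system_reset_request();
            }
        }
        break;
    case 0x5000 ... 0x51cf: /* PIO/DMA diagnostics */
    case 0xa400 ... 0xa67f: /* IOMMU diagnostics */
    case 0xa800 ... 0xa80f: /* Interrupt diagnostics */
    case 0xf000 ... 0xf01f: /* FFB config, memory control */
        /* we don't care */
    default:
        break;
    }
}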
486
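/*
 * MMIO read handler for the PBM configuration region ("apb-config").
 *
 * opaque is the APBState; the low 16 bits of addr select the register.
 * Array indices are derived from the guest-supplied addr with the same
 * masks as in apb_config_writel(), which keep them inside pci_irq_map[8],
 * obio_irq_map[32] and pci_control[16].  Unimplemented registers read as
 * zero.
 */
static uint64_t apb_config_readl (void *opaque,
                                  hwaddr addr, unsigned size)
{
    APBState *s = opaque;
    IOMMUState *is = &s->iommu;
    /*
     * 64 bits wide: iommu_config_read() returns a full 64-bit register for
     * 8-byte accesses, which a 32-bit local would silently truncate.
     */
    uint64_t val;

    switch (addr & 0xffff) {
    case 0x30 ... 0x4f: /* DMA error registers */
        val = 0;
        /* XXX: not implemented yet */
        break;
    case 0x200 ... 0x217: /* IOMMU */
        /*
         * Pass the offset within the 0x200..0x217 window.  Masking with
         * 0xf would make 0x210..0x217 read back the control register;
         * with 0x1f they take the unimplemented-register path and read
         * as zero.
         */
        val = iommu_config_read(is, (addr & 0x1f), size);
        break;
    case 0xc00 ... 0xc3f: /* PCI interrupt control */
        if (addr & 4) {
            val = s->pci_irq_map[(addr & 0x3f) >> 3];
        } else {
            val = 0;
        }
        break;
    case 0x1000 ... 0x1080: /* OBIO interrupt control */
        if (addr & 4) {
            val = s->obio_irq_map[(addr & 0xff) >> 3];
        } else {
            val = 0;
        }
        break;
    case 0x2000 ... 0x202f: /* PCI control */
        val = s->pci_control[(addr & 0x3f) >> 2];
        break;
    case 0xf020 ... 0xf027: /* Reset control */
        if (addr & 4) {
            val = s->reset_control;
        } else {
            val = 0;
        }
        break;
    case 0x5000 ... 0x51cf: /* PIO/DMA diagnostics */
    case 0xa400 ... 0xa67f: /* IOMMU diagnostics */
    case 0xa800 ... 0xa80f: /* Interrupt diagnostics */
    case 0xf000 ... 0xf01f: /* FFB config, memory control */
        /* we don't care */
    default:
        val = 0;
        break;
    }
    APB_DPRINTF("%s: addr " TARGET_FMT_plx " -> %" PRIx64 "\n", __func__, addr, val);

    return val;
}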
539
/*
 * Access callbacks for the "apb-config" region.
 *
 * NOTE(review): no .valid or .impl access-size limits are set here, so the
 * handlers see whatever sizes and alignments the memory core lets through
 * by default; they rely on their own address masks for bounds safety.
 */
static const MemoryRegionOps apb_config_ops = {
    .read = apb_config_readl,
    .write = apb_config_writel,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
545
/*
 * MMIO write handler for the PCI configuration space window.
 *
 * The value is byte-swapped for the access size and then forwarded to the
 * host bridge's bus with the window offset as the configuration address.
 */
static void apb_pci_config_write(void *opaque, hwaddr addr,
                                 uint64_t val, unsigned size)
{
    PCIHostState *host = PCI_HOST_BRIDGE(opaque);
    uint64_t swapped = qemu_bswap_len(val, size);

    APB_DPRINTF("%s: addr " TARGET_FMT_plx " val %" PRIx64 "\n", __func__, addr, swapped);
    pci_data_write(host->bus, addr, swapped, size);
}
556
/*
 * MMIO read handler for the PCI configuration space window.
 *
 * Reads from the host bridge's bus with the window offset as the
 * configuration address and byte-swaps the result for the access size.
 * The result is kept in 32 bits, as configuration reads are.
 */
static uint64_t apb_pci_config_read(void *opaque, hwaddr addr,
                                    unsigned size)
{
    PCIHostState *host = PCI_HOST_BRIDGE(opaque);
    uint32_t data = pci_data_read(host->bus, addr, size);

    data = qemu_bswap_len(data, size);
    APB_DPRINTF("%s: addr " TARGET_FMT_plx " -> %x\n", __func__, addr, data);
    return data;
}
569
/*
 * IRQ mapping for devices behind an APB secondary bridge: the host has one
 * IRQ line for each IRQ line of each slot.  Bits 3 and 4 of devfn select a
 * group of four lines and irq_num picks the line within the group.
 */
static int pci_apb_map_irq(PCIDevice *pci_dev, int irq_num)
{
    int group_base = (pci_dev->devfn & 0x18) >> 1;

    return group_base + irq_num;
}
575
/*
 * IRQ mapping for the PBM root bus.  Odd device functions are offset by
 * 16; the slot number selects a group of four lines.  The final mask keeps
 * the result in 0..31, matching the 32 IRQs registered for the bus.
 */
static int pci_pbm_map_irq(PCIDevice *pci_dev, int irq_num)
{
    int bus_offset = (pci_dev->devfn & 1) ? 16 : 0;
    int slot_base = PCI_SLOT(pci_dev->devfn) << 2;

    return (bus_offset + slot_base + irq_num) & 0x1f;
}
585
/*
 * Input IRQ handler: track the level of interrupt input irq_num and, on a
 * rising level, request the interrupt if its map register enables it.
 *
 * Inputs 0..31 are PCI interrupts, the remaining ones are OBIO interrupts.
 * irq_num is used as a shift count on a 64-bit mask and as an index into
 * the map arrays, so it must stay within 0..63.
 *
 * NOTE(review): unlike the OBIO path, the PCI path raises a request even
 * when another one is already outstanding -- confirm this is intended.
 */
static void pci_apb_set_irq(void *opaque, int irq_num, int level)
{
    APBState *s = opaque;
    const uint64_t input_bit = 1ULL << irq_num;

    APB_DPRINTF("%s: set irq_in %d level %d\n", __func__, irq_num, level);

    if (irq_num < 32) {
        /* PCI IRQ map onto the first 32 INO. */
        if (!level) {
            s->pci_irq_in &= ~input_bit;
            return;
        }
        s->pci_irq_in |= input_bit;
        if (s->pci_irq_map[irq_num >> 2] & PBM_PCI_IMR_ENABLED) {
            pbm_set_request(s, irq_num);
        }
        return;
    }

    /* OBIO IRQ map onto the next 32 INO. */
    if (!level) {
        s->pci_irq_in &= ~input_bit;
        return;
    }
    APB_DPRINTF("%s: set irq %d level %d\n", __func__, irq_num, level);
    s->pci_irq_in |= input_bit;
    if ((s->irq_request == NO_IRQ_REQUEST)
        && (s->obio_irq_map[irq_num - 32] & PBM_PCI_IMR_ENABLED)) {
        pbm_set_request(s, irq_num);
    }
}
615
/*
 * Initialise an APB secondary PCI bridge device.
 *
 * Runs the generic bridge initialisation and then sets the reset values of
 * the command and status registers.  Returns a negative value if the
 * generic initialisation fails, 0 otherwise.
 */
static int apb_pci_bridge_initfn(PCIDevice *dev)
{
    const int err = pci_bridge_initfn(dev, TYPE_PCI_BUS);

    if (err < 0) {
        return err;
    }

    /*
     * command register:
     * According to PCI bridge spec, after reset
     *   bus master bit is off
     *   memory space enable bit is off
     * According to manual (805-1251.pdf).
     *   the reset value should be zero unless the boot pin is tied high
     *   (which is true) and thus it should be PCI_COMMAND_MEMORY.
     */
    pci_set_word(dev->config + PCI_COMMAND, PCI_COMMAND_MEMORY);
    pci_set_word(dev->config + PCI_STATUS,
                 PCI_STATUS_FAST_BACK | PCI_STATUS_66MHZ |
                 PCI_STATUS_DEVSEL_MEDIUM);

    return 0;
}
641
/*
 * Create and wire up the Ultrasparc PBM host bridge.
 *
 * special_base is where the configuration registers are mapped; PCI
 * configuration space and the I/O port window follow at fixed offsets.
 * mem_base is where the PCI memory window is mapped.  ivec_irqs are the
 * interrupt vector lines the bridge drives.  On return *pbm_irqs holds the
 * bridge's input IRQs and *bus2 / *bus3 the secondary buses of the two APB
 * bridges.  Returns the root PCI bus.
 *
 * NOTE(review): ivec_irqs is stored without a length; the interrupt code
 * indexes it with INOs up to 63, so the caller must supply at least that
 * many lines -- confirm against the machine code.
 */
PCIBus *pci_apb_init(hwaddr special_base,
                     hwaddr mem_base,
                     qemu_irq *ivec_irqs, PCIBus **bus2, PCIBus **bus3,
                     qemu_irq **pbm_irqs)
{
    static const char *const bridge_names[2] = {
        "Advanced PCI Bus secondary bridge 1",
        "Advanced PCI Bus secondary bridge 2",
    };
    PCIBus **sec_bus_out[2] = { bus2, bus3 };
    DeviceState *host_dev;
    SysBusDevice *sbd;
    PCIHostState *phb;
    APBState *apb;
    IOMMUState *is;
    int fn;

    /* Ultrasparc PBM main bus */
    host_dev = qdev_create(NULL, TYPE_APB);
    qdev_init_nofail(host_dev);
    sbd = SYS_BUS_DEVICE(host_dev);
    /* apb_config */
    sysbus_mmio_map(sbd, 0, special_base);
    /* PCI configuration space */
    sysbus_mmio_map(sbd, 1, special_base + 0x1000000ULL);
    /* pci_ioport */
    sysbus_mmio_map(sbd, 2, special_base + 0x2000000ULL);
    apb = APB_DEVICE(host_dev);

    memory_region_init(&apb->pci_mmio, OBJECT(sbd), "pci-mmio", 0x100000000ULL);
    memory_region_add_subregion(get_system_memory(), mem_base, &apb->pci_mmio);

    phb = PCI_HOST_BRIDGE(host_dev);
    phb->bus = pci_register_bus(DEVICE(phb), "pci",
                                pci_apb_set_irq, pci_pbm_map_irq, apb,
                                &apb->pci_mmio,
                                get_system_io(),
                                0, 32, TYPE_PCI_BUS);

    *pbm_irqs = apb->pbm_irqs;
    apb->ivec_irqs = ivec_irqs;

    pci_create_simple(phb->bus, 0, "pbm-pci");

    /* APB IOMMU: start from all-zero registers, i.e. translation off. */
    is = &apb->iommu;
    memset(is, 0, sizeof(*is));

    memory_region_init_iommu(&is->iommu, OBJECT(host_dev), &pbm_iommu_ops,
                             "iommu-apb", UINT64_MAX);
    address_space_init(&is->iommu_as, &is->iommu, "pbm-as");
    pci_setup_iommu(phb->bus, pbm_pci_dma_iommu, is);

    /* APB secondary busses: functions 0 and 1 of slot 1. */
    for (fn = 0; fn < 2; fn++) {
        PCIDevice *bridge_dev;
        PCIBridge *br;

        bridge_dev = pci_create_multifunction(phb->bus, PCI_DEVFN(1, fn), true,
                                              "pbm-bridge");
        br = PCI_BRIDGE(bridge_dev);
        pci_bridge_map_irq(br, bridge_names[fn], pci_apb_map_irq);
        qdev_init_nofail(&bridge_dev->qdev);
        *sec_bus_out[fn] = pci_bridge_get_sec_bus(br);
    }

    return phb->bus;
}
710
/*
 * Device reset handler for the PBM host bridge.
 *
 * Clears the enable bit in every interrupt map register, drops any
 * outstanding request and pending inputs, and reports a power-on reset in
 * reset_control when this is the first reset since nr_resets was zeroed.
 */
static void pci_pbm_reset(DeviceState *d)
{
    APBState *s = APB_DEVICE(d);
    unsigned int idx;

    /* Loop bounds match the declared sizes of the two map arrays. */
    for (idx = 0; idx < 8; idx++) {
        s->pci_irq_map[idx] &= PBM_PCI_IMR_MASK;
    }
    for (idx = 0; idx < 32; idx++) {
        s->obio_irq_map[idx] &= PBM_PCI_IMR_MASK;
    }

    s->irq_request = NO_IRQ_REQUEST;
    s->pci_irq_in = 0ULL;

    if (s->nr_resets++ == 0) {
        /* Power on reset */
        s->reset_control = POR;
    }
}
731
/*
 * Access callbacks for the "apb-pci-config" region.  The region is
 * declared native-endian; the handlers byte-swap values themselves with
 * qemu_bswap_len().
 */
static const MemoryRegionOps pci_config_ops = {
    .read = apb_pci_config_read,
    .write = apb_pci_config_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
737
/*
 * SysBus init handler for the PBM host bridge.
 *
 * Fills the interrupt map registers with their initial values, allocates
 * the MAX_IVEC input IRQs and creates the three MMIO regions in the order
 * pci_apb_init() maps them: configuration registers (0), PCI configuration
 * space (1) and the I/O port alias (2).  Always returns 0.
 */
static int pci_pbm_init_device(SysBusDevice *dev)
{
    APBState *s = APB_DEVICE(dev);
    unsigned int idx;

    /* Loop bounds match the declared sizes of the two map arrays. */
    for (idx = 0; idx < 8; idx++) {
        s->pci_irq_map[idx] = (0x1f << 6) | (idx << 2);
    }
    for (idx = 0; idx < 32; idx++) {
        s->obio_irq_map[idx] = ((0x1f << 6) | 0x20) + idx;
    }
    s->pbm_irqs = qemu_allocate_irqs(pci_apb_set_irq, s, MAX_IVEC);
    s->irq_request = NO_IRQ_REQUEST;
    s->pci_irq_in = 0ULL;

    /* Region 0: apb_config, 64K of bridge registers. */
    memory_region_init_io(&s->apb_config, OBJECT(s), &apb_config_ops, s,
                          "apb-config", 0x10000);
    sysbus_init_mmio(dev, &s->apb_config);

    /* Region 1: PCI configuration space window. */
    memory_region_init_io(&s->pci_config, OBJECT(s), &pci_config_ops, s,
                          "apb-pci-config", 0x1000000);
    sysbus_init_mmio(dev, &s->pci_config);

    /* Region 2: pci_ioport, an alias onto the system I/O space. */
    memory_region_init_alias(&s->pci_ioport, OBJECT(s), "apb-pci-ioport",
                             get_system_io(), 0, 0x10000);
    sysbus_init_mmio(dev, &s->pci_ioport);

    return 0;
}
773
/*
 * Init handler for the PCI-facing part of the host bridge: sets the
 * initial command register (memory space and bus master enabled) and the
 * status register.  Always returns 0.
 */
static int pbm_pci_host_init(PCIDevice *d)
{
    uint8_t *cfg = d->config;

    pci_set_word(cfg + PCI_COMMAND,
                 PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
    pci_set_word(cfg + PCI_STATUS,
                 PCI_STATUS_FAST_BACK | PCI_STATUS_66MHZ |
                 PCI_STATUS_DEVSEL_MEDIUM);

    return 0;
}
783
/* Class initialiser for the "pbm-pci" device type. */
static void pbm_pci_host_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dev_class = DEVICE_CLASS(klass);
    PCIDeviceClass *pci_class = PCI_DEVICE_CLASS(klass);

    pci_class->init = pbm_pci_host_init;
    pci_class->vendor_id = PCI_VENDOR_ID_SUN;
    pci_class->device_id = PCI_DEVICE_ID_SUN_SABRE;
    pci_class->class_id = PCI_CLASS_BRIDGE_HOST;

    /*
     * PCI-facing part of the host bridge, not usable without the
     * host-facing part, which can't be device_add'ed, yet.
     */
    dev_class->cannot_instantiate_with_device_add_yet = true;
}
799
/* QOM type for the PCI-facing part of the host bridge. */
static const TypeInfo pbm_pci_host_info = {
    .name = "pbm-pci",
    .parent = TYPE_PCI_DEVICE,
    .instance_size = sizeof(PCIDevice),
    .class_init = pbm_pci_host_class_init,
};
806
/*
 * Class initialiser for the host-facing bridge type (TYPE_APB): installs
 * the SysBus init and device reset handlers and files the device under
 * the bridge category.
 */
static void pbm_host_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbd_class = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *dev_class = DEVICE_CLASS(klass);

    sbd_class->init = pci_pbm_init_device;
    dev_class->reset = pci_pbm_reset;
    set_bit(DEVICE_CATEGORY_BRIDGE, dev_class->categories);
}
816
/* QOM type for the host-facing part of the bridge; instances are APBState. */
static const TypeInfo pbm_host_info = {
    .name = TYPE_APB,
    .parent = TYPE_PCI_HOST_BRIDGE,
    .instance_size = sizeof(APBState),
    .class_init = pbm_host_class_init,
};
823
/*
 * Class initialiser for the "pbm-bridge" device type: an APB secondary
 * PCI bridge built on the generic PCI bridge helpers.
 */
static void pbm_pci_bridge_class_init(ObjectClass *klass, void *data)
{
    PCIDeviceClass *pci_class = PCI_DEVICE_CLASS(klass);
    DeviceClass *dev_class = DEVICE_CLASS(klass);

    /* PCI identity */
    pci_class->vendor_id = PCI_VENDOR_ID_SUN;
    pci_class->device_id = PCI_DEVICE_ID_SUN_SIMBA;
    pci_class->revision = 0x11;
    pci_class->is_bridge = 1;

    /* PCI callbacks */
    pci_class->init = apb_pci_bridge_initfn;
    pci_class->exit = pci_bridge_exitfn;
    pci_class->config_write = pci_bridge_write_config;

    /* Generic device hooks */
    set_bit(DEVICE_CATEGORY_BRIDGE, dev_class->categories);
    dev_class->reset = pci_bridge_reset;
    dev_class->vmsd = &vmstate_pci_device;
}
840
/* QOM type for the APB secondary PCI bridges created in pci_apb_init(). */
static const TypeInfo pbm_pci_bridge_info = {
    .name = "pbm-bridge",
    .parent = TYPE_PCI_BRIDGE,
    .class_init = pbm_pci_bridge_class_init,
};
846
/* Register the three QOM types defined in this file. */
static void pbm_register_types(void)
{
    static const TypeInfo *const pbm_types[] = {
        &pbm_host_info,
        &pbm_pci_host_info,
        &pbm_pci_bridge_info,
    };
    size_t n;

    for (n = 0; n < sizeof(pbm_types) / sizeof(pbm_types[0]); n++) {
        type_register_static(pbm_types[n]);
    }
}

type_init(pbm_register_types)