mirror of
				https://github.com/qemu/qemu.git
				synced 2025-10-26 12:03:40 +00:00 
			
		
		
		
	 f234501c67
			
		
	
	
		f234501c67
		
	
	
	
	
		
			
			Devices incorrectly modelled might use invalid index while calling sysbus_mmio_get_region(), leading to OOB access. Help developers by asserting the index is in range. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20200806130945.21629-3-f4bug@amsat.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
		
			
				
	
	
		
			366 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			366 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  *  System (CPU) Bus device support code
 | |
|  *
 | |
|  *  Copyright (c) 2009 CodeSourcery
 | |
|  *
 | |
|  * This library is free software; you can redistribute it and/or
 | |
|  * modify it under the terms of the GNU Lesser General Public
 | |
|  * License as published by the Free Software Foundation; either
 | |
|  * version 2 of the License, or (at your option) any later version.
 | |
|  *
 | |
|  * This library is distributed in the hope that it will be useful,
 | |
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 | |
|  * Lesser General Public License for more details.
 | |
|  *
 | |
|  * You should have received a copy of the GNU Lesser General Public
 | |
|  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 | |
|  */
 | |
| 
 | |
| #include "qemu/osdep.h"
 | |
| #include "qapi/error.h"
 | |
| #include "qemu/module.h"
 | |
| #include "hw/sysbus.h"
 | |
| #include "monitor/monitor.h"
 | |
| #include "exec/address-spaces.h"
 | |
| 
 | |
| static void sysbus_dev_print(Monitor *mon, DeviceState *dev, int indent);
 | |
| static char *sysbus_get_fw_dev_path(DeviceState *dev);
 | |
| 
 | |
| typedef struct SysBusFind {
 | |
|     void *opaque;
 | |
|     FindSysbusDeviceFunc *func;
 | |
| } SysBusFind;
 | |
| 
 | |
| /* Run func() for every sysbus device, traverse the tree for everything else */
 | |
| static int find_sysbus_device(Object *obj, void *opaque)
 | |
| {
 | |
|     SysBusFind *find = opaque;
 | |
|     Object *dev;
 | |
|     SysBusDevice *sbdev;
 | |
| 
 | |
|     dev = object_dynamic_cast(obj, TYPE_SYS_BUS_DEVICE);
 | |
|     sbdev = (SysBusDevice *)dev;
 | |
| 
 | |
|     if (!sbdev) {
 | |
|         /* Container, traverse it for children */
 | |
|         return object_child_foreach(obj, find_sysbus_device, opaque);
 | |
|     }
 | |
| 
 | |
|     find->func(sbdev, find->opaque);
 | |
| 
 | |
|     return 0;
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Loop through all dynamically created sysbus devices and call
 | |
|  * func() for each instance.
 | |
|  */
 | |
| void foreach_dynamic_sysbus_device(FindSysbusDeviceFunc *func, void *opaque)
 | |
| {
 | |
|     Object *container;
 | |
|     SysBusFind find = {
 | |
|         .func = func,
 | |
|         .opaque = opaque,
 | |
|     };
 | |
| 
 | |
|     /* Loop through all sysbus devices that were spawned outside the machine */
 | |
|     container = container_get(qdev_get_machine(), "/peripheral");
 | |
|     find_sysbus_device(container, &find);
 | |
|     container = container_get(qdev_get_machine(), "/peripheral-anon");
 | |
|     find_sysbus_device(container, &find);
 | |
| }
 | |
| 
 | |
| 
 | |
| static void system_bus_class_init(ObjectClass *klass, void *data)
 | |
| {
 | |
|     BusClass *k = BUS_CLASS(klass);
 | |
| 
 | |
|     k->print_dev = sysbus_dev_print;
 | |
|     k->get_fw_dev_path = sysbus_get_fw_dev_path;
 | |
| }
 | |
| 
 | |
| static const TypeInfo system_bus_info = {
 | |
|     .name = TYPE_SYSTEM_BUS,
 | |
|     .parent = TYPE_BUS,
 | |
|     .instance_size = sizeof(BusState),
 | |
|     .class_init = system_bus_class_init,
 | |
| };
 | |
| 
 | |
| /* Check whether an IRQ source exists */
 | |
| bool sysbus_has_irq(SysBusDevice *dev, int n)
 | |
| {
 | |
|     char *prop = g_strdup_printf("%s[%d]", SYSBUS_DEVICE_GPIO_IRQ, n);
 | |
|     ObjectProperty *r;
 | |
| 
 | |
|     r = object_property_find(OBJECT(dev), prop, NULL);
 | |
|     g_free(prop);
 | |
| 
 | |
|     return (r != NULL);
 | |
| }
 | |
| 
 | |
| bool sysbus_is_irq_connected(SysBusDevice *dev, int n)
 | |
| {
 | |
|     return !!sysbus_get_connected_irq(dev, n);
 | |
| }
 | |
| 
 | |
| qemu_irq sysbus_get_connected_irq(SysBusDevice *dev, int n)
 | |
| {
 | |
|     DeviceState *d = DEVICE(dev);
 | |
|     return qdev_get_gpio_out_connector(d, SYSBUS_DEVICE_GPIO_IRQ, n);
 | |
| }
 | |
| 
 | |
| void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq irq)
 | |
| {
 | |
|     SysBusDeviceClass *sbd = SYS_BUS_DEVICE_GET_CLASS(dev);
 | |
| 
 | |
|     qdev_connect_gpio_out_named(DEVICE(dev), SYSBUS_DEVICE_GPIO_IRQ, n, irq);
 | |
| 
 | |
|     if (sbd->connect_irq_notifier) {
 | |
|         sbd->connect_irq_notifier(dev, irq);
 | |
|     }
 | |
| }
 | |
| 
 | |
| /* Check whether an MMIO region exists */
 | |
| bool sysbus_has_mmio(SysBusDevice *dev, unsigned int n)
 | |
| {
 | |
|     return (n < dev->num_mmio);
 | |
| }
 | |
| 
 | |
| static void sysbus_mmio_map_common(SysBusDevice *dev, int n, hwaddr addr,
 | |
|                                    bool may_overlap, int priority)
 | |
| {
 | |
|     assert(n >= 0 && n < dev->num_mmio);
 | |
| 
 | |
|     if (dev->mmio[n].addr == addr) {
 | |
|         /* ??? region already mapped here.  */
 | |
|         return;
 | |
|     }
 | |
|     if (dev->mmio[n].addr != (hwaddr)-1) {
 | |
|         /* Unregister previous mapping.  */
 | |
|         memory_region_del_subregion(get_system_memory(), dev->mmio[n].memory);
 | |
|     }
 | |
|     dev->mmio[n].addr = addr;
 | |
|     if (may_overlap) {
 | |
|         memory_region_add_subregion_overlap(get_system_memory(),
 | |
|                                             addr,
 | |
|                                             dev->mmio[n].memory,
 | |
|                                             priority);
 | |
|     }
 | |
|     else {
 | |
|         memory_region_add_subregion(get_system_memory(),
 | |
|                                     addr,
 | |
|                                     dev->mmio[n].memory);
 | |
|     }
 | |
| }
 | |
| 
 | |
| void sysbus_mmio_unmap(SysBusDevice *dev, int n)
 | |
| {
 | |
|     assert(n >= 0 && n < dev->num_mmio);
 | |
| 
 | |
|     if (dev->mmio[n].addr != (hwaddr)-1) {
 | |
|         memory_region_del_subregion(get_system_memory(), dev->mmio[n].memory);
 | |
|         dev->mmio[n].addr = (hwaddr)-1;
 | |
|     }
 | |
| }
 | |
| 
 | |
| void sysbus_mmio_map(SysBusDevice *dev, int n, hwaddr addr)
 | |
| {
 | |
|     sysbus_mmio_map_common(dev, n, addr, false, 0);
 | |
| }
 | |
| 
 | |
| void sysbus_mmio_map_overlap(SysBusDevice *dev, int n, hwaddr addr,
 | |
|                              int priority)
 | |
| {
 | |
|     sysbus_mmio_map_common(dev, n, addr, true, priority);
 | |
| }
 | |
| 
 | |
| /* Request an IRQ source.  The actual IRQ object may be populated later.  */
 | |
| void sysbus_init_irq(SysBusDevice *dev, qemu_irq *p)
 | |
| {
 | |
|     qdev_init_gpio_out_named(DEVICE(dev), p, SYSBUS_DEVICE_GPIO_IRQ, 1);
 | |
| }
 | |
| 
 | |
| /* Pass IRQs from a target device.  */
 | |
| void sysbus_pass_irq(SysBusDevice *dev, SysBusDevice *target)
 | |
| {
 | |
|     qdev_pass_gpios(DEVICE(target), DEVICE(dev), SYSBUS_DEVICE_GPIO_IRQ);
 | |
| }
 | |
| 
 | |
| void sysbus_init_mmio(SysBusDevice *dev, MemoryRegion *memory)
 | |
| {
 | |
|     int n;
 | |
| 
 | |
|     assert(dev->num_mmio < QDEV_MAX_MMIO);
 | |
|     n = dev->num_mmio++;
 | |
|     dev->mmio[n].addr = -1;
 | |
|     dev->mmio[n].memory = memory;
 | |
| }
 | |
| 
 | |
| MemoryRegion *sysbus_mmio_get_region(SysBusDevice *dev, int n)
 | |
| {
 | |
|     assert(n >= 0 && n < QDEV_MAX_MMIO);
 | |
|     return dev->mmio[n].memory;
 | |
| }
 | |
| 
 | |
| void sysbus_init_ioports(SysBusDevice *dev, uint32_t ioport, uint32_t size)
 | |
| {
 | |
|     uint32_t i;
 | |
| 
 | |
|     for (i = 0; i < size; i++) {
 | |
|         assert(dev->num_pio < QDEV_MAX_PIO);
 | |
|         dev->pio[dev->num_pio++] = ioport++;
 | |
|     }
 | |
| }
 | |
| 
 | |
| /* The purpose of preserving this empty realize function
 | |
|  * is to prevent the parent_realize field of some subclasses
 | |
|  * from being set to NULL to break the normal init/realize
 | |
|  * of some devices.
 | |
|  */
 | |
| static void sysbus_device_realize(DeviceState *dev, Error **errp)
 | |
| {
 | |
| }
 | |
| 
 | |
| DeviceState *sysbus_create_varargs(const char *name,
 | |
|                                    hwaddr addr, ...)
 | |
| {
 | |
|     DeviceState *dev;
 | |
|     SysBusDevice *s;
 | |
|     va_list va;
 | |
|     qemu_irq irq;
 | |
|     int n;
 | |
| 
 | |
|     dev = qdev_new(name);
 | |
|     s = SYS_BUS_DEVICE(dev);
 | |
|     sysbus_realize_and_unref(s, &error_fatal);
 | |
|     if (addr != (hwaddr)-1) {
 | |
|         sysbus_mmio_map(s, 0, addr);
 | |
|     }
 | |
|     va_start(va, addr);
 | |
|     n = 0;
 | |
|     while (1) {
 | |
|         irq = va_arg(va, qemu_irq);
 | |
|         if (!irq) {
 | |
|             break;
 | |
|         }
 | |
|         sysbus_connect_irq(s, n, irq);
 | |
|         n++;
 | |
|     }
 | |
|     va_end(va);
 | |
|     return dev;
 | |
| }
 | |
| 
 | |
| bool sysbus_realize(SysBusDevice *dev, Error **errp)
 | |
| {
 | |
|     return qdev_realize(DEVICE(dev), sysbus_get_default(), errp);
 | |
| }
 | |
| 
 | |
| bool sysbus_realize_and_unref(SysBusDevice *dev, Error **errp)
 | |
| {
 | |
|     return qdev_realize_and_unref(DEVICE(dev), sysbus_get_default(), errp);
 | |
| }
 | |
| 
 | |
| static void sysbus_dev_print(Monitor *mon, DeviceState *dev, int indent)
 | |
| {
 | |
|     SysBusDevice *s = SYS_BUS_DEVICE(dev);
 | |
|     hwaddr size;
 | |
|     int i;
 | |
| 
 | |
|     for (i = 0; i < s->num_mmio; i++) {
 | |
|         size = memory_region_size(s->mmio[i].memory);
 | |
|         monitor_printf(mon, "%*smmio " TARGET_FMT_plx "/" TARGET_FMT_plx "\n",
 | |
|                        indent, "", s->mmio[i].addr, size);
 | |
|     }
 | |
| }
 | |
| 
 | |
| static char *sysbus_get_fw_dev_path(DeviceState *dev)
 | |
| {
 | |
|     SysBusDevice *s = SYS_BUS_DEVICE(dev);
 | |
|     SysBusDeviceClass *sbc = SYS_BUS_DEVICE_GET_CLASS(s);
 | |
|     char *addr, *fw_dev_path;
 | |
| 
 | |
|     if (sbc->explicit_ofw_unit_address) {
 | |
|         addr = sbc->explicit_ofw_unit_address(s);
 | |
|         if (addr) {
 | |
|             fw_dev_path = g_strdup_printf("%s@%s", qdev_fw_name(dev), addr);
 | |
|             g_free(addr);
 | |
|             return fw_dev_path;
 | |
|         }
 | |
|     }
 | |
|     if (s->num_mmio) {
 | |
|         return g_strdup_printf("%s@" TARGET_FMT_plx, qdev_fw_name(dev),
 | |
|                                s->mmio[0].addr);
 | |
|     }
 | |
|     if (s->num_pio) {
 | |
|         return g_strdup_printf("%s@i%04x", qdev_fw_name(dev), s->pio[0]);
 | |
|     }
 | |
|     return g_strdup(qdev_fw_name(dev));
 | |
| }
 | |
| 
 | |
| void sysbus_add_io(SysBusDevice *dev, hwaddr addr,
 | |
|                        MemoryRegion *mem)
 | |
| {
 | |
|     memory_region_add_subregion(get_system_io(), addr, mem);
 | |
| }
 | |
| 
 | |
| MemoryRegion *sysbus_address_space(SysBusDevice *dev)
 | |
| {
 | |
|     return get_system_memory();
 | |
| }
 | |
| 
 | |
| static void sysbus_device_class_init(ObjectClass *klass, void *data)
 | |
| {
 | |
|     DeviceClass *k = DEVICE_CLASS(klass);
 | |
|     k->realize = sysbus_device_realize;
 | |
|     k->bus_type = TYPE_SYSTEM_BUS;
 | |
|     /*
 | |
|      * device_add plugs devices into a suitable bus.  For "real" buses,
 | |
|      * that actually connects the device.  For sysbus, the connections
 | |
|      * need to be made separately, and device_add can't do that.  The
 | |
|      * device would be left unconnected, and will probably not work
 | |
|      *
 | |
|      * However, a few machines can handle device_add/-device with
 | |
|      * a few specific sysbus devices. In those cases, the device
 | |
|      * subclass needs to override it and set user_creatable=true.
 | |
|      */
 | |
|     k->user_creatable = false;
 | |
| }
 | |
| 
 | |
| static const TypeInfo sysbus_device_type_info = {
 | |
|     .name = TYPE_SYS_BUS_DEVICE,
 | |
|     .parent = TYPE_DEVICE,
 | |
|     .instance_size = sizeof(SysBusDevice),
 | |
|     .abstract = true,
 | |
|     .class_size = sizeof(SysBusDeviceClass),
 | |
|     .class_init = sysbus_device_class_init,
 | |
| };
 | |
| 
 | |
| static BusState *main_system_bus;
 | |
| 
 | |
| static void main_system_bus_create(void)
 | |
| {
 | |
|     /* assign main_system_bus before qbus_create_inplace()
 | |
|      * in order to make "if (bus != sysbus_get_default())" work */
 | |
|     main_system_bus = g_malloc0(system_bus_info.instance_size);
 | |
|     qbus_create_inplace(main_system_bus, system_bus_info.instance_size,
 | |
|                         TYPE_SYSTEM_BUS, NULL, "main-system-bus");
 | |
|     OBJECT(main_system_bus)->free = g_free;
 | |
| }
 | |
| 
 | |
| BusState *sysbus_get_default(void)
 | |
| {
 | |
|     if (!main_system_bus) {
 | |
|         main_system_bus_create();
 | |
|     }
 | |
|     return main_system_bus;
 | |
| }
 | |
| 
 | |
| static void sysbus_register_types(void)
 | |
| {
 | |
|     type_register_static(&system_bus_info);
 | |
|     type_register_static(&sysbus_device_type_info);
 | |
| }
 | |
| 
 | |
| type_init(sysbus_register_types)
 |