3202b2628b
The i.MX USB Phy driver does not check register ranges, resulting in out of bounds accesses if an attempt is made to access non-existing PHY registers. Add range check and conditionally report bad accesses to fix the problem. While at it, also conditionally log attempted writes to non-existing or read-only registers. Reported-by: Qiang Liu <cyruscyliu@gmail.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Qiang Liu <cyruscyliu@gmail.com> Message-id: 20230316234926.208874-1-linux@roeck-us.net Link: https://gitlab.com/qemu-project/qemu/-/issues/1408 Fixes: 0701a5efa015 ("hw/usb: Add basic i.MX USB Phy support") Signed-off-by: Guenter Roeck <linux@roeck-us.net> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
/*
* i.MX USB PHY
*
* Copyright (c) 2020 Guenter Roeck <linux@roeck-us.net>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*
* We need to implement basic reset control in the PHY control register.
* For everything else, it is sufficient to set whatever is written.
*/
#include "qemu/osdep.h"
#include "hw/usb/imx-usb-phy.h"
#include "migration/vmstate.h"
#include "qemu/log.h"
#include "qemu/module.h"
/*
 * Migration description for the PHY. The only field listed is the usbphy[]
 * register array, declared here as USBPHY_MAX 32-bit words; the same bound
 * is what the MMIO read handler checks an index against.
 */
static const VMStateDescription vmstate_imx_usbphy = {
    .name = TYPE_IMX_USBPHY,
    .minimum_version_id = 1,
    .version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32_ARRAY(usbphy, IMXUSBPHYState, USBPHY_MAX),
        VMSTATE_END_OF_LIST()
    },
};
/*
 * Soft reset: load fixed values into the PWD, TX, RX and CTRL registers.
 *
 * Called at the end of the device reset handler and from the write handler
 * whenever a write leaves USBPHY_CTRL_SFTRST requested. Only named register
 * indices are touched, so no guest-supplied index reaches this function.
 */
static void imx_usbphy_softreset(IMXUSBPHYState *s)
{
    uint32_t *regs = s->usbphy;

    regs[USBPHY_PWD] = 0x001e1c00;
    regs[USBPHY_TX] = 0x10060607;
    regs[USBPHY_RX] = 0x00000000;
    regs[USBPHY_CTRL] = 0xc0200000;
}
/*
 * Device reset handler (installed as dc->reset in class_init).
 *
 * Loads fixed values into the STATUS, DEBUG, DEBUG0_STATUS, DEBUG1 and
 * VERSION registers, then runs the soft reset to set up the remaining
 * registers (PWD, TX, RX, CTRL).
 */
static void imx_usbphy_reset(DeviceState *dev)
{
    IMXUSBPHYState *phy = IMX_USBPHY(dev);
    uint32_t *regs = phy->usbphy;

    regs[USBPHY_STATUS] = 0x00000000;
    regs[USBPHY_DEBUG] = 0x7f180000;
    regs[USBPHY_DEBUG0_STATUS] = 0x00000000;
    regs[USBPHY_DEBUG1] = 0x00001000;
    regs[USBPHY_VERSION] = 0x04020000;

    imx_usbphy_softreset(phy);
}
/*
 * MMIO read handler.
 *
 * @opaque: the IMXUSBPHYState registered with the memory region
 * @offset: byte offset of the access inside the region
 * @size:   access size (unused; the ops table restricts accesses to 4 bytes)
 *
 * Returns the 32-bit register value, widened to 64 bits.
 *
 * The offset is chosen by the guest and the region set up in realize is
 * 0x1000 bytes, so the word index derived from it may lie beyond the
 * usbphy[] array. Every array access below is therefore either through a
 * named register case or guarded by the USBPHY_MAX comparison; an index
 * outside the array reads as 0 and is reported under LOG_GUEST_ERROR.
 */
static uint64_t imx_usbphy_read(void *opaque, hwaddr offset, unsigned size)
{
    IMXUSBPHYState *s = opaque;
    uint32_t reg = offset >> 2;

    switch (reg) {
    case USBPHY_PWD_SET:
    case USBPHY_TX_SET:
    case USBPHY_RX_SET:
    case USBPHY_CTRL_SET:
    case USBPHY_DEBUG_SET:
    case USBPHY_DEBUG1_SET:
        /* A REG_NAME_SET access reads back the REG_NAME register itself. */
        return s->usbphy[reg - 1];

    case USBPHY_PWD_CLR:
    case USBPHY_TX_CLR:
    case USBPHY_RX_CLR:
    case USBPHY_CTRL_CLR:
    case USBPHY_DEBUG_CLR:
    case USBPHY_DEBUG1_CLR:
        /* A REG_NAME_CLR access reads back the REG_NAME register itself. */
        return s->usbphy[reg - 2];

    case USBPHY_PWD_TOG:
    case USBPHY_TX_TOG:
    case USBPHY_RX_TOG:
    case USBPHY_CTRL_TOG:
    case USBPHY_DEBUG_TOG:
    case USBPHY_DEBUG1_TOG:
        /* A REG_NAME_TOG access reads back the REG_NAME register itself. */
        return s->usbphy[reg - 3];

    default:
        break;
    }

    /* Range check: never index usbphy[] with an unvalidated guest offset. */
    if (reg >= USBPHY_MAX) {
        qemu_log_mask(LOG_GUEST_ERROR,
                      "%s: Read from non-existing USB PHY register 0x%"
                      HWADDR_PRIx "\n",
                      __func__, offset);
        return 0;
    }

    return s->usbphy[reg];
}
/*
 * MMIO write handler.
 *
 * @opaque: the IMXUSBPHYState registered with the memory region
 * @offset: byte offset of the access inside the region
 * @value:  value written by the guest; stored into 32-bit registers, so
 *          only the low 32 bits are kept
 * @size:   access size (unused; the ops table restricts accesses to 4 bytes)
 *
 * Only the explicitly listed register indices are ever used to index
 * usbphy[]. Any other index, whether it names a read-only register or lies
 * outside the array, falls through to the default branch, which stores
 * nothing and reports the access under LOG_GUEST_ERROR.
 *
 * Writes that set USBPHY_CTRL_SFTRST in the CTRL register (directly, via
 * CTRL_SET, or via CTRL_TOG when the bit ends up set) trigger a soft reset.
 */
static void imx_usbphy_write(void *opaque, hwaddr offset, uint64_t value,
                             unsigned size)
{
    IMXUSBPHYState *s = opaque;
    uint32_t reg = offset >> 2;

    switch (reg) {
    case USBPHY_PWD:
    case USBPHY_TX:
    case USBPHY_RX:
    case USBPHY_CTRL:
    case USBPHY_STATUS:
    case USBPHY_DEBUG:
    case USBPHY_DEBUG1:
        /* Plain register: store the value as written. */
        s->usbphy[reg] = value;
        if (reg == USBPHY_CTRL && (value & USBPHY_CTRL_SFTRST)) {
            imx_usbphy_softreset(s);
        }
        break;

    case USBPHY_PWD_SET:
    case USBPHY_TX_SET:
    case USBPHY_RX_SET:
    case USBPHY_CTRL_SET:
    case USBPHY_DEBUG_SET:
    case USBPHY_DEBUG1_SET:
        /*
         * REG_NAME_SET targets the REG_NAME register one slot below:
         * set the bits passed in the value.
         */
        s->usbphy[reg - 1] |= value;
        if (reg == USBPHY_CTRL_SET && (value & USBPHY_CTRL_SFTRST)) {
            imx_usbphy_softreset(s);
        }
        break;

    case USBPHY_PWD_CLR:
    case USBPHY_TX_CLR:
    case USBPHY_RX_CLR:
    case USBPHY_CTRL_CLR:
    case USBPHY_DEBUG_CLR:
    case USBPHY_DEBUG1_CLR:
        /*
         * REG_NAME_CLR targets the REG_NAME register two slots below:
         * clear the bits passed in the value.
         */
        s->usbphy[reg - 2] &= ~value;
        break;

    case USBPHY_PWD_TOG:
    case USBPHY_TX_TOG:
    case USBPHY_RX_TOG:
    case USBPHY_CTRL_TOG:
    case USBPHY_DEBUG_TOG:
    case USBPHY_DEBUG1_TOG:
        /*
         * REG_NAME_TOG targets the REG_NAME register three slots below:
         * toggle the bits passed in the value.
         */
        s->usbphy[reg - 3] ^= value;
        /* A toggle resets only if it leaves SFTRST set in CTRL. */
        if (reg == USBPHY_CTRL_TOG &&
            (value & USBPHY_CTRL_SFTRST) &&
            (s->usbphy[reg - 3] & USBPHY_CTRL_SFTRST)) {
            imx_usbphy_softreset(s);
        }
        break;

    default:
        /* Other registers are read-only or do not exist: no store. */
        qemu_log_mask(LOG_GUEST_ERROR,
                      "%s: Write to %s USB PHY register 0x%"
                      HWADDR_PRIx "\n",
                      __func__,
                      index >= USBPHY_MAX ? "non-existing" : "read-only",
                      offset);
        break;
    }
}
/*
 * Access callbacks and constraints for the PHY's MMIO region.
 *
 * The .valid limits fix the access size at 4 bytes and reject unaligned
 * accesses, so the handlers only have to deal with whole 32-bit registers.
 * They do not bound the offset itself; the handlers check that.
 */
static const struct MemoryRegionOps imx_usbphy_ops = {
    .endianness = DEVICE_NATIVE_ENDIAN,
    .read = imx_usbphy_read,
    .write = imx_usbphy_write,
    .valid = {
        /*
         * The model would misbehave on unaligned guest accesses. Real
         * hardware may not have this restriction, but in practice a guest
         * has no reason to access this device unaligned.
         */
        .min_access_size = 4,
        .max_access_size = 4,
        .unaligned = false,
    },
};
/*
 * Realize handler: create the device's MMIO region and expose it on the
 * system bus.
 *
 * The region is 0x1000 bytes and is served by imx_usbphy_ops. The read and
 * write handlers must not assume every offset in that window maps to an
 * entry of usbphy[].
 */
static void imx_usbphy_realize(DeviceState *dev, Error **errp)
{
    IMXUSBPHYState *phy = IMX_USBPHY(dev);

    memory_region_init_io(&phy->iomem, OBJECT(phy), &imx_usbphy_ops, phy,
                          "imx-usbphy", 0x1000);
    sysbus_init_mmio(SYS_BUS_DEVICE(phy), &phy->iomem);
}
/*
 * Class initializer: install the realize and reset handlers, the migration
 * description and the human-readable device description on the DeviceClass.
 */
static void imx_usbphy_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->desc = "i.MX USB PHY Module";
    device_class->realize = imx_usbphy_realize;
    device_class->reset = imx_usbphy_reset;
    device_class->vmsd = &vmstate_imx_usbphy;
}
/*
 * Type description for the PHY: a system-bus device whose instances are
 * IMXUSBPHYState objects, set up by imx_usbphy_class_init.
 */
static const TypeInfo imx_usbphy_info = {
    .name = TYPE_IMX_USBPHY,
    .parent = TYPE_SYS_BUS_DEVICE,
    .class_init = imx_usbphy_class_init,
    .instance_size = sizeof(IMXUSBPHYState),
};
/* Register the i.MX USB PHY type described by imx_usbphy_info. */
static void imx_usbphy_register_types(void)
{
    const TypeInfo *info = &imx_usbphy_info;

    type_register_static(info);
}
/* Hand the registration function above to QEMU's type_init() hook. */
type_init(imx_usbphy_register_types)