pcihp: fix possible array out of bounds
1 /*
2 * QEMU<->ACPI BIOS PCI hotplug interface
3 *
4 * QEMU supports PCI hotplug via ACPI. This module
5 * implements the interface between QEMU and the ACPI BIOS.
6 * Interface specification - see docs/specs/acpi_pci_hotplug.txt
7 *
8 * Copyright (c) 2013, Red Hat Inc, Michael S. Tsirkin (mst@redhat.com)
9 * Copyright (c) 2006 Fabrice Bellard
10 *
11 * This library is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU Lesser General Public
13 * License version 2 as published by the Free Software Foundation.
14 *
15 * This library is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
19 *
20 * You should have received a copy of the GNU Lesser General Public
21 * License along with this library; if not, see <http://www.gnu.org/licenses/>
22 *
23 * Contributions after 2012-01-13 are licensed under the terms of the
24 * GNU GPL, version 2 or (at your option) any later version.
25 */
26
27 #include "hw/acpi/pcihp.h"
28
29 #include "hw/hw.h"
30 #include "hw/i386/pc.h"
31 #include "hw/pci/pci.h"
32 #include "hw/acpi/acpi.h"
33 #include "sysemu/sysemu.h"
34 #include "qemu/range.h"
35 #include "exec/ioport.h"
36 #include "exec/address-spaces.h"
37 #include "hw/pci/pci_bus.h"
38 #include "qom/qom-qobject.h"
39 #include "qapi/qmp/qint.h"
40
/* Uncomment the next line to make ACPI_PCIHP_DPRINTF() print via printf(). */
/* #define DEBUG */

#ifdef DEBUG
# define ACPI_PCIHP_DPRINTF(format, ...) printf(format, ## __VA_ARGS__)
#else
/* Compiled out: the arguments are discarded and never evaluated. */
# define ACPI_PCIHP_DPRINTF(format, ...) do { } while (0)
#endif

/* Bit OR-ed into ar->gpe.sts[0] by the plug/unplug callbacks below. */
#define ACPI_PCI_HOTPLUG_STATUS 2

/* Offset inside address_space_io at which the hotplug region is mapped. */
#define ACPI_PCIHP_ADDR 0xae00
/* Region size with bridge hotplug enabled, and in legacy PIIX mode. */
#define ACPI_PCIHP_SIZE 0x0014
#define ACPI_PCIHP_LEGACY_SIZE 0x000f

/*
 * Register offsets inside the region, as matched by pci_read()/pci_write().
 * PCI_SEL_BASE (0x10) lies beyond ACPI_PCIHP_LEGACY_SIZE, i.e. outside the
 * region that is registered in legacy mode.
 */
#define PCI_UP_BASE 0x0000
#define PCI_DOWN_BASE 0x0004
#define PCI_EJ_BASE 0x0008
#define PCI_RMV_BASE 0x000c
#define PCI_SEL_BASE 0x0010
58
/*
 * Search context handed to pci_for_each_bus() through its opaque pointer
 * by acpi_pcihp_find_hotplug_bus().
 */
typedef struct AcpiPciHpFind {
    int bsel;       /* in: bus-select value being looked for */
    PCIBus *bus;    /* out: matching bus, left NULL when none matches */
} AcpiPciHpFind;
63
/*
 * Read the ACPI_PCIHP_PROP_BSEL property of @bus.
 *
 * Returns the value when the property lookup succeeds and the value lies in
 * [0, ACPI_PCIHP_MAX_HOTPLUG_BUS); returns -1 otherwise.  The plug/unplug
 * callbacks use the result as an index into s->acpi_pcihp_pci_status[], so
 * this range check is what keeps those accesses in bounds.
 */
static int acpi_pcihp_get_bsel(PCIBus *bus)
{
    Error *err = NULL;
    int64_t value = object_property_get_int(OBJECT(bus), ACPI_PCIHP_PROP_BSEL,
                                            &err);

    if (err) {
        /* Lookup failed: release the error object and report "no bsel". */
        error_free(err);
        return -1;
    }
    if (value < 0 || value >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
        /* Property present but unusable as an array index. */
        return -1;
    }
    return value;
}
79
/*
 * pci_for_each_bus() callback: record @bus in the AcpiPciHpFind passed as
 * @opaque when the bus's bsel equals the one being searched for.
 */
static void acpi_pcihp_test_hotplug_bus(PCIBus *bus, void *opaque)
{
    AcpiPciHpFind *query = opaque;

    if (acpi_pcihp_get_bsel(bus) != query->bsel) {
        return;
    }
    query->bus = bus;
}
87
/*
 * Find the bus below s->root whose bsel property equals @bsel.
 *
 * Returns NULL for a negative @bsel or when no bus matches, except that
 * bsel 0 falls back to the root bus.
 */
static PCIBus *acpi_pcihp_find_hotplug_bus(AcpiPciHpState *s, int bsel)
{
    AcpiPciHpFind query = { .bsel = bsel, .bus = NULL };

    /*
     * acpi_pcihp_get_bsel() reports failure as -1; rejecting negatives here
     * keeps a bus without a usable bsel from matching such a request.
     */
    if (bsel < 0) {
        return NULL;
    }

    pci_for_each_bus(s->root, acpi_pcihp_test_hotplug_bus, &query);

    if (query.bus) {
        return query.bus;
    }

    /* Make bsel 0 eject root bus if bsel property is not set,
     * for compatibility with non acpi setups.
     * TODO: really needed?
     */
    return bsel == 0 ? s->root : NULL;
}
107
/*
 * Tell whether @dev must be excluded from ACPI hot-unplug.
 *
 * True when the device class is not hotpluggable, or when the device is a
 * bridge that was not itself added by hotplug.  @s is unused.
 */
static bool acpi_pcihp_pc_no_hotplug(AcpiPciHpState *s, PCIDevice *dev)
{
    PCIDeviceClass *pc = PCI_DEVICE_GET_CLASS(dev);
    DeviceClass *dc = DEVICE_GET_CLASS(dev);

    if (!dc->hotpluggable) {
        return true;
    }

    /*
     * ACPI doesn't allow hotplug of bridge devices.  Don't allow
     * hot-unplug of bridge devices unless they were added by hotplug
     * (and so, not described by acpi).
     */
    return pc->is_bridge && !dev->qdev.hotplugged;
}
119
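/*
 * Eject the devices in one slot of the bus selected by @bsel.
 *
 * @slots is a bit mask; only its lowest set bit is handled per call.  The
 * pending up/down bits for that slot are cleared, then every child of the
 * bus sitting in that slot is unparented unless acpi_pcihp_pc_no_hotplug()
 * forbids it.
 *
 * @bsel indexes s->acpi_pcihp_pci_status[] and is not range-checked here:
 * both callers in this file bound it by ACPI_PCIHP_MAX_HOTPLUG_BUS first.
 */
static void acpi_pcihp_eject_slot(AcpiPciHpState *s, unsigned bsel, unsigned slots)
{
    BusChild *kid, *next;
    int slot = ffs(slots) - 1;
    PCIBus *bus = acpi_pcihp_find_hotplug_bus(s, bsel);

    /*
     * pci_write() passes the guest's PCI_EJ_BASE value straight through as
     * @slots.  A value of 0 makes ffs() return 0 and slot -1, and shifting
     * by a negative count below is undefined behaviour, so an empty mask is
     * treated as "nothing to eject".
     */
    if (!bus || slot < 0) {
        return;
    }

    /* Mark request as complete */
    s->acpi_pcihp_pci_status[bsel].down &= ~(1U << slot);
    s->acpi_pcihp_pci_status[bsel].up &= ~(1U << slot);

    /* _SAFE variant: object_unparent() may drop the child being visited. */
    QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) {
        DeviceState *qdev = kid->child;
        PCIDevice *dev = PCI_DEVICE(qdev);
        if (PCI_SLOT(dev->devfn) == slot) {
            if (!acpi_pcihp_pc_no_hotplug(s, dev)) {
                object_unparent(OBJECT(qdev));
            }
        }
    }
}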
144
/*
 * Bring the hotplug state of bus-select @bsel up to date: carry out pending
 * ejects, then rebuild the hotplug_enable mask from the devices on the bus.
 *
 * @bsel indexes s->acpi_pcihp_pci_status[] without a check; the only caller
 * in this file iterates 0 .. ACPI_PCIHP_MAX_HOTPLUG_BUS - 1.
 */
static void acpi_pcihp_update_hotplug_bus(AcpiPciHpState *s, int bsel)
{
    BusChild *child, *tmp;
    PCIBus *bus = acpi_pcihp_find_hotplug_bus(s, bsel);

    /*
     * Execute any pending removes during reset.
     * NOTE(review): acpi_pcihp_eject_slot() returns before clearing a bit
     * when no bus is found for bsel, so this loop only terminates if 'down'
     * is already zero in that case - confirm that holds for state restored
     * through vmstate_acpi_pcihp_pci_status.
     */
    while (s->acpi_pcihp_pci_status[bsel].down) {
        acpi_pcihp_eject_slot(s, bsel, s->acpi_pcihp_pci_status[bsel].down);
    }

    /* Start with every slot enabled, then mask out the exceptions. */
    s->acpi_pcihp_pci_status[bsel].hotplug_enable = ~0;

    if (!bus) {
        return;
    }

    QTAILQ_FOREACH_SAFE(child, &bus->qbus.children, sibling, tmp) {
        PCIDevice *dev = PCI_DEVICE(child->child);

        if (!acpi_pcihp_pc_no_hotplug(s, dev)) {
            continue;
        }
        s->acpi_pcihp_pci_status[bsel].hotplug_enable &=
            ~(1U << PCI_SLOT(dev->devfn));
    }
}
170
/* Refresh the hotplug state of every bus-select index in turn. */
static void acpi_pcihp_update(AcpiPciHpState *s)
{
    int bsel = 0;

    /* The bound matches the range acpi_pcihp_get_bsel() accepts. */
    while (bsel < ACPI_PCIHP_MAX_HOTPLUG_BUS) {
        acpi_pcihp_update_hotplug_bus(s, bsel);
        ++bsel;
    }
}
179
/*
 * Reset entry point: runs acpi_pcihp_update(), which executes pending
 * ejects and recomputes the per-bus hotplug_enable masks.
 */
void acpi_pcihp_reset(AcpiPciHpState *s)
{
    acpi_pcihp_update(s);
}
184
/*
 * Plug callback: flag the slot of @dev in the 'up' mask of its bus and
 * raise the ACPI hotplug GPE.
 *
 * Sets @errp and returns when acpi_pcihp_get_bsel() yields no usable bsel
 * for the device's bus.  That also covers an out-of-range bsel, although
 * the message only mentions a missing property.
 */
void acpi_pcihp_device_plug_cb(ACPIREGS *ar, qemu_irq irq, AcpiPciHpState *s,
                               DeviceState *dev, Error **errp)
{
    PCIDevice *pci_dev = PCI_DEVICE(dev);
    int bsel = acpi_pcihp_get_bsel(pci_dev->bus);

    if (bsel < 0) {
        error_setg(errp, "Unsupported bus. Bus doesn't have property '"
                   ACPI_PCIHP_PROP_BSEL "' set");
        return;
    }

    /* Don't send event when device is enabled during qemu machine creation:
     * it is present on boot, no hotplug event is necessary. We do send an
     * event when the device is disabled later. */
    if (dev->hotplugged) {
        /* bsel was range-checked by acpi_pcihp_get_bsel() above. */
        s->acpi_pcihp_pci_status[bsel].up |= 1U << PCI_SLOT(pci_dev->devfn);

        ar->gpe.sts[0] |= ACPI_PCI_HOTPLUG_STATUS;
        acpi_update_sci(ar, irq);
    }
}
209
/*
 * Unplug callback: flag the slot of @dev in the 'down' mask of its bus and
 * raise the ACPI hotplug GPE.  The device itself is removed later, by
 * acpi_pcihp_eject_slot().
 *
 * Sets @errp and returns when acpi_pcihp_get_bsel() yields no usable bsel
 * for the device's bus.
 */
void acpi_pcihp_device_unplug_cb(ACPIREGS *ar, qemu_irq irq, AcpiPciHpState *s,
                                 DeviceState *dev, Error **errp)
{
    PCIDevice *pci_dev = PCI_DEVICE(dev);
    int bsel = acpi_pcihp_get_bsel(pci_dev->bus);

    if (bsel < 0) {
        error_setg(errp, "Unsupported bus. Bus doesn't have property '"
                   ACPI_PCIHP_PROP_BSEL "' set");
        return;
    }

    /* bsel was range-checked by acpi_pcihp_get_bsel() above. */
    s->acpi_pcihp_pci_status[bsel].down |= 1U << PCI_SLOT(pci_dev->devfn);

    ar->gpe.sts[0] |= ACPI_PCI_HOTPLUG_STATUS;
    acpi_update_sci(ar, irq);
}
227
/*
 * Read handler for the hotplug I/O region.
 *
 * Registers are read for the bus currently chosen through s->hotplug_select.
 * That value is stored unvalidated by pci_write(), so it is bounds-checked
 * here before it indexes s->acpi_pcihp_pci_status[]; an out-of-range
 * selection makes every register, PCI_SEL_BASE included, read as 0.
 */
static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
{
    AcpiPciHpState *s = opaque;
    uint32_t result = 0;
    int bsel = s->hotplug_select;

    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
        return 0;
    }

    switch (addr) {
    case PCI_UP_BASE:
        result = s->acpi_pcihp_pci_status[bsel].up;
        /* Outside legacy PIIX mode the 'up' mask is cleared by this read. */
        if (!s->legacy_piix) {
            s->acpi_pcihp_pci_status[bsel].up = 0;
        }
        ACPI_PCIHP_DPRINTF("pci_up_read %" PRIu32 "\n", result);
        break;
    case PCI_DOWN_BASE:
        result = s->acpi_pcihp_pci_status[bsel].down;
        ACPI_PCIHP_DPRINTF("pci_down_read %" PRIu32 "\n", result);
        break;
    case PCI_EJ_BASE:
        /* No feature defined yet */
        ACPI_PCIHP_DPRINTF("pci_features_read %" PRIu32 "\n", result);
        break;
    case PCI_RMV_BASE:
        result = s->acpi_pcihp_pci_status[bsel].hotplug_enable;
        ACPI_PCIHP_DPRINTF("pci_rmv_read %" PRIu32 "\n", result);
        break;
    case PCI_SEL_BASE:
        result = s->hotplug_select;
        ACPI_PCIHP_DPRINTF("pci_sel_read %" PRIu32 "\n", result);
        break;
    default:
        /* Any other offset reads as 0. */
        break;
    }

    return result;
}
267
/*
 * Write handler for the hotplug I/O region.
 *
 * PCI_SEL_BASE stores the written value in s->hotplug_select with no
 * validation; it is checked where it is used.  PCI_EJ_BASE ejects the slot
 * named by @data on the selected bus and is ignored while the selection is
 * out of range.  Writes to any other offset are dropped.
 */
static void pci_write(void *opaque, hwaddr addr, uint64_t data,
                      unsigned int size)
{
    AcpiPciHpState *s = opaque;

    if (addr == PCI_EJ_BASE) {
        /* Guard the array index used inside acpi_pcihp_eject_slot(). */
        if (s->hotplug_select >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
            return;
        }
        acpi_pcihp_eject_slot(s, s->hotplug_select, data);
        ACPI_PCIHP_DPRINTF("pciej write %" HWADDR_PRIx " <== %" PRIu64 "\n",
                           addr, data);
    } else if (addr == PCI_SEL_BASE) {
        s->hotplug_select = data;
        ACPI_PCIHP_DPRINTF("pcisel write %" HWADDR_PRIx " <== %" PRIu64 "\n",
                           addr, data);
    }
}
289
/*
 * Access callbacks for the hotplug I/O region.  Only 4-byte accesses are
 * declared valid, matching the 32-bit registers that pci_read()/pci_write()
 * decode by offset.
 */
static const MemoryRegionOps acpi_pcihp_io_ops = {
    .read = pci_read,
    .write = pci_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
    .valid = {
        .min_access_size = 4,
        .max_access_size = 4,
    },
};
299
/*
 * Set up the hotplug state @s for @root_bus and map its I/O region into
 * @address_space_io at ACPI_PCIHP_ADDR.
 *
 * With @bridges_enabled false the device runs in legacy PIIX mode: the
 * region is ACPI_PCIHP_LEGACY_SIZE bytes and the root bus is given a bsel
 * property of ACPI_PCIHP_BSEL_DEFAULT.
 */
void acpi_pcihp_init(AcpiPciHpState *s, PCIBus *root_bus,
                     MemoryRegion *address_space_io, bool bridges_enabled)
{
    uint16_t region_size;

    s->root = root_bus;
    s->legacy_piix = !bridges_enabled;

    if (!s->legacy_piix) {
        region_size = ACPI_PCIHP_SIZE;
    } else {
        /*
         * The property keeps a pointer to this allocation, so it is not
         * freed here; presumably it lives as long as the property - confirm.
         */
        unsigned *root_bsel = g_malloc(sizeof *root_bsel);

        region_size = ACPI_PCIHP_LEGACY_SIZE;

        *root_bsel = ACPI_PCIHP_BSEL_DEFAULT;
        object_property_add_uint32_ptr(OBJECT(root_bus), ACPI_PCIHP_PROP_BSEL,
                                       root_bsel, NULL);
    }

    memory_region_init_io(&s->io, NULL, &acpi_pcihp_io_ops, s,
                          "acpi-pci-hotplug", region_size);
    memory_region_add_subregion(address_space_io, ACPI_PCIHP_ADDR, &s->io);
}
322
/*
 * Migration description of one AcpiPciHpPciStatus entry.  Only the 'up' and
 * 'down' masks are listed; hotplug_enable is not part of the stream.
 * NOTE(review): values loaded through this description come from the
 * migration source - confirm consumers tolerate arbitrary masks.
 */
const VMStateDescription vmstate_acpi_pcihp_pci_status = {
    .name = "acpi_pcihp_pci_status",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(up, AcpiPciHpPciStatus),
        VMSTATE_UINT32(down, AcpiPciHpPciStatus),
        VMSTATE_END_OF_LIST()
    }
};