/*
 * Raspberry Pi emulation (c) 2012 Gregory Estrade
 *
 * This file models the system mailboxes, which are used for
 * communication with low-bandwidth GPU peripherals. Refs:
 * https://github.com/raspberrypi/firmware/wiki/Mailboxes
 * https://github.com/raspberrypi/firmware/wiki/Accessing-mailboxes
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */
12
13 #include "qemu/osdep.h"
14 #include "qapi/error.h"
15 #include "hw/irq.h"
16 #include "hw/misc/bcm2835_mbox.h"
17 #include "migration/vmstate.h"
18 #include "qemu/log.h"
19 #include "qemu/module.h"
20 #include "trace.h"
21
/* Register offsets, compared against the low 8 bits of the MMIO offset */
#define MAIL0_PEEK   0x90
#define MAIL0_SENDER 0x94
#define MAIL1_STATUS 0xb8

/* Mailbox status register */
#define MAIL0_STATUS 0x98
#define ARM_MS_FULL       0x80000000
#define ARM_MS_EMPTY      0x40000000
/*
 * NOTE(review): this mask has bit 30 set, i.e. it overlaps ARM_MS_EMPTY.
 * It is not used in this file; confirm the intended value before using it.
 */
#define ARM_MS_LEVEL      0x400000FF /* Max. value depends on mailbox depth */

/* MAILBOX config/status register */
#define MAIL0_CONFIG 0x9c
/* ANY write to this register clears the error bits! */
#define ARM_MC_IHAVEDATAIRQEN    0x00000001 /* mbox irq enable: has data */
#define ARM_MC_IHAVESPACEIRQEN   0x00000002 /* mbox irq enable: has space */
#define ARM_MC_OPPISEMPTYIRQEN   0x00000004 /* mbox irq enable: Opp is empty */
#define ARM_MC_MAIL_CLEAR        0x00000008 /* mbox clear write 1, then 0 */
/* The pending bits mirror the three enable bits above, in the same order */
#define ARM_MC_IHAVEDATAIRQPEND  0x00000010 /* mbox irq pending: has data */
#define ARM_MC_IHAVESPACEIRQPEND 0x00000020 /* mbox irq pending: has space */
#define ARM_MC_OPPISEMPTYIRQPEND 0x00000040 /* mbox irq pending: Opp is empty */
/* Bit 7 is unused */
#define ARM_MC_ERRNOOWN   0x00000100 /* error : non-owner read from mailbox */
#define ARM_MC_ERROVERFLW 0x00000200 /* error : write to full mailbox */
#define ARM_MC_ERRUNDRFLW 0x00000400 /* error : read from empty mailbox */
46
/*
 * Re-derive the EMPTY/FULL flags of a mailbox's status word from its fill
 * count. All other status bits are preserved.
 */
static void mbox_update_status(BCM2835Mbox *mb)
{
    uint32_t flags = 0;

    if (mb->count == 0) {
        flags = ARM_MS_EMPTY;
    } else if (mb->count == MBOX_SIZE) {
        flags = ARM_MS_FULL;
    }

    mb->status = (mb->status & ~(ARM_MS_EMPTY | ARM_MS_FULL)) | flags;
}
56
/*
 * Return a mailbox to its empty state: every slot holds MBOX_INVALID_DATA,
 * the config word and fill count are zero, and the status flags are
 * recomputed to match.
 */
static void mbox_reset(BCM2835Mbox *mb)
{
    int slot;

    for (slot = 0; slot < MBOX_SIZE; slot++) {
        mb->reg[slot] = MBOX_INVALID_DATA;
    }
    mb->config = 0;
    mb->count = 0;

    mbox_update_status(mb);
}
68
/*
 * Remove and return the entry at position `index` of a mailbox.
 *
 * Entries behind `index` move down one slot, the vacated last slot is set
 * to MBOX_INVALID_DATA and the status flags are refreshed.
 *
 * The mailbox must be non-empty and `index` must be below the fill count;
 * both are asserted. The function does not check the fill count against
 * MBOX_SIZE itself, so callers must keep mb->count within the bounds of
 * mb->reg[].
 */
static uint32_t mbox_pull(BCM2835Mbox *mb, int index)
{
    uint32_t head;
    uint32_t tail;

    assert(mb->count > 0);
    assert(index < mb->count);

    head = mb->reg[index];

    /* Close the gap left by the removed entry */
    tail = mb->count - index - 1;
    memmove(&mb->reg[index], &mb->reg[index + 1], tail * sizeof(mb->reg[0]));

    mb->count--;
    mb->reg[mb->count] = MBOX_INVALID_DATA;

    mbox_update_status(mb);

    return head;
}
88
/*
 * Append `val` to a mailbox and refresh its status flags.
 *
 * The mailbox must not be full; this is asserted, so callers are expected
 * to test ARM_MS_FULL before calling.
 */
static void mbox_push(BCM2835Mbox *mb, uint32_t val)
{
    assert(mb->count < MBOX_SIZE);

    mb->reg[mb->count] = val;
    mb->count++;

    mbox_update_status(mb);
}
95
/*
 * Move pending child responses into the VC->ARM mailbox (mbox[0]) and
 * recompute the ARM interrupt line.
 *
 * For every channel whose `available` flag is set, a response word is
 * loaded from that channel's slot in the mbox address space and queued in
 * mbox[0], until mbox[0] reports FULL. Afterwards the "has data" pending
 * bit is set iff mbox[0] is non-empty, and the IRQ is raised only if the
 * matching enable bit is also set.
 */
static void bcm2835_mbox_update(BCM2835MboxState *s)
{
    uint32_t value;
    bool set;
    int n;

    /*
     * Guard flag: while it is set, bcm2835_mbox_set_irq() records the new
     * line level but does not call back into this function.
     */
    s->mbox_irq_disabled = true;

    /* Get pending responses and put them in the vc->arm mbox,
     * as long as it's not full
     */
    for (n = 0; n < MBOX_CHAN_COUNT; n++) {
        /*
         * NOTE(review): nothing in this loop clears available[n] directly.
         * It presumably relies on the load below making the child lower its
         * line through bcm2835_mbox_set_irq(); if a child leaves the line
         * high, the loop keeps reading until mbox[0] is full.
         */
        while (s->available[n] && !(s->mbox[0].status & ARM_MS_FULL)) {
            value = ldl_le_phys(&s->mbox_as, n << MBOX_AS_CHAN_SHIFT);
            /*
             * NOTE(review): this aborts QEMU when a child signals data but
             * returns MBOX_INVALID_DATA. It is a consistency check on the
             * child model; confirm it cannot be reached from guest-controlled
             * state.
             */
            assert(value != MBOX_INVALID_DATA); /* Pending interrupt but no data */
            mbox_push(&s->mbox[0], value);
        }
    }

    /* TODO (?): Try to push pending requests from the arm->vc mbox */

    /* Re-enable calls from the IRQ routine */
    s->mbox_irq_disabled = false;

    /* Update ARM IRQ status */
    set = false;
    s->mbox[0].config &= ~ARM_MC_IHAVEDATAIRQPEND;
    if (!(s->mbox[0].status & ARM_MS_EMPTY)) {
        /* Pending is latched whenever data is queued, enabled or not */
        s->mbox[0].config |= ARM_MC_IHAVEDATAIRQPEND;
        if (s->mbox[0].config & ARM_MC_IHAVEDATAIRQEN) {
            set = true;
        }
    }
    trace_bcm2835_mbox_irq(set);
    qemu_set_irq(s->arm_irq, set);
}
132
/*
 * GPIO input handler: a child device reports whether it has a response
 * pending on channel `irq`.
 *
 * The level is stored in available[irq]. This handler is registered in
 * bcm2835_mbox_init() with MBOX_CHAN_COUNT input lines; `irq` is not
 * range-checked here, so the index is assumed to stay below that count.
 */
static void bcm2835_mbox_set_irq(void *opaque, int irq, int level)
{
    BCM2835MboxState *s = opaque;

    s->available[irq] = level;

    /*
     * bcm2835_mbox_update() sets mbox_irq_disabled around its own loads
     * from the children; those loads can change the line level and land
     * here, and must not recurse into the update.
     */
    if (s->mbox_irq_disabled) {
        return;
    }

    bcm2835_mbox_update(s);
}
146
/*
 * MMIO read handler for the mailbox register block.
 *
 * Returns the register value for the decoded offset. Unsupported offsets
 * are logged as LOG_UNIMP and read as 0. After a supported read the
 * mailbox/IRQ state is refreshed through bcm2835_mbox_update().
 */
static uint64_t bcm2835_mbox_read(void *opaque, hwaddr offset, unsigned size)
{
    BCM2835MboxState *s = opaque;
    uint32_t res = 0;

    /*
     * Only the low 8 bits are decoded, so the registers alias throughout
     * the MMIO region that maps this handler.
     */
    offset &= 0xff;

    switch (offset) {
    case 0x80 ... 0x8c: /* MAIL0_READ */
        /*
         * The EMPTY test keeps a guest read of an empty mailbox away from
         * mbox_pull(), which asserts that the mailbox holds data.
         */
        if (s->mbox[0].status & ARM_MS_EMPTY) {
            res = MBOX_INVALID_DATA;
        } else {
            res = mbox_pull(&s->mbox[0], 0);
        }
        break;

    case MAIL0_PEEK:
        /*
         * Head of the queue without dequeuing; an empty mailbox has
         * MBOX_INVALID_DATA in this slot (see mbox_reset()/mbox_pull()).
         */
        res = s->mbox[0].reg[0];
        break;

    case MAIL0_SENDER:
        /* Not modelled: reads as 0 */
        break;

    case MAIL0_STATUS:
        res = s->mbox[0].status;
        break;

    case MAIL0_CONFIG:
        res = s->mbox[0].config;
        break;

    case MAIL1_STATUS:
        res = s->mbox[1].status;
        break;

    default:
        qemu_log_mask(LOG_UNIMP, "%s: Unsupported offset 0x%"HWADDR_PRIx"\n",
                      __func__, offset);
        trace_bcm2835_mbox_read(size, offset, res);
        /* No state changed, so the update below is skipped */
        return 0;
    }
    trace_bcm2835_mbox_read(size, offset, res);

    bcm2835_mbox_update(s);

    return res;
}
194
/*
 * MMIO write handler for the mailbox register block.
 *
 * `value` comes from the guest. Its low 4 bits select the target channel
 * on a MAIL1_WRITE and are range-checked against MBOX_CHAN_COUNT before
 * they are used to form an address in the mbox address space. Unsupported
 * offsets are logged as LOG_UNIMP and otherwise ignored.
 */
static void bcm2835_mbox_write(void *opaque, hwaddr offset,
                               uint64_t value, unsigned size)
{
    BCM2835MboxState *s = opaque;
    hwaddr childaddr;
    uint8_t ch;

    /* Only the low 8 bits of the offset are decoded */
    offset &= 0xff;

    trace_bcm2835_mbox_write(size, offset, value);
    switch (offset) {
    case MAIL0_SENDER:
        /* Not modelled: writes are ignored */
        break;

    case MAIL0_CONFIG:
        /*
         * Only the "has data" IRQ enable bit is guest-writable here; all
         * other bits of the written value are dropped.
         */
        s->mbox[0].config &= ~ARM_MC_IHAVEDATAIRQEN;
        s->mbox[0].config |= value & ARM_MC_IHAVEDATAIRQEN;
        break;

    case 0xa0 ... 0xac: /* MAIL1_WRITE */
        /*
         * The FULL test keeps a guest write away from mbox_push(), which
         * asserts that the mailbox has room.
         */
        if (s->mbox[1].status & ARM_MS_FULL) {
            /* Mailbox full */
            qemu_log_mask(LOG_GUEST_ERROR, "%s: mailbox full\n", __func__);
        } else {
            ch = value & 0xf;
            if (ch < MBOX_CHAN_COUNT) {
                childaddr = ch << MBOX_AS_CHAN_SHIFT;
                if (ldl_le_phys(&s->mbox_as, childaddr + MBOX_AS_PENDING)) {
                    /* Child busy, push delayed. Push it in the arm->vc mbox */
                    /*
                     * NOTE(review): nothing in this file pulls from mbox[1]
                     * (see the TODO in bcm2835_mbox_update()), so queued
                     * requests stay there and later writes hit the FULL
                     * branch once MBOX_SIZE entries have accumulated.
                     */
                    mbox_push(&s->mbox[1], value);
                } else {
                    /* Push it directly to the child device */
                    stl_le_phys(&s->mbox_as, childaddr, value);
                }
            } else {
                /* Invalid channel number */
                qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid channel %u\n",
                              __func__, ch);
            }
        }
        break;

    default:
        qemu_log_mask(LOG_UNIMP, "%s: Unsupported offset 0x%"HWADDR_PRIx
                      " value 0x%"PRIx64"\n",
                      __func__, offset, value);
        /* No state changed, so the update below is skipped */
        return;
    }

    bcm2835_mbox_update(s);
}
246
/*
 * MMIO callbacks for the mailbox register block. Only 4-byte accesses are
 * declared valid.
 */
static const MemoryRegionOps bcm2835_mbox_ops = {
    .read = bcm2835_mbox_read,
    .write = bcm2835_mbox_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
    .valid = {
        .min_access_size = 4,
        .max_access_size = 4,
    },
};
254
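/*
 * Validate one mailbox after it has been loaded from a migration stream.
 *
 * `count` is used by mbox_push() as an index into reg[] and by mbox_pull()
 * as the bound of its shift loop over reg[], which has MBOX_SIZE entries.
 * A value above MBOX_SIZE would therefore lead to accesses outside the
 * array, so such a stream is rejected. The EMPTY/FULL status bits are then
 * re-derived from count, because the MMIO handlers test them to decide
 * whether mbox_pull()/mbox_push() may be called.
 *
 * Returns 0 on success, -EINVAL if the loaded count is out of range.
 */
static int bcm2835_mbox_box_post_load(void *opaque, int version_id)
{
    BCM2835Mbox *mb = opaque;

    if (mb->count > MBOX_SIZE) {
        return -EINVAL;
    }
    mbox_update_status(mb);

    return 0;
}

/* vmstate of a single mailbox */
static const VMStateDescription vmstate_bcm2835_mbox_box = {
    .name = TYPE_BCM2835_MBOX "_box",
    .version_id = 1,
    .minimum_version_id = 1,
    .post_load = bcm2835_mbox_box_post_load,
    .fields = (const VMStateField[]) {
        VMSTATE_UINT32_ARRAY(reg, BCM2835Mbox, MBOX_SIZE),
        VMSTATE_UINT32(count, BCM2835Mbox),
        VMSTATE_UINT32(status, BCM2835Mbox),
        VMSTATE_UINT32(config, BCM2835Mbox),
        VMSTATE_END_OF_LIST()
    }
};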
268
/* vmstate of the entire device */
/*
 * Migrates the per-channel `available` flags and both mailboxes, each
 * through vmstate_bcm2835_mbox_box. mbox_irq_disabled is not part of the
 * stream; it is only set for the duration of bcm2835_mbox_update().
 */
static const VMStateDescription vmstate_bcm2835_mbox = {
    .name = TYPE_BCM2835_MBOX,
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (const VMStateField[]) {
        VMSTATE_BOOL_ARRAY(available, BCM2835MboxState, MBOX_CHAN_COUNT),
        VMSTATE_STRUCT_ARRAY(mbox, BCM2835MboxState, 2, 1,
                             vmstate_bcm2835_mbox_box, BCM2835Mbox),
        VMSTATE_END_OF_LIST()
    }
};
281
/*
 * Instance init: create the 0x400-byte MMIO region backed by
 * bcm2835_mbox_ops, export it and the ARM IRQ on the system bus, and
 * register MBOX_CHAN_COUNT GPIO inputs handled by bcm2835_mbox_set_irq().
 */
static void bcm2835_mbox_init(Object *obj)
{
    BCM2835MboxState *s = BCM2835_MBOX(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(s);

    memory_region_init_io(&s->iomem, obj, &bcm2835_mbox_ops, s,
                          TYPE_BCM2835_MBOX, 0x400);
    sysbus_init_mmio(sbd, &s->iomem);
    sysbus_init_irq(sbd, &s->arm_irq);

    qdev_init_gpio_in(DEVICE(s), bcm2835_mbox_set_irq, MBOX_CHAN_COUNT);
}
292
/*
 * Device reset: empty both mailboxes, clear the re-entrancy guard and mark
 * every channel as having no response pending.
 */
static void bcm2835_mbox_reset(DeviceState *dev)
{
    BCM2835MboxState *s = BCM2835_MBOX(dev);
    int box;
    int chan;

    for (box = 0; box < 2; box++) {
        mbox_reset(&s->mbox[box]);
    }

    s->mbox_irq_disabled = false;

    for (chan = 0; chan < MBOX_CHAN_COUNT; chan++) {
        s->available[chan] = false;
    }
}
305
/*
 * Realize: resolve the "mbox-mr" link property to the memory region that
 * holds the child channels, build the address space used to reach them,
 * and put the device into its reset state.
 *
 * NOTE(review): the link lookup uses error_abort and `errp` is never
 * written, so a lookup failure terminates QEMU instead of being reported
 * to the caller. The looked-up object is also used without a NULL check;
 * confirm the board code always sets the link before realize.
 */
static void bcm2835_mbox_realize(DeviceState *dev, Error **errp)
{
    BCM2835MboxState *s = BCM2835_MBOX(dev);
    Object *link;

    link = object_property_get_link(OBJECT(dev), "mbox-mr", &error_abort);
    s->mbox_mr = MEMORY_REGION(link);

    address_space_init(&s->mbox_as, s->mbox_mr, TYPE_BCM2835_MBOX "-memory");

    bcm2835_mbox_reset(dev);
}
316
/*
 * Class init: hook up the migration description, the realize callback and
 * the legacy reset handler for the mailbox device class.
 */
static void bcm2835_mbox_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);

    dc->vmsd = &vmstate_bcm2835_mbox;
    dc->realize = bcm2835_mbox_realize;
    device_class_set_legacy_reset(dc, bcm2835_mbox_reset);
}
325
/* QOM type description: a system bus device with BCM2835MboxState state */
static const TypeInfo bcm2835_mbox_info = {
    .name          = TYPE_BCM2835_MBOX,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(BCM2835MboxState),
    .instance_init = bcm2835_mbox_init,
    .class_init    = bcm2835_mbox_class_init,
};

/* Register the mailbox type with QOM */
static void bcm2835_mbox_register_types(void)
{
    type_register_static(&bcm2835_mbox_info);
}

type_init(bcm2835_mbox_register_types)
340