lsi: Fix value overflow in request tag processing
[qemu/mdroth.git] / hw / pckbd.c
blob381228479efcdc0fa4c46d838370175e722fa44b
1 /*
2 * QEMU PC keyboard emulation
4 * Copyright (c) 2003 Fabrice Bellard
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
24 #include "hw.h"
25 #include "isa.h"
26 #include "pc.h"
27 #include "ps2.h"
28 #include "sysemu.h"
30 /* debug PC keyboard */
31 //#define DEBUG_KBD
32 #ifdef DEBUG_KBD
33 #define DPRINTF(fmt, ...) \
34 do { printf("KBD: " fmt , ## __VA_ARGS__); } while (0)
35 #else
36 #define DPRINTF(fmt, ...)
37 #endif
39 /* Keyboard Controller Commands */
40 #define KBD_CCMD_READ_MODE 0x20 /* Read mode bits */
41 #define KBD_CCMD_WRITE_MODE 0x60 /* Write mode bits */
42 #define KBD_CCMD_GET_VERSION 0xA1 /* Get controller version */
43 #define KBD_CCMD_MOUSE_DISABLE 0xA7 /* Disable mouse interface */
44 #define KBD_CCMD_MOUSE_ENABLE 0xA8 /* Enable mouse interface */
45 #define KBD_CCMD_TEST_MOUSE 0xA9 /* Mouse interface test */
46 #define KBD_CCMD_SELF_TEST 0xAA /* Controller self test */
47 #define KBD_CCMD_KBD_TEST 0xAB /* Keyboard interface test */
48 #define KBD_CCMD_KBD_DISABLE 0xAD /* Keyboard interface disable */
49 #define KBD_CCMD_KBD_ENABLE 0xAE /* Keyboard interface enable */
50 #define KBD_CCMD_READ_INPORT 0xC0 /* read input port */
51 #define KBD_CCMD_READ_OUTPORT 0xD0 /* read output port */
52 #define KBD_CCMD_WRITE_OUTPORT 0xD1 /* write output port */
53 #define KBD_CCMD_WRITE_OBUF 0xD2
54 #define KBD_CCMD_WRITE_AUX_OBUF 0xD3 /* Write to output buffer as if
55 initiated by the auxiliary device */
56 #define KBD_CCMD_WRITE_MOUSE 0xD4 /* Write the following byte to the mouse */
57 #define KBD_CCMD_DISABLE_A20 0xDD /* HP vectra only ? */
58 #define KBD_CCMD_ENABLE_A20 0xDF /* HP vectra only ? */
59 #define KBD_CCMD_RESET 0xFE
61 /* Keyboard Commands */
62 #define KBD_CMD_SET_LEDS 0xED /* Set keyboard leds */
63 #define KBD_CMD_ECHO 0xEE
64 #define KBD_CMD_GET_ID 0xF2 /* get keyboard ID */
65 #define KBD_CMD_SET_RATE 0xF3 /* Set typematic rate */
66 #define KBD_CMD_ENABLE 0xF4 /* Enable scanning */
67 #define KBD_CMD_RESET_DISABLE 0xF5 /* reset and disable scanning */
68 #define KBD_CMD_RESET_ENABLE 0xF6 /* reset and enable scanning */
69 #define KBD_CMD_RESET 0xFF /* Reset */
71 /* Keyboard Replies */
72 #define KBD_REPLY_POR 0xAA /* Power on reset */
73 #define KBD_REPLY_ACK 0xFA /* Command ACK */
74 #define KBD_REPLY_RESEND 0xFE /* Command NACK, send the cmd again */
76 /* Status Register Bits */
77 #define KBD_STAT_OBF 0x01 /* Keyboard output buffer full */
78 #define KBD_STAT_IBF 0x02 /* Keyboard input buffer full */
79 #define KBD_STAT_SELFTEST 0x04 /* Self test successful */
80 #define KBD_STAT_CMD 0x08 /* Last write was a command write (0=data) */
81 #define KBD_STAT_UNLOCKED 0x10 /* Zero if keyboard locked */
82 #define KBD_STAT_MOUSE_OBF 0x20 /* Mouse output buffer full */
83 #define KBD_STAT_GTO 0x40 /* General receive/xmit timeout */
84 #define KBD_STAT_PERR 0x80 /* Parity error */
86 /* Controller Mode Register Bits */
87 #define KBD_MODE_KBD_INT 0x01 /* Keyboard data generate IRQ1 */
88 #define KBD_MODE_MOUSE_INT 0x02 /* Mouse data generate IRQ12 */
89 #define KBD_MODE_SYS 0x04 /* The system flag (?) */
90 #define KBD_MODE_NO_KEYLOCK 0x08 /* The keylock doesn't affect the keyboard if set */
91 #define KBD_MODE_DISABLE_KBD 0x10 /* Disable keyboard interface */
92 #define KBD_MODE_DISABLE_MOUSE 0x20 /* Disable mouse interface */
93 #define KBD_MODE_KCC 0x40 /* Scan code conversion to PC format */
94 #define KBD_MODE_RFU 0x80
96 /* Output Port Bits */
97 #define KBD_OUT_RESET 0x01 /* 1=normal mode, 0=reset */
98 #define KBD_OUT_A20 0x02 /* x86 only */
99 #define KBD_OUT_OBF 0x10 /* Keyboard output buffer full */
100 #define KBD_OUT_MOUSE_OBF 0x20 /* Mouse output buffer full */
102 /* Mouse Commands */
103 #define AUX_SET_SCALE11 0xE6 /* Set 1:1 scaling */
104 #define AUX_SET_SCALE21 0xE7 /* Set 2:1 scaling */
105 #define AUX_SET_RES 0xE8 /* Set resolution */
106 #define AUX_GET_SCALE 0xE9 /* Get scaling factor */
107 #define AUX_SET_STREAM 0xEA /* Set stream mode */
108 #define AUX_POLL 0xEB /* Poll */
109 #define AUX_RESET_WRAP 0xEC /* Reset wrap mode */
110 #define AUX_SET_WRAP 0xEE /* Set wrap mode */
111 #define AUX_SET_REMOTE 0xF0 /* Set remote mode */
112 #define AUX_GET_TYPE 0xF2 /* Get type */
113 #define AUX_SET_SAMPLE 0xF3 /* Set sample rate */
114 #define AUX_ENABLE_DEV 0xF4 /* Enable aux device */
115 #define AUX_DISABLE_DEV 0xF5 /* Disable aux device */
116 #define AUX_SET_DEFAULT 0xF6
117 #define AUX_RESET 0xFF /* Reset aux device */
118 #define AUX_ACK 0xFA /* Command byte ACK. */
120 #define MOUSE_STATUS_REMOTE 0x40
121 #define MOUSE_STATUS_ENABLED 0x20
122 #define MOUSE_STATUS_SCALE21 0x10
124 #define KBD_PENDING_KBD 1
125 #define KBD_PENDING_AUX 2
127 typedef struct KBDState {
128 uint8_t write_cmd; /* if non zero, write data to port 60 is expected */
129 uint8_t status;
130 uint8_t mode;
131 uint8_t outport;
132 /* Bitmask of devices with data available. */
133 uint8_t pending;
134 void *kbd;
135 void *mouse;
137 qemu_irq irq_kbd;
138 qemu_irq irq_mouse;
139 qemu_irq *a20_out;
140 target_phys_addr_t mask;
141 } KBDState;
143 /* update irq and KBD_STAT_[MOUSE_]OBF */
144 /* XXX: not generating the irqs if KBD_MODE_DISABLE_KBD is set may be
145 incorrect, but it avoids having to simulate exact delays */
146 static void kbd_update_irq(KBDState *s)
148 int irq_kbd_level, irq_mouse_level;
150 irq_kbd_level = 0;
151 irq_mouse_level = 0;
152 s->status &= ~(KBD_STAT_OBF | KBD_STAT_MOUSE_OBF);
153 s->outport &= ~(KBD_OUT_OBF | KBD_OUT_MOUSE_OBF);
154 if (s->pending) {
155 s->status |= KBD_STAT_OBF;
156 s->outport |= KBD_OUT_OBF;
157 /* kbd data takes priority over aux data. */
158 if (s->pending == KBD_PENDING_AUX) {
159 s->status |= KBD_STAT_MOUSE_OBF;
160 s->outport |= KBD_OUT_MOUSE_OBF;
161 if (s->mode & KBD_MODE_MOUSE_INT)
162 irq_mouse_level = 1;
163 } else {
164 if ((s->mode & KBD_MODE_KBD_INT) &&
165 !(s->mode & KBD_MODE_DISABLE_KBD))
166 irq_kbd_level = 1;
169 qemu_set_irq(s->irq_kbd, irq_kbd_level);
170 qemu_set_irq(s->irq_mouse, irq_mouse_level);
173 static void kbd_update_kbd_irq(void *opaque, int level)
175 KBDState *s = (KBDState *)opaque;
177 if (level)
178 s->pending |= KBD_PENDING_KBD;
179 else
180 s->pending &= ~KBD_PENDING_KBD;
181 kbd_update_irq(s);
184 static void kbd_update_aux_irq(void *opaque, int level)
186 KBDState *s = (KBDState *)opaque;
188 if (level)
189 s->pending |= KBD_PENDING_AUX;
190 else
191 s->pending &= ~KBD_PENDING_AUX;
192 kbd_update_irq(s);
195 static uint32_t kbd_read_status(void *opaque, uint32_t addr)
197 KBDState *s = opaque;
198 int val;
199 val = s->status;
200 DPRINTF("kbd: read status=0x%02x\n", val);
201 return val;
204 static void kbd_queue(KBDState *s, int b, int aux)
206 if (aux)
207 ps2_queue(s->mouse, b);
208 else
209 ps2_queue(s->kbd, b);
212 static void ioport92_write(void *opaque, uint32_t addr, uint32_t val)
214 KBDState *s = opaque;
216 DPRINTF("kbd: write outport=0x%02x\n", val);
217 s->outport = val;
218 if (s->a20_out) {
219 qemu_set_irq(*s->a20_out, (val >> 1) & 1);
221 if (!(val & 1)) {
222 qemu_system_reset_request();
226 static uint32_t ioport92_read(void *opaque, uint32_t addr)
228 KBDState *s = opaque;
229 uint32_t ret;
231 ret = s->outport;
232 DPRINTF("kbd: read outport=0x%02x\n", ret);
233 return ret;
236 static void kbd_write_command(void *opaque, uint32_t addr, uint32_t val)
238 KBDState *s = opaque;
240 DPRINTF("kbd: write cmd=0x%02x\n", val);
241 switch(val) {
242 case KBD_CCMD_READ_MODE:
243 kbd_queue(s, s->mode, 0);
244 break;
245 case KBD_CCMD_WRITE_MODE:
246 case KBD_CCMD_WRITE_OBUF:
247 case KBD_CCMD_WRITE_AUX_OBUF:
248 case KBD_CCMD_WRITE_MOUSE:
249 case KBD_CCMD_WRITE_OUTPORT:
250 s->write_cmd = val;
251 break;
252 case KBD_CCMD_MOUSE_DISABLE:
253 s->mode |= KBD_MODE_DISABLE_MOUSE;
254 break;
255 case KBD_CCMD_MOUSE_ENABLE:
256 s->mode &= ~KBD_MODE_DISABLE_MOUSE;
257 break;
258 case KBD_CCMD_TEST_MOUSE:
259 kbd_queue(s, 0x00, 0);
260 break;
261 case KBD_CCMD_SELF_TEST:
262 s->status |= KBD_STAT_SELFTEST;
263 kbd_queue(s, 0x55, 0);
264 break;
265 case KBD_CCMD_KBD_TEST:
266 kbd_queue(s, 0x00, 0);
267 break;
268 case KBD_CCMD_KBD_DISABLE:
269 s->mode |= KBD_MODE_DISABLE_KBD;
270 kbd_update_irq(s);
271 break;
272 case KBD_CCMD_KBD_ENABLE:
273 s->mode &= ~KBD_MODE_DISABLE_KBD;
274 kbd_update_irq(s);
275 break;
276 case KBD_CCMD_READ_INPORT:
277 kbd_queue(s, 0x00, 0);
278 break;
279 case KBD_CCMD_READ_OUTPORT:
280 kbd_queue(s, s->outport, 0);
281 break;
282 case KBD_CCMD_ENABLE_A20:
283 if (s->a20_out) {
284 qemu_irq_raise(*s->a20_out);
286 s->outport |= KBD_OUT_A20;
287 break;
288 case KBD_CCMD_DISABLE_A20:
289 if (s->a20_out) {
290 qemu_irq_lower(*s->a20_out);
292 s->outport &= ~KBD_OUT_A20;
293 break;
294 case KBD_CCMD_RESET:
295 qemu_system_reset_request();
296 break;
297 case 0xff:
298 /* ignore that - I don't know what is its use */
299 break;
300 default:
301 fprintf(stderr, "qemu: unsupported keyboard cmd=0x%02x\n", val);
302 break;
306 static uint32_t kbd_read_data(void *opaque, uint32_t addr)
308 KBDState *s = opaque;
309 uint32_t val;
311 if (s->pending == KBD_PENDING_AUX)
312 val = ps2_read_data(s->mouse);
313 else
314 val = ps2_read_data(s->kbd);
316 DPRINTF("kbd: read data=0x%02x\n", val);
317 return val;
320 static void kbd_write_data(void *opaque, uint32_t addr, uint32_t val)
322 KBDState *s = opaque;
324 DPRINTF("kbd: write data=0x%02x\n", val);
326 switch(s->write_cmd) {
327 case 0:
328 ps2_write_keyboard(s->kbd, val);
329 break;
330 case KBD_CCMD_WRITE_MODE:
331 s->mode = val;
332 ps2_keyboard_set_translation(s->kbd, (s->mode & KBD_MODE_KCC) != 0);
333 /* ??? */
334 kbd_update_irq(s);
335 break;
336 case KBD_CCMD_WRITE_OBUF:
337 kbd_queue(s, val, 0);
338 break;
339 case KBD_CCMD_WRITE_AUX_OBUF:
340 kbd_queue(s, val, 1);
341 break;
342 case KBD_CCMD_WRITE_OUTPORT:
343 ioport92_write(s, 0, val);
344 break;
345 case KBD_CCMD_WRITE_MOUSE:
346 ps2_write_mouse(s->mouse, val);
347 break;
348 default:
349 break;
351 s->write_cmd = 0;
354 static void kbd_reset(void *opaque)
356 KBDState *s = opaque;
358 s->mode = KBD_MODE_KBD_INT | KBD_MODE_MOUSE_INT;
359 s->status = KBD_STAT_CMD | KBD_STAT_UNLOCKED;
360 s->outport = KBD_OUT_RESET | KBD_OUT_A20;
363 static const VMStateDescription vmstate_kbd = {
364 .name = "pckbd",
365 .version_id = 3,
366 .minimum_version_id = 3,
367 .minimum_version_id_old = 3,
368 .fields = (VMStateField []) {
369 VMSTATE_UINT8(write_cmd, KBDState),
370 VMSTATE_UINT8(status, KBDState),
371 VMSTATE_UINT8(mode, KBDState),
372 VMSTATE_UINT8(pending, KBDState),
373 VMSTATE_END_OF_LIST()
377 /* Memory mapped interface */
378 static uint32_t kbd_mm_readb (void *opaque, target_phys_addr_t addr)
380 KBDState *s = opaque;
382 if (addr & s->mask)
383 return kbd_read_status(s, 0) & 0xff;
384 else
385 return kbd_read_data(s, 0) & 0xff;
388 static void kbd_mm_writeb (void *opaque, target_phys_addr_t addr, uint32_t value)
390 KBDState *s = opaque;
392 if (addr & s->mask)
393 kbd_write_command(s, 0, value & 0xff);
394 else
395 kbd_write_data(s, 0, value & 0xff);
398 static CPUReadMemoryFunc * const kbd_mm_read[] = {
399 &kbd_mm_readb,
400 &kbd_mm_readb,
401 &kbd_mm_readb,
404 static CPUWriteMemoryFunc * const kbd_mm_write[] = {
405 &kbd_mm_writeb,
406 &kbd_mm_writeb,
407 &kbd_mm_writeb,
410 void i8042_mm_init(qemu_irq kbd_irq, qemu_irq mouse_irq,
411 target_phys_addr_t base, ram_addr_t size,
412 target_phys_addr_t mask)
414 KBDState *s = qemu_mallocz(sizeof(KBDState));
415 int s_io_memory;
417 s->irq_kbd = kbd_irq;
418 s->irq_mouse = mouse_irq;
419 s->mask = mask;
421 vmstate_register(0, &vmstate_kbd, s);
422 s_io_memory = cpu_register_io_memory(kbd_mm_read, kbd_mm_write, s);
423 cpu_register_physical_memory(base, size, s_io_memory);
425 s->kbd = ps2_kbd_init(kbd_update_kbd_irq, s);
426 s->mouse = ps2_mouse_init(kbd_update_aux_irq, s);
427 qemu_register_reset(kbd_reset, s);
430 typedef struct ISAKBDState {
431 ISADevice dev;
432 KBDState kbd;
433 } ISAKBDState;
435 void i8042_isa_mouse_fake_event(void *opaque)
437 ISADevice *dev = opaque;
438 KBDState *s = &(DO_UPCAST(ISAKBDState, dev, dev)->kbd);
440 ps2_mouse_fake_event(s->mouse);
443 void i8042_setup_a20_line(ISADevice *dev, qemu_irq *a20_out)
445 KBDState *s = &(DO_UPCAST(ISAKBDState, dev, dev)->kbd);
447 s->a20_out = a20_out;
450 static const VMStateDescription vmstate_kbd_isa = {
451 .name = "pckbd",
452 .version_id = 3,
453 .minimum_version_id = 3,
454 .minimum_version_id_old = 3,
455 .fields = (VMStateField []) {
456 VMSTATE_STRUCT(kbd, ISAKBDState, 0, vmstate_kbd, KBDState),
457 VMSTATE_END_OF_LIST()
461 static int i8042_initfn(ISADevice *dev)
463 KBDState *s = &(DO_UPCAST(ISAKBDState, dev, dev)->kbd);
465 isa_init_irq(dev, &s->irq_kbd, 1);
466 isa_init_irq(dev, &s->irq_mouse, 12);
468 register_ioport_read(0x60, 1, 1, kbd_read_data, s);
469 register_ioport_write(0x60, 1, 1, kbd_write_data, s);
470 register_ioport_read(0x64, 1, 1, kbd_read_status, s);
471 register_ioport_write(0x64, 1, 1, kbd_write_command, s);
472 register_ioport_read(0x92, 1, 1, ioport92_read, s);
473 register_ioport_write(0x92, 1, 1, ioport92_write, s);
475 s->kbd = ps2_kbd_init(kbd_update_kbd_irq, s);
476 s->mouse = ps2_mouse_init(kbd_update_aux_irq, s);
477 qemu_register_reset(kbd_reset, s);
478 return 0;
481 static ISADeviceInfo i8042_info = {
482 .qdev.name = "i8042",
483 .qdev.size = sizeof(ISAKBDState),
484 .qdev.vmsd = &vmstate_kbd_isa,
485 .qdev.no_user = 1,
486 .init = i8042_initfn,
489 static void i8042_register(void)
491 isa_qdev_register(&i8042_info);
493 device_init(i8042_register)