qemu-e2k/hw/display/omap_lcdc.c
AlexChen 0080edc45e hw/display/omap_lcdc: Fix potential NULL pointer dereference
In omap_lcd_interrupts(), the pointer omap_lcd is dereferinced before
being check if it is valid, which may lead to NULL pointer dereference.
So move the assignment to surface after checking that the omap_lcd is valid
and move surface_bits_per_pixel(surface) to after the surface assignment.

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: AlexChen <alex.chen@huawei.com>
Message-id: 5F9CDB8A.9000001@huawei.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-11-02 16:52:17 +00:00

388 lines
10 KiB
C

/*
* OMAP LCD controller.
*
* Copyright (C) 2006-2007 Andrzej Zaborowski <balrog@zabor.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "qemu/osdep.h"
#include "hw/irq.h"
#include "ui/console.h"
#include "hw/arm/omap.h"
#include "framebuffer.h"
#include "ui/pixel_ops.h"
struct omap_lcd_panel_s {
MemoryRegion *sysmem;
MemoryRegion iomem;
MemoryRegionSection fbsection;
qemu_irq irq;
QemuConsole *con;
int plm;
int tft;
int mono;
int enable;
int width;
int height;
int interrupts;
uint32_t timing[3];
uint32_t subpanel;
uint32_t ctrl;
struct omap_dma_lcd_channel_s *dma;
uint16_t palette[256];
int palette_done;
int frame_done;
int invalidate;
int sync_error;
};
static void omap_lcd_interrupts(struct omap_lcd_panel_s *s)
{
if (s->frame_done && (s->interrupts & 1)) {
qemu_irq_raise(s->irq);
return;
}
if (s->palette_done && (s->interrupts & 2)) {
qemu_irq_raise(s->irq);
return;
}
if (s->sync_error) {
qemu_irq_raise(s->irq);
return;
}
qemu_irq_lower(s->irq);
}
#define draw_line_func drawfn
#define DEPTH 32
#include "omap_lcd_template.h"
static void omap_update_display(void *opaque)
{
struct omap_lcd_panel_s *omap_lcd = (struct omap_lcd_panel_s *) opaque;
DisplaySurface *surface;
draw_line_func draw_line;
int size, height, first, last;
int width, linesize, step, bpp, frame_offset;
hwaddr frame_base;
if (!omap_lcd || omap_lcd->plm == 1 || !omap_lcd->enable) {
return;
}
surface = qemu_console_surface(omap_lcd->con);
if (!surface_bits_per_pixel(surface)) {
return;
}
frame_offset = 0;
if (omap_lcd->plm != 2) {
cpu_physical_memory_read(
omap_lcd->dma->phys_framebuffer[omap_lcd->dma->current_frame],
omap_lcd->palette, 0x200);
switch (omap_lcd->palette[0] >> 12 & 7) {
case 3 ... 7:
frame_offset += 0x200;
break;
default:
frame_offset += 0x20;
}
}
/* Colour depth */
switch ((omap_lcd->palette[0] >> 12) & 7) {
case 1:
draw_line = draw_line2_32;
bpp = 2;
break;
case 2:
draw_line = draw_line4_32;
bpp = 4;
break;
case 3:
draw_line = draw_line8_32;
bpp = 8;
break;
case 4 ... 7:
if (!omap_lcd->tft)
draw_line = draw_line12_32;
else
draw_line = draw_line16_32;
bpp = 16;
break;
default:
/* Unsupported at the moment. */
return;
}
/* Resolution */
width = omap_lcd->width;
if (width != surface_width(surface) ||
omap_lcd->height != surface_height(surface)) {
qemu_console_resize(omap_lcd->con,
omap_lcd->width, omap_lcd->height);
surface = qemu_console_surface(omap_lcd->con);
omap_lcd->invalidate = 1;
}
if (omap_lcd->dma->current_frame == 0)
size = omap_lcd->dma->src_f1_bottom - omap_lcd->dma->src_f1_top;
else
size = omap_lcd->dma->src_f2_bottom - omap_lcd->dma->src_f2_top;
if (frame_offset + ((width * omap_lcd->height * bpp) >> 3) > size + 2) {
omap_lcd->sync_error = 1;
omap_lcd_interrupts(omap_lcd);
omap_lcd->enable = 0;
return;
}
/* Content */
frame_base = omap_lcd->dma->phys_framebuffer[
omap_lcd->dma->current_frame] + frame_offset;
omap_lcd->dma->condition |= 1 << omap_lcd->dma->current_frame;
if (omap_lcd->dma->interrupts & 1)
qemu_irq_raise(omap_lcd->dma->irq);
if (omap_lcd->dma->dual)
omap_lcd->dma->current_frame ^= 1;
if (!surface_bits_per_pixel(surface)) {
return;
}
first = 0;
height = omap_lcd->height;
if (omap_lcd->subpanel & (1 << 31)) {
if (omap_lcd->subpanel & (1 << 29))
first = (omap_lcd->subpanel >> 16) & 0x3ff;
else
height = (omap_lcd->subpanel >> 16) & 0x3ff;
/* TODO: fill the rest of the panel with DPD */
}
step = width * bpp >> 3;
linesize = surface_stride(surface);
if (omap_lcd->invalidate) {
framebuffer_update_memory_section(&omap_lcd->fbsection,
omap_lcd->sysmem, frame_base,
height, step);
}
framebuffer_update_display(surface, &omap_lcd->fbsection,
width, height,
step, linesize, 0,
omap_lcd->invalidate,
draw_line, omap_lcd->palette,
&first, &last);
if (first >= 0) {
dpy_gfx_update(omap_lcd->con, 0, first, width, last - first + 1);
}
omap_lcd->invalidate = 0;
}
static void omap_invalidate_display(void *opaque) {
struct omap_lcd_panel_s *omap_lcd = opaque;
omap_lcd->invalidate = 1;
}
static void omap_lcd_update(struct omap_lcd_panel_s *s) {
if (!s->enable) {
s->dma->current_frame = -1;
s->sync_error = 0;
if (s->plm != 1)
s->frame_done = 1;
omap_lcd_interrupts(s);
return;
}
if (s->dma->current_frame == -1) {
s->frame_done = 0;
s->palette_done = 0;
s->dma->current_frame = 0;
}
if (!s->dma->mpu->port[s->dma->src].addr_valid(s->dma->mpu,
s->dma->src_f1_top) ||
!s->dma->mpu->port[
s->dma->src].addr_valid(s->dma->mpu,
s->dma->src_f1_bottom) ||
(s->dma->dual &&
(!s->dma->mpu->port[
s->dma->src].addr_valid(s->dma->mpu,
s->dma->src_f2_top) ||
!s->dma->mpu->port[
s->dma->src].addr_valid(s->dma->mpu,
s->dma->src_f2_bottom)))) {
s->dma->condition |= 1 << 2;
if (s->dma->interrupts & (1 << 1))
qemu_irq_raise(s->dma->irq);
s->enable = 0;
return;
}
s->dma->phys_framebuffer[0] = s->dma->src_f1_top;
s->dma->phys_framebuffer[1] = s->dma->src_f2_top;
if (s->plm != 2 && !s->palette_done) {
cpu_physical_memory_read(
s->dma->phys_framebuffer[s->dma->current_frame],
s->palette, 0x200);
s->palette_done = 1;
omap_lcd_interrupts(s);
}
}
static uint64_t omap_lcdc_read(void *opaque, hwaddr addr,
unsigned size)
{
struct omap_lcd_panel_s *s = (struct omap_lcd_panel_s *) opaque;
switch (addr) {
case 0x00: /* LCD_CONTROL */
return (s->tft << 23) | (s->plm << 20) |
(s->tft << 7) | (s->interrupts << 3) |
(s->mono << 1) | s->enable | s->ctrl | 0xfe000c34;
case 0x04: /* LCD_TIMING0 */
return (s->timing[0] << 10) | (s->width - 1) | 0x0000000f;
case 0x08: /* LCD_TIMING1 */
return (s->timing[1] << 10) | (s->height - 1);
case 0x0c: /* LCD_TIMING2 */
return s->timing[2] | 0xfc000000;
case 0x10: /* LCD_STATUS */
return (s->palette_done << 6) | (s->sync_error << 2) | s->frame_done;
case 0x14: /* LCD_SUBPANEL */
return s->subpanel;
default:
break;
}
OMAP_BAD_REG(addr);
return 0;
}
static void omap_lcdc_write(void *opaque, hwaddr addr,
uint64_t value, unsigned size)
{
struct omap_lcd_panel_s *s = (struct omap_lcd_panel_s *) opaque;
switch (addr) {
case 0x00: /* LCD_CONTROL */
s->plm = (value >> 20) & 3;
s->tft = (value >> 7) & 1;
s->interrupts = (value >> 3) & 3;
s->mono = (value >> 1) & 1;
s->ctrl = value & 0x01cff300;
if (s->enable != (value & 1)) {
s->enable = value & 1;
omap_lcd_update(s);
}
break;
case 0x04: /* LCD_TIMING0 */
s->timing[0] = value >> 10;
s->width = (value & 0x3ff) + 1;
break;
case 0x08: /* LCD_TIMING1 */
s->timing[1] = value >> 10;
s->height = (value & 0x3ff) + 1;
break;
case 0x0c: /* LCD_TIMING2 */
s->timing[2] = value;
break;
case 0x10: /* LCD_STATUS */
break;
case 0x14: /* LCD_SUBPANEL */
s->subpanel = value & 0xa1ffffff;
break;
default:
OMAP_BAD_REG(addr);
}
}
static const MemoryRegionOps omap_lcdc_ops = {
.read = omap_lcdc_read,
.write = omap_lcdc_write,
.endianness = DEVICE_NATIVE_ENDIAN,
};
void omap_lcdc_reset(struct omap_lcd_panel_s *s)
{
s->dma->current_frame = -1;
s->plm = 0;
s->tft = 0;
s->mono = 0;
s->enable = 0;
s->width = 0;
s->height = 0;
s->interrupts = 0;
s->timing[0] = 0;
s->timing[1] = 0;
s->timing[2] = 0;
s->subpanel = 0;
s->palette_done = 0;
s->frame_done = 0;
s->sync_error = 0;
s->invalidate = 1;
s->subpanel = 0;
s->ctrl = 0;
}
static const GraphicHwOps omap_ops = {
.invalidate = omap_invalidate_display,
.gfx_update = omap_update_display,
};
struct omap_lcd_panel_s *omap_lcdc_init(MemoryRegion *sysmem,
hwaddr base,
qemu_irq irq,
struct omap_dma_lcd_channel_s *dma,
omap_clk clk)
{
struct omap_lcd_panel_s *s = g_new0(struct omap_lcd_panel_s, 1);
s->irq = irq;
s->dma = dma;
s->sysmem = sysmem;
omap_lcdc_reset(s);
memory_region_init_io(&s->iomem, NULL, &omap_lcdc_ops, s, "omap.lcdc", 0x100);
memory_region_add_subregion(sysmem, base, &s->iomem);
s->con = graphic_console_init(NULL, 0, &omap_ops, s);
return s;
}