cachepc-qemu

Fork of AMDESE/qemu with changes for cachepc side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-qemu
Log | Files | Refs | Submodules | LICENSE | sfeed.txt

eepro100.c (70485B)


      1/*
      2 * QEMU i8255x (PRO100) emulation
      3 *
      4 * Copyright (C) 2006-2011 Stefan Weil
      5 *
      6 * Portions of the code are copies from grub / etherboot eepro100.c
      7 * and linux e100.c.
      8 *
      9 * This program is free software: you can redistribute it and/or modify
     10 * it under the terms of the GNU General Public License as published by
     11 * the Free Software Foundation, either version 2 of the License, or
     12 * (at your option) version 3 or any later version.
     13 *
     14 * This program is distributed in the hope that it will be useful,
     15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
     16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     17 * GNU General Public License for more details.
     18 *
     19 * You should have received a copy of the GNU General Public License
     20 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
     21 *
     22 * Tested features (i82559):
     23 *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
     24 *      Linux networking (i386) ok
     25 *
     26 * Untested:
     27 *      Windows networking
     28 *
     29 * References:
     30 *
     31 * Intel 8255x 10/100 Mbps Ethernet Controller Family
     32 * Open Source Software Developer Manual
     33 *
     34 * TODO:
     35 *      * PHY emulation should be separated from nic emulation.
     36 *        Most nic emulations could share the same phy code.
     37 *      * i82550 is untested. It is programmed like the i82559.
     38 *      * i82562 is untested. It is programmed like the i82559.
     39 *      * Power management (i82558 and later) is not implemented.
     40 *      * Wake-on-LAN is not implemented.
     41 */
     42
     43#include "qemu/osdep.h"
     44#include "qemu/units.h"
     45#include "hw/pci/pci.h"
     46#include "hw/qdev-properties.h"
     47#include "migration/vmstate.h"
     48#include "net/net.h"
     49#include "net/eth.h"
     50#include "hw/nvram/eeprom93xx.h"
     51#include "sysemu/sysemu.h"
     52#include "sysemu/dma.h"
     53#include "sysemu/reset.h"
     54#include "qemu/bitops.h"
     55#include "qemu/module.h"
     56#include "qapi/error.h"
     57
     58/* QEMU sends frames smaller than 60 bytes to ethernet nics.
     59 * Such frames are rejected by real nics and their emulations.
     60 * To avoid this behaviour, other nic emulations pad received
     61 * frames. The following definition enables this padding for
     62 * eepro100, too. We keep the define around in case it might
     63 * become useful the future if the core networking is ever
     64 * changed to pad short packets itself. */
     65#define CONFIG_PAD_RECEIVED_FRAMES
     66
     67/* Debug EEPRO100 card. */
     68#if 0
     69# define DEBUG_EEPRO100
     70#endif
     71
     72#ifdef DEBUG_EEPRO100
     73#define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
     74#else
     75#define logout(fmt, ...) ((void)0)
     76#endif
     77
     78/* Set flags to 0 to disable debug output. */
     79#define INT     1       /* interrupt related actions */
     80#define MDI     1       /* mdi related actions */
     81#define OTHER   1
     82#define RXTX    1
     83#define EEPROM  1       /* eeprom related actions */
     84
     85#define TRACE(flag, command) ((flag) ? (command) : (void)0)
     86
     87#define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
     88
     89#define MAX_ETH_FRAME_SIZE 1514
     90
     91/* This driver supports several different devices which are declared here. */
     92#define i82550          0x82550
     93#define i82551          0x82551
     94#define i82557A         0x82557a
     95#define i82557B         0x82557b
     96#define i82557C         0x82557c
     97#define i82558A         0x82558a
     98#define i82558B         0x82558b
     99#define i82559A         0x82559a
    100#define i82559B         0x82559b
    101#define i82559C         0x82559c
    102#define i82559ER        0x82559e
    103#define i82562          0x82562
    104#define i82801          0x82801
    105
    106/* Use 64 word EEPROM. TODO: could be a runtime option. */
    107#define EEPROM_SIZE     64
    108
    109#define PCI_MEM_SIZE            (4 * KiB)
    110#define PCI_IO_SIZE             64
    111#define PCI_FLASH_SIZE          (128 * KiB)
    112
    113#define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
    114
    115/* The SCB accepts the following controls for the Tx and Rx units: */
    116#define  CU_NOP         0x0000  /* No operation. */
    117#define  CU_START       0x0010  /* CU start. */
    118#define  CU_RESUME      0x0020  /* CU resume. */
    119#define  CU_STATSADDR   0x0040  /* Load dump counters address. */
    120#define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
    121#define  CU_CMD_BASE    0x0060  /* Load CU base address. */
    122#define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
    123#define  CU_SRESUME     0x00a0  /* CU static resume. */
    124
    125#define  RU_NOP         0x0000
    126#define  RX_START       0x0001
    127#define  RX_RESUME      0x0002
    128#define  RU_ABORT       0x0004
    129#define  RX_ADDR_LOAD   0x0006
    130#define  RX_RESUMENR    0x0007
    131#define INT_MASK        0x0100
    132#define DRVR_INT        0x0200  /* Driver generated interrupt. */
    133
    134typedef struct {
    135    const char *name;
    136    const char *desc;
    137    uint16_t device_id;
    138    uint8_t revision;
    139    uint16_t subsystem_vendor_id;
    140    uint16_t subsystem_id;
    141
    142    uint32_t device;
    143    uint8_t stats_size;
    144    bool has_extended_tcb_support;
    145    bool power_management;
    146} E100PCIDeviceInfo;
    147
    148/* Offsets to the various registers.
    149   All accesses need not be longword aligned. */
    150typedef enum {
    151    SCBStatus = 0,              /* Status Word. */
    152    SCBAck = 1,
    153    SCBCmd = 2,                 /* Rx/Command Unit command and status. */
    154    SCBIntmask = 3,
    155    SCBPointer = 4,             /* General purpose pointer. */
    156    SCBPort = 8,                /* Misc. commands and operands.  */
    157    SCBflash = 12,              /* Flash memory control. */
    158    SCBeeprom = 14,             /* EEPROM control. */
    159    SCBCtrlMDI = 16,            /* MDI interface control. */
    160    SCBEarlyRx = 20,            /* Early receive byte count. */
    161    SCBFlow = 24,               /* Flow Control. */
    162    SCBpmdr = 27,               /* Power Management Driver. */
    163    SCBgctrl = 28,              /* General Control. */
    164    SCBgstat = 29,              /* General Status. */
    165} E100RegisterOffset;
    166
    167/* A speedo3 transmit buffer descriptor with two buffers... */
    168typedef struct {
    169    uint16_t status;
    170    uint16_t command;
    171    uint32_t link;              /* void * */
    172    uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
    173    uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
    174    uint8_t tx_threshold;       /* transmit threshold */
    175    uint8_t tbd_count;          /* TBD number */
    176#if 0
    177    /* This constitutes two "TBD" entries: hdr and data */
    178    uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
    179    int32_t  tx_buf_size0;  /* Length of Tx hdr. */
    180    uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
    181    int32_t  tx_buf_size1;  /* Length of Tx data. */
    182#endif
    183} eepro100_tx_t;
    184
    185/* Receive frame descriptor. */
    186typedef struct {
    187    int16_t status;
    188    uint16_t command;
    189    uint32_t link;              /* struct RxFD * */
    190    uint32_t rx_buf_addr;       /* void * */
    191    uint16_t count;
    192    uint16_t size;
    193    /* Ethernet frame data follows. */
    194} eepro100_rx_t;
    195
    196typedef enum {
    197    COMMAND_EL = BIT(15),
    198    COMMAND_S = BIT(14),
    199    COMMAND_I = BIT(13),
    200    COMMAND_NC = BIT(4),
    201    COMMAND_SF = BIT(3),
    202    COMMAND_CMD = BITS(2, 0),
    203} scb_command_bit;
    204
    205typedef enum {
    206    STATUS_C = BIT(15),
    207    STATUS_OK = BIT(13),
    208} scb_status_bit;
    209
    210typedef struct {
    211    uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
    212             tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
    213             tx_multiple_collisions, tx_total_collisions;
    214    uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
    215             rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
    216             rx_short_frame_errors;
    217    uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
    218    uint16_t xmt_tco_frames, rcv_tco_frames;
    219    /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
    220    uint32_t reserved[4];
    221} eepro100_stats_t;
    222
    223typedef enum {
    224    cu_idle = 0,
    225    cu_suspended = 1,
    226    cu_active = 2,
    227    cu_lpq_active = 2,
    228    cu_hqp_active = 3
    229} cu_state_t;
    230
    231typedef enum {
    232    ru_idle = 0,
    233    ru_suspended = 1,
    234    ru_no_resources = 2,
    235    ru_ready = 4
    236} ru_state_t;
    237
    238typedef struct {
    239    PCIDevice dev;
    240    /* Hash register (multicast mask array, multiple individual addresses). */
    241    uint8_t mult[8];
    242    MemoryRegion mmio_bar;
    243    MemoryRegion io_bar;
    244    MemoryRegion flash_bar;
    245    NICState *nic;
    246    NICConf conf;
    247    uint8_t scb_stat;           /* SCB stat/ack byte */
    248    uint8_t int_stat;           /* PCI interrupt status */
    249    /* region must not be saved by nic_save. */
    250    uint16_t mdimem[32];
    251    eeprom_t *eeprom;
    252    uint32_t device;            /* device variant */
    253    /* (cu_base + cu_offset) address the next command block in the command block list. */
    254    uint32_t cu_base;           /* CU base address */
    255    uint32_t cu_offset;         /* CU address offset */
    256    /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
    257    uint32_t ru_base;           /* RU base address */
    258    uint32_t ru_offset;         /* RU address offset */
    259    uint32_t statsaddr;         /* pointer to eepro100_stats_t */
    260
    261    /* Temporary status information (no need to save these values),
    262     * used while processing CU commands. */
    263    eepro100_tx_t tx;           /* transmit buffer descriptor */
    264    uint32_t cb_address;        /* = cu_base + cu_offset */
    265
    266    /* Statistical counters. Also used for wake-up packet (i82559). */
    267    eepro100_stats_t statistics;
    268
    269    /* Data in mem is always in the byte order of the controller (le).
    270     * It must be dword aligned to allow direct access to 32 bit values. */
    271    uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
    272
    273    /* Configuration bytes. */
    274    uint8_t configuration[22];
    275
    276    /* vmstate for each particular nic */
    277    VMStateDescription *vmstate;
    278
    279    /* Quasi static device properties (no need to save them). */
    280    uint16_t stats_size;
    281    bool has_extended_tcb_support;
    282} EEPRO100State;
    283
    284/* Word indices in EEPROM. */
    285typedef enum {
    286    EEPROM_CNFG_MDIX  = 0x03,
    287    EEPROM_ID         = 0x05,
    288    EEPROM_PHY_ID     = 0x06,
    289    EEPROM_VENDOR_ID  = 0x0c,
    290    EEPROM_CONFIG_ASF = 0x0d,
    291    EEPROM_DEVICE_ID  = 0x23,
    292    EEPROM_SMBUS_ADDR = 0x90,
    293} EEPROMOffset;
    294
    295/* Bit values for EEPROM ID word. */
    296typedef enum {
    297    EEPROM_ID_MDM = BIT(0),     /* Modem */
    298    EEPROM_ID_STB = BIT(1),     /* Standby Enable */
    299    EEPROM_ID_WMR = BIT(2),     /* ??? */
    300    EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
    301    EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
    302    EEPROM_ID_ALT = BIT(7),     /* */
    303    /* BITS(10, 8) device revision */
    304    EEPROM_ID_BD = BIT(11),     /* boot disable */
    305    EEPROM_ID_ID = BIT(13),     /* id bit */
    306    /* BITS(15, 14) signature */
    307    EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
    308} eeprom_id_bit;
    309
    310/* Default values for MDI (PHY) registers */
    311static const uint16_t eepro100_mdi_default[] = {
    312    /* MDI Registers 0 - 6, 7 */
    313    0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
    314    /* MDI Registers 8 - 15 */
    315    0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    316    /* MDI Registers 16 - 31 */
    317    0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    318    0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    319};
    320
    321/* Readonly mask for MDI (PHY) registers */
    322static const uint16_t eepro100_mdi_mask[] = {
    323    0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
    324    0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    325    0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
    326    0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    327};
    328
    329static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
    330
    331/* Read a 16 bit control/status (CSR) register. */
    332static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
    333{
    334    assert(!((uintptr_t)&s->mem[addr] & 1));
    335    return lduw_le_p(&s->mem[addr]);
    336}
    337
    338/* Read a 32 bit control/status (CSR) register. */
    339static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
    340{
    341    assert(!((uintptr_t)&s->mem[addr] & 3));
    342    return ldl_le_p(&s->mem[addr]);
    343}
    344
    345/* Write a 16 bit control/status (CSR) register. */
    346static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
    347                            uint16_t val)
    348{
    349    assert(!((uintptr_t)&s->mem[addr] & 1));
    350    stw_le_p(&s->mem[addr], val);
    351}
    352
    353/* Read a 32 bit control/status (CSR) register. */
    354static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
    355                            uint32_t val)
    356{
    357    assert(!((uintptr_t)&s->mem[addr] & 3));
    358    stl_le_p(&s->mem[addr], val);
    359}
    360
    361#if defined(DEBUG_EEPRO100)
    362static const char *nic_dump(const uint8_t * buf, unsigned size)
    363{
    364    static char dump[3 * 16 + 1];
    365    char *p = &dump[0];
    366    if (size > 16) {
    367        size = 16;
    368    }
    369    while (size-- > 0) {
    370        p += sprintf(p, " %02x", *buf++);
    371    }
    372    return dump;
    373}
    374#endif                          /* DEBUG_EEPRO100 */
    375
    376enum scb_stat_ack {
    377    stat_ack_not_ours = 0x00,
    378    stat_ack_sw_gen = 0x04,
    379    stat_ack_rnr = 0x10,
    380    stat_ack_cu_idle = 0x20,
    381    stat_ack_frame_rx = 0x40,
    382    stat_ack_cu_cmd_done = 0x80,
    383    stat_ack_not_present = 0xFF,
    384    stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
    385    stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
    386};
    387
    388static void disable_interrupt(EEPRO100State * s)
    389{
    390    if (s->int_stat) {
    391        TRACE(INT, logout("interrupt disabled\n"));
    392        pci_irq_deassert(&s->dev);
    393        s->int_stat = 0;
    394    }
    395}
    396
    397static void enable_interrupt(EEPRO100State * s)
    398{
    399    if (!s->int_stat) {
    400        TRACE(INT, logout("interrupt enabled\n"));
    401        pci_irq_assert(&s->dev);
    402        s->int_stat = 1;
    403    }
    404}
    405
    406static void eepro100_acknowledge(EEPRO100State * s)
    407{
    408    s->scb_stat &= ~s->mem[SCBAck];
    409    s->mem[SCBAck] = s->scb_stat;
    410    if (s->scb_stat == 0) {
    411        disable_interrupt(s);
    412    }
    413}
    414
    415static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
    416{
    417    uint8_t mask = ~s->mem[SCBIntmask];
    418    s->mem[SCBAck] |= status;
    419    status = s->scb_stat = s->mem[SCBAck];
    420    status &= (mask | 0x0f);
    421#if 0
    422    status &= (~s->mem[SCBIntmask] | 0x0xf);
    423#endif
    424    if (status && (mask & 0x01)) {
    425        /* SCB mask and SCB Bit M do not disable interrupt. */
    426        enable_interrupt(s);
    427    } else if (s->int_stat) {
    428        disable_interrupt(s);
    429    }
    430}
    431
    432static void eepro100_cx_interrupt(EEPRO100State * s)
    433{
    434    /* CU completed action command. */
    435    /* Transmit not ok (82557 only, not in emulation). */
    436    eepro100_interrupt(s, 0x80);
    437}
    438
    439static void eepro100_cna_interrupt(EEPRO100State * s)
    440{
    441    /* CU left the active state. */
    442    eepro100_interrupt(s, 0x20);
    443}
    444
    445static void eepro100_fr_interrupt(EEPRO100State * s)
    446{
    447    /* RU received a complete frame. */
    448    eepro100_interrupt(s, 0x40);
    449}
    450
    451static void eepro100_rnr_interrupt(EEPRO100State * s)
    452{
    453    /* RU is not ready. */
    454    eepro100_interrupt(s, 0x10);
    455}
    456
    457static void eepro100_mdi_interrupt(EEPRO100State * s)
    458{
    459    /* MDI completed read or write cycle. */
    460    eepro100_interrupt(s, 0x08);
    461}
    462
    463static void eepro100_swi_interrupt(EEPRO100State * s)
    464{
    465    /* Software has requested an interrupt. */
    466    eepro100_interrupt(s, 0x04);
    467}
    468
    469#if 0
    470static void eepro100_fcp_interrupt(EEPRO100State * s)
    471{
    472    /* Flow control pause interrupt (82558 and later). */
    473    eepro100_interrupt(s, 0x01);
    474}
    475#endif
    476
    477static void e100_pci_reset(EEPRO100State *s, Error **errp)
    478{
    479    E100PCIDeviceInfo *info = eepro100_get_class(s);
    480    uint32_t device = s->device;
    481    uint8_t *pci_conf = s->dev.config;
    482
    483    TRACE(OTHER, logout("%p\n", s));
    484
    485    /* PCI Status */
    486    pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
    487                                        PCI_STATUS_FAST_BACK);
    488    /* PCI Latency Timer */
    489    pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
    490    /* Capability Pointer is set by PCI framework. */
    491    /* Interrupt Line */
    492    /* Interrupt Pin */
    493    pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
    494    /* Minimum Grant */
    495    pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
    496    /* Maximum Latency */
    497    pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
    498
    499    s->stats_size = info->stats_size;
    500    s->has_extended_tcb_support = info->has_extended_tcb_support;
    501
    502    switch (device) {
    503    case i82550:
    504    case i82551:
    505    case i82557A:
    506    case i82557B:
    507    case i82557C:
    508    case i82558A:
    509    case i82558B:
    510    case i82559A:
    511    case i82559B:
    512    case i82559ER:
    513    case i82562:
    514    case i82801:
    515    case i82559C:
    516        break;
    517    default:
    518        logout("Device %X is undefined!\n", device);
    519    }
    520
    521    /* Standard TxCB. */
    522    s->configuration[6] |= BIT(4);
    523
    524    /* Standard statistical counters. */
    525    s->configuration[6] |= BIT(5);
    526
    527    if (s->stats_size == 80) {
    528        /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
    529        if (s->configuration[6] & BIT(2)) {
    530            /* TCO statistical counters. */
    531            assert(s->configuration[6] & BIT(5));
    532        } else {
    533            if (s->configuration[6] & BIT(5)) {
    534                /* No extended statistical counters, i82557 compatible. */
    535                s->stats_size = 64;
    536            } else {
    537                /* i82558 compatible. */
    538                s->stats_size = 76;
    539            }
    540        }
    541    } else {
    542        if (s->configuration[6] & BIT(5)) {
    543            /* No extended statistical counters. */
    544            s->stats_size = 64;
    545        }
    546    }
    547    assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
    548
    549    if (info->power_management) {
    550        /* Power Management Capabilities */
    551        int cfg_offset = 0xdc;
    552        int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
    553                                   cfg_offset, PCI_PM_SIZEOF,
    554                                   errp);
    555        if (r < 0) {
    556            return;
    557        }
    558
    559        pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
    560#if 0 /* TODO: replace dummy code for power management emulation. */
    561        /* TODO: Power Management Control / Status. */
    562        pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
    563        /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
    564        pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
    565#endif
    566    }
    567
    568#if EEPROM_SIZE > 0
    569    if (device == i82557C || device == i82558B || device == i82559C) {
    570        /*
    571        TODO: get vendor id from EEPROM for i82557C or later.
    572        TODO: get device id from EEPROM for i82557C or later.
    573        TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
    574        TODO: header type is determined by EEPROM for i82559.
    575        TODO: get subsystem id from EEPROM for i82557C or later.
    576        TODO: get subsystem vendor id from EEPROM for i82557C or later.
    577        TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
    578        TODO: capability pointer depends on EEPROM for i82558.
    579        */
    580        logout("Get device id and revision from EEPROM!!!\n");
    581    }
    582#endif /* EEPROM_SIZE > 0 */
    583}
    584
    585static void nic_selective_reset(EEPRO100State * s)
    586{
    587    size_t i;
    588    uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
    589#if 0
    590    eeprom93xx_reset(s->eeprom);
    591#endif
    592    memcpy(eeprom_contents, s->conf.macaddr.a, 6);
    593    eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
    594    if (s->device == i82557B || s->device == i82557C)
    595        eeprom_contents[5] = 0x0100;
    596    eeprom_contents[EEPROM_PHY_ID] = 1;
    597    uint16_t sum = 0;
    598    for (i = 0; i < EEPROM_SIZE - 1; i++) {
    599        sum += eeprom_contents[i];
    600    }
    601    eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
    602    TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
    603
    604    memset(s->mem, 0, sizeof(s->mem));
    605    e100_write_reg4(s, SCBCtrlMDI, BIT(21));
    606
    607    assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
    608    memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
    609}
    610
    611static void nic_reset(void *opaque)
    612{
    613    EEPRO100State *s = opaque;
    614    TRACE(OTHER, logout("%p\n", s));
    615    /* TODO: Clearing of hash register for selective reset, too? */
    616    memset(&s->mult[0], 0, sizeof(s->mult));
    617    nic_selective_reset(s);
    618}
    619
    620#if defined(DEBUG_EEPRO100)
    621static const char * const e100_reg[PCI_IO_SIZE / 4] = {
    622    "Command/Status",
    623    "General Pointer",
    624    "Port",
    625    "EEPROM/Flash Control",
    626    "MDI Control",
    627    "Receive DMA Byte Count",
    628    "Flow Control",
    629    "General Status/Control"
    630};
    631
    632static char *regname(uint32_t addr)
    633{
    634    static char buf[32];
    635    if (addr < PCI_IO_SIZE) {
    636        const char *r = e100_reg[addr / 4];
    637        if (r != 0) {
    638            snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
    639        } else {
    640            snprintf(buf, sizeof(buf), "0x%02x", addr);
    641        }
    642    } else {
    643        snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
    644    }
    645    return buf;
    646}
    647#endif                          /* DEBUG_EEPRO100 */
    648
    649/*****************************************************************************
    650 *
    651 * Command emulation.
    652 *
    653 ****************************************************************************/
    654
    655#if 0
    656static uint16_t eepro100_read_command(EEPRO100State * s)
    657{
    658    uint16_t val = 0xffff;
    659    TRACE(OTHER, logout("val=0x%04x\n", val));
    660    return val;
    661}
    662#endif
    663
    664/* Commands that can be put in a command list entry. */
    665enum commands {
    666    CmdNOp = 0,
    667    CmdIASetup = 1,
    668    CmdConfigure = 2,
    669    CmdMulticastList = 3,
    670    CmdTx = 4,
    671    CmdTDR = 5,                 /* load microcode */
    672    CmdDump = 6,
    673    CmdDiagnose = 7,
    674
    675    /* And some extra flags: */
    676    CmdSuspend = 0x4000,        /* Suspend after completion. */
    677    CmdIntr = 0x2000,           /* Interrupt after completion. */
    678    CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
    679};
    680
    681static cu_state_t get_cu_state(EEPRO100State * s)
    682{
    683    return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
    684}
    685
    686static void set_cu_state(EEPRO100State * s, cu_state_t state)
    687{
    688    s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
    689}
    690
    691static ru_state_t get_ru_state(EEPRO100State * s)
    692{
    693    return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
    694}
    695
    696static void set_ru_state(EEPRO100State * s, ru_state_t state)
    697{
    698    s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
    699}
    700
    701static void dump_statistics(EEPRO100State * s)
    702{
    703    /* Dump statistical data. Most data is never changed by the emulation
    704     * and always 0, so we first just copy the whole block and then those
    705     * values which really matter.
    706     * Number of data should check configuration!!!
    707     */
    708    pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
    709    stl_le_pci_dma(&s->dev, s->statsaddr + 0,
    710                   s->statistics.tx_good_frames);
    711    stl_le_pci_dma(&s->dev, s->statsaddr + 36,
    712                   s->statistics.rx_good_frames);
    713    stl_le_pci_dma(&s->dev, s->statsaddr + 48,
    714                   s->statistics.rx_resource_errors);
    715    stl_le_pci_dma(&s->dev, s->statsaddr + 60,
    716                   s->statistics.rx_short_frame_errors);
    717#if 0
    718    stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
    719    stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
    720    missing("CU dump statistical counters");
    721#endif
    722}
    723
    724static void read_cb(EEPRO100State *s)
    725{
    726    pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
    727    s->tx.status = le16_to_cpu(s->tx.status);
    728    s->tx.command = le16_to_cpu(s->tx.command);
    729    s->tx.link = le32_to_cpu(s->tx.link);
    730    s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
    731    s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
    732}
    733
    734static void tx_command(EEPRO100State *s)
    735{
    736    uint32_t tbd_array = s->tx.tbd_array_addr;
    737    uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
    738    /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
    739    uint8_t buf[2600];
    740    uint16_t size = 0;
    741    uint32_t tbd_address = s->cb_address + 0x10;
    742    TRACE(RXTX, logout
    743        ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
    744         tbd_array, tcb_bytes, s->tx.tbd_count));
    745
    746    if (tcb_bytes > 2600) {
    747        logout("TCB byte count too large, using 2600\n");
    748        tcb_bytes = 2600;
    749    }
    750    if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
    751        logout
    752            ("illegal values of TBD array address and TCB byte count!\n");
    753    }
    754    assert(tcb_bytes <= sizeof(buf));
    755    while (size < tcb_bytes) {
    756        TRACE(RXTX, logout
    757            ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
    758             tbd_address, tcb_bytes));
    759        pci_dma_read(&s->dev, tbd_address, &buf[size], tcb_bytes);
    760        size += tcb_bytes;
    761    }
    762    if (tbd_array == 0xffffffff) {
    763        /* Simplified mode. Was already handled by code above. */
    764    } else {
    765        /* Flexible mode. */
    766        uint8_t tbd_count = 0;
    767        if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
    768            /* Extended Flexible TCB. */
    769            for (; tbd_count < 2; tbd_count++) {
    770                uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
    771                                                            tbd_address);
    772                uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
    773                                                          tbd_address + 4);
    774                uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
    775                                                        tbd_address + 6);
    776                tbd_address += 8;
    777                TRACE(RXTX, logout
    778                    ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
    779                     tx_buffer_address, tx_buffer_size));
    780                tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
    781                pci_dma_read(&s->dev, tx_buffer_address,
    782                             &buf[size], tx_buffer_size);
    783                size += tx_buffer_size;
    784                if (tx_buffer_el & 1) {
    785                    break;
    786                }
    787            }
    788        }
    789        tbd_address = tbd_array;
    790        for (; tbd_count < s->tx.tbd_count; tbd_count++) {
    791            uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
    792            uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
    793            uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
    794            tbd_address += 8;
    795            TRACE(RXTX, logout
    796                ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
    797                 tx_buffer_address, tx_buffer_size));
    798            tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
    799            pci_dma_read(&s->dev, tx_buffer_address,
    800                         &buf[size], tx_buffer_size);
    801            size += tx_buffer_size;
    802            if (tx_buffer_el & 1) {
    803                break;
    804            }
    805        }
    806    }
    807    TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
    808    qemu_send_packet(qemu_get_queue(s->nic), buf, size);
    809    s->statistics.tx_good_frames++;
    810    /* Transmit with bad status would raise an CX/TNO interrupt.
    811     * (82557 only). Emulation never has bad status. */
    812#if 0
    813    eepro100_cx_interrupt(s);
    814#endif
    815}
    816
    817static void set_multicast_list(EEPRO100State *s)
    818{
    819    uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
    820    uint16_t i;
    821    memset(&s->mult[0], 0, sizeof(s->mult));
    822    TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
    823    for (i = 0; i < multicast_count; i += 6) {
    824        uint8_t multicast_addr[6];
    825        pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
    826        TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
    827        unsigned mcast_idx = (net_crc32(multicast_addr, ETH_ALEN) &
    828                              BITS(7, 2)) >> 2;
    829        assert(mcast_idx < 64);
    830        s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
    831    }
    832}
    833
    834static void action_command(EEPRO100State *s)
    835{
    836    /* The loop below won't stop if it gets special handcrafted data.
    837       Therefore we limit the number of iterations. */
    838    unsigned max_loop_count = 16;
    839
    840    for (;;) {
    841        bool bit_el;
    842        bool bit_s;
    843        bool bit_i;
    844        bool bit_nc;
    845        uint16_t ok_status = STATUS_OK;
    846        s->cb_address = s->cu_base + s->cu_offset;
    847        read_cb(s);
    848        bit_el = ((s->tx.command & COMMAND_EL) != 0);
    849        bit_s = ((s->tx.command & COMMAND_S) != 0);
    850        bit_i = ((s->tx.command & COMMAND_I) != 0);
    851        bit_nc = ((s->tx.command & COMMAND_NC) != 0);
    852#if 0
    853        bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
    854#endif
    855
    856        if (max_loop_count-- == 0) {
    857            /* Prevent an endless loop. */
    858            logout("loop in %s:%u\n", __FILE__, __LINE__);
    859            break;
    860        }
    861
    862        s->cu_offset = s->tx.link;
    863        TRACE(OTHER,
    864              logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
    865                     s->tx.status, s->tx.command, s->tx.link));
    866        switch (s->tx.command & COMMAND_CMD) {
    867        case CmdNOp:
    868            /* Do nothing. */
    869            break;
    870        case CmdIASetup:
    871            pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
    872            TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
    873            break;
    874        case CmdConfigure:
    875            pci_dma_read(&s->dev, s->cb_address + 8,
    876                         &s->configuration[0], sizeof(s->configuration));
    877            TRACE(OTHER, logout("configuration: %s\n",
    878                                nic_dump(&s->configuration[0], 16)));
    879            TRACE(OTHER, logout("configuration: %s\n",
    880                                nic_dump(&s->configuration[16],
    881                                ARRAY_SIZE(s->configuration) - 16)));
    882            if (s->configuration[20] & BIT(6)) {
    883                TRACE(OTHER, logout("Multiple IA bit\n"));
    884            }
    885            break;
    886        case CmdMulticastList:
    887            set_multicast_list(s);
    888            break;
    889        case CmdTx:
    890            if (bit_nc) {
    891                missing("CmdTx: NC = 0");
    892                ok_status = 0;
    893                break;
    894            }
    895            tx_command(s);
    896            break;
    897        case CmdTDR:
    898            TRACE(OTHER, logout("load microcode\n"));
    899            /* Starting with offset 8, the command contains
    900             * 64 dwords microcode which we just ignore here. */
    901            break;
    902        case CmdDiagnose:
    903            TRACE(OTHER, logout("diagnose\n"));
    904            /* Make sure error flag is not set. */
    905            s->tx.status = 0;
    906            break;
    907        default:
    908            missing("undefined command");
    909            ok_status = 0;
    910            break;
    911        }
    912        /* Write new status. */
    913        stw_le_pci_dma(&s->dev, s->cb_address,
    914                       s->tx.status | ok_status | STATUS_C);
    915        if (bit_i) {
    916            /* CU completed action. */
    917            eepro100_cx_interrupt(s);
    918        }
    919        if (bit_el) {
    920            /* CU becomes idle. Terminate command loop. */
    921            set_cu_state(s, cu_idle);
    922            eepro100_cna_interrupt(s);
    923            break;
    924        } else if (bit_s) {
    925            /* CU becomes suspended. Terminate command loop. */
    926            set_cu_state(s, cu_suspended);
    927            eepro100_cna_interrupt(s);
    928            break;
    929        } else {
    930            /* More entries in list. */
    931            TRACE(OTHER, logout("CU list with at least one more entry\n"));
    932        }
    933    }
    934    TRACE(OTHER, logout("CU list empty\n"));
    935    /* List is empty. Now CU is idle or suspended. */
    936}
    937
    938static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
    939{
    940    cu_state_t cu_state;
    941    switch (val) {
    942    case CU_NOP:
    943        /* No operation. */
    944        break;
    945    case CU_START:
    946        cu_state = get_cu_state(s);
    947        if (cu_state != cu_idle && cu_state != cu_suspended) {
    948            /* Intel documentation says that CU must be idle or suspended
    949             * for the CU start command. */
    950            logout("unexpected CU state is %u\n", cu_state);
    951        }
    952        set_cu_state(s, cu_active);
    953        s->cu_offset = e100_read_reg4(s, SCBPointer);
    954        action_command(s);
    955        break;
    956    case CU_RESUME:
    957        if (get_cu_state(s) != cu_suspended) {
    958            logout("bad CU resume from CU state %u\n", get_cu_state(s));
    959            /* Workaround for bad Linux eepro100 driver which resumes
    960             * from idle state. */
    961#if 0
    962            missing("cu resume");
    963#endif
    964            set_cu_state(s, cu_suspended);
    965        }
    966        if (get_cu_state(s) == cu_suspended) {
    967            TRACE(OTHER, logout("CU resuming\n"));
    968            set_cu_state(s, cu_active);
    969            action_command(s);
    970        }
    971        break;
    972    case CU_STATSADDR:
    973        /* Load dump counters address. */
    974        s->statsaddr = e100_read_reg4(s, SCBPointer);
    975        TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
    976        if (s->statsaddr & 3) {
    977            /* Memory must be Dword aligned. */
    978            logout("unaligned dump counters address\n");
    979            /* Handling of misaligned addresses is undefined.
    980             * Here we align the address by ignoring the lower bits. */
    981            /* TODO: Test unaligned dump counter address on real hardware. */
    982            s->statsaddr &= ~3;
    983        }
    984        break;
    985    case CU_SHOWSTATS:
    986        /* Dump statistical counters. */
    987        TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
    988        dump_statistics(s);
    989        stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
    990        break;
    991    case CU_CMD_BASE:
    992        /* Load CU base. */
    993        TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
    994        s->cu_base = e100_read_reg4(s, SCBPointer);
    995        break;
    996    case CU_DUMPSTATS:
    997        /* Dump and reset statistical counters. */
    998        TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
    999        dump_statistics(s);
   1000        stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
   1001        memset(&s->statistics, 0, sizeof(s->statistics));
   1002        break;
   1003    case CU_SRESUME:
   1004        /* CU static resume. */
   1005        missing("CU static resume");
   1006        break;
   1007    default:
   1008        missing("Undefined CU command");
   1009    }
   1010}
   1011
   1012static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
   1013{
   1014    switch (val) {
   1015    case RU_NOP:
   1016        /* No operation. */
   1017        break;
   1018    case RX_START:
   1019        /* RU start. */
   1020        if (get_ru_state(s) != ru_idle) {
   1021            logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
   1022#if 0
   1023            assert(!"wrong RU state");
   1024#endif
   1025        }
   1026        set_ru_state(s, ru_ready);
   1027        s->ru_offset = e100_read_reg4(s, SCBPointer);
   1028        qemu_flush_queued_packets(qemu_get_queue(s->nic));
   1029        TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
   1030        break;
   1031    case RX_RESUME:
   1032        /* Restart RU. */
   1033        if (get_ru_state(s) != ru_suspended) {
   1034            logout("RU state is %u, should be %u\n", get_ru_state(s),
   1035                   ru_suspended);
   1036#if 0
   1037            assert(!"wrong RU state");
   1038#endif
   1039        }
   1040        set_ru_state(s, ru_ready);
   1041        break;
   1042    case RU_ABORT:
   1043        /* RU abort. */
   1044        if (get_ru_state(s) == ru_ready) {
   1045            eepro100_rnr_interrupt(s);
   1046        }
   1047        set_ru_state(s, ru_idle);
   1048        break;
   1049    case RX_ADDR_LOAD:
   1050        /* Load RU base. */
   1051        TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
   1052        s->ru_base = e100_read_reg4(s, SCBPointer);
   1053        break;
   1054    default:
   1055        logout("val=0x%02x (undefined RU command)\n", val);
   1056        missing("Undefined SU command");
   1057    }
   1058}
   1059
   1060static void eepro100_write_command(EEPRO100State * s, uint8_t val)
   1061{
   1062    eepro100_ru_command(s, val & 0x0f);
   1063    eepro100_cu_command(s, val & 0xf0);
   1064    if ((val) == 0) {
   1065        TRACE(OTHER, logout("val=0x%02x\n", val));
   1066    }
   1067    /* Clear command byte after command was accepted. */
   1068    s->mem[SCBCmd] = 0;
   1069}
   1070
   1071/*****************************************************************************
   1072 *
   1073 * EEPROM emulation.
   1074 *
   1075 ****************************************************************************/
   1076
   1077#define EEPROM_CS       0x02
   1078#define EEPROM_SK       0x01
   1079#define EEPROM_DI       0x04
   1080#define EEPROM_DO       0x08
   1081
   1082static uint16_t eepro100_read_eeprom(EEPRO100State * s)
   1083{
   1084    uint16_t val = e100_read_reg2(s, SCBeeprom);
   1085    if (eeprom93xx_read(s->eeprom)) {
   1086        val |= EEPROM_DO;
   1087    } else {
   1088        val &= ~EEPROM_DO;
   1089    }
   1090    TRACE(EEPROM, logout("val=0x%04x\n", val));
   1091    return val;
   1092}
   1093
   1094static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
   1095{
   1096    TRACE(EEPROM, logout("val=0x%02x\n", val));
   1097
   1098    /* mask unwritable bits */
   1099#if 0
   1100    val = SET_MASKED(val, 0x31, eeprom->value);
   1101#endif
   1102
   1103    int eecs = ((val & EEPROM_CS) != 0);
   1104    int eesk = ((val & EEPROM_SK) != 0);
   1105    int eedi = ((val & EEPROM_DI) != 0);
   1106    eeprom93xx_write(eeprom, eecs, eesk, eedi);
   1107}
   1108
   1109/*****************************************************************************
   1110 *
   1111 * MDI emulation.
   1112 *
   1113 ****************************************************************************/
   1114
   1115#if defined(DEBUG_EEPRO100)
   1116static const char * const mdi_op_name[] = {
   1117    "opcode 0",
   1118    "write",
   1119    "read",
   1120    "opcode 3"
   1121};
   1122
   1123static const char * const mdi_reg_name[] = {
   1124    "Control",
   1125    "Status",
   1126    "PHY Identification (Word 1)",
   1127    "PHY Identification (Word 2)",
   1128    "Auto-Negotiation Advertisement",
   1129    "Auto-Negotiation Link Partner Ability",
   1130    "Auto-Negotiation Expansion"
   1131};
   1132
   1133static const char *reg2name(uint8_t reg)
   1134{
   1135    static char buffer[10];
   1136    const char *p = buffer;
   1137    if (reg < ARRAY_SIZE(mdi_reg_name)) {
   1138        p = mdi_reg_name[reg];
   1139    } else {
   1140        snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
   1141    }
   1142    return p;
   1143}
   1144#endif                          /* DEBUG_EEPRO100 */
   1145
   1146static uint32_t eepro100_read_mdi(EEPRO100State * s)
   1147{
   1148    uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
   1149
   1150#ifdef DEBUG_EEPRO100
   1151    uint8_t raiseint = (val & BIT(29)) >> 29;
   1152    uint8_t opcode = (val & BITS(27, 26)) >> 26;
   1153    uint8_t phy = (val & BITS(25, 21)) >> 21;
   1154    uint8_t reg = (val & BITS(20, 16)) >> 16;
   1155    uint16_t data = (val & BITS(15, 0));
   1156#endif
   1157    /* Emulation takes no time to finish MDI transaction. */
   1158    val |= BIT(28);
   1159    TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
   1160                      val, raiseint, mdi_op_name[opcode], phy,
   1161                      reg2name(reg), data));
   1162    return val;
   1163}
   1164
   1165static void eepro100_write_mdi(EEPRO100State *s)
   1166{
   1167    uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
   1168    uint8_t raiseint = (val & BIT(29)) >> 29;
   1169    uint8_t opcode = (val & BITS(27, 26)) >> 26;
   1170    uint8_t phy = (val & BITS(25, 21)) >> 21;
   1171    uint8_t reg = (val & BITS(20, 16)) >> 16;
   1172    uint16_t data = (val & BITS(15, 0));
   1173    TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
   1174          val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
   1175    if (phy != 1) {
   1176        /* Unsupported PHY address. */
   1177#if 0
   1178        logout("phy must be 1 but is %u\n", phy);
   1179#endif
   1180        data = 0;
   1181    } else if (opcode != 1 && opcode != 2) {
   1182        /* Unsupported opcode. */
   1183        logout("opcode must be 1 or 2 but is %u\n", opcode);
   1184        data = 0;
   1185    } else if (reg > 6) {
   1186        /* Unsupported register. */
   1187        logout("register must be 0...6 but is %u\n", reg);
   1188        data = 0;
   1189    } else {
   1190        TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
   1191                          val, raiseint, mdi_op_name[opcode], phy,
   1192                          reg2name(reg), data));
   1193        if (opcode == 1) {
   1194            /* MDI write */
   1195            switch (reg) {
   1196            case 0:            /* Control Register */
   1197                if (data & 0x8000) {
   1198                    /* Reset status and control registers to default. */
   1199                    s->mdimem[0] = eepro100_mdi_default[0];
   1200                    s->mdimem[1] = eepro100_mdi_default[1];
   1201                    data = s->mdimem[reg];
   1202                } else {
   1203                    /* Restart Auto Configuration = Normal Operation */
   1204                    data &= ~0x0200;
   1205                }
   1206                break;
   1207            case 1:            /* Status Register */
   1208                missing("not writable");
   1209                break;
   1210            case 2:            /* PHY Identification Register (Word 1) */
   1211            case 3:            /* PHY Identification Register (Word 2) */
   1212                missing("not implemented");
   1213                break;
   1214            case 4:            /* Auto-Negotiation Advertisement Register */
   1215            case 5:            /* Auto-Negotiation Link Partner Ability Register */
   1216                break;
   1217            case 6:            /* Auto-Negotiation Expansion Register */
   1218            default:
   1219                missing("not implemented");
   1220            }
   1221            s->mdimem[reg] &= eepro100_mdi_mask[reg];
   1222            s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
   1223        } else if (opcode == 2) {
   1224            /* MDI read */
   1225            switch (reg) {
   1226            case 0:            /* Control Register */
   1227                if (data & 0x8000) {
   1228                    /* Reset status and control registers to default. */
   1229                    s->mdimem[0] = eepro100_mdi_default[0];
   1230                    s->mdimem[1] = eepro100_mdi_default[1];
   1231                }
   1232                break;
   1233            case 1:            /* Status Register */
   1234                s->mdimem[reg] |= 0x0020;
   1235                break;
   1236            case 2:            /* PHY Identification Register (Word 1) */
   1237            case 3:            /* PHY Identification Register (Word 2) */
   1238            case 4:            /* Auto-Negotiation Advertisement Register */
   1239                break;
   1240            case 5:            /* Auto-Negotiation Link Partner Ability Register */
   1241                s->mdimem[reg] = 0x41fe;
   1242                break;
   1243            case 6:            /* Auto-Negotiation Expansion Register */
   1244                s->mdimem[reg] = 0x0001;
   1245                break;
   1246            }
   1247            data = s->mdimem[reg];
   1248        }
   1249        /* Emulation takes no time to finish MDI transaction.
   1250         * Set MDI bit in SCB status register. */
   1251        s->mem[SCBAck] |= 0x08;
   1252        val |= BIT(28);
   1253        if (raiseint) {
   1254            eepro100_mdi_interrupt(s);
   1255        }
   1256    }
   1257    val = (val & 0xffff0000) + data;
   1258    e100_write_reg4(s, SCBCtrlMDI, val);
   1259}
   1260
   1261/*****************************************************************************
   1262 *
   1263 * Port emulation.
   1264 *
   1265 ****************************************************************************/
   1266
   1267#define PORT_SOFTWARE_RESET     0
   1268#define PORT_SELFTEST           1
   1269#define PORT_SELECTIVE_RESET    2
   1270#define PORT_DUMP               3
   1271#define PORT_SELECTION_MASK     3
   1272
   1273typedef struct {
   1274    uint32_t st_sign;           /* Self Test Signature */
   1275    uint32_t st_result;         /* Self Test Results */
   1276} eepro100_selftest_t;
   1277
   1278static uint32_t eepro100_read_port(EEPRO100State * s)
   1279{
   1280    return 0;
   1281}
   1282
   1283static void eepro100_write_port(EEPRO100State *s)
   1284{
   1285    uint32_t val = e100_read_reg4(s, SCBPort);
   1286    uint32_t address = (val & ~PORT_SELECTION_MASK);
   1287    uint8_t selection = (val & PORT_SELECTION_MASK);
   1288    switch (selection) {
   1289    case PORT_SOFTWARE_RESET:
   1290        nic_reset(s);
   1291        break;
   1292    case PORT_SELFTEST:
   1293        TRACE(OTHER, logout("selftest address=0x%08x\n", address));
   1294        eepro100_selftest_t data;
   1295        pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
   1296        data.st_sign = 0xffffffff;
   1297        data.st_result = 0;
   1298        pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
   1299        break;
   1300    case PORT_SELECTIVE_RESET:
   1301        TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
   1302        nic_selective_reset(s);
   1303        break;
   1304    default:
   1305        logout("val=0x%08x\n", val);
   1306        missing("unknown port selection");
   1307    }
   1308}
   1309
   1310/*****************************************************************************
   1311 *
   1312 * General hardware emulation.
   1313 *
   1314 ****************************************************************************/
   1315
   1316static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
   1317{
   1318    uint8_t val = 0;
   1319    if (addr <= sizeof(s->mem) - sizeof(val)) {
   1320        val = s->mem[addr];
   1321    }
   1322
   1323    switch (addr) {
   1324    case SCBStatus:
   1325    case SCBAck:
   1326        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1327        break;
   1328    case SCBCmd:
   1329        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1330#if 0
   1331        val = eepro100_read_command(s);
   1332#endif
   1333        break;
   1334    case SCBIntmask:
   1335        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1336        break;
   1337    case SCBPort + 3:
   1338        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1339        break;
   1340    case SCBeeprom:
   1341        val = eepro100_read_eeprom(s);
   1342        break;
   1343    case SCBCtrlMDI:
   1344    case SCBCtrlMDI + 1:
   1345    case SCBCtrlMDI + 2:
   1346    case SCBCtrlMDI + 3:
   1347        val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
   1348        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1349        break;
   1350    case SCBpmdr:       /* Power Management Driver Register */
   1351        val = 0;
   1352        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1353        break;
   1354    case SCBgctrl:      /* General Control Register */
   1355        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1356        break;
   1357    case SCBgstat:      /* General Status Register */
   1358        /* 100 Mbps full duplex, valid link */
   1359        val = 0x07;
   1360        TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
   1361        break;
   1362    default:
   1363        logout("addr=%s val=0x%02x\n", regname(addr), val);
   1364        missing("unknown byte read");
   1365    }
   1366    return val;
   1367}
   1368
   1369static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
   1370{
   1371    uint16_t val = 0;
   1372    if (addr <= sizeof(s->mem) - sizeof(val)) {
   1373        val = e100_read_reg2(s, addr);
   1374    }
   1375
   1376    switch (addr) {
   1377    case SCBStatus:
   1378    case SCBCmd:
   1379        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1380        break;
   1381    case SCBeeprom:
   1382        val = eepro100_read_eeprom(s);
   1383        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1384        break;
   1385    case SCBCtrlMDI:
   1386    case SCBCtrlMDI + 2:
   1387        val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
   1388        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1389        break;
   1390    default:
   1391        logout("addr=%s val=0x%04x\n", regname(addr), val);
   1392        missing("unknown word read");
   1393    }
   1394    return val;
   1395}
   1396
   1397static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
   1398{
   1399    uint32_t val = 0;
   1400    if (addr <= sizeof(s->mem) - sizeof(val)) {
   1401        val = e100_read_reg4(s, addr);
   1402    }
   1403
   1404    switch (addr) {
   1405    case SCBStatus:
   1406        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1407        break;
   1408    case SCBPointer:
   1409        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1410        break;
   1411    case SCBPort:
   1412        val = eepro100_read_port(s);
   1413        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1414        break;
   1415    case SCBflash:
   1416        val = eepro100_read_eeprom(s);
   1417        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1418        break;
   1419    case SCBCtrlMDI:
   1420        val = eepro100_read_mdi(s);
   1421        break;
   1422    default:
   1423        logout("addr=%s val=0x%08x\n", regname(addr), val);
   1424        missing("unknown longword read");
   1425    }
   1426    return val;
   1427}
   1428
   1429static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
   1430{
   1431    /* SCBStatus is readonly. */
   1432    if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
   1433        s->mem[addr] = val;
   1434    }
   1435
   1436    switch (addr) {
   1437    case SCBStatus:
   1438        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1439        break;
   1440    case SCBAck:
   1441        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1442        eepro100_acknowledge(s);
   1443        break;
   1444    case SCBCmd:
   1445        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1446        eepro100_write_command(s, val);
   1447        break;
   1448    case SCBIntmask:
   1449        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1450        if (val & BIT(1)) {
   1451            eepro100_swi_interrupt(s);
   1452        }
   1453        eepro100_interrupt(s, 0);
   1454        break;
   1455    case SCBPointer:
   1456    case SCBPointer + 1:
   1457    case SCBPointer + 2:
   1458    case SCBPointer + 3:
   1459        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1460        break;
   1461    case SCBPort:
   1462    case SCBPort + 1:
   1463    case SCBPort + 2:
   1464        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1465        break;
   1466    case SCBPort + 3:
   1467        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1468        eepro100_write_port(s);
   1469        break;
   1470    case SCBFlow:       /* does not exist on 82557 */
   1471    case SCBFlow + 1:
   1472    case SCBFlow + 2:
   1473    case SCBpmdr:       /* does not exist on 82557 */
   1474        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1475        break;
   1476    case SCBeeprom:
   1477        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1478        eepro100_write_eeprom(s->eeprom, val);
   1479        break;
   1480    case SCBCtrlMDI:
   1481    case SCBCtrlMDI + 1:
   1482    case SCBCtrlMDI + 2:
   1483        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1484        break;
   1485    case SCBCtrlMDI + 3:
   1486        TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
   1487        eepro100_write_mdi(s);
   1488        break;
   1489    default:
   1490        logout("addr=%s val=0x%02x\n", regname(addr), val);
   1491        missing("unknown byte write");
   1492    }
   1493}
   1494
   1495static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
   1496{
   1497    /* SCBStatus is readonly. */
   1498    if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
   1499        e100_write_reg2(s, addr, val);
   1500    }
   1501
   1502    switch (addr) {
   1503    case SCBStatus:
   1504        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1505        s->mem[SCBAck] = (val >> 8);
   1506        eepro100_acknowledge(s);
   1507        break;
   1508    case SCBCmd:
   1509        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1510        eepro100_write_command(s, val);
   1511        eepro100_write1(s, SCBIntmask, val >> 8);
   1512        break;
   1513    case SCBPointer:
   1514    case SCBPointer + 2:
   1515        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1516        break;
   1517    case SCBPort:
   1518        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1519        break;
   1520    case SCBPort + 2:
   1521        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1522        eepro100_write_port(s);
   1523        break;
   1524    case SCBeeprom:
   1525        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1526        eepro100_write_eeprom(s->eeprom, val);
   1527        break;
   1528    case SCBCtrlMDI:
   1529        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1530        break;
   1531    case SCBCtrlMDI + 2:
   1532        TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
   1533        eepro100_write_mdi(s);
   1534        break;
   1535    default:
   1536        logout("addr=%s val=0x%04x\n", regname(addr), val);
   1537        missing("unknown word write");
   1538    }
   1539}
   1540
   1541static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
   1542{
   1543    if (addr <= sizeof(s->mem) - sizeof(val)) {
   1544        e100_write_reg4(s, addr, val);
   1545    }
   1546
   1547    switch (addr) {
   1548    case SCBPointer:
   1549        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1550        break;
   1551    case SCBPort:
   1552        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1553        eepro100_write_port(s);
   1554        break;
   1555    case SCBflash:
   1556        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1557        val = val >> 16;
   1558        eepro100_write_eeprom(s->eeprom, val);
   1559        break;
   1560    case SCBCtrlMDI:
   1561        TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
   1562        eepro100_write_mdi(s);
   1563        break;
   1564    default:
   1565        logout("addr=%s val=0x%08x\n", regname(addr), val);
   1566        missing("unknown longword write");
   1567    }
   1568}
   1569
   1570static uint64_t eepro100_read(void *opaque, hwaddr addr,
   1571                              unsigned size)
   1572{
   1573    EEPRO100State *s = opaque;
   1574
   1575    switch (size) {
   1576    case 1: return eepro100_read1(s, addr);
   1577    case 2: return eepro100_read2(s, addr);
   1578    case 4: return eepro100_read4(s, addr);
   1579    default: abort();
   1580    }
   1581}
   1582
   1583static void eepro100_write(void *opaque, hwaddr addr,
   1584                           uint64_t data, unsigned size)
   1585{
   1586    EEPRO100State *s = opaque;
   1587
   1588    switch (size) {
   1589    case 1:
   1590        eepro100_write1(s, addr, data);
   1591        break;
   1592    case 2:
   1593        eepro100_write2(s, addr, data);
   1594        break;
   1595    case 4:
   1596        eepro100_write4(s, addr, data);
   1597        break;
   1598    default:
   1599        abort();
   1600    }
   1601}
   1602
   1603static const MemoryRegionOps eepro100_ops = {
   1604    .read = eepro100_read,
   1605    .write = eepro100_write,
   1606    .endianness = DEVICE_LITTLE_ENDIAN,
   1607};
   1608
   1609static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
   1610{
   1611    /* TODO:
   1612     * - Magic packets should set bit 30 in power management driver register.
   1613     * - Interesting packets should set bit 29 in power management driver register.
   1614     */
   1615    EEPRO100State *s = qemu_get_nic_opaque(nc);
   1616    uint16_t rfd_status = 0xa000;
   1617#if defined(CONFIG_PAD_RECEIVED_FRAMES)
   1618    uint8_t min_buf[60];
   1619#endif
   1620    static const uint8_t broadcast_macaddr[6] =
   1621        { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
   1622
   1623#if defined(CONFIG_PAD_RECEIVED_FRAMES)
   1624    /* Pad to minimum Ethernet frame length */
   1625    if (size < sizeof(min_buf)) {
   1626        memcpy(min_buf, buf, size);
   1627        memset(&min_buf[size], 0, sizeof(min_buf) - size);
   1628        buf = min_buf;
   1629        size = sizeof(min_buf);
   1630    }
   1631#endif
   1632
   1633    if (s->configuration[8] & 0x80) {
   1634        /* CSMA is disabled. */
   1635        logout("%p received while CSMA is disabled\n", s);
   1636        return -1;
   1637#if !defined(CONFIG_PAD_RECEIVED_FRAMES)
   1638    } else if (size < 64 && (s->configuration[7] & BIT(0))) {
   1639        /* Short frame and configuration byte 7/0 (discard short receive) set:
   1640         * Short frame is discarded */
   1641        logout("%p received short frame (%zu byte)\n", s, size);
   1642        s->statistics.rx_short_frame_errors++;
   1643        return -1;
   1644#endif
   1645    } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
   1646        /* Long frame and configuration byte 18/3 (long receive ok) not set:
   1647         * Long frames are discarded. */
   1648        logout("%p received long frame (%zu byte), ignored\n", s, size);
   1649        return -1;
   1650    } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
   1651        /* Frame matches individual address. */
   1652        /* TODO: check configuration byte 15/4 (ignore U/L). */
   1653        TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
   1654    } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
   1655        /* Broadcast frame. */
   1656        TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
   1657        rfd_status |= 0x0002;
   1658    } else if (buf[0] & 0x01) {
   1659        /* Multicast frame. */
   1660        TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
   1661        if (s->configuration[21] & BIT(3)) {
   1662          /* Multicast all bit is set, receive all multicast frames. */
   1663        } else {
   1664          unsigned mcast_idx = (net_crc32(buf, ETH_ALEN) & BITS(7, 2)) >> 2;
   1665          assert(mcast_idx < 64);
   1666          if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
   1667            /* Multicast frame is allowed in hash table. */
   1668          } else if (s->configuration[15] & BIT(0)) {
   1669              /* Promiscuous: receive all. */
   1670              rfd_status |= 0x0004;
   1671          } else {
   1672              TRACE(RXTX, logout("%p multicast ignored\n", s));
   1673              return -1;
   1674          }
   1675        }
   1676        /* TODO: Next not for promiscuous mode? */
   1677        rfd_status |= 0x0002;
   1678    } else if (s->configuration[15] & BIT(0)) {
   1679        /* Promiscuous: receive all. */
   1680        TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
   1681        rfd_status |= 0x0004;
   1682    } else if (s->configuration[20] & BIT(6)) {
   1683        /* Multiple IA bit set. */
   1684        unsigned mcast_idx = net_crc32(buf, ETH_ALEN) >> 26;
   1685        assert(mcast_idx < 64);
   1686        if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
   1687            TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
   1688        } else {
   1689            TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
   1690            return -1;
   1691        }
   1692    } else {
   1693        TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
   1694              nic_dump(buf, size)));
   1695        return size;
   1696    }
   1697
   1698    if (get_ru_state(s) != ru_ready) {
   1699        /* No resources available. */
   1700        logout("no resources, state=%u\n", get_ru_state(s));
   1701        /* TODO: RNR interrupt only at first failed frame? */
   1702        eepro100_rnr_interrupt(s);
   1703        s->statistics.rx_resource_errors++;
   1704#if 0
   1705        assert(!"no resources");
   1706#endif
   1707        return -1;
   1708    }
   1709    /* !!! */
   1710    eepro100_rx_t rx;
   1711    pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
   1712                 &rx, sizeof(eepro100_rx_t));
   1713    uint16_t rfd_command = le16_to_cpu(rx.command);
   1714    uint16_t rfd_size = le16_to_cpu(rx.size);
   1715
   1716    if (size > rfd_size) {
   1717        logout("Receive buffer (%" PRId16 " bytes) too small for data "
   1718            "(%zu bytes); data truncated\n", rfd_size, size);
   1719        size = rfd_size;
   1720    }
   1721#if !defined(CONFIG_PAD_RECEIVED_FRAMES)
   1722    if (size < 64) {
   1723        rfd_status |= 0x0080;
   1724    }
   1725#endif
   1726    TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
   1727          rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
   1728    stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
   1729                offsetof(eepro100_rx_t, status), rfd_status);
   1730    stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
   1731                offsetof(eepro100_rx_t, count), size);
   1732    /* Early receive interrupt not supported. */
   1733#if 0
   1734    eepro100_er_interrupt(s);
   1735#endif
   1736    /* Receive CRC Transfer not supported. */
   1737    if (s->configuration[18] & BIT(2)) {
   1738        missing("Receive CRC Transfer");
   1739        return -1;
   1740    }
   1741    /* TODO: check stripping enable bit. */
   1742#if 0
   1743    assert(!(s->configuration[17] & BIT(0)));
   1744#endif
   1745    pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
   1746                  sizeof(eepro100_rx_t), buf, size);
   1747    s->statistics.rx_good_frames++;
   1748    eepro100_fr_interrupt(s);
   1749    s->ru_offset = le32_to_cpu(rx.link);
   1750    if (rfd_command & COMMAND_EL) {
   1751        /* EL bit is set, so this was the last frame. */
   1752        logout("receive: Running out of frames\n");
   1753        set_ru_state(s, ru_no_resources);
   1754        eepro100_rnr_interrupt(s);
   1755    }
   1756    if (rfd_command & COMMAND_S) {
   1757        /* S bit is set. */
   1758        set_ru_state(s, ru_suspended);
   1759    }
   1760    return size;
   1761}
   1762
   1763static const VMStateDescription vmstate_eepro100 = {
   1764    .version_id = 3,
   1765    .minimum_version_id = 2,
   1766    .fields = (VMStateField[]) {
   1767        VMSTATE_PCI_DEVICE(dev, EEPRO100State),
   1768        VMSTATE_UNUSED(32),
   1769        VMSTATE_BUFFER(mult, EEPRO100State),
   1770        VMSTATE_BUFFER(mem, EEPRO100State),
   1771        /* Save all members of struct between scb_stat and mem. */
   1772        VMSTATE_UINT8(scb_stat, EEPRO100State),
   1773        VMSTATE_UINT8(int_stat, EEPRO100State),
   1774        VMSTATE_UNUSED(3*4),
   1775        VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
   1776        VMSTATE_UNUSED(19*4),
   1777        VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
   1778        /* The eeprom should be saved and restored by its own routines. */
   1779        VMSTATE_UINT32(device, EEPRO100State),
   1780        /* TODO check device. */
   1781        VMSTATE_UINT32(cu_base, EEPRO100State),
   1782        VMSTATE_UINT32(cu_offset, EEPRO100State),
   1783        VMSTATE_UINT32(ru_base, EEPRO100State),
   1784        VMSTATE_UINT32(ru_offset, EEPRO100State),
   1785        VMSTATE_UINT32(statsaddr, EEPRO100State),
   1786        /* Save eepro100_stats_t statistics. */
   1787        VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
   1788        VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
   1789        VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
   1790        VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
   1791        VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
   1792        VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
   1793        VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
   1794        VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
   1795        VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
   1796        VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
   1797        VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
   1798        VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
   1799        VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
   1800        VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
   1801        VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
   1802        VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
   1803        VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
   1804        VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
   1805        VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
   1806        VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
   1807        VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
   1808        /* Configuration bytes. */
   1809        VMSTATE_BUFFER(configuration, EEPRO100State),
   1810        VMSTATE_END_OF_LIST()
   1811    }
   1812};
   1813
   1814static void pci_nic_uninit(PCIDevice *pci_dev)
   1815{
   1816    EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
   1817
   1818    vmstate_unregister(VMSTATE_IF(&pci_dev->qdev), s->vmstate, s);
   1819    g_free(s->vmstate);
   1820    eeprom93xx_free(&pci_dev->qdev, s->eeprom);
   1821    qemu_del_nic(s->nic);
   1822}
   1823
   1824static NetClientInfo net_eepro100_info = {
   1825    .type = NET_CLIENT_DRIVER_NIC,
   1826    .size = sizeof(NICState),
   1827    .receive = nic_receive,
   1828};
   1829
   1830static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
   1831{
   1832    EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
   1833    E100PCIDeviceInfo *info = eepro100_get_class(s);
   1834    Error *local_err = NULL;
   1835
   1836    TRACE(OTHER, logout("\n"));
   1837
   1838    s->device = info->device;
   1839
   1840    e100_pci_reset(s, &local_err);
   1841    if (local_err) {
   1842        error_propagate(errp, local_err);
   1843        return;
   1844    }
   1845
   1846    /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
   1847     * i82559 and later support 64 or 256 word EEPROM. */
   1848    s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
   1849
   1850    /* Handler for memory-mapped I/O */
   1851    memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
   1852                          "eepro100-mmio", PCI_MEM_SIZE);
   1853    pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
   1854    memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
   1855                          "eepro100-io", PCI_IO_SIZE);
   1856    pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
   1857    /* FIXME: flash aliases to mmio?! */
   1858    memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
   1859                          "eepro100-flash", PCI_FLASH_SIZE);
   1860    pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
   1861
   1862    qemu_macaddr_default_if_unset(&s->conf.macaddr);
   1863    logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
   1864
   1865    nic_reset(s);
   1866
   1867    s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
   1868                          object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
   1869
   1870    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
   1871    TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
   1872
   1873    qemu_register_reset(nic_reset, s);
   1874
   1875    s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
   1876    s->vmstate->name = qemu_get_queue(s->nic)->model;
   1877    vmstate_register(VMSTATE_IF(&pci_dev->qdev), VMSTATE_INSTANCE_ID_ANY,
   1878                     s->vmstate, s);
   1879}
   1880
   1881static void eepro100_instance_init(Object *obj)
   1882{
   1883    EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
   1884    device_add_bootindex_property(obj, &s->conf.bootindex,
   1885                                  "bootindex", "/ethernet-phy@0",
   1886                                  DEVICE(s));
   1887}
   1888
   1889static E100PCIDeviceInfo e100_devices[] = {
   1890    {
   1891        .name = "i82550",
   1892        .desc = "Intel i82550 Ethernet",
   1893        .device = i82550,
   1894        /* TODO: check device id. */
   1895        .device_id = PCI_DEVICE_ID_INTEL_82551IT,
   1896        /* Revision ID: 0x0c, 0x0d, 0x0e. */
   1897        .revision = 0x0e,
   1898        /* TODO: check size of statistical counters. */
   1899        .stats_size = 80,
   1900        /* TODO: check extended tcb support. */
   1901        .has_extended_tcb_support = true,
   1902        .power_management = true,
   1903    },{
   1904        .name = "i82551",
   1905        .desc = "Intel i82551 Ethernet",
   1906        .device = i82551,
   1907        .device_id = PCI_DEVICE_ID_INTEL_82551IT,
   1908        /* Revision ID: 0x0f, 0x10. */
   1909        .revision = 0x0f,
   1910        /* TODO: check size of statistical counters. */
   1911        .stats_size = 80,
   1912        .has_extended_tcb_support = true,
   1913        .power_management = true,
   1914    },{
   1915        .name = "i82557a",
   1916        .desc = "Intel i82557A Ethernet",
   1917        .device = i82557A,
   1918        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1919        .revision = 0x01,
   1920        .power_management = false,
   1921    },{
   1922        .name = "i82557b",
   1923        .desc = "Intel i82557B Ethernet",
   1924        .device = i82557B,
   1925        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1926        .revision = 0x02,
   1927        .power_management = false,
   1928    },{
   1929        .name = "i82557c",
   1930        .desc = "Intel i82557C Ethernet",
   1931        .device = i82557C,
   1932        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1933        .revision = 0x03,
   1934        .power_management = false,
   1935    },{
   1936        .name = "i82558a",
   1937        .desc = "Intel i82558A Ethernet",
   1938        .device = i82558A,
   1939        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1940        .revision = 0x04,
   1941        .stats_size = 76,
   1942        .has_extended_tcb_support = true,
   1943        .power_management = true,
   1944    },{
   1945        .name = "i82558b",
   1946        .desc = "Intel i82558B Ethernet",
   1947        .device = i82558B,
   1948        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1949        .revision = 0x05,
   1950        .stats_size = 76,
   1951        .has_extended_tcb_support = true,
   1952        .power_management = true,
   1953    },{
   1954        .name = "i82559a",
   1955        .desc = "Intel i82559A Ethernet",
   1956        .device = i82559A,
   1957        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1958        .revision = 0x06,
   1959        .stats_size = 80,
   1960        .has_extended_tcb_support = true,
   1961        .power_management = true,
   1962    },{
   1963        .name = "i82559b",
   1964        .desc = "Intel i82559B Ethernet",
   1965        .device = i82559B,
   1966        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1967        .revision = 0x07,
   1968        .stats_size = 80,
   1969        .has_extended_tcb_support = true,
   1970        .power_management = true,
   1971    },{
   1972        .name = "i82559c",
   1973        .desc = "Intel i82559C Ethernet",
   1974        .device = i82559C,
   1975        .device_id = PCI_DEVICE_ID_INTEL_82557,
   1976#if 0
   1977        .revision = 0x08,
   1978#endif
   1979        /* TODO: Windows wants revision id 0x0c. */
   1980        .revision = 0x0c,
   1981#if EEPROM_SIZE > 0
   1982        .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
   1983        .subsystem_id = 0x0040,
   1984#endif
   1985        .stats_size = 80,
   1986        .has_extended_tcb_support = true,
   1987        .power_management = true,
   1988    },{
   1989        .name = "i82559er",
   1990        .desc = "Intel i82559ER Ethernet",
   1991        .device = i82559ER,
   1992        .device_id = PCI_DEVICE_ID_INTEL_82551IT,
   1993        .revision = 0x09,
   1994        .stats_size = 80,
   1995        .has_extended_tcb_support = true,
   1996        .power_management = true,
   1997    },{
   1998        .name = "i82562",
   1999        .desc = "Intel i82562 Ethernet",
   2000        .device = i82562,
   2001        /* TODO: check device id. */
   2002        .device_id = PCI_DEVICE_ID_INTEL_82551IT,
   2003        /* TODO: wrong revision id. */
   2004        .revision = 0x0e,
   2005        .stats_size = 80,
   2006        .has_extended_tcb_support = true,
   2007        .power_management = true,
   2008    },{
   2009        /* Toshiba Tecra 8200. */
   2010        .name = "i82801",
   2011        .desc = "Intel i82801 Ethernet",
   2012        .device = i82801,
   2013        .device_id = 0x2449,
   2014        .revision = 0x03,
   2015        .stats_size = 80,
   2016        .has_extended_tcb_support = true,
   2017        .power_management = true,
   2018    }
   2019};
   2020
   2021static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
   2022{
   2023    E100PCIDeviceInfo *info = NULL;
   2024    int i;
   2025
   2026    /* This is admittedly awkward but also temporary.  QOM allows for
   2027     * parameterized typing and for subclassing both of which would suitable
   2028     * handle what's going on here.  But class_data is already being used as
   2029     * a stop-gap hack to allow incremental qdev conversion so we cannot use it
   2030     * right now.  Once we merge the final QOM series, we can come back here and
   2031     * do this in a much more elegant fashion.
   2032     */
   2033    for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
   2034        if (strcmp(e100_devices[i].name, typename) == 0) {
   2035            info = &e100_devices[i];
   2036            break;
   2037        }
   2038    }
   2039    assert(info != NULL);
   2040
   2041    return info;
   2042}
   2043
   2044static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
   2045{
   2046    return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
   2047}
   2048
   2049static Property e100_properties[] = {
   2050    DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
   2051    DEFINE_PROP_END_OF_LIST(),
   2052};
   2053
   2054static void eepro100_class_init(ObjectClass *klass, void *data)
   2055{
   2056    DeviceClass *dc = DEVICE_CLASS(klass);
   2057    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
   2058    E100PCIDeviceInfo *info;
   2059
   2060    info = eepro100_get_class_by_name(object_class_get_name(klass));
   2061
   2062    set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
   2063    device_class_set_props(dc, e100_properties);
   2064    dc->desc = info->desc;
   2065    k->vendor_id = PCI_VENDOR_ID_INTEL;
   2066    k->class_id = PCI_CLASS_NETWORK_ETHERNET;
   2067    k->romfile = "pxe-eepro100.rom";
   2068    k->realize = e100_nic_realize;
   2069    k->exit = pci_nic_uninit;
   2070    k->device_id = info->device_id;
   2071    k->revision = info->revision;
   2072    k->subsystem_vendor_id = info->subsystem_vendor_id;
   2073    k->subsystem_id = info->subsystem_id;
   2074}
   2075
   2076static void eepro100_register_types(void)
   2077{
   2078    size_t i;
   2079    for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
   2080        TypeInfo type_info = {};
   2081        E100PCIDeviceInfo *info = &e100_devices[i];
   2082
   2083        type_info.name = info->name;
   2084        type_info.parent = TYPE_PCI_DEVICE;
   2085        type_info.class_init = eepro100_class_init;
   2086        type_info.instance_size = sizeof(EEPRO100State);
   2087        type_info.instance_init = eepro100_instance_init;
   2088        type_info.interfaces = (InterfaceInfo[]) {
   2089            { INTERFACE_CONVENTIONAL_PCI_DEVICE },
   2090            { },
   2091        };
   2092
   2093        type_register(&type_info);
   2094    }
   2095}
   2096
   2097type_init(eepro100_register_types)