cachepc-qemu

Fork of AMDESE/qemu with changes for cachepc side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-qemu
Log | Files | Refs | Submodules | LICENSE | sfeed.txt

tulip.c (28059B)


      1/*
      2 * QEMU TULIP Emulation
      3 *
      4 * Copyright (c) 2019 Sven Schnelle <svens@stackframe.org>
      5 *
      6 * This work is licensed under the GNU GPL license version 2 or later.
      7 */
      8
      9#include "qemu/osdep.h"
     10#include "qemu/log.h"
     11#include "hw/irq.h"
     12#include "hw/pci/pci.h"
     13#include "hw/qdev-properties.h"
     14#include "hw/nvram/eeprom93xx.h"
     15#include "migration/vmstate.h"
     16#include "sysemu/sysemu.h"
     17#include "tulip.h"
     18#include "trace.h"
     19#include "net/eth.h"
     20
     21struct TULIPState {
     22    PCIDevice dev;
     23    MemoryRegion io;
     24    MemoryRegion memory;
     25    NICConf c;
     26    qemu_irq irq;
     27    NICState *nic;
     28    eeprom_t *eeprom;
     29    uint32_t csr[16];
     30
     31    /* state for MII */
     32    uint32_t old_csr9;
     33    uint32_t mii_word;
     34    uint32_t mii_bitcnt;
     35
     36    hwaddr current_rx_desc;
     37    hwaddr current_tx_desc;
     38
     39    uint8_t rx_frame[2048];
     40    uint8_t tx_frame[2048];
     41    uint16_t tx_frame_len;
     42    uint16_t rx_frame_len;
     43    uint16_t rx_frame_size;
     44
     45    uint32_t rx_status;
     46    uint8_t filter[16][6];
     47};
     48
     49static const VMStateDescription vmstate_pci_tulip = {
     50    .name = "tulip",
     51    .fields = (VMStateField[]) {
     52        VMSTATE_PCI_DEVICE(dev, TULIPState),
     53        VMSTATE_UINT32_ARRAY(csr, TULIPState, 16),
     54        VMSTATE_UINT32(old_csr9, TULIPState),
     55        VMSTATE_UINT32(mii_word, TULIPState),
     56        VMSTATE_UINT32(mii_bitcnt, TULIPState),
     57        VMSTATE_UINT64(current_rx_desc, TULIPState),
     58        VMSTATE_UINT64(current_tx_desc, TULIPState),
     59        VMSTATE_BUFFER(rx_frame, TULIPState),
     60        VMSTATE_BUFFER(tx_frame, TULIPState),
     61        VMSTATE_UINT16(rx_frame_len, TULIPState),
     62        VMSTATE_UINT16(tx_frame_len, TULIPState),
     63        VMSTATE_UINT16(rx_frame_size, TULIPState),
     64        VMSTATE_UINT32(rx_status, TULIPState),
     65        VMSTATE_UINT8_2DARRAY(filter, TULIPState, 16, 6),
     66        VMSTATE_END_OF_LIST()
     67    }
     68};
     69
     70static void tulip_desc_read(TULIPState *s, hwaddr p,
     71        struct tulip_descriptor *desc)
     72{
     73    if (s->csr[0] & CSR0_DBO) {
     74        desc->status = ldl_be_pci_dma(&s->dev, p);
     75        desc->control = ldl_be_pci_dma(&s->dev, p + 4);
     76        desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8);
     77        desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12);
     78    } else {
     79        desc->status = ldl_le_pci_dma(&s->dev, p);
     80        desc->control = ldl_le_pci_dma(&s->dev, p + 4);
     81        desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8);
     82        desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12);
     83    }
     84}
     85
     86static void tulip_desc_write(TULIPState *s, hwaddr p,
     87        struct tulip_descriptor *desc)
     88{
     89    if (s->csr[0] & CSR0_DBO) {
     90        stl_be_pci_dma(&s->dev, p, desc->status);
     91        stl_be_pci_dma(&s->dev, p + 4, desc->control);
     92        stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1);
     93        stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2);
     94    } else {
     95        stl_le_pci_dma(&s->dev, p, desc->status);
     96        stl_le_pci_dma(&s->dev, p + 4, desc->control);
     97        stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1);
     98        stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2);
     99    }
    100}
    101
    102static void tulip_update_int(TULIPState *s)
    103{
    104    uint32_t ie = s->csr[5] & s->csr[7];
    105    bool assert = false;
    106
    107    s->csr[5] &= ~(CSR5_AIS | CSR5_NIS);
    108
    109    if (ie & (CSR5_TI | CSR5_TU | CSR5_RI | CSR5_GTE | CSR5_ERI)) {
    110        s->csr[5] |= CSR5_NIS;
    111    }
    112
    113    if (ie & (CSR5_LC | CSR5_GPI | CSR5_FBE | CSR5_LNF | CSR5_ETI | CSR5_RWT |
    114              CSR5_RPS | CSR5_RU | CSR5_UNF | CSR5_LNP_ANC | CSR5_TJT |
    115              CSR5_TPS)) {
    116        s->csr[5] |= CSR5_AIS;
    117    }
    118
    119    assert = s->csr[5] & s->csr[7] & (CSR5_AIS | CSR5_NIS);
    120    trace_tulip_irq(s->csr[5], s->csr[7], assert ? "assert" : "deassert");
    121    qemu_set_irq(s->irq, assert);
    122}
    123
    124static bool tulip_rx_stopped(TULIPState *s)
    125{
    126    return ((s->csr[5] >> CSR5_RS_SHIFT) & CSR5_RS_MASK) == CSR5_RS_STOPPED;
    127}
    128
    129static void tulip_dump_tx_descriptor(TULIPState *s,
    130        struct tulip_descriptor *desc)
    131{
    132    trace_tulip_descriptor("TX ", s->current_tx_desc,
    133                desc->status, desc->control >> 22,
    134                desc->control & 0x7ff, (desc->control >> 11) & 0x7ff,
    135                desc->buf_addr1, desc->buf_addr2);
    136}
    137
    138static void tulip_dump_rx_descriptor(TULIPState *s,
    139        struct tulip_descriptor *desc)
    140{
    141    trace_tulip_descriptor("RX ", s->current_rx_desc,
    142                desc->status, desc->control >> 22,
    143                desc->control & 0x7ff, (desc->control >> 11) & 0x7ff,
    144                desc->buf_addr1, desc->buf_addr2);
    145}
    146
    147static void tulip_next_rx_descriptor(TULIPState *s,
    148    struct tulip_descriptor *desc)
    149{
    150    if (desc->control & RDES1_RER) {
    151        s->current_rx_desc = s->csr[3];
    152    } else if (desc->control & RDES1_RCH) {
    153        s->current_rx_desc = desc->buf_addr2;
    154    } else {
    155        s->current_rx_desc += sizeof(struct tulip_descriptor) +
    156                (((s->csr[0] >> CSR0_DSL_SHIFT) & CSR0_DSL_MASK) << 2);
    157    }
    158    s->current_rx_desc &= ~3ULL;
    159}
    160
    161static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
    162{
    163    int len1 = (desc->control >> RDES1_BUF1_SIZE_SHIFT) & RDES1_BUF1_SIZE_MASK;
    164    int len2 = (desc->control >> RDES1_BUF2_SIZE_SHIFT) & RDES1_BUF2_SIZE_MASK;
    165    int len;
    166
    167    if (s->rx_frame_len && len1) {
    168        if (s->rx_frame_len > len1) {
    169            len = len1;
    170        } else {
    171            len = s->rx_frame_len;
    172        }
    173
    174        pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
    175            (s->rx_frame_size - s->rx_frame_len), len);
    176        s->rx_frame_len -= len;
    177    }
    178
    179    if (s->rx_frame_len && len2) {
    180        if (s->rx_frame_len > len2) {
    181            len = len2;
    182        } else {
    183            len = s->rx_frame_len;
    184        }
    185
    186        pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
    187            (s->rx_frame_size - s->rx_frame_len), len);
    188        s->rx_frame_len -= len;
    189    }
    190}
    191
    192static bool tulip_filter_address(TULIPState *s, const uint8_t *addr)
    193{
    194    static const char broadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    195    bool ret = false;
    196    int i;
    197
    198    for (i = 0; i < 16 && ret == false; i++) {
    199        if (!memcmp(&s->filter[i], addr, ETH_ALEN)) {
    200            ret = true;
    201        }
    202    }
    203
    204    if (!memcmp(addr, broadcast, ETH_ALEN)) {
    205        return true;
    206    }
    207
    208    if (s->csr[6] & (CSR6_PR | CSR6_RA)) {
    209        /* Promiscuous mode enabled */
    210        s->rx_status |= RDES0_FF;
    211        return true;
    212    }
    213
    214    if ((s->csr[6] & CSR6_PM) && (addr[0] & 1)) {
    215        /* Pass all Multicast enabled */
    216        s->rx_status |= RDES0_MF;
    217        return true;
    218    }
    219
    220    if (s->csr[6] & CSR6_IF) {
    221        ret ^= true;
    222    }
    223    return ret;
    224}
    225
    226static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size)
    227{
    228    struct tulip_descriptor desc;
    229
    230    trace_tulip_receive(buf, size);
    231
    232    if (size < 14 || size > sizeof(s->rx_frame) - 4
    233        || s->rx_frame_len || tulip_rx_stopped(s)) {
    234        return 0;
    235    }
    236
    237    if (!tulip_filter_address(s, buf)) {
    238        return size;
    239    }
    240
    241    do {
    242        tulip_desc_read(s, s->current_rx_desc, &desc);
    243        tulip_dump_rx_descriptor(s, &desc);
    244
    245        if (!(desc.status & RDES0_OWN)) {
    246            s->csr[5] |= CSR5_RU;
    247            tulip_update_int(s);
    248            return s->rx_frame_size - s->rx_frame_len;
    249        }
    250        desc.status = 0;
    251
    252        if (!s->rx_frame_len) {
    253            s->rx_frame_size = size + 4;
    254            s->rx_status = RDES0_LS |
    255                 ((s->rx_frame_size & RDES0_FL_MASK) << RDES0_FL_SHIFT);
    256            desc.status |= RDES0_FS;
    257            memcpy(s->rx_frame, buf, size);
    258            s->rx_frame_len = s->rx_frame_size;
    259        }
    260
    261        tulip_copy_rx_bytes(s, &desc);
    262
    263        if (!s->rx_frame_len) {
    264            desc.status |= s->rx_status;
    265            s->csr[5] |= CSR5_RI;
    266            tulip_update_int(s);
    267        }
    268        tulip_dump_rx_descriptor(s, &desc);
    269        tulip_desc_write(s, s->current_rx_desc, &desc);
    270        tulip_next_rx_descriptor(s, &desc);
    271    } while (s->rx_frame_len);
    272    return size;
    273}
    274
    275static ssize_t tulip_receive_nc(NetClientState *nc,
    276                             const uint8_t *buf, size_t size)
    277{
    278    return tulip_receive(qemu_get_nic_opaque(nc), buf, size);
    279}
    280
    281static NetClientInfo net_tulip_info = {
    282    .type = NET_CLIENT_DRIVER_NIC,
    283    .size = sizeof(NICState),
    284    .receive = tulip_receive_nc,
    285};
    286
    287static const char *tulip_reg_name(const hwaddr addr)
    288{
    289    switch (addr) {
    290    case CSR(0):
    291        return "CSR0";
    292
    293    case CSR(1):
    294        return "CSR1";
    295
    296    case CSR(2):
    297        return "CSR2";
    298
    299    case CSR(3):
    300        return "CSR3";
    301
    302    case CSR(4):
    303        return "CSR4";
    304
    305    case CSR(5):
    306        return "CSR5";
    307
    308    case CSR(6):
    309        return "CSR6";
    310
    311    case CSR(7):
    312        return "CSR7";
    313
    314    case CSR(8):
    315        return "CSR8";
    316
    317    case CSR(9):
    318        return "CSR9";
    319
    320    case CSR(10):
    321        return "CSR10";
    322
    323    case CSR(11):
    324        return "CSR11";
    325
    326    case CSR(12):
    327        return "CSR12";
    328
    329    case CSR(13):
    330        return "CSR13";
    331
    332    case CSR(14):
    333        return "CSR14";
    334
    335    case CSR(15):
    336        return "CSR15";
    337
    338    default:
    339        break;
    340    }
    341    return "";
    342}
    343
    344static const char *tulip_rx_state_name(int state)
    345{
    346    switch (state) {
    347    case CSR5_RS_STOPPED:
    348        return "STOPPED";
    349
    350    case CSR5_RS_RUNNING_FETCH:
    351        return "RUNNING/FETCH";
    352
    353    case CSR5_RS_RUNNING_CHECK_EOR:
    354        return "RUNNING/CHECK EOR";
    355
    356    case CSR5_RS_RUNNING_WAIT_RECEIVE:
    357        return "WAIT RECEIVE";
    358
    359    case CSR5_RS_SUSPENDED:
    360        return "SUSPENDED";
    361
    362    case CSR5_RS_RUNNING_CLOSE:
    363        return "RUNNING/CLOSE";
    364
    365    case CSR5_RS_RUNNING_FLUSH:
    366        return "RUNNING/FLUSH";
    367
    368    case CSR5_RS_RUNNING_QUEUE:
    369        return "RUNNING/QUEUE";
    370
    371    default:
    372        break;
    373    }
    374    return "";
    375}
    376
    377static const char *tulip_tx_state_name(int state)
    378{
    379    switch (state) {
    380    case CSR5_TS_STOPPED:
    381        return "STOPPED";
    382
    383    case CSR5_TS_RUNNING_FETCH:
    384        return "RUNNING/FETCH";
    385
    386    case CSR5_TS_RUNNING_WAIT_EOT:
    387        return "RUNNING/WAIT EOT";
    388
    389    case CSR5_TS_RUNNING_READ_BUF:
    390        return "RUNNING/READ BUF";
    391
    392    case CSR5_TS_RUNNING_SETUP:
    393        return "RUNNING/SETUP";
    394
    395    case CSR5_TS_SUSPENDED:
    396        return "SUSPENDED";
    397
    398    case CSR5_TS_RUNNING_CLOSE:
    399        return "RUNNING/CLOSE";
    400
    401    default:
    402        break;
    403    }
    404    return "";
    405}
    406
    407static void tulip_update_rs(TULIPState *s, int state)
    408{
    409    s->csr[5] &= ~(CSR5_RS_MASK << CSR5_RS_SHIFT);
    410    s->csr[5] |= (state & CSR5_RS_MASK) << CSR5_RS_SHIFT;
    411    trace_tulip_rx_state(tulip_rx_state_name(state));
    412}
    413
    414static uint16_t tulip_mdi_default[] = {
    415    /* MDI Registers 0 - 6, 7 */
    416    0x3100, 0xf02c, 0x7810, 0x0000, 0x0501, 0x4181, 0x0000, 0x0000,
    417    /* MDI Registers 8 - 15 */
    418    0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    419    /* MDI Registers 16 - 31 */
    420    0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    421    0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    422};
    423
    424/* Readonly mask for MDI (PHY) registers */
    425static const uint16_t tulip_mdi_mask[] = {
    426    0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
    427    0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    428    0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
    429    0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
    430};
    431
    432static uint16_t tulip_mii_read(TULIPState *s, int phy, int reg)
    433{
    434    uint16_t ret = 0;
    435    if (phy == 1) {
    436        ret = tulip_mdi_default[reg];
    437    }
    438    trace_tulip_mii_read(phy, reg, ret);
    439    return ret;
    440}
    441
    442static void tulip_mii_write(TULIPState *s, int phy, int reg, uint16_t data)
    443{
    444    trace_tulip_mii_write(phy, reg, data);
    445
    446    if (phy != 1) {
    447        return;
    448    }
    449
    450    tulip_mdi_default[reg] &= ~tulip_mdi_mask[reg];
    451    tulip_mdi_default[reg] |= (data & tulip_mdi_mask[reg]);
    452}
    453
    454static void tulip_mii(TULIPState *s)
    455{
    456    uint32_t changed = s->old_csr9 ^ s->csr[9];
    457    uint16_t data;
    458    int op, phy, reg;
    459
    460    if (!(changed & CSR9_MDC)) {
    461        return;
    462    }
    463
    464    if (!(s->csr[9] & CSR9_MDC)) {
    465        return;
    466    }
    467
    468    s->mii_bitcnt++;
    469    s->mii_word <<= 1;
    470
    471    if (s->csr[9] & CSR9_MDO && (s->mii_bitcnt < 16 ||
    472        !(s->csr[9] & CSR9_MII))) {
    473        /* write op or address bits */
    474        s->mii_word |= 1;
    475    }
    476
    477    if (s->mii_bitcnt >= 16 && (s->csr[9] & CSR9_MII)) {
    478        if (s->mii_word & 0x8000) {
    479            s->csr[9] |= CSR9_MDI;
    480        } else {
    481            s->csr[9] &= ~CSR9_MDI;
    482        }
    483    }
    484
    485    if (s->mii_word == 0xffffffff) {
    486        s->mii_bitcnt = 0;
    487    } else if (s->mii_bitcnt == 16) {
    488        op = (s->mii_word >> 12) & 0x0f;
    489        phy = (s->mii_word >> 7) & 0x1f;
    490        reg = (s->mii_word >> 2) & 0x1f;
    491
    492        if (op == 6) {
    493            s->mii_word = tulip_mii_read(s, phy, reg);
    494        }
    495    } else if (s->mii_bitcnt == 32) {
    496            op = (s->mii_word >> 28) & 0x0f;
    497            phy = (s->mii_word >> 23) & 0x1f;
    498            reg = (s->mii_word >> 18) & 0x1f;
    499            data = s->mii_word & 0xffff;
    500
    501        if (op == 5) {
    502            tulip_mii_write(s, phy, reg, data);
    503        }
    504    }
    505}
    506
    507static uint32_t tulip_csr9_read(TULIPState *s)
    508{
    509    if (s->csr[9] & CSR9_SR) {
    510        if (eeprom93xx_read(s->eeprom)) {
    511            s->csr[9] |= CSR9_SR_DO;
    512        } else {
    513            s->csr[9] &= ~CSR9_SR_DO;
    514        }
    515    }
    516
    517    tulip_mii(s);
    518    return s->csr[9];
    519}
    520
    521static void tulip_update_ts(TULIPState *s, int state)
    522{
    523        s->csr[5] &= ~(CSR5_TS_MASK << CSR5_TS_SHIFT);
    524        s->csr[5] |= (state & CSR5_TS_MASK) << CSR5_TS_SHIFT;
    525        trace_tulip_tx_state(tulip_tx_state_name(state));
    526}
    527
    528static uint64_t tulip_read(void *opaque, hwaddr addr,
    529                              unsigned size)
    530{
    531    TULIPState *s = opaque;
    532    uint64_t data = 0;
    533
    534    switch (addr) {
    535    case CSR(9):
    536        data = tulip_csr9_read(s);
    537        break;
    538
    539    case CSR(12):
    540        /* Fake autocompletion complete until we have PHY emulation */
    541        data = 5 << CSR12_ANS_SHIFT;
    542        break;
    543
    544    default:
    545        if (addr & 7) {
    546            qemu_log_mask(LOG_GUEST_ERROR, "%s: read access at unknown address"
    547                " 0x%"PRIx64"\n", __func__, addr);
    548        } else {
    549            data = s->csr[addr >> 3];
    550        }
    551        break;
    552    }
    553    trace_tulip_reg_read(addr, tulip_reg_name(addr), size, data);
    554    return data;
    555}
    556
    557static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
    558{
    559    if (s->tx_frame_len) {
    560        if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
    561            /* Internal or external Loopback */
    562            tulip_receive(s, s->tx_frame, s->tx_frame_len);
    563        } else if (s->tx_frame_len <= sizeof(s->tx_frame)) {
    564            qemu_send_packet(qemu_get_queue(s->nic),
    565                s->tx_frame, s->tx_frame_len);
    566        }
    567    }
    568
    569    if (desc->control & TDES1_IC) {
    570        s->csr[5] |= CSR5_TI;
    571        tulip_update_int(s);
    572    }
    573}
    574
    575static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
    576{
    577    int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
    578    int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK;
    579
    580    if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) {
    581        qemu_log_mask(LOG_GUEST_ERROR,
    582                      "%s: descriptor overflow (ofs: %u, len:%d, size:%zu)\n",
    583                      __func__, s->tx_frame_len, len1, sizeof(s->tx_frame));
    584        return -1;
    585    }
    586    if (len1) {
    587        pci_dma_read(&s->dev, desc->buf_addr1,
    588            s->tx_frame + s->tx_frame_len, len1);
    589        s->tx_frame_len += len1;
    590    }
    591
    592    if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) {
    593        qemu_log_mask(LOG_GUEST_ERROR,
    594                      "%s: descriptor overflow (ofs: %u, len:%d, size:%zu)\n",
    595                      __func__, s->tx_frame_len, len2, sizeof(s->tx_frame));
    596        return -1;
    597    }
    598    if (len2) {
    599        pci_dma_read(&s->dev, desc->buf_addr2,
    600            s->tx_frame + s->tx_frame_len, len2);
    601        s->tx_frame_len += len2;
    602    }
    603    desc->status = (len1 + len2) ? 0 : 0x7fffffff;
    604
    605    return 0;
    606}
    607
    608static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n)
    609{
    610    int offset = n * 12;
    611
    612    s->filter[n][0] = buf[offset];
    613    s->filter[n][1] = buf[offset + 1];
    614
    615    s->filter[n][2] = buf[offset + 4];
    616    s->filter[n][3] = buf[offset + 5];
    617
    618    s->filter[n][4] = buf[offset + 8];
    619    s->filter[n][5] = buf[offset + 9];
    620
    621    trace_tulip_setup_filter(n, s->filter[n][5], s->filter[n][4],
    622            s->filter[n][3], s->filter[n][2], s->filter[n][1], s->filter[n][0]);
    623}
    624
    625static void tulip_setup_frame(TULIPState *s,
    626        struct tulip_descriptor *desc)
    627{
    628    uint8_t buf[4096];
    629    int len = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
    630    int i;
    631
    632    trace_tulip_setup_frame();
    633
    634    if (len == 192) {
    635        pci_dma_read(&s->dev, desc->buf_addr1, buf, len);
    636        for (i = 0; i < 16; i++) {
    637            tulip_setup_filter_addr(s, buf, i);
    638        }
    639    }
    640
    641    desc->status = 0x7fffffff;
    642
    643    if (desc->control & TDES1_IC) {
    644        s->csr[5] |= CSR5_TI;
    645        tulip_update_int(s);
    646    }
    647}
    648
    649static void tulip_next_tx_descriptor(TULIPState *s,
    650    struct tulip_descriptor *desc)
    651{
    652    if (desc->control & TDES1_TER) {
    653        s->current_tx_desc = s->csr[4];
    654    } else if (desc->control & TDES1_TCH) {
    655        s->current_tx_desc = desc->buf_addr2;
    656    } else {
    657        s->current_tx_desc += sizeof(struct tulip_descriptor) +
    658                (((s->csr[0] >> CSR0_DSL_SHIFT) & CSR0_DSL_MASK) << 2);
    659    }
    660    s->current_tx_desc &= ~3ULL;
    661}
    662
    663static uint32_t tulip_ts(TULIPState *s)
    664{
    665    return (s->csr[5] >> CSR5_TS_SHIFT) & CSR5_TS_MASK;
    666}
    667
    668static void tulip_xmit_list_update(TULIPState *s)
    669{
    670#define TULIP_DESC_MAX 128
    671    uint8_t i = 0;
    672    struct tulip_descriptor desc;
    673
    674    if (tulip_ts(s) != CSR5_TS_SUSPENDED) {
    675        return;
    676    }
    677
    678    for (i = 0; i < TULIP_DESC_MAX; i++) {
    679        tulip_desc_read(s, s->current_tx_desc, &desc);
    680        tulip_dump_tx_descriptor(s, &desc);
    681
    682        if (!(desc.status & TDES0_OWN)) {
    683            tulip_update_ts(s, CSR5_TS_SUSPENDED);
    684            s->csr[5] |= CSR5_TU;
    685            tulip_update_int(s);
    686            return;
    687        }
    688
    689        if (desc.control & TDES1_SET) {
    690            tulip_setup_frame(s, &desc);
    691        } else {
    692            if (desc.control & TDES1_FS) {
    693                s->tx_frame_len = 0;
    694            }
    695
    696            if (!tulip_copy_tx_buffers(s, &desc)) {
    697                if (desc.control & TDES1_LS) {
    698                    tulip_tx(s, &desc);
    699                }
    700            }
    701        }
    702        tulip_desc_write(s, s->current_tx_desc, &desc);
    703        tulip_next_tx_descriptor(s, &desc);
    704    }
    705}
    706
    707static void tulip_csr9_write(TULIPState *s, uint32_t old_val,
    708        uint32_t new_val)
    709{
    710    if (new_val & CSR9_SR) {
    711        eeprom93xx_write(s->eeprom,
    712            !!(new_val & CSR9_SR_CS),
    713            !!(new_val & CSR9_SR_SK),
    714            !!(new_val & CSR9_SR_DI));
    715    }
    716}
    717
    718static void tulip_reset(TULIPState *s)
    719{
    720    trace_tulip_reset();
    721
    722    s->csr[0] = 0xfe000000;
    723    s->csr[1] = 0xffffffff;
    724    s->csr[2] = 0xffffffff;
    725    s->csr[5] = 0xf0000000;
    726    s->csr[6] = 0x32000040;
    727    s->csr[7] = 0xf3fe0000;
    728    s->csr[8] = 0xe0000000;
    729    s->csr[9] = 0xfff483ff;
    730    s->csr[11] = 0xfffe0000;
    731    s->csr[12] = 0x000000c6;
    732    s->csr[13] = 0xffff0000;
    733    s->csr[14] = 0xffffffff;
    734    s->csr[15] = 0x8ff00000;
    735}
    736
    737static void tulip_qdev_reset(DeviceState *dev)
    738{
    739    PCIDevice *d = PCI_DEVICE(dev);
    740    TULIPState *s = TULIP(d);
    741
    742    tulip_reset(s);
    743}
    744
    745static void tulip_write(void *opaque, hwaddr addr,
    746                           uint64_t data, unsigned size)
    747{
    748    TULIPState *s = opaque;
    749    trace_tulip_reg_write(addr, tulip_reg_name(addr), size, data);
    750
    751    switch (addr) {
    752    case CSR(0):
    753        s->csr[0] = data;
    754        if (data & CSR0_SWR) {
    755            tulip_reset(s);
    756            tulip_update_int(s);
    757        }
    758        break;
    759
    760    case CSR(1):
    761        tulip_xmit_list_update(s);
    762        break;
    763
    764    case CSR(2):
    765        qemu_flush_queued_packets(qemu_get_queue(s->nic));
    766        break;
    767
    768    case CSR(3):
    769        s->csr[3] = data & ~3ULL;
    770        s->current_rx_desc = s->csr[3];
    771        qemu_flush_queued_packets(qemu_get_queue(s->nic));
    772        break;
    773
    774    case CSR(4):
    775        s->csr[4] = data & ~3ULL;
    776        s->current_tx_desc = s->csr[4];
    777        tulip_xmit_list_update(s);
    778        break;
    779
    780    case CSR(5):
    781        /* Status register, write clears bit */
    782        s->csr[5] &= ~(data & (CSR5_TI | CSR5_TPS | CSR5_TU | CSR5_TJT |
    783                               CSR5_LNP_ANC | CSR5_UNF | CSR5_RI | CSR5_RU |
    784                               CSR5_RPS | CSR5_RWT | CSR5_ETI | CSR5_GTE |
    785                               CSR5_LNF | CSR5_FBE | CSR5_ERI | CSR5_AIS |
    786                               CSR5_NIS | CSR5_GPI | CSR5_LC));
    787        tulip_update_int(s);
    788        break;
    789
    790    case CSR(6):
    791        s->csr[6] = data;
    792        if (s->csr[6] & CSR6_SR) {
    793            tulip_update_rs(s, CSR5_RS_RUNNING_WAIT_RECEIVE);
    794            qemu_flush_queued_packets(qemu_get_queue(s->nic));
    795        } else {
    796            tulip_update_rs(s, CSR5_RS_STOPPED);
    797        }
    798
    799        if (s->csr[6] & CSR6_ST) {
    800            tulip_update_ts(s, CSR5_TS_SUSPENDED);
    801            tulip_xmit_list_update(s);
    802        } else {
    803            tulip_update_ts(s, CSR5_TS_STOPPED);
    804        }
    805        break;
    806
    807    case CSR(7):
    808        s->csr[7] = data;
    809        tulip_update_int(s);
    810        break;
    811
    812    case CSR(8):
    813        s->csr[9] = data;
    814        break;
    815
    816    case CSR(9):
    817        tulip_csr9_write(s, s->csr[9], data);
    818        /* don't clear MII read data */
    819        s->csr[9] &= CSR9_MDI;
    820        s->csr[9] |= (data & ~CSR9_MDI);
    821        tulip_mii(s);
    822        s->old_csr9 = s->csr[9];
    823        break;
    824
    825    case CSR(10):
    826        s->csr[10] = data;
    827        break;
    828
    829    case CSR(11):
    830        s->csr[11] = data;
    831        break;
    832
    833    case CSR(12):
    834        /* SIA Status register, some bits are cleared by writing 1 */
    835        s->csr[12] &= ~(data & (CSR12_MRA | CSR12_TRA | CSR12_ARA));
    836        break;
    837
    838    case CSR(13):
    839        s->csr[13] = data;
    840        break;
    841
    842    case CSR(14):
    843        s->csr[14] = data;
    844        break;
    845
    846    case CSR(15):
    847        s->csr[15] = data;
    848        break;
    849
    850    default:
    851        qemu_log_mask(LOG_GUEST_ERROR, "%s: write to CSR at unknown address "
    852                "0x%"PRIx64"\n", __func__, addr);
    853        break;
    854    }
    855}
    856
    857static const MemoryRegionOps tulip_ops = {
    858    .read = tulip_read,
    859    .write = tulip_write,
    860    .endianness = DEVICE_LITTLE_ENDIAN,
    861    .impl = {
    862        .min_access_size = 4,
    863        .max_access_size = 4,
    864    },
    865};
    866
    867static void tulip_idblock_crc(TULIPState *s, uint16_t *srom)
    868{
    869    int word, n;
    870    int bit;
    871    unsigned char bitval, crc;
    872    const int len = 9;
    873    n = 0;
    874    crc = -1;
    875
    876    for (word = 0; word < len; word++) {
    877        for (bit = 15; bit >= 0; bit--) {
    878            if ((word == (len - 1)) && (bit == 7)) {
    879                /*
    880                 * Insert the correct CRC result into input data stream
    881                 * in place.
    882                 */
    883                srom[len - 1] = (srom[len - 1] & 0xff00) | (unsigned short)crc;
    884                break;
    885            }
    886            n++;
    887            bitval = ((srom[word] >> bit) & 1) ^ ((crc >> 7) & 1);
    888            crc = crc << 1;
    889            if (bitval == 1) {
    890                crc ^= 6;
    891                crc |= 0x01;
    892            }
    893        }
    894    }
    895}
    896
    897static uint16_t tulip_srom_crc(TULIPState *s, uint8_t *eeprom, size_t len)
    898{
    899    unsigned long crc = 0xffffffff;
    900    unsigned long flippedcrc = 0;
    901    unsigned char currentbyte;
    902    unsigned int msb, bit, i;
    903
    904    for (i = 0; i < len; i++) {
    905        currentbyte = eeprom[i];
    906        for (bit = 0; bit < 8; bit++) {
    907            msb = (crc >> 31) & 1;
    908            crc <<= 1;
    909            if (msb ^ (currentbyte & 1)) {
    910                crc ^= 0x04c11db6;
    911                crc |= 0x00000001;
    912            }
    913            currentbyte >>= 1;
    914        }
    915    }
    916
    917    for (i = 0; i < 32; i++) {
    918        flippedcrc <<= 1;
    919        bit = crc & 1;
    920        crc >>= 1;
    921        flippedcrc += bit;
    922    }
    923    return (flippedcrc ^ 0xffffffff) & 0xffff;
    924}
    925
    926static const uint8_t eeprom_default[128] = {
    927    0x3c, 0x10, 0x4f, 0x10, 0x00, 0x00, 0x00, 0x00,
    928    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    929    0x56, 0x08, 0x04, 0x01, 0x00, 0x80, 0x48, 0xb3,
    930    0x0e, 0xa7, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x08,
    931    0x01, 0x8d, 0x03, 0x00, 0x00, 0x00, 0x00, 0x78,
    932    0xe0, 0x01, 0x00, 0x50, 0x00, 0x18, 0x00, 0x00,
    933    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    934    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    935    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    936    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    937    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    938    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe8, 0x6b,
    939    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
    940    0x48, 0xb3, 0x0e, 0xa7, 0x40, 0x00, 0x00, 0x00,
    941    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    942    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    943};
    944
    945static void tulip_fill_eeprom(TULIPState *s)
    946{
    947    uint16_t *eeprom = eeprom93xx_data(s->eeprom);
    948    memcpy(eeprom, eeprom_default, 128);
    949
    950    /* patch in our mac address */
    951    eeprom[10] = cpu_to_le16(s->c.macaddr.a[0] | (s->c.macaddr.a[1] << 8));
    952    eeprom[11] = cpu_to_le16(s->c.macaddr.a[2] | (s->c.macaddr.a[3] << 8));
    953    eeprom[12] = cpu_to_le16(s->c.macaddr.a[4] | (s->c.macaddr.a[5] << 8));
    954    tulip_idblock_crc(s, eeprom);
    955    eeprom[63] = cpu_to_le16(tulip_srom_crc(s, (uint8_t *)eeprom, 126));
    956}
    957
    958static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
    959{
    960    TULIPState *s = DO_UPCAST(TULIPState, dev, pci_dev);
    961    uint8_t *pci_conf;
    962
    963    pci_conf = s->dev.config;
    964    pci_conf[PCI_INTERRUPT_PIN] = 1; /* interrupt pin A */
    965
    966    s->eeprom = eeprom93xx_new(&pci_dev->qdev, 64);
    967    tulip_fill_eeprom(s);
    968
    969    memory_region_init_io(&s->io, OBJECT(&s->dev), &tulip_ops, s,
    970            "tulip-io", 128);
    971
    972    memory_region_init_io(&s->memory, OBJECT(&s->dev), &tulip_ops, s,
    973            "tulip-mem", 128);
    974
    975    pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io);
    976    pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->memory);
    977
    978    s->irq = pci_allocate_irq(&s->dev);
    979
    980    qemu_macaddr_default_if_unset(&s->c.macaddr);
    981
    982    s->nic = qemu_new_nic(&net_tulip_info, &s->c,
    983                          object_get_typename(OBJECT(pci_dev)),
    984                          pci_dev->qdev.id, s);
    985    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
    986}
    987
    988static void pci_tulip_exit(PCIDevice *pci_dev)
    989{
    990    TULIPState *s = DO_UPCAST(TULIPState, dev, pci_dev);
    991
    992    qemu_del_nic(s->nic);
    993    qemu_free_irq(s->irq);
    994    eeprom93xx_free(&pci_dev->qdev, s->eeprom);
    995}
    996
    997static void tulip_instance_init(Object *obj)
    998{
    999    PCIDevice *pci_dev = PCI_DEVICE(obj);
   1000    TULIPState *d = DO_UPCAST(TULIPState, dev, pci_dev);
   1001
   1002    device_add_bootindex_property(obj, &d->c.bootindex,
   1003                                  "bootindex", "/ethernet-phy@0",
   1004                                  &pci_dev->qdev);
   1005}
   1006
   1007static Property tulip_properties[] = {
   1008    DEFINE_NIC_PROPERTIES(TULIPState, c),
   1009    DEFINE_PROP_END_OF_LIST(),
   1010};
   1011
   1012static void tulip_class_init(ObjectClass *klass, void *data)
   1013{
   1014    DeviceClass *dc = DEVICE_CLASS(klass);
   1015    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
   1016
   1017    k->realize = pci_tulip_realize;
   1018    k->exit = pci_tulip_exit;
   1019    k->vendor_id = PCI_VENDOR_ID_DEC;
   1020    k->device_id = PCI_DEVICE_ID_DEC_21143;
   1021    k->subsystem_vendor_id = 0x103c;
   1022    k->subsystem_id = 0x104f;
   1023    k->class_id = PCI_CLASS_NETWORK_ETHERNET;
   1024    dc->vmsd = &vmstate_pci_tulip;
   1025    device_class_set_props(dc, tulip_properties);
   1026    dc->reset = tulip_qdev_reset;
   1027    set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
   1028}
   1029
   1030static const TypeInfo tulip_info = {
   1031    .name          = TYPE_TULIP,
   1032    .parent        = TYPE_PCI_DEVICE,
   1033    .instance_size = sizeof(TULIPState),
   1034    .class_init    = tulip_class_init,
   1035    .instance_init = tulip_instance_init,
   1036    .interfaces = (InterfaceInfo[]) {
   1037        { INTERFACE_CONVENTIONAL_PCI_DEVICE },
   1038        { },
   1039    },
   1040};
   1041
   1042static void tulip_register_types(void)
   1043{
   1044    type_register_static(&tulip_info);
   1045}
   1046
   1047type_init(tulip_register_types)