cachepc-qemu

Fork of AMDESE/qemu with changes for cachepc side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-qemu
Log | Files | Refs | Submodules | LICENSE | sfeed.txt

lsi53c895a.c (69083B)


      1/*
      2 * QEMU LSI53C895A SCSI Host Bus Adapter emulation
      3 *
      4 * Copyright (c) 2006 CodeSourcery.
      5 * Written by Paul Brook
      6 *
      7 * This code is licensed under the LGPL.
      8 */
      9
     10/* Note:
     11 * LSI53C810 emulation is incorrect, in the sense that it supports
     12 * features added in later evolutions. This should not be a problem,
     13 * as well-behaved operating systems will not try to use them.
     14 */
     15
     16#include "qemu/osdep.h"
     17
     18#include "hw/irq.h"
     19#include "hw/pci/pci.h"
     20#include "hw/scsi/scsi.h"
     21#include "migration/vmstate.h"
     22#include "sysemu/dma.h"
     23#include "qemu/log.h"
     24#include "qemu/module.h"
     25#include "trace.h"
     26#include "qom/object.h"
     27
     28static const char *names[] = {
     29    "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
     30    "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
     31    "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
     32    "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
     33    "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
     34    "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
     35    "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
     36    "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
     37    "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
     38    "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
     39    "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
     40    "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
     41};
     42
     43#define LSI_MAX_DEVS 7
     44
     45#define LSI_SCNTL0_TRG    0x01
     46#define LSI_SCNTL0_AAP    0x02
     47#define LSI_SCNTL0_EPC    0x08
     48#define LSI_SCNTL0_WATN   0x10
     49#define LSI_SCNTL0_START  0x20
     50
     51#define LSI_SCNTL1_SST    0x01
     52#define LSI_SCNTL1_IARB   0x02
     53#define LSI_SCNTL1_AESP   0x04
     54#define LSI_SCNTL1_RST    0x08
     55#define LSI_SCNTL1_CON    0x10
     56#define LSI_SCNTL1_DHP    0x20
     57#define LSI_SCNTL1_ADB    0x40
     58#define LSI_SCNTL1_EXC    0x80
     59
     60#define LSI_SCNTL2_WSR    0x01
     61#define LSI_SCNTL2_VUE0   0x02
     62#define LSI_SCNTL2_VUE1   0x04
     63#define LSI_SCNTL2_WSS    0x08
     64#define LSI_SCNTL2_SLPHBEN 0x10
     65#define LSI_SCNTL2_SLPMD  0x20
     66#define LSI_SCNTL2_CHM    0x40
     67#define LSI_SCNTL2_SDU    0x80
     68
     69#define LSI_ISTAT0_DIP    0x01
     70#define LSI_ISTAT0_SIP    0x02
     71#define LSI_ISTAT0_INTF   0x04
     72#define LSI_ISTAT0_CON    0x08
     73#define LSI_ISTAT0_SEM    0x10
     74#define LSI_ISTAT0_SIGP   0x20
     75#define LSI_ISTAT0_SRST   0x40
     76#define LSI_ISTAT0_ABRT   0x80
     77
     78#define LSI_ISTAT1_SI     0x01
     79#define LSI_ISTAT1_SRUN   0x02
     80#define LSI_ISTAT1_FLSH   0x04
     81
     82#define LSI_SSTAT0_SDP0   0x01
     83#define LSI_SSTAT0_RST    0x02
     84#define LSI_SSTAT0_WOA    0x04
     85#define LSI_SSTAT0_LOA    0x08
     86#define LSI_SSTAT0_AIP    0x10
     87#define LSI_SSTAT0_OLF    0x20
     88#define LSI_SSTAT0_ORF    0x40
     89#define LSI_SSTAT0_ILF    0x80
     90
     91#define LSI_SIST0_PAR     0x01
     92#define LSI_SIST0_RST     0x02
     93#define LSI_SIST0_UDC     0x04
     94#define LSI_SIST0_SGE     0x08
     95#define LSI_SIST0_RSL     0x10
     96#define LSI_SIST0_SEL     0x20
     97#define LSI_SIST0_CMP     0x40
     98#define LSI_SIST0_MA      0x80
     99
    100#define LSI_SIST1_HTH     0x01
    101#define LSI_SIST1_GEN     0x02
    102#define LSI_SIST1_STO     0x04
    103#define LSI_SIST1_SBMC    0x10
    104
    105#define LSI_SOCL_IO       0x01
    106#define LSI_SOCL_CD       0x02
    107#define LSI_SOCL_MSG      0x04
    108#define LSI_SOCL_ATN      0x08
    109#define LSI_SOCL_SEL      0x10
    110#define LSI_SOCL_BSY      0x20
    111#define LSI_SOCL_ACK      0x40
    112#define LSI_SOCL_REQ      0x80
    113
    114#define LSI_DSTAT_IID     0x01
    115#define LSI_DSTAT_SIR     0x04
    116#define LSI_DSTAT_SSI     0x08
    117#define LSI_DSTAT_ABRT    0x10
    118#define LSI_DSTAT_BF      0x20
    119#define LSI_DSTAT_MDPE    0x40
    120#define LSI_DSTAT_DFE     0x80
    121
    122#define LSI_DCNTL_COM     0x01
    123#define LSI_DCNTL_IRQD    0x02
    124#define LSI_DCNTL_STD     0x04
    125#define LSI_DCNTL_IRQM    0x08
    126#define LSI_DCNTL_SSM     0x10
    127#define LSI_DCNTL_PFEN    0x20
    128#define LSI_DCNTL_PFF     0x40
    129#define LSI_DCNTL_CLSE    0x80
    130
    131#define LSI_DMODE_MAN     0x01
    132#define LSI_DMODE_BOF     0x02
    133#define LSI_DMODE_ERMP    0x04
    134#define LSI_DMODE_ERL     0x08
    135#define LSI_DMODE_DIOM    0x10
    136#define LSI_DMODE_SIOM    0x20
    137
    138#define LSI_CTEST2_DACK   0x01
    139#define LSI_CTEST2_DREQ   0x02
    140#define LSI_CTEST2_TEOP   0x04
    141#define LSI_CTEST2_PCICIE 0x08
    142#define LSI_CTEST2_CM     0x10
    143#define LSI_CTEST2_CIO    0x20
    144#define LSI_CTEST2_SIGP   0x40
    145#define LSI_CTEST2_DDIR   0x80
    146
    147#define LSI_CTEST5_BL2    0x04
    148#define LSI_CTEST5_DDIR   0x08
    149#define LSI_CTEST5_MASR   0x10
    150#define LSI_CTEST5_DFSN   0x20
    151#define LSI_CTEST5_BBCK   0x40
    152#define LSI_CTEST5_ADCK   0x80
    153
    154#define LSI_CCNTL0_DILS   0x01
    155#define LSI_CCNTL0_DISFC  0x10
    156#define LSI_CCNTL0_ENNDJ  0x20
    157#define LSI_CCNTL0_PMJCTL 0x40
    158#define LSI_CCNTL0_ENPMJ  0x80
    159
    160#define LSI_CCNTL1_EN64DBMV  0x01
    161#define LSI_CCNTL1_EN64TIBMV 0x02
    162#define LSI_CCNTL1_64TIMOD   0x04
    163#define LSI_CCNTL1_DDAC      0x08
    164#define LSI_CCNTL1_ZMOD      0x80
    165
    166#define LSI_SBCL_ATN         0x08
    167#define LSI_SBCL_BSY         0x20
    168#define LSI_SBCL_ACK         0x40
    169#define LSI_SBCL_REQ         0x80
    170
    171/* Enable Response to Reselection */
    172#define LSI_SCID_RRE      0x60
    173
    174#define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
    175
    176#define PHASE_DO          0
    177#define PHASE_DI          1
    178#define PHASE_CMD         2
    179#define PHASE_ST          3
    180#define PHASE_MO          6
    181#define PHASE_MI          7
    182#define PHASE_MASK        7
    183
    184/* Maximum length of MSG IN data.  */
    185#define LSI_MAX_MSGIN_LEN 8
    186
    187/* Flag set if this is a tagged command.  */
    188#define LSI_TAG_VALID     (1 << 16)
    189
    190/* Maximum instructions to process. */
    191#define LSI_MAX_INSN    10000
    192
    193typedef struct lsi_request {
    194    SCSIRequest *req;
    195    uint32_t tag;
    196    uint32_t dma_len;
    197    uint8_t *dma_buf;
    198    uint32_t pending;
    199    int out;
    200    QTAILQ_ENTRY(lsi_request) next;
    201} lsi_request;
    202
    203enum {
    204    LSI_NOWAIT, /* SCRIPTS are running or stopped */
    205    LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
    206    LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
    207    LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
    208};
    209
    210enum {
    211    LSI_MSG_ACTION_COMMAND = 0,
    212    LSI_MSG_ACTION_DISCONNECT = 1,
    213    LSI_MSG_ACTION_DOUT = 2,
    214    LSI_MSG_ACTION_DIN = 3,
    215};
    216
    217struct LSIState {
    218    /*< private >*/
    219    PCIDevice parent_obj;
    220    /*< public >*/
    221
    222    qemu_irq ext_irq;
    223    MemoryRegion mmio_io;
    224    MemoryRegion ram_io;
    225    MemoryRegion io_io;
    226    AddressSpace pci_io_as;
    227
    228    int carry; /* ??? Should this be an a visible register somewhere?  */
    229    int status;
    230    int msg_action;
    231    int msg_len;
    232    uint8_t msg[LSI_MAX_MSGIN_LEN];
    233    int waiting;
    234    SCSIBus bus;
    235    int current_lun;
    236    /* The tag is a combination of the device ID and the SCSI tag.  */
    237    uint32_t select_tag;
    238    int command_complete;
    239    QTAILQ_HEAD(, lsi_request) queue;
    240    lsi_request *current;
    241
    242    uint32_t dsa;
    243    uint32_t temp;
    244    uint32_t dnad;
    245    uint32_t dbc;
    246    uint8_t istat0;
    247    uint8_t istat1;
    248    uint8_t dcmd;
    249    uint8_t dstat;
    250    uint8_t dien;
    251    uint8_t sist0;
    252    uint8_t sist1;
    253    uint8_t sien0;
    254    uint8_t sien1;
    255    uint8_t mbox0;
    256    uint8_t mbox1;
    257    uint8_t dfifo;
    258    uint8_t ctest2;
    259    uint8_t ctest3;
    260    uint8_t ctest4;
    261    uint8_t ctest5;
    262    uint8_t ccntl0;
    263    uint8_t ccntl1;
    264    uint32_t dsp;
    265    uint32_t dsps;
    266    uint8_t dmode;
    267    uint8_t dcntl;
    268    uint8_t scntl0;
    269    uint8_t scntl1;
    270    uint8_t scntl2;
    271    uint8_t scntl3;
    272    uint8_t sstat0;
    273    uint8_t sstat1;
    274    uint8_t scid;
    275    uint8_t sxfer;
    276    uint8_t socl;
    277    uint8_t sdid;
    278    uint8_t ssid;
    279    uint8_t sfbr;
    280    uint8_t sbcl;
    281    uint8_t stest1;
    282    uint8_t stest2;
    283    uint8_t stest3;
    284    uint8_t sidl;
    285    uint8_t stime0;
    286    uint8_t respid0;
    287    uint8_t respid1;
    288    uint32_t mmrs;
    289    uint32_t mmws;
    290    uint32_t sfs;
    291    uint32_t drs;
    292    uint32_t sbms;
    293    uint32_t dbms;
    294    uint32_t dnad64;
    295    uint32_t pmjad1;
    296    uint32_t pmjad2;
    297    uint32_t rbc;
    298    uint32_t ua;
    299    uint32_t ia;
    300    uint32_t sbc;
    301    uint32_t csbc;
    302    uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
    303    uint8_t sbr;
    304    uint32_t adder;
    305
    306    uint8_t script_ram[2048 * sizeof(uint32_t)];
    307};
    308
    309#define TYPE_LSI53C810  "lsi53c810"
    310#define TYPE_LSI53C895A "lsi53c895a"
    311
    312OBJECT_DECLARE_SIMPLE_TYPE(LSIState, LSI53C895A)
    313
    314static const char *scsi_phases[] = {
    315    "DOUT",
    316    "DIN",
    317    "CMD",
    318    "STATUS",
    319    "RSVOUT",
    320    "RSVIN",
    321    "MSGOUT",
    322    "MSGIN"
    323};
    324
    325static const char *scsi_phase_name(int phase)
    326{
    327    return scsi_phases[phase & PHASE_MASK];
    328}
    329
    330static inline int lsi_irq_on_rsl(LSIState *s)
    331{
    332    return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
    333}
    334
    335static lsi_request *get_pending_req(LSIState *s)
    336{
    337    lsi_request *p;
    338
    339    QTAILQ_FOREACH(p, &s->queue, next) {
    340        if (p->pending) {
    341            return p;
    342        }
    343    }
    344    return NULL;
    345}
    346
    347static void lsi_soft_reset(LSIState *s)
    348{
    349    trace_lsi_reset();
    350    s->carry = 0;
    351
    352    s->msg_action = LSI_MSG_ACTION_COMMAND;
    353    s->msg_len = 0;
    354    s->waiting = LSI_NOWAIT;
    355    s->dsa = 0;
    356    s->dnad = 0;
    357    s->dbc = 0;
    358    s->temp = 0;
    359    memset(s->scratch, 0, sizeof(s->scratch));
    360    s->istat0 = 0;
    361    s->istat1 = 0;
    362    s->dcmd = 0x40;
    363    s->dstat = 0;
    364    s->dien = 0;
    365    s->sist0 = 0;
    366    s->sist1 = 0;
    367    s->sien0 = 0;
    368    s->sien1 = 0;
    369    s->mbox0 = 0;
    370    s->mbox1 = 0;
    371    s->dfifo = 0;
    372    s->ctest2 = LSI_CTEST2_DACK;
    373    s->ctest3 = 0;
    374    s->ctest4 = 0;
    375    s->ctest5 = 0;
    376    s->ccntl0 = 0;
    377    s->ccntl1 = 0;
    378    s->dsp = 0;
    379    s->dsps = 0;
    380    s->dmode = 0;
    381    s->dcntl = 0;
    382    s->scntl0 = 0xc0;
    383    s->scntl1 = 0;
    384    s->scntl2 = 0;
    385    s->scntl3 = 0;
    386    s->sstat0 = 0;
    387    s->sstat1 = 0;
    388    s->scid = 7;
    389    s->sxfer = 0;
    390    s->socl = 0;
    391    s->sdid = 0;
    392    s->ssid = 0;
    393    s->sbcl = 0;
    394    s->stest1 = 0;
    395    s->stest2 = 0;
    396    s->stest3 = 0;
    397    s->sidl = 0;
    398    s->stime0 = 0;
    399    s->respid0 = 0x80;
    400    s->respid1 = 0;
    401    s->mmrs = 0;
    402    s->mmws = 0;
    403    s->sfs = 0;
    404    s->drs = 0;
    405    s->sbms = 0;
    406    s->dbms = 0;
    407    s->dnad64 = 0;
    408    s->pmjad1 = 0;
    409    s->pmjad2 = 0;
    410    s->rbc = 0;
    411    s->ua = 0;
    412    s->ia = 0;
    413    s->sbc = 0;
    414    s->csbc = 0;
    415    s->sbr = 0;
    416    assert(QTAILQ_EMPTY(&s->queue));
    417    assert(!s->current);
    418}
    419
    420static int lsi_dma_40bit(LSIState *s)
    421{
    422    if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
    423        return 1;
    424    return 0;
    425}
    426
    427static int lsi_dma_ti64bit(LSIState *s)
    428{
    429    if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
    430        return 1;
    431    return 0;
    432}
    433
    434static int lsi_dma_64bit(LSIState *s)
    435{
    436    if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
    437        return 1;
    438    return 0;
    439}
    440
    441static uint8_t lsi_reg_readb(LSIState *s, int offset);
    442static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
    443static void lsi_execute_script(LSIState *s);
    444static void lsi_reselect(LSIState *s, lsi_request *p);
    445
    446static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
    447                               void *buf, dma_addr_t len)
    448{
    449    if (s->dmode & LSI_DMODE_SIOM) {
    450        address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
    451                           buf, len);
    452    } else {
    453        pci_dma_read(PCI_DEVICE(s), addr, buf, len);
    454    }
    455}
    456
    457static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
    458                                const void *buf, dma_addr_t len)
    459{
    460    if (s->dmode & LSI_DMODE_DIOM) {
    461        address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
    462                            buf, len);
    463    } else {
    464        pci_dma_write(PCI_DEVICE(s), addr, buf, len);
    465    }
    466}
    467
    468static inline uint32_t read_dword(LSIState *s, uint32_t addr)
    469{
    470    uint32_t buf;
    471
    472    pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
    473    return cpu_to_le32(buf);
    474}
    475
    476static void lsi_stop_script(LSIState *s)
    477{
    478    s->istat1 &= ~LSI_ISTAT1_SRUN;
    479}
    480
    481static void lsi_set_irq(LSIState *s, int level)
    482{
    483    PCIDevice *d = PCI_DEVICE(s);
    484
    485    if (s->ext_irq) {
    486        qemu_set_irq(s->ext_irq, level);
    487    } else {
    488        pci_set_irq(d, level);
    489    }
    490}
    491
    492static void lsi_update_irq(LSIState *s)
    493{
    494    int level;
    495    static int last_level;
    496
    497    /* It's unclear whether the DIP/SIP bits should be cleared when the
    498       Interrupt Status Registers are cleared or when istat0 is read.
    499       We currently do the formwer, which seems to work.  */
    500    level = 0;
    501    if (s->dstat) {
    502        if (s->dstat & s->dien)
    503            level = 1;
    504        s->istat0 |= LSI_ISTAT0_DIP;
    505    } else {
    506        s->istat0 &= ~LSI_ISTAT0_DIP;
    507    }
    508
    509    if (s->sist0 || s->sist1) {
    510        if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
    511            level = 1;
    512        s->istat0 |= LSI_ISTAT0_SIP;
    513    } else {
    514        s->istat0 &= ~LSI_ISTAT0_SIP;
    515    }
    516    if (s->istat0 & LSI_ISTAT0_INTF)
    517        level = 1;
    518
    519    if (level != last_level) {
    520        trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
    521        last_level = level;
    522    }
    523    lsi_set_irq(s, level);
    524
    525    if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
    526        lsi_request *p;
    527
    528        trace_lsi_update_irq_disconnected();
    529        p = get_pending_req(s);
    530        if (p) {
    531            lsi_reselect(s, p);
    532        }
    533    }
    534}
    535
    536/* Stop SCRIPTS execution and raise a SCSI interrupt.  */
    537static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
    538{
    539    uint32_t mask0;
    540    uint32_t mask1;
    541
    542    trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
    543    s->sist0 |= stat0;
    544    s->sist1 |= stat1;
    545    /* Stop processor on fatal or unmasked interrupt.  As a special hack
    546       we don't stop processing when raising STO.  Instead continue
    547       execution and stop at the next insn that accesses the SCSI bus.  */
    548    mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
    549    mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
    550    mask1 &= ~LSI_SIST1_STO;
    551    if (s->sist0 & mask0 || s->sist1 & mask1) {
    552        lsi_stop_script(s);
    553    }
    554    lsi_update_irq(s);
    555}
    556
    557/* Stop SCRIPTS execution and raise a DMA interrupt.  */
    558static void lsi_script_dma_interrupt(LSIState *s, int stat)
    559{
    560    trace_lsi_script_dma_interrupt(stat, s->dstat);
    561    s->dstat |= stat;
    562    lsi_update_irq(s);
    563    lsi_stop_script(s);
    564}
    565
    566static inline void lsi_set_phase(LSIState *s, int phase)
    567{
    568    s->sbcl &= ~PHASE_MASK;
    569    s->sbcl |= phase | LSI_SBCL_REQ;
    570    s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
    571}
    572
    573static void lsi_bad_phase(LSIState *s, int out, int new_phase)
    574{
    575    /* Trigger a phase mismatch.  */
    576    if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
    577        if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
    578            s->dsp = out ? s->pmjad1 : s->pmjad2;
    579        } else {
    580            s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
    581        }
    582        trace_lsi_bad_phase_jump(s->dsp);
    583    } else {
    584        trace_lsi_bad_phase_interrupt();
    585        lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
    586        lsi_stop_script(s);
    587    }
    588    lsi_set_phase(s, new_phase);
    589}
    590
    591
    592/* Resume SCRIPTS execution after a DMA operation.  */
    593static void lsi_resume_script(LSIState *s)
    594{
    595    if (s->waiting != 2) {
    596        s->waiting = LSI_NOWAIT;
    597        lsi_execute_script(s);
    598    } else {
    599        s->waiting = LSI_NOWAIT;
    600    }
    601}
    602
    603static void lsi_disconnect(LSIState *s)
    604{
    605    s->scntl1 &= ~LSI_SCNTL1_CON;
    606    s->sstat1 &= ~PHASE_MASK;
    607    s->sbcl = 0;
    608}
    609
    610static void lsi_bad_selection(LSIState *s, uint32_t id)
    611{
    612    trace_lsi_bad_selection(id);
    613    lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
    614    lsi_disconnect(s);
    615}
    616
    617/* Initiate a SCSI layer data transfer.  */
    618static void lsi_do_dma(LSIState *s, int out)
    619{
    620    uint32_t count;
    621    dma_addr_t addr;
    622    SCSIDevice *dev;
    623
    624    assert(s->current);
    625    if (!s->current->dma_len) {
    626        /* Wait until data is available.  */
    627        trace_lsi_do_dma_unavailable();
    628        return;
    629    }
    630
    631    dev = s->current->req->dev;
    632    assert(dev);
    633
    634    count = s->dbc;
    635    if (count > s->current->dma_len)
    636        count = s->current->dma_len;
    637
    638    addr = s->dnad;
    639    /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
    640    if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
    641        addr |= ((uint64_t)s->dnad64 << 32);
    642    else if (s->dbms)
    643        addr |= ((uint64_t)s->dbms << 32);
    644    else if (s->sbms)
    645        addr |= ((uint64_t)s->sbms << 32);
    646
    647    trace_lsi_do_dma(addr, count);
    648    s->csbc += count;
    649    s->dnad += count;
    650    s->dbc -= count;
    651     if (s->current->dma_buf == NULL) {
    652        s->current->dma_buf = scsi_req_get_buf(s->current->req);
    653    }
    654    /* ??? Set SFBR to first data byte.  */
    655    if (out) {
    656        lsi_mem_read(s, addr, s->current->dma_buf, count);
    657    } else {
    658        lsi_mem_write(s, addr, s->current->dma_buf, count);
    659    }
    660    s->current->dma_len -= count;
    661    if (s->current->dma_len == 0) {
    662        s->current->dma_buf = NULL;
    663        scsi_req_continue(s->current->req);
    664    } else {
    665        s->current->dma_buf += count;
    666        lsi_resume_script(s);
    667    }
    668}
    669
    670
    671/* Add a command to the queue.  */
    672static void lsi_queue_command(LSIState *s)
    673{
    674    lsi_request *p = s->current;
    675
    676    trace_lsi_queue_command(p->tag);
    677    assert(s->current != NULL);
    678    assert(s->current->dma_len == 0);
    679    QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
    680    s->current = NULL;
    681
    682    p->pending = 0;
    683    p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
    684}
    685
    686/* Queue a byte for a MSG IN phase.  */
    687static void lsi_add_msg_byte(LSIState *s, uint8_t data)
    688{
    689    if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
    690        trace_lsi_add_msg_byte_error();
    691    } else {
    692        trace_lsi_add_msg_byte(data);
    693        s->msg[s->msg_len++] = data;
    694    }
    695}
    696
    697/* Perform reselection to continue a command.  */
    698static void lsi_reselect(LSIState *s, lsi_request *p)
    699{
    700    int id;
    701
    702    assert(s->current == NULL);
    703    QTAILQ_REMOVE(&s->queue, p, next);
    704    s->current = p;
    705
    706    id = (p->tag >> 8) & 0xf;
    707    s->ssid = id | 0x80;
    708    /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
    709    if (!(s->dcntl & LSI_DCNTL_COM)) {
    710        s->sfbr = 1 << (id & 0x7);
    711    }
    712    trace_lsi_reselect(id);
    713    s->scntl1 |= LSI_SCNTL1_CON;
    714    lsi_set_phase(s, PHASE_MI);
    715    s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
    716    s->current->dma_len = p->pending;
    717    lsi_add_msg_byte(s, 0x80);
    718    if (s->current->tag & LSI_TAG_VALID) {
    719        lsi_add_msg_byte(s, 0x20);
    720        lsi_add_msg_byte(s, p->tag & 0xff);
    721    }
    722
    723    if (lsi_irq_on_rsl(s)) {
    724        lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
    725    }
    726}
    727
    728static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
    729{
    730    lsi_request *p;
    731
    732    QTAILQ_FOREACH(p, &s->queue, next) {
    733        if (p->tag == tag) {
    734            return p;
    735        }
    736    }
    737
    738    return NULL;
    739}
    740
    741static void lsi_request_free(LSIState *s, lsi_request *p)
    742{
    743    if (p == s->current) {
    744        s->current = NULL;
    745    } else {
    746        QTAILQ_REMOVE(&s->queue, p, next);
    747    }
    748    g_free(p);
    749}
    750
    751static void lsi_request_cancelled(SCSIRequest *req)
    752{
    753    LSIState *s = LSI53C895A(req->bus->qbus.parent);
    754    lsi_request *p = req->hba_private;
    755
    756    req->hba_private = NULL;
    757    lsi_request_free(s, p);
    758    scsi_req_unref(req);
    759}
    760
    761/* Record that data is available for a queued command.  Returns zero if
    762   the device was reselected, nonzero if the IO is deferred.  */
    763static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
    764{
    765    lsi_request *p = req->hba_private;
    766
    767    if (p->pending) {
    768        trace_lsi_queue_req_error(p);
    769    }
    770    p->pending = len;
    771    /* Reselect if waiting for it, or if reselection triggers an IRQ
    772       and the bus is free.
    773       Since no interrupt stacking is implemented in the emulation, it
    774       is also required that there are no pending interrupts waiting
    775       for service from the device driver. */
    776    if (s->waiting == LSI_WAIT_RESELECT ||
    777        (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
    778         !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
    779        /* Reselect device.  */
    780        lsi_reselect(s, p);
    781        return 0;
    782    } else {
    783        trace_lsi_queue_req(p->tag);
    784        p->pending = len;
    785        return 1;
    786    }
    787}
    788
    789 /* Callback to indicate that the SCSI layer has completed a command.  */
    790static void lsi_command_complete(SCSIRequest *req, size_t resid)
    791{
    792    LSIState *s = LSI53C895A(req->bus->qbus.parent);
    793    int out;
    794
    795    out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
    796    trace_lsi_command_complete(req->status);
    797    s->status = req->status;
    798    s->command_complete = 2;
    799    if (s->waiting && s->dbc != 0) {
    800        /* Raise phase mismatch for short transfers.  */
    801        lsi_bad_phase(s, out, PHASE_ST);
    802    } else {
    803        lsi_set_phase(s, PHASE_ST);
    804    }
    805
    806    if (req->hba_private == s->current) {
    807        req->hba_private = NULL;
    808        lsi_request_free(s, s->current);
    809        scsi_req_unref(req);
    810    }
    811    lsi_resume_script(s);
    812}
    813
    814 /* Callback to indicate that the SCSI layer has completed a transfer.  */
    815static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
    816{
    817    LSIState *s = LSI53C895A(req->bus->qbus.parent);
    818    int out;
    819
    820    assert(req->hba_private);
    821    if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
    822        (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
    823        if (lsi_queue_req(s, req, len)) {
    824            return;
    825        }
    826    }
    827
    828    out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
    829
    830    /* host adapter (re)connected */
    831    trace_lsi_transfer_data(req->tag, len);
    832    s->current->dma_len = len;
    833    s->command_complete = 1;
    834    if (s->waiting) {
    835        if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
    836            lsi_resume_script(s);
    837        } else {
    838            lsi_do_dma(s, out);
    839        }
    840    }
    841}
    842
    843static void lsi_do_command(LSIState *s)
    844{
    845    SCSIDevice *dev;
    846    uint8_t buf[16];
    847    uint32_t id;
    848    int n;
    849
    850    trace_lsi_do_command(s->dbc);
    851    if (s->dbc > 16)
    852        s->dbc = 16;
    853    pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
    854    s->sfbr = buf[0];
    855    s->command_complete = 0;
    856
    857    id = (s->select_tag >> 8) & 0xf;
    858    dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
    859    if (!dev) {
    860        lsi_bad_selection(s, id);
    861        return;
    862    }
    863
    864    assert(s->current == NULL);
    865    s->current = g_new0(lsi_request, 1);
    866    s->current->tag = s->select_tag;
    867    s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
    868                                   s->current);
    869
    870    n = scsi_req_enqueue(s->current->req);
    871    if (n) {
    872        if (n > 0) {
    873            lsi_set_phase(s, PHASE_DI);
    874        } else if (n < 0) {
    875            lsi_set_phase(s, PHASE_DO);
    876        }
    877        scsi_req_continue(s->current->req);
    878    }
    879    if (!s->command_complete) {
    880        if (n) {
    881            /* Command did not complete immediately so disconnect.  */
    882            lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
    883            lsi_add_msg_byte(s, 4); /* DISCONNECT */
    884            /* wait data */
    885            lsi_set_phase(s, PHASE_MI);
    886            s->msg_action = LSI_MSG_ACTION_DISCONNECT;
    887            lsi_queue_command(s);
    888        } else {
    889            /* wait command complete */
    890            lsi_set_phase(s, PHASE_DI);
    891        }
    892    }
    893}
    894
    895static void lsi_do_status(LSIState *s)
    896{
    897    uint8_t status;
    898    trace_lsi_do_status(s->dbc, s->status);
    899    if (s->dbc != 1) {
    900        trace_lsi_do_status_error();
    901    }
    902    s->dbc = 1;
    903    status = s->status;
    904    s->sfbr = status;
    905    pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
    906    lsi_set_phase(s, PHASE_MI);
    907    s->msg_action = LSI_MSG_ACTION_DISCONNECT;
    908    lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
    909}
    910
    911static void lsi_do_msgin(LSIState *s)
    912{
    913    uint8_t len;
    914    trace_lsi_do_msgin(s->dbc, s->msg_len);
    915    s->sfbr = s->msg[0];
    916    len = s->msg_len;
    917    assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
    918    if (len > s->dbc)
    919        len = s->dbc;
    920    pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
    921    /* Linux drivers rely on the last byte being in the SIDL.  */
    922    s->sidl = s->msg[len - 1];
    923    s->msg_len -= len;
    924    if (s->msg_len) {
    925        memmove(s->msg, s->msg + len, s->msg_len);
    926    } else {
    927        /* ??? Check if ATN (not yet implemented) is asserted and maybe
    928           switch to PHASE_MO.  */
    929        switch (s->msg_action) {
    930        case LSI_MSG_ACTION_COMMAND:
    931            lsi_set_phase(s, PHASE_CMD);
    932            break;
    933        case LSI_MSG_ACTION_DISCONNECT:
    934            lsi_disconnect(s);
    935            break;
    936        case LSI_MSG_ACTION_DOUT:
    937            lsi_set_phase(s, PHASE_DO);
    938            break;
    939        case LSI_MSG_ACTION_DIN:
    940            lsi_set_phase(s, PHASE_DI);
    941            break;
    942        default:
    943            abort();
    944        }
    945    }
    946}
    947
    948/* Read the next byte during a MSGOUT phase.  */
    949static uint8_t lsi_get_msgbyte(LSIState *s)
    950{
    951    uint8_t data;
    952    pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
    953    s->dnad++;
    954    s->dbc--;
    955    return data;
    956}
    957
    958/* Skip the next n bytes during a MSGOUT phase. */
    959static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
    960{
    961    s->dnad += n;
    962    s->dbc  -= n;
    963}
    964
    965static void lsi_do_msgout(LSIState *s)
    966{
    967    uint8_t msg;
    968    int len;
    969    uint32_t current_tag;
    970    lsi_request *current_req, *p, *p_next;
    971
    972    if (s->current) {
    973        current_tag = s->current->tag;
    974        current_req = s->current;
    975    } else {
    976        current_tag = s->select_tag;
    977        current_req = lsi_find_by_tag(s, current_tag);
    978    }
    979
    980    trace_lsi_do_msgout(s->dbc);
    981    while (s->dbc) {
    982        msg = lsi_get_msgbyte(s);
    983        s->sfbr = msg;
    984
    985        switch (msg) {
    986        case 0x04:
    987            trace_lsi_do_msgout_disconnect();
    988            lsi_disconnect(s);
    989            break;
    990        case 0x08:
    991            trace_lsi_do_msgout_noop();
    992            lsi_set_phase(s, PHASE_CMD);
    993            break;
    994        case 0x01:
    995            len = lsi_get_msgbyte(s);
    996            msg = lsi_get_msgbyte(s);
    997            (void)len; /* avoid a warning about unused variable*/
    998            trace_lsi_do_msgout_extended(msg, len);
    999            switch (msg) {
   1000            case 1:
   1001                trace_lsi_do_msgout_ignored("SDTR");
   1002                lsi_skip_msgbytes(s, 2);
   1003                break;
   1004            case 3:
   1005                trace_lsi_do_msgout_ignored("WDTR");
   1006                lsi_skip_msgbytes(s, 1);
   1007                break;
   1008            case 4:
   1009                trace_lsi_do_msgout_ignored("PPR");
   1010                lsi_skip_msgbytes(s, 5);
   1011                break;
   1012            default:
   1013                goto bad;
   1014            }
   1015            break;
   1016        case 0x20: /* SIMPLE queue */
   1017            s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
   1018            trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
   1019            break;
   1020        case 0x21: /* HEAD of queue */
   1021            qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
   1022            s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
   1023            break;
   1024        case 0x22: /* ORDERED queue */
   1025            qemu_log_mask(LOG_UNIMP,
   1026                          "lsi_scsi: ORDERED queue not implemented\n");
   1027            s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
   1028            break;
   1029        case 0x0d:
   1030            /* The ABORT TAG message clears the current I/O process only. */
   1031            trace_lsi_do_msgout_abort(current_tag);
   1032            if (current_req) {
   1033                scsi_req_cancel(current_req->req);
   1034            }
   1035            lsi_disconnect(s);
   1036            break;
   1037        case 0x06:
   1038        case 0x0e:
   1039        case 0x0c:
   1040            /* The ABORT message clears all I/O processes for the selecting
   1041               initiator on the specified logical unit of the target. */
   1042            if (msg == 0x06) {
   1043                trace_lsi_do_msgout_abort(current_tag);
   1044            }
   1045            /* The CLEAR QUEUE message clears all I/O processes for all
   1046               initiators on the specified logical unit of the target. */
   1047            if (msg == 0x0e) {
   1048                trace_lsi_do_msgout_clearqueue(current_tag);
   1049            }
   1050            /* The BUS DEVICE RESET message clears all I/O processes for all
   1051               initiators on all logical units of the target. */
   1052            if (msg == 0x0c) {
   1053                trace_lsi_do_msgout_busdevicereset(current_tag);
   1054            }
   1055
   1056            /* clear the current I/O process */
   1057            if (s->current) {
   1058                scsi_req_cancel(s->current->req);
   1059            }
   1060
   1061            /* As the current implemented devices scsi_disk and scsi_generic
   1062               only support one LUN, we don't need to keep track of LUNs.
   1063               Clearing I/O processes for other initiators could be possible
   1064               for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
   1065               device, but this is currently not implemented (and seems not
   1066               to be really necessary). So let's simply clear all queued
   1067               commands for the current device: */
   1068            QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
   1069                if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
   1070                    scsi_req_cancel(p->req);
   1071                }
   1072            }
   1073
   1074            lsi_disconnect(s);
   1075            break;
   1076        default:
   1077            if ((msg & 0x80) == 0) {
   1078                goto bad;
   1079            }
   1080            s->current_lun = msg & 7;
   1081            trace_lsi_do_msgout_select(s->current_lun);
   1082            lsi_set_phase(s, PHASE_CMD);
   1083            break;
   1084        }
   1085    }
   1086    return;
   1087bad:
   1088    qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
   1089    lsi_set_phase(s, PHASE_MI);
   1090    lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
   1091    s->msg_action = LSI_MSG_ACTION_COMMAND;
   1092}
   1093
   1094#define LSI_BUF_SIZE 4096
   1095static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
   1096{
   1097    int n;
   1098    uint8_t buf[LSI_BUF_SIZE];
   1099
   1100    trace_lsi_memcpy(dest, src, count);
   1101    while (count) {
   1102        n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
   1103        lsi_mem_read(s, src, buf, n);
   1104        lsi_mem_write(s, dest, buf, n);
   1105        src += n;
   1106        dest += n;
   1107        count -= n;
   1108    }
   1109}
   1110
   1111static void lsi_wait_reselect(LSIState *s)
   1112{
   1113    lsi_request *p;
   1114
   1115    trace_lsi_wait_reselect();
   1116
   1117    if (s->current) {
   1118        return;
   1119    }
   1120    p = get_pending_req(s);
   1121    if (p) {
   1122        lsi_reselect(s, p);
   1123    }
   1124    if (s->current == NULL) {
   1125        s->waiting = LSI_WAIT_RESELECT;
   1126    }
   1127}
   1128
   1129static void lsi_execute_script(LSIState *s)
   1130{
   1131    PCIDevice *pci_dev = PCI_DEVICE(s);
   1132    uint32_t insn;
   1133    uint32_t addr, addr_high;
   1134    int opcode;
   1135    int insn_processed = 0;
   1136
   1137    s->istat1 |= LSI_ISTAT1_SRUN;
   1138again:
   1139    if (++insn_processed > LSI_MAX_INSN) {
   1140        /* Some windows drivers make the device spin waiting for a memory
   1141           location to change.  If we have been executed a lot of code then
   1142           assume this is the case and force an unexpected device disconnect.
   1143           This is apparently sufficient to beat the drivers into submission.
   1144         */
   1145        if (!(s->sien0 & LSI_SIST0_UDC)) {
   1146            qemu_log_mask(LOG_GUEST_ERROR,
   1147                          "lsi_scsi: inf. loop with UDC masked");
   1148        }
   1149        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
   1150        lsi_disconnect(s);
   1151        trace_lsi_execute_script_stop();
   1152        return;
   1153    }
   1154    insn = read_dword(s, s->dsp);
   1155    if (!insn) {
   1156        /* If we receive an empty opcode increment the DSP by 4 bytes
   1157           instead of 8 and execute the next opcode at that location */
   1158        s->dsp += 4;
   1159        goto again;
   1160    }
   1161    addr = read_dword(s, s->dsp + 4);
   1162    addr_high = 0;
   1163    trace_lsi_execute_script(s->dsp, insn, addr);
   1164    s->dsps = addr;
   1165    s->dcmd = insn >> 24;
   1166    s->dsp += 8;
   1167    switch (insn >> 30) {
   1168    case 0: /* Block move.  */
   1169        if (s->sist1 & LSI_SIST1_STO) {
   1170            trace_lsi_execute_script_blockmove_delayed();
   1171            lsi_stop_script(s);
   1172            break;
   1173        }
   1174        s->dbc = insn & 0xffffff;
   1175        s->rbc = s->dbc;
   1176        /* ??? Set ESA.  */
   1177        s->ia = s->dsp - 8;
   1178        if (insn & (1 << 29)) {
   1179            /* Indirect addressing.  */
   1180            addr = read_dword(s, addr);
   1181        } else if (insn & (1 << 28)) {
   1182            uint32_t buf[2];
   1183            int32_t offset;
   1184            /* Table indirect addressing.  */
   1185
   1186            /* 32-bit Table indirect */
   1187            offset = sextract32(addr, 0, 24);
   1188            pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
   1189            /* byte count is stored in bits 0:23 only */
   1190            s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
   1191            s->rbc = s->dbc;
   1192            addr = cpu_to_le32(buf[1]);
   1193
   1194            /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
   1195             * table, bits [31:24] */
   1196            if (lsi_dma_40bit(s))
   1197                addr_high = cpu_to_le32(buf[0]) >> 24;
   1198            else if (lsi_dma_ti64bit(s)) {
   1199                int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
   1200                switch (selector) {
   1201                case 0 ... 0x0f:
   1202                    /* offset index into scratch registers since
   1203                     * TI64 mode can use registers C to R */
   1204                    addr_high = s->scratch[2 + selector];
   1205                    break;
   1206                case 0x10:
   1207                    addr_high = s->mmrs;
   1208                    break;
   1209                case 0x11:
   1210                    addr_high = s->mmws;
   1211                    break;
   1212                case 0x12:
   1213                    addr_high = s->sfs;
   1214                    break;
   1215                case 0x13:
   1216                    addr_high = s->drs;
   1217                    break;
   1218                case 0x14:
   1219                    addr_high = s->sbms;
   1220                    break;
   1221                case 0x15:
   1222                    addr_high = s->dbms;
   1223                    break;
   1224                default:
   1225                    qemu_log_mask(LOG_GUEST_ERROR,
   1226                          "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
   1227                          "for 64-bit DMA block move", selector);
   1228                    break;
   1229                }
   1230            }
   1231        } else if (lsi_dma_64bit(s)) {
   1232            /* fetch a 3rd dword if 64-bit direct move is enabled and
   1233               only if we're not doing table indirect or indirect addressing */
   1234            s->dbms = read_dword(s, s->dsp);
   1235            s->dsp += 4;
   1236            s->ia = s->dsp - 12;
   1237        }
   1238        if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
   1239            trace_lsi_execute_script_blockmove_badphase(
   1240                    scsi_phase_name(s->sstat1),
   1241                    scsi_phase_name(insn >> 24));
   1242            lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
   1243            break;
   1244        }
   1245        s->dnad = addr;
   1246        s->dnad64 = addr_high;
   1247        switch (s->sstat1 & 0x7) {
   1248        case PHASE_DO:
   1249            s->waiting = LSI_DMA_SCRIPTS;
   1250            lsi_do_dma(s, 1);
   1251            if (s->waiting)
   1252                s->waiting = LSI_DMA_IN_PROGRESS;
   1253            break;
   1254        case PHASE_DI:
   1255            s->waiting = LSI_DMA_SCRIPTS;
   1256            lsi_do_dma(s, 0);
   1257            if (s->waiting)
   1258                s->waiting = LSI_DMA_IN_PROGRESS;
   1259            break;
   1260        case PHASE_CMD:
   1261            lsi_do_command(s);
   1262            break;
   1263        case PHASE_ST:
   1264            lsi_do_status(s);
   1265            break;
   1266        case PHASE_MO:
   1267            lsi_do_msgout(s);
   1268            break;
   1269        case PHASE_MI:
   1270            lsi_do_msgin(s);
   1271            break;
   1272        default:
   1273            qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
   1274                          scsi_phase_name(s->sstat1));
   1275        }
   1276        s->dfifo = s->dbc & 0xff;
   1277        s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
   1278        s->sbc = s->dbc;
   1279        s->rbc -= s->dbc;
   1280        s->ua = addr + s->dbc;
   1281        break;
   1282
   1283    case 1: /* IO or Read/Write instruction.  */
   1284        opcode = (insn >> 27) & 7;
   1285        if (opcode < 5) {
   1286            uint32_t id;
   1287
   1288            if (insn & (1 << 25)) {
   1289                id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
   1290            } else {
   1291                id = insn;
   1292            }
   1293            id = (id >> 16) & 0xf;
   1294            if (insn & (1 << 26)) {
   1295                addr = s->dsp + sextract32(addr, 0, 24);
   1296            }
   1297            s->dnad = addr;
   1298            switch (opcode) {
   1299            case 0: /* Select */
   1300                s->sdid = id;
   1301                if (s->scntl1 & LSI_SCNTL1_CON) {
   1302                    trace_lsi_execute_script_io_alreadyreselected();
   1303                    s->dsp = s->dnad;
   1304                    break;
   1305                }
   1306                s->sstat0 |= LSI_SSTAT0_WOA;
   1307                s->scntl1 &= ~LSI_SCNTL1_IARB;
   1308                if (!scsi_device_find(&s->bus, 0, id, 0)) {
   1309                    lsi_bad_selection(s, id);
   1310                    break;
   1311                }
   1312                trace_lsi_execute_script_io_selected(id,
   1313                                             insn & (1 << 3) ? " ATN" : "");
   1314                /* ??? Linux drivers compain when this is set.  Maybe
   1315                   it only applies in low-level mode (unimplemented).
   1316                lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
   1317                s->select_tag = id << 8;
   1318                s->scntl1 |= LSI_SCNTL1_CON;
   1319                if (insn & (1 << 3)) {
   1320                    s->socl |= LSI_SOCL_ATN;
   1321                    s->sbcl |= LSI_SBCL_ATN;
   1322                }
   1323                s->sbcl |= LSI_SBCL_BSY;
   1324                lsi_set_phase(s, PHASE_MO);
   1325                s->waiting = LSI_NOWAIT;
   1326                break;
   1327            case 1: /* Disconnect */
   1328                trace_lsi_execute_script_io_disconnect();
   1329                s->scntl1 &= ~LSI_SCNTL1_CON;
   1330                /* FIXME: this is not entirely correct; the target need not ask
   1331                 * for reselection until it has to send data, while here we force a
   1332                 * reselection as soon as the bus is free.  The correct flow would
   1333                 * reselect before lsi_transfer_data and disconnect as soon as
   1334                 * DMA ends.
   1335                 */
   1336                if (!s->current) {
   1337                    lsi_request *p = get_pending_req(s);
   1338                    if (p) {
   1339                        lsi_reselect(s, p);
   1340                    }
   1341                }
   1342                break;
   1343            case 2: /* Wait Reselect */
   1344                if (s->istat0 & LSI_ISTAT0_SIGP) {
   1345                    s->dsp = s->dnad;
   1346                } else if (!lsi_irq_on_rsl(s)) {
   1347                        lsi_wait_reselect(s);
   1348                }
   1349                break;
   1350            case 3: /* Set */
   1351                trace_lsi_execute_script_io_set(
   1352                        insn & (1 << 3) ? " ATN" : "",
   1353                        insn & (1 << 6) ? " ACK" : "",
   1354                        insn & (1 << 9) ? " TM" : "",
   1355                        insn & (1 << 10) ? " CC" : "");
   1356                if (insn & (1 << 3)) {
   1357                    s->socl |= LSI_SOCL_ATN;
   1358                    s->sbcl |= LSI_SBCL_ATN;
   1359                    lsi_set_phase(s, PHASE_MO);
   1360                }
   1361
   1362                if (insn & (1 << 6)) {
   1363                    s->sbcl |= LSI_SBCL_ACK;
   1364                }
   1365
   1366                if (insn & (1 << 9)) {
   1367                    qemu_log_mask(LOG_UNIMP,
   1368                        "lsi_scsi: Target mode not implemented\n");
   1369                }
   1370                if (insn & (1 << 10))
   1371                    s->carry = 1;
   1372                break;
   1373            case 4: /* Clear */
   1374                trace_lsi_execute_script_io_clear(
   1375                        insn & (1 << 3) ? " ATN" : "",
   1376                        insn & (1 << 6) ? " ACK" : "",
   1377                        insn & (1 << 9) ? " TM" : "",
   1378                        insn & (1 << 10) ? " CC" : "");
   1379                if (insn & (1 << 3)) {
   1380                    s->socl &= ~LSI_SOCL_ATN;
   1381                    s->sbcl &= ~LSI_SBCL_ATN;
   1382                }
   1383
   1384                if (insn & (1 << 6)) {
   1385                    s->sbcl &= ~LSI_SBCL_ACK;
   1386                }
   1387
   1388                if (insn & (1 << 10))
   1389                    s->carry = 0;
   1390                break;
   1391            }
   1392        } else {
   1393            uint8_t op0;
   1394            uint8_t op1;
   1395            uint8_t data8;
   1396            int reg;
   1397            int operator;
   1398
   1399            static const char *opcode_names[3] =
   1400                {"Write", "Read", "Read-Modify-Write"};
   1401            static const char *operator_names[8] =
   1402                {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
   1403
   1404            reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
   1405            data8 = (insn >> 8) & 0xff;
   1406            opcode = (insn >> 27) & 7;
   1407            operator = (insn >> 24) & 7;
   1408            trace_lsi_execute_script_io_opcode(
   1409                    opcode_names[opcode - 5], reg,
   1410                    operator_names[operator], data8, s->sfbr,
   1411                    (insn & (1 << 23)) ? " SFBR" : "");
   1412            op0 = op1 = 0;
   1413            switch (opcode) {
   1414            case 5: /* From SFBR */
   1415                op0 = s->sfbr;
   1416                op1 = data8;
   1417                break;
   1418            case 6: /* To SFBR */
   1419                if (operator)
   1420                    op0 = lsi_reg_readb(s, reg);
   1421                op1 = data8;
   1422                break;
   1423            case 7: /* Read-modify-write */
   1424                if (operator)
   1425                    op0 = lsi_reg_readb(s, reg);
   1426                if (insn & (1 << 23)) {
   1427                    op1 = s->sfbr;
   1428                } else {
   1429                    op1 = data8;
   1430                }
   1431                break;
   1432            }
   1433
   1434            switch (operator) {
   1435            case 0: /* move */
   1436                op0 = op1;
   1437                break;
   1438            case 1: /* Shift left */
   1439                op1 = op0 >> 7;
   1440                op0 = (op0 << 1) | s->carry;
   1441                s->carry = op1;
   1442                break;
   1443            case 2: /* OR */
   1444                op0 |= op1;
   1445                break;
   1446            case 3: /* XOR */
   1447                op0 ^= op1;
   1448                break;
   1449            case 4: /* AND */
   1450                op0 &= op1;
   1451                break;
   1452            case 5: /* SHR */
   1453                op1 = op0 & 1;
   1454                op0 = (op0 >> 1) | (s->carry << 7);
   1455                s->carry = op1;
   1456                break;
   1457            case 6: /* ADD */
   1458                op0 += op1;
   1459                s->carry = op0 < op1;
   1460                break;
   1461            case 7: /* ADC */
   1462                op0 += op1 + s->carry;
   1463                if (s->carry)
   1464                    s->carry = op0 <= op1;
   1465                else
   1466                    s->carry = op0 < op1;
   1467                break;
   1468            }
   1469
   1470            switch (opcode) {
   1471            case 5: /* From SFBR */
   1472            case 7: /* Read-modify-write */
   1473                lsi_reg_writeb(s, reg, op0);
   1474                break;
   1475            case 6: /* To SFBR */
   1476                s->sfbr = op0;
   1477                break;
   1478            }
   1479        }
   1480        break;
   1481
   1482    case 2: /* Transfer Control.  */
   1483        {
   1484            int cond;
   1485            int jmp;
   1486
   1487            if ((insn & 0x002e0000) == 0) {
   1488                trace_lsi_execute_script_tc_nop();
   1489                break;
   1490            }
   1491            if (s->sist1 & LSI_SIST1_STO) {
   1492                trace_lsi_execute_script_tc_delayedselect_timeout();
   1493                lsi_stop_script(s);
   1494                break;
   1495            }
   1496            cond = jmp = (insn & (1 << 19)) != 0;
   1497            if (cond == jmp && (insn & (1 << 21))) {
   1498                trace_lsi_execute_script_tc_compc(s->carry == jmp);
   1499                cond = s->carry != 0;
   1500            }
   1501            if (cond == jmp && (insn & (1 << 17))) {
   1502                trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
   1503                        jmp ? '=' : '!', scsi_phase_name(insn >> 24));
   1504                cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
   1505            }
   1506            if (cond == jmp && (insn & (1 << 18))) {
   1507                uint8_t mask;
   1508
   1509                mask = (~insn >> 8) & 0xff;
   1510                trace_lsi_execute_script_tc_compd(
   1511                        s->sfbr, mask, jmp ? '=' : '!', insn & mask);
   1512                cond = (s->sfbr & mask) == (insn & mask);
   1513            }
   1514            if (cond == jmp) {
   1515                if (insn & (1 << 23)) {
   1516                    /* Relative address.  */
   1517                    addr = s->dsp + sextract32(addr, 0, 24);
   1518                }
   1519                switch ((insn >> 27) & 7) {
   1520                case 0: /* Jump */
   1521                    trace_lsi_execute_script_tc_jump(addr);
   1522                    s->adder = addr;
   1523                    s->dsp = addr;
   1524                    break;
   1525                case 1: /* Call */
   1526                    trace_lsi_execute_script_tc_call(addr);
   1527                    s->temp = s->dsp;
   1528                    s->dsp = addr;
   1529                    break;
   1530                case 2: /* Return */
   1531                    trace_lsi_execute_script_tc_return(s->temp);
   1532                    s->dsp = s->temp;
   1533                    break;
   1534                case 3: /* Interrupt */
   1535                    trace_lsi_execute_script_tc_interrupt(s->dsps);
   1536                    if ((insn & (1 << 20)) != 0) {
   1537                        s->istat0 |= LSI_ISTAT0_INTF;
   1538                        lsi_update_irq(s);
   1539                    } else {
   1540                        lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
   1541                    }
   1542                    break;
   1543                default:
   1544                    trace_lsi_execute_script_tc_illegal();
   1545                    lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
   1546                    break;
   1547                }
   1548            } else {
   1549                trace_lsi_execute_script_tc_cc_failed();
   1550            }
   1551        }
   1552        break;
   1553
   1554    case 3:
   1555        if ((insn & (1 << 29)) == 0) {
   1556            /* Memory move.  */
   1557            uint32_t dest;
   1558            /* ??? The docs imply the destination address is loaded into
   1559               the TEMP register.  However the Linux drivers rely on
   1560               the value being presrved.  */
   1561            dest = read_dword(s, s->dsp);
   1562            s->dsp += 4;
   1563            lsi_memcpy(s, dest, addr, insn & 0xffffff);
   1564        } else {
   1565            uint8_t data[7];
   1566            int reg;
   1567            int n;
   1568            int i;
   1569
   1570            if (insn & (1 << 28)) {
   1571                addr = s->dsa + sextract32(addr, 0, 24);
   1572            }
   1573            n = (insn & 7);
   1574            reg = (insn >> 16) & 0xff;
   1575            if (insn & (1 << 24)) {
   1576                pci_dma_read(pci_dev, addr, data, n);
   1577                trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
   1578                for (i = 0; i < n; i++) {
   1579                    lsi_reg_writeb(s, reg + i, data[i]);
   1580                }
   1581            } else {
   1582                trace_lsi_execute_script_mm_store(reg, n, addr);
   1583                for (i = 0; i < n; i++) {
   1584                    data[i] = lsi_reg_readb(s, reg + i);
   1585                }
   1586                pci_dma_write(pci_dev, addr, data, n);
   1587            }
   1588        }
   1589    }
   1590    if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
   1591        if (s->dcntl & LSI_DCNTL_SSM) {
   1592            lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
   1593        } else {
   1594            goto again;
   1595        }
   1596    }
   1597    trace_lsi_execute_script_stop();
   1598}
   1599
   1600static uint8_t lsi_reg_readb(LSIState *s, int offset)
   1601{
   1602    uint8_t ret;
   1603
   1604#define CASE_GET_REG24(name, addr) \
   1605    case addr: ret = s->name & 0xff; break; \
   1606    case addr + 1: ret = (s->name >> 8) & 0xff; break; \
   1607    case addr + 2: ret = (s->name >> 16) & 0xff; break;
   1608
   1609#define CASE_GET_REG32(name, addr) \
   1610    case addr: ret = s->name & 0xff; break; \
   1611    case addr + 1: ret = (s->name >> 8) & 0xff; break; \
   1612    case addr + 2: ret = (s->name >> 16) & 0xff; break; \
   1613    case addr + 3: ret = (s->name >> 24) & 0xff; break;
   1614
   1615    switch (offset) {
   1616    case 0x00: /* SCNTL0 */
   1617        ret = s->scntl0;
   1618        break;
   1619    case 0x01: /* SCNTL1 */
   1620        ret = s->scntl1;
   1621        break;
   1622    case 0x02: /* SCNTL2 */
   1623        ret = s->scntl2;
   1624        break;
   1625    case 0x03: /* SCNTL3 */
   1626        ret = s->scntl3;
   1627        break;
   1628    case 0x04: /* SCID */
   1629        ret = s->scid;
   1630        break;
   1631    case 0x05: /* SXFER */
   1632        ret = s->sxfer;
   1633        break;
   1634    case 0x06: /* SDID */
   1635        ret = s->sdid;
   1636        break;
   1637    case 0x07: /* GPREG0 */
   1638        ret = 0x7f;
   1639        break;
   1640    case 0x08: /* Revision ID */
   1641        ret = 0x00;
   1642        break;
   1643    case 0x09: /* SOCL */
   1644        ret = s->socl;
   1645        break;
   1646    case 0xa: /* SSID */
   1647        ret = s->ssid;
   1648        break;
   1649    case 0xb: /* SBCL */
   1650        ret = s->sbcl;
   1651        break;
   1652    case 0xc: /* DSTAT */
   1653        ret = s->dstat | LSI_DSTAT_DFE;
   1654        if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
   1655            s->dstat = 0;
   1656        lsi_update_irq(s);
   1657        break;
   1658    case 0x0d: /* SSTAT0 */
   1659        ret = s->sstat0;
   1660        break;
   1661    case 0x0e: /* SSTAT1 */
   1662        ret = s->sstat1;
   1663        break;
   1664    case 0x0f: /* SSTAT2 */
   1665        ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
   1666        break;
   1667    CASE_GET_REG32(dsa, 0x10)
   1668    case 0x14: /* ISTAT0 */
   1669        ret = s->istat0;
   1670        break;
   1671    case 0x15: /* ISTAT1 */
   1672        ret = s->istat1;
   1673        break;
   1674    case 0x16: /* MBOX0 */
   1675        ret = s->mbox0;
   1676        break;
   1677    case 0x17: /* MBOX1 */
   1678        ret = s->mbox1;
   1679        break;
   1680    case 0x18: /* CTEST0 */
   1681        ret = 0xff;
   1682        break;
   1683    case 0x19: /* CTEST1 */
   1684        ret = 0;
   1685        break;
   1686    case 0x1a: /* CTEST2 */
   1687        ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
   1688        if (s->istat0 & LSI_ISTAT0_SIGP) {
   1689            s->istat0 &= ~LSI_ISTAT0_SIGP;
   1690            ret |= LSI_CTEST2_SIGP;
   1691        }
   1692        break;
   1693    case 0x1b: /* CTEST3 */
   1694        ret = s->ctest3;
   1695        break;
   1696    CASE_GET_REG32(temp, 0x1c)
   1697    case 0x20: /* DFIFO */
   1698        ret = s->dfifo;
   1699        break;
   1700    case 0x21: /* CTEST4 */
   1701        ret = s->ctest4;
   1702        break;
   1703    case 0x22: /* CTEST5 */
   1704        ret = s->ctest5;
   1705        break;
   1706    case 0x23: /* CTEST6 */
   1707        ret = 0;
   1708        break;
   1709    CASE_GET_REG24(dbc, 0x24)
   1710    case 0x27: /* DCMD */
   1711        ret = s->dcmd;
   1712        break;
   1713    CASE_GET_REG32(dnad, 0x28)
   1714    CASE_GET_REG32(dsp, 0x2c)
   1715    CASE_GET_REG32(dsps, 0x30)
   1716    CASE_GET_REG32(scratch[0], 0x34)
   1717    case 0x38: /* DMODE */
   1718        ret = s->dmode;
   1719        break;
   1720    case 0x39: /* DIEN */
   1721        ret = s->dien;
   1722        break;
   1723    case 0x3a: /* SBR */
   1724        ret = s->sbr;
   1725        break;
   1726    case 0x3b: /* DCNTL */
   1727        ret = s->dcntl;
   1728        break;
   1729    /* ADDER Output (Debug of relative jump address) */
   1730    CASE_GET_REG32(adder, 0x3c)
   1731    case 0x40: /* SIEN0 */
   1732        ret = s->sien0;
   1733        break;
   1734    case 0x41: /* SIEN1 */
   1735        ret = s->sien1;
   1736        break;
   1737    case 0x42: /* SIST0 */
   1738        ret = s->sist0;
   1739        s->sist0 = 0;
   1740        lsi_update_irq(s);
   1741        break;
   1742    case 0x43: /* SIST1 */
   1743        ret = s->sist1;
   1744        s->sist1 = 0;
   1745        lsi_update_irq(s);
   1746        break;
   1747    case 0x46: /* MACNTL */
   1748        ret = 0x0f;
   1749        break;
   1750    case 0x47: /* GPCNTL0 */
   1751        ret = 0x0f;
   1752        break;
   1753    case 0x48: /* STIME0 */
   1754        ret = s->stime0;
   1755        break;
   1756    case 0x4a: /* RESPID0 */
   1757        ret = s->respid0;
   1758        break;
   1759    case 0x4b: /* RESPID1 */
   1760        ret = s->respid1;
   1761        break;
   1762    case 0x4d: /* STEST1 */
   1763        ret = s->stest1;
   1764        break;
   1765    case 0x4e: /* STEST2 */
   1766        ret = s->stest2;
   1767        break;
   1768    case 0x4f: /* STEST3 */
   1769        ret = s->stest3;
   1770        break;
   1771    case 0x50: /* SIDL */
   1772        /* This is needed by the linux drivers.  We currently only update it
   1773           during the MSG IN phase.  */
   1774        ret = s->sidl;
   1775        break;
   1776    case 0x52: /* STEST4 */
   1777        ret = 0xe0;
   1778        break;
   1779    case 0x56: /* CCNTL0 */
   1780        ret = s->ccntl0;
   1781        break;
   1782    case 0x57: /* CCNTL1 */
   1783        ret = s->ccntl1;
   1784        break;
   1785    case 0x58: /* SBDL */
   1786        /* Some drivers peek at the data bus during the MSG IN phase.  */
   1787        if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
   1788            assert(s->msg_len > 0);
   1789            return s->msg[0];
   1790        }
   1791        ret = 0;
   1792        break;
   1793    case 0x59: /* SBDL high */
   1794        ret = 0;
   1795        break;
   1796    CASE_GET_REG32(mmrs, 0xa0)
   1797    CASE_GET_REG32(mmws, 0xa4)
   1798    CASE_GET_REG32(sfs, 0xa8)
   1799    CASE_GET_REG32(drs, 0xac)
   1800    CASE_GET_REG32(sbms, 0xb0)
   1801    CASE_GET_REG32(dbms, 0xb4)
   1802    CASE_GET_REG32(dnad64, 0xb8)
   1803    CASE_GET_REG32(pmjad1, 0xc0)
   1804    CASE_GET_REG32(pmjad2, 0xc4)
   1805    CASE_GET_REG32(rbc, 0xc8)
   1806    CASE_GET_REG32(ua, 0xcc)
   1807    CASE_GET_REG32(ia, 0xd4)
   1808    CASE_GET_REG32(sbc, 0xd8)
   1809    CASE_GET_REG32(csbc, 0xdc)
   1810    case 0x5c ... 0x9f:
   1811    {
   1812        int n;
   1813        int shift;
   1814        n = (offset - 0x58) >> 2;
   1815        shift = (offset & 3) * 8;
   1816        ret = (s->scratch[n] >> shift) & 0xff;
   1817        break;
   1818    }
   1819    default:
   1820    {
   1821        qemu_log_mask(LOG_GUEST_ERROR,
   1822                      "lsi_scsi: invalid read from reg %s %x\n",
   1823                      offset < ARRAY_SIZE(names) ? names[offset] : "???",
   1824                      offset);
   1825        ret = 0xff;
   1826        break;
   1827    }
   1828    }
   1829#undef CASE_GET_REG24
   1830#undef CASE_GET_REG32
   1831
   1832    trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
   1833                       offset, ret);
   1834
   1835    return ret;
   1836}
   1837
   1838static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
   1839{
   1840#define CASE_SET_REG24(name, addr) \
   1841    case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
   1842    case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
   1843    case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
   1844
   1845#define CASE_SET_REG32(name, addr) \
   1846    case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
   1847    case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
   1848    case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
   1849    case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
   1850
   1851    trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
   1852                        offset, val);
   1853
   1854    switch (offset) {
   1855    case 0x00: /* SCNTL0 */
   1856        s->scntl0 = val;
   1857        if (val & LSI_SCNTL0_START) {
   1858            qemu_log_mask(LOG_UNIMP,
   1859                          "lsi_scsi: Start sequence not implemented\n");
   1860        }
   1861        break;
   1862    case 0x01: /* SCNTL1 */
   1863        s->scntl1 = val & ~LSI_SCNTL1_SST;
   1864        if (val & LSI_SCNTL1_IARB) {
   1865            qemu_log_mask(LOG_UNIMP,
   1866                      "lsi_scsi: Immediate Arbritration not implemented\n");
   1867        }
   1868        if (val & LSI_SCNTL1_RST) {
   1869            if (!(s->sstat0 & LSI_SSTAT0_RST)) {
   1870                qbus_reset_all(BUS(&s->bus));
   1871                s->sstat0 |= LSI_SSTAT0_RST;
   1872                lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
   1873            }
   1874        } else {
   1875            s->sstat0 &= ~LSI_SSTAT0_RST;
   1876        }
   1877        break;
   1878    case 0x02: /* SCNTL2 */
   1879        val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
   1880        s->scntl2 = val;
   1881        break;
   1882    case 0x03: /* SCNTL3 */
   1883        s->scntl3 = val;
   1884        break;
   1885    case 0x04: /* SCID */
   1886        s->scid = val;
   1887        break;
   1888    case 0x05: /* SXFER */
   1889        s->sxfer = val;
   1890        break;
   1891    case 0x06: /* SDID */
   1892        if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
   1893            qemu_log_mask(LOG_GUEST_ERROR,
   1894                          "lsi_scsi: Destination ID does not match SSID\n");
   1895        }
   1896        s->sdid = val & 0xf;
   1897        break;
   1898    case 0x07: /* GPREG0 */
   1899        break;
   1900    case 0x08: /* SFBR */
   1901        /* The CPU is not allowed to write to this register.  However the
   1902           SCRIPTS register move instructions are.  */
   1903        s->sfbr = val;
   1904        break;
   1905    case 0x0a: case 0x0b:
   1906        /* Openserver writes to these readonly registers on startup */
   1907        return;
   1908    case 0x0c: case 0x0d: case 0x0e: case 0x0f:
   1909        /* Linux writes to these readonly registers on startup.  */
   1910        return;
   1911    CASE_SET_REG32(dsa, 0x10)
   1912    case 0x14: /* ISTAT0 */
   1913        s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
   1914        if (val & LSI_ISTAT0_ABRT) {
   1915            lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
   1916        }
   1917        if (val & LSI_ISTAT0_INTF) {
   1918            s->istat0 &= ~LSI_ISTAT0_INTF;
   1919            lsi_update_irq(s);
   1920        }
   1921        if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
   1922            trace_lsi_awoken();
   1923            s->waiting = LSI_NOWAIT;
   1924            s->dsp = s->dnad;
   1925            lsi_execute_script(s);
   1926        }
   1927        if (val & LSI_ISTAT0_SRST) {
   1928            qdev_reset_all(DEVICE(s));
   1929        }
   1930        break;
   1931    case 0x16: /* MBOX0 */
   1932        s->mbox0 = val;
   1933        break;
   1934    case 0x17: /* MBOX1 */
   1935        s->mbox1 = val;
   1936        break;
   1937    case 0x18: /* CTEST0 */
   1938        /* nothing to do */
   1939        break;
   1940    case 0x1a: /* CTEST2 */
   1941        s->ctest2 = val & LSI_CTEST2_PCICIE;
   1942        break;
   1943    case 0x1b: /* CTEST3 */
   1944        s->ctest3 = val & 0x0f;
   1945        break;
   1946    CASE_SET_REG32(temp, 0x1c)
   1947    case 0x21: /* CTEST4 */
   1948        if (val & 7) {
   1949            qemu_log_mask(LOG_UNIMP,
   1950                          "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
   1951        }
   1952        s->ctest4 = val;
   1953        break;
   1954    case 0x22: /* CTEST5 */
   1955        if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
   1956            qemu_log_mask(LOG_UNIMP,
   1957                          "lsi_scsi: CTEST5 DMA increment not implemented\n");
   1958        }
   1959        s->ctest5 = val;
   1960        break;
   1961    CASE_SET_REG24(dbc, 0x24)
   1962    CASE_SET_REG32(dnad, 0x28)
   1963    case 0x2c: /* DSP[0:7] */
   1964        s->dsp &= 0xffffff00;
   1965        s->dsp |= val;
   1966        break;
   1967    case 0x2d: /* DSP[8:15] */
   1968        s->dsp &= 0xffff00ff;
   1969        s->dsp |= val << 8;
   1970        break;
   1971    case 0x2e: /* DSP[16:23] */
   1972        s->dsp &= 0xff00ffff;
   1973        s->dsp |= val << 16;
   1974        break;
   1975    case 0x2f: /* DSP[24:31] */
   1976        s->dsp &= 0x00ffffff;
   1977        s->dsp |= val << 24;
   1978        /*
   1979         * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
   1980         * instruction.  Is this correct?
   1981         */
   1982        if ((s->dmode & LSI_DMODE_MAN) == 0
   1983            && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
   1984            lsi_execute_script(s);
   1985        break;
   1986    CASE_SET_REG32(dsps, 0x30)
   1987    CASE_SET_REG32(scratch[0], 0x34)
   1988    case 0x38: /* DMODE */
   1989        s->dmode = val;
   1990        break;
   1991    case 0x39: /* DIEN */
   1992        s->dien = val;
   1993        lsi_update_irq(s);
   1994        break;
   1995    case 0x3a: /* SBR */
   1996        s->sbr = val;
   1997        break;
   1998    case 0x3b: /* DCNTL */
   1999        s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
   2000        /*
   2001         * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
   2002         * instruction.  Is this correct?
   2003         */
   2004        if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
   2005            lsi_execute_script(s);
   2006        break;
   2007    case 0x40: /* SIEN0 */
   2008        s->sien0 = val;
   2009        lsi_update_irq(s);
   2010        break;
   2011    case 0x41: /* SIEN1 */
   2012        s->sien1 = val;
   2013        lsi_update_irq(s);
   2014        break;
   2015    case 0x47: /* GPCNTL0 */
   2016        break;
   2017    case 0x48: /* STIME0 */
   2018        s->stime0 = val;
   2019        break;
   2020    case 0x49: /* STIME1 */
   2021        if (val & 0xf) {
   2022            qemu_log_mask(LOG_UNIMP,
   2023                          "lsi_scsi: General purpose timer not implemented\n");
   2024            /* ??? Raising the interrupt immediately seems to be sufficient
   2025               to keep the FreeBSD driver happy.  */
   2026            lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
   2027        }
   2028        break;
   2029    case 0x4a: /* RESPID0 */
   2030        s->respid0 = val;
   2031        break;
   2032    case 0x4b: /* RESPID1 */
   2033        s->respid1 = val;
   2034        break;
   2035    case 0x4d: /* STEST1 */
   2036        s->stest1 = val;
   2037        break;
   2038    case 0x4e: /* STEST2 */
   2039        if (val & 1) {
   2040            qemu_log_mask(LOG_UNIMP,
   2041                          "lsi_scsi: Low level mode not implemented\n");
   2042        }
   2043        s->stest2 = val;
   2044        break;
   2045    case 0x4f: /* STEST3 */
   2046        if (val & 0x41) {
   2047            qemu_log_mask(LOG_UNIMP,
   2048                          "lsi_scsi: SCSI FIFO test mode not implemented\n");
   2049        }
   2050        s->stest3 = val;
   2051        break;
   2052    case 0x56: /* CCNTL0 */
   2053        s->ccntl0 = val;
   2054        break;
   2055    case 0x57: /* CCNTL1 */
   2056        s->ccntl1 = val;
   2057        break;
   2058    CASE_SET_REG32(mmrs, 0xa0)
   2059    CASE_SET_REG32(mmws, 0xa4)
   2060    CASE_SET_REG32(sfs, 0xa8)
   2061    CASE_SET_REG32(drs, 0xac)
   2062    CASE_SET_REG32(sbms, 0xb0)
   2063    CASE_SET_REG32(dbms, 0xb4)
   2064    CASE_SET_REG32(dnad64, 0xb8)
   2065    CASE_SET_REG32(pmjad1, 0xc0)
   2066    CASE_SET_REG32(pmjad2, 0xc4)
   2067    CASE_SET_REG32(rbc, 0xc8)
   2068    CASE_SET_REG32(ua, 0xcc)
   2069    CASE_SET_REG32(ia, 0xd4)
   2070    CASE_SET_REG32(sbc, 0xd8)
   2071    CASE_SET_REG32(csbc, 0xdc)
   2072    default:
   2073        if (offset >= 0x5c && offset < 0xa0) {
   2074            int n;
   2075            int shift;
   2076            n = (offset - 0x58) >> 2;
   2077            shift = (offset & 3) * 8;
   2078            s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
   2079        } else {
   2080            qemu_log_mask(LOG_GUEST_ERROR,
   2081                          "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
   2082                          offset < ARRAY_SIZE(names) ? names[offset] : "???",
   2083                          offset, val);
   2084        }
   2085    }
   2086#undef CASE_SET_REG24
   2087#undef CASE_SET_REG32
   2088}
   2089
   2090static void lsi_mmio_write(void *opaque, hwaddr addr,
   2091                           uint64_t val, unsigned size)
   2092{
   2093    LSIState *s = opaque;
   2094
   2095    lsi_reg_writeb(s, addr & 0xff, val);
   2096}
   2097
   2098static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
   2099                              unsigned size)
   2100{
   2101    LSIState *s = opaque;
   2102    return lsi_reg_readb(s, addr & 0xff);
   2103}
   2104
   2105static const MemoryRegionOps lsi_mmio_ops = {
   2106    .read = lsi_mmio_read,
   2107    .write = lsi_mmio_write,
   2108    .endianness = DEVICE_LITTLE_ENDIAN,
   2109    .impl = {
   2110        .min_access_size = 1,
   2111        .max_access_size = 1,
   2112    },
   2113};
   2114
   2115static void lsi_ram_write(void *opaque, hwaddr addr,
   2116                          uint64_t val, unsigned size)
   2117{
   2118    LSIState *s = opaque;
   2119    stn_le_p(s->script_ram + addr, size, val);
   2120}
   2121
   2122static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
   2123                             unsigned size)
   2124{
   2125    LSIState *s = opaque;
   2126    return ldn_le_p(s->script_ram + addr, size);
   2127}
   2128
   2129static const MemoryRegionOps lsi_ram_ops = {
   2130    .read = lsi_ram_read,
   2131    .write = lsi_ram_write,
   2132    .endianness = DEVICE_LITTLE_ENDIAN,
   2133};
   2134
   2135static uint64_t lsi_io_read(void *opaque, hwaddr addr,
   2136                            unsigned size)
   2137{
   2138    LSIState *s = opaque;
   2139    return lsi_reg_readb(s, addr & 0xff);
   2140}
   2141
   2142static void lsi_io_write(void *opaque, hwaddr addr,
   2143                         uint64_t val, unsigned size)
   2144{
   2145    LSIState *s = opaque;
   2146    lsi_reg_writeb(s, addr & 0xff, val);
   2147}
   2148
   2149static const MemoryRegionOps lsi_io_ops = {
   2150    .read = lsi_io_read,
   2151    .write = lsi_io_write,
   2152    .endianness = DEVICE_LITTLE_ENDIAN,
   2153    .impl = {
   2154        .min_access_size = 1,
   2155        .max_access_size = 1,
   2156    },
   2157};
   2158
   2159static void lsi_scsi_reset(DeviceState *dev)
   2160{
   2161    LSIState *s = LSI53C895A(dev);
   2162
   2163    lsi_soft_reset(s);
   2164}
   2165
   2166static int lsi_pre_save(void *opaque)
   2167{
   2168    LSIState *s = opaque;
   2169
   2170    if (s->current) {
   2171        assert(s->current->dma_buf == NULL);
   2172        assert(s->current->dma_len == 0);
   2173    }
   2174    assert(QTAILQ_EMPTY(&s->queue));
   2175
   2176    return 0;
   2177}
   2178
   2179static int lsi_post_load(void *opaque, int version_id)
   2180{
   2181    LSIState *s = opaque;
   2182
   2183    if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
   2184        return -EINVAL;
   2185    }
   2186
   2187    return 0;
   2188}
   2189
   2190static const VMStateDescription vmstate_lsi_scsi = {
   2191    .name = "lsiscsi",
   2192    .version_id = 1,
   2193    .minimum_version_id = 0,
   2194    .pre_save = lsi_pre_save,
   2195    .post_load = lsi_post_load,
   2196    .fields = (VMStateField[]) {
   2197        VMSTATE_PCI_DEVICE(parent_obj, LSIState),
   2198
   2199        VMSTATE_INT32(carry, LSIState),
   2200        VMSTATE_INT32(status, LSIState),
   2201        VMSTATE_INT32(msg_action, LSIState),
   2202        VMSTATE_INT32(msg_len, LSIState),
   2203        VMSTATE_BUFFER(msg, LSIState),
   2204        VMSTATE_INT32(waiting, LSIState),
   2205
   2206        VMSTATE_UINT32(dsa, LSIState),
   2207        VMSTATE_UINT32(temp, LSIState),
   2208        VMSTATE_UINT32(dnad, LSIState),
   2209        VMSTATE_UINT32(dbc, LSIState),
   2210        VMSTATE_UINT8(istat0, LSIState),
   2211        VMSTATE_UINT8(istat1, LSIState),
   2212        VMSTATE_UINT8(dcmd, LSIState),
   2213        VMSTATE_UINT8(dstat, LSIState),
   2214        VMSTATE_UINT8(dien, LSIState),
   2215        VMSTATE_UINT8(sist0, LSIState),
   2216        VMSTATE_UINT8(sist1, LSIState),
   2217        VMSTATE_UINT8(sien0, LSIState),
   2218        VMSTATE_UINT8(sien1, LSIState),
   2219        VMSTATE_UINT8(mbox0, LSIState),
   2220        VMSTATE_UINT8(mbox1, LSIState),
   2221        VMSTATE_UINT8(dfifo, LSIState),
   2222        VMSTATE_UINT8(ctest2, LSIState),
   2223        VMSTATE_UINT8(ctest3, LSIState),
   2224        VMSTATE_UINT8(ctest4, LSIState),
   2225        VMSTATE_UINT8(ctest5, LSIState),
   2226        VMSTATE_UINT8(ccntl0, LSIState),
   2227        VMSTATE_UINT8(ccntl1, LSIState),
   2228        VMSTATE_UINT32(dsp, LSIState),
   2229        VMSTATE_UINT32(dsps, LSIState),
   2230        VMSTATE_UINT8(dmode, LSIState),
   2231        VMSTATE_UINT8(dcntl, LSIState),
   2232        VMSTATE_UINT8(scntl0, LSIState),
   2233        VMSTATE_UINT8(scntl1, LSIState),
   2234        VMSTATE_UINT8(scntl2, LSIState),
   2235        VMSTATE_UINT8(scntl3, LSIState),
   2236        VMSTATE_UINT8(sstat0, LSIState),
   2237        VMSTATE_UINT8(sstat1, LSIState),
   2238        VMSTATE_UINT8(scid, LSIState),
   2239        VMSTATE_UINT8(sxfer, LSIState),
   2240        VMSTATE_UINT8(socl, LSIState),
   2241        VMSTATE_UINT8(sdid, LSIState),
   2242        VMSTATE_UINT8(ssid, LSIState),
   2243        VMSTATE_UINT8(sfbr, LSIState),
   2244        VMSTATE_UINT8(stest1, LSIState),
   2245        VMSTATE_UINT8(stest2, LSIState),
   2246        VMSTATE_UINT8(stest3, LSIState),
   2247        VMSTATE_UINT8(sidl, LSIState),
   2248        VMSTATE_UINT8(stime0, LSIState),
   2249        VMSTATE_UINT8(respid0, LSIState),
   2250        VMSTATE_UINT8(respid1, LSIState),
   2251        VMSTATE_UINT8_V(sbcl, LSIState, 1),
   2252        VMSTATE_UINT32(mmrs, LSIState),
   2253        VMSTATE_UINT32(mmws, LSIState),
   2254        VMSTATE_UINT32(sfs, LSIState),
   2255        VMSTATE_UINT32(drs, LSIState),
   2256        VMSTATE_UINT32(sbms, LSIState),
   2257        VMSTATE_UINT32(dbms, LSIState),
   2258        VMSTATE_UINT32(dnad64, LSIState),
   2259        VMSTATE_UINT32(pmjad1, LSIState),
   2260        VMSTATE_UINT32(pmjad2, LSIState),
   2261        VMSTATE_UINT32(rbc, LSIState),
   2262        VMSTATE_UINT32(ua, LSIState),
   2263        VMSTATE_UINT32(ia, LSIState),
   2264        VMSTATE_UINT32(sbc, LSIState),
   2265        VMSTATE_UINT32(csbc, LSIState),
   2266        VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
   2267        VMSTATE_UINT8(sbr, LSIState),
   2268
   2269        VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
   2270        VMSTATE_END_OF_LIST()
   2271    }
   2272};
   2273
   2274static const struct SCSIBusInfo lsi_scsi_info = {
   2275    .tcq = true,
   2276    .max_target = LSI_MAX_DEVS,
   2277    .max_lun = 0,  /* LUN support is buggy */
   2278
   2279    .transfer_data = lsi_transfer_data,
   2280    .complete = lsi_command_complete,
   2281    .cancel = lsi_request_cancelled
   2282};
   2283
   2284static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
   2285{
   2286    LSIState *s = LSI53C895A(dev);
   2287    DeviceState *d = DEVICE(dev);
   2288    uint8_t *pci_conf;
   2289
   2290    pci_conf = dev->config;
   2291
   2292    /* PCI latency timer = 255 */
   2293    pci_conf[PCI_LATENCY_TIMER] = 0xff;
   2294    /* Interrupt pin A */
   2295    pci_conf[PCI_INTERRUPT_PIN] = 0x01;
   2296
   2297    memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
   2298                          "lsi-mmio", 0x400);
   2299    memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
   2300                          "lsi-ram", 0x2000);
   2301    memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
   2302                          "lsi-io", 256);
   2303
   2304    address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
   2305    qdev_init_gpio_out(d, &s->ext_irq, 1);
   2306
   2307    pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
   2308    pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
   2309    pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
   2310    QTAILQ_INIT(&s->queue);
   2311
   2312    scsi_bus_init(&s->bus, sizeof(s->bus), d, &lsi_scsi_info);
   2313}
   2314
   2315static void lsi_scsi_exit(PCIDevice *dev)
   2316{
   2317    LSIState *s = LSI53C895A(dev);
   2318
   2319    address_space_destroy(&s->pci_io_as);
   2320}
   2321
   2322static void lsi_class_init(ObjectClass *klass, void *data)
   2323{
   2324    DeviceClass *dc = DEVICE_CLASS(klass);
   2325    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
   2326
   2327    k->realize = lsi_scsi_realize;
   2328    k->exit = lsi_scsi_exit;
   2329    k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
   2330    k->device_id = PCI_DEVICE_ID_LSI_53C895A;
   2331    k->class_id = PCI_CLASS_STORAGE_SCSI;
   2332    k->subsystem_id = 0x1000;
   2333    dc->reset = lsi_scsi_reset;
   2334    dc->vmsd = &vmstate_lsi_scsi;
   2335    set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
   2336}
   2337
   2338static const TypeInfo lsi_info = {
   2339    .name          = TYPE_LSI53C895A,
   2340    .parent        = TYPE_PCI_DEVICE,
   2341    .instance_size = sizeof(LSIState),
   2342    .class_init    = lsi_class_init,
   2343    .interfaces = (InterfaceInfo[]) {
   2344        { INTERFACE_CONVENTIONAL_PCI_DEVICE },
   2345        { },
   2346    },
   2347};
   2348
   2349static void lsi53c810_class_init(ObjectClass *klass, void *data)
   2350{
   2351    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
   2352
   2353    k->device_id = PCI_DEVICE_ID_LSI_53C810;
   2354}
   2355
   2356static TypeInfo lsi53c810_info = {
   2357    .name          = TYPE_LSI53C810,
   2358    .parent        = TYPE_LSI53C895A,
   2359    .class_init    = lsi53c810_class_init,
   2360};
   2361
   2362static void lsi53c895a_register_types(void)
   2363{
   2364    type_register_static(&lsi_info);
   2365    type_register_static(&lsi53c810_info);
   2366}
   2367
   2368type_init(lsi53c895a_register_types)
   2369
   2370void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
   2371{
   2372    LSIState *s = LSI53C895A(lsi_dev);
   2373
   2374    scsi_bus_legacy_handle_cmdline(&s->bus);
   2375}