xref: /openbmc/qemu/hw/net/eepro100.c (revision c5a5839856119a3644dcc0775a046ed0ee3081c3)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 2 of the License, or
12  * (at your option) version 3 or any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * Tested features (i82559):
23  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
24  *      Linux networking (i386) ok
25  *
26  * Untested:
27  *      Windows networking
28  *
29  * References:
30  *
31  * Intel 8255x 10/100 Mbps Ethernet Controller Family
32  * Open Source Software Developer Manual
33  *
34  * TODO:
35  *      * PHY emulation should be separated from nic emulation.
36  *        Most nic emulations could share the same phy code.
37  *      * i82550 is untested. It is programmed like the i82559.
38  *      * i82562 is untested. It is programmed like the i82559.
39  *      * Power management (i82558 and later) is not implemented.
40  *      * Wake-on-LAN is not implemented.
41  */
42 
43 #include "qemu/osdep.h"
44 #include "qemu/units.h"
45 #include "hw/pci/pci.h"
46 #include "hw/qdev-properties.h"
47 #include "migration/vmstate.h"
48 #include "net/net.h"
49 #include "net/eth.h"
50 #include "hw/nvram/eeprom93xx.h"
51 #include "sysemu/sysemu.h"
52 #include "sysemu/dma.h"
53 #include "sysemu/reset.h"
54 #include "qemu/bitops.h"
55 #include "qemu/module.h"
56 #include "qapi/error.h"
57 
58 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
59  * Such frames are rejected by real nics and their emulations.
60  * To avoid this behaviour, other nic emulations pad received
61  * frames. The following definition enables this padding for
62  * eepro100, too. We keep the define around in case it might
63  * become useful the future if the core networking is ever
64  * changed to pad short packets itself. */
65 #define CONFIG_PAD_RECEIVED_FRAMES
66 
67 /* Debug EEPRO100 card. */
68 #if 0
69 # define DEBUG_EEPRO100
70 #endif
71 
72 #ifdef DEBUG_EEPRO100
73 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
74 #else
75 #define logout(fmt, ...) ((void)0)
76 #endif
77 
78 /* Set flags to 0 to disable debug output. */
79 #define INT     1       /* interrupt related actions */
80 #define MDI     1       /* mdi related actions */
81 #define OTHER   1
82 #define RXTX    1
83 #define EEPROM  1       /* eeprom related actions */
84 
85 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
86 
87 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
88 
89 #define MAX_ETH_FRAME_SIZE 1514
90 
91 /* This driver supports several different devices which are declared here. */
92 #define i82550          0x82550
93 #define i82551          0x82551
94 #define i82557A         0x82557a
95 #define i82557B         0x82557b
96 #define i82557C         0x82557c
97 #define i82558A         0x82558a
98 #define i82558B         0x82558b
99 #define i82559A         0x82559a
100 #define i82559B         0x82559b
101 #define i82559C         0x82559c
102 #define i82559ER        0x82559e
103 #define i82562          0x82562
104 #define i82801          0x82801
105 
106 /* Use 64 word EEPROM. TODO: could be a runtime option. */
107 #define EEPROM_SIZE     64
108 
109 #define PCI_MEM_SIZE            (4 * KiB)
110 #define PCI_IO_SIZE             64
111 #define PCI_FLASH_SIZE          (128 * KiB)
112 
113 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
114 
115 /* The SCB accepts the following controls for the Tx and Rx units: */
116 #define  CU_NOP         0x0000  /* No operation. */
117 #define  CU_START       0x0010  /* CU start. */
118 #define  CU_RESUME      0x0020  /* CU resume. */
119 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
120 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
121 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
122 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
123 #define  CU_SRESUME     0x00a0  /* CU static resume. */
124 
125 #define  RU_NOP         0x0000
126 #define  RX_START       0x0001
127 #define  RX_RESUME      0x0002
128 #define  RU_ABORT       0x0004
129 #define  RX_ADDR_LOAD   0x0006
130 #define  RX_RESUMENR    0x0007
131 #define INT_MASK        0x0100
132 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
133 
134 typedef struct {
135     const char *name;
136     const char *desc;
137     uint16_t device_id;
138     uint8_t revision;
139     uint16_t subsystem_vendor_id;
140     uint16_t subsystem_id;
141 
142     uint32_t device;
143     uint8_t stats_size;
144     bool has_extended_tcb_support;
145     bool power_management;
146 } E100PCIDeviceInfo;
147 
148 /* Offsets to the various registers.
149    All accesses need not be longword aligned. */
150 typedef enum {
151     SCBStatus = 0,              /* Status Word. */
152     SCBAck = 1,
153     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
154     SCBIntmask = 3,
155     SCBPointer = 4,             /* General purpose pointer. */
156     SCBPort = 8,                /* Misc. commands and operands.  */
157     SCBflash = 12,              /* Flash memory control. */
158     SCBeeprom = 14,             /* EEPROM control. */
159     SCBCtrlMDI = 16,            /* MDI interface control. */
160     SCBEarlyRx = 20,            /* Early receive byte count. */
161     SCBFlow = 24,               /* Flow Control. */
162     SCBpmdr = 27,               /* Power Management Driver. */
163     SCBgctrl = 28,              /* General Control. */
164     SCBgstat = 29,              /* General Status. */
165 } E100RegisterOffset;
166 
167 /* A speedo3 transmit buffer descriptor with two buffers... */
168 typedef struct {
169     uint16_t status;
170     uint16_t command;
171     uint32_t link;              /* void * */
172     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
173     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
174     uint8_t tx_threshold;       /* transmit threshold */
175     uint8_t tbd_count;          /* TBD number */
176 #if 0
177     /* This constitutes two "TBD" entries: hdr and data */
178     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
179     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
180     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
181     int32_t  tx_buf_size1;  /* Length of Tx data. */
182 #endif
183 } eepro100_tx_t;
184 
185 /* Receive frame descriptor. */
186 typedef struct {
187     int16_t status;
188     uint16_t command;
189     uint32_t link;              /* struct RxFD * */
190     uint32_t rx_buf_addr;       /* void * */
191     uint16_t count;
192     uint16_t size;
193     /* Ethernet frame data follows. */
194 } eepro100_rx_t;
195 
196 typedef enum {
197     COMMAND_EL = BIT(15),
198     COMMAND_S = BIT(14),
199     COMMAND_I = BIT(13),
200     COMMAND_NC = BIT(4),
201     COMMAND_SF = BIT(3),
202     COMMAND_CMD = BITS(2, 0),
203 } scb_command_bit;
204 
205 typedef enum {
206     STATUS_C = BIT(15),
207     STATUS_OK = BIT(13),
208 } scb_status_bit;
209 
210 typedef struct {
211     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
212              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
213              tx_multiple_collisions, tx_total_collisions;
214     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
215              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
216              rx_short_frame_errors;
217     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
218     uint16_t xmt_tco_frames, rcv_tco_frames;
219     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
220     uint32_t reserved[4];
221 } eepro100_stats_t;
222 
223 typedef enum {
224     cu_idle = 0,
225     cu_suspended = 1,
226     cu_active = 2,
227     cu_lpq_active = 2,
228     cu_hqp_active = 3
229 } cu_state_t;
230 
231 typedef enum {
232     ru_idle = 0,
233     ru_suspended = 1,
234     ru_no_resources = 2,
235     ru_ready = 4
236 } ru_state_t;
237 
238 typedef struct {
239     PCIDevice dev;
240     /* Hash register (multicast mask array, multiple individual addresses). */
241     uint8_t mult[8];
242     MemoryRegion mmio_bar;
243     MemoryRegion io_bar;
244     MemoryRegion flash_bar;
245     NICState *nic;
246     NICConf conf;
247     uint8_t scb_stat;           /* SCB stat/ack byte */
248     uint8_t int_stat;           /* PCI interrupt status */
249     /* region must not be saved by nic_save. */
250     uint16_t mdimem[32];
251     eeprom_t *eeprom;
252     uint32_t device;            /* device variant */
253     /* (cu_base + cu_offset) address the next command block in the command block list. */
254     uint32_t cu_base;           /* CU base address */
255     uint32_t cu_offset;         /* CU address offset */
256     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
257     uint32_t ru_base;           /* RU base address */
258     uint32_t ru_offset;         /* RU address offset */
259     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
260 
261     /* Temporary status information (no need to save these values),
262      * used while processing CU commands. */
263     eepro100_tx_t tx;           /* transmit buffer descriptor */
264     uint32_t cb_address;        /* = cu_base + cu_offset */
265 
266     /* Statistical counters. Also used for wake-up packet (i82559). */
267     eepro100_stats_t statistics;
268 
269     /* Data in mem is always in the byte order of the controller (le).
270      * It must be dword aligned to allow direct access to 32 bit values. */
271     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
272 
273     /* Configuration bytes. */
274     uint8_t configuration[22];
275 
276     /* vmstate for each particular nic */
277     VMStateDescription *vmstate;
278 
279     /* Quasi static device properties (no need to save them). */
280     uint16_t stats_size;
281     bool has_extended_tcb_support;
282 } EEPRO100State;
283 
284 /* Word indices in EEPROM. */
285 typedef enum {
286     EEPROM_CNFG_MDIX  = 0x03,
287     EEPROM_ID         = 0x05,
288     EEPROM_PHY_ID     = 0x06,
289     EEPROM_VENDOR_ID  = 0x0c,
290     EEPROM_CONFIG_ASF = 0x0d,
291     EEPROM_DEVICE_ID  = 0x23,
292     EEPROM_SMBUS_ADDR = 0x90,
293 } EEPROMOffset;
294 
295 /* Bit values for EEPROM ID word. */
296 typedef enum {
297     EEPROM_ID_MDM = BIT(0),     /* Modem */
298     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
299     EEPROM_ID_WMR = BIT(2),     /* ??? */
300     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
301     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
302     EEPROM_ID_ALT = BIT(7),     /* */
303     /* BITS(10, 8) device revision */
304     EEPROM_ID_BD = BIT(11),     /* boot disable */
305     EEPROM_ID_ID = BIT(13),     /* id bit */
306     /* BITS(15, 14) signature */
307     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
308 } eeprom_id_bit;
309 
310 /* Default values for MDI (PHY) registers */
311 static const uint16_t eepro100_mdi_default[] = {
312     /* MDI Registers 0 - 6, 7 */
313     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
314     /* MDI Registers 8 - 15 */
315     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
316     /* MDI Registers 16 - 31 */
317     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
318     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
319 };
320 
321 /* Readonly mask for MDI (PHY) registers */
322 static const uint16_t eepro100_mdi_mask[] = {
323     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
324     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
325     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
326     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
327 };
328 
329 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
330 
331 /* Read a 16 bit control/status (CSR) register. */
332 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
333 {
334     assert(!((uintptr_t)&s->mem[addr] & 1));
335     return lduw_le_p(&s->mem[addr]);
336 }
337 
338 /* Read a 32 bit control/status (CSR) register. */
339 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
340 {
341     assert(!((uintptr_t)&s->mem[addr] & 3));
342     return ldl_le_p(&s->mem[addr]);
343 }
344 
345 /* Write a 16 bit control/status (CSR) register. */
346 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
347                             uint16_t val)
348 {
349     assert(!((uintptr_t)&s->mem[addr] & 1));
350     stw_le_p(&s->mem[addr], val);
351 }
352 
353 /* Read a 32 bit control/status (CSR) register. */
354 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
355                             uint32_t val)
356 {
357     assert(!((uintptr_t)&s->mem[addr] & 3));
358     stl_le_p(&s->mem[addr], val);
359 }
360 
361 #if defined(DEBUG_EEPRO100)
362 static const char *nic_dump(const uint8_t * buf, unsigned size)
363 {
364     static char dump[3 * 16 + 1];
365     char *p = &dump[0];
366     if (size > 16) {
367         size = 16;
368     }
369     while (size-- > 0) {
370         p += sprintf(p, " %02x", *buf++);
371     }
372     return dump;
373 }
374 #endif                          /* DEBUG_EEPRO100 */
375 
376 enum scb_stat_ack {
377     stat_ack_not_ours = 0x00,
378     stat_ack_sw_gen = 0x04,
379     stat_ack_rnr = 0x10,
380     stat_ack_cu_idle = 0x20,
381     stat_ack_frame_rx = 0x40,
382     stat_ack_cu_cmd_done = 0x80,
383     stat_ack_not_present = 0xFF,
384     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
385     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
386 };
387 
388 static void disable_interrupt(EEPRO100State * s)
389 {
390     if (s->int_stat) {
391         TRACE(INT, logout("interrupt disabled\n"));
392         pci_irq_deassert(&s->dev);
393         s->int_stat = 0;
394     }
395 }
396 
397 static void enable_interrupt(EEPRO100State * s)
398 {
399     if (!s->int_stat) {
400         TRACE(INT, logout("interrupt enabled\n"));
401         pci_irq_assert(&s->dev);
402         s->int_stat = 1;
403     }
404 }
405 
406 static void eepro100_acknowledge(EEPRO100State * s)
407 {
408     s->scb_stat &= ~s->mem[SCBAck];
409     s->mem[SCBAck] = s->scb_stat;
410     if (s->scb_stat == 0) {
411         disable_interrupt(s);
412     }
413 }
414 
415 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
416 {
417     uint8_t mask = ~s->mem[SCBIntmask];
418     s->mem[SCBAck] |= status;
419     status = s->scb_stat = s->mem[SCBAck];
420     status &= (mask | 0x0f);
421 #if 0
422     status &= (~s->mem[SCBIntmask] | 0x0xf);
423 #endif
424     if (status && (mask & 0x01)) {
425         /* SCB mask and SCB Bit M do not disable interrupt. */
426         enable_interrupt(s);
427     } else if (s->int_stat) {
428         disable_interrupt(s);
429     }
430 }
431 
432 static void eepro100_cx_interrupt(EEPRO100State * s)
433 {
434     /* CU completed action command. */
435     /* Transmit not ok (82557 only, not in emulation). */
436     eepro100_interrupt(s, 0x80);
437 }
438 
439 static void eepro100_cna_interrupt(EEPRO100State * s)
440 {
441     /* CU left the active state. */
442     eepro100_interrupt(s, 0x20);
443 }
444 
445 static void eepro100_fr_interrupt(EEPRO100State * s)
446 {
447     /* RU received a complete frame. */
448     eepro100_interrupt(s, 0x40);
449 }
450 
451 static void eepro100_rnr_interrupt(EEPRO100State * s)
452 {
453     /* RU is not ready. */
454     eepro100_interrupt(s, 0x10);
455 }
456 
457 static void eepro100_mdi_interrupt(EEPRO100State * s)
458 {
459     /* MDI completed read or write cycle. */
460     eepro100_interrupt(s, 0x08);
461 }
462 
463 static void eepro100_swi_interrupt(EEPRO100State * s)
464 {
465     /* Software has requested an interrupt. */
466     eepro100_interrupt(s, 0x04);
467 }
468 
469 #if 0
470 static void eepro100_fcp_interrupt(EEPRO100State * s)
471 {
472     /* Flow control pause interrupt (82558 and later). */
473     eepro100_interrupt(s, 0x01);
474 }
475 #endif
476 
477 static void e100_pci_reset(EEPRO100State *s, Error **errp)
478 {
479     E100PCIDeviceInfo *info = eepro100_get_class(s);
480     uint32_t device = s->device;
481     uint8_t *pci_conf = s->dev.config;
482 
483     TRACE(OTHER, logout("%p\n", s));
484 
485     /* PCI Status */
486     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
487                                         PCI_STATUS_FAST_BACK);
488     /* PCI Latency Timer */
489     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
490     /* Capability Pointer is set by PCI framework. */
491     /* Interrupt Line */
492     /* Interrupt Pin */
493     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
494     /* Minimum Grant */
495     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
496     /* Maximum Latency */
497     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
498 
499     s->stats_size = info->stats_size;
500     s->has_extended_tcb_support = info->has_extended_tcb_support;
501 
502     switch (device) {
503     case i82550:
504     case i82551:
505     case i82557A:
506     case i82557B:
507     case i82557C:
508     case i82558A:
509     case i82558B:
510     case i82559A:
511     case i82559B:
512     case i82559ER:
513     case i82562:
514     case i82801:
515     case i82559C:
516         break;
517     default:
518         logout("Device %X is undefined!\n", device);
519     }
520 
521     /* Standard TxCB. */
522     s->configuration[6] |= BIT(4);
523 
524     /* Standard statistical counters. */
525     s->configuration[6] |= BIT(5);
526 
527     if (s->stats_size == 80) {
528         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
529         if (s->configuration[6] & BIT(2)) {
530             /* TCO statistical counters. */
531             assert(s->configuration[6] & BIT(5));
532         } else {
533             if (s->configuration[6] & BIT(5)) {
534                 /* No extended statistical counters, i82557 compatible. */
535                 s->stats_size = 64;
536             } else {
537                 /* i82558 compatible. */
538                 s->stats_size = 76;
539             }
540         }
541     } else {
542         if (s->configuration[6] & BIT(5)) {
543             /* No extended statistical counters. */
544             s->stats_size = 64;
545         }
546     }
547     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
548 
549     if (info->power_management) {
550         /* Power Management Capabilities */
551         int cfg_offset = 0xdc;
552         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
553                                    cfg_offset, PCI_PM_SIZEOF,
554                                    errp);
555         if (r < 0) {
556             return;
557         }
558 
559         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
560 #if 0 /* TODO: replace dummy code for power management emulation. */
561         /* TODO: Power Management Control / Status. */
562         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
563         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
564         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
565 #endif
566     }
567 
568 #if EEPROM_SIZE > 0
569     if (device == i82557C || device == i82558B || device == i82559C) {
570         /*
571         TODO: get vendor id from EEPROM for i82557C or later.
572         TODO: get device id from EEPROM for i82557C or later.
573         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
574         TODO: header type is determined by EEPROM for i82559.
575         TODO: get subsystem id from EEPROM for i82557C or later.
576         TODO: get subsystem vendor id from EEPROM for i82557C or later.
577         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
578         TODO: capability pointer depends on EEPROM for i82558.
579         */
580         logout("Get device id and revision from EEPROM!!!\n");
581     }
582 #endif /* EEPROM_SIZE > 0 */
583 }
584 
585 static void nic_selective_reset(EEPRO100State * s)
586 {
587     size_t i;
588     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
589 #if 0
590     eeprom93xx_reset(s->eeprom);
591 #endif
592     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
593     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
594     if (s->device == i82557B || s->device == i82557C)
595         eeprom_contents[5] = 0x0100;
596     eeprom_contents[EEPROM_PHY_ID] = 1;
597     uint16_t sum = 0;
598     for (i = 0; i < EEPROM_SIZE - 1; i++) {
599         sum += eeprom_contents[i];
600     }
601     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
602     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
603 
604     memset(s->mem, 0, sizeof(s->mem));
605     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
606 
607     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
608     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
609 }
610 
611 static void nic_reset(void *opaque)
612 {
613     EEPRO100State *s = opaque;
614     TRACE(OTHER, logout("%p\n", s));
615     /* TODO: Clearing of hash register for selective reset, too? */
616     memset(&s->mult[0], 0, sizeof(s->mult));
617     nic_selective_reset(s);
618 }
619 
620 #if defined(DEBUG_EEPRO100)
621 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
622     "Command/Status",
623     "General Pointer",
624     "Port",
625     "EEPROM/Flash Control",
626     "MDI Control",
627     "Receive DMA Byte Count",
628     "Flow Control",
629     "General Status/Control"
630 };
631 
632 static char *regname(uint32_t addr)
633 {
634     static char buf[32];
635     if (addr < PCI_IO_SIZE) {
636         const char *r = e100_reg[addr / 4];
637         if (r != 0) {
638             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
639         } else {
640             snprintf(buf, sizeof(buf), "0x%02x", addr);
641         }
642     } else {
643         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
644     }
645     return buf;
646 }
647 #endif                          /* DEBUG_EEPRO100 */
648 
649 /*****************************************************************************
650  *
651  * Command emulation.
652  *
653  ****************************************************************************/
654 
655 #if 0
656 static uint16_t eepro100_read_command(EEPRO100State * s)
657 {
658     uint16_t val = 0xffff;
659     TRACE(OTHER, logout("val=0x%04x\n", val));
660     return val;
661 }
662 #endif
663 
664 /* Commands that can be put in a command list entry. */
665 enum commands {
666     CmdNOp = 0,
667     CmdIASetup = 1,
668     CmdConfigure = 2,
669     CmdMulticastList = 3,
670     CmdTx = 4,
671     CmdTDR = 5,                 /* load microcode */
672     CmdDump = 6,
673     CmdDiagnose = 7,
674 
675     /* And some extra flags: */
676     CmdSuspend = 0x4000,        /* Suspend after completion. */
677     CmdIntr = 0x2000,           /* Interrupt after completion. */
678     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
679 };
680 
681 static cu_state_t get_cu_state(EEPRO100State * s)
682 {
683     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
684 }
685 
686 static void set_cu_state(EEPRO100State * s, cu_state_t state)
687 {
688     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
689 }
690 
691 static ru_state_t get_ru_state(EEPRO100State * s)
692 {
693     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
694 }
695 
696 static void set_ru_state(EEPRO100State * s, ru_state_t state)
697 {
698     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
699 }
700 
701 static void dump_statistics(EEPRO100State * s)
702 {
703     /* Dump statistical data. Most data is never changed by the emulation
704      * and always 0, so we first just copy the whole block and then those
705      * values which really matter.
706      * Number of data should check configuration!!!
707      */
708     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
709     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
710                    s->statistics.tx_good_frames);
711     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
712                    s->statistics.rx_good_frames);
713     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
714                    s->statistics.rx_resource_errors);
715     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
716                    s->statistics.rx_short_frame_errors);
717 #if 0
718     stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
719     stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
720     missing("CU dump statistical counters");
721 #endif
722 }
723 
724 static void read_cb(EEPRO100State *s)
725 {
726     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
727     s->tx.status = le16_to_cpu(s->tx.status);
728     s->tx.command = le16_to_cpu(s->tx.command);
729     s->tx.link = le32_to_cpu(s->tx.link);
730     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
731     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
732 }
733 
734 static void tx_command(EEPRO100State *s)
735 {
736     uint32_t tbd_array = s->tx.tbd_array_addr;
737     uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
738     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
739     uint8_t buf[2600];
740     uint16_t size = 0;
741     uint32_t tbd_address = s->cb_address + 0x10;
742     TRACE(RXTX, logout
743         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
744          tbd_array, tcb_bytes, s->tx.tbd_count));
745 
746     if (tcb_bytes > 2600) {
747         logout("TCB byte count too large, using 2600\n");
748         tcb_bytes = 2600;
749     }
750     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
751         logout
752             ("illegal values of TBD array address and TCB byte count!\n");
753     }
754     assert(tcb_bytes <= sizeof(buf));
755     while (size < tcb_bytes) {
756         TRACE(RXTX, logout
757             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
758              tbd_address, tcb_bytes));
759         pci_dma_read(&s->dev, tbd_address, &buf[size], tcb_bytes);
760         size += tcb_bytes;
761     }
762     if (tbd_array == 0xffffffff) {
763         /* Simplified mode. Was already handled by code above. */
764     } else {
765         /* Flexible mode. */
766         uint8_t tbd_count = 0;
767         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
768             /* Extended Flexible TCB. */
769             for (; tbd_count < 2; tbd_count++) {
770                 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
771                                                             tbd_address);
772                 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
773                                                           tbd_address + 4);
774                 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
775                                                         tbd_address + 6);
776                 tbd_address += 8;
777                 TRACE(RXTX, logout
778                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
779                      tx_buffer_address, tx_buffer_size));
780                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
781                 pci_dma_read(&s->dev, tx_buffer_address,
782                              &buf[size], tx_buffer_size);
783                 size += tx_buffer_size;
784                 if (tx_buffer_el & 1) {
785                     break;
786                 }
787             }
788         }
789         tbd_address = tbd_array;
790         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
791             uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
792             uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
793             uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
794             tbd_address += 8;
795             TRACE(RXTX, logout
796                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
797                  tx_buffer_address, tx_buffer_size));
798             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
799             pci_dma_read(&s->dev, tx_buffer_address,
800                          &buf[size], tx_buffer_size);
801             size += tx_buffer_size;
802             if (tx_buffer_el & 1) {
803                 break;
804             }
805         }
806     }
807     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
808     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
809     s->statistics.tx_good_frames++;
810     /* Transmit with bad status would raise an CX/TNO interrupt.
811      * (82557 only). Emulation never has bad status. */
812 #if 0
813     eepro100_cx_interrupt(s);
814 #endif
815 }
816 
817 static void set_multicast_list(EEPRO100State *s)
818 {
819     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
820     uint16_t i;
821     memset(&s->mult[0], 0, sizeof(s->mult));
822     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
823     for (i = 0; i < multicast_count; i += 6) {
824         uint8_t multicast_addr[6];
825         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
826         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
827         unsigned mcast_idx = (net_crc32(multicast_addr, ETH_ALEN) &
828                               BITS(7, 2)) >> 2;
829         assert(mcast_idx < 64);
830         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
831     }
832 }
833 
834 static void action_command(EEPRO100State *s)
835 {
836     /* The loop below won't stop if it gets special handcrafted data.
837        Therefore we limit the number of iterations. */
838     unsigned max_loop_count = 16;
839 
840     for (;;) {
841         bool bit_el;
842         bool bit_s;
843         bool bit_i;
844         bool bit_nc;
845         uint16_t ok_status = STATUS_OK;
846         s->cb_address = s->cu_base + s->cu_offset;
847         read_cb(s);
848         bit_el = ((s->tx.command & COMMAND_EL) != 0);
849         bit_s = ((s->tx.command & COMMAND_S) != 0);
850         bit_i = ((s->tx.command & COMMAND_I) != 0);
851         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
852 #if 0
853         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
854 #endif
855 
856         if (max_loop_count-- == 0) {
857             /* Prevent an endless loop. */
858             logout("loop in %s:%u\n", __FILE__, __LINE__);
859             break;
860         }
861 
862         s->cu_offset = s->tx.link;
863         TRACE(OTHER,
864               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
865                      s->tx.status, s->tx.command, s->tx.link));
866         switch (s->tx.command & COMMAND_CMD) {
867         case CmdNOp:
868             /* Do nothing. */
869             break;
870         case CmdIASetup:
871             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
872             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
873             break;
874         case CmdConfigure:
875             pci_dma_read(&s->dev, s->cb_address + 8,
876                          &s->configuration[0], sizeof(s->configuration));
877             TRACE(OTHER, logout("configuration: %s\n",
878                                 nic_dump(&s->configuration[0], 16)));
879             TRACE(OTHER, logout("configuration: %s\n",
880                                 nic_dump(&s->configuration[16],
881                                 ARRAY_SIZE(s->configuration) - 16)));
882             if (s->configuration[20] & BIT(6)) {
883                 TRACE(OTHER, logout("Multiple IA bit\n"));
884             }
885             break;
886         case CmdMulticastList:
887             set_multicast_list(s);
888             break;
889         case CmdTx:
890             if (bit_nc) {
891                 missing("CmdTx: NC = 0");
892                 ok_status = 0;
893                 break;
894             }
895             tx_command(s);
896             break;
897         case CmdTDR:
898             TRACE(OTHER, logout("load microcode\n"));
899             /* Starting with offset 8, the command contains
900              * 64 dwords microcode which we just ignore here. */
901             break;
902         case CmdDiagnose:
903             TRACE(OTHER, logout("diagnose\n"));
904             /* Make sure error flag is not set. */
905             s->tx.status = 0;
906             break;
907         default:
908             missing("undefined command");
909             ok_status = 0;
910             break;
911         }
912         /* Write new status. */
913         stw_le_pci_dma(&s->dev, s->cb_address,
914                        s->tx.status | ok_status | STATUS_C);
915         if (bit_i) {
916             /* CU completed action. */
917             eepro100_cx_interrupt(s);
918         }
919         if (bit_el) {
920             /* CU becomes idle. Terminate command loop. */
921             set_cu_state(s, cu_idle);
922             eepro100_cna_interrupt(s);
923             break;
924         } else if (bit_s) {
925             /* CU becomes suspended. Terminate command loop. */
926             set_cu_state(s, cu_suspended);
927             eepro100_cna_interrupt(s);
928             break;
929         } else {
930             /* More entries in list. */
931             TRACE(OTHER, logout("CU list with at least one more entry\n"));
932         }
933     }
934     TRACE(OTHER, logout("CU list empty\n"));
935     /* List is empty. Now CU is idle or suspended. */
936 }
937 
938 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
939 {
940     cu_state_t cu_state;
941     switch (val) {
942     case CU_NOP:
943         /* No operation. */
944         break;
945     case CU_START:
946         cu_state = get_cu_state(s);
947         if (cu_state != cu_idle && cu_state != cu_suspended) {
948             /* Intel documentation says that CU must be idle or suspended
949              * for the CU start command. */
950             logout("unexpected CU state is %u\n", cu_state);
951         }
952         set_cu_state(s, cu_active);
953         s->cu_offset = e100_read_reg4(s, SCBPointer);
954         action_command(s);
955         break;
956     case CU_RESUME:
957         if (get_cu_state(s) != cu_suspended) {
958             logout("bad CU resume from CU state %u\n", get_cu_state(s));
959             /* Workaround for bad Linux eepro100 driver which resumes
960              * from idle state. */
961 #if 0
962             missing("cu resume");
963 #endif
964             set_cu_state(s, cu_suspended);
965         }
966         if (get_cu_state(s) == cu_suspended) {
967             TRACE(OTHER, logout("CU resuming\n"));
968             set_cu_state(s, cu_active);
969             action_command(s);
970         }
971         break;
972     case CU_STATSADDR:
973         /* Load dump counters address. */
974         s->statsaddr = e100_read_reg4(s, SCBPointer);
975         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
976         if (s->statsaddr & 3) {
977             /* Memory must be Dword aligned. */
978             logout("unaligned dump counters address\n");
979             /* Handling of misaligned addresses is undefined.
980              * Here we align the address by ignoring the lower bits. */
981             /* TODO: Test unaligned dump counter address on real hardware. */
982             s->statsaddr &= ~3;
983         }
984         break;
985     case CU_SHOWSTATS:
986         /* Dump statistical counters. */
987         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
988         dump_statistics(s);
989         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
990         break;
991     case CU_CMD_BASE:
992         /* Load CU base. */
993         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
994         s->cu_base = e100_read_reg4(s, SCBPointer);
995         break;
996     case CU_DUMPSTATS:
997         /* Dump and reset statistical counters. */
998         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
999         dump_statistics(s);
1000         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
1001         memset(&s->statistics, 0, sizeof(s->statistics));
1002         break;
1003     case CU_SRESUME:
1004         /* CU static resume. */
1005         missing("CU static resume");
1006         break;
1007     default:
1008         missing("Undefined CU command");
1009     }
1010 }
1011 
1012 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1013 {
1014     switch (val) {
1015     case RU_NOP:
1016         /* No operation. */
1017         break;
1018     case RX_START:
1019         /* RU start. */
1020         if (get_ru_state(s) != ru_idle) {
1021             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1022 #if 0
1023             assert(!"wrong RU state");
1024 #endif
1025         }
1026         set_ru_state(s, ru_ready);
1027         s->ru_offset = e100_read_reg4(s, SCBPointer);
1028         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1029         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1030         break;
1031     case RX_RESUME:
1032         /* Restart RU. */
1033         if (get_ru_state(s) != ru_suspended) {
1034             logout("RU state is %u, should be %u\n", get_ru_state(s),
1035                    ru_suspended);
1036 #if 0
1037             assert(!"wrong RU state");
1038 #endif
1039         }
1040         set_ru_state(s, ru_ready);
1041         break;
1042     case RU_ABORT:
1043         /* RU abort. */
1044         if (get_ru_state(s) == ru_ready) {
1045             eepro100_rnr_interrupt(s);
1046         }
1047         set_ru_state(s, ru_idle);
1048         break;
1049     case RX_ADDR_LOAD:
1050         /* Load RU base. */
1051         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1052         s->ru_base = e100_read_reg4(s, SCBPointer);
1053         break;
1054     default:
1055         logout("val=0x%02x (undefined RU command)\n", val);
1056         missing("Undefined SU command");
1057     }
1058 }
1059 
1060 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1061 {
1062     eepro100_ru_command(s, val & 0x0f);
1063     eepro100_cu_command(s, val & 0xf0);
1064     if ((val) == 0) {
1065         TRACE(OTHER, logout("val=0x%02x\n", val));
1066     }
1067     /* Clear command byte after command was accepted. */
1068     s->mem[SCBCmd] = 0;
1069 }
1070 
1071 /*****************************************************************************
1072  *
1073  * EEPROM emulation.
1074  *
1075  ****************************************************************************/
1076 
1077 #define EEPROM_CS       0x02
1078 #define EEPROM_SK       0x01
1079 #define EEPROM_DI       0x04
1080 #define EEPROM_DO       0x08
1081 
1082 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1083 {
1084     uint16_t val = e100_read_reg2(s, SCBeeprom);
1085     if (eeprom93xx_read(s->eeprom)) {
1086         val |= EEPROM_DO;
1087     } else {
1088         val &= ~EEPROM_DO;
1089     }
1090     TRACE(EEPROM, logout("val=0x%04x\n", val));
1091     return val;
1092 }
1093 
1094 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1095 {
1096     TRACE(EEPROM, logout("val=0x%02x\n", val));
1097 
1098     /* mask unwritable bits */
1099 #if 0
1100     val = SET_MASKED(val, 0x31, eeprom->value);
1101 #endif
1102 
1103     int eecs = ((val & EEPROM_CS) != 0);
1104     int eesk = ((val & EEPROM_SK) != 0);
1105     int eedi = ((val & EEPROM_DI) != 0);
1106     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1107 }
1108 
1109 /*****************************************************************************
1110  *
1111  * MDI emulation.
1112  *
1113  ****************************************************************************/
1114 
1115 #if defined(DEBUG_EEPRO100)
1116 static const char * const mdi_op_name[] = {
1117     "opcode 0",
1118     "write",
1119     "read",
1120     "opcode 3"
1121 };
1122 
1123 static const char * const mdi_reg_name[] = {
1124     "Control",
1125     "Status",
1126     "PHY Identification (Word 1)",
1127     "PHY Identification (Word 2)",
1128     "Auto-Negotiation Advertisement",
1129     "Auto-Negotiation Link Partner Ability",
1130     "Auto-Negotiation Expansion"
1131 };
1132 
1133 static const char *reg2name(uint8_t reg)
1134 {
1135     static char buffer[10];
1136     const char *p = buffer;
1137     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1138         p = mdi_reg_name[reg];
1139     } else {
1140         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1141     }
1142     return p;
1143 }
1144 #endif                          /* DEBUG_EEPRO100 */
1145 
1146 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1147 {
1148     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1149 
1150 #ifdef DEBUG_EEPRO100
1151     uint8_t raiseint = (val & BIT(29)) >> 29;
1152     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1153     uint8_t phy = (val & BITS(25, 21)) >> 21;
1154     uint8_t reg = (val & BITS(20, 16)) >> 16;
1155     uint16_t data = (val & BITS(15, 0));
1156 #endif
1157     /* Emulation takes no time to finish MDI transaction. */
1158     val |= BIT(28);
1159     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1160                       val, raiseint, mdi_op_name[opcode], phy,
1161                       reg2name(reg), data));
1162     return val;
1163 }
1164 
1165 static void eepro100_write_mdi(EEPRO100State *s)
1166 {
1167     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1168     uint8_t raiseint = (val & BIT(29)) >> 29;
1169     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1170     uint8_t phy = (val & BITS(25, 21)) >> 21;
1171     uint8_t reg = (val & BITS(20, 16)) >> 16;
1172     uint16_t data = (val & BITS(15, 0));
1173     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1174           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1175     if (phy != 1) {
1176         /* Unsupported PHY address. */
1177 #if 0
1178         logout("phy must be 1 but is %u\n", phy);
1179 #endif
1180         data = 0;
1181     } else if (opcode != 1 && opcode != 2) {
1182         /* Unsupported opcode. */
1183         logout("opcode must be 1 or 2 but is %u\n", opcode);
1184         data = 0;
1185     } else if (reg > 6) {
1186         /* Unsupported register. */
1187         logout("register must be 0...6 but is %u\n", reg);
1188         data = 0;
1189     } else {
1190         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1191                           val, raiseint, mdi_op_name[opcode], phy,
1192                           reg2name(reg), data));
1193         if (opcode == 1) {
1194             /* MDI write */
1195             switch (reg) {
1196             case 0:            /* Control Register */
1197                 if (data & 0x8000) {
1198                     /* Reset status and control registers to default. */
1199                     s->mdimem[0] = eepro100_mdi_default[0];
1200                     s->mdimem[1] = eepro100_mdi_default[1];
1201                     data = s->mdimem[reg];
1202                 } else {
1203                     /* Restart Auto Configuration = Normal Operation */
1204                     data &= ~0x0200;
1205                 }
1206                 break;
1207             case 1:            /* Status Register */
1208                 missing("not writable");
1209                 break;
1210             case 2:            /* PHY Identification Register (Word 1) */
1211             case 3:            /* PHY Identification Register (Word 2) */
1212                 missing("not implemented");
1213                 break;
1214             case 4:            /* Auto-Negotiation Advertisement Register */
1215             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1216                 break;
1217             case 6:            /* Auto-Negotiation Expansion Register */
1218             default:
1219                 missing("not implemented");
1220             }
1221             s->mdimem[reg] &= eepro100_mdi_mask[reg];
1222             s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
1223         } else if (opcode == 2) {
1224             /* MDI read */
1225             switch (reg) {
1226             case 0:            /* Control Register */
1227                 if (data & 0x8000) {
1228                     /* Reset status and control registers to default. */
1229                     s->mdimem[0] = eepro100_mdi_default[0];
1230                     s->mdimem[1] = eepro100_mdi_default[1];
1231                 }
1232                 break;
1233             case 1:            /* Status Register */
1234                 s->mdimem[reg] |= 0x0020;
1235                 break;
1236             case 2:            /* PHY Identification Register (Word 1) */
1237             case 3:            /* PHY Identification Register (Word 2) */
1238             case 4:            /* Auto-Negotiation Advertisement Register */
1239                 break;
1240             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1241                 s->mdimem[reg] = 0x41fe;
1242                 break;
1243             case 6:            /* Auto-Negotiation Expansion Register */
1244                 s->mdimem[reg] = 0x0001;
1245                 break;
1246             }
1247             data = s->mdimem[reg];
1248         }
1249         /* Emulation takes no time to finish MDI transaction.
1250          * Set MDI bit in SCB status register. */
1251         s->mem[SCBAck] |= 0x08;
1252         val |= BIT(28);
1253         if (raiseint) {
1254             eepro100_mdi_interrupt(s);
1255         }
1256     }
1257     val = (val & 0xffff0000) + data;
1258     e100_write_reg4(s, SCBCtrlMDI, val);
1259 }
1260 
1261 /*****************************************************************************
1262  *
1263  * Port emulation.
1264  *
1265  ****************************************************************************/
1266 
1267 #define PORT_SOFTWARE_RESET     0
1268 #define PORT_SELFTEST           1
1269 #define PORT_SELECTIVE_RESET    2
1270 #define PORT_DUMP               3
1271 #define PORT_SELECTION_MASK     3
1272 
1273 typedef struct {
1274     uint32_t st_sign;           /* Self Test Signature */
1275     uint32_t st_result;         /* Self Test Results */
1276 } eepro100_selftest_t;
1277 
1278 static uint32_t eepro100_read_port(EEPRO100State * s)
1279 {
1280     return 0;
1281 }
1282 
1283 static void eepro100_write_port(EEPRO100State *s)
1284 {
1285     uint32_t val = e100_read_reg4(s, SCBPort);
1286     uint32_t address = (val & ~PORT_SELECTION_MASK);
1287     uint8_t selection = (val & PORT_SELECTION_MASK);
1288     switch (selection) {
1289     case PORT_SOFTWARE_RESET:
1290         nic_reset(s);
1291         break;
1292     case PORT_SELFTEST:
1293         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1294         eepro100_selftest_t data;
1295         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1296         data.st_sign = 0xffffffff;
1297         data.st_result = 0;
1298         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1299         break;
1300     case PORT_SELECTIVE_RESET:
1301         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1302         nic_selective_reset(s);
1303         break;
1304     default:
1305         logout("val=0x%08x\n", val);
1306         missing("unknown port selection");
1307     }
1308 }
1309 
1310 /*****************************************************************************
1311  *
1312  * General hardware emulation.
1313  *
1314  ****************************************************************************/
1315 
1316 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1317 {
1318     uint8_t val = 0;
1319     if (addr <= sizeof(s->mem) - sizeof(val)) {
1320         val = s->mem[addr];
1321     }
1322 
1323     switch (addr) {
1324     case SCBStatus:
1325     case SCBAck:
1326         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1327         break;
1328     case SCBCmd:
1329         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1330 #if 0
1331         val = eepro100_read_command(s);
1332 #endif
1333         break;
1334     case SCBIntmask:
1335         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1336         break;
1337     case SCBPort + 3:
1338         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1339         break;
1340     case SCBeeprom:
1341         val = eepro100_read_eeprom(s);
1342         break;
1343     case SCBCtrlMDI:
1344     case SCBCtrlMDI + 1:
1345     case SCBCtrlMDI + 2:
1346     case SCBCtrlMDI + 3:
1347         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1348         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1349         break;
1350     case SCBpmdr:       /* Power Management Driver Register */
1351         val = 0;
1352         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1353         break;
1354     case SCBgctrl:      /* General Control Register */
1355         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1356         break;
1357     case SCBgstat:      /* General Status Register */
1358         /* 100 Mbps full duplex, valid link */
1359         val = 0x07;
1360         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1361         break;
1362     default:
1363         logout("addr=%s val=0x%02x\n", regname(addr), val);
1364         missing("unknown byte read");
1365     }
1366     return val;
1367 }
1368 
1369 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1370 {
1371     uint16_t val = 0;
1372     if (addr <= sizeof(s->mem) - sizeof(val)) {
1373         val = e100_read_reg2(s, addr);
1374     }
1375 
1376     switch (addr) {
1377     case SCBStatus:
1378     case SCBCmd:
1379         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1380         break;
1381     case SCBeeprom:
1382         val = eepro100_read_eeprom(s);
1383         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1384         break;
1385     case SCBCtrlMDI:
1386     case SCBCtrlMDI + 2:
1387         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1388         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1389         break;
1390     default:
1391         logout("addr=%s val=0x%04x\n", regname(addr), val);
1392         missing("unknown word read");
1393     }
1394     return val;
1395 }
1396 
1397 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1398 {
1399     uint32_t val = 0;
1400     if (addr <= sizeof(s->mem) - sizeof(val)) {
1401         val = e100_read_reg4(s, addr);
1402     }
1403 
1404     switch (addr) {
1405     case SCBStatus:
1406         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1407         break;
1408     case SCBPointer:
1409         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1410         break;
1411     case SCBPort:
1412         val = eepro100_read_port(s);
1413         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1414         break;
1415     case SCBflash:
1416         val = eepro100_read_eeprom(s);
1417         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1418         break;
1419     case SCBCtrlMDI:
1420         val = eepro100_read_mdi(s);
1421         break;
1422     default:
1423         logout("addr=%s val=0x%08x\n", regname(addr), val);
1424         missing("unknown longword read");
1425     }
1426     return val;
1427 }
1428 
1429 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1430 {
1431     /* SCBStatus is readonly. */
1432     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1433         s->mem[addr] = val;
1434     }
1435 
1436     switch (addr) {
1437     case SCBStatus:
1438         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1439         break;
1440     case SCBAck:
1441         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1442         eepro100_acknowledge(s);
1443         break;
1444     case SCBCmd:
1445         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1446         eepro100_write_command(s, val);
1447         break;
1448     case SCBIntmask:
1449         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1450         if (val & BIT(1)) {
1451             eepro100_swi_interrupt(s);
1452         }
1453         eepro100_interrupt(s, 0);
1454         break;
1455     case SCBPointer:
1456     case SCBPointer + 1:
1457     case SCBPointer + 2:
1458     case SCBPointer + 3:
1459         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1460         break;
1461     case SCBPort:
1462     case SCBPort + 1:
1463     case SCBPort + 2:
1464         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1465         break;
1466     case SCBPort + 3:
1467         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1468         eepro100_write_port(s);
1469         break;
1470     case SCBFlow:       /* does not exist on 82557 */
1471     case SCBFlow + 1:
1472     case SCBFlow + 2:
1473     case SCBpmdr:       /* does not exist on 82557 */
1474         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1475         break;
1476     case SCBeeprom:
1477         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1478         eepro100_write_eeprom(s->eeprom, val);
1479         break;
1480     case SCBCtrlMDI:
1481     case SCBCtrlMDI + 1:
1482     case SCBCtrlMDI + 2:
1483         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1484         break;
1485     case SCBCtrlMDI + 3:
1486         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1487         eepro100_write_mdi(s);
1488         break;
1489     default:
1490         logout("addr=%s val=0x%02x\n", regname(addr), val);
1491         missing("unknown byte write");
1492     }
1493 }
1494 
1495 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1496 {
1497     /* SCBStatus is readonly. */
1498     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1499         e100_write_reg2(s, addr, val);
1500     }
1501 
1502     switch (addr) {
1503     case SCBStatus:
1504         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1505         s->mem[SCBAck] = (val >> 8);
1506         eepro100_acknowledge(s);
1507         break;
1508     case SCBCmd:
1509         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1510         eepro100_write_command(s, val);
1511         eepro100_write1(s, SCBIntmask, val >> 8);
1512         break;
1513     case SCBPointer:
1514     case SCBPointer + 2:
1515         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1516         break;
1517     case SCBPort:
1518         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1519         break;
1520     case SCBPort + 2:
1521         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1522         eepro100_write_port(s);
1523         break;
1524     case SCBeeprom:
1525         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1526         eepro100_write_eeprom(s->eeprom, val);
1527         break;
1528     case SCBCtrlMDI:
1529         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1530         break;
1531     case SCBCtrlMDI + 2:
1532         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1533         eepro100_write_mdi(s);
1534         break;
1535     default:
1536         logout("addr=%s val=0x%04x\n", regname(addr), val);
1537         missing("unknown word write");
1538     }
1539 }
1540 
1541 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1542 {
1543     if (addr <= sizeof(s->mem) - sizeof(val)) {
1544         e100_write_reg4(s, addr, val);
1545     }
1546 
1547     switch (addr) {
1548     case SCBPointer:
1549         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1550         break;
1551     case SCBPort:
1552         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1553         eepro100_write_port(s);
1554         break;
1555     case SCBflash:
1556         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1557         val = val >> 16;
1558         eepro100_write_eeprom(s->eeprom, val);
1559         break;
1560     case SCBCtrlMDI:
1561         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1562         eepro100_write_mdi(s);
1563         break;
1564     default:
1565         logout("addr=%s val=0x%08x\n", regname(addr), val);
1566         missing("unknown longword write");
1567     }
1568 }
1569 
1570 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1571                               unsigned size)
1572 {
1573     EEPRO100State *s = opaque;
1574 
1575     switch (size) {
1576     case 1: return eepro100_read1(s, addr);
1577     case 2: return eepro100_read2(s, addr);
1578     case 4: return eepro100_read4(s, addr);
1579     default: abort();
1580     }
1581 }
1582 
1583 static void eepro100_write(void *opaque, hwaddr addr,
1584                            uint64_t data, unsigned size)
1585 {
1586     EEPRO100State *s = opaque;
1587 
1588     switch (size) {
1589     case 1:
1590         eepro100_write1(s, addr, data);
1591         break;
1592     case 2:
1593         eepro100_write2(s, addr, data);
1594         break;
1595     case 4:
1596         eepro100_write4(s, addr, data);
1597         break;
1598     default:
1599         abort();
1600     }
1601 }
1602 
1603 static const MemoryRegionOps eepro100_ops = {
1604     .read = eepro100_read,
1605     .write = eepro100_write,
1606     .endianness = DEVICE_LITTLE_ENDIAN,
1607 };
1608 
1609 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1610 {
1611     /* TODO:
1612      * - Magic packets should set bit 30 in power management driver register.
1613      * - Interesting packets should set bit 29 in power management driver register.
1614      */
1615     EEPRO100State *s = qemu_get_nic_opaque(nc);
1616     uint16_t rfd_status = 0xa000;
1617 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1618     uint8_t min_buf[60];
1619 #endif
1620     static const uint8_t broadcast_macaddr[6] =
1621         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1622 
1623 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1624     /* Pad to minimum Ethernet frame length */
1625     if (size < sizeof(min_buf)) {
1626         memcpy(min_buf, buf, size);
1627         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1628         buf = min_buf;
1629         size = sizeof(min_buf);
1630     }
1631 #endif
1632 
1633     if (s->configuration[8] & 0x80) {
1634         /* CSMA is disabled. */
1635         logout("%p received while CSMA is disabled\n", s);
1636         return -1;
1637 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1638     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1639         /* Short frame and configuration byte 7/0 (discard short receive) set:
1640          * Short frame is discarded */
1641         logout("%p received short frame (%zu byte)\n", s, size);
1642         s->statistics.rx_short_frame_errors++;
1643         return -1;
1644 #endif
1645     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1646         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1647          * Long frames are discarded. */
1648         logout("%p received long frame (%zu byte), ignored\n", s, size);
1649         return -1;
1650     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1651         /* Frame matches individual address. */
1652         /* TODO: check configuration byte 15/4 (ignore U/L). */
1653         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1654     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1655         /* Broadcast frame. */
1656         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1657         rfd_status |= 0x0002;
1658     } else if (buf[0] & 0x01) {
1659         /* Multicast frame. */
1660         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1661         if (s->configuration[21] & BIT(3)) {
1662           /* Multicast all bit is set, receive all multicast frames. */
1663         } else {
1664           unsigned mcast_idx = (net_crc32(buf, ETH_ALEN) & BITS(7, 2)) >> 2;
1665           assert(mcast_idx < 64);
1666           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1667             /* Multicast frame is allowed in hash table. */
1668           } else if (s->configuration[15] & BIT(0)) {
1669               /* Promiscuous: receive all. */
1670               rfd_status |= 0x0004;
1671           } else {
1672               TRACE(RXTX, logout("%p multicast ignored\n", s));
1673               return -1;
1674           }
1675         }
1676         /* TODO: Next not for promiscuous mode? */
1677         rfd_status |= 0x0002;
1678     } else if (s->configuration[15] & BIT(0)) {
1679         /* Promiscuous: receive all. */
1680         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1681         rfd_status |= 0x0004;
1682     } else if (s->configuration[20] & BIT(6)) {
1683         /* Multiple IA bit set. */
1684         unsigned mcast_idx = net_crc32(buf, ETH_ALEN) >> 26;
1685         assert(mcast_idx < 64);
1686         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1687             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1688         } else {
1689             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1690             return -1;
1691         }
1692     } else {
1693         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1694               nic_dump(buf, size)));
1695         return size;
1696     }
1697 
1698     if (get_ru_state(s) != ru_ready) {
1699         /* No resources available. */
1700         logout("no resources, state=%u\n", get_ru_state(s));
1701         /* TODO: RNR interrupt only at first failed frame? */
1702         eepro100_rnr_interrupt(s);
1703         s->statistics.rx_resource_errors++;
1704 #if 0
1705         assert(!"no resources");
1706 #endif
1707         return -1;
1708     }
1709     /* !!! */
1710     eepro100_rx_t rx;
1711     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1712                  &rx, sizeof(eepro100_rx_t));
1713     uint16_t rfd_command = le16_to_cpu(rx.command);
1714     uint16_t rfd_size = le16_to_cpu(rx.size);
1715 
1716     if (size > rfd_size) {
1717         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1718             "(%zu bytes); data truncated\n", rfd_size, size);
1719         size = rfd_size;
1720     }
1721 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1722     if (size < 64) {
1723         rfd_status |= 0x0080;
1724     }
1725 #endif
1726     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1727           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1728     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1729                 offsetof(eepro100_rx_t, status), rfd_status);
1730     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1731                 offsetof(eepro100_rx_t, count), size);
1732     /* Early receive interrupt not supported. */
1733 #if 0
1734     eepro100_er_interrupt(s);
1735 #endif
1736     /* Receive CRC Transfer not supported. */
1737     if (s->configuration[18] & BIT(2)) {
1738         missing("Receive CRC Transfer");
1739         return -1;
1740     }
1741     /* TODO: check stripping enable bit. */
1742 #if 0
1743     assert(!(s->configuration[17] & BIT(0)));
1744 #endif
1745     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1746                   sizeof(eepro100_rx_t), buf, size);
1747     s->statistics.rx_good_frames++;
1748     eepro100_fr_interrupt(s);
1749     s->ru_offset = le32_to_cpu(rx.link);
1750     if (rfd_command & COMMAND_EL) {
1751         /* EL bit is set, so this was the last frame. */
1752         logout("receive: Running out of frames\n");
1753         set_ru_state(s, ru_no_resources);
1754         eepro100_rnr_interrupt(s);
1755     }
1756     if (rfd_command & COMMAND_S) {
1757         /* S bit is set. */
1758         set_ru_state(s, ru_suspended);
1759     }
1760     return size;
1761 }
1762 
1763 static const VMStateDescription vmstate_eepro100 = {
1764     .version_id = 3,
1765     .minimum_version_id = 2,
1766     .fields = (VMStateField[]) {
1767         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1768         VMSTATE_UNUSED(32),
1769         VMSTATE_BUFFER(mult, EEPRO100State),
1770         VMSTATE_BUFFER(mem, EEPRO100State),
1771         /* Save all members of struct between scb_stat and mem. */
1772         VMSTATE_UINT8(scb_stat, EEPRO100State),
1773         VMSTATE_UINT8(int_stat, EEPRO100State),
1774         VMSTATE_UNUSED(3*4),
1775         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1776         VMSTATE_UNUSED(19*4),
1777         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1778         /* The eeprom should be saved and restored by its own routines. */
1779         VMSTATE_UINT32(device, EEPRO100State),
1780         /* TODO check device. */
1781         VMSTATE_UINT32(cu_base, EEPRO100State),
1782         VMSTATE_UINT32(cu_offset, EEPRO100State),
1783         VMSTATE_UINT32(ru_base, EEPRO100State),
1784         VMSTATE_UINT32(ru_offset, EEPRO100State),
1785         VMSTATE_UINT32(statsaddr, EEPRO100State),
1786         /* Save eepro100_stats_t statistics. */
1787         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1788         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1789         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1790         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1791         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1792         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1793         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1794         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1795         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1796         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1797         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1798         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1799         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1800         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1801         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1802         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1803         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1804         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1805         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1806         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1807         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1808         /* Configuration bytes. */
1809         VMSTATE_BUFFER(configuration, EEPRO100State),
1810         VMSTATE_END_OF_LIST()
1811     }
1812 };
1813 
1814 static void pci_nic_uninit(PCIDevice *pci_dev)
1815 {
1816     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1817 
1818     vmstate_unregister(VMSTATE_IF(&pci_dev->qdev), s->vmstate, s);
1819     g_free(s->vmstate);
1820     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1821     qemu_del_nic(s->nic);
1822 }
1823 
1824 static NetClientInfo net_eepro100_info = {
1825     .type = NET_CLIENT_DRIVER_NIC,
1826     .size = sizeof(NICState),
1827     .receive = nic_receive,
1828 };
1829 
1830 static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
1831 {
1832     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1833     E100PCIDeviceInfo *info = eepro100_get_class(s);
1834     Error *local_err = NULL;
1835 
1836     TRACE(OTHER, logout("\n"));
1837 
1838     s->device = info->device;
1839 
1840     e100_pci_reset(s, &local_err);
1841     if (local_err) {
1842         error_propagate(errp, local_err);
1843         return;
1844     }
1845 
1846     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1847      * i82559 and later support 64 or 256 word EEPROM. */
1848     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1849 
1850     /* Handler for memory-mapped I/O */
1851     memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
1852                           "eepro100-mmio", PCI_MEM_SIZE);
1853     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1854     memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
1855                           "eepro100-io", PCI_IO_SIZE);
1856     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1857     /* FIXME: flash aliases to mmio?! */
1858     memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
1859                           "eepro100-flash", PCI_FLASH_SIZE);
1860     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1861 
1862     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1863     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1864 
1865     nic_reset(s);
1866 
1867     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1868                           object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
1869 
1870     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1871     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1872 
1873     qemu_register_reset(nic_reset, s);
1874 
1875     s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
1876     s->vmstate->name = qemu_get_queue(s->nic)->model;
1877     vmstate_register(VMSTATE_IF(&pci_dev->qdev), VMSTATE_INSTANCE_ID_ANY,
1878                      s->vmstate, s);
1879 }
1880 
1881 static void eepro100_instance_init(Object *obj)
1882 {
1883     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
1884     device_add_bootindex_property(obj, &s->conf.bootindex,
1885                                   "bootindex", "/ethernet-phy@0",
1886                                   DEVICE(s));
1887 }
1888 
1889 static E100PCIDeviceInfo e100_devices[] = {
1890     {
1891         .name = "i82550",
1892         .desc = "Intel i82550 Ethernet",
1893         .device = i82550,
1894         /* TODO: check device id. */
1895         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1896         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1897         .revision = 0x0e,
1898         /* TODO: check size of statistical counters. */
1899         .stats_size = 80,
1900         /* TODO: check extended tcb support. */
1901         .has_extended_tcb_support = true,
1902         .power_management = true,
1903     },{
1904         .name = "i82551",
1905         .desc = "Intel i82551 Ethernet",
1906         .device = i82551,
1907         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1908         /* Revision ID: 0x0f, 0x10. */
1909         .revision = 0x0f,
1910         /* TODO: check size of statistical counters. */
1911         .stats_size = 80,
1912         .has_extended_tcb_support = true,
1913         .power_management = true,
1914     },{
1915         .name = "i82557a",
1916         .desc = "Intel i82557A Ethernet",
1917         .device = i82557A,
1918         .device_id = PCI_DEVICE_ID_INTEL_82557,
1919         .revision = 0x01,
1920         .power_management = false,
1921     },{
1922         .name = "i82557b",
1923         .desc = "Intel i82557B Ethernet",
1924         .device = i82557B,
1925         .device_id = PCI_DEVICE_ID_INTEL_82557,
1926         .revision = 0x02,
1927         .power_management = false,
1928     },{
1929         .name = "i82557c",
1930         .desc = "Intel i82557C Ethernet",
1931         .device = i82557C,
1932         .device_id = PCI_DEVICE_ID_INTEL_82557,
1933         .revision = 0x03,
1934         .power_management = false,
1935     },{
1936         .name = "i82558a",
1937         .desc = "Intel i82558A Ethernet",
1938         .device = i82558A,
1939         .device_id = PCI_DEVICE_ID_INTEL_82557,
1940         .revision = 0x04,
1941         .stats_size = 76,
1942         .has_extended_tcb_support = true,
1943         .power_management = true,
1944     },{
1945         .name = "i82558b",
1946         .desc = "Intel i82558B Ethernet",
1947         .device = i82558B,
1948         .device_id = PCI_DEVICE_ID_INTEL_82557,
1949         .revision = 0x05,
1950         .stats_size = 76,
1951         .has_extended_tcb_support = true,
1952         .power_management = true,
1953     },{
1954         .name = "i82559a",
1955         .desc = "Intel i82559A Ethernet",
1956         .device = i82559A,
1957         .device_id = PCI_DEVICE_ID_INTEL_82557,
1958         .revision = 0x06,
1959         .stats_size = 80,
1960         .has_extended_tcb_support = true,
1961         .power_management = true,
1962     },{
1963         .name = "i82559b",
1964         .desc = "Intel i82559B Ethernet",
1965         .device = i82559B,
1966         .device_id = PCI_DEVICE_ID_INTEL_82557,
1967         .revision = 0x07,
1968         .stats_size = 80,
1969         .has_extended_tcb_support = true,
1970         .power_management = true,
1971     },{
1972         .name = "i82559c",
1973         .desc = "Intel i82559C Ethernet",
1974         .device = i82559C,
1975         .device_id = PCI_DEVICE_ID_INTEL_82557,
1976 #if 0
1977         .revision = 0x08,
1978 #endif
1979         /* TODO: Windows wants revision id 0x0c. */
1980         .revision = 0x0c,
1981 #if EEPROM_SIZE > 0
1982         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
1983         .subsystem_id = 0x0040,
1984 #endif
1985         .stats_size = 80,
1986         .has_extended_tcb_support = true,
1987         .power_management = true,
1988     },{
1989         .name = "i82559er",
1990         .desc = "Intel i82559ER Ethernet",
1991         .device = i82559ER,
1992         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1993         .revision = 0x09,
1994         .stats_size = 80,
1995         .has_extended_tcb_support = true,
1996         .power_management = true,
1997     },{
1998         .name = "i82562",
1999         .desc = "Intel i82562 Ethernet",
2000         .device = i82562,
2001         /* TODO: check device id. */
2002         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2003         /* TODO: wrong revision id. */
2004         .revision = 0x0e,
2005         .stats_size = 80,
2006         .has_extended_tcb_support = true,
2007         .power_management = true,
2008     },{
2009         /* Toshiba Tecra 8200. */
2010         .name = "i82801",
2011         .desc = "Intel i82801 Ethernet",
2012         .device = i82801,
2013         .device_id = 0x2449,
2014         .revision = 0x03,
2015         .stats_size = 80,
2016         .has_extended_tcb_support = true,
2017         .power_management = true,
2018     }
2019 };
2020 
2021 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2022 {
2023     E100PCIDeviceInfo *info = NULL;
2024     int i;
2025 
2026     /* This is admittedly awkward but also temporary.  QOM allows for
2027      * parameterized typing and for subclassing both of which would suitable
2028      * handle what's going on here.  But class_data is already being used as
2029      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2030      * right now.  Once we merge the final QOM series, we can come back here and
2031      * do this in a much more elegant fashion.
2032      */
2033     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2034         if (strcmp(e100_devices[i].name, typename) == 0) {
2035             info = &e100_devices[i];
2036             break;
2037         }
2038     }
2039     assert(info != NULL);
2040 
2041     return info;
2042 }
2043 
2044 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2045 {
2046     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2047 }
2048 
2049 static Property e100_properties[] = {
2050     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2051     DEFINE_PROP_END_OF_LIST(),
2052 };
2053 
2054 static void eepro100_class_init(ObjectClass *klass, void *data)
2055 {
2056     DeviceClass *dc = DEVICE_CLASS(klass);
2057     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2058     E100PCIDeviceInfo *info;
2059 
2060     info = eepro100_get_class_by_name(object_class_get_name(klass));
2061 
2062     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
2063     device_class_set_props(dc, e100_properties);
2064     dc->desc = info->desc;
2065     k->vendor_id = PCI_VENDOR_ID_INTEL;
2066     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2067     k->romfile = "pxe-eepro100.rom";
2068     k->realize = e100_nic_realize;
2069     k->exit = pci_nic_uninit;
2070     k->device_id = info->device_id;
2071     k->revision = info->revision;
2072     k->subsystem_vendor_id = info->subsystem_vendor_id;
2073     k->subsystem_id = info->subsystem_id;
2074 }
2075 
2076 static void eepro100_register_types(void)
2077 {
2078     size_t i;
2079     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2080         TypeInfo type_info = {};
2081         E100PCIDeviceInfo *info = &e100_devices[i];
2082 
2083         type_info.name = info->name;
2084         type_info.parent = TYPE_PCI_DEVICE;
2085         type_info.class_init = eepro100_class_init;
2086         type_info.instance_size = sizeof(EEPRO100State);
2087         type_info.instance_init = eepro100_instance_init;
2088         type_info.interfaces = (InterfaceInfo[]) {
2089             { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2090             { },
2091         };
2092 
2093         type_register(&type_info);
2094     }
2095 }
2096 
2097 type_init(eepro100_register_types)
2098