1 /*
2  * SMSC LAN9118 Ethernet interface emulation
3  *
4  * Copyright (c) 2009 CodeSourcery, LLC.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the GNU GPL v2
8  *
9  * Contributions after 2012-01-13 are licensed under the terms of the
10  * GNU GPL, version 2 or (at your option) any later version.
11  */
12 
13 #include "qemu/osdep.h"
14 #include "hw/sysbus.h"
15 #include "migration/vmstate.h"
16 #include "net/net.h"
17 #include "net/eth.h"
18 #include "hw/irq.h"
19 #include "hw/net/lan9118.h"
20 #include "hw/ptimer.h"
21 #include "hw/qdev-properties.h"
22 #include "qapi/error.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 /* For crc32 */
26 #include <zlib.h>
27 #include "qom/object.h"
28 
29 //#define DEBUG_LAN9118
30 
/*
 * Debug trace helper.  When DEBUG_LAN9118 is defined the message is printed
 * to stdout behind a "lan9118: " prefix; otherwise the macro expands to an
 * empty statement, so its arguments are never evaluated.
 */
#ifndef DEBUG_LAN9118
#define DPRINTF(fmt, ...) do {} while(0)
#else
#define DPRINTF(fmt, ...) \
do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
#endif
37 
/*
 * The tx and rx fifo ports are a range of aliased 32-bit registers.
 * NOTE(review): these and the CSR_* values below look like byte offsets into
 * the device's MMIO window; the accessors that decode them are outside this
 * part of the file - confirm there.
 */
#define RX_DATA_FIFO_PORT_FIRST 0x00
#define RX_DATA_FIFO_PORT_LAST 0x1f
#define TX_DATA_FIFO_PORT_FIRST 0x20
#define TX_DATA_FIFO_PORT_LAST 0x3f

/* Status FIFO ports; each FIFO has a PORT and a PEEK alias. */
#define RX_STATUS_FIFO_PORT 0x40
#define RX_STATUS_FIFO_PEEK 0x44
#define TX_STATUS_FIFO_PORT 0x48
#define TX_STATUS_FIFO_PEEK 0x4c

/* Control and status registers. */
#define CSR_ID_REV      0x50
#define CSR_IRQ_CFG     0x54
#define CSR_INT_STS     0x58
#define CSR_INT_EN      0x5c
#define CSR_BYTE_TEST   0x64
#define CSR_FIFO_INT    0x68
#define CSR_RX_CFG      0x6c
#define CSR_TX_CFG      0x70
#define CSR_HW_CFG      0x74
#define CSR_RX_DP_CTRL  0x78
#define CSR_RX_FIFO_INF 0x7c
#define CSR_TX_FIFO_INF 0x80
#define CSR_PMT_CTRL    0x84
#define CSR_GPIO_CFG    0x88
#define CSR_GPT_CFG     0x8c
#define CSR_GPT_CNT     0x90
#define CSR_WORD_SWAP   0x98
#define CSR_FREE_RUN    0x9c
#define CSR_RX_DROP     0xa0
#define CSR_MAC_CSR_CMD 0xa4
#define CSR_MAC_CSR_DATA 0xa8
#define CSR_AFC_CFG     0xac
#define CSR_E2P_CMD     0xb0
#define CSR_E2P_DATA    0xb4

/*
 * Flag kept in e2p_cmd: set by lan9118_reload_eeprom() when the MAC address
 * was taken from the EEPROM image, cleared when the load failed.
 */
#define E2P_CMD_MAC_ADDR_LOADED 0x100

/* IRQ_CFG bits (tested and updated in lan9118_update()). */
#define IRQ_INT         0x00001000
#define IRQ_EN          0x00000100
#define IRQ_POL         0x00000010
#define IRQ_TYPE        0x00000001

/* INT_STS/INT_EN bits; both registers share this layout. */
#define SW_INT          0x80000000
#define TXSTOP_INT      0x02000000
#define RXSTOP_INT      0x01000000
#define RXDFH_INT       0x00800000
#define TX_IOC_INT      0x00200000
#define RXD_INT         0x00100000
#define GPT_INT         0x00080000
#define PHY_INT         0x00040000
#define PME_INT         0x00020000
#define TXSO_INT        0x00010000
#define RWT_INT         0x00008000
#define RXE_INT         0x00004000
#define TXE_INT         0x00002000
#define TDFU_INT        0x00000800
#define TDFO_INT        0x00000400
#define TDFA_INT        0x00000200
#define TSFF_INT        0x00000100
#define TSFL_INT        0x00000080
#define RXDF_INT        0x00000040
#define RDFL_INT        0x00000020
#define RSFF_INT        0x00000010
#define RSFL_INT        0x00000008
#define GPIO2_INT       0x00000004
#define GPIO1_INT       0x00000002
#define GPIO0_INT       0x00000001
#define RESERVED_INT    0x7c001000

/*
 * MAC register numbers: the 'reg' argument of do_mac_read()/do_mac_write().
 * The four entries marked TODO have no read handler; MAC_VLAN1 writes are
 * accepted and ignored, the other three are logged as unimplemented.
 */
#define MAC_CR          1
#define MAC_ADDRH       2
#define MAC_ADDRL       3
#define MAC_HASHH       4
#define MAC_HASHL       5
#define MAC_MII_ACC     6
#define MAC_MII_DATA    7
#define MAC_FLOW        8
#define MAC_VLAN1       9 /* TODO */
#define MAC_VLAN2       10 /* TODO */
#define MAC_WUFF        11 /* TODO */
#define MAC_WUCSR       12 /* TODO */

/*
 * MAC_CR bits.  lan9118_filter() consults PRMS, BCAST, MCPAS, HPFILT, HO and
 * INVFILT; lan9118_receive() consults RXEN and RXALL.  do_mac_write() strips
 * the MAC_CR_RESERVED bits from guest writes.
 */
#define MAC_CR_RXALL    0x80000000
#define MAC_CR_RCVOWN   0x00800000
#define MAC_CR_LOOPBK   0x00200000
#define MAC_CR_FDPX     0x00100000
#define MAC_CR_MCPAS    0x00080000
#define MAC_CR_PRMS     0x00040000
#define MAC_CR_INVFILT  0x00020000
#define MAC_CR_PASSBAD  0x00010000
#define MAC_CR_HO       0x00008000
#define MAC_CR_HPFILT   0x00002000
#define MAC_CR_LCOLL    0x00001000
#define MAC_CR_BCAST    0x00000800
#define MAC_CR_DISRTY   0x00000400
#define MAC_CR_PADSTR   0x00000100
#define MAC_CR_BOLMT    0x000000c0
#define MAC_CR_DFCHK    0x00000020
#define MAC_CR_TXEN     0x00000008
#define MAC_CR_RXEN     0x00000004
#define MAC_CR_RESERVED 0x7f404213

/* Bits of the PHY interrupt source (phy_int) and mask (phy_int_mask). */
#define PHY_INT_ENERGYON            0x80
#define PHY_INT_AUTONEG_COMPLETE    0x40
#define PHY_INT_FAULT               0x20
#define PHY_INT_DOWN                0x10
#define PHY_INT_AUTONEG_LP          0x08
#define PHY_INT_PARFAULT            0x04
#define PHY_INT_AUTONEG_PAGE        0x02

/* NOTE(review): presumably the enable bit of GPT_CFG; not used in this view. */
#define GPT_TIMER_EN    0x20000000
152 
/*
 * Position of the transmit state machine driven by tx_fifo_push():
 * TX_IDLE expects command word A, TX_B expects command word B, and
 * TX_DATA consumes offset, payload and padding words.
 */
enum tx_state {
    TX_IDLE,
    TX_B,
    TX_DATA
};
158 
/*
 * The packet currently being assembled from words written to the TX FIFO.
 *
 * 'len' is the write index into 'data'.  tx_fifo_push() advances it one byte
 * at a time and resets it only when a buffer carries the first-segment flag,
 * so it must be kept within sizeof(data) by whoever writes through it.
 */
typedef struct {
    /* state is a tx_state but we can't put enums in VMStateDescriptions. */
    uint32_t state;
    uint32_t cmd_a;       /* command word A, masked by tx_fifo_push() */
    uint32_t cmd_b;       /* command word B; its top 16 bits go to TX status */
    int32_t buffer_size;  /* payload bytes still expected for this buffer */
    int32_t offset;       /* leading bytes still to be skipped */
    int32_t pad;          /* trailing pad words still to be skipped */
    int32_t fifo_used;    /* words accepted; compared with tx_fifo_size */
    int32_t len;          /* bytes stored in data[] so far */
    uint8_t data[2048];
} LAN9118Packet;
171 
/*
 * Migration layout of LAN9118Packet.  The field order is the stream format,
 * so it must not be rearranged.
 *
 * NOTE(review): 'len', 'offset' and 'buffer_size' are loaded as raw int32
 * values and later drive indexing into data[] in tx_fifo_push(); nothing in
 * this description range-checks them on load.
 */
static const VMStateDescription vmstate_lan9118_packet = {
    .name = "lan9118_packet",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(state, LAN9118Packet),
        VMSTATE_UINT32(cmd_a, LAN9118Packet),
        VMSTATE_UINT32(cmd_b, LAN9118Packet),
        VMSTATE_INT32(buffer_size, LAN9118Packet),
        VMSTATE_INT32(offset, LAN9118Packet),
        VMSTATE_INT32(pad, LAN9118Packet),
        VMSTATE_INT32(fifo_used, LAN9118Packet),
        VMSTATE_INT32(len, LAN9118Packet),
        VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048),
        VMSTATE_END_OF_LIST()
    }
};
189 
OBJECT_DECLARE_SIMPLE_TYPE(lan9118_state, LAN9118)

/*
 * Device state of the emulated LAN9118.
 *
 * The FIFOs are fixed-size arrays used as ring buffers.  Each has a *_head
 * index and a *_used count, and the RX rings also have a runtime *_size that
 * the wrap-around arithmetic uses instead of the array length.  The indexing
 * code in this file relies on those fields staying inside the array bounds.
 */
struct lan9118_state {
    SysBusDevice parent_obj;

    NICState *nic;
    NICConf conf;
    qemu_irq irq;
    MemoryRegion mmio;
    ptimer_state *timer;

    /* Control/status register shadows. */
    uint32_t irq_cfg;
    uint32_t int_sts;
    uint32_t int_en;
    uint32_t fifo_int;
    uint32_t rx_cfg;
    uint32_t tx_cfg;
    uint32_t hw_cfg;
    uint32_t pmt_ctrl;
    uint32_t gpio_cfg;
    uint32_t gpt_cfg;
    uint32_t word_swap;
    uint32_t free_timer_start;
    uint32_t mac_cmd;
    uint32_t mac_data;
    uint32_t afc_cfg;
    uint32_t e2p_cmd;
    uint32_t e2p_data;

    /* MAC registers reached through do_mac_read()/do_mac_write(). */
    uint32_t mac_cr;
    uint32_t mac_hashh;
    uint32_t mac_hashl;
    uint32_t mac_mii_acc;
    uint32_t mac_mii_data;
    uint32_t mac_flow;

    /* PHY registers reached through do_phy_read()/do_phy_write(). */
    uint32_t phy_status;
    uint32_t phy_control;
    uint32_t phy_advertise;
    uint32_t phy_int;
    uint32_t phy_int_mask;

    /* EEPROM image; byte 0 == 0xa5 marks a valid MAC address in bytes 1..6. */
    int32_t eeprom_writable;
    uint8_t eeprom[128];

    /* Transmit path: txp points at tx_packet (see vmstate_lan9118). */
    int32_t tx_fifo_size;
    LAN9118Packet *txp;
    LAN9118Packet tx_packet;

    /* TX status ring; indices are wrapped with "& 511". */
    int32_t tx_status_fifo_used;
    int32_t tx_status_fifo_head;
    uint32_t tx_status_fifo[512];

    /* RX status ring; wraps at rx_status_fifo_size, not at the array length. */
    int32_t rx_status_fifo_size;
    int32_t rx_status_fifo_used;
    int32_t rx_status_fifo_head;
    uint32_t rx_status_fifo[896];
    /* RX data ring; wraps at rx_fifo_size, not at the array length. */
    int32_t rx_fifo_size;
    int32_t rx_fifo_used;
    int32_t rx_fifo_head;
    uint32_t rx_fifo[3360];
    /* Per-packet word counts; head and tail step by "+ 1023 & 1023". */
    int32_t rx_packet_size_head;
    int32_t rx_packet_size_tail;
    int32_t rx_packet_size[1024];

    /* Progress through the packet currently being read by rx_fifo_pop(). */
    int32_t rxp_offset;
    int32_t rxp_size;
    int32_t rxp_pad;

    /*
     * NOTE(review): the write_word_*, read_word_* and read_long fields look
     * like staging for 16-bit bus accesses; their users are outside this view.
     */
    uint32_t write_word_prev_offset;
    uint32_t write_word_n;
    uint16_t write_word_l;
    uint16_t write_word_h;
    uint32_t read_word_prev_offset;
    uint32_t read_word_n;
    uint32_t read_long;

    /* Non-zero selects the 16-bit variant of hw_cfg in lan9118_reset(). */
    uint32_t mode_16bit;
};
269 
/*
 * Migration layout of the whole device (stream version 2, accepting streams
 * back to version 1).  The field order is the stream format, so it must not
 * be rearranged; the fields declared with the _V(..., 2) macros exist only
 * in version 2 streams.
 *
 * NOTE(review): no post_load hook is declared here, so the ring indices and
 * sizes (rx_fifo_head/used/size, rx_status_fifo_head/used/size,
 * tx_status_fifo_head/used, rx_packet_size_head/tail, tx_fifo_size) are taken
 * from the incoming stream unchecked and later used to index the fixed-size
 * arrays.  If a migration stream can come from a less trusted source than
 * the host, a post_load that range-checks these against the array lengths
 * would turn a malformed stream into a load failure instead of an
 * out-of-bounds access.
 */
static const VMStateDescription vmstate_lan9118 = {
    .name = "lan9118",
    .version_id = 2,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_PTIMER(timer, lan9118_state),
        VMSTATE_UINT32(irq_cfg, lan9118_state),
        VMSTATE_UINT32(int_sts, lan9118_state),
        VMSTATE_UINT32(int_en, lan9118_state),
        VMSTATE_UINT32(fifo_int, lan9118_state),
        VMSTATE_UINT32(rx_cfg, lan9118_state),
        VMSTATE_UINT32(tx_cfg, lan9118_state),
        VMSTATE_UINT32(hw_cfg, lan9118_state),
        VMSTATE_UINT32(pmt_ctrl, lan9118_state),
        VMSTATE_UINT32(gpio_cfg, lan9118_state),
        VMSTATE_UINT32(gpt_cfg, lan9118_state),
        VMSTATE_UINT32(word_swap, lan9118_state),
        VMSTATE_UINT32(free_timer_start, lan9118_state),
        VMSTATE_UINT32(mac_cmd, lan9118_state),
        VMSTATE_UINT32(mac_data, lan9118_state),
        VMSTATE_UINT32(afc_cfg, lan9118_state),
        VMSTATE_UINT32(e2p_cmd, lan9118_state),
        VMSTATE_UINT32(e2p_data, lan9118_state),
        VMSTATE_UINT32(mac_cr, lan9118_state),
        VMSTATE_UINT32(mac_hashh, lan9118_state),
        VMSTATE_UINT32(mac_hashl, lan9118_state),
        VMSTATE_UINT32(mac_mii_acc, lan9118_state),
        VMSTATE_UINT32(mac_mii_data, lan9118_state),
        VMSTATE_UINT32(mac_flow, lan9118_state),
        VMSTATE_UINT32(phy_status, lan9118_state),
        VMSTATE_UINT32(phy_control, lan9118_state),
        VMSTATE_UINT32(phy_advertise, lan9118_state),
        VMSTATE_UINT32(phy_int, lan9118_state),
        VMSTATE_UINT32(phy_int_mask, lan9118_state),
        VMSTATE_INT32(eeprom_writable, lan9118_state),
        VMSTATE_UINT8_ARRAY(eeprom, lan9118_state, 128),
        VMSTATE_INT32(tx_fifo_size, lan9118_state),
        /* txp always points at tx_packet so need not be saved */
        VMSTATE_STRUCT(tx_packet, lan9118_state, 0,
                       vmstate_lan9118_packet, LAN9118Packet),
        VMSTATE_INT32(tx_status_fifo_used, lan9118_state),
        VMSTATE_INT32(tx_status_fifo_head, lan9118_state),
        VMSTATE_UINT32_ARRAY(tx_status_fifo, lan9118_state, 512),
        VMSTATE_INT32(rx_status_fifo_size, lan9118_state),
        VMSTATE_INT32(rx_status_fifo_used, lan9118_state),
        VMSTATE_INT32(rx_status_fifo_head, lan9118_state),
        VMSTATE_UINT32_ARRAY(rx_status_fifo, lan9118_state, 896),
        VMSTATE_INT32(rx_fifo_size, lan9118_state),
        VMSTATE_INT32(rx_fifo_used, lan9118_state),
        VMSTATE_INT32(rx_fifo_head, lan9118_state),
        VMSTATE_UINT32_ARRAY(rx_fifo, lan9118_state, 3360),
        VMSTATE_INT32(rx_packet_size_head, lan9118_state),
        VMSTATE_INT32(rx_packet_size_tail, lan9118_state),
        VMSTATE_INT32_ARRAY(rx_packet_size, lan9118_state, 1024),
        VMSTATE_INT32(rxp_offset, lan9118_state),
        VMSTATE_INT32(rxp_size, lan9118_state),
        VMSTATE_INT32(rxp_pad, lan9118_state),
        VMSTATE_UINT32_V(write_word_prev_offset, lan9118_state, 2),
        VMSTATE_UINT32_V(write_word_n, lan9118_state, 2),
        VMSTATE_UINT16_V(write_word_l, lan9118_state, 2),
        VMSTATE_UINT16_V(write_word_h, lan9118_state, 2),
        VMSTATE_UINT32_V(read_word_prev_offset, lan9118_state, 2),
        VMSTATE_UINT32_V(read_word_n, lan9118_state, 2),
        VMSTATE_UINT32_V(read_long, lan9118_state, 2),
        VMSTATE_UINT32_V(mode_16bit, lan9118_state, 2),
        VMSTATE_END_OF_LIST()
    }
};
338 
/*
 * Recompute the interrupt line from INT_STS, INT_EN and IRQ_CFG.
 *
 * IRQ_INT in irq_cfg mirrors "any enabled source pending" regardless of
 * IRQ_EN; the level driven on s->irq additionally honours IRQ_EN and the
 * configured polarity.
 */
static void lan9118_update(lan9118_state *s)
{
    const uint32_t active_high_cfg = IRQ_TYPE | IRQ_POL;
    int asserted;

    /* TODO: Implement FIFO level IRQs.  */
    asserted = (s->int_sts & s->int_en) ? 1 : 0;
    if (asserted) {
        s->irq_cfg |= IRQ_INT;
    } else {
        s->irq_cfg &= ~IRQ_INT;
    }

    if (!(s->irq_cfg & IRQ_EN)) {
        asserted = 0;
    }

    /*
     * The output is active low unless both the push-pull type bit and the
     * active-high polarity bit are set.
     */
    if ((s->irq_cfg & active_high_cfg) != active_high_cfg) {
        asserted = !asserted;
    }
    qemu_set_irq(s->irq, asserted);
}
361 
/*
 * Refresh the NIC info string after s->conf.macaddr has been modified.
 */
static void lan9118_mac_changed(lan9118_state *s)
{
    NetClientState *queue = qemu_get_queue(s->nic);

    qemu_format_nic_info_str(queue, s->conf.macaddr.a);
}
366 
/*
 * Load the MAC address from the EEPROM image.
 *
 * The image is considered valid only when byte 0 is 0xa5; bytes 1..6 then
 * become the MAC address and E2P_CMD_MAC_ADDR_LOADED is set.  Otherwise the
 * flag is cleared and the current address is left alone.
 */
static void lan9118_reload_eeprom(lan9118_state *s)
{
    if (s->eeprom[0] == 0xa5) {
        memcpy(s->conf.macaddr.a, &s->eeprom[1], 6);
        s->e2p_cmd |= E2P_CMD_MAC_ADDR_LOADED;
        DPRINTF("MACADDR loaded from eeprom\n");
        lan9118_mac_changed(s);
    } else {
        s->e2p_cmd &= ~E2P_CMD_MAC_ADDR_LOADED;
        DPRINTF("MACADDR load failed\n");
    }
}
382 
/*
 * Fold the PHY interrupt state into INT_STS: PHY_INT is set while any
 * unmasked PHY source is pending and cleared otherwise, then the interrupt
 * line is re-evaluated.
 */
static void phy_update_irq(lan9118_state *s)
{
    const uint32_t pending = s->phy_int & s->phy_int_mask;

    if (pending == 0) {
        s->int_sts &= ~PHY_INT;
    } else {
        s->int_sts |= PHY_INT;
    }
    lan9118_update(s);
}
392 
/*
 * Reflect the backend's link state in the PHY status and interrupt source
 * registers, then update the PHY interrupt.
 */
static void phy_update_link(lan9118_state *s)
{
    /* Autonegotiation status mirrors link status.  */
    const uint32_t link_and_autoneg = 0x0024;

    if (!qemu_get_queue(s->nic)->link_down) {
        s->phy_status |= link_and_autoneg;
        s->phy_int |= PHY_INT_ENERGYON;
        s->phy_int |= PHY_INT_AUTONEG_COMPLETE;
    } else {
        s->phy_status &= ~link_and_autoneg;
        s->phy_int |= PHY_INT_DOWN;
    }
    phy_update_irq(s);
}
406 
/*
 * Link-change callback: look up the device behind the net client and refresh
 * its PHY link state.
 */
static void lan9118_set_link(NetClientState *nc)
{
    lan9118_state *s = qemu_get_nic_opaque(nc);

    phy_update_link(s);
}
411 
/*
 * Put the PHY registers back to their reset values, clear the PHY interrupt
 * source and mask, and re-sample the link state.
 */
static void phy_reset(lan9118_state *s)
{
    /* Nothing is pending or enabled after reset. */
    s->phy_int = 0;
    s->phy_int_mask = 0;

    s->phy_control = 0x3000;
    s->phy_status = 0x7809;
    s->phy_advertise = 0x01e1;

    phy_update_link(s);
}
421 
/*
 * Device reset handler.
 *
 * Restores the register shadows, empties the FIFOs, reloads the
 * general-purpose timer, resets the PHY and finally re-reads the MAC address
 * from the EEPROM image.  The ring head indices are not touched; only the
 * "used" counters are zeroed.
 */
static void lan9118_reset(DeviceState *d)
{
    lan9118_state *s = LAN9118(d);
    LAN9118Packet *pkt = s->txp;

    /* Control/status registers; some bits of irq_cfg and pmt_ctrl survive. */
    s->irq_cfg &= (IRQ_TYPE | IRQ_POL);
    s->int_sts = 0;
    s->int_en = 0;
    s->fifo_int = 0x48000000;
    s->rx_cfg = 0;
    s->tx_cfg = 0;
    s->hw_cfg = s->mode_16bit ? 0x00050000 : 0x00050004;
    s->pmt_ctrl &= 0x45;
    s->gpio_cfg = 0;

    /* Transmit path. */
    pkt->fifo_used = 0;
    pkt->state = TX_IDLE;
    pkt->cmd_a = 0xffffffffu;
    pkt->cmd_b = 0xffffffffu;
    pkt->len = 0;
    s->tx_fifo_size = 4608;
    s->tx_status_fifo_used = 0;

    /*
     * Receive path.
     * NOTE(review): rx_status_fifo_size is written twice; the 704 stored here
     * is overwritten by 176 below before anything reads it - confirm which
     * field the first store was meant for.
     */
    s->rx_status_fifo_size = 704;
    s->rx_fifo_size = 2640;
    s->rx_fifo_used = 0;
    s->rx_status_fifo_size = 176;
    s->rx_status_fifo_used = 0;
    s->rxp_offset = 0;
    s->rxp_size = 0;
    s->rxp_pad = 0;
    s->rx_packet_size_tail = s->rx_packet_size_head;
    s->rx_packet_size[s->rx_packet_size_head] = 0;

    s->mac_cmd = 0;
    s->mac_data = 0;
    s->afc_cfg = 0;
    s->e2p_cmd = 0;
    s->e2p_data = 0;
    s->free_timer_start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40;

    /* General-purpose timer: stopped, counter reloaded to 0xffff. */
    ptimer_transaction_begin(s->timer);
    ptimer_stop(s->timer);
    ptimer_set_count(s->timer, 0xffff);
    ptimer_transaction_commit(s->timer);
    s->gpt_cfg = 0xffff;

    /* MAC registers: only MAC_CR_PRMS is set in mac_cr after reset. */
    s->mac_cr = MAC_CR_PRMS;
    s->mac_hashh = 0;
    s->mac_hashl = 0;
    s->mac_mii_acc = 0;
    s->mac_mii_data = 0;
    s->mac_flow = 0;

    s->read_word_n = 0;
    s->write_word_n = 0;

    phy_reset(s);

    s->eeprom_writable = 0;
    lan9118_reload_eeprom(s);
}
481 
/*
 * Append one word to the RX data ring.
 *
 * There is no fullness check here: the caller is expected to have verified
 * that enough free words exist (lan9118_receive() does so before pushing).
 */
static void rx_fifo_push(lan9118_state *s, uint32_t val)
{
    int slot = s->rx_fifo_head + s->rx_fifo_used;

    /* Wrap once around the runtime ring size. */
    if (slot >= s->rx_fifo_size) {
        slot -= s->rx_fifo_size;
    }
    s->rx_fifo[slot] = val;
    s->rx_fifo_used += 1;
}
491 
/*
 * Decide whether a frame passes the MAC address filter.
 *
 * 'addr' points at the destination address (at least 6 bytes).  Returns
 * nonzero if the packet is accepted by the filter.  The decision order is
 * promiscuous mode, broadcast, pass-all-multicast, then either an exact
 * match against the station address or a lookup in the 64-bit hash table.
 */
static int lan9118_filter(lan9118_state *s, const uint8_t *addr)
{
    static const uint8_t broadcast[6] = {
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff
    };
    const uint32_t cr = s->mac_cr;
    int is_multicast;
    int use_hash;
    uint32_t bucket;
    uint32_t table;

    if (cr & MAC_CR_PRMS) {
        return 1;
    }
    if (memcmp(addr, broadcast, sizeof(broadcast)) == 0) {
        /* MAC_CR_BCAST set means broadcast frames are rejected. */
        return (cr & MAC_CR_BCAST) == 0;
    }

    is_multicast = addr[0] & 1;
    if (is_multicast && (cr & MAC_CR_MCPAS)) {
        return 1;
    }

    if (is_multicast) {
        use_hash = (cr & MAC_CR_HPFILT) != 0;
    } else {
        use_hash = (cr & MAC_CR_HO) != 0;
    }

    if (!use_hash) {
        /* Exact matching.  */
        int differs = memcmp(addr, s->conf.macaddr.a, 6) != 0;

        return (cr & MAC_CR_INVFILT) ? differs : !differs;
    }

    /* Hash matching: the top 6 CRC bits select one bit of hashh:hashl. */
    bucket = net_crc32(addr, ETH_ALEN) >> 26;
    table = (bucket & 0x20) ? s->mac_hashh : s->mac_hashl;
    return (table >> (bucket & 0x1f)) & 1;
}
529 
/*
 * Receive callback: copy one frame from the network backend into the RX data
 * FIFO and queue its status word.
 *
 * Returns -1 when the frame cannot be taken (receiver disabled, size outside
 * 14..2047 bytes, status FIFO full, or not enough room in the data FIFO) and
 * 'size' when the frame was either stored or deliberately filtered out.
 *
 * The length check has to stay ahead of everything that reads 'buf' or
 * computes FIFO space from 'size': it is what bounds the number of words
 * pushed below.
 */
static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
                               size_t size)
{
    lan9118_state *s = qemu_get_nic_opaque(nc);
    int accepted;
    int words;
    int lane;
    int slot;
    int is_broadcast;
    size_t i;
    uint32_t word;
    uint32_t fcs;
    uint32_t status;

    if (!(s->mac_cr & MAC_CR_RXEN)) {
        return -1;
    }

    if (size < 14 || size >= 2048) {
        return -1;
    }

    /* TODO: Implement FIFO overflow notification.  */
    if (s->rx_status_fifo_used == s->rx_status_fifo_size) {
        return -1;
    }

    accepted = lan9118_filter(s, buf);
    if (!accepted && !(s->mac_cr & MAC_CR_RXALL)) {
        return size;
    }

    /* Only the low two bits of the configured offset shift the byte lanes. */
    lane = ((s->rx_cfg >> 8) & 0x1f) & 3;
    /* Payload words, plus a word for the CRC.  */
    words = ((size + lane + 3) >> 2) + 1;
    if (s->rx_fifo_size - s->rx_fifo_used < words) {
        return -1;
    }

    DPRINTF("Got packet len:%d fifo:%d filter:%s\n",
            (int)size, words, accepted ? "pass" : "fail");

    fcs = bswap32(crc32(~0, buf, size));

    /* Pack bytes little-endian into 32-bit words, starting at 'lane'. */
    word = 0;
    for (i = 0; i < size; i++) {
        word = (word >> 8) | ((uint32_t)buf[i] << 24);
        if (++lane == 4) {
            lane = 0;
            rx_fifo_push(s, word);
            word = 0;
        }
    }

    if (lane == 0) {
        rx_fifo_push(s, fcs);
    } else {
        /* The CRC straddles the partially filled word and the next one. */
        word >>= ((4 - lane) * 8);
        word |= fcs << (lane * 8);
        rx_fifo_push(s, word);
        word = fcs >> ((4 - lane) * 8);
        rx_fifo_push(s, word);
    }

    /* Claim the next RX status slot and record the packet's word count. */
    slot = s->rx_status_fifo_head + s->rx_status_fifo_used;
    if (slot >= s->rx_status_fifo_size) {
        slot -= s->rx_status_fifo_size;
    }
    s->rx_packet_size[s->rx_packet_size_tail] = words;
    s->rx_packet_size_tail = (s->rx_packet_size_tail + 1023) & 1023;
    s->rx_status_fifo_used++;

    is_broadcast = buf[0] == 0xff && buf[1] == 0xff && buf[2] == 0xff &&
                   buf[3] == 0xff && buf[4] == 0xff && buf[5] == 0xff;

    /* The reported length includes the 4 CRC bytes. */
    status = (size + 4) << 16;
    if (is_broadcast) {
        status |= 0x00002000;
    } else if (buf[0] & 1) {
        status |= 0x00000400;
    }
    if (!accepted) {
        /* Stored only because MAC_CR_RXALL is set. */
        status |= 0x40000000;
    }
    s->rx_status_fifo[slot] = status;

    if (s->rx_status_fifo_used > (s->fifo_int & 0xff)) {
        s->int_sts |= RSFL_INT;
    }
    lan9118_update(s);

    return size;
}
619 
/*
 * Produce the next word for a read of the RX data FIFO.
 *
 * When no packet is in progress the next packet's word count is taken from
 * the rx_packet_size ring and the leading offset and trailing padding are
 * derived from rx_cfg.  Offset and pad words read as zero.  Reading with
 * nothing queued raises RXE_INT and also returns zero.
 */
static uint32_t rx_fifo_pop(lan9118_state *s)
{
    uint32_t val = 0;

    if (s->rxp_size == 0 && s->rxp_pad == 0) {
        int32_t *entry = &s->rx_packet_size[s->rx_packet_size_head];

        s->rxp_size = *entry;
        *entry = 0;
        if (s->rxp_size != 0) {
            const uint32_t end_align = s->rx_cfg >> 30;
            int total;

            s->rx_packet_size_head = (s->rx_packet_size_head + 1023) & 1023;
            s->rxp_offset = (s->rx_cfg >> 10) & 7;
            total = s->rxp_offset + s->rxp_size;

            /* Pad the transfer up to a multiple of 4 or 8 words. */
            if (end_align == 1) {
                s->rxp_pad = (-total) & 3;
            } else if (end_align == 2) {
                s->rxp_pad = (-total) & 7;
            } else {
                s->rxp_pad = 0;
            }
            DPRINTF("Pop packet size:%d offset:%d pad: %d\n",
                    s->rxp_size, s->rxp_offset, s->rxp_pad);
        }
    }

    if (s->rxp_offset > 0) {
        s->rxp_offset--;
    } else if (s->rxp_size > 0) {
        s->rxp_size--;
        val = s->rx_fifo[s->rx_fifo_head];
        s->rx_fifo_head++;
        if (s->rx_fifo_head >= s->rx_fifo_size) {
            s->rx_fifo_head -= s->rx_fifo_size;
        }
        s->rx_fifo_used--;
    } else if (s->rxp_pad > 0) {
        s->rxp_pad--;
    } else {
        DPRINTF("RX underflow\n");
        s->int_sts |= RXE_INT;
    }

    lan9118_update(s);
    return val;
}
669 
/*
 * Hand the assembled TX packet to the network layer and record its status.
 *
 * When bit 0x4000 of the PHY control register is set the packet is fed back
 * through qemu_receive_packet() instead of being sent.  The TX data FIFO
 * usage is cleared in either case.  If the TX status ring already holds 512
 * entries no status word is recorded.
 */
static void do_tx_packet(lan9118_state *s)
{
    NetClientState *queue = qemu_get_queue(s->nic);
    uint32_t tag;
    int slot;

    /* FIXME: Honor TX disable, and allow queueing of packets.  */
    if (!(s->phy_control & 0x4000)) {
        qemu_send_packet(queue, s->txp->data, s->txp->len);
    } else {
        /* This assumes the receive routine doesn't touch the VLANClient.  */
        qemu_receive_packet(queue, s->txp->data, s->txp->len);
    }
    s->txp->fifo_used = 0;

    if (s->tx_status_fifo_used == 512) {
        /* Status FIFO full */
        return;
    }

    /* Add entry to status FIFO: the upper half of command word B. */
    tag = s->txp->cmd_b & 0xffff0000u;
    DPRINTF("Sent packet tag:%04x len %d\n", tag >> 16, s->txp->len);
    slot = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
    s->tx_status_fifo[slot] = tag;
    s->tx_status_fifo_used++;

    /*
     * Generate TSFL interrupt if TX FIFO level exceeds the level
     * specified in the FIFO_INT TX Status Level field.
     */
    if (s->tx_status_fifo_used > ((s->fifo_int >> 16) & 0xff)) {
        s->int_sts |= TSFL_INT;
    }
    if (s->tx_status_fifo_used == 512) {
        s->int_sts |= TSFF_INT;
        /* TODO: Stop transmission.  */
    }
}
707 
/*
 * Read the word at the head of the RX status ring and, if the ring is not
 * empty, consume it.  On an empty ring the stale word at the head slot is
 * returned and nothing is consumed.
 */
static uint32_t rx_status_fifo_pop(lan9118_state *s)
{
    const uint32_t val = s->rx_status_fifo[s->rx_status_fifo_head];

    if (s->rx_status_fifo_used == 0) {
        /* ??? What value should be returned when the FIFO is empty?  */
        return val;
    }

    s->rx_status_fifo_used--;
    s->rx_status_fifo_head++;
    if (s->rx_status_fifo_head >= s->rx_status_fifo_size) {
        s->rx_status_fifo_head -= s->rx_status_fifo_size;
    }
    DPRINTF("RX status pop 0x%08x\n", val);
    return val;
}
724 
/*
 * Read the word at the head of the TX status ring and, if the ring is not
 * empty, consume it.  On an empty ring the stale word at the head slot is
 * returned and nothing is consumed.
 */
static uint32_t tx_status_fifo_pop(lan9118_state *s)
{
    const uint32_t val = s->tx_status_fifo[s->tx_status_fifo_head];

    /* ??? What value should be returned when the FIFO is empty?  */
    if (s->tx_status_fifo_used == 0) {
        return val;
    }

    s->tx_status_fifo_used--;
    s->tx_status_fifo_head = (s->tx_status_fifo_head + 1) & 511;
    return val;
}
737 
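/*
 * Feed one 32-bit word written to the TX data FIFO port into the transmit
 * state machine.
 *
 * TX_IDLE latches command word A (buffer size and data offset), TX_B latches
 * command word B when the buffer is flagged as a first segment, and TX_DATA
 * skips offset bytes, appends payload bytes to s->txp->data and skips pad
 * words.  When a buffer completes, the packet is transmitted if it is flagged
 * as the last segment, and TX_IOC_INT is raised if requested in command A.
 *
 * Every byte comes from the guest, and s->txp->len is only reset by a
 * first-segment buffer, so the stored length can grow across buffers.  The
 * store into data[] is therefore bounds-checked: bytes that do not fit are
 * dropped, the packet is truncated and TXE_INT is raised.
 */
static void tx_fifo_push(lan9118_state *s, uint32_t val)
{
    int n;
    int truncated = 0;

    if (s->txp->fifo_used == s->tx_fifo_size) {
        s->int_sts |= TDFO_INT;
        return;
    }
    switch (s->txp->state) {
    case TX_IDLE:
        s->txp->cmd_a = val & 0x831f37ff;
        s->txp->fifo_used++;
        s->txp->state = TX_B;
        s->txp->buffer_size = extract32(s->txp->cmd_a, 0, 11);
        s->txp->offset = extract32(s->txp->cmd_a, 16, 5);
        break;
    case TX_B:
        if (s->txp->cmd_a & 0x2000) {
            /* First segment */
            s->txp->cmd_b = val;
            s->txp->fifo_used++;
            /* End alignment does not include command words.  */
            n = (s->txp->buffer_size + s->txp->offset + 3) >> 2;
            /*
             * NOTE(review): this tests bits 24-25 of the word count 'n'.
             * With the 11-bit size and 5-bit offset latched in TX_IDLE those
             * bits are always clear, so pad ends up 0.  The switch presumably
             * was meant to look at the alignment field of cmd_a - confirm
             * against the datasheet before changing it.
             */
            switch ((n >> 24) & 3) {
            case 1:
                n = (-n) & 3;
                break;
            case 2:
                n = (-n) & 7;
                break;
            default:
                n = 0;
            }
            s->txp->pad = n;
            s->txp->len = 0;
        }
        DPRINTF("Block len:%d offset:%d pad:%d cmd %08x\n",
                s->txp->buffer_size, s->txp->offset, s->txp->pad,
                s->txp->cmd_a);
        s->txp->state = TX_DATA;
        break;
    case TX_DATA:
        if (s->txp->offset >= 4) {
            s->txp->offset -= 4;
            break;
        }
        if (s->txp->buffer_size <= 0 && s->txp->pad != 0) {
            s->txp->pad--;
        } else {
            n = MIN(4, s->txp->buffer_size + s->txp->offset);
            while (s->txp->offset) {
                val >>= 8;
                n--;
                s->txp->offset--;
            }
            /* Documentation is somewhat unclear on the ordering of bytes
               in FIFO words.  Empirical results show it to be little-endian.
               */
            /*
             * "n > 0" rather than "n": a negative count (only possible with
             * inconsistent state) must not turn into a near-endless loop.
             */
            while (n-- > 0) {
                if (s->txp->len >= 0 &&
                    (size_t)s->txp->len < sizeof(s->txp->data)) {
                    s->txp->data[s->txp->len] = val & 0xff;
                    s->txp->len++;
                } else {
                    /* No room left in data[]: drop the byte. */
                    truncated = 1;
                }
                val >>= 8;
                /* Still account for the byte so the buffer can complete. */
                s->txp->buffer_size--;
            }
            if (truncated) {
                qemu_log_mask(LOG_GUEST_ERROR,
                              "lan9118: TX packet exceeds %zu bytes, "
                              "trailing data dropped\n",
                              sizeof(s->txp->data));
                s->int_sts |= TXE_INT;
            }
            s->txp->fifo_used++;
        }
        if (s->txp->buffer_size <= 0 && s->txp->pad == 0) {
            if (s->txp->cmd_a & 0x1000) {
                do_tx_packet(s);
            }
            if (s->txp->cmd_a & 0x80000000) {
                s->int_sts |= TX_IOC_INT;
            }
            s->txp->state = TX_IDLE;
        }
        break;
    }
}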
817 
/*
 * Read PHY register 'reg'.
 *
 * Registers 2, 3, 5 and 6 return fixed values.  Reading register 29 returns
 * the pending interrupt sources and clears them.  Registers without a case
 * are logged as a guest error and read as 0.
 */
static uint32_t do_phy_read(lan9118_state *s, int reg)
{
    uint32_t val = 0;

    switch (reg) {
    case 0: /* Basic Control */
        val = s->phy_control;
        break;
    case 1: /* Basic Status */
        val = s->phy_status;
        break;
    case 2: /* ID1 */
        val = 0x0007;
        break;
    case 3: /* ID2 */
        val = 0xc0d1;
        break;
    case 4: /* Auto-neg advertisement */
        val = s->phy_advertise;
        break;
    case 5: /* Auto-neg Link Partner Ability */
        val = 0x0f71;
        break;
    case 6: /* Auto-neg Expansion */
        val = 1;
        break;
        /* TODO 17, 18, 27, 29, 30, 31 */
    case 29: /* Interrupt source.  */
        /* Read-to-clear: hand back what was pending, then drop it. */
        val = s->phy_int;
        s->phy_int = 0;
        phy_update_irq(s);
        break;
    case 30: /* Interrupt mask */
        val = s->phy_int_mask;
        break;
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "do_phy_read: PHY read reg %d\n", reg);
        break;
    }
    return val;
}
851 
/*
 * Write 'val' to PHY register 'reg'.
 *
 * Only registers 0 (control), 4 (advertisement) and 30 (interrupt mask) are
 * writable; anything else is logged as a guest error.  Each stored value is
 * masked, so the guest cannot set bits outside the mask.
 */
static void do_phy_write(lan9118_state *s, int reg, uint32_t val)
{
    switch (reg) {
    case 0: /* Basic Control */
        if (val & 0x8000) {
            /* Reset bit: the rest of the written value is discarded. */
            phy_reset(s);
        } else {
            s->phy_control = val & 0x7980;
            /* Complete autonegotiation immediately.  */
            if (val & 0x1000) {
                s->phy_status |= 0x0020;
            }
        }
        break;
    case 4: /* Auto-neg advertisement */
        s->phy_advertise = 0x80 | (val & 0x2d7f);
        break;
        /* TODO 17, 18, 27, 31 */
    case 30: /* Interrupt mask */
        s->phy_int_mask = val & 0xff;
        phy_update_irq(s);
        break;
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "do_phy_write: PHY write reg %d = 0x%04x\n", reg, val);
        break;
    }
}
879 
/*
 * Write 'val' to MAC register 'reg'.
 *
 * A write to MAC_MII_ACC also performs the PHY access it describes: bit 1
 * selects write versus read and bits 6..10 select the PHY register.  Writes
 * to MAC_VLAN1 are accepted and ignored; other unhandled registers are logged
 * as a guest error.
 */
static void do_mac_write(lan9118_state *s, int reg, uint32_t val)
{
    const int phy_reg = (val >> 6) & 0x1f;
    uint8_t *mac = s->conf.macaddr.a;

    switch (reg) {
    case MAC_CR:
        /* A 1 -> 0 transition of RXEN raises the "receiver stopped" status. */
        if ((s->mac_cr & MAC_CR_RXEN) && !(val & MAC_CR_RXEN)) {
            s->int_sts |= RXSTOP_INT;
        }
        s->mac_cr = val & ~MAC_CR_RESERVED;
        DPRINTF("MAC_CR: %08x\n", val);
        break;
    case MAC_ADDRH:
        mac[4] = val & 0xff;
        mac[5] = (val >> 8) & 0xff;
        lan9118_mac_changed(s);
        break;
    case MAC_ADDRL:
        mac[0] = val & 0xff;
        mac[1] = (val >> 8) & 0xff;
        mac[2] = (val >> 16) & 0xff;
        mac[3] = (val >> 24) & 0xff;
        lan9118_mac_changed(s);
        break;
    case MAC_HASHH:
        s->mac_hashh = val;
        break;
    case MAC_HASHL:
        s->mac_hashl = val;
        break;
    case MAC_MII_ACC:
        s->mac_mii_acc = val & 0xffc2;
        if (!(val & 2)) {
            s->mac_mii_data = do_phy_read(s, phy_reg);
            DPRINTF("PHY read %d = 0x%04x\n",
                    phy_reg, s->mac_mii_data);
        } else {
            DPRINTF("PHY write %d = 0x%04x\n",
                    phy_reg, s->mac_mii_data);
            do_phy_write(s, phy_reg, s->mac_mii_data);
        }
        break;
    case MAC_MII_DATA:
        s->mac_mii_data = val & 0xffff;
        break;
    case MAC_FLOW:
        s->mac_flow = val & 0xffff0000;
        break;
    case MAC_VLAN1:
        /* Writing to this register changes a condition for
         * FrameTooLong bit in rx_status.  Since we do not set
         * FrameTooLong anyway, just ignore write to this.
         */
        break;
    default:
        /* The register number logged is taken from mac_cmd, not 'reg'. */
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118: Unimplemented MAC register write: %d = 0x%x\n",
                      s->mac_cmd & 0xf, val);
        break;
    }
}
938 
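/*
 * Read MAC register 'reg'.
 *
 * MAC_ADDRH and MAC_ADDRL are assembled from the station address bytes,
 * lowest byte first.  Registers without a case are logged as a guest error
 * and read as 0.
 */
static uint32_t do_mac_read(lan9118_state *s, int reg)
{
    const uint8_t *mac = s->conf.macaddr.a;

    switch (reg) {
    case MAC_CR:
        return s->mac_cr;
    case MAC_ADDRH:
        return (uint32_t)mac[4] | ((uint32_t)mac[5] << 8);
    case MAC_ADDRL:
        /*
         * Widen each byte before shifting: a uint8_t promotes to int, and
         * shifting a value >= 0x80 left by 24 overflows a signed int, which
         * is undefined behaviour.
         */
        return (uint32_t)mac[0] | ((uint32_t)mac[1] << 8)
               | ((uint32_t)mac[2] << 16) | ((uint32_t)mac[3] << 24);
    case MAC_HASHH:
        return s->mac_hashh;
    case MAC_HASHL:
        return s->mac_hashl;
    case MAC_MII_ACC:
        return s->mac_mii_acc;
    case MAC_MII_DATA:
        return s->mac_mii_data;
    case MAC_FLOW:
        return s->mac_flow;
    default:
        /* The register number logged is taken from mac_cmd, not 'reg'. */
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118: Unimplemented MAC register read: %d\n",
                      s->mac_cmd & 0xf);
        return 0;
    }
}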
966 
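/*
 * Execute EEPROM command 'cmd' (0..7) on byte address 'addr'.
 *
 * Commands: 0 read, 1 write disable, 2 write enable (EWEN), 3 write,
 * 4 write all (WRAL), 5 erase, 6 erase all (ERAL), 7 reload MAC address.
 * Writes AND the data into the stored byte and erases set it to 0xff.  Write
 * and erase commands are ignored unless writing has been enabled.
 *
 * Both arguments derive from a guest register write, and the caller is not
 * visible from this function.  Commands that index the image (read, write,
 * erase) therefore check 'addr' against the image size here, and an
 * out-of-range address is rejected without touching any state.
 */
static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
{
    const int uses_addr = (cmd == 0 || cmd == 3 || cmd == 5);

    if (uses_addr && (addr < 0 || addr >= (int)sizeof(s->eeprom))) {
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118: EEPROM command %d with invalid address %d\n",
                      cmd, addr);
        return;
    }

    /* Shift as unsigned so that a large command value cannot overflow int. */
    s->e2p_cmd = (s->e2p_cmd & E2P_CMD_MAC_ADDR_LOADED)
                 | ((uint32_t)cmd << 28) | addr;
    switch (cmd) {
    case 0:
        s->e2p_data = s->eeprom[addr];
        DPRINTF("EEPROM Read %d = 0x%02x\n", addr, s->e2p_data);
        break;
    case 1:
        s->eeprom_writable = 0;
        DPRINTF("EEPROM Write Disable\n");
        break;
    case 2: /* EWEN */
        s->eeprom_writable = 1;
        DPRINTF("EEPROM Write Enable\n");
        break;
    case 3: /* WRITE */
        if (s->eeprom_writable) {
            s->eeprom[addr] &= s->e2p_data;
            DPRINTF("EEPROM Write %d = 0x%02x\n", addr, s->e2p_data);
        } else {
            DPRINTF("EEPROM Write %d (ignored)\n", addr);
        }
        break;
    case 4: /* WRAL */
        if (s->eeprom_writable) {
            for (addr = 0; addr < 128; addr++) {
                s->eeprom[addr] &= s->e2p_data;
            }
            DPRINTF("EEPROM Write All 0x%02x\n", s->e2p_data);
        } else {
            DPRINTF("EEPROM Write All (ignored)\n");
        }
        break;
    case 5: /* ERASE */
        if (s->eeprom_writable) {
            s->eeprom[addr] = 0xff;
            DPRINTF("EEPROM Erase %d\n", addr);
        } else {
            DPRINTF("EEPROM Erase %d (ignored)\n", addr);
        }
        break;
    case 6: /* ERAL */
        if (s->eeprom_writable) {
            memset(s->eeprom, 0xff, 128);
            DPRINTF("EEPROM Erase All\n");
        } else {
            DPRINTF("EEPROM Erase All (ignored)\n");
        }
        break;
    case 7: /* RELOAD */
        lan9118_reload_eeprom(s);
        break;
    }
}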
1022 
/*
 * Timer callback registered with ptimer_init() in lan9118_realize.
 *
 * Sets the GPT interrupt status bit, but only while that interrupt is
 * enabled in int_en, then re-evaluates the device state through
 * lan9118_update().
 */
static void lan9118_tick(void *opaque)
{
    lan9118_state *dev = (lan9118_state *)opaque;

    if ((dev->int_en & GPT_INT) != 0) {
        dev->int_sts |= GPT_INT;
    }

    lan9118_update(dev);
}
1031 
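/*
 * MMIO write handler for the 32-bit register interface.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region; only the low 8 bits are used
 * @val:    value written by the guest
 * @size:   access size; not consulted, every call is handled as a write
 *          of one 32-bit register
 *
 * A write inside the TX data FIFO window is pushed into the TX FIFO and
 * returns at once.  Any other offset is decoded as a control/status
 * register, and that path finishes with lan9118_update().  Offsets with no
 * case are reported through LOG_GUEST_ERROR.
 *
 * offset and val are guest-controlled.  Most cases mask val down to the
 * bits they keep; fifo_int, word_swap and mac_data store it as written.
 */
static void lan9118_writel(void *opaque, hwaddr offset,
                           uint64_t val, unsigned size)
{
    lan9118_state *s = (lan9118_state *)opaque;
    offset &= 0xff;

    /* DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, (uint32_t)val); */
    if (offset >= TX_DATA_FIFO_PORT_FIRST &&
        offset <= TX_DATA_FIFO_PORT_LAST) {
        /* TX FIFO */
        tx_fifo_push(s, val);
        return;
    }
    switch (offset) {
    case CSR_IRQ_CFG:
        /* TODO: Implement interrupt deassertion intervals.  */
        val &= (IRQ_EN | IRQ_POL | IRQ_TYPE);
        /* IRQ_INT is kept from the current value; the guest cannot set it. */
        s->irq_cfg = (s->irq_cfg & IRQ_INT) | val;
        break;
    case CSR_INT_STS:
        /* Write-one-to-clear. */
        s->int_sts &= ~val;
        break;
    case CSR_INT_EN:
        s->int_en = val & ~RESERVED_INT;
        /* Writing SW_INT here raises the status bit immediately. */
        s->int_sts |= val & SW_INT;
        break;
    case CSR_FIFO_INT:
        /* val is 64 bits wide; narrow it to match the %08x conversion. */
        DPRINTF("FIFO INT levels %08x\n", (uint32_t)val);
        s->fifo_int = val;
        break;
    case CSR_RX_CFG:
        if (val & 0x8000) {
            /* RX_DUMP */
            s->rx_fifo_used = 0;
            s->rx_status_fifo_used = 0;
            s->rx_packet_size_tail = s->rx_packet_size_head;
            s->rx_packet_size[s->rx_packet_size_head] = 0;
        }
        s->rx_cfg = val & 0xcfff1ff0;
        break;
    case CSR_TX_CFG:
        if (val & 0x8000) {
            /* Empty the TX status FIFO. */
            s->tx_status_fifo_used = 0;
        }
        if (val & 0x4000) {
            /* Drop buffered TX data and return the packet state to idle. */
            s->txp->state = TX_IDLE;
            s->txp->fifo_used = 0;
            s->txp->cmd_a = 0xffffffff;
        }
        s->tx_cfg = val & 6;
        break;
    case CSR_HW_CFG:
        if (val & 1) {
            /* SRST */
            lan9118_reset(DEVICE(s));
        } else {
            /* Bit 0x4 is kept from the current value. */
            s->hw_cfg = (val & 0x003f300) | (s->hw_cfg & 0x4);
        }
        break;
    case CSR_RX_DP_CTRL:
        if (val & 0x80000000) {
            /* Skip forward to next packet.  */
            s->rxp_pad = 0;
            s->rxp_offset = 0;
            if (s->rxp_size == 0) {
                /* Pop a word to start the next packet.  */
                rx_fifo_pop(s);
                s->rxp_pad = 0;
                s->rxp_offset = 0;
            }
            /*
             * NOTE(review): the head is wrapped with a single subtraction,
             * which keeps it in range only while rxp_size does not exceed
             * rx_fifo_size; confirm that against rx_fifo_pop and the
             * receive path.
             */
            s->rx_fifo_head += s->rxp_size;
            if (s->rx_fifo_head >= s->rx_fifo_size) {
                s->rx_fifo_head -= s->rx_fifo_size;
            }
        }
        break;
    case CSR_PMT_CTRL:
        if (val & 0x400) {
            phy_reset(s);
        }
        /* Only the bits in 0x34e are guest-writable. */
        s->pmt_ctrl &= ~0x34e;
        s->pmt_ctrl |= (val & 0x34e);
        break;
    case CSR_GPIO_CFG:
        /* Probably just enabling LEDs.  */
        s->gpio_cfg = val & 0x7777071f;
        break;
    case CSR_GPT_CFG:
        /* Touch the timer only when the enable bit changes. */
        if ((s->gpt_cfg ^ val) & GPT_TIMER_EN) {
            ptimer_transaction_begin(s->timer);
            if (val & GPT_TIMER_EN) {
                ptimer_set_count(s->timer, val & 0xffff);
                ptimer_run(s->timer, 0);
            } else {
                ptimer_stop(s->timer);
                ptimer_set_count(s->timer, 0xffff);
            }
            ptimer_transaction_commit(s->timer);
        }
        s->gpt_cfg = val & (GPT_TIMER_EN | 0xffff);
        break;
    case CSR_WORD_SWAP:
        /* Ignored because we're in 32-bit mode.  */
        s->word_swap = val;
        break;
    case CSR_MAC_CSR_CMD:
        s->mac_cmd = val & 0x4000000f;
        /* Bit 31 starts the access; bit 30 selects read over write. */
        if (val & 0x80000000) {
            if (val & 0x40000000) {
                s->mac_data = do_mac_read(s, val & 0xf);
                DPRINTF("MAC read %d = 0x%08x\n", (int)(val & 0xf),
                        s->mac_data);
            } else {
                DPRINTF("MAC write %d = 0x%08x\n", (int)(val & 0xf),
                        s->mac_data);
                do_mac_write(s, val & 0xf, s->mac_data);
            }
        }
        break;
    case CSR_MAC_CSR_DATA:
        s->mac_data = val;
        break;
    case CSR_AFC_CFG:
        s->afc_cfg = val & 0x00ffffff;
        break;
    case CSR_E2P_CMD:
        /*
         * The command is limited to 0..7 and the address to 0..127 here;
         * lan9118_eeprom_cmd uses the address as an array index without
         * checking it again.
         */
        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
        break;
    case CSR_E2P_DATA:
        s->e2p_data = val & 0xff;
        break;

    default:
        qemu_log_mask(LOG_GUEST_ERROR, "lan9118_write: Bad reg 0x%x = %x\n",
                      (int)offset, (int)val);
        break;
    }
    lan9118_update(s);
}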
1169 
/*
 * 16-bit write path: collect two half-word writes to the same 32-bit
 * register and forward them as one lan9118_writel() call.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset of the half-word; only the low 8 bits are used
 * @val:    half-word value written by the guest
 *
 * Bit 1 of the offset selects the high or low half.  The count of halves
 * seen restarts whenever the 4-byte-aligned offset differs from the
 * previous call.  The register write happens on the second half, whichever
 * half that is.
 */
static void lan9118_writew(void *opaque, hwaddr offset,
                           uint32_t val)
{
    lan9118_state *s = (lan9118_state *)opaque;
    hwaddr dword_off;

    offset &= 0xff;
    dword_off = offset & ~0x3;

    if (s->write_word_prev_offset != dword_off) {
        /* Different register from last time: start counting afresh. */
        s->write_word_n = 0;
        s->write_word_prev_offset = dword_off;
    }

    if ((offset & 0x2) == 0) {
        s->write_word_l = val;
    } else {
        s->write_word_h = val;
    }

    s->write_word_n++;
    if (s->write_word_n != 2) {
        return;
    }

    /* Both halves seen: issue the combined 32-bit write. */
    s->write_word_n = 0;
    lan9118_writel(s, dword_off, s->write_word_l +
            (s->write_word_h << 16), 4);
}
1196 
/*
 * MMIO write handler used when the device runs in 16-bit mode.
 *
 * Half-word accesses go through lan9118_writew(), which pairs them up.
 * Word accesses go straight to lan9118_writel().  Any other size is
 * dropped and reported through LOG_GUEST_ERROR.
 */
static void lan9118_16bit_mode_write(void *opaque, hwaddr offset,
                                     uint64_t val, unsigned size)
{
    if (size == 2) {
        lan9118_writew(opaque, offset, (uint32_t)val);
    } else if (size == 4) {
        lan9118_writel(opaque, offset, val, size);
    } else {
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118_16bit_mode_write: Bad size 0x%x\n", size);
    }
}
1212 
/*
 * MMIO read handler for the 32-bit register interface.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region
 * @size:   access size; not consulted
 *
 * Reads inside the RX data FIFO window pop one word from the RX FIFO, and
 * the two status FIFO ports pop as well, so those reads change device
 * state.  The PEEK offsets return the head entry without popping.
 * Unknown offsets are reported through LOG_GUEST_ERROR and read as 0.
 *
 * Unlike lan9118_writel, offset is not masked here.  The region is created
 * with length 0x100 in lan9118_realize.
 */
static uint64_t lan9118_readl(void *opaque, hwaddr offset,
                              unsigned size)
{
    lan9118_state *s = (lan9118_state *)opaque;
    uint64_t ret;

    if (offset <= RX_DATA_FIFO_PORT_LAST) {
        /* RX FIFO */
        return rx_fifo_pop(s);
    }

    switch (offset) {
    case RX_STATUS_FIFO_PORT:
        ret = rx_status_fifo_pop(s);
        break;
    case RX_STATUS_FIFO_PEEK:
        ret = s->rx_status_fifo[s->rx_status_fifo_head];
        break;
    case TX_STATUS_FIFO_PORT:
        ret = tx_status_fifo_pop(s);
        break;
    case TX_STATUS_FIFO_PEEK:
        ret = s->tx_status_fifo[s->tx_status_fifo_head];
        break;
    case CSR_ID_REV:
        ret = 0x01180001;
        break;
    case CSR_IRQ_CFG:
        ret = s->irq_cfg;
        break;
    case CSR_INT_STS:
        ret = s->int_sts;
        break;
    case CSR_INT_EN:
        ret = s->int_en;
        break;
    case CSR_BYTE_TEST:
        /* Fixed pattern. */
        ret = 0x87654321;
        break;
    case CSR_FIFO_INT:
        ret = s->fifo_int;
        break;
    case CSR_RX_CFG:
        ret = s->rx_cfg;
        break;
    case CSR_TX_CFG:
        ret = s->tx_cfg;
        break;
    case CSR_HW_CFG:
        ret = s->hw_cfg;
        break;
    case CSR_RX_DP_CTRL:
        ret = 0;
        break;
    case CSR_RX_FIFO_INF:
        ret = (s->rx_status_fifo_used << 16) | (s->rx_fifo_used << 2);
        break;
    case CSR_TX_FIFO_INF:
        ret = (s->tx_status_fifo_used << 16)
              | (s->tx_fifo_size - s->txp->fifo_used);
        break;
    case CSR_PMT_CTRL:
        ret = s->pmt_ctrl;
        break;
    case CSR_GPIO_CFG:
        ret = s->gpio_cfg;
        break;
    case CSR_GPT_CFG:
        ret = s->gpt_cfg;
        break;
    case CSR_GPT_CNT:
        ret = ptimer_get_count(s->timer);
        break;
    case CSR_WORD_SWAP:
        ret = s->word_swap;
        break;
    case CSR_FREE_RUN:
        /* Virtual clock in 40 ns units, relative to free_timer_start. */
        ret = (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40) - s->free_timer_start;
        break;
    case CSR_RX_DROP:
        /* TODO: Implement dropped frames counter.  */
        ret = 0;
        break;
    case CSR_MAC_CSR_CMD:
        ret = s->mac_cmd;
        break;
    case CSR_MAC_CSR_DATA:
        ret = s->mac_data;
        break;
    case CSR_AFC_CFG:
        ret = s->afc_cfg;
        break;
    case CSR_E2P_CMD:
        ret = s->e2p_cmd;
        break;
    case CSR_E2P_DATA:
        ret = s->e2p_data;
        break;
    default:
        qemu_log_mask(LOG_GUEST_ERROR, "lan9118_read: Bad reg 0x%x\n", (int)offset);
        ret = 0;
        break;
    }

    return ret;
}
1286 
/*
 * 16-bit read path: serve two half-word reads from one lan9118_readl().
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset of the half-word being read
 *
 * The first half-word read of a register performs the 32-bit read and
 * caches it in read_long.  The second is answered from the cache, so a
 * register whose read has side effects is read once per pair.  The pairing
 * restarts whenever the 4-byte-aligned offset differs from the previous
 * call.  Bit 1 of the offset picks the high or low half of the cached
 * value.
 */
static uint32_t lan9118_readw(void *opaque, hwaddr offset)
{
    lan9118_state *s = (lan9118_state *)opaque;
    hwaddr dword_off = offset & ~0x3;

    if (s->read_word_prev_offset != dword_off) {
        /* Different register from last time: start counting afresh. */
        s->read_word_n = 0;
        s->read_word_prev_offset = dword_off;
    }

    s->read_word_n++;
    if (s->read_word_n == 1) {
        s->read_long = lan9118_readl(s, dword_off, 4);
    } else {
        s->read_word_n = 0;
    }

    return (offset & 2) ? (s->read_long >> 16) : (s->read_long & 0xFFFF);
}
1314 
/*
 * MMIO read handler used when the device runs in 16-bit mode.
 *
 * Half-word accesses go through lan9118_readw() and word accesses through
 * lan9118_readl().  Any other size is reported through LOG_GUEST_ERROR
 * and reads as 0.
 */
static uint64_t lan9118_16bit_mode_read(void *opaque, hwaddr offset,
                                        unsigned size)
{
    if (size == 2) {
        return lan9118_readw(opaque, offset);
    }
    if (size == 4) {
        return lan9118_readl(opaque, offset, size);
    }

    qemu_log_mask(LOG_GUEST_ERROR,
                  "lan9118_16bit_mode_read: Bad size 0x%x\n", size);
    return 0;
}
1329 
/*
 * Register access callbacks for the default (32-bit) mode.
 *
 * No access-size limits are declared here, and lan9118_readl and
 * lan9118_writel ignore their size argument.  Whatever access width
 * reaches them is therefore handled as a full 32-bit register access.
 */
static const MemoryRegionOps lan9118_mem_ops = {
    .endianness = DEVICE_NATIVE_ENDIAN,
    .read = lan9118_readl,
    .write = lan9118_writel,
};

/*
 * Register access callbacks for 16-bit mode.  The handlers accept sizes 2
 * and 4 and log any other size as a guest error.
 */
static const MemoryRegionOps lan9118_16bit_mem_ops = {
    .endianness = DEVICE_NATIVE_ENDIAN,
    .read = lan9118_16bit_mode_read,
    .write = lan9118_16bit_mode_write,
};
1341 
/*
 * Net client description handed to qemu_new_nic() in lan9118_realize.
 * It supplies the callbacks for received packets and link state changes.
 */
static NetClientInfo net_lan9118_info = {
    .type                = NET_CLIENT_DRIVER_NIC,
    .size                = sizeof(NICState),
    .link_status_changed = lan9118_set_link,
    .receive             = lan9118_receive,
};
1348 
/*
 * Realize the device: set up the MMIO region, the IRQ line, the NIC
 * backend, the initial EEPROM contents and the general purpose timer.
 *
 * @dev:  the device being realized
 * @errp: not written by this function
 */
static void lan9118_realize(DeviceState *dev, Error **errp)
{
    lan9118_state *s = LAN9118(dev);
    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
    const MemoryRegionOps *mem_ops;
    int i;

    /* The mode_16bit property selects which set of access handlers is used. */
    if (s->mode_16bit) {
        mem_ops = &lan9118_16bit_mem_ops;
    } else {
        mem_ops = &lan9118_mem_ops;
    }

    /* 0x100 bytes of register space bounds every offset the handlers see. */
    memory_region_init_io(&s->mmio, OBJECT(dev), mem_ops, s,
                          "lan9118-mmio", 0x100);
    sysbus_init_mmio(sbd, &s->mmio);
    sysbus_init_irq(sbd, &s->irq);
    qemu_macaddr_default_if_unset(&s->conf.macaddr);

    s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
                          object_get_typename(OBJECT(dev)), dev->id, s);
    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);

    /*
     * EEPROM image: byte 0 is 0xa5, bytes 1..6 hold the MAC address.
     * Presumably 0xa5 is the marker lan9118_reload_eeprom looks for;
     * confirm there.
     */
    s->eeprom[0] = 0xa5;
    for (i = 1; i <= 6; i++) {
        s->eeprom[i] = s->conf.macaddr.a[i - 1];
    }
    s->pmt_ctrl = 1;
    s->txp = &s->tx_packet;

    /* Timer: frequency 10000, 16-bit limit, fires lan9118_tick. */
    s->timer = ptimer_init(lan9118_tick, s, PTIMER_POLICY_LEGACY);
    ptimer_transaction_begin(s->timer);
    ptimer_set_freq(s->timer, 10000);
    ptimer_set_limit(s->timer, 0xffff, 1);
    ptimer_transaction_commit(s->timer);
}
1379 
/*
 * User-settable device properties: the common NIC properties stored in
 * conf, plus "mode_16bit" (default 0), which lan9118_realize uses to pick
 * the 16-bit register access handlers.
 */
static Property lan9118_properties[] = {
    DEFINE_NIC_PROPERTIES(lan9118_state, conf),
    DEFINE_PROP_UINT32("mode_16bit", lan9118_state, mode_16bit, 0),
    DEFINE_PROP_END_OF_LIST(),
};
1385 
/*
 * Class initializer: installs the realize and reset hooks, the migration
 * description and the property list on the device class.
 *
 * @klass: class being initialized
 * @data:  unused
 */
static void lan9118_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->realize = lan9118_realize;
    device_class->reset = lan9118_reset;
    device_class->vmsd = &vmstate_lan9118;
    device_class_set_props(device_class, lan9118_properties);
}
1395 
/* QOM type description: a sysbus device whose instance is a lan9118_state. */
static const TypeInfo lan9118_info = {
    .name = TYPE_LAN9118,
    .parent = TYPE_SYS_BUS_DEVICE,
    .class_init = lan9118_class_init,
    .instance_size = sizeof(lan9118_state),
};
1402 
/* Registers the LAN9118 type; passed to type_init() at the end of the file. */
static void lan9118_register_types(void)
{
    type_register_static(&lan9118_info);
}
1407 
/*
 * Legacy helper function.  Should go away when machine config files are
 * implemented.
 *
 * Creates a LAN9118 device configured from @nd, realizes it, maps its
 * register region at @base and connects its interrupt output to @irq.
 * A realize failure is fatal because &error_fatal is passed.
 */
void lan9118_init(NICInfo *nd, uint32_t base, qemu_irq irq)
{
    DeviceState *dev;
    SysBusDevice *sbd;

    qemu_check_nic_model(nd, "lan9118");

    dev = qdev_new(TYPE_LAN9118);
    qdev_set_nic_properties(dev, nd);

    sbd = SYS_BUS_DEVICE(dev);
    sysbus_realize_and_unref(sbd, &error_fatal);
    sysbus_mmio_map(sbd, 0, base);
    sysbus_connect_irq(sbd, 0, irq);
}
1423 
/* Hook the type registration function into QEMU's module initialization. */
type_init(lan9118_register_types)
1425