xref: /openbmc/qemu/hw/net/lan9118.c (revision 9022e80a4235f272799720ee4e9037f6dae7cf0e)
1 /*
2  * SMSC LAN9118 Ethernet interface emulation
3  *
4  * Copyright (c) 2009 CodeSourcery, LLC.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the GNU GPL v2
8  *
9  * Contributions after 2012-01-13 are licensed under the terms of the
10  * GNU GPL, version 2 or (at your option) any later version.
11  */
12 
13 #include "qemu/osdep.h"
14 #include "hw/sysbus.h"
15 #include "migration/vmstate.h"
16 #include "net/net.h"
17 #include "net/eth.h"
18 #include "hw/irq.h"
19 #include "hw/net/lan9118.h"
20 #include "hw/ptimer.h"
21 #include "hw/qdev-properties.h"
22 #include "qapi/error.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 #include <zlib.h> /* for crc32 */
26 #include "qom/object.h"
27 
28 //#define DEBUG_LAN9118
29 
30 #ifdef DEBUG_LAN9118
31 #define DPRINTF(fmt, ...) \
32 do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
33 #else
34 #define DPRINTF(fmt, ...) do {} while(0)
35 #endif
36 
37 /* The tx and rx fifo ports are a range of aliased 32-bit registers */
38 #define RX_DATA_FIFO_PORT_FIRST 0x00
39 #define RX_DATA_FIFO_PORT_LAST 0x1f
40 #define TX_DATA_FIFO_PORT_FIRST 0x20
41 #define TX_DATA_FIFO_PORT_LAST 0x3f
42 
43 #define RX_STATUS_FIFO_PORT 0x40
44 #define RX_STATUS_FIFO_PEEK 0x44
45 #define TX_STATUS_FIFO_PORT 0x48
46 #define TX_STATUS_FIFO_PEEK 0x4c
47 
48 #define CSR_ID_REV      0x50
49 #define CSR_IRQ_CFG     0x54
50 #define CSR_INT_STS     0x58
51 #define CSR_INT_EN      0x5c
52 #define CSR_BYTE_TEST   0x64
53 #define CSR_FIFO_INT    0x68
54 #define CSR_RX_CFG      0x6c
55 #define CSR_TX_CFG      0x70
56 #define CSR_HW_CFG      0x74
57 #define CSR_RX_DP_CTRL  0x78
58 #define CSR_RX_FIFO_INF 0x7c
59 #define CSR_TX_FIFO_INF 0x80
60 #define CSR_PMT_CTRL    0x84
61 #define CSR_GPIO_CFG    0x88
62 #define CSR_GPT_CFG     0x8c
63 #define CSR_GPT_CNT     0x90
64 #define CSR_WORD_SWAP   0x98
65 #define CSR_FREE_RUN    0x9c
66 #define CSR_RX_DROP     0xa0
67 #define CSR_MAC_CSR_CMD 0xa4
68 #define CSR_MAC_CSR_DATA 0xa8
69 #define CSR_AFC_CFG     0xac
70 #define CSR_E2P_CMD     0xb0
71 #define CSR_E2P_DATA    0xb4
72 
73 #define E2P_CMD_MAC_ADDR_LOADED 0x100
74 
75 /* IRQ_CFG */
76 #define IRQ_INT         0x00001000
77 #define IRQ_EN          0x00000100
78 #define IRQ_POL         0x00000010
79 #define IRQ_TYPE        0x00000001
80 
81 /* INT_STS/INT_EN */
82 #define SW_INT          0x80000000
83 #define TXSTOP_INT      0x02000000
84 #define RXSTOP_INT      0x01000000
85 #define RXDFH_INT       0x00800000
86 #define TX_IOC_INT      0x00200000
87 #define RXD_INT         0x00100000
88 #define GPT_INT         0x00080000
89 #define PHY_INT         0x00040000
90 #define PME_INT         0x00020000
91 #define TXSO_INT        0x00010000
92 #define RWT_INT         0x00008000
93 #define RXE_INT         0x00004000
94 #define TXE_INT         0x00002000
95 #define TDFU_INT        0x00000800
96 #define TDFO_INT        0x00000400
97 #define TDFA_INT        0x00000200
98 #define TSFF_INT        0x00000100
99 #define TSFL_INT        0x00000080
100 #define RXDF_INT        0x00000040
101 #define RDFL_INT        0x00000020
102 #define RSFF_INT        0x00000010
103 #define RSFL_INT        0x00000008
104 #define GPIO2_INT       0x00000004
105 #define GPIO1_INT       0x00000002
106 #define GPIO0_INT       0x00000001
107 #define RESERVED_INT    0x7c001000
108 
109 #define MAC_CR          1
110 #define MAC_ADDRH       2
111 #define MAC_ADDRL       3
112 #define MAC_HASHH       4
113 #define MAC_HASHL       5
114 #define MAC_MII_ACC     6
115 #define MAC_MII_DATA    7
116 #define MAC_FLOW        8
117 #define MAC_VLAN1       9 /* TODO */
118 #define MAC_VLAN2       10 /* TODO */
119 #define MAC_WUFF        11 /* TODO */
120 #define MAC_WUCSR       12 /* TODO */
121 
122 #define MAC_CR_RXALL    0x80000000
123 #define MAC_CR_RCVOWN   0x00800000
124 #define MAC_CR_LOOPBK   0x00200000
125 #define MAC_CR_FDPX     0x00100000
126 #define MAC_CR_MCPAS    0x00080000
127 #define MAC_CR_PRMS     0x00040000
128 #define MAC_CR_INVFILT  0x00020000
129 #define MAC_CR_PASSBAD  0x00010000
130 #define MAC_CR_HO       0x00008000
131 #define MAC_CR_HPFILT   0x00002000
132 #define MAC_CR_LCOLL    0x00001000
133 #define MAC_CR_BCAST    0x00000800
134 #define MAC_CR_DISRTY   0x00000400
135 #define MAC_CR_PADSTR   0x00000100
136 #define MAC_CR_BOLMT    0x000000c0
137 #define MAC_CR_DFCHK    0x00000020
138 #define MAC_CR_TXEN     0x00000008
139 #define MAC_CR_RXEN     0x00000004
140 #define MAC_CR_RESERVED 0x7f404213
141 
142 #define PHY_INT_ENERGYON            0x80
143 #define PHY_INT_AUTONEG_COMPLETE    0x40
144 #define PHY_INT_FAULT               0x20
145 #define PHY_INT_DOWN                0x10
146 #define PHY_INT_AUTONEG_LP          0x08
147 #define PHY_INT_PARFAULT            0x04
148 #define PHY_INT_AUTONEG_PAGE        0x02
149 
150 #define GPT_TIMER_EN    0x20000000
151 
152 /*
153  * The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit
154  * and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs.
155  */
156 #define MIL_TXFIFO_SIZE         2048
157 
158 enum tx_state {
159     TX_IDLE,
160     TX_B,
161     TX_DATA
162 };
163 
164 typedef struct {
165     /* state is a tx_state but we can't put enums in VMStateDescriptions. */
166     uint32_t state;
167     uint32_t cmd_a;
168     uint32_t cmd_b;
169     int32_t buffer_size;
170     int32_t offset;
171     int32_t pad;
172     int32_t fifo_used;
173     int32_t len;
174     uint8_t data[MIL_TXFIFO_SIZE];
175 } LAN9118Packet;
176 
177 static const VMStateDescription vmstate_lan9118_packet = {
178     .name = "lan9118_packet",
179     .version_id = 1,
180     .minimum_version_id = 1,
181     .fields = (const VMStateField[]) {
182         VMSTATE_UINT32(state, LAN9118Packet),
183         VMSTATE_UINT32(cmd_a, LAN9118Packet),
184         VMSTATE_UINT32(cmd_b, LAN9118Packet),
185         VMSTATE_INT32(buffer_size, LAN9118Packet),
186         VMSTATE_INT32(offset, LAN9118Packet),
187         VMSTATE_INT32(pad, LAN9118Packet),
188         VMSTATE_INT32(fifo_used, LAN9118Packet),
189         VMSTATE_INT32(len, LAN9118Packet),
190         VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE),
191         VMSTATE_END_OF_LIST()
192     }
193 };
194 
195 OBJECT_DECLARE_SIMPLE_TYPE(lan9118_state, LAN9118)
196 
197 struct lan9118_state {
198     SysBusDevice parent_obj;
199 
200     NICState *nic;
201     NICConf conf;
202     qemu_irq irq;
203     MemoryRegion mmio;
204     ptimer_state *timer;
205 
206     uint32_t irq_cfg;
207     uint32_t int_sts;
208     uint32_t int_en;
209     uint32_t fifo_int;
210     uint32_t rx_cfg;
211     uint32_t tx_cfg;
212     uint32_t hw_cfg;
213     uint32_t pmt_ctrl;
214     uint32_t gpio_cfg;
215     uint32_t gpt_cfg;
216     uint32_t word_swap;
217     uint32_t free_timer_start;
218     uint32_t mac_cmd;
219     uint32_t mac_data;
220     uint32_t afc_cfg;
221     uint32_t e2p_cmd;
222     uint32_t e2p_data;
223 
224     uint32_t mac_cr;
225     uint32_t mac_hashh;
226     uint32_t mac_hashl;
227     uint32_t mac_mii_acc;
228     uint32_t mac_mii_data;
229     uint32_t mac_flow;
230 
231     uint32_t phy_status;
232     uint32_t phy_control;
233     uint32_t phy_advertise;
234     uint32_t phy_int;
235     uint32_t phy_int_mask;
236 
237     int32_t eeprom_writable;
238     uint8_t eeprom[128];
239 
240     int32_t tx_fifo_size;
241     LAN9118Packet *txp;
242     LAN9118Packet tx_packet;
243 
244     int32_t tx_status_fifo_used;
245     int32_t tx_status_fifo_head;
246     uint32_t tx_status_fifo[512];
247 
248     int32_t rx_status_fifo_size;
249     int32_t rx_status_fifo_used;
250     int32_t rx_status_fifo_head;
251     uint32_t rx_status_fifo[896];
252     int32_t rx_fifo_size;
253     int32_t rx_fifo_used;
254     int32_t rx_fifo_head;
255     uint32_t rx_fifo[3360];
256     int32_t rx_packet_size_head;
257     int32_t rx_packet_size_tail;
258     int32_t rx_packet_size[1024];
259 
260     int32_t rxp_offset;
261     int32_t rxp_size;
262     int32_t rxp_pad;
263 
264     uint32_t write_word_prev_offset;
265     uint32_t write_word_n;
266     uint16_t write_word_l;
267     uint16_t write_word_h;
268     uint32_t read_word_prev_offset;
269     uint32_t read_word_n;
270     uint32_t read_long;
271 
272     uint32_t mode_16bit;
273 };
274 
275 static const VMStateDescription vmstate_lan9118 = {
276     .name = "lan9118",
277     .version_id = 2,
278     .minimum_version_id = 1,
279     .fields = (const VMStateField[]) {
280         VMSTATE_PTIMER(timer, lan9118_state),
281         VMSTATE_UINT32(irq_cfg, lan9118_state),
282         VMSTATE_UINT32(int_sts, lan9118_state),
283         VMSTATE_UINT32(int_en, lan9118_state),
284         VMSTATE_UINT32(fifo_int, lan9118_state),
285         VMSTATE_UINT32(rx_cfg, lan9118_state),
286         VMSTATE_UINT32(tx_cfg, lan9118_state),
287         VMSTATE_UINT32(hw_cfg, lan9118_state),
288         VMSTATE_UINT32(pmt_ctrl, lan9118_state),
289         VMSTATE_UINT32(gpio_cfg, lan9118_state),
290         VMSTATE_UINT32(gpt_cfg, lan9118_state),
291         VMSTATE_UINT32(word_swap, lan9118_state),
292         VMSTATE_UINT32(free_timer_start, lan9118_state),
293         VMSTATE_UINT32(mac_cmd, lan9118_state),
294         VMSTATE_UINT32(mac_data, lan9118_state),
295         VMSTATE_UINT32(afc_cfg, lan9118_state),
296         VMSTATE_UINT32(e2p_cmd, lan9118_state),
297         VMSTATE_UINT32(e2p_data, lan9118_state),
298         VMSTATE_UINT32(mac_cr, lan9118_state),
299         VMSTATE_UINT32(mac_hashh, lan9118_state),
300         VMSTATE_UINT32(mac_hashl, lan9118_state),
301         VMSTATE_UINT32(mac_mii_acc, lan9118_state),
302         VMSTATE_UINT32(mac_mii_data, lan9118_state),
303         VMSTATE_UINT32(mac_flow, lan9118_state),
304         VMSTATE_UINT32(phy_status, lan9118_state),
305         VMSTATE_UINT32(phy_control, lan9118_state),
306         VMSTATE_UINT32(phy_advertise, lan9118_state),
307         VMSTATE_UINT32(phy_int, lan9118_state),
308         VMSTATE_UINT32(phy_int_mask, lan9118_state),
309         VMSTATE_INT32(eeprom_writable, lan9118_state),
310         VMSTATE_UINT8_ARRAY(eeprom, lan9118_state, 128),
311         VMSTATE_INT32(tx_fifo_size, lan9118_state),
312         /* txp always points at tx_packet so need not be saved */
313         VMSTATE_STRUCT(tx_packet, lan9118_state, 0,
314                        vmstate_lan9118_packet, LAN9118Packet),
315         VMSTATE_INT32(tx_status_fifo_used, lan9118_state),
316         VMSTATE_INT32(tx_status_fifo_head, lan9118_state),
317         VMSTATE_UINT32_ARRAY(tx_status_fifo, lan9118_state, 512),
318         VMSTATE_INT32(rx_status_fifo_size, lan9118_state),
319         VMSTATE_INT32(rx_status_fifo_used, lan9118_state),
320         VMSTATE_INT32(rx_status_fifo_head, lan9118_state),
321         VMSTATE_UINT32_ARRAY(rx_status_fifo, lan9118_state, 896),
322         VMSTATE_INT32(rx_fifo_size, lan9118_state),
323         VMSTATE_INT32(rx_fifo_used, lan9118_state),
324         VMSTATE_INT32(rx_fifo_head, lan9118_state),
325         VMSTATE_UINT32_ARRAY(rx_fifo, lan9118_state, 3360),
326         VMSTATE_INT32(rx_packet_size_head, lan9118_state),
327         VMSTATE_INT32(rx_packet_size_tail, lan9118_state),
328         VMSTATE_INT32_ARRAY(rx_packet_size, lan9118_state, 1024),
329         VMSTATE_INT32(rxp_offset, lan9118_state),
330         VMSTATE_INT32(rxp_size, lan9118_state),
331         VMSTATE_INT32(rxp_pad, lan9118_state),
332         VMSTATE_UINT32_V(write_word_prev_offset, lan9118_state, 2),
333         VMSTATE_UINT32_V(write_word_n, lan9118_state, 2),
334         VMSTATE_UINT16_V(write_word_l, lan9118_state, 2),
335         VMSTATE_UINT16_V(write_word_h, lan9118_state, 2),
336         VMSTATE_UINT32_V(read_word_prev_offset, lan9118_state, 2),
337         VMSTATE_UINT32_V(read_word_n, lan9118_state, 2),
338         VMSTATE_UINT32_V(read_long, lan9118_state, 2),
339         VMSTATE_UINT32_V(mode_16bit, lan9118_state, 2),
340         VMSTATE_END_OF_LIST()
341     }
342 };
343 
344 static void lan9118_update(lan9118_state *s)
345 {
346     int level;
347 
348     /* TODO: Implement FIFO level IRQs.  */
349     level = (s->int_sts & s->int_en) != 0;
350     if (level) {
351         s->irq_cfg |= IRQ_INT;
352     } else {
353         s->irq_cfg &= ~IRQ_INT;
354     }
355     if ((s->irq_cfg & IRQ_EN) == 0) {
356         level = 0;
357     }
358     if ((s->irq_cfg & (IRQ_TYPE | IRQ_POL)) != (IRQ_TYPE | IRQ_POL)) {
359         /* Interrupt is active low unless we're configured as
360          * active-high polarity, push-pull type.
361          */
362         level = !level;
363     }
364     qemu_set_irq(s->irq, level);
365 }
366 
367 static void lan9118_mac_changed(lan9118_state *s)
368 {
369     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
370 }
371 
372 static void lan9118_reload_eeprom(lan9118_state *s)
373 {
374     int i;
375     if (s->eeprom[0] != 0xa5) {
376         s->e2p_cmd &= ~E2P_CMD_MAC_ADDR_LOADED;
377         DPRINTF("MACADDR load failed\n");
378         return;
379     }
380     for (i = 0; i < 6; i++) {
381         s->conf.macaddr.a[i] = s->eeprom[i + 1];
382     }
383     s->e2p_cmd |= E2P_CMD_MAC_ADDR_LOADED;
384     DPRINTF("MACADDR loaded from eeprom\n");
385     lan9118_mac_changed(s);
386 }
387 
388 static void phy_update_irq(lan9118_state *s)
389 {
390     if (s->phy_int & s->phy_int_mask) {
391         s->int_sts |= PHY_INT;
392     } else {
393         s->int_sts &= ~PHY_INT;
394     }
395     lan9118_update(s);
396 }
397 
398 static void phy_update_link(lan9118_state *s)
399 {
400     /* Autonegotiation status mirrors link status.  */
401     if (qemu_get_queue(s->nic)->link_down) {
402         s->phy_status &= ~0x0024;
403         s->phy_int |= PHY_INT_DOWN;
404     } else {
405         s->phy_status |= 0x0024;
406         s->phy_int |= PHY_INT_ENERGYON;
407         s->phy_int |= PHY_INT_AUTONEG_COMPLETE;
408     }
409     phy_update_irq(s);
410 }
411 
412 static void lan9118_set_link(NetClientState *nc)
413 {
414     phy_update_link(qemu_get_nic_opaque(nc));
415 }
416 
417 static void phy_reset(lan9118_state *s)
418 {
419     s->phy_status = 0x7809;
420     s->phy_control = 0x3000;
421     s->phy_advertise = 0x01e1;
422     s->phy_int_mask = 0;
423     s->phy_int = 0;
424     phy_update_link(s);
425 }
426 
427 static void lan9118_reset(DeviceState *d)
428 {
429     lan9118_state *s = LAN9118(d);
430 
431     s->irq_cfg &= (IRQ_TYPE | IRQ_POL);
432     s->int_sts = 0;
433     s->int_en = 0;
434     s->fifo_int = 0x48000000;
435     s->rx_cfg = 0;
436     s->tx_cfg = 0;
437     s->hw_cfg = s->mode_16bit ? 0x00050000 : 0x00050004;
438     s->pmt_ctrl &= 0x45;
439     s->gpio_cfg = 0;
440     s->txp->fifo_used = 0;
441     s->txp->state = TX_IDLE;
442     s->txp->cmd_a = 0xffffffffu;
443     s->txp->cmd_b = 0xffffffffu;
444     s->txp->len = 0;
445     s->txp->fifo_used = 0;
446     s->tx_fifo_size = 4608;
447     s->tx_status_fifo_used = 0;
448     s->rx_status_fifo_size = 704;
449     s->rx_fifo_size = 2640;
450     s->rx_fifo_used = 0;
451     s->rx_status_fifo_size = 176;
452     s->rx_status_fifo_used = 0;
453     s->rxp_offset = 0;
454     s->rxp_size = 0;
455     s->rxp_pad = 0;
456     s->rx_packet_size_tail = s->rx_packet_size_head;
457     s->rx_packet_size[s->rx_packet_size_head] = 0;
458     s->mac_cmd = 0;
459     s->mac_data = 0;
460     s->afc_cfg = 0;
461     s->e2p_cmd = 0;
462     s->e2p_data = 0;
463     s->free_timer_start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40;
464 
465     ptimer_transaction_begin(s->timer);
466     ptimer_stop(s->timer);
467     ptimer_set_count(s->timer, 0xffff);
468     ptimer_transaction_commit(s->timer);
469     s->gpt_cfg = 0xffff;
470 
471     s->mac_cr = MAC_CR_PRMS;
472     s->mac_hashh = 0;
473     s->mac_hashl = 0;
474     s->mac_mii_acc = 0;
475     s->mac_mii_data = 0;
476     s->mac_flow = 0;
477 
478     s->read_word_n = 0;
479     s->write_word_n = 0;
480 
481     phy_reset(s);
482 
483     s->eeprom_writable = 0;
484     lan9118_reload_eeprom(s);
485 }
486 
487 static void rx_fifo_push(lan9118_state *s, uint32_t val)
488 {
489     int fifo_pos;
490     fifo_pos = s->rx_fifo_head + s->rx_fifo_used;
491     if (fifo_pos >= s->rx_fifo_size)
492       fifo_pos -= s->rx_fifo_size;
493     s->rx_fifo[fifo_pos] = val;
494     s->rx_fifo_used++;
495 }
496 
497 /* Return nonzero if the packet is accepted by the filter.  */
498 static int lan9118_filter(lan9118_state *s, const uint8_t *addr)
499 {
500     int multicast;
501     uint32_t hash;
502 
503     if (s->mac_cr & MAC_CR_PRMS) {
504         return 1;
505     }
506     if (addr[0] == 0xff && addr[1] == 0xff && addr[2] == 0xff &&
507         addr[3] == 0xff && addr[4] == 0xff && addr[5] == 0xff) {
508         return (s->mac_cr & MAC_CR_BCAST) == 0;
509     }
510 
511     multicast = addr[0] & 1;
512     if (multicast &&s->mac_cr & MAC_CR_MCPAS) {
513         return 1;
514     }
515     if (multicast ? (s->mac_cr & MAC_CR_HPFILT) == 0
516                   : (s->mac_cr & MAC_CR_HO) == 0) {
517         /* Exact matching.  */
518         hash = memcmp(addr, s->conf.macaddr.a, 6);
519         if (s->mac_cr & MAC_CR_INVFILT) {
520             return hash != 0;
521         } else {
522             return hash == 0;
523         }
524     } else {
525         /* Hash matching  */
526         hash = net_crc32(addr, ETH_ALEN) >> 26;
527         if (hash & 0x20) {
528             return (s->mac_hashh >> (hash & 0x1f)) & 1;
529         } else {
530             return (s->mac_hashl >> (hash & 0x1f)) & 1;
531         }
532     }
533 }
534 
535 static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
536                                size_t size)
537 {
538     lan9118_state *s = qemu_get_nic_opaque(nc);
539     int fifo_len;
540     int offset;
541     int src_pos;
542     int n;
543     int filter;
544     uint32_t val;
545     uint32_t crc;
546     uint32_t status;
547 
548     if ((s->mac_cr & MAC_CR_RXEN) == 0) {
549         return -1;
550     }
551 
552     if (size >= MIL_TXFIFO_SIZE || size < 14) {
553         return -1;
554     }
555 
556     /* TODO: Implement FIFO overflow notification.  */
557     if (s->rx_status_fifo_used == s->rx_status_fifo_size) {
558         return -1;
559     }
560 
561     filter = lan9118_filter(s, buf);
562     if (!filter && (s->mac_cr & MAC_CR_RXALL) == 0) {
563         return size;
564     }
565 
566     offset = (s->rx_cfg >> 8) & 0x1f;
567     n = offset & 3;
568     fifo_len = (size + n + 3) >> 2;
569     /* Add a word for the CRC.  */
570     fifo_len++;
571     if (s->rx_fifo_size - s->rx_fifo_used < fifo_len) {
572         return -1;
573     }
574 
575     DPRINTF("Got packet len:%d fifo:%d filter:%s\n",
576             (int)size, fifo_len, filter ? "pass" : "fail");
577     val = 0;
578     crc = bswap32(crc32(~0, buf, size));
579     for (src_pos = 0; src_pos < size; src_pos++) {
580         val = (val >> 8) | ((uint32_t)buf[src_pos] << 24);
581         n++;
582         if (n == 4) {
583             n = 0;
584             rx_fifo_push(s, val);
585             val = 0;
586         }
587     }
588     if (n) {
589         val >>= ((4 - n) * 8);
590         val |= crc << (n * 8);
591         rx_fifo_push(s, val);
592         val = crc >> ((4 - n) * 8);
593         rx_fifo_push(s, val);
594     } else {
595         rx_fifo_push(s, crc);
596     }
597     n = s->rx_status_fifo_head + s->rx_status_fifo_used;
598     if (n >= s->rx_status_fifo_size) {
599         n -= s->rx_status_fifo_size;
600     }
601     s->rx_packet_size[s->rx_packet_size_tail] = fifo_len;
602     s->rx_packet_size_tail = (s->rx_packet_size_tail + 1023) & 1023;
603     s->rx_status_fifo_used++;
604 
605     status = (size + 4) << 16;
606     if (buf[0] == 0xff && buf[1] == 0xff && buf[2] == 0xff &&
607         buf[3] == 0xff && buf[4] == 0xff && buf[5] == 0xff) {
608         status |= 0x00002000;
609     } else if (buf[0] & 1) {
610         status |= 0x00000400;
611     }
612     if (!filter) {
613         status |= 0x40000000;
614     }
615     s->rx_status_fifo[n] = status;
616 
617     if (s->rx_status_fifo_used > (s->fifo_int & 0xff)) {
618         s->int_sts |= RSFL_INT;
619     }
620     lan9118_update(s);
621 
622     return size;
623 }
624 
625 static uint32_t rx_fifo_pop(lan9118_state *s)
626 {
627     int n;
628     uint32_t val;
629 
630     if (s->rxp_size == 0 && s->rxp_pad == 0) {
631         s->rxp_size = s->rx_packet_size[s->rx_packet_size_head];
632         s->rx_packet_size[s->rx_packet_size_head] = 0;
633         if (s->rxp_size != 0) {
634             s->rx_packet_size_head = (s->rx_packet_size_head + 1023) & 1023;
635             s->rxp_offset = (s->rx_cfg >> 10) & 7;
636             n = s->rxp_offset + s->rxp_size;
637             switch (s->rx_cfg >> 30) {
638             case 1:
639                 n = (-n) & 3;
640                 break;
641             case 2:
642                 n = (-n) & 7;
643                 break;
644             default:
645                 n = 0;
646                 break;
647             }
648             s->rxp_pad = n;
649             DPRINTF("Pop packet size:%d offset:%d pad: %d\n",
650                     s->rxp_size, s->rxp_offset, s->rxp_pad);
651         }
652     }
653     if (s->rxp_offset > 0) {
654         s->rxp_offset--;
655         val = 0;
656     } else if (s->rxp_size > 0) {
657         s->rxp_size--;
658         val = s->rx_fifo[s->rx_fifo_head++];
659         if (s->rx_fifo_head >= s->rx_fifo_size) {
660             s->rx_fifo_head -= s->rx_fifo_size;
661         }
662         s->rx_fifo_used--;
663     } else if (s->rxp_pad > 0) {
664         s->rxp_pad--;
665         val =  0;
666     } else {
667         DPRINTF("RX underflow\n");
668         s->int_sts |= RXE_INT;
669         val =  0;
670     }
671     lan9118_update(s);
672     return val;
673 }
674 
675 static void do_tx_packet(lan9118_state *s)
676 {
677     int n;
678     uint32_t status;
679 
680     /* FIXME: Honor TX disable, and allow queueing of packets.  */
681     if (s->phy_control & 0x4000)  {
682         /* This assumes the receive routine doesn't touch the VLANClient.  */
683         qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
684     } else {
685         qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
686     }
687     s->txp->fifo_used = 0;
688 
689     if (s->tx_status_fifo_used == 512) {
690         /* Status FIFO full */
691         return;
692     }
693     /* Add entry to status FIFO.  */
694     status = s->txp->cmd_b & 0xffff0000u;
695     DPRINTF("Sent packet tag:%04x len %d\n", status >> 16, s->txp->len);
696     n = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
697     s->tx_status_fifo[n] = status;
698     s->tx_status_fifo_used++;
699 
700     /*
701      * Generate TSFL interrupt if TX FIFO level exceeds the level
702      * specified in the FIFO_INT TX Status Level field.
703      */
704     if (s->tx_status_fifo_used > ((s->fifo_int >> 16) & 0xff)) {
705         s->int_sts |= TSFL_INT;
706     }
707     if (s->tx_status_fifo_used == 512) {
708         s->int_sts |= TSFF_INT;
709         /* TODO: Stop transmission.  */
710     }
711 }
712 
713 static uint32_t rx_status_fifo_pop(lan9118_state *s)
714 {
715     uint32_t val;
716 
717     val = s->rx_status_fifo[s->rx_status_fifo_head];
718     if (s->rx_status_fifo_used != 0) {
719         s->rx_status_fifo_used--;
720         s->rx_status_fifo_head++;
721         if (s->rx_status_fifo_head >= s->rx_status_fifo_size) {
722             s->rx_status_fifo_head -= s->rx_status_fifo_size;
723         }
724         /* ??? What value should be returned when the FIFO is empty?  */
725         DPRINTF("RX status pop 0x%08x\n", val);
726     }
727     return val;
728 }
729 
730 static uint32_t tx_status_fifo_pop(lan9118_state *s)
731 {
732     uint32_t val;
733 
734     val = s->tx_status_fifo[s->tx_status_fifo_head];
735     if (s->tx_status_fifo_used != 0) {
736         s->tx_status_fifo_used--;
737         s->tx_status_fifo_head = (s->tx_status_fifo_head + 1) & 511;
738         /* ??? What value should be returned when the FIFO is empty?  */
739     }
740     return val;
741 }
742 
743 static void tx_fifo_push(lan9118_state *s, uint32_t val)
744 {
745     int n;
746 
747     if (s->txp->fifo_used == s->tx_fifo_size) {
748         s->int_sts |= TDFO_INT;
749         return;
750     }
751     switch (s->txp->state) {
752     case TX_IDLE:
753         s->txp->cmd_a = val & 0x831f37ff;
754         s->txp->fifo_used++;
755         s->txp->state = TX_B;
756         s->txp->buffer_size = extract32(s->txp->cmd_a, 0, 11);
757         s->txp->offset = extract32(s->txp->cmd_a, 16, 5);
758         break;
759     case TX_B:
760         if (s->txp->cmd_a & 0x2000) {
761             /* First segment */
762             s->txp->cmd_b = val;
763             s->txp->fifo_used++;
764             /* End alignment does not include command words.  */
765             n = (s->txp->buffer_size + s->txp->offset + 3) >> 2;
766             switch ((n >> 24) & 3) {
767             case 1:
768                 n = (-n) & 3;
769                 break;
770             case 2:
771                 n = (-n) & 7;
772                 break;
773             default:
774                 n = 0;
775             }
776             s->txp->pad = n;
777             s->txp->len = 0;
778         }
779         DPRINTF("Block len:%d offset:%d pad:%d cmd %08x\n",
780                 s->txp->buffer_size, s->txp->offset, s->txp->pad,
781                 s->txp->cmd_a);
782         s->txp->state = TX_DATA;
783         break;
784     case TX_DATA:
785         if (s->txp->offset >= 4) {
786             s->txp->offset -= 4;
787             break;
788         }
789         if (s->txp->buffer_size <= 0 && s->txp->pad != 0) {
790             s->txp->pad--;
791         } else {
792             n = MIN(4, s->txp->buffer_size + s->txp->offset);
793             while (s->txp->offset) {
794                 val >>= 8;
795                 n--;
796                 s->txp->offset--;
797             }
798             /* Documentation is somewhat unclear on the ordering of bytes
799                in FIFO words.  Empirical results show it to be little-endian.
800                */
801             while (n--) {
802                 if (s->txp->len == MIL_TXFIFO_SIZE) {
803                     /*
804                      * No more space in the FIFO. The datasheet is not
805                      * precise about this case. We choose what is easiest
806                      * to model: the packet is truncated, and TXE is raised.
807                      *
808                      * Note, it could be a fragmented packet, but we currently
809                      * do not handle that (see earlier TX_B case).
810                      */
811                     qemu_log_mask(LOG_GUEST_ERROR,
812                                   "MIL TX FIFO overrun, discarding %u byte%s\n",
813                                   n, n > 1 ? "s" : "");
814                     s->int_sts |= TXE_INT;
815                     break;
816                 }
817                 s->txp->data[s->txp->len] = val & 0xff;
818                 s->txp->len++;
819                 val >>= 8;
820                 s->txp->buffer_size--;
821             }
822             s->txp->fifo_used++;
823         }
824         if (s->txp->buffer_size <= 0 && s->txp->pad == 0) {
825             if (s->txp->cmd_a & 0x1000) {
826                 do_tx_packet(s);
827             }
828             if (s->txp->cmd_a & 0x80000000) {
829                 s->int_sts |= TX_IOC_INT;
830             }
831             s->txp->state = TX_IDLE;
832         }
833         break;
834     }
835 }
836 
837 static uint32_t do_phy_read(lan9118_state *s, int reg)
838 {
839     uint32_t val;
840 
841     switch (reg) {
842     case 0: /* Basic Control */
843         return s->phy_control;
844     case 1: /* Basic Status */
845         return s->phy_status;
846     case 2: /* ID1 */
847         return 0x0007;
848     case 3: /* ID2 */
849         return 0xc0d1;
850     case 4: /* Auto-neg advertisement */
851         return s->phy_advertise;
852     case 5: /* Auto-neg Link Partner Ability */
853         return 0x0f71;
854     case 6: /* Auto-neg Expansion */
855         return 1;
856         /* TODO 17, 18, 27, 29, 30, 31 */
857     case 29: /* Interrupt source.  */
858         val = s->phy_int;
859         s->phy_int = 0;
860         phy_update_irq(s);
861         return val;
862     case 30: /* Interrupt mask */
863         return s->phy_int_mask;
864     default:
865         qemu_log_mask(LOG_GUEST_ERROR,
866                       "do_phy_read: PHY read reg %d\n", reg);
867         return 0;
868     }
869 }
870 
871 static void do_phy_write(lan9118_state *s, int reg, uint32_t val)
872 {
873     switch (reg) {
874     case 0: /* Basic Control */
875         if (val & 0x8000) {
876             phy_reset(s);
877             break;
878         }
879         s->phy_control = val & 0x7980;
880         /* Complete autonegotiation immediately.  */
881         if (val & 0x1000) {
882             s->phy_status |= 0x0020;
883         }
884         break;
885     case 4: /* Auto-neg advertisement */
886         s->phy_advertise = (val & 0x2d7f) | 0x80;
887         break;
888         /* TODO 17, 18, 27, 31 */
889     case 30: /* Interrupt mask */
890         s->phy_int_mask = val & 0xff;
891         phy_update_irq(s);
892         break;
893     default:
894         qemu_log_mask(LOG_GUEST_ERROR,
895                       "do_phy_write: PHY write reg %d = 0x%04x\n", reg, val);
896     }
897 }
898 
899 static void do_mac_write(lan9118_state *s, int reg, uint32_t val)
900 {
901     switch (reg) {
902     case MAC_CR:
903         if ((s->mac_cr & MAC_CR_RXEN) != 0 && (val & MAC_CR_RXEN) == 0) {
904             s->int_sts |= RXSTOP_INT;
905         }
906         s->mac_cr = val & ~MAC_CR_RESERVED;
907         DPRINTF("MAC_CR: %08x\n", val);
908         break;
909     case MAC_ADDRH:
910         s->conf.macaddr.a[4] = val & 0xff;
911         s->conf.macaddr.a[5] = (val >> 8) & 0xff;
912         lan9118_mac_changed(s);
913         break;
914     case MAC_ADDRL:
915         s->conf.macaddr.a[0] = val & 0xff;
916         s->conf.macaddr.a[1] = (val >> 8) & 0xff;
917         s->conf.macaddr.a[2] = (val >> 16) & 0xff;
918         s->conf.macaddr.a[3] = (val >> 24) & 0xff;
919         lan9118_mac_changed(s);
920         break;
921     case MAC_HASHH:
922         s->mac_hashh = val;
923         break;
924     case MAC_HASHL:
925         s->mac_hashl = val;
926         break;
927     case MAC_MII_ACC:
928         s->mac_mii_acc = val & 0xffc2;
929         if (val & 2) {
930             DPRINTF("PHY write %d = 0x%04x\n",
931                     (val >> 6) & 0x1f, s->mac_mii_data);
932             do_phy_write(s, (val >> 6) & 0x1f, s->mac_mii_data);
933         } else {
934             s->mac_mii_data = do_phy_read(s, (val >> 6) & 0x1f);
935             DPRINTF("PHY read %d = 0x%04x\n",
936                     (val >> 6) & 0x1f, s->mac_mii_data);
937         }
938         break;
939     case MAC_MII_DATA:
940         s->mac_mii_data = val & 0xffff;
941         break;
942     case MAC_FLOW:
943         s->mac_flow = val & 0xffff0000;
944         break;
945     case MAC_VLAN1:
946         /* Writing to this register changes a condition for
947          * FrameTooLong bit in rx_status.  Since we do not set
948          * FrameTooLong anyway, just ignore write to this.
949          */
950         break;
951     default:
952         qemu_log_mask(LOG_GUEST_ERROR,
953                       "lan9118: Unimplemented MAC register write: %d = 0x%x\n",
954                  s->mac_cmd & 0xf, val);
955     }
956 }
957 
958 static uint32_t do_mac_read(lan9118_state *s, int reg)
959 {
960     switch (reg) {
961     case MAC_CR:
962         return s->mac_cr;
963     case MAC_ADDRH:
964         return s->conf.macaddr.a[4] | (s->conf.macaddr.a[5] << 8);
965     case MAC_ADDRL:
966         return s->conf.macaddr.a[0] | (s->conf.macaddr.a[1] << 8)
967                | (s->conf.macaddr.a[2] << 16) | (s->conf.macaddr.a[3] << 24);
968     case MAC_HASHH:
969         return s->mac_hashh;
970     case MAC_HASHL:
971         return s->mac_hashl;
972     case MAC_MII_ACC:
973         return s->mac_mii_acc;
974     case MAC_MII_DATA:
975         return s->mac_mii_data;
976     case MAC_FLOW:
977         return s->mac_flow;
978     default:
979         qemu_log_mask(LOG_GUEST_ERROR,
980                       "lan9118: Unimplemented MAC register read: %d\n",
981                  s->mac_cmd & 0xf);
982         return 0;
983     }
984 }
985 
986 static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
987 {
988     s->e2p_cmd = (s->e2p_cmd & E2P_CMD_MAC_ADDR_LOADED) | (cmd << 28) | addr;
989     switch (cmd) {
990     case 0:
991         s->e2p_data = s->eeprom[addr];
992         DPRINTF("EEPROM Read %d = 0x%02x\n", addr, s->e2p_data);
993         break;
994     case 1:
995         s->eeprom_writable = 0;
996         DPRINTF("EEPROM Write Disable\n");
997         break;
998     case 2: /* EWEN */
999         s->eeprom_writable = 1;
1000         DPRINTF("EEPROM Write Enable\n");
1001         break;
1002     case 3: /* WRITE */
1003         if (s->eeprom_writable) {
1004             s->eeprom[addr] &= s->e2p_data;
1005             DPRINTF("EEPROM Write %d = 0x%02x\n", addr, s->e2p_data);
1006         } else {
1007             DPRINTF("EEPROM Write %d (ignored)\n", addr);
1008         }
1009         break;
1010     case 4: /* WRAL */
1011         if (s->eeprom_writable) {
1012             for (addr = 0; addr < 128; addr++) {
1013                 s->eeprom[addr] &= s->e2p_data;
1014             }
1015             DPRINTF("EEPROM Write All 0x%02x\n", s->e2p_data);
1016         } else {
1017             DPRINTF("EEPROM Write All (ignored)\n");
1018         }
1019         break;
1020     case 5: /* ERASE */
1021         if (s->eeprom_writable) {
1022             s->eeprom[addr] = 0xff;
1023             DPRINTF("EEPROM Erase %d\n", addr);
1024         } else {
1025             DPRINTF("EEPROM Erase %d (ignored)\n", addr);
1026         }
1027         break;
1028     case 6: /* ERAL */
1029         if (s->eeprom_writable) {
1030             memset(s->eeprom, 0xff, 128);
1031             DPRINTF("EEPROM Erase All\n");
1032         } else {
1033             DPRINTF("EEPROM Erase All (ignored)\n");
1034         }
1035         break;
1036     case 7: /* RELOAD */
1037         lan9118_reload_eeprom(s);
1038         break;
1039     }
1040 }
1041 
1042 static void lan9118_tick(void *opaque)
1043 {
1044     lan9118_state *s = (lan9118_state *)opaque;
1045     if (s->int_en & GPT_INT) {
1046         s->int_sts |= GPT_INT;
1047     }
1048     lan9118_update(s);
1049 }
1050 
1051 static void lan9118_writel(void *opaque, hwaddr offset,
1052                            uint64_t val, unsigned size)
1053 {
1054     lan9118_state *s = (lan9118_state *)opaque;
1055     offset &= 0xff;
1056 
1057     //DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, val);
1058     if (offset >= TX_DATA_FIFO_PORT_FIRST &&
1059         offset <= TX_DATA_FIFO_PORT_LAST) {
1060         /* TX FIFO */
1061         tx_fifo_push(s, val);
1062         return;
1063     }
1064     switch (offset) {
1065     case CSR_IRQ_CFG:
1066         /* TODO: Implement interrupt deassertion intervals.  */
1067         val &= (IRQ_EN | IRQ_POL | IRQ_TYPE);
1068         s->irq_cfg = (s->irq_cfg & IRQ_INT) | val;
1069         break;
1070     case CSR_INT_STS:
1071         s->int_sts &= ~val;
1072         break;
1073     case CSR_INT_EN:
1074         s->int_en = val & ~RESERVED_INT;
1075         s->int_sts |= val & SW_INT;
1076         break;
1077     case CSR_FIFO_INT:
1078         DPRINTF("FIFO INT levels %08x\n", val);
1079         s->fifo_int = val;
1080         break;
1081     case CSR_RX_CFG:
1082         if (val & 0x8000) {
1083             /* RX_DUMP */
1084             s->rx_fifo_used = 0;
1085             s->rx_status_fifo_used = 0;
1086             s->rx_packet_size_tail = s->rx_packet_size_head;
1087             s->rx_packet_size[s->rx_packet_size_head] = 0;
1088         }
1089         s->rx_cfg = val & 0xcfff1ff0;
1090         break;
1091     case CSR_TX_CFG:
1092         if (val & 0x8000) {
1093             s->tx_status_fifo_used = 0;
1094         }
1095         if (val & 0x4000) {
1096             s->txp->state = TX_IDLE;
1097             s->txp->fifo_used = 0;
1098             s->txp->cmd_a = 0xffffffff;
1099         }
1100         s->tx_cfg = val & 6;
1101         break;
1102     case CSR_HW_CFG:
1103         if (val & 1) {
1104             /* SRST */
1105             lan9118_reset(DEVICE(s));
1106         } else {
1107             s->hw_cfg = (val & 0x003f300) | (s->hw_cfg & 0x4);
1108         }
1109         break;
1110     case CSR_RX_DP_CTRL:
1111         if (val & 0x80000000) {
1112             /* Skip forward to next packet.  */
1113             s->rxp_pad = 0;
1114             s->rxp_offset = 0;
1115             if (s->rxp_size == 0) {
1116                 /* Pop a word to start the next packet.  */
1117                 rx_fifo_pop(s);
1118                 s->rxp_pad = 0;
1119                 s->rxp_offset = 0;
1120             }
1121             s->rx_fifo_head += s->rxp_size;
1122             if (s->rx_fifo_head >= s->rx_fifo_size) {
1123                 s->rx_fifo_head -= s->rx_fifo_size;
1124             }
1125         }
1126         break;
1127     case CSR_PMT_CTRL:
1128         if (val & 0x400) {
1129             phy_reset(s);
1130         }
1131         s->pmt_ctrl &= ~0x34e;
1132         s->pmt_ctrl |= (val & 0x34e);
1133         break;
1134     case CSR_GPIO_CFG:
1135         /* Probably just enabling LEDs.  */
1136         s->gpio_cfg = val & 0x7777071f;
1137         break;
1138     case CSR_GPT_CFG:
1139         if ((s->gpt_cfg ^ val) & GPT_TIMER_EN) {
1140             ptimer_transaction_begin(s->timer);
1141             if (val & GPT_TIMER_EN) {
1142                 ptimer_set_count(s->timer, val & 0xffff);
1143                 ptimer_run(s->timer, 0);
1144             } else {
1145                 ptimer_stop(s->timer);
1146                 ptimer_set_count(s->timer, 0xffff);
1147             }
1148             ptimer_transaction_commit(s->timer);
1149         }
1150         s->gpt_cfg = val & (GPT_TIMER_EN | 0xffff);
1151         break;
1152     case CSR_WORD_SWAP:
1153         /* Ignored because we're in 32-bit mode.  */
1154         s->word_swap = val;
1155         break;
1156     case CSR_MAC_CSR_CMD:
1157         s->mac_cmd = val & 0x4000000f;
1158         if (val & 0x80000000) {
1159             if (val & 0x40000000) {
1160                 s->mac_data = do_mac_read(s, val & 0xf);
1161                 DPRINTF("MAC read %d = 0x%08x\n", val & 0xf, s->mac_data);
1162             } else {
1163                 DPRINTF("MAC write %d = 0x%08x\n", val & 0xf, s->mac_data);
1164                 do_mac_write(s, val & 0xf, s->mac_data);
1165             }
1166         }
1167         break;
1168     case CSR_MAC_CSR_DATA:
1169         s->mac_data = val;
1170         break;
1171     case CSR_AFC_CFG:
1172         s->afc_cfg = val & 0x00ffffff;
1173         break;
1174     case CSR_E2P_CMD:
1175         lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
1176         break;
1177     case CSR_E2P_DATA:
1178         s->e2p_data = val & 0xff;
1179         break;
1180 
1181     default:
1182         qemu_log_mask(LOG_GUEST_ERROR, "lan9118_write: Bad reg 0x%x = %x\n",
1183                       (int)offset, (int)val);
1184         break;
1185     }
1186     lan9118_update(s);
1187 }
1188 
1189 static void lan9118_writew(void *opaque, hwaddr offset,
1190                            uint32_t val)
1191 {
1192     lan9118_state *s = (lan9118_state *)opaque;
1193     offset &= 0xff;
1194 
1195     if (s->write_word_prev_offset != (offset & ~0x3)) {
1196         /* New offset, reset word counter */
1197         s->write_word_n = 0;
1198         s->write_word_prev_offset = offset & ~0x3;
1199     }
1200 
1201     if (offset & 0x2) {
1202         s->write_word_h = val;
1203     } else {
1204         s->write_word_l = val;
1205     }
1206 
1207     //DPRINTF("Writew reg 0x%02x = 0x%08x\n", (int)offset, val);
1208     s->write_word_n++;
1209     if (s->write_word_n == 2) {
1210         s->write_word_n = 0;
1211         lan9118_writel(s, offset & ~3, s->write_word_l +
1212                 (s->write_word_h << 16), 4);
1213     }
1214 }
1215 
1216 static void lan9118_16bit_mode_write(void *opaque, hwaddr offset,
1217                                      uint64_t val, unsigned size)
1218 {
1219     switch (size) {
1220     case 2:
1221         lan9118_writew(opaque, offset, (uint32_t)val);
1222         return;
1223     case 4:
1224         lan9118_writel(opaque, offset, val, size);
1225         return;
1226     }
1227 
1228     qemu_log_mask(LOG_GUEST_ERROR,
1229                   "lan9118_16bit_mode_write: Bad size 0x%x\n", size);
1230 }
1231 
1232 static uint64_t lan9118_readl(void *opaque, hwaddr offset,
1233                               unsigned size)
1234 {
1235     lan9118_state *s = (lan9118_state *)opaque;
1236 
1237     //DPRINTF("Read reg 0x%02x\n", (int)offset);
1238     if (offset <= RX_DATA_FIFO_PORT_LAST) {
1239         /* RX FIFO */
1240         return rx_fifo_pop(s);
1241     }
1242     switch (offset) {
1243     case RX_STATUS_FIFO_PORT:
1244         return rx_status_fifo_pop(s);
1245     case RX_STATUS_FIFO_PEEK:
1246         return s->rx_status_fifo[s->rx_status_fifo_head];
1247     case TX_STATUS_FIFO_PORT:
1248         return tx_status_fifo_pop(s);
1249     case TX_STATUS_FIFO_PEEK:
1250         return s->tx_status_fifo[s->tx_status_fifo_head];
1251     case CSR_ID_REV:
1252         return 0x01180001;
1253     case CSR_IRQ_CFG:
1254         return s->irq_cfg;
1255     case CSR_INT_STS:
1256         return s->int_sts;
1257     case CSR_INT_EN:
1258         return s->int_en;
1259     case CSR_BYTE_TEST:
1260         return 0x87654321;
1261     case CSR_FIFO_INT:
1262         return s->fifo_int;
1263     case CSR_RX_CFG:
1264         return s->rx_cfg;
1265     case CSR_TX_CFG:
1266         return s->tx_cfg;
1267     case CSR_HW_CFG:
1268         return s->hw_cfg;
1269     case CSR_RX_DP_CTRL:
1270         return 0;
1271     case CSR_RX_FIFO_INF:
1272         return (s->rx_status_fifo_used << 16) | (s->rx_fifo_used << 2);
1273     case CSR_TX_FIFO_INF:
1274         return (s->tx_status_fifo_used << 16)
1275                | (s->tx_fifo_size - s->txp->fifo_used);
1276     case CSR_PMT_CTRL:
1277         return s->pmt_ctrl;
1278     case CSR_GPIO_CFG:
1279         return s->gpio_cfg;
1280     case CSR_GPT_CFG:
1281         return s->gpt_cfg;
1282     case CSR_GPT_CNT:
1283         return ptimer_get_count(s->timer);
1284     case CSR_WORD_SWAP:
1285         return s->word_swap;
1286     case CSR_FREE_RUN:
1287         return (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40) - s->free_timer_start;
1288     case CSR_RX_DROP:
1289         /* TODO: Implement dropped frames counter.  */
1290         return 0;
1291     case CSR_MAC_CSR_CMD:
1292         return s->mac_cmd;
1293     case CSR_MAC_CSR_DATA:
1294         return s->mac_data;
1295     case CSR_AFC_CFG:
1296         return s->afc_cfg;
1297     case CSR_E2P_CMD:
1298         return s->e2p_cmd;
1299     case CSR_E2P_DATA:
1300         return s->e2p_data;
1301     }
1302     qemu_log_mask(LOG_GUEST_ERROR, "lan9118_read: Bad reg 0x%x\n", (int)offset);
1303     return 0;
1304 }
1305 
1306 static uint32_t lan9118_readw(void *opaque, hwaddr offset)
1307 {
1308     lan9118_state *s = (lan9118_state *)opaque;
1309     uint32_t val;
1310 
1311     if (s->read_word_prev_offset != (offset & ~0x3)) {
1312         /* New offset, reset word counter */
1313         s->read_word_n = 0;
1314         s->read_word_prev_offset = offset & ~0x3;
1315     }
1316 
1317     s->read_word_n++;
1318     if (s->read_word_n == 1) {
1319         s->read_long = lan9118_readl(s, offset & ~3, 4);
1320     } else {
1321         s->read_word_n = 0;
1322     }
1323 
1324     if (offset & 2) {
1325         val = s->read_long >> 16;
1326     } else {
1327         val = s->read_long & 0xFFFF;
1328     }
1329 
1330     //DPRINTF("Readw reg 0x%02x, val 0x%x\n", (int)offset, val);
1331     return val;
1332 }
1333 
1334 static uint64_t lan9118_16bit_mode_read(void *opaque, hwaddr offset,
1335                                         unsigned size)
1336 {
1337     switch (size) {
1338     case 2:
1339         return lan9118_readw(opaque, offset);
1340     case 4:
1341         return lan9118_readl(opaque, offset, size);
1342     }
1343 
1344     qemu_log_mask(LOG_GUEST_ERROR,
1345                   "lan9118_16bit_mode_read: Bad size 0x%x\n", size);
1346     return 0;
1347 }
1348 
1349 static const MemoryRegionOps lan9118_mem_ops = {
1350     .read = lan9118_readl,
1351     .write = lan9118_writel,
1352     .endianness = DEVICE_NATIVE_ENDIAN,
1353 };
1354 
1355 static const MemoryRegionOps lan9118_16bit_mem_ops = {
1356     .read = lan9118_16bit_mode_read,
1357     .write = lan9118_16bit_mode_write,
1358     .endianness = DEVICE_NATIVE_ENDIAN,
1359 };
1360 
1361 static NetClientInfo net_lan9118_info = {
1362     .type = NET_CLIENT_DRIVER_NIC,
1363     .size = sizeof(NICState),
1364     .receive = lan9118_receive,
1365     .link_status_changed = lan9118_set_link,
1366 };
1367 
1368 static void lan9118_realize(DeviceState *dev, Error **errp)
1369 {
1370     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1371     lan9118_state *s = LAN9118(dev);
1372     int i;
1373     const MemoryRegionOps *mem_ops =
1374             s->mode_16bit ? &lan9118_16bit_mem_ops : &lan9118_mem_ops;
1375 
1376     memory_region_init_io(&s->mmio, OBJECT(dev), mem_ops, s,
1377                           "lan9118-mmio", 0x100);
1378     sysbus_init_mmio(sbd, &s->mmio);
1379     sysbus_init_irq(sbd, &s->irq);
1380     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1381 
1382     s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
1383                           object_get_typename(OBJECT(dev)), dev->id,
1384                           &dev->mem_reentrancy_guard, s);
1385     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1386     s->eeprom[0] = 0xa5;
1387     for (i = 0; i < 6; i++) {
1388         s->eeprom[i + 1] = s->conf.macaddr.a[i];
1389     }
1390     s->pmt_ctrl = 1;
1391     s->txp = &s->tx_packet;
1392 
1393     s->timer = ptimer_init(lan9118_tick, s, PTIMER_POLICY_LEGACY);
1394     ptimer_transaction_begin(s->timer);
1395     ptimer_set_freq(s->timer, 10000);
1396     ptimer_set_limit(s->timer, 0xffff, 1);
1397     ptimer_transaction_commit(s->timer);
1398 }
1399 
1400 static Property lan9118_properties[] = {
1401     DEFINE_NIC_PROPERTIES(lan9118_state, conf),
1402     DEFINE_PROP_UINT32("mode_16bit", lan9118_state, mode_16bit, 0),
1403     DEFINE_PROP_END_OF_LIST(),
1404 };
1405 
1406 static void lan9118_class_init(ObjectClass *klass, void *data)
1407 {
1408     DeviceClass *dc = DEVICE_CLASS(klass);
1409 
1410     device_class_set_legacy_reset(dc, lan9118_reset);
1411     device_class_set_props(dc, lan9118_properties);
1412     dc->vmsd = &vmstate_lan9118;
1413     dc->realize = lan9118_realize;
1414 }
1415 
1416 static const TypeInfo lan9118_info = {
1417     .name          = TYPE_LAN9118,
1418     .parent        = TYPE_SYS_BUS_DEVICE,
1419     .instance_size = sizeof(lan9118_state),
1420     .class_init    = lan9118_class_init,
1421 };
1422 
1423 static void lan9118_register_types(void)
1424 {
1425     type_register_static(&lan9118_info);
1426 }
1427 
1428 /* Legacy helper function.  Should go away when machine config files are
1429    implemented.  */
1430 void lan9118_init(uint32_t base, qemu_irq irq)
1431 {
1432     DeviceState *dev;
1433     SysBusDevice *s;
1434 
1435     dev = qdev_new(TYPE_LAN9118);
1436     qemu_configure_nic_device(dev, true, NULL);
1437     s = SYS_BUS_DEVICE(dev);
1438     sysbus_realize_and_unref(s, &error_fatal);
1439     sysbus_mmio_map(s, 0, base);
1440     sysbus_connect_irq(s, 0, irq);
1441 }
1442 
1443 type_init(lan9118_register_types)
1444