xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision 0221d73ce6a8e075adaa0a35a6ef853d2652b855)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/irq.h"
19 #include "hw/pci/pci.h"
20 #include "hw/scsi/scsi.h"
21 #include "migration/vmstate.h"
22 #include "sysemu/dma.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 #include "trace.h"
26 
27 static const char *names[] = {
28     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
29     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
30     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
31     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
32     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
33     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
34     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
35     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
36     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
37     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
38     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
39     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
40 };
41 
42 #define LSI_MAX_DEVS 7
43 
44 #define LSI_SCNTL0_TRG    0x01
45 #define LSI_SCNTL0_AAP    0x02
46 #define LSI_SCNTL0_EPC    0x08
47 #define LSI_SCNTL0_WATN   0x10
48 #define LSI_SCNTL0_START  0x20
49 
50 #define LSI_SCNTL1_SST    0x01
51 #define LSI_SCNTL1_IARB   0x02
52 #define LSI_SCNTL1_AESP   0x04
53 #define LSI_SCNTL1_RST    0x08
54 #define LSI_SCNTL1_CON    0x10
55 #define LSI_SCNTL1_DHP    0x20
56 #define LSI_SCNTL1_ADB    0x40
57 #define LSI_SCNTL1_EXC    0x80
58 
59 #define LSI_SCNTL2_WSR    0x01
60 #define LSI_SCNTL2_VUE0   0x02
61 #define LSI_SCNTL2_VUE1   0x04
62 #define LSI_SCNTL2_WSS    0x08
63 #define LSI_SCNTL2_SLPHBEN 0x10
64 #define LSI_SCNTL2_SLPMD  0x20
65 #define LSI_SCNTL2_CHM    0x40
66 #define LSI_SCNTL2_SDU    0x80
67 
68 #define LSI_ISTAT0_DIP    0x01
69 #define LSI_ISTAT0_SIP    0x02
70 #define LSI_ISTAT0_INTF   0x04
71 #define LSI_ISTAT0_CON    0x08
72 #define LSI_ISTAT0_SEM    0x10
73 #define LSI_ISTAT0_SIGP   0x20
74 #define LSI_ISTAT0_SRST   0x40
75 #define LSI_ISTAT0_ABRT   0x80
76 
77 #define LSI_ISTAT1_SI     0x01
78 #define LSI_ISTAT1_SRUN   0x02
79 #define LSI_ISTAT1_FLSH   0x04
80 
81 #define LSI_SSTAT0_SDP0   0x01
82 #define LSI_SSTAT0_RST    0x02
83 #define LSI_SSTAT0_WOA    0x04
84 #define LSI_SSTAT0_LOA    0x08
85 #define LSI_SSTAT0_AIP    0x10
86 #define LSI_SSTAT0_OLF    0x20
87 #define LSI_SSTAT0_ORF    0x40
88 #define LSI_SSTAT0_ILF    0x80
89 
90 #define LSI_SIST0_PAR     0x01
91 #define LSI_SIST0_RST     0x02
92 #define LSI_SIST0_UDC     0x04
93 #define LSI_SIST0_SGE     0x08
94 #define LSI_SIST0_RSL     0x10
95 #define LSI_SIST0_SEL     0x20
96 #define LSI_SIST0_CMP     0x40
97 #define LSI_SIST0_MA      0x80
98 
99 #define LSI_SIST1_HTH     0x01
100 #define LSI_SIST1_GEN     0x02
101 #define LSI_SIST1_STO     0x04
102 #define LSI_SIST1_SBMC    0x10
103 
104 #define LSI_SOCL_IO       0x01
105 #define LSI_SOCL_CD       0x02
106 #define LSI_SOCL_MSG      0x04
107 #define LSI_SOCL_ATN      0x08
108 #define LSI_SOCL_SEL      0x10
109 #define LSI_SOCL_BSY      0x20
110 #define LSI_SOCL_ACK      0x40
111 #define LSI_SOCL_REQ      0x80
112 
113 #define LSI_DSTAT_IID     0x01
114 #define LSI_DSTAT_SIR     0x04
115 #define LSI_DSTAT_SSI     0x08
116 #define LSI_DSTAT_ABRT    0x10
117 #define LSI_DSTAT_BF      0x20
118 #define LSI_DSTAT_MDPE    0x40
119 #define LSI_DSTAT_DFE     0x80
120 
121 #define LSI_DCNTL_COM     0x01
122 #define LSI_DCNTL_IRQD    0x02
123 #define LSI_DCNTL_STD     0x04
124 #define LSI_DCNTL_IRQM    0x08
125 #define LSI_DCNTL_SSM     0x10
126 #define LSI_DCNTL_PFEN    0x20
127 #define LSI_DCNTL_PFF     0x40
128 #define LSI_DCNTL_CLSE    0x80
129 
130 #define LSI_DMODE_MAN     0x01
131 #define LSI_DMODE_BOF     0x02
132 #define LSI_DMODE_ERMP    0x04
133 #define LSI_DMODE_ERL     0x08
134 #define LSI_DMODE_DIOM    0x10
135 #define LSI_DMODE_SIOM    0x20
136 
137 #define LSI_CTEST2_DACK   0x01
138 #define LSI_CTEST2_DREQ   0x02
139 #define LSI_CTEST2_TEOP   0x04
140 #define LSI_CTEST2_PCICIE 0x08
141 #define LSI_CTEST2_CM     0x10
142 #define LSI_CTEST2_CIO    0x20
143 #define LSI_CTEST2_SIGP   0x40
144 #define LSI_CTEST2_DDIR   0x80
145 
146 #define LSI_CTEST5_BL2    0x04
147 #define LSI_CTEST5_DDIR   0x08
148 #define LSI_CTEST5_MASR   0x10
149 #define LSI_CTEST5_DFSN   0x20
150 #define LSI_CTEST5_BBCK   0x40
151 #define LSI_CTEST5_ADCK   0x80
152 
153 #define LSI_CCNTL0_DILS   0x01
154 #define LSI_CCNTL0_DISFC  0x10
155 #define LSI_CCNTL0_ENNDJ  0x20
156 #define LSI_CCNTL0_PMJCTL 0x40
157 #define LSI_CCNTL0_ENPMJ  0x80
158 
159 #define LSI_CCNTL1_EN64DBMV  0x01
160 #define LSI_CCNTL1_EN64TIBMV 0x02
161 #define LSI_CCNTL1_64TIMOD   0x04
162 #define LSI_CCNTL1_DDAC      0x08
163 #define LSI_CCNTL1_ZMOD      0x80
164 
165 #define LSI_SBCL_ATN         0x08
166 #define LSI_SBCL_BSY         0x20
167 #define LSI_SBCL_ACK         0x40
168 #define LSI_SBCL_REQ         0x80
169 
170 /* Enable Response to Reselection */
171 #define LSI_SCID_RRE      0x60
172 
173 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
174 
175 #define PHASE_DO          0
176 #define PHASE_DI          1
177 #define PHASE_CMD         2
178 #define PHASE_ST          3
179 #define PHASE_MO          6
180 #define PHASE_MI          7
181 #define PHASE_MASK        7
182 
183 /* Maximum length of MSG IN data.  */
184 #define LSI_MAX_MSGIN_LEN 8
185 
186 /* Flag set if this is a tagged command.  */
187 #define LSI_TAG_VALID     (1 << 16)
188 
189 /* Maximum instructions to process. */
190 #define LSI_MAX_INSN    10000
191 
192 typedef struct lsi_request {
193     SCSIRequest *req;
194     uint32_t tag;
195     uint32_t dma_len;
196     uint8_t *dma_buf;
197     uint32_t pending;
198     int out;
199     QTAILQ_ENTRY(lsi_request) next;
200 } lsi_request;
201 
202 enum {
203     LSI_NOWAIT, /* SCRIPTS are running or stopped */
204     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
205     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
206     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
207 };
208 
209 enum {
210     LSI_MSG_ACTION_COMMAND = 0,
211     LSI_MSG_ACTION_DISCONNECT = 1,
212     LSI_MSG_ACTION_DOUT = 2,
213     LSI_MSG_ACTION_DIN = 3,
214 };
215 
216 typedef struct {
217     /*< private >*/
218     PCIDevice parent_obj;
219     /*< public >*/
220 
221     qemu_irq ext_irq;
222     MemoryRegion mmio_io;
223     MemoryRegion ram_io;
224     MemoryRegion io_io;
225     AddressSpace pci_io_as;
226 
227     int carry; /* ??? Should this be an a visible register somewhere?  */
228     int status;
229     int msg_action;
230     int msg_len;
231     uint8_t msg[LSI_MAX_MSGIN_LEN];
232     int waiting;
233     SCSIBus bus;
234     int current_lun;
235     /* The tag is a combination of the device ID and the SCSI tag.  */
236     uint32_t select_tag;
237     int command_complete;
238     QTAILQ_HEAD(, lsi_request) queue;
239     lsi_request *current;
240 
241     uint32_t dsa;
242     uint32_t temp;
243     uint32_t dnad;
244     uint32_t dbc;
245     uint8_t istat0;
246     uint8_t istat1;
247     uint8_t dcmd;
248     uint8_t dstat;
249     uint8_t dien;
250     uint8_t sist0;
251     uint8_t sist1;
252     uint8_t sien0;
253     uint8_t sien1;
254     uint8_t mbox0;
255     uint8_t mbox1;
256     uint8_t dfifo;
257     uint8_t ctest2;
258     uint8_t ctest3;
259     uint8_t ctest4;
260     uint8_t ctest5;
261     uint8_t ccntl0;
262     uint8_t ccntl1;
263     uint32_t dsp;
264     uint32_t dsps;
265     uint8_t dmode;
266     uint8_t dcntl;
267     uint8_t scntl0;
268     uint8_t scntl1;
269     uint8_t scntl2;
270     uint8_t scntl3;
271     uint8_t sstat0;
272     uint8_t sstat1;
273     uint8_t scid;
274     uint8_t sxfer;
275     uint8_t socl;
276     uint8_t sdid;
277     uint8_t ssid;
278     uint8_t sfbr;
279     uint8_t sbcl;
280     uint8_t stest1;
281     uint8_t stest2;
282     uint8_t stest3;
283     uint8_t sidl;
284     uint8_t stime0;
285     uint8_t respid0;
286     uint8_t respid1;
287     uint32_t mmrs;
288     uint32_t mmws;
289     uint32_t sfs;
290     uint32_t drs;
291     uint32_t sbms;
292     uint32_t dbms;
293     uint32_t dnad64;
294     uint32_t pmjad1;
295     uint32_t pmjad2;
296     uint32_t rbc;
297     uint32_t ua;
298     uint32_t ia;
299     uint32_t sbc;
300     uint32_t csbc;
301     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
302     uint8_t sbr;
303     uint32_t adder;
304 
305     uint8_t script_ram[2048 * sizeof(uint32_t)];
306 } LSIState;
307 
308 #define TYPE_LSI53C810  "lsi53c810"
309 #define TYPE_LSI53C895A "lsi53c895a"
310 
311 #define LSI53C895A(obj) \
312     OBJECT_CHECK(LSIState, (obj), TYPE_LSI53C895A)
313 
314 static const char *scsi_phases[] = {
315     "DOUT",
316     "DIN",
317     "CMD",
318     "STATUS",
319     "RSVOUT",
320     "RSVIN",
321     "MSGOUT",
322     "MSGIN"
323 };
324 
325 static const char *scsi_phase_name(int phase)
326 {
327     return scsi_phases[phase & PHASE_MASK];
328 }
329 
330 static inline int lsi_irq_on_rsl(LSIState *s)
331 {
332     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
333 }
334 
335 static lsi_request *get_pending_req(LSIState *s)
336 {
337     lsi_request *p;
338 
339     QTAILQ_FOREACH(p, &s->queue, next) {
340         if (p->pending) {
341             return p;
342         }
343     }
344     return NULL;
345 }
346 
347 static void lsi_soft_reset(LSIState *s)
348 {
349     trace_lsi_reset();
350     s->carry = 0;
351 
352     s->msg_action = LSI_MSG_ACTION_COMMAND;
353     s->msg_len = 0;
354     s->waiting = LSI_NOWAIT;
355     s->dsa = 0;
356     s->dnad = 0;
357     s->dbc = 0;
358     s->temp = 0;
359     memset(s->scratch, 0, sizeof(s->scratch));
360     s->istat0 = 0;
361     s->istat1 = 0;
362     s->dcmd = 0x40;
363     s->dstat = 0;
364     s->dien = 0;
365     s->sist0 = 0;
366     s->sist1 = 0;
367     s->sien0 = 0;
368     s->sien1 = 0;
369     s->mbox0 = 0;
370     s->mbox1 = 0;
371     s->dfifo = 0;
372     s->ctest2 = LSI_CTEST2_DACK;
373     s->ctest3 = 0;
374     s->ctest4 = 0;
375     s->ctest5 = 0;
376     s->ccntl0 = 0;
377     s->ccntl1 = 0;
378     s->dsp = 0;
379     s->dsps = 0;
380     s->dmode = 0;
381     s->dcntl = 0;
382     s->scntl0 = 0xc0;
383     s->scntl1 = 0;
384     s->scntl2 = 0;
385     s->scntl3 = 0;
386     s->sstat0 = 0;
387     s->sstat1 = 0;
388     s->scid = 7;
389     s->sxfer = 0;
390     s->socl = 0;
391     s->sdid = 0;
392     s->ssid = 0;
393     s->sbcl = 0;
394     s->stest1 = 0;
395     s->stest2 = 0;
396     s->stest3 = 0;
397     s->sidl = 0;
398     s->stime0 = 0;
399     s->respid0 = 0x80;
400     s->respid1 = 0;
401     s->mmrs = 0;
402     s->mmws = 0;
403     s->sfs = 0;
404     s->drs = 0;
405     s->sbms = 0;
406     s->dbms = 0;
407     s->dnad64 = 0;
408     s->pmjad1 = 0;
409     s->pmjad2 = 0;
410     s->rbc = 0;
411     s->ua = 0;
412     s->ia = 0;
413     s->sbc = 0;
414     s->csbc = 0;
415     s->sbr = 0;
416     assert(QTAILQ_EMPTY(&s->queue));
417     assert(!s->current);
418 }
419 
420 static int lsi_dma_40bit(LSIState *s)
421 {
422     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
423         return 1;
424     return 0;
425 }
426 
427 static int lsi_dma_ti64bit(LSIState *s)
428 {
429     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
430         return 1;
431     return 0;
432 }
433 
434 static int lsi_dma_64bit(LSIState *s)
435 {
436     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
437         return 1;
438     return 0;
439 }
440 
441 static uint8_t lsi_reg_readb(LSIState *s, int offset);
442 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
443 static void lsi_execute_script(LSIState *s);
444 static void lsi_reselect(LSIState *s, lsi_request *p);
445 
446 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
447                                void *buf, dma_addr_t len)
448 {
449     if (s->dmode & LSI_DMODE_SIOM) {
450         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
451                            buf, len);
452     } else {
453         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
454     }
455 }
456 
457 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
458                                 const void *buf, dma_addr_t len)
459 {
460     if (s->dmode & LSI_DMODE_DIOM) {
461         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
462                             buf, len);
463     } else {
464         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
465     }
466 }
467 
468 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
469 {
470     uint32_t buf;
471 
472     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
473     return cpu_to_le32(buf);
474 }
475 
476 static void lsi_stop_script(LSIState *s)
477 {
478     s->istat1 &= ~LSI_ISTAT1_SRUN;
479 }
480 
481 static void lsi_set_irq(LSIState *s, int level)
482 {
483     PCIDevice *d = PCI_DEVICE(s);
484 
485     if (s->ext_irq) {
486         qemu_set_irq(s->ext_irq, level);
487     } else {
488         pci_set_irq(d, level);
489     }
490 }
491 
492 static void lsi_update_irq(LSIState *s)
493 {
494     int level;
495     static int last_level;
496 
497     /* It's unclear whether the DIP/SIP bits should be cleared when the
498        Interrupt Status Registers are cleared or when istat0 is read.
499        We currently do the formwer, which seems to work.  */
500     level = 0;
501     if (s->dstat) {
502         if (s->dstat & s->dien)
503             level = 1;
504         s->istat0 |= LSI_ISTAT0_DIP;
505     } else {
506         s->istat0 &= ~LSI_ISTAT0_DIP;
507     }
508 
509     if (s->sist0 || s->sist1) {
510         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
511             level = 1;
512         s->istat0 |= LSI_ISTAT0_SIP;
513     } else {
514         s->istat0 &= ~LSI_ISTAT0_SIP;
515     }
516     if (s->istat0 & LSI_ISTAT0_INTF)
517         level = 1;
518 
519     if (level != last_level) {
520         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
521         last_level = level;
522     }
523     lsi_set_irq(s, level);
524 
525     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
526         lsi_request *p;
527 
528         trace_lsi_update_irq_disconnected();
529         p = get_pending_req(s);
530         if (p) {
531             lsi_reselect(s, p);
532         }
533     }
534 }
535 
536 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
537 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
538 {
539     uint32_t mask0;
540     uint32_t mask1;
541 
542     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
543     s->sist0 |= stat0;
544     s->sist1 |= stat1;
545     /* Stop processor on fatal or unmasked interrupt.  As a special hack
546        we don't stop processing when raising STO.  Instead continue
547        execution and stop at the next insn that accesses the SCSI bus.  */
548     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
549     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
550     mask1 &= ~LSI_SIST1_STO;
551     if (s->sist0 & mask0 || s->sist1 & mask1) {
552         lsi_stop_script(s);
553     }
554     lsi_update_irq(s);
555 }
556 
557 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
558 static void lsi_script_dma_interrupt(LSIState *s, int stat)
559 {
560     trace_lsi_script_dma_interrupt(stat, s->dstat);
561     s->dstat |= stat;
562     lsi_update_irq(s);
563     lsi_stop_script(s);
564 }
565 
566 static inline void lsi_set_phase(LSIState *s, int phase)
567 {
568     s->sbcl &= ~PHASE_MASK;
569     s->sbcl |= phase | LSI_SBCL_REQ;
570     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
571 }
572 
573 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
574 {
575     /* Trigger a phase mismatch.  */
576     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
577         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
578             s->dsp = out ? s->pmjad1 : s->pmjad2;
579         } else {
580             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
581         }
582         trace_lsi_bad_phase_jump(s->dsp);
583     } else {
584         trace_lsi_bad_phase_interrupt();
585         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
586         lsi_stop_script(s);
587     }
588     lsi_set_phase(s, new_phase);
589 }
590 
591 
592 /* Resume SCRIPTS execution after a DMA operation.  */
593 static void lsi_resume_script(LSIState *s)
594 {
595     if (s->waiting != 2) {
596         s->waiting = LSI_NOWAIT;
597         lsi_execute_script(s);
598     } else {
599         s->waiting = LSI_NOWAIT;
600     }
601 }
602 
603 static void lsi_disconnect(LSIState *s)
604 {
605     s->scntl1 &= ~LSI_SCNTL1_CON;
606     s->sstat1 &= ~PHASE_MASK;
607     s->sbcl = 0;
608 }
609 
610 static void lsi_bad_selection(LSIState *s, uint32_t id)
611 {
612     trace_lsi_bad_selection(id);
613     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
614     lsi_disconnect(s);
615 }
616 
617 /* Initiate a SCSI layer data transfer.  */
618 static void lsi_do_dma(LSIState *s, int out)
619 {
620     uint32_t count;
621     dma_addr_t addr;
622     SCSIDevice *dev;
623 
624     assert(s->current);
625     if (!s->current->dma_len) {
626         /* Wait until data is available.  */
627         trace_lsi_do_dma_unavailable();
628         return;
629     }
630 
631     dev = s->current->req->dev;
632     assert(dev);
633 
634     count = s->dbc;
635     if (count > s->current->dma_len)
636         count = s->current->dma_len;
637 
638     addr = s->dnad;
639     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
640     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
641         addr |= ((uint64_t)s->dnad64 << 32);
642     else if (s->dbms)
643         addr |= ((uint64_t)s->dbms << 32);
644     else if (s->sbms)
645         addr |= ((uint64_t)s->sbms << 32);
646 
647     trace_lsi_do_dma(addr, count);
648     s->csbc += count;
649     s->dnad += count;
650     s->dbc -= count;
651      if (s->current->dma_buf == NULL) {
652         s->current->dma_buf = scsi_req_get_buf(s->current->req);
653     }
654     /* ??? Set SFBR to first data byte.  */
655     if (out) {
656         lsi_mem_read(s, addr, s->current->dma_buf, count);
657     } else {
658         lsi_mem_write(s, addr, s->current->dma_buf, count);
659     }
660     s->current->dma_len -= count;
661     if (s->current->dma_len == 0) {
662         s->current->dma_buf = NULL;
663         scsi_req_continue(s->current->req);
664     } else {
665         s->current->dma_buf += count;
666         lsi_resume_script(s);
667     }
668 }
669 
670 
671 /* Add a command to the queue.  */
672 static void lsi_queue_command(LSIState *s)
673 {
674     lsi_request *p = s->current;
675 
676     trace_lsi_queue_command(p->tag);
677     assert(s->current != NULL);
678     assert(s->current->dma_len == 0);
679     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
680     s->current = NULL;
681 
682     p->pending = 0;
683     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
684 }
685 
686 /* Queue a byte for a MSG IN phase.  */
687 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
688 {
689     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
690         trace_lsi_add_msg_byte_error();
691     } else {
692         trace_lsi_add_msg_byte(data);
693         s->msg[s->msg_len++] = data;
694     }
695 }
696 
697 /* Perform reselection to continue a command.  */
698 static void lsi_reselect(LSIState *s, lsi_request *p)
699 {
700     int id;
701 
702     assert(s->current == NULL);
703     QTAILQ_REMOVE(&s->queue, p, next);
704     s->current = p;
705 
706     id = (p->tag >> 8) & 0xf;
707     s->ssid = id | 0x80;
708     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
709     if (!(s->dcntl & LSI_DCNTL_COM)) {
710         s->sfbr = 1 << (id & 0x7);
711     }
712     trace_lsi_reselect(id);
713     s->scntl1 |= LSI_SCNTL1_CON;
714     lsi_set_phase(s, PHASE_MI);
715     s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
716     s->current->dma_len = p->pending;
717     lsi_add_msg_byte(s, 0x80);
718     if (s->current->tag & LSI_TAG_VALID) {
719         lsi_add_msg_byte(s, 0x20);
720         lsi_add_msg_byte(s, p->tag & 0xff);
721     }
722 
723     if (lsi_irq_on_rsl(s)) {
724         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
725     }
726 }
727 
728 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
729 {
730     lsi_request *p;
731 
732     QTAILQ_FOREACH(p, &s->queue, next) {
733         if (p->tag == tag) {
734             return p;
735         }
736     }
737 
738     return NULL;
739 }
740 
741 static void lsi_request_free(LSIState *s, lsi_request *p)
742 {
743     if (p == s->current) {
744         s->current = NULL;
745     } else {
746         QTAILQ_REMOVE(&s->queue, p, next);
747     }
748     g_free(p);
749 }
750 
751 static void lsi_request_cancelled(SCSIRequest *req)
752 {
753     LSIState *s = LSI53C895A(req->bus->qbus.parent);
754     lsi_request *p = req->hba_private;
755 
756     req->hba_private = NULL;
757     lsi_request_free(s, p);
758     scsi_req_unref(req);
759 }
760 
761 /* Record that data is available for a queued command.  Returns zero if
762    the device was reselected, nonzero if the IO is deferred.  */
763 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
764 {
765     lsi_request *p = req->hba_private;
766 
767     if (p->pending) {
768         trace_lsi_queue_req_error(p);
769     }
770     p->pending = len;
771     /* Reselect if waiting for it, or if reselection triggers an IRQ
772        and the bus is free.
773        Since no interrupt stacking is implemented in the emulation, it
774        is also required that there are no pending interrupts waiting
775        for service from the device driver. */
776     if (s->waiting == LSI_WAIT_RESELECT ||
777         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
778          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
779         /* Reselect device.  */
780         lsi_reselect(s, p);
781         return 0;
782     } else {
783         trace_lsi_queue_req(p->tag);
784         p->pending = len;
785         return 1;
786     }
787 }
788 
789  /* Callback to indicate that the SCSI layer has completed a command.  */
790 static void lsi_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
791 {
792     LSIState *s = LSI53C895A(req->bus->qbus.parent);
793     int out;
794 
795     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
796     trace_lsi_command_complete(status);
797     s->status = status;
798     s->command_complete = 2;
799     if (s->waiting && s->dbc != 0) {
800         /* Raise phase mismatch for short transfers.  */
801         lsi_bad_phase(s, out, PHASE_ST);
802     } else {
803         lsi_set_phase(s, PHASE_ST);
804     }
805 
806     if (req->hba_private == s->current) {
807         req->hba_private = NULL;
808         lsi_request_free(s, s->current);
809         scsi_req_unref(req);
810     }
811     lsi_resume_script(s);
812 }
813 
814  /* Callback to indicate that the SCSI layer has completed a transfer.  */
815 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
816 {
817     LSIState *s = LSI53C895A(req->bus->qbus.parent);
818     int out;
819 
820     assert(req->hba_private);
821     if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
822         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
823         if (lsi_queue_req(s, req, len)) {
824             return;
825         }
826     }
827 
828     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
829 
830     /* host adapter (re)connected */
831     trace_lsi_transfer_data(req->tag, len);
832     s->current->dma_len = len;
833     s->command_complete = 1;
834     if (s->waiting) {
835         if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
836             lsi_resume_script(s);
837         } else {
838             lsi_do_dma(s, out);
839         }
840     }
841 }
842 
843 static void lsi_do_command(LSIState *s)
844 {
845     SCSIDevice *dev;
846     uint8_t buf[16];
847     uint32_t id;
848     int n;
849 
850     trace_lsi_do_command(s->dbc);
851     if (s->dbc > 16)
852         s->dbc = 16;
853     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
854     s->sfbr = buf[0];
855     s->command_complete = 0;
856 
857     id = (s->select_tag >> 8) & 0xf;
858     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
859     if (!dev) {
860         lsi_bad_selection(s, id);
861         return;
862     }
863 
864     assert(s->current == NULL);
865     s->current = g_new0(lsi_request, 1);
866     s->current->tag = s->select_tag;
867     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
868                                    s->current);
869 
870     n = scsi_req_enqueue(s->current->req);
871     if (n) {
872         if (n > 0) {
873             lsi_set_phase(s, PHASE_DI);
874         } else if (n < 0) {
875             lsi_set_phase(s, PHASE_DO);
876         }
877         scsi_req_continue(s->current->req);
878     }
879     if (!s->command_complete) {
880         if (n) {
881             /* Command did not complete immediately so disconnect.  */
882             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
883             lsi_add_msg_byte(s, 4); /* DISCONNECT */
884             /* wait data */
885             lsi_set_phase(s, PHASE_MI);
886             s->msg_action = LSI_MSG_ACTION_DISCONNECT;
887             lsi_queue_command(s);
888         } else {
889             /* wait command complete */
890             lsi_set_phase(s, PHASE_DI);
891         }
892     }
893 }
894 
895 static void lsi_do_status(LSIState *s)
896 {
897     uint8_t status;
898     trace_lsi_do_status(s->dbc, s->status);
899     if (s->dbc != 1) {
900         trace_lsi_do_status_error();
901     }
902     s->dbc = 1;
903     status = s->status;
904     s->sfbr = status;
905     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
906     lsi_set_phase(s, PHASE_MI);
907     s->msg_action = LSI_MSG_ACTION_DISCONNECT;
908     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
909 }
910 
911 static void lsi_do_msgin(LSIState *s)
912 {
913     uint8_t len;
914     trace_lsi_do_msgin(s->dbc, s->msg_len);
915     s->sfbr = s->msg[0];
916     len = s->msg_len;
917     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
918     if (len > s->dbc)
919         len = s->dbc;
920     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
921     /* Linux drivers rely on the last byte being in the SIDL.  */
922     s->sidl = s->msg[len - 1];
923     s->msg_len -= len;
924     if (s->msg_len) {
925         memmove(s->msg, s->msg + len, s->msg_len);
926     } else {
927         /* ??? Check if ATN (not yet implemented) is asserted and maybe
928            switch to PHASE_MO.  */
929         switch (s->msg_action) {
930         case LSI_MSG_ACTION_COMMAND:
931             lsi_set_phase(s, PHASE_CMD);
932             break;
933         case LSI_MSG_ACTION_DISCONNECT:
934             lsi_disconnect(s);
935             break;
936         case LSI_MSG_ACTION_DOUT:
937             lsi_set_phase(s, PHASE_DO);
938             break;
939         case LSI_MSG_ACTION_DIN:
940             lsi_set_phase(s, PHASE_DI);
941             break;
942         default:
943             abort();
944         }
945     }
946 }
947 
948 /* Read the next byte during a MSGOUT phase.  */
949 static uint8_t lsi_get_msgbyte(LSIState *s)
950 {
951     uint8_t data;
952     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
953     s->dnad++;
954     s->dbc--;
955     return data;
956 }
957 
958 /* Skip the next n bytes during a MSGOUT phase. */
959 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
960 {
961     s->dnad += n;
962     s->dbc  -= n;
963 }
964 
965 static void lsi_do_msgout(LSIState *s)
966 {
967     uint8_t msg;
968     int len;
969     uint32_t current_tag;
970     lsi_request *current_req, *p, *p_next;
971 
972     if (s->current) {
973         current_tag = s->current->tag;
974         current_req = s->current;
975     } else {
976         current_tag = s->select_tag;
977         current_req = lsi_find_by_tag(s, current_tag);
978     }
979 
980     trace_lsi_do_msgout(s->dbc);
981     while (s->dbc) {
982         msg = lsi_get_msgbyte(s);
983         s->sfbr = msg;
984 
985         switch (msg) {
986         case 0x04:
987             trace_lsi_do_msgout_disconnect();
988             lsi_disconnect(s);
989             break;
990         case 0x08:
991             trace_lsi_do_msgout_noop();
992             lsi_set_phase(s, PHASE_CMD);
993             break;
994         case 0x01:
995             len = lsi_get_msgbyte(s);
996             msg = lsi_get_msgbyte(s);
997             (void)len; /* avoid a warning about unused variable*/
998             trace_lsi_do_msgout_extended(msg, len);
999             switch (msg) {
1000             case 1:
1001                 trace_lsi_do_msgout_ignored("SDTR");
1002                 lsi_skip_msgbytes(s, 2);
1003                 break;
1004             case 3:
1005                 trace_lsi_do_msgout_ignored("WDTR");
1006                 lsi_skip_msgbytes(s, 1);
1007                 break;
1008             case 4:
1009                 trace_lsi_do_msgout_ignored("PPR");
1010                 lsi_skip_msgbytes(s, 5);
1011                 break;
1012             default:
1013                 goto bad;
1014             }
1015             break;
1016         case 0x20: /* SIMPLE queue */
1017             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1018             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1019             break;
1020         case 0x21: /* HEAD of queue */
1021             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1022             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1023             break;
1024         case 0x22: /* ORDERED queue */
1025             qemu_log_mask(LOG_UNIMP,
1026                           "lsi_scsi: ORDERED queue not implemented\n");
1027             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1028             break;
1029         case 0x0d:
1030             /* The ABORT TAG message clears the current I/O process only. */
1031             trace_lsi_do_msgout_abort(current_tag);
1032             if (current_req) {
1033                 scsi_req_cancel(current_req->req);
1034             }
1035             lsi_disconnect(s);
1036             break;
1037         case 0x06:
1038         case 0x0e:
1039         case 0x0c:
1040             /* The ABORT message clears all I/O processes for the selecting
1041                initiator on the specified logical unit of the target. */
1042             if (msg == 0x06) {
1043                 trace_lsi_do_msgout_abort(current_tag);
1044             }
1045             /* The CLEAR QUEUE message clears all I/O processes for all
1046                initiators on the specified logical unit of the target. */
1047             if (msg == 0x0e) {
1048                 trace_lsi_do_msgout_clearqueue(current_tag);
1049             }
1050             /* The BUS DEVICE RESET message clears all I/O processes for all
1051                initiators on all logical units of the target. */
1052             if (msg == 0x0c) {
1053                 trace_lsi_do_msgout_busdevicereset(current_tag);
1054             }
1055 
1056             /* clear the current I/O process */
1057             if (s->current) {
1058                 scsi_req_cancel(s->current->req);
1059             }
1060 
1061             /* As the current implemented devices scsi_disk and scsi_generic
1062                only support one LUN, we don't need to keep track of LUNs.
1063                Clearing I/O processes for other initiators could be possible
1064                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1065                device, but this is currently not implemented (and seems not
1066                to be really necessary). So let's simply clear all queued
1067                commands for the current device: */
1068             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1069                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1070                     scsi_req_cancel(p->req);
1071                 }
1072             }
1073 
1074             lsi_disconnect(s);
1075             break;
1076         default:
1077             if ((msg & 0x80) == 0) {
1078                 goto bad;
1079             }
1080             s->current_lun = msg & 7;
1081             trace_lsi_do_msgout_select(s->current_lun);
1082             lsi_set_phase(s, PHASE_CMD);
1083             break;
1084         }
1085     }
1086     return;
1087 bad:
1088     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1089     lsi_set_phase(s, PHASE_MI);
1090     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1091     s->msg_action = LSI_MSG_ACTION_COMMAND;
1092 }
1093 
1094 #define LSI_BUF_SIZE 4096
1095 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1096 {
1097     int n;
1098     uint8_t buf[LSI_BUF_SIZE];
1099 
1100     trace_lsi_memcpy(dest, src, count);
1101     while (count) {
1102         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1103         lsi_mem_read(s, src, buf, n);
1104         lsi_mem_write(s, dest, buf, n);
1105         src += n;
1106         dest += n;
1107         count -= n;
1108     }
1109 }
1110 
1111 static void lsi_wait_reselect(LSIState *s)
1112 {
1113     lsi_request *p;
1114 
1115     trace_lsi_wait_reselect();
1116 
1117     if (s->current) {
1118         return;
1119     }
1120     p = get_pending_req(s);
1121     if (p) {
1122         lsi_reselect(s, p);
1123     }
1124     if (s->current == NULL) {
1125         s->waiting = LSI_WAIT_RESELECT;
1126     }
1127 }
1128 
1129 static void lsi_execute_script(LSIState *s)
1130 {
1131     PCIDevice *pci_dev = PCI_DEVICE(s);
1132     uint32_t insn;
1133     uint32_t addr, addr_high;
1134     int opcode;
1135     int insn_processed = 0;
1136 
1137     s->istat1 |= LSI_ISTAT1_SRUN;
1138 again:
1139     if (++insn_processed > LSI_MAX_INSN) {
1140         /* Some windows drivers make the device spin waiting for a memory
1141            location to change.  If we have been executed a lot of code then
1142            assume this is the case and force an unexpected device disconnect.
1143            This is apparently sufficient to beat the drivers into submission.
1144          */
1145         if (!(s->sien0 & LSI_SIST0_UDC)) {
1146             qemu_log_mask(LOG_GUEST_ERROR,
1147                           "lsi_scsi: inf. loop with UDC masked");
1148         }
1149         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1150         lsi_disconnect(s);
1151         trace_lsi_execute_script_stop();
1152         return;
1153     }
1154     insn = read_dword(s, s->dsp);
1155     if (!insn) {
1156         /* If we receive an empty opcode increment the DSP by 4 bytes
1157            instead of 8 and execute the next opcode at that location */
1158         s->dsp += 4;
1159         goto again;
1160     }
1161     addr = read_dword(s, s->dsp + 4);
1162     addr_high = 0;
1163     trace_lsi_execute_script(s->dsp, insn, addr);
1164     s->dsps = addr;
1165     s->dcmd = insn >> 24;
1166     s->dsp += 8;
1167     switch (insn >> 30) {
1168     case 0: /* Block move.  */
1169         if (s->sist1 & LSI_SIST1_STO) {
1170             trace_lsi_execute_script_blockmove_delayed();
1171             lsi_stop_script(s);
1172             break;
1173         }
1174         s->dbc = insn & 0xffffff;
1175         s->rbc = s->dbc;
1176         /* ??? Set ESA.  */
1177         s->ia = s->dsp - 8;
1178         if (insn & (1 << 29)) {
1179             /* Indirect addressing.  */
1180             addr = read_dword(s, addr);
1181         } else if (insn & (1 << 28)) {
1182             uint32_t buf[2];
1183             int32_t offset;
1184             /* Table indirect addressing.  */
1185 
1186             /* 32-bit Table indirect */
1187             offset = sextract32(addr, 0, 24);
1188             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1189             /* byte count is stored in bits 0:23 only */
1190             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1191             s->rbc = s->dbc;
1192             addr = cpu_to_le32(buf[1]);
1193 
1194             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1195              * table, bits [31:24] */
1196             if (lsi_dma_40bit(s))
1197                 addr_high = cpu_to_le32(buf[0]) >> 24;
1198             else if (lsi_dma_ti64bit(s)) {
1199                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1200                 switch (selector) {
1201                 case 0 ... 0x0f:
1202                     /* offset index into scratch registers since
1203                      * TI64 mode can use registers C to R */
1204                     addr_high = s->scratch[2 + selector];
1205                     break;
1206                 case 0x10:
1207                     addr_high = s->mmrs;
1208                     break;
1209                 case 0x11:
1210                     addr_high = s->mmws;
1211                     break;
1212                 case 0x12:
1213                     addr_high = s->sfs;
1214                     break;
1215                 case 0x13:
1216                     addr_high = s->drs;
1217                     break;
1218                 case 0x14:
1219                     addr_high = s->sbms;
1220                     break;
1221                 case 0x15:
1222                     addr_high = s->dbms;
1223                     break;
1224                 default:
1225                     qemu_log_mask(LOG_GUEST_ERROR,
1226                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1227                           "for 64-bit DMA block move", selector);
1228                     break;
1229                 }
1230             }
1231         } else if (lsi_dma_64bit(s)) {
1232             /* fetch a 3rd dword if 64-bit direct move is enabled and
1233                only if we're not doing table indirect or indirect addressing */
1234             s->dbms = read_dword(s, s->dsp);
1235             s->dsp += 4;
1236             s->ia = s->dsp - 12;
1237         }
1238         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1239             trace_lsi_execute_script_blockmove_badphase(
1240                     scsi_phase_name(s->sstat1),
1241                     scsi_phase_name(insn >> 24));
1242             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1243             break;
1244         }
1245         s->dnad = addr;
1246         s->dnad64 = addr_high;
1247         switch (s->sstat1 & 0x7) {
1248         case PHASE_DO:
1249             s->waiting = LSI_DMA_SCRIPTS;
1250             lsi_do_dma(s, 1);
1251             if (s->waiting)
1252                 s->waiting = LSI_DMA_IN_PROGRESS;
1253             break;
1254         case PHASE_DI:
1255             s->waiting = LSI_DMA_SCRIPTS;
1256             lsi_do_dma(s, 0);
1257             if (s->waiting)
1258                 s->waiting = LSI_DMA_IN_PROGRESS;
1259             break;
1260         case PHASE_CMD:
1261             lsi_do_command(s);
1262             break;
1263         case PHASE_ST:
1264             lsi_do_status(s);
1265             break;
1266         case PHASE_MO:
1267             lsi_do_msgout(s);
1268             break;
1269         case PHASE_MI:
1270             lsi_do_msgin(s);
1271             break;
1272         default:
1273             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1274                           scsi_phase_name(s->sstat1));
1275         }
1276         s->dfifo = s->dbc & 0xff;
1277         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1278         s->sbc = s->dbc;
1279         s->rbc -= s->dbc;
1280         s->ua = addr + s->dbc;
1281         break;
1282 
1283     case 1: /* IO or Read/Write instruction.  */
1284         opcode = (insn >> 27) & 7;
1285         if (opcode < 5) {
1286             uint32_t id;
1287 
1288             if (insn & (1 << 25)) {
1289                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1290             } else {
1291                 id = insn;
1292             }
1293             id = (id >> 16) & 0xf;
1294             if (insn & (1 << 26)) {
1295                 addr = s->dsp + sextract32(addr, 0, 24);
1296             }
1297             s->dnad = addr;
1298             switch (opcode) {
1299             case 0: /* Select */
1300                 s->sdid = id;
1301                 if (s->scntl1 & LSI_SCNTL1_CON) {
1302                     trace_lsi_execute_script_io_alreadyreselected();
1303                     s->dsp = s->dnad;
1304                     break;
1305                 }
1306                 s->sstat0 |= LSI_SSTAT0_WOA;
1307                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1308                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1309                     lsi_bad_selection(s, id);
1310                     break;
1311                 }
1312                 trace_lsi_execute_script_io_selected(id,
1313                                              insn & (1 << 3) ? " ATN" : "");
1314                 /* ??? Linux drivers compain when this is set.  Maybe
1315                    it only applies in low-level mode (unimplemented).
1316                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1317                 s->select_tag = id << 8;
1318                 s->scntl1 |= LSI_SCNTL1_CON;
1319                 if (insn & (1 << 3)) {
1320                     s->socl |= LSI_SOCL_ATN;
1321                     s->sbcl |= LSI_SBCL_ATN;
1322                 }
1323                 s->sbcl |= LSI_SBCL_BSY;
1324                 lsi_set_phase(s, PHASE_MO);
1325                 s->waiting = LSI_NOWAIT;
1326                 break;
1327             case 1: /* Disconnect */
1328                 trace_lsi_execute_script_io_disconnect();
1329                 s->scntl1 &= ~LSI_SCNTL1_CON;
1330                 /* FIXME: this is not entirely correct; the target need not ask
1331                  * for reselection until it has to send data, while here we force a
1332                  * reselection as soon as the bus is free.  The correct flow would
1333                  * reselect before lsi_transfer_data and disconnect as soon as
1334                  * DMA ends.
1335                  */
1336                 if (!s->current) {
1337                     lsi_request *p = get_pending_req(s);
1338                     if (p) {
1339                         lsi_reselect(s, p);
1340                     }
1341                 }
1342                 break;
1343             case 2: /* Wait Reselect */
1344                 if (s->istat0 & LSI_ISTAT0_SIGP) {
1345                     s->dsp = s->dnad;
1346                 } else if (!lsi_irq_on_rsl(s)) {
1347                         lsi_wait_reselect(s);
1348                 }
1349                 break;
1350             case 3: /* Set */
1351                 trace_lsi_execute_script_io_set(
1352                         insn & (1 << 3) ? " ATN" : "",
1353                         insn & (1 << 6) ? " ACK" : "",
1354                         insn & (1 << 9) ? " TM" : "",
1355                         insn & (1 << 10) ? " CC" : "");
1356                 if (insn & (1 << 3)) {
1357                     s->socl |= LSI_SOCL_ATN;
1358                     s->sbcl |= LSI_SBCL_ATN;
1359                     lsi_set_phase(s, PHASE_MO);
1360                 }
1361 
1362                 if (insn & (1 << 6)) {
1363                     s->sbcl |= LSI_SBCL_ACK;
1364                 }
1365 
1366                 if (insn & (1 << 9)) {
1367                     qemu_log_mask(LOG_UNIMP,
1368                         "lsi_scsi: Target mode not implemented\n");
1369                 }
1370                 if (insn & (1 << 10))
1371                     s->carry = 1;
1372                 break;
1373             case 4: /* Clear */
1374                 trace_lsi_execute_script_io_clear(
1375                         insn & (1 << 3) ? " ATN" : "",
1376                         insn & (1 << 6) ? " ACK" : "",
1377                         insn & (1 << 9) ? " TM" : "",
1378                         insn & (1 << 10) ? " CC" : "");
1379                 if (insn & (1 << 3)) {
1380                     s->socl &= ~LSI_SOCL_ATN;
1381                     s->sbcl &= ~LSI_SBCL_ATN;
1382                 }
1383 
1384                 if (insn & (1 << 6)) {
1385                     s->sbcl &= ~LSI_SBCL_ACK;
1386                 }
1387 
1388                 if (insn & (1 << 10))
1389                     s->carry = 0;
1390                 break;
1391             }
1392         } else {
1393             uint8_t op0;
1394             uint8_t op1;
1395             uint8_t data8;
1396             int reg;
1397             int operator;
1398 
1399             static const char *opcode_names[3] =
1400                 {"Write", "Read", "Read-Modify-Write"};
1401             static const char *operator_names[8] =
1402                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1403 
1404             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1405             data8 = (insn >> 8) & 0xff;
1406             opcode = (insn >> 27) & 7;
1407             operator = (insn >> 24) & 7;
1408             trace_lsi_execute_script_io_opcode(
1409                     opcode_names[opcode - 5], reg,
1410                     operator_names[operator], data8, s->sfbr,
1411                     (insn & (1 << 23)) ? " SFBR" : "");
1412             op0 = op1 = 0;
1413             switch (opcode) {
1414             case 5: /* From SFBR */
1415                 op0 = s->sfbr;
1416                 op1 = data8;
1417                 break;
1418             case 6: /* To SFBR */
1419                 if (operator)
1420                     op0 = lsi_reg_readb(s, reg);
1421                 op1 = data8;
1422                 break;
1423             case 7: /* Read-modify-write */
1424                 if (operator)
1425                     op0 = lsi_reg_readb(s, reg);
1426                 if (insn & (1 << 23)) {
1427                     op1 = s->sfbr;
1428                 } else {
1429                     op1 = data8;
1430                 }
1431                 break;
1432             }
1433 
1434             switch (operator) {
1435             case 0: /* move */
1436                 op0 = op1;
1437                 break;
1438             case 1: /* Shift left */
1439                 op1 = op0 >> 7;
1440                 op0 = (op0 << 1) | s->carry;
1441                 s->carry = op1;
1442                 break;
1443             case 2: /* OR */
1444                 op0 |= op1;
1445                 break;
1446             case 3: /* XOR */
1447                 op0 ^= op1;
1448                 break;
1449             case 4: /* AND */
1450                 op0 &= op1;
1451                 break;
1452             case 5: /* SHR */
1453                 op1 = op0 & 1;
1454                 op0 = (op0 >> 1) | (s->carry << 7);
1455                 s->carry = op1;
1456                 break;
1457             case 6: /* ADD */
1458                 op0 += op1;
1459                 s->carry = op0 < op1;
1460                 break;
1461             case 7: /* ADC */
1462                 op0 += op1 + s->carry;
1463                 if (s->carry)
1464                     s->carry = op0 <= op1;
1465                 else
1466                     s->carry = op0 < op1;
1467                 break;
1468             }
1469 
1470             switch (opcode) {
1471             case 5: /* From SFBR */
1472             case 7: /* Read-modify-write */
1473                 lsi_reg_writeb(s, reg, op0);
1474                 break;
1475             case 6: /* To SFBR */
1476                 s->sfbr = op0;
1477                 break;
1478             }
1479         }
1480         break;
1481 
1482     case 2: /* Transfer Control.  */
1483         {
1484             int cond;
1485             int jmp;
1486 
1487             if ((insn & 0x002e0000) == 0) {
1488                 trace_lsi_execute_script_tc_nop();
1489                 break;
1490             }
1491             if (s->sist1 & LSI_SIST1_STO) {
1492                 trace_lsi_execute_script_tc_delayedselect_timeout();
1493                 lsi_stop_script(s);
1494                 break;
1495             }
1496             cond = jmp = (insn & (1 << 19)) != 0;
1497             if (cond == jmp && (insn & (1 << 21))) {
1498                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1499                 cond = s->carry != 0;
1500             }
1501             if (cond == jmp && (insn & (1 << 17))) {
1502                 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1503                         jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1504                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1505             }
1506             if (cond == jmp && (insn & (1 << 18))) {
1507                 uint8_t mask;
1508 
1509                 mask = (~insn >> 8) & 0xff;
1510                 trace_lsi_execute_script_tc_compd(
1511                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1512                 cond = (s->sfbr & mask) == (insn & mask);
1513             }
1514             if (cond == jmp) {
1515                 if (insn & (1 << 23)) {
1516                     /* Relative address.  */
1517                     addr = s->dsp + sextract32(addr, 0, 24);
1518                 }
1519                 switch ((insn >> 27) & 7) {
1520                 case 0: /* Jump */
1521                     trace_lsi_execute_script_tc_jump(addr);
1522                     s->adder = addr;
1523                     s->dsp = addr;
1524                     break;
1525                 case 1: /* Call */
1526                     trace_lsi_execute_script_tc_call(addr);
1527                     s->temp = s->dsp;
1528                     s->dsp = addr;
1529                     break;
1530                 case 2: /* Return */
1531                     trace_lsi_execute_script_tc_return(s->temp);
1532                     s->dsp = s->temp;
1533                     break;
1534                 case 3: /* Interrupt */
1535                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1536                     if ((insn & (1 << 20)) != 0) {
1537                         s->istat0 |= LSI_ISTAT0_INTF;
1538                         lsi_update_irq(s);
1539                     } else {
1540                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1541                     }
1542                     break;
1543                 default:
1544                     trace_lsi_execute_script_tc_illegal();
1545                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1546                     break;
1547                 }
1548             } else {
1549                 trace_lsi_execute_script_tc_cc_failed();
1550             }
1551         }
1552         break;
1553 
1554     case 3:
1555         if ((insn & (1 << 29)) == 0) {
1556             /* Memory move.  */
1557             uint32_t dest;
1558             /* ??? The docs imply the destination address is loaded into
1559                the TEMP register.  However the Linux drivers rely on
1560                the value being presrved.  */
1561             dest = read_dword(s, s->dsp);
1562             s->dsp += 4;
1563             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1564         } else {
1565             uint8_t data[7];
1566             int reg;
1567             int n;
1568             int i;
1569 
1570             if (insn & (1 << 28)) {
1571                 addr = s->dsa + sextract32(addr, 0, 24);
1572             }
1573             n = (insn & 7);
1574             reg = (insn >> 16) & 0xff;
1575             if (insn & (1 << 24)) {
1576                 pci_dma_read(pci_dev, addr, data, n);
1577                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1578                 for (i = 0; i < n; i++) {
1579                     lsi_reg_writeb(s, reg + i, data[i]);
1580                 }
1581             } else {
1582                 trace_lsi_execute_script_mm_store(reg, n, addr);
1583                 for (i = 0; i < n; i++) {
1584                     data[i] = lsi_reg_readb(s, reg + i);
1585                 }
1586                 pci_dma_write(pci_dev, addr, data, n);
1587             }
1588         }
1589     }
1590     if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1591         if (s->dcntl & LSI_DCNTL_SSM) {
1592             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1593         } else {
1594             goto again;
1595         }
1596     }
1597     trace_lsi_execute_script_stop();
1598 }
1599 
1600 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1601 {
1602     uint8_t ret;
1603 
1604 #define CASE_GET_REG24(name, addr) \
1605     case addr: ret = s->name & 0xff; break; \
1606     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1607     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1608 
1609 #define CASE_GET_REG32(name, addr) \
1610     case addr: ret = s->name & 0xff; break; \
1611     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1612     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1613     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1614 
1615     switch (offset) {
1616     case 0x00: /* SCNTL0 */
1617         ret = s->scntl0;
1618         break;
1619     case 0x01: /* SCNTL1 */
1620         ret = s->scntl1;
1621         break;
1622     case 0x02: /* SCNTL2 */
1623         ret = s->scntl2;
1624         break;
1625     case 0x03: /* SCNTL3 */
1626         ret = s->scntl3;
1627         break;
1628     case 0x04: /* SCID */
1629         ret = s->scid;
1630         break;
1631     case 0x05: /* SXFER */
1632         ret = s->sxfer;
1633         break;
1634     case 0x06: /* SDID */
1635         ret = s->sdid;
1636         break;
1637     case 0x07: /* GPREG0 */
1638         ret = 0x7f;
1639         break;
1640     case 0x08: /* Revision ID */
1641         ret = 0x00;
1642         break;
1643     case 0x09: /* SOCL */
1644         ret = s->socl;
1645         break;
1646     case 0xa: /* SSID */
1647         ret = s->ssid;
1648         break;
1649     case 0xb: /* SBCL */
1650         ret = s->sbcl;
1651         break;
1652     case 0xc: /* DSTAT */
1653         ret = s->dstat | LSI_DSTAT_DFE;
1654         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1655             s->dstat = 0;
1656         lsi_update_irq(s);
1657         break;
1658     case 0x0d: /* SSTAT0 */
1659         ret = s->sstat0;
1660         break;
1661     case 0x0e: /* SSTAT1 */
1662         ret = s->sstat1;
1663         break;
1664     case 0x0f: /* SSTAT2 */
1665         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1666         break;
1667     CASE_GET_REG32(dsa, 0x10)
1668     case 0x14: /* ISTAT0 */
1669         ret = s->istat0;
1670         break;
1671     case 0x15: /* ISTAT1 */
1672         ret = s->istat1;
1673         break;
1674     case 0x16: /* MBOX0 */
1675         ret = s->mbox0;
1676         break;
1677     case 0x17: /* MBOX1 */
1678         ret = s->mbox1;
1679         break;
1680     case 0x18: /* CTEST0 */
1681         ret = 0xff;
1682         break;
1683     case 0x19: /* CTEST1 */
1684         ret = 0;
1685         break;
1686     case 0x1a: /* CTEST2 */
1687         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1688         if (s->istat0 & LSI_ISTAT0_SIGP) {
1689             s->istat0 &= ~LSI_ISTAT0_SIGP;
1690             ret |= LSI_CTEST2_SIGP;
1691         }
1692         break;
1693     case 0x1b: /* CTEST3 */
1694         ret = s->ctest3;
1695         break;
1696     CASE_GET_REG32(temp, 0x1c)
1697     case 0x20: /* DFIFO */
1698         ret = s->dfifo;
1699         break;
1700     case 0x21: /* CTEST4 */
1701         ret = s->ctest4;
1702         break;
1703     case 0x22: /* CTEST5 */
1704         ret = s->ctest5;
1705         break;
1706     case 0x23: /* CTEST6 */
1707         ret = 0;
1708         break;
1709     CASE_GET_REG24(dbc, 0x24)
1710     case 0x27: /* DCMD */
1711         ret = s->dcmd;
1712         break;
1713     CASE_GET_REG32(dnad, 0x28)
1714     CASE_GET_REG32(dsp, 0x2c)
1715     CASE_GET_REG32(dsps, 0x30)
1716     CASE_GET_REG32(scratch[0], 0x34)
1717     case 0x38: /* DMODE */
1718         ret = s->dmode;
1719         break;
1720     case 0x39: /* DIEN */
1721         ret = s->dien;
1722         break;
1723     case 0x3a: /* SBR */
1724         ret = s->sbr;
1725         break;
1726     case 0x3b: /* DCNTL */
1727         ret = s->dcntl;
1728         break;
1729     /* ADDER Output (Debug of relative jump address) */
1730     CASE_GET_REG32(adder, 0x3c)
1731     case 0x40: /* SIEN0 */
1732         ret = s->sien0;
1733         break;
1734     case 0x41: /* SIEN1 */
1735         ret = s->sien1;
1736         break;
1737     case 0x42: /* SIST0 */
1738         ret = s->sist0;
1739         s->sist0 = 0;
1740         lsi_update_irq(s);
1741         break;
1742     case 0x43: /* SIST1 */
1743         ret = s->sist1;
1744         s->sist1 = 0;
1745         lsi_update_irq(s);
1746         break;
1747     case 0x46: /* MACNTL */
1748         ret = 0x0f;
1749         break;
1750     case 0x47: /* GPCNTL0 */
1751         ret = 0x0f;
1752         break;
1753     case 0x48: /* STIME0 */
1754         ret = s->stime0;
1755         break;
1756     case 0x4a: /* RESPID0 */
1757         ret = s->respid0;
1758         break;
1759     case 0x4b: /* RESPID1 */
1760         ret = s->respid1;
1761         break;
1762     case 0x4d: /* STEST1 */
1763         ret = s->stest1;
1764         break;
1765     case 0x4e: /* STEST2 */
1766         ret = s->stest2;
1767         break;
1768     case 0x4f: /* STEST3 */
1769         ret = s->stest3;
1770         break;
1771     case 0x50: /* SIDL */
1772         /* This is needed by the linux drivers.  We currently only update it
1773            during the MSG IN phase.  */
1774         ret = s->sidl;
1775         break;
1776     case 0x52: /* STEST4 */
1777         ret = 0xe0;
1778         break;
1779     case 0x56: /* CCNTL0 */
1780         ret = s->ccntl0;
1781         break;
1782     case 0x57: /* CCNTL1 */
1783         ret = s->ccntl1;
1784         break;
1785     case 0x58: /* SBDL */
1786         /* Some drivers peek at the data bus during the MSG IN phase.  */
1787         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1788             assert(s->msg_len > 0);
1789             return s->msg[0];
1790         }
1791         ret = 0;
1792         break;
1793     case 0x59: /* SBDL high */
1794         ret = 0;
1795         break;
1796     CASE_GET_REG32(mmrs, 0xa0)
1797     CASE_GET_REG32(mmws, 0xa4)
1798     CASE_GET_REG32(sfs, 0xa8)
1799     CASE_GET_REG32(drs, 0xac)
1800     CASE_GET_REG32(sbms, 0xb0)
1801     CASE_GET_REG32(dbms, 0xb4)
1802     CASE_GET_REG32(dnad64, 0xb8)
1803     CASE_GET_REG32(pmjad1, 0xc0)
1804     CASE_GET_REG32(pmjad2, 0xc4)
1805     CASE_GET_REG32(rbc, 0xc8)
1806     CASE_GET_REG32(ua, 0xcc)
1807     CASE_GET_REG32(ia, 0xd4)
1808     CASE_GET_REG32(sbc, 0xd8)
1809     CASE_GET_REG32(csbc, 0xdc)
1810     case 0x5c ... 0x9f:
1811     {
1812         int n;
1813         int shift;
1814         n = (offset - 0x58) >> 2;
1815         shift = (offset & 3) * 8;
1816         ret = (s->scratch[n] >> shift) & 0xff;
1817         break;
1818     }
1819     default:
1820     {
1821         qemu_log_mask(LOG_GUEST_ERROR,
1822                       "lsi_scsi: invalid read from reg %s %x\n",
1823                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1824                       offset);
1825         ret = 0xff;
1826         break;
1827     }
1828     }
1829 #undef CASE_GET_REG24
1830 #undef CASE_GET_REG32
1831 
1832     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1833                        offset, ret);
1834 
1835     return ret;
1836 }
1837 
1838 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1839 {
1840 #define CASE_SET_REG24(name, addr) \
1841     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1842     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1843     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1844 
1845 #define CASE_SET_REG32(name, addr) \
1846     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1847     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1848     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1849     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1850 
1851     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1852                         offset, val);
1853 
1854     switch (offset) {
1855     case 0x00: /* SCNTL0 */
1856         s->scntl0 = val;
1857         if (val & LSI_SCNTL0_START) {
1858             qemu_log_mask(LOG_UNIMP,
1859                           "lsi_scsi: Start sequence not implemented\n");
1860         }
1861         break;
1862     case 0x01: /* SCNTL1 */
1863         s->scntl1 = val & ~LSI_SCNTL1_SST;
1864         if (val & LSI_SCNTL1_IARB) {
1865             qemu_log_mask(LOG_UNIMP,
1866                       "lsi_scsi: Immediate Arbritration not implemented\n");
1867         }
1868         if (val & LSI_SCNTL1_RST) {
1869             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1870                 qbus_reset_all(BUS(&s->bus));
1871                 s->sstat0 |= LSI_SSTAT0_RST;
1872                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1873             }
1874         } else {
1875             s->sstat0 &= ~LSI_SSTAT0_RST;
1876         }
1877         break;
1878     case 0x02: /* SCNTL2 */
1879         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1880         s->scntl2 = val;
1881         break;
1882     case 0x03: /* SCNTL3 */
1883         s->scntl3 = val;
1884         break;
1885     case 0x04: /* SCID */
1886         s->scid = val;
1887         break;
1888     case 0x05: /* SXFER */
1889         s->sxfer = val;
1890         break;
1891     case 0x06: /* SDID */
1892         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1893             qemu_log_mask(LOG_GUEST_ERROR,
1894                           "lsi_scsi: Destination ID does not match SSID\n");
1895         }
1896         s->sdid = val & 0xf;
1897         break;
1898     case 0x07: /* GPREG0 */
1899         break;
1900     case 0x08: /* SFBR */
1901         /* The CPU is not allowed to write to this register.  However the
1902            SCRIPTS register move instructions are.  */
1903         s->sfbr = val;
1904         break;
1905     case 0x0a: case 0x0b:
1906         /* Openserver writes to these readonly registers on startup */
1907         return;
1908     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1909         /* Linux writes to these readonly registers on startup.  */
1910         return;
1911     CASE_SET_REG32(dsa, 0x10)
1912     case 0x14: /* ISTAT0 */
1913         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1914         if (val & LSI_ISTAT0_ABRT) {
1915             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1916         }
1917         if (val & LSI_ISTAT0_INTF) {
1918             s->istat0 &= ~LSI_ISTAT0_INTF;
1919             lsi_update_irq(s);
1920         }
1921         if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1922             trace_lsi_awoken();
1923             s->waiting = LSI_NOWAIT;
1924             s->dsp = s->dnad;
1925             lsi_execute_script(s);
1926         }
1927         if (val & LSI_ISTAT0_SRST) {
1928             qdev_reset_all(DEVICE(s));
1929         }
1930         break;
1931     case 0x16: /* MBOX0 */
1932         s->mbox0 = val;
1933         break;
1934     case 0x17: /* MBOX1 */
1935         s->mbox1 = val;
1936         break;
1937     case 0x18: /* CTEST0 */
1938         /* nothing to do */
1939         break;
1940     case 0x1a: /* CTEST2 */
1941         s->ctest2 = val & LSI_CTEST2_PCICIE;
1942         break;
1943     case 0x1b: /* CTEST3 */
1944         s->ctest3 = val & 0x0f;
1945         break;
1946     CASE_SET_REG32(temp, 0x1c)
1947     case 0x21: /* CTEST4 */
1948         if (val & 7) {
1949             qemu_log_mask(LOG_UNIMP,
1950                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1951         }
1952         s->ctest4 = val;
1953         break;
1954     case 0x22: /* CTEST5 */
1955         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1956             qemu_log_mask(LOG_UNIMP,
1957                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1958         }
1959         s->ctest5 = val;
1960         break;
1961     CASE_SET_REG24(dbc, 0x24)
1962     CASE_SET_REG32(dnad, 0x28)
1963     case 0x2c: /* DSP[0:7] */
1964         s->dsp &= 0xffffff00;
1965         s->dsp |= val;
1966         break;
1967     case 0x2d: /* DSP[8:15] */
1968         s->dsp &= 0xffff00ff;
1969         s->dsp |= val << 8;
1970         break;
1971     case 0x2e: /* DSP[16:23] */
1972         s->dsp &= 0xff00ffff;
1973         s->dsp |= val << 16;
1974         break;
1975     case 0x2f: /* DSP[24:31] */
1976         s->dsp &= 0x00ffffff;
1977         s->dsp |= val << 24;
1978         /*
1979          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
1980          * instruction.  Is this correct?
1981          */
1982         if ((s->dmode & LSI_DMODE_MAN) == 0
1983             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1984             lsi_execute_script(s);
1985         break;
1986     CASE_SET_REG32(dsps, 0x30)
1987     CASE_SET_REG32(scratch[0], 0x34)
1988     case 0x38: /* DMODE */
1989         s->dmode = val;
1990         break;
1991     case 0x39: /* DIEN */
1992         s->dien = val;
1993         lsi_update_irq(s);
1994         break;
1995     case 0x3a: /* SBR */
1996         s->sbr = val;
1997         break;
1998     case 0x3b: /* DCNTL */
1999         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
2000         /*
2001          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
2002          * instruction.  Is this correct?
2003          */
2004         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
2005             lsi_execute_script(s);
2006         break;
2007     case 0x40: /* SIEN0 */
2008         s->sien0 = val;
2009         lsi_update_irq(s);
2010         break;
2011     case 0x41: /* SIEN1 */
2012         s->sien1 = val;
2013         lsi_update_irq(s);
2014         break;
2015     case 0x47: /* GPCNTL0 */
2016         break;
2017     case 0x48: /* STIME0 */
2018         s->stime0 = val;
2019         break;
2020     case 0x49: /* STIME1 */
2021         if (val & 0xf) {
2022             qemu_log_mask(LOG_UNIMP,
2023                           "lsi_scsi: General purpose timer not implemented\n");
2024             /* ??? Raising the interrupt immediately seems to be sufficient
2025                to keep the FreeBSD driver happy.  */
2026             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2027         }
2028         break;
2029     case 0x4a: /* RESPID0 */
2030         s->respid0 = val;
2031         break;
2032     case 0x4b: /* RESPID1 */
2033         s->respid1 = val;
2034         break;
2035     case 0x4d: /* STEST1 */
2036         s->stest1 = val;
2037         break;
2038     case 0x4e: /* STEST2 */
2039         if (val & 1) {
2040             qemu_log_mask(LOG_UNIMP,
2041                           "lsi_scsi: Low level mode not implemented\n");
2042         }
2043         s->stest2 = val;
2044         break;
2045     case 0x4f: /* STEST3 */
2046         if (val & 0x41) {
2047             qemu_log_mask(LOG_UNIMP,
2048                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
2049         }
2050         s->stest3 = val;
2051         break;
2052     case 0x56: /* CCNTL0 */
2053         s->ccntl0 = val;
2054         break;
2055     case 0x57: /* CCNTL1 */
2056         s->ccntl1 = val;
2057         break;
2058     CASE_SET_REG32(mmrs, 0xa0)
2059     CASE_SET_REG32(mmws, 0xa4)
2060     CASE_SET_REG32(sfs, 0xa8)
2061     CASE_SET_REG32(drs, 0xac)
2062     CASE_SET_REG32(sbms, 0xb0)
2063     CASE_SET_REG32(dbms, 0xb4)
2064     CASE_SET_REG32(dnad64, 0xb8)
2065     CASE_SET_REG32(pmjad1, 0xc0)
2066     CASE_SET_REG32(pmjad2, 0xc4)
2067     CASE_SET_REG32(rbc, 0xc8)
2068     CASE_SET_REG32(ua, 0xcc)
2069     CASE_SET_REG32(ia, 0xd4)
2070     CASE_SET_REG32(sbc, 0xd8)
2071     CASE_SET_REG32(csbc, 0xdc)
2072     default:
2073         if (offset >= 0x5c && offset < 0xa0) {
2074             int n;
2075             int shift;
2076             n = (offset - 0x58) >> 2;
2077             shift = (offset & 3) * 8;
2078             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2079         } else {
2080             qemu_log_mask(LOG_GUEST_ERROR,
2081                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2082                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2083                           offset, val);
2084         }
2085     }
2086 #undef CASE_SET_REG24
2087 #undef CASE_SET_REG32
2088 }
2089 
2090 static void lsi_mmio_write(void *opaque, hwaddr addr,
2091                            uint64_t val, unsigned size)
2092 {
2093     LSIState *s = opaque;
2094 
2095     lsi_reg_writeb(s, addr & 0xff, val);
2096 }
2097 
2098 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2099                               unsigned size)
2100 {
2101     LSIState *s = opaque;
2102     return lsi_reg_readb(s, addr & 0xff);
2103 }
2104 
2105 static const MemoryRegionOps lsi_mmio_ops = {
2106     .read = lsi_mmio_read,
2107     .write = lsi_mmio_write,
2108     .endianness = DEVICE_LITTLE_ENDIAN,
2109     .impl = {
2110         .min_access_size = 1,
2111         .max_access_size = 1,
2112     },
2113 };
2114 
2115 static void lsi_ram_write(void *opaque, hwaddr addr,
2116                           uint64_t val, unsigned size)
2117 {
2118     LSIState *s = opaque;
2119     stn_le_p(s->script_ram + addr, size, val);
2120 }
2121 
2122 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2123                              unsigned size)
2124 {
2125     LSIState *s = opaque;
2126     return ldn_le_p(s->script_ram + addr, size);
2127 }
2128 
2129 static const MemoryRegionOps lsi_ram_ops = {
2130     .read = lsi_ram_read,
2131     .write = lsi_ram_write,
2132     .endianness = DEVICE_LITTLE_ENDIAN,
2133 };
2134 
2135 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2136                             unsigned size)
2137 {
2138     LSIState *s = opaque;
2139     return lsi_reg_readb(s, addr & 0xff);
2140 }
2141 
2142 static void lsi_io_write(void *opaque, hwaddr addr,
2143                          uint64_t val, unsigned size)
2144 {
2145     LSIState *s = opaque;
2146     lsi_reg_writeb(s, addr & 0xff, val);
2147 }
2148 
2149 static const MemoryRegionOps lsi_io_ops = {
2150     .read = lsi_io_read,
2151     .write = lsi_io_write,
2152     .endianness = DEVICE_LITTLE_ENDIAN,
2153     .impl = {
2154         .min_access_size = 1,
2155         .max_access_size = 1,
2156     },
2157 };
2158 
2159 static void lsi_scsi_reset(DeviceState *dev)
2160 {
2161     LSIState *s = LSI53C895A(dev);
2162 
2163     lsi_soft_reset(s);
2164 }
2165 
2166 static int lsi_pre_save(void *opaque)
2167 {
2168     LSIState *s = opaque;
2169 
2170     if (s->current) {
2171         assert(s->current->dma_buf == NULL);
2172         assert(s->current->dma_len == 0);
2173     }
2174     assert(QTAILQ_EMPTY(&s->queue));
2175 
2176     return 0;
2177 }
2178 
2179 static int lsi_post_load(void *opaque, int version_id)
2180 {
2181     LSIState *s = opaque;
2182 
2183     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2184         return -EINVAL;
2185     }
2186 
2187     return 0;
2188 }
2189 
2190 static const VMStateDescription vmstate_lsi_scsi = {
2191     .name = "lsiscsi",
2192     .version_id = 1,
2193     .minimum_version_id = 0,
2194     .pre_save = lsi_pre_save,
2195     .post_load = lsi_post_load,
2196     .fields = (VMStateField[]) {
2197         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2198 
2199         VMSTATE_INT32(carry, LSIState),
2200         VMSTATE_INT32(status, LSIState),
2201         VMSTATE_INT32(msg_action, LSIState),
2202         VMSTATE_INT32(msg_len, LSIState),
2203         VMSTATE_BUFFER(msg, LSIState),
2204         VMSTATE_INT32(waiting, LSIState),
2205 
2206         VMSTATE_UINT32(dsa, LSIState),
2207         VMSTATE_UINT32(temp, LSIState),
2208         VMSTATE_UINT32(dnad, LSIState),
2209         VMSTATE_UINT32(dbc, LSIState),
2210         VMSTATE_UINT8(istat0, LSIState),
2211         VMSTATE_UINT8(istat1, LSIState),
2212         VMSTATE_UINT8(dcmd, LSIState),
2213         VMSTATE_UINT8(dstat, LSIState),
2214         VMSTATE_UINT8(dien, LSIState),
2215         VMSTATE_UINT8(sist0, LSIState),
2216         VMSTATE_UINT8(sist1, LSIState),
2217         VMSTATE_UINT8(sien0, LSIState),
2218         VMSTATE_UINT8(sien1, LSIState),
2219         VMSTATE_UINT8(mbox0, LSIState),
2220         VMSTATE_UINT8(mbox1, LSIState),
2221         VMSTATE_UINT8(dfifo, LSIState),
2222         VMSTATE_UINT8(ctest2, LSIState),
2223         VMSTATE_UINT8(ctest3, LSIState),
2224         VMSTATE_UINT8(ctest4, LSIState),
2225         VMSTATE_UINT8(ctest5, LSIState),
2226         VMSTATE_UINT8(ccntl0, LSIState),
2227         VMSTATE_UINT8(ccntl1, LSIState),
2228         VMSTATE_UINT32(dsp, LSIState),
2229         VMSTATE_UINT32(dsps, LSIState),
2230         VMSTATE_UINT8(dmode, LSIState),
2231         VMSTATE_UINT8(dcntl, LSIState),
2232         VMSTATE_UINT8(scntl0, LSIState),
2233         VMSTATE_UINT8(scntl1, LSIState),
2234         VMSTATE_UINT8(scntl2, LSIState),
2235         VMSTATE_UINT8(scntl3, LSIState),
2236         VMSTATE_UINT8(sstat0, LSIState),
2237         VMSTATE_UINT8(sstat1, LSIState),
2238         VMSTATE_UINT8(scid, LSIState),
2239         VMSTATE_UINT8(sxfer, LSIState),
2240         VMSTATE_UINT8(socl, LSIState),
2241         VMSTATE_UINT8(sdid, LSIState),
2242         VMSTATE_UINT8(ssid, LSIState),
2243         VMSTATE_UINT8(sfbr, LSIState),
2244         VMSTATE_UINT8(stest1, LSIState),
2245         VMSTATE_UINT8(stest2, LSIState),
2246         VMSTATE_UINT8(stest3, LSIState),
2247         VMSTATE_UINT8(sidl, LSIState),
2248         VMSTATE_UINT8(stime0, LSIState),
2249         VMSTATE_UINT8(respid0, LSIState),
2250         VMSTATE_UINT8(respid1, LSIState),
2251         VMSTATE_UINT8_V(sbcl, LSIState, 1),
2252         VMSTATE_UINT32(mmrs, LSIState),
2253         VMSTATE_UINT32(mmws, LSIState),
2254         VMSTATE_UINT32(sfs, LSIState),
2255         VMSTATE_UINT32(drs, LSIState),
2256         VMSTATE_UINT32(sbms, LSIState),
2257         VMSTATE_UINT32(dbms, LSIState),
2258         VMSTATE_UINT32(dnad64, LSIState),
2259         VMSTATE_UINT32(pmjad1, LSIState),
2260         VMSTATE_UINT32(pmjad2, LSIState),
2261         VMSTATE_UINT32(rbc, LSIState),
2262         VMSTATE_UINT32(ua, LSIState),
2263         VMSTATE_UINT32(ia, LSIState),
2264         VMSTATE_UINT32(sbc, LSIState),
2265         VMSTATE_UINT32(csbc, LSIState),
2266         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2267         VMSTATE_UINT8(sbr, LSIState),
2268 
2269         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2270         VMSTATE_END_OF_LIST()
2271     }
2272 };
2273 
2274 static const struct SCSIBusInfo lsi_scsi_info = {
2275     .tcq = true,
2276     .max_target = LSI_MAX_DEVS,
2277     .max_lun = 0,  /* LUN support is buggy */
2278 
2279     .transfer_data = lsi_transfer_data,
2280     .complete = lsi_command_complete,
2281     .cancel = lsi_request_cancelled
2282 };
2283 
2284 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2285 {
2286     LSIState *s = LSI53C895A(dev);
2287     DeviceState *d = DEVICE(dev);
2288     uint8_t *pci_conf;
2289 
2290     pci_conf = dev->config;
2291 
2292     /* PCI latency timer = 255 */
2293     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2294     /* Interrupt pin A */
2295     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2296 
2297     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2298                           "lsi-mmio", 0x400);
2299     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2300                           "lsi-ram", 0x2000);
2301     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2302                           "lsi-io", 256);
2303 
2304     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2305     qdev_init_gpio_out(d, &s->ext_irq, 1);
2306 
2307     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2308     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2309     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2310     QTAILQ_INIT(&s->queue);
2311 
2312     scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
2313 }
2314 
2315 static void lsi_scsi_unrealize(DeviceState *dev, Error **errp)
2316 {
2317     LSIState *s = LSI53C895A(dev);
2318 
2319     address_space_destroy(&s->pci_io_as);
2320 }
2321 
2322 static void lsi_class_init(ObjectClass *klass, void *data)
2323 {
2324     DeviceClass *dc = DEVICE_CLASS(klass);
2325     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2326 
2327     k->realize = lsi_scsi_realize;
2328     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2329     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2330     k->class_id = PCI_CLASS_STORAGE_SCSI;
2331     k->subsystem_id = 0x1000;
2332     dc->unrealize = lsi_scsi_unrealize;
2333     dc->reset = lsi_scsi_reset;
2334     dc->vmsd = &vmstate_lsi_scsi;
2335     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2336 }
2337 
2338 static const TypeInfo lsi_info = {
2339     .name          = TYPE_LSI53C895A,
2340     .parent        = TYPE_PCI_DEVICE,
2341     .instance_size = sizeof(LSIState),
2342     .class_init    = lsi_class_init,
2343     .interfaces = (InterfaceInfo[]) {
2344         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2345         { },
2346     },
2347 };
2348 
2349 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2350 {
2351     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2352 
2353     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2354 }
2355 
2356 static TypeInfo lsi53c810_info = {
2357     .name          = TYPE_LSI53C810,
2358     .parent        = TYPE_LSI53C895A,
2359     .class_init    = lsi53c810_class_init,
2360 };
2361 
2362 static void lsi53c895a_register_types(void)
2363 {
2364     type_register_static(&lsi_info);
2365     type_register_static(&lsi53c810_info);
2366 }
2367 
2368 type_init(lsi53c895a_register_types)
2369 
2370 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2371 {
2372     LSIState *s = LSI53C895A(lsi_dev);
2373 
2374     scsi_bus_legacy_handle_cmdline(&s->bus);
2375 }
2376