xref: /openbmc/qemu/hw/arm/pxa2xx.c (revision 4e245a9e)
1 /*
2  * Intel XScale PXA255/270 processor support.
3  *
4  * Copyright (c) 2006 Openedhand Ltd.
5  * Written by Andrzej Zaborowski <balrog@zabor.org>
6  *
7  * This code is licensed under the GPL.
8  */
9 
10 #include "qemu/osdep.h"
11 #include "qemu/error-report.h"
12 #include "qemu/module.h"
13 #include "qapi/error.h"
14 #include "cpu.h"
15 #include "hw/sysbus.h"
16 #include "migration/vmstate.h"
17 #include "hw/arm/pxa.h"
18 #include "sysemu/sysemu.h"
19 #include "hw/char/serial.h"
20 #include "hw/i2c/i2c.h"
21 #include "hw/irq.h"
22 #include "hw/qdev-properties.h"
23 #include "hw/qdev-properties-system.h"
24 #include "hw/ssi/ssi.h"
25 #include "hw/sd/sd.h"
26 #include "chardev/char-fe.h"
27 #include "sysemu/blockdev.h"
28 #include "sysemu/qtest.h"
29 #include "sysemu/rtc.h"
30 #include "qemu/cutils.h"
31 #include "qemu/log.h"
32 #include "qom/object.h"
33 #include "target/arm/cpregs.h"
34 
35 static struct {
36     hwaddr io_base;
37     int irqn;
38 } pxa255_serial[] = {
39     { 0x40100000, PXA2XX_PIC_FFUART },
40     { 0x40200000, PXA2XX_PIC_BTUART },
41     { 0x40700000, PXA2XX_PIC_STUART },
42     { 0x41600000, PXA25X_PIC_HWUART },
43     { 0, 0 }
44 }, pxa270_serial[] = {
45     { 0x40100000, PXA2XX_PIC_FFUART },
46     { 0x40200000, PXA2XX_PIC_BTUART },
47     { 0x40700000, PXA2XX_PIC_STUART },
48     { 0, 0 }
49 };
50 
51 typedef struct PXASSPDef {
52     hwaddr io_base;
53     int irqn;
54 } PXASSPDef;
55 
56 #if 0
57 static PXASSPDef pxa250_ssp[] = {
58     { 0x41000000, PXA2XX_PIC_SSP },
59     { 0, 0 }
60 };
61 #endif
62 
63 static PXASSPDef pxa255_ssp[] = {
64     { 0x41000000, PXA2XX_PIC_SSP },
65     { 0x41400000, PXA25X_PIC_NSSP },
66     { 0, 0 }
67 };
68 
69 #if 0
70 static PXASSPDef pxa26x_ssp[] = {
71     { 0x41000000, PXA2XX_PIC_SSP },
72     { 0x41400000, PXA25X_PIC_NSSP },
73     { 0x41500000, PXA26X_PIC_ASSP },
74     { 0, 0 }
75 };
76 #endif
77 
78 static PXASSPDef pxa27x_ssp[] = {
79     { 0x41000000, PXA2XX_PIC_SSP },
80     { 0x41700000, PXA27X_PIC_SSP2 },
81     { 0x41900000, PXA2XX_PIC_SSP3 },
82     { 0, 0 }
83 };
84 
85 #define PMCR	0x00	/* Power Manager Control register */
86 #define PSSR	0x04	/* Power Manager Sleep Status register */
87 #define PSPR	0x08	/* Power Manager Scratch-Pad register */
88 #define PWER	0x0c	/* Power Manager Wake-Up Enable register */
89 #define PRER	0x10	/* Power Manager Rising-Edge Detect Enable register */
90 #define PFER	0x14	/* Power Manager Falling-Edge Detect Enable register */
91 #define PEDR	0x18	/* Power Manager Edge-Detect Status register */
92 #define PCFR	0x1c	/* Power Manager General Configuration register */
93 #define PGSR0	0x20	/* Power Manager GPIO Sleep-State register 0 */
94 #define PGSR1	0x24	/* Power Manager GPIO Sleep-State register 1 */
95 #define PGSR2	0x28	/* Power Manager GPIO Sleep-State register 2 */
96 #define PGSR3	0x2c	/* Power Manager GPIO Sleep-State register 3 */
97 #define RCSR	0x30	/* Reset Controller Status register */
98 #define PSLR	0x34	/* Power Manager Sleep Configuration register */
99 #define PTSR	0x38	/* Power Manager Standby Configuration register */
100 #define PVCR	0x40	/* Power Manager Voltage Change Control register */
101 #define PUCR	0x4c	/* Power Manager USIM Card Control/Status register */
102 #define PKWR	0x50	/* Power Manager Keyboard Wake-Up Enable register */
103 #define PKSR	0x54	/* Power Manager Keyboard Level-Detect Status */
104 #define PCMD0	0x80	/* Power Manager I2C Command register File 0 */
105 #define PCMD31	0xfc	/* Power Manager I2C Command register File 31 */
106 
107 static uint64_t pxa2xx_pm_read(void *opaque, hwaddr addr,
108                                unsigned size)
109 {
110     PXA2xxState *s = (PXA2xxState *) opaque;
111 
112     switch (addr) {
113     case PMCR ... PCMD31:
114         if (addr & 3)
115             goto fail;
116 
117         return s->pm_regs[addr >> 2];
118     default:
119     fail:
120         qemu_log_mask(LOG_GUEST_ERROR,
121                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
122                       __func__, addr);
123         break;
124     }
125     return 0;
126 }
127 
128 static void pxa2xx_pm_write(void *opaque, hwaddr addr,
129                             uint64_t value, unsigned size)
130 {
131     PXA2xxState *s = (PXA2xxState *) opaque;
132 
133     switch (addr) {
134     case PMCR:
135         /* Clear the write-one-to-clear bits... */
136         s->pm_regs[addr >> 2] &= ~(value & 0x2a);
137         /* ...and set the plain r/w bits */
138         s->pm_regs[addr >> 2] &= ~0x15;
139         s->pm_regs[addr >> 2] |= value & 0x15;
140         break;
141 
142     case PSSR:	/* Read-clean registers */
143     case RCSR:
144     case PKSR:
145         s->pm_regs[addr >> 2] &= ~value;
146         break;
147 
148     default:	/* Read-write registers */
149         if (!(addr & 3)) {
150             s->pm_regs[addr >> 2] = value;
151             break;
152         }
153         qemu_log_mask(LOG_GUEST_ERROR,
154                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
155                       __func__, addr);
156         break;
157     }
158 }
159 
160 static const MemoryRegionOps pxa2xx_pm_ops = {
161     .read = pxa2xx_pm_read,
162     .write = pxa2xx_pm_write,
163     .endianness = DEVICE_NATIVE_ENDIAN,
164 };
165 
166 static const VMStateDescription vmstate_pxa2xx_pm = {
167     .name = "pxa2xx_pm",
168     .version_id = 0,
169     .minimum_version_id = 0,
170     .fields = (VMStateField[]) {
171         VMSTATE_UINT32_ARRAY(pm_regs, PXA2xxState, 0x40),
172         VMSTATE_END_OF_LIST()
173     }
174 };
175 
176 #define CCCR	0x00	/* Core Clock Configuration register */
177 #define CKEN	0x04	/* Clock Enable register */
178 #define OSCC	0x08	/* Oscillator Configuration register */
179 #define CCSR	0x0c	/* Core Clock Status register */
180 
181 static uint64_t pxa2xx_cm_read(void *opaque, hwaddr addr,
182                                unsigned size)
183 {
184     PXA2xxState *s = (PXA2xxState *) opaque;
185 
186     switch (addr) {
187     case CCCR:
188     case CKEN:
189     case OSCC:
190         return s->cm_regs[addr >> 2];
191 
192     case CCSR:
193         return s->cm_regs[CCCR >> 2] | (3 << 28);
194 
195     default:
196         qemu_log_mask(LOG_GUEST_ERROR,
197                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
198                       __func__, addr);
199         break;
200     }
201     return 0;
202 }
203 
204 static void pxa2xx_cm_write(void *opaque, hwaddr addr,
205                             uint64_t value, unsigned size)
206 {
207     PXA2xxState *s = (PXA2xxState *) opaque;
208 
209     switch (addr) {
210     case CCCR:
211     case CKEN:
212         s->cm_regs[addr >> 2] = value;
213         break;
214 
215     case OSCC:
216         s->cm_regs[addr >> 2] &= ~0x6c;
217         s->cm_regs[addr >> 2] |= value & 0x6e;
218         if ((value >> 1) & 1)			/* OON */
219             s->cm_regs[addr >> 2] |= 1 << 0;	/* Oscillator is now stable */
220         break;
221 
222     default:
223         qemu_log_mask(LOG_GUEST_ERROR,
224                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
225                       __func__, addr);
226         break;
227     }
228 }
229 
230 static const MemoryRegionOps pxa2xx_cm_ops = {
231     .read = pxa2xx_cm_read,
232     .write = pxa2xx_cm_write,
233     .endianness = DEVICE_NATIVE_ENDIAN,
234 };
235 
236 static const VMStateDescription vmstate_pxa2xx_cm = {
237     .name = "pxa2xx_cm",
238     .version_id = 0,
239     .minimum_version_id = 0,
240     .fields = (VMStateField[]) {
241         VMSTATE_UINT32_ARRAY(cm_regs, PXA2xxState, 4),
242         VMSTATE_UINT32(clkcfg, PXA2xxState),
243         VMSTATE_UINT32(pmnc, PXA2xxState),
244         VMSTATE_END_OF_LIST()
245     }
246 };
247 
248 static uint64_t pxa2xx_clkcfg_read(CPUARMState *env, const ARMCPRegInfo *ri)
249 {
250     PXA2xxState *s = (PXA2xxState *)ri->opaque;
251     return s->clkcfg;
252 }
253 
254 static void pxa2xx_clkcfg_write(CPUARMState *env, const ARMCPRegInfo *ri,
255                                 uint64_t value)
256 {
257     PXA2xxState *s = (PXA2xxState *)ri->opaque;
258     s->clkcfg = value & 0xf;
259     if (value & 2) {
260         printf("%s: CPU frequency change attempt\n", __func__);
261     }
262 }
263 
264 static void pxa2xx_pwrmode_write(CPUARMState *env, const ARMCPRegInfo *ri,
265                                  uint64_t value)
266 {
267     PXA2xxState *s = (PXA2xxState *)ri->opaque;
268     static const char *pwrmode[8] = {
269         "Normal", "Idle", "Deep-idle", "Standby",
270         "Sleep", "reserved (!)", "reserved (!)", "Deep-sleep",
271     };
272 
273     if (value & 8) {
274         printf("%s: CPU voltage change attempt\n", __func__);
275     }
276     switch (value & 7) {
277     case 0:
278         /* Do nothing */
279         break;
280 
281     case 1:
282         /* Idle */
283         if (!(s->cm_regs[CCCR >> 2] & (1U << 31))) { /* CPDIS */
284             cpu_interrupt(CPU(s->cpu), CPU_INTERRUPT_HALT);
285             break;
286         }
287         /* Fall through.  */
288 
289     case 2:
290         /* Deep-Idle */
291         cpu_interrupt(CPU(s->cpu), CPU_INTERRUPT_HALT);
292         s->pm_regs[RCSR >> 2] |= 0x8; /* Set GPR */
293         goto message;
294 
295     case 3:
296         s->cpu->env.uncached_cpsr = ARM_CPU_MODE_SVC;
297         s->cpu->env.daif = PSTATE_A | PSTATE_F | PSTATE_I;
298         s->cpu->env.cp15.sctlr_ns = 0;
299         s->cpu->env.cp15.cpacr_el1 = 0;
300         s->cpu->env.cp15.ttbr0_el[1] = 0;
301         s->cpu->env.cp15.dacr_ns = 0;
302         s->pm_regs[PSSR >> 2] |= 0x8; /* Set STS */
303         s->pm_regs[RCSR >> 2] |= 0x8; /* Set GPR */
304 
305         /*
306          * The scratch-pad register is almost universally used
307          * for storing the return address on suspend.  For the
308          * lack of a resuming bootloader, perform a jump
309          * directly to that address.
310          */
311         memset(s->cpu->env.regs, 0, 4 * 15);
312         s->cpu->env.regs[15] = s->pm_regs[PSPR >> 2];
313 
314 #if 0
315         buffer = 0xe59ff000; /* ldr     pc, [pc, #0] */
316         cpu_physical_memory_write(0, &buffer, 4);
317         buffer = s->pm_regs[PSPR >> 2];
318         cpu_physical_memory_write(8, &buffer, 4);
319 #endif
320 
321         /* Suspend */
322         cpu_interrupt(current_cpu, CPU_INTERRUPT_HALT);
323 
324         goto message;
325 
326     default:
327     message:
328         printf("%s: machine entered %s mode\n", __func__,
329                pwrmode[value & 7]);
330     }
331 }
332 
333 static uint64_t pxa2xx_cppmnc_read(CPUARMState *env, const ARMCPRegInfo *ri)
334 {
335     PXA2xxState *s = (PXA2xxState *)ri->opaque;
336     return s->pmnc;
337 }
338 
339 static void pxa2xx_cppmnc_write(CPUARMState *env, const ARMCPRegInfo *ri,
340                                 uint64_t value)
341 {
342     PXA2xxState *s = (PXA2xxState *)ri->opaque;
343     s->pmnc = value;
344 }
345 
346 static uint64_t pxa2xx_cpccnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
347 {
348     PXA2xxState *s = (PXA2xxState *)ri->opaque;
349     if (s->pmnc & 1) {
350         return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
351     } else {
352         return 0;
353     }
354 }
355 
356 static const ARMCPRegInfo pxa_cp_reginfo[] = {
357     /* cp14 crm==1: perf registers */
358     { .name = "CPPMNC", .cp = 14, .crn = 0, .crm = 1, .opc1 = 0, .opc2 = 0,
359       .access = PL1_RW, .type = ARM_CP_IO,
360       .readfn = pxa2xx_cppmnc_read, .writefn = pxa2xx_cppmnc_write },
361     { .name = "CPCCNT", .cp = 14, .crn = 1, .crm = 1, .opc1 = 0, .opc2 = 0,
362       .access = PL1_RW, .type = ARM_CP_IO,
363       .readfn = pxa2xx_cpccnt_read, .writefn = arm_cp_write_ignore },
364     { .name = "CPINTEN", .cp = 14, .crn = 4, .crm = 1, .opc1 = 0, .opc2 = 0,
365       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
366     { .name = "CPFLAG", .cp = 14, .crn = 5, .crm = 1, .opc1 = 0, .opc2 = 0,
367       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
368     { .name = "CPEVTSEL", .cp = 14, .crn = 8, .crm = 1, .opc1 = 0, .opc2 = 0,
369       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
370     /* cp14 crm==2: performance count registers */
371     { .name = "CPPMN0", .cp = 14, .crn = 0, .crm = 2, .opc1 = 0, .opc2 = 0,
372       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
373     { .name = "CPPMN1", .cp = 14, .crn = 1, .crm = 2, .opc1 = 0, .opc2 = 0,
374       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
375     { .name = "CPPMN2", .cp = 14, .crn = 2, .crm = 2, .opc1 = 0, .opc2 = 0,
376       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
377     { .name = "CPPMN3", .cp = 14, .crn = 2, .crm = 3, .opc1 = 0, .opc2 = 0,
378       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
379     /* cp14 crn==6: CLKCFG */
380     { .name = "CLKCFG", .cp = 14, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0,
381       .access = PL1_RW, .type = ARM_CP_IO,
382       .readfn = pxa2xx_clkcfg_read, .writefn = pxa2xx_clkcfg_write },
383     /* cp14 crn==7: PWRMODE */
384     { .name = "PWRMODE", .cp = 14, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 0,
385       .access = PL1_RW, .type = ARM_CP_IO,
386       .readfn = arm_cp_read_zero, .writefn = pxa2xx_pwrmode_write },
387 };
388 
389 static void pxa2xx_setup_cp14(PXA2xxState *s)
390 {
391     define_arm_cp_regs_with_opaque(s->cpu, pxa_cp_reginfo, s);
392 }
393 
394 #define MDCNFG		0x00	/* SDRAM Configuration register */
395 #define MDREFR		0x04	/* SDRAM Refresh Control register */
396 #define MSC0		0x08	/* Static Memory Control register 0 */
397 #define MSC1		0x0c	/* Static Memory Control register 1 */
398 #define MSC2		0x10	/* Static Memory Control register 2 */
399 #define MECR		0x14	/* Expansion Memory Bus Config register */
400 #define SXCNFG		0x1c	/* Synchronous Static Memory Config register */
401 #define MCMEM0		0x28	/* PC Card Memory Socket 0 Timing register */
402 #define MCMEM1		0x2c	/* PC Card Memory Socket 1 Timing register */
403 #define MCATT0		0x30	/* PC Card Attribute Socket 0 register */
404 #define MCATT1		0x34	/* PC Card Attribute Socket 1 register */
405 #define MCIO0		0x38	/* PC Card I/O Socket 0 Timing register */
406 #define MCIO1		0x3c	/* PC Card I/O Socket 1 Timing register */
407 #define MDMRS		0x40	/* SDRAM Mode Register Set Config register */
408 #define BOOT_DEF	0x44	/* Boot-time Default Configuration register */
409 #define ARB_CNTL	0x48	/* Arbiter Control register */
410 #define BSCNTR0		0x4c	/* Memory Buffer Strength Control register 0 */
411 #define BSCNTR1		0x50	/* Memory Buffer Strength Control register 1 */
412 #define LCDBSCNTR	0x54	/* LCD Buffer Strength Control register */
413 #define MDMRSLP		0x58	/* Low Power SDRAM Mode Set Config register */
414 #define BSCNTR2		0x5c	/* Memory Buffer Strength Control register 2 */
415 #define BSCNTR3		0x60	/* Memory Buffer Strength Control register 3 */
416 #define SA1110		0x64	/* SA-1110 Memory Compatibility register */
417 
418 static uint64_t pxa2xx_mm_read(void *opaque, hwaddr addr,
419                                unsigned size)
420 {
421     PXA2xxState *s = (PXA2xxState *) opaque;
422 
423     switch (addr) {
424     case MDCNFG ... SA1110:
425         if ((addr & 3) == 0)
426             return s->mm_regs[addr >> 2];
427         /* fall through */
428     default:
429         qemu_log_mask(LOG_GUEST_ERROR,
430                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
431                       __func__, addr);
432         break;
433     }
434     return 0;
435 }
436 
437 static void pxa2xx_mm_write(void *opaque, hwaddr addr,
438                             uint64_t value, unsigned size)
439 {
440     PXA2xxState *s = (PXA2xxState *) opaque;
441 
442     switch (addr) {
443     case MDCNFG ... SA1110:
444         if ((addr & 3) == 0) {
445             s->mm_regs[addr >> 2] = value;
446             break;
447         }
448         /* fallthrough */
449     default:
450         qemu_log_mask(LOG_GUEST_ERROR,
451                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
452                       __func__, addr);
453         break;
454     }
455 }
456 
457 static const MemoryRegionOps pxa2xx_mm_ops = {
458     .read = pxa2xx_mm_read,
459     .write = pxa2xx_mm_write,
460     .endianness = DEVICE_NATIVE_ENDIAN,
461 };
462 
463 static const VMStateDescription vmstate_pxa2xx_mm = {
464     .name = "pxa2xx_mm",
465     .version_id = 0,
466     .minimum_version_id = 0,
467     .fields = (VMStateField[]) {
468         VMSTATE_UINT32_ARRAY(mm_regs, PXA2xxState, 0x1a),
469         VMSTATE_END_OF_LIST()
470     }
471 };
472 
473 #define TYPE_PXA2XX_SSP "pxa2xx-ssp"
474 OBJECT_DECLARE_SIMPLE_TYPE(PXA2xxSSPState, PXA2XX_SSP)
475 
476 /* Synchronous Serial Ports */
477 struct PXA2xxSSPState {
478     /*< private >*/
479     SysBusDevice parent_obj;
480     /*< public >*/
481 
482     MemoryRegion iomem;
483     qemu_irq irq;
484     uint32_t enable;
485     SSIBus *bus;
486 
487     uint32_t sscr[2];
488     uint32_t sspsp;
489     uint32_t ssto;
490     uint32_t ssitr;
491     uint32_t sssr;
492     uint8_t sstsa;
493     uint8_t ssrsa;
494     uint8_t ssacd;
495 
496     uint32_t rx_fifo[16];
497     uint32_t rx_level;
498     uint32_t rx_start;
499 };
500 
501 static bool pxa2xx_ssp_vmstate_validate(void *opaque, int version_id)
502 {
503     PXA2xxSSPState *s = opaque;
504 
505     return s->rx_start < sizeof(s->rx_fifo);
506 }
507 
508 static const VMStateDescription vmstate_pxa2xx_ssp = {
509     .name = "pxa2xx-ssp",
510     .version_id = 1,
511     .minimum_version_id = 1,
512     .fields = (VMStateField[]) {
513         VMSTATE_UINT32(enable, PXA2xxSSPState),
514         VMSTATE_UINT32_ARRAY(sscr, PXA2xxSSPState, 2),
515         VMSTATE_UINT32(sspsp, PXA2xxSSPState),
516         VMSTATE_UINT32(ssto, PXA2xxSSPState),
517         VMSTATE_UINT32(ssitr, PXA2xxSSPState),
518         VMSTATE_UINT32(sssr, PXA2xxSSPState),
519         VMSTATE_UINT8(sstsa, PXA2xxSSPState),
520         VMSTATE_UINT8(ssrsa, PXA2xxSSPState),
521         VMSTATE_UINT8(ssacd, PXA2xxSSPState),
522         VMSTATE_UINT32(rx_level, PXA2xxSSPState),
523         VMSTATE_UINT32(rx_start, PXA2xxSSPState),
524         VMSTATE_VALIDATE("fifo is 16 bytes", pxa2xx_ssp_vmstate_validate),
525         VMSTATE_UINT32_ARRAY(rx_fifo, PXA2xxSSPState, 16),
526         VMSTATE_END_OF_LIST()
527     }
528 };
529 
530 #define SSCR0	0x00	/* SSP Control register 0 */
531 #define SSCR1	0x04	/* SSP Control register 1 */
532 #define SSSR	0x08	/* SSP Status register */
533 #define SSITR	0x0c	/* SSP Interrupt Test register */
534 #define SSDR	0x10	/* SSP Data register */
535 #define SSTO	0x28	/* SSP Time-Out register */
536 #define SSPSP	0x2c	/* SSP Programmable Serial Protocol register */
537 #define SSTSA	0x30	/* SSP TX Time Slot Active register */
538 #define SSRSA	0x34	/* SSP RX Time Slot Active register */
539 #define SSTSS	0x38	/* SSP Time Slot Status register */
540 #define SSACD	0x3c	/* SSP Audio Clock Divider register */
541 
542 /* Bitfields for above registers */
543 #define SSCR0_SPI(x)	(((x) & 0x30) == 0x00)
544 #define SSCR0_SSP(x)	(((x) & 0x30) == 0x10)
545 #define SSCR0_UWIRE(x)	(((x) & 0x30) == 0x20)
546 #define SSCR0_PSP(x)	(((x) & 0x30) == 0x30)
547 #define SSCR0_SSE	(1 << 7)
548 #define SSCR0_RIM	(1 << 22)
549 #define SSCR0_TIM	(1 << 23)
550 #define SSCR0_MOD       (1U << 31)
551 #define SSCR0_DSS(x)	(((((x) >> 16) & 0x10) | ((x) & 0xf)) + 1)
552 #define SSCR1_RIE	(1 << 0)
553 #define SSCR1_TIE	(1 << 1)
554 #define SSCR1_LBM	(1 << 2)
555 #define SSCR1_MWDS	(1 << 5)
556 #define SSCR1_TFT(x)	((((x) >> 6) & 0xf) + 1)
557 #define SSCR1_RFT(x)	((((x) >> 10) & 0xf) + 1)
558 #define SSCR1_EFWR	(1 << 14)
559 #define SSCR1_PINTE	(1 << 18)
560 #define SSCR1_TINTE	(1 << 19)
561 #define SSCR1_RSRE	(1 << 20)
562 #define SSCR1_TSRE	(1 << 21)
563 #define SSCR1_EBCEI	(1 << 29)
564 #define SSITR_INT	(7 << 5)
565 #define SSSR_TNF	(1 << 2)
566 #define SSSR_RNE	(1 << 3)
567 #define SSSR_TFS	(1 << 5)
568 #define SSSR_RFS	(1 << 6)
569 #define SSSR_ROR	(1 << 7)
570 #define SSSR_PINT	(1 << 18)
571 #define SSSR_TINT	(1 << 19)
572 #define SSSR_EOC	(1 << 20)
573 #define SSSR_TUR	(1 << 21)
574 #define SSSR_BCE	(1 << 23)
575 #define SSSR_RW		0x00bc0080
576 
577 static void pxa2xx_ssp_int_update(PXA2xxSSPState *s)
578 {
579     int level = 0;
580 
581     level |= s->ssitr & SSITR_INT;
582     level |= (s->sssr & SSSR_BCE)  &&  (s->sscr[1] & SSCR1_EBCEI);
583     level |= (s->sssr & SSSR_TUR)  && !(s->sscr[0] & SSCR0_TIM);
584     level |= (s->sssr & SSSR_EOC)  &&  (s->sssr & (SSSR_TINT | SSSR_PINT));
585     level |= (s->sssr & SSSR_TINT) &&  (s->sscr[1] & SSCR1_TINTE);
586     level |= (s->sssr & SSSR_PINT) &&  (s->sscr[1] & SSCR1_PINTE);
587     level |= (s->sssr & SSSR_ROR)  && !(s->sscr[0] & SSCR0_RIM);
588     level |= (s->sssr & SSSR_RFS)  &&  (s->sscr[1] & SSCR1_RIE);
589     level |= (s->sssr & SSSR_TFS)  &&  (s->sscr[1] & SSCR1_TIE);
590     qemu_set_irq(s->irq, !!level);
591 }
592 
593 static void pxa2xx_ssp_fifo_update(PXA2xxSSPState *s)
594 {
595     s->sssr &= ~(0xf << 12);	/* Clear RFL */
596     s->sssr &= ~(0xf << 8);	/* Clear TFL */
597     s->sssr &= ~SSSR_TFS;
598     s->sssr &= ~SSSR_TNF;
599     if (s->enable) {
600         s->sssr |= ((s->rx_level - 1) & 0xf) << 12;
601         if (s->rx_level >= SSCR1_RFT(s->sscr[1]))
602             s->sssr |= SSSR_RFS;
603         else
604             s->sssr &= ~SSSR_RFS;
605         if (s->rx_level)
606             s->sssr |= SSSR_RNE;
607         else
608             s->sssr &= ~SSSR_RNE;
609         /* TX FIFO is never filled, so it is always in underrun
610            condition if SSP is enabled */
611         s->sssr |= SSSR_TFS;
612         s->sssr |= SSSR_TNF;
613     }
614 
615     pxa2xx_ssp_int_update(s);
616 }
617 
618 static uint64_t pxa2xx_ssp_read(void *opaque, hwaddr addr,
619                                 unsigned size)
620 {
621     PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
622     uint32_t retval;
623 
624     switch (addr) {
625     case SSCR0:
626         return s->sscr[0];
627     case SSCR1:
628         return s->sscr[1];
629     case SSPSP:
630         return s->sspsp;
631     case SSTO:
632         return s->ssto;
633     case SSITR:
634         return s->ssitr;
635     case SSSR:
636         return s->sssr | s->ssitr;
637     case SSDR:
638         if (!s->enable)
639             return 0xffffffff;
640         if (s->rx_level < 1) {
641             printf("%s: SSP Rx Underrun\n", __func__);
642             return 0xffffffff;
643         }
644         s->rx_level --;
645         retval = s->rx_fifo[s->rx_start ++];
646         s->rx_start &= 0xf;
647         pxa2xx_ssp_fifo_update(s);
648         return retval;
649     case SSTSA:
650         return s->sstsa;
651     case SSRSA:
652         return s->ssrsa;
653     case SSTSS:
654         return 0;
655     case SSACD:
656         return s->ssacd;
657     default:
658         qemu_log_mask(LOG_GUEST_ERROR,
659                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
660                       __func__, addr);
661         break;
662     }
663     return 0;
664 }
665 
666 static void pxa2xx_ssp_write(void *opaque, hwaddr addr,
667                              uint64_t value64, unsigned size)
668 {
669     PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
670     uint32_t value = value64;
671 
672     switch (addr) {
673     case SSCR0:
674         s->sscr[0] = value & 0xc7ffffff;
675         s->enable = value & SSCR0_SSE;
676         if (value & SSCR0_MOD)
677             printf("%s: Attempt to use network mode\n", __func__);
678         if (s->enable && SSCR0_DSS(value) < 4)
679             printf("%s: Wrong data size: %u bits\n", __func__,
680                             SSCR0_DSS(value));
681         if (!(value & SSCR0_SSE)) {
682             s->sssr = 0;
683             s->ssitr = 0;
684             s->rx_level = 0;
685         }
686         pxa2xx_ssp_fifo_update(s);
687         break;
688 
689     case SSCR1:
690         s->sscr[1] = value;
691         if (value & (SSCR1_LBM | SSCR1_EFWR))
692             printf("%s: Attempt to use SSP test mode\n", __func__);
693         pxa2xx_ssp_fifo_update(s);
694         break;
695 
696     case SSPSP:
697         s->sspsp = value;
698         break;
699 
700     case SSTO:
701         s->ssto = value;
702         break;
703 
704     case SSITR:
705         s->ssitr = value & SSITR_INT;
706         pxa2xx_ssp_int_update(s);
707         break;
708 
709     case SSSR:
710         s->sssr &= ~(value & SSSR_RW);
711         pxa2xx_ssp_int_update(s);
712         break;
713 
714     case SSDR:
715         if (SSCR0_UWIRE(s->sscr[0])) {
716             if (s->sscr[1] & SSCR1_MWDS)
717                 value &= 0xffff;
718             else
719                 value &= 0xff;
720         } else
721             /* Note how 32bits overflow does no harm here */
722             value &= (1 << SSCR0_DSS(s->sscr[0])) - 1;
723 
724         /* Data goes from here to the Tx FIFO and is shifted out from
725          * there directly to the slave, no need to buffer it.
726          */
727         if (s->enable) {
728             uint32_t readval;
729             readval = ssi_transfer(s->bus, value);
730             if (s->rx_level < 0x10) {
731                 s->rx_fifo[(s->rx_start + s->rx_level ++) & 0xf] = readval;
732             } else {
733                 s->sssr |= SSSR_ROR;
734             }
735         }
736         pxa2xx_ssp_fifo_update(s);
737         break;
738 
739     case SSTSA:
740         s->sstsa = value;
741         break;
742 
743     case SSRSA:
744         s->ssrsa = value;
745         break;
746 
747     case SSACD:
748         s->ssacd = value;
749         break;
750 
751     default:
752         qemu_log_mask(LOG_GUEST_ERROR,
753                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
754                       __func__, addr);
755         break;
756     }
757 }
758 
759 static const MemoryRegionOps pxa2xx_ssp_ops = {
760     .read = pxa2xx_ssp_read,
761     .write = pxa2xx_ssp_write,
762     .endianness = DEVICE_NATIVE_ENDIAN,
763 };
764 
765 static void pxa2xx_ssp_reset(DeviceState *d)
766 {
767     PXA2xxSSPState *s = PXA2XX_SSP(d);
768 
769     s->enable = 0;
770     s->sscr[0] = s->sscr[1] = 0;
771     s->sspsp = 0;
772     s->ssto = 0;
773     s->ssitr = 0;
774     s->sssr = 0;
775     s->sstsa = 0;
776     s->ssrsa = 0;
777     s->ssacd = 0;
778     s->rx_start = s->rx_level = 0;
779 }
780 
781 static void pxa2xx_ssp_init(Object *obj)
782 {
783     DeviceState *dev = DEVICE(obj);
784     PXA2xxSSPState *s = PXA2XX_SSP(obj);
785     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
786     sysbus_init_irq(sbd, &s->irq);
787 
788     memory_region_init_io(&s->iomem, obj, &pxa2xx_ssp_ops, s,
789                           "pxa2xx-ssp", 0x1000);
790     sysbus_init_mmio(sbd, &s->iomem);
791 
792     s->bus = ssi_create_bus(dev, "ssi");
793 }
794 
795 /* Real-Time Clock */
796 #define RCNR		0x00	/* RTC Counter register */
797 #define RTAR		0x04	/* RTC Alarm register */
798 #define RTSR		0x08	/* RTC Status register */
799 #define RTTR		0x0c	/* RTC Timer Trim register */
800 #define RDCR		0x10	/* RTC Day Counter register */
801 #define RYCR		0x14	/* RTC Year Counter register */
802 #define RDAR1		0x18	/* RTC Wristwatch Day Alarm register 1 */
803 #define RYAR1		0x1c	/* RTC Wristwatch Year Alarm register 1 */
804 #define RDAR2		0x20	/* RTC Wristwatch Day Alarm register 2 */
805 #define RYAR2		0x24	/* RTC Wristwatch Year Alarm register 2 */
806 #define SWCR		0x28	/* RTC Stopwatch Counter register */
807 #define SWAR1		0x2c	/* RTC Stopwatch Alarm register 1 */
808 #define SWAR2		0x30	/* RTC Stopwatch Alarm register 2 */
809 #define RTCPICR		0x34	/* RTC Periodic Interrupt Counter register */
810 #define PIAR		0x38	/* RTC Periodic Interrupt Alarm register */
811 
812 #define TYPE_PXA2XX_RTC "pxa2xx_rtc"
813 OBJECT_DECLARE_SIMPLE_TYPE(PXA2xxRTCState, PXA2XX_RTC)
814 
815 struct PXA2xxRTCState {
816     /*< private >*/
817     SysBusDevice parent_obj;
818     /*< public >*/
819 
820     MemoryRegion iomem;
821     uint32_t rttr;
822     uint32_t rtsr;
823     uint32_t rtar;
824     uint32_t rdar1;
825     uint32_t rdar2;
826     uint32_t ryar1;
827     uint32_t ryar2;
828     uint32_t swar1;
829     uint32_t swar2;
830     uint32_t piar;
831     uint32_t last_rcnr;
832     uint32_t last_rdcr;
833     uint32_t last_rycr;
834     uint32_t last_swcr;
835     uint32_t last_rtcpicr;
836     int64_t last_hz;
837     int64_t last_sw;
838     int64_t last_pi;
839     QEMUTimer *rtc_hz;
840     QEMUTimer *rtc_rdal1;
841     QEMUTimer *rtc_rdal2;
842     QEMUTimer *rtc_swal1;
843     QEMUTimer *rtc_swal2;
844     QEMUTimer *rtc_pi;
845     qemu_irq rtc_irq;
846 };
847 
848 static inline void pxa2xx_rtc_int_update(PXA2xxRTCState *s)
849 {
850     qemu_set_irq(s->rtc_irq, !!(s->rtsr & 0x2553));
851 }
852 
853 static void pxa2xx_rtc_hzupdate(PXA2xxRTCState *s)
854 {
855     int64_t rt = qemu_clock_get_ms(rtc_clock);
856     s->last_rcnr += ((rt - s->last_hz) << 15) /
857             (1000 * ((s->rttr & 0xffff) + 1));
858     s->last_rdcr += ((rt - s->last_hz) << 15) /
859             (1000 * ((s->rttr & 0xffff) + 1));
860     s->last_hz = rt;
861 }
862 
863 static void pxa2xx_rtc_swupdate(PXA2xxRTCState *s)
864 {
865     int64_t rt = qemu_clock_get_ms(rtc_clock);
866     if (s->rtsr & (1 << 12))
867         s->last_swcr += (rt - s->last_sw) / 10;
868     s->last_sw = rt;
869 }
870 
871 static void pxa2xx_rtc_piupdate(PXA2xxRTCState *s)
872 {
873     int64_t rt = qemu_clock_get_ms(rtc_clock);
874     if (s->rtsr & (1 << 15))
875         s->last_swcr += rt - s->last_pi;
876     s->last_pi = rt;
877 }
878 
879 static inline void pxa2xx_rtc_alarm_update(PXA2xxRTCState *s,
880                 uint32_t rtsr)
881 {
882     if ((rtsr & (1 << 2)) && !(rtsr & (1 << 0)))
883         timer_mod(s->rtc_hz, s->last_hz +
884                 (((s->rtar - s->last_rcnr) * 1000 *
885                   ((s->rttr & 0xffff) + 1)) >> 15));
886     else
887         timer_del(s->rtc_hz);
888 
889     if ((rtsr & (1 << 5)) && !(rtsr & (1 << 4)))
890         timer_mod(s->rtc_rdal1, s->last_hz +
891                 (((s->rdar1 - s->last_rdcr) * 1000 *
892                   ((s->rttr & 0xffff) + 1)) >> 15)); /* TODO: fixup */
893     else
894         timer_del(s->rtc_rdal1);
895 
896     if ((rtsr & (1 << 7)) && !(rtsr & (1 << 6)))
897         timer_mod(s->rtc_rdal2, s->last_hz +
898                 (((s->rdar2 - s->last_rdcr) * 1000 *
899                   ((s->rttr & 0xffff) + 1)) >> 15)); /* TODO: fixup */
900     else
901         timer_del(s->rtc_rdal2);
902 
903     if ((rtsr & 0x1200) == 0x1200 && !(rtsr & (1 << 8)))
904         timer_mod(s->rtc_swal1, s->last_sw +
905                         (s->swar1 - s->last_swcr) * 10); /* TODO: fixup */
906     else
907         timer_del(s->rtc_swal1);
908 
909     if ((rtsr & 0x1800) == 0x1800 && !(rtsr & (1 << 10)))
910         timer_mod(s->rtc_swal2, s->last_sw +
911                         (s->swar2 - s->last_swcr) * 10); /* TODO: fixup */
912     else
913         timer_del(s->rtc_swal2);
914 
915     if ((rtsr & 0xc000) == 0xc000 && !(rtsr & (1 << 13)))
916         timer_mod(s->rtc_pi, s->last_pi +
917                         (s->piar & 0xffff) - s->last_rtcpicr);
918     else
919         timer_del(s->rtc_pi);
920 }
921 
922 static inline void pxa2xx_rtc_hz_tick(void *opaque)
923 {
924     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
925     s->rtsr |= (1 << 0);
926     pxa2xx_rtc_alarm_update(s, s->rtsr);
927     pxa2xx_rtc_int_update(s);
928 }
929 
930 static inline void pxa2xx_rtc_rdal1_tick(void *opaque)
931 {
932     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
933     s->rtsr |= (1 << 4);
934     pxa2xx_rtc_alarm_update(s, s->rtsr);
935     pxa2xx_rtc_int_update(s);
936 }
937 
938 static inline void pxa2xx_rtc_rdal2_tick(void *opaque)
939 {
940     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
941     s->rtsr |= (1 << 6);
942     pxa2xx_rtc_alarm_update(s, s->rtsr);
943     pxa2xx_rtc_int_update(s);
944 }
945 
946 static inline void pxa2xx_rtc_swal1_tick(void *opaque)
947 {
948     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
949     s->rtsr |= (1 << 8);
950     pxa2xx_rtc_alarm_update(s, s->rtsr);
951     pxa2xx_rtc_int_update(s);
952 }
953 
954 static inline void pxa2xx_rtc_swal2_tick(void *opaque)
955 {
956     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
957     s->rtsr |= (1 << 10);
958     pxa2xx_rtc_alarm_update(s, s->rtsr);
959     pxa2xx_rtc_int_update(s);
960 }
961 
962 static inline void pxa2xx_rtc_pi_tick(void *opaque)
963 {
964     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
965     s->rtsr |= (1 << 13);
966     pxa2xx_rtc_piupdate(s);
967     s->last_rtcpicr = 0;
968     pxa2xx_rtc_alarm_update(s, s->rtsr);
969     pxa2xx_rtc_int_update(s);
970 }
971 
972 static uint64_t pxa2xx_rtc_read(void *opaque, hwaddr addr,
973                                 unsigned size)
974 {
975     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
976 
977     switch (addr) {
978     case RTTR:
979         return s->rttr;
980     case RTSR:
981         return s->rtsr;
982     case RTAR:
983         return s->rtar;
984     case RDAR1:
985         return s->rdar1;
986     case RDAR2:
987         return s->rdar2;
988     case RYAR1:
989         return s->ryar1;
990     case RYAR2:
991         return s->ryar2;
992     case SWAR1:
993         return s->swar1;
994     case SWAR2:
995         return s->swar2;
996     case PIAR:
997         return s->piar;
998     case RCNR:
999         return s->last_rcnr +
1000             ((qemu_clock_get_ms(rtc_clock) - s->last_hz) << 15) /
1001             (1000 * ((s->rttr & 0xffff) + 1));
1002     case RDCR:
1003         return s->last_rdcr +
1004             ((qemu_clock_get_ms(rtc_clock) - s->last_hz) << 15) /
1005             (1000 * ((s->rttr & 0xffff) + 1));
1006     case RYCR:
1007         return s->last_rycr;
1008     case SWCR:
1009         if (s->rtsr & (1 << 12))
1010             return s->last_swcr +
1011                 (qemu_clock_get_ms(rtc_clock) - s->last_sw) / 10;
1012         else
1013             return s->last_swcr;
1014     default:
1015         qemu_log_mask(LOG_GUEST_ERROR,
1016                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
1017                       __func__, addr);
1018         break;
1019     }
1020     return 0;
1021 }
1022 
1023 static void pxa2xx_rtc_write(void *opaque, hwaddr addr,
1024                              uint64_t value64, unsigned size)
1025 {
1026     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
1027     uint32_t value = value64;
1028 
1029     switch (addr) {
1030     case RTTR:
1031         if (!(s->rttr & (1U << 31))) {
1032             pxa2xx_rtc_hzupdate(s);
1033             s->rttr = value;
1034             pxa2xx_rtc_alarm_update(s, s->rtsr);
1035         }
1036         break;
1037 
1038     case RTSR:
1039         if ((s->rtsr ^ value) & (1 << 15))
1040             pxa2xx_rtc_piupdate(s);
1041 
1042         if ((s->rtsr ^ value) & (1 << 12))
1043             pxa2xx_rtc_swupdate(s);
1044 
1045         if (((s->rtsr ^ value) & 0x4aac) | (value & ~0xdaac))
1046             pxa2xx_rtc_alarm_update(s, value);
1047 
1048         s->rtsr = (value & 0xdaac) | (s->rtsr & ~(value & ~0xdaac));
1049         pxa2xx_rtc_int_update(s);
1050         break;
1051 
1052     case RTAR:
1053         s->rtar = value;
1054         pxa2xx_rtc_alarm_update(s, s->rtsr);
1055         break;
1056 
1057     case RDAR1:
1058         s->rdar1 = value;
1059         pxa2xx_rtc_alarm_update(s, s->rtsr);
1060         break;
1061 
1062     case RDAR2:
1063         s->rdar2 = value;
1064         pxa2xx_rtc_alarm_update(s, s->rtsr);
1065         break;
1066 
1067     case RYAR1:
1068         s->ryar1 = value;
1069         pxa2xx_rtc_alarm_update(s, s->rtsr);
1070         break;
1071 
1072     case RYAR2:
1073         s->ryar2 = value;
1074         pxa2xx_rtc_alarm_update(s, s->rtsr);
1075         break;
1076 
1077     case SWAR1:
1078         pxa2xx_rtc_swupdate(s);
1079         s->swar1 = value;
1080         s->last_swcr = 0;
1081         pxa2xx_rtc_alarm_update(s, s->rtsr);
1082         break;
1083 
1084     case SWAR2:
1085         s->swar2 = value;
1086         pxa2xx_rtc_alarm_update(s, s->rtsr);
1087         break;
1088 
1089     case PIAR:
1090         s->piar = value;
1091         pxa2xx_rtc_alarm_update(s, s->rtsr);
1092         break;
1093 
1094     case RCNR:
1095         pxa2xx_rtc_hzupdate(s);
1096         s->last_rcnr = value;
1097         pxa2xx_rtc_alarm_update(s, s->rtsr);
1098         break;
1099 
1100     case RDCR:
1101         pxa2xx_rtc_hzupdate(s);
1102         s->last_rdcr = value;
1103         pxa2xx_rtc_alarm_update(s, s->rtsr);
1104         break;
1105 
1106     case RYCR:
1107         s->last_rycr = value;
1108         break;
1109 
1110     case SWCR:
1111         pxa2xx_rtc_swupdate(s);
1112         s->last_swcr = value;
1113         pxa2xx_rtc_alarm_update(s, s->rtsr);
1114         break;
1115 
1116     case RTCPICR:
1117         pxa2xx_rtc_piupdate(s);
1118         s->last_rtcpicr = value & 0xffff;
1119         pxa2xx_rtc_alarm_update(s, s->rtsr);
1120         break;
1121 
1122     default:
1123         qemu_log_mask(LOG_GUEST_ERROR,
1124                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
1125                       __func__, addr);
1126     }
1127 }
1128 
1129 static const MemoryRegionOps pxa2xx_rtc_ops = {
1130     .read = pxa2xx_rtc_read,
1131     .write = pxa2xx_rtc_write,
1132     .endianness = DEVICE_NATIVE_ENDIAN,
1133 };
1134 
1135 static void pxa2xx_rtc_init(Object *obj)
1136 {
1137     PXA2xxRTCState *s = PXA2XX_RTC(obj);
1138     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
1139     struct tm tm;
1140     int wom;
1141 
1142     s->rttr = 0x7fff;
1143     s->rtsr = 0;
1144 
1145     qemu_get_timedate(&tm, 0);
1146     wom = ((tm.tm_mday - 1) / 7) + 1;
1147 
1148     s->last_rcnr = (uint32_t) mktimegm(&tm);
1149     s->last_rdcr = (wom << 20) | ((tm.tm_wday + 1) << 17) |
1150             (tm.tm_hour << 12) | (tm.tm_min << 6) | tm.tm_sec;
1151     s->last_rycr = ((tm.tm_year + 1900) << 9) |
1152             ((tm.tm_mon + 1) << 5) | tm.tm_mday;
1153     s->last_swcr = (tm.tm_hour << 19) |
1154             (tm.tm_min << 13) | (tm.tm_sec << 7);
1155     s->last_rtcpicr = 0;
1156     s->last_hz = s->last_sw = s->last_pi = qemu_clock_get_ms(rtc_clock);
1157 
1158     sysbus_init_irq(dev, &s->rtc_irq);
1159 
1160     memory_region_init_io(&s->iomem, obj, &pxa2xx_rtc_ops, s,
1161                           "pxa2xx-rtc", 0x10000);
1162     sysbus_init_mmio(dev, &s->iomem);
1163 }
1164 
1165 static void pxa2xx_rtc_realize(DeviceState *dev, Error **errp)
1166 {
1167     PXA2xxRTCState *s = PXA2XX_RTC(dev);
1168     s->rtc_hz    = timer_new_ms(rtc_clock, pxa2xx_rtc_hz_tick,    s);
1169     s->rtc_rdal1 = timer_new_ms(rtc_clock, pxa2xx_rtc_rdal1_tick, s);
1170     s->rtc_rdal2 = timer_new_ms(rtc_clock, pxa2xx_rtc_rdal2_tick, s);
1171     s->rtc_swal1 = timer_new_ms(rtc_clock, pxa2xx_rtc_swal1_tick, s);
1172     s->rtc_swal2 = timer_new_ms(rtc_clock, pxa2xx_rtc_swal2_tick, s);
1173     s->rtc_pi    = timer_new_ms(rtc_clock, pxa2xx_rtc_pi_tick,    s);
1174 }
1175 
1176 static int pxa2xx_rtc_pre_save(void *opaque)
1177 {
1178     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
1179 
1180     pxa2xx_rtc_hzupdate(s);
1181     pxa2xx_rtc_piupdate(s);
1182     pxa2xx_rtc_swupdate(s);
1183 
1184     return 0;
1185 }
1186 
1187 static int pxa2xx_rtc_post_load(void *opaque, int version_id)
1188 {
1189     PXA2xxRTCState *s = (PXA2xxRTCState *) opaque;
1190 
1191     pxa2xx_rtc_alarm_update(s, s->rtsr);
1192 
1193     return 0;
1194 }
1195 
1196 static const VMStateDescription vmstate_pxa2xx_rtc_regs = {
1197     .name = "pxa2xx_rtc",
1198     .version_id = 0,
1199     .minimum_version_id = 0,
1200     .pre_save = pxa2xx_rtc_pre_save,
1201     .post_load = pxa2xx_rtc_post_load,
1202     .fields = (VMStateField[]) {
1203         VMSTATE_UINT32(rttr, PXA2xxRTCState),
1204         VMSTATE_UINT32(rtsr, PXA2xxRTCState),
1205         VMSTATE_UINT32(rtar, PXA2xxRTCState),
1206         VMSTATE_UINT32(rdar1, PXA2xxRTCState),
1207         VMSTATE_UINT32(rdar2, PXA2xxRTCState),
1208         VMSTATE_UINT32(ryar1, PXA2xxRTCState),
1209         VMSTATE_UINT32(ryar2, PXA2xxRTCState),
1210         VMSTATE_UINT32(swar1, PXA2xxRTCState),
1211         VMSTATE_UINT32(swar2, PXA2xxRTCState),
1212         VMSTATE_UINT32(piar, PXA2xxRTCState),
1213         VMSTATE_UINT32(last_rcnr, PXA2xxRTCState),
1214         VMSTATE_UINT32(last_rdcr, PXA2xxRTCState),
1215         VMSTATE_UINT32(last_rycr, PXA2xxRTCState),
1216         VMSTATE_UINT32(last_swcr, PXA2xxRTCState),
1217         VMSTATE_UINT32(last_rtcpicr, PXA2xxRTCState),
1218         VMSTATE_INT64(last_hz, PXA2xxRTCState),
1219         VMSTATE_INT64(last_sw, PXA2xxRTCState),
1220         VMSTATE_INT64(last_pi, PXA2xxRTCState),
1221         VMSTATE_END_OF_LIST(),
1222     },
1223 };
1224 
1225 static void pxa2xx_rtc_sysbus_class_init(ObjectClass *klass, void *data)
1226 {
1227     DeviceClass *dc = DEVICE_CLASS(klass);
1228 
1229     dc->desc = "PXA2xx RTC Controller";
1230     dc->vmsd = &vmstate_pxa2xx_rtc_regs;
1231     dc->realize = pxa2xx_rtc_realize;
1232 }
1233 
1234 static const TypeInfo pxa2xx_rtc_sysbus_info = {
1235     .name          = TYPE_PXA2XX_RTC,
1236     .parent        = TYPE_SYS_BUS_DEVICE,
1237     .instance_size = sizeof(PXA2xxRTCState),
1238     .instance_init = pxa2xx_rtc_init,
1239     .class_init    = pxa2xx_rtc_sysbus_class_init,
1240 };
1241 
1242 /* I2C Interface */
1243 
1244 #define TYPE_PXA2XX_I2C_SLAVE "pxa2xx-i2c-slave"
1245 OBJECT_DECLARE_SIMPLE_TYPE(PXA2xxI2CSlaveState, PXA2XX_I2C_SLAVE)
1246 
1247 struct PXA2xxI2CSlaveState {
1248     I2CSlave parent_obj;
1249 
1250     PXA2xxI2CState *host;
1251 };
1252 
1253 struct PXA2xxI2CState {
1254     /*< private >*/
1255     SysBusDevice parent_obj;
1256     /*< public >*/
1257 
1258     MemoryRegion iomem;
1259     PXA2xxI2CSlaveState *slave;
1260     I2CBus *bus;
1261     qemu_irq irq;
1262     uint32_t offset;
1263     uint32_t region_size;
1264 
1265     uint16_t control;
1266     uint16_t status;
1267     uint8_t ibmr;
1268     uint8_t data;
1269 };
1270 
1271 #define IBMR	0x80	/* I2C Bus Monitor register */
1272 #define IDBR	0x88	/* I2C Data Buffer register */
1273 #define ICR	0x90	/* I2C Control register */
1274 #define ISR	0x98	/* I2C Status register */
1275 #define ISAR	0xa0	/* I2C Slave Address register */
1276 
1277 static void pxa2xx_i2c_update(PXA2xxI2CState *s)
1278 {
1279     uint16_t level = 0;
1280     level |= s->status & s->control & (1 << 10);		/* BED */
1281     level |= (s->status & (1 << 7)) && (s->control & (1 << 9));	/* IRF */
1282     level |= (s->status & (1 << 6)) && (s->control & (1 << 8));	/* ITE */
1283     level |= s->status & (1 << 9);				/* SAD */
1284     qemu_set_irq(s->irq, !!level);
1285 }
1286 
1287 /* These are only stubs now.  */
1288 static int pxa2xx_i2c_event(I2CSlave *i2c, enum i2c_event event)
1289 {
1290     PXA2xxI2CSlaveState *slave = PXA2XX_I2C_SLAVE(i2c);
1291     PXA2xxI2CState *s = slave->host;
1292 
1293     switch (event) {
1294     case I2C_START_SEND:
1295         s->status |= (1 << 9);				/* set SAD */
1296         s->status &= ~(1 << 0);				/* clear RWM */
1297         break;
1298     case I2C_START_RECV:
1299         s->status |= (1 << 9);				/* set SAD */
1300         s->status |= 1 << 0;				/* set RWM */
1301         break;
1302     case I2C_FINISH:
1303         s->status |= (1 << 4);				/* set SSD */
1304         break;
1305     case I2C_NACK:
1306         s->status |= 1 << 1;				/* set ACKNAK */
1307         break;
1308     default:
1309         return -1;
1310     }
1311     pxa2xx_i2c_update(s);
1312 
1313     return 0;
1314 }
1315 
1316 static uint8_t pxa2xx_i2c_rx(I2CSlave *i2c)
1317 {
1318     PXA2xxI2CSlaveState *slave = PXA2XX_I2C_SLAVE(i2c);
1319     PXA2xxI2CState *s = slave->host;
1320 
1321     if ((s->control & (1 << 14)) || !(s->control & (1 << 6))) {
1322         return 0;
1323     }
1324 
1325     if (s->status & (1 << 0)) {			/* RWM */
1326         s->status |= 1 << 6;			/* set ITE */
1327     }
1328     pxa2xx_i2c_update(s);
1329 
1330     return s->data;
1331 }
1332 
1333 static int pxa2xx_i2c_tx(I2CSlave *i2c, uint8_t data)
1334 {
1335     PXA2xxI2CSlaveState *slave = PXA2XX_I2C_SLAVE(i2c);
1336     PXA2xxI2CState *s = slave->host;
1337 
1338     if ((s->control & (1 << 14)) || !(s->control & (1 << 6))) {
1339         return 1;
1340     }
1341 
1342     if (!(s->status & (1 << 0))) {		/* RWM */
1343         s->status |= 1 << 7;			/* set IRF */
1344         s->data = data;
1345     }
1346     pxa2xx_i2c_update(s);
1347 
1348     return 1;
1349 }
1350 
1351 static uint64_t pxa2xx_i2c_read(void *opaque, hwaddr addr,
1352                                 unsigned size)
1353 {
1354     PXA2xxI2CState *s = (PXA2xxI2CState *) opaque;
1355     I2CSlave *slave;
1356 
1357     addr -= s->offset;
1358     switch (addr) {
1359     case ICR:
1360         return s->control;
1361     case ISR:
1362         return s->status | (i2c_bus_busy(s->bus) << 2);
1363     case ISAR:
1364         slave = I2C_SLAVE(s->slave);
1365         return slave->address;
1366     case IDBR:
1367         return s->data;
1368     case IBMR:
1369         if (s->status & (1 << 2))
1370             s->ibmr ^= 3;	/* Fake SCL and SDA pin changes */
1371         else
1372             s->ibmr = 0;
1373         return s->ibmr;
1374     default:
1375         qemu_log_mask(LOG_GUEST_ERROR,
1376                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
1377                       __func__, addr);
1378         break;
1379     }
1380     return 0;
1381 }
1382 
1383 static void pxa2xx_i2c_write(void *opaque, hwaddr addr,
1384                              uint64_t value64, unsigned size)
1385 {
1386     PXA2xxI2CState *s = (PXA2xxI2CState *) opaque;
1387     uint32_t value = value64;
1388     int ack;
1389 
1390     addr -= s->offset;
1391     switch (addr) {
1392     case ICR:
1393         s->control = value & 0xfff7;
1394         if ((value & (1 << 3)) && (value & (1 << 6))) {	/* TB and IUE */
1395             /* TODO: slave mode */
1396             if (value & (1 << 0)) {			/* START condition */
1397                 if (s->data & 1)
1398                     s->status |= 1 << 0;		/* set RWM */
1399                 else
1400                     s->status &= ~(1 << 0);		/* clear RWM */
1401                 ack = !i2c_start_transfer(s->bus, s->data >> 1, s->data & 1);
1402             } else {
1403                 if (s->status & (1 << 0)) {		/* RWM */
1404                     s->data = i2c_recv(s->bus);
1405                     if (value & (1 << 2))		/* ACKNAK */
1406                         i2c_nack(s->bus);
1407                     ack = 1;
1408                 } else
1409                     ack = !i2c_send(s->bus, s->data);
1410             }
1411 
1412             if (value & (1 << 1))			/* STOP condition */
1413                 i2c_end_transfer(s->bus);
1414 
1415             if (ack) {
1416                 if (value & (1 << 0))			/* START condition */
1417                     s->status |= 1 << 6;		/* set ITE */
1418                 else
1419                     if (s->status & (1 << 0))		/* RWM */
1420                         s->status |= 1 << 7;		/* set IRF */
1421                     else
1422                         s->status |= 1 << 6;		/* set ITE */
1423                 s->status &= ~(1 << 1);			/* clear ACKNAK */
1424             } else {
1425                 s->status |= 1 << 6;			/* set ITE */
1426                 s->status |= 1 << 10;			/* set BED */
1427                 s->status |= 1 << 1;			/* set ACKNAK */
1428             }
1429         }
1430         if (!(value & (1 << 3)) && (value & (1 << 6)))	/* !TB and IUE */
1431             if (value & (1 << 4))			/* MA */
1432                 i2c_end_transfer(s->bus);
1433         pxa2xx_i2c_update(s);
1434         break;
1435 
1436     case ISR:
1437         s->status &= ~(value & 0x07f0);
1438         pxa2xx_i2c_update(s);
1439         break;
1440 
1441     case ISAR:
1442         i2c_slave_set_address(I2C_SLAVE(s->slave), value & 0x7f);
1443         break;
1444 
1445     case IDBR:
1446         s->data = value & 0xff;
1447         break;
1448 
1449     default:
1450         qemu_log_mask(LOG_GUEST_ERROR,
1451                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
1452                       __func__, addr);
1453     }
1454 }
1455 
1456 static const MemoryRegionOps pxa2xx_i2c_ops = {
1457     .read = pxa2xx_i2c_read,
1458     .write = pxa2xx_i2c_write,
1459     .endianness = DEVICE_NATIVE_ENDIAN,
1460 };
1461 
1462 static const VMStateDescription vmstate_pxa2xx_i2c_slave = {
1463     .name = "pxa2xx_i2c_slave",
1464     .version_id = 1,
1465     .minimum_version_id = 1,
1466     .fields = (VMStateField[]) {
1467         VMSTATE_I2C_SLAVE(parent_obj, PXA2xxI2CSlaveState),
1468         VMSTATE_END_OF_LIST()
1469     }
1470 };
1471 
1472 static const VMStateDescription vmstate_pxa2xx_i2c = {
1473     .name = "pxa2xx_i2c",
1474     .version_id = 1,
1475     .minimum_version_id = 1,
1476     .fields = (VMStateField[]) {
1477         VMSTATE_UINT16(control, PXA2xxI2CState),
1478         VMSTATE_UINT16(status, PXA2xxI2CState),
1479         VMSTATE_UINT8(ibmr, PXA2xxI2CState),
1480         VMSTATE_UINT8(data, PXA2xxI2CState),
1481         VMSTATE_STRUCT_POINTER(slave, PXA2xxI2CState,
1482                                vmstate_pxa2xx_i2c_slave, PXA2xxI2CSlaveState),
1483         VMSTATE_END_OF_LIST()
1484     }
1485 };
1486 
1487 static void pxa2xx_i2c_slave_class_init(ObjectClass *klass, void *data)
1488 {
1489     I2CSlaveClass *k = I2C_SLAVE_CLASS(klass);
1490 
1491     k->event = pxa2xx_i2c_event;
1492     k->recv = pxa2xx_i2c_rx;
1493     k->send = pxa2xx_i2c_tx;
1494 }
1495 
1496 static const TypeInfo pxa2xx_i2c_slave_info = {
1497     .name          = TYPE_PXA2XX_I2C_SLAVE,
1498     .parent        = TYPE_I2C_SLAVE,
1499     .instance_size = sizeof(PXA2xxI2CSlaveState),
1500     .class_init    = pxa2xx_i2c_slave_class_init,
1501 };
1502 
1503 PXA2xxI2CState *pxa2xx_i2c_init(hwaddr base,
1504                 qemu_irq irq, uint32_t region_size)
1505 {
1506     DeviceState *dev;
1507     SysBusDevice *i2c_dev;
1508     PXA2xxI2CState *s;
1509     I2CBus *i2cbus;
1510 
1511     dev = qdev_new(TYPE_PXA2XX_I2C);
1512     qdev_prop_set_uint32(dev, "size", region_size + 1);
1513     qdev_prop_set_uint32(dev, "offset", base & region_size);
1514 
1515     i2c_dev = SYS_BUS_DEVICE(dev);
1516     sysbus_realize_and_unref(i2c_dev, &error_fatal);
1517     sysbus_mmio_map(i2c_dev, 0, base & ~region_size);
1518     sysbus_connect_irq(i2c_dev, 0, irq);
1519 
1520     s = PXA2XX_I2C(i2c_dev);
1521     /* FIXME: Should the slave device really be on a separate bus?  */
1522     i2cbus = i2c_init_bus(dev, "dummy");
1523     s->slave = PXA2XX_I2C_SLAVE(i2c_slave_create_simple(i2cbus,
1524                                                         TYPE_PXA2XX_I2C_SLAVE,
1525                                                         0));
1526     s->slave->host = s;
1527 
1528     return s;
1529 }
1530 
1531 static void pxa2xx_i2c_initfn(Object *obj)
1532 {
1533     DeviceState *dev = DEVICE(obj);
1534     PXA2xxI2CState *s = PXA2XX_I2C(obj);
1535     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1536 
1537     s->bus = i2c_init_bus(dev, NULL);
1538 
1539     memory_region_init_io(&s->iomem, obj, &pxa2xx_i2c_ops, s,
1540                           "pxa2xx-i2c", s->region_size);
1541     sysbus_init_mmio(sbd, &s->iomem);
1542     sysbus_init_irq(sbd, &s->irq);
1543 }
1544 
1545 I2CBus *pxa2xx_i2c_bus(PXA2xxI2CState *s)
1546 {
1547     return s->bus;
1548 }
1549 
1550 static Property pxa2xx_i2c_properties[] = {
1551     DEFINE_PROP_UINT32("size", PXA2xxI2CState, region_size, 0x10000),
1552     DEFINE_PROP_UINT32("offset", PXA2xxI2CState, offset, 0),
1553     DEFINE_PROP_END_OF_LIST(),
1554 };
1555 
1556 static void pxa2xx_i2c_class_init(ObjectClass *klass, void *data)
1557 {
1558     DeviceClass *dc = DEVICE_CLASS(klass);
1559 
1560     dc->desc = "PXA2xx I2C Bus Controller";
1561     dc->vmsd = &vmstate_pxa2xx_i2c;
1562     device_class_set_props(dc, pxa2xx_i2c_properties);
1563 }
1564 
1565 static const TypeInfo pxa2xx_i2c_info = {
1566     .name          = TYPE_PXA2XX_I2C,
1567     .parent        = TYPE_SYS_BUS_DEVICE,
1568     .instance_size = sizeof(PXA2xxI2CState),
1569     .instance_init = pxa2xx_i2c_initfn,
1570     .class_init    = pxa2xx_i2c_class_init,
1571 };
1572 
1573 /* PXA Inter-IC Sound Controller */
1574 static void pxa2xx_i2s_reset(PXA2xxI2SState *i2s)
1575 {
1576     i2s->rx_len = 0;
1577     i2s->tx_len = 0;
1578     i2s->fifo_len = 0;
1579     i2s->clk = 0x1a;
1580     i2s->control[0] = 0x00;
1581     i2s->control[1] = 0x00;
1582     i2s->status = 0x00;
1583     i2s->mask = 0x00;
1584 }
1585 
1586 #define SACR_TFTH(val)	((val >> 8) & 0xf)
1587 #define SACR_RFTH(val)	((val >> 12) & 0xf)
1588 #define SACR_DREC(val)	(val & (1 << 3))
1589 #define SACR_DPRL(val)	(val & (1 << 4))
1590 
1591 static inline void pxa2xx_i2s_update(PXA2xxI2SState *i2s)
1592 {
1593     int rfs, tfs;
1594     rfs = SACR_RFTH(i2s->control[0]) < i2s->rx_len &&
1595             !SACR_DREC(i2s->control[1]);
1596     tfs = (i2s->tx_len || i2s->fifo_len < SACR_TFTH(i2s->control[0])) &&
1597             i2s->enable && !SACR_DPRL(i2s->control[1]);
1598 
1599     qemu_set_irq(i2s->rx_dma, rfs);
1600     qemu_set_irq(i2s->tx_dma, tfs);
1601 
1602     i2s->status &= 0xe0;
1603     if (i2s->fifo_len < 16 || !i2s->enable)
1604         i2s->status |= 1 << 0;			/* TNF */
1605     if (i2s->rx_len)
1606         i2s->status |= 1 << 1;			/* RNE */
1607     if (i2s->enable)
1608         i2s->status |= 1 << 2;			/* BSY */
1609     if (tfs)
1610         i2s->status |= 1 << 3;			/* TFS */
1611     if (rfs)
1612         i2s->status |= 1 << 4;			/* RFS */
1613     if (!(i2s->tx_len && i2s->enable))
1614         i2s->status |= i2s->fifo_len << 8;	/* TFL */
1615     i2s->status |= MAX(i2s->rx_len, 0xf) << 12;	/* RFL */
1616 
1617     qemu_set_irq(i2s->irq, i2s->status & i2s->mask);
1618 }
1619 
1620 #define SACR0	0x00	/* Serial Audio Global Control register */
1621 #define SACR1	0x04	/* Serial Audio I2S/MSB-Justified Control register */
1622 #define SASR0	0x0c	/* Serial Audio Interface and FIFO Status register */
1623 #define SAIMR	0x14	/* Serial Audio Interrupt Mask register */
1624 #define SAICR	0x18	/* Serial Audio Interrupt Clear register */
1625 #define SADIV	0x60	/* Serial Audio Clock Divider register */
1626 #define SADR	0x80	/* Serial Audio Data register */
1627 
1628 static uint64_t pxa2xx_i2s_read(void *opaque, hwaddr addr,
1629                                 unsigned size)
1630 {
1631     PXA2xxI2SState *s = (PXA2xxI2SState *) opaque;
1632 
1633     switch (addr) {
1634     case SACR0:
1635         return s->control[0];
1636     case SACR1:
1637         return s->control[1];
1638     case SASR0:
1639         return s->status;
1640     case SAIMR:
1641         return s->mask;
1642     case SAICR:
1643         return 0;
1644     case SADIV:
1645         return s->clk;
1646     case SADR:
1647         if (s->rx_len > 0) {
1648             s->rx_len --;
1649             pxa2xx_i2s_update(s);
1650             return s->codec_in(s->opaque);
1651         }
1652         return 0;
1653     default:
1654         qemu_log_mask(LOG_GUEST_ERROR,
1655                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
1656                       __func__, addr);
1657         break;
1658     }
1659     return 0;
1660 }
1661 
1662 static void pxa2xx_i2s_write(void *opaque, hwaddr addr,
1663                              uint64_t value, unsigned size)
1664 {
1665     PXA2xxI2SState *s = (PXA2xxI2SState *) opaque;
1666     uint32_t *sample;
1667 
1668     switch (addr) {
1669     case SACR0:
1670         if (value & (1 << 3))				/* RST */
1671             pxa2xx_i2s_reset(s);
1672         s->control[0] = value & 0xff3d;
1673         if (!s->enable && (value & 1) && s->tx_len) {	/* ENB */
1674             for (sample = s->fifo; s->fifo_len > 0; s->fifo_len --, sample ++)
1675                 s->codec_out(s->opaque, *sample);
1676             s->status &= ~(1 << 7);			/* I2SOFF */
1677         }
1678         if (value & (1 << 4))				/* EFWR */
1679             printf("%s: Attempt to use special function\n", __func__);
1680         s->enable = (value & 9) == 1;			/* ENB && !RST*/
1681         pxa2xx_i2s_update(s);
1682         break;
1683     case SACR1:
1684         s->control[1] = value & 0x0039;
1685         if (value & (1 << 5))				/* ENLBF */
1686             printf("%s: Attempt to use loopback function\n", __func__);
1687         if (value & (1 << 4))				/* DPRL */
1688             s->fifo_len = 0;
1689         pxa2xx_i2s_update(s);
1690         break;
1691     case SAIMR:
1692         s->mask = value & 0x0078;
1693         pxa2xx_i2s_update(s);
1694         break;
1695     case SAICR:
1696         s->status &= ~(value & (3 << 5));
1697         pxa2xx_i2s_update(s);
1698         break;
1699     case SADIV:
1700         s->clk = value & 0x007f;
1701         break;
1702     case SADR:
1703         if (s->tx_len && s->enable) {
1704             s->tx_len --;
1705             pxa2xx_i2s_update(s);
1706             s->codec_out(s->opaque, value);
1707         } else if (s->fifo_len < 16) {
1708             s->fifo[s->fifo_len ++] = value;
1709             pxa2xx_i2s_update(s);
1710         }
1711         break;
1712     default:
1713         qemu_log_mask(LOG_GUEST_ERROR,
1714                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
1715                       __func__, addr);
1716     }
1717 }
1718 
1719 static const MemoryRegionOps pxa2xx_i2s_ops = {
1720     .read = pxa2xx_i2s_read,
1721     .write = pxa2xx_i2s_write,
1722     .endianness = DEVICE_NATIVE_ENDIAN,
1723 };
1724 
1725 static const VMStateDescription vmstate_pxa2xx_i2s = {
1726     .name = "pxa2xx_i2s",
1727     .version_id = 0,
1728     .minimum_version_id = 0,
1729     .fields = (VMStateField[]) {
1730         VMSTATE_UINT32_ARRAY(control, PXA2xxI2SState, 2),
1731         VMSTATE_UINT32(status, PXA2xxI2SState),
1732         VMSTATE_UINT32(mask, PXA2xxI2SState),
1733         VMSTATE_UINT32(clk, PXA2xxI2SState),
1734         VMSTATE_INT32(enable, PXA2xxI2SState),
1735         VMSTATE_INT32(rx_len, PXA2xxI2SState),
1736         VMSTATE_INT32(tx_len, PXA2xxI2SState),
1737         VMSTATE_INT32(fifo_len, PXA2xxI2SState),
1738         VMSTATE_END_OF_LIST()
1739     }
1740 };
1741 
1742 static void pxa2xx_i2s_data_req(void *opaque, int tx, int rx)
1743 {
1744     PXA2xxI2SState *s = (PXA2xxI2SState *) opaque;
1745     uint32_t *sample;
1746 
1747     /* Signal FIFO errors */
1748     if (s->enable && s->tx_len)
1749         s->status |= 1 << 5;		/* TUR */
1750     if (s->enable && s->rx_len)
1751         s->status |= 1 << 6;		/* ROR */
1752 
1753     /* Should be tx - MIN(tx, s->fifo_len) but we don't really need to
1754      * handle the cases where it makes a difference.  */
1755     s->tx_len = tx - s->fifo_len;
1756     s->rx_len = rx;
1757     /* Note that is s->codec_out wasn't set, we wouldn't get called.  */
1758     if (s->enable)
1759         for (sample = s->fifo; s->fifo_len; s->fifo_len --, sample ++)
1760             s->codec_out(s->opaque, *sample);
1761     pxa2xx_i2s_update(s);
1762 }
1763 
1764 static PXA2xxI2SState *pxa2xx_i2s_init(MemoryRegion *sysmem,
1765                 hwaddr base,
1766                 qemu_irq irq, qemu_irq rx_dma, qemu_irq tx_dma)
1767 {
1768     PXA2xxI2SState *s = g_new0(PXA2xxI2SState, 1);
1769 
1770     s->irq = irq;
1771     s->rx_dma = rx_dma;
1772     s->tx_dma = tx_dma;
1773     s->data_req = pxa2xx_i2s_data_req;
1774 
1775     pxa2xx_i2s_reset(s);
1776 
1777     memory_region_init_io(&s->iomem, NULL, &pxa2xx_i2s_ops, s,
1778                           "pxa2xx-i2s", 0x100000);
1779     memory_region_add_subregion(sysmem, base, &s->iomem);
1780 
1781     vmstate_register(NULL, base, &vmstate_pxa2xx_i2s, s);
1782 
1783     return s;
1784 }
1785 
1786 /* PXA Fast Infra-red Communications Port */
1787 struct PXA2xxFIrState {
1788     /*< private >*/
1789     SysBusDevice parent_obj;
1790     /*< public >*/
1791 
1792     MemoryRegion iomem;
1793     qemu_irq irq;
1794     qemu_irq rx_dma;
1795     qemu_irq tx_dma;
1796     uint32_t enable;
1797     CharBackend chr;
1798 
1799     uint8_t control[3];
1800     uint8_t status[2];
1801 
1802     uint32_t rx_len;
1803     uint32_t rx_start;
1804     uint8_t rx_fifo[64];
1805 };
1806 
1807 static void pxa2xx_fir_reset(DeviceState *d)
1808 {
1809     PXA2xxFIrState *s = PXA2XX_FIR(d);
1810 
1811     s->control[0] = 0x00;
1812     s->control[1] = 0x00;
1813     s->control[2] = 0x00;
1814     s->status[0] = 0x00;
1815     s->status[1] = 0x00;
1816     s->enable = 0;
1817 }
1818 
1819 static inline void pxa2xx_fir_update(PXA2xxFIrState *s)
1820 {
1821     static const int tresh[4] = { 8, 16, 32, 0 };
1822     int intr = 0;
1823     if ((s->control[0] & (1 << 4)) &&			/* RXE */
1824                     s->rx_len >= tresh[s->control[2] & 3])	/* TRIG */
1825         s->status[0] |= 1 << 4;				/* RFS */
1826     else
1827         s->status[0] &= ~(1 << 4);			/* RFS */
1828     if (s->control[0] & (1 << 3))			/* TXE */
1829         s->status[0] |= 1 << 3;				/* TFS */
1830     else
1831         s->status[0] &= ~(1 << 3);			/* TFS */
1832     if (s->rx_len)
1833         s->status[1] |= 1 << 2;				/* RNE */
1834     else
1835         s->status[1] &= ~(1 << 2);			/* RNE */
1836     if (s->control[0] & (1 << 4))			/* RXE */
1837         s->status[1] |= 1 << 0;				/* RSY */
1838     else
1839         s->status[1] &= ~(1 << 0);			/* RSY */
1840 
1841     intr |= (s->control[0] & (1 << 5)) &&		/* RIE */
1842             (s->status[0] & (1 << 4));			/* RFS */
1843     intr |= (s->control[0] & (1 << 6)) &&		/* TIE */
1844             (s->status[0] & (1 << 3));			/* TFS */
1845     intr |= (s->control[2] & (1 << 4)) &&		/* TRAIL */
1846             (s->status[0] & (1 << 6));			/* EOC */
1847     intr |= (s->control[0] & (1 << 2)) &&		/* TUS */
1848             (s->status[0] & (1 << 1));			/* TUR */
1849     intr |= s->status[0] & 0x25;			/* FRE, RAB, EIF */
1850 
1851     qemu_set_irq(s->rx_dma, (s->status[0] >> 4) & 1);
1852     qemu_set_irq(s->tx_dma, (s->status[0] >> 3) & 1);
1853 
1854     qemu_set_irq(s->irq, intr && s->enable);
1855 }
1856 
1857 #define ICCR0	0x00	/* FICP Control register 0 */
1858 #define ICCR1	0x04	/* FICP Control register 1 */
1859 #define ICCR2	0x08	/* FICP Control register 2 */
1860 #define ICDR	0x0c	/* FICP Data register */
1861 #define ICSR0	0x14	/* FICP Status register 0 */
1862 #define ICSR1	0x18	/* FICP Status register 1 */
1863 #define ICFOR	0x1c	/* FICP FIFO Occupancy Status register */
1864 
1865 static uint64_t pxa2xx_fir_read(void *opaque, hwaddr addr,
1866                                 unsigned size)
1867 {
1868     PXA2xxFIrState *s = (PXA2xxFIrState *) opaque;
1869     uint8_t ret;
1870 
1871     switch (addr) {
1872     case ICCR0:
1873         return s->control[0];
1874     case ICCR1:
1875         return s->control[1];
1876     case ICCR2:
1877         return s->control[2];
1878     case ICDR:
1879         s->status[0] &= ~0x01;
1880         s->status[1] &= ~0x72;
1881         if (s->rx_len) {
1882             s->rx_len --;
1883             ret = s->rx_fifo[s->rx_start ++];
1884             s->rx_start &= 63;
1885             pxa2xx_fir_update(s);
1886             return ret;
1887         }
1888         printf("%s: Rx FIFO underrun.\n", __func__);
1889         break;
1890     case ICSR0:
1891         return s->status[0];
1892     case ICSR1:
1893         return s->status[1] | (1 << 3);			/* TNF */
1894     case ICFOR:
1895         return s->rx_len;
1896     default:
1897         qemu_log_mask(LOG_GUEST_ERROR,
1898                       "%s: Bad read offset 0x%"HWADDR_PRIx"\n",
1899                       __func__, addr);
1900         break;
1901     }
1902     return 0;
1903 }
1904 
1905 static void pxa2xx_fir_write(void *opaque, hwaddr addr,
1906                              uint64_t value64, unsigned size)
1907 {
1908     PXA2xxFIrState *s = (PXA2xxFIrState *) opaque;
1909     uint32_t value = value64;
1910     uint8_t ch;
1911 
1912     switch (addr) {
1913     case ICCR0:
1914         s->control[0] = value;
1915         if (!(value & (1 << 4)))			/* RXE */
1916             s->rx_len = s->rx_start = 0;
1917         if (!(value & (1 << 3))) {                      /* TXE */
1918             /* Nop */
1919         }
1920         s->enable = value & 1;				/* ITR */
1921         if (!s->enable)
1922             s->status[0] = 0;
1923         pxa2xx_fir_update(s);
1924         break;
1925     case ICCR1:
1926         s->control[1] = value;
1927         break;
1928     case ICCR2:
1929         s->control[2] = value & 0x3f;
1930         pxa2xx_fir_update(s);
1931         break;
1932     case ICDR:
1933         if (s->control[2] & (1 << 2)) { /* TXP */
1934             ch = value;
1935         } else {
1936             ch = ~value;
1937         }
1938         if (s->enable && (s->control[0] & (1 << 3))) { /* TXE */
1939             /* XXX this blocks entire thread. Rewrite to use
1940              * qemu_chr_fe_write and background I/O callbacks */
1941             qemu_chr_fe_write_all(&s->chr, &ch, 1);
1942         }
1943         break;
1944     case ICSR0:
1945         s->status[0] &= ~(value & 0x66);
1946         pxa2xx_fir_update(s);
1947         break;
1948     case ICFOR:
1949         break;
1950     default:
1951         qemu_log_mask(LOG_GUEST_ERROR,
1952                       "%s: Bad write offset 0x%"HWADDR_PRIx"\n",
1953                       __func__, addr);
1954     }
1955 }
1956 
1957 static const MemoryRegionOps pxa2xx_fir_ops = {
1958     .read = pxa2xx_fir_read,
1959     .write = pxa2xx_fir_write,
1960     .endianness = DEVICE_NATIVE_ENDIAN,
1961 };
1962 
1963 static int pxa2xx_fir_is_empty(void *opaque)
1964 {
1965     PXA2xxFIrState *s = (PXA2xxFIrState *) opaque;
1966     return (s->rx_len < 64);
1967 }
1968 
1969 static void pxa2xx_fir_rx(void *opaque, const uint8_t *buf, int size)
1970 {
1971     PXA2xxFIrState *s = (PXA2xxFIrState *) opaque;
1972     if (!(s->control[0] & (1 << 4)))			/* RXE */
1973         return;
1974 
1975     while (size --) {
1976         s->status[1] |= 1 << 4;				/* EOF */
1977         if (s->rx_len >= 64) {
1978             s->status[1] |= 1 << 6;			/* ROR */
1979             break;
1980         }
1981 
1982         if (s->control[2] & (1 << 3))			/* RXP */
1983             s->rx_fifo[(s->rx_start + s->rx_len ++) & 63] = *(buf ++);
1984         else
1985             s->rx_fifo[(s->rx_start + s->rx_len ++) & 63] = ~*(buf ++);
1986     }
1987 
1988     pxa2xx_fir_update(s);
1989 }
1990 
1991 static void pxa2xx_fir_event(void *opaque, QEMUChrEvent event)
1992 {
1993 }
1994 
1995 static void pxa2xx_fir_instance_init(Object *obj)
1996 {
1997     PXA2xxFIrState *s = PXA2XX_FIR(obj);
1998     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1999 
2000     memory_region_init_io(&s->iomem, obj, &pxa2xx_fir_ops, s,
2001                           "pxa2xx-fir", 0x1000);
2002     sysbus_init_mmio(sbd, &s->iomem);
2003     sysbus_init_irq(sbd, &s->irq);
2004     sysbus_init_irq(sbd, &s->rx_dma);
2005     sysbus_init_irq(sbd, &s->tx_dma);
2006 }
2007 
2008 static void pxa2xx_fir_realize(DeviceState *dev, Error **errp)
2009 {
2010     PXA2xxFIrState *s = PXA2XX_FIR(dev);
2011 
2012     qemu_chr_fe_set_handlers(&s->chr, pxa2xx_fir_is_empty,
2013                              pxa2xx_fir_rx, pxa2xx_fir_event, NULL, s, NULL,
2014                              true);
2015 }
2016 
2017 static bool pxa2xx_fir_vmstate_validate(void *opaque, int version_id)
2018 {
2019     PXA2xxFIrState *s = opaque;
2020 
2021     return s->rx_start < ARRAY_SIZE(s->rx_fifo);
2022 }
2023 
2024 static const VMStateDescription pxa2xx_fir_vmsd = {
2025     .name = "pxa2xx-fir",
2026     .version_id = 1,
2027     .minimum_version_id = 1,
2028     .fields = (VMStateField[]) {
2029         VMSTATE_UINT32(enable, PXA2xxFIrState),
2030         VMSTATE_UINT8_ARRAY(control, PXA2xxFIrState, 3),
2031         VMSTATE_UINT8_ARRAY(status, PXA2xxFIrState, 2),
2032         VMSTATE_UINT32(rx_len, PXA2xxFIrState),
2033         VMSTATE_UINT32(rx_start, PXA2xxFIrState),
2034         VMSTATE_VALIDATE("fifo is 64 bytes", pxa2xx_fir_vmstate_validate),
2035         VMSTATE_UINT8_ARRAY(rx_fifo, PXA2xxFIrState, 64),
2036         VMSTATE_END_OF_LIST()
2037     }
2038 };
2039 
2040 static Property pxa2xx_fir_properties[] = {
2041     DEFINE_PROP_CHR("chardev", PXA2xxFIrState, chr),
2042     DEFINE_PROP_END_OF_LIST(),
2043 };
2044 
2045 static void pxa2xx_fir_class_init(ObjectClass *klass, void *data)
2046 {
2047     DeviceClass *dc = DEVICE_CLASS(klass);
2048 
2049     dc->realize = pxa2xx_fir_realize;
2050     dc->vmsd = &pxa2xx_fir_vmsd;
2051     device_class_set_props(dc, pxa2xx_fir_properties);
2052     dc->reset = pxa2xx_fir_reset;
2053 }
2054 
2055 static const TypeInfo pxa2xx_fir_info = {
2056     .name = TYPE_PXA2XX_FIR,
2057     .parent = TYPE_SYS_BUS_DEVICE,
2058     .instance_size = sizeof(PXA2xxFIrState),
2059     .class_init = pxa2xx_fir_class_init,
2060     .instance_init = pxa2xx_fir_instance_init,
2061 };
2062 
2063 static PXA2xxFIrState *pxa2xx_fir_init(MemoryRegion *sysmem,
2064                                        hwaddr base,
2065                                        qemu_irq irq, qemu_irq rx_dma,
2066                                        qemu_irq tx_dma,
2067                                        Chardev *chr)
2068 {
2069     DeviceState *dev;
2070     SysBusDevice *sbd;
2071 
2072     dev = qdev_new(TYPE_PXA2XX_FIR);
2073     qdev_prop_set_chr(dev, "chardev", chr);
2074     sbd = SYS_BUS_DEVICE(dev);
2075     sysbus_realize_and_unref(sbd, &error_fatal);
2076     sysbus_mmio_map(sbd, 0, base);
2077     sysbus_connect_irq(sbd, 0, irq);
2078     sysbus_connect_irq(sbd, 1, rx_dma);
2079     sysbus_connect_irq(sbd, 2, tx_dma);
2080     return PXA2XX_FIR(dev);
2081 }
2082 
2083 static void pxa2xx_reset(void *opaque, int line, int level)
2084 {
2085     PXA2xxState *s = (PXA2xxState *) opaque;
2086 
2087     if (level && (s->pm_regs[PCFR >> 2] & 0x10)) {	/* GPR_EN */
2088         cpu_reset(CPU(s->cpu));
2089         /* TODO: reset peripherals */
2090     }
2091 }
2092 
2093 /* Initialise a PXA270 integrated chip (ARM based core).  */
2094 PXA2xxState *pxa270_init(MemoryRegion *address_space,
2095                          unsigned int sdram_size, const char *cpu_type)
2096 {
2097     PXA2xxState *s;
2098     int i;
2099     DriveInfo *dinfo;
2100     s = g_new0(PXA2xxState, 1);
2101 
2102     if (strncmp(cpu_type, "pxa27", 5)) {
2103         error_report("Machine requires a PXA27x processor");
2104         exit(1);
2105     }
2106 
2107     s->cpu = ARM_CPU(cpu_create(cpu_type));
2108     s->reset = qemu_allocate_irq(pxa2xx_reset, s, 0);
2109 
2110     /* SDRAM & Internal Memory Storage */
2111     memory_region_init_ram(&s->sdram, NULL, "pxa270.sdram", sdram_size,
2112                            &error_fatal);
2113     memory_region_add_subregion(address_space, PXA2XX_SDRAM_BASE, &s->sdram);
2114     memory_region_init_ram(&s->internal, NULL, "pxa270.internal", 0x40000,
2115                            &error_fatal);
2116     memory_region_add_subregion(address_space, PXA2XX_INTERNAL_BASE,
2117                                 &s->internal);
2118 
2119     s->pic = pxa2xx_pic_init(0x40d00000, s->cpu);
2120 
2121     s->dma = pxa27x_dma_init(0x40000000,
2122                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_DMA));
2123 
2124     sysbus_create_varargs("pxa27x-timer", 0x40a00000,
2125                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 0),
2126                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 1),
2127                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 2),
2128                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 3),
2129                     qdev_get_gpio_in(s->pic, PXA27X_PIC_OST_4_11),
2130                     NULL);
2131 
2132     s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 121);
2133 
2134     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
2135                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
2136                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
2137                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
2138     dinfo = drive_get(IF_SD, 0, 0);
2139     if (dinfo) {
2140         DeviceState *carddev;
2141 
2142         /* Create and plug in the sd card */
2143         carddev = qdev_new(TYPE_SD_CARD);
2144         qdev_prop_set_drive_err(carddev, "drive",
2145                                 blk_by_legacy_dinfo(dinfo), &error_fatal);
2146         qdev_realize_and_unref(carddev, qdev_get_child_bus(DEVICE(s->mmc),
2147                                                            "sd-bus"),
2148                                &error_fatal);
2149     } else if (!qtest_enabled()) {
2150         warn_report("missing SecureDigital device");
2151     }
2152 
2153     for (i = 0; pxa270_serial[i].io_base; i++) {
2154         if (serial_hd(i)) {
2155             serial_mm_init(address_space, pxa270_serial[i].io_base, 2,
2156                            qdev_get_gpio_in(s->pic, pxa270_serial[i].irqn),
2157                            14857000 / 16, serial_hd(i),
2158                            DEVICE_NATIVE_ENDIAN);
2159         } else {
2160             break;
2161         }
2162     }
2163     if (serial_hd(i))
2164         s->fir = pxa2xx_fir_init(address_space, 0x40800000,
2165                         qdev_get_gpio_in(s->pic, PXA2XX_PIC_ICP),
2166                         qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_ICP),
2167                         qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_ICP),
2168                         serial_hd(i));
2169 
2170     s->lcd = pxa2xx_lcdc_init(address_space, 0x44000000,
2171                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_LCD));
2172 
2173     s->cm_base = 0x41300000;
2174     s->cm_regs[CCCR >> 2] = 0x02000210;	/* 416.0 MHz */
2175     s->clkcfg = 0x00000009;		/* Turbo mode active */
2176     memory_region_init_io(&s->cm_iomem, NULL, &pxa2xx_cm_ops, s, "pxa2xx-cm", 0x1000);
2177     memory_region_add_subregion(address_space, s->cm_base, &s->cm_iomem);
2178     vmstate_register(NULL, 0, &vmstate_pxa2xx_cm, s);
2179 
2180     pxa2xx_setup_cp14(s);
2181 
2182     s->mm_base = 0x48000000;
2183     s->mm_regs[MDMRS >> 2] = 0x00020002;
2184     s->mm_regs[MDREFR >> 2] = 0x03ca4000;
2185     s->mm_regs[MECR >> 2] = 0x00000001;	/* Two PC Card sockets */
2186     memory_region_init_io(&s->mm_iomem, NULL, &pxa2xx_mm_ops, s, "pxa2xx-mm", 0x1000);
2187     memory_region_add_subregion(address_space, s->mm_base, &s->mm_iomem);
2188     vmstate_register(NULL, 0, &vmstate_pxa2xx_mm, s);
2189 
2190     s->pm_base = 0x40f00000;
2191     memory_region_init_io(&s->pm_iomem, NULL, &pxa2xx_pm_ops, s, "pxa2xx-pm", 0x100);
2192     memory_region_add_subregion(address_space, s->pm_base, &s->pm_iomem);
2193     vmstate_register(NULL, 0, &vmstate_pxa2xx_pm, s);
2194 
2195     for (i = 0; pxa27x_ssp[i].io_base; i ++);
2196     s->ssp = g_new0(SSIBus *, i);
2197     for (i = 0; pxa27x_ssp[i].io_base; i ++) {
2198         DeviceState *dev;
2199         dev = sysbus_create_simple(TYPE_PXA2XX_SSP, pxa27x_ssp[i].io_base,
2200                         qdev_get_gpio_in(s->pic, pxa27x_ssp[i].irqn));
2201         s->ssp[i] = (SSIBus *)qdev_get_child_bus(dev, "ssi");
2202     }
2203 
2204     sysbus_create_simple("sysbus-ohci", 0x4c000000,
2205                          qdev_get_gpio_in(s->pic, PXA2XX_PIC_USBH1));
2206 
2207     s->pcmcia[0] = pxa2xx_pcmcia_init(address_space, 0x20000000);
2208     s->pcmcia[1] = pxa2xx_pcmcia_init(address_space, 0x30000000);
2209 
2210     sysbus_create_simple(TYPE_PXA2XX_RTC, 0x40900000,
2211                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_RTCALARM));
2212 
2213     s->i2c[0] = pxa2xx_i2c_init(0x40301600,
2214                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_I2C), 0xffff);
2215     s->i2c[1] = pxa2xx_i2c_init(0x40f00100,
2216                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_PWRI2C), 0xff);
2217 
2218     s->i2s = pxa2xx_i2s_init(address_space, 0x40400000,
2219                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_I2S),
2220                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_I2S),
2221                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_I2S));
2222 
2223     s->kp = pxa27x_keypad_init(address_space, 0x41500000,
2224                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_KEYPAD));
2225 
2226     /* GPIO1 resets the processor */
2227     /* The handler can be overridden by board-specific code */
2228     qdev_connect_gpio_out(s->gpio, 1, s->reset);
2229     return s;
2230 }
2231 
2232 /* Initialise a PXA255 integrated chip (ARM based core).  */
2233 PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
2234 {
2235     PXA2xxState *s;
2236     int i;
2237     DriveInfo *dinfo;
2238 
2239     s = g_new0(PXA2xxState, 1);
2240 
2241     s->cpu = ARM_CPU(cpu_create(ARM_CPU_TYPE_NAME("pxa255")));
2242     s->reset = qemu_allocate_irq(pxa2xx_reset, s, 0);
2243 
2244     /* SDRAM & Internal Memory Storage */
2245     memory_region_init_ram(&s->sdram, NULL, "pxa255.sdram", sdram_size,
2246                            &error_fatal);
2247     memory_region_add_subregion(address_space, PXA2XX_SDRAM_BASE, &s->sdram);
2248     memory_region_init_ram(&s->internal, NULL, "pxa255.internal",
2249                            PXA2XX_INTERNAL_SIZE, &error_fatal);
2250     memory_region_add_subregion(address_space, PXA2XX_INTERNAL_BASE,
2251                                 &s->internal);
2252 
2253     s->pic = pxa2xx_pic_init(0x40d00000, s->cpu);
2254 
2255     s->dma = pxa255_dma_init(0x40000000,
2256                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_DMA));
2257 
2258     sysbus_create_varargs("pxa25x-timer", 0x40a00000,
2259                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 0),
2260                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 1),
2261                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 2),
2262                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_OST_0 + 3),
2263                     NULL);
2264 
2265     s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 85);
2266 
2267     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
2268                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
2269                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
2270                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
2271     dinfo = drive_get(IF_SD, 0, 0);
2272     if (dinfo) {
2273         DeviceState *carddev;
2274 
2275         /* Create and plug in the sd card */
2276         carddev = qdev_new(TYPE_SD_CARD);
2277         qdev_prop_set_drive_err(carddev, "drive",
2278                                 blk_by_legacy_dinfo(dinfo), &error_fatal);
2279         qdev_realize_and_unref(carddev, qdev_get_child_bus(DEVICE(s->mmc),
2280                                                            "sd-bus"),
2281                                &error_fatal);
2282     } else if (!qtest_enabled()) {
2283         warn_report("missing SecureDigital device");
2284     }
2285 
2286     for (i = 0; pxa255_serial[i].io_base; i++) {
2287         if (serial_hd(i)) {
2288             serial_mm_init(address_space, pxa255_serial[i].io_base, 2,
2289                            qdev_get_gpio_in(s->pic, pxa255_serial[i].irqn),
2290                            14745600 / 16, serial_hd(i),
2291                            DEVICE_NATIVE_ENDIAN);
2292         } else {
2293             break;
2294         }
2295     }
2296     if (serial_hd(i))
2297         s->fir = pxa2xx_fir_init(address_space, 0x40800000,
2298                         qdev_get_gpio_in(s->pic, PXA2XX_PIC_ICP),
2299                         qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_ICP),
2300                         qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_ICP),
2301                         serial_hd(i));
2302 
2303     s->lcd = pxa2xx_lcdc_init(address_space, 0x44000000,
2304                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_LCD));
2305 
2306     s->cm_base = 0x41300000;
2307     s->cm_regs[CCCR >> 2] = 0x00000121;         /* from datasheet */
2308     s->cm_regs[CKEN >> 2] = 0x00017def;         /* from datasheet */
2309 
2310     s->clkcfg = 0x00000009;		/* Turbo mode active */
2311     memory_region_init_io(&s->cm_iomem, NULL, &pxa2xx_cm_ops, s, "pxa2xx-cm", 0x1000);
2312     memory_region_add_subregion(address_space, s->cm_base, &s->cm_iomem);
2313     vmstate_register(NULL, 0, &vmstate_pxa2xx_cm, s);
2314 
2315     pxa2xx_setup_cp14(s);
2316 
2317     s->mm_base = 0x48000000;
2318     s->mm_regs[MDMRS >> 2] = 0x00020002;
2319     s->mm_regs[MDREFR >> 2] = 0x03ca4000;
2320     s->mm_regs[MECR >> 2] = 0x00000001;	/* Two PC Card sockets */
2321     memory_region_init_io(&s->mm_iomem, NULL, &pxa2xx_mm_ops, s, "pxa2xx-mm", 0x1000);
2322     memory_region_add_subregion(address_space, s->mm_base, &s->mm_iomem);
2323     vmstate_register(NULL, 0, &vmstate_pxa2xx_mm, s);
2324 
2325     s->pm_base = 0x40f00000;
2326     memory_region_init_io(&s->pm_iomem, NULL, &pxa2xx_pm_ops, s, "pxa2xx-pm", 0x100);
2327     memory_region_add_subregion(address_space, s->pm_base, &s->pm_iomem);
2328     vmstate_register(NULL, 0, &vmstate_pxa2xx_pm, s);
2329 
2330     for (i = 0; pxa255_ssp[i].io_base; i ++);
2331     s->ssp = g_new0(SSIBus *, i);
2332     for (i = 0; pxa255_ssp[i].io_base; i ++) {
2333         DeviceState *dev;
2334         dev = sysbus_create_simple(TYPE_PXA2XX_SSP, pxa255_ssp[i].io_base,
2335                         qdev_get_gpio_in(s->pic, pxa255_ssp[i].irqn));
2336         s->ssp[i] = (SSIBus *)qdev_get_child_bus(dev, "ssi");
2337     }
2338 
2339     s->pcmcia[0] = pxa2xx_pcmcia_init(address_space, 0x20000000);
2340     s->pcmcia[1] = pxa2xx_pcmcia_init(address_space, 0x30000000);
2341 
2342     sysbus_create_simple(TYPE_PXA2XX_RTC, 0x40900000,
2343                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_RTCALARM));
2344 
2345     s->i2c[0] = pxa2xx_i2c_init(0x40301600,
2346                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_I2C), 0xffff);
2347     s->i2c[1] = pxa2xx_i2c_init(0x40f00100,
2348                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_PWRI2C), 0xff);
2349 
2350     s->i2s = pxa2xx_i2s_init(address_space, 0x40400000,
2351                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_I2S),
2352                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_I2S),
2353                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_I2S));
2354 
2355     /* GPIO1 resets the processor */
2356     /* The handler can be overridden by board-specific code */
2357     qdev_connect_gpio_out(s->gpio, 1, s->reset);
2358     return s;
2359 }
2360 
2361 static void pxa2xx_ssp_class_init(ObjectClass *klass, void *data)
2362 {
2363     DeviceClass *dc = DEVICE_CLASS(klass);
2364 
2365     dc->reset = pxa2xx_ssp_reset;
2366     dc->vmsd = &vmstate_pxa2xx_ssp;
2367 }
2368 
2369 static const TypeInfo pxa2xx_ssp_info = {
2370     .name          = TYPE_PXA2XX_SSP,
2371     .parent        = TYPE_SYS_BUS_DEVICE,
2372     .instance_size = sizeof(PXA2xxSSPState),
2373     .instance_init = pxa2xx_ssp_init,
2374     .class_init    = pxa2xx_ssp_class_init,
2375 };
2376 
2377 static void pxa2xx_register_types(void)
2378 {
2379     type_register_static(&pxa2xx_i2c_slave_info);
2380     type_register_static(&pxa2xx_ssp_info);
2381     type_register_static(&pxa2xx_i2c_info);
2382     type_register_static(&pxa2xx_rtc_sysbus_info);
2383     type_register_static(&pxa2xx_fir_info);
2384 }
2385 
2386 type_init(pxa2xx_register_types)
2387