xref: /openbmc/qemu/hw/net/eepro100.c (revision 34d49937)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 2 of the License, or
12  * (at your option) version 3 or any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * Tested features (i82559):
23  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
24  *      Linux networking (i386) ok
25  *
26  * Untested:
27  *      Windows networking
28  *
29  * References:
30  *
31  * Intel 8255x 10/100 Mbps Ethernet Controller Family
32  * Open Source Software Developer Manual
33  *
34  * TODO:
35  *      * PHY emulation should be separated from nic emulation.
36  *        Most nic emulations could share the same phy code.
37  *      * i82550 is untested. It is programmed like the i82559.
38  *      * i82562 is untested. It is programmed like the i82559.
39  *      * Power management (i82558 and later) is not implemented.
40  *      * Wake-on-LAN is not implemented.
41  */
42 
43 #include "qemu/osdep.h"
44 #include "hw/hw.h"
45 #include "hw/pci/pci.h"
46 #include "net/net.h"
47 #include "hw/nvram/eeprom93xx.h"
48 #include "sysemu/sysemu.h"
49 #include "sysemu/dma.h"
50 #include "qemu/bitops.h"
51 #include "qapi/error.h"
52 
53 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
54  * Such frames are rejected by real nics and their emulations.
55  * To avoid this behaviour, other nic emulations pad received
56  * frames. The following definition enables this padding for
57  * eepro100, too. We keep the define around in case it might
58  * become useful the future if the core networking is ever
59  * changed to pad short packets itself. */
60 #define CONFIG_PAD_RECEIVED_FRAMES
61 
62 #define KiB 1024
63 
64 /* Debug EEPRO100 card. */
65 #if 0
66 # define DEBUG_EEPRO100
67 #endif
68 
69 #ifdef DEBUG_EEPRO100
70 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
71 #else
72 #define logout(fmt, ...) ((void)0)
73 #endif
74 
75 /* Set flags to 0 to disable debug output. */
76 #define INT     1       /* interrupt related actions */
77 #define MDI     1       /* mdi related actions */
78 #define OTHER   1
79 #define RXTX    1
80 #define EEPROM  1       /* eeprom related actions */
81 
82 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
83 
84 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
85 
86 #define MAX_ETH_FRAME_SIZE 1514
87 
88 /* This driver supports several different devices which are declared here. */
89 #define i82550          0x82550
90 #define i82551          0x82551
91 #define i82557A         0x82557a
92 #define i82557B         0x82557b
93 #define i82557C         0x82557c
94 #define i82558A         0x82558a
95 #define i82558B         0x82558b
96 #define i82559A         0x82559a
97 #define i82559B         0x82559b
98 #define i82559C         0x82559c
99 #define i82559ER        0x82559e
100 #define i82562          0x82562
101 #define i82801          0x82801
102 
103 /* Use 64 word EEPROM. TODO: could be a runtime option. */
104 #define EEPROM_SIZE     64
105 
106 #define PCI_MEM_SIZE            (4 * KiB)
107 #define PCI_IO_SIZE             64
108 #define PCI_FLASH_SIZE          (128 * KiB)
109 
110 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
111 
112 /* The SCB accepts the following controls for the Tx and Rx units: */
113 #define  CU_NOP         0x0000  /* No operation. */
114 #define  CU_START       0x0010  /* CU start. */
115 #define  CU_RESUME      0x0020  /* CU resume. */
116 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
117 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
118 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
119 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
120 #define  CU_SRESUME     0x00a0  /* CU static resume. */
121 
122 #define  RU_NOP         0x0000
123 #define  RX_START       0x0001
124 #define  RX_RESUME      0x0002
125 #define  RU_ABORT       0x0004
126 #define  RX_ADDR_LOAD   0x0006
127 #define  RX_RESUMENR    0x0007
128 #define INT_MASK        0x0100
129 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
130 
131 typedef struct {
132     const char *name;
133     const char *desc;
134     uint16_t device_id;
135     uint8_t revision;
136     uint16_t subsystem_vendor_id;
137     uint16_t subsystem_id;
138 
139     uint32_t device;
140     uint8_t stats_size;
141     bool has_extended_tcb_support;
142     bool power_management;
143 } E100PCIDeviceInfo;
144 
145 /* Offsets to the various registers.
146    All accesses need not be longword aligned. */
147 typedef enum {
148     SCBStatus = 0,              /* Status Word. */
149     SCBAck = 1,
150     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
151     SCBIntmask = 3,
152     SCBPointer = 4,             /* General purpose pointer. */
153     SCBPort = 8,                /* Misc. commands and operands.  */
154     SCBflash = 12,              /* Flash memory control. */
155     SCBeeprom = 14,             /* EEPROM control. */
156     SCBCtrlMDI = 16,            /* MDI interface control. */
157     SCBEarlyRx = 20,            /* Early receive byte count. */
158     SCBFlow = 24,               /* Flow Control. */
159     SCBpmdr = 27,               /* Power Management Driver. */
160     SCBgctrl = 28,              /* General Control. */
161     SCBgstat = 29,              /* General Status. */
162 } E100RegisterOffset;
163 
164 /* A speedo3 transmit buffer descriptor with two buffers... */
165 typedef struct {
166     uint16_t status;
167     uint16_t command;
168     uint32_t link;              /* void * */
169     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
170     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
171     uint8_t tx_threshold;       /* transmit threshold */
172     uint8_t tbd_count;          /* TBD number */
173 #if 0
174     /* This constitutes two "TBD" entries: hdr and data */
175     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
176     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
177     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
178     int32_t  tx_buf_size1;  /* Length of Tx data. */
179 #endif
180 } eepro100_tx_t;
181 
182 /* Receive frame descriptor. */
183 typedef struct {
184     int16_t status;
185     uint16_t command;
186     uint32_t link;              /* struct RxFD * */
187     uint32_t rx_buf_addr;       /* void * */
188     uint16_t count;
189     uint16_t size;
190     /* Ethernet frame data follows. */
191 } eepro100_rx_t;
192 
193 typedef enum {
194     COMMAND_EL = BIT(15),
195     COMMAND_S = BIT(14),
196     COMMAND_I = BIT(13),
197     COMMAND_NC = BIT(4),
198     COMMAND_SF = BIT(3),
199     COMMAND_CMD = BITS(2, 0),
200 } scb_command_bit;
201 
202 typedef enum {
203     STATUS_C = BIT(15),
204     STATUS_OK = BIT(13),
205 } scb_status_bit;
206 
207 typedef struct {
208     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
209              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
210              tx_multiple_collisions, tx_total_collisions;
211     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
212              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
213              rx_short_frame_errors;
214     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
215     uint16_t xmt_tco_frames, rcv_tco_frames;
216     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
217     uint32_t reserved[4];
218 } eepro100_stats_t;
219 
220 typedef enum {
221     cu_idle = 0,
222     cu_suspended = 1,
223     cu_active = 2,
224     cu_lpq_active = 2,
225     cu_hqp_active = 3
226 } cu_state_t;
227 
228 typedef enum {
229     ru_idle = 0,
230     ru_suspended = 1,
231     ru_no_resources = 2,
232     ru_ready = 4
233 } ru_state_t;
234 
235 typedef struct {
236     PCIDevice dev;
237     /* Hash register (multicast mask array, multiple individual addresses). */
238     uint8_t mult[8];
239     MemoryRegion mmio_bar;
240     MemoryRegion io_bar;
241     MemoryRegion flash_bar;
242     NICState *nic;
243     NICConf conf;
244     uint8_t scb_stat;           /* SCB stat/ack byte */
245     uint8_t int_stat;           /* PCI interrupt status */
246     /* region must not be saved by nic_save. */
247     uint16_t mdimem[32];
248     eeprom_t *eeprom;
249     uint32_t device;            /* device variant */
250     /* (cu_base + cu_offset) address the next command block in the command block list. */
251     uint32_t cu_base;           /* CU base address */
252     uint32_t cu_offset;         /* CU address offset */
253     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
254     uint32_t ru_base;           /* RU base address */
255     uint32_t ru_offset;         /* RU address offset */
256     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
257 
258     /* Temporary status information (no need to save these values),
259      * used while processing CU commands. */
260     eepro100_tx_t tx;           /* transmit buffer descriptor */
261     uint32_t cb_address;        /* = cu_base + cu_offset */
262 
263     /* Statistical counters. Also used for wake-up packet (i82559). */
264     eepro100_stats_t statistics;
265 
266     /* Data in mem is always in the byte order of the controller (le).
267      * It must be dword aligned to allow direct access to 32 bit values. */
268     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
269 
270     /* Configuration bytes. */
271     uint8_t configuration[22];
272 
273     /* vmstate for each particular nic */
274     VMStateDescription *vmstate;
275 
276     /* Quasi static device properties (no need to save them). */
277     uint16_t stats_size;
278     bool has_extended_tcb_support;
279 } EEPRO100State;
280 
281 /* Word indices in EEPROM. */
282 typedef enum {
283     EEPROM_CNFG_MDIX  = 0x03,
284     EEPROM_ID         = 0x05,
285     EEPROM_PHY_ID     = 0x06,
286     EEPROM_VENDOR_ID  = 0x0c,
287     EEPROM_CONFIG_ASF = 0x0d,
288     EEPROM_DEVICE_ID  = 0x23,
289     EEPROM_SMBUS_ADDR = 0x90,
290 } EEPROMOffset;
291 
292 /* Bit values for EEPROM ID word. */
293 typedef enum {
294     EEPROM_ID_MDM = BIT(0),     /* Modem */
295     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
296     EEPROM_ID_WMR = BIT(2),     /* ??? */
297     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
298     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
299     EEPROM_ID_ALT = BIT(7),     /* */
300     /* BITS(10, 8) device revision */
301     EEPROM_ID_BD = BIT(11),     /* boot disable */
302     EEPROM_ID_ID = BIT(13),     /* id bit */
303     /* BITS(15, 14) signature */
304     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
305 } eeprom_id_bit;
306 
307 /* Default values for MDI (PHY) registers */
308 static const uint16_t eepro100_mdi_default[] = {
309     /* MDI Registers 0 - 6, 7 */
310     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
311     /* MDI Registers 8 - 15 */
312     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
313     /* MDI Registers 16 - 31 */
314     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
315     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
316 };
317 
318 /* Readonly mask for MDI (PHY) registers */
319 static const uint16_t eepro100_mdi_mask[] = {
320     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
321     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
322     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
323     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
324 };
325 
326 #define POLYNOMIAL 0x04c11db6
327 
328 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
329 
330 /* From FreeBSD (locally modified). */
331 static unsigned e100_compute_mcast_idx(const uint8_t *ep)
332 {
333     uint32_t crc;
334     int carry, i, j;
335     uint8_t b;
336 
337     crc = 0xffffffff;
338     for (i = 0; i < 6; i++) {
339         b = *ep++;
340         for (j = 0; j < 8; j++) {
341             carry = ((crc & 0x80000000L) ? 1 : 0) ^ (b & 0x01);
342             crc <<= 1;
343             b >>= 1;
344             if (carry) {
345                 crc = ((crc ^ POLYNOMIAL) | carry);
346             }
347         }
348     }
349     return (crc & BITS(7, 2)) >> 2;
350 }
351 
352 /* Read a 16 bit control/status (CSR) register. */
353 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
354 {
355     assert(!((uintptr_t)&s->mem[addr] & 1));
356     return lduw_le_p(&s->mem[addr]);
357 }
358 
359 /* Read a 32 bit control/status (CSR) register. */
360 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
361 {
362     assert(!((uintptr_t)&s->mem[addr] & 3));
363     return ldl_le_p(&s->mem[addr]);
364 }
365 
366 /* Write a 16 bit control/status (CSR) register. */
367 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
368                             uint16_t val)
369 {
370     assert(!((uintptr_t)&s->mem[addr] & 1));
371     stw_le_p(&s->mem[addr], val);
372 }
373 
374 /* Read a 32 bit control/status (CSR) register. */
375 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
376                             uint32_t val)
377 {
378     assert(!((uintptr_t)&s->mem[addr] & 3));
379     stl_le_p(&s->mem[addr], val);
380 }
381 
382 #if defined(DEBUG_EEPRO100)
383 static const char *nic_dump(const uint8_t * buf, unsigned size)
384 {
385     static char dump[3 * 16 + 1];
386     char *p = &dump[0];
387     if (size > 16) {
388         size = 16;
389     }
390     while (size-- > 0) {
391         p += sprintf(p, " %02x", *buf++);
392     }
393     return dump;
394 }
395 #endif                          /* DEBUG_EEPRO100 */
396 
397 enum scb_stat_ack {
398     stat_ack_not_ours = 0x00,
399     stat_ack_sw_gen = 0x04,
400     stat_ack_rnr = 0x10,
401     stat_ack_cu_idle = 0x20,
402     stat_ack_frame_rx = 0x40,
403     stat_ack_cu_cmd_done = 0x80,
404     stat_ack_not_present = 0xFF,
405     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
406     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
407 };
408 
409 static void disable_interrupt(EEPRO100State * s)
410 {
411     if (s->int_stat) {
412         TRACE(INT, logout("interrupt disabled\n"));
413         pci_irq_deassert(&s->dev);
414         s->int_stat = 0;
415     }
416 }
417 
418 static void enable_interrupt(EEPRO100State * s)
419 {
420     if (!s->int_stat) {
421         TRACE(INT, logout("interrupt enabled\n"));
422         pci_irq_assert(&s->dev);
423         s->int_stat = 1;
424     }
425 }
426 
427 static void eepro100_acknowledge(EEPRO100State * s)
428 {
429     s->scb_stat &= ~s->mem[SCBAck];
430     s->mem[SCBAck] = s->scb_stat;
431     if (s->scb_stat == 0) {
432         disable_interrupt(s);
433     }
434 }
435 
436 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
437 {
438     uint8_t mask = ~s->mem[SCBIntmask];
439     s->mem[SCBAck] |= status;
440     status = s->scb_stat = s->mem[SCBAck];
441     status &= (mask | 0x0f);
442 #if 0
443     status &= (~s->mem[SCBIntmask] | 0x0xf);
444 #endif
445     if (status && (mask & 0x01)) {
446         /* SCB mask and SCB Bit M do not disable interrupt. */
447         enable_interrupt(s);
448     } else if (s->int_stat) {
449         disable_interrupt(s);
450     }
451 }
452 
453 static void eepro100_cx_interrupt(EEPRO100State * s)
454 {
455     /* CU completed action command. */
456     /* Transmit not ok (82557 only, not in emulation). */
457     eepro100_interrupt(s, 0x80);
458 }
459 
460 static void eepro100_cna_interrupt(EEPRO100State * s)
461 {
462     /* CU left the active state. */
463     eepro100_interrupt(s, 0x20);
464 }
465 
466 static void eepro100_fr_interrupt(EEPRO100State * s)
467 {
468     /* RU received a complete frame. */
469     eepro100_interrupt(s, 0x40);
470 }
471 
472 static void eepro100_rnr_interrupt(EEPRO100State * s)
473 {
474     /* RU is not ready. */
475     eepro100_interrupt(s, 0x10);
476 }
477 
478 static void eepro100_mdi_interrupt(EEPRO100State * s)
479 {
480     /* MDI completed read or write cycle. */
481     eepro100_interrupt(s, 0x08);
482 }
483 
484 static void eepro100_swi_interrupt(EEPRO100State * s)
485 {
486     /* Software has requested an interrupt. */
487     eepro100_interrupt(s, 0x04);
488 }
489 
490 #if 0
491 static void eepro100_fcp_interrupt(EEPRO100State * s)
492 {
493     /* Flow control pause interrupt (82558 and later). */
494     eepro100_interrupt(s, 0x01);
495 }
496 #endif
497 
498 static void e100_pci_reset(EEPRO100State *s, Error **errp)
499 {
500     E100PCIDeviceInfo *info = eepro100_get_class(s);
501     uint32_t device = s->device;
502     uint8_t *pci_conf = s->dev.config;
503 
504     TRACE(OTHER, logout("%p\n", s));
505 
506     /* PCI Status */
507     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
508                                         PCI_STATUS_FAST_BACK);
509     /* PCI Latency Timer */
510     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
511     /* Capability Pointer is set by PCI framework. */
512     /* Interrupt Line */
513     /* Interrupt Pin */
514     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
515     /* Minimum Grant */
516     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
517     /* Maximum Latency */
518     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
519 
520     s->stats_size = info->stats_size;
521     s->has_extended_tcb_support = info->has_extended_tcb_support;
522 
523     switch (device) {
524     case i82550:
525     case i82551:
526     case i82557A:
527     case i82557B:
528     case i82557C:
529     case i82558A:
530     case i82558B:
531     case i82559A:
532     case i82559B:
533     case i82559ER:
534     case i82562:
535     case i82801:
536     case i82559C:
537         break;
538     default:
539         logout("Device %X is undefined!\n", device);
540     }
541 
542     /* Standard TxCB. */
543     s->configuration[6] |= BIT(4);
544 
545     /* Standard statistical counters. */
546     s->configuration[6] |= BIT(5);
547 
548     if (s->stats_size == 80) {
549         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
550         if (s->configuration[6] & BIT(2)) {
551             /* TCO statistical counters. */
552             assert(s->configuration[6] & BIT(5));
553         } else {
554             if (s->configuration[6] & BIT(5)) {
555                 /* No extended statistical counters, i82557 compatible. */
556                 s->stats_size = 64;
557             } else {
558                 /* i82558 compatible. */
559                 s->stats_size = 76;
560             }
561         }
562     } else {
563         if (s->configuration[6] & BIT(5)) {
564             /* No extended statistical counters. */
565             s->stats_size = 64;
566         }
567     }
568     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
569 
570     if (info->power_management) {
571         /* Power Management Capabilities */
572         int cfg_offset = 0xdc;
573         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
574                                    cfg_offset, PCI_PM_SIZEOF,
575                                    errp);
576         if (r < 0) {
577             return;
578         }
579 
580         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
581 #if 0 /* TODO: replace dummy code for power management emulation. */
582         /* TODO: Power Management Control / Status. */
583         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
584         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
585         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
586 #endif
587     }
588 
589 #if EEPROM_SIZE > 0
590     if (device == i82557C || device == i82558B || device == i82559C) {
591         /*
592         TODO: get vendor id from EEPROM for i82557C or later.
593         TODO: get device id from EEPROM for i82557C or later.
594         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
595         TODO: header type is determined by EEPROM for i82559.
596         TODO: get subsystem id from EEPROM for i82557C or later.
597         TODO: get subsystem vendor id from EEPROM for i82557C or later.
598         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
599         TODO: capability pointer depends on EEPROM for i82558.
600         */
601         logout("Get device id and revision from EEPROM!!!\n");
602     }
603 #endif /* EEPROM_SIZE > 0 */
604 }
605 
606 static void nic_selective_reset(EEPRO100State * s)
607 {
608     size_t i;
609     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
610 #if 0
611     eeprom93xx_reset(s->eeprom);
612 #endif
613     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
614     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
615     if (s->device == i82557B || s->device == i82557C)
616         eeprom_contents[5] = 0x0100;
617     eeprom_contents[EEPROM_PHY_ID] = 1;
618     uint16_t sum = 0;
619     for (i = 0; i < EEPROM_SIZE - 1; i++) {
620         sum += eeprom_contents[i];
621     }
622     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
623     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
624 
625     memset(s->mem, 0, sizeof(s->mem));
626     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
627 
628     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
629     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
630 }
631 
632 static void nic_reset(void *opaque)
633 {
634     EEPRO100State *s = opaque;
635     TRACE(OTHER, logout("%p\n", s));
636     /* TODO: Clearing of hash register for selective reset, too? */
637     memset(&s->mult[0], 0, sizeof(s->mult));
638     nic_selective_reset(s);
639 }
640 
641 #if defined(DEBUG_EEPRO100)
642 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
643     "Command/Status",
644     "General Pointer",
645     "Port",
646     "EEPROM/Flash Control",
647     "MDI Control",
648     "Receive DMA Byte Count",
649     "Flow Control",
650     "General Status/Control"
651 };
652 
653 static char *regname(uint32_t addr)
654 {
655     static char buf[32];
656     if (addr < PCI_IO_SIZE) {
657         const char *r = e100_reg[addr / 4];
658         if (r != 0) {
659             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
660         } else {
661             snprintf(buf, sizeof(buf), "0x%02x", addr);
662         }
663     } else {
664         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
665     }
666     return buf;
667 }
668 #endif                          /* DEBUG_EEPRO100 */
669 
670 /*****************************************************************************
671  *
672  * Command emulation.
673  *
674  ****************************************************************************/
675 
676 #if 0
677 static uint16_t eepro100_read_command(EEPRO100State * s)
678 {
679     uint16_t val = 0xffff;
680     TRACE(OTHER, logout("val=0x%04x\n", val));
681     return val;
682 }
683 #endif
684 
685 /* Commands that can be put in a command list entry. */
686 enum commands {
687     CmdNOp = 0,
688     CmdIASetup = 1,
689     CmdConfigure = 2,
690     CmdMulticastList = 3,
691     CmdTx = 4,
692     CmdTDR = 5,                 /* load microcode */
693     CmdDump = 6,
694     CmdDiagnose = 7,
695 
696     /* And some extra flags: */
697     CmdSuspend = 0x4000,        /* Suspend after completion. */
698     CmdIntr = 0x2000,           /* Interrupt after completion. */
699     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
700 };
701 
702 static cu_state_t get_cu_state(EEPRO100State * s)
703 {
704     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
705 }
706 
707 static void set_cu_state(EEPRO100State * s, cu_state_t state)
708 {
709     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
710 }
711 
712 static ru_state_t get_ru_state(EEPRO100State * s)
713 {
714     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
715 }
716 
717 static void set_ru_state(EEPRO100State * s, ru_state_t state)
718 {
719     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
720 }
721 
722 static void dump_statistics(EEPRO100State * s)
723 {
724     /* Dump statistical data. Most data is never changed by the emulation
725      * and always 0, so we first just copy the whole block and then those
726      * values which really matter.
727      * Number of data should check configuration!!!
728      */
729     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
730     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
731                    s->statistics.tx_good_frames);
732     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
733                    s->statistics.rx_good_frames);
734     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
735                    s->statistics.rx_resource_errors);
736     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
737                    s->statistics.rx_short_frame_errors);
738 #if 0
739     stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
740     stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
741     missing("CU dump statistical counters");
742 #endif
743 }
744 
745 static void read_cb(EEPRO100State *s)
746 {
747     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
748     s->tx.status = le16_to_cpu(s->tx.status);
749     s->tx.command = le16_to_cpu(s->tx.command);
750     s->tx.link = le32_to_cpu(s->tx.link);
751     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
752     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
753 }
754 
755 static void tx_command(EEPRO100State *s)
756 {
757     uint32_t tbd_array = s->tx.tbd_array_addr;
758     uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
759     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
760     uint8_t buf[2600];
761     uint16_t size = 0;
762     uint32_t tbd_address = s->cb_address + 0x10;
763     TRACE(RXTX, logout
764         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
765          tbd_array, tcb_bytes, s->tx.tbd_count));
766 
767     if (tcb_bytes > 2600) {
768         logout("TCB byte count too large, using 2600\n");
769         tcb_bytes = 2600;
770     }
771     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
772         logout
773             ("illegal values of TBD array address and TCB byte count!\n");
774     }
775     assert(tcb_bytes <= sizeof(buf));
776     while (size < tcb_bytes) {
777         TRACE(RXTX, logout
778             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
779              tbd_address, tcb_bytes));
780         pci_dma_read(&s->dev, tbd_address, &buf[size], tcb_bytes);
781         size += tcb_bytes;
782     }
783     if (tbd_array == 0xffffffff) {
784         /* Simplified mode. Was already handled by code above. */
785     } else {
786         /* Flexible mode. */
787         uint8_t tbd_count = 0;
788         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
789             /* Extended Flexible TCB. */
790             for (; tbd_count < 2; tbd_count++) {
791                 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
792                                                             tbd_address);
793                 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
794                                                           tbd_address + 4);
795                 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
796                                                         tbd_address + 6);
797                 tbd_address += 8;
798                 TRACE(RXTX, logout
799                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
800                      tx_buffer_address, tx_buffer_size));
801                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
802                 pci_dma_read(&s->dev, tx_buffer_address,
803                              &buf[size], tx_buffer_size);
804                 size += tx_buffer_size;
805                 if (tx_buffer_el & 1) {
806                     break;
807                 }
808             }
809         }
810         tbd_address = tbd_array;
811         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
812             uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
813             uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
814             uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
815             tbd_address += 8;
816             TRACE(RXTX, logout
817                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
818                  tx_buffer_address, tx_buffer_size));
819             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
820             pci_dma_read(&s->dev, tx_buffer_address,
821                          &buf[size], tx_buffer_size);
822             size += tx_buffer_size;
823             if (tx_buffer_el & 1) {
824                 break;
825             }
826         }
827     }
828     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
829     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
830     s->statistics.tx_good_frames++;
831     /* Transmit with bad status would raise an CX/TNO interrupt.
832      * (82557 only). Emulation never has bad status. */
833 #if 0
834     eepro100_cx_interrupt(s);
835 #endif
836 }
837 
838 static void set_multicast_list(EEPRO100State *s)
839 {
840     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
841     uint16_t i;
842     memset(&s->mult[0], 0, sizeof(s->mult));
843     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
844     for (i = 0; i < multicast_count; i += 6) {
845         uint8_t multicast_addr[6];
846         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
847         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
848         unsigned mcast_idx = e100_compute_mcast_idx(multicast_addr);
849         assert(mcast_idx < 64);
850         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
851     }
852 }
853 
854 static void action_command(EEPRO100State *s)
855 {
856     /* The loop below won't stop if it gets special handcrafted data.
857        Therefore we limit the number of iterations. */
858     unsigned max_loop_count = 16;
859 
860     for (;;) {
861         bool bit_el;
862         bool bit_s;
863         bool bit_i;
864         bool bit_nc;
865         uint16_t ok_status = STATUS_OK;
866         s->cb_address = s->cu_base + s->cu_offset;
867         read_cb(s);
868         bit_el = ((s->tx.command & COMMAND_EL) != 0);
869         bit_s = ((s->tx.command & COMMAND_S) != 0);
870         bit_i = ((s->tx.command & COMMAND_I) != 0);
871         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
872 #if 0
873         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
874 #endif
875 
876         if (max_loop_count-- == 0) {
877             /* Prevent an endless loop. */
878             logout("loop in %s:%u\n", __FILE__, __LINE__);
879             break;
880         }
881 
882         s->cu_offset = s->tx.link;
883         TRACE(OTHER,
884               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
885                      s->tx.status, s->tx.command, s->tx.link));
886         switch (s->tx.command & COMMAND_CMD) {
887         case CmdNOp:
888             /* Do nothing. */
889             break;
890         case CmdIASetup:
891             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
892             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
893             break;
894         case CmdConfigure:
895             pci_dma_read(&s->dev, s->cb_address + 8,
896                          &s->configuration[0], sizeof(s->configuration));
897             TRACE(OTHER, logout("configuration: %s\n",
898                                 nic_dump(&s->configuration[0], 16)));
899             TRACE(OTHER, logout("configuration: %s\n",
900                                 nic_dump(&s->configuration[16],
901                                 ARRAY_SIZE(s->configuration) - 16)));
902             if (s->configuration[20] & BIT(6)) {
903                 TRACE(OTHER, logout("Multiple IA bit\n"));
904             }
905             break;
906         case CmdMulticastList:
907             set_multicast_list(s);
908             break;
909         case CmdTx:
910             if (bit_nc) {
911                 missing("CmdTx: NC = 0");
912                 ok_status = 0;
913                 break;
914             }
915             tx_command(s);
916             break;
917         case CmdTDR:
918             TRACE(OTHER, logout("load microcode\n"));
919             /* Starting with offset 8, the command contains
920              * 64 dwords microcode which we just ignore here. */
921             break;
922         case CmdDiagnose:
923             TRACE(OTHER, logout("diagnose\n"));
924             /* Make sure error flag is not set. */
925             s->tx.status = 0;
926             break;
927         default:
928             missing("undefined command");
929             ok_status = 0;
930             break;
931         }
932         /* Write new status. */
933         stw_le_pci_dma(&s->dev, s->cb_address,
934                        s->tx.status | ok_status | STATUS_C);
935         if (bit_i) {
936             /* CU completed action. */
937             eepro100_cx_interrupt(s);
938         }
939         if (bit_el) {
940             /* CU becomes idle. Terminate command loop. */
941             set_cu_state(s, cu_idle);
942             eepro100_cna_interrupt(s);
943             break;
944         } else if (bit_s) {
945             /* CU becomes suspended. Terminate command loop. */
946             set_cu_state(s, cu_suspended);
947             eepro100_cna_interrupt(s);
948             break;
949         } else {
950             /* More entries in list. */
951             TRACE(OTHER, logout("CU list with at least one more entry\n"));
952         }
953     }
954     TRACE(OTHER, logout("CU list empty\n"));
955     /* List is empty. Now CU is idle or suspended. */
956 }
957 
958 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
959 {
960     cu_state_t cu_state;
961     switch (val) {
962     case CU_NOP:
963         /* No operation. */
964         break;
965     case CU_START:
966         cu_state = get_cu_state(s);
967         if (cu_state != cu_idle && cu_state != cu_suspended) {
968             /* Intel documentation says that CU must be idle or suspended
969              * for the CU start command. */
970             logout("unexpected CU state is %u\n", cu_state);
971         }
972         set_cu_state(s, cu_active);
973         s->cu_offset = e100_read_reg4(s, SCBPointer);
974         action_command(s);
975         break;
976     case CU_RESUME:
977         if (get_cu_state(s) != cu_suspended) {
978             logout("bad CU resume from CU state %u\n", get_cu_state(s));
979             /* Workaround for bad Linux eepro100 driver which resumes
980              * from idle state. */
981 #if 0
982             missing("cu resume");
983 #endif
984             set_cu_state(s, cu_suspended);
985         }
986         if (get_cu_state(s) == cu_suspended) {
987             TRACE(OTHER, logout("CU resuming\n"));
988             set_cu_state(s, cu_active);
989             action_command(s);
990         }
991         break;
992     case CU_STATSADDR:
993         /* Load dump counters address. */
994         s->statsaddr = e100_read_reg4(s, SCBPointer);
995         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
996         if (s->statsaddr & 3) {
997             /* Memory must be Dword aligned. */
998             logout("unaligned dump counters address\n");
999             /* Handling of misaligned addresses is undefined.
1000              * Here we align the address by ignoring the lower bits. */
1001             /* TODO: Test unaligned dump counter address on real hardware. */
1002             s->statsaddr &= ~3;
1003         }
1004         break;
1005     case CU_SHOWSTATS:
1006         /* Dump statistical counters. */
1007         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
1008         dump_statistics(s);
1009         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
1010         break;
1011     case CU_CMD_BASE:
1012         /* Load CU base. */
1013         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
1014         s->cu_base = e100_read_reg4(s, SCBPointer);
1015         break;
1016     case CU_DUMPSTATS:
1017         /* Dump and reset statistical counters. */
1018         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
1019         dump_statistics(s);
1020         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
1021         memset(&s->statistics, 0, sizeof(s->statistics));
1022         break;
1023     case CU_SRESUME:
1024         /* CU static resume. */
1025         missing("CU static resume");
1026         break;
1027     default:
1028         missing("Undefined CU command");
1029     }
1030 }
1031 
1032 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1033 {
1034     switch (val) {
1035     case RU_NOP:
1036         /* No operation. */
1037         break;
1038     case RX_START:
1039         /* RU start. */
1040         if (get_ru_state(s) != ru_idle) {
1041             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1042 #if 0
1043             assert(!"wrong RU state");
1044 #endif
1045         }
1046         set_ru_state(s, ru_ready);
1047         s->ru_offset = e100_read_reg4(s, SCBPointer);
1048         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1049         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1050         break;
1051     case RX_RESUME:
1052         /* Restart RU. */
1053         if (get_ru_state(s) != ru_suspended) {
1054             logout("RU state is %u, should be %u\n", get_ru_state(s),
1055                    ru_suspended);
1056 #if 0
1057             assert(!"wrong RU state");
1058 #endif
1059         }
1060         set_ru_state(s, ru_ready);
1061         break;
1062     case RU_ABORT:
1063         /* RU abort. */
1064         if (get_ru_state(s) == ru_ready) {
1065             eepro100_rnr_interrupt(s);
1066         }
1067         set_ru_state(s, ru_idle);
1068         break;
1069     case RX_ADDR_LOAD:
1070         /* Load RU base. */
1071         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1072         s->ru_base = e100_read_reg4(s, SCBPointer);
1073         break;
1074     default:
1075         logout("val=0x%02x (undefined RU command)\n", val);
1076         missing("Undefined SU command");
1077     }
1078 }
1079 
1080 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1081 {
1082     eepro100_ru_command(s, val & 0x0f);
1083     eepro100_cu_command(s, val & 0xf0);
1084     if ((val) == 0) {
1085         TRACE(OTHER, logout("val=0x%02x\n", val));
1086     }
1087     /* Clear command byte after command was accepted. */
1088     s->mem[SCBCmd] = 0;
1089 }
1090 
1091 /*****************************************************************************
1092  *
1093  * EEPROM emulation.
1094  *
1095  ****************************************************************************/
1096 
1097 #define EEPROM_CS       0x02
1098 #define EEPROM_SK       0x01
1099 #define EEPROM_DI       0x04
1100 #define EEPROM_DO       0x08
1101 
1102 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1103 {
1104     uint16_t val = e100_read_reg2(s, SCBeeprom);
1105     if (eeprom93xx_read(s->eeprom)) {
1106         val |= EEPROM_DO;
1107     } else {
1108         val &= ~EEPROM_DO;
1109     }
1110     TRACE(EEPROM, logout("val=0x%04x\n", val));
1111     return val;
1112 }
1113 
1114 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1115 {
1116     TRACE(EEPROM, logout("val=0x%02x\n", val));
1117 
1118     /* mask unwritable bits */
1119 #if 0
1120     val = SET_MASKED(val, 0x31, eeprom->value);
1121 #endif
1122 
1123     int eecs = ((val & EEPROM_CS) != 0);
1124     int eesk = ((val & EEPROM_SK) != 0);
1125     int eedi = ((val & EEPROM_DI) != 0);
1126     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1127 }
1128 
1129 /*****************************************************************************
1130  *
1131  * MDI emulation.
1132  *
1133  ****************************************************************************/
1134 
1135 #if defined(DEBUG_EEPRO100)
1136 static const char * const mdi_op_name[] = {
1137     "opcode 0",
1138     "write",
1139     "read",
1140     "opcode 3"
1141 };
1142 
1143 static const char * const mdi_reg_name[] = {
1144     "Control",
1145     "Status",
1146     "PHY Identification (Word 1)",
1147     "PHY Identification (Word 2)",
1148     "Auto-Negotiation Advertisement",
1149     "Auto-Negotiation Link Partner Ability",
1150     "Auto-Negotiation Expansion"
1151 };
1152 
1153 static const char *reg2name(uint8_t reg)
1154 {
1155     static char buffer[10];
1156     const char *p = buffer;
1157     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1158         p = mdi_reg_name[reg];
1159     } else {
1160         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1161     }
1162     return p;
1163 }
1164 #endif                          /* DEBUG_EEPRO100 */
1165 
1166 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1167 {
1168     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1169 
1170 #ifdef DEBUG_EEPRO100
1171     uint8_t raiseint = (val & BIT(29)) >> 29;
1172     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1173     uint8_t phy = (val & BITS(25, 21)) >> 21;
1174     uint8_t reg = (val & BITS(20, 16)) >> 16;
1175     uint16_t data = (val & BITS(15, 0));
1176 #endif
1177     /* Emulation takes no time to finish MDI transaction. */
1178     val |= BIT(28);
1179     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1180                       val, raiseint, mdi_op_name[opcode], phy,
1181                       reg2name(reg), data));
1182     return val;
1183 }
1184 
1185 static void eepro100_write_mdi(EEPRO100State *s)
1186 {
1187     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1188     uint8_t raiseint = (val & BIT(29)) >> 29;
1189     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1190     uint8_t phy = (val & BITS(25, 21)) >> 21;
1191     uint8_t reg = (val & BITS(20, 16)) >> 16;
1192     uint16_t data = (val & BITS(15, 0));
1193     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1194           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1195     if (phy != 1) {
1196         /* Unsupported PHY address. */
1197 #if 0
1198         logout("phy must be 1 but is %u\n", phy);
1199 #endif
1200         data = 0;
1201     } else if (opcode != 1 && opcode != 2) {
1202         /* Unsupported opcode. */
1203         logout("opcode must be 1 or 2 but is %u\n", opcode);
1204         data = 0;
1205     } else if (reg > 6) {
1206         /* Unsupported register. */
1207         logout("register must be 0...6 but is %u\n", reg);
1208         data = 0;
1209     } else {
1210         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1211                           val, raiseint, mdi_op_name[opcode], phy,
1212                           reg2name(reg), data));
1213         if (opcode == 1) {
1214             /* MDI write */
1215             switch (reg) {
1216             case 0:            /* Control Register */
1217                 if (data & 0x8000) {
1218                     /* Reset status and control registers to default. */
1219                     s->mdimem[0] = eepro100_mdi_default[0];
1220                     s->mdimem[1] = eepro100_mdi_default[1];
1221                     data = s->mdimem[reg];
1222                 } else {
1223                     /* Restart Auto Configuration = Normal Operation */
1224                     data &= ~0x0200;
1225                 }
1226                 break;
1227             case 1:            /* Status Register */
1228                 missing("not writable");
1229                 break;
1230             case 2:            /* PHY Identification Register (Word 1) */
1231             case 3:            /* PHY Identification Register (Word 2) */
1232                 missing("not implemented");
1233                 break;
1234             case 4:            /* Auto-Negotiation Advertisement Register */
1235             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1236                 break;
1237             case 6:            /* Auto-Negotiation Expansion Register */
1238             default:
1239                 missing("not implemented");
1240             }
1241             s->mdimem[reg] &= eepro100_mdi_mask[reg];
1242             s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
1243         } else if (opcode == 2) {
1244             /* MDI read */
1245             switch (reg) {
1246             case 0:            /* Control Register */
1247                 if (data & 0x8000) {
1248                     /* Reset status and control registers to default. */
1249                     s->mdimem[0] = eepro100_mdi_default[0];
1250                     s->mdimem[1] = eepro100_mdi_default[1];
1251                 }
1252                 break;
1253             case 1:            /* Status Register */
1254                 s->mdimem[reg] |= 0x0020;
1255                 break;
1256             case 2:            /* PHY Identification Register (Word 1) */
1257             case 3:            /* PHY Identification Register (Word 2) */
1258             case 4:            /* Auto-Negotiation Advertisement Register */
1259                 break;
1260             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1261                 s->mdimem[reg] = 0x41fe;
1262                 break;
1263             case 6:            /* Auto-Negotiation Expansion Register */
1264                 s->mdimem[reg] = 0x0001;
1265                 break;
1266             }
1267             data = s->mdimem[reg];
1268         }
1269         /* Emulation takes no time to finish MDI transaction.
1270          * Set MDI bit in SCB status register. */
1271         s->mem[SCBAck] |= 0x08;
1272         val |= BIT(28);
1273         if (raiseint) {
1274             eepro100_mdi_interrupt(s);
1275         }
1276     }
1277     val = (val & 0xffff0000) + data;
1278     e100_write_reg4(s, SCBCtrlMDI, val);
1279 }
1280 
1281 /*****************************************************************************
1282  *
1283  * Port emulation.
1284  *
1285  ****************************************************************************/
1286 
1287 #define PORT_SOFTWARE_RESET     0
1288 #define PORT_SELFTEST           1
1289 #define PORT_SELECTIVE_RESET    2
1290 #define PORT_DUMP               3
1291 #define PORT_SELECTION_MASK     3
1292 
1293 typedef struct {
1294     uint32_t st_sign;           /* Self Test Signature */
1295     uint32_t st_result;         /* Self Test Results */
1296 } eepro100_selftest_t;
1297 
1298 static uint32_t eepro100_read_port(EEPRO100State * s)
1299 {
1300     return 0;
1301 }
1302 
1303 static void eepro100_write_port(EEPRO100State *s)
1304 {
1305     uint32_t val = e100_read_reg4(s, SCBPort);
1306     uint32_t address = (val & ~PORT_SELECTION_MASK);
1307     uint8_t selection = (val & PORT_SELECTION_MASK);
1308     switch (selection) {
1309     case PORT_SOFTWARE_RESET:
1310         nic_reset(s);
1311         break;
1312     case PORT_SELFTEST:
1313         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1314         eepro100_selftest_t data;
1315         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1316         data.st_sign = 0xffffffff;
1317         data.st_result = 0;
1318         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1319         break;
1320     case PORT_SELECTIVE_RESET:
1321         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1322         nic_selective_reset(s);
1323         break;
1324     default:
1325         logout("val=0x%08x\n", val);
1326         missing("unknown port selection");
1327     }
1328 }
1329 
1330 /*****************************************************************************
1331  *
1332  * General hardware emulation.
1333  *
1334  ****************************************************************************/
1335 
1336 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1337 {
1338     uint8_t val = 0;
1339     if (addr <= sizeof(s->mem) - sizeof(val)) {
1340         val = s->mem[addr];
1341     }
1342 
1343     switch (addr) {
1344     case SCBStatus:
1345     case SCBAck:
1346         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1347         break;
1348     case SCBCmd:
1349         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1350 #if 0
1351         val = eepro100_read_command(s);
1352 #endif
1353         break;
1354     case SCBIntmask:
1355         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1356         break;
1357     case SCBPort + 3:
1358         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1359         break;
1360     case SCBeeprom:
1361         val = eepro100_read_eeprom(s);
1362         break;
1363     case SCBCtrlMDI:
1364     case SCBCtrlMDI + 1:
1365     case SCBCtrlMDI + 2:
1366     case SCBCtrlMDI + 3:
1367         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1368         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1369         break;
1370     case SCBpmdr:       /* Power Management Driver Register */
1371         val = 0;
1372         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1373         break;
1374     case SCBgctrl:      /* General Control Register */
1375         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1376         break;
1377     case SCBgstat:      /* General Status Register */
1378         /* 100 Mbps full duplex, valid link */
1379         val = 0x07;
1380         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1381         break;
1382     default:
1383         logout("addr=%s val=0x%02x\n", regname(addr), val);
1384         missing("unknown byte read");
1385     }
1386     return val;
1387 }
1388 
1389 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1390 {
1391     uint16_t val = 0;
1392     if (addr <= sizeof(s->mem) - sizeof(val)) {
1393         val = e100_read_reg2(s, addr);
1394     }
1395 
1396     switch (addr) {
1397     case SCBStatus:
1398     case SCBCmd:
1399         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1400         break;
1401     case SCBeeprom:
1402         val = eepro100_read_eeprom(s);
1403         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1404         break;
1405     case SCBCtrlMDI:
1406     case SCBCtrlMDI + 2:
1407         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1408         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1409         break;
1410     default:
1411         logout("addr=%s val=0x%04x\n", regname(addr), val);
1412         missing("unknown word read");
1413     }
1414     return val;
1415 }
1416 
1417 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1418 {
1419     uint32_t val = 0;
1420     if (addr <= sizeof(s->mem) - sizeof(val)) {
1421         val = e100_read_reg4(s, addr);
1422     }
1423 
1424     switch (addr) {
1425     case SCBStatus:
1426         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1427         break;
1428     case SCBPointer:
1429         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1430         break;
1431     case SCBPort:
1432         val = eepro100_read_port(s);
1433         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1434         break;
1435     case SCBflash:
1436         val = eepro100_read_eeprom(s);
1437         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1438         break;
1439     case SCBCtrlMDI:
1440         val = eepro100_read_mdi(s);
1441         break;
1442     default:
1443         logout("addr=%s val=0x%08x\n", regname(addr), val);
1444         missing("unknown longword read");
1445     }
1446     return val;
1447 }
1448 
1449 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1450 {
1451     /* SCBStatus is readonly. */
1452     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1453         s->mem[addr] = val;
1454     }
1455 
1456     switch (addr) {
1457     case SCBStatus:
1458         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1459         break;
1460     case SCBAck:
1461         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1462         eepro100_acknowledge(s);
1463         break;
1464     case SCBCmd:
1465         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1466         eepro100_write_command(s, val);
1467         break;
1468     case SCBIntmask:
1469         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1470         if (val & BIT(1)) {
1471             eepro100_swi_interrupt(s);
1472         }
1473         eepro100_interrupt(s, 0);
1474         break;
1475     case SCBPointer:
1476     case SCBPointer + 1:
1477     case SCBPointer + 2:
1478     case SCBPointer + 3:
1479         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1480         break;
1481     case SCBPort:
1482     case SCBPort + 1:
1483     case SCBPort + 2:
1484         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1485         break;
1486     case SCBPort + 3:
1487         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1488         eepro100_write_port(s);
1489         break;
1490     case SCBFlow:       /* does not exist on 82557 */
1491     case SCBFlow + 1:
1492     case SCBFlow + 2:
1493     case SCBpmdr:       /* does not exist on 82557 */
1494         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1495         break;
1496     case SCBeeprom:
1497         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1498         eepro100_write_eeprom(s->eeprom, val);
1499         break;
1500     case SCBCtrlMDI:
1501     case SCBCtrlMDI + 1:
1502     case SCBCtrlMDI + 2:
1503         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1504         break;
1505     case SCBCtrlMDI + 3:
1506         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1507         eepro100_write_mdi(s);
1508         break;
1509     default:
1510         logout("addr=%s val=0x%02x\n", regname(addr), val);
1511         missing("unknown byte write");
1512     }
1513 }
1514 
1515 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1516 {
1517     /* SCBStatus is readonly. */
1518     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1519         e100_write_reg2(s, addr, val);
1520     }
1521 
1522     switch (addr) {
1523     case SCBStatus:
1524         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1525         s->mem[SCBAck] = (val >> 8);
1526         eepro100_acknowledge(s);
1527         break;
1528     case SCBCmd:
1529         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1530         eepro100_write_command(s, val);
1531         eepro100_write1(s, SCBIntmask, val >> 8);
1532         break;
1533     case SCBPointer:
1534     case SCBPointer + 2:
1535         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1536         break;
1537     case SCBPort:
1538         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1539         break;
1540     case SCBPort + 2:
1541         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1542         eepro100_write_port(s);
1543         break;
1544     case SCBeeprom:
1545         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1546         eepro100_write_eeprom(s->eeprom, val);
1547         break;
1548     case SCBCtrlMDI:
1549         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1550         break;
1551     case SCBCtrlMDI + 2:
1552         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1553         eepro100_write_mdi(s);
1554         break;
1555     default:
1556         logout("addr=%s val=0x%04x\n", regname(addr), val);
1557         missing("unknown word write");
1558     }
1559 }
1560 
1561 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1562 {
1563     if (addr <= sizeof(s->mem) - sizeof(val)) {
1564         e100_write_reg4(s, addr, val);
1565     }
1566 
1567     switch (addr) {
1568     case SCBPointer:
1569         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1570         break;
1571     case SCBPort:
1572         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1573         eepro100_write_port(s);
1574         break;
1575     case SCBflash:
1576         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1577         val = val >> 16;
1578         eepro100_write_eeprom(s->eeprom, val);
1579         break;
1580     case SCBCtrlMDI:
1581         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1582         eepro100_write_mdi(s);
1583         break;
1584     default:
1585         logout("addr=%s val=0x%08x\n", regname(addr), val);
1586         missing("unknown longword write");
1587     }
1588 }
1589 
1590 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1591                               unsigned size)
1592 {
1593     EEPRO100State *s = opaque;
1594 
1595     switch (size) {
1596     case 1: return eepro100_read1(s, addr);
1597     case 2: return eepro100_read2(s, addr);
1598     case 4: return eepro100_read4(s, addr);
1599     default: abort();
1600     }
1601 }
1602 
1603 static void eepro100_write(void *opaque, hwaddr addr,
1604                            uint64_t data, unsigned size)
1605 {
1606     EEPRO100State *s = opaque;
1607 
1608     switch (size) {
1609     case 1:
1610         eepro100_write1(s, addr, data);
1611         break;
1612     case 2:
1613         eepro100_write2(s, addr, data);
1614         break;
1615     case 4:
1616         eepro100_write4(s, addr, data);
1617         break;
1618     default:
1619         abort();
1620     }
1621 }
1622 
1623 static const MemoryRegionOps eepro100_ops = {
1624     .read = eepro100_read,
1625     .write = eepro100_write,
1626     .endianness = DEVICE_LITTLE_ENDIAN,
1627 };
1628 
1629 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1630 {
1631     /* TODO:
1632      * - Magic packets should set bit 30 in power management driver register.
1633      * - Interesting packets should set bit 29 in power management driver register.
1634      */
1635     EEPRO100State *s = qemu_get_nic_opaque(nc);
1636     uint16_t rfd_status = 0xa000;
1637 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1638     uint8_t min_buf[60];
1639 #endif
1640     static const uint8_t broadcast_macaddr[6] =
1641         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1642 
1643 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1644     /* Pad to minimum Ethernet frame length */
1645     if (size < sizeof(min_buf)) {
1646         memcpy(min_buf, buf, size);
1647         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1648         buf = min_buf;
1649         size = sizeof(min_buf);
1650     }
1651 #endif
1652 
1653     if (s->configuration[8] & 0x80) {
1654         /* CSMA is disabled. */
1655         logout("%p received while CSMA is disabled\n", s);
1656         return -1;
1657 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1658     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1659         /* Short frame and configuration byte 7/0 (discard short receive) set:
1660          * Short frame is discarded */
1661         logout("%p received short frame (%zu byte)\n", s, size);
1662         s->statistics.rx_short_frame_errors++;
1663         return -1;
1664 #endif
1665     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1666         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1667          * Long frames are discarded. */
1668         logout("%p received long frame (%zu byte), ignored\n", s, size);
1669         return -1;
1670     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1671         /* Frame matches individual address. */
1672         /* TODO: check configuration byte 15/4 (ignore U/L). */
1673         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1674     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1675         /* Broadcast frame. */
1676         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1677         rfd_status |= 0x0002;
1678     } else if (buf[0] & 0x01) {
1679         /* Multicast frame. */
1680         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1681         if (s->configuration[21] & BIT(3)) {
1682           /* Multicast all bit is set, receive all multicast frames. */
1683         } else {
1684           unsigned mcast_idx = e100_compute_mcast_idx(buf);
1685           assert(mcast_idx < 64);
1686           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1687             /* Multicast frame is allowed in hash table. */
1688           } else if (s->configuration[15] & BIT(0)) {
1689               /* Promiscuous: receive all. */
1690               rfd_status |= 0x0004;
1691           } else {
1692               TRACE(RXTX, logout("%p multicast ignored\n", s));
1693               return -1;
1694           }
1695         }
1696         /* TODO: Next not for promiscuous mode? */
1697         rfd_status |= 0x0002;
1698     } else if (s->configuration[15] & BIT(0)) {
1699         /* Promiscuous: receive all. */
1700         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1701         rfd_status |= 0x0004;
1702     } else if (s->configuration[20] & BIT(6)) {
1703         /* Multiple IA bit set. */
1704         unsigned mcast_idx = compute_mcast_idx(buf);
1705         assert(mcast_idx < 64);
1706         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1707             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1708         } else {
1709             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1710             return -1;
1711         }
1712     } else {
1713         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1714               nic_dump(buf, size)));
1715         return size;
1716     }
1717 
1718     if (get_ru_state(s) != ru_ready) {
1719         /* No resources available. */
1720         logout("no resources, state=%u\n", get_ru_state(s));
1721         /* TODO: RNR interrupt only at first failed frame? */
1722         eepro100_rnr_interrupt(s);
1723         s->statistics.rx_resource_errors++;
1724 #if 0
1725         assert(!"no resources");
1726 #endif
1727         return -1;
1728     }
1729     /* !!! */
1730     eepro100_rx_t rx;
1731     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1732                  &rx, sizeof(eepro100_rx_t));
1733     uint16_t rfd_command = le16_to_cpu(rx.command);
1734     uint16_t rfd_size = le16_to_cpu(rx.size);
1735 
1736     if (size > rfd_size) {
1737         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1738             "(%zu bytes); data truncated\n", rfd_size, size);
1739         size = rfd_size;
1740     }
1741 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1742     if (size < 64) {
1743         rfd_status |= 0x0080;
1744     }
1745 #endif
1746     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1747           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1748     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1749                 offsetof(eepro100_rx_t, status), rfd_status);
1750     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1751                 offsetof(eepro100_rx_t, count), size);
1752     /* Early receive interrupt not supported. */
1753 #if 0
1754     eepro100_er_interrupt(s);
1755 #endif
1756     /* Receive CRC Transfer not supported. */
1757     if (s->configuration[18] & BIT(2)) {
1758         missing("Receive CRC Transfer");
1759         return -1;
1760     }
1761     /* TODO: check stripping enable bit. */
1762 #if 0
1763     assert(!(s->configuration[17] & BIT(0)));
1764 #endif
1765     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1766                   sizeof(eepro100_rx_t), buf, size);
1767     s->statistics.rx_good_frames++;
1768     eepro100_fr_interrupt(s);
1769     s->ru_offset = le32_to_cpu(rx.link);
1770     if (rfd_command & COMMAND_EL) {
1771         /* EL bit is set, so this was the last frame. */
1772         logout("receive: Running out of frames\n");
1773         set_ru_state(s, ru_no_resources);
1774         eepro100_rnr_interrupt(s);
1775     }
1776     if (rfd_command & COMMAND_S) {
1777         /* S bit is set. */
1778         set_ru_state(s, ru_suspended);
1779     }
1780     return size;
1781 }
1782 
1783 static const VMStateDescription vmstate_eepro100 = {
1784     .version_id = 3,
1785     .minimum_version_id = 2,
1786     .fields = (VMStateField[]) {
1787         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1788         VMSTATE_UNUSED(32),
1789         VMSTATE_BUFFER(mult, EEPRO100State),
1790         VMSTATE_BUFFER(mem, EEPRO100State),
1791         /* Save all members of struct between scb_stat and mem. */
1792         VMSTATE_UINT8(scb_stat, EEPRO100State),
1793         VMSTATE_UINT8(int_stat, EEPRO100State),
1794         VMSTATE_UNUSED(3*4),
1795         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1796         VMSTATE_UNUSED(19*4),
1797         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1798         /* The eeprom should be saved and restored by its own routines. */
1799         VMSTATE_UINT32(device, EEPRO100State),
1800         /* TODO check device. */
1801         VMSTATE_UINT32(cu_base, EEPRO100State),
1802         VMSTATE_UINT32(cu_offset, EEPRO100State),
1803         VMSTATE_UINT32(ru_base, EEPRO100State),
1804         VMSTATE_UINT32(ru_offset, EEPRO100State),
1805         VMSTATE_UINT32(statsaddr, EEPRO100State),
1806         /* Save eepro100_stats_t statistics. */
1807         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1808         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1809         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1810         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1811         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1812         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1813         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1814         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1815         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1816         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1817         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1818         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1819         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1820         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1821         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1822         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1823         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1824         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1825         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1826         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1827         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1828         /* Configuration bytes. */
1829         VMSTATE_BUFFER(configuration, EEPRO100State),
1830         VMSTATE_END_OF_LIST()
1831     }
1832 };
1833 
1834 static void pci_nic_uninit(PCIDevice *pci_dev)
1835 {
1836     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1837 
1838     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
1839     g_free(s->vmstate);
1840     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1841     qemu_del_nic(s->nic);
1842 }
1843 
1844 static NetClientInfo net_eepro100_info = {
1845     .type = NET_CLIENT_DRIVER_NIC,
1846     .size = sizeof(NICState),
1847     .receive = nic_receive,
1848 };
1849 
1850 static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
1851 {
1852     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1853     E100PCIDeviceInfo *info = eepro100_get_class(s);
1854     Error *local_err = NULL;
1855 
1856     TRACE(OTHER, logout("\n"));
1857 
1858     s->device = info->device;
1859 
1860     e100_pci_reset(s, &local_err);
1861     if (local_err) {
1862         error_propagate(errp, local_err);
1863         return;
1864     }
1865 
1866     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1867      * i82559 and later support 64 or 256 word EEPROM. */
1868     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1869 
1870     /* Handler for memory-mapped I/O */
1871     memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
1872                           "eepro100-mmio", PCI_MEM_SIZE);
1873     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1874     memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
1875                           "eepro100-io", PCI_IO_SIZE);
1876     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1877     /* FIXME: flash aliases to mmio?! */
1878     memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
1879                           "eepro100-flash", PCI_FLASH_SIZE);
1880     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1881 
1882     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1883     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1884 
1885     nic_reset(s);
1886 
1887     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1888                           object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
1889 
1890     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1891     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1892 
1893     qemu_register_reset(nic_reset, s);
1894 
1895     s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
1896     s->vmstate->name = qemu_get_queue(s->nic)->model;
1897     vmstate_register(&pci_dev->qdev, -1, s->vmstate, s);
1898 }
1899 
1900 static void eepro100_instance_init(Object *obj)
1901 {
1902     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
1903     device_add_bootindex_property(obj, &s->conf.bootindex,
1904                                   "bootindex", "/ethernet-phy@0",
1905                                   DEVICE(s), NULL);
1906 }
1907 
1908 static E100PCIDeviceInfo e100_devices[] = {
1909     {
1910         .name = "i82550",
1911         .desc = "Intel i82550 Ethernet",
1912         .device = i82550,
1913         /* TODO: check device id. */
1914         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1915         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1916         .revision = 0x0e,
1917         /* TODO: check size of statistical counters. */
1918         .stats_size = 80,
1919         /* TODO: check extended tcb support. */
1920         .has_extended_tcb_support = true,
1921         .power_management = true,
1922     },{
1923         .name = "i82551",
1924         .desc = "Intel i82551 Ethernet",
1925         .device = i82551,
1926         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1927         /* Revision ID: 0x0f, 0x10. */
1928         .revision = 0x0f,
1929         /* TODO: check size of statistical counters. */
1930         .stats_size = 80,
1931         .has_extended_tcb_support = true,
1932         .power_management = true,
1933     },{
1934         .name = "i82557a",
1935         .desc = "Intel i82557A Ethernet",
1936         .device = i82557A,
1937         .device_id = PCI_DEVICE_ID_INTEL_82557,
1938         .revision = 0x01,
1939         .power_management = false,
1940     },{
1941         .name = "i82557b",
1942         .desc = "Intel i82557B Ethernet",
1943         .device = i82557B,
1944         .device_id = PCI_DEVICE_ID_INTEL_82557,
1945         .revision = 0x02,
1946         .power_management = false,
1947     },{
1948         .name = "i82557c",
1949         .desc = "Intel i82557C Ethernet",
1950         .device = i82557C,
1951         .device_id = PCI_DEVICE_ID_INTEL_82557,
1952         .revision = 0x03,
1953         .power_management = false,
1954     },{
1955         .name = "i82558a",
1956         .desc = "Intel i82558A Ethernet",
1957         .device = i82558A,
1958         .device_id = PCI_DEVICE_ID_INTEL_82557,
1959         .revision = 0x04,
1960         .stats_size = 76,
1961         .has_extended_tcb_support = true,
1962         .power_management = true,
1963     },{
1964         .name = "i82558b",
1965         .desc = "Intel i82558B Ethernet",
1966         .device = i82558B,
1967         .device_id = PCI_DEVICE_ID_INTEL_82557,
1968         .revision = 0x05,
1969         .stats_size = 76,
1970         .has_extended_tcb_support = true,
1971         .power_management = true,
1972     },{
1973         .name = "i82559a",
1974         .desc = "Intel i82559A Ethernet",
1975         .device = i82559A,
1976         .device_id = PCI_DEVICE_ID_INTEL_82557,
1977         .revision = 0x06,
1978         .stats_size = 80,
1979         .has_extended_tcb_support = true,
1980         .power_management = true,
1981     },{
1982         .name = "i82559b",
1983         .desc = "Intel i82559B Ethernet",
1984         .device = i82559B,
1985         .device_id = PCI_DEVICE_ID_INTEL_82557,
1986         .revision = 0x07,
1987         .stats_size = 80,
1988         .has_extended_tcb_support = true,
1989         .power_management = true,
1990     },{
1991         .name = "i82559c",
1992         .desc = "Intel i82559C Ethernet",
1993         .device = i82559C,
1994         .device_id = PCI_DEVICE_ID_INTEL_82557,
1995 #if 0
1996         .revision = 0x08,
1997 #endif
1998         /* TODO: Windows wants revision id 0x0c. */
1999         .revision = 0x0c,
2000 #if EEPROM_SIZE > 0
2001         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
2002         .subsystem_id = 0x0040,
2003 #endif
2004         .stats_size = 80,
2005         .has_extended_tcb_support = true,
2006         .power_management = true,
2007     },{
2008         .name = "i82559er",
2009         .desc = "Intel i82559ER Ethernet",
2010         .device = i82559ER,
2011         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2012         .revision = 0x09,
2013         .stats_size = 80,
2014         .has_extended_tcb_support = true,
2015         .power_management = true,
2016     },{
2017         .name = "i82562",
2018         .desc = "Intel i82562 Ethernet",
2019         .device = i82562,
2020         /* TODO: check device id. */
2021         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2022         /* TODO: wrong revision id. */
2023         .revision = 0x0e,
2024         .stats_size = 80,
2025         .has_extended_tcb_support = true,
2026         .power_management = true,
2027     },{
2028         /* Toshiba Tecra 8200. */
2029         .name = "i82801",
2030         .desc = "Intel i82801 Ethernet",
2031         .device = i82801,
2032         .device_id = 0x2449,
2033         .revision = 0x03,
2034         .stats_size = 80,
2035         .has_extended_tcb_support = true,
2036         .power_management = true,
2037     }
2038 };
2039 
2040 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2041 {
2042     E100PCIDeviceInfo *info = NULL;
2043     int i;
2044 
2045     /* This is admittedly awkward but also temporary.  QOM allows for
2046      * parameterized typing and for subclassing both of which would suitable
2047      * handle what's going on here.  But class_data is already being used as
2048      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2049      * right now.  Once we merge the final QOM series, we can come back here and
2050      * do this in a much more elegant fashion.
2051      */
2052     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2053         if (strcmp(e100_devices[i].name, typename) == 0) {
2054             info = &e100_devices[i];
2055             break;
2056         }
2057     }
2058     assert(info != NULL);
2059 
2060     return info;
2061 }
2062 
2063 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2064 {
2065     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2066 }
2067 
2068 static Property e100_properties[] = {
2069     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2070     DEFINE_PROP_END_OF_LIST(),
2071 };
2072 
2073 static void eepro100_class_init(ObjectClass *klass, void *data)
2074 {
2075     DeviceClass *dc = DEVICE_CLASS(klass);
2076     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2077     E100PCIDeviceInfo *info;
2078 
2079     info = eepro100_get_class_by_name(object_class_get_name(klass));
2080 
2081     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
2082     dc->props = e100_properties;
2083     dc->desc = info->desc;
2084     k->vendor_id = PCI_VENDOR_ID_INTEL;
2085     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2086     k->romfile = "pxe-eepro100.rom";
2087     k->realize = e100_nic_realize;
2088     k->exit = pci_nic_uninit;
2089     k->device_id = info->device_id;
2090     k->revision = info->revision;
2091     k->subsystem_vendor_id = info->subsystem_vendor_id;
2092     k->subsystem_id = info->subsystem_id;
2093 }
2094 
2095 static void eepro100_register_types(void)
2096 {
2097     size_t i;
2098     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2099         TypeInfo type_info = {};
2100         E100PCIDeviceInfo *info = &e100_devices[i];
2101 
2102         type_info.name = info->name;
2103         type_info.parent = TYPE_PCI_DEVICE;
2104         type_info.class_init = eepro100_class_init;
2105         type_info.instance_size = sizeof(EEPRO100State);
2106         type_info.instance_init = eepro100_instance_init;
2107         type_info.interfaces = (InterfaceInfo[]) {
2108             { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2109             { },
2110         };
2111 
2112         type_register(&type_info);
2113     }
2114 }
2115 
2116 type_init(eepro100_register_types)
2117