xref: /openbmc/qemu/hw/net/eepro100.c (revision 64552b6b)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 2 of the License, or
12  * (at your option) version 3 or any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * Tested features (i82559):
23  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
24  *      Linux networking (i386) ok
25  *
26  * Untested:
27  *      Windows networking
28  *
29  * References:
30  *
31  * Intel 8255x 10/100 Mbps Ethernet Controller Family
32  * Open Source Software Developer Manual
33  *
34  * TODO:
35  *      * PHY emulation should be separated from nic emulation.
36  *        Most nic emulations could share the same phy code.
37  *      * i82550 is untested. It is programmed like the i82559.
38  *      * i82562 is untested. It is programmed like the i82559.
39  *      * Power management (i82558 and later) is not implemented.
40  *      * Wake-on-LAN is not implemented.
41  */
42 
43 #include "qemu/osdep.h"
44 #include "qemu/units.h"
45 #include "hw/hw.h"
46 #include "hw/pci/pci.h"
47 #include "net/net.h"
48 #include "net/eth.h"
49 #include "hw/nvram/eeprom93xx.h"
50 #include "sysemu/sysemu.h"
51 #include "sysemu/dma.h"
52 #include "sysemu/reset.h"
53 #include "qemu/bitops.h"
54 #include "qemu/module.h"
55 #include "qapi/error.h"
56 
57 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
58  * Such frames are rejected by real nics and their emulations.
59  * To avoid this behaviour, other nic emulations pad received
60  * frames. The following definition enables this padding for
61  * eepro100, too. We keep the define around in case it might
62  * become useful the future if the core networking is ever
63  * changed to pad short packets itself. */
64 #define CONFIG_PAD_RECEIVED_FRAMES
65 
66 /* Debug EEPRO100 card. */
67 #if 0
68 # define DEBUG_EEPRO100
69 #endif
70 
71 #ifdef DEBUG_EEPRO100
72 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
73 #else
74 #define logout(fmt, ...) ((void)0)
75 #endif
76 
77 /* Set flags to 0 to disable debug output. */
78 #define INT     1       /* interrupt related actions */
79 #define MDI     1       /* mdi related actions */
80 #define OTHER   1
81 #define RXTX    1
82 #define EEPROM  1       /* eeprom related actions */
83 
84 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
85 
86 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
87 
88 #define MAX_ETH_FRAME_SIZE 1514
89 
90 /* This driver supports several different devices which are declared here. */
91 #define i82550          0x82550
92 #define i82551          0x82551
93 #define i82557A         0x82557a
94 #define i82557B         0x82557b
95 #define i82557C         0x82557c
96 #define i82558A         0x82558a
97 #define i82558B         0x82558b
98 #define i82559A         0x82559a
99 #define i82559B         0x82559b
100 #define i82559C         0x82559c
101 #define i82559ER        0x82559e
102 #define i82562          0x82562
103 #define i82801          0x82801
104 
105 /* Use 64 word EEPROM. TODO: could be a runtime option. */
106 #define EEPROM_SIZE     64
107 
108 #define PCI_MEM_SIZE            (4 * KiB)
109 #define PCI_IO_SIZE             64
110 #define PCI_FLASH_SIZE          (128 * KiB)
111 
112 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
113 
114 /* The SCB accepts the following controls for the Tx and Rx units: */
115 #define  CU_NOP         0x0000  /* No operation. */
116 #define  CU_START       0x0010  /* CU start. */
117 #define  CU_RESUME      0x0020  /* CU resume. */
118 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
119 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
120 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
121 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
122 #define  CU_SRESUME     0x00a0  /* CU static resume. */
123 
124 #define  RU_NOP         0x0000
125 #define  RX_START       0x0001
126 #define  RX_RESUME      0x0002
127 #define  RU_ABORT       0x0004
128 #define  RX_ADDR_LOAD   0x0006
129 #define  RX_RESUMENR    0x0007
130 #define INT_MASK        0x0100
131 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
132 
133 typedef struct {
134     const char *name;
135     const char *desc;
136     uint16_t device_id;
137     uint8_t revision;
138     uint16_t subsystem_vendor_id;
139     uint16_t subsystem_id;
140 
141     uint32_t device;
142     uint8_t stats_size;
143     bool has_extended_tcb_support;
144     bool power_management;
145 } E100PCIDeviceInfo;
146 
147 /* Offsets to the various registers.
148    All accesses need not be longword aligned. */
149 typedef enum {
150     SCBStatus = 0,              /* Status Word. */
151     SCBAck = 1,
152     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
153     SCBIntmask = 3,
154     SCBPointer = 4,             /* General purpose pointer. */
155     SCBPort = 8,                /* Misc. commands and operands.  */
156     SCBflash = 12,              /* Flash memory control. */
157     SCBeeprom = 14,             /* EEPROM control. */
158     SCBCtrlMDI = 16,            /* MDI interface control. */
159     SCBEarlyRx = 20,            /* Early receive byte count. */
160     SCBFlow = 24,               /* Flow Control. */
161     SCBpmdr = 27,               /* Power Management Driver. */
162     SCBgctrl = 28,              /* General Control. */
163     SCBgstat = 29,              /* General Status. */
164 } E100RegisterOffset;
165 
166 /* A speedo3 transmit buffer descriptor with two buffers... */
167 typedef struct {
168     uint16_t status;
169     uint16_t command;
170     uint32_t link;              /* void * */
171     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
172     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
173     uint8_t tx_threshold;       /* transmit threshold */
174     uint8_t tbd_count;          /* TBD number */
175 #if 0
176     /* This constitutes two "TBD" entries: hdr and data */
177     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
178     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
179     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
180     int32_t  tx_buf_size1;  /* Length of Tx data. */
181 #endif
182 } eepro100_tx_t;
183 
184 /* Receive frame descriptor. */
185 typedef struct {
186     int16_t status;
187     uint16_t command;
188     uint32_t link;              /* struct RxFD * */
189     uint32_t rx_buf_addr;       /* void * */
190     uint16_t count;
191     uint16_t size;
192     /* Ethernet frame data follows. */
193 } eepro100_rx_t;
194 
195 typedef enum {
196     COMMAND_EL = BIT(15),
197     COMMAND_S = BIT(14),
198     COMMAND_I = BIT(13),
199     COMMAND_NC = BIT(4),
200     COMMAND_SF = BIT(3),
201     COMMAND_CMD = BITS(2, 0),
202 } scb_command_bit;
203 
204 typedef enum {
205     STATUS_C = BIT(15),
206     STATUS_OK = BIT(13),
207 } scb_status_bit;
208 
209 typedef struct {
210     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
211              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
212              tx_multiple_collisions, tx_total_collisions;
213     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
214              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
215              rx_short_frame_errors;
216     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
217     uint16_t xmt_tco_frames, rcv_tco_frames;
218     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
219     uint32_t reserved[4];
220 } eepro100_stats_t;
221 
222 typedef enum {
223     cu_idle = 0,
224     cu_suspended = 1,
225     cu_active = 2,
226     cu_lpq_active = 2,
227     cu_hqp_active = 3
228 } cu_state_t;
229 
230 typedef enum {
231     ru_idle = 0,
232     ru_suspended = 1,
233     ru_no_resources = 2,
234     ru_ready = 4
235 } ru_state_t;
236 
237 typedef struct {
238     PCIDevice dev;
239     /* Hash register (multicast mask array, multiple individual addresses). */
240     uint8_t mult[8];
241     MemoryRegion mmio_bar;
242     MemoryRegion io_bar;
243     MemoryRegion flash_bar;
244     NICState *nic;
245     NICConf conf;
246     uint8_t scb_stat;           /* SCB stat/ack byte */
247     uint8_t int_stat;           /* PCI interrupt status */
248     /* region must not be saved by nic_save. */
249     uint16_t mdimem[32];
250     eeprom_t *eeprom;
251     uint32_t device;            /* device variant */
252     /* (cu_base + cu_offset) address the next command block in the command block list. */
253     uint32_t cu_base;           /* CU base address */
254     uint32_t cu_offset;         /* CU address offset */
255     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
256     uint32_t ru_base;           /* RU base address */
257     uint32_t ru_offset;         /* RU address offset */
258     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
259 
260     /* Temporary status information (no need to save these values),
261      * used while processing CU commands. */
262     eepro100_tx_t tx;           /* transmit buffer descriptor */
263     uint32_t cb_address;        /* = cu_base + cu_offset */
264 
265     /* Statistical counters. Also used for wake-up packet (i82559). */
266     eepro100_stats_t statistics;
267 
268     /* Data in mem is always in the byte order of the controller (le).
269      * It must be dword aligned to allow direct access to 32 bit values. */
270     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
271 
272     /* Configuration bytes. */
273     uint8_t configuration[22];
274 
275     /* vmstate for each particular nic */
276     VMStateDescription *vmstate;
277 
278     /* Quasi static device properties (no need to save them). */
279     uint16_t stats_size;
280     bool has_extended_tcb_support;
281 } EEPRO100State;
282 
283 /* Word indices in EEPROM. */
284 typedef enum {
285     EEPROM_CNFG_MDIX  = 0x03,
286     EEPROM_ID         = 0x05,
287     EEPROM_PHY_ID     = 0x06,
288     EEPROM_VENDOR_ID  = 0x0c,
289     EEPROM_CONFIG_ASF = 0x0d,
290     EEPROM_DEVICE_ID  = 0x23,
291     EEPROM_SMBUS_ADDR = 0x90,
292 } EEPROMOffset;
293 
294 /* Bit values for EEPROM ID word. */
295 typedef enum {
296     EEPROM_ID_MDM = BIT(0),     /* Modem */
297     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
298     EEPROM_ID_WMR = BIT(2),     /* ??? */
299     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
300     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
301     EEPROM_ID_ALT = BIT(7),     /* */
302     /* BITS(10, 8) device revision */
303     EEPROM_ID_BD = BIT(11),     /* boot disable */
304     EEPROM_ID_ID = BIT(13),     /* id bit */
305     /* BITS(15, 14) signature */
306     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
307 } eeprom_id_bit;
308 
309 /* Default values for MDI (PHY) registers */
310 static const uint16_t eepro100_mdi_default[] = {
311     /* MDI Registers 0 - 6, 7 */
312     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
313     /* MDI Registers 8 - 15 */
314     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
315     /* MDI Registers 16 - 31 */
316     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
317     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
318 };
319 
320 /* Readonly mask for MDI (PHY) registers */
321 static const uint16_t eepro100_mdi_mask[] = {
322     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
323     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
324     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
325     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
326 };
327 
328 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
329 
330 /* Read a 16 bit control/status (CSR) register. */
331 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
332 {
333     assert(!((uintptr_t)&s->mem[addr] & 1));
334     return lduw_le_p(&s->mem[addr]);
335 }
336 
337 /* Read a 32 bit control/status (CSR) register. */
338 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
339 {
340     assert(!((uintptr_t)&s->mem[addr] & 3));
341     return ldl_le_p(&s->mem[addr]);
342 }
343 
344 /* Write a 16 bit control/status (CSR) register. */
345 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
346                             uint16_t val)
347 {
348     assert(!((uintptr_t)&s->mem[addr] & 1));
349     stw_le_p(&s->mem[addr], val);
350 }
351 
352 /* Read a 32 bit control/status (CSR) register. */
353 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
354                             uint32_t val)
355 {
356     assert(!((uintptr_t)&s->mem[addr] & 3));
357     stl_le_p(&s->mem[addr], val);
358 }
359 
360 #if defined(DEBUG_EEPRO100)
361 static const char *nic_dump(const uint8_t * buf, unsigned size)
362 {
363     static char dump[3 * 16 + 1];
364     char *p = &dump[0];
365     if (size > 16) {
366         size = 16;
367     }
368     while (size-- > 0) {
369         p += sprintf(p, " %02x", *buf++);
370     }
371     return dump;
372 }
373 #endif                          /* DEBUG_EEPRO100 */
374 
375 enum scb_stat_ack {
376     stat_ack_not_ours = 0x00,
377     stat_ack_sw_gen = 0x04,
378     stat_ack_rnr = 0x10,
379     stat_ack_cu_idle = 0x20,
380     stat_ack_frame_rx = 0x40,
381     stat_ack_cu_cmd_done = 0x80,
382     stat_ack_not_present = 0xFF,
383     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
384     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
385 };
386 
387 static void disable_interrupt(EEPRO100State * s)
388 {
389     if (s->int_stat) {
390         TRACE(INT, logout("interrupt disabled\n"));
391         pci_irq_deassert(&s->dev);
392         s->int_stat = 0;
393     }
394 }
395 
396 static void enable_interrupt(EEPRO100State * s)
397 {
398     if (!s->int_stat) {
399         TRACE(INT, logout("interrupt enabled\n"));
400         pci_irq_assert(&s->dev);
401         s->int_stat = 1;
402     }
403 }
404 
405 static void eepro100_acknowledge(EEPRO100State * s)
406 {
407     s->scb_stat &= ~s->mem[SCBAck];
408     s->mem[SCBAck] = s->scb_stat;
409     if (s->scb_stat == 0) {
410         disable_interrupt(s);
411     }
412 }
413 
414 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
415 {
416     uint8_t mask = ~s->mem[SCBIntmask];
417     s->mem[SCBAck] |= status;
418     status = s->scb_stat = s->mem[SCBAck];
419     status &= (mask | 0x0f);
420 #if 0
421     status &= (~s->mem[SCBIntmask] | 0x0xf);
422 #endif
423     if (status && (mask & 0x01)) {
424         /* SCB mask and SCB Bit M do not disable interrupt. */
425         enable_interrupt(s);
426     } else if (s->int_stat) {
427         disable_interrupt(s);
428     }
429 }
430 
431 static void eepro100_cx_interrupt(EEPRO100State * s)
432 {
433     /* CU completed action command. */
434     /* Transmit not ok (82557 only, not in emulation). */
435     eepro100_interrupt(s, 0x80);
436 }
437 
438 static void eepro100_cna_interrupt(EEPRO100State * s)
439 {
440     /* CU left the active state. */
441     eepro100_interrupt(s, 0x20);
442 }
443 
444 static void eepro100_fr_interrupt(EEPRO100State * s)
445 {
446     /* RU received a complete frame. */
447     eepro100_interrupt(s, 0x40);
448 }
449 
450 static void eepro100_rnr_interrupt(EEPRO100State * s)
451 {
452     /* RU is not ready. */
453     eepro100_interrupt(s, 0x10);
454 }
455 
456 static void eepro100_mdi_interrupt(EEPRO100State * s)
457 {
458     /* MDI completed read or write cycle. */
459     eepro100_interrupt(s, 0x08);
460 }
461 
462 static void eepro100_swi_interrupt(EEPRO100State * s)
463 {
464     /* Software has requested an interrupt. */
465     eepro100_interrupt(s, 0x04);
466 }
467 
468 #if 0
469 static void eepro100_fcp_interrupt(EEPRO100State * s)
470 {
471     /* Flow control pause interrupt (82558 and later). */
472     eepro100_interrupt(s, 0x01);
473 }
474 #endif
475 
476 static void e100_pci_reset(EEPRO100State *s, Error **errp)
477 {
478     E100PCIDeviceInfo *info = eepro100_get_class(s);
479     uint32_t device = s->device;
480     uint8_t *pci_conf = s->dev.config;
481 
482     TRACE(OTHER, logout("%p\n", s));
483 
484     /* PCI Status */
485     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
486                                         PCI_STATUS_FAST_BACK);
487     /* PCI Latency Timer */
488     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
489     /* Capability Pointer is set by PCI framework. */
490     /* Interrupt Line */
491     /* Interrupt Pin */
492     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
493     /* Minimum Grant */
494     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
495     /* Maximum Latency */
496     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
497 
498     s->stats_size = info->stats_size;
499     s->has_extended_tcb_support = info->has_extended_tcb_support;
500 
501     switch (device) {
502     case i82550:
503     case i82551:
504     case i82557A:
505     case i82557B:
506     case i82557C:
507     case i82558A:
508     case i82558B:
509     case i82559A:
510     case i82559B:
511     case i82559ER:
512     case i82562:
513     case i82801:
514     case i82559C:
515         break;
516     default:
517         logout("Device %X is undefined!\n", device);
518     }
519 
520     /* Standard TxCB. */
521     s->configuration[6] |= BIT(4);
522 
523     /* Standard statistical counters. */
524     s->configuration[6] |= BIT(5);
525 
526     if (s->stats_size == 80) {
527         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
528         if (s->configuration[6] & BIT(2)) {
529             /* TCO statistical counters. */
530             assert(s->configuration[6] & BIT(5));
531         } else {
532             if (s->configuration[6] & BIT(5)) {
533                 /* No extended statistical counters, i82557 compatible. */
534                 s->stats_size = 64;
535             } else {
536                 /* i82558 compatible. */
537                 s->stats_size = 76;
538             }
539         }
540     } else {
541         if (s->configuration[6] & BIT(5)) {
542             /* No extended statistical counters. */
543             s->stats_size = 64;
544         }
545     }
546     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
547 
548     if (info->power_management) {
549         /* Power Management Capabilities */
550         int cfg_offset = 0xdc;
551         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
552                                    cfg_offset, PCI_PM_SIZEOF,
553                                    errp);
554         if (r < 0) {
555             return;
556         }
557 
558         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
559 #if 0 /* TODO: replace dummy code for power management emulation. */
560         /* TODO: Power Management Control / Status. */
561         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
562         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
563         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
564 #endif
565     }
566 
567 #if EEPROM_SIZE > 0
568     if (device == i82557C || device == i82558B || device == i82559C) {
569         /*
570         TODO: get vendor id from EEPROM for i82557C or later.
571         TODO: get device id from EEPROM for i82557C or later.
572         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
573         TODO: header type is determined by EEPROM for i82559.
574         TODO: get subsystem id from EEPROM for i82557C or later.
575         TODO: get subsystem vendor id from EEPROM for i82557C or later.
576         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
577         TODO: capability pointer depends on EEPROM for i82558.
578         */
579         logout("Get device id and revision from EEPROM!!!\n");
580     }
581 #endif /* EEPROM_SIZE > 0 */
582 }
583 
584 static void nic_selective_reset(EEPRO100State * s)
585 {
586     size_t i;
587     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
588 #if 0
589     eeprom93xx_reset(s->eeprom);
590 #endif
591     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
592     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
593     if (s->device == i82557B || s->device == i82557C)
594         eeprom_contents[5] = 0x0100;
595     eeprom_contents[EEPROM_PHY_ID] = 1;
596     uint16_t sum = 0;
597     for (i = 0; i < EEPROM_SIZE - 1; i++) {
598         sum += eeprom_contents[i];
599     }
600     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
601     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
602 
603     memset(s->mem, 0, sizeof(s->mem));
604     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
605 
606     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
607     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
608 }
609 
610 static void nic_reset(void *opaque)
611 {
612     EEPRO100State *s = opaque;
613     TRACE(OTHER, logout("%p\n", s));
614     /* TODO: Clearing of hash register for selective reset, too? */
615     memset(&s->mult[0], 0, sizeof(s->mult));
616     nic_selective_reset(s);
617 }
618 
619 #if defined(DEBUG_EEPRO100)
620 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
621     "Command/Status",
622     "General Pointer",
623     "Port",
624     "EEPROM/Flash Control",
625     "MDI Control",
626     "Receive DMA Byte Count",
627     "Flow Control",
628     "General Status/Control"
629 };
630 
631 static char *regname(uint32_t addr)
632 {
633     static char buf[32];
634     if (addr < PCI_IO_SIZE) {
635         const char *r = e100_reg[addr / 4];
636         if (r != 0) {
637             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
638         } else {
639             snprintf(buf, sizeof(buf), "0x%02x", addr);
640         }
641     } else {
642         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
643     }
644     return buf;
645 }
646 #endif                          /* DEBUG_EEPRO100 */
647 
648 /*****************************************************************************
649  *
650  * Command emulation.
651  *
652  ****************************************************************************/
653 
654 #if 0
655 static uint16_t eepro100_read_command(EEPRO100State * s)
656 {
657     uint16_t val = 0xffff;
658     TRACE(OTHER, logout("val=0x%04x\n", val));
659     return val;
660 }
661 #endif
662 
663 /* Commands that can be put in a command list entry. */
664 enum commands {
665     CmdNOp = 0,
666     CmdIASetup = 1,
667     CmdConfigure = 2,
668     CmdMulticastList = 3,
669     CmdTx = 4,
670     CmdTDR = 5,                 /* load microcode */
671     CmdDump = 6,
672     CmdDiagnose = 7,
673 
674     /* And some extra flags: */
675     CmdSuspend = 0x4000,        /* Suspend after completion. */
676     CmdIntr = 0x2000,           /* Interrupt after completion. */
677     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
678 };
679 
680 static cu_state_t get_cu_state(EEPRO100State * s)
681 {
682     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
683 }
684 
685 static void set_cu_state(EEPRO100State * s, cu_state_t state)
686 {
687     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
688 }
689 
690 static ru_state_t get_ru_state(EEPRO100State * s)
691 {
692     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
693 }
694 
695 static void set_ru_state(EEPRO100State * s, ru_state_t state)
696 {
697     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
698 }
699 
700 static void dump_statistics(EEPRO100State * s)
701 {
702     /* Dump statistical data. Most data is never changed by the emulation
703      * and always 0, so we first just copy the whole block and then those
704      * values which really matter.
705      * Number of data should check configuration!!!
706      */
707     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
708     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
709                    s->statistics.tx_good_frames);
710     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
711                    s->statistics.rx_good_frames);
712     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
713                    s->statistics.rx_resource_errors);
714     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
715                    s->statistics.rx_short_frame_errors);
716 #if 0
717     stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
718     stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
719     missing("CU dump statistical counters");
720 #endif
721 }
722 
723 static void read_cb(EEPRO100State *s)
724 {
725     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
726     s->tx.status = le16_to_cpu(s->tx.status);
727     s->tx.command = le16_to_cpu(s->tx.command);
728     s->tx.link = le32_to_cpu(s->tx.link);
729     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
730     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
731 }
732 
733 static void tx_command(EEPRO100State *s)
734 {
735     uint32_t tbd_array = s->tx.tbd_array_addr;
736     uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
737     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
738     uint8_t buf[2600];
739     uint16_t size = 0;
740     uint32_t tbd_address = s->cb_address + 0x10;
741     TRACE(RXTX, logout
742         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
743          tbd_array, tcb_bytes, s->tx.tbd_count));
744 
745     if (tcb_bytes > 2600) {
746         logout("TCB byte count too large, using 2600\n");
747         tcb_bytes = 2600;
748     }
749     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
750         logout
751             ("illegal values of TBD array address and TCB byte count!\n");
752     }
753     assert(tcb_bytes <= sizeof(buf));
754     while (size < tcb_bytes) {
755         TRACE(RXTX, logout
756             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
757              tbd_address, tcb_bytes));
758         pci_dma_read(&s->dev, tbd_address, &buf[size], tcb_bytes);
759         size += tcb_bytes;
760     }
761     if (tbd_array == 0xffffffff) {
762         /* Simplified mode. Was already handled by code above. */
763     } else {
764         /* Flexible mode. */
765         uint8_t tbd_count = 0;
766         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
767             /* Extended Flexible TCB. */
768             for (; tbd_count < 2; tbd_count++) {
769                 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
770                                                             tbd_address);
771                 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
772                                                           tbd_address + 4);
773                 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
774                                                         tbd_address + 6);
775                 tbd_address += 8;
776                 TRACE(RXTX, logout
777                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
778                      tx_buffer_address, tx_buffer_size));
779                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
780                 pci_dma_read(&s->dev, tx_buffer_address,
781                              &buf[size], tx_buffer_size);
782                 size += tx_buffer_size;
783                 if (tx_buffer_el & 1) {
784                     break;
785                 }
786             }
787         }
788         tbd_address = tbd_array;
789         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
790             uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
791             uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
792             uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
793             tbd_address += 8;
794             TRACE(RXTX, logout
795                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
796                  tx_buffer_address, tx_buffer_size));
797             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
798             pci_dma_read(&s->dev, tx_buffer_address,
799                          &buf[size], tx_buffer_size);
800             size += tx_buffer_size;
801             if (tx_buffer_el & 1) {
802                 break;
803             }
804         }
805     }
806     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
807     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
808     s->statistics.tx_good_frames++;
809     /* Transmit with bad status would raise an CX/TNO interrupt.
810      * (82557 only). Emulation never has bad status. */
811 #if 0
812     eepro100_cx_interrupt(s);
813 #endif
814 }
815 
816 static void set_multicast_list(EEPRO100State *s)
817 {
818     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
819     uint16_t i;
820     memset(&s->mult[0], 0, sizeof(s->mult));
821     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
822     for (i = 0; i < multicast_count; i += 6) {
823         uint8_t multicast_addr[6];
824         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
825         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
826         unsigned mcast_idx = (net_crc32(multicast_addr, ETH_ALEN) &
827                               BITS(7, 2)) >> 2;
828         assert(mcast_idx < 64);
829         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
830     }
831 }
832 
833 static void action_command(EEPRO100State *s)
834 {
835     /* The loop below won't stop if it gets special handcrafted data.
836        Therefore we limit the number of iterations. */
837     unsigned max_loop_count = 16;
838 
839     for (;;) {
840         bool bit_el;
841         bool bit_s;
842         bool bit_i;
843         bool bit_nc;
844         uint16_t ok_status = STATUS_OK;
845         s->cb_address = s->cu_base + s->cu_offset;
846         read_cb(s);
847         bit_el = ((s->tx.command & COMMAND_EL) != 0);
848         bit_s = ((s->tx.command & COMMAND_S) != 0);
849         bit_i = ((s->tx.command & COMMAND_I) != 0);
850         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
851 #if 0
852         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
853 #endif
854 
855         if (max_loop_count-- == 0) {
856             /* Prevent an endless loop. */
857             logout("loop in %s:%u\n", __FILE__, __LINE__);
858             break;
859         }
860 
861         s->cu_offset = s->tx.link;
862         TRACE(OTHER,
863               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
864                      s->tx.status, s->tx.command, s->tx.link));
865         switch (s->tx.command & COMMAND_CMD) {
866         case CmdNOp:
867             /* Do nothing. */
868             break;
869         case CmdIASetup:
870             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
871             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
872             break;
873         case CmdConfigure:
874             pci_dma_read(&s->dev, s->cb_address + 8,
875                          &s->configuration[0], sizeof(s->configuration));
876             TRACE(OTHER, logout("configuration: %s\n",
877                                 nic_dump(&s->configuration[0], 16)));
878             TRACE(OTHER, logout("configuration: %s\n",
879                                 nic_dump(&s->configuration[16],
880                                 ARRAY_SIZE(s->configuration) - 16)));
881             if (s->configuration[20] & BIT(6)) {
882                 TRACE(OTHER, logout("Multiple IA bit\n"));
883             }
884             break;
885         case CmdMulticastList:
886             set_multicast_list(s);
887             break;
888         case CmdTx:
889             if (bit_nc) {
890                 missing("CmdTx: NC = 0");
891                 ok_status = 0;
892                 break;
893             }
894             tx_command(s);
895             break;
896         case CmdTDR:
897             TRACE(OTHER, logout("load microcode\n"));
898             /* Starting with offset 8, the command contains
899              * 64 dwords microcode which we just ignore here. */
900             break;
901         case CmdDiagnose:
902             TRACE(OTHER, logout("diagnose\n"));
903             /* Make sure error flag is not set. */
904             s->tx.status = 0;
905             break;
906         default:
907             missing("undefined command");
908             ok_status = 0;
909             break;
910         }
911         /* Write new status. */
912         stw_le_pci_dma(&s->dev, s->cb_address,
913                        s->tx.status | ok_status | STATUS_C);
914         if (bit_i) {
915             /* CU completed action. */
916             eepro100_cx_interrupt(s);
917         }
918         if (bit_el) {
919             /* CU becomes idle. Terminate command loop. */
920             set_cu_state(s, cu_idle);
921             eepro100_cna_interrupt(s);
922             break;
923         } else if (bit_s) {
924             /* CU becomes suspended. Terminate command loop. */
925             set_cu_state(s, cu_suspended);
926             eepro100_cna_interrupt(s);
927             break;
928         } else {
929             /* More entries in list. */
930             TRACE(OTHER, logout("CU list with at least one more entry\n"));
931         }
932     }
933     TRACE(OTHER, logout("CU list empty\n"));
934     /* List is empty. Now CU is idle or suspended. */
935 }
936 
937 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
938 {
939     cu_state_t cu_state;
940     switch (val) {
941     case CU_NOP:
942         /* No operation. */
943         break;
944     case CU_START:
945         cu_state = get_cu_state(s);
946         if (cu_state != cu_idle && cu_state != cu_suspended) {
947             /* Intel documentation says that CU must be idle or suspended
948              * for the CU start command. */
949             logout("unexpected CU state is %u\n", cu_state);
950         }
951         set_cu_state(s, cu_active);
952         s->cu_offset = e100_read_reg4(s, SCBPointer);
953         action_command(s);
954         break;
955     case CU_RESUME:
956         if (get_cu_state(s) != cu_suspended) {
957             logout("bad CU resume from CU state %u\n", get_cu_state(s));
958             /* Workaround for bad Linux eepro100 driver which resumes
959              * from idle state. */
960 #if 0
961             missing("cu resume");
962 #endif
963             set_cu_state(s, cu_suspended);
964         }
965         if (get_cu_state(s) == cu_suspended) {
966             TRACE(OTHER, logout("CU resuming\n"));
967             set_cu_state(s, cu_active);
968             action_command(s);
969         }
970         break;
971     case CU_STATSADDR:
972         /* Load dump counters address. */
973         s->statsaddr = e100_read_reg4(s, SCBPointer);
974         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
975         if (s->statsaddr & 3) {
976             /* Memory must be Dword aligned. */
977             logout("unaligned dump counters address\n");
978             /* Handling of misaligned addresses is undefined.
979              * Here we align the address by ignoring the lower bits. */
980             /* TODO: Test unaligned dump counter address on real hardware. */
981             s->statsaddr &= ~3;
982         }
983         break;
984     case CU_SHOWSTATS:
985         /* Dump statistical counters. */
986         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
987         dump_statistics(s);
988         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
989         break;
990     case CU_CMD_BASE:
991         /* Load CU base. */
992         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
993         s->cu_base = e100_read_reg4(s, SCBPointer);
994         break;
995     case CU_DUMPSTATS:
996         /* Dump and reset statistical counters. */
997         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
998         dump_statistics(s);
999         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
1000         memset(&s->statistics, 0, sizeof(s->statistics));
1001         break;
1002     case CU_SRESUME:
1003         /* CU static resume. */
1004         missing("CU static resume");
1005         break;
1006     default:
1007         missing("Undefined CU command");
1008     }
1009 }
1010 
1011 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1012 {
1013     switch (val) {
1014     case RU_NOP:
1015         /* No operation. */
1016         break;
1017     case RX_START:
1018         /* RU start. */
1019         if (get_ru_state(s) != ru_idle) {
1020             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1021 #if 0
1022             assert(!"wrong RU state");
1023 #endif
1024         }
1025         set_ru_state(s, ru_ready);
1026         s->ru_offset = e100_read_reg4(s, SCBPointer);
1027         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1028         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1029         break;
1030     case RX_RESUME:
1031         /* Restart RU. */
1032         if (get_ru_state(s) != ru_suspended) {
1033             logout("RU state is %u, should be %u\n", get_ru_state(s),
1034                    ru_suspended);
1035 #if 0
1036             assert(!"wrong RU state");
1037 #endif
1038         }
1039         set_ru_state(s, ru_ready);
1040         break;
1041     case RU_ABORT:
1042         /* RU abort. */
1043         if (get_ru_state(s) == ru_ready) {
1044             eepro100_rnr_interrupt(s);
1045         }
1046         set_ru_state(s, ru_idle);
1047         break;
1048     case RX_ADDR_LOAD:
1049         /* Load RU base. */
1050         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1051         s->ru_base = e100_read_reg4(s, SCBPointer);
1052         break;
1053     default:
1054         logout("val=0x%02x (undefined RU command)\n", val);
1055         missing("Undefined SU command");
1056     }
1057 }
1058 
1059 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1060 {
1061     eepro100_ru_command(s, val & 0x0f);
1062     eepro100_cu_command(s, val & 0xf0);
1063     if ((val) == 0) {
1064         TRACE(OTHER, logout("val=0x%02x\n", val));
1065     }
1066     /* Clear command byte after command was accepted. */
1067     s->mem[SCBCmd] = 0;
1068 }
1069 
1070 /*****************************************************************************
1071  *
1072  * EEPROM emulation.
1073  *
1074  ****************************************************************************/
1075 
1076 #define EEPROM_CS       0x02
1077 #define EEPROM_SK       0x01
1078 #define EEPROM_DI       0x04
1079 #define EEPROM_DO       0x08
1080 
1081 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1082 {
1083     uint16_t val = e100_read_reg2(s, SCBeeprom);
1084     if (eeprom93xx_read(s->eeprom)) {
1085         val |= EEPROM_DO;
1086     } else {
1087         val &= ~EEPROM_DO;
1088     }
1089     TRACE(EEPROM, logout("val=0x%04x\n", val));
1090     return val;
1091 }
1092 
1093 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1094 {
1095     TRACE(EEPROM, logout("val=0x%02x\n", val));
1096 
1097     /* mask unwritable bits */
1098 #if 0
1099     val = SET_MASKED(val, 0x31, eeprom->value);
1100 #endif
1101 
1102     int eecs = ((val & EEPROM_CS) != 0);
1103     int eesk = ((val & EEPROM_SK) != 0);
1104     int eedi = ((val & EEPROM_DI) != 0);
1105     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1106 }
1107 
1108 /*****************************************************************************
1109  *
1110  * MDI emulation.
1111  *
1112  ****************************************************************************/
1113 
1114 #if defined(DEBUG_EEPRO100)
1115 static const char * const mdi_op_name[] = {
1116     "opcode 0",
1117     "write",
1118     "read",
1119     "opcode 3"
1120 };
1121 
1122 static const char * const mdi_reg_name[] = {
1123     "Control",
1124     "Status",
1125     "PHY Identification (Word 1)",
1126     "PHY Identification (Word 2)",
1127     "Auto-Negotiation Advertisement",
1128     "Auto-Negotiation Link Partner Ability",
1129     "Auto-Negotiation Expansion"
1130 };
1131 
1132 static const char *reg2name(uint8_t reg)
1133 {
1134     static char buffer[10];
1135     const char *p = buffer;
1136     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1137         p = mdi_reg_name[reg];
1138     } else {
1139         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1140     }
1141     return p;
1142 }
1143 #endif                          /* DEBUG_EEPRO100 */
1144 
1145 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1146 {
1147     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1148 
1149 #ifdef DEBUG_EEPRO100
1150     uint8_t raiseint = (val & BIT(29)) >> 29;
1151     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1152     uint8_t phy = (val & BITS(25, 21)) >> 21;
1153     uint8_t reg = (val & BITS(20, 16)) >> 16;
1154     uint16_t data = (val & BITS(15, 0));
1155 #endif
1156     /* Emulation takes no time to finish MDI transaction. */
1157     val |= BIT(28);
1158     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1159                       val, raiseint, mdi_op_name[opcode], phy,
1160                       reg2name(reg), data));
1161     return val;
1162 }
1163 
1164 static void eepro100_write_mdi(EEPRO100State *s)
1165 {
1166     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1167     uint8_t raiseint = (val & BIT(29)) >> 29;
1168     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1169     uint8_t phy = (val & BITS(25, 21)) >> 21;
1170     uint8_t reg = (val & BITS(20, 16)) >> 16;
1171     uint16_t data = (val & BITS(15, 0));
1172     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1173           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1174     if (phy != 1) {
1175         /* Unsupported PHY address. */
1176 #if 0
1177         logout("phy must be 1 but is %u\n", phy);
1178 #endif
1179         data = 0;
1180     } else if (opcode != 1 && opcode != 2) {
1181         /* Unsupported opcode. */
1182         logout("opcode must be 1 or 2 but is %u\n", opcode);
1183         data = 0;
1184     } else if (reg > 6) {
1185         /* Unsupported register. */
1186         logout("register must be 0...6 but is %u\n", reg);
1187         data = 0;
1188     } else {
1189         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1190                           val, raiseint, mdi_op_name[opcode], phy,
1191                           reg2name(reg), data));
1192         if (opcode == 1) {
1193             /* MDI write */
1194             switch (reg) {
1195             case 0:            /* Control Register */
1196                 if (data & 0x8000) {
1197                     /* Reset status and control registers to default. */
1198                     s->mdimem[0] = eepro100_mdi_default[0];
1199                     s->mdimem[1] = eepro100_mdi_default[1];
1200                     data = s->mdimem[reg];
1201                 } else {
1202                     /* Restart Auto Configuration = Normal Operation */
1203                     data &= ~0x0200;
1204                 }
1205                 break;
1206             case 1:            /* Status Register */
1207                 missing("not writable");
1208                 break;
1209             case 2:            /* PHY Identification Register (Word 1) */
1210             case 3:            /* PHY Identification Register (Word 2) */
1211                 missing("not implemented");
1212                 break;
1213             case 4:            /* Auto-Negotiation Advertisement Register */
1214             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1215                 break;
1216             case 6:            /* Auto-Negotiation Expansion Register */
1217             default:
1218                 missing("not implemented");
1219             }
1220             s->mdimem[reg] &= eepro100_mdi_mask[reg];
1221             s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
1222         } else if (opcode == 2) {
1223             /* MDI read */
1224             switch (reg) {
1225             case 0:            /* Control Register */
1226                 if (data & 0x8000) {
1227                     /* Reset status and control registers to default. */
1228                     s->mdimem[0] = eepro100_mdi_default[0];
1229                     s->mdimem[1] = eepro100_mdi_default[1];
1230                 }
1231                 break;
1232             case 1:            /* Status Register */
1233                 s->mdimem[reg] |= 0x0020;
1234                 break;
1235             case 2:            /* PHY Identification Register (Word 1) */
1236             case 3:            /* PHY Identification Register (Word 2) */
1237             case 4:            /* Auto-Negotiation Advertisement Register */
1238                 break;
1239             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1240                 s->mdimem[reg] = 0x41fe;
1241                 break;
1242             case 6:            /* Auto-Negotiation Expansion Register */
1243                 s->mdimem[reg] = 0x0001;
1244                 break;
1245             }
1246             data = s->mdimem[reg];
1247         }
1248         /* Emulation takes no time to finish MDI transaction.
1249          * Set MDI bit in SCB status register. */
1250         s->mem[SCBAck] |= 0x08;
1251         val |= BIT(28);
1252         if (raiseint) {
1253             eepro100_mdi_interrupt(s);
1254         }
1255     }
1256     val = (val & 0xffff0000) + data;
1257     e100_write_reg4(s, SCBCtrlMDI, val);
1258 }
1259 
1260 /*****************************************************************************
1261  *
1262  * Port emulation.
1263  *
1264  ****************************************************************************/
1265 
1266 #define PORT_SOFTWARE_RESET     0
1267 #define PORT_SELFTEST           1
1268 #define PORT_SELECTIVE_RESET    2
1269 #define PORT_DUMP               3
1270 #define PORT_SELECTION_MASK     3
1271 
1272 typedef struct {
1273     uint32_t st_sign;           /* Self Test Signature */
1274     uint32_t st_result;         /* Self Test Results */
1275 } eepro100_selftest_t;
1276 
1277 static uint32_t eepro100_read_port(EEPRO100State * s)
1278 {
1279     return 0;
1280 }
1281 
1282 static void eepro100_write_port(EEPRO100State *s)
1283 {
1284     uint32_t val = e100_read_reg4(s, SCBPort);
1285     uint32_t address = (val & ~PORT_SELECTION_MASK);
1286     uint8_t selection = (val & PORT_SELECTION_MASK);
1287     switch (selection) {
1288     case PORT_SOFTWARE_RESET:
1289         nic_reset(s);
1290         break;
1291     case PORT_SELFTEST:
1292         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1293         eepro100_selftest_t data;
1294         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1295         data.st_sign = 0xffffffff;
1296         data.st_result = 0;
1297         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1298         break;
1299     case PORT_SELECTIVE_RESET:
1300         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1301         nic_selective_reset(s);
1302         break;
1303     default:
1304         logout("val=0x%08x\n", val);
1305         missing("unknown port selection");
1306     }
1307 }
1308 
1309 /*****************************************************************************
1310  *
1311  * General hardware emulation.
1312  *
1313  ****************************************************************************/
1314 
1315 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1316 {
1317     uint8_t val = 0;
1318     if (addr <= sizeof(s->mem) - sizeof(val)) {
1319         val = s->mem[addr];
1320     }
1321 
1322     switch (addr) {
1323     case SCBStatus:
1324     case SCBAck:
1325         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1326         break;
1327     case SCBCmd:
1328         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1329 #if 0
1330         val = eepro100_read_command(s);
1331 #endif
1332         break;
1333     case SCBIntmask:
1334         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1335         break;
1336     case SCBPort + 3:
1337         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1338         break;
1339     case SCBeeprom:
1340         val = eepro100_read_eeprom(s);
1341         break;
1342     case SCBCtrlMDI:
1343     case SCBCtrlMDI + 1:
1344     case SCBCtrlMDI + 2:
1345     case SCBCtrlMDI + 3:
1346         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1347         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1348         break;
1349     case SCBpmdr:       /* Power Management Driver Register */
1350         val = 0;
1351         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1352         break;
1353     case SCBgctrl:      /* General Control Register */
1354         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1355         break;
1356     case SCBgstat:      /* General Status Register */
1357         /* 100 Mbps full duplex, valid link */
1358         val = 0x07;
1359         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1360         break;
1361     default:
1362         logout("addr=%s val=0x%02x\n", regname(addr), val);
1363         missing("unknown byte read");
1364     }
1365     return val;
1366 }
1367 
1368 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1369 {
1370     uint16_t val = 0;
1371     if (addr <= sizeof(s->mem) - sizeof(val)) {
1372         val = e100_read_reg2(s, addr);
1373     }
1374 
1375     switch (addr) {
1376     case SCBStatus:
1377     case SCBCmd:
1378         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1379         break;
1380     case SCBeeprom:
1381         val = eepro100_read_eeprom(s);
1382         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1383         break;
1384     case SCBCtrlMDI:
1385     case SCBCtrlMDI + 2:
1386         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1387         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1388         break;
1389     default:
1390         logout("addr=%s val=0x%04x\n", regname(addr), val);
1391         missing("unknown word read");
1392     }
1393     return val;
1394 }
1395 
1396 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1397 {
1398     uint32_t val = 0;
1399     if (addr <= sizeof(s->mem) - sizeof(val)) {
1400         val = e100_read_reg4(s, addr);
1401     }
1402 
1403     switch (addr) {
1404     case SCBStatus:
1405         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1406         break;
1407     case SCBPointer:
1408         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1409         break;
1410     case SCBPort:
1411         val = eepro100_read_port(s);
1412         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1413         break;
1414     case SCBflash:
1415         val = eepro100_read_eeprom(s);
1416         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1417         break;
1418     case SCBCtrlMDI:
1419         val = eepro100_read_mdi(s);
1420         break;
1421     default:
1422         logout("addr=%s val=0x%08x\n", regname(addr), val);
1423         missing("unknown longword read");
1424     }
1425     return val;
1426 }
1427 
1428 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1429 {
1430     /* SCBStatus is readonly. */
1431     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1432         s->mem[addr] = val;
1433     }
1434 
1435     switch (addr) {
1436     case SCBStatus:
1437         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1438         break;
1439     case SCBAck:
1440         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1441         eepro100_acknowledge(s);
1442         break;
1443     case SCBCmd:
1444         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1445         eepro100_write_command(s, val);
1446         break;
1447     case SCBIntmask:
1448         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1449         if (val & BIT(1)) {
1450             eepro100_swi_interrupt(s);
1451         }
1452         eepro100_interrupt(s, 0);
1453         break;
1454     case SCBPointer:
1455     case SCBPointer + 1:
1456     case SCBPointer + 2:
1457     case SCBPointer + 3:
1458         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1459         break;
1460     case SCBPort:
1461     case SCBPort + 1:
1462     case SCBPort + 2:
1463         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1464         break;
1465     case SCBPort + 3:
1466         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1467         eepro100_write_port(s);
1468         break;
1469     case SCBFlow:       /* does not exist on 82557 */
1470     case SCBFlow + 1:
1471     case SCBFlow + 2:
1472     case SCBpmdr:       /* does not exist on 82557 */
1473         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1474         break;
1475     case SCBeeprom:
1476         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1477         eepro100_write_eeprom(s->eeprom, val);
1478         break;
1479     case SCBCtrlMDI:
1480     case SCBCtrlMDI + 1:
1481     case SCBCtrlMDI + 2:
1482         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1483         break;
1484     case SCBCtrlMDI + 3:
1485         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1486         eepro100_write_mdi(s);
1487         break;
1488     default:
1489         logout("addr=%s val=0x%02x\n", regname(addr), val);
1490         missing("unknown byte write");
1491     }
1492 }
1493 
1494 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1495 {
1496     /* SCBStatus is readonly. */
1497     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1498         e100_write_reg2(s, addr, val);
1499     }
1500 
1501     switch (addr) {
1502     case SCBStatus:
1503         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1504         s->mem[SCBAck] = (val >> 8);
1505         eepro100_acknowledge(s);
1506         break;
1507     case SCBCmd:
1508         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1509         eepro100_write_command(s, val);
1510         eepro100_write1(s, SCBIntmask, val >> 8);
1511         break;
1512     case SCBPointer:
1513     case SCBPointer + 2:
1514         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1515         break;
1516     case SCBPort:
1517         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1518         break;
1519     case SCBPort + 2:
1520         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1521         eepro100_write_port(s);
1522         break;
1523     case SCBeeprom:
1524         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1525         eepro100_write_eeprom(s->eeprom, val);
1526         break;
1527     case SCBCtrlMDI:
1528         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1529         break;
1530     case SCBCtrlMDI + 2:
1531         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1532         eepro100_write_mdi(s);
1533         break;
1534     default:
1535         logout("addr=%s val=0x%04x\n", regname(addr), val);
1536         missing("unknown word write");
1537     }
1538 }
1539 
1540 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1541 {
1542     if (addr <= sizeof(s->mem) - sizeof(val)) {
1543         e100_write_reg4(s, addr, val);
1544     }
1545 
1546     switch (addr) {
1547     case SCBPointer:
1548         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1549         break;
1550     case SCBPort:
1551         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1552         eepro100_write_port(s);
1553         break;
1554     case SCBflash:
1555         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1556         val = val >> 16;
1557         eepro100_write_eeprom(s->eeprom, val);
1558         break;
1559     case SCBCtrlMDI:
1560         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1561         eepro100_write_mdi(s);
1562         break;
1563     default:
1564         logout("addr=%s val=0x%08x\n", regname(addr), val);
1565         missing("unknown longword write");
1566     }
1567 }
1568 
1569 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1570                               unsigned size)
1571 {
1572     EEPRO100State *s = opaque;
1573 
1574     switch (size) {
1575     case 1: return eepro100_read1(s, addr);
1576     case 2: return eepro100_read2(s, addr);
1577     case 4: return eepro100_read4(s, addr);
1578     default: abort();
1579     }
1580 }
1581 
1582 static void eepro100_write(void *opaque, hwaddr addr,
1583                            uint64_t data, unsigned size)
1584 {
1585     EEPRO100State *s = opaque;
1586 
1587     switch (size) {
1588     case 1:
1589         eepro100_write1(s, addr, data);
1590         break;
1591     case 2:
1592         eepro100_write2(s, addr, data);
1593         break;
1594     case 4:
1595         eepro100_write4(s, addr, data);
1596         break;
1597     default:
1598         abort();
1599     }
1600 }
1601 
1602 static const MemoryRegionOps eepro100_ops = {
1603     .read = eepro100_read,
1604     .write = eepro100_write,
1605     .endianness = DEVICE_LITTLE_ENDIAN,
1606 };
1607 
1608 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1609 {
1610     /* TODO:
1611      * - Magic packets should set bit 30 in power management driver register.
1612      * - Interesting packets should set bit 29 in power management driver register.
1613      */
1614     EEPRO100State *s = qemu_get_nic_opaque(nc);
1615     uint16_t rfd_status = 0xa000;
1616 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1617     uint8_t min_buf[60];
1618 #endif
1619     static const uint8_t broadcast_macaddr[6] =
1620         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1621 
1622 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1623     /* Pad to minimum Ethernet frame length */
1624     if (size < sizeof(min_buf)) {
1625         memcpy(min_buf, buf, size);
1626         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1627         buf = min_buf;
1628         size = sizeof(min_buf);
1629     }
1630 #endif
1631 
1632     if (s->configuration[8] & 0x80) {
1633         /* CSMA is disabled. */
1634         logout("%p received while CSMA is disabled\n", s);
1635         return -1;
1636 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1637     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1638         /* Short frame and configuration byte 7/0 (discard short receive) set:
1639          * Short frame is discarded */
1640         logout("%p received short frame (%zu byte)\n", s, size);
1641         s->statistics.rx_short_frame_errors++;
1642         return -1;
1643 #endif
1644     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1645         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1646          * Long frames are discarded. */
1647         logout("%p received long frame (%zu byte), ignored\n", s, size);
1648         return -1;
1649     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1650         /* Frame matches individual address. */
1651         /* TODO: check configuration byte 15/4 (ignore U/L). */
1652         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1653     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1654         /* Broadcast frame. */
1655         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1656         rfd_status |= 0x0002;
1657     } else if (buf[0] & 0x01) {
1658         /* Multicast frame. */
1659         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1660         if (s->configuration[21] & BIT(3)) {
1661           /* Multicast all bit is set, receive all multicast frames. */
1662         } else {
1663           unsigned mcast_idx = (net_crc32(buf, ETH_ALEN) & BITS(7, 2)) >> 2;
1664           assert(mcast_idx < 64);
1665           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1666             /* Multicast frame is allowed in hash table. */
1667           } else if (s->configuration[15] & BIT(0)) {
1668               /* Promiscuous: receive all. */
1669               rfd_status |= 0x0004;
1670           } else {
1671               TRACE(RXTX, logout("%p multicast ignored\n", s));
1672               return -1;
1673           }
1674         }
1675         /* TODO: Next not for promiscuous mode? */
1676         rfd_status |= 0x0002;
1677     } else if (s->configuration[15] & BIT(0)) {
1678         /* Promiscuous: receive all. */
1679         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1680         rfd_status |= 0x0004;
1681     } else if (s->configuration[20] & BIT(6)) {
1682         /* Multiple IA bit set. */
1683         unsigned mcast_idx = net_crc32(buf, ETH_ALEN) >> 26;
1684         assert(mcast_idx < 64);
1685         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1686             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1687         } else {
1688             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1689             return -1;
1690         }
1691     } else {
1692         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1693               nic_dump(buf, size)));
1694         return size;
1695     }
1696 
1697     if (get_ru_state(s) != ru_ready) {
1698         /* No resources available. */
1699         logout("no resources, state=%u\n", get_ru_state(s));
1700         /* TODO: RNR interrupt only at first failed frame? */
1701         eepro100_rnr_interrupt(s);
1702         s->statistics.rx_resource_errors++;
1703 #if 0
1704         assert(!"no resources");
1705 #endif
1706         return -1;
1707     }
1708     /* !!! */
1709     eepro100_rx_t rx;
1710     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1711                  &rx, sizeof(eepro100_rx_t));
1712     uint16_t rfd_command = le16_to_cpu(rx.command);
1713     uint16_t rfd_size = le16_to_cpu(rx.size);
1714 
1715     if (size > rfd_size) {
1716         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1717             "(%zu bytes); data truncated\n", rfd_size, size);
1718         size = rfd_size;
1719     }
1720 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1721     if (size < 64) {
1722         rfd_status |= 0x0080;
1723     }
1724 #endif
1725     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1726           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1727     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1728                 offsetof(eepro100_rx_t, status), rfd_status);
1729     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1730                 offsetof(eepro100_rx_t, count), size);
1731     /* Early receive interrupt not supported. */
1732 #if 0
1733     eepro100_er_interrupt(s);
1734 #endif
1735     /* Receive CRC Transfer not supported. */
1736     if (s->configuration[18] & BIT(2)) {
1737         missing("Receive CRC Transfer");
1738         return -1;
1739     }
1740     /* TODO: check stripping enable bit. */
1741 #if 0
1742     assert(!(s->configuration[17] & BIT(0)));
1743 #endif
1744     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1745                   sizeof(eepro100_rx_t), buf, size);
1746     s->statistics.rx_good_frames++;
1747     eepro100_fr_interrupt(s);
1748     s->ru_offset = le32_to_cpu(rx.link);
1749     if (rfd_command & COMMAND_EL) {
1750         /* EL bit is set, so this was the last frame. */
1751         logout("receive: Running out of frames\n");
1752         set_ru_state(s, ru_no_resources);
1753         eepro100_rnr_interrupt(s);
1754     }
1755     if (rfd_command & COMMAND_S) {
1756         /* S bit is set. */
1757         set_ru_state(s, ru_suspended);
1758     }
1759     return size;
1760 }
1761 
1762 static const VMStateDescription vmstate_eepro100 = {
1763     .version_id = 3,
1764     .minimum_version_id = 2,
1765     .fields = (VMStateField[]) {
1766         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1767         VMSTATE_UNUSED(32),
1768         VMSTATE_BUFFER(mult, EEPRO100State),
1769         VMSTATE_BUFFER(mem, EEPRO100State),
1770         /* Save all members of struct between scb_stat and mem. */
1771         VMSTATE_UINT8(scb_stat, EEPRO100State),
1772         VMSTATE_UINT8(int_stat, EEPRO100State),
1773         VMSTATE_UNUSED(3*4),
1774         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1775         VMSTATE_UNUSED(19*4),
1776         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1777         /* The eeprom should be saved and restored by its own routines. */
1778         VMSTATE_UINT32(device, EEPRO100State),
1779         /* TODO check device. */
1780         VMSTATE_UINT32(cu_base, EEPRO100State),
1781         VMSTATE_UINT32(cu_offset, EEPRO100State),
1782         VMSTATE_UINT32(ru_base, EEPRO100State),
1783         VMSTATE_UINT32(ru_offset, EEPRO100State),
1784         VMSTATE_UINT32(statsaddr, EEPRO100State),
1785         /* Save eepro100_stats_t statistics. */
1786         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1787         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1788         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1789         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1790         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1791         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1792         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1793         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1794         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1795         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1796         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1797         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1798         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1799         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1800         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1801         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1802         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1803         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1804         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1805         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1806         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1807         /* Configuration bytes. */
1808         VMSTATE_BUFFER(configuration, EEPRO100State),
1809         VMSTATE_END_OF_LIST()
1810     }
1811 };
1812 
1813 static void pci_nic_uninit(PCIDevice *pci_dev)
1814 {
1815     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1816 
1817     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
1818     g_free(s->vmstate);
1819     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1820     qemu_del_nic(s->nic);
1821 }
1822 
1823 static NetClientInfo net_eepro100_info = {
1824     .type = NET_CLIENT_DRIVER_NIC,
1825     .size = sizeof(NICState),
1826     .receive = nic_receive,
1827 };
1828 
1829 static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
1830 {
1831     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1832     E100PCIDeviceInfo *info = eepro100_get_class(s);
1833     Error *local_err = NULL;
1834 
1835     TRACE(OTHER, logout("\n"));
1836 
1837     s->device = info->device;
1838 
1839     e100_pci_reset(s, &local_err);
1840     if (local_err) {
1841         error_propagate(errp, local_err);
1842         return;
1843     }
1844 
1845     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1846      * i82559 and later support 64 or 256 word EEPROM. */
1847     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1848 
1849     /* Handler for memory-mapped I/O */
1850     memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
1851                           "eepro100-mmio", PCI_MEM_SIZE);
1852     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1853     memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
1854                           "eepro100-io", PCI_IO_SIZE);
1855     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1856     /* FIXME: flash aliases to mmio?! */
1857     memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
1858                           "eepro100-flash", PCI_FLASH_SIZE);
1859     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1860 
1861     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1862     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1863 
1864     nic_reset(s);
1865 
1866     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1867                           object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
1868 
1869     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1870     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1871 
1872     qemu_register_reset(nic_reset, s);
1873 
1874     s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
1875     s->vmstate->name = qemu_get_queue(s->nic)->model;
1876     vmstate_register(&pci_dev->qdev, -1, s->vmstate, s);
1877 }
1878 
1879 static void eepro100_instance_init(Object *obj)
1880 {
1881     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
1882     device_add_bootindex_property(obj, &s->conf.bootindex,
1883                                   "bootindex", "/ethernet-phy@0",
1884                                   DEVICE(s), NULL);
1885 }
1886 
1887 static E100PCIDeviceInfo e100_devices[] = {
1888     {
1889         .name = "i82550",
1890         .desc = "Intel i82550 Ethernet",
1891         .device = i82550,
1892         /* TODO: check device id. */
1893         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1894         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1895         .revision = 0x0e,
1896         /* TODO: check size of statistical counters. */
1897         .stats_size = 80,
1898         /* TODO: check extended tcb support. */
1899         .has_extended_tcb_support = true,
1900         .power_management = true,
1901     },{
1902         .name = "i82551",
1903         .desc = "Intel i82551 Ethernet",
1904         .device = i82551,
1905         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1906         /* Revision ID: 0x0f, 0x10. */
1907         .revision = 0x0f,
1908         /* TODO: check size of statistical counters. */
1909         .stats_size = 80,
1910         .has_extended_tcb_support = true,
1911         .power_management = true,
1912     },{
1913         .name = "i82557a",
1914         .desc = "Intel i82557A Ethernet",
1915         .device = i82557A,
1916         .device_id = PCI_DEVICE_ID_INTEL_82557,
1917         .revision = 0x01,
1918         .power_management = false,
1919     },{
1920         .name = "i82557b",
1921         .desc = "Intel i82557B Ethernet",
1922         .device = i82557B,
1923         .device_id = PCI_DEVICE_ID_INTEL_82557,
1924         .revision = 0x02,
1925         .power_management = false,
1926     },{
1927         .name = "i82557c",
1928         .desc = "Intel i82557C Ethernet",
1929         .device = i82557C,
1930         .device_id = PCI_DEVICE_ID_INTEL_82557,
1931         .revision = 0x03,
1932         .power_management = false,
1933     },{
1934         .name = "i82558a",
1935         .desc = "Intel i82558A Ethernet",
1936         .device = i82558A,
1937         .device_id = PCI_DEVICE_ID_INTEL_82557,
1938         .revision = 0x04,
1939         .stats_size = 76,
1940         .has_extended_tcb_support = true,
1941         .power_management = true,
1942     },{
1943         .name = "i82558b",
1944         .desc = "Intel i82558B Ethernet",
1945         .device = i82558B,
1946         .device_id = PCI_DEVICE_ID_INTEL_82557,
1947         .revision = 0x05,
1948         .stats_size = 76,
1949         .has_extended_tcb_support = true,
1950         .power_management = true,
1951     },{
1952         .name = "i82559a",
1953         .desc = "Intel i82559A Ethernet",
1954         .device = i82559A,
1955         .device_id = PCI_DEVICE_ID_INTEL_82557,
1956         .revision = 0x06,
1957         .stats_size = 80,
1958         .has_extended_tcb_support = true,
1959         .power_management = true,
1960     },{
1961         .name = "i82559b",
1962         .desc = "Intel i82559B Ethernet",
1963         .device = i82559B,
1964         .device_id = PCI_DEVICE_ID_INTEL_82557,
1965         .revision = 0x07,
1966         .stats_size = 80,
1967         .has_extended_tcb_support = true,
1968         .power_management = true,
1969     },{
1970         .name = "i82559c",
1971         .desc = "Intel i82559C Ethernet",
1972         .device = i82559C,
1973         .device_id = PCI_DEVICE_ID_INTEL_82557,
1974 #if 0
1975         .revision = 0x08,
1976 #endif
1977         /* TODO: Windows wants revision id 0x0c. */
1978         .revision = 0x0c,
1979 #if EEPROM_SIZE > 0
1980         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
1981         .subsystem_id = 0x0040,
1982 #endif
1983         .stats_size = 80,
1984         .has_extended_tcb_support = true,
1985         .power_management = true,
1986     },{
1987         .name = "i82559er",
1988         .desc = "Intel i82559ER Ethernet",
1989         .device = i82559ER,
1990         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1991         .revision = 0x09,
1992         .stats_size = 80,
1993         .has_extended_tcb_support = true,
1994         .power_management = true,
1995     },{
1996         .name = "i82562",
1997         .desc = "Intel i82562 Ethernet",
1998         .device = i82562,
1999         /* TODO: check device id. */
2000         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2001         /* TODO: wrong revision id. */
2002         .revision = 0x0e,
2003         .stats_size = 80,
2004         .has_extended_tcb_support = true,
2005         .power_management = true,
2006     },{
2007         /* Toshiba Tecra 8200. */
2008         .name = "i82801",
2009         .desc = "Intel i82801 Ethernet",
2010         .device = i82801,
2011         .device_id = 0x2449,
2012         .revision = 0x03,
2013         .stats_size = 80,
2014         .has_extended_tcb_support = true,
2015         .power_management = true,
2016     }
2017 };
2018 
2019 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2020 {
2021     E100PCIDeviceInfo *info = NULL;
2022     int i;
2023 
2024     /* This is admittedly awkward but also temporary.  QOM allows for
2025      * parameterized typing and for subclassing both of which would suitable
2026      * handle what's going on here.  But class_data is already being used as
2027      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2028      * right now.  Once we merge the final QOM series, we can come back here and
2029      * do this in a much more elegant fashion.
2030      */
2031     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2032         if (strcmp(e100_devices[i].name, typename) == 0) {
2033             info = &e100_devices[i];
2034             break;
2035         }
2036     }
2037     assert(info != NULL);
2038 
2039     return info;
2040 }
2041 
2042 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2043 {
2044     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2045 }
2046 
2047 static Property e100_properties[] = {
2048     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2049     DEFINE_PROP_END_OF_LIST(),
2050 };
2051 
2052 static void eepro100_class_init(ObjectClass *klass, void *data)
2053 {
2054     DeviceClass *dc = DEVICE_CLASS(klass);
2055     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2056     E100PCIDeviceInfo *info;
2057 
2058     info = eepro100_get_class_by_name(object_class_get_name(klass));
2059 
2060     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
2061     dc->props = e100_properties;
2062     dc->desc = info->desc;
2063     k->vendor_id = PCI_VENDOR_ID_INTEL;
2064     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2065     k->romfile = "pxe-eepro100.rom";
2066     k->realize = e100_nic_realize;
2067     k->exit = pci_nic_uninit;
2068     k->device_id = info->device_id;
2069     k->revision = info->revision;
2070     k->subsystem_vendor_id = info->subsystem_vendor_id;
2071     k->subsystem_id = info->subsystem_id;
2072 }
2073 
2074 static void eepro100_register_types(void)
2075 {
2076     size_t i;
2077     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2078         TypeInfo type_info = {};
2079         E100PCIDeviceInfo *info = &e100_devices[i];
2080 
2081         type_info.name = info->name;
2082         type_info.parent = TYPE_PCI_DEVICE;
2083         type_info.class_init = eepro100_class_init;
2084         type_info.instance_size = sizeof(EEPRO100State);
2085         type_info.instance_init = eepro100_instance_init;
2086         type_info.interfaces = (InterfaceInfo[]) {
2087             { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2088             { },
2089         };
2090 
2091         type_register(&type_info);
2092     }
2093 }
2094 
2095 type_init(eepro100_register_types)
2096