xref: /openbmc/qemu/hw/net/eepro100.c (revision 6683d7bc)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 2 of the License, or
12  * (at your option) version 3 or any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * Tested features (i82559):
23  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
24  *      Linux networking (i386) ok
25  *
26  * Untested:
27  *      Windows networking
28  *
29  * References:
30  *
31  * Intel 8255x 10/100 Mbps Ethernet Controller Family
32  * Open Source Software Developer Manual
33  *
34  * TODO:
35  *      * PHY emulation should be separated from nic emulation.
36  *        Most nic emulations could share the same phy code.
37  *      * i82550 is untested. It is programmed like the i82559.
38  *      * i82562 is untested. It is programmed like the i82559.
39  *      * Power management (i82558 and later) is not implemented.
40  *      * Wake-on-LAN is not implemented.
41  */
42 
43 #include <stddef.h>             /* offsetof */
44 #include "hw/hw.h"
45 #include "hw/pci/pci.h"
46 #include "net/net.h"
47 #include "hw/nvram/eeprom93xx.h"
48 #include "sysemu/sysemu.h"
49 #include "sysemu/dma.h"
50 
51 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
52  * Such frames are rejected by real nics and their emulations.
53  * To avoid this behaviour, other nic emulations pad received
54  * frames. The following definition enables this padding for
55  * eepro100, too. We keep the define around in case it might
56  * become useful the future if the core networking is ever
57  * changed to pad short packets itself. */
58 #define CONFIG_PAD_RECEIVED_FRAMES
59 
60 #define KiB 1024
61 
62 /* Debug EEPRO100 card. */
63 #if 0
64 # define DEBUG_EEPRO100
65 #endif
66 
67 #ifdef DEBUG_EEPRO100
68 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
69 #else
70 #define logout(fmt, ...) ((void)0)
71 #endif
72 
73 /* Set flags to 0 to disable debug output. */
74 #define INT     1       /* interrupt related actions */
75 #define MDI     1       /* mdi related actions */
76 #define OTHER   1
77 #define RXTX    1
78 #define EEPROM  1       /* eeprom related actions */
79 
80 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
81 
82 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
83 
84 #define MAX_ETH_FRAME_SIZE 1514
85 
86 /* This driver supports several different devices which are declared here. */
87 #define i82550          0x82550
88 #define i82551          0x82551
89 #define i82557A         0x82557a
90 #define i82557B         0x82557b
91 #define i82557C         0x82557c
92 #define i82558A         0x82558a
93 #define i82558B         0x82558b
94 #define i82559A         0x82559a
95 #define i82559B         0x82559b
96 #define i82559C         0x82559c
97 #define i82559ER        0x82559e
98 #define i82562          0x82562
99 #define i82801          0x82801
100 
101 /* Use 64 word EEPROM. TODO: could be a runtime option. */
102 #define EEPROM_SIZE     64
103 
104 #define PCI_MEM_SIZE            (4 * KiB)
105 #define PCI_IO_SIZE             64
106 #define PCI_FLASH_SIZE          (128 * KiB)
107 
108 #define BIT(n) (1 << (n))
109 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
110 
111 /* The SCB accepts the following controls for the Tx and Rx units: */
112 #define  CU_NOP         0x0000  /* No operation. */
113 #define  CU_START       0x0010  /* CU start. */
114 #define  CU_RESUME      0x0020  /* CU resume. */
115 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
116 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
117 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
118 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
119 #define  CU_SRESUME     0x00a0  /* CU static resume. */
120 
121 #define  RU_NOP         0x0000
122 #define  RX_START       0x0001
123 #define  RX_RESUME      0x0002
124 #define  RU_ABORT       0x0004
125 #define  RX_ADDR_LOAD   0x0006
126 #define  RX_RESUMENR    0x0007
127 #define INT_MASK        0x0100
128 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
129 
130 typedef struct {
131     const char *name;
132     const char *desc;
133     uint16_t device_id;
134     uint8_t revision;
135     uint16_t subsystem_vendor_id;
136     uint16_t subsystem_id;
137 
138     uint32_t device;
139     uint8_t stats_size;
140     bool has_extended_tcb_support;
141     bool power_management;
142 } E100PCIDeviceInfo;
143 
144 /* Offsets to the various registers.
145    All accesses need not be longword aligned. */
146 typedef enum {
147     SCBStatus = 0,              /* Status Word. */
148     SCBAck = 1,
149     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
150     SCBIntmask = 3,
151     SCBPointer = 4,             /* General purpose pointer. */
152     SCBPort = 8,                /* Misc. commands and operands.  */
153     SCBflash = 12,              /* Flash memory control. */
154     SCBeeprom = 14,             /* EEPROM control. */
155     SCBCtrlMDI = 16,            /* MDI interface control. */
156     SCBEarlyRx = 20,            /* Early receive byte count. */
157     SCBFlow = 24,               /* Flow Control. */
158     SCBpmdr = 27,               /* Power Management Driver. */
159     SCBgctrl = 28,              /* General Control. */
160     SCBgstat = 29,              /* General Status. */
161 } E100RegisterOffset;
162 
163 /* A speedo3 transmit buffer descriptor with two buffers... */
164 typedef struct {
165     uint16_t status;
166     uint16_t command;
167     uint32_t link;              /* void * */
168     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
169     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
170     uint8_t tx_threshold;       /* transmit threshold */
171     uint8_t tbd_count;          /* TBD number */
172 #if 0
173     /* This constitutes two "TBD" entries: hdr and data */
174     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
175     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
176     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
177     int32_t  tx_buf_size1;  /* Length of Tx data. */
178 #endif
179 } eepro100_tx_t;
180 
181 /* Receive frame descriptor. */
182 typedef struct {
183     int16_t status;
184     uint16_t command;
185     uint32_t link;              /* struct RxFD * */
186     uint32_t rx_buf_addr;       /* void * */
187     uint16_t count;
188     uint16_t size;
189     /* Ethernet frame data follows. */
190 } eepro100_rx_t;
191 
192 typedef enum {
193     COMMAND_EL = BIT(15),
194     COMMAND_S = BIT(14),
195     COMMAND_I = BIT(13),
196     COMMAND_NC = BIT(4),
197     COMMAND_SF = BIT(3),
198     COMMAND_CMD = BITS(2, 0),
199 } scb_command_bit;
200 
201 typedef enum {
202     STATUS_C = BIT(15),
203     STATUS_OK = BIT(13),
204 } scb_status_bit;
205 
206 typedef struct {
207     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
208              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
209              tx_multiple_collisions, tx_total_collisions;
210     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
211              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
212              rx_short_frame_errors;
213     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
214     uint16_t xmt_tco_frames, rcv_tco_frames;
215     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
216     uint32_t reserved[4];
217 } eepro100_stats_t;
218 
219 typedef enum {
220     cu_idle = 0,
221     cu_suspended = 1,
222     cu_active = 2,
223     cu_lpq_active = 2,
224     cu_hqp_active = 3
225 } cu_state_t;
226 
227 typedef enum {
228     ru_idle = 0,
229     ru_suspended = 1,
230     ru_no_resources = 2,
231     ru_ready = 4
232 } ru_state_t;
233 
234 typedef struct {
235     PCIDevice dev;
236     /* Hash register (multicast mask array, multiple individual addresses). */
237     uint8_t mult[8];
238     MemoryRegion mmio_bar;
239     MemoryRegion io_bar;
240     MemoryRegion flash_bar;
241     NICState *nic;
242     NICConf conf;
243     uint8_t scb_stat;           /* SCB stat/ack byte */
244     uint8_t int_stat;           /* PCI interrupt status */
245     /* region must not be saved by nic_save. */
246     uint16_t mdimem[32];
247     eeprom_t *eeprom;
248     uint32_t device;            /* device variant */
249     /* (cu_base + cu_offset) address the next command block in the command block list. */
250     uint32_t cu_base;           /* CU base address */
251     uint32_t cu_offset;         /* CU address offset */
252     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
253     uint32_t ru_base;           /* RU base address */
254     uint32_t ru_offset;         /* RU address offset */
255     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
256 
257     /* Temporary status information (no need to save these values),
258      * used while processing CU commands. */
259     eepro100_tx_t tx;           /* transmit buffer descriptor */
260     uint32_t cb_address;        /* = cu_base + cu_offset */
261 
262     /* Statistical counters. Also used for wake-up packet (i82559). */
263     eepro100_stats_t statistics;
264 
265     /* Data in mem is always in the byte order of the controller (le).
266      * It must be dword aligned to allow direct access to 32 bit values. */
267     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
268 
269     /* Configuration bytes. */
270     uint8_t configuration[22];
271 
272     /* vmstate for each particular nic */
273     VMStateDescription *vmstate;
274 
275     /* Quasi static device properties (no need to save them). */
276     uint16_t stats_size;
277     bool has_extended_tcb_support;
278 } EEPRO100State;
279 
280 /* Word indices in EEPROM. */
281 typedef enum {
282     EEPROM_CNFG_MDIX  = 0x03,
283     EEPROM_ID         = 0x05,
284     EEPROM_PHY_ID     = 0x06,
285     EEPROM_VENDOR_ID  = 0x0c,
286     EEPROM_CONFIG_ASF = 0x0d,
287     EEPROM_DEVICE_ID  = 0x23,
288     EEPROM_SMBUS_ADDR = 0x90,
289 } EEPROMOffset;
290 
291 /* Bit values for EEPROM ID word. */
292 typedef enum {
293     EEPROM_ID_MDM = BIT(0),     /* Modem */
294     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
295     EEPROM_ID_WMR = BIT(2),     /* ??? */
296     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
297     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
298     EEPROM_ID_ALT = BIT(7),     /* */
299     /* BITS(10, 8) device revision */
300     EEPROM_ID_BD = BIT(11),     /* boot disable */
301     EEPROM_ID_ID = BIT(13),     /* id bit */
302     /* BITS(15, 14) signature */
303     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
304 } eeprom_id_bit;
305 
306 /* Default values for MDI (PHY) registers */
307 static const uint16_t eepro100_mdi_default[] = {
308     /* MDI Registers 0 - 6, 7 */
309     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
310     /* MDI Registers 8 - 15 */
311     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
312     /* MDI Registers 16 - 31 */
313     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
314     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
315 };
316 
317 /* Readonly mask for MDI (PHY) registers */
318 static const uint16_t eepro100_mdi_mask[] = {
319     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
320     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
321     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
322     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
323 };
324 
325 #define POLYNOMIAL 0x04c11db6
326 
327 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
328 
329 /* From FreeBSD (locally modified). */
330 static unsigned e100_compute_mcast_idx(const uint8_t *ep)
331 {
332     uint32_t crc;
333     int carry, i, j;
334     uint8_t b;
335 
336     crc = 0xffffffff;
337     for (i = 0; i < 6; i++) {
338         b = *ep++;
339         for (j = 0; j < 8; j++) {
340             carry = ((crc & 0x80000000L) ? 1 : 0) ^ (b & 0x01);
341             crc <<= 1;
342             b >>= 1;
343             if (carry) {
344                 crc = ((crc ^ POLYNOMIAL) | carry);
345             }
346         }
347     }
348     return (crc & BITS(7, 2)) >> 2;
349 }
350 
351 /* Read a 16 bit control/status (CSR) register. */
352 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
353 {
354     assert(!((uintptr_t)&s->mem[addr] & 1));
355     return le16_to_cpup((uint16_t *)&s->mem[addr]);
356 }
357 
358 /* Read a 32 bit control/status (CSR) register. */
359 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
360 {
361     assert(!((uintptr_t)&s->mem[addr] & 3));
362     return le32_to_cpup((uint32_t *)&s->mem[addr]);
363 }
364 
365 /* Write a 16 bit control/status (CSR) register. */
366 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
367                             uint16_t val)
368 {
369     assert(!((uintptr_t)&s->mem[addr] & 1));
370     cpu_to_le16w((uint16_t *)&s->mem[addr], val);
371 }
372 
373 /* Read a 32 bit control/status (CSR) register. */
374 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
375                             uint32_t val)
376 {
377     assert(!((uintptr_t)&s->mem[addr] & 3));
378     cpu_to_le32w((uint32_t *)&s->mem[addr], val);
379 }
380 
381 #if defined(DEBUG_EEPRO100)
382 static const char *nic_dump(const uint8_t * buf, unsigned size)
383 {
384     static char dump[3 * 16 + 1];
385     char *p = &dump[0];
386     if (size > 16) {
387         size = 16;
388     }
389     while (size-- > 0) {
390         p += sprintf(p, " %02x", *buf++);
391     }
392     return dump;
393 }
394 #endif                          /* DEBUG_EEPRO100 */
395 
396 enum scb_stat_ack {
397     stat_ack_not_ours = 0x00,
398     stat_ack_sw_gen = 0x04,
399     stat_ack_rnr = 0x10,
400     stat_ack_cu_idle = 0x20,
401     stat_ack_frame_rx = 0x40,
402     stat_ack_cu_cmd_done = 0x80,
403     stat_ack_not_present = 0xFF,
404     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
405     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
406 };
407 
408 static void disable_interrupt(EEPRO100State * s)
409 {
410     if (s->int_stat) {
411         TRACE(INT, logout("interrupt disabled\n"));
412         qemu_irq_lower(s->dev.irq[0]);
413         s->int_stat = 0;
414     }
415 }
416 
417 static void enable_interrupt(EEPRO100State * s)
418 {
419     if (!s->int_stat) {
420         TRACE(INT, logout("interrupt enabled\n"));
421         qemu_irq_raise(s->dev.irq[0]);
422         s->int_stat = 1;
423     }
424 }
425 
426 static void eepro100_acknowledge(EEPRO100State * s)
427 {
428     s->scb_stat &= ~s->mem[SCBAck];
429     s->mem[SCBAck] = s->scb_stat;
430     if (s->scb_stat == 0) {
431         disable_interrupt(s);
432     }
433 }
434 
435 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
436 {
437     uint8_t mask = ~s->mem[SCBIntmask];
438     s->mem[SCBAck] |= status;
439     status = s->scb_stat = s->mem[SCBAck];
440     status &= (mask | 0x0f);
441 #if 0
442     status &= (~s->mem[SCBIntmask] | 0x0xf);
443 #endif
444     if (status && (mask & 0x01)) {
445         /* SCB mask and SCB Bit M do not disable interrupt. */
446         enable_interrupt(s);
447     } else if (s->int_stat) {
448         disable_interrupt(s);
449     }
450 }
451 
452 static void eepro100_cx_interrupt(EEPRO100State * s)
453 {
454     /* CU completed action command. */
455     /* Transmit not ok (82557 only, not in emulation). */
456     eepro100_interrupt(s, 0x80);
457 }
458 
459 static void eepro100_cna_interrupt(EEPRO100State * s)
460 {
461     /* CU left the active state. */
462     eepro100_interrupt(s, 0x20);
463 }
464 
465 static void eepro100_fr_interrupt(EEPRO100State * s)
466 {
467     /* RU received a complete frame. */
468     eepro100_interrupt(s, 0x40);
469 }
470 
471 static void eepro100_rnr_interrupt(EEPRO100State * s)
472 {
473     /* RU is not ready. */
474     eepro100_interrupt(s, 0x10);
475 }
476 
477 static void eepro100_mdi_interrupt(EEPRO100State * s)
478 {
479     /* MDI completed read or write cycle. */
480     eepro100_interrupt(s, 0x08);
481 }
482 
483 static void eepro100_swi_interrupt(EEPRO100State * s)
484 {
485     /* Software has requested an interrupt. */
486     eepro100_interrupt(s, 0x04);
487 }
488 
489 #if 0
490 static void eepro100_fcp_interrupt(EEPRO100State * s)
491 {
492     /* Flow control pause interrupt (82558 and later). */
493     eepro100_interrupt(s, 0x01);
494 }
495 #endif
496 
497 static void e100_pci_reset(EEPRO100State * s)
498 {
499     E100PCIDeviceInfo *info = eepro100_get_class(s);
500     uint32_t device = s->device;
501     uint8_t *pci_conf = s->dev.config;
502 
503     TRACE(OTHER, logout("%p\n", s));
504 
505     /* PCI Status */
506     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
507                                         PCI_STATUS_FAST_BACK);
508     /* PCI Latency Timer */
509     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
510     /* Capability Pointer is set by PCI framework. */
511     /* Interrupt Line */
512     /* Interrupt Pin */
513     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
514     /* Minimum Grant */
515     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
516     /* Maximum Latency */
517     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
518 
519     s->stats_size = info->stats_size;
520     s->has_extended_tcb_support = info->has_extended_tcb_support;
521 
522     switch (device) {
523     case i82550:
524     case i82551:
525     case i82557A:
526     case i82557B:
527     case i82557C:
528     case i82558A:
529     case i82558B:
530     case i82559A:
531     case i82559B:
532     case i82559ER:
533     case i82562:
534     case i82801:
535     case i82559C:
536         break;
537     default:
538         logout("Device %X is undefined!\n", device);
539     }
540 
541     /* Standard TxCB. */
542     s->configuration[6] |= BIT(4);
543 
544     /* Standard statistical counters. */
545     s->configuration[6] |= BIT(5);
546 
547     if (s->stats_size == 80) {
548         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
549         if (s->configuration[6] & BIT(2)) {
550             /* TCO statistical counters. */
551             assert(s->configuration[6] & BIT(5));
552         } else {
553             if (s->configuration[6] & BIT(5)) {
554                 /* No extended statistical counters, i82557 compatible. */
555                 s->stats_size = 64;
556             } else {
557                 /* i82558 compatible. */
558                 s->stats_size = 76;
559             }
560         }
561     } else {
562         if (s->configuration[6] & BIT(5)) {
563             /* No extended statistical counters. */
564             s->stats_size = 64;
565         }
566     }
567     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
568 
569     if (info->power_management) {
570         /* Power Management Capabilities */
571         int cfg_offset = 0xdc;
572         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
573                                    cfg_offset, PCI_PM_SIZEOF);
574         assert(r >= 0);
575         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
576 #if 0 /* TODO: replace dummy code for power management emulation. */
577         /* TODO: Power Management Control / Status. */
578         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
579         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
580         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
581 #endif
582     }
583 
584 #if EEPROM_SIZE > 0
585     if (device == i82557C || device == i82558B || device == i82559C) {
586         /*
587         TODO: get vendor id from EEPROM for i82557C or later.
588         TODO: get device id from EEPROM for i82557C or later.
589         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
590         TODO: header type is determined by EEPROM for i82559.
591         TODO: get subsystem id from EEPROM for i82557C or later.
592         TODO: get subsystem vendor id from EEPROM for i82557C or later.
593         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
594         TODO: capability pointer depends on EEPROM for i82558.
595         */
596         logout("Get device id and revision from EEPROM!!!\n");
597     }
598 #endif /* EEPROM_SIZE > 0 */
599 }
600 
601 static void nic_selective_reset(EEPRO100State * s)
602 {
603     size_t i;
604     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
605 #if 0
606     eeprom93xx_reset(s->eeprom);
607 #endif
608     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
609     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
610     if (s->device == i82557B || s->device == i82557C)
611         eeprom_contents[5] = 0x0100;
612     eeprom_contents[EEPROM_PHY_ID] = 1;
613     uint16_t sum = 0;
614     for (i = 0; i < EEPROM_SIZE - 1; i++) {
615         sum += eeprom_contents[i];
616     }
617     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
618     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
619 
620     memset(s->mem, 0, sizeof(s->mem));
621     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
622 
623     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
624     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
625 }
626 
627 static void nic_reset(void *opaque)
628 {
629     EEPRO100State *s = opaque;
630     TRACE(OTHER, logout("%p\n", s));
631     /* TODO: Clearing of hash register for selective reset, too? */
632     memset(&s->mult[0], 0, sizeof(s->mult));
633     nic_selective_reset(s);
634 }
635 
636 #if defined(DEBUG_EEPRO100)
637 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
638     "Command/Status",
639     "General Pointer",
640     "Port",
641     "EEPROM/Flash Control",
642     "MDI Control",
643     "Receive DMA Byte Count",
644     "Flow Control",
645     "General Status/Control"
646 };
647 
648 static char *regname(uint32_t addr)
649 {
650     static char buf[32];
651     if (addr < PCI_IO_SIZE) {
652         const char *r = e100_reg[addr / 4];
653         if (r != 0) {
654             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
655         } else {
656             snprintf(buf, sizeof(buf), "0x%02x", addr);
657         }
658     } else {
659         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
660     }
661     return buf;
662 }
663 #endif                          /* DEBUG_EEPRO100 */
664 
665 /*****************************************************************************
666  *
667  * Command emulation.
668  *
669  ****************************************************************************/
670 
671 #if 0
672 static uint16_t eepro100_read_command(EEPRO100State * s)
673 {
674     uint16_t val = 0xffff;
675     TRACE(OTHER, logout("val=0x%04x\n", val));
676     return val;
677 }
678 #endif
679 
680 /* Commands that can be put in a command list entry. */
681 enum commands {
682     CmdNOp = 0,
683     CmdIASetup = 1,
684     CmdConfigure = 2,
685     CmdMulticastList = 3,
686     CmdTx = 4,
687     CmdTDR = 5,                 /* load microcode */
688     CmdDump = 6,
689     CmdDiagnose = 7,
690 
691     /* And some extra flags: */
692     CmdSuspend = 0x4000,        /* Suspend after completion. */
693     CmdIntr = 0x2000,           /* Interrupt after completion. */
694     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
695 };
696 
697 static cu_state_t get_cu_state(EEPRO100State * s)
698 {
699     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
700 }
701 
702 static void set_cu_state(EEPRO100State * s, cu_state_t state)
703 {
704     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
705 }
706 
707 static ru_state_t get_ru_state(EEPRO100State * s)
708 {
709     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
710 }
711 
712 static void set_ru_state(EEPRO100State * s, ru_state_t state)
713 {
714     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
715 }
716 
717 static void dump_statistics(EEPRO100State * s)
718 {
719     /* Dump statistical data. Most data is never changed by the emulation
720      * and always 0, so we first just copy the whole block and then those
721      * values which really matter.
722      * Number of data should check configuration!!!
723      */
724     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
725     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
726                    s->statistics.tx_good_frames);
727     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
728                    s->statistics.rx_good_frames);
729     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
730                    s->statistics.rx_resource_errors);
731     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
732                    s->statistics.rx_short_frame_errors);
733 #if 0
734     stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
735     stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
736     missing("CU dump statistical counters");
737 #endif
738 }
739 
740 static void read_cb(EEPRO100State *s)
741 {
742     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
743     s->tx.status = le16_to_cpu(s->tx.status);
744     s->tx.command = le16_to_cpu(s->tx.command);
745     s->tx.link = le32_to_cpu(s->tx.link);
746     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
747     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
748 }
749 
750 static void tx_command(EEPRO100State *s)
751 {
752     uint32_t tbd_array = le32_to_cpu(s->tx.tbd_array_addr);
753     uint16_t tcb_bytes = (le16_to_cpu(s->tx.tcb_bytes) & 0x3fff);
754     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
755     uint8_t buf[2600];
756     uint16_t size = 0;
757     uint32_t tbd_address = s->cb_address + 0x10;
758     TRACE(RXTX, logout
759         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
760          tbd_array, tcb_bytes, s->tx.tbd_count));
761 
762     if (tcb_bytes > 2600) {
763         logout("TCB byte count too large, using 2600\n");
764         tcb_bytes = 2600;
765     }
766     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
767         logout
768             ("illegal values of TBD array address and TCB byte count!\n");
769     }
770     assert(tcb_bytes <= sizeof(buf));
771     while (size < tcb_bytes) {
772         uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
773         uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
774 #if 0
775         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
776 #endif
777         tbd_address += 8;
778         TRACE(RXTX, logout
779             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
780              tx_buffer_address, tx_buffer_size));
781         tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
782         pci_dma_read(&s->dev, tx_buffer_address, &buf[size], tx_buffer_size);
783         size += tx_buffer_size;
784     }
785     if (tbd_array == 0xffffffff) {
786         /* Simplified mode. Was already handled by code above. */
787     } else {
788         /* Flexible mode. */
789         uint8_t tbd_count = 0;
790         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
791             /* Extended Flexible TCB. */
792             for (; tbd_count < 2; tbd_count++) {
793                 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
794                                                             tbd_address);
795                 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
796                                                           tbd_address + 4);
797                 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
798                                                         tbd_address + 6);
799                 tbd_address += 8;
800                 TRACE(RXTX, logout
801                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
802                      tx_buffer_address, tx_buffer_size));
803                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
804                 pci_dma_read(&s->dev, tx_buffer_address,
805                              &buf[size], tx_buffer_size);
806                 size += tx_buffer_size;
807                 if (tx_buffer_el & 1) {
808                     break;
809                 }
810             }
811         }
812         tbd_address = tbd_array;
813         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
814             uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
815             uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
816             uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
817             tbd_address += 8;
818             TRACE(RXTX, logout
819                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
820                  tx_buffer_address, tx_buffer_size));
821             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
822             pci_dma_read(&s->dev, tx_buffer_address,
823                          &buf[size], tx_buffer_size);
824             size += tx_buffer_size;
825             if (tx_buffer_el & 1) {
826                 break;
827             }
828         }
829     }
830     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
831     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
832     s->statistics.tx_good_frames++;
833     /* Transmit with bad status would raise an CX/TNO interrupt.
834      * (82557 only). Emulation never has bad status. */
835 #if 0
836     eepro100_cx_interrupt(s);
837 #endif
838 }
839 
840 static void set_multicast_list(EEPRO100State *s)
841 {
842     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
843     uint16_t i;
844     memset(&s->mult[0], 0, sizeof(s->mult));
845     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
846     for (i = 0; i < multicast_count; i += 6) {
847         uint8_t multicast_addr[6];
848         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
849         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
850         unsigned mcast_idx = e100_compute_mcast_idx(multicast_addr);
851         assert(mcast_idx < 64);
852         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
853     }
854 }
855 
856 static void action_command(EEPRO100State *s)
857 {
858     for (;;) {
859         bool bit_el;
860         bool bit_s;
861         bool bit_i;
862         bool bit_nc;
863         uint16_t ok_status = STATUS_OK;
864         s->cb_address = s->cu_base + s->cu_offset;
865         read_cb(s);
866         bit_el = ((s->tx.command & COMMAND_EL) != 0);
867         bit_s = ((s->tx.command & COMMAND_S) != 0);
868         bit_i = ((s->tx.command & COMMAND_I) != 0);
869         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
870 #if 0
871         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
872 #endif
873         s->cu_offset = s->tx.link;
874         TRACE(OTHER,
875               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
876                      s->tx.status, s->tx.command, s->tx.link));
877         switch (s->tx.command & COMMAND_CMD) {
878         case CmdNOp:
879             /* Do nothing. */
880             break;
881         case CmdIASetup:
882             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
883             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
884             break;
885         case CmdConfigure:
886             pci_dma_read(&s->dev, s->cb_address + 8,
887                          &s->configuration[0], sizeof(s->configuration));
888             TRACE(OTHER, logout("configuration: %s\n",
889                                 nic_dump(&s->configuration[0], 16)));
890             TRACE(OTHER, logout("configuration: %s\n",
891                                 nic_dump(&s->configuration[16],
892                                 ARRAY_SIZE(s->configuration) - 16)));
893             if (s->configuration[20] & BIT(6)) {
894                 TRACE(OTHER, logout("Multiple IA bit\n"));
895             }
896             break;
897         case CmdMulticastList:
898             set_multicast_list(s);
899             break;
900         case CmdTx:
901             if (bit_nc) {
902                 missing("CmdTx: NC = 0");
903                 ok_status = 0;
904                 break;
905             }
906             tx_command(s);
907             break;
908         case CmdTDR:
909             TRACE(OTHER, logout("load microcode\n"));
910             /* Starting with offset 8, the command contains
911              * 64 dwords microcode which we just ignore here. */
912             break;
913         case CmdDiagnose:
914             TRACE(OTHER, logout("diagnose\n"));
915             /* Make sure error flag is not set. */
916             s->tx.status = 0;
917             break;
918         default:
919             missing("undefined command");
920             ok_status = 0;
921             break;
922         }
923         /* Write new status. */
924         stw_le_pci_dma(&s->dev, s->cb_address,
925                        s->tx.status | ok_status | STATUS_C);
926         if (bit_i) {
927             /* CU completed action. */
928             eepro100_cx_interrupt(s);
929         }
930         if (bit_el) {
931             /* CU becomes idle. Terminate command loop. */
932             set_cu_state(s, cu_idle);
933             eepro100_cna_interrupt(s);
934             break;
935         } else if (bit_s) {
936             /* CU becomes suspended. Terminate command loop. */
937             set_cu_state(s, cu_suspended);
938             eepro100_cna_interrupt(s);
939             break;
940         } else {
941             /* More entries in list. */
942             TRACE(OTHER, logout("CU list with at least one more entry\n"));
943         }
944     }
945     TRACE(OTHER, logout("CU list empty\n"));
946     /* List is empty. Now CU is idle or suspended. */
947 }
948 
949 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
950 {
951     cu_state_t cu_state;
952     switch (val) {
953     case CU_NOP:
954         /* No operation. */
955         break;
956     case CU_START:
957         cu_state = get_cu_state(s);
958         if (cu_state != cu_idle && cu_state != cu_suspended) {
959             /* Intel documentation says that CU must be idle or suspended
960              * for the CU start command. */
961             logout("unexpected CU state is %u\n", cu_state);
962         }
963         set_cu_state(s, cu_active);
964         s->cu_offset = e100_read_reg4(s, SCBPointer);
965         action_command(s);
966         break;
967     case CU_RESUME:
968         if (get_cu_state(s) != cu_suspended) {
969             logout("bad CU resume from CU state %u\n", get_cu_state(s));
970             /* Workaround for bad Linux eepro100 driver which resumes
971              * from idle state. */
972 #if 0
973             missing("cu resume");
974 #endif
975             set_cu_state(s, cu_suspended);
976         }
977         if (get_cu_state(s) == cu_suspended) {
978             TRACE(OTHER, logout("CU resuming\n"));
979             set_cu_state(s, cu_active);
980             action_command(s);
981         }
982         break;
983     case CU_STATSADDR:
984         /* Load dump counters address. */
985         s->statsaddr = e100_read_reg4(s, SCBPointer);
986         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
987         if (s->statsaddr & 3) {
988             /* Memory must be Dword aligned. */
989             logout("unaligned dump counters address\n");
990             /* Handling of misaligned addresses is undefined.
991              * Here we align the address by ignoring the lower bits. */
992             /* TODO: Test unaligned dump counter address on real hardware. */
993             s->statsaddr &= ~3;
994         }
995         break;
996     case CU_SHOWSTATS:
997         /* Dump statistical counters. */
998         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
999         dump_statistics(s);
1000         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
1001         break;
1002     case CU_CMD_BASE:
1003         /* Load CU base. */
1004         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
1005         s->cu_base = e100_read_reg4(s, SCBPointer);
1006         break;
1007     case CU_DUMPSTATS:
1008         /* Dump and reset statistical counters. */
1009         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
1010         dump_statistics(s);
1011         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
1012         memset(&s->statistics, 0, sizeof(s->statistics));
1013         break;
1014     case CU_SRESUME:
1015         /* CU static resume. */
1016         missing("CU static resume");
1017         break;
1018     default:
1019         missing("Undefined CU command");
1020     }
1021 }
1022 
1023 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1024 {
1025     switch (val) {
1026     case RU_NOP:
1027         /* No operation. */
1028         break;
1029     case RX_START:
1030         /* RU start. */
1031         if (get_ru_state(s) != ru_idle) {
1032             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1033 #if 0
1034             assert(!"wrong RU state");
1035 #endif
1036         }
1037         set_ru_state(s, ru_ready);
1038         s->ru_offset = e100_read_reg4(s, SCBPointer);
1039         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1040         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1041         break;
1042     case RX_RESUME:
1043         /* Restart RU. */
1044         if (get_ru_state(s) != ru_suspended) {
1045             logout("RU state is %u, should be %u\n", get_ru_state(s),
1046                    ru_suspended);
1047 #if 0
1048             assert(!"wrong RU state");
1049 #endif
1050         }
1051         set_ru_state(s, ru_ready);
1052         break;
1053     case RU_ABORT:
1054         /* RU abort. */
1055         if (get_ru_state(s) == ru_ready) {
1056             eepro100_rnr_interrupt(s);
1057         }
1058         set_ru_state(s, ru_idle);
1059         break;
1060     case RX_ADDR_LOAD:
1061         /* Load RU base. */
1062         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1063         s->ru_base = e100_read_reg4(s, SCBPointer);
1064         break;
1065     default:
1066         logout("val=0x%02x (undefined RU command)\n", val);
1067         missing("Undefined SU command");
1068     }
1069 }
1070 
1071 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1072 {
1073     eepro100_ru_command(s, val & 0x0f);
1074     eepro100_cu_command(s, val & 0xf0);
1075     if ((val) == 0) {
1076         TRACE(OTHER, logout("val=0x%02x\n", val));
1077     }
1078     /* Clear command byte after command was accepted. */
1079     s->mem[SCBCmd] = 0;
1080 }
1081 
1082 /*****************************************************************************
1083  *
1084  * EEPROM emulation.
1085  *
1086  ****************************************************************************/
1087 
1088 #define EEPROM_CS       0x02
1089 #define EEPROM_SK       0x01
1090 #define EEPROM_DI       0x04
1091 #define EEPROM_DO       0x08
1092 
1093 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1094 {
1095     uint16_t val = e100_read_reg2(s, SCBeeprom);
1096     if (eeprom93xx_read(s->eeprom)) {
1097         val |= EEPROM_DO;
1098     } else {
1099         val &= ~EEPROM_DO;
1100     }
1101     TRACE(EEPROM, logout("val=0x%04x\n", val));
1102     return val;
1103 }
1104 
1105 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1106 {
1107     TRACE(EEPROM, logout("val=0x%02x\n", val));
1108 
1109     /* mask unwritable bits */
1110 #if 0
1111     val = SET_MASKED(val, 0x31, eeprom->value);
1112 #endif
1113 
1114     int eecs = ((val & EEPROM_CS) != 0);
1115     int eesk = ((val & EEPROM_SK) != 0);
1116     int eedi = ((val & EEPROM_DI) != 0);
1117     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1118 }
1119 
1120 /*****************************************************************************
1121  *
1122  * MDI emulation.
1123  *
1124  ****************************************************************************/
1125 
1126 #if defined(DEBUG_EEPRO100)
1127 static const char * const mdi_op_name[] = {
1128     "opcode 0",
1129     "write",
1130     "read",
1131     "opcode 3"
1132 };
1133 
1134 static const char * const mdi_reg_name[] = {
1135     "Control",
1136     "Status",
1137     "PHY Identification (Word 1)",
1138     "PHY Identification (Word 2)",
1139     "Auto-Negotiation Advertisement",
1140     "Auto-Negotiation Link Partner Ability",
1141     "Auto-Negotiation Expansion"
1142 };
1143 
1144 static const char *reg2name(uint8_t reg)
1145 {
1146     static char buffer[10];
1147     const char *p = buffer;
1148     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1149         p = mdi_reg_name[reg];
1150     } else {
1151         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1152     }
1153     return p;
1154 }
1155 #endif                          /* DEBUG_EEPRO100 */
1156 
1157 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1158 {
1159     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1160 
1161 #ifdef DEBUG_EEPRO100
1162     uint8_t raiseint = (val & BIT(29)) >> 29;
1163     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1164     uint8_t phy = (val & BITS(25, 21)) >> 21;
1165     uint8_t reg = (val & BITS(20, 16)) >> 16;
1166     uint16_t data = (val & BITS(15, 0));
1167 #endif
1168     /* Emulation takes no time to finish MDI transaction. */
1169     val |= BIT(28);
1170     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1171                       val, raiseint, mdi_op_name[opcode], phy,
1172                       reg2name(reg), data));
1173     return val;
1174 }
1175 
1176 static void eepro100_write_mdi(EEPRO100State *s)
1177 {
1178     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1179     uint8_t raiseint = (val & BIT(29)) >> 29;
1180     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1181     uint8_t phy = (val & BITS(25, 21)) >> 21;
1182     uint8_t reg = (val & BITS(20, 16)) >> 16;
1183     uint16_t data = (val & BITS(15, 0));
1184     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1185           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1186     if (phy != 1) {
1187         /* Unsupported PHY address. */
1188 #if 0
1189         logout("phy must be 1 but is %u\n", phy);
1190 #endif
1191         data = 0;
1192     } else if (opcode != 1 && opcode != 2) {
1193         /* Unsupported opcode. */
1194         logout("opcode must be 1 or 2 but is %u\n", opcode);
1195         data = 0;
1196     } else if (reg > 6) {
1197         /* Unsupported register. */
1198         logout("register must be 0...6 but is %u\n", reg);
1199         data = 0;
1200     } else {
1201         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1202                           val, raiseint, mdi_op_name[opcode], phy,
1203                           reg2name(reg), data));
1204         if (opcode == 1) {
1205             /* MDI write */
1206             switch (reg) {
1207             case 0:            /* Control Register */
1208                 if (data & 0x8000) {
1209                     /* Reset status and control registers to default. */
1210                     s->mdimem[0] = eepro100_mdi_default[0];
1211                     s->mdimem[1] = eepro100_mdi_default[1];
1212                     data = s->mdimem[reg];
1213                 } else {
1214                     /* Restart Auto Configuration = Normal Operation */
1215                     data &= ~0x0200;
1216                 }
1217                 break;
1218             case 1:            /* Status Register */
1219                 missing("not writable");
1220                 data = s->mdimem[reg];
1221                 break;
1222             case 2:            /* PHY Identification Register (Word 1) */
1223             case 3:            /* PHY Identification Register (Word 2) */
1224                 missing("not implemented");
1225                 break;
1226             case 4:            /* Auto-Negotiation Advertisement Register */
1227             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1228                 break;
1229             case 6:            /* Auto-Negotiation Expansion Register */
1230             default:
1231                 missing("not implemented");
1232             }
1233             s->mdimem[reg] = data;
1234         } else if (opcode == 2) {
1235             /* MDI read */
1236             switch (reg) {
1237             case 0:            /* Control Register */
1238                 if (data & 0x8000) {
1239                     /* Reset status and control registers to default. */
1240                     s->mdimem[0] = eepro100_mdi_default[0];
1241                     s->mdimem[1] = eepro100_mdi_default[1];
1242                 }
1243                 break;
1244             case 1:            /* Status Register */
1245                 s->mdimem[reg] |= 0x0020;
1246                 break;
1247             case 2:            /* PHY Identification Register (Word 1) */
1248             case 3:            /* PHY Identification Register (Word 2) */
1249             case 4:            /* Auto-Negotiation Advertisement Register */
1250                 break;
1251             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1252                 s->mdimem[reg] = 0x41fe;
1253                 break;
1254             case 6:            /* Auto-Negotiation Expansion Register */
1255                 s->mdimem[reg] = 0x0001;
1256                 break;
1257             }
1258             data = s->mdimem[reg];
1259         }
1260         /* Emulation takes no time to finish MDI transaction.
1261          * Set MDI bit in SCB status register. */
1262         s->mem[SCBAck] |= 0x08;
1263         val |= BIT(28);
1264         if (raiseint) {
1265             eepro100_mdi_interrupt(s);
1266         }
1267     }
1268     val = (val & 0xffff0000) + data;
1269     e100_write_reg4(s, SCBCtrlMDI, val);
1270 }
1271 
1272 /*****************************************************************************
1273  *
1274  * Port emulation.
1275  *
1276  ****************************************************************************/
1277 
1278 #define PORT_SOFTWARE_RESET     0
1279 #define PORT_SELFTEST           1
1280 #define PORT_SELECTIVE_RESET    2
1281 #define PORT_DUMP               3
1282 #define PORT_SELECTION_MASK     3
1283 
1284 typedef struct {
1285     uint32_t st_sign;           /* Self Test Signature */
1286     uint32_t st_result;         /* Self Test Results */
1287 } eepro100_selftest_t;
1288 
1289 static uint32_t eepro100_read_port(EEPRO100State * s)
1290 {
1291     return 0;
1292 }
1293 
1294 static void eepro100_write_port(EEPRO100State *s)
1295 {
1296     uint32_t val = e100_read_reg4(s, SCBPort);
1297     uint32_t address = (val & ~PORT_SELECTION_MASK);
1298     uint8_t selection = (val & PORT_SELECTION_MASK);
1299     switch (selection) {
1300     case PORT_SOFTWARE_RESET:
1301         nic_reset(s);
1302         break;
1303     case PORT_SELFTEST:
1304         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1305         eepro100_selftest_t data;
1306         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1307         data.st_sign = 0xffffffff;
1308         data.st_result = 0;
1309         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1310         break;
1311     case PORT_SELECTIVE_RESET:
1312         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1313         nic_selective_reset(s);
1314         break;
1315     default:
1316         logout("val=0x%08x\n", val);
1317         missing("unknown port selection");
1318     }
1319 }
1320 
1321 /*****************************************************************************
1322  *
1323  * General hardware emulation.
1324  *
1325  ****************************************************************************/
1326 
1327 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1328 {
1329     uint8_t val = 0;
1330     if (addr <= sizeof(s->mem) - sizeof(val)) {
1331         val = s->mem[addr];
1332     }
1333 
1334     switch (addr) {
1335     case SCBStatus:
1336     case SCBAck:
1337         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1338         break;
1339     case SCBCmd:
1340         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1341 #if 0
1342         val = eepro100_read_command(s);
1343 #endif
1344         break;
1345     case SCBIntmask:
1346         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1347         break;
1348     case SCBPort + 3:
1349         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1350         break;
1351     case SCBeeprom:
1352         val = eepro100_read_eeprom(s);
1353         break;
1354     case SCBCtrlMDI:
1355     case SCBCtrlMDI + 1:
1356     case SCBCtrlMDI + 2:
1357     case SCBCtrlMDI + 3:
1358         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1359         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1360         break;
1361     case SCBpmdr:       /* Power Management Driver Register */
1362         val = 0;
1363         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1364         break;
1365     case SCBgctrl:      /* General Control Register */
1366         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1367         break;
1368     case SCBgstat:      /* General Status Register */
1369         /* 100 Mbps full duplex, valid link */
1370         val = 0x07;
1371         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1372         break;
1373     default:
1374         logout("addr=%s val=0x%02x\n", regname(addr), val);
1375         missing("unknown byte read");
1376     }
1377     return val;
1378 }
1379 
1380 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1381 {
1382     uint16_t val = 0;
1383     if (addr <= sizeof(s->mem) - sizeof(val)) {
1384         val = e100_read_reg2(s, addr);
1385     }
1386 
1387     switch (addr) {
1388     case SCBStatus:
1389     case SCBCmd:
1390         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1391         break;
1392     case SCBeeprom:
1393         val = eepro100_read_eeprom(s);
1394         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1395         break;
1396     case SCBCtrlMDI:
1397     case SCBCtrlMDI + 2:
1398         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1399         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1400         break;
1401     default:
1402         logout("addr=%s val=0x%04x\n", regname(addr), val);
1403         missing("unknown word read");
1404     }
1405     return val;
1406 }
1407 
1408 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1409 {
1410     uint32_t val = 0;
1411     if (addr <= sizeof(s->mem) - sizeof(val)) {
1412         val = e100_read_reg4(s, addr);
1413     }
1414 
1415     switch (addr) {
1416     case SCBStatus:
1417         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1418         break;
1419     case SCBPointer:
1420         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1421         break;
1422     case SCBPort:
1423         val = eepro100_read_port(s);
1424         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1425         break;
1426     case SCBflash:
1427         val = eepro100_read_eeprom(s);
1428         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1429         break;
1430     case SCBCtrlMDI:
1431         val = eepro100_read_mdi(s);
1432         break;
1433     default:
1434         logout("addr=%s val=0x%08x\n", regname(addr), val);
1435         missing("unknown longword read");
1436     }
1437     return val;
1438 }
1439 
1440 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1441 {
1442     /* SCBStatus is readonly. */
1443     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1444         s->mem[addr] = val;
1445     }
1446 
1447     switch (addr) {
1448     case SCBStatus:
1449         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1450         break;
1451     case SCBAck:
1452         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1453         eepro100_acknowledge(s);
1454         break;
1455     case SCBCmd:
1456         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1457         eepro100_write_command(s, val);
1458         break;
1459     case SCBIntmask:
1460         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1461         if (val & BIT(1)) {
1462             eepro100_swi_interrupt(s);
1463         }
1464         eepro100_interrupt(s, 0);
1465         break;
1466     case SCBPointer:
1467     case SCBPointer + 1:
1468     case SCBPointer + 2:
1469     case SCBPointer + 3:
1470         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1471         break;
1472     case SCBPort:
1473     case SCBPort + 1:
1474     case SCBPort + 2:
1475         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1476         break;
1477     case SCBPort + 3:
1478         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1479         eepro100_write_port(s);
1480         break;
1481     case SCBFlow:       /* does not exist on 82557 */
1482     case SCBFlow + 1:
1483     case SCBFlow + 2:
1484     case SCBpmdr:       /* does not exist on 82557 */
1485         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1486         break;
1487     case SCBeeprom:
1488         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1489         eepro100_write_eeprom(s->eeprom, val);
1490         break;
1491     case SCBCtrlMDI:
1492     case SCBCtrlMDI + 1:
1493     case SCBCtrlMDI + 2:
1494         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1495         break;
1496     case SCBCtrlMDI + 3:
1497         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1498         eepro100_write_mdi(s);
1499         break;
1500     default:
1501         logout("addr=%s val=0x%02x\n", regname(addr), val);
1502         missing("unknown byte write");
1503     }
1504 }
1505 
1506 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1507 {
1508     /* SCBStatus is readonly. */
1509     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1510         e100_write_reg2(s, addr, val);
1511     }
1512 
1513     switch (addr) {
1514     case SCBStatus:
1515         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1516         s->mem[SCBAck] = (val >> 8);
1517         eepro100_acknowledge(s);
1518         break;
1519     case SCBCmd:
1520         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1521         eepro100_write_command(s, val);
1522         eepro100_write1(s, SCBIntmask, val >> 8);
1523         break;
1524     case SCBPointer:
1525     case SCBPointer + 2:
1526         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1527         break;
1528     case SCBPort:
1529         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1530         break;
1531     case SCBPort + 2:
1532         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1533         eepro100_write_port(s);
1534         break;
1535     case SCBeeprom:
1536         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1537         eepro100_write_eeprom(s->eeprom, val);
1538         break;
1539     case SCBCtrlMDI:
1540         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1541         break;
1542     case SCBCtrlMDI + 2:
1543         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1544         eepro100_write_mdi(s);
1545         break;
1546     default:
1547         logout("addr=%s val=0x%04x\n", regname(addr), val);
1548         missing("unknown word write");
1549     }
1550 }
1551 
1552 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1553 {
1554     if (addr <= sizeof(s->mem) - sizeof(val)) {
1555         e100_write_reg4(s, addr, val);
1556     }
1557 
1558     switch (addr) {
1559     case SCBPointer:
1560         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1561         break;
1562     case SCBPort:
1563         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1564         eepro100_write_port(s);
1565         break;
1566     case SCBflash:
1567         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1568         val = val >> 16;
1569         eepro100_write_eeprom(s->eeprom, val);
1570         break;
1571     case SCBCtrlMDI:
1572         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1573         eepro100_write_mdi(s);
1574         break;
1575     default:
1576         logout("addr=%s val=0x%08x\n", regname(addr), val);
1577         missing("unknown longword write");
1578     }
1579 }
1580 
1581 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1582                               unsigned size)
1583 {
1584     EEPRO100State *s = opaque;
1585 
1586     switch (size) {
1587     case 1: return eepro100_read1(s, addr);
1588     case 2: return eepro100_read2(s, addr);
1589     case 4: return eepro100_read4(s, addr);
1590     default: abort();
1591     }
1592 }
1593 
1594 static void eepro100_write(void *opaque, hwaddr addr,
1595                            uint64_t data, unsigned size)
1596 {
1597     EEPRO100State *s = opaque;
1598 
1599     switch (size) {
1600     case 1:
1601         eepro100_write1(s, addr, data);
1602         break;
1603     case 2:
1604         eepro100_write2(s, addr, data);
1605         break;
1606     case 4:
1607         eepro100_write4(s, addr, data);
1608         break;
1609     default:
1610         abort();
1611     }
1612 }
1613 
1614 static const MemoryRegionOps eepro100_ops = {
1615     .read = eepro100_read,
1616     .write = eepro100_write,
1617     .endianness = DEVICE_LITTLE_ENDIAN,
1618 };
1619 
1620 static int nic_can_receive(NetClientState *nc)
1621 {
1622     EEPRO100State *s = qemu_get_nic_opaque(nc);
1623     TRACE(RXTX, logout("%p\n", s));
1624     return get_ru_state(s) == ru_ready;
1625 #if 0
1626     return !eepro100_buffer_full(s);
1627 #endif
1628 }
1629 
1630 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1631 {
1632     /* TODO:
1633      * - Magic packets should set bit 30 in power management driver register.
1634      * - Interesting packets should set bit 29 in power management driver register.
1635      */
1636     EEPRO100State *s = qemu_get_nic_opaque(nc);
1637     uint16_t rfd_status = 0xa000;
1638 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1639     uint8_t min_buf[60];
1640 #endif
1641     static const uint8_t broadcast_macaddr[6] =
1642         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1643 
1644 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1645     /* Pad to minimum Ethernet frame length */
1646     if (size < sizeof(min_buf)) {
1647         memcpy(min_buf, buf, size);
1648         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1649         buf = min_buf;
1650         size = sizeof(min_buf);
1651     }
1652 #endif
1653 
1654     if (s->configuration[8] & 0x80) {
1655         /* CSMA is disabled. */
1656         logout("%p received while CSMA is disabled\n", s);
1657         return -1;
1658 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1659     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1660         /* Short frame and configuration byte 7/0 (discard short receive) set:
1661          * Short frame is discarded */
1662         logout("%p received short frame (%zu byte)\n", s, size);
1663         s->statistics.rx_short_frame_errors++;
1664         return -1;
1665 #endif
1666     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1667         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1668          * Long frames are discarded. */
1669         logout("%p received long frame (%zu byte), ignored\n", s, size);
1670         return -1;
1671     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1672         /* Frame matches individual address. */
1673         /* TODO: check configuration byte 15/4 (ignore U/L). */
1674         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1675     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1676         /* Broadcast frame. */
1677         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1678         rfd_status |= 0x0002;
1679     } else if (buf[0] & 0x01) {
1680         /* Multicast frame. */
1681         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1682         if (s->configuration[21] & BIT(3)) {
1683           /* Multicast all bit is set, receive all multicast frames. */
1684         } else {
1685           unsigned mcast_idx = e100_compute_mcast_idx(buf);
1686           assert(mcast_idx < 64);
1687           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1688             /* Multicast frame is allowed in hash table. */
1689           } else if (s->configuration[15] & BIT(0)) {
1690               /* Promiscuous: receive all. */
1691               rfd_status |= 0x0004;
1692           } else {
1693               TRACE(RXTX, logout("%p multicast ignored\n", s));
1694               return -1;
1695           }
1696         }
1697         /* TODO: Next not for promiscuous mode? */
1698         rfd_status |= 0x0002;
1699     } else if (s->configuration[15] & BIT(0)) {
1700         /* Promiscuous: receive all. */
1701         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1702         rfd_status |= 0x0004;
1703     } else if (s->configuration[20] & BIT(6)) {
1704         /* Multiple IA bit set. */
1705         unsigned mcast_idx = compute_mcast_idx(buf);
1706         assert(mcast_idx < 64);
1707         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1708             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1709         } else {
1710             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1711             return -1;
1712         }
1713     } else {
1714         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1715               nic_dump(buf, size)));
1716         return size;
1717     }
1718 
1719     if (get_ru_state(s) != ru_ready) {
1720         /* No resources available. */
1721         logout("no resources, state=%u\n", get_ru_state(s));
1722         /* TODO: RNR interrupt only at first failed frame? */
1723         eepro100_rnr_interrupt(s);
1724         s->statistics.rx_resource_errors++;
1725 #if 0
1726         assert(!"no resources");
1727 #endif
1728         return -1;
1729     }
1730     /* !!! */
1731     eepro100_rx_t rx;
1732     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1733                  &rx, sizeof(eepro100_rx_t));
1734     uint16_t rfd_command = le16_to_cpu(rx.command);
1735     uint16_t rfd_size = le16_to_cpu(rx.size);
1736 
1737     if (size > rfd_size) {
1738         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1739             "(%zu bytes); data truncated\n", rfd_size, size);
1740         size = rfd_size;
1741     }
1742 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1743     if (size < 64) {
1744         rfd_status |= 0x0080;
1745     }
1746 #endif
1747     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1748           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1749     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1750                 offsetof(eepro100_rx_t, status), rfd_status);
1751     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1752                 offsetof(eepro100_rx_t, count), size);
1753     /* Early receive interrupt not supported. */
1754 #if 0
1755     eepro100_er_interrupt(s);
1756 #endif
1757     /* Receive CRC Transfer not supported. */
1758     if (s->configuration[18] & BIT(2)) {
1759         missing("Receive CRC Transfer");
1760         return -1;
1761     }
1762     /* TODO: check stripping enable bit. */
1763 #if 0
1764     assert(!(s->configuration[17] & BIT(0)));
1765 #endif
1766     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1767                   sizeof(eepro100_rx_t), buf, size);
1768     s->statistics.rx_good_frames++;
1769     eepro100_fr_interrupt(s);
1770     s->ru_offset = le32_to_cpu(rx.link);
1771     if (rfd_command & COMMAND_EL) {
1772         /* EL bit is set, so this was the last frame. */
1773         logout("receive: Running out of frames\n");
1774         set_ru_state(s, ru_no_resources);
1775         eepro100_rnr_interrupt(s);
1776     }
1777     if (rfd_command & COMMAND_S) {
1778         /* S bit is set. */
1779         set_ru_state(s, ru_suspended);
1780     }
1781     return size;
1782 }
1783 
1784 static const VMStateDescription vmstate_eepro100 = {
1785     .version_id = 3,
1786     .minimum_version_id = 2,
1787     .minimum_version_id_old = 2,
1788     .fields      = (VMStateField []) {
1789         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1790         VMSTATE_UNUSED(32),
1791         VMSTATE_BUFFER(mult, EEPRO100State),
1792         VMSTATE_BUFFER(mem, EEPRO100State),
1793         /* Save all members of struct between scb_stat and mem. */
1794         VMSTATE_UINT8(scb_stat, EEPRO100State),
1795         VMSTATE_UINT8(int_stat, EEPRO100State),
1796         VMSTATE_UNUSED(3*4),
1797         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1798         VMSTATE_UNUSED(19*4),
1799         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1800         /* The eeprom should be saved and restored by its own routines. */
1801         VMSTATE_UINT32(device, EEPRO100State),
1802         /* TODO check device. */
1803         VMSTATE_UINT32(cu_base, EEPRO100State),
1804         VMSTATE_UINT32(cu_offset, EEPRO100State),
1805         VMSTATE_UINT32(ru_base, EEPRO100State),
1806         VMSTATE_UINT32(ru_offset, EEPRO100State),
1807         VMSTATE_UINT32(statsaddr, EEPRO100State),
1808         /* Save eepro100_stats_t statistics. */
1809         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1810         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1811         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1812         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1813         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1814         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1815         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1816         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1817         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1818         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1819         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1820         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1821         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1822         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1823         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1824         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1825         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1826         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1827         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1828         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1829         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1830         /* Configuration bytes. */
1831         VMSTATE_BUFFER(configuration, EEPRO100State),
1832         VMSTATE_END_OF_LIST()
1833     }
1834 };
1835 
1836 static void nic_cleanup(NetClientState *nc)
1837 {
1838     EEPRO100State *s = qemu_get_nic_opaque(nc);
1839 
1840     s->nic = NULL;
1841 }
1842 
1843 static void pci_nic_uninit(PCIDevice *pci_dev)
1844 {
1845     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1846 
1847     memory_region_destroy(&s->mmio_bar);
1848     memory_region_destroy(&s->io_bar);
1849     memory_region_destroy(&s->flash_bar);
1850     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
1851     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1852     qemu_del_nic(s->nic);
1853 }
1854 
1855 static NetClientInfo net_eepro100_info = {
1856     .type = NET_CLIENT_OPTIONS_KIND_NIC,
1857     .size = sizeof(NICState),
1858     .can_receive = nic_can_receive,
1859     .receive = nic_receive,
1860     .cleanup = nic_cleanup,
1861 };
1862 
1863 static int e100_nic_init(PCIDevice *pci_dev)
1864 {
1865     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1866     E100PCIDeviceInfo *info = eepro100_get_class(s);
1867 
1868     TRACE(OTHER, logout("\n"));
1869 
1870     s->device = info->device;
1871 
1872     e100_pci_reset(s);
1873 
1874     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1875      * i82559 and later support 64 or 256 word EEPROM. */
1876     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1877 
1878     /* Handler for memory-mapped I/O */
1879     memory_region_init_io(&s->mmio_bar, &eepro100_ops, s, "eepro100-mmio",
1880                           PCI_MEM_SIZE);
1881     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1882     memory_region_init_io(&s->io_bar, &eepro100_ops, s, "eepro100-io",
1883                           PCI_IO_SIZE);
1884     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1885     /* FIXME: flash aliases to mmio?! */
1886     memory_region_init_io(&s->flash_bar, &eepro100_ops, s, "eepro100-flash",
1887                           PCI_FLASH_SIZE);
1888     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1889 
1890     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1891     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1892 
1893     nic_reset(s);
1894 
1895     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1896                           object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
1897 
1898     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1899     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1900 
1901     qemu_register_reset(nic_reset, s);
1902 
1903     s->vmstate = g_malloc(sizeof(vmstate_eepro100));
1904     memcpy(s->vmstate, &vmstate_eepro100, sizeof(vmstate_eepro100));
1905     s->vmstate->name = qemu_get_queue(s->nic)->model;
1906     vmstate_register(&pci_dev->qdev, -1, s->vmstate, s);
1907 
1908     add_boot_device_path(s->conf.bootindex, &pci_dev->qdev, "/ethernet-phy@0");
1909 
1910     return 0;
1911 }
1912 
1913 static E100PCIDeviceInfo e100_devices[] = {
1914     {
1915         .name = "i82550",
1916         .desc = "Intel i82550 Ethernet",
1917         .device = i82550,
1918         /* TODO: check device id. */
1919         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1920         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1921         .revision = 0x0e,
1922         /* TODO: check size of statistical counters. */
1923         .stats_size = 80,
1924         /* TODO: check extended tcb support. */
1925         .has_extended_tcb_support = true,
1926         .power_management = true,
1927     },{
1928         .name = "i82551",
1929         .desc = "Intel i82551 Ethernet",
1930         .device = i82551,
1931         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1932         /* Revision ID: 0x0f, 0x10. */
1933         .revision = 0x0f,
1934         /* TODO: check size of statistical counters. */
1935         .stats_size = 80,
1936         .has_extended_tcb_support = true,
1937         .power_management = true,
1938     },{
1939         .name = "i82557a",
1940         .desc = "Intel i82557A Ethernet",
1941         .device = i82557A,
1942         .device_id = PCI_DEVICE_ID_INTEL_82557,
1943         .revision = 0x01,
1944         .power_management = false,
1945     },{
1946         .name = "i82557b",
1947         .desc = "Intel i82557B Ethernet",
1948         .device = i82557B,
1949         .device_id = PCI_DEVICE_ID_INTEL_82557,
1950         .revision = 0x02,
1951         .power_management = false,
1952     },{
1953         .name = "i82557c",
1954         .desc = "Intel i82557C Ethernet",
1955         .device = i82557C,
1956         .device_id = PCI_DEVICE_ID_INTEL_82557,
1957         .revision = 0x03,
1958         .power_management = false,
1959     },{
1960         .name = "i82558a",
1961         .desc = "Intel i82558A Ethernet",
1962         .device = i82558A,
1963         .device_id = PCI_DEVICE_ID_INTEL_82557,
1964         .revision = 0x04,
1965         .stats_size = 76,
1966         .has_extended_tcb_support = true,
1967         .power_management = true,
1968     },{
1969         .name = "i82558b",
1970         .desc = "Intel i82558B Ethernet",
1971         .device = i82558B,
1972         .device_id = PCI_DEVICE_ID_INTEL_82557,
1973         .revision = 0x05,
1974         .stats_size = 76,
1975         .has_extended_tcb_support = true,
1976         .power_management = true,
1977     },{
1978         .name = "i82559a",
1979         .desc = "Intel i82559A Ethernet",
1980         .device = i82559A,
1981         .device_id = PCI_DEVICE_ID_INTEL_82557,
1982         .revision = 0x06,
1983         .stats_size = 80,
1984         .has_extended_tcb_support = true,
1985         .power_management = true,
1986     },{
1987         .name = "i82559b",
1988         .desc = "Intel i82559B Ethernet",
1989         .device = i82559B,
1990         .device_id = PCI_DEVICE_ID_INTEL_82557,
1991         .revision = 0x07,
1992         .stats_size = 80,
1993         .has_extended_tcb_support = true,
1994         .power_management = true,
1995     },{
1996         .name = "i82559c",
1997         .desc = "Intel i82559C Ethernet",
1998         .device = i82559C,
1999         .device_id = PCI_DEVICE_ID_INTEL_82557,
2000 #if 0
2001         .revision = 0x08,
2002 #endif
2003         /* TODO: Windows wants revision id 0x0c. */
2004         .revision = 0x0c,
2005 #if EEPROM_SIZE > 0
2006         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
2007         .subsystem_id = 0x0040,
2008 #endif
2009         .stats_size = 80,
2010         .has_extended_tcb_support = true,
2011         .power_management = true,
2012     },{
2013         .name = "i82559er",
2014         .desc = "Intel i82559ER Ethernet",
2015         .device = i82559ER,
2016         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2017         .revision = 0x09,
2018         .stats_size = 80,
2019         .has_extended_tcb_support = true,
2020         .power_management = true,
2021     },{
2022         .name = "i82562",
2023         .desc = "Intel i82562 Ethernet",
2024         .device = i82562,
2025         /* TODO: check device id. */
2026         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2027         /* TODO: wrong revision id. */
2028         .revision = 0x0e,
2029         .stats_size = 80,
2030         .has_extended_tcb_support = true,
2031         .power_management = true,
2032     },{
2033         /* Toshiba Tecra 8200. */
2034         .name = "i82801",
2035         .desc = "Intel i82801 Ethernet",
2036         .device = i82801,
2037         .device_id = 0x2449,
2038         .revision = 0x03,
2039         .stats_size = 80,
2040         .has_extended_tcb_support = true,
2041         .power_management = true,
2042     }
2043 };
2044 
2045 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2046 {
2047     E100PCIDeviceInfo *info = NULL;
2048     int i;
2049 
2050     /* This is admittedly awkward but also temporary.  QOM allows for
2051      * parameterized typing and for subclassing both of which would suitable
2052      * handle what's going on here.  But class_data is already being used as
2053      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2054      * right now.  Once we merge the final QOM series, we can come back here and
2055      * do this in a much more elegant fashion.
2056      */
2057     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2058         if (strcmp(e100_devices[i].name, typename) == 0) {
2059             info = &e100_devices[i];
2060             break;
2061         }
2062     }
2063     assert(info != NULL);
2064 
2065     return info;
2066 }
2067 
2068 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2069 {
2070     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2071 }
2072 
2073 static Property e100_properties[] = {
2074     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2075     DEFINE_PROP_END_OF_LIST(),
2076 };
2077 
2078 static void eepro100_class_init(ObjectClass *klass, void *data)
2079 {
2080     DeviceClass *dc = DEVICE_CLASS(klass);
2081     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2082     E100PCIDeviceInfo *info;
2083 
2084     info = eepro100_get_class_by_name(object_class_get_name(klass));
2085 
2086     dc->props = e100_properties;
2087     dc->desc = info->desc;
2088     k->vendor_id = PCI_VENDOR_ID_INTEL;
2089     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2090     k->romfile = "pxe-eepro100.rom";
2091     k->init = e100_nic_init;
2092     k->exit = pci_nic_uninit;
2093     k->device_id = info->device_id;
2094     k->revision = info->revision;
2095     k->subsystem_vendor_id = info->subsystem_vendor_id;
2096     k->subsystem_id = info->subsystem_id;
2097 }
2098 
2099 static void eepro100_register_types(void)
2100 {
2101     size_t i;
2102     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2103         TypeInfo type_info = {};
2104         E100PCIDeviceInfo *info = &e100_devices[i];
2105 
2106         type_info.name = info->name;
2107         type_info.parent = TYPE_PCI_DEVICE;
2108         type_info.class_init = eepro100_class_init;
2109         type_info.instance_size = sizeof(EEPRO100State);
2110 
2111         type_register(&type_info);
2112     }
2113 }
2114 
2115 type_init(eepro100_register_types)
2116