xref: /openbmc/qemu/hw/net/eepro100.c (revision 7a5951f651ad5f158631a826070b24631e733763)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 2 of the License, or
12  * (at your option) version 3 or any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * Tested features (i82559):
23  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
24  *      Linux networking (i386) ok
25  *
26  * Untested:
27  *      Windows networking
28  *
29  * References:
30  *
31  * Intel 8255x 10/100 Mbps Ethernet Controller Family
32  * Open Source Software Developer Manual
33  *
34  * TODO:
35  *      * PHY emulation should be separated from nic emulation.
36  *        Most nic emulations could share the same phy code.
37  *      * i82550 is untested. It is programmed like the i82559.
38  *      * i82562 is untested. It is programmed like the i82559.
39  *      * Power management (i82558 and later) is not implemented.
40  *      * Wake-on-LAN is not implemented.
41  */
42 
43 #include "qemu/osdep.h"
44 #include "qemu/units.h"
45 #include "hw/pci/pci_device.h"
46 #include "hw/qdev-properties.h"
47 #include "migration/vmstate.h"
48 #include "net/net.h"
49 #include "net/eth.h"
50 #include "hw/nvram/eeprom93xx.h"
51 #include "sysemu/sysemu.h"
52 #include "sysemu/dma.h"
53 #include "sysemu/reset.h"
54 #include "qemu/bitops.h"
55 #include "qemu/module.h"
56 #include "qapi/error.h"
57 
58 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
59  * Such frames are rejected by real nics and their emulations.
60  * To avoid this behaviour, other nic emulations pad received
61  * frames. The following definition enables this padding for
62  * eepro100, too. We keep the define around in case it might
63  * become useful the future if the core networking is ever
64  * changed to pad short packets itself. */
65 #define CONFIG_PAD_RECEIVED_FRAMES
66 
67 /* Debug EEPRO100 card. */
68 #if 0
69 # define DEBUG_EEPRO100
70 #endif
71 
72 #ifdef DEBUG_EEPRO100
73 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
74 #else
75 #define logout(fmt, ...) ((void)0)
76 #endif
77 
78 /* Set flags to 0 to disable debug output. */
79 #define INT     1       /* interrupt related actions */
80 #define MDI     1       /* mdi related actions */
81 #define OTHER   1
82 #define RXTX    1
83 #define EEPROM  1       /* eeprom related actions */
84 
85 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
86 
87 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
88 
89 #define MAX_ETH_FRAME_SIZE 1514
90 
91 /* This driver supports several different devices which are declared here. */
92 #define i82550          0x82550
93 #define i82551          0x82551
94 #define i82557A         0x82557a
95 #define i82557B         0x82557b
96 #define i82557C         0x82557c
97 #define i82558A         0x82558a
98 #define i82558B         0x82558b
99 #define i82559A         0x82559a
100 #define i82559B         0x82559b
101 #define i82559C         0x82559c
102 #define i82559ER        0x82559e
103 #define i82562          0x82562
104 #define i82801          0x82801
105 
106 /* Use 64 word EEPROM. TODO: could be a runtime option. */
107 #define EEPROM_SIZE     64
108 
109 #define PCI_MEM_SIZE            (4 * KiB)
110 #define PCI_IO_SIZE             64
111 #define PCI_FLASH_SIZE          (128 * KiB)
112 
113 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
114 
115 /* The SCB accepts the following controls for the Tx and Rx units: */
116 #define  CU_NOP         0x0000  /* No operation. */
117 #define  CU_START       0x0010  /* CU start. */
118 #define  CU_RESUME      0x0020  /* CU resume. */
119 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
120 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
121 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
122 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
123 #define  CU_SRESUME     0x00a0  /* CU static resume. */
124 
125 #define  RU_NOP         0x0000
126 #define  RX_START       0x0001
127 #define  RX_RESUME      0x0002
128 #define  RU_ABORT       0x0004
129 #define  RX_ADDR_LOAD   0x0006
130 #define  RX_RESUMENR    0x0007
131 #define INT_MASK        0x0100
132 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
133 
134 typedef struct {
135     const char *name;
136     const char *desc;
137     uint16_t device_id;
138     uint8_t revision;
139     uint16_t subsystem_vendor_id;
140     uint16_t subsystem_id;
141 
142     uint32_t device;
143     uint8_t stats_size;
144     bool has_extended_tcb_support;
145     bool power_management;
146 } E100PCIDeviceInfo;
147 
148 /* Offsets to the various registers.
149    All accesses need not be longword aligned. */
150 typedef enum {
151     SCBStatus = 0,              /* Status Word. */
152     SCBAck = 1,
153     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
154     SCBIntmask = 3,
155     SCBPointer = 4,             /* General purpose pointer. */
156     SCBPort = 8,                /* Misc. commands and operands.  */
157     SCBflash = 12,              /* Flash memory control. */
158     SCBeeprom = 14,             /* EEPROM control. */
159     SCBCtrlMDI = 16,            /* MDI interface control. */
160     SCBEarlyRx = 20,            /* Early receive byte count. */
161     SCBFlow = 24,               /* Flow Control. */
162     SCBpmdr = 27,               /* Power Management Driver. */
163     SCBgctrl = 28,              /* General Control. */
164     SCBgstat = 29,              /* General Status. */
165 } E100RegisterOffset;
166 
167 /* A speedo3 transmit buffer descriptor with two buffers... */
168 typedef struct {
169     uint16_t status;
170     uint16_t command;
171     uint32_t link;              /* void * */
172     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
173     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
174     uint8_t tx_threshold;       /* transmit threshold */
175     uint8_t tbd_count;          /* TBD number */
176 #if 0
177     /* This constitutes two "TBD" entries: hdr and data */
178     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
179     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
180     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
181     int32_t  tx_buf_size1;  /* Length of Tx data. */
182 #endif
183 } eepro100_tx_t;
184 
185 /* Receive frame descriptor. */
186 typedef struct {
187     int16_t status;
188     uint16_t command;
189     uint32_t link;              /* struct RxFD * */
190     uint32_t rx_buf_addr;       /* void * */
191     uint16_t count;
192     uint16_t size;
193     /* Ethernet frame data follows. */
194 } eepro100_rx_t;
195 
196 typedef enum {
197     COMMAND_EL = BIT(15),
198     COMMAND_S = BIT(14),
199     COMMAND_I = BIT(13),
200     COMMAND_NC = BIT(4),
201     COMMAND_SF = BIT(3),
202     COMMAND_CMD = BITS(2, 0),
203 } scb_command_bit;
204 
205 typedef enum {
206     STATUS_C = BIT(15),
207     STATUS_OK = BIT(13),
208 } scb_status_bit;
209 
210 typedef struct {
211     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
212              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
213              tx_multiple_collisions, tx_total_collisions;
214     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
215              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
216              rx_short_frame_errors;
217     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
218     uint16_t xmt_tco_frames, rcv_tco_frames;
219     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
220     uint32_t reserved[4];
221 } eepro100_stats_t;
222 
223 typedef enum {
224     cu_idle = 0,
225     cu_suspended = 1,
226     cu_active = 2,
227     cu_lpq_active = 2,
228     cu_hqp_active = 3
229 } cu_state_t;
230 
231 typedef enum {
232     ru_idle = 0,
233     ru_suspended = 1,
234     ru_no_resources = 2,
235     ru_ready = 4
236 } ru_state_t;
237 
238 typedef struct {
239     PCIDevice dev;
240     /* Hash register (multicast mask array, multiple individual addresses). */
241     uint8_t mult[8];
242     MemoryRegion mmio_bar;
243     MemoryRegion io_bar;
244     MemoryRegion flash_bar;
245     NICState *nic;
246     NICConf conf;
247     uint8_t scb_stat;           /* SCB stat/ack byte */
248     uint8_t int_stat;           /* PCI interrupt status */
249     /* region must not be saved by nic_save. */
250     uint16_t mdimem[32];
251     eeprom_t *eeprom;
252     uint32_t device;            /* device variant */
253     /* (cu_base + cu_offset) address the next command block in the command block list. */
254     uint32_t cu_base;           /* CU base address */
255     uint32_t cu_offset;         /* CU address offset */
256     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
257     uint32_t ru_base;           /* RU base address */
258     uint32_t ru_offset;         /* RU address offset */
259     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
260 
261     /* Temporary status information (no need to save these values),
262      * used while processing CU commands. */
263     eepro100_tx_t tx;           /* transmit buffer descriptor */
264     uint32_t cb_address;        /* = cu_base + cu_offset */
265 
266     /* Statistical counters. Also used for wake-up packet (i82559). */
267     eepro100_stats_t statistics;
268 
269     /* Data in mem is always in the byte order of the controller (le).
270      * It must be dword aligned to allow direct access to 32 bit values. */
271     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
272 
273     /* Configuration bytes. */
274     uint8_t configuration[22];
275 
276     /* vmstate for each particular nic */
277     VMStateDescription *vmstate;
278 
279     /* Quasi static device properties (no need to save them). */
280     uint16_t stats_size;
281     bool has_extended_tcb_support;
282 } EEPRO100State;
283 
284 /* Word indices in EEPROM. */
285 typedef enum {
286     EEPROM_CNFG_MDIX  = 0x03,
287     EEPROM_ID         = 0x05,
288     EEPROM_PHY_ID     = 0x06,
289     EEPROM_VENDOR_ID  = 0x0c,
290     EEPROM_CONFIG_ASF = 0x0d,
291     EEPROM_DEVICE_ID  = 0x23,
292     EEPROM_SMBUS_ADDR = 0x90,
293 } EEPROMOffset;
294 
295 /* Bit values for EEPROM ID word. */
296 typedef enum {
297     EEPROM_ID_MDM = BIT(0),     /* Modem */
298     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
299     EEPROM_ID_WMR = BIT(2),     /* ??? */
300     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
301     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
302     EEPROM_ID_ALT = BIT(7),     /* */
303     /* BITS(10, 8) device revision */
304     EEPROM_ID_BD = BIT(11),     /* boot disable */
305     EEPROM_ID_ID = BIT(13),     /* id bit */
306     /* BITS(15, 14) signature */
307     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
308 } eeprom_id_bit;
309 
310 /* Default values for MDI (PHY) registers */
311 static const uint16_t eepro100_mdi_default[] = {
312     /* MDI Registers 0 - 6, 7 */
313     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
314     /* MDI Registers 8 - 15 */
315     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
316     /* MDI Registers 16 - 31 */
317     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
318     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
319 };
320 
321 /* Readonly mask for MDI (PHY) registers */
322 static const uint16_t eepro100_mdi_mask[] = {
323     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
324     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
325     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
326     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
327 };
328 
329 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
330 
331 /* Read a 16 bit control/status (CSR) register. */
332 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
333 {
334     assert(!((uintptr_t)&s->mem[addr] & 1));
335     return lduw_le_p(&s->mem[addr]);
336 }
337 
338 /* Read a 32 bit control/status (CSR) register. */
339 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
340 {
341     assert(!((uintptr_t)&s->mem[addr] & 3));
342     return ldl_le_p(&s->mem[addr]);
343 }
344 
345 /* Write a 16 bit control/status (CSR) register. */
346 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
347                             uint16_t val)
348 {
349     assert(!((uintptr_t)&s->mem[addr] & 1));
350     stw_le_p(&s->mem[addr], val);
351 }
352 
353 /* Read a 32 bit control/status (CSR) register. */
354 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
355                             uint32_t val)
356 {
357     assert(!((uintptr_t)&s->mem[addr] & 3));
358     stl_le_p(&s->mem[addr], val);
359 }
360 
361 #if defined(DEBUG_EEPRO100)
362 static const char *nic_dump(const uint8_t * buf, unsigned size)
363 {
364     static char dump[3 * 16 + 1];
365     char *p = &dump[0];
366     if (size > 16) {
367         size = 16;
368     }
369     while (size-- > 0) {
370         p += sprintf(p, " %02x", *buf++);
371     }
372     return dump;
373 }
374 #endif                          /* DEBUG_EEPRO100 */
375 
376 enum scb_stat_ack {
377     stat_ack_not_ours = 0x00,
378     stat_ack_sw_gen = 0x04,
379     stat_ack_rnr = 0x10,
380     stat_ack_cu_idle = 0x20,
381     stat_ack_frame_rx = 0x40,
382     stat_ack_cu_cmd_done = 0x80,
383     stat_ack_not_present = 0xFF,
384     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
385     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
386 };
387 
388 static void disable_interrupt(EEPRO100State * s)
389 {
390     if (s->int_stat) {
391         TRACE(INT, logout("interrupt disabled\n"));
392         pci_irq_deassert(&s->dev);
393         s->int_stat = 0;
394     }
395 }
396 
397 static void enable_interrupt(EEPRO100State * s)
398 {
399     if (!s->int_stat) {
400         TRACE(INT, logout("interrupt enabled\n"));
401         pci_irq_assert(&s->dev);
402         s->int_stat = 1;
403     }
404 }
405 
406 static void eepro100_acknowledge(EEPRO100State * s)
407 {
408     s->scb_stat &= ~s->mem[SCBAck];
409     s->mem[SCBAck] = s->scb_stat;
410     if (s->scb_stat == 0) {
411         disable_interrupt(s);
412     }
413 }
414 
415 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
416 {
417     uint8_t mask = ~s->mem[SCBIntmask];
418     s->mem[SCBAck] |= status;
419     status = s->scb_stat = s->mem[SCBAck];
420     status &= (mask | 0x0f);
421 #if 0
422     status &= (~s->mem[SCBIntmask] | 0x0xf);
423 #endif
424     if (status && (mask & 0x01)) {
425         /* SCB mask and SCB Bit M do not disable interrupt. */
426         enable_interrupt(s);
427     } else if (s->int_stat) {
428         disable_interrupt(s);
429     }
430 }
431 
432 static void eepro100_cx_interrupt(EEPRO100State * s)
433 {
434     /* CU completed action command. */
435     /* Transmit not ok (82557 only, not in emulation). */
436     eepro100_interrupt(s, 0x80);
437 }
438 
439 static void eepro100_cna_interrupt(EEPRO100State * s)
440 {
441     /* CU left the active state. */
442     eepro100_interrupt(s, 0x20);
443 }
444 
445 static void eepro100_fr_interrupt(EEPRO100State * s)
446 {
447     /* RU received a complete frame. */
448     eepro100_interrupt(s, 0x40);
449 }
450 
451 static void eepro100_rnr_interrupt(EEPRO100State * s)
452 {
453     /* RU is not ready. */
454     eepro100_interrupt(s, 0x10);
455 }
456 
457 static void eepro100_mdi_interrupt(EEPRO100State * s)
458 {
459     /* MDI completed read or write cycle. */
460     eepro100_interrupt(s, 0x08);
461 }
462 
463 static void eepro100_swi_interrupt(EEPRO100State * s)
464 {
465     /* Software has requested an interrupt. */
466     eepro100_interrupt(s, 0x04);
467 }
468 
469 #if 0
470 static void eepro100_fcp_interrupt(EEPRO100State * s)
471 {
472     /* Flow control pause interrupt (82558 and later). */
473     eepro100_interrupt(s, 0x01);
474 }
475 #endif
476 
477 static void e100_pci_reset(EEPRO100State *s, Error **errp)
478 {
479     E100PCIDeviceInfo *info = eepro100_get_class(s);
480     uint32_t device = s->device;
481     uint8_t *pci_conf = s->dev.config;
482 
483     TRACE(OTHER, logout("%p\n", s));
484 
485     /* PCI Status */
486     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
487                                         PCI_STATUS_FAST_BACK);
488     /* PCI Latency Timer */
489     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
490     /* Capability Pointer is set by PCI framework. */
491     /* Interrupt Line */
492     /* Interrupt Pin */
493     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
494     /* Minimum Grant */
495     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
496     /* Maximum Latency */
497     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
498 
499     s->stats_size = info->stats_size;
500     s->has_extended_tcb_support = info->has_extended_tcb_support;
501 
502     switch (device) {
503     case i82550:
504     case i82551:
505     case i82557A:
506     case i82557B:
507     case i82557C:
508     case i82558A:
509     case i82558B:
510     case i82559A:
511     case i82559B:
512     case i82559ER:
513     case i82562:
514     case i82801:
515     case i82559C:
516         break;
517     default:
518         logout("Device %X is undefined!\n", device);
519     }
520 
521     /* Standard TxCB. */
522     s->configuration[6] |= BIT(4);
523 
524     /* Standard statistical counters. */
525     s->configuration[6] |= BIT(5);
526 
527     if (s->stats_size == 80) {
528         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
529         if (s->configuration[6] & BIT(2)) {
530             /* TCO statistical counters. */
531             assert(s->configuration[6] & BIT(5));
532         } else {
533             if (s->configuration[6] & BIT(5)) {
534                 /* No extended statistical counters, i82557 compatible. */
535                 s->stats_size = 64;
536             } else {
537                 /* i82558 compatible. */
538                 s->stats_size = 76;
539             }
540         }
541     } else {
542         if (s->configuration[6] & BIT(5)) {
543             /* No extended statistical counters. */
544             s->stats_size = 64;
545         }
546     }
547     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
548 
549     if (info->power_management) {
550         /* Power Management Capabilities */
551         int cfg_offset = 0xdc;
552         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
553                                    cfg_offset, PCI_PM_SIZEOF,
554                                    errp);
555         if (r < 0) {
556             return;
557         }
558 
559         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
560 #if 0 /* TODO: replace dummy code for power management emulation. */
561         /* TODO: Power Management Control / Status. */
562         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
563         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
564         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
565 #endif
566     }
567 
568 #if EEPROM_SIZE > 0
569     if (device == i82557C || device == i82558B || device == i82559C) {
570         /*
571         TODO: get vendor id from EEPROM for i82557C or later.
572         TODO: get device id from EEPROM for i82557C or later.
573         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
574         TODO: header type is determined by EEPROM for i82559.
575         TODO: get subsystem id from EEPROM for i82557C or later.
576         TODO: get subsystem vendor id from EEPROM for i82557C or later.
577         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
578         TODO: capability pointer depends on EEPROM for i82558.
579         */
580         logout("Get device id and revision from EEPROM!!!\n");
581     }
582 #endif /* EEPROM_SIZE > 0 */
583 }
584 
585 static void nic_selective_reset(EEPRO100State * s)
586 {
587     size_t i;
588     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
589 #if 0
590     eeprom93xx_reset(s->eeprom);
591 #endif
592     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
593     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
594     if (s->device == i82557B || s->device == i82557C)
595         eeprom_contents[5] = 0x0100;
596     eeprom_contents[EEPROM_PHY_ID] = 1;
597     uint16_t sum = 0;
598     for (i = 0; i < EEPROM_SIZE - 1; i++) {
599         sum += eeprom_contents[i];
600     }
601     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
602     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
603 
604     memset(s->mem, 0, sizeof(s->mem));
605     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
606 
607     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
608     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
609 }
610 
611 static void nic_reset(void *opaque)
612 {
613     EEPRO100State *s = opaque;
614     TRACE(OTHER, logout("%p\n", s));
615     /* TODO: Clearing of hash register for selective reset, too? */
616     memset(&s->mult[0], 0, sizeof(s->mult));
617     nic_selective_reset(s);
618 }
619 
620 #if defined(DEBUG_EEPRO100)
621 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
622     "Command/Status",
623     "General Pointer",
624     "Port",
625     "EEPROM/Flash Control",
626     "MDI Control",
627     "Receive DMA Byte Count",
628     "Flow Control",
629     "General Status/Control"
630 };
631 
632 static char *regname(uint32_t addr)
633 {
634     static char buf[32];
635     if (addr < PCI_IO_SIZE) {
636         const char *r = e100_reg[addr / 4];
637         if (r != 0) {
638             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
639         } else {
640             snprintf(buf, sizeof(buf), "0x%02x", addr);
641         }
642     } else {
643         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
644     }
645     return buf;
646 }
647 #endif                          /* DEBUG_EEPRO100 */
648 
649 /*****************************************************************************
650  *
651  * Command emulation.
652  *
653  ****************************************************************************/
654 
655 #if 0
656 static uint16_t eepro100_read_command(EEPRO100State * s)
657 {
658     uint16_t val = 0xffff;
659     TRACE(OTHER, logout("val=0x%04x\n", val));
660     return val;
661 }
662 #endif
663 
664 /* Commands that can be put in a command list entry. */
665 enum commands {
666     CmdNOp = 0,
667     CmdIASetup = 1,
668     CmdConfigure = 2,
669     CmdMulticastList = 3,
670     CmdTx = 4,
671     CmdTDR = 5,                 /* load microcode */
672     CmdDump = 6,
673     CmdDiagnose = 7,
674 
675     /* And some extra flags: */
676     CmdSuspend = 0x4000,        /* Suspend after completion. */
677     CmdIntr = 0x2000,           /* Interrupt after completion. */
678     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
679 };
680 
681 static cu_state_t get_cu_state(EEPRO100State * s)
682 {
683     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
684 }
685 
686 static void set_cu_state(EEPRO100State * s, cu_state_t state)
687 {
688     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
689 }
690 
691 static ru_state_t get_ru_state(EEPRO100State * s)
692 {
693     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
694 }
695 
696 static void set_ru_state(EEPRO100State * s, ru_state_t state)
697 {
698     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
699 }
700 
701 static void dump_statistics(EEPRO100State * s)
702 {
703     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
704 
705     /* Dump statistical data. Most data is never changed by the emulation
706      * and always 0, so we first just copy the whole block and then those
707      * values which really matter.
708      * Number of data should check configuration!!!
709      */
710     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
711     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
712                    s->statistics.tx_good_frames, attrs);
713     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
714                    s->statistics.rx_good_frames, attrs);
715     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
716                    s->statistics.rx_resource_errors, attrs);
717     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
718                    s->statistics.rx_short_frame_errors, attrs);
719 #if 0
720     stw_le_pci_dma(&s->dev, s->statsaddr + 76,
721                    s->statistics.xmt_tco_frames, attrs);
722     stw_le_pci_dma(&s->dev, s->statsaddr + 78,
723                    s->statistics.rcv_tco_frames, attrs);
724     missing("CU dump statistical counters");
725 #endif
726 }
727 
728 static void read_cb(EEPRO100State *s)
729 {
730     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
731     s->tx.status = le16_to_cpu(s->tx.status);
732     s->tx.command = le16_to_cpu(s->tx.command);
733     s->tx.link = le32_to_cpu(s->tx.link);
734     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
735     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
736 }
737 
738 static void tx_command(EEPRO100State *s)
739 {
740     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
741     uint32_t tbd_array = s->tx.tbd_array_addr;
742     uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
743     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
744     uint8_t buf[2600];
745     uint16_t size = 0;
746     uint32_t tbd_address = s->cb_address + 0x10;
747     TRACE(RXTX, logout
748         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
749          tbd_array, tcb_bytes, s->tx.tbd_count));
750 
751     if (tcb_bytes > 2600) {
752         logout("TCB byte count too large, using 2600\n");
753         tcb_bytes = 2600;
754     }
755     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
756         logout
757             ("illegal values of TBD array address and TCB byte count!\n");
758     }
759     assert(tcb_bytes <= sizeof(buf));
760     while (size < tcb_bytes) {
761         TRACE(RXTX, logout
762             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
763              tbd_address, tcb_bytes));
764         pci_dma_read(&s->dev, tbd_address, &buf[size], tcb_bytes);
765         size += tcb_bytes;
766     }
767     if (tbd_array == 0xffffffff) {
768         /* Simplified mode. Was already handled by code above. */
769     } else {
770         /* Flexible mode. */
771         uint8_t tbd_count = 0;
772         uint32_t tx_buffer_address;
773         uint16_t tx_buffer_size;
774         uint16_t tx_buffer_el;
775 
776         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
777             /* Extended Flexible TCB. */
778             for (; tbd_count < 2; tbd_count++) {
779                 ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
780                 lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
781                 lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
782                 tbd_address += 8;
783                 TRACE(RXTX, logout
784                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
785                      tx_buffer_address, tx_buffer_size));
786                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
787                 pci_dma_read(&s->dev, tx_buffer_address,
788                              &buf[size], tx_buffer_size);
789                 size += tx_buffer_size;
790                 if (tx_buffer_el & 1) {
791                     break;
792                 }
793             }
794         }
795         tbd_address = tbd_array;
796         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
797             ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
798             lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
799             lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
800             tbd_address += 8;
801             TRACE(RXTX, logout
802                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
803                  tx_buffer_address, tx_buffer_size));
804             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
805             pci_dma_read(&s->dev, tx_buffer_address,
806                          &buf[size], tx_buffer_size);
807             size += tx_buffer_size;
808             if (tx_buffer_el & 1) {
809                 break;
810             }
811         }
812     }
813     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
814     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
815     s->statistics.tx_good_frames++;
816     /* Transmit with bad status would raise an CX/TNO interrupt.
817      * (82557 only). Emulation never has bad status. */
818 #if 0
819     eepro100_cx_interrupt(s);
820 #endif
821 }
822 
823 static void set_multicast_list(EEPRO100State *s)
824 {
825     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
826     uint16_t i;
827     memset(&s->mult[0], 0, sizeof(s->mult));
828     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
829     for (i = 0; i < multicast_count; i += 6) {
830         uint8_t multicast_addr[6];
831         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
832         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
833         unsigned mcast_idx = (net_crc32(multicast_addr, ETH_ALEN) &
834                               BITS(7, 2)) >> 2;
835         assert(mcast_idx < 64);
836         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
837     }
838 }
839 
840 static void action_command(EEPRO100State *s)
841 {
842     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
843     /* The loop below won't stop if it gets special handcrafted data.
844        Therefore we limit the number of iterations. */
845     unsigned max_loop_count = 16;
846 
847     for (;;) {
848         bool bit_el;
849         bool bit_s;
850         bool bit_i;
851         bool bit_nc;
852         uint16_t ok_status = STATUS_OK;
853         s->cb_address = s->cu_base + s->cu_offset;
854         read_cb(s);
855         bit_el = ((s->tx.command & COMMAND_EL) != 0);
856         bit_s = ((s->tx.command & COMMAND_S) != 0);
857         bit_i = ((s->tx.command & COMMAND_I) != 0);
858         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
859 #if 0
860         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
861 #endif
862 
863         if (max_loop_count-- == 0) {
864             /* Prevent an endless loop. */
865             logout("loop in %s:%u\n", __FILE__, __LINE__);
866             break;
867         }
868 
869         s->cu_offset = s->tx.link;
870         TRACE(OTHER,
871               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
872                      s->tx.status, s->tx.command, s->tx.link));
873         switch (s->tx.command & COMMAND_CMD) {
874         case CmdNOp:
875             /* Do nothing. */
876             break;
877         case CmdIASetup:
878             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
879             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
880             break;
881         case CmdConfigure:
882             pci_dma_read(&s->dev, s->cb_address + 8,
883                          &s->configuration[0], sizeof(s->configuration));
884             TRACE(OTHER, logout("configuration: %s\n",
885                                 nic_dump(&s->configuration[0], 16)));
886             TRACE(OTHER, logout("configuration: %s\n",
887                                 nic_dump(&s->configuration[16],
888                                 ARRAY_SIZE(s->configuration) - 16)));
889             if (s->configuration[20] & BIT(6)) {
890                 TRACE(OTHER, logout("Multiple IA bit\n"));
891             }
892             break;
893         case CmdMulticastList:
894             set_multicast_list(s);
895             break;
896         case CmdTx:
897             if (bit_nc) {
898                 missing("CmdTx: NC = 0");
899                 ok_status = 0;
900                 break;
901             }
902             tx_command(s);
903             break;
904         case CmdTDR:
905             TRACE(OTHER, logout("load microcode\n"));
906             /* Starting with offset 8, the command contains
907              * 64 dwords microcode which we just ignore here. */
908             break;
909         case CmdDiagnose:
910             TRACE(OTHER, logout("diagnose\n"));
911             /* Make sure error flag is not set. */
912             s->tx.status = 0;
913             break;
914         default:
915             missing("undefined command");
916             ok_status = 0;
917             break;
918         }
919         /* Write new status. */
920         stw_le_pci_dma(&s->dev, s->cb_address,
921                        s->tx.status | ok_status | STATUS_C, attrs);
922         if (bit_i) {
923             /* CU completed action. */
924             eepro100_cx_interrupt(s);
925         }
926         if (bit_el) {
927             /* CU becomes idle. Terminate command loop. */
928             set_cu_state(s, cu_idle);
929             eepro100_cna_interrupt(s);
930             break;
931         } else if (bit_s) {
932             /* CU becomes suspended. Terminate command loop. */
933             set_cu_state(s, cu_suspended);
934             eepro100_cna_interrupt(s);
935             break;
936         } else {
937             /* More entries in list. */
938             TRACE(OTHER, logout("CU list with at least one more entry\n"));
939         }
940     }
941     TRACE(OTHER, logout("CU list empty\n"));
942     /* List is empty. Now CU is idle or suspended. */
943 }
944 
945 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
946 {
947     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
948     cu_state_t cu_state;
949     switch (val) {
950     case CU_NOP:
951         /* No operation. */
952         break;
953     case CU_START:
954         cu_state = get_cu_state(s);
955         if (cu_state != cu_idle && cu_state != cu_suspended) {
956             /* Intel documentation says that CU must be idle or suspended
957              * for the CU start command. */
958             logout("unexpected CU state is %u\n", cu_state);
959         }
960         set_cu_state(s, cu_active);
961         s->cu_offset = e100_read_reg4(s, SCBPointer);
962         action_command(s);
963         break;
964     case CU_RESUME:
965         if (get_cu_state(s) != cu_suspended) {
966             logout("bad CU resume from CU state %u\n", get_cu_state(s));
967             /* Workaround for bad Linux eepro100 driver which resumes
968              * from idle state. */
969 #if 0
970             missing("cu resume");
971 #endif
972             set_cu_state(s, cu_suspended);
973         }
974         if (get_cu_state(s) == cu_suspended) {
975             TRACE(OTHER, logout("CU resuming\n"));
976             set_cu_state(s, cu_active);
977             action_command(s);
978         }
979         break;
980     case CU_STATSADDR:
981         /* Load dump counters address. */
982         s->statsaddr = e100_read_reg4(s, SCBPointer);
983         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
984         if (s->statsaddr & 3) {
985             /* Memory must be Dword aligned. */
986             logout("unaligned dump counters address\n");
987             /* Handling of misaligned addresses is undefined.
988              * Here we align the address by ignoring the lower bits. */
989             /* TODO: Test unaligned dump counter address on real hardware. */
990             s->statsaddr &= ~3;
991         }
992         break;
993     case CU_SHOWSTATS:
994         /* Dump statistical counters. */
995         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
996         dump_statistics(s);
997         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs);
998         break;
999     case CU_CMD_BASE:
1000         /* Load CU base. */
1001         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
1002         s->cu_base = e100_read_reg4(s, SCBPointer);
1003         break;
1004     case CU_DUMPSTATS:
1005         /* Dump and reset statistical counters. */
1006         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
1007         dump_statistics(s);
1008         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs);
1009         memset(&s->statistics, 0, sizeof(s->statistics));
1010         break;
1011     case CU_SRESUME:
1012         /* CU static resume. */
1013         missing("CU static resume");
1014         break;
1015     default:
1016         missing("Undefined CU command");
1017     }
1018 }
1019 
1020 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1021 {
1022     switch (val) {
1023     case RU_NOP:
1024         /* No operation. */
1025         break;
1026     case RX_START:
1027         /* RU start. */
1028         if (get_ru_state(s) != ru_idle) {
1029             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1030 #if 0
1031             assert(!"wrong RU state");
1032 #endif
1033         }
1034         set_ru_state(s, ru_ready);
1035         s->ru_offset = e100_read_reg4(s, SCBPointer);
1036         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1037         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1038         break;
1039     case RX_RESUME:
1040         /* Restart RU. */
1041         if (get_ru_state(s) != ru_suspended) {
1042             logout("RU state is %u, should be %u\n", get_ru_state(s),
1043                    ru_suspended);
1044 #if 0
1045             assert(!"wrong RU state");
1046 #endif
1047         }
1048         set_ru_state(s, ru_ready);
1049         break;
1050     case RU_ABORT:
1051         /* RU abort. */
1052         if (get_ru_state(s) == ru_ready) {
1053             eepro100_rnr_interrupt(s);
1054         }
1055         set_ru_state(s, ru_idle);
1056         break;
1057     case RX_ADDR_LOAD:
1058         /* Load RU base. */
1059         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1060         s->ru_base = e100_read_reg4(s, SCBPointer);
1061         break;
1062     default:
1063         logout("val=0x%02x (undefined RU command)\n", val);
1064         missing("Undefined SU command");
1065     }
1066 }
1067 
1068 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1069 {
1070     eepro100_ru_command(s, val & 0x0f);
1071     eepro100_cu_command(s, val & 0xf0);
1072     if ((val) == 0) {
1073         TRACE(OTHER, logout("val=0x%02x\n", val));
1074     }
1075     /* Clear command byte after command was accepted. */
1076     s->mem[SCBCmd] = 0;
1077 }
1078 
1079 /*****************************************************************************
1080  *
1081  * EEPROM emulation.
1082  *
1083  ****************************************************************************/
1084 
1085 #define EEPROM_CS       0x02
1086 #define EEPROM_SK       0x01
1087 #define EEPROM_DI       0x04
1088 #define EEPROM_DO       0x08
1089 
1090 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1091 {
1092     uint16_t val = e100_read_reg2(s, SCBeeprom);
1093     if (eeprom93xx_read(s->eeprom)) {
1094         val |= EEPROM_DO;
1095     } else {
1096         val &= ~EEPROM_DO;
1097     }
1098     TRACE(EEPROM, logout("val=0x%04x\n", val));
1099     return val;
1100 }
1101 
1102 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1103 {
1104     TRACE(EEPROM, logout("val=0x%02x\n", val));
1105 
1106     /* mask unwritable bits */
1107 #if 0
1108     val = SET_MASKED(val, 0x31, eeprom->value);
1109 #endif
1110 
1111     int eecs = ((val & EEPROM_CS) != 0);
1112     int eesk = ((val & EEPROM_SK) != 0);
1113     int eedi = ((val & EEPROM_DI) != 0);
1114     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1115 }
1116 
1117 /*****************************************************************************
1118  *
1119  * MDI emulation.
1120  *
1121  ****************************************************************************/
1122 
1123 #if defined(DEBUG_EEPRO100)
1124 static const char * const mdi_op_name[] = {
1125     "opcode 0",
1126     "write",
1127     "read",
1128     "opcode 3"
1129 };
1130 
1131 static const char * const mdi_reg_name[] = {
1132     "Control",
1133     "Status",
1134     "PHY Identification (Word 1)",
1135     "PHY Identification (Word 2)",
1136     "Auto-Negotiation Advertisement",
1137     "Auto-Negotiation Link Partner Ability",
1138     "Auto-Negotiation Expansion"
1139 };
1140 
1141 static const char *reg2name(uint8_t reg)
1142 {
1143     static char buffer[10];
1144     const char *p = buffer;
1145     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1146         p = mdi_reg_name[reg];
1147     } else {
1148         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1149     }
1150     return p;
1151 }
1152 #endif                          /* DEBUG_EEPRO100 */
1153 
1154 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1155 {
1156     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1157 
1158 #ifdef DEBUG_EEPRO100
1159     uint8_t raiseint = (val & BIT(29)) >> 29;
1160     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1161     uint8_t phy = (val & BITS(25, 21)) >> 21;
1162     uint8_t reg = (val & BITS(20, 16)) >> 16;
1163     uint16_t data = (val & BITS(15, 0));
1164 #endif
1165     /* Emulation takes no time to finish MDI transaction. */
1166     val |= BIT(28);
1167     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1168                       val, raiseint, mdi_op_name[opcode], phy,
1169                       reg2name(reg), data));
1170     return val;
1171 }
1172 
1173 static void eepro100_write_mdi(EEPRO100State *s)
1174 {
1175     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1176     uint8_t raiseint = (val & BIT(29)) >> 29;
1177     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1178     uint8_t phy = (val & BITS(25, 21)) >> 21;
1179     uint8_t reg = (val & BITS(20, 16)) >> 16;
1180     uint16_t data = (val & BITS(15, 0));
1181     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1182           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1183     if (phy != 1) {
1184         /* Unsupported PHY address. */
1185 #if 0
1186         logout("phy must be 1 but is %u\n", phy);
1187 #endif
1188         data = 0;
1189     } else if (opcode != 1 && opcode != 2) {
1190         /* Unsupported opcode. */
1191         logout("opcode must be 1 or 2 but is %u\n", opcode);
1192         data = 0;
1193     } else if (reg > 6) {
1194         /* Unsupported register. */
1195         logout("register must be 0...6 but is %u\n", reg);
1196         data = 0;
1197     } else {
1198         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1199                           val, raiseint, mdi_op_name[opcode], phy,
1200                           reg2name(reg), data));
1201         if (opcode == 1) {
1202             /* MDI write */
1203             switch (reg) {
1204             case 0:            /* Control Register */
1205                 if (data & 0x8000) {
1206                     /* Reset status and control registers to default. */
1207                     s->mdimem[0] = eepro100_mdi_default[0];
1208                     s->mdimem[1] = eepro100_mdi_default[1];
1209                     data = s->mdimem[reg];
1210                 } else {
1211                     /* Restart Auto Configuration = Normal Operation */
1212                     data &= ~0x0200;
1213                 }
1214                 break;
1215             case 1:            /* Status Register */
1216                 missing("not writable");
1217                 break;
1218             case 2:            /* PHY Identification Register (Word 1) */
1219             case 3:            /* PHY Identification Register (Word 2) */
1220                 missing("not implemented");
1221                 break;
1222             case 4:            /* Auto-Negotiation Advertisement Register */
1223             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1224                 break;
1225             case 6:            /* Auto-Negotiation Expansion Register */
1226             default:
1227                 missing("not implemented");
1228             }
1229             s->mdimem[reg] &= eepro100_mdi_mask[reg];
1230             s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
1231         } else if (opcode == 2) {
1232             /* MDI read */
1233             switch (reg) {
1234             case 0:            /* Control Register */
1235                 if (data & 0x8000) {
1236                     /* Reset status and control registers to default. */
1237                     s->mdimem[0] = eepro100_mdi_default[0];
1238                     s->mdimem[1] = eepro100_mdi_default[1];
1239                 }
1240                 break;
1241             case 1:            /* Status Register */
1242                 s->mdimem[reg] |= 0x0020;
1243                 break;
1244             case 2:            /* PHY Identification Register (Word 1) */
1245             case 3:            /* PHY Identification Register (Word 2) */
1246             case 4:            /* Auto-Negotiation Advertisement Register */
1247                 break;
1248             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1249                 s->mdimem[reg] = 0x41fe;
1250                 break;
1251             case 6:            /* Auto-Negotiation Expansion Register */
1252                 s->mdimem[reg] = 0x0001;
1253                 break;
1254             }
1255             data = s->mdimem[reg];
1256         }
1257         /* Emulation takes no time to finish MDI transaction.
1258          * Set MDI bit in SCB status register. */
1259         s->mem[SCBAck] |= 0x08;
1260         val |= BIT(28);
1261         if (raiseint) {
1262             eepro100_mdi_interrupt(s);
1263         }
1264     }
1265     val = (val & 0xffff0000) + data;
1266     e100_write_reg4(s, SCBCtrlMDI, val);
1267 }
1268 
1269 /*****************************************************************************
1270  *
1271  * Port emulation.
1272  *
1273  ****************************************************************************/
1274 
1275 #define PORT_SOFTWARE_RESET     0
1276 #define PORT_SELFTEST           1
1277 #define PORT_SELECTIVE_RESET    2
1278 #define PORT_DUMP               3
1279 #define PORT_SELECTION_MASK     3
1280 
1281 typedef struct {
1282     uint32_t st_sign;           /* Self Test Signature */
1283     uint32_t st_result;         /* Self Test Results */
1284 } eepro100_selftest_t;
1285 
1286 static uint32_t eepro100_read_port(EEPRO100State * s)
1287 {
1288     return 0;
1289 }
1290 
1291 static void eepro100_write_port(EEPRO100State *s)
1292 {
1293     uint32_t val = e100_read_reg4(s, SCBPort);
1294     uint32_t address = (val & ~PORT_SELECTION_MASK);
1295     uint8_t selection = (val & PORT_SELECTION_MASK);
1296     switch (selection) {
1297     case PORT_SOFTWARE_RESET:
1298         nic_reset(s);
1299         break;
1300     case PORT_SELFTEST:
1301         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1302         eepro100_selftest_t data;
1303         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1304         data.st_sign = 0xffffffff;
1305         data.st_result = 0;
1306         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1307         break;
1308     case PORT_SELECTIVE_RESET:
1309         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1310         nic_selective_reset(s);
1311         break;
1312     default:
1313         logout("val=0x%08x\n", val);
1314         missing("unknown port selection");
1315     }
1316 }
1317 
1318 /*****************************************************************************
1319  *
1320  * General hardware emulation.
1321  *
1322  ****************************************************************************/
1323 
1324 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1325 {
1326     uint8_t val = 0;
1327     if (addr <= sizeof(s->mem) - sizeof(val)) {
1328         val = s->mem[addr];
1329     }
1330 
1331     switch (addr) {
1332     case SCBStatus:
1333     case SCBAck:
1334         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1335         break;
1336     case SCBCmd:
1337         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1338 #if 0
1339         val = eepro100_read_command(s);
1340 #endif
1341         break;
1342     case SCBIntmask:
1343         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1344         break;
1345     case SCBPort + 3:
1346         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1347         break;
1348     case SCBeeprom:
1349         val = eepro100_read_eeprom(s);
1350         break;
1351     case SCBCtrlMDI:
1352     case SCBCtrlMDI + 1:
1353     case SCBCtrlMDI + 2:
1354     case SCBCtrlMDI + 3:
1355         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1356         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1357         break;
1358     case SCBpmdr:       /* Power Management Driver Register */
1359         val = 0;
1360         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1361         break;
1362     case SCBgctrl:      /* General Control Register */
1363         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1364         break;
1365     case SCBgstat:      /* General Status Register */
1366         /* 100 Mbps full duplex, valid link */
1367         val = 0x07;
1368         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1369         break;
1370     default:
1371         logout("addr=%s val=0x%02x\n", regname(addr), val);
1372         missing("unknown byte read");
1373     }
1374     return val;
1375 }
1376 
1377 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1378 {
1379     uint16_t val = 0;
1380     if (addr <= sizeof(s->mem) - sizeof(val)) {
1381         val = e100_read_reg2(s, addr);
1382     }
1383 
1384     switch (addr) {
1385     case SCBStatus:
1386     case SCBCmd:
1387         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1388         break;
1389     case SCBeeprom:
1390         val = eepro100_read_eeprom(s);
1391         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1392         break;
1393     case SCBCtrlMDI:
1394     case SCBCtrlMDI + 2:
1395         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1396         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1397         break;
1398     default:
1399         logout("addr=%s val=0x%04x\n", regname(addr), val);
1400         missing("unknown word read");
1401     }
1402     return val;
1403 }
1404 
1405 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1406 {
1407     uint32_t val = 0;
1408     if (addr <= sizeof(s->mem) - sizeof(val)) {
1409         val = e100_read_reg4(s, addr);
1410     }
1411 
1412     switch (addr) {
1413     case SCBStatus:
1414         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1415         break;
1416     case SCBPointer:
1417         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1418         break;
1419     case SCBPort:
1420         val = eepro100_read_port(s);
1421         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1422         break;
1423     case SCBflash:
1424         val = eepro100_read_eeprom(s);
1425         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1426         break;
1427     case SCBCtrlMDI:
1428         val = eepro100_read_mdi(s);
1429         break;
1430     default:
1431         logout("addr=%s val=0x%08x\n", regname(addr), val);
1432         missing("unknown longword read");
1433     }
1434     return val;
1435 }
1436 
1437 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1438 {
1439     /* SCBStatus is readonly. */
1440     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1441         s->mem[addr] = val;
1442     }
1443 
1444     switch (addr) {
1445     case SCBStatus:
1446         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1447         break;
1448     case SCBAck:
1449         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1450         eepro100_acknowledge(s);
1451         break;
1452     case SCBCmd:
1453         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1454         eepro100_write_command(s, val);
1455         break;
1456     case SCBIntmask:
1457         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1458         if (val & BIT(1)) {
1459             eepro100_swi_interrupt(s);
1460         }
1461         eepro100_interrupt(s, 0);
1462         break;
1463     case SCBPointer:
1464     case SCBPointer + 1:
1465     case SCBPointer + 2:
1466     case SCBPointer + 3:
1467         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1468         break;
1469     case SCBPort:
1470     case SCBPort + 1:
1471     case SCBPort + 2:
1472         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1473         break;
1474     case SCBPort + 3:
1475         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1476         eepro100_write_port(s);
1477         break;
1478     case SCBFlow:       /* does not exist on 82557 */
1479     case SCBFlow + 1:
1480     case SCBFlow + 2:
1481     case SCBpmdr:       /* does not exist on 82557 */
1482         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1483         break;
1484     case SCBeeprom:
1485         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1486         eepro100_write_eeprom(s->eeprom, val);
1487         break;
1488     case SCBCtrlMDI:
1489     case SCBCtrlMDI + 1:
1490     case SCBCtrlMDI + 2:
1491         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1492         break;
1493     case SCBCtrlMDI + 3:
1494         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1495         eepro100_write_mdi(s);
1496         break;
1497     default:
1498         logout("addr=%s val=0x%02x\n", regname(addr), val);
1499         missing("unknown byte write");
1500     }
1501 }
1502 
1503 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1504 {
1505     /* SCBStatus is readonly. */
1506     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1507         e100_write_reg2(s, addr, val);
1508     }
1509 
1510     switch (addr) {
1511     case SCBStatus:
1512         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1513         s->mem[SCBAck] = (val >> 8);
1514         eepro100_acknowledge(s);
1515         break;
1516     case SCBCmd:
1517         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1518         eepro100_write_command(s, val);
1519         eepro100_write1(s, SCBIntmask, val >> 8);
1520         break;
1521     case SCBPointer:
1522     case SCBPointer + 2:
1523         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1524         break;
1525     case SCBPort:
1526         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1527         break;
1528     case SCBPort + 2:
1529         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1530         eepro100_write_port(s);
1531         break;
1532     case SCBeeprom:
1533         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1534         eepro100_write_eeprom(s->eeprom, val);
1535         break;
1536     case SCBCtrlMDI:
1537         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1538         break;
1539     case SCBCtrlMDI + 2:
1540         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1541         eepro100_write_mdi(s);
1542         break;
1543     default:
1544         logout("addr=%s val=0x%04x\n", regname(addr), val);
1545         missing("unknown word write");
1546     }
1547 }
1548 
1549 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1550 {
1551     if (addr <= sizeof(s->mem) - sizeof(val)) {
1552         e100_write_reg4(s, addr, val);
1553     }
1554 
1555     switch (addr) {
1556     case SCBPointer:
1557         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1558         break;
1559     case SCBPort:
1560         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1561         eepro100_write_port(s);
1562         break;
1563     case SCBflash:
1564         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1565         val = val >> 16;
1566         eepro100_write_eeprom(s->eeprom, val);
1567         break;
1568     case SCBCtrlMDI:
1569         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1570         eepro100_write_mdi(s);
1571         break;
1572     default:
1573         logout("addr=%s val=0x%08x\n", regname(addr), val);
1574         missing("unknown longword write");
1575     }
1576 }
1577 
1578 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1579                               unsigned size)
1580 {
1581     EEPRO100State *s = opaque;
1582 
1583     switch (size) {
1584     case 1: return eepro100_read1(s, addr);
1585     case 2: return eepro100_read2(s, addr);
1586     case 4: return eepro100_read4(s, addr);
1587     default: abort();
1588     }
1589 }
1590 
1591 static void eepro100_write(void *opaque, hwaddr addr,
1592                            uint64_t data, unsigned size)
1593 {
1594     EEPRO100State *s = opaque;
1595 
1596     switch (size) {
1597     case 1:
1598         eepro100_write1(s, addr, data);
1599         break;
1600     case 2:
1601         eepro100_write2(s, addr, data);
1602         break;
1603     case 4:
1604         eepro100_write4(s, addr, data);
1605         break;
1606     default:
1607         abort();
1608     }
1609 }
1610 
1611 static const MemoryRegionOps eepro100_ops = {
1612     .read = eepro100_read,
1613     .write = eepro100_write,
1614     .endianness = DEVICE_LITTLE_ENDIAN,
1615 };
1616 
1617 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1618 {
1619     /* TODO:
1620      * - Magic packets should set bit 30 in power management driver register.
1621      * - Interesting packets should set bit 29 in power management driver register.
1622      */
1623     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
1624     EEPRO100State *s = qemu_get_nic_opaque(nc);
1625     uint16_t rfd_status = 0xa000;
1626 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1627     uint8_t min_buf[60];
1628 #endif
1629     static const uint8_t broadcast_macaddr[6] =
1630         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1631 
1632 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1633     /* Pad to minimum Ethernet frame length */
1634     if (size < sizeof(min_buf)) {
1635         memcpy(min_buf, buf, size);
1636         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1637         buf = min_buf;
1638         size = sizeof(min_buf);
1639     }
1640 #endif
1641 
1642     if (s->configuration[8] & 0x80) {
1643         /* CSMA is disabled. */
1644         logout("%p received while CSMA is disabled\n", s);
1645         return -1;
1646 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1647     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1648         /* Short frame and configuration byte 7/0 (discard short receive) set:
1649          * Short frame is discarded */
1650         logout("%p received short frame (%zu byte)\n", s, size);
1651         s->statistics.rx_short_frame_errors++;
1652         return -1;
1653 #endif
1654     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1655         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1656          * Long frames are discarded. */
1657         logout("%p received long frame (%zu byte), ignored\n", s, size);
1658         return -1;
1659     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1660         /* Frame matches individual address. */
1661         /* TODO: check configuration byte 15/4 (ignore U/L). */
1662         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1663     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1664         /* Broadcast frame. */
1665         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1666         rfd_status |= 0x0002;
1667     } else if (buf[0] & 0x01) {
1668         /* Multicast frame. */
1669         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1670         if (s->configuration[21] & BIT(3)) {
1671           /* Multicast all bit is set, receive all multicast frames. */
1672         } else {
1673           unsigned mcast_idx = (net_crc32(buf, ETH_ALEN) & BITS(7, 2)) >> 2;
1674           assert(mcast_idx < 64);
1675           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1676             /* Multicast frame is allowed in hash table. */
1677           } else if (s->configuration[15] & BIT(0)) {
1678               /* Promiscuous: receive all. */
1679               rfd_status |= 0x0004;
1680           } else {
1681               TRACE(RXTX, logout("%p multicast ignored\n", s));
1682               return -1;
1683           }
1684         }
1685         /* TODO: Next not for promiscuous mode? */
1686         rfd_status |= 0x0002;
1687     } else if (s->configuration[15] & BIT(0)) {
1688         /* Promiscuous: receive all. */
1689         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1690         rfd_status |= 0x0004;
1691     } else if (s->configuration[20] & BIT(6)) {
1692         /* Multiple IA bit set. */
1693         unsigned mcast_idx = net_crc32(buf, ETH_ALEN) >> 26;
1694         assert(mcast_idx < 64);
1695         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1696             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1697         } else {
1698             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1699             return -1;
1700         }
1701     } else {
1702         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1703               nic_dump(buf, size)));
1704         return size;
1705     }
1706 
1707     if (get_ru_state(s) != ru_ready) {
1708         /* No resources available. */
1709         logout("no resources, state=%u\n", get_ru_state(s));
1710         /* TODO: RNR interrupt only at first failed frame? */
1711         eepro100_rnr_interrupt(s);
1712         s->statistics.rx_resource_errors++;
1713 #if 0
1714         assert(!"no resources");
1715 #endif
1716         return -1;
1717     }
1718     /* !!! */
1719     eepro100_rx_t rx;
1720     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1721                  &rx, sizeof(eepro100_rx_t));
1722     uint16_t rfd_command = le16_to_cpu(rx.command);
1723     uint16_t rfd_size = le16_to_cpu(rx.size);
1724 
1725     if (size > rfd_size) {
1726         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1727             "(%zu bytes); data truncated\n", rfd_size, size);
1728         size = rfd_size;
1729     }
1730 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1731     if (size < 64) {
1732         rfd_status |= 0x0080;
1733     }
1734 #endif
1735     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1736           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1737     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1738                 offsetof(eepro100_rx_t, status), rfd_status, attrs);
1739     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1740                 offsetof(eepro100_rx_t, count), size, attrs);
1741     /* Early receive interrupt not supported. */
1742 #if 0
1743     eepro100_er_interrupt(s);
1744 #endif
1745     /* Receive CRC Transfer not supported. */
1746     if (s->configuration[18] & BIT(2)) {
1747         missing("Receive CRC Transfer");
1748         return -1;
1749     }
1750     /* TODO: check stripping enable bit. */
1751 #if 0
1752     assert(!(s->configuration[17] & BIT(0)));
1753 #endif
1754     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1755                   sizeof(eepro100_rx_t), buf, size);
1756     s->statistics.rx_good_frames++;
1757     eepro100_fr_interrupt(s);
1758     s->ru_offset = le32_to_cpu(rx.link);
1759     if (rfd_command & COMMAND_EL) {
1760         /* EL bit is set, so this was the last frame. */
1761         logout("receive: Running out of frames\n");
1762         set_ru_state(s, ru_no_resources);
1763         eepro100_rnr_interrupt(s);
1764     }
1765     if (rfd_command & COMMAND_S) {
1766         /* S bit is set. */
1767         set_ru_state(s, ru_suspended);
1768     }
1769     return size;
1770 }
1771 
1772 static const VMStateDescription vmstate_eepro100 = {
1773     .version_id = 3,
1774     .minimum_version_id = 2,
1775     .fields = (VMStateField[]) {
1776         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1777         VMSTATE_UNUSED(32),
1778         VMSTATE_BUFFER(mult, EEPRO100State),
1779         VMSTATE_BUFFER(mem, EEPRO100State),
1780         /* Save all members of struct between scb_stat and mem. */
1781         VMSTATE_UINT8(scb_stat, EEPRO100State),
1782         VMSTATE_UINT8(int_stat, EEPRO100State),
1783         VMSTATE_UNUSED(3*4),
1784         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1785         VMSTATE_UNUSED(19*4),
1786         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1787         /* The eeprom should be saved and restored by its own routines. */
1788         VMSTATE_UINT32(device, EEPRO100State),
1789         /* TODO check device. */
1790         VMSTATE_UINT32(cu_base, EEPRO100State),
1791         VMSTATE_UINT32(cu_offset, EEPRO100State),
1792         VMSTATE_UINT32(ru_base, EEPRO100State),
1793         VMSTATE_UINT32(ru_offset, EEPRO100State),
1794         VMSTATE_UINT32(statsaddr, EEPRO100State),
1795         /* Save eepro100_stats_t statistics. */
1796         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1797         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1798         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1799         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1800         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1801         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1802         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1803         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1804         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1805         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1806         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1807         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1808         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1809         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1810         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1811         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1812         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1813         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1814         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1815         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1816         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1817         /* Configuration bytes. */
1818         VMSTATE_BUFFER(configuration, EEPRO100State),
1819         VMSTATE_END_OF_LIST()
1820     }
1821 };
1822 
1823 static void pci_nic_uninit(PCIDevice *pci_dev)
1824 {
1825     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1826 
1827     vmstate_unregister(VMSTATE_IF(&pci_dev->qdev), s->vmstate, s);
1828     g_free(s->vmstate);
1829     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1830     qemu_del_nic(s->nic);
1831 }
1832 
1833 static NetClientInfo net_eepro100_info = {
1834     .type = NET_CLIENT_DRIVER_NIC,
1835     .size = sizeof(NICState),
1836     .receive = nic_receive,
1837 };
1838 
1839 static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
1840 {
1841     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1842     E100PCIDeviceInfo *info = eepro100_get_class(s);
1843     Error *local_err = NULL;
1844 
1845     TRACE(OTHER, logout("\n"));
1846 
1847     s->device = info->device;
1848 
1849     e100_pci_reset(s, &local_err);
1850     if (local_err) {
1851         error_propagate(errp, local_err);
1852         return;
1853     }
1854 
1855     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1856      * i82559 and later support 64 or 256 word EEPROM. */
1857     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1858 
1859     /* Handler for memory-mapped I/O */
1860     memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
1861                           "eepro100-mmio", PCI_MEM_SIZE);
1862     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1863     memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
1864                           "eepro100-io", PCI_IO_SIZE);
1865     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1866     /* FIXME: flash aliases to mmio?! */
1867     memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
1868                           "eepro100-flash", PCI_FLASH_SIZE);
1869     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1870 
1871     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1872     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1873 
1874     nic_reset(s);
1875 
1876     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1877                           object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
1878 
1879     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1880     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1881 
1882     qemu_register_reset(nic_reset, s);
1883 
1884     s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
1885     s->vmstate->name = qemu_get_queue(s->nic)->model;
1886     vmstate_register(VMSTATE_IF(&pci_dev->qdev), VMSTATE_INSTANCE_ID_ANY,
1887                      s->vmstate, s);
1888 }
1889 
1890 static void eepro100_instance_init(Object *obj)
1891 {
1892     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
1893     device_add_bootindex_property(obj, &s->conf.bootindex,
1894                                   "bootindex", "/ethernet-phy@0",
1895                                   DEVICE(s));
1896 }
1897 
1898 static E100PCIDeviceInfo e100_devices[] = {
1899     {
1900         .name = "i82550",
1901         .desc = "Intel i82550 Ethernet",
1902         .device = i82550,
1903         /* TODO: check device id. */
1904         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1905         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1906         .revision = 0x0e,
1907         /* TODO: check size of statistical counters. */
1908         .stats_size = 80,
1909         /* TODO: check extended tcb support. */
1910         .has_extended_tcb_support = true,
1911         .power_management = true,
1912     },{
1913         .name = "i82551",
1914         .desc = "Intel i82551 Ethernet",
1915         .device = i82551,
1916         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1917         /* Revision ID: 0x0f, 0x10. */
1918         .revision = 0x0f,
1919         /* TODO: check size of statistical counters. */
1920         .stats_size = 80,
1921         .has_extended_tcb_support = true,
1922         .power_management = true,
1923     },{
1924         .name = "i82557a",
1925         .desc = "Intel i82557A Ethernet",
1926         .device = i82557A,
1927         .device_id = PCI_DEVICE_ID_INTEL_82557,
1928         .revision = 0x01,
1929         .power_management = false,
1930     },{
1931         .name = "i82557b",
1932         .desc = "Intel i82557B Ethernet",
1933         .device = i82557B,
1934         .device_id = PCI_DEVICE_ID_INTEL_82557,
1935         .revision = 0x02,
1936         .power_management = false,
1937     },{
1938         .name = "i82557c",
1939         .desc = "Intel i82557C Ethernet",
1940         .device = i82557C,
1941         .device_id = PCI_DEVICE_ID_INTEL_82557,
1942         .revision = 0x03,
1943         .power_management = false,
1944     },{
1945         .name = "i82558a",
1946         .desc = "Intel i82558A Ethernet",
1947         .device = i82558A,
1948         .device_id = PCI_DEVICE_ID_INTEL_82557,
1949         .revision = 0x04,
1950         .stats_size = 76,
1951         .has_extended_tcb_support = true,
1952         .power_management = true,
1953     },{
1954         .name = "i82558b",
1955         .desc = "Intel i82558B Ethernet",
1956         .device = i82558B,
1957         .device_id = PCI_DEVICE_ID_INTEL_82557,
1958         .revision = 0x05,
1959         .stats_size = 76,
1960         .has_extended_tcb_support = true,
1961         .power_management = true,
1962     },{
1963         .name = "i82559a",
1964         .desc = "Intel i82559A Ethernet",
1965         .device = i82559A,
1966         .device_id = PCI_DEVICE_ID_INTEL_82557,
1967         .revision = 0x06,
1968         .stats_size = 80,
1969         .has_extended_tcb_support = true,
1970         .power_management = true,
1971     },{
1972         .name = "i82559b",
1973         .desc = "Intel i82559B Ethernet",
1974         .device = i82559B,
1975         .device_id = PCI_DEVICE_ID_INTEL_82557,
1976         .revision = 0x07,
1977         .stats_size = 80,
1978         .has_extended_tcb_support = true,
1979         .power_management = true,
1980     },{
1981         .name = "i82559c",
1982         .desc = "Intel i82559C Ethernet",
1983         .device = i82559C,
1984         .device_id = PCI_DEVICE_ID_INTEL_82557,
1985 #if 0
1986         .revision = 0x08,
1987 #endif
1988         /* TODO: Windows wants revision id 0x0c. */
1989         .revision = 0x0c,
1990 #if EEPROM_SIZE > 0
1991         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
1992         .subsystem_id = 0x0040,
1993 #endif
1994         .stats_size = 80,
1995         .has_extended_tcb_support = true,
1996         .power_management = true,
1997     },{
1998         .name = "i82559er",
1999         .desc = "Intel i82559ER Ethernet",
2000         .device = i82559ER,
2001         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2002         .revision = 0x09,
2003         .stats_size = 80,
2004         .has_extended_tcb_support = true,
2005         .power_management = true,
2006     },{
2007         .name = "i82562",
2008         .desc = "Intel i82562 Ethernet",
2009         .device = i82562,
2010         /* TODO: check device id. */
2011         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2012         /* TODO: wrong revision id. */
2013         .revision = 0x0e,
2014         .stats_size = 80,
2015         .has_extended_tcb_support = true,
2016         .power_management = true,
2017     },{
2018         /* Toshiba Tecra 8200. */
2019         .name = "i82801",
2020         .desc = "Intel i82801 Ethernet",
2021         .device = i82801,
2022         .device_id = 0x2449,
2023         .revision = 0x03,
2024         .stats_size = 80,
2025         .has_extended_tcb_support = true,
2026         .power_management = true,
2027     }
2028 };
2029 
2030 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2031 {
2032     E100PCIDeviceInfo *info = NULL;
2033     int i;
2034 
2035     /* This is admittedly awkward but also temporary.  QOM allows for
2036      * parameterized typing and for subclassing both of which would suitable
2037      * handle what's going on here.  But class_data is already being used as
2038      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2039      * right now.  Once we merge the final QOM series, we can come back here and
2040      * do this in a much more elegant fashion.
2041      */
2042     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2043         if (strcmp(e100_devices[i].name, typename) == 0) {
2044             info = &e100_devices[i];
2045             break;
2046         }
2047     }
2048     assert(info != NULL);
2049 
2050     return info;
2051 }
2052 
2053 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2054 {
2055     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2056 }
2057 
2058 static Property e100_properties[] = {
2059     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2060     DEFINE_PROP_END_OF_LIST(),
2061 };
2062 
2063 static void eepro100_class_init(ObjectClass *klass, void *data)
2064 {
2065     DeviceClass *dc = DEVICE_CLASS(klass);
2066     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2067     E100PCIDeviceInfo *info;
2068 
2069     info = eepro100_get_class_by_name(object_class_get_name(klass));
2070 
2071     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
2072     device_class_set_props(dc, e100_properties);
2073     dc->desc = info->desc;
2074     k->vendor_id = PCI_VENDOR_ID_INTEL;
2075     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2076     k->romfile = "pxe-eepro100.rom";
2077     k->realize = e100_nic_realize;
2078     k->exit = pci_nic_uninit;
2079     k->device_id = info->device_id;
2080     k->revision = info->revision;
2081     k->subsystem_vendor_id = info->subsystem_vendor_id;
2082     k->subsystem_id = info->subsystem_id;
2083 }
2084 
2085 static void eepro100_register_types(void)
2086 {
2087     size_t i;
2088     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2089         TypeInfo type_info = {};
2090         E100PCIDeviceInfo *info = &e100_devices[i];
2091 
2092         type_info.name = info->name;
2093         type_info.parent = TYPE_PCI_DEVICE;
2094         type_info.class_init = eepro100_class_init;
2095         type_info.instance_size = sizeof(EEPRO100State);
2096         type_info.instance_init = eepro100_instance_init;
2097         type_info.interfaces = (InterfaceInfo[]) {
2098             { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2099             { },
2100         };
2101 
2102         type_register(&type_info);
2103     }
2104 }
2105 
2106 type_init(eepro100_register_types)
2107