xref: /openbmc/qemu/hw/net/eepro100.c (revision 8d3031fa)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * SPDX-License-Identifier: GPL-2.0-or-later
10  *
11  * This program is free software: you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation, either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
23  *
24  * Tested features (i82559):
25  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
26  *      Linux networking (i386) ok
27  *
28  * Untested:
29  *      Windows networking
30  *
31  * References:
32  *
33  * Intel 8255x 10/100 Mbps Ethernet Controller Family
34  * Open Source Software Developer Manual
35  *
36  * TODO:
37  *      * PHY emulation should be separated from nic emulation.
38  *        Most nic emulations could share the same phy code.
39  *      * i82550 is untested. It is programmed like the i82559.
40  *      * i82562 is untested. It is programmed like the i82559.
41  *      * Power management (i82558 and later) is not implemented.
42  *      * Wake-on-LAN is not implemented.
43  */
44 
45 #include "qemu/osdep.h"
46 #include "qemu/units.h"
47 #include "hw/pci/pci_device.h"
48 #include "hw/qdev-properties.h"
49 #include "migration/vmstate.h"
50 #include "net/net.h"
51 #include "net/eth.h"
52 #include "hw/nvram/eeprom93xx.h"
53 #include "sysemu/sysemu.h"
54 #include "sysemu/dma.h"
55 #include "sysemu/reset.h"
56 #include "qemu/bitops.h"
57 #include "qemu/module.h"
58 #include "qapi/error.h"
59 
60 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
61  * Such frames are rejected by real nics and their emulations.
62  * To avoid this behaviour, other nic emulations pad received
63  * frames. The following definition enables this padding for
64  * eepro100, too. We keep the define around in case it might
65  * become useful the future if the core networking is ever
66  * changed to pad short packets itself. */
67 #define CONFIG_PAD_RECEIVED_FRAMES
68 
69 /* Debug EEPRO100 card. */
70 #if 0
71 # define DEBUG_EEPRO100
72 #endif
73 
74 #ifdef DEBUG_EEPRO100
75 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
76 #else
77 #define logout(fmt, ...) ((void)0)
78 #endif
79 
80 /* Set flags to 0 to disable debug output. */
81 #define INT     1       /* interrupt related actions */
82 #define MDI     1       /* mdi related actions */
83 #define OTHER   1
84 #define RXTX    1
85 #define EEPROM  1       /* eeprom related actions */
86 
87 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
88 
89 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
90 
91 #define MAX_ETH_FRAME_SIZE 1514
92 
93 /* This driver supports several different devices which are declared here. */
94 #define i82550          0x82550
95 #define i82551          0x82551
96 #define i82557A         0x82557a
97 #define i82557B         0x82557b
98 #define i82557C         0x82557c
99 #define i82558A         0x82558a
100 #define i82558B         0x82558b
101 #define i82559A         0x82559a
102 #define i82559B         0x82559b
103 #define i82559C         0x82559c
104 #define i82559ER        0x82559e
105 #define i82562          0x82562
106 #define i82801          0x82801
107 
108 /* Use 64 word EEPROM. TODO: could be a runtime option. */
109 #define EEPROM_SIZE     64
110 
111 #define PCI_MEM_SIZE            (4 * KiB)
112 #define PCI_IO_SIZE             64
113 #define PCI_FLASH_SIZE          (128 * KiB)
114 
115 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
116 
117 /* The SCB accepts the following controls for the Tx and Rx units: */
118 #define  CU_NOP         0x0000  /* No operation. */
119 #define  CU_START       0x0010  /* CU start. */
120 #define  CU_RESUME      0x0020  /* CU resume. */
121 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
122 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
123 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
124 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
125 #define  CU_SRESUME     0x00a0  /* CU static resume. */
126 
127 #define  RU_NOP         0x0000
128 #define  RX_START       0x0001
129 #define  RX_RESUME      0x0002
130 #define  RU_ABORT       0x0004
131 #define  RX_ADDR_LOAD   0x0006
132 #define  RX_RESUMENR    0x0007
133 #define INT_MASK        0x0100
134 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
135 
136 typedef struct {
137     const char *name;
138     const char *desc;
139     uint16_t device_id;
140     uint8_t revision;
141     uint16_t subsystem_vendor_id;
142     uint16_t subsystem_id;
143 
144     uint32_t device;
145     uint8_t stats_size;
146     bool has_extended_tcb_support;
147     bool power_management;
148 } E100PCIDeviceInfo;
149 
150 /* Offsets to the various registers.
151    All accesses need not be longword aligned. */
152 typedef enum {
153     SCBStatus = 0,              /* Status Word. */
154     SCBAck = 1,
155     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
156     SCBIntmask = 3,
157     SCBPointer = 4,             /* General purpose pointer. */
158     SCBPort = 8,                /* Misc. commands and operands.  */
159     SCBflash = 12,              /* Flash memory control. */
160     SCBeeprom = 14,             /* EEPROM control. */
161     SCBCtrlMDI = 16,            /* MDI interface control. */
162     SCBEarlyRx = 20,            /* Early receive byte count. */
163     SCBFlow = 24,               /* Flow Control. */
164     SCBpmdr = 27,               /* Power Management Driver. */
165     SCBgctrl = 28,              /* General Control. */
166     SCBgstat = 29,              /* General Status. */
167 } E100RegisterOffset;
168 
169 /* A speedo3 transmit buffer descriptor with two buffers... */
170 typedef struct {
171     uint16_t status;
172     uint16_t command;
173     uint32_t link;              /* void * */
174     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
175     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
176     uint8_t tx_threshold;       /* transmit threshold */
177     uint8_t tbd_count;          /* TBD number */
178 #if 0
179     /* This constitutes two "TBD" entries: hdr and data */
180     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
181     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
182     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
183     int32_t  tx_buf_size1;  /* Length of Tx data. */
184 #endif
185 } eepro100_tx_t;
186 
187 /* Receive frame descriptor. */
188 typedef struct {
189     int16_t status;
190     uint16_t command;
191     uint32_t link;              /* struct RxFD * */
192     uint32_t rx_buf_addr;       /* void * */
193     uint16_t count;
194     uint16_t size;
195     /* Ethernet frame data follows. */
196 } eepro100_rx_t;
197 
198 typedef enum {
199     COMMAND_EL = BIT(15),
200     COMMAND_S = BIT(14),
201     COMMAND_I = BIT(13),
202     COMMAND_NC = BIT(4),
203     COMMAND_SF = BIT(3),
204     COMMAND_CMD = BITS(2, 0),
205 } scb_command_bit;
206 
207 typedef enum {
208     STATUS_C = BIT(15),
209     STATUS_OK = BIT(13),
210 } scb_status_bit;
211 
212 typedef struct {
213     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
214              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
215              tx_multiple_collisions, tx_total_collisions;
216     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
217              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
218              rx_short_frame_errors;
219     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
220     uint16_t xmt_tco_frames, rcv_tco_frames;
221     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
222     uint32_t reserved[4];
223 } eepro100_stats_t;
224 
225 typedef enum {
226     cu_idle = 0,
227     cu_suspended = 1,
228     cu_active = 2,
229     cu_lpq_active = 2,
230     cu_hqp_active = 3
231 } cu_state_t;
232 
233 typedef enum {
234     ru_idle = 0,
235     ru_suspended = 1,
236     ru_no_resources = 2,
237     ru_ready = 4
238 } ru_state_t;
239 
240 typedef struct {
241     PCIDevice dev;
242     /* Hash register (multicast mask array, multiple individual addresses). */
243     uint8_t mult[8];
244     MemoryRegion mmio_bar;
245     MemoryRegion io_bar;
246     MemoryRegion flash_bar;
247     NICState *nic;
248     NICConf conf;
249     uint8_t scb_stat;           /* SCB stat/ack byte */
250     uint8_t int_stat;           /* PCI interrupt status */
251     /* region must not be saved by nic_save. */
252     uint16_t mdimem[32];
253     eeprom_t *eeprom;
254     uint32_t device;            /* device variant */
255     /* (cu_base + cu_offset) address the next command block in the command block list. */
256     uint32_t cu_base;           /* CU base address */
257     uint32_t cu_offset;         /* CU address offset */
258     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
259     uint32_t ru_base;           /* RU base address */
260     uint32_t ru_offset;         /* RU address offset */
261     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
262 
263     /* Temporary status information (no need to save these values),
264      * used while processing CU commands. */
265     eepro100_tx_t tx;           /* transmit buffer descriptor */
266     uint32_t cb_address;        /* = cu_base + cu_offset */
267 
268     /* Statistical counters. Also used for wake-up packet (i82559). */
269     eepro100_stats_t statistics;
270 
271     /* Data in mem is always in the byte order of the controller (le).
272      * It must be dword aligned to allow direct access to 32 bit values. */
273     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
274 
275     /* Configuration bytes. */
276     uint8_t configuration[22];
277 
278     /* vmstate for each particular nic */
279     VMStateDescription *vmstate;
280 
281     /* Quasi static device properties (no need to save them). */
282     uint16_t stats_size;
283     bool has_extended_tcb_support;
284 } EEPRO100State;
285 
286 /* Word indices in EEPROM. */
287 typedef enum {
288     EEPROM_CNFG_MDIX  = 0x03,
289     EEPROM_ID         = 0x05,
290     EEPROM_PHY_ID     = 0x06,
291     EEPROM_VENDOR_ID  = 0x0c,
292     EEPROM_CONFIG_ASF = 0x0d,
293     EEPROM_DEVICE_ID  = 0x23,
294     EEPROM_SMBUS_ADDR = 0x90,
295 } EEPROMOffset;
296 
297 /* Bit values for EEPROM ID word. */
298 typedef enum {
299     EEPROM_ID_MDM = BIT(0),     /* Modem */
300     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
301     EEPROM_ID_WMR = BIT(2),     /* ??? */
302     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
303     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
304     EEPROM_ID_ALT = BIT(7),     /* */
305     /* BITS(10, 8) device revision */
306     EEPROM_ID_BD = BIT(11),     /* boot disable */
307     EEPROM_ID_ID = BIT(13),     /* id bit */
308     /* BITS(15, 14) signature */
309     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
310 } eeprom_id_bit;
311 
312 /* Default values for MDI (PHY) registers */
313 static const uint16_t eepro100_mdi_default[] = {
314     /* MDI Registers 0 - 6, 7 */
315     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
316     /* MDI Registers 8 - 15 */
317     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
318     /* MDI Registers 16 - 31 */
319     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
320     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
321 };
322 
323 /* Readonly mask for MDI (PHY) registers */
324 static const uint16_t eepro100_mdi_mask[] = {
325     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
326     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
327     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
328     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
329 };
330 
331 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
332 
333 /* Read a 16 bit control/status (CSR) register. */
334 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
335 {
336     assert(!((uintptr_t)&s->mem[addr] & 1));
337     return lduw_le_p(&s->mem[addr]);
338 }
339 
340 /* Read a 32 bit control/status (CSR) register. */
341 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
342 {
343     assert(!((uintptr_t)&s->mem[addr] & 3));
344     return ldl_le_p(&s->mem[addr]);
345 }
346 
347 /* Write a 16 bit control/status (CSR) register. */
348 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
349                             uint16_t val)
350 {
351     assert(!((uintptr_t)&s->mem[addr] & 1));
352     stw_le_p(&s->mem[addr], val);
353 }
354 
355 /* Read a 32 bit control/status (CSR) register. */
356 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
357                             uint32_t val)
358 {
359     assert(!((uintptr_t)&s->mem[addr] & 3));
360     stl_le_p(&s->mem[addr], val);
361 }
362 
363 #if defined(DEBUG_EEPRO100)
364 static const char *nic_dump(const uint8_t * buf, unsigned size)
365 {
366     static char dump[3 * 16 + 1];
367     char *p = &dump[0];
368     if (size > 16) {
369         size = 16;
370     }
371     while (size-- > 0) {
372         p += sprintf(p, " %02x", *buf++);
373     }
374     return dump;
375 }
376 #endif                          /* DEBUG_EEPRO100 */
377 
378 enum scb_stat_ack {
379     stat_ack_not_ours = 0x00,
380     stat_ack_sw_gen = 0x04,
381     stat_ack_rnr = 0x10,
382     stat_ack_cu_idle = 0x20,
383     stat_ack_frame_rx = 0x40,
384     stat_ack_cu_cmd_done = 0x80,
385     stat_ack_not_present = 0xFF,
386     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
387     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
388 };
389 
390 static void disable_interrupt(EEPRO100State * s)
391 {
392     if (s->int_stat) {
393         TRACE(INT, logout("interrupt disabled\n"));
394         pci_irq_deassert(&s->dev);
395         s->int_stat = 0;
396     }
397 }
398 
399 static void enable_interrupt(EEPRO100State * s)
400 {
401     if (!s->int_stat) {
402         TRACE(INT, logout("interrupt enabled\n"));
403         pci_irq_assert(&s->dev);
404         s->int_stat = 1;
405     }
406 }
407 
408 static void eepro100_acknowledge(EEPRO100State * s)
409 {
410     s->scb_stat &= ~s->mem[SCBAck];
411     s->mem[SCBAck] = s->scb_stat;
412     if (s->scb_stat == 0) {
413         disable_interrupt(s);
414     }
415 }
416 
417 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
418 {
419     uint8_t mask = ~s->mem[SCBIntmask];
420     s->mem[SCBAck] |= status;
421     status = s->scb_stat = s->mem[SCBAck];
422     status &= (mask | 0x0f);
423 #if 0
424     status &= (~s->mem[SCBIntmask] | 0x0xf);
425 #endif
426     if (status && (mask & 0x01)) {
427         /* SCB mask and SCB Bit M do not disable interrupt. */
428         enable_interrupt(s);
429     } else if (s->int_stat) {
430         disable_interrupt(s);
431     }
432 }
433 
434 static void eepro100_cx_interrupt(EEPRO100State * s)
435 {
436     /* CU completed action command. */
437     /* Transmit not ok (82557 only, not in emulation). */
438     eepro100_interrupt(s, 0x80);
439 }
440 
441 static void eepro100_cna_interrupt(EEPRO100State * s)
442 {
443     /* CU left the active state. */
444     eepro100_interrupt(s, 0x20);
445 }
446 
447 static void eepro100_fr_interrupt(EEPRO100State * s)
448 {
449     /* RU received a complete frame. */
450     eepro100_interrupt(s, 0x40);
451 }
452 
453 static void eepro100_rnr_interrupt(EEPRO100State * s)
454 {
455     /* RU is not ready. */
456     eepro100_interrupt(s, 0x10);
457 }
458 
459 static void eepro100_mdi_interrupt(EEPRO100State * s)
460 {
461     /* MDI completed read or write cycle. */
462     eepro100_interrupt(s, 0x08);
463 }
464 
465 static void eepro100_swi_interrupt(EEPRO100State * s)
466 {
467     /* Software has requested an interrupt. */
468     eepro100_interrupt(s, 0x04);
469 }
470 
471 #if 0
472 static void eepro100_fcp_interrupt(EEPRO100State * s)
473 {
474     /* Flow control pause interrupt (82558 and later). */
475     eepro100_interrupt(s, 0x01);
476 }
477 #endif
478 
479 static void e100_pci_reset(EEPRO100State *s, Error **errp)
480 {
481     E100PCIDeviceInfo *info = eepro100_get_class(s);
482     uint32_t device = s->device;
483     uint8_t *pci_conf = s->dev.config;
484 
485     TRACE(OTHER, logout("%p\n", s));
486 
487     /* PCI Status */
488     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
489                                         PCI_STATUS_FAST_BACK);
490     /* PCI Latency Timer */
491     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
492     /* Capability Pointer is set by PCI framework. */
493     /* Interrupt Line */
494     /* Interrupt Pin */
495     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
496     /* Minimum Grant */
497     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
498     /* Maximum Latency */
499     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
500 
501     s->stats_size = info->stats_size;
502     s->has_extended_tcb_support = info->has_extended_tcb_support;
503 
504     switch (device) {
505     case i82550:
506     case i82551:
507     case i82557A:
508     case i82557B:
509     case i82557C:
510     case i82558A:
511     case i82558B:
512     case i82559A:
513     case i82559B:
514     case i82559ER:
515     case i82562:
516     case i82801:
517     case i82559C:
518         break;
519     default:
520         logout("Device %X is undefined!\n", device);
521     }
522 
523     /* Standard TxCB. */
524     s->configuration[6] |= BIT(4);
525 
526     /* Standard statistical counters. */
527     s->configuration[6] |= BIT(5);
528 
529     if (s->stats_size == 80) {
530         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
531         if (s->configuration[6] & BIT(2)) {
532             /* TCO statistical counters. */
533             assert(s->configuration[6] & BIT(5));
534         } else {
535             if (s->configuration[6] & BIT(5)) {
536                 /* No extended statistical counters, i82557 compatible. */
537                 s->stats_size = 64;
538             } else {
539                 /* i82558 compatible. */
540                 s->stats_size = 76;
541             }
542         }
543     } else {
544         if (s->configuration[6] & BIT(5)) {
545             /* No extended statistical counters. */
546             s->stats_size = 64;
547         }
548     }
549     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
550 
551     if (info->power_management) {
552         /* Power Management Capabilities */
553         int cfg_offset = 0xdc;
554         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
555                                    cfg_offset, PCI_PM_SIZEOF,
556                                    errp);
557         if (r < 0) {
558             return;
559         }
560 
561         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
562 #if 0 /* TODO: replace dummy code for power management emulation. */
563         /* TODO: Power Management Control / Status. */
564         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
565         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
566         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
567 #endif
568     }
569 
570 #if EEPROM_SIZE > 0
571     if (device == i82557C || device == i82558B || device == i82559C) {
572         /*
573         TODO: get vendor id from EEPROM for i82557C or later.
574         TODO: get device id from EEPROM for i82557C or later.
575         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
576         TODO: header type is determined by EEPROM for i82559.
577         TODO: get subsystem id from EEPROM for i82557C or later.
578         TODO: get subsystem vendor id from EEPROM for i82557C or later.
579         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
580         TODO: capability pointer depends on EEPROM for i82558.
581         */
582         logout("Get device id and revision from EEPROM!!!\n");
583     }
584 #endif /* EEPROM_SIZE > 0 */
585 }
586 
587 static void nic_selective_reset(EEPRO100State * s)
588 {
589     size_t i;
590     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
591 #if 0
592     eeprom93xx_reset(s->eeprom);
593 #endif
594     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
595     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
596     if (s->device == i82557B || s->device == i82557C)
597         eeprom_contents[5] = 0x0100;
598     eeprom_contents[EEPROM_PHY_ID] = 1;
599     uint16_t sum = 0;
600     for (i = 0; i < EEPROM_SIZE - 1; i++) {
601         sum += eeprom_contents[i];
602     }
603     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
604     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
605 
606     memset(s->mem, 0, sizeof(s->mem));
607     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
608 
609     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
610     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
611 }
612 
613 static void nic_reset(void *opaque)
614 {
615     EEPRO100State *s = opaque;
616     TRACE(OTHER, logout("%p\n", s));
617     /* TODO: Clearing of hash register for selective reset, too? */
618     memset(&s->mult[0], 0, sizeof(s->mult));
619     nic_selective_reset(s);
620 }
621 
622 #if defined(DEBUG_EEPRO100)
623 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
624     "Command/Status",
625     "General Pointer",
626     "Port",
627     "EEPROM/Flash Control",
628     "MDI Control",
629     "Receive DMA Byte Count",
630     "Flow Control",
631     "General Status/Control"
632 };
633 
634 static char *regname(uint32_t addr)
635 {
636     static char buf[32];
637     if (addr < PCI_IO_SIZE) {
638         const char *r = e100_reg[addr / 4];
639         if (r != 0) {
640             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
641         } else {
642             snprintf(buf, sizeof(buf), "0x%02x", addr);
643         }
644     } else {
645         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
646     }
647     return buf;
648 }
649 #endif                          /* DEBUG_EEPRO100 */
650 
651 /*****************************************************************************
652  *
653  * Command emulation.
654  *
655  ****************************************************************************/
656 
657 #if 0
658 static uint16_t eepro100_read_command(EEPRO100State * s)
659 {
660     uint16_t val = 0xffff;
661     TRACE(OTHER, logout("val=0x%04x\n", val));
662     return val;
663 }
664 #endif
665 
666 /* Commands that can be put in a command list entry. */
667 enum commands {
668     CmdNOp = 0,
669     CmdIASetup = 1,
670     CmdConfigure = 2,
671     CmdMulticastList = 3,
672     CmdTx = 4,
673     CmdTDR = 5,                 /* load microcode */
674     CmdDump = 6,
675     CmdDiagnose = 7,
676 
677     /* And some extra flags: */
678     CmdSuspend = 0x4000,        /* Suspend after completion. */
679     CmdIntr = 0x2000,           /* Interrupt after completion. */
680     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
681 };
682 
683 static cu_state_t get_cu_state(EEPRO100State * s)
684 {
685     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
686 }
687 
688 static void set_cu_state(EEPRO100State * s, cu_state_t state)
689 {
690     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
691 }
692 
693 static ru_state_t get_ru_state(EEPRO100State * s)
694 {
695     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
696 }
697 
698 static void set_ru_state(EEPRO100State * s, ru_state_t state)
699 {
700     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
701 }
702 
703 static void dump_statistics(EEPRO100State * s)
704 {
705     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
706 
707     /* Dump statistical data. Most data is never changed by the emulation
708      * and always 0, so we first just copy the whole block and then those
709      * values which really matter.
710      * Number of data should check configuration!!!
711      */
712     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
713     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
714                    s->statistics.tx_good_frames, attrs);
715     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
716                    s->statistics.rx_good_frames, attrs);
717     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
718                    s->statistics.rx_resource_errors, attrs);
719     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
720                    s->statistics.rx_short_frame_errors, attrs);
721 #if 0
722     stw_le_pci_dma(&s->dev, s->statsaddr + 76,
723                    s->statistics.xmt_tco_frames, attrs);
724     stw_le_pci_dma(&s->dev, s->statsaddr + 78,
725                    s->statistics.rcv_tco_frames, attrs);
726     missing("CU dump statistical counters");
727 #endif
728 }
729 
730 static void read_cb(EEPRO100State *s)
731 {
732     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
733     s->tx.status = le16_to_cpu(s->tx.status);
734     s->tx.command = le16_to_cpu(s->tx.command);
735     s->tx.link = le32_to_cpu(s->tx.link);
736     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
737     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
738 }
739 
740 static void tx_command(EEPRO100State *s)
741 {
742     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
743     uint32_t tbd_array = s->tx.tbd_array_addr;
744     uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
745     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
746     uint8_t buf[2600];
747     uint16_t size = 0;
748     uint32_t tbd_address = s->cb_address + 0x10;
749     TRACE(RXTX, logout
750         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
751          tbd_array, tcb_bytes, s->tx.tbd_count));
752 
753     if (tcb_bytes > 2600) {
754         logout("TCB byte count too large, using 2600\n");
755         tcb_bytes = 2600;
756     }
757     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
758         logout
759             ("illegal values of TBD array address and TCB byte count!\n");
760     }
761     assert(tcb_bytes <= sizeof(buf));
762     while (size < tcb_bytes) {
763         TRACE(RXTX, logout
764             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
765              tbd_address, tcb_bytes));
766         pci_dma_read(&s->dev, tbd_address, &buf[size], tcb_bytes);
767         size += tcb_bytes;
768     }
769     if (tbd_array == 0xffffffff) {
770         /* Simplified mode. Was already handled by code above. */
771     } else {
772         /* Flexible mode. */
773         uint8_t tbd_count = 0;
774         uint32_t tx_buffer_address;
775         uint16_t tx_buffer_size;
776         uint16_t tx_buffer_el;
777 
778         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
779             /* Extended Flexible TCB. */
780             for (; tbd_count < 2; tbd_count++) {
781                 ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
782                 lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
783                 lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
784                 tbd_address += 8;
785                 TRACE(RXTX, logout
786                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
787                      tx_buffer_address, tx_buffer_size));
788                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
789                 pci_dma_read(&s->dev, tx_buffer_address,
790                              &buf[size], tx_buffer_size);
791                 size += tx_buffer_size;
792                 if (tx_buffer_el & 1) {
793                     break;
794                 }
795             }
796         }
797         tbd_address = tbd_array;
798         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
799             ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
800             lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
801             lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
802             tbd_address += 8;
803             TRACE(RXTX, logout
804                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
805                  tx_buffer_address, tx_buffer_size));
806             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
807             pci_dma_read(&s->dev, tx_buffer_address,
808                          &buf[size], tx_buffer_size);
809             size += tx_buffer_size;
810             if (tx_buffer_el & 1) {
811                 break;
812             }
813         }
814     }
815     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
816     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
817     s->statistics.tx_good_frames++;
818     /* Transmit with bad status would raise an CX/TNO interrupt.
819      * (82557 only). Emulation never has bad status. */
820 #if 0
821     eepro100_cx_interrupt(s);
822 #endif
823 }
824 
825 static void set_multicast_list(EEPRO100State *s)
826 {
827     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
828     uint16_t i;
829     memset(&s->mult[0], 0, sizeof(s->mult));
830     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
831     for (i = 0; i < multicast_count; i += 6) {
832         uint8_t multicast_addr[6];
833         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
834         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
835         unsigned mcast_idx = (net_crc32(multicast_addr, ETH_ALEN) &
836                               BITS(7, 2)) >> 2;
837         assert(mcast_idx < 64);
838         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
839     }
840 }
841 
842 static void action_command(EEPRO100State *s)
843 {
844     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
845     /* The loop below won't stop if it gets special handcrafted data.
846        Therefore we limit the number of iterations. */
847     unsigned max_loop_count = 16;
848 
849     for (;;) {
850         bool bit_el;
851         bool bit_s;
852         bool bit_i;
853         bool bit_nc;
854         uint16_t ok_status = STATUS_OK;
855         s->cb_address = s->cu_base + s->cu_offset;
856         read_cb(s);
857         bit_el = ((s->tx.command & COMMAND_EL) != 0);
858         bit_s = ((s->tx.command & COMMAND_S) != 0);
859         bit_i = ((s->tx.command & COMMAND_I) != 0);
860         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
861 #if 0
862         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
863 #endif
864 
865         if (max_loop_count-- == 0) {
866             /* Prevent an endless loop. */
867             logout("loop in %s:%u\n", __FILE__, __LINE__);
868             break;
869         }
870 
871         s->cu_offset = s->tx.link;
872         TRACE(OTHER,
873               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
874                      s->tx.status, s->tx.command, s->tx.link));
875         switch (s->tx.command & COMMAND_CMD) {
876         case CmdNOp:
877             /* Do nothing. */
878             break;
879         case CmdIASetup:
880             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
881             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
882             break;
883         case CmdConfigure:
884             pci_dma_read(&s->dev, s->cb_address + 8,
885                          &s->configuration[0], sizeof(s->configuration));
886             TRACE(OTHER, logout("configuration: %s\n",
887                                 nic_dump(&s->configuration[0], 16)));
888             TRACE(OTHER, logout("configuration: %s\n",
889                                 nic_dump(&s->configuration[16],
890                                 ARRAY_SIZE(s->configuration) - 16)));
891             if (s->configuration[20] & BIT(6)) {
892                 TRACE(OTHER, logout("Multiple IA bit\n"));
893             }
894             break;
895         case CmdMulticastList:
896             set_multicast_list(s);
897             break;
898         case CmdTx:
899             if (bit_nc) {
900                 missing("CmdTx: NC = 0");
901                 ok_status = 0;
902                 break;
903             }
904             tx_command(s);
905             break;
906         case CmdTDR:
907             TRACE(OTHER, logout("load microcode\n"));
908             /* Starting with offset 8, the command contains
909              * 64 dwords microcode which we just ignore here. */
910             break;
911         case CmdDiagnose:
912             TRACE(OTHER, logout("diagnose\n"));
913             /* Make sure error flag is not set. */
914             s->tx.status = 0;
915             break;
916         default:
917             missing("undefined command");
918             ok_status = 0;
919             break;
920         }
921         /* Write new status. */
922         stw_le_pci_dma(&s->dev, s->cb_address,
923                        s->tx.status | ok_status | STATUS_C, attrs);
924         if (bit_i) {
925             /* CU completed action. */
926             eepro100_cx_interrupt(s);
927         }
928         if (bit_el) {
929             /* CU becomes idle. Terminate command loop. */
930             set_cu_state(s, cu_idle);
931             eepro100_cna_interrupt(s);
932             break;
933         } else if (bit_s) {
934             /* CU becomes suspended. Terminate command loop. */
935             set_cu_state(s, cu_suspended);
936             eepro100_cna_interrupt(s);
937             break;
938         } else {
939             /* More entries in list. */
940             TRACE(OTHER, logout("CU list with at least one more entry\n"));
941         }
942     }
943     TRACE(OTHER, logout("CU list empty\n"));
944     /* List is empty. Now CU is idle or suspended. */
945 }
946 
947 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
948 {
949     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
950     cu_state_t cu_state;
951     switch (val) {
952     case CU_NOP:
953         /* No operation. */
954         break;
955     case CU_START:
956         cu_state = get_cu_state(s);
957         if (cu_state != cu_idle && cu_state != cu_suspended) {
958             /* Intel documentation says that CU must be idle or suspended
959              * for the CU start command. */
960             logout("unexpected CU state is %u\n", cu_state);
961         }
962         set_cu_state(s, cu_active);
963         s->cu_offset = e100_read_reg4(s, SCBPointer);
964         action_command(s);
965         break;
966     case CU_RESUME:
967         if (get_cu_state(s) != cu_suspended) {
968             logout("bad CU resume from CU state %u\n", get_cu_state(s));
969             /* Workaround for bad Linux eepro100 driver which resumes
970              * from idle state. */
971 #if 0
972             missing("cu resume");
973 #endif
974             set_cu_state(s, cu_suspended);
975         }
976         if (get_cu_state(s) == cu_suspended) {
977             TRACE(OTHER, logout("CU resuming\n"));
978             set_cu_state(s, cu_active);
979             action_command(s);
980         }
981         break;
982     case CU_STATSADDR:
983         /* Load dump counters address. */
984         s->statsaddr = e100_read_reg4(s, SCBPointer);
985         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
986         if (s->statsaddr & 3) {
987             /* Memory must be Dword aligned. */
988             logout("unaligned dump counters address\n");
989             /* Handling of misaligned addresses is undefined.
990              * Here we align the address by ignoring the lower bits. */
991             /* TODO: Test unaligned dump counter address on real hardware. */
992             s->statsaddr &= ~3;
993         }
994         break;
995     case CU_SHOWSTATS:
996         /* Dump statistical counters. */
997         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
998         dump_statistics(s);
999         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs);
1000         break;
1001     case CU_CMD_BASE:
1002         /* Load CU base. */
1003         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
1004         s->cu_base = e100_read_reg4(s, SCBPointer);
1005         break;
1006     case CU_DUMPSTATS:
1007         /* Dump and reset statistical counters. */
1008         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
1009         dump_statistics(s);
1010         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs);
1011         memset(&s->statistics, 0, sizeof(s->statistics));
1012         break;
1013     case CU_SRESUME:
1014         /* CU static resume. */
1015         missing("CU static resume");
1016         break;
1017     default:
1018         missing("Undefined CU command");
1019     }
1020 }
1021 
1022 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1023 {
1024     switch (val) {
1025     case RU_NOP:
1026         /* No operation. */
1027         break;
1028     case RX_START:
1029         /* RU start. */
1030         if (get_ru_state(s) != ru_idle) {
1031             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1032 #if 0
1033             assert(!"wrong RU state");
1034 #endif
1035         }
1036         set_ru_state(s, ru_ready);
1037         s->ru_offset = e100_read_reg4(s, SCBPointer);
1038         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1039         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1040         break;
1041     case RX_RESUME:
1042         /* Restart RU. */
1043         if (get_ru_state(s) != ru_suspended) {
1044             logout("RU state is %u, should be %u\n", get_ru_state(s),
1045                    ru_suspended);
1046 #if 0
1047             assert(!"wrong RU state");
1048 #endif
1049         }
1050         set_ru_state(s, ru_ready);
1051         break;
1052     case RU_ABORT:
1053         /* RU abort. */
1054         if (get_ru_state(s) == ru_ready) {
1055             eepro100_rnr_interrupt(s);
1056         }
1057         set_ru_state(s, ru_idle);
1058         break;
1059     case RX_ADDR_LOAD:
1060         /* Load RU base. */
1061         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1062         s->ru_base = e100_read_reg4(s, SCBPointer);
1063         break;
1064     default:
1065         logout("val=0x%02x (undefined RU command)\n", val);
1066         missing("Undefined SU command");
1067     }
1068 }
1069 
1070 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1071 {
1072     eepro100_ru_command(s, val & 0x0f);
1073     eepro100_cu_command(s, val & 0xf0);
1074     if ((val) == 0) {
1075         TRACE(OTHER, logout("val=0x%02x\n", val));
1076     }
1077     /* Clear command byte after command was accepted. */
1078     s->mem[SCBCmd] = 0;
1079 }
1080 
1081 /*****************************************************************************
1082  *
1083  * EEPROM emulation.
1084  *
1085  ****************************************************************************/
1086 
1087 #define EEPROM_CS       0x02
1088 #define EEPROM_SK       0x01
1089 #define EEPROM_DI       0x04
1090 #define EEPROM_DO       0x08
1091 
1092 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1093 {
1094     uint16_t val = e100_read_reg2(s, SCBeeprom);
1095     if (eeprom93xx_read(s->eeprom)) {
1096         val |= EEPROM_DO;
1097     } else {
1098         val &= ~EEPROM_DO;
1099     }
1100     TRACE(EEPROM, logout("val=0x%04x\n", val));
1101     return val;
1102 }
1103 
1104 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1105 {
1106     TRACE(EEPROM, logout("val=0x%02x\n", val));
1107 
1108     /* mask unwritable bits */
1109 #if 0
1110     val = SET_MASKED(val, 0x31, eeprom->value);
1111 #endif
1112 
1113     int eecs = ((val & EEPROM_CS) != 0);
1114     int eesk = ((val & EEPROM_SK) != 0);
1115     int eedi = ((val & EEPROM_DI) != 0);
1116     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1117 }
1118 
1119 /*****************************************************************************
1120  *
1121  * MDI emulation.
1122  *
1123  ****************************************************************************/
1124 
1125 #if defined(DEBUG_EEPRO100)
1126 static const char * const mdi_op_name[] = {
1127     "opcode 0",
1128     "write",
1129     "read",
1130     "opcode 3"
1131 };
1132 
1133 static const char * const mdi_reg_name[] = {
1134     "Control",
1135     "Status",
1136     "PHY Identification (Word 1)",
1137     "PHY Identification (Word 2)",
1138     "Auto-Negotiation Advertisement",
1139     "Auto-Negotiation Link Partner Ability",
1140     "Auto-Negotiation Expansion"
1141 };
1142 
1143 static const char *reg2name(uint8_t reg)
1144 {
1145     static char buffer[10];
1146     const char *p = buffer;
1147     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1148         p = mdi_reg_name[reg];
1149     } else {
1150         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1151     }
1152     return p;
1153 }
1154 #endif                          /* DEBUG_EEPRO100 */
1155 
1156 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1157 {
1158     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1159 
1160 #ifdef DEBUG_EEPRO100
1161     uint8_t raiseint = (val & BIT(29)) >> 29;
1162     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1163     uint8_t phy = (val & BITS(25, 21)) >> 21;
1164     uint8_t reg = (val & BITS(20, 16)) >> 16;
1165     uint16_t data = (val & BITS(15, 0));
1166 #endif
1167     /* Emulation takes no time to finish MDI transaction. */
1168     val |= BIT(28);
1169     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1170                       val, raiseint, mdi_op_name[opcode], phy,
1171                       reg2name(reg), data));
1172     return val;
1173 }
1174 
1175 static void eepro100_write_mdi(EEPRO100State *s)
1176 {
1177     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1178     uint8_t raiseint = (val & BIT(29)) >> 29;
1179     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1180     uint8_t phy = (val & BITS(25, 21)) >> 21;
1181     uint8_t reg = (val & BITS(20, 16)) >> 16;
1182     uint16_t data = (val & BITS(15, 0));
1183     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1184           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1185     if (phy != 1) {
1186         /* Unsupported PHY address. */
1187 #if 0
1188         logout("phy must be 1 but is %u\n", phy);
1189 #endif
1190         data = 0;
1191     } else if (opcode != 1 && opcode != 2) {
1192         /* Unsupported opcode. */
1193         logout("opcode must be 1 or 2 but is %u\n", opcode);
1194         data = 0;
1195     } else if (reg > 6) {
1196         /* Unsupported register. */
1197         logout("register must be 0...6 but is %u\n", reg);
1198         data = 0;
1199     } else {
1200         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1201                           val, raiseint, mdi_op_name[opcode], phy,
1202                           reg2name(reg), data));
1203         if (opcode == 1) {
1204             /* MDI write */
1205             switch (reg) {
1206             case 0:            /* Control Register */
1207                 if (data & 0x8000) {
1208                     /* Reset status and control registers to default. */
1209                     s->mdimem[0] = eepro100_mdi_default[0];
1210                     s->mdimem[1] = eepro100_mdi_default[1];
1211                     data = s->mdimem[reg];
1212                 } else {
1213                     /* Restart Auto Configuration = Normal Operation */
1214                     data &= ~0x0200;
1215                 }
1216                 break;
1217             case 1:            /* Status Register */
1218                 missing("not writable");
1219                 break;
1220             case 2:            /* PHY Identification Register (Word 1) */
1221             case 3:            /* PHY Identification Register (Word 2) */
1222                 missing("not implemented");
1223                 break;
1224             case 4:            /* Auto-Negotiation Advertisement Register */
1225             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1226                 break;
1227             case 6:            /* Auto-Negotiation Expansion Register */
1228             default:
1229                 missing("not implemented");
1230             }
1231             s->mdimem[reg] &= eepro100_mdi_mask[reg];
1232             s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
1233         } else if (opcode == 2) {
1234             /* MDI read */
1235             switch (reg) {
1236             case 0:            /* Control Register */
1237                 if (data & 0x8000) {
1238                     /* Reset status and control registers to default. */
1239                     s->mdimem[0] = eepro100_mdi_default[0];
1240                     s->mdimem[1] = eepro100_mdi_default[1];
1241                 }
1242                 break;
1243             case 1:            /* Status Register */
1244                 s->mdimem[reg] |= 0x0020;
1245                 break;
1246             case 2:            /* PHY Identification Register (Word 1) */
1247             case 3:            /* PHY Identification Register (Word 2) */
1248             case 4:            /* Auto-Negotiation Advertisement Register */
1249                 break;
1250             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1251                 s->mdimem[reg] = 0x41fe;
1252                 break;
1253             case 6:            /* Auto-Negotiation Expansion Register */
1254                 s->mdimem[reg] = 0x0001;
1255                 break;
1256             }
1257             data = s->mdimem[reg];
1258         }
1259         /* Emulation takes no time to finish MDI transaction.
1260          * Set MDI bit in SCB status register. */
1261         s->mem[SCBAck] |= 0x08;
1262         val |= BIT(28);
1263         if (raiseint) {
1264             eepro100_mdi_interrupt(s);
1265         }
1266     }
1267     val = (val & 0xffff0000) + data;
1268     e100_write_reg4(s, SCBCtrlMDI, val);
1269 }
1270 
1271 /*****************************************************************************
1272  *
1273  * Port emulation.
1274  *
1275  ****************************************************************************/
1276 
1277 #define PORT_SOFTWARE_RESET     0
1278 #define PORT_SELFTEST           1
1279 #define PORT_SELECTIVE_RESET    2
1280 #define PORT_DUMP               3
1281 #define PORT_SELECTION_MASK     3
1282 
1283 typedef struct {
1284     uint32_t st_sign;           /* Self Test Signature */
1285     uint32_t st_result;         /* Self Test Results */
1286 } eepro100_selftest_t;
1287 
1288 static uint32_t eepro100_read_port(EEPRO100State * s)
1289 {
1290     return 0;
1291 }
1292 
1293 static void eepro100_write_port(EEPRO100State *s)
1294 {
1295     uint32_t val = e100_read_reg4(s, SCBPort);
1296     uint32_t address = (val & ~PORT_SELECTION_MASK);
1297     uint8_t selection = (val & PORT_SELECTION_MASK);
1298     switch (selection) {
1299     case PORT_SOFTWARE_RESET:
1300         nic_reset(s);
1301         break;
1302     case PORT_SELFTEST:
1303         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1304         eepro100_selftest_t data;
1305         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1306         data.st_sign = 0xffffffff;
1307         data.st_result = 0;
1308         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1309         break;
1310     case PORT_SELECTIVE_RESET:
1311         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1312         nic_selective_reset(s);
1313         break;
1314     default:
1315         logout("val=0x%08x\n", val);
1316         missing("unknown port selection");
1317     }
1318 }
1319 
1320 /*****************************************************************************
1321  *
1322  * General hardware emulation.
1323  *
1324  ****************************************************************************/
1325 
1326 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1327 {
1328     uint8_t val = 0;
1329     if (addr <= sizeof(s->mem) - sizeof(val)) {
1330         val = s->mem[addr];
1331     }
1332 
1333     switch (addr) {
1334     case SCBStatus:
1335     case SCBAck:
1336         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1337         break;
1338     case SCBCmd:
1339         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1340 #if 0
1341         val = eepro100_read_command(s);
1342 #endif
1343         break;
1344     case SCBIntmask:
1345         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1346         break;
1347     case SCBPort + 3:
1348         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1349         break;
1350     case SCBeeprom:
1351         val = eepro100_read_eeprom(s);
1352         break;
1353     case SCBCtrlMDI:
1354     case SCBCtrlMDI + 1:
1355     case SCBCtrlMDI + 2:
1356     case SCBCtrlMDI + 3:
1357         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1358         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1359         break;
1360     case SCBpmdr:       /* Power Management Driver Register */
1361         val = 0;
1362         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1363         break;
1364     case SCBgctrl:      /* General Control Register */
1365         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1366         break;
1367     case SCBgstat:      /* General Status Register */
1368         /* 100 Mbps full duplex, valid link */
1369         val = 0x07;
1370         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1371         break;
1372     default:
1373         logout("addr=%s val=0x%02x\n", regname(addr), val);
1374         missing("unknown byte read");
1375     }
1376     return val;
1377 }
1378 
1379 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1380 {
1381     uint16_t val = 0;
1382     if (addr <= sizeof(s->mem) - sizeof(val)) {
1383         val = e100_read_reg2(s, addr);
1384     }
1385 
1386     switch (addr) {
1387     case SCBStatus:
1388     case SCBCmd:
1389         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1390         break;
1391     case SCBeeprom:
1392         val = eepro100_read_eeprom(s);
1393         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1394         break;
1395     case SCBCtrlMDI:
1396     case SCBCtrlMDI + 2:
1397         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1398         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1399         break;
1400     default:
1401         logout("addr=%s val=0x%04x\n", regname(addr), val);
1402         missing("unknown word read");
1403     }
1404     return val;
1405 }
1406 
1407 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1408 {
1409     uint32_t val = 0;
1410     if (addr <= sizeof(s->mem) - sizeof(val)) {
1411         val = e100_read_reg4(s, addr);
1412     }
1413 
1414     switch (addr) {
1415     case SCBStatus:
1416         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1417         break;
1418     case SCBPointer:
1419         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1420         break;
1421     case SCBPort:
1422         val = eepro100_read_port(s);
1423         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1424         break;
1425     case SCBflash:
1426         val = eepro100_read_eeprom(s);
1427         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1428         break;
1429     case SCBCtrlMDI:
1430         val = eepro100_read_mdi(s);
1431         break;
1432     default:
1433         logout("addr=%s val=0x%08x\n", regname(addr), val);
1434         missing("unknown longword read");
1435     }
1436     return val;
1437 }
1438 
1439 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1440 {
1441     /* SCBStatus is readonly. */
1442     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1443         s->mem[addr] = val;
1444     }
1445 
1446     switch (addr) {
1447     case SCBStatus:
1448         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1449         break;
1450     case SCBAck:
1451         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1452         eepro100_acknowledge(s);
1453         break;
1454     case SCBCmd:
1455         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1456         eepro100_write_command(s, val);
1457         break;
1458     case SCBIntmask:
1459         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1460         if (val & BIT(1)) {
1461             eepro100_swi_interrupt(s);
1462         }
1463         eepro100_interrupt(s, 0);
1464         break;
1465     case SCBPointer:
1466     case SCBPointer + 1:
1467     case SCBPointer + 2:
1468     case SCBPointer + 3:
1469         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1470         break;
1471     case SCBPort:
1472     case SCBPort + 1:
1473     case SCBPort + 2:
1474         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1475         break;
1476     case SCBPort + 3:
1477         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1478         eepro100_write_port(s);
1479         break;
1480     case SCBFlow:       /* does not exist on 82557 */
1481     case SCBFlow + 1:
1482     case SCBFlow + 2:
1483     case SCBpmdr:       /* does not exist on 82557 */
1484         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1485         break;
1486     case SCBeeprom:
1487         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1488         eepro100_write_eeprom(s->eeprom, val);
1489         break;
1490     case SCBCtrlMDI:
1491     case SCBCtrlMDI + 1:
1492     case SCBCtrlMDI + 2:
1493         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1494         break;
1495     case SCBCtrlMDI + 3:
1496         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1497         eepro100_write_mdi(s);
1498         break;
1499     default:
1500         logout("addr=%s val=0x%02x\n", regname(addr), val);
1501         missing("unknown byte write");
1502     }
1503 }
1504 
1505 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1506 {
1507     /* SCBStatus is readonly. */
1508     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1509         e100_write_reg2(s, addr, val);
1510     }
1511 
1512     switch (addr) {
1513     case SCBStatus:
1514         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1515         s->mem[SCBAck] = (val >> 8);
1516         eepro100_acknowledge(s);
1517         break;
1518     case SCBCmd:
1519         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1520         eepro100_write_command(s, val);
1521         eepro100_write1(s, SCBIntmask, val >> 8);
1522         break;
1523     case SCBPointer:
1524     case SCBPointer + 2:
1525         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1526         break;
1527     case SCBPort:
1528         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1529         break;
1530     case SCBPort + 2:
1531         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1532         eepro100_write_port(s);
1533         break;
1534     case SCBeeprom:
1535         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1536         eepro100_write_eeprom(s->eeprom, val);
1537         break;
1538     case SCBCtrlMDI:
1539         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1540         break;
1541     case SCBCtrlMDI + 2:
1542         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1543         eepro100_write_mdi(s);
1544         break;
1545     default:
1546         logout("addr=%s val=0x%04x\n", regname(addr), val);
1547         missing("unknown word write");
1548     }
1549 }
1550 
1551 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1552 {
1553     if (addr <= sizeof(s->mem) - sizeof(val)) {
1554         e100_write_reg4(s, addr, val);
1555     }
1556 
1557     switch (addr) {
1558     case SCBPointer:
1559         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1560         break;
1561     case SCBPort:
1562         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1563         eepro100_write_port(s);
1564         break;
1565     case SCBflash:
1566         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1567         val = val >> 16;
1568         eepro100_write_eeprom(s->eeprom, val);
1569         break;
1570     case SCBCtrlMDI:
1571         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1572         eepro100_write_mdi(s);
1573         break;
1574     default:
1575         logout("addr=%s val=0x%08x\n", regname(addr), val);
1576         missing("unknown longword write");
1577     }
1578 }
1579 
1580 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1581                               unsigned size)
1582 {
1583     EEPRO100State *s = opaque;
1584 
1585     switch (size) {
1586     case 1: return eepro100_read1(s, addr);
1587     case 2: return eepro100_read2(s, addr);
1588     case 4: return eepro100_read4(s, addr);
1589     default: abort();
1590     }
1591 }
1592 
1593 static void eepro100_write(void *opaque, hwaddr addr,
1594                            uint64_t data, unsigned size)
1595 {
1596     EEPRO100State *s = opaque;
1597 
1598     switch (size) {
1599     case 1:
1600         eepro100_write1(s, addr, data);
1601         break;
1602     case 2:
1603         eepro100_write2(s, addr, data);
1604         break;
1605     case 4:
1606         eepro100_write4(s, addr, data);
1607         break;
1608     default:
1609         abort();
1610     }
1611 }
1612 
1613 static const MemoryRegionOps eepro100_ops = {
1614     .read = eepro100_read,
1615     .write = eepro100_write,
1616     .endianness = DEVICE_LITTLE_ENDIAN,
1617 };
1618 
1619 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1620 {
1621     /* TODO:
1622      * - Magic packets should set bit 30 in power management driver register.
1623      * - Interesting packets should set bit 29 in power management driver register.
1624      */
1625     const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
1626     EEPRO100State *s = qemu_get_nic_opaque(nc);
1627     uint16_t rfd_status = 0xa000;
1628 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1629     uint8_t min_buf[60];
1630 #endif
1631     static const uint8_t broadcast_macaddr[6] =
1632         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1633 
1634 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1635     /* Pad to minimum Ethernet frame length */
1636     if (size < sizeof(min_buf)) {
1637         memcpy(min_buf, buf, size);
1638         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1639         buf = min_buf;
1640         size = sizeof(min_buf);
1641     }
1642 #endif
1643 
1644     if (s->configuration[8] & 0x80) {
1645         /* CSMA is disabled. */
1646         logout("%p received while CSMA is disabled\n", s);
1647         return -1;
1648 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1649     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1650         /* Short frame and configuration byte 7/0 (discard short receive) set:
1651          * Short frame is discarded */
1652         logout("%p received short frame (%zu byte)\n", s, size);
1653         s->statistics.rx_short_frame_errors++;
1654         return -1;
1655 #endif
1656     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1657         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1658          * Long frames are discarded. */
1659         logout("%p received long frame (%zu byte), ignored\n", s, size);
1660         return -1;
1661     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1662         /* Frame matches individual address. */
1663         /* TODO: check configuration byte 15/4 (ignore U/L). */
1664         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1665     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1666         /* Broadcast frame. */
1667         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1668         rfd_status |= 0x0002;
1669     } else if (buf[0] & 0x01) {
1670         /* Multicast frame. */
1671         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1672         if (s->configuration[21] & BIT(3)) {
1673           /* Multicast all bit is set, receive all multicast frames. */
1674         } else {
1675           unsigned mcast_idx = (net_crc32(buf, ETH_ALEN) & BITS(7, 2)) >> 2;
1676           assert(mcast_idx < 64);
1677           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1678             /* Multicast frame is allowed in hash table. */
1679           } else if (s->configuration[15] & BIT(0)) {
1680               /* Promiscuous: receive all. */
1681               rfd_status |= 0x0004;
1682           } else {
1683               TRACE(RXTX, logout("%p multicast ignored\n", s));
1684               return -1;
1685           }
1686         }
1687         /* TODO: Next not for promiscuous mode? */
1688         rfd_status |= 0x0002;
1689     } else if (s->configuration[15] & BIT(0)) {
1690         /* Promiscuous: receive all. */
1691         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1692         rfd_status |= 0x0004;
1693     } else if (s->configuration[20] & BIT(6)) {
1694         /* Multiple IA bit set. */
1695         unsigned mcast_idx = net_crc32(buf, ETH_ALEN) >> 26;
1696         assert(mcast_idx < 64);
1697         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1698             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1699         } else {
1700             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1701             return -1;
1702         }
1703     } else {
1704         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1705               nic_dump(buf, size)));
1706         return size;
1707     }
1708 
1709     if (get_ru_state(s) != ru_ready) {
1710         /* No resources available. */
1711         logout("no resources, state=%u\n", get_ru_state(s));
1712         /* TODO: RNR interrupt only at first failed frame? */
1713         eepro100_rnr_interrupt(s);
1714         s->statistics.rx_resource_errors++;
1715 #if 0
1716         assert(!"no resources");
1717 #endif
1718         return -1;
1719     }
1720     /* !!! */
1721     eepro100_rx_t rx;
1722     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1723                  &rx, sizeof(eepro100_rx_t));
1724     uint16_t rfd_command = le16_to_cpu(rx.command);
1725     uint16_t rfd_size = le16_to_cpu(rx.size);
1726 
1727     if (size > rfd_size) {
1728         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1729             "(%zu bytes); data truncated\n", rfd_size, size);
1730         size = rfd_size;
1731     }
1732 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1733     if (size < 64) {
1734         rfd_status |= 0x0080;
1735     }
1736 #endif
1737     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1738           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1739     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1740                 offsetof(eepro100_rx_t, status), rfd_status, attrs);
1741     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1742                 offsetof(eepro100_rx_t, count), size, attrs);
1743     /* Early receive interrupt not supported. */
1744 #if 0
1745     eepro100_er_interrupt(s);
1746 #endif
1747     /* Receive CRC Transfer not supported. */
1748     if (s->configuration[18] & BIT(2)) {
1749         missing("Receive CRC Transfer");
1750         return -1;
1751     }
1752     /* TODO: check stripping enable bit. */
1753 #if 0
1754     assert(!(s->configuration[17] & BIT(0)));
1755 #endif
1756     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1757                   sizeof(eepro100_rx_t), buf, size);
1758     s->statistics.rx_good_frames++;
1759     eepro100_fr_interrupt(s);
1760     s->ru_offset = le32_to_cpu(rx.link);
1761     if (rfd_command & COMMAND_EL) {
1762         /* EL bit is set, so this was the last frame. */
1763         logout("receive: Running out of frames\n");
1764         set_ru_state(s, ru_no_resources);
1765         eepro100_rnr_interrupt(s);
1766     }
1767     if (rfd_command & COMMAND_S) {
1768         /* S bit is set. */
1769         set_ru_state(s, ru_suspended);
1770     }
1771     return size;
1772 }
1773 
1774 static const VMStateDescription vmstate_eepro100 = {
1775     .version_id = 3,
1776     .minimum_version_id = 2,
1777     .fields = (const VMStateField[]) {
1778         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1779         VMSTATE_UNUSED(32),
1780         VMSTATE_BUFFER(mult, EEPRO100State),
1781         VMSTATE_BUFFER(mem, EEPRO100State),
1782         /* Save all members of struct between scb_stat and mem. */
1783         VMSTATE_UINT8(scb_stat, EEPRO100State),
1784         VMSTATE_UINT8(int_stat, EEPRO100State),
1785         VMSTATE_UNUSED(3*4),
1786         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1787         VMSTATE_UNUSED(19*4),
1788         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1789         /* The eeprom should be saved and restored by its own routines. */
1790         VMSTATE_UINT32(device, EEPRO100State),
1791         /* TODO check device. */
1792         VMSTATE_UINT32(cu_base, EEPRO100State),
1793         VMSTATE_UINT32(cu_offset, EEPRO100State),
1794         VMSTATE_UINT32(ru_base, EEPRO100State),
1795         VMSTATE_UINT32(ru_offset, EEPRO100State),
1796         VMSTATE_UINT32(statsaddr, EEPRO100State),
1797         /* Save eepro100_stats_t statistics. */
1798         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1799         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1800         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1801         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1802         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1803         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1804         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1805         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1806         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1807         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1808         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1809         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1810         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1811         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1812         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1813         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1814         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1815         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1816         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1817         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1818         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1819         /* Configuration bytes. */
1820         VMSTATE_BUFFER(configuration, EEPRO100State),
1821         VMSTATE_END_OF_LIST()
1822     }
1823 };
1824 
1825 static void pci_nic_uninit(PCIDevice *pci_dev)
1826 {
1827     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1828 
1829     vmstate_unregister(VMSTATE_IF(&pci_dev->qdev), s->vmstate, s);
1830     g_free(s->vmstate);
1831     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1832     qemu_del_nic(s->nic);
1833 }
1834 
1835 static NetClientInfo net_eepro100_info = {
1836     .type = NET_CLIENT_DRIVER_NIC,
1837     .size = sizeof(NICState),
1838     .receive = nic_receive,
1839 };
1840 
1841 static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
1842 {
1843     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1844     E100PCIDeviceInfo *info = eepro100_get_class(s);
1845     Error *local_err = NULL;
1846 
1847     TRACE(OTHER, logout("\n"));
1848 
1849     s->device = info->device;
1850 
1851     e100_pci_reset(s, &local_err);
1852     if (local_err) {
1853         error_propagate(errp, local_err);
1854         return;
1855     }
1856 
1857     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1858      * i82559 and later support 64 or 256 word EEPROM. */
1859     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1860 
1861     /* Handler for memory-mapped I/O */
1862     memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
1863                           "eepro100-mmio", PCI_MEM_SIZE);
1864     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1865     memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
1866                           "eepro100-io", PCI_IO_SIZE);
1867     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1868     /* FIXME: flash aliases to mmio?! */
1869     memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
1870                           "eepro100-flash", PCI_FLASH_SIZE);
1871     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1872 
1873     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1874     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1875 
1876     nic_reset(s);
1877 
1878     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1879                           object_get_typename(OBJECT(pci_dev)),
1880                           pci_dev->qdev.id,
1881                           &pci_dev->qdev.mem_reentrancy_guard, s);
1882 
1883     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1884     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1885 
1886     qemu_register_reset(nic_reset, s);
1887 
1888     s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
1889     s->vmstate->name = qemu_get_queue(s->nic)->model;
1890     vmstate_register_any(VMSTATE_IF(&pci_dev->qdev), s->vmstate, s);
1891 }
1892 
1893 static void eepro100_instance_init(Object *obj)
1894 {
1895     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
1896     device_add_bootindex_property(obj, &s->conf.bootindex,
1897                                   "bootindex", "/ethernet-phy@0",
1898                                   DEVICE(s));
1899 }
1900 
1901 static E100PCIDeviceInfo e100_devices[] = {
1902     {
1903         .name = "i82550",
1904         .desc = "Intel i82550 Ethernet",
1905         .device = i82550,
1906         /* TODO: check device id. */
1907         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1908         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1909         .revision = 0x0e,
1910         /* TODO: check size of statistical counters. */
1911         .stats_size = 80,
1912         /* TODO: check extended tcb support. */
1913         .has_extended_tcb_support = true,
1914         .power_management = true,
1915     },{
1916         .name = "i82551",
1917         .desc = "Intel i82551 Ethernet",
1918         .device = i82551,
1919         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1920         /* Revision ID: 0x0f, 0x10. */
1921         .revision = 0x0f,
1922         /* TODO: check size of statistical counters. */
1923         .stats_size = 80,
1924         .has_extended_tcb_support = true,
1925         .power_management = true,
1926     },{
1927         .name = "i82557a",
1928         .desc = "Intel i82557A Ethernet",
1929         .device = i82557A,
1930         .device_id = PCI_DEVICE_ID_INTEL_82557,
1931         .revision = 0x01,
1932         .power_management = false,
1933     },{
1934         .name = "i82557b",
1935         .desc = "Intel i82557B Ethernet",
1936         .device = i82557B,
1937         .device_id = PCI_DEVICE_ID_INTEL_82557,
1938         .revision = 0x02,
1939         .power_management = false,
1940     },{
1941         .name = "i82557c",
1942         .desc = "Intel i82557C Ethernet",
1943         .device = i82557C,
1944         .device_id = PCI_DEVICE_ID_INTEL_82557,
1945         .revision = 0x03,
1946         .power_management = false,
1947     },{
1948         .name = "i82558a",
1949         .desc = "Intel i82558A Ethernet",
1950         .device = i82558A,
1951         .device_id = PCI_DEVICE_ID_INTEL_82557,
1952         .revision = 0x04,
1953         .stats_size = 76,
1954         .has_extended_tcb_support = true,
1955         .power_management = true,
1956     },{
1957         .name = "i82558b",
1958         .desc = "Intel i82558B Ethernet",
1959         .device = i82558B,
1960         .device_id = PCI_DEVICE_ID_INTEL_82557,
1961         .revision = 0x05,
1962         .stats_size = 76,
1963         .has_extended_tcb_support = true,
1964         .power_management = true,
1965     },{
1966         .name = "i82559a",
1967         .desc = "Intel i82559A Ethernet",
1968         .device = i82559A,
1969         .device_id = PCI_DEVICE_ID_INTEL_82557,
1970         .revision = 0x06,
1971         .stats_size = 80,
1972         .has_extended_tcb_support = true,
1973         .power_management = true,
1974     },{
1975         .name = "i82559b",
1976         .desc = "Intel i82559B Ethernet",
1977         .device = i82559B,
1978         .device_id = PCI_DEVICE_ID_INTEL_82557,
1979         .revision = 0x07,
1980         .stats_size = 80,
1981         .has_extended_tcb_support = true,
1982         .power_management = true,
1983     },{
1984         .name = "i82559c",
1985         .desc = "Intel i82559C Ethernet",
1986         .device = i82559C,
1987         .device_id = PCI_DEVICE_ID_INTEL_82557,
1988 #if 0
1989         .revision = 0x08,
1990 #endif
1991         /* TODO: Windows wants revision id 0x0c. */
1992         .revision = 0x0c,
1993 #if EEPROM_SIZE > 0
1994         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
1995         .subsystem_id = 0x0040,
1996 #endif
1997         .stats_size = 80,
1998         .has_extended_tcb_support = true,
1999         .power_management = true,
2000     },{
2001         .name = "i82559er",
2002         .desc = "Intel i82559ER Ethernet",
2003         .device = i82559ER,
2004         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2005         .revision = 0x09,
2006         .stats_size = 80,
2007         .has_extended_tcb_support = true,
2008         .power_management = true,
2009     },{
2010         .name = "i82562",
2011         .desc = "Intel i82562 Ethernet",
2012         .device = i82562,
2013         /* TODO: check device id. */
2014         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2015         /* TODO: wrong revision id. */
2016         .revision = 0x0e,
2017         .stats_size = 80,
2018         .has_extended_tcb_support = true,
2019         .power_management = true,
2020     },{
2021         /* Toshiba Tecra 8200. */
2022         .name = "i82801",
2023         .desc = "Intel i82801 Ethernet",
2024         .device = i82801,
2025         .device_id = 0x2449,
2026         .revision = 0x03,
2027         .stats_size = 80,
2028         .has_extended_tcb_support = true,
2029         .power_management = true,
2030     }
2031 };
2032 
2033 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2034 {
2035     E100PCIDeviceInfo *info = NULL;
2036     int i;
2037 
2038     /* This is admittedly awkward but also temporary.  QOM allows for
2039      * parameterized typing and for subclassing both of which would suitable
2040      * handle what's going on here.  But class_data is already being used as
2041      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2042      * right now.  Once we merge the final QOM series, we can come back here and
2043      * do this in a much more elegant fashion.
2044      */
2045     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2046         if (strcmp(e100_devices[i].name, typename) == 0) {
2047             info = &e100_devices[i];
2048             break;
2049         }
2050     }
2051     assert(info != NULL);
2052 
2053     return info;
2054 }
2055 
2056 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2057 {
2058     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2059 }
2060 
2061 static Property e100_properties[] = {
2062     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2063     DEFINE_PROP_END_OF_LIST(),
2064 };
2065 
2066 static void eepro100_class_init(ObjectClass *klass, void *data)
2067 {
2068     DeviceClass *dc = DEVICE_CLASS(klass);
2069     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2070     E100PCIDeviceInfo *info;
2071 
2072     info = eepro100_get_class_by_name(object_class_get_name(klass));
2073 
2074     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
2075     device_class_set_props(dc, e100_properties);
2076     dc->desc = info->desc;
2077     k->vendor_id = PCI_VENDOR_ID_INTEL;
2078     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2079     k->romfile = "pxe-eepro100.rom";
2080     k->realize = e100_nic_realize;
2081     k->exit = pci_nic_uninit;
2082     k->device_id = info->device_id;
2083     k->revision = info->revision;
2084     k->subsystem_vendor_id = info->subsystem_vendor_id;
2085     k->subsystem_id = info->subsystem_id;
2086 }
2087 
2088 static void eepro100_register_types(void)
2089 {
2090     size_t i;
2091     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2092         TypeInfo type_info = {};
2093         E100PCIDeviceInfo *info = &e100_devices[i];
2094 
2095         type_info.name = info->name;
2096         type_info.parent = TYPE_PCI_DEVICE;
2097         type_info.class_init = eepro100_class_init;
2098         type_info.instance_size = sizeof(EEPRO100State);
2099         type_info.instance_init = eepro100_instance_init;
2100         type_info.interfaces = (InterfaceInfo[]) {
2101             { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2102             { },
2103         };
2104 
2105         type_register(&type_info);
2106     }
2107 }
2108 
2109 type_init(eepro100_register_types)
2110