xref: /openbmc/qemu/hw/net/eepro100.c (revision c39f95dc)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 2 of the License, or
12  * (at your option) version 3 or any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * Tested features (i82559):
23  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
24  *      Linux networking (i386) ok
25  *
26  * Untested:
27  *      Windows networking
28  *
29  * References:
30  *
31  * Intel 8255x 10/100 Mbps Ethernet Controller Family
32  * Open Source Software Developer Manual
33  *
34  * TODO:
35  *      * PHY emulation should be separated from nic emulation.
36  *        Most nic emulations could share the same phy code.
37  *      * i82550 is untested. It is programmed like the i82559.
38  *      * i82562 is untested. It is programmed like the i82559.
39  *      * Power management (i82558 and later) is not implemented.
40  *      * Wake-on-LAN is not implemented.
41  */
42 
43 #include "qemu/osdep.h"
44 #include "hw/hw.h"
45 #include "hw/pci/pci.h"
46 #include "net/net.h"
47 #include "hw/nvram/eeprom93xx.h"
48 #include "sysemu/sysemu.h"
49 #include "sysemu/dma.h"
50 #include "qemu/bitops.h"
51 #include "qapi/error.h"
52 
53 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
54  * Such frames are rejected by real nics and their emulations.
55  * To avoid this behaviour, other nic emulations pad received
56  * frames. The following definition enables this padding for
57  * eepro100, too. We keep the define around in case it might
58  * become useful the future if the core networking is ever
59  * changed to pad short packets itself. */
60 #define CONFIG_PAD_RECEIVED_FRAMES
61 
62 #define KiB 1024
63 
64 /* Debug EEPRO100 card. */
65 #if 0
66 # define DEBUG_EEPRO100
67 #endif
68 
69 #ifdef DEBUG_EEPRO100
70 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
71 #else
72 #define logout(fmt, ...) ((void)0)
73 #endif
74 
75 /* Set flags to 0 to disable debug output. */
76 #define INT     1       /* interrupt related actions */
77 #define MDI     1       /* mdi related actions */
78 #define OTHER   1
79 #define RXTX    1
80 #define EEPROM  1       /* eeprom related actions */
81 
82 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
83 
84 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
85 
86 #define MAX_ETH_FRAME_SIZE 1514
87 
88 /* This driver supports several different devices which are declared here. */
89 #define i82550          0x82550
90 #define i82551          0x82551
91 #define i82557A         0x82557a
92 #define i82557B         0x82557b
93 #define i82557C         0x82557c
94 #define i82558A         0x82558a
95 #define i82558B         0x82558b
96 #define i82559A         0x82559a
97 #define i82559B         0x82559b
98 #define i82559C         0x82559c
99 #define i82559ER        0x82559e
100 #define i82562          0x82562
101 #define i82801          0x82801
102 
103 /* Use 64 word EEPROM. TODO: could be a runtime option. */
104 #define EEPROM_SIZE     64
105 
106 #define PCI_MEM_SIZE            (4 * KiB)
107 #define PCI_IO_SIZE             64
108 #define PCI_FLASH_SIZE          (128 * KiB)
109 
110 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
111 
112 /* The SCB accepts the following controls for the Tx and Rx units: */
113 #define  CU_NOP         0x0000  /* No operation. */
114 #define  CU_START       0x0010  /* CU start. */
115 #define  CU_RESUME      0x0020  /* CU resume. */
116 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
117 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
118 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
119 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
120 #define  CU_SRESUME     0x00a0  /* CU static resume. */
121 
122 #define  RU_NOP         0x0000
123 #define  RX_START       0x0001
124 #define  RX_RESUME      0x0002
125 #define  RU_ABORT       0x0004
126 #define  RX_ADDR_LOAD   0x0006
127 #define  RX_RESUMENR    0x0007
128 #define INT_MASK        0x0100
129 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
130 
131 typedef struct {
132     const char *name;
133     const char *desc;
134     uint16_t device_id;
135     uint8_t revision;
136     uint16_t subsystem_vendor_id;
137     uint16_t subsystem_id;
138 
139     uint32_t device;
140     uint8_t stats_size;
141     bool has_extended_tcb_support;
142     bool power_management;
143 } E100PCIDeviceInfo;
144 
145 /* Offsets to the various registers.
146    All accesses need not be longword aligned. */
147 typedef enum {
148     SCBStatus = 0,              /* Status Word. */
149     SCBAck = 1,
150     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
151     SCBIntmask = 3,
152     SCBPointer = 4,             /* General purpose pointer. */
153     SCBPort = 8,                /* Misc. commands and operands.  */
154     SCBflash = 12,              /* Flash memory control. */
155     SCBeeprom = 14,             /* EEPROM control. */
156     SCBCtrlMDI = 16,            /* MDI interface control. */
157     SCBEarlyRx = 20,            /* Early receive byte count. */
158     SCBFlow = 24,               /* Flow Control. */
159     SCBpmdr = 27,               /* Power Management Driver. */
160     SCBgctrl = 28,              /* General Control. */
161     SCBgstat = 29,              /* General Status. */
162 } E100RegisterOffset;
163 
164 /* A speedo3 transmit buffer descriptor with two buffers... */
165 typedef struct {
166     uint16_t status;
167     uint16_t command;
168     uint32_t link;              /* void * */
169     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
170     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
171     uint8_t tx_threshold;       /* transmit threshold */
172     uint8_t tbd_count;          /* TBD number */
173 #if 0
174     /* This constitutes two "TBD" entries: hdr and data */
175     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
176     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
177     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
178     int32_t  tx_buf_size1;  /* Length of Tx data. */
179 #endif
180 } eepro100_tx_t;
181 
182 /* Receive frame descriptor. */
183 typedef struct {
184     int16_t status;
185     uint16_t command;
186     uint32_t link;              /* struct RxFD * */
187     uint32_t rx_buf_addr;       /* void * */
188     uint16_t count;
189     uint16_t size;
190     /* Ethernet frame data follows. */
191 } eepro100_rx_t;
192 
193 typedef enum {
194     COMMAND_EL = BIT(15),
195     COMMAND_S = BIT(14),
196     COMMAND_I = BIT(13),
197     COMMAND_NC = BIT(4),
198     COMMAND_SF = BIT(3),
199     COMMAND_CMD = BITS(2, 0),
200 } scb_command_bit;
201 
202 typedef enum {
203     STATUS_C = BIT(15),
204     STATUS_OK = BIT(13),
205 } scb_status_bit;
206 
207 typedef struct {
208     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
209              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
210              tx_multiple_collisions, tx_total_collisions;
211     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
212              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
213              rx_short_frame_errors;
214     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
215     uint16_t xmt_tco_frames, rcv_tco_frames;
216     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
217     uint32_t reserved[4];
218 } eepro100_stats_t;
219 
220 typedef enum {
221     cu_idle = 0,
222     cu_suspended = 1,
223     cu_active = 2,
224     cu_lpq_active = 2,
225     cu_hqp_active = 3
226 } cu_state_t;
227 
228 typedef enum {
229     ru_idle = 0,
230     ru_suspended = 1,
231     ru_no_resources = 2,
232     ru_ready = 4
233 } ru_state_t;
234 
235 typedef struct {
236     PCIDevice dev;
237     /* Hash register (multicast mask array, multiple individual addresses). */
238     uint8_t mult[8];
239     MemoryRegion mmio_bar;
240     MemoryRegion io_bar;
241     MemoryRegion flash_bar;
242     NICState *nic;
243     NICConf conf;
244     uint8_t scb_stat;           /* SCB stat/ack byte */
245     uint8_t int_stat;           /* PCI interrupt status */
246     /* region must not be saved by nic_save. */
247     uint16_t mdimem[32];
248     eeprom_t *eeprom;
249     uint32_t device;            /* device variant */
250     /* (cu_base + cu_offset) address the next command block in the command block list. */
251     uint32_t cu_base;           /* CU base address */
252     uint32_t cu_offset;         /* CU address offset */
253     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
254     uint32_t ru_base;           /* RU base address */
255     uint32_t ru_offset;         /* RU address offset */
256     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
257 
258     /* Temporary status information (no need to save these values),
259      * used while processing CU commands. */
260     eepro100_tx_t tx;           /* transmit buffer descriptor */
261     uint32_t cb_address;        /* = cu_base + cu_offset */
262 
263     /* Statistical counters. Also used for wake-up packet (i82559). */
264     eepro100_stats_t statistics;
265 
266     /* Data in mem is always in the byte order of the controller (le).
267      * It must be dword aligned to allow direct access to 32 bit values. */
268     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
269 
270     /* Configuration bytes. */
271     uint8_t configuration[22];
272 
273     /* vmstate for each particular nic */
274     VMStateDescription *vmstate;
275 
276     /* Quasi static device properties (no need to save them). */
277     uint16_t stats_size;
278     bool has_extended_tcb_support;
279 } EEPRO100State;
280 
281 /* Word indices in EEPROM. */
282 typedef enum {
283     EEPROM_CNFG_MDIX  = 0x03,
284     EEPROM_ID         = 0x05,
285     EEPROM_PHY_ID     = 0x06,
286     EEPROM_VENDOR_ID  = 0x0c,
287     EEPROM_CONFIG_ASF = 0x0d,
288     EEPROM_DEVICE_ID  = 0x23,
289     EEPROM_SMBUS_ADDR = 0x90,
290 } EEPROMOffset;
291 
292 /* Bit values for EEPROM ID word. */
293 typedef enum {
294     EEPROM_ID_MDM = BIT(0),     /* Modem */
295     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
296     EEPROM_ID_WMR = BIT(2),     /* ??? */
297     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
298     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
299     EEPROM_ID_ALT = BIT(7),     /* */
300     /* BITS(10, 8) device revision */
301     EEPROM_ID_BD = BIT(11),     /* boot disable */
302     EEPROM_ID_ID = BIT(13),     /* id bit */
303     /* BITS(15, 14) signature */
304     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
305 } eeprom_id_bit;
306 
307 /* Default values for MDI (PHY) registers */
308 static const uint16_t eepro100_mdi_default[] = {
309     /* MDI Registers 0 - 6, 7 */
310     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
311     /* MDI Registers 8 - 15 */
312     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
313     /* MDI Registers 16 - 31 */
314     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
315     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
316 };
317 
318 /* Readonly mask for MDI (PHY) registers */
319 static const uint16_t eepro100_mdi_mask[] = {
320     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
321     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
322     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
323     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
324 };
325 
326 #define POLYNOMIAL 0x04c11db6
327 
328 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
329 
330 /* From FreeBSD (locally modified). */
331 static unsigned e100_compute_mcast_idx(const uint8_t *ep)
332 {
333     uint32_t crc;
334     int carry, i, j;
335     uint8_t b;
336 
337     crc = 0xffffffff;
338     for (i = 0; i < 6; i++) {
339         b = *ep++;
340         for (j = 0; j < 8; j++) {
341             carry = ((crc & 0x80000000L) ? 1 : 0) ^ (b & 0x01);
342             crc <<= 1;
343             b >>= 1;
344             if (carry) {
345                 crc = ((crc ^ POLYNOMIAL) | carry);
346             }
347         }
348     }
349     return (crc & BITS(7, 2)) >> 2;
350 }
351 
352 /* Read a 16 bit control/status (CSR) register. */
353 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
354 {
355     assert(!((uintptr_t)&s->mem[addr] & 1));
356     return lduw_le_p(&s->mem[addr]);
357 }
358 
359 /* Read a 32 bit control/status (CSR) register. */
360 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
361 {
362     assert(!((uintptr_t)&s->mem[addr] & 3));
363     return ldl_le_p(&s->mem[addr]);
364 }
365 
366 /* Write a 16 bit control/status (CSR) register. */
367 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
368                             uint16_t val)
369 {
370     assert(!((uintptr_t)&s->mem[addr] & 1));
371     stw_le_p(&s->mem[addr], val);
372 }
373 
374 /* Read a 32 bit control/status (CSR) register. */
375 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
376                             uint32_t val)
377 {
378     assert(!((uintptr_t)&s->mem[addr] & 3));
379     stl_le_p(&s->mem[addr], val);
380 }
381 
382 #if defined(DEBUG_EEPRO100)
383 static const char *nic_dump(const uint8_t * buf, unsigned size)
384 {
385     static char dump[3 * 16 + 1];
386     char *p = &dump[0];
387     if (size > 16) {
388         size = 16;
389     }
390     while (size-- > 0) {
391         p += sprintf(p, " %02x", *buf++);
392     }
393     return dump;
394 }
395 #endif                          /* DEBUG_EEPRO100 */
396 
397 enum scb_stat_ack {
398     stat_ack_not_ours = 0x00,
399     stat_ack_sw_gen = 0x04,
400     stat_ack_rnr = 0x10,
401     stat_ack_cu_idle = 0x20,
402     stat_ack_frame_rx = 0x40,
403     stat_ack_cu_cmd_done = 0x80,
404     stat_ack_not_present = 0xFF,
405     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
406     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
407 };
408 
409 static void disable_interrupt(EEPRO100State * s)
410 {
411     if (s->int_stat) {
412         TRACE(INT, logout("interrupt disabled\n"));
413         pci_irq_deassert(&s->dev);
414         s->int_stat = 0;
415     }
416 }
417 
418 static void enable_interrupt(EEPRO100State * s)
419 {
420     if (!s->int_stat) {
421         TRACE(INT, logout("interrupt enabled\n"));
422         pci_irq_assert(&s->dev);
423         s->int_stat = 1;
424     }
425 }
426 
427 static void eepro100_acknowledge(EEPRO100State * s)
428 {
429     s->scb_stat &= ~s->mem[SCBAck];
430     s->mem[SCBAck] = s->scb_stat;
431     if (s->scb_stat == 0) {
432         disable_interrupt(s);
433     }
434 }
435 
436 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
437 {
438     uint8_t mask = ~s->mem[SCBIntmask];
439     s->mem[SCBAck] |= status;
440     status = s->scb_stat = s->mem[SCBAck];
441     status &= (mask | 0x0f);
442 #if 0
443     status &= (~s->mem[SCBIntmask] | 0x0xf);
444 #endif
445     if (status && (mask & 0x01)) {
446         /* SCB mask and SCB Bit M do not disable interrupt. */
447         enable_interrupt(s);
448     } else if (s->int_stat) {
449         disable_interrupt(s);
450     }
451 }
452 
453 static void eepro100_cx_interrupt(EEPRO100State * s)
454 {
455     /* CU completed action command. */
456     /* Transmit not ok (82557 only, not in emulation). */
457     eepro100_interrupt(s, 0x80);
458 }
459 
460 static void eepro100_cna_interrupt(EEPRO100State * s)
461 {
462     /* CU left the active state. */
463     eepro100_interrupt(s, 0x20);
464 }
465 
466 static void eepro100_fr_interrupt(EEPRO100State * s)
467 {
468     /* RU received a complete frame. */
469     eepro100_interrupt(s, 0x40);
470 }
471 
472 static void eepro100_rnr_interrupt(EEPRO100State * s)
473 {
474     /* RU is not ready. */
475     eepro100_interrupt(s, 0x10);
476 }
477 
478 static void eepro100_mdi_interrupt(EEPRO100State * s)
479 {
480     /* MDI completed read or write cycle. */
481     eepro100_interrupt(s, 0x08);
482 }
483 
484 static void eepro100_swi_interrupt(EEPRO100State * s)
485 {
486     /* Software has requested an interrupt. */
487     eepro100_interrupt(s, 0x04);
488 }
489 
490 #if 0
491 static void eepro100_fcp_interrupt(EEPRO100State * s)
492 {
493     /* Flow control pause interrupt (82558 and later). */
494     eepro100_interrupt(s, 0x01);
495 }
496 #endif
497 
498 static void e100_pci_reset(EEPRO100State *s, Error **errp)
499 {
500     E100PCIDeviceInfo *info = eepro100_get_class(s);
501     uint32_t device = s->device;
502     uint8_t *pci_conf = s->dev.config;
503 
504     TRACE(OTHER, logout("%p\n", s));
505 
506     /* PCI Status */
507     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
508                                         PCI_STATUS_FAST_BACK);
509     /* PCI Latency Timer */
510     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
511     /* Capability Pointer is set by PCI framework. */
512     /* Interrupt Line */
513     /* Interrupt Pin */
514     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
515     /* Minimum Grant */
516     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
517     /* Maximum Latency */
518     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
519 
520     s->stats_size = info->stats_size;
521     s->has_extended_tcb_support = info->has_extended_tcb_support;
522 
523     switch (device) {
524     case i82550:
525     case i82551:
526     case i82557A:
527     case i82557B:
528     case i82557C:
529     case i82558A:
530     case i82558B:
531     case i82559A:
532     case i82559B:
533     case i82559ER:
534     case i82562:
535     case i82801:
536     case i82559C:
537         break;
538     default:
539         logout("Device %X is undefined!\n", device);
540     }
541 
542     /* Standard TxCB. */
543     s->configuration[6] |= BIT(4);
544 
545     /* Standard statistical counters. */
546     s->configuration[6] |= BIT(5);
547 
548     if (s->stats_size == 80) {
549         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
550         if (s->configuration[6] & BIT(2)) {
551             /* TCO statistical counters. */
552             assert(s->configuration[6] & BIT(5));
553         } else {
554             if (s->configuration[6] & BIT(5)) {
555                 /* No extended statistical counters, i82557 compatible. */
556                 s->stats_size = 64;
557             } else {
558                 /* i82558 compatible. */
559                 s->stats_size = 76;
560             }
561         }
562     } else {
563         if (s->configuration[6] & BIT(5)) {
564             /* No extended statistical counters. */
565             s->stats_size = 64;
566         }
567     }
568     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
569 
570     if (info->power_management) {
571         /* Power Management Capabilities */
572         int cfg_offset = 0xdc;
573         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
574                                    cfg_offset, PCI_PM_SIZEOF,
575                                    errp);
576         if (r < 0) {
577             return;
578         }
579 
580         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
581 #if 0 /* TODO: replace dummy code for power management emulation. */
582         /* TODO: Power Management Control / Status. */
583         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
584         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
585         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
586 #endif
587     }
588 
589 #if EEPROM_SIZE > 0
590     if (device == i82557C || device == i82558B || device == i82559C) {
591         /*
592         TODO: get vendor id from EEPROM for i82557C or later.
593         TODO: get device id from EEPROM for i82557C or later.
594         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
595         TODO: header type is determined by EEPROM for i82559.
596         TODO: get subsystem id from EEPROM for i82557C or later.
597         TODO: get subsystem vendor id from EEPROM for i82557C or later.
598         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
599         TODO: capability pointer depends on EEPROM for i82558.
600         */
601         logout("Get device id and revision from EEPROM!!!\n");
602     }
603 #endif /* EEPROM_SIZE > 0 */
604 }
605 
606 static void nic_selective_reset(EEPRO100State * s)
607 {
608     size_t i;
609     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
610 #if 0
611     eeprom93xx_reset(s->eeprom);
612 #endif
613     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
614     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
615     if (s->device == i82557B || s->device == i82557C)
616         eeprom_contents[5] = 0x0100;
617     eeprom_contents[EEPROM_PHY_ID] = 1;
618     uint16_t sum = 0;
619     for (i = 0; i < EEPROM_SIZE - 1; i++) {
620         sum += eeprom_contents[i];
621     }
622     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
623     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
624 
625     memset(s->mem, 0, sizeof(s->mem));
626     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
627 
628     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
629     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
630 }
631 
632 static void nic_reset(void *opaque)
633 {
634     EEPRO100State *s = opaque;
635     TRACE(OTHER, logout("%p\n", s));
636     /* TODO: Clearing of hash register for selective reset, too? */
637     memset(&s->mult[0], 0, sizeof(s->mult));
638     nic_selective_reset(s);
639 }
640 
641 #if defined(DEBUG_EEPRO100)
642 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
643     "Command/Status",
644     "General Pointer",
645     "Port",
646     "EEPROM/Flash Control",
647     "MDI Control",
648     "Receive DMA Byte Count",
649     "Flow Control",
650     "General Status/Control"
651 };
652 
653 static char *regname(uint32_t addr)
654 {
655     static char buf[32];
656     if (addr < PCI_IO_SIZE) {
657         const char *r = e100_reg[addr / 4];
658         if (r != 0) {
659             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
660         } else {
661             snprintf(buf, sizeof(buf), "0x%02x", addr);
662         }
663     } else {
664         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
665     }
666     return buf;
667 }
668 #endif                          /* DEBUG_EEPRO100 */
669 
670 /*****************************************************************************
671  *
672  * Command emulation.
673  *
674  ****************************************************************************/
675 
676 #if 0
677 static uint16_t eepro100_read_command(EEPRO100State * s)
678 {
679     uint16_t val = 0xffff;
680     TRACE(OTHER, logout("val=0x%04x\n", val));
681     return val;
682 }
683 #endif
684 
685 /* Commands that can be put in a command list entry. */
686 enum commands {
687     CmdNOp = 0,
688     CmdIASetup = 1,
689     CmdConfigure = 2,
690     CmdMulticastList = 3,
691     CmdTx = 4,
692     CmdTDR = 5,                 /* load microcode */
693     CmdDump = 6,
694     CmdDiagnose = 7,
695 
696     /* And some extra flags: */
697     CmdSuspend = 0x4000,        /* Suspend after completion. */
698     CmdIntr = 0x2000,           /* Interrupt after completion. */
699     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
700 };
701 
702 static cu_state_t get_cu_state(EEPRO100State * s)
703 {
704     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
705 }
706 
707 static void set_cu_state(EEPRO100State * s, cu_state_t state)
708 {
709     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
710 }
711 
712 static ru_state_t get_ru_state(EEPRO100State * s)
713 {
714     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
715 }
716 
717 static void set_ru_state(EEPRO100State * s, ru_state_t state)
718 {
719     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
720 }
721 
722 static void dump_statistics(EEPRO100State * s)
723 {
724     /* Dump statistical data. Most data is never changed by the emulation
725      * and always 0, so we first just copy the whole block and then those
726      * values which really matter.
727      * Number of data should check configuration!!!
728      */
729     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
730     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
731                    s->statistics.tx_good_frames);
732     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
733                    s->statistics.rx_good_frames);
734     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
735                    s->statistics.rx_resource_errors);
736     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
737                    s->statistics.rx_short_frame_errors);
738 #if 0
739     stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
740     stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
741     missing("CU dump statistical counters");
742 #endif
743 }
744 
745 static void read_cb(EEPRO100State *s)
746 {
747     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
748     s->tx.status = le16_to_cpu(s->tx.status);
749     s->tx.command = le16_to_cpu(s->tx.command);
750     s->tx.link = le32_to_cpu(s->tx.link);
751     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
752     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
753 }
754 
755 static void tx_command(EEPRO100State *s)
756 {
757     uint32_t tbd_array = le32_to_cpu(s->tx.tbd_array_addr);
758     uint16_t tcb_bytes = (le16_to_cpu(s->tx.tcb_bytes) & 0x3fff);
759     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
760     uint8_t buf[2600];
761     uint16_t size = 0;
762     uint32_t tbd_address = s->cb_address + 0x10;
763     TRACE(RXTX, logout
764         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
765          tbd_array, tcb_bytes, s->tx.tbd_count));
766 
767     if (tcb_bytes > 2600) {
768         logout("TCB byte count too large, using 2600\n");
769         tcb_bytes = 2600;
770     }
771     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
772         logout
773             ("illegal values of TBD array address and TCB byte count!\n");
774     }
775     assert(tcb_bytes <= sizeof(buf));
776     while (size < tcb_bytes) {
777         uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
778         uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
779 #if 0
780         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
781 #endif
782         if (tx_buffer_size == 0) {
783             /* Prevent an endless loop. */
784             logout("loop in %s:%u\n", __FILE__, __LINE__);
785             break;
786         }
787         tbd_address += 8;
788         TRACE(RXTX, logout
789             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
790              tx_buffer_address, tx_buffer_size));
791         tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
792         pci_dma_read(&s->dev, tx_buffer_address, &buf[size], tx_buffer_size);
793         size += tx_buffer_size;
794     }
795     if (tbd_array == 0xffffffff) {
796         /* Simplified mode. Was already handled by code above. */
797     } else {
798         /* Flexible mode. */
799         uint8_t tbd_count = 0;
800         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
801             /* Extended Flexible TCB. */
802             for (; tbd_count < 2; tbd_count++) {
803                 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
804                                                             tbd_address);
805                 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
806                                                           tbd_address + 4);
807                 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
808                                                         tbd_address + 6);
809                 tbd_address += 8;
810                 TRACE(RXTX, logout
811                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
812                      tx_buffer_address, tx_buffer_size));
813                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
814                 pci_dma_read(&s->dev, tx_buffer_address,
815                              &buf[size], tx_buffer_size);
816                 size += tx_buffer_size;
817                 if (tx_buffer_el & 1) {
818                     break;
819                 }
820             }
821         }
822         tbd_address = tbd_array;
823         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
824             uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
825             uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
826             uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
827             tbd_address += 8;
828             TRACE(RXTX, logout
829                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
830                  tx_buffer_address, tx_buffer_size));
831             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
832             pci_dma_read(&s->dev, tx_buffer_address,
833                          &buf[size], tx_buffer_size);
834             size += tx_buffer_size;
835             if (tx_buffer_el & 1) {
836                 break;
837             }
838         }
839     }
840     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
841     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
842     s->statistics.tx_good_frames++;
843     /* Transmit with bad status would raise an CX/TNO interrupt.
844      * (82557 only). Emulation never has bad status. */
845 #if 0
846     eepro100_cx_interrupt(s);
847 #endif
848 }
849 
850 static void set_multicast_list(EEPRO100State *s)
851 {
852     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
853     uint16_t i;
854     memset(&s->mult[0], 0, sizeof(s->mult));
855     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
856     for (i = 0; i < multicast_count; i += 6) {
857         uint8_t multicast_addr[6];
858         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
859         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
860         unsigned mcast_idx = e100_compute_mcast_idx(multicast_addr);
861         assert(mcast_idx < 64);
862         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
863     }
864 }
865 
866 static void action_command(EEPRO100State *s)
867 {
868     /* The loop below won't stop if it gets special handcrafted data.
869        Therefore we limit the number of iterations. */
870     unsigned max_loop_count = 16;
871 
872     for (;;) {
873         bool bit_el;
874         bool bit_s;
875         bool bit_i;
876         bool bit_nc;
877         uint16_t ok_status = STATUS_OK;
878         s->cb_address = s->cu_base + s->cu_offset;
879         read_cb(s);
880         bit_el = ((s->tx.command & COMMAND_EL) != 0);
881         bit_s = ((s->tx.command & COMMAND_S) != 0);
882         bit_i = ((s->tx.command & COMMAND_I) != 0);
883         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
884 #if 0
885         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
886 #endif
887 
888         if (max_loop_count-- == 0) {
889             /* Prevent an endless loop. */
890             logout("loop in %s:%u\n", __FILE__, __LINE__);
891             break;
892         }
893 
894         s->cu_offset = s->tx.link;
895         TRACE(OTHER,
896               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
897                      s->tx.status, s->tx.command, s->tx.link));
898         switch (s->tx.command & COMMAND_CMD) {
899         case CmdNOp:
900             /* Do nothing. */
901             break;
902         case CmdIASetup:
903             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
904             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
905             break;
906         case CmdConfigure:
907             pci_dma_read(&s->dev, s->cb_address + 8,
908                          &s->configuration[0], sizeof(s->configuration));
909             TRACE(OTHER, logout("configuration: %s\n",
910                                 nic_dump(&s->configuration[0], 16)));
911             TRACE(OTHER, logout("configuration: %s\n",
912                                 nic_dump(&s->configuration[16],
913                                 ARRAY_SIZE(s->configuration) - 16)));
914             if (s->configuration[20] & BIT(6)) {
915                 TRACE(OTHER, logout("Multiple IA bit\n"));
916             }
917             break;
918         case CmdMulticastList:
919             set_multicast_list(s);
920             break;
921         case CmdTx:
922             if (bit_nc) {
923                 missing("CmdTx: NC = 0");
924                 ok_status = 0;
925                 break;
926             }
927             tx_command(s);
928             break;
929         case CmdTDR:
930             TRACE(OTHER, logout("load microcode\n"));
931             /* Starting with offset 8, the command contains
932              * 64 dwords microcode which we just ignore here. */
933             break;
934         case CmdDiagnose:
935             TRACE(OTHER, logout("diagnose\n"));
936             /* Make sure error flag is not set. */
937             s->tx.status = 0;
938             break;
939         default:
940             missing("undefined command");
941             ok_status = 0;
942             break;
943         }
944         /* Write new status. */
945         stw_le_pci_dma(&s->dev, s->cb_address,
946                        s->tx.status | ok_status | STATUS_C);
947         if (bit_i) {
948             /* CU completed action. */
949             eepro100_cx_interrupt(s);
950         }
951         if (bit_el) {
952             /* CU becomes idle. Terminate command loop. */
953             set_cu_state(s, cu_idle);
954             eepro100_cna_interrupt(s);
955             break;
956         } else if (bit_s) {
957             /* CU becomes suspended. Terminate command loop. */
958             set_cu_state(s, cu_suspended);
959             eepro100_cna_interrupt(s);
960             break;
961         } else {
962             /* More entries in list. */
963             TRACE(OTHER, logout("CU list with at least one more entry\n"));
964         }
965     }
966     TRACE(OTHER, logout("CU list empty\n"));
967     /* List is empty. Now CU is idle or suspended. */
968 }
969 
970 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
971 {
972     cu_state_t cu_state;
973     switch (val) {
974     case CU_NOP:
975         /* No operation. */
976         break;
977     case CU_START:
978         cu_state = get_cu_state(s);
979         if (cu_state != cu_idle && cu_state != cu_suspended) {
980             /* Intel documentation says that CU must be idle or suspended
981              * for the CU start command. */
982             logout("unexpected CU state is %u\n", cu_state);
983         }
984         set_cu_state(s, cu_active);
985         s->cu_offset = e100_read_reg4(s, SCBPointer);
986         action_command(s);
987         break;
988     case CU_RESUME:
989         if (get_cu_state(s) != cu_suspended) {
990             logout("bad CU resume from CU state %u\n", get_cu_state(s));
991             /* Workaround for bad Linux eepro100 driver which resumes
992              * from idle state. */
993 #if 0
994             missing("cu resume");
995 #endif
996             set_cu_state(s, cu_suspended);
997         }
998         if (get_cu_state(s) == cu_suspended) {
999             TRACE(OTHER, logout("CU resuming\n"));
1000             set_cu_state(s, cu_active);
1001             action_command(s);
1002         }
1003         break;
1004     case CU_STATSADDR:
1005         /* Load dump counters address. */
1006         s->statsaddr = e100_read_reg4(s, SCBPointer);
1007         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
1008         if (s->statsaddr & 3) {
1009             /* Memory must be Dword aligned. */
1010             logout("unaligned dump counters address\n");
1011             /* Handling of misaligned addresses is undefined.
1012              * Here we align the address by ignoring the lower bits. */
1013             /* TODO: Test unaligned dump counter address on real hardware. */
1014             s->statsaddr &= ~3;
1015         }
1016         break;
1017     case CU_SHOWSTATS:
1018         /* Dump statistical counters. */
1019         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
1020         dump_statistics(s);
1021         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
1022         break;
1023     case CU_CMD_BASE:
1024         /* Load CU base. */
1025         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
1026         s->cu_base = e100_read_reg4(s, SCBPointer);
1027         break;
1028     case CU_DUMPSTATS:
1029         /* Dump and reset statistical counters. */
1030         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
1031         dump_statistics(s);
1032         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
1033         memset(&s->statistics, 0, sizeof(s->statistics));
1034         break;
1035     case CU_SRESUME:
1036         /* CU static resume. */
1037         missing("CU static resume");
1038         break;
1039     default:
1040         missing("Undefined CU command");
1041     }
1042 }
1043 
1044 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1045 {
1046     switch (val) {
1047     case RU_NOP:
1048         /* No operation. */
1049         break;
1050     case RX_START:
1051         /* RU start. */
1052         if (get_ru_state(s) != ru_idle) {
1053             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1054 #if 0
1055             assert(!"wrong RU state");
1056 #endif
1057         }
1058         set_ru_state(s, ru_ready);
1059         s->ru_offset = e100_read_reg4(s, SCBPointer);
1060         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1061         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1062         break;
1063     case RX_RESUME:
1064         /* Restart RU. */
1065         if (get_ru_state(s) != ru_suspended) {
1066             logout("RU state is %u, should be %u\n", get_ru_state(s),
1067                    ru_suspended);
1068 #if 0
1069             assert(!"wrong RU state");
1070 #endif
1071         }
1072         set_ru_state(s, ru_ready);
1073         break;
1074     case RU_ABORT:
1075         /* RU abort. */
1076         if (get_ru_state(s) == ru_ready) {
1077             eepro100_rnr_interrupt(s);
1078         }
1079         set_ru_state(s, ru_idle);
1080         break;
1081     case RX_ADDR_LOAD:
1082         /* Load RU base. */
1083         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1084         s->ru_base = e100_read_reg4(s, SCBPointer);
1085         break;
1086     default:
1087         logout("val=0x%02x (undefined RU command)\n", val);
1088         missing("Undefined SU command");
1089     }
1090 }
1091 
1092 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1093 {
1094     eepro100_ru_command(s, val & 0x0f);
1095     eepro100_cu_command(s, val & 0xf0);
1096     if ((val) == 0) {
1097         TRACE(OTHER, logout("val=0x%02x\n", val));
1098     }
1099     /* Clear command byte after command was accepted. */
1100     s->mem[SCBCmd] = 0;
1101 }
1102 
1103 /*****************************************************************************
1104  *
1105  * EEPROM emulation.
1106  *
1107  ****************************************************************************/
1108 
1109 #define EEPROM_CS       0x02
1110 #define EEPROM_SK       0x01
1111 #define EEPROM_DI       0x04
1112 #define EEPROM_DO       0x08
1113 
1114 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1115 {
1116     uint16_t val = e100_read_reg2(s, SCBeeprom);
1117     if (eeprom93xx_read(s->eeprom)) {
1118         val |= EEPROM_DO;
1119     } else {
1120         val &= ~EEPROM_DO;
1121     }
1122     TRACE(EEPROM, logout("val=0x%04x\n", val));
1123     return val;
1124 }
1125 
1126 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1127 {
1128     TRACE(EEPROM, logout("val=0x%02x\n", val));
1129 
1130     /* mask unwritable bits */
1131 #if 0
1132     val = SET_MASKED(val, 0x31, eeprom->value);
1133 #endif
1134 
1135     int eecs = ((val & EEPROM_CS) != 0);
1136     int eesk = ((val & EEPROM_SK) != 0);
1137     int eedi = ((val & EEPROM_DI) != 0);
1138     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1139 }
1140 
1141 /*****************************************************************************
1142  *
1143  * MDI emulation.
1144  *
1145  ****************************************************************************/
1146 
1147 #if defined(DEBUG_EEPRO100)
1148 static const char * const mdi_op_name[] = {
1149     "opcode 0",
1150     "write",
1151     "read",
1152     "opcode 3"
1153 };
1154 
1155 static const char * const mdi_reg_name[] = {
1156     "Control",
1157     "Status",
1158     "PHY Identification (Word 1)",
1159     "PHY Identification (Word 2)",
1160     "Auto-Negotiation Advertisement",
1161     "Auto-Negotiation Link Partner Ability",
1162     "Auto-Negotiation Expansion"
1163 };
1164 
1165 static const char *reg2name(uint8_t reg)
1166 {
1167     static char buffer[10];
1168     const char *p = buffer;
1169     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1170         p = mdi_reg_name[reg];
1171     } else {
1172         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1173     }
1174     return p;
1175 }
1176 #endif                          /* DEBUG_EEPRO100 */
1177 
1178 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1179 {
1180     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1181 
1182 #ifdef DEBUG_EEPRO100
1183     uint8_t raiseint = (val & BIT(29)) >> 29;
1184     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1185     uint8_t phy = (val & BITS(25, 21)) >> 21;
1186     uint8_t reg = (val & BITS(20, 16)) >> 16;
1187     uint16_t data = (val & BITS(15, 0));
1188 #endif
1189     /* Emulation takes no time to finish MDI transaction. */
1190     val |= BIT(28);
1191     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1192                       val, raiseint, mdi_op_name[opcode], phy,
1193                       reg2name(reg), data));
1194     return val;
1195 }
1196 
1197 static void eepro100_write_mdi(EEPRO100State *s)
1198 {
1199     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1200     uint8_t raiseint = (val & BIT(29)) >> 29;
1201     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1202     uint8_t phy = (val & BITS(25, 21)) >> 21;
1203     uint8_t reg = (val & BITS(20, 16)) >> 16;
1204     uint16_t data = (val & BITS(15, 0));
1205     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1206           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1207     if (phy != 1) {
1208         /* Unsupported PHY address. */
1209 #if 0
1210         logout("phy must be 1 but is %u\n", phy);
1211 #endif
1212         data = 0;
1213     } else if (opcode != 1 && opcode != 2) {
1214         /* Unsupported opcode. */
1215         logout("opcode must be 1 or 2 but is %u\n", opcode);
1216         data = 0;
1217     } else if (reg > 6) {
1218         /* Unsupported register. */
1219         logout("register must be 0...6 but is %u\n", reg);
1220         data = 0;
1221     } else {
1222         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1223                           val, raiseint, mdi_op_name[opcode], phy,
1224                           reg2name(reg), data));
1225         if (opcode == 1) {
1226             /* MDI write */
1227             switch (reg) {
1228             case 0:            /* Control Register */
1229                 if (data & 0x8000) {
1230                     /* Reset status and control registers to default. */
1231                     s->mdimem[0] = eepro100_mdi_default[0];
1232                     s->mdimem[1] = eepro100_mdi_default[1];
1233                     data = s->mdimem[reg];
1234                 } else {
1235                     /* Restart Auto Configuration = Normal Operation */
1236                     data &= ~0x0200;
1237                 }
1238                 break;
1239             case 1:            /* Status Register */
1240                 missing("not writable");
1241                 break;
1242             case 2:            /* PHY Identification Register (Word 1) */
1243             case 3:            /* PHY Identification Register (Word 2) */
1244                 missing("not implemented");
1245                 break;
1246             case 4:            /* Auto-Negotiation Advertisement Register */
1247             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1248                 break;
1249             case 6:            /* Auto-Negotiation Expansion Register */
1250             default:
1251                 missing("not implemented");
1252             }
1253             s->mdimem[reg] &= eepro100_mdi_mask[reg];
1254             s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
1255         } else if (opcode == 2) {
1256             /* MDI read */
1257             switch (reg) {
1258             case 0:            /* Control Register */
1259                 if (data & 0x8000) {
1260                     /* Reset status and control registers to default. */
1261                     s->mdimem[0] = eepro100_mdi_default[0];
1262                     s->mdimem[1] = eepro100_mdi_default[1];
1263                 }
1264                 break;
1265             case 1:            /* Status Register */
1266                 s->mdimem[reg] |= 0x0020;
1267                 break;
1268             case 2:            /* PHY Identification Register (Word 1) */
1269             case 3:            /* PHY Identification Register (Word 2) */
1270             case 4:            /* Auto-Negotiation Advertisement Register */
1271                 break;
1272             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1273                 s->mdimem[reg] = 0x41fe;
1274                 break;
1275             case 6:            /* Auto-Negotiation Expansion Register */
1276                 s->mdimem[reg] = 0x0001;
1277                 break;
1278             }
1279             data = s->mdimem[reg];
1280         }
1281         /* Emulation takes no time to finish MDI transaction.
1282          * Set MDI bit in SCB status register. */
1283         s->mem[SCBAck] |= 0x08;
1284         val |= BIT(28);
1285         if (raiseint) {
1286             eepro100_mdi_interrupt(s);
1287         }
1288     }
1289     val = (val & 0xffff0000) + data;
1290     e100_write_reg4(s, SCBCtrlMDI, val);
1291 }
1292 
1293 /*****************************************************************************
1294  *
1295  * Port emulation.
1296  *
1297  ****************************************************************************/
1298 
1299 #define PORT_SOFTWARE_RESET     0
1300 #define PORT_SELFTEST           1
1301 #define PORT_SELECTIVE_RESET    2
1302 #define PORT_DUMP               3
1303 #define PORT_SELECTION_MASK     3
1304 
1305 typedef struct {
1306     uint32_t st_sign;           /* Self Test Signature */
1307     uint32_t st_result;         /* Self Test Results */
1308 } eepro100_selftest_t;
1309 
1310 static uint32_t eepro100_read_port(EEPRO100State * s)
1311 {
1312     return 0;
1313 }
1314 
1315 static void eepro100_write_port(EEPRO100State *s)
1316 {
1317     uint32_t val = e100_read_reg4(s, SCBPort);
1318     uint32_t address = (val & ~PORT_SELECTION_MASK);
1319     uint8_t selection = (val & PORT_SELECTION_MASK);
1320     switch (selection) {
1321     case PORT_SOFTWARE_RESET:
1322         nic_reset(s);
1323         break;
1324     case PORT_SELFTEST:
1325         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1326         eepro100_selftest_t data;
1327         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1328         data.st_sign = 0xffffffff;
1329         data.st_result = 0;
1330         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1331         break;
1332     case PORT_SELECTIVE_RESET:
1333         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1334         nic_selective_reset(s);
1335         break;
1336     default:
1337         logout("val=0x%08x\n", val);
1338         missing("unknown port selection");
1339     }
1340 }
1341 
1342 /*****************************************************************************
1343  *
1344  * General hardware emulation.
1345  *
1346  ****************************************************************************/
1347 
1348 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1349 {
1350     uint8_t val = 0;
1351     if (addr <= sizeof(s->mem) - sizeof(val)) {
1352         val = s->mem[addr];
1353     }
1354 
1355     switch (addr) {
1356     case SCBStatus:
1357     case SCBAck:
1358         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1359         break;
1360     case SCBCmd:
1361         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1362 #if 0
1363         val = eepro100_read_command(s);
1364 #endif
1365         break;
1366     case SCBIntmask:
1367         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1368         break;
1369     case SCBPort + 3:
1370         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1371         break;
1372     case SCBeeprom:
1373         val = eepro100_read_eeprom(s);
1374         break;
1375     case SCBCtrlMDI:
1376     case SCBCtrlMDI + 1:
1377     case SCBCtrlMDI + 2:
1378     case SCBCtrlMDI + 3:
1379         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1380         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1381         break;
1382     case SCBpmdr:       /* Power Management Driver Register */
1383         val = 0;
1384         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1385         break;
1386     case SCBgctrl:      /* General Control Register */
1387         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1388         break;
1389     case SCBgstat:      /* General Status Register */
1390         /* 100 Mbps full duplex, valid link */
1391         val = 0x07;
1392         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1393         break;
1394     default:
1395         logout("addr=%s val=0x%02x\n", regname(addr), val);
1396         missing("unknown byte read");
1397     }
1398     return val;
1399 }
1400 
1401 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1402 {
1403     uint16_t val = 0;
1404     if (addr <= sizeof(s->mem) - sizeof(val)) {
1405         val = e100_read_reg2(s, addr);
1406     }
1407 
1408     switch (addr) {
1409     case SCBStatus:
1410     case SCBCmd:
1411         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1412         break;
1413     case SCBeeprom:
1414         val = eepro100_read_eeprom(s);
1415         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1416         break;
1417     case SCBCtrlMDI:
1418     case SCBCtrlMDI + 2:
1419         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1420         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1421         break;
1422     default:
1423         logout("addr=%s val=0x%04x\n", regname(addr), val);
1424         missing("unknown word read");
1425     }
1426     return val;
1427 }
1428 
1429 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1430 {
1431     uint32_t val = 0;
1432     if (addr <= sizeof(s->mem) - sizeof(val)) {
1433         val = e100_read_reg4(s, addr);
1434     }
1435 
1436     switch (addr) {
1437     case SCBStatus:
1438         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1439         break;
1440     case SCBPointer:
1441         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1442         break;
1443     case SCBPort:
1444         val = eepro100_read_port(s);
1445         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1446         break;
1447     case SCBflash:
1448         val = eepro100_read_eeprom(s);
1449         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1450         break;
1451     case SCBCtrlMDI:
1452         val = eepro100_read_mdi(s);
1453         break;
1454     default:
1455         logout("addr=%s val=0x%08x\n", regname(addr), val);
1456         missing("unknown longword read");
1457     }
1458     return val;
1459 }
1460 
1461 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1462 {
1463     /* SCBStatus is readonly. */
1464     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1465         s->mem[addr] = val;
1466     }
1467 
1468     switch (addr) {
1469     case SCBStatus:
1470         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1471         break;
1472     case SCBAck:
1473         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1474         eepro100_acknowledge(s);
1475         break;
1476     case SCBCmd:
1477         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1478         eepro100_write_command(s, val);
1479         break;
1480     case SCBIntmask:
1481         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1482         if (val & BIT(1)) {
1483             eepro100_swi_interrupt(s);
1484         }
1485         eepro100_interrupt(s, 0);
1486         break;
1487     case SCBPointer:
1488     case SCBPointer + 1:
1489     case SCBPointer + 2:
1490     case SCBPointer + 3:
1491         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1492         break;
1493     case SCBPort:
1494     case SCBPort + 1:
1495     case SCBPort + 2:
1496         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1497         break;
1498     case SCBPort + 3:
1499         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1500         eepro100_write_port(s);
1501         break;
1502     case SCBFlow:       /* does not exist on 82557 */
1503     case SCBFlow + 1:
1504     case SCBFlow + 2:
1505     case SCBpmdr:       /* does not exist on 82557 */
1506         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1507         break;
1508     case SCBeeprom:
1509         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1510         eepro100_write_eeprom(s->eeprom, val);
1511         break;
1512     case SCBCtrlMDI:
1513     case SCBCtrlMDI + 1:
1514     case SCBCtrlMDI + 2:
1515         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1516         break;
1517     case SCBCtrlMDI + 3:
1518         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1519         eepro100_write_mdi(s);
1520         break;
1521     default:
1522         logout("addr=%s val=0x%02x\n", regname(addr), val);
1523         missing("unknown byte write");
1524     }
1525 }
1526 
1527 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1528 {
1529     /* SCBStatus is readonly. */
1530     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1531         e100_write_reg2(s, addr, val);
1532     }
1533 
1534     switch (addr) {
1535     case SCBStatus:
1536         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1537         s->mem[SCBAck] = (val >> 8);
1538         eepro100_acknowledge(s);
1539         break;
1540     case SCBCmd:
1541         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1542         eepro100_write_command(s, val);
1543         eepro100_write1(s, SCBIntmask, val >> 8);
1544         break;
1545     case SCBPointer:
1546     case SCBPointer + 2:
1547         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1548         break;
1549     case SCBPort:
1550         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1551         break;
1552     case SCBPort + 2:
1553         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1554         eepro100_write_port(s);
1555         break;
1556     case SCBeeprom:
1557         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1558         eepro100_write_eeprom(s->eeprom, val);
1559         break;
1560     case SCBCtrlMDI:
1561         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1562         break;
1563     case SCBCtrlMDI + 2:
1564         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1565         eepro100_write_mdi(s);
1566         break;
1567     default:
1568         logout("addr=%s val=0x%04x\n", regname(addr), val);
1569         missing("unknown word write");
1570     }
1571 }
1572 
1573 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1574 {
1575     if (addr <= sizeof(s->mem) - sizeof(val)) {
1576         e100_write_reg4(s, addr, val);
1577     }
1578 
1579     switch (addr) {
1580     case SCBPointer:
1581         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1582         break;
1583     case SCBPort:
1584         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1585         eepro100_write_port(s);
1586         break;
1587     case SCBflash:
1588         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1589         val = val >> 16;
1590         eepro100_write_eeprom(s->eeprom, val);
1591         break;
1592     case SCBCtrlMDI:
1593         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1594         eepro100_write_mdi(s);
1595         break;
1596     default:
1597         logout("addr=%s val=0x%08x\n", regname(addr), val);
1598         missing("unknown longword write");
1599     }
1600 }
1601 
1602 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1603                               unsigned size)
1604 {
1605     EEPRO100State *s = opaque;
1606 
1607     switch (size) {
1608     case 1: return eepro100_read1(s, addr);
1609     case 2: return eepro100_read2(s, addr);
1610     case 4: return eepro100_read4(s, addr);
1611     default: abort();
1612     }
1613 }
1614 
1615 static void eepro100_write(void *opaque, hwaddr addr,
1616                            uint64_t data, unsigned size)
1617 {
1618     EEPRO100State *s = opaque;
1619 
1620     switch (size) {
1621     case 1:
1622         eepro100_write1(s, addr, data);
1623         break;
1624     case 2:
1625         eepro100_write2(s, addr, data);
1626         break;
1627     case 4:
1628         eepro100_write4(s, addr, data);
1629         break;
1630     default:
1631         abort();
1632     }
1633 }
1634 
1635 static const MemoryRegionOps eepro100_ops = {
1636     .read = eepro100_read,
1637     .write = eepro100_write,
1638     .endianness = DEVICE_LITTLE_ENDIAN,
1639 };
1640 
1641 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1642 {
1643     /* TODO:
1644      * - Magic packets should set bit 30 in power management driver register.
1645      * - Interesting packets should set bit 29 in power management driver register.
1646      */
1647     EEPRO100State *s = qemu_get_nic_opaque(nc);
1648     uint16_t rfd_status = 0xa000;
1649 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1650     uint8_t min_buf[60];
1651 #endif
1652     static const uint8_t broadcast_macaddr[6] =
1653         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1654 
1655 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1656     /* Pad to minimum Ethernet frame length */
1657     if (size < sizeof(min_buf)) {
1658         memcpy(min_buf, buf, size);
1659         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1660         buf = min_buf;
1661         size = sizeof(min_buf);
1662     }
1663 #endif
1664 
1665     if (s->configuration[8] & 0x80) {
1666         /* CSMA is disabled. */
1667         logout("%p received while CSMA is disabled\n", s);
1668         return -1;
1669 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1670     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1671         /* Short frame and configuration byte 7/0 (discard short receive) set:
1672          * Short frame is discarded */
1673         logout("%p received short frame (%zu byte)\n", s, size);
1674         s->statistics.rx_short_frame_errors++;
1675         return -1;
1676 #endif
1677     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1678         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1679          * Long frames are discarded. */
1680         logout("%p received long frame (%zu byte), ignored\n", s, size);
1681         return -1;
1682     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1683         /* Frame matches individual address. */
1684         /* TODO: check configuration byte 15/4 (ignore U/L). */
1685         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1686     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1687         /* Broadcast frame. */
1688         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1689         rfd_status |= 0x0002;
1690     } else if (buf[0] & 0x01) {
1691         /* Multicast frame. */
1692         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1693         if (s->configuration[21] & BIT(3)) {
1694           /* Multicast all bit is set, receive all multicast frames. */
1695         } else {
1696           unsigned mcast_idx = e100_compute_mcast_idx(buf);
1697           assert(mcast_idx < 64);
1698           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1699             /* Multicast frame is allowed in hash table. */
1700           } else if (s->configuration[15] & BIT(0)) {
1701               /* Promiscuous: receive all. */
1702               rfd_status |= 0x0004;
1703           } else {
1704               TRACE(RXTX, logout("%p multicast ignored\n", s));
1705               return -1;
1706           }
1707         }
1708         /* TODO: Next not for promiscuous mode? */
1709         rfd_status |= 0x0002;
1710     } else if (s->configuration[15] & BIT(0)) {
1711         /* Promiscuous: receive all. */
1712         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1713         rfd_status |= 0x0004;
1714     } else if (s->configuration[20] & BIT(6)) {
1715         /* Multiple IA bit set. */
1716         unsigned mcast_idx = compute_mcast_idx(buf);
1717         assert(mcast_idx < 64);
1718         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1719             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1720         } else {
1721             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1722             return -1;
1723         }
1724     } else {
1725         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1726               nic_dump(buf, size)));
1727         return size;
1728     }
1729 
1730     if (get_ru_state(s) != ru_ready) {
1731         /* No resources available. */
1732         logout("no resources, state=%u\n", get_ru_state(s));
1733         /* TODO: RNR interrupt only at first failed frame? */
1734         eepro100_rnr_interrupt(s);
1735         s->statistics.rx_resource_errors++;
1736 #if 0
1737         assert(!"no resources");
1738 #endif
1739         return -1;
1740     }
1741     /* !!! */
1742     eepro100_rx_t rx;
1743     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1744                  &rx, sizeof(eepro100_rx_t));
1745     uint16_t rfd_command = le16_to_cpu(rx.command);
1746     uint16_t rfd_size = le16_to_cpu(rx.size);
1747 
1748     if (size > rfd_size) {
1749         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1750             "(%zu bytes); data truncated\n", rfd_size, size);
1751         size = rfd_size;
1752     }
1753 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1754     if (size < 64) {
1755         rfd_status |= 0x0080;
1756     }
1757 #endif
1758     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1759           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1760     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1761                 offsetof(eepro100_rx_t, status), rfd_status);
1762     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1763                 offsetof(eepro100_rx_t, count), size);
1764     /* Early receive interrupt not supported. */
1765 #if 0
1766     eepro100_er_interrupt(s);
1767 #endif
1768     /* Receive CRC Transfer not supported. */
1769     if (s->configuration[18] & BIT(2)) {
1770         missing("Receive CRC Transfer");
1771         return -1;
1772     }
1773     /* TODO: check stripping enable bit. */
1774 #if 0
1775     assert(!(s->configuration[17] & BIT(0)));
1776 #endif
1777     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1778                   sizeof(eepro100_rx_t), buf, size);
1779     s->statistics.rx_good_frames++;
1780     eepro100_fr_interrupt(s);
1781     s->ru_offset = le32_to_cpu(rx.link);
1782     if (rfd_command & COMMAND_EL) {
1783         /* EL bit is set, so this was the last frame. */
1784         logout("receive: Running out of frames\n");
1785         set_ru_state(s, ru_no_resources);
1786         eepro100_rnr_interrupt(s);
1787     }
1788     if (rfd_command & COMMAND_S) {
1789         /* S bit is set. */
1790         set_ru_state(s, ru_suspended);
1791     }
1792     return size;
1793 }
1794 
1795 static const VMStateDescription vmstate_eepro100 = {
1796     .version_id = 3,
1797     .minimum_version_id = 2,
1798     .fields = (VMStateField[]) {
1799         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1800         VMSTATE_UNUSED(32),
1801         VMSTATE_BUFFER(mult, EEPRO100State),
1802         VMSTATE_BUFFER(mem, EEPRO100State),
1803         /* Save all members of struct between scb_stat and mem. */
1804         VMSTATE_UINT8(scb_stat, EEPRO100State),
1805         VMSTATE_UINT8(int_stat, EEPRO100State),
1806         VMSTATE_UNUSED(3*4),
1807         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1808         VMSTATE_UNUSED(19*4),
1809         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1810         /* The eeprom should be saved and restored by its own routines. */
1811         VMSTATE_UINT32(device, EEPRO100State),
1812         /* TODO check device. */
1813         VMSTATE_UINT32(cu_base, EEPRO100State),
1814         VMSTATE_UINT32(cu_offset, EEPRO100State),
1815         VMSTATE_UINT32(ru_base, EEPRO100State),
1816         VMSTATE_UINT32(ru_offset, EEPRO100State),
1817         VMSTATE_UINT32(statsaddr, EEPRO100State),
1818         /* Save eepro100_stats_t statistics. */
1819         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1820         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1821         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1822         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1823         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1824         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1825         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1826         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1827         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1828         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1829         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1830         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1831         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1832         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1833         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1834         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1835         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1836         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1837         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1838         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1839         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1840         /* Configuration bytes. */
1841         VMSTATE_BUFFER(configuration, EEPRO100State),
1842         VMSTATE_END_OF_LIST()
1843     }
1844 };
1845 
1846 static void pci_nic_uninit(PCIDevice *pci_dev)
1847 {
1848     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1849 
1850     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
1851     g_free(s->vmstate);
1852     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1853     qemu_del_nic(s->nic);
1854 }
1855 
1856 static NetClientInfo net_eepro100_info = {
1857     .type = NET_CLIENT_DRIVER_NIC,
1858     .size = sizeof(NICState),
1859     .receive = nic_receive,
1860 };
1861 
1862 static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
1863 {
1864     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1865     E100PCIDeviceInfo *info = eepro100_get_class(s);
1866     Error *local_err = NULL;
1867 
1868     TRACE(OTHER, logout("\n"));
1869 
1870     s->device = info->device;
1871 
1872     e100_pci_reset(s, &local_err);
1873     if (local_err) {
1874         error_propagate(errp, local_err);
1875         return;
1876     }
1877 
1878     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1879      * i82559 and later support 64 or 256 word EEPROM. */
1880     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1881 
1882     /* Handler for memory-mapped I/O */
1883     memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
1884                           "eepro100-mmio", PCI_MEM_SIZE);
1885     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1886     memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
1887                           "eepro100-io", PCI_IO_SIZE);
1888     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1889     /* FIXME: flash aliases to mmio?! */
1890     memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
1891                           "eepro100-flash", PCI_FLASH_SIZE);
1892     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1893 
1894     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1895     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1896 
1897     nic_reset(s);
1898 
1899     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1900                           object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
1901 
1902     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1903     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1904 
1905     qemu_register_reset(nic_reset, s);
1906 
1907     s->vmstate = g_memdup(&vmstate_eepro100, sizeof(vmstate_eepro100));
1908     s->vmstate->name = qemu_get_queue(s->nic)->model;
1909     vmstate_register(&pci_dev->qdev, -1, s->vmstate, s);
1910 }
1911 
1912 static void eepro100_instance_init(Object *obj)
1913 {
1914     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
1915     device_add_bootindex_property(obj, &s->conf.bootindex,
1916                                   "bootindex", "/ethernet-phy@0",
1917                                   DEVICE(s), NULL);
1918 }
1919 
1920 static E100PCIDeviceInfo e100_devices[] = {
1921     {
1922         .name = "i82550",
1923         .desc = "Intel i82550 Ethernet",
1924         .device = i82550,
1925         /* TODO: check device id. */
1926         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1927         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1928         .revision = 0x0e,
1929         /* TODO: check size of statistical counters. */
1930         .stats_size = 80,
1931         /* TODO: check extended tcb support. */
1932         .has_extended_tcb_support = true,
1933         .power_management = true,
1934     },{
1935         .name = "i82551",
1936         .desc = "Intel i82551 Ethernet",
1937         .device = i82551,
1938         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1939         /* Revision ID: 0x0f, 0x10. */
1940         .revision = 0x0f,
1941         /* TODO: check size of statistical counters. */
1942         .stats_size = 80,
1943         .has_extended_tcb_support = true,
1944         .power_management = true,
1945     },{
1946         .name = "i82557a",
1947         .desc = "Intel i82557A Ethernet",
1948         .device = i82557A,
1949         .device_id = PCI_DEVICE_ID_INTEL_82557,
1950         .revision = 0x01,
1951         .power_management = false,
1952     },{
1953         .name = "i82557b",
1954         .desc = "Intel i82557B Ethernet",
1955         .device = i82557B,
1956         .device_id = PCI_DEVICE_ID_INTEL_82557,
1957         .revision = 0x02,
1958         .power_management = false,
1959     },{
1960         .name = "i82557c",
1961         .desc = "Intel i82557C Ethernet",
1962         .device = i82557C,
1963         .device_id = PCI_DEVICE_ID_INTEL_82557,
1964         .revision = 0x03,
1965         .power_management = false,
1966     },{
1967         .name = "i82558a",
1968         .desc = "Intel i82558A Ethernet",
1969         .device = i82558A,
1970         .device_id = PCI_DEVICE_ID_INTEL_82557,
1971         .revision = 0x04,
1972         .stats_size = 76,
1973         .has_extended_tcb_support = true,
1974         .power_management = true,
1975     },{
1976         .name = "i82558b",
1977         .desc = "Intel i82558B Ethernet",
1978         .device = i82558B,
1979         .device_id = PCI_DEVICE_ID_INTEL_82557,
1980         .revision = 0x05,
1981         .stats_size = 76,
1982         .has_extended_tcb_support = true,
1983         .power_management = true,
1984     },{
1985         .name = "i82559a",
1986         .desc = "Intel i82559A Ethernet",
1987         .device = i82559A,
1988         .device_id = PCI_DEVICE_ID_INTEL_82557,
1989         .revision = 0x06,
1990         .stats_size = 80,
1991         .has_extended_tcb_support = true,
1992         .power_management = true,
1993     },{
1994         .name = "i82559b",
1995         .desc = "Intel i82559B Ethernet",
1996         .device = i82559B,
1997         .device_id = PCI_DEVICE_ID_INTEL_82557,
1998         .revision = 0x07,
1999         .stats_size = 80,
2000         .has_extended_tcb_support = true,
2001         .power_management = true,
2002     },{
2003         .name = "i82559c",
2004         .desc = "Intel i82559C Ethernet",
2005         .device = i82559C,
2006         .device_id = PCI_DEVICE_ID_INTEL_82557,
2007 #if 0
2008         .revision = 0x08,
2009 #endif
2010         /* TODO: Windows wants revision id 0x0c. */
2011         .revision = 0x0c,
2012 #if EEPROM_SIZE > 0
2013         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
2014         .subsystem_id = 0x0040,
2015 #endif
2016         .stats_size = 80,
2017         .has_extended_tcb_support = true,
2018         .power_management = true,
2019     },{
2020         .name = "i82559er",
2021         .desc = "Intel i82559ER Ethernet",
2022         .device = i82559ER,
2023         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2024         .revision = 0x09,
2025         .stats_size = 80,
2026         .has_extended_tcb_support = true,
2027         .power_management = true,
2028     },{
2029         .name = "i82562",
2030         .desc = "Intel i82562 Ethernet",
2031         .device = i82562,
2032         /* TODO: check device id. */
2033         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2034         /* TODO: wrong revision id. */
2035         .revision = 0x0e,
2036         .stats_size = 80,
2037         .has_extended_tcb_support = true,
2038         .power_management = true,
2039     },{
2040         /* Toshiba Tecra 8200. */
2041         .name = "i82801",
2042         .desc = "Intel i82801 Ethernet",
2043         .device = i82801,
2044         .device_id = 0x2449,
2045         .revision = 0x03,
2046         .stats_size = 80,
2047         .has_extended_tcb_support = true,
2048         .power_management = true,
2049     }
2050 };
2051 
2052 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2053 {
2054     E100PCIDeviceInfo *info = NULL;
2055     int i;
2056 
2057     /* This is admittedly awkward but also temporary.  QOM allows for
2058      * parameterized typing and for subclassing both of which would suitable
2059      * handle what's going on here.  But class_data is already being used as
2060      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2061      * right now.  Once we merge the final QOM series, we can come back here and
2062      * do this in a much more elegant fashion.
2063      */
2064     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2065         if (strcmp(e100_devices[i].name, typename) == 0) {
2066             info = &e100_devices[i];
2067             break;
2068         }
2069     }
2070     assert(info != NULL);
2071 
2072     return info;
2073 }
2074 
2075 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2076 {
2077     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2078 }
2079 
2080 static Property e100_properties[] = {
2081     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2082     DEFINE_PROP_END_OF_LIST(),
2083 };
2084 
2085 static void eepro100_class_init(ObjectClass *klass, void *data)
2086 {
2087     DeviceClass *dc = DEVICE_CLASS(klass);
2088     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2089     E100PCIDeviceInfo *info;
2090 
2091     info = eepro100_get_class_by_name(object_class_get_name(klass));
2092 
2093     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
2094     dc->props = e100_properties;
2095     dc->desc = info->desc;
2096     k->vendor_id = PCI_VENDOR_ID_INTEL;
2097     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2098     k->romfile = "pxe-eepro100.rom";
2099     k->realize = e100_nic_realize;
2100     k->exit = pci_nic_uninit;
2101     k->device_id = info->device_id;
2102     k->revision = info->revision;
2103     k->subsystem_vendor_id = info->subsystem_vendor_id;
2104     k->subsystem_id = info->subsystem_id;
2105 }
2106 
2107 static void eepro100_register_types(void)
2108 {
2109     size_t i;
2110     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2111         TypeInfo type_info = {};
2112         E100PCIDeviceInfo *info = &e100_devices[i];
2113 
2114         type_info.name = info->name;
2115         type_info.parent = TYPE_PCI_DEVICE;
2116         type_info.class_init = eepro100_class_init;
2117         type_info.instance_size = sizeof(EEPRO100State);
2118         type_info.instance_init = eepro100_instance_init;
2119         type_info.interfaces = (InterfaceInfo[]) {
2120             { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2121             { },
2122         };
2123 
2124         type_register(&type_info);
2125     }
2126 }
2127 
2128 type_init(eepro100_register_types)
2129