xref: /openbmc/qemu/hw/net/eepro100.c (revision e4370165)
1 /*
2  * QEMU i8255x (PRO100) emulation
3  *
4  * Copyright (C) 2006-2011 Stefan Weil
5  *
6  * Portions of the code are copies from grub / etherboot eepro100.c
7  * and linux e100.c.
8  *
9  * This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation, either version 2 of the License, or
12  * (at your option) version 3 or any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * Tested features (i82559):
23  *      PXE boot (i386 guest, i386 / mips / mipsel / ppc host) ok
24  *      Linux networking (i386) ok
25  *
26  * Untested:
27  *      Windows networking
28  *
29  * References:
30  *
31  * Intel 8255x 10/100 Mbps Ethernet Controller Family
32  * Open Source Software Developer Manual
33  *
34  * TODO:
35  *      * PHY emulation should be separated from nic emulation.
36  *        Most nic emulations could share the same phy code.
37  *      * i82550 is untested. It is programmed like the i82559.
38  *      * i82562 is untested. It is programmed like the i82559.
39  *      * Power management (i82558 and later) is not implemented.
40  *      * Wake-on-LAN is not implemented.
41  */
42 
43 #include "qemu/osdep.h"
44 #include "hw/hw.h"
45 #include "hw/pci/pci.h"
46 #include "net/net.h"
47 #include "hw/nvram/eeprom93xx.h"
48 #include "sysemu/sysemu.h"
49 #include "sysemu/dma.h"
50 #include "qemu/bitops.h"
51 
52 /* QEMU sends frames smaller than 60 bytes to ethernet nics.
53  * Such frames are rejected by real nics and their emulations.
54  * To avoid this behaviour, other nic emulations pad received
55  * frames. The following definition enables this padding for
56  * eepro100, too. We keep the define around in case it might
57  * become useful the future if the core networking is ever
58  * changed to pad short packets itself. */
59 #define CONFIG_PAD_RECEIVED_FRAMES
60 
61 #define KiB 1024
62 
63 /* Debug EEPRO100 card. */
64 #if 0
65 # define DEBUG_EEPRO100
66 #endif
67 
68 #ifdef DEBUG_EEPRO100
69 #define logout(fmt, ...) fprintf(stderr, "EE100\t%-24s" fmt, __func__, ## __VA_ARGS__)
70 #else
71 #define logout(fmt, ...) ((void)0)
72 #endif
73 
74 /* Set flags to 0 to disable debug output. */
75 #define INT     1       /* interrupt related actions */
76 #define MDI     1       /* mdi related actions */
77 #define OTHER   1
78 #define RXTX    1
79 #define EEPROM  1       /* eeprom related actions */
80 
81 #define TRACE(flag, command) ((flag) ? (command) : (void)0)
82 
83 #define missing(text) fprintf(stderr, "eepro100: feature is missing in this emulation: " text "\n")
84 
85 #define MAX_ETH_FRAME_SIZE 1514
86 
87 /* This driver supports several different devices which are declared here. */
88 #define i82550          0x82550
89 #define i82551          0x82551
90 #define i82557A         0x82557a
91 #define i82557B         0x82557b
92 #define i82557C         0x82557c
93 #define i82558A         0x82558a
94 #define i82558B         0x82558b
95 #define i82559A         0x82559a
96 #define i82559B         0x82559b
97 #define i82559C         0x82559c
98 #define i82559ER        0x82559e
99 #define i82562          0x82562
100 #define i82801          0x82801
101 
102 /* Use 64 word EEPROM. TODO: could be a runtime option. */
103 #define EEPROM_SIZE     64
104 
105 #define PCI_MEM_SIZE            (4 * KiB)
106 #define PCI_IO_SIZE             64
107 #define PCI_FLASH_SIZE          (128 * KiB)
108 
109 #define BITS(n, m) (((0xffffffffU << (31 - n)) >> (31 - n + m)) << m)
110 
111 /* The SCB accepts the following controls for the Tx and Rx units: */
112 #define  CU_NOP         0x0000  /* No operation. */
113 #define  CU_START       0x0010  /* CU start. */
114 #define  CU_RESUME      0x0020  /* CU resume. */
115 #define  CU_STATSADDR   0x0040  /* Load dump counters address. */
116 #define  CU_SHOWSTATS   0x0050  /* Dump statistical counters. */
117 #define  CU_CMD_BASE    0x0060  /* Load CU base address. */
118 #define  CU_DUMPSTATS   0x0070  /* Dump and reset statistical counters. */
119 #define  CU_SRESUME     0x00a0  /* CU static resume. */
120 
121 #define  RU_NOP         0x0000
122 #define  RX_START       0x0001
123 #define  RX_RESUME      0x0002
124 #define  RU_ABORT       0x0004
125 #define  RX_ADDR_LOAD   0x0006
126 #define  RX_RESUMENR    0x0007
127 #define INT_MASK        0x0100
128 #define DRVR_INT        0x0200  /* Driver generated interrupt. */
129 
130 typedef struct {
131     const char *name;
132     const char *desc;
133     uint16_t device_id;
134     uint8_t revision;
135     uint16_t subsystem_vendor_id;
136     uint16_t subsystem_id;
137 
138     uint32_t device;
139     uint8_t stats_size;
140     bool has_extended_tcb_support;
141     bool power_management;
142 } E100PCIDeviceInfo;
143 
144 /* Offsets to the various registers.
145    All accesses need not be longword aligned. */
146 typedef enum {
147     SCBStatus = 0,              /* Status Word. */
148     SCBAck = 1,
149     SCBCmd = 2,                 /* Rx/Command Unit command and status. */
150     SCBIntmask = 3,
151     SCBPointer = 4,             /* General purpose pointer. */
152     SCBPort = 8,                /* Misc. commands and operands.  */
153     SCBflash = 12,              /* Flash memory control. */
154     SCBeeprom = 14,             /* EEPROM control. */
155     SCBCtrlMDI = 16,            /* MDI interface control. */
156     SCBEarlyRx = 20,            /* Early receive byte count. */
157     SCBFlow = 24,               /* Flow Control. */
158     SCBpmdr = 27,               /* Power Management Driver. */
159     SCBgctrl = 28,              /* General Control. */
160     SCBgstat = 29,              /* General Status. */
161 } E100RegisterOffset;
162 
163 /* A speedo3 transmit buffer descriptor with two buffers... */
164 typedef struct {
165     uint16_t status;
166     uint16_t command;
167     uint32_t link;              /* void * */
168     uint32_t tbd_array_addr;    /* transmit buffer descriptor array address. */
169     uint16_t tcb_bytes;         /* transmit command block byte count (in lower 14 bits */
170     uint8_t tx_threshold;       /* transmit threshold */
171     uint8_t tbd_count;          /* TBD number */
172 #if 0
173     /* This constitutes two "TBD" entries: hdr and data */
174     uint32_t tx_buf_addr0;  /* void *, header of frame to be transmitted.  */
175     int32_t  tx_buf_size0;  /* Length of Tx hdr. */
176     uint32_t tx_buf_addr1;  /* void *, data to be transmitted.  */
177     int32_t  tx_buf_size1;  /* Length of Tx data. */
178 #endif
179 } eepro100_tx_t;
180 
181 /* Receive frame descriptor. */
182 typedef struct {
183     int16_t status;
184     uint16_t command;
185     uint32_t link;              /* struct RxFD * */
186     uint32_t rx_buf_addr;       /* void * */
187     uint16_t count;
188     uint16_t size;
189     /* Ethernet frame data follows. */
190 } eepro100_rx_t;
191 
192 typedef enum {
193     COMMAND_EL = BIT(15),
194     COMMAND_S = BIT(14),
195     COMMAND_I = BIT(13),
196     COMMAND_NC = BIT(4),
197     COMMAND_SF = BIT(3),
198     COMMAND_CMD = BITS(2, 0),
199 } scb_command_bit;
200 
201 typedef enum {
202     STATUS_C = BIT(15),
203     STATUS_OK = BIT(13),
204 } scb_status_bit;
205 
206 typedef struct {
207     uint32_t tx_good_frames, tx_max_collisions, tx_late_collisions,
208              tx_underruns, tx_lost_crs, tx_deferred, tx_single_collisions,
209              tx_multiple_collisions, tx_total_collisions;
210     uint32_t rx_good_frames, rx_crc_errors, rx_alignment_errors,
211              rx_resource_errors, rx_overrun_errors, rx_cdt_errors,
212              rx_short_frame_errors;
213     uint32_t fc_xmt_pause, fc_rcv_pause, fc_rcv_unsupported;
214     uint16_t xmt_tco_frames, rcv_tco_frames;
215     /* TODO: i82559 has six reserved statistics but a total of 24 dwords. */
216     uint32_t reserved[4];
217 } eepro100_stats_t;
218 
219 typedef enum {
220     cu_idle = 0,
221     cu_suspended = 1,
222     cu_active = 2,
223     cu_lpq_active = 2,
224     cu_hqp_active = 3
225 } cu_state_t;
226 
227 typedef enum {
228     ru_idle = 0,
229     ru_suspended = 1,
230     ru_no_resources = 2,
231     ru_ready = 4
232 } ru_state_t;
233 
234 typedef struct {
235     PCIDevice dev;
236     /* Hash register (multicast mask array, multiple individual addresses). */
237     uint8_t mult[8];
238     MemoryRegion mmio_bar;
239     MemoryRegion io_bar;
240     MemoryRegion flash_bar;
241     NICState *nic;
242     NICConf conf;
243     uint8_t scb_stat;           /* SCB stat/ack byte */
244     uint8_t int_stat;           /* PCI interrupt status */
245     /* region must not be saved by nic_save. */
246     uint16_t mdimem[32];
247     eeprom_t *eeprom;
248     uint32_t device;            /* device variant */
249     /* (cu_base + cu_offset) address the next command block in the command block list. */
250     uint32_t cu_base;           /* CU base address */
251     uint32_t cu_offset;         /* CU address offset */
252     /* (ru_base + ru_offset) address the RFD in the Receive Frame Area. */
253     uint32_t ru_base;           /* RU base address */
254     uint32_t ru_offset;         /* RU address offset */
255     uint32_t statsaddr;         /* pointer to eepro100_stats_t */
256 
257     /* Temporary status information (no need to save these values),
258      * used while processing CU commands. */
259     eepro100_tx_t tx;           /* transmit buffer descriptor */
260     uint32_t cb_address;        /* = cu_base + cu_offset */
261 
262     /* Statistical counters. Also used for wake-up packet (i82559). */
263     eepro100_stats_t statistics;
264 
265     /* Data in mem is always in the byte order of the controller (le).
266      * It must be dword aligned to allow direct access to 32 bit values. */
267     uint8_t mem[PCI_MEM_SIZE] __attribute__((aligned(8)));
268 
269     /* Configuration bytes. */
270     uint8_t configuration[22];
271 
272     /* vmstate for each particular nic */
273     VMStateDescription *vmstate;
274 
275     /* Quasi static device properties (no need to save them). */
276     uint16_t stats_size;
277     bool has_extended_tcb_support;
278 } EEPRO100State;
279 
280 /* Word indices in EEPROM. */
281 typedef enum {
282     EEPROM_CNFG_MDIX  = 0x03,
283     EEPROM_ID         = 0x05,
284     EEPROM_PHY_ID     = 0x06,
285     EEPROM_VENDOR_ID  = 0x0c,
286     EEPROM_CONFIG_ASF = 0x0d,
287     EEPROM_DEVICE_ID  = 0x23,
288     EEPROM_SMBUS_ADDR = 0x90,
289 } EEPROMOffset;
290 
291 /* Bit values for EEPROM ID word. */
292 typedef enum {
293     EEPROM_ID_MDM = BIT(0),     /* Modem */
294     EEPROM_ID_STB = BIT(1),     /* Standby Enable */
295     EEPROM_ID_WMR = BIT(2),     /* ??? */
296     EEPROM_ID_WOL = BIT(5),     /* Wake on LAN */
297     EEPROM_ID_DPD = BIT(6),     /* Deep Power Down */
298     EEPROM_ID_ALT = BIT(7),     /* */
299     /* BITS(10, 8) device revision */
300     EEPROM_ID_BD = BIT(11),     /* boot disable */
301     EEPROM_ID_ID = BIT(13),     /* id bit */
302     /* BITS(15, 14) signature */
303     EEPROM_ID_VALID = BIT(14),  /* signature for valid eeprom */
304 } eeprom_id_bit;
305 
306 /* Default values for MDI (PHY) registers */
307 static const uint16_t eepro100_mdi_default[] = {
308     /* MDI Registers 0 - 6, 7 */
309     0x3000, 0x780d, 0x02a8, 0x0154, 0x05e1, 0x0000, 0x0000, 0x0000,
310     /* MDI Registers 8 - 15 */
311     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
312     /* MDI Registers 16 - 31 */
313     0x0003, 0x0000, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
314     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
315 };
316 
317 /* Readonly mask for MDI (PHY) registers */
318 static const uint16_t eepro100_mdi_mask[] = {
319     0x0000, 0xffff, 0xffff, 0xffff, 0xc01f, 0xffff, 0xffff, 0x0000,
320     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
321     0x0fff, 0x0000, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
322     0xffff, 0xffff, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
323 };
324 
325 #define POLYNOMIAL 0x04c11db6
326 
327 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
328 
329 /* From FreeBSD (locally modified). */
330 static unsigned e100_compute_mcast_idx(const uint8_t *ep)
331 {
332     uint32_t crc;
333     int carry, i, j;
334     uint8_t b;
335 
336     crc = 0xffffffff;
337     for (i = 0; i < 6; i++) {
338         b = *ep++;
339         for (j = 0; j < 8; j++) {
340             carry = ((crc & 0x80000000L) ? 1 : 0) ^ (b & 0x01);
341             crc <<= 1;
342             b >>= 1;
343             if (carry) {
344                 crc = ((crc ^ POLYNOMIAL) | carry);
345             }
346         }
347     }
348     return (crc & BITS(7, 2)) >> 2;
349 }
350 
351 /* Read a 16 bit control/status (CSR) register. */
352 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
353 {
354     assert(!((uintptr_t)&s->mem[addr] & 1));
355     return lduw_le_p(&s->mem[addr]);
356 }
357 
358 /* Read a 32 bit control/status (CSR) register. */
359 static uint32_t e100_read_reg4(EEPRO100State *s, E100RegisterOffset addr)
360 {
361     assert(!((uintptr_t)&s->mem[addr] & 3));
362     return ldl_le_p(&s->mem[addr]);
363 }
364 
365 /* Write a 16 bit control/status (CSR) register. */
366 static void e100_write_reg2(EEPRO100State *s, E100RegisterOffset addr,
367                             uint16_t val)
368 {
369     assert(!((uintptr_t)&s->mem[addr] & 1));
370     stw_le_p(&s->mem[addr], val);
371 }
372 
373 /* Read a 32 bit control/status (CSR) register. */
374 static void e100_write_reg4(EEPRO100State *s, E100RegisterOffset addr,
375                             uint32_t val)
376 {
377     assert(!((uintptr_t)&s->mem[addr] & 3));
378     stl_le_p(&s->mem[addr], val);
379 }
380 
381 #if defined(DEBUG_EEPRO100)
382 static const char *nic_dump(const uint8_t * buf, unsigned size)
383 {
384     static char dump[3 * 16 + 1];
385     char *p = &dump[0];
386     if (size > 16) {
387         size = 16;
388     }
389     while (size-- > 0) {
390         p += sprintf(p, " %02x", *buf++);
391     }
392     return dump;
393 }
394 #endif                          /* DEBUG_EEPRO100 */
395 
396 enum scb_stat_ack {
397     stat_ack_not_ours = 0x00,
398     stat_ack_sw_gen = 0x04,
399     stat_ack_rnr = 0x10,
400     stat_ack_cu_idle = 0x20,
401     stat_ack_frame_rx = 0x40,
402     stat_ack_cu_cmd_done = 0x80,
403     stat_ack_not_present = 0xFF,
404     stat_ack_rx = (stat_ack_sw_gen | stat_ack_rnr | stat_ack_frame_rx),
405     stat_ack_tx = (stat_ack_cu_idle | stat_ack_cu_cmd_done),
406 };
407 
408 static void disable_interrupt(EEPRO100State * s)
409 {
410     if (s->int_stat) {
411         TRACE(INT, logout("interrupt disabled\n"));
412         pci_irq_deassert(&s->dev);
413         s->int_stat = 0;
414     }
415 }
416 
417 static void enable_interrupt(EEPRO100State * s)
418 {
419     if (!s->int_stat) {
420         TRACE(INT, logout("interrupt enabled\n"));
421         pci_irq_assert(&s->dev);
422         s->int_stat = 1;
423     }
424 }
425 
426 static void eepro100_acknowledge(EEPRO100State * s)
427 {
428     s->scb_stat &= ~s->mem[SCBAck];
429     s->mem[SCBAck] = s->scb_stat;
430     if (s->scb_stat == 0) {
431         disable_interrupt(s);
432     }
433 }
434 
435 static void eepro100_interrupt(EEPRO100State * s, uint8_t status)
436 {
437     uint8_t mask = ~s->mem[SCBIntmask];
438     s->mem[SCBAck] |= status;
439     status = s->scb_stat = s->mem[SCBAck];
440     status &= (mask | 0x0f);
441 #if 0
442     status &= (~s->mem[SCBIntmask] | 0x0xf);
443 #endif
444     if (status && (mask & 0x01)) {
445         /* SCB mask and SCB Bit M do not disable interrupt. */
446         enable_interrupt(s);
447     } else if (s->int_stat) {
448         disable_interrupt(s);
449     }
450 }
451 
452 static void eepro100_cx_interrupt(EEPRO100State * s)
453 {
454     /* CU completed action command. */
455     /* Transmit not ok (82557 only, not in emulation). */
456     eepro100_interrupt(s, 0x80);
457 }
458 
459 static void eepro100_cna_interrupt(EEPRO100State * s)
460 {
461     /* CU left the active state. */
462     eepro100_interrupt(s, 0x20);
463 }
464 
465 static void eepro100_fr_interrupt(EEPRO100State * s)
466 {
467     /* RU received a complete frame. */
468     eepro100_interrupt(s, 0x40);
469 }
470 
471 static void eepro100_rnr_interrupt(EEPRO100State * s)
472 {
473     /* RU is not ready. */
474     eepro100_interrupt(s, 0x10);
475 }
476 
477 static void eepro100_mdi_interrupt(EEPRO100State * s)
478 {
479     /* MDI completed read or write cycle. */
480     eepro100_interrupt(s, 0x08);
481 }
482 
483 static void eepro100_swi_interrupt(EEPRO100State * s)
484 {
485     /* Software has requested an interrupt. */
486     eepro100_interrupt(s, 0x04);
487 }
488 
489 #if 0
490 static void eepro100_fcp_interrupt(EEPRO100State * s)
491 {
492     /* Flow control pause interrupt (82558 and later). */
493     eepro100_interrupt(s, 0x01);
494 }
495 #endif
496 
497 static void e100_pci_reset(EEPRO100State * s)
498 {
499     E100PCIDeviceInfo *info = eepro100_get_class(s);
500     uint32_t device = s->device;
501     uint8_t *pci_conf = s->dev.config;
502 
503     TRACE(OTHER, logout("%p\n", s));
504 
505     /* PCI Status */
506     pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM |
507                                         PCI_STATUS_FAST_BACK);
508     /* PCI Latency Timer */
509     pci_set_byte(pci_conf + PCI_LATENCY_TIMER, 0x20);   /* latency timer = 32 clocks */
510     /* Capability Pointer is set by PCI framework. */
511     /* Interrupt Line */
512     /* Interrupt Pin */
513     pci_set_byte(pci_conf + PCI_INTERRUPT_PIN, 1);      /* interrupt pin A */
514     /* Minimum Grant */
515     pci_set_byte(pci_conf + PCI_MIN_GNT, 0x08);
516     /* Maximum Latency */
517     pci_set_byte(pci_conf + PCI_MAX_LAT, 0x18);
518 
519     s->stats_size = info->stats_size;
520     s->has_extended_tcb_support = info->has_extended_tcb_support;
521 
522     switch (device) {
523     case i82550:
524     case i82551:
525     case i82557A:
526     case i82557B:
527     case i82557C:
528     case i82558A:
529     case i82558B:
530     case i82559A:
531     case i82559B:
532     case i82559ER:
533     case i82562:
534     case i82801:
535     case i82559C:
536         break;
537     default:
538         logout("Device %X is undefined!\n", device);
539     }
540 
541     /* Standard TxCB. */
542     s->configuration[6] |= BIT(4);
543 
544     /* Standard statistical counters. */
545     s->configuration[6] |= BIT(5);
546 
547     if (s->stats_size == 80) {
548         /* TODO: check TCO Statistical Counters bit. Documentation not clear. */
549         if (s->configuration[6] & BIT(2)) {
550             /* TCO statistical counters. */
551             assert(s->configuration[6] & BIT(5));
552         } else {
553             if (s->configuration[6] & BIT(5)) {
554                 /* No extended statistical counters, i82557 compatible. */
555                 s->stats_size = 64;
556             } else {
557                 /* i82558 compatible. */
558                 s->stats_size = 76;
559             }
560         }
561     } else {
562         if (s->configuration[6] & BIT(5)) {
563             /* No extended statistical counters. */
564             s->stats_size = 64;
565         }
566     }
567     assert(s->stats_size > 0 && s->stats_size <= sizeof(s->statistics));
568 
569     if (info->power_management) {
570         /* Power Management Capabilities */
571         int cfg_offset = 0xdc;
572         int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
573                                    cfg_offset, PCI_PM_SIZEOF);
574         assert(r >= 0);
575         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
576 #if 0 /* TODO: replace dummy code for power management emulation. */
577         /* TODO: Power Management Control / Status. */
578         pci_set_word(pci_conf + cfg_offset + PCI_PM_CTRL, 0x0000);
579         /* TODO: Ethernet Power Consumption Registers (i82559 and later). */
580         pci_set_byte(pci_conf + cfg_offset + PCI_PM_PPB_EXTENSIONS, 0x0000);
581 #endif
582     }
583 
584 #if EEPROM_SIZE > 0
585     if (device == i82557C || device == i82558B || device == i82559C) {
586         /*
587         TODO: get vendor id from EEPROM for i82557C or later.
588         TODO: get device id from EEPROM for i82557C or later.
589         TODO: status bit 4 can be disabled by EEPROM for i82558, i82559.
590         TODO: header type is determined by EEPROM for i82559.
591         TODO: get subsystem id from EEPROM for i82557C or later.
592         TODO: get subsystem vendor id from EEPROM for i82557C or later.
593         TODO: exp. rom baddr depends on a bit in EEPROM for i82558 or later.
594         TODO: capability pointer depends on EEPROM for i82558.
595         */
596         logout("Get device id and revision from EEPROM!!!\n");
597     }
598 #endif /* EEPROM_SIZE > 0 */
599 }
600 
601 static void nic_selective_reset(EEPRO100State * s)
602 {
603     size_t i;
604     uint16_t *eeprom_contents = eeprom93xx_data(s->eeprom);
605 #if 0
606     eeprom93xx_reset(s->eeprom);
607 #endif
608     memcpy(eeprom_contents, s->conf.macaddr.a, 6);
609     eeprom_contents[EEPROM_ID] = EEPROM_ID_VALID;
610     if (s->device == i82557B || s->device == i82557C)
611         eeprom_contents[5] = 0x0100;
612     eeprom_contents[EEPROM_PHY_ID] = 1;
613     uint16_t sum = 0;
614     for (i = 0; i < EEPROM_SIZE - 1; i++) {
615         sum += eeprom_contents[i];
616     }
617     eeprom_contents[EEPROM_SIZE - 1] = 0xbaba - sum;
618     TRACE(EEPROM, logout("checksum=0x%04x\n", eeprom_contents[EEPROM_SIZE - 1]));
619 
620     memset(s->mem, 0, sizeof(s->mem));
621     e100_write_reg4(s, SCBCtrlMDI, BIT(21));
622 
623     assert(sizeof(s->mdimem) == sizeof(eepro100_mdi_default));
624     memcpy(&s->mdimem[0], &eepro100_mdi_default[0], sizeof(s->mdimem));
625 }
626 
627 static void nic_reset(void *opaque)
628 {
629     EEPRO100State *s = opaque;
630     TRACE(OTHER, logout("%p\n", s));
631     /* TODO: Clearing of hash register for selective reset, too? */
632     memset(&s->mult[0], 0, sizeof(s->mult));
633     nic_selective_reset(s);
634 }
635 
636 #if defined(DEBUG_EEPRO100)
637 static const char * const e100_reg[PCI_IO_SIZE / 4] = {
638     "Command/Status",
639     "General Pointer",
640     "Port",
641     "EEPROM/Flash Control",
642     "MDI Control",
643     "Receive DMA Byte Count",
644     "Flow Control",
645     "General Status/Control"
646 };
647 
648 static char *regname(uint32_t addr)
649 {
650     static char buf[32];
651     if (addr < PCI_IO_SIZE) {
652         const char *r = e100_reg[addr / 4];
653         if (r != 0) {
654             snprintf(buf, sizeof(buf), "%s+%u", r, addr % 4);
655         } else {
656             snprintf(buf, sizeof(buf), "0x%02x", addr);
657         }
658     } else {
659         snprintf(buf, sizeof(buf), "??? 0x%08x", addr);
660     }
661     return buf;
662 }
663 #endif                          /* DEBUG_EEPRO100 */
664 
665 /*****************************************************************************
666  *
667  * Command emulation.
668  *
669  ****************************************************************************/
670 
671 #if 0
672 static uint16_t eepro100_read_command(EEPRO100State * s)
673 {
674     uint16_t val = 0xffff;
675     TRACE(OTHER, logout("val=0x%04x\n", val));
676     return val;
677 }
678 #endif
679 
680 /* Commands that can be put in a command list entry. */
681 enum commands {
682     CmdNOp = 0,
683     CmdIASetup = 1,
684     CmdConfigure = 2,
685     CmdMulticastList = 3,
686     CmdTx = 4,
687     CmdTDR = 5,                 /* load microcode */
688     CmdDump = 6,
689     CmdDiagnose = 7,
690 
691     /* And some extra flags: */
692     CmdSuspend = 0x4000,        /* Suspend after completion. */
693     CmdIntr = 0x2000,           /* Interrupt after completion. */
694     CmdTxFlex = 0x0008,         /* Use "Flexible mode" for CmdTx command. */
695 };
696 
697 static cu_state_t get_cu_state(EEPRO100State * s)
698 {
699     return ((s->mem[SCBStatus] & BITS(7, 6)) >> 6);
700 }
701 
702 static void set_cu_state(EEPRO100State * s, cu_state_t state)
703 {
704     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(7, 6)) + (state << 6);
705 }
706 
707 static ru_state_t get_ru_state(EEPRO100State * s)
708 {
709     return ((s->mem[SCBStatus] & BITS(5, 2)) >> 2);
710 }
711 
712 static void set_ru_state(EEPRO100State * s, ru_state_t state)
713 {
714     s->mem[SCBStatus] = (s->mem[SCBStatus] & ~BITS(5, 2)) + (state << 2);
715 }
716 
717 static void dump_statistics(EEPRO100State * s)
718 {
719     /* Dump statistical data. Most data is never changed by the emulation
720      * and always 0, so we first just copy the whole block and then those
721      * values which really matter.
722      * Number of data should check configuration!!!
723      */
724     pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
725     stl_le_pci_dma(&s->dev, s->statsaddr + 0,
726                    s->statistics.tx_good_frames);
727     stl_le_pci_dma(&s->dev, s->statsaddr + 36,
728                    s->statistics.rx_good_frames);
729     stl_le_pci_dma(&s->dev, s->statsaddr + 48,
730                    s->statistics.rx_resource_errors);
731     stl_le_pci_dma(&s->dev, s->statsaddr + 60,
732                    s->statistics.rx_short_frame_errors);
733 #if 0
734     stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
735     stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
736     missing("CU dump statistical counters");
737 #endif
738 }
739 
740 static void read_cb(EEPRO100State *s)
741 {
742     pci_dma_read(&s->dev, s->cb_address, &s->tx, sizeof(s->tx));
743     s->tx.status = le16_to_cpu(s->tx.status);
744     s->tx.command = le16_to_cpu(s->tx.command);
745     s->tx.link = le32_to_cpu(s->tx.link);
746     s->tx.tbd_array_addr = le32_to_cpu(s->tx.tbd_array_addr);
747     s->tx.tcb_bytes = le16_to_cpu(s->tx.tcb_bytes);
748 }
749 
750 static void tx_command(EEPRO100State *s)
751 {
752     uint32_t tbd_array = le32_to_cpu(s->tx.tbd_array_addr);
753     uint16_t tcb_bytes = (le16_to_cpu(s->tx.tcb_bytes) & 0x3fff);
754     /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
755     uint8_t buf[2600];
756     uint16_t size = 0;
757     uint32_t tbd_address = s->cb_address + 0x10;
758     TRACE(RXTX, logout
759         ("transmit, TBD array address 0x%08x, TCB byte count 0x%04x, TBD count %u\n",
760          tbd_array, tcb_bytes, s->tx.tbd_count));
761 
762     if (tcb_bytes > 2600) {
763         logout("TCB byte count too large, using 2600\n");
764         tcb_bytes = 2600;
765     }
766     if (!((tcb_bytes > 0) || (tbd_array != 0xffffffff))) {
767         logout
768             ("illegal values of TBD array address and TCB byte count!\n");
769     }
770     assert(tcb_bytes <= sizeof(buf));
771     while (size < tcb_bytes) {
772         uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
773         uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
774 #if 0
775         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
776 #endif
777         if (tx_buffer_size == 0) {
778             /* Prevent an endless loop. */
779             logout("loop in %s:%u\n", __FILE__, __LINE__);
780             break;
781         }
782         tbd_address += 8;
783         TRACE(RXTX, logout
784             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
785              tx_buffer_address, tx_buffer_size));
786         tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
787         pci_dma_read(&s->dev, tx_buffer_address, &buf[size], tx_buffer_size);
788         size += tx_buffer_size;
789     }
790     if (tbd_array == 0xffffffff) {
791         /* Simplified mode. Was already handled by code above. */
792     } else {
793         /* Flexible mode. */
794         uint8_t tbd_count = 0;
795         if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
796             /* Extended Flexible TCB. */
797             for (; tbd_count < 2; tbd_count++) {
798                 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
799                                                             tbd_address);
800                 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
801                                                           tbd_address + 4);
802                 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
803                                                         tbd_address + 6);
804                 tbd_address += 8;
805                 TRACE(RXTX, logout
806                     ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
807                      tx_buffer_address, tx_buffer_size));
808                 tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
809                 pci_dma_read(&s->dev, tx_buffer_address,
810                              &buf[size], tx_buffer_size);
811                 size += tx_buffer_size;
812                 if (tx_buffer_el & 1) {
813                     break;
814                 }
815             }
816         }
817         tbd_address = tbd_array;
818         for (; tbd_count < s->tx.tbd_count; tbd_count++) {
819             uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
820             uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
821             uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
822             tbd_address += 8;
823             TRACE(RXTX, logout
824                 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
825                  tx_buffer_address, tx_buffer_size));
826             tx_buffer_size = MIN(tx_buffer_size, sizeof(buf) - size);
827             pci_dma_read(&s->dev, tx_buffer_address,
828                          &buf[size], tx_buffer_size);
829             size += tx_buffer_size;
830             if (tx_buffer_el & 1) {
831                 break;
832             }
833         }
834     }
835     TRACE(RXTX, logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size)));
836     qemu_send_packet(qemu_get_queue(s->nic), buf, size);
837     s->statistics.tx_good_frames++;
838     /* Transmit with bad status would raise an CX/TNO interrupt.
839      * (82557 only). Emulation never has bad status. */
840 #if 0
841     eepro100_cx_interrupt(s);
842 #endif
843 }
844 
845 static void set_multicast_list(EEPRO100State *s)
846 {
847     uint16_t multicast_count = s->tx.tbd_array_addr & BITS(13, 0);
848     uint16_t i;
849     memset(&s->mult[0], 0, sizeof(s->mult));
850     TRACE(OTHER, logout("multicast list, multicast count = %u\n", multicast_count));
851     for (i = 0; i < multicast_count; i += 6) {
852         uint8_t multicast_addr[6];
853         pci_dma_read(&s->dev, s->cb_address + 10 + i, multicast_addr, 6);
854         TRACE(OTHER, logout("multicast entry %s\n", nic_dump(multicast_addr, 6)));
855         unsigned mcast_idx = e100_compute_mcast_idx(multicast_addr);
856         assert(mcast_idx < 64);
857         s->mult[mcast_idx >> 3] |= (1 << (mcast_idx & 7));
858     }
859 }
860 
861 static void action_command(EEPRO100State *s)
862 {
863     /* The loop below won't stop if it gets special handcrafted data.
864        Therefore we limit the number of iterations. */
865     unsigned max_loop_count = 16;
866 
867     for (;;) {
868         bool bit_el;
869         bool bit_s;
870         bool bit_i;
871         bool bit_nc;
872         uint16_t ok_status = STATUS_OK;
873         s->cb_address = s->cu_base + s->cu_offset;
874         read_cb(s);
875         bit_el = ((s->tx.command & COMMAND_EL) != 0);
876         bit_s = ((s->tx.command & COMMAND_S) != 0);
877         bit_i = ((s->tx.command & COMMAND_I) != 0);
878         bit_nc = ((s->tx.command & COMMAND_NC) != 0);
879 #if 0
880         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
881 #endif
882 
883         if (max_loop_count-- == 0) {
884             /* Prevent an endless loop. */
885             logout("loop in %s:%u\n", __FILE__, __LINE__);
886             break;
887         }
888 
889         s->cu_offset = s->tx.link;
890         TRACE(OTHER,
891               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
892                      s->tx.status, s->tx.command, s->tx.link));
893         switch (s->tx.command & COMMAND_CMD) {
894         case CmdNOp:
895             /* Do nothing. */
896             break;
897         case CmdIASetup:
898             pci_dma_read(&s->dev, s->cb_address + 8, &s->conf.macaddr.a[0], 6);
899             TRACE(OTHER, logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6)));
900             break;
901         case CmdConfigure:
902             pci_dma_read(&s->dev, s->cb_address + 8,
903                          &s->configuration[0], sizeof(s->configuration));
904             TRACE(OTHER, logout("configuration: %s\n",
905                                 nic_dump(&s->configuration[0], 16)));
906             TRACE(OTHER, logout("configuration: %s\n",
907                                 nic_dump(&s->configuration[16],
908                                 ARRAY_SIZE(s->configuration) - 16)));
909             if (s->configuration[20] & BIT(6)) {
910                 TRACE(OTHER, logout("Multiple IA bit\n"));
911             }
912             break;
913         case CmdMulticastList:
914             set_multicast_list(s);
915             break;
916         case CmdTx:
917             if (bit_nc) {
918                 missing("CmdTx: NC = 0");
919                 ok_status = 0;
920                 break;
921             }
922             tx_command(s);
923             break;
924         case CmdTDR:
925             TRACE(OTHER, logout("load microcode\n"));
926             /* Starting with offset 8, the command contains
927              * 64 dwords microcode which we just ignore here. */
928             break;
929         case CmdDiagnose:
930             TRACE(OTHER, logout("diagnose\n"));
931             /* Make sure error flag is not set. */
932             s->tx.status = 0;
933             break;
934         default:
935             missing("undefined command");
936             ok_status = 0;
937             break;
938         }
939         /* Write new status. */
940         stw_le_pci_dma(&s->dev, s->cb_address,
941                        s->tx.status | ok_status | STATUS_C);
942         if (bit_i) {
943             /* CU completed action. */
944             eepro100_cx_interrupt(s);
945         }
946         if (bit_el) {
947             /* CU becomes idle. Terminate command loop. */
948             set_cu_state(s, cu_idle);
949             eepro100_cna_interrupt(s);
950             break;
951         } else if (bit_s) {
952             /* CU becomes suspended. Terminate command loop. */
953             set_cu_state(s, cu_suspended);
954             eepro100_cna_interrupt(s);
955             break;
956         } else {
957             /* More entries in list. */
958             TRACE(OTHER, logout("CU list with at least one more entry\n"));
959         }
960     }
961     TRACE(OTHER, logout("CU list empty\n"));
962     /* List is empty. Now CU is idle or suspended. */
963 }
964 
965 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
966 {
967     cu_state_t cu_state;
968     switch (val) {
969     case CU_NOP:
970         /* No operation. */
971         break;
972     case CU_START:
973         cu_state = get_cu_state(s);
974         if (cu_state != cu_idle && cu_state != cu_suspended) {
975             /* Intel documentation says that CU must be idle or suspended
976              * for the CU start command. */
977             logout("unexpected CU state is %u\n", cu_state);
978         }
979         set_cu_state(s, cu_active);
980         s->cu_offset = e100_read_reg4(s, SCBPointer);
981         action_command(s);
982         break;
983     case CU_RESUME:
984         if (get_cu_state(s) != cu_suspended) {
985             logout("bad CU resume from CU state %u\n", get_cu_state(s));
986             /* Workaround for bad Linux eepro100 driver which resumes
987              * from idle state. */
988 #if 0
989             missing("cu resume");
990 #endif
991             set_cu_state(s, cu_suspended);
992         }
993         if (get_cu_state(s) == cu_suspended) {
994             TRACE(OTHER, logout("CU resuming\n"));
995             set_cu_state(s, cu_active);
996             action_command(s);
997         }
998         break;
999     case CU_STATSADDR:
1000         /* Load dump counters address. */
1001         s->statsaddr = e100_read_reg4(s, SCBPointer);
1002         TRACE(OTHER, logout("val=0x%02x (dump counters address)\n", val));
1003         if (s->statsaddr & 3) {
1004             /* Memory must be Dword aligned. */
1005             logout("unaligned dump counters address\n");
1006             /* Handling of misaligned addresses is undefined.
1007              * Here we align the address by ignoring the lower bits. */
1008             /* TODO: Test unaligned dump counter address on real hardware. */
1009             s->statsaddr &= ~3;
1010         }
1011         break;
1012     case CU_SHOWSTATS:
1013         /* Dump statistical counters. */
1014         TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
1015         dump_statistics(s);
1016         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
1017         break;
1018     case CU_CMD_BASE:
1019         /* Load CU base. */
1020         TRACE(OTHER, logout("val=0x%02x (CU base address)\n", val));
1021         s->cu_base = e100_read_reg4(s, SCBPointer);
1022         break;
1023     case CU_DUMPSTATS:
1024         /* Dump and reset statistical counters. */
1025         TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
1026         dump_statistics(s);
1027         stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
1028         memset(&s->statistics, 0, sizeof(s->statistics));
1029         break;
1030     case CU_SRESUME:
1031         /* CU static resume. */
1032         missing("CU static resume");
1033         break;
1034     default:
1035         missing("Undefined CU command");
1036     }
1037 }
1038 
1039 static void eepro100_ru_command(EEPRO100State * s, uint8_t val)
1040 {
1041     switch (val) {
1042     case RU_NOP:
1043         /* No operation. */
1044         break;
1045     case RX_START:
1046         /* RU start. */
1047         if (get_ru_state(s) != ru_idle) {
1048             logout("RU state is %u, should be %u\n", get_ru_state(s), ru_idle);
1049 #if 0
1050             assert(!"wrong RU state");
1051 #endif
1052         }
1053         set_ru_state(s, ru_ready);
1054         s->ru_offset = e100_read_reg4(s, SCBPointer);
1055         qemu_flush_queued_packets(qemu_get_queue(s->nic));
1056         TRACE(OTHER, logout("val=0x%02x (rx start)\n", val));
1057         break;
1058     case RX_RESUME:
1059         /* Restart RU. */
1060         if (get_ru_state(s) != ru_suspended) {
1061             logout("RU state is %u, should be %u\n", get_ru_state(s),
1062                    ru_suspended);
1063 #if 0
1064             assert(!"wrong RU state");
1065 #endif
1066         }
1067         set_ru_state(s, ru_ready);
1068         break;
1069     case RU_ABORT:
1070         /* RU abort. */
1071         if (get_ru_state(s) == ru_ready) {
1072             eepro100_rnr_interrupt(s);
1073         }
1074         set_ru_state(s, ru_idle);
1075         break;
1076     case RX_ADDR_LOAD:
1077         /* Load RU base. */
1078         TRACE(OTHER, logout("val=0x%02x (RU base address)\n", val));
1079         s->ru_base = e100_read_reg4(s, SCBPointer);
1080         break;
1081     default:
1082         logout("val=0x%02x (undefined RU command)\n", val);
1083         missing("Undefined SU command");
1084     }
1085 }
1086 
1087 static void eepro100_write_command(EEPRO100State * s, uint8_t val)
1088 {
1089     eepro100_ru_command(s, val & 0x0f);
1090     eepro100_cu_command(s, val & 0xf0);
1091     if ((val) == 0) {
1092         TRACE(OTHER, logout("val=0x%02x\n", val));
1093     }
1094     /* Clear command byte after command was accepted. */
1095     s->mem[SCBCmd] = 0;
1096 }
1097 
1098 /*****************************************************************************
1099  *
1100  * EEPROM emulation.
1101  *
1102  ****************************************************************************/
1103 
1104 #define EEPROM_CS       0x02
1105 #define EEPROM_SK       0x01
1106 #define EEPROM_DI       0x04
1107 #define EEPROM_DO       0x08
1108 
1109 static uint16_t eepro100_read_eeprom(EEPRO100State * s)
1110 {
1111     uint16_t val = e100_read_reg2(s, SCBeeprom);
1112     if (eeprom93xx_read(s->eeprom)) {
1113         val |= EEPROM_DO;
1114     } else {
1115         val &= ~EEPROM_DO;
1116     }
1117     TRACE(EEPROM, logout("val=0x%04x\n", val));
1118     return val;
1119 }
1120 
1121 static void eepro100_write_eeprom(eeprom_t * eeprom, uint8_t val)
1122 {
1123     TRACE(EEPROM, logout("val=0x%02x\n", val));
1124 
1125     /* mask unwritable bits */
1126 #if 0
1127     val = SET_MASKED(val, 0x31, eeprom->value);
1128 #endif
1129 
1130     int eecs = ((val & EEPROM_CS) != 0);
1131     int eesk = ((val & EEPROM_SK) != 0);
1132     int eedi = ((val & EEPROM_DI) != 0);
1133     eeprom93xx_write(eeprom, eecs, eesk, eedi);
1134 }
1135 
1136 /*****************************************************************************
1137  *
1138  * MDI emulation.
1139  *
1140  ****************************************************************************/
1141 
1142 #if defined(DEBUG_EEPRO100)
1143 static const char * const mdi_op_name[] = {
1144     "opcode 0",
1145     "write",
1146     "read",
1147     "opcode 3"
1148 };
1149 
1150 static const char * const mdi_reg_name[] = {
1151     "Control",
1152     "Status",
1153     "PHY Identification (Word 1)",
1154     "PHY Identification (Word 2)",
1155     "Auto-Negotiation Advertisement",
1156     "Auto-Negotiation Link Partner Ability",
1157     "Auto-Negotiation Expansion"
1158 };
1159 
1160 static const char *reg2name(uint8_t reg)
1161 {
1162     static char buffer[10];
1163     const char *p = buffer;
1164     if (reg < ARRAY_SIZE(mdi_reg_name)) {
1165         p = mdi_reg_name[reg];
1166     } else {
1167         snprintf(buffer, sizeof(buffer), "reg=0x%02x", reg);
1168     }
1169     return p;
1170 }
1171 #endif                          /* DEBUG_EEPRO100 */
1172 
1173 static uint32_t eepro100_read_mdi(EEPRO100State * s)
1174 {
1175     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1176 
1177 #ifdef DEBUG_EEPRO100
1178     uint8_t raiseint = (val & BIT(29)) >> 29;
1179     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1180     uint8_t phy = (val & BITS(25, 21)) >> 21;
1181     uint8_t reg = (val & BITS(20, 16)) >> 16;
1182     uint16_t data = (val & BITS(15, 0));
1183 #endif
1184     /* Emulation takes no time to finish MDI transaction. */
1185     val |= BIT(28);
1186     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1187                       val, raiseint, mdi_op_name[opcode], phy,
1188                       reg2name(reg), data));
1189     return val;
1190 }
1191 
1192 static void eepro100_write_mdi(EEPRO100State *s)
1193 {
1194     uint32_t val = e100_read_reg4(s, SCBCtrlMDI);
1195     uint8_t raiseint = (val & BIT(29)) >> 29;
1196     uint8_t opcode = (val & BITS(27, 26)) >> 26;
1197     uint8_t phy = (val & BITS(25, 21)) >> 21;
1198     uint8_t reg = (val & BITS(20, 16)) >> 16;
1199     uint16_t data = (val & BITS(15, 0));
1200     TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1201           val, raiseint, mdi_op_name[opcode], phy, reg2name(reg), data));
1202     if (phy != 1) {
1203         /* Unsupported PHY address. */
1204 #if 0
1205         logout("phy must be 1 but is %u\n", phy);
1206 #endif
1207         data = 0;
1208     } else if (opcode != 1 && opcode != 2) {
1209         /* Unsupported opcode. */
1210         logout("opcode must be 1 or 2 but is %u\n", opcode);
1211         data = 0;
1212     } else if (reg > 6) {
1213         /* Unsupported register. */
1214         logout("register must be 0...6 but is %u\n", reg);
1215         data = 0;
1216     } else {
1217         TRACE(MDI, logout("val=0x%08x (int=%u, %s, phy=%u, %s, data=0x%04x\n",
1218                           val, raiseint, mdi_op_name[opcode], phy,
1219                           reg2name(reg), data));
1220         if (opcode == 1) {
1221             /* MDI write */
1222             switch (reg) {
1223             case 0:            /* Control Register */
1224                 if (data & 0x8000) {
1225                     /* Reset status and control registers to default. */
1226                     s->mdimem[0] = eepro100_mdi_default[0];
1227                     s->mdimem[1] = eepro100_mdi_default[1];
1228                     data = s->mdimem[reg];
1229                 } else {
1230                     /* Restart Auto Configuration = Normal Operation */
1231                     data &= ~0x0200;
1232                 }
1233                 break;
1234             case 1:            /* Status Register */
1235                 missing("not writable");
1236                 break;
1237             case 2:            /* PHY Identification Register (Word 1) */
1238             case 3:            /* PHY Identification Register (Word 2) */
1239                 missing("not implemented");
1240                 break;
1241             case 4:            /* Auto-Negotiation Advertisement Register */
1242             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1243                 break;
1244             case 6:            /* Auto-Negotiation Expansion Register */
1245             default:
1246                 missing("not implemented");
1247             }
1248             s->mdimem[reg] &= eepro100_mdi_mask[reg];
1249             s->mdimem[reg] |= data & ~eepro100_mdi_mask[reg];
1250         } else if (opcode == 2) {
1251             /* MDI read */
1252             switch (reg) {
1253             case 0:            /* Control Register */
1254                 if (data & 0x8000) {
1255                     /* Reset status and control registers to default. */
1256                     s->mdimem[0] = eepro100_mdi_default[0];
1257                     s->mdimem[1] = eepro100_mdi_default[1];
1258                 }
1259                 break;
1260             case 1:            /* Status Register */
1261                 s->mdimem[reg] |= 0x0020;
1262                 break;
1263             case 2:            /* PHY Identification Register (Word 1) */
1264             case 3:            /* PHY Identification Register (Word 2) */
1265             case 4:            /* Auto-Negotiation Advertisement Register */
1266                 break;
1267             case 5:            /* Auto-Negotiation Link Partner Ability Register */
1268                 s->mdimem[reg] = 0x41fe;
1269                 break;
1270             case 6:            /* Auto-Negotiation Expansion Register */
1271                 s->mdimem[reg] = 0x0001;
1272                 break;
1273             }
1274             data = s->mdimem[reg];
1275         }
1276         /* Emulation takes no time to finish MDI transaction.
1277          * Set MDI bit in SCB status register. */
1278         s->mem[SCBAck] |= 0x08;
1279         val |= BIT(28);
1280         if (raiseint) {
1281             eepro100_mdi_interrupt(s);
1282         }
1283     }
1284     val = (val & 0xffff0000) + data;
1285     e100_write_reg4(s, SCBCtrlMDI, val);
1286 }
1287 
1288 /*****************************************************************************
1289  *
1290  * Port emulation.
1291  *
1292  ****************************************************************************/
1293 
1294 #define PORT_SOFTWARE_RESET     0
1295 #define PORT_SELFTEST           1
1296 #define PORT_SELECTIVE_RESET    2
1297 #define PORT_DUMP               3
1298 #define PORT_SELECTION_MASK     3
1299 
1300 typedef struct {
1301     uint32_t st_sign;           /* Self Test Signature */
1302     uint32_t st_result;         /* Self Test Results */
1303 } eepro100_selftest_t;
1304 
1305 static uint32_t eepro100_read_port(EEPRO100State * s)
1306 {
1307     return 0;
1308 }
1309 
1310 static void eepro100_write_port(EEPRO100State *s)
1311 {
1312     uint32_t val = e100_read_reg4(s, SCBPort);
1313     uint32_t address = (val & ~PORT_SELECTION_MASK);
1314     uint8_t selection = (val & PORT_SELECTION_MASK);
1315     switch (selection) {
1316     case PORT_SOFTWARE_RESET:
1317         nic_reset(s);
1318         break;
1319     case PORT_SELFTEST:
1320         TRACE(OTHER, logout("selftest address=0x%08x\n", address));
1321         eepro100_selftest_t data;
1322         pci_dma_read(&s->dev, address, (uint8_t *) &data, sizeof(data));
1323         data.st_sign = 0xffffffff;
1324         data.st_result = 0;
1325         pci_dma_write(&s->dev, address, (uint8_t *) &data, sizeof(data));
1326         break;
1327     case PORT_SELECTIVE_RESET:
1328         TRACE(OTHER, logout("selective reset, selftest address=0x%08x\n", address));
1329         nic_selective_reset(s);
1330         break;
1331     default:
1332         logout("val=0x%08x\n", val);
1333         missing("unknown port selection");
1334     }
1335 }
1336 
1337 /*****************************************************************************
1338  *
1339  * General hardware emulation.
1340  *
1341  ****************************************************************************/
1342 
1343 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
1344 {
1345     uint8_t val = 0;
1346     if (addr <= sizeof(s->mem) - sizeof(val)) {
1347         val = s->mem[addr];
1348     }
1349 
1350     switch (addr) {
1351     case SCBStatus:
1352     case SCBAck:
1353         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1354         break;
1355     case SCBCmd:
1356         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1357 #if 0
1358         val = eepro100_read_command(s);
1359 #endif
1360         break;
1361     case SCBIntmask:
1362         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1363         break;
1364     case SCBPort + 3:
1365         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1366         break;
1367     case SCBeeprom:
1368         val = eepro100_read_eeprom(s);
1369         break;
1370     case SCBCtrlMDI:
1371     case SCBCtrlMDI + 1:
1372     case SCBCtrlMDI + 2:
1373     case SCBCtrlMDI + 3:
1374         val = (uint8_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1375         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1376         break;
1377     case SCBpmdr:       /* Power Management Driver Register */
1378         val = 0;
1379         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1380         break;
1381     case SCBgctrl:      /* General Control Register */
1382         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1383         break;
1384     case SCBgstat:      /* General Status Register */
1385         /* 100 Mbps full duplex, valid link */
1386         val = 0x07;
1387         TRACE(OTHER, logout("addr=General Status val=%02x\n", val));
1388         break;
1389     default:
1390         logout("addr=%s val=0x%02x\n", regname(addr), val);
1391         missing("unknown byte read");
1392     }
1393     return val;
1394 }
1395 
1396 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
1397 {
1398     uint16_t val = 0;
1399     if (addr <= sizeof(s->mem) - sizeof(val)) {
1400         val = e100_read_reg2(s, addr);
1401     }
1402 
1403     switch (addr) {
1404     case SCBStatus:
1405     case SCBCmd:
1406         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1407         break;
1408     case SCBeeprom:
1409         val = eepro100_read_eeprom(s);
1410         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1411         break;
1412     case SCBCtrlMDI:
1413     case SCBCtrlMDI + 2:
1414         val = (uint16_t)(eepro100_read_mdi(s) >> (8 * (addr & 3)));
1415         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1416         break;
1417     default:
1418         logout("addr=%s val=0x%04x\n", regname(addr), val);
1419         missing("unknown word read");
1420     }
1421     return val;
1422 }
1423 
1424 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
1425 {
1426     uint32_t val = 0;
1427     if (addr <= sizeof(s->mem) - sizeof(val)) {
1428         val = e100_read_reg4(s, addr);
1429     }
1430 
1431     switch (addr) {
1432     case SCBStatus:
1433         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1434         break;
1435     case SCBPointer:
1436         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1437         break;
1438     case SCBPort:
1439         val = eepro100_read_port(s);
1440         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1441         break;
1442     case SCBflash:
1443         val = eepro100_read_eeprom(s);
1444         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1445         break;
1446     case SCBCtrlMDI:
1447         val = eepro100_read_mdi(s);
1448         break;
1449     default:
1450         logout("addr=%s val=0x%08x\n", regname(addr), val);
1451         missing("unknown longword read");
1452     }
1453     return val;
1454 }
1455 
1456 static void eepro100_write1(EEPRO100State * s, uint32_t addr, uint8_t val)
1457 {
1458     /* SCBStatus is readonly. */
1459     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1460         s->mem[addr] = val;
1461     }
1462 
1463     switch (addr) {
1464     case SCBStatus:
1465         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1466         break;
1467     case SCBAck:
1468         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1469         eepro100_acknowledge(s);
1470         break;
1471     case SCBCmd:
1472         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1473         eepro100_write_command(s, val);
1474         break;
1475     case SCBIntmask:
1476         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1477         if (val & BIT(1)) {
1478             eepro100_swi_interrupt(s);
1479         }
1480         eepro100_interrupt(s, 0);
1481         break;
1482     case SCBPointer:
1483     case SCBPointer + 1:
1484     case SCBPointer + 2:
1485     case SCBPointer + 3:
1486         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1487         break;
1488     case SCBPort:
1489     case SCBPort + 1:
1490     case SCBPort + 2:
1491         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1492         break;
1493     case SCBPort + 3:
1494         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1495         eepro100_write_port(s);
1496         break;
1497     case SCBFlow:       /* does not exist on 82557 */
1498     case SCBFlow + 1:
1499     case SCBFlow + 2:
1500     case SCBpmdr:       /* does not exist on 82557 */
1501         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1502         break;
1503     case SCBeeprom:
1504         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1505         eepro100_write_eeprom(s->eeprom, val);
1506         break;
1507     case SCBCtrlMDI:
1508     case SCBCtrlMDI + 1:
1509     case SCBCtrlMDI + 2:
1510         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1511         break;
1512     case SCBCtrlMDI + 3:
1513         TRACE(OTHER, logout("addr=%s val=0x%02x\n", regname(addr), val));
1514         eepro100_write_mdi(s);
1515         break;
1516     default:
1517         logout("addr=%s val=0x%02x\n", regname(addr), val);
1518         missing("unknown byte write");
1519     }
1520 }
1521 
1522 static void eepro100_write2(EEPRO100State * s, uint32_t addr, uint16_t val)
1523 {
1524     /* SCBStatus is readonly. */
1525     if (addr > SCBStatus && addr <= sizeof(s->mem) - sizeof(val)) {
1526         e100_write_reg2(s, addr, val);
1527     }
1528 
1529     switch (addr) {
1530     case SCBStatus:
1531         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1532         s->mem[SCBAck] = (val >> 8);
1533         eepro100_acknowledge(s);
1534         break;
1535     case SCBCmd:
1536         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1537         eepro100_write_command(s, val);
1538         eepro100_write1(s, SCBIntmask, val >> 8);
1539         break;
1540     case SCBPointer:
1541     case SCBPointer + 2:
1542         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1543         break;
1544     case SCBPort:
1545         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1546         break;
1547     case SCBPort + 2:
1548         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1549         eepro100_write_port(s);
1550         break;
1551     case SCBeeprom:
1552         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1553         eepro100_write_eeprom(s->eeprom, val);
1554         break;
1555     case SCBCtrlMDI:
1556         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1557         break;
1558     case SCBCtrlMDI + 2:
1559         TRACE(OTHER, logout("addr=%s val=0x%04x\n", regname(addr), val));
1560         eepro100_write_mdi(s);
1561         break;
1562     default:
1563         logout("addr=%s val=0x%04x\n", regname(addr), val);
1564         missing("unknown word write");
1565     }
1566 }
1567 
1568 static void eepro100_write4(EEPRO100State * s, uint32_t addr, uint32_t val)
1569 {
1570     if (addr <= sizeof(s->mem) - sizeof(val)) {
1571         e100_write_reg4(s, addr, val);
1572     }
1573 
1574     switch (addr) {
1575     case SCBPointer:
1576         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1577         break;
1578     case SCBPort:
1579         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1580         eepro100_write_port(s);
1581         break;
1582     case SCBflash:
1583         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1584         val = val >> 16;
1585         eepro100_write_eeprom(s->eeprom, val);
1586         break;
1587     case SCBCtrlMDI:
1588         TRACE(OTHER, logout("addr=%s val=0x%08x\n", regname(addr), val));
1589         eepro100_write_mdi(s);
1590         break;
1591     default:
1592         logout("addr=%s val=0x%08x\n", regname(addr), val);
1593         missing("unknown longword write");
1594     }
1595 }
1596 
1597 static uint64_t eepro100_read(void *opaque, hwaddr addr,
1598                               unsigned size)
1599 {
1600     EEPRO100State *s = opaque;
1601 
1602     switch (size) {
1603     case 1: return eepro100_read1(s, addr);
1604     case 2: return eepro100_read2(s, addr);
1605     case 4: return eepro100_read4(s, addr);
1606     default: abort();
1607     }
1608 }
1609 
1610 static void eepro100_write(void *opaque, hwaddr addr,
1611                            uint64_t data, unsigned size)
1612 {
1613     EEPRO100State *s = opaque;
1614 
1615     switch (size) {
1616     case 1:
1617         eepro100_write1(s, addr, data);
1618         break;
1619     case 2:
1620         eepro100_write2(s, addr, data);
1621         break;
1622     case 4:
1623         eepro100_write4(s, addr, data);
1624         break;
1625     default:
1626         abort();
1627     }
1628 }
1629 
1630 static const MemoryRegionOps eepro100_ops = {
1631     .read = eepro100_read,
1632     .write = eepro100_write,
1633     .endianness = DEVICE_LITTLE_ENDIAN,
1634 };
1635 
1636 static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
1637 {
1638     /* TODO:
1639      * - Magic packets should set bit 30 in power management driver register.
1640      * - Interesting packets should set bit 29 in power management driver register.
1641      */
1642     EEPRO100State *s = qemu_get_nic_opaque(nc);
1643     uint16_t rfd_status = 0xa000;
1644 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1645     uint8_t min_buf[60];
1646 #endif
1647     static const uint8_t broadcast_macaddr[6] =
1648         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1649 
1650 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
1651     /* Pad to minimum Ethernet frame length */
1652     if (size < sizeof(min_buf)) {
1653         memcpy(min_buf, buf, size);
1654         memset(&min_buf[size], 0, sizeof(min_buf) - size);
1655         buf = min_buf;
1656         size = sizeof(min_buf);
1657     }
1658 #endif
1659 
1660     if (s->configuration[8] & 0x80) {
1661         /* CSMA is disabled. */
1662         logout("%p received while CSMA is disabled\n", s);
1663         return -1;
1664 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1665     } else if (size < 64 && (s->configuration[7] & BIT(0))) {
1666         /* Short frame and configuration byte 7/0 (discard short receive) set:
1667          * Short frame is discarded */
1668         logout("%p received short frame (%zu byte)\n", s, size);
1669         s->statistics.rx_short_frame_errors++;
1670         return -1;
1671 #endif
1672     } else if ((size > MAX_ETH_FRAME_SIZE + 4) && !(s->configuration[18] & BIT(3))) {
1673         /* Long frame and configuration byte 18/3 (long receive ok) not set:
1674          * Long frames are discarded. */
1675         logout("%p received long frame (%zu byte), ignored\n", s, size);
1676         return -1;
1677     } else if (memcmp(buf, s->conf.macaddr.a, 6) == 0) {       /* !!! */
1678         /* Frame matches individual address. */
1679         /* TODO: check configuration byte 15/4 (ignore U/L). */
1680         TRACE(RXTX, logout("%p received frame for me, len=%zu\n", s, size));
1681     } else if (memcmp(buf, broadcast_macaddr, 6) == 0) {
1682         /* Broadcast frame. */
1683         TRACE(RXTX, logout("%p received broadcast, len=%zu\n", s, size));
1684         rfd_status |= 0x0002;
1685     } else if (buf[0] & 0x01) {
1686         /* Multicast frame. */
1687         TRACE(RXTX, logout("%p received multicast, len=%zu,%s\n", s, size, nic_dump(buf, size)));
1688         if (s->configuration[21] & BIT(3)) {
1689           /* Multicast all bit is set, receive all multicast frames. */
1690         } else {
1691           unsigned mcast_idx = e100_compute_mcast_idx(buf);
1692           assert(mcast_idx < 64);
1693           if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1694             /* Multicast frame is allowed in hash table. */
1695           } else if (s->configuration[15] & BIT(0)) {
1696               /* Promiscuous: receive all. */
1697               rfd_status |= 0x0004;
1698           } else {
1699               TRACE(RXTX, logout("%p multicast ignored\n", s));
1700               return -1;
1701           }
1702         }
1703         /* TODO: Next not for promiscuous mode? */
1704         rfd_status |= 0x0002;
1705     } else if (s->configuration[15] & BIT(0)) {
1706         /* Promiscuous: receive all. */
1707         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
1708         rfd_status |= 0x0004;
1709     } else if (s->configuration[20] & BIT(6)) {
1710         /* Multiple IA bit set. */
1711         unsigned mcast_idx = compute_mcast_idx(buf);
1712         assert(mcast_idx < 64);
1713         if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
1714             TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
1715         } else {
1716             TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
1717             return -1;
1718         }
1719     } else {
1720         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
1721               nic_dump(buf, size)));
1722         return size;
1723     }
1724 
1725     if (get_ru_state(s) != ru_ready) {
1726         /* No resources available. */
1727         logout("no resources, state=%u\n", get_ru_state(s));
1728         /* TODO: RNR interrupt only at first failed frame? */
1729         eepro100_rnr_interrupt(s);
1730         s->statistics.rx_resource_errors++;
1731 #if 0
1732         assert(!"no resources");
1733 #endif
1734         return -1;
1735     }
1736     /* !!! */
1737     eepro100_rx_t rx;
1738     pci_dma_read(&s->dev, s->ru_base + s->ru_offset,
1739                  &rx, sizeof(eepro100_rx_t));
1740     uint16_t rfd_command = le16_to_cpu(rx.command);
1741     uint16_t rfd_size = le16_to_cpu(rx.size);
1742 
1743     if (size > rfd_size) {
1744         logout("Receive buffer (%" PRId16 " bytes) too small for data "
1745             "(%zu bytes); data truncated\n", rfd_size, size);
1746         size = rfd_size;
1747     }
1748 #if !defined(CONFIG_PAD_RECEIVED_FRAMES)
1749     if (size < 64) {
1750         rfd_status |= 0x0080;
1751     }
1752 #endif
1753     TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
1754           rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
1755     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1756                 offsetof(eepro100_rx_t, status), rfd_status);
1757     stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
1758                 offsetof(eepro100_rx_t, count), size);
1759     /* Early receive interrupt not supported. */
1760 #if 0
1761     eepro100_er_interrupt(s);
1762 #endif
1763     /* Receive CRC Transfer not supported. */
1764     if (s->configuration[18] & BIT(2)) {
1765         missing("Receive CRC Transfer");
1766         return -1;
1767     }
1768     /* TODO: check stripping enable bit. */
1769 #if 0
1770     assert(!(s->configuration[17] & BIT(0)));
1771 #endif
1772     pci_dma_write(&s->dev, s->ru_base + s->ru_offset +
1773                   sizeof(eepro100_rx_t), buf, size);
1774     s->statistics.rx_good_frames++;
1775     eepro100_fr_interrupt(s);
1776     s->ru_offset = le32_to_cpu(rx.link);
1777     if (rfd_command & COMMAND_EL) {
1778         /* EL bit is set, so this was the last frame. */
1779         logout("receive: Running out of frames\n");
1780         set_ru_state(s, ru_no_resources);
1781         eepro100_rnr_interrupt(s);
1782     }
1783     if (rfd_command & COMMAND_S) {
1784         /* S bit is set. */
1785         set_ru_state(s, ru_suspended);
1786     }
1787     return size;
1788 }
1789 
1790 static const VMStateDescription vmstate_eepro100 = {
1791     .version_id = 3,
1792     .minimum_version_id = 2,
1793     .fields = (VMStateField[]) {
1794         VMSTATE_PCI_DEVICE(dev, EEPRO100State),
1795         VMSTATE_UNUSED(32),
1796         VMSTATE_BUFFER(mult, EEPRO100State),
1797         VMSTATE_BUFFER(mem, EEPRO100State),
1798         /* Save all members of struct between scb_stat and mem. */
1799         VMSTATE_UINT8(scb_stat, EEPRO100State),
1800         VMSTATE_UINT8(int_stat, EEPRO100State),
1801         VMSTATE_UNUSED(3*4),
1802         VMSTATE_MACADDR(conf.macaddr, EEPRO100State),
1803         VMSTATE_UNUSED(19*4),
1804         VMSTATE_UINT16_ARRAY(mdimem, EEPRO100State, 32),
1805         /* The eeprom should be saved and restored by its own routines. */
1806         VMSTATE_UINT32(device, EEPRO100State),
1807         /* TODO check device. */
1808         VMSTATE_UINT32(cu_base, EEPRO100State),
1809         VMSTATE_UINT32(cu_offset, EEPRO100State),
1810         VMSTATE_UINT32(ru_base, EEPRO100State),
1811         VMSTATE_UINT32(ru_offset, EEPRO100State),
1812         VMSTATE_UINT32(statsaddr, EEPRO100State),
1813         /* Save eepro100_stats_t statistics. */
1814         VMSTATE_UINT32(statistics.tx_good_frames, EEPRO100State),
1815         VMSTATE_UINT32(statistics.tx_max_collisions, EEPRO100State),
1816         VMSTATE_UINT32(statistics.tx_late_collisions, EEPRO100State),
1817         VMSTATE_UINT32(statistics.tx_underruns, EEPRO100State),
1818         VMSTATE_UINT32(statistics.tx_lost_crs, EEPRO100State),
1819         VMSTATE_UINT32(statistics.tx_deferred, EEPRO100State),
1820         VMSTATE_UINT32(statistics.tx_single_collisions, EEPRO100State),
1821         VMSTATE_UINT32(statistics.tx_multiple_collisions, EEPRO100State),
1822         VMSTATE_UINT32(statistics.tx_total_collisions, EEPRO100State),
1823         VMSTATE_UINT32(statistics.rx_good_frames, EEPRO100State),
1824         VMSTATE_UINT32(statistics.rx_crc_errors, EEPRO100State),
1825         VMSTATE_UINT32(statistics.rx_alignment_errors, EEPRO100State),
1826         VMSTATE_UINT32(statistics.rx_resource_errors, EEPRO100State),
1827         VMSTATE_UINT32(statistics.rx_overrun_errors, EEPRO100State),
1828         VMSTATE_UINT32(statistics.rx_cdt_errors, EEPRO100State),
1829         VMSTATE_UINT32(statistics.rx_short_frame_errors, EEPRO100State),
1830         VMSTATE_UINT32(statistics.fc_xmt_pause, EEPRO100State),
1831         VMSTATE_UINT32(statistics.fc_rcv_pause, EEPRO100State),
1832         VMSTATE_UINT32(statistics.fc_rcv_unsupported, EEPRO100State),
1833         VMSTATE_UINT16(statistics.xmt_tco_frames, EEPRO100State),
1834         VMSTATE_UINT16(statistics.rcv_tco_frames, EEPRO100State),
1835         /* Configuration bytes. */
1836         VMSTATE_BUFFER(configuration, EEPRO100State),
1837         VMSTATE_END_OF_LIST()
1838     }
1839 };
1840 
1841 static void pci_nic_uninit(PCIDevice *pci_dev)
1842 {
1843     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1844 
1845     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
1846     g_free(s->vmstate);
1847     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
1848     qemu_del_nic(s->nic);
1849 }
1850 
1851 static NetClientInfo net_eepro100_info = {
1852     .type = NET_CLIENT_DRIVER_NIC,
1853     .size = sizeof(NICState),
1854     .receive = nic_receive,
1855 };
1856 
1857 static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
1858 {
1859     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
1860     E100PCIDeviceInfo *info = eepro100_get_class(s);
1861 
1862     TRACE(OTHER, logout("\n"));
1863 
1864     s->device = info->device;
1865 
1866     e100_pci_reset(s);
1867 
1868     /* Add 64 * 2 EEPROM. i82557 and i82558 support a 64 word EEPROM,
1869      * i82559 and later support 64 or 256 word EEPROM. */
1870     s->eeprom = eeprom93xx_new(&pci_dev->qdev, EEPROM_SIZE);
1871 
1872     /* Handler for memory-mapped I/O */
1873     memory_region_init_io(&s->mmio_bar, OBJECT(s), &eepro100_ops, s,
1874                           "eepro100-mmio", PCI_MEM_SIZE);
1875     pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->mmio_bar);
1876     memory_region_init_io(&s->io_bar, OBJECT(s), &eepro100_ops, s,
1877                           "eepro100-io", PCI_IO_SIZE);
1878     pci_register_bar(&s->dev, 1, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1879     /* FIXME: flash aliases to mmio?! */
1880     memory_region_init_io(&s->flash_bar, OBJECT(s), &eepro100_ops, s,
1881                           "eepro100-flash", PCI_FLASH_SIZE);
1882     pci_register_bar(&s->dev, 2, 0, &s->flash_bar);
1883 
1884     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1885     logout("macaddr: %s\n", nic_dump(&s->conf.macaddr.a[0], 6));
1886 
1887     nic_reset(s);
1888 
1889     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
1890                           object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
1891 
1892     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1893     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
1894 
1895     qemu_register_reset(nic_reset, s);
1896 
1897     s->vmstate = g_malloc(sizeof(vmstate_eepro100));
1898     memcpy(s->vmstate, &vmstate_eepro100, sizeof(vmstate_eepro100));
1899     s->vmstate->name = qemu_get_queue(s->nic)->model;
1900     vmstate_register(&pci_dev->qdev, -1, s->vmstate, s);
1901 }
1902 
1903 static void eepro100_instance_init(Object *obj)
1904 {
1905     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, PCI_DEVICE(obj));
1906     device_add_bootindex_property(obj, &s->conf.bootindex,
1907                                   "bootindex", "/ethernet-phy@0",
1908                                   DEVICE(s), NULL);
1909 }
1910 
1911 static E100PCIDeviceInfo e100_devices[] = {
1912     {
1913         .name = "i82550",
1914         .desc = "Intel i82550 Ethernet",
1915         .device = i82550,
1916         /* TODO: check device id. */
1917         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1918         /* Revision ID: 0x0c, 0x0d, 0x0e. */
1919         .revision = 0x0e,
1920         /* TODO: check size of statistical counters. */
1921         .stats_size = 80,
1922         /* TODO: check extended tcb support. */
1923         .has_extended_tcb_support = true,
1924         .power_management = true,
1925     },{
1926         .name = "i82551",
1927         .desc = "Intel i82551 Ethernet",
1928         .device = i82551,
1929         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
1930         /* Revision ID: 0x0f, 0x10. */
1931         .revision = 0x0f,
1932         /* TODO: check size of statistical counters. */
1933         .stats_size = 80,
1934         .has_extended_tcb_support = true,
1935         .power_management = true,
1936     },{
1937         .name = "i82557a",
1938         .desc = "Intel i82557A Ethernet",
1939         .device = i82557A,
1940         .device_id = PCI_DEVICE_ID_INTEL_82557,
1941         .revision = 0x01,
1942         .power_management = false,
1943     },{
1944         .name = "i82557b",
1945         .desc = "Intel i82557B Ethernet",
1946         .device = i82557B,
1947         .device_id = PCI_DEVICE_ID_INTEL_82557,
1948         .revision = 0x02,
1949         .power_management = false,
1950     },{
1951         .name = "i82557c",
1952         .desc = "Intel i82557C Ethernet",
1953         .device = i82557C,
1954         .device_id = PCI_DEVICE_ID_INTEL_82557,
1955         .revision = 0x03,
1956         .power_management = false,
1957     },{
1958         .name = "i82558a",
1959         .desc = "Intel i82558A Ethernet",
1960         .device = i82558A,
1961         .device_id = PCI_DEVICE_ID_INTEL_82557,
1962         .revision = 0x04,
1963         .stats_size = 76,
1964         .has_extended_tcb_support = true,
1965         .power_management = true,
1966     },{
1967         .name = "i82558b",
1968         .desc = "Intel i82558B Ethernet",
1969         .device = i82558B,
1970         .device_id = PCI_DEVICE_ID_INTEL_82557,
1971         .revision = 0x05,
1972         .stats_size = 76,
1973         .has_extended_tcb_support = true,
1974         .power_management = true,
1975     },{
1976         .name = "i82559a",
1977         .desc = "Intel i82559A Ethernet",
1978         .device = i82559A,
1979         .device_id = PCI_DEVICE_ID_INTEL_82557,
1980         .revision = 0x06,
1981         .stats_size = 80,
1982         .has_extended_tcb_support = true,
1983         .power_management = true,
1984     },{
1985         .name = "i82559b",
1986         .desc = "Intel i82559B Ethernet",
1987         .device = i82559B,
1988         .device_id = PCI_DEVICE_ID_INTEL_82557,
1989         .revision = 0x07,
1990         .stats_size = 80,
1991         .has_extended_tcb_support = true,
1992         .power_management = true,
1993     },{
1994         .name = "i82559c",
1995         .desc = "Intel i82559C Ethernet",
1996         .device = i82559C,
1997         .device_id = PCI_DEVICE_ID_INTEL_82557,
1998 #if 0
1999         .revision = 0x08,
2000 #endif
2001         /* TODO: Windows wants revision id 0x0c. */
2002         .revision = 0x0c,
2003 #if EEPROM_SIZE > 0
2004         .subsystem_vendor_id = PCI_VENDOR_ID_INTEL,
2005         .subsystem_id = 0x0040,
2006 #endif
2007         .stats_size = 80,
2008         .has_extended_tcb_support = true,
2009         .power_management = true,
2010     },{
2011         .name = "i82559er",
2012         .desc = "Intel i82559ER Ethernet",
2013         .device = i82559ER,
2014         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2015         .revision = 0x09,
2016         .stats_size = 80,
2017         .has_extended_tcb_support = true,
2018         .power_management = true,
2019     },{
2020         .name = "i82562",
2021         .desc = "Intel i82562 Ethernet",
2022         .device = i82562,
2023         /* TODO: check device id. */
2024         .device_id = PCI_DEVICE_ID_INTEL_82551IT,
2025         /* TODO: wrong revision id. */
2026         .revision = 0x0e,
2027         .stats_size = 80,
2028         .has_extended_tcb_support = true,
2029         .power_management = true,
2030     },{
2031         /* Toshiba Tecra 8200. */
2032         .name = "i82801",
2033         .desc = "Intel i82801 Ethernet",
2034         .device = i82801,
2035         .device_id = 0x2449,
2036         .revision = 0x03,
2037         .stats_size = 80,
2038         .has_extended_tcb_support = true,
2039         .power_management = true,
2040     }
2041 };
2042 
2043 static E100PCIDeviceInfo *eepro100_get_class_by_name(const char *typename)
2044 {
2045     E100PCIDeviceInfo *info = NULL;
2046     int i;
2047 
2048     /* This is admittedly awkward but also temporary.  QOM allows for
2049      * parameterized typing and for subclassing both of which would suitable
2050      * handle what's going on here.  But class_data is already being used as
2051      * a stop-gap hack to allow incremental qdev conversion so we cannot use it
2052      * right now.  Once we merge the final QOM series, we can come back here and
2053      * do this in a much more elegant fashion.
2054      */
2055     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2056         if (strcmp(e100_devices[i].name, typename) == 0) {
2057             info = &e100_devices[i];
2058             break;
2059         }
2060     }
2061     assert(info != NULL);
2062 
2063     return info;
2064 }
2065 
2066 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s)
2067 {
2068     return eepro100_get_class_by_name(object_get_typename(OBJECT(s)));
2069 }
2070 
2071 static Property e100_properties[] = {
2072     DEFINE_NIC_PROPERTIES(EEPRO100State, conf),
2073     DEFINE_PROP_END_OF_LIST(),
2074 };
2075 
2076 static void eepro100_class_init(ObjectClass *klass, void *data)
2077 {
2078     DeviceClass *dc = DEVICE_CLASS(klass);
2079     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2080     E100PCIDeviceInfo *info;
2081 
2082     info = eepro100_get_class_by_name(object_class_get_name(klass));
2083 
2084     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
2085     dc->props = e100_properties;
2086     dc->desc = info->desc;
2087     k->vendor_id = PCI_VENDOR_ID_INTEL;
2088     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
2089     k->romfile = "pxe-eepro100.rom";
2090     k->realize = e100_nic_realize;
2091     k->exit = pci_nic_uninit;
2092     k->device_id = info->device_id;
2093     k->revision = info->revision;
2094     k->subsystem_vendor_id = info->subsystem_vendor_id;
2095     k->subsystem_id = info->subsystem_id;
2096 }
2097 
2098 static void eepro100_register_types(void)
2099 {
2100     size_t i;
2101     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
2102         TypeInfo type_info = {};
2103         E100PCIDeviceInfo *info = &e100_devices[i];
2104 
2105         type_info.name = info->name;
2106         type_info.parent = TYPE_PCI_DEVICE;
2107         type_info.class_init = eepro100_class_init;
2108         type_info.instance_size = sizeof(EEPRO100State);
2109         type_info.instance_init = eepro100_instance_init;
2110 
2111         type_register(&type_info);
2112     }
2113 }
2114 
2115 type_init(eepro100_register_types)
2116