xref: /openbmc/qemu/hw/net/lan9118.c (revision 52f2b8961409be834abaee5189bff2cc9e372851)
1 /*
2  * SMSC LAN9118 Ethernet interface emulation
3  *
4  * Copyright (c) 2009 CodeSourcery, LLC.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the GNU GPL v2
8  *
9  * Contributions after 2012-01-13 are licensed under the terms of the
10  * GNU GPL, version 2 or (at your option) any later version.
11  */
12 
13 #include "qemu/osdep.h"
14 #include "hw/sysbus.h"
15 #include "net/net.h"
16 #include "net/eth.h"
17 #include "hw/net/lan9118.h"
18 #include "sysemu/sysemu.h"
19 #include "hw/ptimer.h"
20 #include "qemu/log.h"
21 /* For crc32 */
22 #include <zlib.h>
23 
24 //#define DEBUG_LAN9118
25 
26 #ifdef DEBUG_LAN9118
27 #define DPRINTF(fmt, ...) \
28 do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
29 #define BADF(fmt, ...) \
30 do { hw_error("lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
31 #else
32 #define DPRINTF(fmt, ...) do {} while(0)
33 #define BADF(fmt, ...) \
34 do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
35 #endif
36 
37 #define CSR_ID_REV      0x50
38 #define CSR_IRQ_CFG     0x54
39 #define CSR_INT_STS     0x58
40 #define CSR_INT_EN      0x5c
41 #define CSR_BYTE_TEST   0x64
42 #define CSR_FIFO_INT    0x68
43 #define CSR_RX_CFG      0x6c
44 #define CSR_TX_CFG      0x70
45 #define CSR_HW_CFG      0x74
46 #define CSR_RX_DP_CTRL  0x78
47 #define CSR_RX_FIFO_INF 0x7c
48 #define CSR_TX_FIFO_INF 0x80
49 #define CSR_PMT_CTRL    0x84
50 #define CSR_GPIO_CFG    0x88
51 #define CSR_GPT_CFG     0x8c
52 #define CSR_GPT_CNT     0x90
53 #define CSR_WORD_SWAP   0x98
54 #define CSR_FREE_RUN    0x9c
55 #define CSR_RX_DROP     0xa0
56 #define CSR_MAC_CSR_CMD 0xa4
57 #define CSR_MAC_CSR_DATA 0xa8
58 #define CSR_AFC_CFG     0xac
59 #define CSR_E2P_CMD     0xb0
60 #define CSR_E2P_DATA    0xb4
61 
62 #define E2P_CMD_MAC_ADDR_LOADED 0x100
63 
64 /* IRQ_CFG */
65 #define IRQ_INT         0x00001000
66 #define IRQ_EN          0x00000100
67 #define IRQ_POL         0x00000010
68 #define IRQ_TYPE        0x00000001
69 
70 /* INT_STS/INT_EN */
71 #define SW_INT          0x80000000
72 #define TXSTOP_INT      0x02000000
73 #define RXSTOP_INT      0x01000000
74 #define RXDFH_INT       0x00800000
75 #define TX_IOC_INT      0x00200000
76 #define RXD_INT         0x00100000
77 #define GPT_INT         0x00080000
78 #define PHY_INT         0x00040000
79 #define PME_INT         0x00020000
80 #define TXSO_INT        0x00010000
81 #define RWT_INT         0x00008000
82 #define RXE_INT         0x00004000
83 #define TXE_INT         0x00002000
84 #define TDFU_INT        0x00000800
85 #define TDFO_INT        0x00000400
86 #define TDFA_INT        0x00000200
87 #define TSFF_INT        0x00000100
88 #define TSFL_INT        0x00000080
89 #define RXDF_INT        0x00000040
90 #define RDFL_INT        0x00000020
91 #define RSFF_INT        0x00000010
92 #define RSFL_INT        0x00000008
93 #define GPIO2_INT       0x00000004
94 #define GPIO1_INT       0x00000002
95 #define GPIO0_INT       0x00000001
96 #define RESERVED_INT    0x7c001000
97 
98 #define MAC_CR          1
99 #define MAC_ADDRH       2
100 #define MAC_ADDRL       3
101 #define MAC_HASHH       4
102 #define MAC_HASHL       5
103 #define MAC_MII_ACC     6
104 #define MAC_MII_DATA    7
105 #define MAC_FLOW        8
106 #define MAC_VLAN1       9 /* TODO */
107 #define MAC_VLAN2       10 /* TODO */
108 #define MAC_WUFF        11 /* TODO */
109 #define MAC_WUCSR       12 /* TODO */
110 
111 #define MAC_CR_RXALL    0x80000000
112 #define MAC_CR_RCVOWN   0x00800000
113 #define MAC_CR_LOOPBK   0x00200000
114 #define MAC_CR_FDPX     0x00100000
115 #define MAC_CR_MCPAS    0x00080000
116 #define MAC_CR_PRMS     0x00040000
117 #define MAC_CR_INVFILT  0x00020000
118 #define MAC_CR_PASSBAD  0x00010000
119 #define MAC_CR_HO       0x00008000
120 #define MAC_CR_HPFILT   0x00002000
121 #define MAC_CR_LCOLL    0x00001000
122 #define MAC_CR_BCAST    0x00000800
123 #define MAC_CR_DISRTY   0x00000400
124 #define MAC_CR_PADSTR   0x00000100
125 #define MAC_CR_BOLMT    0x000000c0
126 #define MAC_CR_DFCHK    0x00000020
127 #define MAC_CR_TXEN     0x00000008
128 #define MAC_CR_RXEN     0x00000004
129 #define MAC_CR_RESERVED 0x7f404213
130 
131 #define PHY_INT_ENERGYON            0x80
132 #define PHY_INT_AUTONEG_COMPLETE    0x40
133 #define PHY_INT_FAULT               0x20
134 #define PHY_INT_DOWN                0x10
135 #define PHY_INT_AUTONEG_LP          0x08
136 #define PHY_INT_PARFAULT            0x04
137 #define PHY_INT_AUTONEG_PAGE        0x02
138 
139 #define GPT_TIMER_EN    0x20000000
140 
141 enum tx_state {
142     TX_IDLE,
143     TX_B,
144     TX_DATA
145 };
146 
147 typedef struct {
148     /* state is a tx_state but we can't put enums in VMStateDescriptions. */
149     uint32_t state;
150     uint32_t cmd_a;
151     uint32_t cmd_b;
152     int32_t buffer_size;
153     int32_t offset;
154     int32_t pad;
155     int32_t fifo_used;
156     int32_t len;
157     uint8_t data[2048];
158 } LAN9118Packet;
159 
160 static const VMStateDescription vmstate_lan9118_packet = {
161     .name = "lan9118_packet",
162     .version_id = 1,
163     .minimum_version_id = 1,
164     .fields = (VMStateField[]) {
165         VMSTATE_UINT32(state, LAN9118Packet),
166         VMSTATE_UINT32(cmd_a, LAN9118Packet),
167         VMSTATE_UINT32(cmd_b, LAN9118Packet),
168         VMSTATE_INT32(buffer_size, LAN9118Packet),
169         VMSTATE_INT32(offset, LAN9118Packet),
170         VMSTATE_INT32(pad, LAN9118Packet),
171         VMSTATE_INT32(fifo_used, LAN9118Packet),
172         VMSTATE_INT32(len, LAN9118Packet),
173         VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048),
174         VMSTATE_END_OF_LIST()
175     }
176 };
177 
178 #define LAN9118(obj) OBJECT_CHECK(lan9118_state, (obj), TYPE_LAN9118)
179 
180 typedef struct {
181     SysBusDevice parent_obj;
182 
183     NICState *nic;
184     NICConf conf;
185     qemu_irq irq;
186     MemoryRegion mmio;
187     ptimer_state *timer;
188 
189     uint32_t irq_cfg;
190     uint32_t int_sts;
191     uint32_t int_en;
192     uint32_t fifo_int;
193     uint32_t rx_cfg;
194     uint32_t tx_cfg;
195     uint32_t hw_cfg;
196     uint32_t pmt_ctrl;
197     uint32_t gpio_cfg;
198     uint32_t gpt_cfg;
199     uint32_t word_swap;
200     uint32_t free_timer_start;
201     uint32_t mac_cmd;
202     uint32_t mac_data;
203     uint32_t afc_cfg;
204     uint32_t e2p_cmd;
205     uint32_t e2p_data;
206 
207     uint32_t mac_cr;
208     uint32_t mac_hashh;
209     uint32_t mac_hashl;
210     uint32_t mac_mii_acc;
211     uint32_t mac_mii_data;
212     uint32_t mac_flow;
213 
214     uint32_t phy_status;
215     uint32_t phy_control;
216     uint32_t phy_advertise;
217     uint32_t phy_int;
218     uint32_t phy_int_mask;
219 
220     int32_t eeprom_writable;
221     uint8_t eeprom[128];
222 
223     int32_t tx_fifo_size;
224     LAN9118Packet *txp;
225     LAN9118Packet tx_packet;
226 
227     int32_t tx_status_fifo_used;
228     int32_t tx_status_fifo_head;
229     uint32_t tx_status_fifo[512];
230 
231     int32_t rx_status_fifo_size;
232     int32_t rx_status_fifo_used;
233     int32_t rx_status_fifo_head;
234     uint32_t rx_status_fifo[896];
235     int32_t rx_fifo_size;
236     int32_t rx_fifo_used;
237     int32_t rx_fifo_head;
238     uint32_t rx_fifo[3360];
239     int32_t rx_packet_size_head;
240     int32_t rx_packet_size_tail;
241     int32_t rx_packet_size[1024];
242 
243     int32_t rxp_offset;
244     int32_t rxp_size;
245     int32_t rxp_pad;
246 
247     uint32_t write_word_prev_offset;
248     uint32_t write_word_n;
249     uint16_t write_word_l;
250     uint16_t write_word_h;
251     uint32_t read_word_prev_offset;
252     uint32_t read_word_n;
253     uint32_t read_long;
254 
255     uint32_t mode_16bit;
256 } lan9118_state;
257 
258 static const VMStateDescription vmstate_lan9118 = {
259     .name = "lan9118",
260     .version_id = 2,
261     .minimum_version_id = 1,
262     .fields = (VMStateField[]) {
263         VMSTATE_PTIMER(timer, lan9118_state),
264         VMSTATE_UINT32(irq_cfg, lan9118_state),
265         VMSTATE_UINT32(int_sts, lan9118_state),
266         VMSTATE_UINT32(int_en, lan9118_state),
267         VMSTATE_UINT32(fifo_int, lan9118_state),
268         VMSTATE_UINT32(rx_cfg, lan9118_state),
269         VMSTATE_UINT32(tx_cfg, lan9118_state),
270         VMSTATE_UINT32(hw_cfg, lan9118_state),
271         VMSTATE_UINT32(pmt_ctrl, lan9118_state),
272         VMSTATE_UINT32(gpio_cfg, lan9118_state),
273         VMSTATE_UINT32(gpt_cfg, lan9118_state),
274         VMSTATE_UINT32(word_swap, lan9118_state),
275         VMSTATE_UINT32(free_timer_start, lan9118_state),
276         VMSTATE_UINT32(mac_cmd, lan9118_state),
277         VMSTATE_UINT32(mac_data, lan9118_state),
278         VMSTATE_UINT32(afc_cfg, lan9118_state),
279         VMSTATE_UINT32(e2p_cmd, lan9118_state),
280         VMSTATE_UINT32(e2p_data, lan9118_state),
281         VMSTATE_UINT32(mac_cr, lan9118_state),
282         VMSTATE_UINT32(mac_hashh, lan9118_state),
283         VMSTATE_UINT32(mac_hashl, lan9118_state),
284         VMSTATE_UINT32(mac_mii_acc, lan9118_state),
285         VMSTATE_UINT32(mac_mii_data, lan9118_state),
286         VMSTATE_UINT32(mac_flow, lan9118_state),
287         VMSTATE_UINT32(phy_status, lan9118_state),
288         VMSTATE_UINT32(phy_control, lan9118_state),
289         VMSTATE_UINT32(phy_advertise, lan9118_state),
290         VMSTATE_UINT32(phy_int, lan9118_state),
291         VMSTATE_UINT32(phy_int_mask, lan9118_state),
292         VMSTATE_INT32(eeprom_writable, lan9118_state),
293         VMSTATE_UINT8_ARRAY(eeprom, lan9118_state, 128),
294         VMSTATE_INT32(tx_fifo_size, lan9118_state),
295         /* txp always points at tx_packet so need not be saved */
296         VMSTATE_STRUCT(tx_packet, lan9118_state, 0,
297                        vmstate_lan9118_packet, LAN9118Packet),
298         VMSTATE_INT32(tx_status_fifo_used, lan9118_state),
299         VMSTATE_INT32(tx_status_fifo_head, lan9118_state),
300         VMSTATE_UINT32_ARRAY(tx_status_fifo, lan9118_state, 512),
301         VMSTATE_INT32(rx_status_fifo_size, lan9118_state),
302         VMSTATE_INT32(rx_status_fifo_used, lan9118_state),
303         VMSTATE_INT32(rx_status_fifo_head, lan9118_state),
304         VMSTATE_UINT32_ARRAY(rx_status_fifo, lan9118_state, 896),
305         VMSTATE_INT32(rx_fifo_size, lan9118_state),
306         VMSTATE_INT32(rx_fifo_used, lan9118_state),
307         VMSTATE_INT32(rx_fifo_head, lan9118_state),
308         VMSTATE_UINT32_ARRAY(rx_fifo, lan9118_state, 3360),
309         VMSTATE_INT32(rx_packet_size_head, lan9118_state),
310         VMSTATE_INT32(rx_packet_size_tail, lan9118_state),
311         VMSTATE_INT32_ARRAY(rx_packet_size, lan9118_state, 1024),
312         VMSTATE_INT32(rxp_offset, lan9118_state),
313         VMSTATE_INT32(rxp_size, lan9118_state),
314         VMSTATE_INT32(rxp_pad, lan9118_state),
315         VMSTATE_UINT32_V(write_word_prev_offset, lan9118_state, 2),
316         VMSTATE_UINT32_V(write_word_n, lan9118_state, 2),
317         VMSTATE_UINT16_V(write_word_l, lan9118_state, 2),
318         VMSTATE_UINT16_V(write_word_h, lan9118_state, 2),
319         VMSTATE_UINT32_V(read_word_prev_offset, lan9118_state, 2),
320         VMSTATE_UINT32_V(read_word_n, lan9118_state, 2),
321         VMSTATE_UINT32_V(read_long, lan9118_state, 2),
322         VMSTATE_UINT32_V(mode_16bit, lan9118_state, 2),
323         VMSTATE_END_OF_LIST()
324     }
325 };
326 
327 static void lan9118_update(lan9118_state *s)
328 {
329     int level;
330 
331     /* TODO: Implement FIFO level IRQs.  */
332     level = (s->int_sts & s->int_en) != 0;
333     if (level) {
334         s->irq_cfg |= IRQ_INT;
335     } else {
336         s->irq_cfg &= ~IRQ_INT;
337     }
338     if ((s->irq_cfg & IRQ_EN) == 0) {
339         level = 0;
340     }
341     if ((s->irq_cfg & (IRQ_TYPE | IRQ_POL)) != (IRQ_TYPE | IRQ_POL)) {
342         /* Interrupt is active low unless we're configured as
343          * active-high polarity, push-pull type.
344          */
345         level = !level;
346     }
347     qemu_set_irq(s->irq, level);
348 }
349 
350 static void lan9118_mac_changed(lan9118_state *s)
351 {
352     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
353 }
354 
355 static void lan9118_reload_eeprom(lan9118_state *s)
356 {
357     int i;
358     if (s->eeprom[0] != 0xa5) {
359         s->e2p_cmd &= ~E2P_CMD_MAC_ADDR_LOADED;
360         DPRINTF("MACADDR load failed\n");
361         return;
362     }
363     for (i = 0; i < 6; i++) {
364         s->conf.macaddr.a[i] = s->eeprom[i + 1];
365     }
366     s->e2p_cmd |= E2P_CMD_MAC_ADDR_LOADED;
367     DPRINTF("MACADDR loaded from eeprom\n");
368     lan9118_mac_changed(s);
369 }
370 
371 static void phy_update_irq(lan9118_state *s)
372 {
373     if (s->phy_int & s->phy_int_mask) {
374         s->int_sts |= PHY_INT;
375     } else {
376         s->int_sts &= ~PHY_INT;
377     }
378     lan9118_update(s);
379 }
380 
381 static void phy_update_link(lan9118_state *s)
382 {
383     /* Autonegotiation status mirrors link status.  */
384     if (qemu_get_queue(s->nic)->link_down) {
385         s->phy_status &= ~0x0024;
386         s->phy_int |= PHY_INT_DOWN;
387     } else {
388         s->phy_status |= 0x0024;
389         s->phy_int |= PHY_INT_ENERGYON;
390         s->phy_int |= PHY_INT_AUTONEG_COMPLETE;
391     }
392     phy_update_irq(s);
393 }
394 
395 static void lan9118_set_link(NetClientState *nc)
396 {
397     phy_update_link(qemu_get_nic_opaque(nc));
398 }
399 
400 static void phy_reset(lan9118_state *s)
401 {
402     s->phy_status = 0x7809;
403     s->phy_control = 0x3000;
404     s->phy_advertise = 0x01e1;
405     s->phy_int_mask = 0;
406     s->phy_int = 0;
407     phy_update_link(s);
408 }
409 
410 static void lan9118_reset(DeviceState *d)
411 {
412     lan9118_state *s = LAN9118(d);
413 
414     s->irq_cfg &= (IRQ_TYPE | IRQ_POL);
415     s->int_sts = 0;
416     s->int_en = 0;
417     s->fifo_int = 0x48000000;
418     s->rx_cfg = 0;
419     s->tx_cfg = 0;
420     s->hw_cfg = s->mode_16bit ? 0x00050000 : 0x00050004;
421     s->pmt_ctrl &= 0x45;
422     s->gpio_cfg = 0;
423     s->txp->fifo_used = 0;
424     s->txp->state = TX_IDLE;
425     s->txp->cmd_a = 0xffffffffu;
426     s->txp->cmd_b = 0xffffffffu;
427     s->txp->len = 0;
428     s->txp->fifo_used = 0;
429     s->tx_fifo_size = 4608;
430     s->tx_status_fifo_used = 0;
431     s->rx_status_fifo_size = 704;
432     s->rx_fifo_size = 2640;
433     s->rx_fifo_used = 0;
434     s->rx_status_fifo_size = 176;
435     s->rx_status_fifo_used = 0;
436     s->rxp_offset = 0;
437     s->rxp_size = 0;
438     s->rxp_pad = 0;
439     s->rx_packet_size_tail = s->rx_packet_size_head;
440     s->rx_packet_size[s->rx_packet_size_head] = 0;
441     s->mac_cmd = 0;
442     s->mac_data = 0;
443     s->afc_cfg = 0;
444     s->e2p_cmd = 0;
445     s->e2p_data = 0;
446     s->free_timer_start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40;
447 
448     ptimer_stop(s->timer);
449     ptimer_set_count(s->timer, 0xffff);
450     s->gpt_cfg = 0xffff;
451 
452     s->mac_cr = MAC_CR_PRMS;
453     s->mac_hashh = 0;
454     s->mac_hashl = 0;
455     s->mac_mii_acc = 0;
456     s->mac_mii_data = 0;
457     s->mac_flow = 0;
458 
459     s->read_word_n = 0;
460     s->write_word_n = 0;
461 
462     phy_reset(s);
463 
464     s->eeprom_writable = 0;
465     lan9118_reload_eeprom(s);
466 }
467 
468 static void rx_fifo_push(lan9118_state *s, uint32_t val)
469 {
470     int fifo_pos;
471     fifo_pos = s->rx_fifo_head + s->rx_fifo_used;
472     if (fifo_pos >= s->rx_fifo_size)
473       fifo_pos -= s->rx_fifo_size;
474     s->rx_fifo[fifo_pos] = val;
475     s->rx_fifo_used++;
476 }
477 
478 /* Return nonzero if the packet is accepted by the filter.  */
479 static int lan9118_filter(lan9118_state *s, const uint8_t *addr)
480 {
481     int multicast;
482     uint32_t hash;
483 
484     if (s->mac_cr & MAC_CR_PRMS) {
485         return 1;
486     }
487     if (addr[0] == 0xff && addr[1] == 0xff && addr[2] == 0xff &&
488         addr[3] == 0xff && addr[4] == 0xff && addr[5] == 0xff) {
489         return (s->mac_cr & MAC_CR_BCAST) == 0;
490     }
491 
492     multicast = addr[0] & 1;
493     if (multicast &&s->mac_cr & MAC_CR_MCPAS) {
494         return 1;
495     }
496     if (multicast ? (s->mac_cr & MAC_CR_HPFILT) == 0
497                   : (s->mac_cr & MAC_CR_HO) == 0) {
498         /* Exact matching.  */
499         hash = memcmp(addr, s->conf.macaddr.a, 6);
500         if (s->mac_cr & MAC_CR_INVFILT) {
501             return hash != 0;
502         } else {
503             return hash == 0;
504         }
505     } else {
506         /* Hash matching  */
507         hash = net_crc32(addr, ETH_ALEN) >> 26;
508         if (hash & 0x20) {
509             return (s->mac_hashh >> (hash & 0x1f)) & 1;
510         } else {
511             return (s->mac_hashl >> (hash & 0x1f)) & 1;
512         }
513     }
514 }
515 
516 static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
517                                size_t size)
518 {
519     lan9118_state *s = qemu_get_nic_opaque(nc);
520     int fifo_len;
521     int offset;
522     int src_pos;
523     int n;
524     int filter;
525     uint32_t val;
526     uint32_t crc;
527     uint32_t status;
528 
529     if ((s->mac_cr & MAC_CR_RXEN) == 0) {
530         return -1;
531     }
532 
533     if (size >= 2048 || size < 14) {
534         return -1;
535     }
536 
537     /* TODO: Implement FIFO overflow notification.  */
538     if (s->rx_status_fifo_used == s->rx_status_fifo_size) {
539         return -1;
540     }
541 
542     filter = lan9118_filter(s, buf);
543     if (!filter && (s->mac_cr & MAC_CR_RXALL) == 0) {
544         return size;
545     }
546 
547     offset = (s->rx_cfg >> 8) & 0x1f;
548     n = offset & 3;
549     fifo_len = (size + n + 3) >> 2;
550     /* Add a word for the CRC.  */
551     fifo_len++;
552     if (s->rx_fifo_size - s->rx_fifo_used < fifo_len) {
553         return -1;
554     }
555 
556     DPRINTF("Got packet len:%d fifo:%d filter:%s\n",
557             (int)size, fifo_len, filter ? "pass" : "fail");
558     val = 0;
559     crc = bswap32(crc32(~0, buf, size));
560     for (src_pos = 0; src_pos < size; src_pos++) {
561         val = (val >> 8) | ((uint32_t)buf[src_pos] << 24);
562         n++;
563         if (n == 4) {
564             n = 0;
565             rx_fifo_push(s, val);
566             val = 0;
567         }
568     }
569     if (n) {
570         val >>= ((4 - n) * 8);
571         val |= crc << (n * 8);
572         rx_fifo_push(s, val);
573         val = crc >> ((4 - n) * 8);
574         rx_fifo_push(s, val);
575     } else {
576         rx_fifo_push(s, crc);
577     }
578     n = s->rx_status_fifo_head + s->rx_status_fifo_used;
579     if (n >= s->rx_status_fifo_size) {
580         n -= s->rx_status_fifo_size;
581     }
582     s->rx_packet_size[s->rx_packet_size_tail] = fifo_len;
583     s->rx_packet_size_tail = (s->rx_packet_size_tail + 1023) & 1023;
584     s->rx_status_fifo_used++;
585 
586     status = (size + 4) << 16;
587     if (buf[0] == 0xff && buf[1] == 0xff && buf[2] == 0xff &&
588         buf[3] == 0xff && buf[4] == 0xff && buf[5] == 0xff) {
589         status |= 0x00002000;
590     } else if (buf[0] & 1) {
591         status |= 0x00000400;
592     }
593     if (!filter) {
594         status |= 0x40000000;
595     }
596     s->rx_status_fifo[n] = status;
597 
598     if (s->rx_status_fifo_used > (s->fifo_int & 0xff)) {
599         s->int_sts |= RSFL_INT;
600     }
601     lan9118_update(s);
602 
603     return size;
604 }
605 
606 static uint32_t rx_fifo_pop(lan9118_state *s)
607 {
608     int n;
609     uint32_t val;
610 
611     if (s->rxp_size == 0 && s->rxp_pad == 0) {
612         s->rxp_size = s->rx_packet_size[s->rx_packet_size_head];
613         s->rx_packet_size[s->rx_packet_size_head] = 0;
614         if (s->rxp_size != 0) {
615             s->rx_packet_size_head = (s->rx_packet_size_head + 1023) & 1023;
616             s->rxp_offset = (s->rx_cfg >> 10) & 7;
617             n = s->rxp_offset + s->rxp_size;
618             switch (s->rx_cfg >> 30) {
619             case 1:
620                 n = (-n) & 3;
621                 break;
622             case 2:
623                 n = (-n) & 7;
624                 break;
625             default:
626                 n = 0;
627                 break;
628             }
629             s->rxp_pad = n;
630             DPRINTF("Pop packet size:%d offset:%d pad: %d\n",
631                     s->rxp_size, s->rxp_offset, s->rxp_pad);
632         }
633     }
634     if (s->rxp_offset > 0) {
635         s->rxp_offset--;
636         val = 0;
637     } else if (s->rxp_size > 0) {
638         s->rxp_size--;
639         val = s->rx_fifo[s->rx_fifo_head++];
640         if (s->rx_fifo_head >= s->rx_fifo_size) {
641             s->rx_fifo_head -= s->rx_fifo_size;
642         }
643         s->rx_fifo_used--;
644     } else if (s->rxp_pad > 0) {
645         s->rxp_pad--;
646         val =  0;
647     } else {
648         DPRINTF("RX underflow\n");
649         s->int_sts |= RXE_INT;
650         val =  0;
651     }
652     lan9118_update(s);
653     return val;
654 }
655 
656 static void do_tx_packet(lan9118_state *s)
657 {
658     int n;
659     uint32_t status;
660 
661     /* FIXME: Honor TX disable, and allow queueing of packets.  */
662     if (s->phy_control & 0x4000)  {
663         /* This assumes the receive routine doesn't touch the VLANClient.  */
664         lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
665     } else {
666         qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
667     }
668     s->txp->fifo_used = 0;
669 
670     if (s->tx_status_fifo_used == 512) {
671         /* Status FIFO full */
672         return;
673     }
674     /* Add entry to status FIFO.  */
675     status = s->txp->cmd_b & 0xffff0000u;
676     DPRINTF("Sent packet tag:%04x len %d\n", status >> 16, s->txp->len);
677     n = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
678     s->tx_status_fifo[n] = status;
679     s->tx_status_fifo_used++;
680     if (s->tx_status_fifo_used == 512) {
681         s->int_sts |= TSFF_INT;
682         /* TODO: Stop transmission.  */
683     }
684 }
685 
686 static uint32_t rx_status_fifo_pop(lan9118_state *s)
687 {
688     uint32_t val;
689 
690     val = s->rx_status_fifo[s->rx_status_fifo_head];
691     if (s->rx_status_fifo_used != 0) {
692         s->rx_status_fifo_used--;
693         s->rx_status_fifo_head++;
694         if (s->rx_status_fifo_head >= s->rx_status_fifo_size) {
695             s->rx_status_fifo_head -= s->rx_status_fifo_size;
696         }
697         /* ??? What value should be returned when the FIFO is empty?  */
698         DPRINTF("RX status pop 0x%08x\n", val);
699     }
700     return val;
701 }
702 
703 static uint32_t tx_status_fifo_pop(lan9118_state *s)
704 {
705     uint32_t val;
706 
707     val = s->tx_status_fifo[s->tx_status_fifo_head];
708     if (s->tx_status_fifo_used != 0) {
709         s->tx_status_fifo_used--;
710         s->tx_status_fifo_head = (s->tx_status_fifo_head + 1) & 511;
711         /* ??? What value should be returned when the FIFO is empty?  */
712     }
713     return val;
714 }
715 
716 static void tx_fifo_push(lan9118_state *s, uint32_t val)
717 {
718     int n;
719 
720     if (s->txp->fifo_used == s->tx_fifo_size) {
721         s->int_sts |= TDFO_INT;
722         return;
723     }
724     switch (s->txp->state) {
725     case TX_IDLE:
726         s->txp->cmd_a = val & 0x831f37ff;
727         s->txp->fifo_used++;
728         s->txp->state = TX_B;
729         s->txp->buffer_size = extract32(s->txp->cmd_a, 0, 11);
730         s->txp->offset = extract32(s->txp->cmd_a, 16, 5);
731         break;
732     case TX_B:
733         if (s->txp->cmd_a & 0x2000) {
734             /* First segment */
735             s->txp->cmd_b = val;
736             s->txp->fifo_used++;
737             /* End alignment does not include command words.  */
738             n = (s->txp->buffer_size + s->txp->offset + 3) >> 2;
739             switch ((n >> 24) & 3) {
740             case 1:
741                 n = (-n) & 3;
742                 break;
743             case 2:
744                 n = (-n) & 7;
745                 break;
746             default:
747                 n = 0;
748             }
749             s->txp->pad = n;
750             s->txp->len = 0;
751         }
752         DPRINTF("Block len:%d offset:%d pad:%d cmd %08x\n",
753                 s->txp->buffer_size, s->txp->offset, s->txp->pad,
754                 s->txp->cmd_a);
755         s->txp->state = TX_DATA;
756         break;
757     case TX_DATA:
758         if (s->txp->offset >= 4) {
759             s->txp->offset -= 4;
760             break;
761         }
762         if (s->txp->buffer_size <= 0 && s->txp->pad != 0) {
763             s->txp->pad--;
764         } else {
765             n = MIN(4, s->txp->buffer_size + s->txp->offset);
766             while (s->txp->offset) {
767                 val >>= 8;
768                 n--;
769                 s->txp->offset--;
770             }
771             /* Documentation is somewhat unclear on the ordering of bytes
772                in FIFO words.  Empirical results show it to be little-endian.
773                */
774             /* TODO: FIFO overflow checking.  */
775             while (n--) {
776                 s->txp->data[s->txp->len] = val & 0xff;
777                 s->txp->len++;
778                 val >>= 8;
779                 s->txp->buffer_size--;
780             }
781             s->txp->fifo_used++;
782         }
783         if (s->txp->buffer_size <= 0 && s->txp->pad == 0) {
784             if (s->txp->cmd_a & 0x1000) {
785                 do_tx_packet(s);
786             }
787             if (s->txp->cmd_a & 0x80000000) {
788                 s->int_sts |= TX_IOC_INT;
789             }
790             s->txp->state = TX_IDLE;
791         }
792         break;
793     }
794 }
795 
796 static uint32_t do_phy_read(lan9118_state *s, int reg)
797 {
798     uint32_t val;
799 
800     switch (reg) {
801     case 0: /* Basic Control */
802         return s->phy_control;
803     case 1: /* Basic Status */
804         return s->phy_status;
805     case 2: /* ID1 */
806         return 0x0007;
807     case 3: /* ID2 */
808         return 0xc0d1;
809     case 4: /* Auto-neg advertisement */
810         return s->phy_advertise;
811     case 5: /* Auto-neg Link Partner Ability */
812         return 0x0f71;
813     case 6: /* Auto-neg Expansion */
814         return 1;
815         /* TODO 17, 18, 27, 29, 30, 31 */
816     case 29: /* Interrupt source.  */
817         val = s->phy_int;
818         s->phy_int = 0;
819         phy_update_irq(s);
820         return val;
821     case 30: /* Interrupt mask */
822         return s->phy_int_mask;
823     default:
824         BADF("PHY read reg %d\n", reg);
825         return 0;
826     }
827 }
828 
829 static void do_phy_write(lan9118_state *s, int reg, uint32_t val)
830 {
831     switch (reg) {
832     case 0: /* Basic Control */
833         if (val & 0x8000) {
834             phy_reset(s);
835             break;
836         }
837         s->phy_control = val & 0x7980;
838         /* Complete autonegotiation immediately.  */
839         if (val & 0x1000) {
840             s->phy_status |= 0x0020;
841         }
842         break;
843     case 4: /* Auto-neg advertisement */
844         s->phy_advertise = (val & 0x2d7f) | 0x80;
845         break;
846         /* TODO 17, 18, 27, 31 */
847     case 30: /* Interrupt mask */
848         s->phy_int_mask = val & 0xff;
849         phy_update_irq(s);
850         break;
851     default:
852         BADF("PHY write reg %d = 0x%04x\n", reg, val);
853     }
854 }
855 
856 static void do_mac_write(lan9118_state *s, int reg, uint32_t val)
857 {
858     switch (reg) {
859     case MAC_CR:
860         if ((s->mac_cr & MAC_CR_RXEN) != 0 && (val & MAC_CR_RXEN) == 0) {
861             s->int_sts |= RXSTOP_INT;
862         }
863         s->mac_cr = val & ~MAC_CR_RESERVED;
864         DPRINTF("MAC_CR: %08x\n", val);
865         break;
866     case MAC_ADDRH:
867         s->conf.macaddr.a[4] = val & 0xff;
868         s->conf.macaddr.a[5] = (val >> 8) & 0xff;
869         lan9118_mac_changed(s);
870         break;
871     case MAC_ADDRL:
872         s->conf.macaddr.a[0] = val & 0xff;
873         s->conf.macaddr.a[1] = (val >> 8) & 0xff;
874         s->conf.macaddr.a[2] = (val >> 16) & 0xff;
875         s->conf.macaddr.a[3] = (val >> 24) & 0xff;
876         lan9118_mac_changed(s);
877         break;
878     case MAC_HASHH:
879         s->mac_hashh = val;
880         break;
881     case MAC_HASHL:
882         s->mac_hashl = val;
883         break;
884     case MAC_MII_ACC:
885         s->mac_mii_acc = val & 0xffc2;
886         if (val & 2) {
887             DPRINTF("PHY write %d = 0x%04x\n",
888                     (val >> 6) & 0x1f, s->mac_mii_data);
889             do_phy_write(s, (val >> 6) & 0x1f, s->mac_mii_data);
890         } else {
891             s->mac_mii_data = do_phy_read(s, (val >> 6) & 0x1f);
892             DPRINTF("PHY read %d = 0x%04x\n",
893                     (val >> 6) & 0x1f, s->mac_mii_data);
894         }
895         break;
896     case MAC_MII_DATA:
897         s->mac_mii_data = val & 0xffff;
898         break;
899     case MAC_FLOW:
900         s->mac_flow = val & 0xffff0000;
901         break;
902     case MAC_VLAN1:
903         /* Writing to this register changes a condition for
904          * FrameTooLong bit in rx_status.  Since we do not set
905          * FrameTooLong anyway, just ignore write to this.
906          */
907         break;
908     default:
909         qemu_log_mask(LOG_GUEST_ERROR,
910                       "lan9118: Unimplemented MAC register write: %d = 0x%x\n",
911                  s->mac_cmd & 0xf, val);
912     }
913 }
914 
915 static uint32_t do_mac_read(lan9118_state *s, int reg)
916 {
917     switch (reg) {
918     case MAC_CR:
919         return s->mac_cr;
920     case MAC_ADDRH:
921         return s->conf.macaddr.a[4] | (s->conf.macaddr.a[5] << 8);
922     case MAC_ADDRL:
923         return s->conf.macaddr.a[0] | (s->conf.macaddr.a[1] << 8)
924                | (s->conf.macaddr.a[2] << 16) | (s->conf.macaddr.a[3] << 24);
925     case MAC_HASHH:
926         return s->mac_hashh;
927         break;
928     case MAC_HASHL:
929         return s->mac_hashl;
930         break;
931     case MAC_MII_ACC:
932         return s->mac_mii_acc;
933     case MAC_MII_DATA:
934         return s->mac_mii_data;
935     case MAC_FLOW:
936         return s->mac_flow;
937     default:
938         qemu_log_mask(LOG_GUEST_ERROR,
939                       "lan9118: Unimplemented MAC register read: %d\n",
940                  s->mac_cmd & 0xf);
941         return 0;
942     }
943 }
944 
945 static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
946 {
947     s->e2p_cmd = (s->e2p_cmd & E2P_CMD_MAC_ADDR_LOADED) | (cmd << 28) | addr;
948     switch (cmd) {
949     case 0:
950         s->e2p_data = s->eeprom[addr];
951         DPRINTF("EEPROM Read %d = 0x%02x\n", addr, s->e2p_data);
952         break;
953     case 1:
954         s->eeprom_writable = 0;
955         DPRINTF("EEPROM Write Disable\n");
956         break;
957     case 2: /* EWEN */
958         s->eeprom_writable = 1;
959         DPRINTF("EEPROM Write Enable\n");
960         break;
961     case 3: /* WRITE */
962         if (s->eeprom_writable) {
963             s->eeprom[addr] &= s->e2p_data;
964             DPRINTF("EEPROM Write %d = 0x%02x\n", addr, s->e2p_data);
965         } else {
966             DPRINTF("EEPROM Write %d (ignored)\n", addr);
967         }
968         break;
969     case 4: /* WRAL */
970         if (s->eeprom_writable) {
971             for (addr = 0; addr < 128; addr++) {
972                 s->eeprom[addr] &= s->e2p_data;
973             }
974             DPRINTF("EEPROM Write All 0x%02x\n", s->e2p_data);
975         } else {
976             DPRINTF("EEPROM Write All (ignored)\n");
977         }
978         break;
979     case 5: /* ERASE */
980         if (s->eeprom_writable) {
981             s->eeprom[addr] = 0xff;
982             DPRINTF("EEPROM Erase %d\n", addr);
983         } else {
984             DPRINTF("EEPROM Erase %d (ignored)\n", addr);
985         }
986         break;
987     case 6: /* ERAL */
988         if (s->eeprom_writable) {
989             memset(s->eeprom, 0xff, 128);
990             DPRINTF("EEPROM Erase All\n");
991         } else {
992             DPRINTF("EEPROM Erase All (ignored)\n");
993         }
994         break;
995     case 7: /* RELOAD */
996         lan9118_reload_eeprom(s);
997         break;
998     }
999 }
1000 
1001 static void lan9118_tick(void *opaque)
1002 {
1003     lan9118_state *s = (lan9118_state *)opaque;
1004     if (s->int_en & GPT_INT) {
1005         s->int_sts |= GPT_INT;
1006     }
1007     lan9118_update(s);
1008 }
1009 
1010 static void lan9118_writel(void *opaque, hwaddr offset,
1011                            uint64_t val, unsigned size)
1012 {
1013     lan9118_state *s = (lan9118_state *)opaque;
1014     offset &= 0xff;
1015 
1016     //DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, val);
1017     if (offset >= 0x20 && offset < 0x40) {
1018         /* TX FIFO */
1019         tx_fifo_push(s, val);
1020         return;
1021     }
1022     switch (offset) {
1023     case CSR_IRQ_CFG:
1024         /* TODO: Implement interrupt deassertion intervals.  */
1025         val &= (IRQ_EN | IRQ_POL | IRQ_TYPE);
1026         s->irq_cfg = (s->irq_cfg & IRQ_INT) | val;
1027         break;
1028     case CSR_INT_STS:
1029         s->int_sts &= ~val;
1030         break;
1031     case CSR_INT_EN:
1032         s->int_en = val & ~RESERVED_INT;
1033         s->int_sts |= val & SW_INT;
1034         break;
1035     case CSR_FIFO_INT:
1036         DPRINTF("FIFO INT levels %08x\n", val);
1037         s->fifo_int = val;
1038         break;
1039     case CSR_RX_CFG:
1040         if (val & 0x8000) {
1041             /* RX_DUMP */
1042             s->rx_fifo_used = 0;
1043             s->rx_status_fifo_used = 0;
1044             s->rx_packet_size_tail = s->rx_packet_size_head;
1045             s->rx_packet_size[s->rx_packet_size_head] = 0;
1046         }
1047         s->rx_cfg = val & 0xcfff1ff0;
1048         break;
1049     case CSR_TX_CFG:
1050         if (val & 0x8000) {
1051             s->tx_status_fifo_used = 0;
1052         }
1053         if (val & 0x4000) {
1054             s->txp->state = TX_IDLE;
1055             s->txp->fifo_used = 0;
1056             s->txp->cmd_a = 0xffffffff;
1057         }
1058         s->tx_cfg = val & 6;
1059         break;
1060     case CSR_HW_CFG:
1061         if (val & 1) {
1062             /* SRST */
1063             lan9118_reset(DEVICE(s));
1064         } else {
1065             s->hw_cfg = (val & 0x003f300) | (s->hw_cfg & 0x4);
1066         }
1067         break;
1068     case CSR_RX_DP_CTRL:
1069         if (val & 0x80000000) {
1070             /* Skip forward to next packet.  */
1071             s->rxp_pad = 0;
1072             s->rxp_offset = 0;
1073             if (s->rxp_size == 0) {
1074                 /* Pop a word to start the next packet.  */
1075                 rx_fifo_pop(s);
1076                 s->rxp_pad = 0;
1077                 s->rxp_offset = 0;
1078             }
1079             s->rx_fifo_head += s->rxp_size;
1080             if (s->rx_fifo_head >= s->rx_fifo_size) {
1081                 s->rx_fifo_head -= s->rx_fifo_size;
1082             }
1083         }
1084         break;
1085     case CSR_PMT_CTRL:
1086         if (val & 0x400) {
1087             phy_reset(s);
1088         }
1089         s->pmt_ctrl &= ~0x34e;
1090         s->pmt_ctrl |= (val & 0x34e);
1091         break;
1092     case CSR_GPIO_CFG:
1093         /* Probably just enabling LEDs.  */
1094         s->gpio_cfg = val & 0x7777071f;
1095         break;
1096     case CSR_GPT_CFG:
1097         if ((s->gpt_cfg ^ val) & GPT_TIMER_EN) {
1098             if (val & GPT_TIMER_EN) {
1099                 ptimer_set_count(s->timer, val & 0xffff);
1100                 ptimer_run(s->timer, 0);
1101             } else {
1102                 ptimer_stop(s->timer);
1103                 ptimer_set_count(s->timer, 0xffff);
1104             }
1105         }
1106         s->gpt_cfg = val & (GPT_TIMER_EN | 0xffff);
1107         break;
1108     case CSR_WORD_SWAP:
1109         /* Ignored because we're in 32-bit mode.  */
1110         s->word_swap = val;
1111         break;
1112     case CSR_MAC_CSR_CMD:
1113         s->mac_cmd = val & 0x4000000f;
1114         if (val & 0x80000000) {
1115             if (val & 0x40000000) {
1116                 s->mac_data = do_mac_read(s, val & 0xf);
1117                 DPRINTF("MAC read %d = 0x%08x\n", val & 0xf, s->mac_data);
1118             } else {
1119                 DPRINTF("MAC write %d = 0x%08x\n", val & 0xf, s->mac_data);
1120                 do_mac_write(s, val & 0xf, s->mac_data);
1121             }
1122         }
1123         break;
1124     case CSR_MAC_CSR_DATA:
1125         s->mac_data = val;
1126         break;
1127     case CSR_AFC_CFG:
1128         s->afc_cfg = val & 0x00ffffff;
1129         break;
1130     case CSR_E2P_CMD:
1131         lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
1132         break;
1133     case CSR_E2P_DATA:
1134         s->e2p_data = val & 0xff;
1135         break;
1136 
1137     default:
1138         qemu_log_mask(LOG_GUEST_ERROR, "lan9118_write: Bad reg 0x%x = %x\n",
1139                       (int)offset, (int)val);
1140         break;
1141     }
1142     lan9118_update(s);
1143 }
1144 
1145 static void lan9118_writew(void *opaque, hwaddr offset,
1146                            uint32_t val)
1147 {
1148     lan9118_state *s = (lan9118_state *)opaque;
1149     offset &= 0xff;
1150 
1151     if (s->write_word_prev_offset != (offset & ~0x3)) {
1152         /* New offset, reset word counter */
1153         s->write_word_n = 0;
1154         s->write_word_prev_offset = offset & ~0x3;
1155     }
1156 
1157     if (offset & 0x2) {
1158         s->write_word_h = val;
1159     } else {
1160         s->write_word_l = val;
1161     }
1162 
1163     //DPRINTF("Writew reg 0x%02x = 0x%08x\n", (int)offset, val);
1164     s->write_word_n++;
1165     if (s->write_word_n == 2) {
1166         s->write_word_n = 0;
1167         lan9118_writel(s, offset & ~3, s->write_word_l +
1168                 (s->write_word_h << 16), 4);
1169     }
1170 }
1171 
1172 static void lan9118_16bit_mode_write(void *opaque, hwaddr offset,
1173                                      uint64_t val, unsigned size)
1174 {
1175     switch (size) {
1176     case 2:
1177         lan9118_writew(opaque, offset, (uint32_t)val);
1178         return;
1179     case 4:
1180         lan9118_writel(opaque, offset, val, size);
1181         return;
1182     }
1183 
1184     hw_error("lan9118_write: Bad size 0x%x\n", size);
1185 }
1186 
1187 static uint64_t lan9118_readl(void *opaque, hwaddr offset,
1188                               unsigned size)
1189 {
1190     lan9118_state *s = (lan9118_state *)opaque;
1191 
1192     //DPRINTF("Read reg 0x%02x\n", (int)offset);
1193     if (offset < 0x20) {
1194         /* RX FIFO */
1195         return rx_fifo_pop(s);
1196     }
1197     switch (offset) {
1198     case 0x40:
1199         return rx_status_fifo_pop(s);
1200     case 0x44:
1201         return s->rx_status_fifo[s->tx_status_fifo_head];
1202     case 0x48:
1203         return tx_status_fifo_pop(s);
1204     case 0x4c:
1205         return s->tx_status_fifo[s->tx_status_fifo_head];
1206     case CSR_ID_REV:
1207         return 0x01180001;
1208     case CSR_IRQ_CFG:
1209         return s->irq_cfg;
1210     case CSR_INT_STS:
1211         return s->int_sts;
1212     case CSR_INT_EN:
1213         return s->int_en;
1214     case CSR_BYTE_TEST:
1215         return 0x87654321;
1216     case CSR_FIFO_INT:
1217         return s->fifo_int;
1218     case CSR_RX_CFG:
1219         return s->rx_cfg;
1220     case CSR_TX_CFG:
1221         return s->tx_cfg;
1222     case CSR_HW_CFG:
1223         return s->hw_cfg;
1224     case CSR_RX_DP_CTRL:
1225         return 0;
1226     case CSR_RX_FIFO_INF:
1227         return (s->rx_status_fifo_used << 16) | (s->rx_fifo_used << 2);
1228     case CSR_TX_FIFO_INF:
1229         return (s->tx_status_fifo_used << 16)
1230                | (s->tx_fifo_size - s->txp->fifo_used);
1231     case CSR_PMT_CTRL:
1232         return s->pmt_ctrl;
1233     case CSR_GPIO_CFG:
1234         return s->gpio_cfg;
1235     case CSR_GPT_CFG:
1236         return s->gpt_cfg;
1237     case CSR_GPT_CNT:
1238         return ptimer_get_count(s->timer);
1239     case CSR_WORD_SWAP:
1240         return s->word_swap;
1241     case CSR_FREE_RUN:
1242         return (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40) - s->free_timer_start;
1243     case CSR_RX_DROP:
1244         /* TODO: Implement dropped frames counter.  */
1245         return 0;
1246     case CSR_MAC_CSR_CMD:
1247         return s->mac_cmd;
1248     case CSR_MAC_CSR_DATA:
1249         return s->mac_data;
1250     case CSR_AFC_CFG:
1251         return s->afc_cfg;
1252     case CSR_E2P_CMD:
1253         return s->e2p_cmd;
1254     case CSR_E2P_DATA:
1255         return s->e2p_data;
1256     }
1257     qemu_log_mask(LOG_GUEST_ERROR, "lan9118_read: Bad reg 0x%x\n", (int)offset);
1258     return 0;
1259 }
1260 
1261 static uint32_t lan9118_readw(void *opaque, hwaddr offset)
1262 {
1263     lan9118_state *s = (lan9118_state *)opaque;
1264     uint32_t val;
1265 
1266     if (s->read_word_prev_offset != (offset & ~0x3)) {
1267         /* New offset, reset word counter */
1268         s->read_word_n = 0;
1269         s->read_word_prev_offset = offset & ~0x3;
1270     }
1271 
1272     s->read_word_n++;
1273     if (s->read_word_n == 1) {
1274         s->read_long = lan9118_readl(s, offset & ~3, 4);
1275     } else {
1276         s->read_word_n = 0;
1277     }
1278 
1279     if (offset & 2) {
1280         val = s->read_long >> 16;
1281     } else {
1282         val = s->read_long & 0xFFFF;
1283     }
1284 
1285     //DPRINTF("Readw reg 0x%02x, val 0x%x\n", (int)offset, val);
1286     return val;
1287 }
1288 
1289 static uint64_t lan9118_16bit_mode_read(void *opaque, hwaddr offset,
1290                                         unsigned size)
1291 {
1292     switch (size) {
1293     case 2:
1294         return lan9118_readw(opaque, offset);
1295     case 4:
1296         return lan9118_readl(opaque, offset, size);
1297     }
1298 
1299     hw_error("lan9118_read: Bad size 0x%x\n", size);
1300     return 0;
1301 }
1302 
1303 static const MemoryRegionOps lan9118_mem_ops = {
1304     .read = lan9118_readl,
1305     .write = lan9118_writel,
1306     .endianness = DEVICE_NATIVE_ENDIAN,
1307 };
1308 
1309 static const MemoryRegionOps lan9118_16bit_mem_ops = {
1310     .read = lan9118_16bit_mode_read,
1311     .write = lan9118_16bit_mode_write,
1312     .endianness = DEVICE_NATIVE_ENDIAN,
1313 };
1314 
1315 static NetClientInfo net_lan9118_info = {
1316     .type = NET_CLIENT_DRIVER_NIC,
1317     .size = sizeof(NICState),
1318     .receive = lan9118_receive,
1319     .link_status_changed = lan9118_set_link,
1320 };
1321 
1322 static void lan9118_realize(DeviceState *dev, Error **errp)
1323 {
1324     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1325     lan9118_state *s = LAN9118(dev);
1326     QEMUBH *bh;
1327     int i;
1328     const MemoryRegionOps *mem_ops =
1329             s->mode_16bit ? &lan9118_16bit_mem_ops : &lan9118_mem_ops;
1330 
1331     memory_region_init_io(&s->mmio, OBJECT(dev), mem_ops, s,
1332                           "lan9118-mmio", 0x100);
1333     sysbus_init_mmio(sbd, &s->mmio);
1334     sysbus_init_irq(sbd, &s->irq);
1335     qemu_macaddr_default_if_unset(&s->conf.macaddr);
1336 
1337     s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
1338                           object_get_typename(OBJECT(dev)), dev->id, s);
1339     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1340     s->eeprom[0] = 0xa5;
1341     for (i = 0; i < 6; i++) {
1342         s->eeprom[i + 1] = s->conf.macaddr.a[i];
1343     }
1344     s->pmt_ctrl = 1;
1345     s->txp = &s->tx_packet;
1346 
1347     bh = qemu_bh_new(lan9118_tick, s);
1348     s->timer = ptimer_init(bh, PTIMER_POLICY_DEFAULT);
1349     ptimer_set_freq(s->timer, 10000);
1350     ptimer_set_limit(s->timer, 0xffff, 1);
1351 }
1352 
1353 static Property lan9118_properties[] = {
1354     DEFINE_NIC_PROPERTIES(lan9118_state, conf),
1355     DEFINE_PROP_UINT32("mode_16bit", lan9118_state, mode_16bit, 0),
1356     DEFINE_PROP_END_OF_LIST(),
1357 };
1358 
1359 static void lan9118_class_init(ObjectClass *klass, void *data)
1360 {
1361     DeviceClass *dc = DEVICE_CLASS(klass);
1362 
1363     dc->reset = lan9118_reset;
1364     dc->props = lan9118_properties;
1365     dc->vmsd = &vmstate_lan9118;
1366     dc->realize = lan9118_realize;
1367 }
1368 
1369 static const TypeInfo lan9118_info = {
1370     .name          = TYPE_LAN9118,
1371     .parent        = TYPE_SYS_BUS_DEVICE,
1372     .instance_size = sizeof(lan9118_state),
1373     .class_init    = lan9118_class_init,
1374 };
1375 
1376 static void lan9118_register_types(void)
1377 {
1378     type_register_static(&lan9118_info);
1379 }
1380 
1381 /* Legacy helper function.  Should go away when machine config files are
1382    implemented.  */
1383 void lan9118_init(NICInfo *nd, uint32_t base, qemu_irq irq)
1384 {
1385     DeviceState *dev;
1386     SysBusDevice *s;
1387 
1388     qemu_check_nic_model(nd, "lan9118");
1389     dev = qdev_create(NULL, TYPE_LAN9118);
1390     qdev_set_nic_properties(dev, nd);
1391     qdev_init_nofail(dev);
1392     s = SYS_BUS_DEVICE(dev);
1393     sysbus_mmio_map(s, 0, base);
1394     sysbus_connect_irq(s, 0, irq);
1395 }
1396 
1397 type_init(lan9118_register_types)
1398