xref: /openbmc/qemu/hw/net/lan9118.c (revision 8fa3b702)
1 /*
2  * SMSC LAN9118 Ethernet interface emulation
3  *
4  * Copyright (c) 2009 CodeSourcery, LLC.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the GNU GPL v2
8  *
9  * Contributions after 2012-01-13 are licensed under the terms of the
10  * GNU GPL, version 2 or (at your option) any later version.
11  */
12 
13 #include "qemu/osdep.h"
14 #include "hw/sysbus.h"
15 #include "migration/vmstate.h"
16 #include "net/net.h"
17 #include "net/eth.h"
18 #include "hw/hw.h"
19 #include "hw/irq.h"
20 #include "hw/net/lan9118.h"
21 #include "hw/ptimer.h"
22 #include "hw/qdev-properties.h"
23 #include "qapi/error.h"
24 #include "qemu/log.h"
25 #include "qemu/module.h"
26 /* For crc32 */
27 #include <zlib.h>
28 #include "qom/object.h"
29 
30 //#define DEBUG_LAN9118
31 
32 #ifdef DEBUG_LAN9118
33 #define DPRINTF(fmt, ...) \
34 do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
35 #define BADF(fmt, ...) \
36 do { hw_error("lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
37 #else
38 #define DPRINTF(fmt, ...) do {} while(0)
39 #define BADF(fmt, ...) \
40 do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
41 #endif
42 
43 #define CSR_ID_REV      0x50
44 #define CSR_IRQ_CFG     0x54
45 #define CSR_INT_STS     0x58
46 #define CSR_INT_EN      0x5c
47 #define CSR_BYTE_TEST   0x64
48 #define CSR_FIFO_INT    0x68
49 #define CSR_RX_CFG      0x6c
50 #define CSR_TX_CFG      0x70
51 #define CSR_HW_CFG      0x74
52 #define CSR_RX_DP_CTRL  0x78
53 #define CSR_RX_FIFO_INF 0x7c
54 #define CSR_TX_FIFO_INF 0x80
55 #define CSR_PMT_CTRL    0x84
56 #define CSR_GPIO_CFG    0x88
57 #define CSR_GPT_CFG     0x8c
58 #define CSR_GPT_CNT     0x90
59 #define CSR_WORD_SWAP   0x98
60 #define CSR_FREE_RUN    0x9c
61 #define CSR_RX_DROP     0xa0
62 #define CSR_MAC_CSR_CMD 0xa4
63 #define CSR_MAC_CSR_DATA 0xa8
64 #define CSR_AFC_CFG     0xac
65 #define CSR_E2P_CMD     0xb0
66 #define CSR_E2P_DATA    0xb4
67 
68 #define E2P_CMD_MAC_ADDR_LOADED 0x100
69 
70 /* IRQ_CFG */
71 #define IRQ_INT         0x00001000
72 #define IRQ_EN          0x00000100
73 #define IRQ_POL         0x00000010
74 #define IRQ_TYPE        0x00000001
75 
76 /* INT_STS/INT_EN */
77 #define SW_INT          0x80000000
78 #define TXSTOP_INT      0x02000000
79 #define RXSTOP_INT      0x01000000
80 #define RXDFH_INT       0x00800000
81 #define TX_IOC_INT      0x00200000
82 #define RXD_INT         0x00100000
83 #define GPT_INT         0x00080000
84 #define PHY_INT         0x00040000
85 #define PME_INT         0x00020000
86 #define TXSO_INT        0x00010000
87 #define RWT_INT         0x00008000
88 #define RXE_INT         0x00004000
89 #define TXE_INT         0x00002000
90 #define TDFU_INT        0x00000800
91 #define TDFO_INT        0x00000400
92 #define TDFA_INT        0x00000200
93 #define TSFF_INT        0x00000100
94 #define TSFL_INT        0x00000080
95 #define RXDF_INT        0x00000040
96 #define RDFL_INT        0x00000020
97 #define RSFF_INT        0x00000010
98 #define RSFL_INT        0x00000008
99 #define GPIO2_INT       0x00000004
100 #define GPIO1_INT       0x00000002
101 #define GPIO0_INT       0x00000001
102 #define RESERVED_INT    0x7c001000
103 
104 #define MAC_CR          1
105 #define MAC_ADDRH       2
106 #define MAC_ADDRL       3
107 #define MAC_HASHH       4
108 #define MAC_HASHL       5
109 #define MAC_MII_ACC     6
110 #define MAC_MII_DATA    7
111 #define MAC_FLOW        8
112 #define MAC_VLAN1       9 /* TODO */
113 #define MAC_VLAN2       10 /* TODO */
114 #define MAC_WUFF        11 /* TODO */
115 #define MAC_WUCSR       12 /* TODO */
116 
117 #define MAC_CR_RXALL    0x80000000
118 #define MAC_CR_RCVOWN   0x00800000
119 #define MAC_CR_LOOPBK   0x00200000
120 #define MAC_CR_FDPX     0x00100000
121 #define MAC_CR_MCPAS    0x00080000
122 #define MAC_CR_PRMS     0x00040000
123 #define MAC_CR_INVFILT  0x00020000
124 #define MAC_CR_PASSBAD  0x00010000
125 #define MAC_CR_HO       0x00008000
126 #define MAC_CR_HPFILT   0x00002000
127 #define MAC_CR_LCOLL    0x00001000
128 #define MAC_CR_BCAST    0x00000800
129 #define MAC_CR_DISRTY   0x00000400
130 #define MAC_CR_PADSTR   0x00000100
131 #define MAC_CR_BOLMT    0x000000c0
132 #define MAC_CR_DFCHK    0x00000020
133 #define MAC_CR_TXEN     0x00000008
134 #define MAC_CR_RXEN     0x00000004
135 #define MAC_CR_RESERVED 0x7f404213
136 
137 #define PHY_INT_ENERGYON            0x80
138 #define PHY_INT_AUTONEG_COMPLETE    0x40
139 #define PHY_INT_FAULT               0x20
140 #define PHY_INT_DOWN                0x10
141 #define PHY_INT_AUTONEG_LP          0x08
142 #define PHY_INT_PARFAULT            0x04
143 #define PHY_INT_AUTONEG_PAGE        0x02
144 
145 #define GPT_TIMER_EN    0x20000000
146 
/*
 * TX data-FIFO parser state, advanced by tx_fifo_push() one 32-bit word
 * at a time.
 */
enum tx_state {
    TX_IDLE,    /* next word written is TX command A */
    TX_B,       /* next word written is TX command B */
    TX_DATA     /* following words are offset/payload/padding data */
};
152 
/*
 * Packet currently being assembled from guest writes to the TX data FIFO.
 * Every field here is driven by guest-written words (see tx_fifo_push()) or
 * by an incoming migration stream, so treat them as untrusted when they are
 * used as sizes or indexes.
 */
typedef struct {
    /* state is a tx_state but we can't put enums in VMStateDescriptions. */
    uint32_t state;
    uint32_t cmd_a;         /* TX command A, stored masked with 0x831f37ff */
    uint32_t cmd_b;         /* TX command B; upper 16 bits end up in the TX status word */
    int32_t buffer_size;    /* bytes left in the current segment, from cmd_a[10:0] */
    int32_t offset;         /* leading bytes still to skip, from cmd_a[20:16] */
    int32_t pad;            /* trailing pad words still to discard */
    int32_t fifo_used;      /* words accepted so far; compared against tx_fifo_size */
    int32_t len;            /* bytes stored in data[]; also the next write index */
    uint8_t data[2048];     /* frame bytes; writers must keep len within this size */
} LAN9118Packet;
165 
/*
 * Migration layout for LAN9118Packet.
 *
 * NOTE(review): no post_load hook or per-field validator is present in this
 * description, so len, offset, buffer_size and pad are restored exactly as
 * they appear in the stream. len is later used as an index into data[]
 * (tx_fifo_push()) and as a length (do_tx_packet()); a range check on load
 * would keep a malformed stream from seeding out-of-range values.
 */
static const VMStateDescription vmstate_lan9118_packet = {
    .name = "lan9118_packet",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(state, LAN9118Packet),
        VMSTATE_UINT32(cmd_a, LAN9118Packet),
        VMSTATE_UINT32(cmd_b, LAN9118Packet),
        VMSTATE_INT32(buffer_size, LAN9118Packet),
        VMSTATE_INT32(offset, LAN9118Packet),
        VMSTATE_INT32(pad, LAN9118Packet),
        VMSTATE_INT32(fifo_used, LAN9118Packet),
        VMSTATE_INT32(len, LAN9118Packet),
        VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048),
        VMSTATE_END_OF_LIST()
    }
};
183 
184 typedef struct lan9118_state lan9118_state;
185 DECLARE_INSTANCE_CHECKER(lan9118_state, LAN9118,
186                          TYPE_LAN9118)
187 
/*
 * Per-device state of the emulated LAN9118.
 *
 * The FIFO bookkeeping fields (*_head, *_used, *_size, rx_packet_size_*)
 * are signed 32-bit values that the code below uses directly as array
 * indexes; the backing arrays are fixed-size, so those fields must stay
 * within the array bounds at all times.
 */
struct lan9118_state {
    SysBusDevice parent_obj;

    NICState *nic;
    NICConf conf;
    qemu_irq irq;
    MemoryRegion mmio;
    ptimer_state *timer;

    /* System control and status registers (CSR_* offsets). */
    uint32_t irq_cfg;
    uint32_t int_sts;
    uint32_t int_en;
    uint32_t fifo_int;
    uint32_t rx_cfg;
    uint32_t tx_cfg;
    uint32_t hw_cfg;
    uint32_t pmt_ctrl;
    uint32_t gpio_cfg;
    uint32_t gpt_cfg;
    uint32_t word_swap;
    uint32_t free_timer_start;
    uint32_t mac_cmd;
    uint32_t mac_data;
    uint32_t afc_cfg;
    uint32_t e2p_cmd;
    uint32_t e2p_data;

    /* MAC registers reached through do_mac_read()/do_mac_write(). */
    uint32_t mac_cr;
    uint32_t mac_hashh;
    uint32_t mac_hashl;
    uint32_t mac_mii_acc;
    uint32_t mac_mii_data;
    uint32_t mac_flow;

    /* PHY registers reached through do_phy_read()/do_phy_write(). */
    uint32_t phy_status;
    uint32_t phy_control;
    uint32_t phy_advertise;
    uint32_t phy_int;
    uint32_t phy_int_mask;

    int32_t eeprom_writable;
    /* Byte 0 is the 0xa5 signature, bytes 1..6 the MAC (lan9118_reload_eeprom). */
    uint8_t eeprom[128];

    int32_t tx_fifo_size;
    /* txp points at tx_packet (see the comment in vmstate_lan9118). */
    LAN9118Packet *txp;
    LAN9118Packet tx_packet;

    /* TX status ring: indexes are reduced with "& 511". */
    int32_t tx_status_fifo_used;
    int32_t tx_status_fifo_head;
    uint32_t tx_status_fifo[512];

    /* RX status ring: wraps at rx_status_fifo_size, which must not exceed 896. */
    int32_t rx_status_fifo_size;
    int32_t rx_status_fifo_used;
    int32_t rx_status_fifo_head;
    uint32_t rx_status_fifo[896];
    /* RX data ring: wraps at rx_fifo_size, which must not exceed 3360. */
    int32_t rx_fifo_size;
    int32_t rx_fifo_used;
    int32_t rx_fifo_head;
    uint32_t rx_fifo[3360];
    /* Per-packet word counts; head and tail step with "+ 1023 & 1023". */
    int32_t rx_packet_size_head;
    int32_t rx_packet_size_tail;
    int32_t rx_packet_size[1024];

    /* Progress through the packet currently being read by rx_fifo_pop(). */
    int32_t rxp_offset;
    int32_t rxp_size;
    int32_t rxp_pad;

    uint32_t write_word_prev_offset;
    uint32_t write_word_n;
    uint16_t write_word_l;
    uint16_t write_word_h;
    uint32_t read_word_prev_offset;
    uint32_t read_word_n;
    uint32_t read_long;

    uint32_t mode_16bit;
};
265 
/*
 * Migration layout for the whole device. Fields tagged _V(..., 2) exist
 * only from version 2 of the stream onwards.
 *
 * NOTE(review): this description carries no post_load hook, so the FIFO
 * head/used/size values and the rx_packet_size head/tail are restored
 * without range checks. They are later used as indexes into
 * tx_status_fifo[512], rx_status_fifo[896], rx_fifo[3360] and
 * rx_packet_size[1024]; validating them on load would stop a malformed
 * migration stream from causing out-of-bounds accesses.
 */
static const VMStateDescription vmstate_lan9118 = {
    .name = "lan9118",
    .version_id = 2,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_PTIMER(timer, lan9118_state),
        VMSTATE_UINT32(irq_cfg, lan9118_state),
        VMSTATE_UINT32(int_sts, lan9118_state),
        VMSTATE_UINT32(int_en, lan9118_state),
        VMSTATE_UINT32(fifo_int, lan9118_state),
        VMSTATE_UINT32(rx_cfg, lan9118_state),
        VMSTATE_UINT32(tx_cfg, lan9118_state),
        VMSTATE_UINT32(hw_cfg, lan9118_state),
        VMSTATE_UINT32(pmt_ctrl, lan9118_state),
        VMSTATE_UINT32(gpio_cfg, lan9118_state),
        VMSTATE_UINT32(gpt_cfg, lan9118_state),
        VMSTATE_UINT32(word_swap, lan9118_state),
        VMSTATE_UINT32(free_timer_start, lan9118_state),
        VMSTATE_UINT32(mac_cmd, lan9118_state),
        VMSTATE_UINT32(mac_data, lan9118_state),
        VMSTATE_UINT32(afc_cfg, lan9118_state),
        VMSTATE_UINT32(e2p_cmd, lan9118_state),
        VMSTATE_UINT32(e2p_data, lan9118_state),
        VMSTATE_UINT32(mac_cr, lan9118_state),
        VMSTATE_UINT32(mac_hashh, lan9118_state),
        VMSTATE_UINT32(mac_hashl, lan9118_state),
        VMSTATE_UINT32(mac_mii_acc, lan9118_state),
        VMSTATE_UINT32(mac_mii_data, lan9118_state),
        VMSTATE_UINT32(mac_flow, lan9118_state),
        VMSTATE_UINT32(phy_status, lan9118_state),
        VMSTATE_UINT32(phy_control, lan9118_state),
        VMSTATE_UINT32(phy_advertise, lan9118_state),
        VMSTATE_UINT32(phy_int, lan9118_state),
        VMSTATE_UINT32(phy_int_mask, lan9118_state),
        VMSTATE_INT32(eeprom_writable, lan9118_state),
        VMSTATE_UINT8_ARRAY(eeprom, lan9118_state, 128),
        VMSTATE_INT32(tx_fifo_size, lan9118_state),
        /* txp always points at tx_packet so need not be saved */
        VMSTATE_STRUCT(tx_packet, lan9118_state, 0,
                       vmstate_lan9118_packet, LAN9118Packet),
        VMSTATE_INT32(tx_status_fifo_used, lan9118_state),
        VMSTATE_INT32(tx_status_fifo_head, lan9118_state),
        VMSTATE_UINT32_ARRAY(tx_status_fifo, lan9118_state, 512),
        VMSTATE_INT32(rx_status_fifo_size, lan9118_state),
        VMSTATE_INT32(rx_status_fifo_used, lan9118_state),
        VMSTATE_INT32(rx_status_fifo_head, lan9118_state),
        VMSTATE_UINT32_ARRAY(rx_status_fifo, lan9118_state, 896),
        VMSTATE_INT32(rx_fifo_size, lan9118_state),
        VMSTATE_INT32(rx_fifo_used, lan9118_state),
        VMSTATE_INT32(rx_fifo_head, lan9118_state),
        VMSTATE_UINT32_ARRAY(rx_fifo, lan9118_state, 3360),
        VMSTATE_INT32(rx_packet_size_head, lan9118_state),
        VMSTATE_INT32(rx_packet_size_tail, lan9118_state),
        VMSTATE_INT32_ARRAY(rx_packet_size, lan9118_state, 1024),
        VMSTATE_INT32(rxp_offset, lan9118_state),
        VMSTATE_INT32(rxp_size, lan9118_state),
        VMSTATE_INT32(rxp_pad, lan9118_state),
        VMSTATE_UINT32_V(write_word_prev_offset, lan9118_state, 2),
        VMSTATE_UINT32_V(write_word_n, lan9118_state, 2),
        VMSTATE_UINT16_V(write_word_l, lan9118_state, 2),
        VMSTATE_UINT16_V(write_word_h, lan9118_state, 2),
        VMSTATE_UINT32_V(read_word_prev_offset, lan9118_state, 2),
        VMSTATE_UINT32_V(read_word_n, lan9118_state, 2),
        VMSTATE_UINT32_V(read_long, lan9118_state, 2),
        VMSTATE_UINT32_V(mode_16bit, lan9118_state, 2),
        VMSTATE_END_OF_LIST()
    }
};
334 
/*
 * Recompute the IRQ_INT bit of irq_cfg from the pending (int_sts) and
 * enabled (int_en) interrupt sources, then drive the output line with the
 * configured enable and polarity applied.
 */
static void lan9118_update(lan9118_state *s)
{
    const uint32_t active_high = IRQ_TYPE | IRQ_POL;
    int pending = (s->int_sts & s->int_en) != 0;
    int level;

    /* TODO: Implement FIFO level IRQs.  */
    if (pending) {
        s->irq_cfg |= IRQ_INT;
    } else {
        s->irq_cfg &= ~IRQ_INT;
    }

    /* IRQ_INT tracks the sources even while IRQ_EN keeps the pin idle. */
    level = pending && (s->irq_cfg & IRQ_EN) != 0;

    /*
     * Interrupt is active low unless we're configured as
     * active-high polarity, push-pull type.
     */
    if ((s->irq_cfg & active_high) != active_high) {
        level = !level;
    }
    qemu_set_irq(s->irq, level);
}
357 
/*
 * Hand the current conf.macaddr to qemu_format_nic_info_str() for this
 * NIC's queue. Called after every path that rewrites the MAC address.
 */
static void lan9118_mac_changed(lan9118_state *s)
{
    NetClientState *nc = qemu_get_queue(s->nic);

    qemu_format_nic_info_str(nc, s->conf.macaddr.a);
}
362 
/*
 * Load the MAC address from the emulated EEPROM.
 *
 * The load succeeds only when byte 0 holds the 0xa5 signature; bytes 1..6
 * then replace conf.macaddr and E2P_CMD_MAC_ADDR_LOADED is set. Otherwise
 * the flag is cleared and the MAC address is left untouched. The EEPROM
 * contents can be rewritten through lan9118_eeprom_cmd().
 */
static void lan9118_reload_eeprom(lan9118_state *s)
{
    if (s->eeprom[0] == 0xa5) {
        memcpy(s->conf.macaddr.a, &s->eeprom[1], 6);
        s->e2p_cmd |= E2P_CMD_MAC_ADDR_LOADED;
        DPRINTF("MACADDR loaded from eeprom\n");
        lan9118_mac_changed(s);
        return;
    }

    s->e2p_cmd &= ~E2P_CMD_MAC_ADDR_LOADED;
    DPRINTF("MACADDR load failed\n");
}
378 
/*
 * Mirror the PHY interrupt condition (any unmasked bit of phy_int) into the
 * PHY_INT bit of int_sts and re-evaluate the interrupt line.
 */
static void phy_update_irq(lan9118_state *s)
{
    int pending = (s->phy_int & s->phy_int_mask) != 0;

    s->int_sts = pending ? (s->int_sts | PHY_INT) : (s->int_sts & ~PHY_INT);
    lan9118_update(s);
}
388 
/*
 * Propagate the backend's link state into the PHY status register and latch
 * the matching PHY interrupt source bits.
 */
static void phy_update_link(lan9118_state *s)
{
    /* Bits 0x0024 of phy_status are set and cleared together here. */
    const uint32_t link_bits = 0x0024;

    /* Autonegotiation status mirrors link status.  */
    if (!qemu_get_queue(s->nic)->link_down) {
        s->phy_status |= link_bits;
        s->phy_int |= PHY_INT_ENERGYON | PHY_INT_AUTONEG_COMPLETE;
    } else {
        s->phy_status &= ~link_bits;
        s->phy_int |= PHY_INT_DOWN;
    }
    phy_update_irq(s);
}
402 
/* Net-layer link callback: refresh the PHY view of the link for this NIC. */
static void lan9118_set_link(NetClientState *nc)
{
    lan9118_state *s = qemu_get_nic_opaque(nc);

    phy_update_link(s);
}
407 
/*
 * Put the PHY registers back to their reset values, drop any latched or
 * enabled PHY interrupts, then resample the link state.
 */
static void phy_reset(lan9118_state *s)
{
    /* Interrupt state first: nothing pending, nothing unmasked. */
    s->phy_int = 0;
    s->phy_int_mask = 0;

    s->phy_control = 0x3000;
    s->phy_status = 0x7809;
    s->phy_advertise = 0x01e1;

    phy_update_link(s);
}
417 
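/*
 * Device reset handler: bring the CSR, MAC and PHY registers, the FIFO
 * bookkeeping and the general purpose timer back to their reset values,
 * then reload the MAC address from the EEPROM.
 *
 * Two stores that were immediately overwritten (a first
 * rx_status_fifo_size = 704 and a repeated txp->fifo_used = 0) have been
 * dropped; the resulting state is unchanged.
 */
static void lan9118_reset(DeviceState *d)
{
    lan9118_state *s = LAN9118(d);

    /* Only the pin type/polarity bits of IRQ_CFG are kept across reset. */
    s->irq_cfg &= (IRQ_TYPE | IRQ_POL);
    s->int_sts = 0;
    s->int_en = 0;
    s->fifo_int = 0x48000000;
    s->rx_cfg = 0;
    s->tx_cfg = 0;
    s->hw_cfg = s->mode_16bit ? 0x00050000 : 0x00050004;
    s->pmt_ctrl &= 0x45;
    s->gpio_cfg = 0;

    /* Discard any partially assembled TX packet. */
    s->txp->fifo_used = 0;
    s->txp->state = TX_IDLE;
    s->txp->cmd_a = 0xffffffffu;
    s->txp->cmd_b = 0xffffffffu;
    s->txp->len = 0;
    s->tx_fifo_size = 4608;
    s->tx_status_fifo_used = 0;

    /*
     * Empty the RX FIFOs. The *_head indexes are deliberately left as they
     * are; only the fill counters are cleared.
     */
    s->rx_fifo_size = 2640;
    s->rx_fifo_used = 0;
    s->rx_status_fifo_size = 176;
    s->rx_status_fifo_used = 0;
    s->rxp_offset = 0;
    s->rxp_size = 0;
    s->rxp_pad = 0;
    /*
     * NOTE(review): rx_packet_size_head is used as an index without a range
     * check; it is assumed to be within 0..1023 (it is only ever advanced
     * with "& 1023" in this file, but it is also restored by migration).
     */
    s->rx_packet_size_tail = s->rx_packet_size_head;
    s->rx_packet_size[s->rx_packet_size_head] = 0;

    s->mac_cmd = 0;
    s->mac_data = 0;
    s->afc_cfg = 0;
    s->e2p_cmd = 0;
    s->e2p_data = 0;
    s->free_timer_start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40;

    /* ptimer updates must be bracketed by a transaction. */
    ptimer_transaction_begin(s->timer);
    ptimer_stop(s->timer);
    ptimer_set_count(s->timer, 0xffff);
    ptimer_transaction_commit(s->timer);
    s->gpt_cfg = 0xffff;

    /* The MAC comes out of reset with MAC_CR_PRMS as its only set bit. */
    s->mac_cr = MAC_CR_PRMS;
    s->mac_hashh = 0;
    s->mac_hashl = 0;
    s->mac_mii_acc = 0;
    s->mac_mii_data = 0;
    s->mac_flow = 0;

    s->read_word_n = 0;
    s->write_word_n = 0;

    phy_reset(s);

    /* EEPROM writes are locked again before the MAC address is reloaded. */
    s->eeprom_writable = 0;
    lan9118_reload_eeprom(s);
}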
477 
/*
 * Append one word to the RX data ring.
 *
 * There is no fullness check here: lan9118_receive() verifies the free
 * space for the whole packet before it starts pushing. The single
 * subtraction below also assumes rx_fifo_head < rx_fifo_size and that
 * rx_fifo_size does not exceed the 3360-entry backing array.
 */
static void rx_fifo_push(lan9118_state *s, uint32_t val)
{
    int slot = s->rx_fifo_head + s->rx_fifo_used;

    if (slot >= s->rx_fifo_size) {
        slot -= s->rx_fifo_size;
    }
    s->rx_fifo[slot] = val;
    s->rx_fifo_used++;
}
487 
/*
 * Return nonzero if the packet is accepted by the filter.
 *
 * addr must point at the 6-byte destination address at the start of the
 * frame. The decision depends on the MAC_CR filter bits: promiscuous mode,
 * broadcast disable, pass-all-multicast, then either an exact compare with
 * conf.macaddr (optionally inverted) or a lookup in the 64-bit hash table
 * held in mac_hashh:mac_hashl.
 */
static int lan9118_filter(lan9118_state *s, const uint8_t *addr)
{
    static const uint8_t bcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    const uint32_t cr = s->mac_cr;
    int is_mcast;
    int exact;
    uint32_t bucket;

    if (cr & MAC_CR_PRMS) {
        return 1;
    }
    if (memcmp(addr, bcast, sizeof(bcast)) == 0) {
        /* MAC_CR_BCAST set means broadcast frames are rejected. */
        return (cr & MAC_CR_BCAST) == 0;
    }

    is_mcast = addr[0] & 1;
    if (is_mcast && (cr & MAC_CR_MCPAS)) {
        return 1;
    }

    /* Multicast and unicast each have their own "use hash" control bit. */
    if (is_mcast) {
        exact = (cr & MAC_CR_HPFILT) == 0;
    } else {
        exact = (cr & MAC_CR_HO) == 0;
    }

    if (exact) {
        /* Exact matching.  */
        int differs = memcmp(addr, s->conf.macaddr.a, 6) != 0;

        return (cr & MAC_CR_INVFILT) ? differs : !differs;
    }

    /* Hash matching: top 6 CRC bits select one of 64 table bits. */
    bucket = net_crc32(addr, ETH_ALEN) >> 26;
    if (bucket & 0x20) {
        return (s->mac_hashh >> (bucket & 0x1f)) & 1;
    }
    return (s->mac_hashl >> (bucket & 0x1f)) & 1;
}
525 
/*
 * Net-layer receive callback: copy one frame into the RX data FIFO, append
 * its CRC, and queue a status word for it.
 *
 * Returns -1 when the frame cannot be taken (receiver disabled, size outside
 * 14..2047 bytes, status FIFO full, or not enough data FIFO space) and size
 * when the frame was stored or was dropped by the address filter.
 *
 * buf/size come from the network backend (or from the guest's own TX buffer
 * in loopback mode), so every bound is checked before any FIFO write.
 */
static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
                               size_t size)
{
    static const uint8_t bcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    lan9118_state *s = qemu_get_nic_opaque(nc);
    int accepted;
    int words;
    int fill;
    int slot;
    int i;
    uint32_t word = 0;
    uint32_t crc;
    uint32_t status;

    if (!(s->mac_cr & MAC_CR_RXEN)) {
        return -1;
    }

    /* Need at least an Ethernet header; 2048 and above is rejected. */
    if (size < 14 || size >= 2048) {
        return -1;
    }

    /* TODO: Implement FIFO overflow notification.  */
    if (s->rx_status_fifo_used == s->rx_status_fifo_size) {
        return -1;
    }

    accepted = lan9118_filter(s, buf);
    if (!accepted && !(s->mac_cr & MAC_CR_RXALL)) {
        /* Filtered out: report the frame as consumed. */
        return size;
    }

    /* The low two bits of the RX_CFG offset field pre-fill the first word. */
    fill = ((s->rx_cfg >> 8) & 0x1f) & 3;
    /* Payload words, plus one more word for the CRC. */
    words = ((size + fill + 3) >> 2) + 1;
    if (s->rx_fifo_size - s->rx_fifo_used < words) {
        return -1;
    }

    DPRINTF("Got packet len:%d fifo:%d filter:%s\n",
            (int)size, words, accepted ? "pass" : "fail");
    crc = bswap32(crc32(~0, buf, size));

    /* Pack bytes little-endian into 32-bit words. */
    for (i = 0; i < size; i++) {
        word = (word >> 8) | ((uint32_t)buf[i] << 24);
        if (++fill == 4) {
            fill = 0;
            rx_fifo_push(s, word);
            word = 0;
        }
    }
    if (fill == 0) {
        rx_fifo_push(s, crc);
    } else {
        /* The CRC straddles the last partial data word and one more word. */
        word >>= ((4 - fill) * 8);
        word |= crc << (fill * 8);
        rx_fifo_push(s, word);
        rx_fifo_push(s, crc >> ((4 - fill) * 8));
    }

    slot = s->rx_status_fifo_head + s->rx_status_fifo_used;
    if (slot >= s->rx_status_fifo_size) {
        slot -= s->rx_status_fifo_size;
    }
    s->rx_packet_size[s->rx_packet_size_tail] = words;
    s->rx_packet_size_tail = (s->rx_packet_size_tail + 1023) & 1023;
    s->rx_status_fifo_used++;

    /* Status word: length including CRC in the upper half, flags below. */
    status = (size + 4) << 16;
    if (memcmp(buf, bcast, sizeof(bcast)) == 0) {
        status |= 0x00002000;
    } else if (buf[0] & 1) {
        status |= 0x00000400;
    }
    if (!accepted) {
        status |= 0x40000000;
    }
    s->rx_status_fifo[slot] = status;

    if (s->rx_status_fifo_used > (s->fifo_int & 0xff)) {
        s->int_sts |= RSFL_INT;
    }
    lan9118_update(s);

    return size;
}
615 
/*
 * Return the next word of the RX data stream as seen by the guest.
 *
 * When no packet is in progress the next entry of rx_packet_size[] is
 * loaded and the leading offset / trailing pad word counts are derived from
 * RX_CFG. Offset and pad words read as zero; reading with nothing queued
 * sets RXE_INT and also returns zero.
 */
static uint32_t rx_fifo_pop(lan9118_state *s)
{
    uint32_t val = 0;
    int total;
    int pad;

    if (s->rxp_size == 0 && s->rxp_pad == 0) {
        s->rxp_size = s->rx_packet_size[s->rx_packet_size_head];
        s->rx_packet_size[s->rx_packet_size_head] = 0;
        if (s->rxp_size != 0) {
            s->rx_packet_size_head = (s->rx_packet_size_head + 1023) & 1023;
            s->rxp_offset = (s->rx_cfg >> 10) & 7;
            total = s->rxp_offset + s->rxp_size;
            /* The top two RX_CFG bits select the end alignment. */
            switch (s->rx_cfg >> 30) {
            case 1:
                pad = (-total) & 3;
                break;
            case 2:
                pad = (-total) & 7;
                break;
            default:
                pad = 0;
                break;
            }
            s->rxp_pad = pad;
            DPRINTF("Pop packet size:%d offset:%d pad: %d\n",
                    s->rxp_size, s->rxp_offset, s->rxp_pad);
        }
    }

    if (s->rxp_offset > 0) {
        s->rxp_offset--;
    } else if (s->rxp_size > 0) {
        s->rxp_size--;
        val = s->rx_fifo[s->rx_fifo_head];
        s->rx_fifo_head++;
        if (s->rx_fifo_head >= s->rx_fifo_size) {
            s->rx_fifo_head -= s->rx_fifo_size;
        }
        s->rx_fifo_used--;
    } else if (s->rxp_pad > 0) {
        s->rxp_pad--;
    } else {
        DPRINTF("RX underflow\n");
        s->int_sts |= RXE_INT;
    }

    lan9118_update(s);
    return val;
}
665 
/*
 * Transmit the assembled TX packet and record a status word for it.
 *
 * With PHY control bit 0x4000 set the frame is fed straight back into
 * lan9118_receive(); otherwise it goes to the network backend. The length
 * passed on is txp->len as accumulated by tx_fifo_push(), so it is only as
 * trustworthy as the bounds enforced there.
 */
static void do_tx_packet(lan9118_state *s)
{
    NetClientState *nc = qemu_get_queue(s->nic);
    LAN9118Packet *pkt = s->txp;
    uint32_t status;
    int slot;

    /* FIXME: Honor TX disable, and allow queueing of packets.  */
    if (s->phy_control & 0x4000) {
        /* This assumes the receive routine doesn't touch the VLANClient.  */
        lan9118_receive(nc, pkt->data, pkt->len);
    } else {
        qemu_send_packet(nc, pkt->data, pkt->len);
    }
    pkt->fifo_used = 0;

    if (s->tx_status_fifo_used == 512) {
        /* Status FIFO full */
        return;
    }

    /* Add entry to status FIFO.  */
    status = pkt->cmd_b & 0xffff0000u;
    DPRINTF("Sent packet tag:%04x len %d\n", status >> 16, pkt->len);
    slot = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
    s->tx_status_fifo[slot] = status;
    s->tx_status_fifo_used++;
    if (s->tx_status_fifo_used == 512) {
        s->int_sts |= TSFF_INT;
        /* TODO: Stop transmission.  */
    }
}
695 
/*
 * Read the word at the head of the RX status ring and, if the ring is not
 * empty, consume it. An empty ring returns whatever is stored at the head
 * slot without changing any state.
 */
static uint32_t rx_status_fifo_pop(lan9118_state *s)
{
    uint32_t val = s->rx_status_fifo[s->rx_status_fifo_head];

    if (s->rx_status_fifo_used == 0) {
        /* ??? What value should be returned when the FIFO is empty?  */
        return val;
    }

    s->rx_status_fifo_used--;
    s->rx_status_fifo_head++;
    if (s->rx_status_fifo_head >= s->rx_status_fifo_size) {
        s->rx_status_fifo_head -= s->rx_status_fifo_size;
    }
    DPRINTF("RX status pop 0x%08x\n", val);
    return val;
}
712 
/*
 * Read the word at the head of the 512-entry TX status ring and, if the
 * ring is not empty, consume it. An empty ring returns the stale head slot.
 */
static uint32_t tx_status_fifo_pop(lan9118_state *s)
{
    uint32_t val = s->tx_status_fifo[s->tx_status_fifo_head];

    if (s->tx_status_fifo_used == 0) {
        /* ??? What value should be returned when the FIFO is empty?  */
        return val;
    }

    s->tx_status_fifo_used--;
    s->tx_status_fifo_head = (s->tx_status_fifo_head + 1) & 511;
    return val;
}
725 
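/*
 * Consume one 32-bit word written by the guest to the TX data FIFO.
 *
 * The word is interpreted according to txp->state: command A, command B, or
 * data (leading offset bytes, payload, trailing pad words). When the last
 * word of a segment has been consumed the packet is sent if cmd_a marks it
 * as the last segment, and TX_IOC_INT is raised if cmd_a requests it.
 *
 * Every value parsed here is guest-controlled. txp->len is reset only on a
 * first-segment command, so payload bytes accumulate across segments; the
 * copy loop therefore bounds len against the size of txp->data[]. Bytes
 * that do not fit are dropped and TXE_INT is raised, while buffer_size is
 * still counted down so the segment terminates normally.
 */
static void tx_fifo_push(lan9118_state *s, uint32_t val)
{
    int n;

    if (s->txp->fifo_used == s->tx_fifo_size) {
        s->int_sts |= TDFO_INT;
        return;
    }
    switch (s->txp->state) {
    case TX_IDLE:
        s->txp->cmd_a = val & 0x831f37ff;
        s->txp->fifo_used++;
        s->txp->state = TX_B;
        s->txp->buffer_size = extract32(s->txp->cmd_a, 0, 11);
        s->txp->offset = extract32(s->txp->cmd_a, 16, 5);
        break;
    case TX_B:
        if (s->txp->cmd_a & 0x2000) {
            /* First segment */
            s->txp->cmd_b = val;
            s->txp->fifo_used++;
            /* End alignment does not include command words.  */
            n = (s->txp->buffer_size + s->txp->offset + 3) >> 2;
            /*
             * NOTE(review): n is a small word count here, so (n >> 24) is
             * always 0 and pad always ends up 0. The selector presumably
             * was meant to come from cmd_a -- confirm against the
             * datasheet before changing.
             */
            switch ((n >> 24) & 3) {
            case 1:
                n = (-n) & 3;
                break;
            case 2:
                n = (-n) & 7;
                break;
            default:
                n = 0;
            }
            s->txp->pad = n;
            s->txp->len = 0;
        }
        DPRINTF("Block len:%d offset:%d pad:%d cmd %08x\n",
                s->txp->buffer_size, s->txp->offset, s->txp->pad,
                s->txp->cmd_a);
        s->txp->state = TX_DATA;
        break;
    case TX_DATA:
        if (s->txp->offset >= 4) {
            /* Whole word of leading offset: discard it. */
            s->txp->offset -= 4;
            break;
        }
        if (s->txp->buffer_size <= 0 && s->txp->pad != 0) {
            s->txp->pad--;
        } else {
            n = MIN(4, s->txp->buffer_size + s->txp->offset);
            while (s->txp->offset) {
                val >>= 8;
                n--;
                s->txp->offset--;
            }
            /* Documentation is somewhat unclear on the ordering of bytes
               in FIFO words.  Empirical results show it to be little-endian.
               */
            /* "> 0" keeps a negative count from turning into a long loop. */
            while (n-- > 0) {
                /* The unsigned compare also rejects a negative len. */
                if ((uint32_t)s->txp->len < sizeof(s->txp->data)) {
                    s->txp->data[s->txp->len] = val & 0xff;
                    s->txp->len++;
                } else {
                    /* Packet buffer full: drop the byte and flag an error. */
                    s->int_sts |= TXE_INT;
                }
                val >>= 8;
                s->txp->buffer_size--;
            }
            s->txp->fifo_used++;
        }
        if (s->txp->buffer_size <= 0 && s->txp->pad == 0) {
            if (s->txp->cmd_a & 0x1000) {
                /* Last segment: hand the packet over. */
                do_tx_packet(s);
            }
            if (s->txp->cmd_a & 0x80000000) {
                s->int_sts |= TX_IOC_INT;
            }
            s->txp->state = TX_IDLE;
        }
        break;
    }
}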
805 
/*
 * Read PHY register reg. Reading the interrupt source register (29) clears
 * it and re-evaluates the interrupt line. Unimplemented registers are
 * reported through BADF() and read as 0.
 */
static uint32_t do_phy_read(lan9118_state *s, int reg)
{
    uint32_t val = 0;

    switch (reg) {
    case 0: /* Basic Control */
        val = s->phy_control;
        break;
    case 1: /* Basic Status */
        val = s->phy_status;
        break;
    case 2: /* ID1 */
        val = 0x0007;
        break;
    case 3: /* ID2 */
        val = 0xc0d1;
        break;
    case 4: /* Auto-neg advertisement */
        val = s->phy_advertise;
        break;
    case 5: /* Auto-neg Link Partner Ability */
        val = 0x0f71;
        break;
    case 6: /* Auto-neg Expansion */
        val = 1;
        break;
        /* TODO 17, 18, 27, 29, 30, 31 */
    case 29: /* Interrupt source.  */
        val = s->phy_int;
        s->phy_int = 0;
        phy_update_irq(s);
        break;
    case 30: /* Interrupt mask */
        val = s->phy_int_mask;
        break;
    default:
        BADF("PHY read reg %d\n", reg);
        break;
    }
    return val;
}
838 
/*
 * Write val to PHY register reg. Only the writable bits of each register
 * are kept; writes to unimplemented registers are reported through BADF()
 * and otherwise ignored.
 */
static void do_phy_write(lan9118_state *s, int reg, uint32_t val)
{
    switch (reg) {
    case 0: /* Basic Control */
        if (val & 0x8000) {
            /* Reset request: the rest of the written value is ignored. */
            phy_reset(s);
        } else {
            s->phy_control = val & 0x7980;
            /* Complete autonegotiation immediately.  */
            if (val & 0x1000) {
                s->phy_status |= 0x0020;
            }
        }
        break;
    case 4: /* Auto-neg advertisement */
        s->phy_advertise = (val & 0x2d7f) | 0x80;
        break;
        /* TODO 17, 18, 27, 31 */
    case 30: /* Interrupt mask */
        s->phy_int_mask = val & 0xff;
        phy_update_irq(s);
        break;
    default:
        BADF("PHY write reg %d = 0x%04x\n", reg, val);
        break;
    }
}
865 
/*
 * Write val to MAC register reg. Reserved bits are masked off before a
 * value is stored; a MAC_MII_ACC write additionally performs the requested
 * PHY register access. Unimplemented registers are logged as guest errors.
 */
static void do_mac_write(lan9118_state *s, int reg, uint32_t val)
{
    /* PHY register index field of a MAC_MII_ACC value. */
    const int phy_reg = (val >> 6) & 0x1f;
    uint8_t *mac = s->conf.macaddr.a;

    switch (reg) {
    case MAC_CR:
        /* A 1 -> 0 transition of RXEN reports "receiver stopped". */
        if ((s->mac_cr & MAC_CR_RXEN) && !(val & MAC_CR_RXEN)) {
            s->int_sts |= RXSTOP_INT;
        }
        s->mac_cr = val & ~MAC_CR_RESERVED;
        DPRINTF("MAC_CR: %08x\n", val);
        break;
    case MAC_ADDRH:
        mac[4] = val & 0xff;
        mac[5] = (val >> 8) & 0xff;
        lan9118_mac_changed(s);
        break;
    case MAC_ADDRL:
        mac[0] = val & 0xff;
        mac[1] = (val >> 8) & 0xff;
        mac[2] = (val >> 16) & 0xff;
        mac[3] = (val >> 24) & 0xff;
        lan9118_mac_changed(s);
        break;
    case MAC_HASHH:
        s->mac_hashh = val;
        break;
    case MAC_HASHL:
        s->mac_hashl = val;
        break;
    case MAC_MII_ACC:
        s->mac_mii_acc = val & 0xffc2;
        /* Bit 1 selects a PHY write; otherwise this is a PHY read. */
        if (val & 2) {
            DPRINTF("PHY write %d = 0x%04x\n",
                    phy_reg, s->mac_mii_data);
            do_phy_write(s, phy_reg, s->mac_mii_data);
        } else {
            s->mac_mii_data = do_phy_read(s, phy_reg);
            DPRINTF("PHY read %d = 0x%04x\n",
                    phy_reg, s->mac_mii_data);
        }
        break;
    case MAC_MII_DATA:
        s->mac_mii_data = val & 0xffff;
        break;
    case MAC_FLOW:
        s->mac_flow = val & 0xffff0000;
        break;
    case MAC_VLAN1:
        /*
         * Writing to this register changes a condition for
         * FrameTooLong bit in rx_status.  Since we do not set
         * FrameTooLong anyway, just ignore write to this.
         */
        break;
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118: Unimplemented MAC register write: %d = 0x%x\n",
                      s->mac_cmd & 0xf, val);
        break;
    }
}
924 
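/*
 * Read MAC register reg. Unimplemented registers are logged as guest errors
 * and read as 0.
 *
 * The MAC address bytes are widened to uint32_t before shifting: a uint8_t
 * promotes to int, and shifting a byte >= 0x80 left by 24 would overflow a
 * signed int.
 */
static uint32_t do_mac_read(lan9118_state *s, int reg)
{
    const uint8_t *mac = s->conf.macaddr.a;

    switch (reg) {
    case MAC_CR:
        return s->mac_cr;
    case MAC_ADDRH:
        return (uint32_t)mac[4] | ((uint32_t)mac[5] << 8);
    case MAC_ADDRL:
        return (uint32_t)mac[0] | ((uint32_t)mac[1] << 8)
               | ((uint32_t)mac[2] << 16) | ((uint32_t)mac[3] << 24);
    case MAC_HASHH:
        return s->mac_hashh;
    case MAC_HASHL:
        return s->mac_hashl;
    case MAC_MII_ACC:
        return s->mac_mii_acc;
    case MAC_MII_DATA:
        return s->mac_mii_data;
    case MAC_FLOW:
        return s->mac_flow;
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118: Unimplemented MAC register read: %d\n",
                      s->mac_cmd & 0xf);
        return 0;
    }
}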
952 
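/*
 * Execute EEPROM command cmd (0..7) on byte address addr and record both in
 * e2p_cmd, preserving only the MAC_ADDR_LOADED flag.
 *
 * Writes can only clear bits (new = old & data) and erases set a byte to
 * 0xff; both require a prior write-enable command. addr indexes the
 * 128-byte eeprom[] array directly, so it is range-checked here instead of
 * relying on the caller to have masked it (the call site is not part of
 * this view of the file).
 */
static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
{
    int i;

    if (addr < 0 || addr >= (int)sizeof(s->eeprom)) {
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118: EEPROM address %d out of range\n", addr);
        return;
    }

    /* Shift in unsigned arithmetic so the command field cannot overflow int. */
    s->e2p_cmd = (s->e2p_cmd & E2P_CMD_MAC_ADDR_LOADED)
                 | ((uint32_t)cmd << 28) | addr;
    switch (cmd) {
    case 0:
        s->e2p_data = s->eeprom[addr];
        DPRINTF("EEPROM Read %d = 0x%02x\n", addr, s->e2p_data);
        break;
    case 1:
        s->eeprom_writable = 0;
        DPRINTF("EEPROM Write Disable\n");
        break;
    case 2: /* EWEN */
        s->eeprom_writable = 1;
        DPRINTF("EEPROM Write Enable\n");
        break;
    case 3: /* WRITE */
        if (s->eeprom_writable) {
            s->eeprom[addr] &= s->e2p_data;
            DPRINTF("EEPROM Write %d = 0x%02x\n", addr, s->e2p_data);
        } else {
            DPRINTF("EEPROM Write %d (ignored)\n", addr);
        }
        break;
    case 4: /* WRAL */
        if (s->eeprom_writable) {
            for (i = 0; i < (int)sizeof(s->eeprom); i++) {
                s->eeprom[i] &= s->e2p_data;
            }
            DPRINTF("EEPROM Write All 0x%02x\n", s->e2p_data);
        } else {
            DPRINTF("EEPROM Write All (ignored)\n");
        }
        break;
    case 5: /* ERASE */
        if (s->eeprom_writable) {
            s->eeprom[addr] = 0xff;
            DPRINTF("EEPROM Erase %d\n", addr);
        } else {
            DPRINTF("EEPROM Erase %d (ignored)\n", addr);
        }
        break;
    case 6: /* ERAL */
        if (s->eeprom_writable) {
            memset(s->eeprom, 0xff, sizeof(s->eeprom));
            DPRINTF("EEPROM Erase All\n");
        } else {
            DPRINTF("EEPROM Erase All (ignored)\n");
        }
        break;
    case 7: /* RELOAD */
        lan9118_reload_eeprom(s);
        break;
    }
}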
1008 
/*
 * General purpose timer callback (registered with ptimer_init() in
 * lan9118_realize).  Latches GPT_INT into the interrupt status only when
 * that source is enabled, then re-evaluates the interrupt state.
 */
static void lan9118_tick(void *opaque)
{
    lan9118_state *dev = opaque;

    if ((dev->int_en & GPT_INT) != 0) {
        dev->int_sts |= GPT_INT;
    }

    lan9118_update(dev);
}
1017 
/*
 * 32-bit MMIO write handler.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region; only the low 8 bits are used
 * @val:    value written by the guest
 * @size:   access size; not examined by this function
 *
 * Offsets 0x20..0x3f feed the TX data FIFO.  Every other offset is decoded
 * as a control/status register, with the guest value masked down to the
 * bits each register stores.  Unknown offsets are logged as guest errors.
 * Everything in @val is guest-controlled, so the per-register masks below
 * are what keep stored state within its expected range.
 */
static void lan9118_writel(void *opaque, hwaddr offset,
                           uint64_t val, unsigned size)
{
    lan9118_state *s = (lan9118_state *)opaque;
    offset &= 0xff;

    //DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, val);
    if (offset >= 0x20 && offset < 0x40) {
        /* TX FIFO */
        /* Returns without calling lan9118_update(), unlike register writes. */
        tx_fifo_push(s, val);
        return;
    }
    switch (offset) {
    case CSR_IRQ_CFG:
        /* TODO: Implement interrupt deassertion intervals.  */
        /* Only the enable/polarity/type bits are writable; IRQ_INT is kept. */
        val &= (IRQ_EN | IRQ_POL | IRQ_TYPE);
        s->irq_cfg = (s->irq_cfg & IRQ_INT) | val;
        break;
    case CSR_INT_STS:
        /* Write-one-to-clear: each set bit in val clears that status bit. */
        s->int_sts &= ~val;
        break;
    case CSR_INT_EN:
        s->int_en = val & ~RESERVED_INT;
        /* Writing SW_INT in the enable register also raises it in status. */
        s->int_sts |= val & SW_INT;
        break;
    case CSR_FIFO_INT:
        DPRINTF("FIFO INT levels %08x\n", val);
        s->fifo_int = val;
        break;
    case CSR_RX_CFG:
        if (val & 0x8000) {
            /* RX_DUMP */
            /* Discard all queued RX data, status words and packet sizes. */
            s->rx_fifo_used = 0;
            s->rx_status_fifo_used = 0;
            s->rx_packet_size_tail = s->rx_packet_size_head;
            s->rx_packet_size[s->rx_packet_size_head] = 0;
        }
        s->rx_cfg = val & 0xcfff1ff0;
        break;
    case CSR_TX_CFG:
        if (val & 0x8000) {
            /* Discard queued TX status words. */
            s->tx_status_fifo_used = 0;
        }
        if (val & 0x4000) {
            /* Discard the TX packet being assembled and return to idle. */
            s->txp->state = TX_IDLE;
            s->txp->fifo_used = 0;
            s->txp->cmd_a = 0xffffffff;
        }
        s->tx_cfg = val & 6;
        break;
    case CSR_HW_CFG:
        if (val & 1) {
            /* SRST */
            lan9118_reset(DEVICE(s));
        } else {
            /* Bit 2 of the current value is preserved across the write. */
            s->hw_cfg = (val & 0x003f300) | (s->hw_cfg & 0x4);
        }
        break;
    case CSR_RX_DP_CTRL:
        if (val & 0x80000000) {
            /* Skip forward to next packet.  */
            s->rxp_pad = 0;
            s->rxp_offset = 0;
            if (s->rxp_size == 0) {
                /* Pop a word to start the next packet.  */
                rx_fifo_pop(s);
                s->rxp_pad = 0;
                s->rxp_offset = 0;
            }
            /*
             * Advance the read pointer past the rest of the packet, with a
             * single wrap.  NOTE(review): rx_fifo_used and rxp_size are not
             * adjusted here - confirm against rx_fifo_pop() that the
             * bookkeeping stays consistent after a fast-forward.
             */
            s->rx_fifo_head += s->rxp_size;
            if (s->rx_fifo_head >= s->rx_fifo_size) {
                s->rx_fifo_head -= s->rx_fifo_size;
            }
        }
        break;
    case CSR_PMT_CTRL:
        if (val & 0x400) {
            phy_reset(s);
        }
        /* Only the bits in 0x34e are replaced by the guest value. */
        s->pmt_ctrl &= ~0x34e;
        s->pmt_ctrl |= (val & 0x34e);
        break;
    case CSR_GPIO_CFG:
        /* Probably just enabling LEDs.  */
        s->gpio_cfg = val & 0x7777071f;
        break;
    case CSR_GPT_CFG:
        /* The timer is only touched when the enable bit changes state. */
        if ((s->gpt_cfg ^ val) & GPT_TIMER_EN) {
            ptimer_transaction_begin(s->timer);
            if (val & GPT_TIMER_EN) {
                /* Start counting from the 16-bit load value. */
                ptimer_set_count(s->timer, val & 0xffff);
                ptimer_run(s->timer, 0);
            } else {
                ptimer_stop(s->timer);
                ptimer_set_count(s->timer, 0xffff);
            }
            ptimer_transaction_commit(s->timer);
        }
        s->gpt_cfg = val & (GPT_TIMER_EN | 0xffff);
        break;
    case CSR_WORD_SWAP:
        /* Ignored because we're in 32-bit mode.  */
        s->word_swap = val;
        break;
    case CSR_MAC_CSR_CMD:
        /* Latch the read/write flag and the 4-bit MAC register index. */
        s->mac_cmd = val & 0x4000000f;
        if (val & 0x80000000) {
            /* Bit 31 starts the access; bit 30 selects read over write. */
            if (val & 0x40000000) {
                s->mac_data = do_mac_read(s, val & 0xf);
                DPRINTF("MAC read %d = 0x%08x\n", val & 0xf, s->mac_data);
            } else {
                DPRINTF("MAC write %d = 0x%08x\n", val & 0xf, s->mac_data);
                do_mac_write(s, val & 0xf, s->mac_data);
            }
        }
        break;
    case CSR_MAC_CSR_DATA:
        s->mac_data = val;
        break;
    case CSR_AFC_CFG:
        s->afc_cfg = val & 0x00ffffff;
        break;
    case CSR_E2P_CMD:
        /*
         * The command is 3 bits and the address 7 bits, so the EEPROM
         * index handed to lan9118_eeprom_cmd() is always 0..127.  The
         * command runs on every write; no start bit is checked here.
         */
        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
        break;
    case CSR_E2P_DATA:
        s->e2p_data = val & 0xff;
        break;

    default:
        qemu_log_mask(LOG_GUEST_ERROR, "lan9118_write: Bad reg 0x%x = %x\n",
                      (int)offset, (int)val);
        break;
    }
    /* Re-evaluate the interrupt line after any register change. */
    lan9118_update(s);
}
1154 
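/*
 * 16-bit MMIO write handler used in 16-bit bus mode.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region; only the low 8 bits are used
 * @val:    half-word written by the guest
 *
 * Two half-word writes to the same 32-bit register are collected and then
 * forwarded as one lan9118_writel() call.  Bit 1 of @offset selects which
 * half is stored.  Moving to a different register restarts the count.
 * The count does not check that the two writes hit different halves, so
 * two writes to the same half also trigger the combined write.
 */
static void lan9118_writew(void *opaque, hwaddr offset,
                           uint32_t val)
{
    lan9118_state *s = (lan9118_state *)opaque;
    offset &= 0xff;

    if (s->write_word_prev_offset != (offset & ~0x3)) {
        /* New offset, reset word counter */
        s->write_word_n = 0;
        s->write_word_prev_offset = offset & ~0x3;
    }

    if (offset & 0x2) {
        s->write_word_h = val;
    } else {
        s->write_word_l = val;
    }

    //DPRINTF("Writew reg 0x%02x = 0x%08x\n", (int)offset, val);
    s->write_word_n++;
    if (s->write_word_n == 2) {
        s->write_word_n = 0;
        /*
         * Combine the halves in unsigned 32-bit arithmetic.  The field
         * declarations are outside this view; if write_word_h is narrower
         * than int, an uncast "<< 16" is done in signed int and overflows
         * when bit 15 is set.
         */
        lan9118_writel(s, offset & ~3,
                       (uint32_t)s->write_word_l |
                       ((uint32_t)s->write_word_h << 16), 4);
    }
}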
1181 
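/*
 * MMIO write dispatcher for 16-bit bus mode.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region
 * @val:    value written by the guest
 * @size:   access size in bytes
 *
 * Half-word accesses go through the pairing logic in lan9118_writew() and
 * word accesses go straight to lan9118_writel().
 *
 * Any other size is chosen by the guest, so it is reported as a guest
 * error and the write is dropped.  Calling hw_error() here would let a
 * guest terminate the emulator with a single odd-sized store.
 */
static void lan9118_16bit_mode_write(void *opaque, hwaddr offset,
                                     uint64_t val, unsigned size)
{
    switch (size) {
    case 2:
        lan9118_writew(opaque, offset, (uint32_t)val);
        return;
    case 4:
        lan9118_writel(opaque, offset, val, size);
        return;
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118_write: Bad size 0x%x\n", size);
        return;
    }
}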
1196 
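/*
 * 32-bit MMIO read handler.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region
 * @size:   access size; not examined by this function
 *
 * Offsets below 0x20 pop a word from the RX data FIFO.  Offsets 0x40 and
 * 0x48 pop the RX and TX status FIFOs, while 0x44 and 0x4c return the
 * head entry without consuming it.  The remaining offsets return register
 * state.  Unknown offsets are logged as guest errors and read as 0.
 */
static uint64_t lan9118_readl(void *opaque, hwaddr offset,
                              unsigned size)
{
    lan9118_state *s = (lan9118_state *)opaque;

    //DPRINTF("Read reg 0x%02x\n", (int)offset);
    if (offset < 0x20) {
        /* RX FIFO */
        return rx_fifo_pop(s);
    }
    switch (offset) {
    case 0x40:
        return rx_status_fifo_pop(s);
    case 0x44:
        /*
         * Peek at the RX status FIFO.  The index must be the RX head: the
         * TX head belongs to a different FIFO and returned an unrelated
         * (possibly stale) RX status entry.
         */
        return s->rx_status_fifo[s->rx_status_fifo_head];
    case 0x48:
        return tx_status_fifo_pop(s);
    case 0x4c:
        /* Peek at the TX status FIFO. */
        return s->tx_status_fifo[s->tx_status_fifo_head];
    case CSR_ID_REV:
        return 0x01180001;
    case CSR_IRQ_CFG:
        return s->irq_cfg;
    case CSR_INT_STS:
        return s->int_sts;
    case CSR_INT_EN:
        return s->int_en;
    case CSR_BYTE_TEST:
        /* Fixed pattern returned for the byte-test register. */
        return 0x87654321;
    case CSR_FIFO_INT:
        return s->fifo_int;
    case CSR_RX_CFG:
        return s->rx_cfg;
    case CSR_TX_CFG:
        return s->tx_cfg;
    case CSR_HW_CFG:
        return s->hw_cfg;
    case CSR_RX_DP_CTRL:
        return 0;
    case CSR_RX_FIFO_INF:
        /* Status entries in the upper half, data words scaled by 4 below. */
        return (s->rx_status_fifo_used << 16) | (s->rx_fifo_used << 2);
    case CSR_TX_FIFO_INF:
        /* Status entries in the upper half, free TX data space below. */
        return (s->tx_status_fifo_used << 16)
               | (s->tx_fifo_size - s->txp->fifo_used);
    case CSR_PMT_CTRL:
        return s->pmt_ctrl;
    case CSR_GPIO_CFG:
        return s->gpio_cfg;
    case CSR_GPT_CFG:
        return s->gpt_cfg;
    case CSR_GPT_CNT:
        return ptimer_get_count(s->timer);
    case CSR_WORD_SWAP:
        return s->word_swap;
    case CSR_FREE_RUN:
        /* One count per 40 ns of virtual time since free_timer_start. */
        return (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40) - s->free_timer_start;
    case CSR_RX_DROP:
        /* TODO: Implement dropped frames counter.  */
        return 0;
    case CSR_MAC_CSR_CMD:
        return s->mac_cmd;
    case CSR_MAC_CSR_DATA:
        return s->mac_data;
    case CSR_AFC_CFG:
        return s->afc_cfg;
    case CSR_E2P_CMD:
        return s->e2p_cmd;
    case CSR_E2P_DATA:
        return s->e2p_data;
    }
    qemu_log_mask(LOG_GUEST_ERROR, "lan9118_read: Bad reg 0x%x\n", (int)offset);
    return 0;
}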
1270 
/*
 * 16-bit MMIO read handler used in 16-bit bus mode.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region
 *
 * The first half-word read of a 32-bit register performs the real
 * lan9118_readl() and caches the result in read_long.  The second read of
 * the same register is served from that cache, so a side-effecting
 * register such as a FIFO is read once per pair.  Bit 1 of @offset
 * selects the half that is returned.
 */
static uint32_t lan9118_readw(void *opaque, hwaddr offset)
{
    lan9118_state *s = (lan9118_state *)opaque;
    hwaddr word_base = offset & ~0x3;
    uint32_t half;

    /* A different register restarts the half-word pairing. */
    if (s->read_word_prev_offset != word_base) {
        s->read_word_n = 0;
        s->read_word_prev_offset = word_base;
    }

    s->read_word_n++;
    if (s->read_word_n != 1) {
        /* Second half of the pair: reuse the cached word. */
        s->read_word_n = 0;
    } else {
        s->read_long = lan9118_readl(s, word_base, 4);
    }

    half = (offset & 2) ? (s->read_long >> 16) : (s->read_long & 0xFFFF);

    //DPRINTF("Readw reg 0x%02x, val 0x%x\n", (int)offset, val);
    return half;
}
1298 
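/*
 * MMIO read dispatcher for 16-bit bus mode.
 *
 * @opaque: the lan9118_state registered with the memory region
 * @offset: byte offset into the region
 * @size:   access size in bytes
 *
 * Half-word accesses go through the pairing logic in lan9118_readw() and
 * word accesses go straight to lan9118_readl().
 *
 * Any other size is chosen by the guest, so it is reported as a guest
 * error and reads as 0.  Calling hw_error() here would let a guest
 * terminate the emulator with a single odd-sized load.
 */
static uint64_t lan9118_16bit_mode_read(void *opaque, hwaddr offset,
                                        unsigned size)
{
    switch (size) {
    case 2:
        return lan9118_readw(opaque, offset);
    case 4:
        return lan9118_readl(opaque, offset, size);
    default:
        qemu_log_mask(LOG_GUEST_ERROR,
                      "lan9118_read: Bad size 0x%x\n", size);
        return 0;
    }
}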
1312 
/*
 * MMIO callbacks for the default (32-bit) bus mode.
 *
 * No access-size constraints are declared here, and the handlers do not
 * examine the size argument, so every access is decoded as a full
 * register access at the given offset.
 */
static const MemoryRegionOps lan9118_mem_ops = {
    .read = lan9118_readl,
    .write = lan9118_writel,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1318 
/*
 * MMIO callbacks for 16-bit bus mode (selected by the "mode_16bit"
 * property in lan9118_realize).
 *
 * No access-size constraints are declared here, so the dispatchers have
 * to deal with any size other than 2 or 4 themselves.
 * NOTE(review): declaring the supported sizes on the ops would reject
 * such accesses before they reach the device - confirm the intended
 * behaviour for byte accesses.
 */
static const MemoryRegionOps lan9118_16bit_mem_ops = {
    .read = lan9118_16bit_mode_read,
    .write = lan9118_16bit_mode_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1324 
/*
 * Network backend hooks for this NIC: lan9118_receive handles incoming
 * frames and lan9118_set_link handles link state changes.
 */
static NetClientInfo net_lan9118_info = {
    .type = NET_CLIENT_DRIVER_NIC,
    .size = sizeof(NICState),
    .receive = lan9118_receive,
    .link_status_changed = lan9118_set_link,
};
1331 
/*
 * Realize the device: register the 0x100-byte MMIO window and the IRQ
 * line, create the NIC backend, seed the EEPROM image and set up the
 * general purpose timer.
 *
 * @dev:  the device being realized
 * @errp: error return location; not written by this function
 */
static void lan9118_realize(DeviceState *dev, Error **errp)
{
    lan9118_state *s = LAN9118(dev);
    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
    const MemoryRegionOps *mem_ops = &lan9118_mem_ops;
    int idx;

    /* The "mode_16bit" property selects the half-word capable handlers. */
    if (s->mode_16bit) {
        mem_ops = &lan9118_16bit_mem_ops;
    }

    memory_region_init_io(&s->mmio, OBJECT(dev), mem_ops, s,
                          "lan9118-mmio", 0x100);
    sysbus_init_mmio(sbd, &s->mmio);
    sysbus_init_irq(sbd, &s->irq);
    qemu_macaddr_default_if_unset(&s->conf.macaddr);

    s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
                          object_get_typename(OBJECT(dev)), dev->id, s);
    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);

    /* EEPROM image: a 0xa5 marker byte followed by the six MAC bytes. */
    s->eeprom[0] = 0xa5;
    for (idx = 1; idx <= 6; idx++) {
        s->eeprom[idx] = s->conf.macaddr.a[idx - 1];
    }
    s->pmt_ctrl = 1;
    s->txp = &s->tx_packet;

    /* General purpose timer: 10 kHz with a 16-bit reload value. */
    s->timer = ptimer_init(lan9118_tick, s, PTIMER_POLICY_DEFAULT);
    ptimer_transaction_begin(s->timer);
    ptimer_set_freq(s->timer, 10000);
    ptimer_set_limit(s->timer, 0xffff, 1);
    ptimer_transaction_commit(s->timer);
}
1362 
/*
 * User-settable properties: the standard NIC configuration and
 * "mode_16bit" (default 0), which lan9118_realize uses to pick the
 * MMIO handlers.
 */
static Property lan9118_properties[] = {
    DEFINE_NIC_PROPERTIES(lan9118_state, conf),
    DEFINE_PROP_UINT32("mode_16bit", lan9118_state, mode_16bit, 0),
    DEFINE_PROP_END_OF_LIST(),
};
1368 
/*
 * Class initializer: installs the realize and reset hooks, the migration
 * description and the property list on the device class.
 */
static void lan9118_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->realize = lan9118_realize;
    device_class->reset = lan9118_reset;
    device_class->vmsd = &vmstate_lan9118;
    device_class_set_props(device_class, lan9118_properties);
}
1378 
/* QOM type description: a sysbus device whose instance is a lan9118_state. */
static const TypeInfo lan9118_info = {
    .name          = TYPE_LAN9118,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(lan9118_state),
    .class_init    = lan9118_class_init,
};
1385 
/* Register the LAN9118 type description with the type system. */
static void lan9118_register_types(void)
{
    type_register_static(&lan9118_info);
}
1390 
/*
 * Legacy helper function.  Should go away when machine config files are
 * implemented.
 *
 * Creates a LAN9118 for the NIC described by @nd, realizes it (any
 * failure is fatal), maps its MMIO region 0 at @base and wires its
 * interrupt output 0 to @irq.
 */
void lan9118_init(NICInfo *nd, uint32_t base, qemu_irq irq)
{
    DeviceState *dev;
    SysBusDevice *sbd;

    qemu_check_nic_model(nd, "lan9118");

    dev = qdev_new(TYPE_LAN9118);
    sbd = SYS_BUS_DEVICE(dev);
    qdev_set_nic_properties(dev, nd);

    sysbus_realize_and_unref(sbd, &error_fatal);
    sysbus_mmio_map(sbd, 0, base);
    sysbus_connect_irq(sbd, 0, irq);
}
1406 
/* Hook lan9118_register_types into the type_init mechanism. */
type_init(lan9118_register_types)
1408