xref: /openbmc/qemu/hw/net/rtl8139.c (revision 36f96c4b)
1 /**
2  * QEMU RTL8139 emulation
3  *
4  * Copyright (c) 2006 Igor Kovalenko
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23 
24  * Modifications:
25  *  2006-Jan-28  Mark Malakanov :   TSAD and CSCR implementation (for Windows driver)
26  *
27  *  2006-Apr-28  Juergen Lock   :   EEPROM emulation changes for FreeBSD driver
28  *                                  HW revision ID changes for FreeBSD driver
29  *
30  *  2006-Jul-01  Igor Kovalenko :   Implemented loopback mode for FreeBSD driver
31  *                                  Corrected packet transfer reassembly routine for 8139C+ mode
32  *                                  Rearranged debugging print statements
33  *                                  Implemented PCI timer interrupt (disabled by default)
34  *                                  Implemented Tally Counters, increased VM load/save version
35  *                                  Implemented IP/TCP/UDP checksum task offloading
36  *
37  *  2006-Jul-04  Igor Kovalenko :   Implemented TCP segmentation offloading
38  *                                  Fixed MTU=1500 for produced ethernet frames
39  *
40  *  2006-Jul-09  Igor Kovalenko :   Fixed TCP header length calculation while processing
41  *                                  segmentation offloading
42  *                                  Removed slirp.h dependency
43  *                                  Added rx/tx buffer reset when enabling rx/tx operation
44  *
45  *  2010-Feb-04  Frediano Ziglio:   Rewrote timer support using QEMU timer only
46  *                                  when strictly needed (required for
47  *                                  Darwin)
48  *  2011-Mar-22  Benjamin Poirier:  Implemented VLAN offloading
49  */
50 
51 /* For crc32 */
52 #include <zlib.h>
53 
54 #include "hw/hw.h"
55 #include "hw/pci/pci.h"
56 #include "sysemu/dma.h"
57 #include "qemu/timer.h"
58 #include "net/net.h"
59 #include "net/eth.h"
60 #include "hw/loader.h"
61 #include "sysemu/sysemu.h"
62 #include "qemu/iov.h"
63 
64 /* debug RTL8139 card */
65 //#define DEBUG_RTL8139 1
66 
67 #define PCI_PERIOD 30    /* 30 ns period = 33.333333 Mhz frequency */
68 
69 #define SET_MASKED(input, mask, curr) \
70     ( ( (input) & ~(mask) ) | ( (curr) & (mask) ) )
71 
72 /* arg % size for size which is a power of 2 */
73 #define MOD2(input, size) \
74     ( ( input ) & ( size - 1 )  )
75 
76 #define ETHER_TYPE_LEN 2
77 #define ETH_MTU     1500
78 
79 #define VLAN_TCI_LEN 2
80 #define VLAN_HLEN (ETHER_TYPE_LEN + VLAN_TCI_LEN)
81 
82 #if defined (DEBUG_RTL8139)
83 #  define DPRINTF(fmt, ...) \
84     do { fprintf(stderr, "RTL8139: " fmt, ## __VA_ARGS__); } while (0)
85 #else
86 static inline GCC_FMT_ATTR(1, 2) int DPRINTF(const char *fmt, ...)
87 {
88     return 0;
89 }
90 #endif
91 
92 #define TYPE_RTL8139 "rtl8139"
93 
94 #define RTL8139(obj) \
95      OBJECT_CHECK(RTL8139State, (obj), TYPE_RTL8139)
96 
97 /* Symbolic offsets to registers. */
98 enum RTL8139_registers {
99     MAC0 = 0,        /* Ethernet hardware address. */
100     MAR0 = 8,        /* Multicast filter. */
101     TxStatus0 = 0x10,/* Transmit status (Four 32bit registers). C mode only */
102                      /* Dump Tally Conter control register(64bit). C+ mode only */
103     TxAddr0 = 0x20,  /* Tx descriptors (also four 32bit). */
104     RxBuf = 0x30,
105     ChipCmd = 0x37,
106     RxBufPtr = 0x38,
107     RxBufAddr = 0x3A,
108     IntrMask = 0x3C,
109     IntrStatus = 0x3E,
110     TxConfig = 0x40,
111     RxConfig = 0x44,
112     Timer = 0x48,        /* A general-purpose counter. */
113     RxMissed = 0x4C,    /* 24 bits valid, write clears. */
114     Cfg9346 = 0x50,
115     Config0 = 0x51,
116     Config1 = 0x52,
117     FlashReg = 0x54,
118     MediaStatus = 0x58,
119     Config3 = 0x59,
120     Config4 = 0x5A,        /* absent on RTL-8139A */
121     HltClk = 0x5B,
122     MultiIntr = 0x5C,
123     PCIRevisionID = 0x5E,
124     TxSummary = 0x60, /* TSAD register. Transmit Status of All Descriptors*/
125     BasicModeCtrl = 0x62,
126     BasicModeStatus = 0x64,
127     NWayAdvert = 0x66,
128     NWayLPAR = 0x68,
129     NWayExpansion = 0x6A,
130     /* Undocumented registers, but required for proper operation. */
131     FIFOTMS = 0x70,        /* FIFO Control and test. */
132     CSCR = 0x74,        /* Chip Status and Configuration Register. */
133     PARA78 = 0x78,
134     PARA7c = 0x7c,        /* Magic transceiver parameter register. */
135     Config5 = 0xD8,        /* absent on RTL-8139A */
136     /* C+ mode */
137     TxPoll        = 0xD9,    /* Tell chip to check Tx descriptors for work */
138     RxMaxSize    = 0xDA, /* Max size of an Rx packet (8169 only) */
139     CpCmd        = 0xE0, /* C+ Command register (C+ mode only) */
140     IntrMitigate    = 0xE2,    /* rx/tx interrupt mitigation control */
141     RxRingAddrLO    = 0xE4, /* 64-bit start addr of Rx ring */
142     RxRingAddrHI    = 0xE8, /* 64-bit start addr of Rx ring */
143     TxThresh    = 0xEC, /* Early Tx threshold */
144 };
145 
146 enum ClearBitMasks {
147     MultiIntrClear = 0xF000,
148     ChipCmdClear = 0xE2,
149     Config1Clear = (1<<7)|(1<<6)|(1<<3)|(1<<2)|(1<<1),
150 };
151 
152 enum ChipCmdBits {
153     CmdReset = 0x10,
154     CmdRxEnb = 0x08,
155     CmdTxEnb = 0x04,
156     RxBufEmpty = 0x01,
157 };
158 
159 /* C+ mode */
160 enum CplusCmdBits {
161     CPlusRxVLAN   = 0x0040, /* enable receive VLAN detagging */
162     CPlusRxChkSum = 0x0020, /* enable receive checksum offloading */
163     CPlusRxEnb    = 0x0002,
164     CPlusTxEnb    = 0x0001,
165 };
166 
167 /* Interrupt register bits, using my own meaningful names. */
168 enum IntrStatusBits {
169     PCIErr = 0x8000,
170     PCSTimeout = 0x4000,
171     RxFIFOOver = 0x40,
172     RxUnderrun = 0x20, /* Packet Underrun / Link Change */
173     RxOverflow = 0x10,
174     TxErr = 0x08,
175     TxOK = 0x04,
176     RxErr = 0x02,
177     RxOK = 0x01,
178 
179     RxAckBits = RxFIFOOver | RxOverflow | RxOK,
180 };
181 
182 enum TxStatusBits {
183     TxHostOwns = 0x2000,
184     TxUnderrun = 0x4000,
185     TxStatOK = 0x8000,
186     TxOutOfWindow = 0x20000000,
187     TxAborted = 0x40000000,
188     TxCarrierLost = 0x80000000,
189 };
190 enum RxStatusBits {
191     RxMulticast = 0x8000,
192     RxPhysical = 0x4000,
193     RxBroadcast = 0x2000,
194     RxBadSymbol = 0x0020,
195     RxRunt = 0x0010,
196     RxTooLong = 0x0008,
197     RxCRCErr = 0x0004,
198     RxBadAlign = 0x0002,
199     RxStatusOK = 0x0001,
200 };
201 
202 /* Bits in RxConfig. */
203 enum rx_mode_bits {
204     AcceptErr = 0x20,
205     AcceptRunt = 0x10,
206     AcceptBroadcast = 0x08,
207     AcceptMulticast = 0x04,
208     AcceptMyPhys = 0x02,
209     AcceptAllPhys = 0x01,
210 };
211 
212 /* Bits in TxConfig. */
213 enum tx_config_bits {
214 
215         /* Interframe Gap Time. Only TxIFG96 doesn't violate IEEE 802.3 */
216         TxIFGShift = 24,
217         TxIFG84 = (0 << TxIFGShift),    /* 8.4us / 840ns (10 / 100Mbps) */
218         TxIFG88 = (1 << TxIFGShift),    /* 8.8us / 880ns (10 / 100Mbps) */
219         TxIFG92 = (2 << TxIFGShift),    /* 9.2us / 920ns (10 / 100Mbps) */
220         TxIFG96 = (3 << TxIFGShift),    /* 9.6us / 960ns (10 / 100Mbps) */
221 
222     TxLoopBack = (1 << 18) | (1 << 17), /* enable loopback test mode */
223     TxCRC = (1 << 16),    /* DISABLE appending CRC to end of Tx packets */
224     TxClearAbt = (1 << 0),    /* Clear abort (WO) */
225     TxDMAShift = 8,        /* DMA burst value (0-7) is shifted this many bits */
226     TxRetryShift = 4,    /* TXRR value (0-15) is shifted this many bits */
227 
228     TxVersionMask = 0x7C800000, /* mask out version bits 30-26, 23 */
229 };
230 
231 
232 /* Transmit Status of All Descriptors (TSAD) Register */
233 enum TSAD_bits {
234  TSAD_TOK3 = 1<<15, // TOK bit of Descriptor 3
235  TSAD_TOK2 = 1<<14, // TOK bit of Descriptor 2
236  TSAD_TOK1 = 1<<13, // TOK bit of Descriptor 1
237  TSAD_TOK0 = 1<<12, // TOK bit of Descriptor 0
238  TSAD_TUN3 = 1<<11, // TUN bit of Descriptor 3
239  TSAD_TUN2 = 1<<10, // TUN bit of Descriptor 2
240  TSAD_TUN1 = 1<<9, // TUN bit of Descriptor 1
241  TSAD_TUN0 = 1<<8, // TUN bit of Descriptor 0
242  TSAD_TABT3 = 1<<07, // TABT bit of Descriptor 3
243  TSAD_TABT2 = 1<<06, // TABT bit of Descriptor 2
244  TSAD_TABT1 = 1<<05, // TABT bit of Descriptor 1
245  TSAD_TABT0 = 1<<04, // TABT bit of Descriptor 0
246  TSAD_OWN3 = 1<<03, // OWN bit of Descriptor 3
247  TSAD_OWN2 = 1<<02, // OWN bit of Descriptor 2
248  TSAD_OWN1 = 1<<01, // OWN bit of Descriptor 1
249  TSAD_OWN0 = 1<<00, // OWN bit of Descriptor 0
250 };
251 
252 
253 /* Bits in Config1 */
254 enum Config1Bits {
255     Cfg1_PM_Enable = 0x01,
256     Cfg1_VPD_Enable = 0x02,
257     Cfg1_PIO = 0x04,
258     Cfg1_MMIO = 0x08,
259     LWAKE = 0x10,        /* not on 8139, 8139A */
260     Cfg1_Driver_Load = 0x20,
261     Cfg1_LED0 = 0x40,
262     Cfg1_LED1 = 0x80,
263     SLEEP = (1 << 1),    /* only on 8139, 8139A */
264     PWRDN = (1 << 0),    /* only on 8139, 8139A */
265 };
266 
267 /* Bits in Config3 */
268 enum Config3Bits {
269     Cfg3_FBtBEn    = (1 << 0), /* 1 = Fast Back to Back */
270     Cfg3_FuncRegEn = (1 << 1), /* 1 = enable CardBus Function registers */
271     Cfg3_CLKRUN_En = (1 << 2), /* 1 = enable CLKRUN */
272     Cfg3_CardB_En  = (1 << 3), /* 1 = enable CardBus registers */
273     Cfg3_LinkUp    = (1 << 4), /* 1 = wake up on link up */
274     Cfg3_Magic     = (1 << 5), /* 1 = wake up on Magic Packet (tm) */
275     Cfg3_PARM_En   = (1 << 6), /* 0 = software can set twister parameters */
276     Cfg3_GNTSel    = (1 << 7), /* 1 = delay 1 clock from PCI GNT signal */
277 };
278 
279 /* Bits in Config4 */
280 enum Config4Bits {
281     LWPTN = (1 << 2),    /* not on 8139, 8139A */
282 };
283 
284 /* Bits in Config5 */
285 enum Config5Bits {
286     Cfg5_PME_STS     = (1 << 0), /* 1 = PCI reset resets PME_Status */
287     Cfg5_LANWake     = (1 << 1), /* 1 = enable LANWake signal */
288     Cfg5_LDPS        = (1 << 2), /* 0 = save power when link is down */
289     Cfg5_FIFOAddrPtr = (1 << 3), /* Realtek internal SRAM testing */
290     Cfg5_UWF         = (1 << 4), /* 1 = accept unicast wakeup frame */
291     Cfg5_MWF         = (1 << 5), /* 1 = accept multicast wakeup frame */
292     Cfg5_BWF         = (1 << 6), /* 1 = accept broadcast wakeup frame */
293 };
294 
295 enum RxConfigBits {
296     /* rx fifo threshold */
297     RxCfgFIFOShift = 13,
298     RxCfgFIFONone = (7 << RxCfgFIFOShift),
299 
300     /* Max DMA burst */
301     RxCfgDMAShift = 8,
302     RxCfgDMAUnlimited = (7 << RxCfgDMAShift),
303 
304     /* rx ring buffer length */
305     RxCfgRcv8K = 0,
306     RxCfgRcv16K = (1 << 11),
307     RxCfgRcv32K = (1 << 12),
308     RxCfgRcv64K = (1 << 11) | (1 << 12),
309 
310     /* Disable packet wrap at end of Rx buffer. (not possible with 64k) */
311     RxNoWrap = (1 << 7),
312 };
313 
314 /* Twister tuning parameters from RealTek.
315    Completely undocumented, but required to tune bad links on some boards. */
316 /*
317 enum CSCRBits {
318     CSCR_LinkOKBit = 0x0400,
319     CSCR_LinkChangeBit = 0x0800,
320     CSCR_LinkStatusBits = 0x0f000,
321     CSCR_LinkDownOffCmd = 0x003c0,
322     CSCR_LinkDownCmd = 0x0f3c0,
323 */
324 enum CSCRBits {
325     CSCR_Testfun = 1<<15, /* 1 = Auto-neg speeds up internal timer, WO, def 0 */
326     CSCR_LD  = 1<<9,  /* Active low TPI link disable signal. When low, TPI still transmits link pulses and TPI stays in good link state. def 1*/
327     CSCR_HEART_BIT = 1<<8,  /* 1 = HEART BEAT enable, 0 = HEART BEAT disable. HEART BEAT function is only valid in 10Mbps mode. def 1*/
328     CSCR_JBEN = 1<<7,  /* 1 = enable jabber function. 0 = disable jabber function, def 1*/
329     CSCR_F_LINK_100 = 1<<6, /* Used to login force good link in 100Mbps for diagnostic purposes. 1 = DISABLE, 0 = ENABLE. def 1*/
330     CSCR_F_Connect  = 1<<5,  /* Assertion of this bit forces the disconnect function to be bypassed. def 0*/
331     CSCR_Con_status = 1<<3, /* This bit indicates the status of the connection. 1 = valid connected link detected; 0 = disconnected link detected. RO def 0*/
332     CSCR_Con_status_En = 1<<2, /* Assertion of this bit configures LED1 pin to indicate connection status. def 0*/
333     CSCR_PASS_SCR = 1<<0, /* Bypass Scramble, def 0*/
334 };
335 
336 enum Cfg9346Bits {
337     Cfg9346_Normal = 0x00,
338     Cfg9346_Autoload = 0x40,
339     Cfg9346_Programming = 0x80,
340     Cfg9346_ConfigWrite = 0xC0,
341 };
342 
343 typedef enum {
344     CH_8139 = 0,
345     CH_8139_K,
346     CH_8139A,
347     CH_8139A_G,
348     CH_8139B,
349     CH_8130,
350     CH_8139C,
351     CH_8100,
352     CH_8100B_8139D,
353     CH_8101,
354 } chip_t;
355 
356 enum chip_flags {
357     HasHltClk = (1 << 0),
358     HasLWake = (1 << 1),
359 };
360 
361 #define HW_REVID(b30, b29, b28, b27, b26, b23, b22) \
362     (b30<<30 | b29<<29 | b28<<28 | b27<<27 | b26<<26 | b23<<23 | b22<<22)
363 #define HW_REVID_MASK    HW_REVID(1, 1, 1, 1, 1, 1, 1)
364 
365 #define RTL8139_PCI_REVID_8139      0x10
366 #define RTL8139_PCI_REVID_8139CPLUS 0x20
367 
368 #define RTL8139_PCI_REVID           RTL8139_PCI_REVID_8139CPLUS
369 
370 /* Size is 64 * 16bit words */
371 #define EEPROM_9346_ADDR_BITS 6
372 #define EEPROM_9346_SIZE  (1 << EEPROM_9346_ADDR_BITS)
373 #define EEPROM_9346_ADDR_MASK (EEPROM_9346_SIZE - 1)
374 
375 enum Chip9346Operation
376 {
377     Chip9346_op_mask = 0xc0,          /* 10 zzzzzz */
378     Chip9346_op_read = 0x80,          /* 10 AAAAAA */
379     Chip9346_op_write = 0x40,         /* 01 AAAAAA D(15)..D(0) */
380     Chip9346_op_ext_mask = 0xf0,      /* 11 zzzzzz */
381     Chip9346_op_write_enable = 0x30,  /* 00 11zzzz */
382     Chip9346_op_write_all = 0x10,     /* 00 01zzzz */
383     Chip9346_op_write_disable = 0x00, /* 00 00zzzz */
384 };
385 
386 enum Chip9346Mode
387 {
388     Chip9346_none = 0,
389     Chip9346_enter_command_mode,
390     Chip9346_read_command,
391     Chip9346_data_read,      /* from output register */
392     Chip9346_data_write,     /* to input register, then to contents at specified address */
393     Chip9346_data_write_all, /* to input register, then filling contents */
394 };
395 
396 typedef struct EEprom9346
397 {
398     uint16_t contents[EEPROM_9346_SIZE];
399     int      mode;
400     uint32_t tick;
401     uint8_t  address;
402     uint16_t input;
403     uint16_t output;
404 
405     uint8_t eecs;
406     uint8_t eesk;
407     uint8_t eedi;
408     uint8_t eedo;
409 } EEprom9346;
410 
411 typedef struct RTL8139TallyCounters
412 {
413     /* Tally counters */
414     uint64_t   TxOk;
415     uint64_t   RxOk;
416     uint64_t   TxERR;
417     uint32_t   RxERR;
418     uint16_t   MissPkt;
419     uint16_t   FAE;
420     uint32_t   Tx1Col;
421     uint32_t   TxMCol;
422     uint64_t   RxOkPhy;
423     uint64_t   RxOkBrd;
424     uint32_t   RxOkMul;
425     uint16_t   TxAbt;
426     uint16_t   TxUndrn;
427 } RTL8139TallyCounters;
428 
429 /* Clears all tally counters */
430 static void RTL8139TallyCounters_clear(RTL8139TallyCounters* counters);
431 
432 typedef struct RTL8139State {
433     /*< private >*/
434     PCIDevice parent_obj;
435     /*< public >*/
436 
437     uint8_t phys[8]; /* mac address */
438     uint8_t mult[8]; /* multicast mask array */
439 
440     uint32_t TxStatus[4]; /* TxStatus0 in C mode*/ /* also DTCCR[0] and DTCCR[1] in C+ mode */
441     uint32_t TxAddr[4];   /* TxAddr0 */
442     uint32_t RxBuf;       /* Receive buffer */
443     uint32_t RxBufferSize;/* internal variable, receive ring buffer size in C mode */
444     uint32_t RxBufPtr;
445     uint32_t RxBufAddr;
446 
447     uint16_t IntrStatus;
448     uint16_t IntrMask;
449 
450     uint32_t TxConfig;
451     uint32_t RxConfig;
452     uint32_t RxMissed;
453 
454     uint16_t CSCR;
455 
456     uint8_t  Cfg9346;
457     uint8_t  Config0;
458     uint8_t  Config1;
459     uint8_t  Config3;
460     uint8_t  Config4;
461     uint8_t  Config5;
462 
463     uint8_t  clock_enabled;
464     uint8_t  bChipCmdState;
465 
466     uint16_t MultiIntr;
467 
468     uint16_t BasicModeCtrl;
469     uint16_t BasicModeStatus;
470     uint16_t NWayAdvert;
471     uint16_t NWayLPAR;
472     uint16_t NWayExpansion;
473 
474     uint16_t CpCmd;
475     uint8_t  TxThresh;
476 
477     NICState *nic;
478     NICConf conf;
479 
480     /* C ring mode */
481     uint32_t   currTxDesc;
482 
483     /* C+ mode */
484     uint32_t   cplus_enabled;
485 
486     uint32_t   currCPlusRxDesc;
487     uint32_t   currCPlusTxDesc;
488 
489     uint32_t   RxRingAddrLO;
490     uint32_t   RxRingAddrHI;
491 
492     EEprom9346 eeprom;
493 
494     uint32_t   TCTR;
495     uint32_t   TimerInt;
496     int64_t    TCTR_base;
497 
498     /* Tally counters */
499     RTL8139TallyCounters tally_counters;
500 
501     /* Non-persistent data */
502     uint8_t   *cplus_txbuffer;
503     int        cplus_txbuffer_len;
504     int        cplus_txbuffer_offset;
505 
506     /* PCI interrupt timer */
507     QEMUTimer *timer;
508 
509     MemoryRegion bar_io;
510     MemoryRegion bar_mem;
511 
512     /* Support migration to/from old versions */
513     int rtl8139_mmio_io_addr_dummy;
514 } RTL8139State;
515 
516 /* Writes tally counters to memory via DMA */
517 static void RTL8139TallyCounters_dma_write(RTL8139State *s, dma_addr_t tc_addr);
518 
519 static void rtl8139_set_next_tctr_time(RTL8139State *s);
520 
521 static void prom9346_decode_command(EEprom9346 *eeprom, uint8_t command)
522 {
523     DPRINTF("eeprom command 0x%02x\n", command);
524 
525     switch (command & Chip9346_op_mask)
526     {
527         case Chip9346_op_read:
528         {
529             eeprom->address = command & EEPROM_9346_ADDR_MASK;
530             eeprom->output = eeprom->contents[eeprom->address];
531             eeprom->eedo = 0;
532             eeprom->tick = 0;
533             eeprom->mode = Chip9346_data_read;
534             DPRINTF("eeprom read from address 0x%02x data=0x%04x\n",
535                 eeprom->address, eeprom->output);
536         }
537         break;
538 
539         case Chip9346_op_write:
540         {
541             eeprom->address = command & EEPROM_9346_ADDR_MASK;
542             eeprom->input = 0;
543             eeprom->tick = 0;
544             eeprom->mode = Chip9346_none; /* Chip9346_data_write */
545             DPRINTF("eeprom begin write to address 0x%02x\n",
546                 eeprom->address);
547         }
548         break;
549         default:
550             eeprom->mode = Chip9346_none;
551             switch (command & Chip9346_op_ext_mask)
552             {
553                 case Chip9346_op_write_enable:
554                     DPRINTF("eeprom write enabled\n");
555                     break;
556                 case Chip9346_op_write_all:
557                     DPRINTF("eeprom begin write all\n");
558                     break;
559                 case Chip9346_op_write_disable:
560                     DPRINTF("eeprom write disabled\n");
561                     break;
562             }
563             break;
564     }
565 }
566 
567 static void prom9346_shift_clock(EEprom9346 *eeprom)
568 {
569     int bit = eeprom->eedi?1:0;
570 
571     ++ eeprom->tick;
572 
573     DPRINTF("eeprom: tick %d eedi=%d eedo=%d\n", eeprom->tick, eeprom->eedi,
574         eeprom->eedo);
575 
576     switch (eeprom->mode)
577     {
578         case Chip9346_enter_command_mode:
579             if (bit)
580             {
581                 eeprom->mode = Chip9346_read_command;
582                 eeprom->tick = 0;
583                 eeprom->input = 0;
584                 DPRINTF("eeprom: +++ synchronized, begin command read\n");
585             }
586             break;
587 
588         case Chip9346_read_command:
589             eeprom->input = (eeprom->input << 1) | (bit & 1);
590             if (eeprom->tick == 8)
591             {
592                 prom9346_decode_command(eeprom, eeprom->input & 0xff);
593             }
594             break;
595 
596         case Chip9346_data_read:
597             eeprom->eedo = (eeprom->output & 0x8000)?1:0;
598             eeprom->output <<= 1;
599             if (eeprom->tick == 16)
600             {
601 #if 1
602         // the FreeBSD drivers (rl and re) don't explicitly toggle
603         // CS between reads (or does setting Cfg9346 to 0 count too?),
604         // so we need to enter wait-for-command state here
605                 eeprom->mode = Chip9346_enter_command_mode;
606                 eeprom->input = 0;
607                 eeprom->tick = 0;
608 
609                 DPRINTF("eeprom: +++ end of read, awaiting next command\n");
610 #else
611         // original behaviour
612                 ++eeprom->address;
613                 eeprom->address &= EEPROM_9346_ADDR_MASK;
614                 eeprom->output = eeprom->contents[eeprom->address];
615                 eeprom->tick = 0;
616 
617                 DPRINTF("eeprom: +++ read next address 0x%02x data=0x%04x\n",
618                     eeprom->address, eeprom->output);
619 #endif
620             }
621             break;
622 
623         case Chip9346_data_write:
624             eeprom->input = (eeprom->input << 1) | (bit & 1);
625             if (eeprom->tick == 16)
626             {
627                 DPRINTF("eeprom write to address 0x%02x data=0x%04x\n",
628                     eeprom->address, eeprom->input);
629 
630                 eeprom->contents[eeprom->address] = eeprom->input;
631                 eeprom->mode = Chip9346_none; /* waiting for next command after CS cycle */
632                 eeprom->tick = 0;
633                 eeprom->input = 0;
634             }
635             break;
636 
637         case Chip9346_data_write_all:
638             eeprom->input = (eeprom->input << 1) | (bit & 1);
639             if (eeprom->tick == 16)
640             {
641                 int i;
642                 for (i = 0; i < EEPROM_9346_SIZE; i++)
643                 {
644                     eeprom->contents[i] = eeprom->input;
645                 }
646                 DPRINTF("eeprom filled with data=0x%04x\n", eeprom->input);
647 
648                 eeprom->mode = Chip9346_enter_command_mode;
649                 eeprom->tick = 0;
650                 eeprom->input = 0;
651             }
652             break;
653 
654         default:
655             break;
656     }
657 }
658 
659 static int prom9346_get_wire(RTL8139State *s)
660 {
661     EEprom9346 *eeprom = &s->eeprom;
662     if (!eeprom->eecs)
663         return 0;
664 
665     return eeprom->eedo;
666 }
667 
668 /* FIXME: This should be merged into/replaced by eeprom93xx.c.  */
669 static void prom9346_set_wire(RTL8139State *s, int eecs, int eesk, int eedi)
670 {
671     EEprom9346 *eeprom = &s->eeprom;
672     uint8_t old_eecs = eeprom->eecs;
673     uint8_t old_eesk = eeprom->eesk;
674 
675     eeprom->eecs = eecs;
676     eeprom->eesk = eesk;
677     eeprom->eedi = eedi;
678 
679     DPRINTF("eeprom: +++ wires CS=%d SK=%d DI=%d DO=%d\n", eeprom->eecs,
680         eeprom->eesk, eeprom->eedi, eeprom->eedo);
681 
682     if (!old_eecs && eecs)
683     {
684         /* Synchronize start */
685         eeprom->tick = 0;
686         eeprom->input = 0;
687         eeprom->output = 0;
688         eeprom->mode = Chip9346_enter_command_mode;
689 
690         DPRINTF("=== eeprom: begin access, enter command mode\n");
691     }
692 
693     if (!eecs)
694     {
695         DPRINTF("=== eeprom: end access\n");
696         return;
697     }
698 
699     if (!old_eesk && eesk)
700     {
701         /* SK front rules */
702         prom9346_shift_clock(eeprom);
703     }
704 }
705 
706 static void rtl8139_update_irq(RTL8139State *s)
707 {
708     PCIDevice *d = PCI_DEVICE(s);
709     int isr;
710     isr = (s->IntrStatus & s->IntrMask) & 0xffff;
711 
712     DPRINTF("Set IRQ to %d (%04x %04x)\n", isr ? 1 : 0, s->IntrStatus,
713         s->IntrMask);
714 
715     pci_set_irq(d, (isr != 0));
716 }
717 
718 static int rtl8139_RxWrap(RTL8139State *s)
719 {
720     /* wrapping enabled; assume 1.5k more buffer space if size < 65536 */
721     return (s->RxConfig & (1 << 7));
722 }
723 
724 static int rtl8139_receiver_enabled(RTL8139State *s)
725 {
726     return s->bChipCmdState & CmdRxEnb;
727 }
728 
729 static int rtl8139_transmitter_enabled(RTL8139State *s)
730 {
731     return s->bChipCmdState & CmdTxEnb;
732 }
733 
734 static int rtl8139_cp_receiver_enabled(RTL8139State *s)
735 {
736     return s->CpCmd & CPlusRxEnb;
737 }
738 
739 static int rtl8139_cp_transmitter_enabled(RTL8139State *s)
740 {
741     return s->CpCmd & CPlusTxEnb;
742 }
743 
744 static void rtl8139_write_buffer(RTL8139State *s, const void *buf, int size)
745 {
746     PCIDevice *d = PCI_DEVICE(s);
747 
748     if (s->RxBufAddr + size > s->RxBufferSize)
749     {
750         int wrapped = MOD2(s->RxBufAddr + size, s->RxBufferSize);
751 
752         /* write packet data */
753         if (wrapped && !(s->RxBufferSize < 65536 && rtl8139_RxWrap(s)))
754         {
755             DPRINTF(">>> rx packet wrapped in buffer at %d\n", size - wrapped);
756 
757             if (size > wrapped)
758             {
759                 pci_dma_write(d, s->RxBuf + s->RxBufAddr,
760                               buf, size-wrapped);
761             }
762 
763             /* reset buffer pointer */
764             s->RxBufAddr = 0;
765 
766             pci_dma_write(d, s->RxBuf + s->RxBufAddr,
767                           buf + (size-wrapped), wrapped);
768 
769             s->RxBufAddr = wrapped;
770 
771             return;
772         }
773     }
774 
775     /* non-wrapping path or overwrapping enabled */
776     pci_dma_write(d, s->RxBuf + s->RxBufAddr, buf, size);
777 
778     s->RxBufAddr += size;
779 }
780 
781 #define MIN_BUF_SIZE 60
782 static inline dma_addr_t rtl8139_addr64(uint32_t low, uint32_t high)
783 {
784     return low | ((uint64_t)high << 32);
785 }
786 
787 /* Workaround for buggy guest driver such as linux who allocates rx
788  * rings after the receiver were enabled. */
789 static bool rtl8139_cp_rx_valid(RTL8139State *s)
790 {
791     return !(s->RxRingAddrLO == 0 && s->RxRingAddrHI == 0);
792 }
793 
794 static int rtl8139_can_receive(NetClientState *nc)
795 {
796     RTL8139State *s = qemu_get_nic_opaque(nc);
797     int avail;
798 
799     /* Receive (drop) packets if card is disabled.  */
800     if (!s->clock_enabled)
801       return 1;
802     if (!rtl8139_receiver_enabled(s))
803       return 1;
804 
805     if (rtl8139_cp_receiver_enabled(s) && rtl8139_cp_rx_valid(s)) {
806         /* ??? Flow control not implemented in c+ mode.
807            This is a hack to work around slirp deficiencies anyway.  */
808         return 1;
809     } else {
810         avail = MOD2(s->RxBufferSize + s->RxBufPtr - s->RxBufAddr,
811                      s->RxBufferSize);
812         return (avail == 0 || avail >= 1514 || (s->IntrMask & RxOverflow));
813     }
814 }
815 
816 static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t size_, int do_interrupt)
817 {
818     RTL8139State *s = qemu_get_nic_opaque(nc);
819     PCIDevice *d = PCI_DEVICE(s);
820     /* size is the length of the buffer passed to the driver */
821     int size = size_;
822     const uint8_t *dot1q_buf = NULL;
823 
824     uint32_t packet_header = 0;
825 
826     uint8_t buf1[MIN_BUF_SIZE + VLAN_HLEN];
827     static const uint8_t broadcast_macaddr[6] =
828         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
829 
830     DPRINTF(">>> received len=%d\n", size);
831 
832     /* test if board clock is stopped */
833     if (!s->clock_enabled)
834     {
835         DPRINTF("stopped ==========================\n");
836         return -1;
837     }
838 
839     /* first check if receiver is enabled */
840 
841     if (!rtl8139_receiver_enabled(s))
842     {
843         DPRINTF("receiver disabled ================\n");
844         return -1;
845     }
846 
847     /* XXX: check this */
848     if (s->RxConfig & AcceptAllPhys) {
849         /* promiscuous: receive all */
850         DPRINTF(">>> packet received in promiscuous mode\n");
851 
852     } else {
853         if (!memcmp(buf,  broadcast_macaddr, 6)) {
854             /* broadcast address */
855             if (!(s->RxConfig & AcceptBroadcast))
856             {
857                 DPRINTF(">>> broadcast packet rejected\n");
858 
859                 /* update tally counter */
860                 ++s->tally_counters.RxERR;
861 
862                 return size;
863             }
864 
865             packet_header |= RxBroadcast;
866 
867             DPRINTF(">>> broadcast packet received\n");
868 
869             /* update tally counter */
870             ++s->tally_counters.RxOkBrd;
871 
872         } else if (buf[0] & 0x01) {
873             /* multicast */
874             if (!(s->RxConfig & AcceptMulticast))
875             {
876                 DPRINTF(">>> multicast packet rejected\n");
877 
878                 /* update tally counter */
879                 ++s->tally_counters.RxERR;
880 
881                 return size;
882             }
883 
884             int mcast_idx = compute_mcast_idx(buf);
885 
886             if (!(s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))))
887             {
888                 DPRINTF(">>> multicast address mismatch\n");
889 
890                 /* update tally counter */
891                 ++s->tally_counters.RxERR;
892 
893                 return size;
894             }
895 
896             packet_header |= RxMulticast;
897 
898             DPRINTF(">>> multicast packet received\n");
899 
900             /* update tally counter */
901             ++s->tally_counters.RxOkMul;
902 
903         } else if (s->phys[0] == buf[0] &&
904                    s->phys[1] == buf[1] &&
905                    s->phys[2] == buf[2] &&
906                    s->phys[3] == buf[3] &&
907                    s->phys[4] == buf[4] &&
908                    s->phys[5] == buf[5]) {
909             /* match */
910             if (!(s->RxConfig & AcceptMyPhys))
911             {
912                 DPRINTF(">>> rejecting physical address matching packet\n");
913 
914                 /* update tally counter */
915                 ++s->tally_counters.RxERR;
916 
917                 return size;
918             }
919 
920             packet_header |= RxPhysical;
921 
922             DPRINTF(">>> physical address matching packet received\n");
923 
924             /* update tally counter */
925             ++s->tally_counters.RxOkPhy;
926 
927         } else {
928 
929             DPRINTF(">>> unknown packet\n");
930 
931             /* update tally counter */
932             ++s->tally_counters.RxERR;
933 
934             return size;
935         }
936     }
937 
938     /* if too small buffer, then expand it
939      * Include some tailroom in case a vlan tag is later removed. */
940     if (size < MIN_BUF_SIZE + VLAN_HLEN) {
941         memcpy(buf1, buf, size);
942         memset(buf1 + size, 0, MIN_BUF_SIZE + VLAN_HLEN - size);
943         buf = buf1;
944         if (size < MIN_BUF_SIZE) {
945             size = MIN_BUF_SIZE;
946         }
947     }
948 
949     if (rtl8139_cp_receiver_enabled(s))
950     {
951         if (!rtl8139_cp_rx_valid(s)) {
952             return size;
953         }
954 
955         DPRINTF("in C+ Rx mode ================\n");
956 
957         /* begin C+ receiver mode */
958 
959 /* w0 ownership flag */
960 #define CP_RX_OWN (1<<31)
961 /* w0 end of ring flag */
962 #define CP_RX_EOR (1<<30)
963 /* w0 bits 0...12 : buffer size */
964 #define CP_RX_BUFFER_SIZE_MASK ((1<<13) - 1)
965 /* w1 tag available flag */
966 #define CP_RX_TAVA (1<<16)
967 /* w1 bits 0...15 : VLAN tag */
968 #define CP_RX_VLAN_TAG_MASK ((1<<16) - 1)
969 /* w2 low  32bit of Rx buffer ptr */
970 /* w3 high 32bit of Rx buffer ptr */
971 
972         int descriptor = s->currCPlusRxDesc;
973         dma_addr_t cplus_rx_ring_desc;
974 
975         cplus_rx_ring_desc = rtl8139_addr64(s->RxRingAddrLO, s->RxRingAddrHI);
976         cplus_rx_ring_desc += 16 * descriptor;
977 
978         DPRINTF("+++ C+ mode reading RX descriptor %d from host memory at "
979             "%08x %08x = "DMA_ADDR_FMT"\n", descriptor, s->RxRingAddrHI,
980             s->RxRingAddrLO, cplus_rx_ring_desc);
981 
982         uint32_t val, rxdw0,rxdw1,rxbufLO,rxbufHI;
983 
984         pci_dma_read(d, cplus_rx_ring_desc, &val, 4);
985         rxdw0 = le32_to_cpu(val);
986         pci_dma_read(d, cplus_rx_ring_desc+4, &val, 4);
987         rxdw1 = le32_to_cpu(val);
988         pci_dma_read(d, cplus_rx_ring_desc+8, &val, 4);
989         rxbufLO = le32_to_cpu(val);
990         pci_dma_read(d, cplus_rx_ring_desc+12, &val, 4);
991         rxbufHI = le32_to_cpu(val);
992 
993         DPRINTF("+++ C+ mode RX descriptor %d %08x %08x %08x %08x\n",
994             descriptor, rxdw0, rxdw1, rxbufLO, rxbufHI);
995 
996         if (!(rxdw0 & CP_RX_OWN))
997         {
998             DPRINTF("C+ Rx mode : descriptor %d is owned by host\n",
999                 descriptor);
1000 
1001             s->IntrStatus |= RxOverflow;
1002             ++s->RxMissed;
1003 
1004             /* update tally counter */
1005             ++s->tally_counters.RxERR;
1006             ++s->tally_counters.MissPkt;
1007 
1008             rtl8139_update_irq(s);
1009             return size_;
1010         }
1011 
1012         uint32_t rx_space = rxdw0 & CP_RX_BUFFER_SIZE_MASK;
1013 
1014         /* write VLAN info to descriptor variables. */
1015         if (s->CpCmd & CPlusRxVLAN && be16_to_cpup((uint16_t *)
1016                 &buf[ETH_ALEN * 2]) == ETH_P_VLAN) {
1017             dot1q_buf = &buf[ETH_ALEN * 2];
1018             size -= VLAN_HLEN;
1019             /* if too small buffer, use the tailroom added duing expansion */
1020             if (size < MIN_BUF_SIZE) {
1021                 size = MIN_BUF_SIZE;
1022             }
1023 
1024             rxdw1 &= ~CP_RX_VLAN_TAG_MASK;
1025             /* BE + ~le_to_cpu()~ + cpu_to_le() = BE */
1026             rxdw1 |= CP_RX_TAVA | le16_to_cpup((uint16_t *)
1027                 &dot1q_buf[ETHER_TYPE_LEN]);
1028 
1029             DPRINTF("C+ Rx mode : extracted vlan tag with tci: ""%u\n",
1030                 be16_to_cpup((uint16_t *)&dot1q_buf[ETHER_TYPE_LEN]));
1031         } else {
1032             /* reset VLAN tag flag */
1033             rxdw1 &= ~CP_RX_TAVA;
1034         }
1035 
1036         /* TODO: scatter the packet over available receive ring descriptors space */
1037 
1038         if (size+4 > rx_space)
1039         {
1040             DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
1041                 descriptor, rx_space, size);
1042 
1043             s->IntrStatus |= RxOverflow;
1044             ++s->RxMissed;
1045 
1046             /* update tally counter */
1047             ++s->tally_counters.RxERR;
1048             ++s->tally_counters.MissPkt;
1049 
1050             rtl8139_update_irq(s);
1051             return size_;
1052         }
1053 
1054         dma_addr_t rx_addr = rtl8139_addr64(rxbufLO, rxbufHI);
1055 
1056         /* receive/copy to target memory */
1057         if (dot1q_buf) {
1058             pci_dma_write(d, rx_addr, buf, 2 * ETH_ALEN);
1059             pci_dma_write(d, rx_addr + 2 * ETH_ALEN,
1060                           buf + 2 * ETH_ALEN + VLAN_HLEN,
1061                           size - 2 * ETH_ALEN);
1062         } else {
1063             pci_dma_write(d, rx_addr, buf, size);
1064         }
1065 
1066         if (s->CpCmd & CPlusRxChkSum)
1067         {
1068             /* do some packet checksumming */
1069         }
1070 
1071         /* write checksum */
1072         val = cpu_to_le32(crc32(0, buf, size_));
1073         pci_dma_write(d, rx_addr+size, (uint8_t *)&val, 4);
1074 
1075 /* first segment of received packet flag */
1076 #define CP_RX_STATUS_FS (1<<29)
1077 /* last segment of received packet flag */
1078 #define CP_RX_STATUS_LS (1<<28)
1079 /* multicast packet flag */
1080 #define CP_RX_STATUS_MAR (1<<26)
1081 /* physical-matching packet flag */
1082 #define CP_RX_STATUS_PAM (1<<25)
1083 /* broadcast packet flag */
1084 #define CP_RX_STATUS_BAR (1<<24)
1085 /* runt packet flag */
1086 #define CP_RX_STATUS_RUNT (1<<19)
1087 /* crc error flag */
1088 #define CP_RX_STATUS_CRC (1<<18)
1089 /* IP checksum error flag */
1090 #define CP_RX_STATUS_IPF (1<<15)
1091 /* UDP checksum error flag */
1092 #define CP_RX_STATUS_UDPF (1<<14)
1093 /* TCP checksum error flag */
1094 #define CP_RX_STATUS_TCPF (1<<13)
1095 
1096         /* transfer ownership to target */
1097         rxdw0 &= ~CP_RX_OWN;
1098 
1099         /* set first segment bit */
1100         rxdw0 |= CP_RX_STATUS_FS;
1101 
1102         /* set last segment bit */
1103         rxdw0 |= CP_RX_STATUS_LS;
1104 
1105         /* set received packet type flags */
1106         if (packet_header & RxBroadcast)
1107             rxdw0 |= CP_RX_STATUS_BAR;
1108         if (packet_header & RxMulticast)
1109             rxdw0 |= CP_RX_STATUS_MAR;
1110         if (packet_header & RxPhysical)
1111             rxdw0 |= CP_RX_STATUS_PAM;
1112 
1113         /* set received size */
1114         rxdw0 &= ~CP_RX_BUFFER_SIZE_MASK;
1115         rxdw0 |= (size+4);
1116 
1117         /* update ring data */
1118         val = cpu_to_le32(rxdw0);
1119         pci_dma_write(d, cplus_rx_ring_desc, (uint8_t *)&val, 4);
1120         val = cpu_to_le32(rxdw1);
1121         pci_dma_write(d, cplus_rx_ring_desc+4, (uint8_t *)&val, 4);
1122 
1123         /* update tally counter */
1124         ++s->tally_counters.RxOk;
1125 
1126         /* seek to next Rx descriptor */
1127         if (rxdw0 & CP_RX_EOR)
1128         {
1129             s->currCPlusRxDesc = 0;
1130         }
1131         else
1132         {
1133             ++s->currCPlusRxDesc;
1134         }
1135 
1136         DPRINTF("done C+ Rx mode ----------------\n");
1137 
1138     }
1139     else
1140     {
1141         DPRINTF("in ring Rx mode ================\n");
1142 
1143         /* begin ring receiver mode */
1144         int avail = MOD2(s->RxBufferSize + s->RxBufPtr - s->RxBufAddr, s->RxBufferSize);
1145 
1146         /* if receiver buffer is empty then avail == 0 */
1147 
1148 #define RX_ALIGN(x) (((x) + 3) & ~0x3)
1149 
1150         if (avail != 0 && RX_ALIGN(size + 8) >= avail)
1151         {
1152             DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
1153                 "read 0x%04x === available 0x%04x need 0x%04x\n",
1154                 s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
1155 
1156             s->IntrStatus |= RxOverflow;
1157             ++s->RxMissed;
1158             rtl8139_update_irq(s);
1159             return 0;
1160         }
1161 
1162         packet_header |= RxStatusOK;
1163 
1164         packet_header |= (((size+4) << 16) & 0xffff0000);
1165 
1166         /* write header */
1167         uint32_t val = cpu_to_le32(packet_header);
1168 
1169         rtl8139_write_buffer(s, (uint8_t *)&val, 4);
1170 
1171         rtl8139_write_buffer(s, buf, size);
1172 
1173         /* write checksum */
1174         val = cpu_to_le32(crc32(0, buf, size));
1175         rtl8139_write_buffer(s, (uint8_t *)&val, 4);
1176 
1177         /* correct buffer write pointer */
1178         s->RxBufAddr = MOD2(RX_ALIGN(s->RxBufAddr), s->RxBufferSize);
1179 
1180         /* now we can signal we have received something */
1181 
1182         DPRINTF("received: rx buffer length %d head 0x%04x read 0x%04x\n",
1183             s->RxBufferSize, s->RxBufAddr, s->RxBufPtr);
1184     }
1185 
1186     s->IntrStatus |= RxOK;
1187 
1188     if (do_interrupt)
1189     {
1190         rtl8139_update_irq(s);
1191     }
1192 
1193     return size_;
1194 }
1195 
1196 static ssize_t rtl8139_receive(NetClientState *nc, const uint8_t *buf, size_t size)
1197 {
1198     return rtl8139_do_receive(nc, buf, size, 1);
1199 }
1200 
1201 static void rtl8139_reset_rxring(RTL8139State *s, uint32_t bufferSize)
1202 {
1203     s->RxBufferSize = bufferSize;
1204     s->RxBufPtr  = 0;
1205     s->RxBufAddr = 0;
1206 }
1207 
1208 static void rtl8139_reset(DeviceState *d)
1209 {
1210     RTL8139State *s = RTL8139(d);
1211     int i;
1212 
1213     /* restore MAC address */
1214     memcpy(s->phys, s->conf.macaddr.a, 6);
1215     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->phys);
1216 
1217     /* reset interrupt mask */
1218     s->IntrStatus = 0;
1219     s->IntrMask = 0;
1220 
1221     rtl8139_update_irq(s);
1222 
1223     /* mark all status registers as owned by host */
1224     for (i = 0; i < 4; ++i)
1225     {
1226         s->TxStatus[i] = TxHostOwns;
1227     }
1228 
1229     s->currTxDesc = 0;
1230     s->currCPlusRxDesc = 0;
1231     s->currCPlusTxDesc = 0;
1232 
1233     s->RxRingAddrLO = 0;
1234     s->RxRingAddrHI = 0;
1235 
1236     s->RxBuf = 0;
1237 
1238     rtl8139_reset_rxring(s, 8192);
1239 
1240     /* ACK the reset */
1241     s->TxConfig = 0;
1242 
1243 #if 0
1244 //    s->TxConfig |= HW_REVID(1, 0, 0, 0, 0, 0, 0); // RTL-8139  HasHltClk
1245     s->clock_enabled = 0;
1246 #else
1247     s->TxConfig |= HW_REVID(1, 1, 1, 0, 1, 1, 0); // RTL-8139C+ HasLWake
1248     s->clock_enabled = 1;
1249 #endif
1250 
1251     s->bChipCmdState = CmdReset; /* RxBufEmpty bit is calculated on read from ChipCmd */;
1252 
1253     /* set initial state data */
1254     s->Config0 = 0x0; /* No boot ROM */
1255     s->Config1 = 0xC; /* IO mapped and MEM mapped registers available */
1256     s->Config3 = 0x1; /* fast back-to-back compatible */
1257     s->Config5 = 0x0;
1258 
1259     s->CSCR = CSCR_F_LINK_100 | CSCR_HEART_BIT | CSCR_LD;
1260 
1261     s->CpCmd   = 0x0; /* reset C+ mode */
1262     s->cplus_enabled = 0;
1263 
1264 
1265 //    s->BasicModeCtrl = 0x3100; // 100Mbps, full duplex, autonegotiation
1266 //    s->BasicModeCtrl = 0x2100; // 100Mbps, full duplex
1267     s->BasicModeCtrl = 0x1000; // autonegotiation
1268 
1269     s->BasicModeStatus  = 0x7809;
1270     //s->BasicModeStatus |= 0x0040; /* UTP medium */
1271     s->BasicModeStatus |= 0x0020; /* autonegotiation completed */
1272     /* preserve link state */
1273     s->BasicModeStatus |= qemu_get_queue(s->nic)->link_down ? 0 : 0x04;
1274 
1275     s->NWayAdvert    = 0x05e1; /* all modes, full duplex */
1276     s->NWayLPAR      = 0x05e1; /* all modes, full duplex */
1277     s->NWayExpansion = 0x0001; /* autonegotiation supported */
1278 
1279     /* also reset timer and disable timer interrupt */
1280     s->TCTR = 0;
1281     s->TimerInt = 0;
1282     s->TCTR_base = 0;
1283     rtl8139_set_next_tctr_time(s);
1284 
1285     /* reset tally counters */
1286     RTL8139TallyCounters_clear(&s->tally_counters);
1287 }
1288 
1289 static void RTL8139TallyCounters_clear(RTL8139TallyCounters* counters)
1290 {
1291     counters->TxOk = 0;
1292     counters->RxOk = 0;
1293     counters->TxERR = 0;
1294     counters->RxERR = 0;
1295     counters->MissPkt = 0;
1296     counters->FAE = 0;
1297     counters->Tx1Col = 0;
1298     counters->TxMCol = 0;
1299     counters->RxOkPhy = 0;
1300     counters->RxOkBrd = 0;
1301     counters->RxOkMul = 0;
1302     counters->TxAbt = 0;
1303     counters->TxUndrn = 0;
1304 }
1305 
1306 static void RTL8139TallyCounters_dma_write(RTL8139State *s, dma_addr_t tc_addr)
1307 {
1308     PCIDevice *d = PCI_DEVICE(s);
1309     RTL8139TallyCounters *tally_counters = &s->tally_counters;
1310     uint16_t val16;
1311     uint32_t val32;
1312     uint64_t val64;
1313 
1314     val64 = cpu_to_le64(tally_counters->TxOk);
1315     pci_dma_write(d, tc_addr + 0,     (uint8_t *)&val64, 8);
1316 
1317     val64 = cpu_to_le64(tally_counters->RxOk);
1318     pci_dma_write(d, tc_addr + 8,     (uint8_t *)&val64, 8);
1319 
1320     val64 = cpu_to_le64(tally_counters->TxERR);
1321     pci_dma_write(d, tc_addr + 16,    (uint8_t *)&val64, 8);
1322 
1323     val32 = cpu_to_le32(tally_counters->RxERR);
1324     pci_dma_write(d, tc_addr + 24,    (uint8_t *)&val32, 4);
1325 
1326     val16 = cpu_to_le16(tally_counters->MissPkt);
1327     pci_dma_write(d, tc_addr + 28,    (uint8_t *)&val16, 2);
1328 
1329     val16 = cpu_to_le16(tally_counters->FAE);
1330     pci_dma_write(d, tc_addr + 30,    (uint8_t *)&val16, 2);
1331 
1332     val32 = cpu_to_le32(tally_counters->Tx1Col);
1333     pci_dma_write(d, tc_addr + 32,    (uint8_t *)&val32, 4);
1334 
1335     val32 = cpu_to_le32(tally_counters->TxMCol);
1336     pci_dma_write(d, tc_addr + 36,    (uint8_t *)&val32, 4);
1337 
1338     val64 = cpu_to_le64(tally_counters->RxOkPhy);
1339     pci_dma_write(d, tc_addr + 40,    (uint8_t *)&val64, 8);
1340 
1341     val64 = cpu_to_le64(tally_counters->RxOkBrd);
1342     pci_dma_write(d, tc_addr + 48,    (uint8_t *)&val64, 8);
1343 
1344     val32 = cpu_to_le32(tally_counters->RxOkMul);
1345     pci_dma_write(d, tc_addr + 56,    (uint8_t *)&val32, 4);
1346 
1347     val16 = cpu_to_le16(tally_counters->TxAbt);
1348     pci_dma_write(d, tc_addr + 60,    (uint8_t *)&val16, 2);
1349 
1350     val16 = cpu_to_le16(tally_counters->TxUndrn);
1351     pci_dma_write(d, tc_addr + 62,    (uint8_t *)&val16, 2);
1352 }
1353 
1354 /* Loads values of tally counters from VM state file */
1355 
1356 static const VMStateDescription vmstate_tally_counters = {
1357     .name = "tally_counters",
1358     .version_id = 1,
1359     .minimum_version_id = 1,
1360     .fields = (VMStateField[]) {
1361         VMSTATE_UINT64(TxOk, RTL8139TallyCounters),
1362         VMSTATE_UINT64(RxOk, RTL8139TallyCounters),
1363         VMSTATE_UINT64(TxERR, RTL8139TallyCounters),
1364         VMSTATE_UINT32(RxERR, RTL8139TallyCounters),
1365         VMSTATE_UINT16(MissPkt, RTL8139TallyCounters),
1366         VMSTATE_UINT16(FAE, RTL8139TallyCounters),
1367         VMSTATE_UINT32(Tx1Col, RTL8139TallyCounters),
1368         VMSTATE_UINT32(TxMCol, RTL8139TallyCounters),
1369         VMSTATE_UINT64(RxOkPhy, RTL8139TallyCounters),
1370         VMSTATE_UINT64(RxOkBrd, RTL8139TallyCounters),
1371         VMSTATE_UINT16(TxAbt, RTL8139TallyCounters),
1372         VMSTATE_UINT16(TxUndrn, RTL8139TallyCounters),
1373         VMSTATE_END_OF_LIST()
1374     }
1375 };
1376 
1377 static void rtl8139_ChipCmd_write(RTL8139State *s, uint32_t val)
1378 {
1379     DeviceState *d = DEVICE(s);
1380 
1381     val &= 0xff;
1382 
1383     DPRINTF("ChipCmd write val=0x%08x\n", val);
1384 
1385     if (val & CmdReset)
1386     {
1387         DPRINTF("ChipCmd reset\n");
1388         rtl8139_reset(d);
1389     }
1390     if (val & CmdRxEnb)
1391     {
1392         DPRINTF("ChipCmd enable receiver\n");
1393 
1394         s->currCPlusRxDesc = 0;
1395     }
1396     if (val & CmdTxEnb)
1397     {
1398         DPRINTF("ChipCmd enable transmitter\n");
1399 
1400         s->currCPlusTxDesc = 0;
1401     }
1402 
1403     /* mask unwritable bits */
1404     val = SET_MASKED(val, 0xe3, s->bChipCmdState);
1405 
1406     /* Deassert reset pin before next read */
1407     val &= ~CmdReset;
1408 
1409     s->bChipCmdState = val;
1410 }
1411 
1412 static int rtl8139_RxBufferEmpty(RTL8139State *s)
1413 {
1414     int unread = MOD2(s->RxBufferSize + s->RxBufAddr - s->RxBufPtr, s->RxBufferSize);
1415 
1416     if (unread != 0)
1417     {
1418         DPRINTF("receiver buffer data available 0x%04x\n", unread);
1419         return 0;
1420     }
1421 
1422     DPRINTF("receiver buffer is empty\n");
1423 
1424     return 1;
1425 }
1426 
1427 static uint32_t rtl8139_ChipCmd_read(RTL8139State *s)
1428 {
1429     uint32_t ret = s->bChipCmdState;
1430 
1431     if (rtl8139_RxBufferEmpty(s))
1432         ret |= RxBufEmpty;
1433 
1434     DPRINTF("ChipCmd read val=0x%04x\n", ret);
1435 
1436     return ret;
1437 }
1438 
1439 static void rtl8139_CpCmd_write(RTL8139State *s, uint32_t val)
1440 {
1441     val &= 0xffff;
1442 
1443     DPRINTF("C+ command register write(w) val=0x%04x\n", val);
1444 
1445     s->cplus_enabled = 1;
1446 
1447     /* mask unwritable bits */
1448     val = SET_MASKED(val, 0xff84, s->CpCmd);
1449 
1450     s->CpCmd = val;
1451 }
1452 
1453 static uint32_t rtl8139_CpCmd_read(RTL8139State *s)
1454 {
1455     uint32_t ret = s->CpCmd;
1456 
1457     DPRINTF("C+ command register read(w) val=0x%04x\n", ret);
1458 
1459     return ret;
1460 }
1461 
1462 static void rtl8139_IntrMitigate_write(RTL8139State *s, uint32_t val)
1463 {
1464     DPRINTF("C+ IntrMitigate register write(w) val=0x%04x\n", val);
1465 }
1466 
1467 static uint32_t rtl8139_IntrMitigate_read(RTL8139State *s)
1468 {
1469     uint32_t ret = 0;
1470 
1471     DPRINTF("C+ IntrMitigate register read(w) val=0x%04x\n", ret);
1472 
1473     return ret;
1474 }
1475 
1476 static int rtl8139_config_writable(RTL8139State *s)
1477 {
1478     if ((s->Cfg9346 & Chip9346_op_mask) == Cfg9346_ConfigWrite)
1479     {
1480         return 1;
1481     }
1482 
1483     DPRINTF("Configuration registers are write-protected\n");
1484 
1485     return 0;
1486 }
1487 
1488 static void rtl8139_BasicModeCtrl_write(RTL8139State *s, uint32_t val)
1489 {
1490     val &= 0xffff;
1491 
1492     DPRINTF("BasicModeCtrl register write(w) val=0x%04x\n", val);
1493 
1494     /* mask unwritable bits */
1495     uint32_t mask = 0x4cff;
1496 
1497     if (1 || !rtl8139_config_writable(s))
1498     {
1499         /* Speed setting and autonegotiation enable bits are read-only */
1500         mask |= 0x3000;
1501         /* Duplex mode setting is read-only */
1502         mask |= 0x0100;
1503     }
1504 
1505     val = SET_MASKED(val, mask, s->BasicModeCtrl);
1506 
1507     s->BasicModeCtrl = val;
1508 }
1509 
1510 static uint32_t rtl8139_BasicModeCtrl_read(RTL8139State *s)
1511 {
1512     uint32_t ret = s->BasicModeCtrl;
1513 
1514     DPRINTF("BasicModeCtrl register read(w) val=0x%04x\n", ret);
1515 
1516     return ret;
1517 }
1518 
1519 static void rtl8139_BasicModeStatus_write(RTL8139State *s, uint32_t val)
1520 {
1521     val &= 0xffff;
1522 
1523     DPRINTF("BasicModeStatus register write(w) val=0x%04x\n", val);
1524 
1525     /* mask unwritable bits */
1526     val = SET_MASKED(val, 0xff3f, s->BasicModeStatus);
1527 
1528     s->BasicModeStatus = val;
1529 }
1530 
1531 static uint32_t rtl8139_BasicModeStatus_read(RTL8139State *s)
1532 {
1533     uint32_t ret = s->BasicModeStatus;
1534 
1535     DPRINTF("BasicModeStatus register read(w) val=0x%04x\n", ret);
1536 
1537     return ret;
1538 }
1539 
1540 static void rtl8139_Cfg9346_write(RTL8139State *s, uint32_t val)
1541 {
1542     DeviceState *d = DEVICE(s);
1543 
1544     val &= 0xff;
1545 
1546     DPRINTF("Cfg9346 write val=0x%02x\n", val);
1547 
1548     /* mask unwritable bits */
1549     val = SET_MASKED(val, 0x31, s->Cfg9346);
1550 
1551     uint32_t opmode = val & 0xc0;
1552     uint32_t eeprom_val = val & 0xf;
1553 
1554     if (opmode == 0x80) {
1555         /* eeprom access */
1556         int eecs = (eeprom_val & 0x08)?1:0;
1557         int eesk = (eeprom_val & 0x04)?1:0;
1558         int eedi = (eeprom_val & 0x02)?1:0;
1559         prom9346_set_wire(s, eecs, eesk, eedi);
1560     } else if (opmode == 0x40) {
1561         /* Reset.  */
1562         val = 0;
1563         rtl8139_reset(d);
1564     }
1565 
1566     s->Cfg9346 = val;
1567 }
1568 
1569 static uint32_t rtl8139_Cfg9346_read(RTL8139State *s)
1570 {
1571     uint32_t ret = s->Cfg9346;
1572 
1573     uint32_t opmode = ret & 0xc0;
1574 
1575     if (opmode == 0x80)
1576     {
1577         /* eeprom access */
1578         int eedo = prom9346_get_wire(s);
1579         if (eedo)
1580         {
1581             ret |=  0x01;
1582         }
1583         else
1584         {
1585             ret &= ~0x01;
1586         }
1587     }
1588 
1589     DPRINTF("Cfg9346 read val=0x%02x\n", ret);
1590 
1591     return ret;
1592 }
1593 
1594 static void rtl8139_Config0_write(RTL8139State *s, uint32_t val)
1595 {
1596     val &= 0xff;
1597 
1598     DPRINTF("Config0 write val=0x%02x\n", val);
1599 
1600     if (!rtl8139_config_writable(s)) {
1601         return;
1602     }
1603 
1604     /* mask unwritable bits */
1605     val = SET_MASKED(val, 0xf8, s->Config0);
1606 
1607     s->Config0 = val;
1608 }
1609 
1610 static uint32_t rtl8139_Config0_read(RTL8139State *s)
1611 {
1612     uint32_t ret = s->Config0;
1613 
1614     DPRINTF("Config0 read val=0x%02x\n", ret);
1615 
1616     return ret;
1617 }
1618 
1619 static void rtl8139_Config1_write(RTL8139State *s, uint32_t val)
1620 {
1621     val &= 0xff;
1622 
1623     DPRINTF("Config1 write val=0x%02x\n", val);
1624 
1625     if (!rtl8139_config_writable(s)) {
1626         return;
1627     }
1628 
1629     /* mask unwritable bits */
1630     val = SET_MASKED(val, 0xC, s->Config1);
1631 
1632     s->Config1 = val;
1633 }
1634 
1635 static uint32_t rtl8139_Config1_read(RTL8139State *s)
1636 {
1637     uint32_t ret = s->Config1;
1638 
1639     DPRINTF("Config1 read val=0x%02x\n", ret);
1640 
1641     return ret;
1642 }
1643 
1644 static void rtl8139_Config3_write(RTL8139State *s, uint32_t val)
1645 {
1646     val &= 0xff;
1647 
1648     DPRINTF("Config3 write val=0x%02x\n", val);
1649 
1650     if (!rtl8139_config_writable(s)) {
1651         return;
1652     }
1653 
1654     /* mask unwritable bits */
1655     val = SET_MASKED(val, 0x8F, s->Config3);
1656 
1657     s->Config3 = val;
1658 }
1659 
1660 static uint32_t rtl8139_Config3_read(RTL8139State *s)
1661 {
1662     uint32_t ret = s->Config3;
1663 
1664     DPRINTF("Config3 read val=0x%02x\n", ret);
1665 
1666     return ret;
1667 }
1668 
1669 static void rtl8139_Config4_write(RTL8139State *s, uint32_t val)
1670 {
1671     val &= 0xff;
1672 
1673     DPRINTF("Config4 write val=0x%02x\n", val);
1674 
1675     if (!rtl8139_config_writable(s)) {
1676         return;
1677     }
1678 
1679     /* mask unwritable bits */
1680     val = SET_MASKED(val, 0x0a, s->Config4);
1681 
1682     s->Config4 = val;
1683 }
1684 
1685 static uint32_t rtl8139_Config4_read(RTL8139State *s)
1686 {
1687     uint32_t ret = s->Config4;
1688 
1689     DPRINTF("Config4 read val=0x%02x\n", ret);
1690 
1691     return ret;
1692 }
1693 
1694 static void rtl8139_Config5_write(RTL8139State *s, uint32_t val)
1695 {
1696     val &= 0xff;
1697 
1698     DPRINTF("Config5 write val=0x%02x\n", val);
1699 
1700     /* mask unwritable bits */
1701     val = SET_MASKED(val, 0x80, s->Config5);
1702 
1703     s->Config5 = val;
1704 }
1705 
1706 static uint32_t rtl8139_Config5_read(RTL8139State *s)
1707 {
1708     uint32_t ret = s->Config5;
1709 
1710     DPRINTF("Config5 read val=0x%02x\n", ret);
1711 
1712     return ret;
1713 }
1714 
1715 static void rtl8139_TxConfig_write(RTL8139State *s, uint32_t val)
1716 {
1717     if (!rtl8139_transmitter_enabled(s))
1718     {
1719         DPRINTF("transmitter disabled; no TxConfig write val=0x%08x\n", val);
1720         return;
1721     }
1722 
1723     DPRINTF("TxConfig write val=0x%08x\n", val);
1724 
1725     val = SET_MASKED(val, TxVersionMask | 0x8070f80f, s->TxConfig);
1726 
1727     s->TxConfig = val;
1728 }
1729 
1730 static void rtl8139_TxConfig_writeb(RTL8139State *s, uint32_t val)
1731 {
1732     DPRINTF("RTL8139C TxConfig via write(b) val=0x%02x\n", val);
1733 
1734     uint32_t tc = s->TxConfig;
1735     tc &= 0xFFFFFF00;
1736     tc |= (val & 0x000000FF);
1737     rtl8139_TxConfig_write(s, tc);
1738 }
1739 
1740 static uint32_t rtl8139_TxConfig_read(RTL8139State *s)
1741 {
1742     uint32_t ret = s->TxConfig;
1743 
1744     DPRINTF("TxConfig read val=0x%04x\n", ret);
1745 
1746     return ret;
1747 }
1748 
1749 static void rtl8139_RxConfig_write(RTL8139State *s, uint32_t val)
1750 {
1751     DPRINTF("RxConfig write val=0x%08x\n", val);
1752 
1753     /* mask unwritable bits */
1754     val = SET_MASKED(val, 0xf0fc0040, s->RxConfig);
1755 
1756     s->RxConfig = val;
1757 
1758     /* reset buffer size and read/write pointers */
1759     rtl8139_reset_rxring(s, 8192 << ((s->RxConfig >> 11) & 0x3));
1760 
1761     DPRINTF("RxConfig write reset buffer size to %d\n", s->RxBufferSize);
1762 }
1763 
1764 static uint32_t rtl8139_RxConfig_read(RTL8139State *s)
1765 {
1766     uint32_t ret = s->RxConfig;
1767 
1768     DPRINTF("RxConfig read val=0x%08x\n", ret);
1769 
1770     return ret;
1771 }
1772 
1773 static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
1774     int do_interrupt, const uint8_t *dot1q_buf)
1775 {
1776     struct iovec *iov = NULL;
1777     struct iovec vlan_iov[3];
1778 
1779     if (!size)
1780     {
1781         DPRINTF("+++ empty ethernet frame\n");
1782         return;
1783     }
1784 
1785     if (dot1q_buf && size >= ETH_ALEN * 2) {
1786         iov = (struct iovec[3]) {
1787             { .iov_base = buf, .iov_len = ETH_ALEN * 2 },
1788             { .iov_base = (void *) dot1q_buf, .iov_len = VLAN_HLEN },
1789             { .iov_base = buf + ETH_ALEN * 2,
1790                 .iov_len = size - ETH_ALEN * 2 },
1791         };
1792 
1793         memcpy(vlan_iov, iov, sizeof(vlan_iov));
1794         iov = vlan_iov;
1795     }
1796 
1797     if (TxLoopBack == (s->TxConfig & TxLoopBack))
1798     {
1799         size_t buf2_size;
1800         uint8_t *buf2;
1801 
1802         if (iov) {
1803             buf2_size = iov_size(iov, 3);
1804             buf2 = g_malloc(buf2_size);
1805             iov_to_buf(iov, 3, 0, buf2, buf2_size);
1806             buf = buf2;
1807         }
1808 
1809         DPRINTF("+++ transmit loopback mode\n");
1810         rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
1811 
1812         if (iov) {
1813             g_free(buf2);
1814         }
1815     }
1816     else
1817     {
1818         if (iov) {
1819             qemu_sendv_packet(qemu_get_queue(s->nic), iov, 3);
1820         } else {
1821             qemu_send_packet(qemu_get_queue(s->nic), buf, size);
1822         }
1823     }
1824 }
1825 
1826 static int rtl8139_transmit_one(RTL8139State *s, int descriptor)
1827 {
1828     if (!rtl8139_transmitter_enabled(s))
1829     {
1830         DPRINTF("+++ cannot transmit from descriptor %d: transmitter "
1831             "disabled\n", descriptor);
1832         return 0;
1833     }
1834 
1835     if (s->TxStatus[descriptor] & TxHostOwns)
1836     {
1837         DPRINTF("+++ cannot transmit from descriptor %d: owned by host "
1838             "(%08x)\n", descriptor, s->TxStatus[descriptor]);
1839         return 0;
1840     }
1841 
1842     DPRINTF("+++ transmitting from descriptor %d\n", descriptor);
1843 
1844     PCIDevice *d = PCI_DEVICE(s);
1845     int txsize = s->TxStatus[descriptor] & 0x1fff;
1846     uint8_t txbuffer[0x2000];
1847 
1848     DPRINTF("+++ transmit reading %d bytes from host memory at 0x%08x\n",
1849         txsize, s->TxAddr[descriptor]);
1850 
1851     pci_dma_read(d, s->TxAddr[descriptor], txbuffer, txsize);
1852 
1853     /* Mark descriptor as transferred */
1854     s->TxStatus[descriptor] |= TxHostOwns;
1855     s->TxStatus[descriptor] |= TxStatOK;
1856 
1857     rtl8139_transfer_frame(s, txbuffer, txsize, 0, NULL);
1858 
1859     DPRINTF("+++ transmitted %d bytes from descriptor %d\n", txsize,
1860         descriptor);
1861 
1862     /* update interrupt */
1863     s->IntrStatus |= TxOK;
1864     rtl8139_update_irq(s);
1865 
1866     return 1;
1867 }
1868 
1869 /* structures and macros for task offloading */
1870 #define TCP_HEADER_DATA_OFFSET(tcp) (((be16_to_cpu(tcp->th_offset_flags) >> 12)&0xf) << 2)
1871 #define TCP_FLAGS_ONLY(flags) ((flags)&0x3f)
1872 #define TCP_HEADER_FLAGS(tcp) TCP_FLAGS_ONLY(be16_to_cpu(tcp->th_offset_flags))
1873 
1874 #define TCP_HEADER_CLEAR_FLAGS(tcp, off) ((tcp)->th_offset_flags &= cpu_to_be16(~TCP_FLAGS_ONLY(off)))
1875 
1876 /* produces ones' complement sum of data */
1877 static uint16_t ones_complement_sum(uint8_t *data, size_t len)
1878 {
1879     uint32_t result = 0;
1880 
1881     for (; len > 1; data+=2, len-=2)
1882     {
1883         result += *(uint16_t*)data;
1884     }
1885 
1886     /* add the remainder byte */
1887     if (len)
1888     {
1889         uint8_t odd[2] = {*data, 0};
1890         result += *(uint16_t*)odd;
1891     }
1892 
1893     while (result>>16)
1894         result = (result & 0xffff) + (result >> 16);
1895 
1896     return result;
1897 }
1898 
1899 static uint16_t ip_checksum(void *data, size_t len)
1900 {
1901     return ~ones_complement_sum((uint8_t*)data, len);
1902 }
1903 
1904 static int rtl8139_cplus_transmit_one(RTL8139State *s)
1905 {
1906     if (!rtl8139_transmitter_enabled(s))
1907     {
1908         DPRINTF("+++ C+ mode: transmitter disabled\n");
1909         return 0;
1910     }
1911 
1912     if (!rtl8139_cp_transmitter_enabled(s))
1913     {
1914         DPRINTF("+++ C+ mode: C+ transmitter disabled\n");
1915         return 0 ;
1916     }
1917 
1918     PCIDevice *d = PCI_DEVICE(s);
1919     int descriptor = s->currCPlusTxDesc;
1920 
1921     dma_addr_t cplus_tx_ring_desc = rtl8139_addr64(s->TxAddr[0], s->TxAddr[1]);
1922 
1923     /* Normal priority ring */
1924     cplus_tx_ring_desc += 16 * descriptor;
1925 
1926     DPRINTF("+++ C+ mode reading TX descriptor %d from host memory at "
1927         "%08x %08x = 0x"DMA_ADDR_FMT"\n", descriptor, s->TxAddr[1],
1928         s->TxAddr[0], cplus_tx_ring_desc);
1929 
1930     uint32_t val, txdw0,txdw1,txbufLO,txbufHI;
1931 
1932     pci_dma_read(d, cplus_tx_ring_desc,    (uint8_t *)&val, 4);
1933     txdw0 = le32_to_cpu(val);
1934     pci_dma_read(d, cplus_tx_ring_desc+4,  (uint8_t *)&val, 4);
1935     txdw1 = le32_to_cpu(val);
1936     pci_dma_read(d, cplus_tx_ring_desc+8,  (uint8_t *)&val, 4);
1937     txbufLO = le32_to_cpu(val);
1938     pci_dma_read(d, cplus_tx_ring_desc+12, (uint8_t *)&val, 4);
1939     txbufHI = le32_to_cpu(val);
1940 
1941     DPRINTF("+++ C+ mode TX descriptor %d %08x %08x %08x %08x\n", descriptor,
1942         txdw0, txdw1, txbufLO, txbufHI);
1943 
1944 /* w0 ownership flag */
1945 #define CP_TX_OWN (1<<31)
1946 /* w0 end of ring flag */
1947 #define CP_TX_EOR (1<<30)
1948 /* first segment of received packet flag */
1949 #define CP_TX_FS (1<<29)
1950 /* last segment of received packet flag */
1951 #define CP_TX_LS (1<<28)
1952 /* large send packet flag */
1953 #define CP_TX_LGSEN (1<<27)
1954 /* large send MSS mask, bits 16...25 */
1955 #define CP_TC_LGSEN_MSS_MASK ((1 << 12) - 1)
1956 
1957 /* IP checksum offload flag */
1958 #define CP_TX_IPCS (1<<18)
1959 /* UDP checksum offload flag */
1960 #define CP_TX_UDPCS (1<<17)
1961 /* TCP checksum offload flag */
1962 #define CP_TX_TCPCS (1<<16)
1963 
1964 /* w0 bits 0...15 : buffer size */
1965 #define CP_TX_BUFFER_SIZE (1<<16)
1966 #define CP_TX_BUFFER_SIZE_MASK (CP_TX_BUFFER_SIZE - 1)
1967 /* w1 add tag flag */
1968 #define CP_TX_TAGC (1<<17)
1969 /* w1 bits 0...15 : VLAN tag (big endian) */
1970 #define CP_TX_VLAN_TAG_MASK ((1<<16) - 1)
1971 /* w2 low  32bit of Rx buffer ptr */
1972 /* w3 high 32bit of Rx buffer ptr */
1973 
1974 /* set after transmission */
1975 /* FIFO underrun flag */
1976 #define CP_TX_STATUS_UNF (1<<25)
1977 /* transmit error summary flag, valid if set any of three below */
1978 #define CP_TX_STATUS_TES (1<<23)
1979 /* out-of-window collision flag */
1980 #define CP_TX_STATUS_OWC (1<<22)
1981 /* link failure flag */
1982 #define CP_TX_STATUS_LNKF (1<<21)
1983 /* excessive collisions flag */
1984 #define CP_TX_STATUS_EXC (1<<20)
1985 
1986     if (!(txdw0 & CP_TX_OWN))
1987     {
1988         DPRINTF("C+ Tx mode : descriptor %d is owned by host\n", descriptor);
1989         return 0 ;
1990     }
1991 
1992     DPRINTF("+++ C+ Tx mode : transmitting from descriptor %d\n", descriptor);
1993 
1994     if (txdw0 & CP_TX_FS)
1995     {
1996         DPRINTF("+++ C+ Tx mode : descriptor %d is first segment "
1997             "descriptor\n", descriptor);
1998 
1999         /* reset internal buffer offset */
2000         s->cplus_txbuffer_offset = 0;
2001     }
2002 
2003     int txsize = txdw0 & CP_TX_BUFFER_SIZE_MASK;
2004     dma_addr_t tx_addr = rtl8139_addr64(txbufLO, txbufHI);
2005 
2006     /* make sure we have enough space to assemble the packet */
2007     if (!s->cplus_txbuffer)
2008     {
2009         s->cplus_txbuffer_len = CP_TX_BUFFER_SIZE;
2010         s->cplus_txbuffer = g_malloc(s->cplus_txbuffer_len);
2011         s->cplus_txbuffer_offset = 0;
2012 
2013         DPRINTF("+++ C+ mode transmission buffer allocated space %d\n",
2014             s->cplus_txbuffer_len);
2015     }
2016 
2017     if (s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
2018     {
2019         /* The spec didn't tell the maximum size, stick to CP_TX_BUFFER_SIZE */
2020         txsize = s->cplus_txbuffer_len - s->cplus_txbuffer_offset;
2021         DPRINTF("+++ C+ mode transmission buffer overrun, truncated descriptor"
2022                 "length to %d\n", txsize);
2023     }
2024 
2025     /* append more data to the packet */
2026 
2027     DPRINTF("+++ C+ mode transmit reading %d bytes from host memory at "
2028             DMA_ADDR_FMT" to offset %d\n", txsize, tx_addr,
2029             s->cplus_txbuffer_offset);
2030 
2031     pci_dma_read(d, tx_addr,
2032                  s->cplus_txbuffer + s->cplus_txbuffer_offset, txsize);
2033     s->cplus_txbuffer_offset += txsize;
2034 
2035     /* seek to next Rx descriptor */
2036     if (txdw0 & CP_TX_EOR)
2037     {
2038         s->currCPlusTxDesc = 0;
2039     }
2040     else
2041     {
2042         ++s->currCPlusTxDesc;
2043         if (s->currCPlusTxDesc >= 64)
2044             s->currCPlusTxDesc = 0;
2045     }
2046 
2047     /* transfer ownership to target */
2048     txdw0 &= ~CP_RX_OWN;
2049 
2050     /* reset error indicator bits */
2051     txdw0 &= ~CP_TX_STATUS_UNF;
2052     txdw0 &= ~CP_TX_STATUS_TES;
2053     txdw0 &= ~CP_TX_STATUS_OWC;
2054     txdw0 &= ~CP_TX_STATUS_LNKF;
2055     txdw0 &= ~CP_TX_STATUS_EXC;
2056 
2057     /* update ring data */
2058     val = cpu_to_le32(txdw0);
2059     pci_dma_write(d, cplus_tx_ring_desc, (uint8_t *)&val, 4);
2060 
2061     /* Now decide if descriptor being processed is holding the last segment of packet */
2062     if (txdw0 & CP_TX_LS)
2063     {
2064         uint8_t dot1q_buffer_space[VLAN_HLEN];
2065         uint16_t *dot1q_buffer;
2066 
2067         DPRINTF("+++ C+ Tx mode : descriptor %d is last segment descriptor\n",
2068             descriptor);
2069 
2070         /* can transfer fully assembled packet */
2071 
2072         uint8_t *saved_buffer  = s->cplus_txbuffer;
2073         int      saved_size    = s->cplus_txbuffer_offset;
2074         int      saved_buffer_len = s->cplus_txbuffer_len;
2075 
2076         /* create vlan tag */
2077         if (txdw1 & CP_TX_TAGC) {
2078             /* the vlan tag is in BE byte order in the descriptor
2079              * BE + le_to_cpu() + ~swap()~ = cpu */
2080             DPRINTF("+++ C+ Tx mode : inserting vlan tag with ""tci: %u\n",
2081                 bswap16(txdw1 & CP_TX_VLAN_TAG_MASK));
2082 
2083             dot1q_buffer = (uint16_t *) dot1q_buffer_space;
2084             dot1q_buffer[0] = cpu_to_be16(ETH_P_VLAN);
2085             /* BE + le_to_cpu() + ~cpu_to_le()~ = BE */
2086             dot1q_buffer[1] = cpu_to_le16(txdw1 & CP_TX_VLAN_TAG_MASK);
2087         } else {
2088             dot1q_buffer = NULL;
2089         }
2090 
2091         /* reset the card space to protect from recursive call */
2092         s->cplus_txbuffer = NULL;
2093         s->cplus_txbuffer_offset = 0;
2094         s->cplus_txbuffer_len = 0;
2095 
2096         if (txdw0 & (CP_TX_IPCS | CP_TX_UDPCS | CP_TX_TCPCS | CP_TX_LGSEN))
2097         {
2098             DPRINTF("+++ C+ mode offloaded task checksum\n");
2099 
2100             /* Large enough for Ethernet and IP headers? */
2101             if (saved_size < ETH_HLEN + sizeof(struct ip_header)) {
2102                 goto skip_offload;
2103             }
2104 
2105             /* ip packet header */
2106             struct ip_header *ip = NULL;
2107             int hlen = 0;
2108             uint8_t  ip_protocol = 0;
2109             uint16_t ip_data_len = 0;
2110 
2111             uint8_t *eth_payload_data = NULL;
2112             size_t   eth_payload_len  = 0;
2113 
2114             int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
2115             if (proto != ETH_P_IP)
2116             {
2117                 goto skip_offload;
2118             }
2119 
2120             DPRINTF("+++ C+ mode has IP packet\n");
2121 
2122             /* Note on memory alignment: eth_payload_data is 16-bit aligned
2123              * since saved_buffer is allocated with g_malloc() and ETH_HLEN is
2124              * even.  32-bit accesses must use ldl/stl wrappers to avoid
2125              * unaligned accesses.
2126              */
2127             eth_payload_data = saved_buffer + ETH_HLEN;
2128             eth_payload_len  = saved_size   - ETH_HLEN;
2129 
2130             ip = (struct ip_header*)eth_payload_data;
2131 
2132             if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
2133                 DPRINTF("+++ C+ mode packet has bad IP version %d "
2134                     "expected %d\n", IP_HEADER_VERSION(ip),
2135                     IP_HEADER_VERSION_4);
2136                 goto skip_offload;
2137             }
2138 
2139             hlen = IP_HDR_GET_LEN(ip);
2140             if (hlen < sizeof(struct ip_header) || hlen > eth_payload_len) {
2141                 goto skip_offload;
2142             }
2143 
2144             ip_protocol = ip->ip_p;
2145 
2146             ip_data_len = be16_to_cpu(ip->ip_len);
2147             if (ip_data_len < hlen || ip_data_len > eth_payload_len) {
2148                 goto skip_offload;
2149             }
2150             ip_data_len -= hlen;
2151 
2152             if (txdw0 & CP_TX_IPCS)
2153             {
2154                 DPRINTF("+++ C+ mode need IP checksum\n");
2155 
2156                 ip->ip_sum = 0;
2157                 ip->ip_sum = ip_checksum(ip, hlen);
2158                 DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
2159                     hlen, ip->ip_sum);
2160             }
2161 
2162             if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
2163             {
2164                 /* Large enough for the TCP header? */
2165                 if (ip_data_len < sizeof(tcp_header)) {
2166                     goto skip_offload;
2167                 }
2168 
2169                 int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
2170 
2171                 DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
2172                     "frame data %d specified MSS=%d\n", ETH_MTU,
2173                     ip_data_len, saved_size - ETH_HLEN, large_send_mss);
2174 
2175                 int tcp_send_offset = 0;
2176                 int send_count = 0;
2177 
2178                 /* maximum IP header length is 60 bytes */
2179                 uint8_t saved_ip_header[60];
2180 
2181                 /* save IP header template; data area is used in tcp checksum calculation */
2182                 memcpy(saved_ip_header, eth_payload_data, hlen);
2183 
2184                 /* a placeholder for checksum calculation routine in tcp case */
2185                 uint8_t *data_to_checksum     = eth_payload_data + hlen - 12;
2186                 //                    size_t   data_to_checksum_len = eth_payload_len  - hlen + 12;
2187 
2188                 /* pointer to TCP header */
2189                 tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
2190 
2191                 int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
2192 
2193                 /* Invalid TCP data offset? */
2194                 if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) {
2195                     goto skip_offload;
2196                 }
2197 
2198                 /* ETH_MTU = ip header len + tcp header len + payload */
2199                 int tcp_data_len = ip_data_len - tcp_hlen;
2200                 int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
2201 
2202                 DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP "
2203                     "data len %d TCP chunk size %d\n", ip_data_len,
2204                     tcp_hlen, tcp_data_len, tcp_chunk_size);
2205 
2206                 /* note the cycle below overwrites IP header data,
2207                    but restores it from saved_ip_header before sending packet */
2208 
2209                 int is_last_frame = 0;
2210 
2211                 for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
2212                 {
2213                     uint16_t chunk_size = tcp_chunk_size;
2214 
2215                     /* check if this is the last frame */
2216                     if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
2217                     {
2218                         is_last_frame = 1;
2219                         chunk_size = tcp_data_len - tcp_send_offset;
2220                     }
2221 
2222                     DPRINTF("+++ C+ mode TSO TCP seqno %08x\n",
2223                             ldl_be_p(&p_tcp_hdr->th_seq));
2224 
2225                     /* add 4 TCP pseudoheader fields */
2226                     /* copy IP source and destination fields */
2227                     memcpy(data_to_checksum, saved_ip_header + 12, 8);
2228 
2229                     DPRINTF("+++ C+ mode TSO calculating TCP checksum for "
2230                         "packet with %d bytes data\n", tcp_hlen +
2231                         chunk_size);
2232 
2233                     if (tcp_send_offset)
2234                     {
2235                         memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
2236                     }
2237 
2238                     /* keep PUSH and FIN flags only for the last frame */
2239                     if (!is_last_frame)
2240                     {
2241                         TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TH_PUSH | TH_FIN);
2242                     }
2243 
2244                     /* recalculate TCP checksum */
2245                     ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
2246                     p_tcpip_hdr->zeros      = 0;
2247                     p_tcpip_hdr->ip_proto   = IP_PROTO_TCP;
2248                     p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
2249 
2250                     p_tcp_hdr->th_sum = 0;
2251 
2252                     int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
2253                     DPRINTF("+++ C+ mode TSO TCP checksum %04x\n",
2254                         tcp_checksum);
2255 
2256                     p_tcp_hdr->th_sum = tcp_checksum;
2257 
2258                     /* restore IP header */
2259                     memcpy(eth_payload_data, saved_ip_header, hlen);
2260 
2261                     /* set IP data length and recalculate IP checksum */
2262                     ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
2263 
2264                     /* increment IP id for subsequent frames */
2265                     ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
2266 
2267                     ip->ip_sum = 0;
2268                     ip->ip_sum = ip_checksum(eth_payload_data, hlen);
2269                     DPRINTF("+++ C+ mode TSO IP header len=%d "
2270                         "checksum=%04x\n", hlen, ip->ip_sum);
2271 
2272                     int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
2273                     DPRINTF("+++ C+ mode TSO transferring packet size "
2274                         "%d\n", tso_send_size);
2275                     rtl8139_transfer_frame(s, saved_buffer, tso_send_size,
2276                         0, (uint8_t *) dot1q_buffer);
2277 
2278                     /* add transferred count to TCP sequence number */
2279                     stl_be_p(&p_tcp_hdr->th_seq,
2280                              chunk_size + ldl_be_p(&p_tcp_hdr->th_seq));
2281                     ++send_count;
2282                 }
2283 
2284                 /* Stop sending this frame */
2285                 saved_size = 0;
2286             }
2287             else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
2288             {
2289                 DPRINTF("+++ C+ mode need TCP or UDP checksum\n");
2290 
2291                 /* maximum IP header length is 60 bytes */
2292                 uint8_t saved_ip_header[60];
2293                 memcpy(saved_ip_header, eth_payload_data, hlen);
2294 
2295                 uint8_t *data_to_checksum     = eth_payload_data + hlen - 12;
2296                 //                    size_t   data_to_checksum_len = eth_payload_len  - hlen + 12;
2297 
2298                 /* add 4 TCP pseudoheader fields */
2299                 /* copy IP source and destination fields */
2300                 memcpy(data_to_checksum, saved_ip_header + 12, 8);
2301 
2302                 if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
2303                 {
2304                     DPRINTF("+++ C+ mode calculating TCP checksum for "
2305                         "packet with %d bytes data\n", ip_data_len);
2306 
2307                     ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
2308                     p_tcpip_hdr->zeros      = 0;
2309                     p_tcpip_hdr->ip_proto   = IP_PROTO_TCP;
2310                     p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
2311 
2312                     tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
2313 
2314                     p_tcp_hdr->th_sum = 0;
2315 
2316                     int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
2317                     DPRINTF("+++ C+ mode TCP checksum %04x\n",
2318                         tcp_checksum);
2319 
2320                     p_tcp_hdr->th_sum = tcp_checksum;
2321                 }
2322                 else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
2323                 {
2324                     DPRINTF("+++ C+ mode calculating UDP checksum for "
2325                         "packet with %d bytes data\n", ip_data_len);
2326 
2327                     ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
2328                     p_udpip_hdr->zeros      = 0;
2329                     p_udpip_hdr->ip_proto   = IP_PROTO_UDP;
2330                     p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
2331 
2332                     udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
2333 
2334                     p_udp_hdr->uh_sum = 0;
2335 
2336                     int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
2337                     DPRINTF("+++ C+ mode UDP checksum %04x\n",
2338                         udp_checksum);
2339 
2340                     p_udp_hdr->uh_sum = udp_checksum;
2341                 }
2342 
2343                 /* restore IP header */
2344                 memcpy(eth_payload_data, saved_ip_header, hlen);
2345             }
2346         }
2347 
2348 skip_offload:
2349         /* update tally counter */
2350         ++s->tally_counters.TxOk;
2351 
2352         DPRINTF("+++ C+ mode transmitting %d bytes packet\n", saved_size);
2353 
2354         rtl8139_transfer_frame(s, saved_buffer, saved_size, 1,
2355             (uint8_t *) dot1q_buffer);
2356 
2357         /* restore card space if there was no recursion and reset offset */
2358         if (!s->cplus_txbuffer)
2359         {
2360             s->cplus_txbuffer        = saved_buffer;
2361             s->cplus_txbuffer_len    = saved_buffer_len;
2362             s->cplus_txbuffer_offset = 0;
2363         }
2364         else
2365         {
2366             g_free(saved_buffer);
2367         }
2368     }
2369     else
2370     {
2371         DPRINTF("+++ C+ mode transmission continue to next descriptor\n");
2372     }
2373 
2374     return 1;
2375 }
2376 
2377 static void rtl8139_cplus_transmit(RTL8139State *s)
2378 {
2379     int txcount = 0;
2380 
2381     while (rtl8139_cplus_transmit_one(s))
2382     {
2383         ++txcount;
2384     }
2385 
2386     /* Mark transfer completed */
2387     if (!txcount)
2388     {
2389         DPRINTF("C+ mode : transmitter queue stalled, current TxDesc = %d\n",
2390             s->currCPlusTxDesc);
2391     }
2392     else
2393     {
2394         /* update interrupt status */
2395         s->IntrStatus |= TxOK;
2396         rtl8139_update_irq(s);
2397     }
2398 }
2399 
2400 static void rtl8139_transmit(RTL8139State *s)
2401 {
2402     int descriptor = s->currTxDesc, txcount = 0;
2403 
2404     /*while*/
2405     if (rtl8139_transmit_one(s, descriptor))
2406     {
2407         ++s->currTxDesc;
2408         s->currTxDesc %= 4;
2409         ++txcount;
2410     }
2411 
2412     /* Mark transfer completed */
2413     if (!txcount)
2414     {
2415         DPRINTF("transmitter queue stalled, current TxDesc = %d\n",
2416             s->currTxDesc);
2417     }
2418 }
2419 
2420 static void rtl8139_TxStatus_write(RTL8139State *s, uint32_t txRegOffset, uint32_t val)
2421 {
2422 
2423     int descriptor = txRegOffset/4;
2424 
2425     /* handle C+ transmit mode register configuration */
2426 
2427     if (s->cplus_enabled)
2428     {
2429         DPRINTF("RTL8139C+ DTCCR write offset=0x%x val=0x%08x "
2430             "descriptor=%d\n", txRegOffset, val, descriptor);
2431 
2432         /* handle Dump Tally Counters command */
2433         s->TxStatus[descriptor] = val;
2434 
2435         if (descriptor == 0 && (val & 0x8))
2436         {
2437             hwaddr tc_addr = rtl8139_addr64(s->TxStatus[0] & ~0x3f, s->TxStatus[1]);
2438 
2439             /* dump tally counters to specified memory location */
2440             RTL8139TallyCounters_dma_write(s, tc_addr);
2441 
2442             /* mark dump completed */
2443             s->TxStatus[0] &= ~0x8;
2444         }
2445 
2446         return;
2447     }
2448 
2449     DPRINTF("TxStatus write offset=0x%x val=0x%08x descriptor=%d\n",
2450         txRegOffset, val, descriptor);
2451 
2452     /* mask only reserved bits */
2453     val &= ~0xff00c000; /* these bits are reset on write */
2454     val = SET_MASKED(val, 0x00c00000, s->TxStatus[descriptor]);
2455 
2456     s->TxStatus[descriptor] = val;
2457 
2458     /* attempt to start transmission */
2459     rtl8139_transmit(s);
2460 }
2461 
2462 static uint32_t rtl8139_TxStatus_TxAddr_read(RTL8139State *s, uint32_t regs[],
2463                                              uint32_t base, uint8_t addr,
2464                                              int size)
2465 {
2466     uint32_t reg = (addr - base) / 4;
2467     uint32_t offset = addr & 0x3;
2468     uint32_t ret = 0;
2469 
2470     if (addr & (size - 1)) {
2471         DPRINTF("not implemented read for TxStatus/TxAddr "
2472                 "addr=0x%x size=0x%x\n", addr, size);
2473         return ret;
2474     }
2475 
2476     switch (size) {
2477     case 1: /* fall through */
2478     case 2: /* fall through */
2479     case 4:
2480         ret = (regs[reg] >> offset * 8) & (((uint64_t)1 << (size * 8)) - 1);
2481         DPRINTF("TxStatus/TxAddr[%d] read addr=0x%x size=0x%x val=0x%08x\n",
2482                 reg, addr, size, ret);
2483         break;
2484     default:
2485         DPRINTF("unsupported size 0x%x of TxStatus/TxAddr reading\n", size);
2486         break;
2487     }
2488 
2489     return ret;
2490 }
2491 
2492 static uint16_t rtl8139_TSAD_read(RTL8139State *s)
2493 {
2494     uint16_t ret = 0;
2495 
2496     /* Simulate TSAD, it is read only anyway */
2497 
2498     ret = ((s->TxStatus[3] & TxStatOK  )?TSAD_TOK3:0)
2499          |((s->TxStatus[2] & TxStatOK  )?TSAD_TOK2:0)
2500          |((s->TxStatus[1] & TxStatOK  )?TSAD_TOK1:0)
2501          |((s->TxStatus[0] & TxStatOK  )?TSAD_TOK0:0)
2502 
2503          |((s->TxStatus[3] & TxUnderrun)?TSAD_TUN3:0)
2504          |((s->TxStatus[2] & TxUnderrun)?TSAD_TUN2:0)
2505          |((s->TxStatus[1] & TxUnderrun)?TSAD_TUN1:0)
2506          |((s->TxStatus[0] & TxUnderrun)?TSAD_TUN0:0)
2507 
2508          |((s->TxStatus[3] & TxAborted )?TSAD_TABT3:0)
2509          |((s->TxStatus[2] & TxAborted )?TSAD_TABT2:0)
2510          |((s->TxStatus[1] & TxAborted )?TSAD_TABT1:0)
2511          |((s->TxStatus[0] & TxAborted )?TSAD_TABT0:0)
2512 
2513          |((s->TxStatus[3] & TxHostOwns )?TSAD_OWN3:0)
2514          |((s->TxStatus[2] & TxHostOwns )?TSAD_OWN2:0)
2515          |((s->TxStatus[1] & TxHostOwns )?TSAD_OWN1:0)
2516          |((s->TxStatus[0] & TxHostOwns )?TSAD_OWN0:0) ;
2517 
2518 
2519     DPRINTF("TSAD read val=0x%04x\n", ret);
2520 
2521     return ret;
2522 }
2523 
2524 static uint16_t rtl8139_CSCR_read(RTL8139State *s)
2525 {
2526     uint16_t ret = s->CSCR;
2527 
2528     DPRINTF("CSCR read val=0x%04x\n", ret);
2529 
2530     return ret;
2531 }
2532 
2533 static void rtl8139_TxAddr_write(RTL8139State *s, uint32_t txAddrOffset, uint32_t val)
2534 {
2535     DPRINTF("TxAddr write offset=0x%x val=0x%08x\n", txAddrOffset, val);
2536 
2537     s->TxAddr[txAddrOffset/4] = val;
2538 }
2539 
2540 static uint32_t rtl8139_TxAddr_read(RTL8139State *s, uint32_t txAddrOffset)
2541 {
2542     uint32_t ret = s->TxAddr[txAddrOffset/4];
2543 
2544     DPRINTF("TxAddr read offset=0x%x val=0x%08x\n", txAddrOffset, ret);
2545 
2546     return ret;
2547 }
2548 
2549 static void rtl8139_RxBufPtr_write(RTL8139State *s, uint32_t val)
2550 {
2551     DPRINTF("RxBufPtr write val=0x%04x\n", val);
2552 
2553     /* this value is off by 16 */
2554     s->RxBufPtr = MOD2(val + 0x10, s->RxBufferSize);
2555 
2556     /* more buffer space may be available so try to receive */
2557     qemu_flush_queued_packets(qemu_get_queue(s->nic));
2558 
2559     DPRINTF(" CAPR write: rx buffer length %d head 0x%04x read 0x%04x\n",
2560         s->RxBufferSize, s->RxBufAddr, s->RxBufPtr);
2561 }
2562 
2563 static uint32_t rtl8139_RxBufPtr_read(RTL8139State *s)
2564 {
2565     /* this value is off by 16 */
2566     uint32_t ret = s->RxBufPtr - 0x10;
2567 
2568     DPRINTF("RxBufPtr read val=0x%04x\n", ret);
2569 
2570     return ret;
2571 }
2572 
2573 static uint32_t rtl8139_RxBufAddr_read(RTL8139State *s)
2574 {
2575     /* this value is NOT off by 16 */
2576     uint32_t ret = s->RxBufAddr;
2577 
2578     DPRINTF("RxBufAddr read val=0x%04x\n", ret);
2579 
2580     return ret;
2581 }
2582 
2583 static void rtl8139_RxBuf_write(RTL8139State *s, uint32_t val)
2584 {
2585     DPRINTF("RxBuf write val=0x%08x\n", val);
2586 
2587     s->RxBuf = val;
2588 
2589     /* may need to reset rxring here */
2590 }
2591 
2592 static uint32_t rtl8139_RxBuf_read(RTL8139State *s)
2593 {
2594     uint32_t ret = s->RxBuf;
2595 
2596     DPRINTF("RxBuf read val=0x%08x\n", ret);
2597 
2598     return ret;
2599 }
2600 
2601 static void rtl8139_IntrMask_write(RTL8139State *s, uint32_t val)
2602 {
2603     DPRINTF("IntrMask write(w) val=0x%04x\n", val);
2604 
2605     /* mask unwritable bits */
2606     val = SET_MASKED(val, 0x1e00, s->IntrMask);
2607 
2608     s->IntrMask = val;
2609 
2610     rtl8139_update_irq(s);
2611 
2612 }
2613 
2614 static uint32_t rtl8139_IntrMask_read(RTL8139State *s)
2615 {
2616     uint32_t ret = s->IntrMask;
2617 
2618     DPRINTF("IntrMask read(w) val=0x%04x\n", ret);
2619 
2620     return ret;
2621 }
2622 
2623 static void rtl8139_IntrStatus_write(RTL8139State *s, uint32_t val)
2624 {
2625     DPRINTF("IntrStatus write(w) val=0x%04x\n", val);
2626 
2627 #if 0
2628 
2629     /* writing to ISR has no effect */
2630 
2631     return;
2632 
2633 #else
2634     uint16_t newStatus = s->IntrStatus & ~val;
2635 
2636     /* mask unwritable bits */
2637     newStatus = SET_MASKED(newStatus, 0x1e00, s->IntrStatus);
2638 
2639     /* writing 1 to interrupt status register bit clears it */
2640     s->IntrStatus = 0;
2641     rtl8139_update_irq(s);
2642 
2643     s->IntrStatus = newStatus;
2644     rtl8139_set_next_tctr_time(s);
2645     rtl8139_update_irq(s);
2646 
2647 #endif
2648 }
2649 
2650 static uint32_t rtl8139_IntrStatus_read(RTL8139State *s)
2651 {
2652     uint32_t ret = s->IntrStatus;
2653 
2654     DPRINTF("IntrStatus read(w) val=0x%04x\n", ret);
2655 
2656 #if 0
2657 
2658     /* reading ISR clears all interrupts */
2659     s->IntrStatus = 0;
2660 
2661     rtl8139_update_irq(s);
2662 
2663 #endif
2664 
2665     return ret;
2666 }
2667 
2668 static void rtl8139_MultiIntr_write(RTL8139State *s, uint32_t val)
2669 {
2670     DPRINTF("MultiIntr write(w) val=0x%04x\n", val);
2671 
2672     /* mask unwritable bits */
2673     val = SET_MASKED(val, 0xf000, s->MultiIntr);
2674 
2675     s->MultiIntr = val;
2676 }
2677 
2678 static uint32_t rtl8139_MultiIntr_read(RTL8139State *s)
2679 {
2680     uint32_t ret = s->MultiIntr;
2681 
2682     DPRINTF("MultiIntr read(w) val=0x%04x\n", ret);
2683 
2684     return ret;
2685 }
2686 
2687 static void rtl8139_io_writeb(void *opaque, uint8_t addr, uint32_t val)
2688 {
2689     RTL8139State *s = opaque;
2690 
2691     switch (addr)
2692     {
2693         case MAC0 ... MAC0+4:
2694             s->phys[addr - MAC0] = val;
2695             break;
2696         case MAC0+5:
2697             s->phys[addr - MAC0] = val;
2698             qemu_format_nic_info_str(qemu_get_queue(s->nic), s->phys);
2699             break;
2700         case MAC0+6 ... MAC0+7:
2701             /* reserved */
2702             break;
2703         case MAR0 ... MAR0+7:
2704             s->mult[addr - MAR0] = val;
2705             break;
2706         case ChipCmd:
2707             rtl8139_ChipCmd_write(s, val);
2708             break;
2709         case Cfg9346:
2710             rtl8139_Cfg9346_write(s, val);
2711             break;
2712         case TxConfig: /* windows driver sometimes writes using byte-lenth call */
2713             rtl8139_TxConfig_writeb(s, val);
2714             break;
2715         case Config0:
2716             rtl8139_Config0_write(s, val);
2717             break;
2718         case Config1:
2719             rtl8139_Config1_write(s, val);
2720             break;
2721         case Config3:
2722             rtl8139_Config3_write(s, val);
2723             break;
2724         case Config4:
2725             rtl8139_Config4_write(s, val);
2726             break;
2727         case Config5:
2728             rtl8139_Config5_write(s, val);
2729             break;
2730         case MediaStatus:
2731             /* ignore */
2732             DPRINTF("not implemented write(b) to MediaStatus val=0x%02x\n",
2733                 val);
2734             break;
2735 
2736         case HltClk:
2737             DPRINTF("HltClk write val=0x%08x\n", val);
2738             if (val == 'R')
2739             {
2740                 s->clock_enabled = 1;
2741             }
2742             else if (val == 'H')
2743             {
2744                 s->clock_enabled = 0;
2745             }
2746             break;
2747 
2748         case TxThresh:
2749             DPRINTF("C+ TxThresh write(b) val=0x%02x\n", val);
2750             s->TxThresh = val;
2751             break;
2752 
2753         case TxPoll:
2754             DPRINTF("C+ TxPoll write(b) val=0x%02x\n", val);
2755             if (val & (1 << 7))
2756             {
2757                 DPRINTF("C+ TxPoll high priority transmission (not "
2758                     "implemented)\n");
2759                 //rtl8139_cplus_transmit(s);
2760             }
2761             if (val & (1 << 6))
2762             {
2763                 DPRINTF("C+ TxPoll normal priority transmission\n");
2764                 rtl8139_cplus_transmit(s);
2765             }
2766 
2767             break;
2768 
2769         default:
2770             DPRINTF("not implemented write(b) addr=0x%x val=0x%02x\n", addr,
2771                 val);
2772             break;
2773     }
2774 }
2775 
2776 static void rtl8139_io_writew(void *opaque, uint8_t addr, uint32_t val)
2777 {
2778     RTL8139State *s = opaque;
2779 
2780     switch (addr)
2781     {
2782         case IntrMask:
2783             rtl8139_IntrMask_write(s, val);
2784             break;
2785 
2786         case IntrStatus:
2787             rtl8139_IntrStatus_write(s, val);
2788             break;
2789 
2790         case MultiIntr:
2791             rtl8139_MultiIntr_write(s, val);
2792             break;
2793 
2794         case RxBufPtr:
2795             rtl8139_RxBufPtr_write(s, val);
2796             break;
2797 
2798         case BasicModeCtrl:
2799             rtl8139_BasicModeCtrl_write(s, val);
2800             break;
2801         case BasicModeStatus:
2802             rtl8139_BasicModeStatus_write(s, val);
2803             break;
2804         case NWayAdvert:
2805             DPRINTF("NWayAdvert write(w) val=0x%04x\n", val);
2806             s->NWayAdvert = val;
2807             break;
2808         case NWayLPAR:
2809             DPRINTF("forbidden NWayLPAR write(w) val=0x%04x\n", val);
2810             break;
2811         case NWayExpansion:
2812             DPRINTF("NWayExpansion write(w) val=0x%04x\n", val);
2813             s->NWayExpansion = val;
2814             break;
2815 
2816         case CpCmd:
2817             rtl8139_CpCmd_write(s, val);
2818             break;
2819 
2820         case IntrMitigate:
2821             rtl8139_IntrMitigate_write(s, val);
2822             break;
2823 
2824         default:
2825             DPRINTF("ioport write(w) addr=0x%x val=0x%04x via write(b)\n",
2826                 addr, val);
2827 
2828             rtl8139_io_writeb(opaque, addr, val & 0xff);
2829             rtl8139_io_writeb(opaque, addr + 1, (val >> 8) & 0xff);
2830             break;
2831     }
2832 }
2833 
2834 static void rtl8139_set_next_tctr_time(RTL8139State *s)
2835 {
2836     const uint64_t ns_per_period = (uint64_t)PCI_PERIOD << 32;
2837 
2838     DPRINTF("entered rtl8139_set_next_tctr_time\n");
2839 
2840     /* This function is called at least once per period, so it is a good
2841      * place to update the timer base.
2842      *
2843      * After one iteration of this loop the value in the Timer register does
2844      * not change, but the device model is counting up by 2^32 ticks (approx.
2845      * 130 seconds).
2846      */
2847     while (s->TCTR_base + ns_per_period <= qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)) {
2848         s->TCTR_base += ns_per_period;
2849     }
2850 
2851     if (!s->TimerInt) {
2852         timer_del(s->timer);
2853     } else {
2854         uint64_t delta = (uint64_t)s->TimerInt * PCI_PERIOD;
2855         if (s->TCTR_base + delta <= qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)) {
2856             delta += ns_per_period;
2857         }
2858         timer_mod(s->timer, s->TCTR_base + delta);
2859     }
2860 }
2861 
2862 static void rtl8139_io_writel(void *opaque, uint8_t addr, uint32_t val)
2863 {
2864     RTL8139State *s = opaque;
2865 
2866     switch (addr)
2867     {
2868         case RxMissed:
2869             DPRINTF("RxMissed clearing on write\n");
2870             s->RxMissed = 0;
2871             break;
2872 
2873         case TxConfig:
2874             rtl8139_TxConfig_write(s, val);
2875             break;
2876 
2877         case RxConfig:
2878             rtl8139_RxConfig_write(s, val);
2879             break;
2880 
2881         case TxStatus0 ... TxStatus0+4*4-1:
2882             rtl8139_TxStatus_write(s, addr-TxStatus0, val);
2883             break;
2884 
2885         case TxAddr0 ... TxAddr0+4*4-1:
2886             rtl8139_TxAddr_write(s, addr-TxAddr0, val);
2887             break;
2888 
2889         case RxBuf:
2890             rtl8139_RxBuf_write(s, val);
2891             break;
2892 
2893         case RxRingAddrLO:
2894             DPRINTF("C+ RxRing low bits write val=0x%08x\n", val);
2895             s->RxRingAddrLO = val;
2896             break;
2897 
2898         case RxRingAddrHI:
2899             DPRINTF("C+ RxRing high bits write val=0x%08x\n", val);
2900             s->RxRingAddrHI = val;
2901             break;
2902 
2903         case Timer:
2904             DPRINTF("TCTR Timer reset on write\n");
2905             s->TCTR_base = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
2906             rtl8139_set_next_tctr_time(s);
2907             break;
2908 
2909         case FlashReg:
2910             DPRINTF("FlashReg TimerInt write val=0x%08x\n", val);
2911             if (s->TimerInt != val) {
2912                 s->TimerInt = val;
2913                 rtl8139_set_next_tctr_time(s);
2914             }
2915             break;
2916 
2917         default:
2918             DPRINTF("ioport write(l) addr=0x%x val=0x%08x via write(b)\n",
2919                 addr, val);
2920             rtl8139_io_writeb(opaque, addr, val & 0xff);
2921             rtl8139_io_writeb(opaque, addr + 1, (val >> 8) & 0xff);
2922             rtl8139_io_writeb(opaque, addr + 2, (val >> 16) & 0xff);
2923             rtl8139_io_writeb(opaque, addr + 3, (val >> 24) & 0xff);
2924             break;
2925     }
2926 }
2927 
2928 static uint32_t rtl8139_io_readb(void *opaque, uint8_t addr)
2929 {
2930     RTL8139State *s = opaque;
2931     int ret;
2932 
2933     switch (addr)
2934     {
2935         case MAC0 ... MAC0+5:
2936             ret = s->phys[addr - MAC0];
2937             break;
2938         case MAC0+6 ... MAC0+7:
2939             ret = 0;
2940             break;
2941         case MAR0 ... MAR0+7:
2942             ret = s->mult[addr - MAR0];
2943             break;
2944         case TxStatus0 ... TxStatus0+4*4-1:
2945             ret = rtl8139_TxStatus_TxAddr_read(s, s->TxStatus, TxStatus0,
2946                                                addr, 1);
2947             break;
2948         case ChipCmd:
2949             ret = rtl8139_ChipCmd_read(s);
2950             break;
2951         case Cfg9346:
2952             ret = rtl8139_Cfg9346_read(s);
2953             break;
2954         case Config0:
2955             ret = rtl8139_Config0_read(s);
2956             break;
2957         case Config1:
2958             ret = rtl8139_Config1_read(s);
2959             break;
2960         case Config3:
2961             ret = rtl8139_Config3_read(s);
2962             break;
2963         case Config4:
2964             ret = rtl8139_Config4_read(s);
2965             break;
2966         case Config5:
2967             ret = rtl8139_Config5_read(s);
2968             break;
2969 
2970         case MediaStatus:
2971             /* The LinkDown bit of MediaStatus is inverse with link status */
2972             ret = 0xd0 | (~s->BasicModeStatus & 0x04);
2973             DPRINTF("MediaStatus read 0x%x\n", ret);
2974             break;
2975 
2976         case HltClk:
2977             ret = s->clock_enabled;
2978             DPRINTF("HltClk read 0x%x\n", ret);
2979             break;
2980 
2981         case PCIRevisionID:
2982             ret = RTL8139_PCI_REVID;
2983             DPRINTF("PCI Revision ID read 0x%x\n", ret);
2984             break;
2985 
2986         case TxThresh:
2987             ret = s->TxThresh;
2988             DPRINTF("C+ TxThresh read(b) val=0x%02x\n", ret);
2989             break;
2990 
2991         case 0x43: /* Part of TxConfig register. Windows driver tries to read it */
2992             ret = s->TxConfig >> 24;
2993             DPRINTF("RTL8139C TxConfig at 0x43 read(b) val=0x%02x\n", ret);
2994             break;
2995 
2996         default:
2997             DPRINTF("not implemented read(b) addr=0x%x\n", addr);
2998             ret = 0;
2999             break;
3000     }
3001 
3002     return ret;
3003 }
3004 
3005 static uint32_t rtl8139_io_readw(void *opaque, uint8_t addr)
3006 {
3007     RTL8139State *s = opaque;
3008     uint32_t ret;
3009 
3010     switch (addr)
3011     {
3012         case TxAddr0 ... TxAddr0+4*4-1:
3013             ret = rtl8139_TxStatus_TxAddr_read(s, s->TxAddr, TxAddr0, addr, 2);
3014             break;
3015         case IntrMask:
3016             ret = rtl8139_IntrMask_read(s);
3017             break;
3018 
3019         case IntrStatus:
3020             ret = rtl8139_IntrStatus_read(s);
3021             break;
3022 
3023         case MultiIntr:
3024             ret = rtl8139_MultiIntr_read(s);
3025             break;
3026 
3027         case RxBufPtr:
3028             ret = rtl8139_RxBufPtr_read(s);
3029             break;
3030 
3031         case RxBufAddr:
3032             ret = rtl8139_RxBufAddr_read(s);
3033             break;
3034 
3035         case BasicModeCtrl:
3036             ret = rtl8139_BasicModeCtrl_read(s);
3037             break;
3038         case BasicModeStatus:
3039             ret = rtl8139_BasicModeStatus_read(s);
3040             break;
3041         case NWayAdvert:
3042             ret = s->NWayAdvert;
3043             DPRINTF("NWayAdvert read(w) val=0x%04x\n", ret);
3044             break;
3045         case NWayLPAR:
3046             ret = s->NWayLPAR;
3047             DPRINTF("NWayLPAR read(w) val=0x%04x\n", ret);
3048             break;
3049         case NWayExpansion:
3050             ret = s->NWayExpansion;
3051             DPRINTF("NWayExpansion read(w) val=0x%04x\n", ret);
3052             break;
3053 
3054         case CpCmd:
3055             ret = rtl8139_CpCmd_read(s);
3056             break;
3057 
3058         case IntrMitigate:
3059             ret = rtl8139_IntrMitigate_read(s);
3060             break;
3061 
3062         case TxSummary:
3063             ret = rtl8139_TSAD_read(s);
3064             break;
3065 
3066         case CSCR:
3067             ret = rtl8139_CSCR_read(s);
3068             break;
3069 
3070         default:
3071             DPRINTF("ioport read(w) addr=0x%x via read(b)\n", addr);
3072 
3073             ret  = rtl8139_io_readb(opaque, addr);
3074             ret |= rtl8139_io_readb(opaque, addr + 1) << 8;
3075 
3076             DPRINTF("ioport read(w) addr=0x%x val=0x%04x\n", addr, ret);
3077             break;
3078     }
3079 
3080     return ret;
3081 }
3082 
3083 static uint32_t rtl8139_io_readl(void *opaque, uint8_t addr)
3084 {
3085     RTL8139State *s = opaque;
3086     uint32_t ret;
3087 
3088     switch (addr)
3089     {
3090         case RxMissed:
3091             ret = s->RxMissed;
3092 
3093             DPRINTF("RxMissed read val=0x%08x\n", ret);
3094             break;
3095 
3096         case TxConfig:
3097             ret = rtl8139_TxConfig_read(s);
3098             break;
3099 
3100         case RxConfig:
3101             ret = rtl8139_RxConfig_read(s);
3102             break;
3103 
3104         case TxStatus0 ... TxStatus0+4*4-1:
3105             ret = rtl8139_TxStatus_TxAddr_read(s, s->TxStatus, TxStatus0,
3106                                                addr, 4);
3107             break;
3108 
3109         case TxAddr0 ... TxAddr0+4*4-1:
3110             ret = rtl8139_TxAddr_read(s, addr-TxAddr0);
3111             break;
3112 
3113         case RxBuf:
3114             ret = rtl8139_RxBuf_read(s);
3115             break;
3116 
3117         case RxRingAddrLO:
3118             ret = s->RxRingAddrLO;
3119             DPRINTF("C+ RxRing low bits read val=0x%08x\n", ret);
3120             break;
3121 
3122         case RxRingAddrHI:
3123             ret = s->RxRingAddrHI;
3124             DPRINTF("C+ RxRing high bits read val=0x%08x\n", ret);
3125             break;
3126 
3127         case Timer:
3128             ret = (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - s->TCTR_base) /
3129                   PCI_PERIOD;
3130             DPRINTF("TCTR Timer read val=0x%08x\n", ret);
3131             break;
3132 
3133         case FlashReg:
3134             ret = s->TimerInt;
3135             DPRINTF("FlashReg TimerInt read val=0x%08x\n", ret);
3136             break;
3137 
3138         default:
3139             DPRINTF("ioport read(l) addr=0x%x via read(b)\n", addr);
3140 
3141             ret  = rtl8139_io_readb(opaque, addr);
3142             ret |= rtl8139_io_readb(opaque, addr + 1) << 8;
3143             ret |= rtl8139_io_readb(opaque, addr + 2) << 16;
3144             ret |= rtl8139_io_readb(opaque, addr + 3) << 24;
3145 
3146             DPRINTF("read(l) addr=0x%x val=%08x\n", addr, ret);
3147             break;
3148     }
3149 
3150     return ret;
3151 }
3152 
3153 /* */
3154 
3155 static void rtl8139_mmio_writeb(void *opaque, hwaddr addr, uint32_t val)
3156 {
3157     rtl8139_io_writeb(opaque, addr & 0xFF, val);
3158 }
3159 
3160 static void rtl8139_mmio_writew(void *opaque, hwaddr addr, uint32_t val)
3161 {
3162     rtl8139_io_writew(opaque, addr & 0xFF, val);
3163 }
3164 
3165 static void rtl8139_mmio_writel(void *opaque, hwaddr addr, uint32_t val)
3166 {
3167     rtl8139_io_writel(opaque, addr & 0xFF, val);
3168 }
3169 
3170 static uint32_t rtl8139_mmio_readb(void *opaque, hwaddr addr)
3171 {
3172     return rtl8139_io_readb(opaque, addr & 0xFF);
3173 }
3174 
3175 static uint32_t rtl8139_mmio_readw(void *opaque, hwaddr addr)
3176 {
3177     uint32_t val = rtl8139_io_readw(opaque, addr & 0xFF);
3178     return val;
3179 }
3180 
3181 static uint32_t rtl8139_mmio_readl(void *opaque, hwaddr addr)
3182 {
3183     uint32_t val = rtl8139_io_readl(opaque, addr & 0xFF);
3184     return val;
3185 }
3186 
3187 static int rtl8139_post_load(void *opaque, int version_id)
3188 {
3189     RTL8139State* s = opaque;
3190     rtl8139_set_next_tctr_time(s);
3191     if (version_id < 4) {
3192         s->cplus_enabled = s->CpCmd != 0;
3193     }
3194 
3195     /* nc.link_down can't be migrated, so infer link_down according
3196      * to link status bit in BasicModeStatus */
3197     qemu_get_queue(s->nic)->link_down = (s->BasicModeStatus & 0x04) == 0;
3198 
3199     return 0;
3200 }
3201 
3202 static bool rtl8139_hotplug_ready_needed(void *opaque)
3203 {
3204     return qdev_machine_modified();
3205 }
3206 
3207 static const VMStateDescription vmstate_rtl8139_hotplug_ready ={
3208     .name = "rtl8139/hotplug_ready",
3209     .version_id = 1,
3210     .minimum_version_id = 1,
3211     .needed = rtl8139_hotplug_ready_needed,
3212     .fields = (VMStateField[]) {
3213         VMSTATE_END_OF_LIST()
3214     }
3215 };
3216 
3217 static void rtl8139_pre_save(void *opaque)
3218 {
3219     RTL8139State* s = opaque;
3220     int64_t current_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
3221 
3222     /* for migration to older versions */
3223     s->TCTR = (current_time - s->TCTR_base) / PCI_PERIOD;
3224     s->rtl8139_mmio_io_addr_dummy = 0;
3225 }
3226 
3227 static const VMStateDescription vmstate_rtl8139 = {
3228     .name = "rtl8139",
3229     .version_id = 4,
3230     .minimum_version_id = 3,
3231     .post_load = rtl8139_post_load,
3232     .pre_save  = rtl8139_pre_save,
3233     .fields = (VMStateField[]) {
3234         VMSTATE_PCI_DEVICE(parent_obj, RTL8139State),
3235         VMSTATE_PARTIAL_BUFFER(phys, RTL8139State, 6),
3236         VMSTATE_BUFFER(mult, RTL8139State),
3237         VMSTATE_UINT32_ARRAY(TxStatus, RTL8139State, 4),
3238         VMSTATE_UINT32_ARRAY(TxAddr, RTL8139State, 4),
3239 
3240         VMSTATE_UINT32(RxBuf, RTL8139State),
3241         VMSTATE_UINT32(RxBufferSize, RTL8139State),
3242         VMSTATE_UINT32(RxBufPtr, RTL8139State),
3243         VMSTATE_UINT32(RxBufAddr, RTL8139State),
3244 
3245         VMSTATE_UINT16(IntrStatus, RTL8139State),
3246         VMSTATE_UINT16(IntrMask, RTL8139State),
3247 
3248         VMSTATE_UINT32(TxConfig, RTL8139State),
3249         VMSTATE_UINT32(RxConfig, RTL8139State),
3250         VMSTATE_UINT32(RxMissed, RTL8139State),
3251         VMSTATE_UINT16(CSCR, RTL8139State),
3252 
3253         VMSTATE_UINT8(Cfg9346, RTL8139State),
3254         VMSTATE_UINT8(Config0, RTL8139State),
3255         VMSTATE_UINT8(Config1, RTL8139State),
3256         VMSTATE_UINT8(Config3, RTL8139State),
3257         VMSTATE_UINT8(Config4, RTL8139State),
3258         VMSTATE_UINT8(Config5, RTL8139State),
3259 
3260         VMSTATE_UINT8(clock_enabled, RTL8139State),
3261         VMSTATE_UINT8(bChipCmdState, RTL8139State),
3262 
3263         VMSTATE_UINT16(MultiIntr, RTL8139State),
3264 
3265         VMSTATE_UINT16(BasicModeCtrl, RTL8139State),
3266         VMSTATE_UINT16(BasicModeStatus, RTL8139State),
3267         VMSTATE_UINT16(NWayAdvert, RTL8139State),
3268         VMSTATE_UINT16(NWayLPAR, RTL8139State),
3269         VMSTATE_UINT16(NWayExpansion, RTL8139State),
3270 
3271         VMSTATE_UINT16(CpCmd, RTL8139State),
3272         VMSTATE_UINT8(TxThresh, RTL8139State),
3273 
3274         VMSTATE_UNUSED(4),
3275         VMSTATE_MACADDR(conf.macaddr, RTL8139State),
3276         VMSTATE_INT32(rtl8139_mmio_io_addr_dummy, RTL8139State),
3277 
3278         VMSTATE_UINT32(currTxDesc, RTL8139State),
3279         VMSTATE_UINT32(currCPlusRxDesc, RTL8139State),
3280         VMSTATE_UINT32(currCPlusTxDesc, RTL8139State),
3281         VMSTATE_UINT32(RxRingAddrLO, RTL8139State),
3282         VMSTATE_UINT32(RxRingAddrHI, RTL8139State),
3283 
3284         VMSTATE_UINT16_ARRAY(eeprom.contents, RTL8139State, EEPROM_9346_SIZE),
3285         VMSTATE_INT32(eeprom.mode, RTL8139State),
3286         VMSTATE_UINT32(eeprom.tick, RTL8139State),
3287         VMSTATE_UINT8(eeprom.address, RTL8139State),
3288         VMSTATE_UINT16(eeprom.input, RTL8139State),
3289         VMSTATE_UINT16(eeprom.output, RTL8139State),
3290 
3291         VMSTATE_UINT8(eeprom.eecs, RTL8139State),
3292         VMSTATE_UINT8(eeprom.eesk, RTL8139State),
3293         VMSTATE_UINT8(eeprom.eedi, RTL8139State),
3294         VMSTATE_UINT8(eeprom.eedo, RTL8139State),
3295 
3296         VMSTATE_UINT32(TCTR, RTL8139State),
3297         VMSTATE_UINT32(TimerInt, RTL8139State),
3298         VMSTATE_INT64(TCTR_base, RTL8139State),
3299 
3300         VMSTATE_STRUCT(tally_counters, RTL8139State, 0,
3301                        vmstate_tally_counters, RTL8139TallyCounters),
3302 
3303         VMSTATE_UINT32_V(cplus_enabled, RTL8139State, 4),
3304         VMSTATE_END_OF_LIST()
3305     },
3306     .subsections = (const VMStateDescription*[]) {
3307         &vmstate_rtl8139_hotplug_ready,
3308         NULL
3309     }
3310 };
3311 
3312 /***********************************************************/
3313 /* PCI RTL8139 definitions */
3314 
3315 static void rtl8139_ioport_write(void *opaque, hwaddr addr,
3316                                  uint64_t val, unsigned size)
3317 {
3318     switch (size) {
3319     case 1:
3320         rtl8139_io_writeb(opaque, addr, val);
3321         break;
3322     case 2:
3323         rtl8139_io_writew(opaque, addr, val);
3324         break;
3325     case 4:
3326         rtl8139_io_writel(opaque, addr, val);
3327         break;
3328     }
3329 }
3330 
3331 static uint64_t rtl8139_ioport_read(void *opaque, hwaddr addr,
3332                                     unsigned size)
3333 {
3334     switch (size) {
3335     case 1:
3336         return rtl8139_io_readb(opaque, addr);
3337     case 2:
3338         return rtl8139_io_readw(opaque, addr);
3339     case 4:
3340         return rtl8139_io_readl(opaque, addr);
3341     }
3342 
3343     return -1;
3344 }
3345 
3346 static const MemoryRegionOps rtl8139_io_ops = {
3347     .read = rtl8139_ioport_read,
3348     .write = rtl8139_ioport_write,
3349     .impl = {
3350         .min_access_size = 1,
3351         .max_access_size = 4,
3352     },
3353     .endianness = DEVICE_LITTLE_ENDIAN,
3354 };
3355 
3356 static const MemoryRegionOps rtl8139_mmio_ops = {
3357     .old_mmio = {
3358         .read = {
3359             rtl8139_mmio_readb,
3360             rtl8139_mmio_readw,
3361             rtl8139_mmio_readl,
3362         },
3363         .write = {
3364             rtl8139_mmio_writeb,
3365             rtl8139_mmio_writew,
3366             rtl8139_mmio_writel,
3367         },
3368     },
3369     .endianness = DEVICE_LITTLE_ENDIAN,
3370 };
3371 
3372 static void rtl8139_timer(void *opaque)
3373 {
3374     RTL8139State *s = opaque;
3375 
3376     if (!s->clock_enabled)
3377     {
3378         DPRINTF(">>> timer: clock is not running\n");
3379         return;
3380     }
3381 
3382     s->IntrStatus |= PCSTimeout;
3383     rtl8139_update_irq(s);
3384     rtl8139_set_next_tctr_time(s);
3385 }
3386 
3387 static void pci_rtl8139_uninit(PCIDevice *dev)
3388 {
3389     RTL8139State *s = RTL8139(dev);
3390 
3391     g_free(s->cplus_txbuffer);
3392     s->cplus_txbuffer = NULL;
3393     timer_del(s->timer);
3394     timer_free(s->timer);
3395     qemu_del_nic(s->nic);
3396 }
3397 
3398 static void rtl8139_set_link_status(NetClientState *nc)
3399 {
3400     RTL8139State *s = qemu_get_nic_opaque(nc);
3401 
3402     if (nc->link_down) {
3403         s->BasicModeStatus &= ~0x04;
3404     } else {
3405         s->BasicModeStatus |= 0x04;
3406     }
3407 
3408     s->IntrStatus |= RxUnderrun;
3409     rtl8139_update_irq(s);
3410 }
3411 
3412 static NetClientInfo net_rtl8139_info = {
3413     .type = NET_CLIENT_OPTIONS_KIND_NIC,
3414     .size = sizeof(NICState),
3415     .can_receive = rtl8139_can_receive,
3416     .receive = rtl8139_receive,
3417     .link_status_changed = rtl8139_set_link_status,
3418 };
3419 
3420 static void pci_rtl8139_realize(PCIDevice *dev, Error **errp)
3421 {
3422     RTL8139State *s = RTL8139(dev);
3423     DeviceState *d = DEVICE(dev);
3424     uint8_t *pci_conf;
3425 
3426     pci_conf = dev->config;
3427     pci_conf[PCI_INTERRUPT_PIN] = 1;    /* interrupt pin A */
3428     /* TODO: start of capability list, but no capability
3429      * list bit in status register, and offset 0xdc seems unused. */
3430     pci_conf[PCI_CAPABILITY_LIST] = 0xdc;
3431 
3432     memory_region_init_io(&s->bar_io, OBJECT(s), &rtl8139_io_ops, s,
3433                           "rtl8139", 0x100);
3434     memory_region_init_io(&s->bar_mem, OBJECT(s), &rtl8139_mmio_ops, s,
3435                           "rtl8139", 0x100);
3436     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->bar_io);
3437     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->bar_mem);
3438 
3439     qemu_macaddr_default_if_unset(&s->conf.macaddr);
3440 
3441     /* prepare eeprom */
3442     s->eeprom.contents[0] = 0x8129;
3443 #if 1
3444     /* PCI vendor and device ID should be mirrored here */
3445     s->eeprom.contents[1] = PCI_VENDOR_ID_REALTEK;
3446     s->eeprom.contents[2] = PCI_DEVICE_ID_REALTEK_8139;
3447 #endif
3448     s->eeprom.contents[7] = s->conf.macaddr.a[0] | s->conf.macaddr.a[1] << 8;
3449     s->eeprom.contents[8] = s->conf.macaddr.a[2] | s->conf.macaddr.a[3] << 8;
3450     s->eeprom.contents[9] = s->conf.macaddr.a[4] | s->conf.macaddr.a[5] << 8;
3451 
3452     s->nic = qemu_new_nic(&net_rtl8139_info, &s->conf,
3453                           object_get_typename(OBJECT(dev)), d->id, s);
3454     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
3455 
3456     s->cplus_txbuffer = NULL;
3457     s->cplus_txbuffer_len = 0;
3458     s->cplus_txbuffer_offset = 0;
3459 
3460     s->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, rtl8139_timer, s);
3461 }
3462 
3463 static void rtl8139_instance_init(Object *obj)
3464 {
3465     RTL8139State *s = RTL8139(obj);
3466 
3467     device_add_bootindex_property(obj, &s->conf.bootindex,
3468                                   "bootindex", "/ethernet-phy@0",
3469                                   DEVICE(obj), NULL);
3470 }
3471 
3472 static Property rtl8139_properties[] = {
3473     DEFINE_NIC_PROPERTIES(RTL8139State, conf),
3474     DEFINE_PROP_END_OF_LIST(),
3475 };
3476 
3477 static void rtl8139_class_init(ObjectClass *klass, void *data)
3478 {
3479     DeviceClass *dc = DEVICE_CLASS(klass);
3480     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
3481 
3482     k->realize = pci_rtl8139_realize;
3483     k->exit = pci_rtl8139_uninit;
3484     k->romfile = "efi-rtl8139.rom";
3485     k->vendor_id = PCI_VENDOR_ID_REALTEK;
3486     k->device_id = PCI_DEVICE_ID_REALTEK_8139;
3487     k->revision = RTL8139_PCI_REVID; /* >=0x20 is for 8139C+ */
3488     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
3489     dc->reset = rtl8139_reset;
3490     dc->vmsd = &vmstate_rtl8139;
3491     dc->props = rtl8139_properties;
3492     set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
3493 }
3494 
3495 static const TypeInfo rtl8139_info = {
3496     .name          = TYPE_RTL8139,
3497     .parent        = TYPE_PCI_DEVICE,
3498     .instance_size = sizeof(RTL8139State),
3499     .class_init    = rtl8139_class_init,
3500     .instance_init = rtl8139_instance_init,
3501 };
3502 
3503 static void rtl8139_register_types(void)
3504 {
3505     type_register_static(&rtl8139_info);
3506 }
3507 
3508 type_init(rtl8139_register_types)
3509