xref: /openbmc/qemu/hw/scsi/esp.c (revision d98883d1)
1 /*
2  * QEMU ESP/NCR53C9x emulation
3  *
4  * Copyright (c) 2005-2006 Fabrice Bellard
5  * Copyright (c) 2012 Herve Poussineau
6  * Copyright (c) 2023 Mark Cave-Ayland
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "hw/sysbus.h"
29 #include "migration/vmstate.h"
30 #include "hw/irq.h"
31 #include "hw/scsi/esp.h"
32 #include "trace.h"
33 #include "qemu/log.h"
34 #include "qemu/module.h"
35 
36 /*
37  * On Sparc32, this is the ESP (NCR53C90) part of chip STP2000 (Master I/O),
38  * also produced as NCR89C100. See
39  * http://www.ibiblio.org/pub/historic-linux/early-ports/Sparc/NCR/NCR89C100.txt
40  * and
41  * http://www.ibiblio.org/pub/historic-linux/early-ports/Sparc/NCR/NCR53C9X.txt
42  *
43  * On Macintosh Quadra it is a NCR53C96.
44  */
45 
46 static void esp_raise_irq(ESPState *s)
47 {
48     if (!(s->rregs[ESP_RSTAT] & STAT_INT)) {
49         s->rregs[ESP_RSTAT] |= STAT_INT;
50         qemu_irq_raise(s->irq);
51         trace_esp_raise_irq();
52     }
53 }
54 
55 static void esp_lower_irq(ESPState *s)
56 {
57     if (s->rregs[ESP_RSTAT] & STAT_INT) {
58         s->rregs[ESP_RSTAT] &= ~STAT_INT;
59         qemu_irq_lower(s->irq);
60         trace_esp_lower_irq();
61     }
62 }
63 
64 static void esp_raise_drq(ESPState *s)
65 {
66     if (!(s->drq_state)) {
67         qemu_irq_raise(s->drq_irq);
68         trace_esp_raise_drq();
69         s->drq_state = true;
70     }
71 }
72 
73 static void esp_lower_drq(ESPState *s)
74 {
75     if (s->drq_state) {
76         qemu_irq_lower(s->drq_irq);
77         trace_esp_lower_drq();
78         s->drq_state = false;
79     }
80 }
81 
82 static const char *esp_phase_names[8] = {
83     "DATA OUT", "DATA IN", "COMMAND", "STATUS",
84     "(reserved)", "(reserved)", "MESSAGE OUT", "MESSAGE IN"
85 };
86 
87 static void esp_set_phase(ESPState *s, uint8_t phase)
88 {
89     s->rregs[ESP_RSTAT] &= ~7;
90     s->rregs[ESP_RSTAT] |= phase;
91 
92     trace_esp_set_phase(esp_phase_names[phase]);
93 }
94 
95 static uint8_t esp_get_phase(ESPState *s)
96 {
97     return s->rregs[ESP_RSTAT] & 7;
98 }
99 
100 void esp_dma_enable(ESPState *s, int irq, int level)
101 {
102     if (level) {
103         s->dma_enabled = 1;
104         trace_esp_dma_enable();
105         if (s->dma_cb) {
106             s->dma_cb(s);
107             s->dma_cb = NULL;
108         }
109     } else {
110         trace_esp_dma_disable();
111         s->dma_enabled = 0;
112     }
113 }
114 
115 void esp_request_cancelled(SCSIRequest *req)
116 {
117     ESPState *s = req->hba_private;
118 
119     if (req == s->current_req) {
120         scsi_req_unref(s->current_req);
121         s->current_req = NULL;
122         s->current_dev = NULL;
123         s->async_len = 0;
124     }
125 }
126 
127 static void esp_update_drq(ESPState *s)
128 {
129     bool to_device;
130 
131     switch (esp_get_phase(s)) {
132     case STAT_MO:
133     case STAT_CD:
134     case STAT_DO:
135         to_device = true;
136         break;
137 
138     case STAT_DI:
139     case STAT_ST:
140     case STAT_MI:
141         to_device = false;
142         break;
143 
144     default:
145         return;
146     }
147 
148     if (s->dma) {
149         /* DMA request so update DRQ according to transfer direction */
150         if (to_device) {
151             if (fifo8_num_free(&s->fifo) < 2) {
152                 esp_lower_drq(s);
153             } else {
154                 esp_raise_drq(s);
155             }
156         } else {
157             if (fifo8_num_used(&s->fifo) < 2) {
158                 esp_lower_drq(s);
159             } else {
160                 esp_raise_drq(s);
161             }
162         }
163     } else {
164         /* Not a DMA request */
165         esp_lower_drq(s);
166     }
167 }
168 
169 static void esp_fifo_push(ESPState *s, uint8_t val)
170 {
171     if (fifo8_num_used(&s->fifo) == s->fifo.capacity) {
172         trace_esp_error_fifo_overrun();
173     } else {
174         fifo8_push(&s->fifo, val);
175     }
176 
177     esp_update_drq(s);
178 }
179 
180 static void esp_fifo_push_buf(ESPState *s, uint8_t *buf, int len)
181 {
182     fifo8_push_all(&s->fifo, buf, len);
183     esp_update_drq(s);
184 }
185 
186 static uint8_t esp_fifo_pop(ESPState *s)
187 {
188     uint8_t val;
189 
190     if (fifo8_is_empty(&s->fifo)) {
191         val = 0;
192     } else {
193         val = fifo8_pop(&s->fifo);
194     }
195 
196     esp_update_drq(s);
197     return val;
198 }
199 
200 static uint32_t esp_fifo8_pop_buf(Fifo8 *fifo, uint8_t *dest, int maxlen)
201 {
202     const uint8_t *buf;
203     uint32_t n, n2;
204     int len;
205 
206     if (maxlen == 0) {
207         return 0;
208     }
209 
210     len = maxlen;
211     buf = fifo8_pop_buf(fifo, len, &n);
212     if (dest) {
213         memcpy(dest, buf, n);
214     }
215 
216     /* Add FIFO wraparound if needed */
217     len -= n;
218     len = MIN(len, fifo8_num_used(fifo));
219     if (len) {
220         buf = fifo8_pop_buf(fifo, len, &n2);
221         if (dest) {
222             memcpy(&dest[n], buf, n2);
223         }
224         n += n2;
225     }
226 
227     return n;
228 }
229 
230 static uint32_t esp_fifo_pop_buf(ESPState *s, uint8_t *dest, int maxlen)
231 {
232     uint32_t len = esp_fifo8_pop_buf(&s->fifo, dest, maxlen);
233 
234     esp_update_drq(s);
235     return len;
236 }
237 
238 static uint32_t esp_get_tc(ESPState *s)
239 {
240     uint32_t dmalen;
241 
242     dmalen = s->rregs[ESP_TCLO];
243     dmalen |= s->rregs[ESP_TCMID] << 8;
244     dmalen |= s->rregs[ESP_TCHI] << 16;
245 
246     return dmalen;
247 }
248 
249 static void esp_set_tc(ESPState *s, uint32_t dmalen)
250 {
251     uint32_t old_tc = esp_get_tc(s);
252 
253     s->rregs[ESP_TCLO] = dmalen;
254     s->rregs[ESP_TCMID] = dmalen >> 8;
255     s->rregs[ESP_TCHI] = dmalen >> 16;
256 
257     if (old_tc && dmalen == 0) {
258         s->rregs[ESP_RSTAT] |= STAT_TC;
259     }
260 }
261 
262 static uint32_t esp_get_stc(ESPState *s)
263 {
264     uint32_t dmalen;
265 
266     dmalen = s->wregs[ESP_TCLO];
267     dmalen |= s->wregs[ESP_TCMID] << 8;
268     dmalen |= s->wregs[ESP_TCHI] << 16;
269 
270     return dmalen;
271 }
272 
273 static uint8_t esp_pdma_read(ESPState *s)
274 {
275     uint8_t val;
276 
277     val = esp_fifo_pop(s);
278     return val;
279 }
280 
281 static void esp_pdma_write(ESPState *s, uint8_t val)
282 {
283     uint32_t dmalen = esp_get_tc(s);
284 
285     esp_fifo_push(s, val);
286 
287     if (dmalen && s->drq_state) {
288         dmalen--;
289         esp_set_tc(s, dmalen);
290     }
291 }
292 
293 static int esp_select(ESPState *s)
294 {
295     int target;
296 
297     target = s->wregs[ESP_WBUSID] & BUSID_DID;
298 
299     s->ti_size = 0;
300     s->rregs[ESP_RSEQ] = SEQ_0;
301 
302     if (s->current_req) {
303         /* Started a new command before the old one finished. Cancel it. */
304         scsi_req_cancel(s->current_req);
305     }
306 
307     s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
308     if (!s->current_dev) {
309         /* No such drive */
310         s->rregs[ESP_RSTAT] = 0;
311         s->rregs[ESP_RINTR] = INTR_DC;
312         esp_raise_irq(s);
313         return -1;
314     }
315 
316     /*
317      * Note that we deliberately don't raise the IRQ here: this will be done
318      * either in esp_transfer_data() or esp_command_complete()
319      */
320     return 0;
321 }
322 
323 static void esp_do_dma(ESPState *s);
324 static void esp_do_nodma(ESPState *s);
325 
326 static void do_command_phase(ESPState *s)
327 {
328     uint32_t cmdlen;
329     int32_t datalen;
330     SCSIDevice *current_lun;
331     uint8_t buf[ESP_CMDFIFO_SZ];
332 
333     trace_esp_do_command_phase(s->lun);
334     cmdlen = fifo8_num_used(&s->cmdfifo);
335     if (!cmdlen || !s->current_dev) {
336         return;
337     }
338     esp_fifo8_pop_buf(&s->cmdfifo, buf, cmdlen);
339 
340     current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, s->lun);
341     if (!current_lun) {
342         /* No such drive */
343         s->rregs[ESP_RSTAT] = 0;
344         s->rregs[ESP_RINTR] = INTR_DC;
345         s->rregs[ESP_RSEQ] = SEQ_0;
346         esp_raise_irq(s);
347         return;
348     }
349 
350     s->current_req = scsi_req_new(current_lun, 0, s->lun, buf, cmdlen, s);
351     datalen = scsi_req_enqueue(s->current_req);
352     s->ti_size = datalen;
353     fifo8_reset(&s->cmdfifo);
354     s->data_ready = false;
355     if (datalen != 0) {
356         /*
357          * Switch to DATA phase but wait until initial data xfer is
358          * complete before raising the command completion interrupt
359          */
360         if (datalen > 0) {
361             esp_set_phase(s, STAT_DI);
362         } else {
363             esp_set_phase(s, STAT_DO);
364         }
365         scsi_req_continue(s->current_req);
366         return;
367     }
368 }
369 
370 static void do_message_phase(ESPState *s)
371 {
372     if (s->cmdfifo_cdb_offset) {
373         uint8_t message = fifo8_is_empty(&s->cmdfifo) ? 0 :
374                           fifo8_pop(&s->cmdfifo);
375 
376         trace_esp_do_identify(message);
377         s->lun = message & 7;
378         s->cmdfifo_cdb_offset--;
379     }
380 
381     /* Ignore extended messages for now */
382     if (s->cmdfifo_cdb_offset) {
383         int len = MIN(s->cmdfifo_cdb_offset, fifo8_num_used(&s->cmdfifo));
384         esp_fifo8_pop_buf(&s->cmdfifo, NULL, len);
385         s->cmdfifo_cdb_offset = 0;
386     }
387 }
388 
389 static void do_cmd(ESPState *s)
390 {
391     do_message_phase(s);
392     assert(s->cmdfifo_cdb_offset == 0);
393     do_command_phase(s);
394 }
395 
396 static void handle_satn(ESPState *s)
397 {
398     if (s->dma && !s->dma_enabled) {
399         s->dma_cb = handle_satn;
400         return;
401     }
402 
403     if (esp_select(s) < 0) {
404         return;
405     }
406 
407     esp_set_phase(s, STAT_MO);
408 
409     if (s->dma) {
410         esp_do_dma(s);
411     } else {
412         esp_do_nodma(s);
413     }
414 }
415 
416 static void handle_s_without_atn(ESPState *s)
417 {
418     if (s->dma && !s->dma_enabled) {
419         s->dma_cb = handle_s_without_atn;
420         return;
421     }
422 
423     if (esp_select(s) < 0) {
424         return;
425     }
426 
427     esp_set_phase(s, STAT_CD);
428     s->cmdfifo_cdb_offset = 0;
429 
430     if (s->dma) {
431         esp_do_dma(s);
432     } else {
433         esp_do_nodma(s);
434     }
435 }
436 
437 static void handle_satn_stop(ESPState *s)
438 {
439     if (s->dma && !s->dma_enabled) {
440         s->dma_cb = handle_satn_stop;
441         return;
442     }
443 
444     if (esp_select(s) < 0) {
445         return;
446     }
447 
448     esp_set_phase(s, STAT_MO);
449     s->cmdfifo_cdb_offset = 0;
450 
451     if (s->dma) {
452         esp_do_dma(s);
453     } else {
454         esp_do_nodma(s);
455     }
456 }
457 
458 static void handle_pad(ESPState *s)
459 {
460     if (s->dma) {
461         esp_do_dma(s);
462     } else {
463         esp_do_nodma(s);
464     }
465 }
466 
467 static void write_response(ESPState *s)
468 {
469     trace_esp_write_response(s->status);
470 
471     if (s->dma) {
472         esp_do_dma(s);
473     } else {
474         esp_do_nodma(s);
475     }
476 }
477 
478 static bool esp_cdb_ready(ESPState *s)
479 {
480     int len = fifo8_num_used(&s->cmdfifo) - s->cmdfifo_cdb_offset;
481     const uint8_t *pbuf;
482     uint32_t n;
483     int cdblen;
484 
485     if (len <= 0) {
486         return false;
487     }
488 
489     pbuf = fifo8_peek_buf(&s->cmdfifo, len, &n);
490     if (n < len) {
491         /*
492          * In normal use the cmdfifo should never wrap, but include this check
493          * to prevent a malicious guest from reading past the end of the
494          * cmdfifo data buffer below
495          */
496         return false;
497     }
498 
499     cdblen = scsi_cdb_length((uint8_t *)&pbuf[s->cmdfifo_cdb_offset]);
500 
501     return cdblen < 0 ? false : (len >= cdblen);
502 }
503 
504 static void esp_dma_ti_check(ESPState *s)
505 {
506     if (esp_get_tc(s) == 0 && fifo8_num_used(&s->fifo) < 2) {
507         s->rregs[ESP_RINTR] |= INTR_BS;
508         esp_raise_irq(s);
509     }
510 }
511 
512 static void esp_do_dma(ESPState *s)
513 {
514     uint32_t len, cmdlen;
515     uint8_t buf[ESP_CMDFIFO_SZ];
516 
517     len = esp_get_tc(s);
518 
519     switch (esp_get_phase(s)) {
520     case STAT_MO:
521         if (s->dma_memory_read) {
522             len = MIN(len, fifo8_num_free(&s->cmdfifo));
523             s->dma_memory_read(s->dma_opaque, buf, len);
524             esp_set_tc(s, esp_get_tc(s) - len);
525         } else {
526             len = esp_fifo_pop_buf(s, buf, fifo8_num_used(&s->fifo));
527             len = MIN(fifo8_num_free(&s->cmdfifo), len);
528         }
529 
530         fifo8_push_all(&s->cmdfifo, buf, len);
531         s->cmdfifo_cdb_offset += len;
532 
533         switch (s->rregs[ESP_CMD]) {
534         case CMD_SELATN | CMD_DMA:
535             if (fifo8_num_used(&s->cmdfifo) >= 1) {
536                 /* First byte received, switch to command phase */
537                 esp_set_phase(s, STAT_CD);
538                 s->rregs[ESP_RSEQ] = SEQ_CD;
539                 s->cmdfifo_cdb_offset = 1;
540 
541                 if (fifo8_num_used(&s->cmdfifo) > 1) {
542                     /* Process any additional command phase data */
543                     esp_do_dma(s);
544                 }
545             }
546             break;
547 
548         case CMD_SELATNS | CMD_DMA:
549             if (fifo8_num_used(&s->cmdfifo) == 1) {
550                 /* First byte received, stop in message out phase */
551                 s->rregs[ESP_RSEQ] = SEQ_MO;
552                 s->cmdfifo_cdb_offset = 1;
553 
554                 /* Raise command completion interrupt */
555                 s->rregs[ESP_RINTR] |= INTR_BS | INTR_FC;
556                 esp_raise_irq(s);
557             }
558             break;
559 
560         case CMD_TI | CMD_DMA:
561             /* ATN remains asserted until TC == 0 */
562             if (esp_get_tc(s) == 0) {
563                 esp_set_phase(s, STAT_CD);
564                 s->rregs[ESP_CMD] = 0;
565                 s->rregs[ESP_RINTR] |= INTR_BS;
566                 esp_raise_irq(s);
567             }
568             break;
569         }
570         break;
571 
572     case STAT_CD:
573         cmdlen = fifo8_num_used(&s->cmdfifo);
574         trace_esp_do_dma(cmdlen, len);
575         if (s->dma_memory_read) {
576             len = MIN(len, fifo8_num_free(&s->cmdfifo));
577             s->dma_memory_read(s->dma_opaque, buf, len);
578             fifo8_push_all(&s->cmdfifo, buf, len);
579             esp_set_tc(s, esp_get_tc(s) - len);
580         } else {
581             len = esp_fifo_pop_buf(s, buf, fifo8_num_used(&s->fifo));
582             len = MIN(fifo8_num_free(&s->cmdfifo), len);
583             fifo8_push_all(&s->cmdfifo, buf, len);
584         }
585         trace_esp_handle_ti_cmd(cmdlen);
586         s->ti_size = 0;
587         if (esp_get_tc(s) == 0) {
588             /* Command has been received */
589             do_cmd(s);
590         }
591         break;
592 
593     case STAT_DO:
594         if (!s->current_req) {
595             return;
596         }
597         if (s->async_len == 0 && esp_get_tc(s)) {
598             /* Defer until data is available.  */
599             return;
600         }
601         if (len > s->async_len) {
602             len = s->async_len;
603         }
604 
605         switch (s->rregs[ESP_CMD]) {
606         case CMD_TI | CMD_DMA:
607             if (s->dma_memory_read) {
608                 s->dma_memory_read(s->dma_opaque, s->async_buf, len);
609                 esp_set_tc(s, esp_get_tc(s) - len);
610             } else {
611                 /* Copy FIFO data to device */
612                 len = MIN(s->async_len, ESP_FIFO_SZ);
613                 len = MIN(len, fifo8_num_used(&s->fifo));
614                 len = esp_fifo_pop_buf(s, s->async_buf, len);
615             }
616 
617             s->async_buf += len;
618             s->async_len -= len;
619             s->ti_size += len;
620             break;
621 
622         case CMD_PAD | CMD_DMA:
623             /* Copy TC zero bytes into the incoming stream */
624             if (!s->dma_memory_read) {
625                 len = MIN(s->async_len, ESP_FIFO_SZ);
626                 len = MIN(len, fifo8_num_free(&s->fifo));
627             }
628 
629             memset(s->async_buf, 0, len);
630 
631             s->async_buf += len;
632             s->async_len -= len;
633             s->ti_size += len;
634             break;
635         }
636 
637         if (s->async_len == 0 && fifo8_num_used(&s->fifo) < 2) {
638             /* Defer until the scsi layer has completed */
639             scsi_req_continue(s->current_req);
640             return;
641         }
642 
643         esp_dma_ti_check(s);
644         break;
645 
646     case STAT_DI:
647         if (!s->current_req) {
648             return;
649         }
650         if (s->async_len == 0 && esp_get_tc(s)) {
651             /* Defer until data is available.  */
652             return;
653         }
654         if (len > s->async_len) {
655             len = s->async_len;
656         }
657 
658         switch (s->rregs[ESP_CMD]) {
659         case CMD_TI | CMD_DMA:
660             if (s->dma_memory_write) {
661                 s->dma_memory_write(s->dma_opaque, s->async_buf, len);
662             } else {
663                 /* Copy device data to FIFO */
664                 len = MIN(len, fifo8_num_free(&s->fifo));
665                 esp_fifo_push_buf(s, s->async_buf, len);
666             }
667 
668             s->async_buf += len;
669             s->async_len -= len;
670             s->ti_size -= len;
671             esp_set_tc(s, esp_get_tc(s) - len);
672             break;
673 
674         case CMD_PAD | CMD_DMA:
675             /* Drop TC bytes from the incoming stream */
676             if (!s->dma_memory_write) {
677                 len = MIN(len, fifo8_num_free(&s->fifo));
678             }
679 
680             s->async_buf += len;
681             s->async_len -= len;
682             s->ti_size -= len;
683             esp_set_tc(s, esp_get_tc(s) - len);
684             break;
685         }
686 
687         if (s->async_len == 0 && s->ti_size == 0 && esp_get_tc(s)) {
688             /* If the guest underflows TC then terminate SCSI request */
689             scsi_req_continue(s->current_req);
690             return;
691         }
692 
693         if (s->async_len == 0 && fifo8_num_used(&s->fifo) < 2) {
694             /* Defer until the scsi layer has completed */
695             scsi_req_continue(s->current_req);
696             return;
697         }
698 
699         esp_dma_ti_check(s);
700         break;
701 
702     case STAT_ST:
703         switch (s->rregs[ESP_CMD]) {
704         case CMD_ICCS | CMD_DMA:
705             len = MIN(len, 1);
706 
707             if (len) {
708                 buf[0] = s->status;
709 
710                 if (s->dma_memory_write) {
711                     s->dma_memory_write(s->dma_opaque, buf, len);
712                 } else {
713                     esp_fifo_push_buf(s, buf, len);
714                 }
715 
716                 esp_set_tc(s, esp_get_tc(s) - len);
717                 esp_set_phase(s, STAT_MI);
718 
719                 if (esp_get_tc(s) > 0) {
720                     /* Process any message in phase data */
721                     esp_do_dma(s);
722                 }
723             }
724             break;
725 
726         default:
727             /* Consume remaining data if the guest underflows TC */
728             if (fifo8_num_used(&s->fifo) < 2) {
729                 s->rregs[ESP_RINTR] |= INTR_BS;
730                 esp_raise_irq(s);
731             }
732             break;
733         }
734         break;
735 
736     case STAT_MI:
737         switch (s->rregs[ESP_CMD]) {
738         case CMD_ICCS | CMD_DMA:
739             len = MIN(len, 1);
740 
741             if (len) {
742                 buf[0] = 0;
743 
744                 if (s->dma_memory_write) {
745                     s->dma_memory_write(s->dma_opaque, buf, len);
746                 } else {
747                     esp_fifo_push_buf(s, buf, len);
748                 }
749 
750                 esp_set_tc(s, esp_get_tc(s) - len);
751 
752                 /* Raise end of command interrupt */
753                 s->rregs[ESP_RINTR] |= INTR_FC;
754                 esp_raise_irq(s);
755             }
756             break;
757         }
758         break;
759     }
760 }
761 
762 static void esp_nodma_ti_dataout(ESPState *s)
763 {
764     int len;
765 
766     if (!s->current_req) {
767         return;
768     }
769     if (s->async_len == 0) {
770         /* Defer until data is available.  */
771         return;
772     }
773     len = MIN(s->async_len, ESP_FIFO_SZ);
774     len = MIN(len, fifo8_num_used(&s->fifo));
775     esp_fifo_pop_buf(s, s->async_buf, len);
776     s->async_buf += len;
777     s->async_len -= len;
778     s->ti_size += len;
779 
780     if (s->async_len == 0) {
781         scsi_req_continue(s->current_req);
782         return;
783     }
784 
785     s->rregs[ESP_RINTR] |= INTR_BS;
786     esp_raise_irq(s);
787 }
788 
789 static void esp_do_nodma(ESPState *s)
790 {
791     uint8_t buf[ESP_FIFO_SZ];
792     uint32_t cmdlen;
793     int len;
794 
795     switch (esp_get_phase(s)) {
796     case STAT_MO:
797         switch (s->rregs[ESP_CMD]) {
798         case CMD_SELATN:
799             /* Copy FIFO into cmdfifo */
800             len = esp_fifo_pop_buf(s, buf, fifo8_num_used(&s->fifo));
801             len = MIN(fifo8_num_free(&s->cmdfifo), len);
802             fifo8_push_all(&s->cmdfifo, buf, len);
803 
804             if (fifo8_num_used(&s->cmdfifo) >= 1) {
805                 /* First byte received, switch to command phase */
806                 esp_set_phase(s, STAT_CD);
807                 s->rregs[ESP_RSEQ] = SEQ_CD;
808                 s->cmdfifo_cdb_offset = 1;
809 
810                 if (fifo8_num_used(&s->cmdfifo) > 1) {
811                     /* Process any additional command phase data */
812                     esp_do_nodma(s);
813                 }
814             }
815             break;
816 
817         case CMD_SELATNS:
818             /* Copy one byte from FIFO into cmdfifo */
819             len = esp_fifo_pop_buf(s, buf,
820                                    MIN(fifo8_num_used(&s->fifo), 1));
821             len = MIN(fifo8_num_free(&s->cmdfifo), len);
822             fifo8_push_all(&s->cmdfifo, buf, len);
823 
824             if (fifo8_num_used(&s->cmdfifo) >= 1) {
825                 /* First byte received, stop in message out phase */
826                 s->rregs[ESP_RSEQ] = SEQ_MO;
827                 s->cmdfifo_cdb_offset = 1;
828 
829                 /* Raise command completion interrupt */
830                 s->rregs[ESP_RINTR] |= INTR_BS | INTR_FC;
831                 esp_raise_irq(s);
832             }
833             break;
834 
835         case CMD_TI:
836             /* Copy FIFO into cmdfifo */
837             len = esp_fifo_pop_buf(s, buf, fifo8_num_used(&s->fifo));
838             len = MIN(fifo8_num_free(&s->cmdfifo), len);
839             fifo8_push_all(&s->cmdfifo, buf, len);
840 
841             /* ATN remains asserted until FIFO empty */
842             s->cmdfifo_cdb_offset = fifo8_num_used(&s->cmdfifo);
843             esp_set_phase(s, STAT_CD);
844             s->rregs[ESP_CMD] = 0;
845             s->rregs[ESP_RINTR] |= INTR_BS;
846             esp_raise_irq(s);
847             break;
848         }
849         break;
850 
851     case STAT_CD:
852         switch (s->rregs[ESP_CMD]) {
853         case CMD_TI:
854             /* Copy FIFO into cmdfifo */
855             len = esp_fifo_pop_buf(s, buf, fifo8_num_used(&s->fifo));
856             len = MIN(fifo8_num_free(&s->cmdfifo), len);
857             fifo8_push_all(&s->cmdfifo, buf, len);
858 
859             cmdlen = fifo8_num_used(&s->cmdfifo);
860             trace_esp_handle_ti_cmd(cmdlen);
861 
862             /* CDB may be transferred in one or more TI commands */
863             if (esp_cdb_ready(s)) {
864                 /* Command has been received */
865                 do_cmd(s);
866             } else {
867                 /*
868                  * If data was transferred from the FIFO then raise bus
869                  * service interrupt to indicate transfer complete. Otherwise
870                  * defer until the next FIFO write.
871                  */
872                 if (len) {
873                     /* Raise interrupt to indicate transfer complete */
874                     s->rregs[ESP_RINTR] |= INTR_BS;
875                     esp_raise_irq(s);
876                 }
877             }
878             break;
879 
880         case CMD_SEL | CMD_DMA:
881         case CMD_SELATN | CMD_DMA:
882             /* Copy FIFO into cmdfifo */
883             len = esp_fifo_pop_buf(s, buf, fifo8_num_used(&s->fifo));
884             len = MIN(fifo8_num_free(&s->cmdfifo), len);
885             fifo8_push_all(&s->cmdfifo, buf, len);
886 
887             /* Handle when DMA transfer is terminated by non-DMA FIFO write */
888             if (esp_cdb_ready(s)) {
889                 /* Command has been received */
890                 do_cmd(s);
891             }
892             break;
893 
894         case CMD_SEL:
895         case CMD_SELATN:
896             /* FIFO already contain entire CDB: copy to cmdfifo and execute */
897             len = esp_fifo_pop_buf(s, buf, fifo8_num_used(&s->fifo));
898             len = MIN(fifo8_num_free(&s->cmdfifo), len);
899             fifo8_push_all(&s->cmdfifo, buf, len);
900 
901             do_cmd(s);
902             break;
903         }
904         break;
905 
906     case STAT_DO:
907         /* Accumulate data in FIFO until non-DMA TI is executed */
908         break;
909 
910     case STAT_DI:
911         if (!s->current_req) {
912             return;
913         }
914         if (s->async_len == 0) {
915             /* Defer until data is available.  */
916             return;
917         }
918         if (fifo8_is_empty(&s->fifo)) {
919             esp_fifo_push(s, s->async_buf[0]);
920             s->async_buf++;
921             s->async_len--;
922             s->ti_size--;
923         }
924 
925         if (s->async_len == 0) {
926             scsi_req_continue(s->current_req);
927             return;
928         }
929 
930         /* If preloading the FIFO, defer until TI command issued */
931         if (s->rregs[ESP_CMD] != CMD_TI) {
932             return;
933         }
934 
935         s->rregs[ESP_RINTR] |= INTR_BS;
936         esp_raise_irq(s);
937         break;
938 
939     case STAT_ST:
940         switch (s->rregs[ESP_CMD]) {
941         case CMD_ICCS:
942             esp_fifo_push(s, s->status);
943             esp_set_phase(s, STAT_MI);
944 
945             /* Process any message in phase data */
946             esp_do_nodma(s);
947             break;
948         }
949         break;
950 
951     case STAT_MI:
952         switch (s->rregs[ESP_CMD]) {
953         case CMD_ICCS:
954             esp_fifo_push(s, 0);
955 
956             /* Raise end of command interrupt */
957             s->rregs[ESP_RINTR] |= INTR_FC;
958             esp_raise_irq(s);
959             break;
960         }
961         break;
962     }
963 }
964 
965 void esp_command_complete(SCSIRequest *req, size_t resid)
966 {
967     ESPState *s = req->hba_private;
968     int to_device = (esp_get_phase(s) == STAT_DO);
969 
970     trace_esp_command_complete();
971 
972     /*
973      * Non-DMA transfers from the target will leave the last byte in
974      * the FIFO so don't reset ti_size in this case
975      */
976     if (s->dma || to_device) {
977         if (s->ti_size != 0) {
978             trace_esp_command_complete_unexpected();
979         }
980     }
981 
982     s->async_len = 0;
983     if (req->status) {
984         trace_esp_command_complete_fail();
985     }
986     s->status = req->status;
987 
988     /*
989      * Switch to status phase. For non-DMA transfers from the target the last
990      * byte is still in the FIFO
991      */
992     s->ti_size = 0;
993 
994     switch (s->rregs[ESP_CMD]) {
995     case CMD_SEL | CMD_DMA:
996     case CMD_SEL:
997     case CMD_SELATN | CMD_DMA:
998     case CMD_SELATN:
999         /*
1000          * No data phase for sequencer command so raise deferred bus service
1001          * and function complete interrupt
1002          */
1003         s->rregs[ESP_RINTR] |= INTR_BS | INTR_FC;
1004         s->rregs[ESP_RSEQ] = SEQ_CD;
1005         break;
1006 
1007     case CMD_TI | CMD_DMA:
1008     case CMD_TI:
1009         s->rregs[ESP_CMD] = 0;
1010         break;
1011     }
1012 
1013     /* Raise bus service interrupt to indicate change to STATUS phase */
1014     esp_set_phase(s, STAT_ST);
1015     s->rregs[ESP_RINTR] |= INTR_BS;
1016     esp_raise_irq(s);
1017 
1018     if (s->current_req) {
1019         scsi_req_unref(s->current_req);
1020         s->current_req = NULL;
1021         s->current_dev = NULL;
1022     }
1023 }
1024 
1025 void esp_transfer_data(SCSIRequest *req, uint32_t len)
1026 {
1027     ESPState *s = req->hba_private;
1028     uint32_t dmalen = esp_get_tc(s);
1029 
1030     trace_esp_transfer_data(dmalen, s->ti_size);
1031     s->async_len = len;
1032     s->async_buf = scsi_req_get_buf(req);
1033 
1034     if (!s->data_ready) {
1035         s->data_ready = true;
1036 
1037         switch (s->rregs[ESP_CMD]) {
1038         case CMD_SEL | CMD_DMA:
1039         case CMD_SEL:
1040         case CMD_SELATN | CMD_DMA:
1041         case CMD_SELATN:
1042             /*
1043              * Initial incoming data xfer is complete for sequencer command
1044              * so raise deferred bus service and function complete interrupt
1045              */
1046              s->rregs[ESP_RINTR] |= INTR_BS | INTR_FC;
1047              s->rregs[ESP_RSEQ] = SEQ_CD;
1048              break;
1049 
1050         case CMD_SELATNS | CMD_DMA:
1051         case CMD_SELATNS:
1052             /*
1053              * Initial incoming data xfer is complete so raise command
1054              * completion interrupt
1055              */
1056              s->rregs[ESP_RINTR] |= INTR_BS;
1057              s->rregs[ESP_RSEQ] = SEQ_MO;
1058              break;
1059 
1060         case CMD_TI | CMD_DMA:
1061         case CMD_TI:
1062             /*
1063              * Bus service interrupt raised because of initial change to
1064              * DATA phase
1065              */
1066             s->rregs[ESP_CMD] = 0;
1067             s->rregs[ESP_RINTR] |= INTR_BS;
1068             break;
1069         }
1070 
1071         esp_raise_irq(s);
1072     }
1073 
1074     /*
1075      * Always perform the initial transfer upon reception of the next TI
1076      * command to ensure the DMA/non-DMA status of the command is correct.
1077      * It is not possible to use s->dma directly in the section below as
1078      * some OSs send non-DMA NOP commands after a DMA transfer. Hence if the
1079      * async data transfer is delayed then s->dma is set incorrectly.
1080      */
1081 
1082     if (s->rregs[ESP_CMD] == (CMD_TI | CMD_DMA)) {
1083         /* When the SCSI layer returns more data, raise deferred INTR_BS */
1084         esp_dma_ti_check(s);
1085 
1086         esp_do_dma(s);
1087     } else if (s->rregs[ESP_CMD] == CMD_TI) {
1088         esp_do_nodma(s);
1089     }
1090 }
1091 
1092 static void handle_ti(ESPState *s)
1093 {
1094     uint32_t dmalen;
1095 
1096     if (s->dma && !s->dma_enabled) {
1097         s->dma_cb = handle_ti;
1098         return;
1099     }
1100 
1101     if (s->dma) {
1102         dmalen = esp_get_tc(s);
1103         trace_esp_handle_ti(dmalen);
1104         esp_do_dma(s);
1105     } else {
1106         trace_esp_handle_ti(s->ti_size);
1107         esp_do_nodma(s);
1108 
1109         if (esp_get_phase(s) == STAT_DO) {
1110             esp_nodma_ti_dataout(s);
1111         }
1112     }
1113 }
1114 
1115 void esp_hard_reset(ESPState *s)
1116 {
1117     memset(s->rregs, 0, ESP_REGS);
1118     memset(s->wregs, 0, ESP_REGS);
1119     s->tchi_written = 0;
1120     s->ti_size = 0;
1121     s->async_len = 0;
1122     fifo8_reset(&s->fifo);
1123     fifo8_reset(&s->cmdfifo);
1124     s->dma = 0;
1125     s->dma_cb = NULL;
1126 
1127     s->rregs[ESP_CFG1] = 7;
1128 }
1129 
1130 static void esp_soft_reset(ESPState *s)
1131 {
1132     qemu_irq_lower(s->irq);
1133     qemu_irq_lower(s->drq_irq);
1134     esp_hard_reset(s);
1135 }
1136 
1137 static void esp_bus_reset(ESPState *s)
1138 {
1139     bus_cold_reset(BUS(&s->bus));
1140 }
1141 
1142 static void parent_esp_reset(ESPState *s, int irq, int level)
1143 {
1144     if (level) {
1145         esp_soft_reset(s);
1146     }
1147 }
1148 
1149 static void esp_run_cmd(ESPState *s)
1150 {
1151     uint8_t cmd = s->rregs[ESP_CMD];
1152 
1153     if (cmd & CMD_DMA) {
1154         s->dma = 1;
1155         /* Reload DMA counter.  */
1156         if (esp_get_stc(s) == 0) {
1157             esp_set_tc(s, 0x10000);
1158         } else {
1159             esp_set_tc(s, esp_get_stc(s));
1160         }
1161     } else {
1162         s->dma = 0;
1163     }
1164     switch (cmd & CMD_CMD) {
1165     case CMD_NOP:
1166         trace_esp_mem_writeb_cmd_nop(cmd);
1167         break;
1168     case CMD_FLUSH:
1169         trace_esp_mem_writeb_cmd_flush(cmd);
1170         fifo8_reset(&s->fifo);
1171         break;
1172     case CMD_RESET:
1173         trace_esp_mem_writeb_cmd_reset(cmd);
1174         esp_soft_reset(s);
1175         break;
1176     case CMD_BUSRESET:
1177         trace_esp_mem_writeb_cmd_bus_reset(cmd);
1178         esp_bus_reset(s);
1179         if (!(s->wregs[ESP_CFG1] & CFG1_RESREPT)) {
1180             s->rregs[ESP_RINTR] |= INTR_RST;
1181             esp_raise_irq(s);
1182         }
1183         break;
1184     case CMD_TI:
1185         trace_esp_mem_writeb_cmd_ti(cmd);
1186         handle_ti(s);
1187         break;
1188     case CMD_ICCS:
1189         trace_esp_mem_writeb_cmd_iccs(cmd);
1190         write_response(s);
1191         break;
1192     case CMD_MSGACC:
1193         trace_esp_mem_writeb_cmd_msgacc(cmd);
1194         s->rregs[ESP_RINTR] |= INTR_DC;
1195         s->rregs[ESP_RSEQ] = 0;
1196         s->rregs[ESP_RFLAGS] = 0;
1197         esp_raise_irq(s);
1198         break;
1199     case CMD_PAD:
1200         trace_esp_mem_writeb_cmd_pad(cmd);
1201         handle_pad(s);
1202         break;
1203     case CMD_SATN:
1204         trace_esp_mem_writeb_cmd_satn(cmd);
1205         break;
1206     case CMD_RSTATN:
1207         trace_esp_mem_writeb_cmd_rstatn(cmd);
1208         break;
1209     case CMD_SEL:
1210         trace_esp_mem_writeb_cmd_sel(cmd);
1211         handle_s_without_atn(s);
1212         break;
1213     case CMD_SELATN:
1214         trace_esp_mem_writeb_cmd_selatn(cmd);
1215         handle_satn(s);
1216         break;
1217     case CMD_SELATNS:
1218         trace_esp_mem_writeb_cmd_selatns(cmd);
1219         handle_satn_stop(s);
1220         break;
1221     case CMD_ENSEL:
1222         trace_esp_mem_writeb_cmd_ensel(cmd);
1223         s->rregs[ESP_RINTR] = 0;
1224         break;
1225     case CMD_DISSEL:
1226         trace_esp_mem_writeb_cmd_dissel(cmd);
1227         s->rregs[ESP_RINTR] = 0;
1228         esp_raise_irq(s);
1229         break;
1230     default:
1231         trace_esp_error_unhandled_command(cmd);
1232         break;
1233     }
1234 }
1235 
1236 uint64_t esp_reg_read(ESPState *s, uint32_t saddr)
1237 {
1238     uint32_t val;
1239 
1240     switch (saddr) {
1241     case ESP_FIFO:
1242         s->rregs[ESP_FIFO] = esp_fifo_pop(s);
1243         val = s->rregs[ESP_FIFO];
1244         break;
1245     case ESP_RINTR:
1246         /*
1247          * Clear sequence step, interrupt register and all status bits
1248          * except TC
1249          */
1250         val = s->rregs[ESP_RINTR];
1251         s->rregs[ESP_RINTR] = 0;
1252         esp_lower_irq(s);
1253         s->rregs[ESP_RSTAT] &= STAT_TC | 7;
1254         /*
1255          * According to the datasheet ESP_RSEQ should be cleared, but as the
1256          * emulation currently defers information transfers to the next TI
1257          * command leave it for now so that pedantic guests such as the old
1258          * Linux 2.6 driver see the correct flags before the next SCSI phase
1259          * transition.
1260          *
1261          * s->rregs[ESP_RSEQ] = SEQ_0;
1262          */
1263         break;
1264     case ESP_TCHI:
1265         /* Return the unique id if the value has never been written */
1266         if (!s->tchi_written) {
1267             val = s->chip_id;
1268         } else {
1269             val = s->rregs[saddr];
1270         }
1271         break;
1272      case ESP_RFLAGS:
1273         /* Bottom 5 bits indicate number of bytes in FIFO */
1274         val = fifo8_num_used(&s->fifo);
1275         break;
1276     default:
1277         val = s->rregs[saddr];
1278         break;
1279     }
1280 
1281     trace_esp_mem_readb(saddr, val);
1282     return val;
1283 }
1284 
1285 void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
1286 {
1287     trace_esp_mem_writeb(saddr, s->wregs[saddr], val);
1288     switch (saddr) {
1289     case ESP_TCHI:
1290         s->tchi_written = true;
1291         /* fall through */
1292     case ESP_TCLO:
1293     case ESP_TCMID:
1294         s->rregs[ESP_RSTAT] &= ~STAT_TC;
1295         break;
1296     case ESP_FIFO:
1297         if (!fifo8_is_full(&s->fifo)) {
1298             esp_fifo_push(s, val);
1299         }
1300         esp_do_nodma(s);
1301         break;
1302     case ESP_CMD:
1303         s->rregs[saddr] = val;
1304         esp_run_cmd(s);
1305         break;
1306     case ESP_WBUSID ... ESP_WSYNO:
1307         break;
1308     case ESP_CFG1:
1309     case ESP_CFG2: case ESP_CFG3:
1310     case ESP_RES3: case ESP_RES4:
1311         s->rregs[saddr] = val;
1312         break;
1313     case ESP_WCCF ... ESP_WTEST:
1314         break;
1315     default:
1316         trace_esp_error_invalid_write(val, saddr);
1317         return;
1318     }
1319     s->wregs[saddr] = val;
1320 }
1321 
1322 static bool esp_mem_accepts(void *opaque, hwaddr addr,
1323                             unsigned size, bool is_write,
1324                             MemTxAttrs attrs)
1325 {
1326     return (size == 1) || (is_write && size == 4);
1327 }
1328 
1329 static bool esp_is_before_version_5(void *opaque, int version_id)
1330 {
1331     ESPState *s = ESP(opaque);
1332 
1333     version_id = MIN(version_id, s->mig_version_id);
1334     return version_id < 5;
1335 }
1336 
1337 static bool esp_is_version_5(void *opaque, int version_id)
1338 {
1339     ESPState *s = ESP(opaque);
1340 
1341     version_id = MIN(version_id, s->mig_version_id);
1342     return version_id >= 5;
1343 }
1344 
1345 static bool esp_is_version_6(void *opaque, int version_id)
1346 {
1347     ESPState *s = ESP(opaque);
1348 
1349     version_id = MIN(version_id, s->mig_version_id);
1350     return version_id >= 6;
1351 }
1352 
1353 static bool esp_is_between_version_5_and_6(void *opaque, int version_id)
1354 {
1355     ESPState *s = ESP(opaque);
1356 
1357     version_id = MIN(version_id, s->mig_version_id);
1358     return version_id >= 5 && version_id <= 6;
1359 }
1360 
1361 int esp_pre_save(void *opaque)
1362 {
1363     ESPState *s = ESP(object_resolve_path_component(
1364                       OBJECT(opaque), "esp"));
1365 
1366     s->mig_version_id = vmstate_esp.version_id;
1367     return 0;
1368 }
1369 
1370 static int esp_post_load(void *opaque, int version_id)
1371 {
1372     ESPState *s = ESP(opaque);
1373     int len, i;
1374 
1375     version_id = MIN(version_id, s->mig_version_id);
1376 
1377     if (version_id < 5) {
1378         esp_set_tc(s, s->mig_dma_left);
1379 
1380         /* Migrate ti_buf to fifo */
1381         len = s->mig_ti_wptr - s->mig_ti_rptr;
1382         for (i = 0; i < len; i++) {
1383             fifo8_push(&s->fifo, s->mig_ti_buf[i]);
1384         }
1385 
1386         /* Migrate cmdbuf to cmdfifo */
1387         for (i = 0; i < s->mig_cmdlen; i++) {
1388             fifo8_push(&s->cmdfifo, s->mig_cmdbuf[i]);
1389         }
1390     }
1391 
1392     s->mig_version_id = vmstate_esp.version_id;
1393     return 0;
1394 }
1395 
1396 const VMStateDescription vmstate_esp = {
1397     .name = "esp",
1398     .version_id = 7,
1399     .minimum_version_id = 3,
1400     .post_load = esp_post_load,
1401     .fields = (const VMStateField[]) {
1402         VMSTATE_BUFFER(rregs, ESPState),
1403         VMSTATE_BUFFER(wregs, ESPState),
1404         VMSTATE_INT32(ti_size, ESPState),
1405         VMSTATE_UINT32_TEST(mig_ti_rptr, ESPState, esp_is_before_version_5),
1406         VMSTATE_UINT32_TEST(mig_ti_wptr, ESPState, esp_is_before_version_5),
1407         VMSTATE_BUFFER_TEST(mig_ti_buf, ESPState, esp_is_before_version_5),
1408         VMSTATE_UINT32(status, ESPState),
1409         VMSTATE_UINT32_TEST(mig_deferred_status, ESPState,
1410                             esp_is_before_version_5),
1411         VMSTATE_BOOL_TEST(mig_deferred_complete, ESPState,
1412                           esp_is_before_version_5),
1413         VMSTATE_UINT32(dma, ESPState),
1414         VMSTATE_STATIC_BUFFER(mig_cmdbuf, ESPState, 0,
1415                               esp_is_before_version_5, 0, 16),
1416         VMSTATE_STATIC_BUFFER(mig_cmdbuf, ESPState, 4,
1417                               esp_is_before_version_5, 16,
1418                               sizeof(typeof_field(ESPState, mig_cmdbuf))),
1419         VMSTATE_UINT32_TEST(mig_cmdlen, ESPState, esp_is_before_version_5),
1420         VMSTATE_UINT32(do_cmd, ESPState),
1421         VMSTATE_UINT32_TEST(mig_dma_left, ESPState, esp_is_before_version_5),
1422         VMSTATE_BOOL_TEST(data_ready, ESPState, esp_is_version_5),
1423         VMSTATE_UINT8_TEST(cmdfifo_cdb_offset, ESPState, esp_is_version_5),
1424         VMSTATE_FIFO8_TEST(fifo, ESPState, esp_is_version_5),
1425         VMSTATE_FIFO8_TEST(cmdfifo, ESPState, esp_is_version_5),
1426         VMSTATE_UINT8_TEST(mig_ti_cmd, ESPState,
1427                            esp_is_between_version_5_and_6),
1428         VMSTATE_UINT8_TEST(lun, ESPState, esp_is_version_6),
1429         VMSTATE_BOOL(drq_state, ESPState),
1430         VMSTATE_END_OF_LIST()
1431     },
1432 };
1433 
1434 static void sysbus_esp_mem_write(void *opaque, hwaddr addr,
1435                                  uint64_t val, unsigned int size)
1436 {
1437     SysBusESPState *sysbus = opaque;
1438     ESPState *s = ESP(&sysbus->esp);
1439     uint32_t saddr;
1440 
1441     saddr = addr >> sysbus->it_shift;
1442     esp_reg_write(s, saddr, val);
1443 }
1444 
1445 static uint64_t sysbus_esp_mem_read(void *opaque, hwaddr addr,
1446                                     unsigned int size)
1447 {
1448     SysBusESPState *sysbus = opaque;
1449     ESPState *s = ESP(&sysbus->esp);
1450     uint32_t saddr;
1451 
1452     saddr = addr >> sysbus->it_shift;
1453     return esp_reg_read(s, saddr);
1454 }
1455 
1456 static const MemoryRegionOps sysbus_esp_mem_ops = {
1457     .read = sysbus_esp_mem_read,
1458     .write = sysbus_esp_mem_write,
1459     .endianness = DEVICE_NATIVE_ENDIAN,
1460     .valid.accepts = esp_mem_accepts,
1461 };
1462 
1463 static void sysbus_esp_pdma_write(void *opaque, hwaddr addr,
1464                                   uint64_t val, unsigned int size)
1465 {
1466     SysBusESPState *sysbus = opaque;
1467     ESPState *s = ESP(&sysbus->esp);
1468 
1469     trace_esp_pdma_write(size);
1470 
1471     switch (size) {
1472     case 1:
1473         esp_pdma_write(s, val);
1474         break;
1475     case 2:
1476         esp_pdma_write(s, val >> 8);
1477         esp_pdma_write(s, val);
1478         break;
1479     }
1480     esp_do_dma(s);
1481 }
1482 
1483 static uint64_t sysbus_esp_pdma_read(void *opaque, hwaddr addr,
1484                                      unsigned int size)
1485 {
1486     SysBusESPState *sysbus = opaque;
1487     ESPState *s = ESP(&sysbus->esp);
1488     uint64_t val = 0;
1489 
1490     trace_esp_pdma_read(size);
1491 
1492     switch (size) {
1493     case 1:
1494         val = esp_pdma_read(s);
1495         break;
1496     case 2:
1497         val = esp_pdma_read(s);
1498         val = (val << 8) | esp_pdma_read(s);
1499         break;
1500     }
1501     esp_do_dma(s);
1502     return val;
1503 }
1504 
1505 static void *esp_load_request(QEMUFile *f, SCSIRequest *req)
1506 {
1507     ESPState *s = container_of(req->bus, ESPState, bus);
1508 
1509     scsi_req_ref(req);
1510     s->current_req = req;
1511     return s;
1512 }
1513 
1514 static const MemoryRegionOps sysbus_esp_pdma_ops = {
1515     .read = sysbus_esp_pdma_read,
1516     .write = sysbus_esp_pdma_write,
1517     .endianness = DEVICE_NATIVE_ENDIAN,
1518     .valid.min_access_size = 1,
1519     .valid.max_access_size = 4,
1520     .impl.min_access_size = 1,
1521     .impl.max_access_size = 2,
1522 };
1523 
1524 static const struct SCSIBusInfo esp_scsi_info = {
1525     .tcq = false,
1526     .max_target = ESP_MAX_DEVS,
1527     .max_lun = 7,
1528 
1529     .load_request = esp_load_request,
1530     .transfer_data = esp_transfer_data,
1531     .complete = esp_command_complete,
1532     .cancel = esp_request_cancelled
1533 };
1534 
1535 static void sysbus_esp_gpio_demux(void *opaque, int irq, int level)
1536 {
1537     SysBusESPState *sysbus = SYSBUS_ESP(opaque);
1538     ESPState *s = ESP(&sysbus->esp);
1539 
1540     switch (irq) {
1541     case 0:
1542         parent_esp_reset(s, irq, level);
1543         break;
1544     case 1:
1545         esp_dma_enable(s, irq, level);
1546         break;
1547     }
1548 }
1549 
1550 static void sysbus_esp_realize(DeviceState *dev, Error **errp)
1551 {
1552     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1553     SysBusESPState *sysbus = SYSBUS_ESP(dev);
1554     ESPState *s = ESP(&sysbus->esp);
1555 
1556     if (!qdev_realize(DEVICE(s), NULL, errp)) {
1557         return;
1558     }
1559 
1560     sysbus_init_irq(sbd, &s->irq);
1561     sysbus_init_irq(sbd, &s->drq_irq);
1562     assert(sysbus->it_shift != -1);
1563 
1564     s->chip_id = TCHI_FAS100A;
1565     memory_region_init_io(&sysbus->iomem, OBJECT(sysbus), &sysbus_esp_mem_ops,
1566                           sysbus, "esp-regs", ESP_REGS << sysbus->it_shift);
1567     sysbus_init_mmio(sbd, &sysbus->iomem);
1568     memory_region_init_io(&sysbus->pdma, OBJECT(sysbus), &sysbus_esp_pdma_ops,
1569                           sysbus, "esp-pdma", 4);
1570     sysbus_init_mmio(sbd, &sysbus->pdma);
1571 
1572     qdev_init_gpio_in(dev, sysbus_esp_gpio_demux, 2);
1573 
1574     scsi_bus_init(&s->bus, sizeof(s->bus), dev, &esp_scsi_info);
1575 }
1576 
1577 static void sysbus_esp_hard_reset(DeviceState *dev)
1578 {
1579     SysBusESPState *sysbus = SYSBUS_ESP(dev);
1580     ESPState *s = ESP(&sysbus->esp);
1581 
1582     esp_hard_reset(s);
1583 }
1584 
1585 static void sysbus_esp_init(Object *obj)
1586 {
1587     SysBusESPState *sysbus = SYSBUS_ESP(obj);
1588 
1589     object_initialize_child(obj, "esp", &sysbus->esp, TYPE_ESP);
1590 }
1591 
1592 static const VMStateDescription vmstate_sysbus_esp_scsi = {
1593     .name = "sysbusespscsi",
1594     .version_id = 2,
1595     .minimum_version_id = 1,
1596     .pre_save = esp_pre_save,
1597     .fields = (const VMStateField[]) {
1598         VMSTATE_UINT8_V(esp.mig_version_id, SysBusESPState, 2),
1599         VMSTATE_STRUCT(esp, SysBusESPState, 0, vmstate_esp, ESPState),
1600         VMSTATE_END_OF_LIST()
1601     }
1602 };
1603 
1604 static void sysbus_esp_class_init(ObjectClass *klass, void *data)
1605 {
1606     DeviceClass *dc = DEVICE_CLASS(klass);
1607 
1608     dc->realize = sysbus_esp_realize;
1609     dc->reset = sysbus_esp_hard_reset;
1610     dc->vmsd = &vmstate_sysbus_esp_scsi;
1611     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
1612 }
1613 
1614 static void esp_finalize(Object *obj)
1615 {
1616     ESPState *s = ESP(obj);
1617 
1618     fifo8_destroy(&s->fifo);
1619     fifo8_destroy(&s->cmdfifo);
1620 }
1621 
1622 static void esp_init(Object *obj)
1623 {
1624     ESPState *s = ESP(obj);
1625 
1626     fifo8_create(&s->fifo, ESP_FIFO_SZ);
1627     fifo8_create(&s->cmdfifo, ESP_CMDFIFO_SZ);
1628 }
1629 
1630 static void esp_class_init(ObjectClass *klass, void *data)
1631 {
1632     DeviceClass *dc = DEVICE_CLASS(klass);
1633 
1634     /* internal device for sysbusesp/pciespscsi, not user-creatable */
1635     dc->user_creatable = false;
1636     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
1637 }
1638 
1639 static const TypeInfo esp_info_types[] = {
1640     {
1641         .name          = TYPE_SYSBUS_ESP,
1642         .parent        = TYPE_SYS_BUS_DEVICE,
1643         .instance_init = sysbus_esp_init,
1644         .instance_size = sizeof(SysBusESPState),
1645         .class_init    = sysbus_esp_class_init,
1646     },
1647     {
1648         .name = TYPE_ESP,
1649         .parent = TYPE_DEVICE,
1650         .instance_init = esp_init,
1651         .instance_finalize = esp_finalize,
1652         .instance_size = sizeof(ESPState),
1653         .class_init = esp_class_init,
1654     },
1655 };
1656 
1657 DEFINE_TYPES(esp_info_types)
1658