xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision 26fcd766)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/irq.h"
19 #include "hw/pci/pci.h"
20 #include "hw/scsi/scsi.h"
21 #include "migration/vmstate.h"
22 #include "sysemu/dma.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 #include "trace.h"
26 #include "qom/object.h"
27 
28 static const char *names[] = {
29     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
30     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
31     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
32     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
33     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
34     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
35     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
36     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
37     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
38     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
39     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
40     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
41 };
42 
43 #define LSI_MAX_DEVS 7
44 
45 #define LSI_SCNTL0_TRG    0x01
46 #define LSI_SCNTL0_AAP    0x02
47 #define LSI_SCNTL0_EPC    0x08
48 #define LSI_SCNTL0_WATN   0x10
49 #define LSI_SCNTL0_START  0x20
50 
51 #define LSI_SCNTL1_SST    0x01
52 #define LSI_SCNTL1_IARB   0x02
53 #define LSI_SCNTL1_AESP   0x04
54 #define LSI_SCNTL1_RST    0x08
55 #define LSI_SCNTL1_CON    0x10
56 #define LSI_SCNTL1_DHP    0x20
57 #define LSI_SCNTL1_ADB    0x40
58 #define LSI_SCNTL1_EXC    0x80
59 
60 #define LSI_SCNTL2_WSR    0x01
61 #define LSI_SCNTL2_VUE0   0x02
62 #define LSI_SCNTL2_VUE1   0x04
63 #define LSI_SCNTL2_WSS    0x08
64 #define LSI_SCNTL2_SLPHBEN 0x10
65 #define LSI_SCNTL2_SLPMD  0x20
66 #define LSI_SCNTL2_CHM    0x40
67 #define LSI_SCNTL2_SDU    0x80
68 
69 #define LSI_ISTAT0_DIP    0x01
70 #define LSI_ISTAT0_SIP    0x02
71 #define LSI_ISTAT0_INTF   0x04
72 #define LSI_ISTAT0_CON    0x08
73 #define LSI_ISTAT0_SEM    0x10
74 #define LSI_ISTAT0_SIGP   0x20
75 #define LSI_ISTAT0_SRST   0x40
76 #define LSI_ISTAT0_ABRT   0x80
77 
78 #define LSI_ISTAT1_SI     0x01
79 #define LSI_ISTAT1_SRUN   0x02
80 #define LSI_ISTAT1_FLSH   0x04
81 
82 #define LSI_SSTAT0_SDP0   0x01
83 #define LSI_SSTAT0_RST    0x02
84 #define LSI_SSTAT0_WOA    0x04
85 #define LSI_SSTAT0_LOA    0x08
86 #define LSI_SSTAT0_AIP    0x10
87 #define LSI_SSTAT0_OLF    0x20
88 #define LSI_SSTAT0_ORF    0x40
89 #define LSI_SSTAT0_ILF    0x80
90 
91 #define LSI_SIST0_PAR     0x01
92 #define LSI_SIST0_RST     0x02
93 #define LSI_SIST0_UDC     0x04
94 #define LSI_SIST0_SGE     0x08
95 #define LSI_SIST0_RSL     0x10
96 #define LSI_SIST0_SEL     0x20
97 #define LSI_SIST0_CMP     0x40
98 #define LSI_SIST0_MA      0x80
99 
100 #define LSI_SIST1_HTH     0x01
101 #define LSI_SIST1_GEN     0x02
102 #define LSI_SIST1_STO     0x04
103 #define LSI_SIST1_SBMC    0x10
104 
105 #define LSI_SOCL_IO       0x01
106 #define LSI_SOCL_CD       0x02
107 #define LSI_SOCL_MSG      0x04
108 #define LSI_SOCL_ATN      0x08
109 #define LSI_SOCL_SEL      0x10
110 #define LSI_SOCL_BSY      0x20
111 #define LSI_SOCL_ACK      0x40
112 #define LSI_SOCL_REQ      0x80
113 
114 #define LSI_DSTAT_IID     0x01
115 #define LSI_DSTAT_SIR     0x04
116 #define LSI_DSTAT_SSI     0x08
117 #define LSI_DSTAT_ABRT    0x10
118 #define LSI_DSTAT_BF      0x20
119 #define LSI_DSTAT_MDPE    0x40
120 #define LSI_DSTAT_DFE     0x80
121 
122 #define LSI_DCNTL_COM     0x01
123 #define LSI_DCNTL_IRQD    0x02
124 #define LSI_DCNTL_STD     0x04
125 #define LSI_DCNTL_IRQM    0x08
126 #define LSI_DCNTL_SSM     0x10
127 #define LSI_DCNTL_PFEN    0x20
128 #define LSI_DCNTL_PFF     0x40
129 #define LSI_DCNTL_CLSE    0x80
130 
131 #define LSI_DMODE_MAN     0x01
132 #define LSI_DMODE_BOF     0x02
133 #define LSI_DMODE_ERMP    0x04
134 #define LSI_DMODE_ERL     0x08
135 #define LSI_DMODE_DIOM    0x10
136 #define LSI_DMODE_SIOM    0x20
137 
138 #define LSI_CTEST2_DACK   0x01
139 #define LSI_CTEST2_DREQ   0x02
140 #define LSI_CTEST2_TEOP   0x04
141 #define LSI_CTEST2_PCICIE 0x08
142 #define LSI_CTEST2_CM     0x10
143 #define LSI_CTEST2_CIO    0x20
144 #define LSI_CTEST2_SIGP   0x40
145 #define LSI_CTEST2_DDIR   0x80
146 
147 #define LSI_CTEST5_BL2    0x04
148 #define LSI_CTEST5_DDIR   0x08
149 #define LSI_CTEST5_MASR   0x10
150 #define LSI_CTEST5_DFSN   0x20
151 #define LSI_CTEST5_BBCK   0x40
152 #define LSI_CTEST5_ADCK   0x80
153 
154 #define LSI_CCNTL0_DILS   0x01
155 #define LSI_CCNTL0_DISFC  0x10
156 #define LSI_CCNTL0_ENNDJ  0x20
157 #define LSI_CCNTL0_PMJCTL 0x40
158 #define LSI_CCNTL0_ENPMJ  0x80
159 
160 #define LSI_CCNTL1_EN64DBMV  0x01
161 #define LSI_CCNTL1_EN64TIBMV 0x02
162 #define LSI_CCNTL1_64TIMOD   0x04
163 #define LSI_CCNTL1_DDAC      0x08
164 #define LSI_CCNTL1_ZMOD      0x80
165 
166 #define LSI_SBCL_ATN         0x08
167 #define LSI_SBCL_BSY         0x20
168 #define LSI_SBCL_ACK         0x40
169 #define LSI_SBCL_REQ         0x80
170 
171 /* Enable Response to Reselection */
172 #define LSI_SCID_RRE      0x60
173 
174 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
175 
176 #define PHASE_DO          0
177 #define PHASE_DI          1
178 #define PHASE_CMD         2
179 #define PHASE_ST          3
180 #define PHASE_MO          6
181 #define PHASE_MI          7
182 #define PHASE_MASK        7
183 
184 /* Maximum length of MSG IN data.  */
185 #define LSI_MAX_MSGIN_LEN 8
186 
187 /* Flag set if this is a tagged command.  */
188 #define LSI_TAG_VALID     (1 << 16)
189 
190 /* Maximum instructions to process. */
191 #define LSI_MAX_INSN    10000
192 
193 typedef struct lsi_request {
194     SCSIRequest *req;
195     uint32_t tag;
196     uint32_t dma_len;
197     uint8_t *dma_buf;
198     uint32_t pending;
199     int out;
200     QTAILQ_ENTRY(lsi_request) next;
201 } lsi_request;
202 
203 enum {
204     LSI_NOWAIT, /* SCRIPTS are running or stopped */
205     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
206     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
207     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
208 };
209 
210 enum {
211     LSI_MSG_ACTION_COMMAND = 0,
212     LSI_MSG_ACTION_DISCONNECT = 1,
213     LSI_MSG_ACTION_DOUT = 2,
214     LSI_MSG_ACTION_DIN = 3,
215 };
216 
217 struct LSIState {
218     /*< private >*/
219     PCIDevice parent_obj;
220     /*< public >*/
221 
222     qemu_irq ext_irq;
223     MemoryRegion mmio_io;
224     MemoryRegion ram_io;
225     MemoryRegion io_io;
226     AddressSpace pci_io_as;
227 
228     int carry; /* ??? Should this be an a visible register somewhere?  */
229     int status;
230     int msg_action;
231     int msg_len;
232     uint8_t msg[LSI_MAX_MSGIN_LEN];
233     int waiting;
234     SCSIBus bus;
235     int current_lun;
236     /* The tag is a combination of the device ID and the SCSI tag.  */
237     uint32_t select_tag;
238     int command_complete;
239     QTAILQ_HEAD(, lsi_request) queue;
240     lsi_request *current;
241 
242     uint32_t dsa;
243     uint32_t temp;
244     uint32_t dnad;
245     uint32_t dbc;
246     uint8_t istat0;
247     uint8_t istat1;
248     uint8_t dcmd;
249     uint8_t dstat;
250     uint8_t dien;
251     uint8_t sist0;
252     uint8_t sist1;
253     uint8_t sien0;
254     uint8_t sien1;
255     uint8_t mbox0;
256     uint8_t mbox1;
257     uint8_t dfifo;
258     uint8_t ctest2;
259     uint8_t ctest3;
260     uint8_t ctest4;
261     uint8_t ctest5;
262     uint8_t ccntl0;
263     uint8_t ccntl1;
264     uint32_t dsp;
265     uint32_t dsps;
266     uint8_t dmode;
267     uint8_t dcntl;
268     uint8_t scntl0;
269     uint8_t scntl1;
270     uint8_t scntl2;
271     uint8_t scntl3;
272     uint8_t sstat0;
273     uint8_t sstat1;
274     uint8_t scid;
275     uint8_t sxfer;
276     uint8_t socl;
277     uint8_t sdid;
278     uint8_t ssid;
279     uint8_t sfbr;
280     uint8_t sbcl;
281     uint8_t stest1;
282     uint8_t stest2;
283     uint8_t stest3;
284     uint8_t sidl;
285     uint8_t stime0;
286     uint8_t respid0;
287     uint8_t respid1;
288     uint32_t mmrs;
289     uint32_t mmws;
290     uint32_t sfs;
291     uint32_t drs;
292     uint32_t sbms;
293     uint32_t dbms;
294     uint32_t dnad64;
295     uint32_t pmjad1;
296     uint32_t pmjad2;
297     uint32_t rbc;
298     uint32_t ua;
299     uint32_t ia;
300     uint32_t sbc;
301     uint32_t csbc;
302     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
303     uint8_t sbr;
304     uint32_t adder;
305 
306     uint8_t script_ram[2048 * sizeof(uint32_t)];
307 };
308 
309 #define TYPE_LSI53C810  "lsi53c810"
310 #define TYPE_LSI53C895A "lsi53c895a"
311 
312 OBJECT_DECLARE_SIMPLE_TYPE(LSIState, LSI53C895A)
313 
314 static const char *scsi_phases[] = {
315     "DOUT",
316     "DIN",
317     "CMD",
318     "STATUS",
319     "RSVOUT",
320     "RSVIN",
321     "MSGOUT",
322     "MSGIN"
323 };
324 
325 static const char *scsi_phase_name(int phase)
326 {
327     return scsi_phases[phase & PHASE_MASK];
328 }
329 
330 static inline int lsi_irq_on_rsl(LSIState *s)
331 {
332     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
333 }
334 
335 static lsi_request *get_pending_req(LSIState *s)
336 {
337     lsi_request *p;
338 
339     QTAILQ_FOREACH(p, &s->queue, next) {
340         if (p->pending) {
341             return p;
342         }
343     }
344     return NULL;
345 }
346 
347 static void lsi_soft_reset(LSIState *s)
348 {
349     trace_lsi_reset();
350     s->carry = 0;
351 
352     s->msg_action = LSI_MSG_ACTION_COMMAND;
353     s->msg_len = 0;
354     s->waiting = LSI_NOWAIT;
355     s->dsa = 0;
356     s->dnad = 0;
357     s->dbc = 0;
358     s->temp = 0;
359     memset(s->scratch, 0, sizeof(s->scratch));
360     s->istat0 = 0;
361     s->istat1 = 0;
362     s->dcmd = 0x40;
363     s->dstat = 0;
364     s->dien = 0;
365     s->sist0 = 0;
366     s->sist1 = 0;
367     s->sien0 = 0;
368     s->sien1 = 0;
369     s->mbox0 = 0;
370     s->mbox1 = 0;
371     s->dfifo = 0;
372     s->ctest2 = LSI_CTEST2_DACK;
373     s->ctest3 = 0;
374     s->ctest4 = 0;
375     s->ctest5 = 0;
376     s->ccntl0 = 0;
377     s->ccntl1 = 0;
378     s->dsp = 0;
379     s->dsps = 0;
380     s->dmode = 0;
381     s->dcntl = 0;
382     s->scntl0 = 0xc0;
383     s->scntl1 = 0;
384     s->scntl2 = 0;
385     s->scntl3 = 0;
386     s->sstat0 = 0;
387     s->sstat1 = 0;
388     s->scid = 7;
389     s->sxfer = 0;
390     s->socl = 0;
391     s->sdid = 0;
392     s->ssid = 0;
393     s->sbcl = 0;
394     s->stest1 = 0;
395     s->stest2 = 0;
396     s->stest3 = 0;
397     s->sidl = 0;
398     s->stime0 = 0;
399     s->respid0 = 0x80;
400     s->respid1 = 0;
401     s->mmrs = 0;
402     s->mmws = 0;
403     s->sfs = 0;
404     s->drs = 0;
405     s->sbms = 0;
406     s->dbms = 0;
407     s->dnad64 = 0;
408     s->pmjad1 = 0;
409     s->pmjad2 = 0;
410     s->rbc = 0;
411     s->ua = 0;
412     s->ia = 0;
413     s->sbc = 0;
414     s->csbc = 0;
415     s->sbr = 0;
416     assert(QTAILQ_EMPTY(&s->queue));
417     assert(!s->current);
418 }
419 
420 static int lsi_dma_40bit(LSIState *s)
421 {
422     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
423         return 1;
424     return 0;
425 }
426 
427 static int lsi_dma_ti64bit(LSIState *s)
428 {
429     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
430         return 1;
431     return 0;
432 }
433 
434 static int lsi_dma_64bit(LSIState *s)
435 {
436     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
437         return 1;
438     return 0;
439 }
440 
441 static uint8_t lsi_reg_readb(LSIState *s, int offset);
442 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
443 static void lsi_execute_script(LSIState *s);
444 static void lsi_reselect(LSIState *s, lsi_request *p);
445 
446 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
447                                void *buf, dma_addr_t len)
448 {
449     if (s->dmode & LSI_DMODE_SIOM) {
450         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
451                            buf, len);
452     } else {
453         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
454     }
455 }
456 
457 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
458                                 const void *buf, dma_addr_t len)
459 {
460     if (s->dmode & LSI_DMODE_DIOM) {
461         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
462                             buf, len);
463     } else {
464         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
465     }
466 }
467 
468 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
469 {
470     uint32_t buf;
471 
472     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
473     return cpu_to_le32(buf);
474 }
475 
476 static void lsi_stop_script(LSIState *s)
477 {
478     s->istat1 &= ~LSI_ISTAT1_SRUN;
479 }
480 
481 static void lsi_set_irq(LSIState *s, int level)
482 {
483     PCIDevice *d = PCI_DEVICE(s);
484 
485     if (s->ext_irq) {
486         qemu_set_irq(s->ext_irq, level);
487     } else {
488         pci_set_irq(d, level);
489     }
490 }
491 
492 static void lsi_update_irq(LSIState *s)
493 {
494     int level;
495     static int last_level;
496 
497     /* It's unclear whether the DIP/SIP bits should be cleared when the
498        Interrupt Status Registers are cleared or when istat0 is read.
499        We currently do the formwer, which seems to work.  */
500     level = 0;
501     if (s->dstat) {
502         if (s->dstat & s->dien)
503             level = 1;
504         s->istat0 |= LSI_ISTAT0_DIP;
505     } else {
506         s->istat0 &= ~LSI_ISTAT0_DIP;
507     }
508 
509     if (s->sist0 || s->sist1) {
510         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
511             level = 1;
512         s->istat0 |= LSI_ISTAT0_SIP;
513     } else {
514         s->istat0 &= ~LSI_ISTAT0_SIP;
515     }
516     if (s->istat0 & LSI_ISTAT0_INTF)
517         level = 1;
518 
519     if (level != last_level) {
520         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
521         last_level = level;
522     }
523     lsi_set_irq(s, level);
524 
525     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
526         lsi_request *p;
527 
528         trace_lsi_update_irq_disconnected();
529         p = get_pending_req(s);
530         if (p) {
531             lsi_reselect(s, p);
532         }
533     }
534 }
535 
536 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
537 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
538 {
539     uint32_t mask0;
540     uint32_t mask1;
541 
542     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
543     s->sist0 |= stat0;
544     s->sist1 |= stat1;
545     /* Stop processor on fatal or unmasked interrupt.  As a special hack
546        we don't stop processing when raising STO.  Instead continue
547        execution and stop at the next insn that accesses the SCSI bus.  */
548     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
549     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
550     mask1 &= ~LSI_SIST1_STO;
551     if (s->sist0 & mask0 || s->sist1 & mask1) {
552         lsi_stop_script(s);
553     }
554     lsi_update_irq(s);
555 }
556 
557 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
558 static void lsi_script_dma_interrupt(LSIState *s, int stat)
559 {
560     trace_lsi_script_dma_interrupt(stat, s->dstat);
561     s->dstat |= stat;
562     lsi_update_irq(s);
563     lsi_stop_script(s);
564 }
565 
566 static inline void lsi_set_phase(LSIState *s, int phase)
567 {
568     s->sbcl &= ~PHASE_MASK;
569     s->sbcl |= phase | LSI_SBCL_REQ;
570     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
571 }
572 
573 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
574 {
575     /* Trigger a phase mismatch.  */
576     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
577         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
578             s->dsp = out ? s->pmjad1 : s->pmjad2;
579         } else {
580             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
581         }
582         trace_lsi_bad_phase_jump(s->dsp);
583     } else {
584         trace_lsi_bad_phase_interrupt();
585         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
586         lsi_stop_script(s);
587     }
588     lsi_set_phase(s, new_phase);
589 }
590 
591 
592 /* Resume SCRIPTS execution after a DMA operation.  */
593 static void lsi_resume_script(LSIState *s)
594 {
595     if (s->waiting != 2) {
596         s->waiting = LSI_NOWAIT;
597         lsi_execute_script(s);
598     } else {
599         s->waiting = LSI_NOWAIT;
600     }
601 }
602 
603 static void lsi_disconnect(LSIState *s)
604 {
605     s->scntl1 &= ~LSI_SCNTL1_CON;
606     s->sstat1 &= ~PHASE_MASK;
607     s->sbcl = 0;
608 }
609 
610 static void lsi_bad_selection(LSIState *s, uint32_t id)
611 {
612     trace_lsi_bad_selection(id);
613     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
614     lsi_disconnect(s);
615 }
616 
617 /* Initiate a SCSI layer data transfer.  */
618 static void lsi_do_dma(LSIState *s, int out)
619 {
620     uint32_t count;
621     dma_addr_t addr;
622     SCSIDevice *dev;
623 
624     if (!s->current || !s->current->dma_len) {
625         /* Wait until data is available.  */
626         trace_lsi_do_dma_unavailable();
627         return;
628     }
629 
630     dev = s->current->req->dev;
631     assert(dev);
632 
633     count = s->dbc;
634     if (count > s->current->dma_len)
635         count = s->current->dma_len;
636 
637     addr = s->dnad;
638     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
639     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
640         addr |= ((uint64_t)s->dnad64 << 32);
641     else if (s->dbms)
642         addr |= ((uint64_t)s->dbms << 32);
643     else if (s->sbms)
644         addr |= ((uint64_t)s->sbms << 32);
645 
646     trace_lsi_do_dma(addr, count);
647     s->csbc += count;
648     s->dnad += count;
649     s->dbc -= count;
650      if (s->current->dma_buf == NULL) {
651         s->current->dma_buf = scsi_req_get_buf(s->current->req);
652     }
653     /* ??? Set SFBR to first data byte.  */
654     if (out) {
655         lsi_mem_read(s, addr, s->current->dma_buf, count);
656     } else {
657         lsi_mem_write(s, addr, s->current->dma_buf, count);
658     }
659     s->current->dma_len -= count;
660     if (s->current->dma_len == 0) {
661         s->current->dma_buf = NULL;
662         scsi_req_continue(s->current->req);
663     } else {
664         s->current->dma_buf += count;
665         lsi_resume_script(s);
666     }
667 }
668 
669 
670 /* Add a command to the queue.  */
671 static void lsi_queue_command(LSIState *s)
672 {
673     lsi_request *p = s->current;
674 
675     trace_lsi_queue_command(p->tag);
676     assert(s->current != NULL);
677     assert(s->current->dma_len == 0);
678     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
679     s->current = NULL;
680 
681     p->pending = 0;
682     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
683 }
684 
685 /* Queue a byte for a MSG IN phase.  */
686 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
687 {
688     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
689         trace_lsi_add_msg_byte_error();
690     } else {
691         trace_lsi_add_msg_byte(data);
692         s->msg[s->msg_len++] = data;
693     }
694 }
695 
696 /* Perform reselection to continue a command.  */
697 static void lsi_reselect(LSIState *s, lsi_request *p)
698 {
699     int id;
700 
701     assert(s->current == NULL);
702     QTAILQ_REMOVE(&s->queue, p, next);
703     s->current = p;
704 
705     id = (p->tag >> 8) & 0xf;
706     s->ssid = id | 0x80;
707     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
708     if (!(s->dcntl & LSI_DCNTL_COM)) {
709         s->sfbr = 1 << (id & 0x7);
710     }
711     trace_lsi_reselect(id);
712     s->scntl1 |= LSI_SCNTL1_CON;
713     lsi_set_phase(s, PHASE_MI);
714     s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
715     s->current->dma_len = p->pending;
716     lsi_add_msg_byte(s, 0x80);
717     if (s->current->tag & LSI_TAG_VALID) {
718         lsi_add_msg_byte(s, 0x20);
719         lsi_add_msg_byte(s, p->tag & 0xff);
720     }
721 
722     if (lsi_irq_on_rsl(s)) {
723         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
724     }
725 }
726 
727 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
728 {
729     lsi_request *p;
730 
731     QTAILQ_FOREACH(p, &s->queue, next) {
732         if (p->tag == tag) {
733             return p;
734         }
735     }
736 
737     return NULL;
738 }
739 
740 static void lsi_request_free(LSIState *s, lsi_request *p)
741 {
742     if (p == s->current) {
743         s->current = NULL;
744     } else {
745         QTAILQ_REMOVE(&s->queue, p, next);
746     }
747     g_free(p);
748 }
749 
750 static void lsi_request_cancelled(SCSIRequest *req)
751 {
752     LSIState *s = LSI53C895A(req->bus->qbus.parent);
753     lsi_request *p = req->hba_private;
754 
755     req->hba_private = NULL;
756     lsi_request_free(s, p);
757     scsi_req_unref(req);
758 }
759 
760 /* Record that data is available for a queued command.  Returns zero if
761    the device was reselected, nonzero if the IO is deferred.  */
762 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
763 {
764     lsi_request *p = req->hba_private;
765 
766     if (p->pending) {
767         trace_lsi_queue_req_error(p);
768     }
769     p->pending = len;
770     /* Reselect if waiting for it, or if reselection triggers an IRQ
771        and the bus is free.
772        Since no interrupt stacking is implemented in the emulation, it
773        is also required that there are no pending interrupts waiting
774        for service from the device driver. */
775     if (s->waiting == LSI_WAIT_RESELECT ||
776         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
777          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
778         /* Reselect device.  */
779         lsi_reselect(s, p);
780         return 0;
781     } else {
782         trace_lsi_queue_req(p->tag);
783         p->pending = len;
784         return 1;
785     }
786 }
787 
788  /* Callback to indicate that the SCSI layer has completed a command.  */
789 static void lsi_command_complete(SCSIRequest *req, size_t resid)
790 {
791     LSIState *s = LSI53C895A(req->bus->qbus.parent);
792     int out;
793 
794     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
795     trace_lsi_command_complete(req->status);
796     s->status = req->status;
797     s->command_complete = 2;
798     if (s->waiting && s->dbc != 0) {
799         /* Raise phase mismatch for short transfers.  */
800         lsi_bad_phase(s, out, PHASE_ST);
801     } else {
802         lsi_set_phase(s, PHASE_ST);
803     }
804 
805     if (req->hba_private == s->current) {
806         req->hba_private = NULL;
807         lsi_request_free(s, s->current);
808         scsi_req_unref(req);
809     }
810     lsi_resume_script(s);
811 }
812 
813  /* Callback to indicate that the SCSI layer has completed a transfer.  */
814 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
815 {
816     LSIState *s = LSI53C895A(req->bus->qbus.parent);
817     int out;
818 
819     assert(req->hba_private);
820     if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
821         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
822         if (lsi_queue_req(s, req, len)) {
823             return;
824         }
825     }
826 
827     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
828 
829     /* host adapter (re)connected */
830     trace_lsi_transfer_data(req->tag, len);
831     s->current->dma_len = len;
832     s->command_complete = 1;
833     if (s->waiting) {
834         if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
835             lsi_resume_script(s);
836         } else {
837             lsi_do_dma(s, out);
838         }
839     }
840 }
841 
842 static void lsi_do_command(LSIState *s)
843 {
844     SCSIDevice *dev;
845     uint8_t buf[16];
846     uint32_t id;
847     int n;
848 
849     trace_lsi_do_command(s->dbc);
850     if (s->dbc > 16)
851         s->dbc = 16;
852     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
853     s->sfbr = buf[0];
854     s->command_complete = 0;
855 
856     id = (s->select_tag >> 8) & 0xf;
857     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
858     if (!dev) {
859         lsi_bad_selection(s, id);
860         return;
861     }
862 
863     assert(s->current == NULL);
864     s->current = g_new0(lsi_request, 1);
865     s->current->tag = s->select_tag;
866     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
867                                    s->current);
868 
869     n = scsi_req_enqueue(s->current->req);
870     if (n) {
871         if (n > 0) {
872             lsi_set_phase(s, PHASE_DI);
873         } else if (n < 0) {
874             lsi_set_phase(s, PHASE_DO);
875         }
876         scsi_req_continue(s->current->req);
877     }
878     if (!s->command_complete) {
879         if (n) {
880             /* Command did not complete immediately so disconnect.  */
881             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
882             lsi_add_msg_byte(s, 4); /* DISCONNECT */
883             /* wait data */
884             lsi_set_phase(s, PHASE_MI);
885             s->msg_action = LSI_MSG_ACTION_DISCONNECT;
886             lsi_queue_command(s);
887         } else {
888             /* wait command complete */
889             lsi_set_phase(s, PHASE_DI);
890         }
891     }
892 }
893 
894 static void lsi_do_status(LSIState *s)
895 {
896     uint8_t status;
897     trace_lsi_do_status(s->dbc, s->status);
898     if (s->dbc != 1) {
899         trace_lsi_do_status_error();
900     }
901     s->dbc = 1;
902     status = s->status;
903     s->sfbr = status;
904     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
905     lsi_set_phase(s, PHASE_MI);
906     s->msg_action = LSI_MSG_ACTION_DISCONNECT;
907     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
908 }
909 
910 static void lsi_do_msgin(LSIState *s)
911 {
912     uint8_t len;
913     trace_lsi_do_msgin(s->dbc, s->msg_len);
914     s->sfbr = s->msg[0];
915     len = s->msg_len;
916     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
917     if (len > s->dbc)
918         len = s->dbc;
919     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
920     /* Linux drivers rely on the last byte being in the SIDL.  */
921     s->sidl = s->msg[len - 1];
922     s->msg_len -= len;
923     if (s->msg_len) {
924         memmove(s->msg, s->msg + len, s->msg_len);
925     } else {
926         /* ??? Check if ATN (not yet implemented) is asserted and maybe
927            switch to PHASE_MO.  */
928         switch (s->msg_action) {
929         case LSI_MSG_ACTION_COMMAND:
930             lsi_set_phase(s, PHASE_CMD);
931             break;
932         case LSI_MSG_ACTION_DISCONNECT:
933             lsi_disconnect(s);
934             break;
935         case LSI_MSG_ACTION_DOUT:
936             lsi_set_phase(s, PHASE_DO);
937             break;
938         case LSI_MSG_ACTION_DIN:
939             lsi_set_phase(s, PHASE_DI);
940             break;
941         default:
942             abort();
943         }
944     }
945 }
946 
947 /* Read the next byte during a MSGOUT phase.  */
948 static uint8_t lsi_get_msgbyte(LSIState *s)
949 {
950     uint8_t data;
951     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
952     s->dnad++;
953     s->dbc--;
954     return data;
955 }
956 
957 /* Skip the next n bytes during a MSGOUT phase. */
958 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
959 {
960     s->dnad += n;
961     s->dbc  -= n;
962 }
963 
964 static void lsi_do_msgout(LSIState *s)
965 {
966     uint8_t msg;
967     int len;
968     uint32_t current_tag;
969     lsi_request *current_req, *p, *p_next;
970 
971     if (s->current) {
972         current_tag = s->current->tag;
973         current_req = s->current;
974     } else {
975         current_tag = s->select_tag;
976         current_req = lsi_find_by_tag(s, current_tag);
977     }
978 
979     trace_lsi_do_msgout(s->dbc);
980     while (s->dbc) {
981         msg = lsi_get_msgbyte(s);
982         s->sfbr = msg;
983 
984         switch (msg) {
985         case 0x04:
986             trace_lsi_do_msgout_disconnect();
987             lsi_disconnect(s);
988             break;
989         case 0x08:
990             trace_lsi_do_msgout_noop();
991             lsi_set_phase(s, PHASE_CMD);
992             break;
993         case 0x01:
994             len = lsi_get_msgbyte(s);
995             msg = lsi_get_msgbyte(s);
996             (void)len; /* avoid a warning about unused variable*/
997             trace_lsi_do_msgout_extended(msg, len);
998             switch (msg) {
999             case 1:
1000                 trace_lsi_do_msgout_ignored("SDTR");
1001                 lsi_skip_msgbytes(s, 2);
1002                 break;
1003             case 3:
1004                 trace_lsi_do_msgout_ignored("WDTR");
1005                 lsi_skip_msgbytes(s, 1);
1006                 break;
1007             case 4:
1008                 trace_lsi_do_msgout_ignored("PPR");
1009                 lsi_skip_msgbytes(s, 5);
1010                 break;
1011             default:
1012                 goto bad;
1013             }
1014             break;
1015         case 0x20: /* SIMPLE queue */
1016             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1017             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1018             break;
1019         case 0x21: /* HEAD of queue */
1020             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1021             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1022             break;
1023         case 0x22: /* ORDERED queue */
1024             qemu_log_mask(LOG_UNIMP,
1025                           "lsi_scsi: ORDERED queue not implemented\n");
1026             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1027             break;
1028         case 0x0d:
1029             /* The ABORT TAG message clears the current I/O process only. */
1030             trace_lsi_do_msgout_abort(current_tag);
1031             if (current_req) {
1032                 scsi_req_cancel(current_req->req);
1033             }
1034             lsi_disconnect(s);
1035             break;
1036         case 0x06:
1037         case 0x0e:
1038         case 0x0c:
1039             /* The ABORT message clears all I/O processes for the selecting
1040                initiator on the specified logical unit of the target. */
1041             if (msg == 0x06) {
1042                 trace_lsi_do_msgout_abort(current_tag);
1043             }
1044             /* The CLEAR QUEUE message clears all I/O processes for all
1045                initiators on the specified logical unit of the target. */
1046             if (msg == 0x0e) {
1047                 trace_lsi_do_msgout_clearqueue(current_tag);
1048             }
1049             /* The BUS DEVICE RESET message clears all I/O processes for all
1050                initiators on all logical units of the target. */
1051             if (msg == 0x0c) {
1052                 trace_lsi_do_msgout_busdevicereset(current_tag);
1053             }
1054 
1055             /* clear the current I/O process */
1056             if (s->current) {
1057                 scsi_req_cancel(s->current->req);
1058             }
1059 
1060             /* As the current implemented devices scsi_disk and scsi_generic
1061                only support one LUN, we don't need to keep track of LUNs.
1062                Clearing I/O processes for other initiators could be possible
1063                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1064                device, but this is currently not implemented (and seems not
1065                to be really necessary). So let's simply clear all queued
1066                commands for the current device: */
1067             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1068                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1069                     scsi_req_cancel(p->req);
1070                 }
1071             }
1072 
1073             lsi_disconnect(s);
1074             break;
1075         default:
1076             if ((msg & 0x80) == 0) {
1077                 goto bad;
1078             }
1079             s->current_lun = msg & 7;
1080             trace_lsi_do_msgout_select(s->current_lun);
1081             lsi_set_phase(s, PHASE_CMD);
1082             break;
1083         }
1084     }
1085     return;
1086 bad:
1087     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1088     lsi_set_phase(s, PHASE_MI);
1089     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1090     s->msg_action = LSI_MSG_ACTION_COMMAND;
1091 }
1092 
1093 #define LSI_BUF_SIZE 4096
1094 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1095 {
1096     int n;
1097     uint8_t buf[LSI_BUF_SIZE];
1098 
1099     trace_lsi_memcpy(dest, src, count);
1100     while (count) {
1101         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1102         lsi_mem_read(s, src, buf, n);
1103         lsi_mem_write(s, dest, buf, n);
1104         src += n;
1105         dest += n;
1106         count -= n;
1107     }
1108 }
1109 
1110 static void lsi_wait_reselect(LSIState *s)
1111 {
1112     lsi_request *p;
1113 
1114     trace_lsi_wait_reselect();
1115 
1116     if (s->current) {
1117         return;
1118     }
1119     p = get_pending_req(s);
1120     if (p) {
1121         lsi_reselect(s, p);
1122     }
1123     if (s->current == NULL) {
1124         s->waiting = LSI_WAIT_RESELECT;
1125     }
1126 }
1127 
1128 static void lsi_execute_script(LSIState *s)
1129 {
1130     PCIDevice *pci_dev = PCI_DEVICE(s);
1131     uint32_t insn;
1132     uint32_t addr, addr_high;
1133     int opcode;
1134     int insn_processed = 0;
1135 
1136     s->istat1 |= LSI_ISTAT1_SRUN;
1137 again:
1138     if (++insn_processed > LSI_MAX_INSN) {
1139         /* Some windows drivers make the device spin waiting for a memory
1140            location to change.  If we have been executed a lot of code then
1141            assume this is the case and force an unexpected device disconnect.
1142            This is apparently sufficient to beat the drivers into submission.
1143          */
1144         if (!(s->sien0 & LSI_SIST0_UDC)) {
1145             qemu_log_mask(LOG_GUEST_ERROR,
1146                           "lsi_scsi: inf. loop with UDC masked");
1147         }
1148         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1149         lsi_disconnect(s);
1150         trace_lsi_execute_script_stop();
1151         return;
1152     }
1153     insn = read_dword(s, s->dsp);
1154     if (!insn) {
1155         /* If we receive an empty opcode increment the DSP by 4 bytes
1156            instead of 8 and execute the next opcode at that location */
1157         s->dsp += 4;
1158         goto again;
1159     }
1160     addr = read_dword(s, s->dsp + 4);
1161     addr_high = 0;
1162     trace_lsi_execute_script(s->dsp, insn, addr);
1163     s->dsps = addr;
1164     s->dcmd = insn >> 24;
1165     s->dsp += 8;
1166     switch (insn >> 30) {
1167     case 0: /* Block move.  */
1168         if (s->sist1 & LSI_SIST1_STO) {
1169             trace_lsi_execute_script_blockmove_delayed();
1170             lsi_stop_script(s);
1171             break;
1172         }
1173         s->dbc = insn & 0xffffff;
1174         s->rbc = s->dbc;
1175         /* ??? Set ESA.  */
1176         s->ia = s->dsp - 8;
1177         if (insn & (1 << 29)) {
1178             /* Indirect addressing.  */
1179             addr = read_dword(s, addr);
1180         } else if (insn & (1 << 28)) {
1181             uint32_t buf[2];
1182             int32_t offset;
1183             /* Table indirect addressing.  */
1184 
1185             /* 32-bit Table indirect */
1186             offset = sextract32(addr, 0, 24);
1187             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1188             /* byte count is stored in bits 0:23 only */
1189             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1190             s->rbc = s->dbc;
1191             addr = cpu_to_le32(buf[1]);
1192 
1193             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1194              * table, bits [31:24] */
1195             if (lsi_dma_40bit(s))
1196                 addr_high = cpu_to_le32(buf[0]) >> 24;
1197             else if (lsi_dma_ti64bit(s)) {
1198                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1199                 switch (selector) {
1200                 case 0 ... 0x0f:
1201                     /* offset index into scratch registers since
1202                      * TI64 mode can use registers C to R */
1203                     addr_high = s->scratch[2 + selector];
1204                     break;
1205                 case 0x10:
1206                     addr_high = s->mmrs;
1207                     break;
1208                 case 0x11:
1209                     addr_high = s->mmws;
1210                     break;
1211                 case 0x12:
1212                     addr_high = s->sfs;
1213                     break;
1214                 case 0x13:
1215                     addr_high = s->drs;
1216                     break;
1217                 case 0x14:
1218                     addr_high = s->sbms;
1219                     break;
1220                 case 0x15:
1221                     addr_high = s->dbms;
1222                     break;
1223                 default:
1224                     qemu_log_mask(LOG_GUEST_ERROR,
1225                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1226                           "for 64-bit DMA block move", selector);
1227                     break;
1228                 }
1229             }
1230         } else if (lsi_dma_64bit(s)) {
1231             /* fetch a 3rd dword if 64-bit direct move is enabled and
1232                only if we're not doing table indirect or indirect addressing */
1233             s->dbms = read_dword(s, s->dsp);
1234             s->dsp += 4;
1235             s->ia = s->dsp - 12;
1236         }
1237         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1238             trace_lsi_execute_script_blockmove_badphase(
1239                     scsi_phase_name(s->sstat1),
1240                     scsi_phase_name(insn >> 24));
1241             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1242             break;
1243         }
1244         s->dnad = addr;
1245         s->dnad64 = addr_high;
1246         switch (s->sstat1 & 0x7) {
1247         case PHASE_DO:
1248             s->waiting = LSI_DMA_SCRIPTS;
1249             lsi_do_dma(s, 1);
1250             if (s->waiting)
1251                 s->waiting = LSI_DMA_IN_PROGRESS;
1252             break;
1253         case PHASE_DI:
1254             s->waiting = LSI_DMA_SCRIPTS;
1255             lsi_do_dma(s, 0);
1256             if (s->waiting)
1257                 s->waiting = LSI_DMA_IN_PROGRESS;
1258             break;
1259         case PHASE_CMD:
1260             lsi_do_command(s);
1261             break;
1262         case PHASE_ST:
1263             lsi_do_status(s);
1264             break;
1265         case PHASE_MO:
1266             lsi_do_msgout(s);
1267             break;
1268         case PHASE_MI:
1269             lsi_do_msgin(s);
1270             break;
1271         default:
1272             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1273                           scsi_phase_name(s->sstat1));
1274         }
1275         s->dfifo = s->dbc & 0xff;
1276         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1277         s->sbc = s->dbc;
1278         s->rbc -= s->dbc;
1279         s->ua = addr + s->dbc;
1280         break;
1281 
1282     case 1: /* IO or Read/Write instruction.  */
1283         opcode = (insn >> 27) & 7;
1284         if (opcode < 5) {
1285             uint32_t id;
1286 
1287             if (insn & (1 << 25)) {
1288                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1289             } else {
1290                 id = insn;
1291             }
1292             id = (id >> 16) & 0xf;
1293             if (insn & (1 << 26)) {
1294                 addr = s->dsp + sextract32(addr, 0, 24);
1295             }
1296             s->dnad = addr;
1297             switch (opcode) {
1298             case 0: /* Select */
1299                 s->sdid = id;
1300                 if (s->scntl1 & LSI_SCNTL1_CON) {
1301                     trace_lsi_execute_script_io_alreadyreselected();
1302                     s->dsp = s->dnad;
1303                     break;
1304                 }
1305                 s->sstat0 |= LSI_SSTAT0_WOA;
1306                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1307                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1308                     lsi_bad_selection(s, id);
1309                     break;
1310                 }
1311                 trace_lsi_execute_script_io_selected(id,
1312                                              insn & (1 << 3) ? " ATN" : "");
1313                 /* ??? Linux drivers compain when this is set.  Maybe
1314                    it only applies in low-level mode (unimplemented).
1315                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1316                 s->select_tag = id << 8;
1317                 s->scntl1 |= LSI_SCNTL1_CON;
1318                 if (insn & (1 << 3)) {
1319                     s->socl |= LSI_SOCL_ATN;
1320                     s->sbcl |= LSI_SBCL_ATN;
1321                 }
1322                 s->sbcl |= LSI_SBCL_BSY;
1323                 lsi_set_phase(s, PHASE_MO);
1324                 s->waiting = LSI_NOWAIT;
1325                 break;
1326             case 1: /* Disconnect */
1327                 trace_lsi_execute_script_io_disconnect();
1328                 s->scntl1 &= ~LSI_SCNTL1_CON;
1329                 /* FIXME: this is not entirely correct; the target need not ask
1330                  * for reselection until it has to send data, while here we force a
1331                  * reselection as soon as the bus is free.  The correct flow would
1332                  * reselect before lsi_transfer_data and disconnect as soon as
1333                  * DMA ends.
1334                  */
1335                 if (!s->current) {
1336                     lsi_request *p = get_pending_req(s);
1337                     if (p) {
1338                         lsi_reselect(s, p);
1339                     }
1340                 }
1341                 break;
1342             case 2: /* Wait Reselect */
1343                 if (s->istat0 & LSI_ISTAT0_SIGP) {
1344                     s->dsp = s->dnad;
1345                 } else if (!lsi_irq_on_rsl(s)) {
1346                         lsi_wait_reselect(s);
1347                 }
1348                 break;
1349             case 3: /* Set */
1350                 trace_lsi_execute_script_io_set(
1351                         insn & (1 << 3) ? " ATN" : "",
1352                         insn & (1 << 6) ? " ACK" : "",
1353                         insn & (1 << 9) ? " TM" : "",
1354                         insn & (1 << 10) ? " CC" : "");
1355                 if (insn & (1 << 3)) {
1356                     s->socl |= LSI_SOCL_ATN;
1357                     s->sbcl |= LSI_SBCL_ATN;
1358                     lsi_set_phase(s, PHASE_MO);
1359                 }
1360 
1361                 if (insn & (1 << 6)) {
1362                     s->sbcl |= LSI_SBCL_ACK;
1363                 }
1364 
1365                 if (insn & (1 << 9)) {
1366                     qemu_log_mask(LOG_UNIMP,
1367                         "lsi_scsi: Target mode not implemented\n");
1368                 }
1369                 if (insn & (1 << 10))
1370                     s->carry = 1;
1371                 break;
1372             case 4: /* Clear */
1373                 trace_lsi_execute_script_io_clear(
1374                         insn & (1 << 3) ? " ATN" : "",
1375                         insn & (1 << 6) ? " ACK" : "",
1376                         insn & (1 << 9) ? " TM" : "",
1377                         insn & (1 << 10) ? " CC" : "");
1378                 if (insn & (1 << 3)) {
1379                     s->socl &= ~LSI_SOCL_ATN;
1380                     s->sbcl &= ~LSI_SBCL_ATN;
1381                 }
1382 
1383                 if (insn & (1 << 6)) {
1384                     s->sbcl &= ~LSI_SBCL_ACK;
1385                 }
1386 
1387                 if (insn & (1 << 10))
1388                     s->carry = 0;
1389                 break;
1390             }
1391         } else {
1392             uint8_t op0;
1393             uint8_t op1;
1394             uint8_t data8;
1395             int reg;
1396             int operator;
1397 
1398             static const char *opcode_names[3] =
1399                 {"Write", "Read", "Read-Modify-Write"};
1400             static const char *operator_names[8] =
1401                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1402 
1403             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1404             data8 = (insn >> 8) & 0xff;
1405             opcode = (insn >> 27) & 7;
1406             operator = (insn >> 24) & 7;
1407             trace_lsi_execute_script_io_opcode(
1408                     opcode_names[opcode - 5], reg,
1409                     operator_names[operator], data8, s->sfbr,
1410                     (insn & (1 << 23)) ? " SFBR" : "");
1411             op0 = op1 = 0;
1412             switch (opcode) {
1413             case 5: /* From SFBR */
1414                 op0 = s->sfbr;
1415                 op1 = data8;
1416                 break;
1417             case 6: /* To SFBR */
1418                 if (operator)
1419                     op0 = lsi_reg_readb(s, reg);
1420                 op1 = data8;
1421                 break;
1422             case 7: /* Read-modify-write */
1423                 if (operator)
1424                     op0 = lsi_reg_readb(s, reg);
1425                 if (insn & (1 << 23)) {
1426                     op1 = s->sfbr;
1427                 } else {
1428                     op1 = data8;
1429                 }
1430                 break;
1431             }
1432 
1433             switch (operator) {
1434             case 0: /* move */
1435                 op0 = op1;
1436                 break;
1437             case 1: /* Shift left */
1438                 op1 = op0 >> 7;
1439                 op0 = (op0 << 1) | s->carry;
1440                 s->carry = op1;
1441                 break;
1442             case 2: /* OR */
1443                 op0 |= op1;
1444                 break;
1445             case 3: /* XOR */
1446                 op0 ^= op1;
1447                 break;
1448             case 4: /* AND */
1449                 op0 &= op1;
1450                 break;
1451             case 5: /* SHR */
1452                 op1 = op0 & 1;
1453                 op0 = (op0 >> 1) | (s->carry << 7);
1454                 s->carry = op1;
1455                 break;
1456             case 6: /* ADD */
1457                 op0 += op1;
1458                 s->carry = op0 < op1;
1459                 break;
1460             case 7: /* ADC */
1461                 op0 += op1 + s->carry;
1462                 if (s->carry)
1463                     s->carry = op0 <= op1;
1464                 else
1465                     s->carry = op0 < op1;
1466                 break;
1467             }
1468 
1469             switch (opcode) {
1470             case 5: /* From SFBR */
1471             case 7: /* Read-modify-write */
1472                 lsi_reg_writeb(s, reg, op0);
1473                 break;
1474             case 6: /* To SFBR */
1475                 s->sfbr = op0;
1476                 break;
1477             }
1478         }
1479         break;
1480 
1481     case 2: /* Transfer Control.  */
1482         {
1483             int cond;
1484             int jmp;
1485 
1486             if ((insn & 0x002e0000) == 0) {
1487                 trace_lsi_execute_script_tc_nop();
1488                 break;
1489             }
1490             if (s->sist1 & LSI_SIST1_STO) {
1491                 trace_lsi_execute_script_tc_delayedselect_timeout();
1492                 lsi_stop_script(s);
1493                 break;
1494             }
1495             cond = jmp = (insn & (1 << 19)) != 0;
1496             if (cond == jmp && (insn & (1 << 21))) {
1497                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1498                 cond = s->carry != 0;
1499             }
1500             if (cond == jmp && (insn & (1 << 17))) {
1501                 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1502                         jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1503                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1504             }
1505             if (cond == jmp && (insn & (1 << 18))) {
1506                 uint8_t mask;
1507 
1508                 mask = (~insn >> 8) & 0xff;
1509                 trace_lsi_execute_script_tc_compd(
1510                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1511                 cond = (s->sfbr & mask) == (insn & mask);
1512             }
1513             if (cond == jmp) {
1514                 if (insn & (1 << 23)) {
1515                     /* Relative address.  */
1516                     addr = s->dsp + sextract32(addr, 0, 24);
1517                 }
1518                 switch ((insn >> 27) & 7) {
1519                 case 0: /* Jump */
1520                     trace_lsi_execute_script_tc_jump(addr);
1521                     s->adder = addr;
1522                     s->dsp = addr;
1523                     break;
1524                 case 1: /* Call */
1525                     trace_lsi_execute_script_tc_call(addr);
1526                     s->temp = s->dsp;
1527                     s->dsp = addr;
1528                     break;
1529                 case 2: /* Return */
1530                     trace_lsi_execute_script_tc_return(s->temp);
1531                     s->dsp = s->temp;
1532                     break;
1533                 case 3: /* Interrupt */
1534                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1535                     if ((insn & (1 << 20)) != 0) {
1536                         s->istat0 |= LSI_ISTAT0_INTF;
1537                         lsi_update_irq(s);
1538                     } else {
1539                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1540                     }
1541                     break;
1542                 default:
1543                     trace_lsi_execute_script_tc_illegal();
1544                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1545                     break;
1546                 }
1547             } else {
1548                 trace_lsi_execute_script_tc_cc_failed();
1549             }
1550         }
1551         break;
1552 
1553     case 3:
1554         if ((insn & (1 << 29)) == 0) {
1555             /* Memory move.  */
1556             uint32_t dest;
1557             /* ??? The docs imply the destination address is loaded into
1558                the TEMP register.  However the Linux drivers rely on
1559                the value being presrved.  */
1560             dest = read_dword(s, s->dsp);
1561             s->dsp += 4;
1562             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1563         } else {
1564             uint8_t data[7];
1565             int reg;
1566             int n;
1567             int i;
1568 
1569             if (insn & (1 << 28)) {
1570                 addr = s->dsa + sextract32(addr, 0, 24);
1571             }
1572             n = (insn & 7);
1573             reg = (insn >> 16) & 0xff;
1574             if (insn & (1 << 24)) {
1575                 pci_dma_read(pci_dev, addr, data, n);
1576                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1577                 for (i = 0; i < n; i++) {
1578                     lsi_reg_writeb(s, reg + i, data[i]);
1579                 }
1580             } else {
1581                 trace_lsi_execute_script_mm_store(reg, n, addr);
1582                 for (i = 0; i < n; i++) {
1583                     data[i] = lsi_reg_readb(s, reg + i);
1584                 }
1585                 pci_dma_write(pci_dev, addr, data, n);
1586             }
1587         }
1588     }
1589     if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1590         if (s->dcntl & LSI_DCNTL_SSM) {
1591             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1592         } else {
1593             goto again;
1594         }
1595     }
1596     trace_lsi_execute_script_stop();
1597 }
1598 
1599 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1600 {
1601     uint8_t ret;
1602 
1603 #define CASE_GET_REG24(name, addr) \
1604     case addr: ret = s->name & 0xff; break; \
1605     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1606     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1607 
1608 #define CASE_GET_REG32(name, addr) \
1609     case addr: ret = s->name & 0xff; break; \
1610     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1611     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1612     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1613 
1614     switch (offset) {
1615     case 0x00: /* SCNTL0 */
1616         ret = s->scntl0;
1617         break;
1618     case 0x01: /* SCNTL1 */
1619         ret = s->scntl1;
1620         break;
1621     case 0x02: /* SCNTL2 */
1622         ret = s->scntl2;
1623         break;
1624     case 0x03: /* SCNTL3 */
1625         ret = s->scntl3;
1626         break;
1627     case 0x04: /* SCID */
1628         ret = s->scid;
1629         break;
1630     case 0x05: /* SXFER */
1631         ret = s->sxfer;
1632         break;
1633     case 0x06: /* SDID */
1634         ret = s->sdid;
1635         break;
1636     case 0x07: /* GPREG0 */
1637         ret = 0x7f;
1638         break;
1639     case 0x08: /* Revision ID */
1640         ret = 0x00;
1641         break;
1642     case 0x09: /* SOCL */
1643         ret = s->socl;
1644         break;
1645     case 0xa: /* SSID */
1646         ret = s->ssid;
1647         break;
1648     case 0xb: /* SBCL */
1649         ret = s->sbcl;
1650         break;
1651     case 0xc: /* DSTAT */
1652         ret = s->dstat | LSI_DSTAT_DFE;
1653         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1654             s->dstat = 0;
1655         lsi_update_irq(s);
1656         break;
1657     case 0x0d: /* SSTAT0 */
1658         ret = s->sstat0;
1659         break;
1660     case 0x0e: /* SSTAT1 */
1661         ret = s->sstat1;
1662         break;
1663     case 0x0f: /* SSTAT2 */
1664         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1665         break;
1666     CASE_GET_REG32(dsa, 0x10)
1667     case 0x14: /* ISTAT0 */
1668         ret = s->istat0;
1669         break;
1670     case 0x15: /* ISTAT1 */
1671         ret = s->istat1;
1672         break;
1673     case 0x16: /* MBOX0 */
1674         ret = s->mbox0;
1675         break;
1676     case 0x17: /* MBOX1 */
1677         ret = s->mbox1;
1678         break;
1679     case 0x18: /* CTEST0 */
1680         ret = 0xff;
1681         break;
1682     case 0x19: /* CTEST1 */
1683         ret = 0;
1684         break;
1685     case 0x1a: /* CTEST2 */
1686         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1687         if (s->istat0 & LSI_ISTAT0_SIGP) {
1688             s->istat0 &= ~LSI_ISTAT0_SIGP;
1689             ret |= LSI_CTEST2_SIGP;
1690         }
1691         break;
1692     case 0x1b: /* CTEST3 */
1693         ret = s->ctest3;
1694         break;
1695     CASE_GET_REG32(temp, 0x1c)
1696     case 0x20: /* DFIFO */
1697         ret = s->dfifo;
1698         break;
1699     case 0x21: /* CTEST4 */
1700         ret = s->ctest4;
1701         break;
1702     case 0x22: /* CTEST5 */
1703         ret = s->ctest5;
1704         break;
1705     case 0x23: /* CTEST6 */
1706         ret = 0;
1707         break;
1708     CASE_GET_REG24(dbc, 0x24)
1709     case 0x27: /* DCMD */
1710         ret = s->dcmd;
1711         break;
1712     CASE_GET_REG32(dnad, 0x28)
1713     CASE_GET_REG32(dsp, 0x2c)
1714     CASE_GET_REG32(dsps, 0x30)
1715     CASE_GET_REG32(scratch[0], 0x34)
1716     case 0x38: /* DMODE */
1717         ret = s->dmode;
1718         break;
1719     case 0x39: /* DIEN */
1720         ret = s->dien;
1721         break;
1722     case 0x3a: /* SBR */
1723         ret = s->sbr;
1724         break;
1725     case 0x3b: /* DCNTL */
1726         ret = s->dcntl;
1727         break;
1728     /* ADDER Output (Debug of relative jump address) */
1729     CASE_GET_REG32(adder, 0x3c)
1730     case 0x40: /* SIEN0 */
1731         ret = s->sien0;
1732         break;
1733     case 0x41: /* SIEN1 */
1734         ret = s->sien1;
1735         break;
1736     case 0x42: /* SIST0 */
1737         ret = s->sist0;
1738         s->sist0 = 0;
1739         lsi_update_irq(s);
1740         break;
1741     case 0x43: /* SIST1 */
1742         ret = s->sist1;
1743         s->sist1 = 0;
1744         lsi_update_irq(s);
1745         break;
1746     case 0x46: /* MACNTL */
1747         ret = 0x0f;
1748         break;
1749     case 0x47: /* GPCNTL0 */
1750         ret = 0x0f;
1751         break;
1752     case 0x48: /* STIME0 */
1753         ret = s->stime0;
1754         break;
1755     case 0x4a: /* RESPID0 */
1756         ret = s->respid0;
1757         break;
1758     case 0x4b: /* RESPID1 */
1759         ret = s->respid1;
1760         break;
1761     case 0x4d: /* STEST1 */
1762         ret = s->stest1;
1763         break;
1764     case 0x4e: /* STEST2 */
1765         ret = s->stest2;
1766         break;
1767     case 0x4f: /* STEST3 */
1768         ret = s->stest3;
1769         break;
1770     case 0x50: /* SIDL */
1771         /* This is needed by the linux drivers.  We currently only update it
1772            during the MSG IN phase.  */
1773         ret = s->sidl;
1774         break;
1775     case 0x52: /* STEST4 */
1776         ret = 0xe0;
1777         break;
1778     case 0x56: /* CCNTL0 */
1779         ret = s->ccntl0;
1780         break;
1781     case 0x57: /* CCNTL1 */
1782         ret = s->ccntl1;
1783         break;
1784     case 0x58: /* SBDL */
1785         /* Some drivers peek at the data bus during the MSG IN phase.  */
1786         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1787             assert(s->msg_len > 0);
1788             return s->msg[0];
1789         }
1790         ret = 0;
1791         break;
1792     case 0x59: /* SBDL high */
1793         ret = 0;
1794         break;
1795     CASE_GET_REG32(mmrs, 0xa0)
1796     CASE_GET_REG32(mmws, 0xa4)
1797     CASE_GET_REG32(sfs, 0xa8)
1798     CASE_GET_REG32(drs, 0xac)
1799     CASE_GET_REG32(sbms, 0xb0)
1800     CASE_GET_REG32(dbms, 0xb4)
1801     CASE_GET_REG32(dnad64, 0xb8)
1802     CASE_GET_REG32(pmjad1, 0xc0)
1803     CASE_GET_REG32(pmjad2, 0xc4)
1804     CASE_GET_REG32(rbc, 0xc8)
1805     CASE_GET_REG32(ua, 0xcc)
1806     CASE_GET_REG32(ia, 0xd4)
1807     CASE_GET_REG32(sbc, 0xd8)
1808     CASE_GET_REG32(csbc, 0xdc)
1809     case 0x5c ... 0x9f:
1810     {
1811         int n;
1812         int shift;
1813         n = (offset - 0x58) >> 2;
1814         shift = (offset & 3) * 8;
1815         ret = (s->scratch[n] >> shift) & 0xff;
1816         break;
1817     }
1818     default:
1819     {
1820         qemu_log_mask(LOG_GUEST_ERROR,
1821                       "lsi_scsi: invalid read from reg %s %x\n",
1822                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1823                       offset);
1824         ret = 0xff;
1825         break;
1826     }
1827     }
1828 #undef CASE_GET_REG24
1829 #undef CASE_GET_REG32
1830 
1831     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1832                        offset, ret);
1833 
1834     return ret;
1835 }
1836 
1837 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1838 {
1839 #define CASE_SET_REG24(name, addr) \
1840     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1841     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1842     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1843 
1844 #define CASE_SET_REG32(name, addr) \
1845     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1846     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1847     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1848     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1849 
1850     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1851                         offset, val);
1852 
1853     switch (offset) {
1854     case 0x00: /* SCNTL0 */
1855         s->scntl0 = val;
1856         if (val & LSI_SCNTL0_START) {
1857             qemu_log_mask(LOG_UNIMP,
1858                           "lsi_scsi: Start sequence not implemented\n");
1859         }
1860         break;
1861     case 0x01: /* SCNTL1 */
1862         s->scntl1 = val & ~LSI_SCNTL1_SST;
1863         if (val & LSI_SCNTL1_IARB) {
1864             qemu_log_mask(LOG_UNIMP,
1865                       "lsi_scsi: Immediate Arbritration not implemented\n");
1866         }
1867         if (val & LSI_SCNTL1_RST) {
1868             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1869                 qbus_reset_all(BUS(&s->bus));
1870                 s->sstat0 |= LSI_SSTAT0_RST;
1871                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1872             }
1873         } else {
1874             s->sstat0 &= ~LSI_SSTAT0_RST;
1875         }
1876         break;
1877     case 0x02: /* SCNTL2 */
1878         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1879         s->scntl2 = val;
1880         break;
1881     case 0x03: /* SCNTL3 */
1882         s->scntl3 = val;
1883         break;
1884     case 0x04: /* SCID */
1885         s->scid = val;
1886         break;
1887     case 0x05: /* SXFER */
1888         s->sxfer = val;
1889         break;
1890     case 0x06: /* SDID */
1891         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1892             qemu_log_mask(LOG_GUEST_ERROR,
1893                           "lsi_scsi: Destination ID does not match SSID\n");
1894         }
1895         s->sdid = val & 0xf;
1896         break;
1897     case 0x07: /* GPREG0 */
1898         break;
1899     case 0x08: /* SFBR */
1900         /* The CPU is not allowed to write to this register.  However the
1901            SCRIPTS register move instructions are.  */
1902         s->sfbr = val;
1903         break;
1904     case 0x0a: case 0x0b:
1905         /* Openserver writes to these readonly registers on startup */
1906         return;
1907     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1908         /* Linux writes to these readonly registers on startup.  */
1909         return;
1910     CASE_SET_REG32(dsa, 0x10)
1911     case 0x14: /* ISTAT0 */
1912         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1913         if (val & LSI_ISTAT0_ABRT) {
1914             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1915         }
1916         if (val & LSI_ISTAT0_INTF) {
1917             s->istat0 &= ~LSI_ISTAT0_INTF;
1918             lsi_update_irq(s);
1919         }
1920         if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1921             trace_lsi_awoken();
1922             s->waiting = LSI_NOWAIT;
1923             s->dsp = s->dnad;
1924             lsi_execute_script(s);
1925         }
1926         if (val & LSI_ISTAT0_SRST) {
1927             qdev_reset_all(DEVICE(s));
1928         }
1929         break;
1930     case 0x16: /* MBOX0 */
1931         s->mbox0 = val;
1932         break;
1933     case 0x17: /* MBOX1 */
1934         s->mbox1 = val;
1935         break;
1936     case 0x18: /* CTEST0 */
1937         /* nothing to do */
1938         break;
1939     case 0x1a: /* CTEST2 */
1940         s->ctest2 = val & LSI_CTEST2_PCICIE;
1941         break;
1942     case 0x1b: /* CTEST3 */
1943         s->ctest3 = val & 0x0f;
1944         break;
1945     CASE_SET_REG32(temp, 0x1c)
1946     case 0x21: /* CTEST4 */
1947         if (val & 7) {
1948             qemu_log_mask(LOG_UNIMP,
1949                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1950         }
1951         s->ctest4 = val;
1952         break;
1953     case 0x22: /* CTEST5 */
1954         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1955             qemu_log_mask(LOG_UNIMP,
1956                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1957         }
1958         s->ctest5 = val;
1959         break;
1960     CASE_SET_REG24(dbc, 0x24)
1961     CASE_SET_REG32(dnad, 0x28)
1962     case 0x2c: /* DSP[0:7] */
1963         s->dsp &= 0xffffff00;
1964         s->dsp |= val;
1965         break;
1966     case 0x2d: /* DSP[8:15] */
1967         s->dsp &= 0xffff00ff;
1968         s->dsp |= val << 8;
1969         break;
1970     case 0x2e: /* DSP[16:23] */
1971         s->dsp &= 0xff00ffff;
1972         s->dsp |= val << 16;
1973         break;
1974     case 0x2f: /* DSP[24:31] */
1975         s->dsp &= 0x00ffffff;
1976         s->dsp |= val << 24;
1977         /*
1978          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
1979          * instruction.  Is this correct?
1980          */
1981         if ((s->dmode & LSI_DMODE_MAN) == 0
1982             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1983             lsi_execute_script(s);
1984         break;
1985     CASE_SET_REG32(dsps, 0x30)
1986     CASE_SET_REG32(scratch[0], 0x34)
1987     case 0x38: /* DMODE */
1988         s->dmode = val;
1989         break;
1990     case 0x39: /* DIEN */
1991         s->dien = val;
1992         lsi_update_irq(s);
1993         break;
1994     case 0x3a: /* SBR */
1995         s->sbr = val;
1996         break;
1997     case 0x3b: /* DCNTL */
1998         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
1999         /*
2000          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
2001          * instruction.  Is this correct?
2002          */
2003         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
2004             lsi_execute_script(s);
2005         break;
2006     case 0x40: /* SIEN0 */
2007         s->sien0 = val;
2008         lsi_update_irq(s);
2009         break;
2010     case 0x41: /* SIEN1 */
2011         s->sien1 = val;
2012         lsi_update_irq(s);
2013         break;
2014     case 0x47: /* GPCNTL0 */
2015         break;
2016     case 0x48: /* STIME0 */
2017         s->stime0 = val;
2018         break;
2019     case 0x49: /* STIME1 */
2020         if (val & 0xf) {
2021             qemu_log_mask(LOG_UNIMP,
2022                           "lsi_scsi: General purpose timer not implemented\n");
2023             /* ??? Raising the interrupt immediately seems to be sufficient
2024                to keep the FreeBSD driver happy.  */
2025             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2026         }
2027         break;
2028     case 0x4a: /* RESPID0 */
2029         s->respid0 = val;
2030         break;
2031     case 0x4b: /* RESPID1 */
2032         s->respid1 = val;
2033         break;
2034     case 0x4d: /* STEST1 */
2035         s->stest1 = val;
2036         break;
2037     case 0x4e: /* STEST2 */
2038         if (val & 1) {
2039             qemu_log_mask(LOG_UNIMP,
2040                           "lsi_scsi: Low level mode not implemented\n");
2041         }
2042         s->stest2 = val;
2043         break;
2044     case 0x4f: /* STEST3 */
2045         if (val & 0x41) {
2046             qemu_log_mask(LOG_UNIMP,
2047                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
2048         }
2049         s->stest3 = val;
2050         break;
2051     case 0x56: /* CCNTL0 */
2052         s->ccntl0 = val;
2053         break;
2054     case 0x57: /* CCNTL1 */
2055         s->ccntl1 = val;
2056         break;
2057     CASE_SET_REG32(mmrs, 0xa0)
2058     CASE_SET_REG32(mmws, 0xa4)
2059     CASE_SET_REG32(sfs, 0xa8)
2060     CASE_SET_REG32(drs, 0xac)
2061     CASE_SET_REG32(sbms, 0xb0)
2062     CASE_SET_REG32(dbms, 0xb4)
2063     CASE_SET_REG32(dnad64, 0xb8)
2064     CASE_SET_REG32(pmjad1, 0xc0)
2065     CASE_SET_REG32(pmjad2, 0xc4)
2066     CASE_SET_REG32(rbc, 0xc8)
2067     CASE_SET_REG32(ua, 0xcc)
2068     CASE_SET_REG32(ia, 0xd4)
2069     CASE_SET_REG32(sbc, 0xd8)
2070     CASE_SET_REG32(csbc, 0xdc)
2071     default:
2072         if (offset >= 0x5c && offset < 0xa0) {
2073             int n;
2074             int shift;
2075             n = (offset - 0x58) >> 2;
2076             shift = (offset & 3) * 8;
2077             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2078         } else {
2079             qemu_log_mask(LOG_GUEST_ERROR,
2080                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2081                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2082                           offset, val);
2083         }
2084     }
2085 #undef CASE_SET_REG24
2086 #undef CASE_SET_REG32
2087 }
2088 
2089 static void lsi_mmio_write(void *opaque, hwaddr addr,
2090                            uint64_t val, unsigned size)
2091 {
2092     LSIState *s = opaque;
2093 
2094     lsi_reg_writeb(s, addr & 0xff, val);
2095 }
2096 
2097 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2098                               unsigned size)
2099 {
2100     LSIState *s = opaque;
2101     return lsi_reg_readb(s, addr & 0xff);
2102 }
2103 
2104 static const MemoryRegionOps lsi_mmio_ops = {
2105     .read = lsi_mmio_read,
2106     .write = lsi_mmio_write,
2107     .endianness = DEVICE_LITTLE_ENDIAN,
2108     .impl = {
2109         .min_access_size = 1,
2110         .max_access_size = 1,
2111     },
2112 };
2113 
2114 static void lsi_ram_write(void *opaque, hwaddr addr,
2115                           uint64_t val, unsigned size)
2116 {
2117     LSIState *s = opaque;
2118     stn_le_p(s->script_ram + addr, size, val);
2119 }
2120 
2121 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2122                              unsigned size)
2123 {
2124     LSIState *s = opaque;
2125     return ldn_le_p(s->script_ram + addr, size);
2126 }
2127 
2128 static const MemoryRegionOps lsi_ram_ops = {
2129     .read = lsi_ram_read,
2130     .write = lsi_ram_write,
2131     .endianness = DEVICE_LITTLE_ENDIAN,
2132 };
2133 
2134 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2135                             unsigned size)
2136 {
2137     LSIState *s = opaque;
2138     return lsi_reg_readb(s, addr & 0xff);
2139 }
2140 
2141 static void lsi_io_write(void *opaque, hwaddr addr,
2142                          uint64_t val, unsigned size)
2143 {
2144     LSIState *s = opaque;
2145     lsi_reg_writeb(s, addr & 0xff, val);
2146 }
2147 
2148 static const MemoryRegionOps lsi_io_ops = {
2149     .read = lsi_io_read,
2150     .write = lsi_io_write,
2151     .endianness = DEVICE_LITTLE_ENDIAN,
2152     .impl = {
2153         .min_access_size = 1,
2154         .max_access_size = 1,
2155     },
2156 };
2157 
2158 static void lsi_scsi_reset(DeviceState *dev)
2159 {
2160     LSIState *s = LSI53C895A(dev);
2161 
2162     lsi_soft_reset(s);
2163 }
2164 
2165 static int lsi_pre_save(void *opaque)
2166 {
2167     LSIState *s = opaque;
2168 
2169     if (s->current) {
2170         assert(s->current->dma_buf == NULL);
2171         assert(s->current->dma_len == 0);
2172     }
2173     assert(QTAILQ_EMPTY(&s->queue));
2174 
2175     return 0;
2176 }
2177 
2178 static int lsi_post_load(void *opaque, int version_id)
2179 {
2180     LSIState *s = opaque;
2181 
2182     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2183         return -EINVAL;
2184     }
2185 
2186     return 0;
2187 }
2188 
2189 static const VMStateDescription vmstate_lsi_scsi = {
2190     .name = "lsiscsi",
2191     .version_id = 1,
2192     .minimum_version_id = 0,
2193     .pre_save = lsi_pre_save,
2194     .post_load = lsi_post_load,
2195     .fields = (VMStateField[]) {
2196         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2197 
2198         VMSTATE_INT32(carry, LSIState),
2199         VMSTATE_INT32(status, LSIState),
2200         VMSTATE_INT32(msg_action, LSIState),
2201         VMSTATE_INT32(msg_len, LSIState),
2202         VMSTATE_BUFFER(msg, LSIState),
2203         VMSTATE_INT32(waiting, LSIState),
2204 
2205         VMSTATE_UINT32(dsa, LSIState),
2206         VMSTATE_UINT32(temp, LSIState),
2207         VMSTATE_UINT32(dnad, LSIState),
2208         VMSTATE_UINT32(dbc, LSIState),
2209         VMSTATE_UINT8(istat0, LSIState),
2210         VMSTATE_UINT8(istat1, LSIState),
2211         VMSTATE_UINT8(dcmd, LSIState),
2212         VMSTATE_UINT8(dstat, LSIState),
2213         VMSTATE_UINT8(dien, LSIState),
2214         VMSTATE_UINT8(sist0, LSIState),
2215         VMSTATE_UINT8(sist1, LSIState),
2216         VMSTATE_UINT8(sien0, LSIState),
2217         VMSTATE_UINT8(sien1, LSIState),
2218         VMSTATE_UINT8(mbox0, LSIState),
2219         VMSTATE_UINT8(mbox1, LSIState),
2220         VMSTATE_UINT8(dfifo, LSIState),
2221         VMSTATE_UINT8(ctest2, LSIState),
2222         VMSTATE_UINT8(ctest3, LSIState),
2223         VMSTATE_UINT8(ctest4, LSIState),
2224         VMSTATE_UINT8(ctest5, LSIState),
2225         VMSTATE_UINT8(ccntl0, LSIState),
2226         VMSTATE_UINT8(ccntl1, LSIState),
2227         VMSTATE_UINT32(dsp, LSIState),
2228         VMSTATE_UINT32(dsps, LSIState),
2229         VMSTATE_UINT8(dmode, LSIState),
2230         VMSTATE_UINT8(dcntl, LSIState),
2231         VMSTATE_UINT8(scntl0, LSIState),
2232         VMSTATE_UINT8(scntl1, LSIState),
2233         VMSTATE_UINT8(scntl2, LSIState),
2234         VMSTATE_UINT8(scntl3, LSIState),
2235         VMSTATE_UINT8(sstat0, LSIState),
2236         VMSTATE_UINT8(sstat1, LSIState),
2237         VMSTATE_UINT8(scid, LSIState),
2238         VMSTATE_UINT8(sxfer, LSIState),
2239         VMSTATE_UINT8(socl, LSIState),
2240         VMSTATE_UINT8(sdid, LSIState),
2241         VMSTATE_UINT8(ssid, LSIState),
2242         VMSTATE_UINT8(sfbr, LSIState),
2243         VMSTATE_UINT8(stest1, LSIState),
2244         VMSTATE_UINT8(stest2, LSIState),
2245         VMSTATE_UINT8(stest3, LSIState),
2246         VMSTATE_UINT8(sidl, LSIState),
2247         VMSTATE_UINT8(stime0, LSIState),
2248         VMSTATE_UINT8(respid0, LSIState),
2249         VMSTATE_UINT8(respid1, LSIState),
2250         VMSTATE_UINT8_V(sbcl, LSIState, 1),
2251         VMSTATE_UINT32(mmrs, LSIState),
2252         VMSTATE_UINT32(mmws, LSIState),
2253         VMSTATE_UINT32(sfs, LSIState),
2254         VMSTATE_UINT32(drs, LSIState),
2255         VMSTATE_UINT32(sbms, LSIState),
2256         VMSTATE_UINT32(dbms, LSIState),
2257         VMSTATE_UINT32(dnad64, LSIState),
2258         VMSTATE_UINT32(pmjad1, LSIState),
2259         VMSTATE_UINT32(pmjad2, LSIState),
2260         VMSTATE_UINT32(rbc, LSIState),
2261         VMSTATE_UINT32(ua, LSIState),
2262         VMSTATE_UINT32(ia, LSIState),
2263         VMSTATE_UINT32(sbc, LSIState),
2264         VMSTATE_UINT32(csbc, LSIState),
2265         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2266         VMSTATE_UINT8(sbr, LSIState),
2267 
2268         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2269         VMSTATE_END_OF_LIST()
2270     }
2271 };
2272 
2273 static const struct SCSIBusInfo lsi_scsi_info = {
2274     .tcq = true,
2275     .max_target = LSI_MAX_DEVS,
2276     .max_lun = 0,  /* LUN support is buggy */
2277 
2278     .transfer_data = lsi_transfer_data,
2279     .complete = lsi_command_complete,
2280     .cancel = lsi_request_cancelled
2281 };
2282 
2283 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2284 {
2285     LSIState *s = LSI53C895A(dev);
2286     DeviceState *d = DEVICE(dev);
2287     uint8_t *pci_conf;
2288 
2289     pci_conf = dev->config;
2290 
2291     /* PCI latency timer = 255 */
2292     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2293     /* Interrupt pin A */
2294     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2295 
2296     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2297                           "lsi-mmio", 0x400);
2298     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2299                           "lsi-ram", 0x2000);
2300     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2301                           "lsi-io", 256);
2302 
2303     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2304     qdev_init_gpio_out(d, &s->ext_irq, 1);
2305 
2306     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2307     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2308     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2309     QTAILQ_INIT(&s->queue);
2310 
2311     scsi_bus_init(&s->bus, sizeof(s->bus), d, &lsi_scsi_info);
2312 }
2313 
2314 static void lsi_scsi_exit(PCIDevice *dev)
2315 {
2316     LSIState *s = LSI53C895A(dev);
2317 
2318     address_space_destroy(&s->pci_io_as);
2319 }
2320 
2321 static void lsi_class_init(ObjectClass *klass, void *data)
2322 {
2323     DeviceClass *dc = DEVICE_CLASS(klass);
2324     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2325 
2326     k->realize = lsi_scsi_realize;
2327     k->exit = lsi_scsi_exit;
2328     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2329     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2330     k->class_id = PCI_CLASS_STORAGE_SCSI;
2331     k->subsystem_id = 0x1000;
2332     dc->reset = lsi_scsi_reset;
2333     dc->vmsd = &vmstate_lsi_scsi;
2334     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2335 }
2336 
2337 static const TypeInfo lsi_info = {
2338     .name          = TYPE_LSI53C895A,
2339     .parent        = TYPE_PCI_DEVICE,
2340     .instance_size = sizeof(LSIState),
2341     .class_init    = lsi_class_init,
2342     .interfaces = (InterfaceInfo[]) {
2343         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2344         { },
2345     },
2346 };
2347 
2348 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2349 {
2350     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2351 
2352     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2353 }
2354 
2355 static const TypeInfo lsi53c810_info = {
2356     .name          = TYPE_LSI53C810,
2357     .parent        = TYPE_LSI53C895A,
2358     .class_init    = lsi53c810_class_init,
2359 };
2360 
2361 static void lsi53c895a_register_types(void)
2362 {
2363     type_register_static(&lsi_info);
2364     type_register_static(&lsi53c810_info);
2365 }
2366 
2367 type_init(lsi53c895a_register_types)
2368 
2369 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2370 {
2371     LSIState *s = LSI53C895A(lsi_dev);
2372 
2373     scsi_bus_legacy_handle_cmdline(&s->bus);
2374 }
2375