xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision 2df1eb27)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/irq.h"
19 #include "hw/pci/pci_device.h"
20 #include "hw/scsi/scsi.h"
21 #include "migration/vmstate.h"
22 #include "sysemu/dma.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 #include "trace.h"
26 #include "qom/object.h"
27 
28 static const char *names[] = {
29     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
30     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
31     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
32     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
33     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
34     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
35     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
36     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
37     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
38     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
39     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
40     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
41 };
42 
43 #define LSI_MAX_DEVS 7
44 
45 #define LSI_SCNTL0_TRG    0x01
46 #define LSI_SCNTL0_AAP    0x02
47 #define LSI_SCNTL0_EPC    0x08
48 #define LSI_SCNTL0_WATN   0x10
49 #define LSI_SCNTL0_START  0x20
50 
51 #define LSI_SCNTL1_SST    0x01
52 #define LSI_SCNTL1_IARB   0x02
53 #define LSI_SCNTL1_AESP   0x04
54 #define LSI_SCNTL1_RST    0x08
55 #define LSI_SCNTL1_CON    0x10
56 #define LSI_SCNTL1_DHP    0x20
57 #define LSI_SCNTL1_ADB    0x40
58 #define LSI_SCNTL1_EXC    0x80
59 
60 #define LSI_SCNTL2_WSR    0x01
61 #define LSI_SCNTL2_VUE0   0x02
62 #define LSI_SCNTL2_VUE1   0x04
63 #define LSI_SCNTL2_WSS    0x08
64 #define LSI_SCNTL2_SLPHBEN 0x10
65 #define LSI_SCNTL2_SLPMD  0x20
66 #define LSI_SCNTL2_CHM    0x40
67 #define LSI_SCNTL2_SDU    0x80
68 
69 #define LSI_ISTAT0_DIP    0x01
70 #define LSI_ISTAT0_SIP    0x02
71 #define LSI_ISTAT0_INTF   0x04
72 #define LSI_ISTAT0_CON    0x08
73 #define LSI_ISTAT0_SEM    0x10
74 #define LSI_ISTAT0_SIGP   0x20
75 #define LSI_ISTAT0_SRST   0x40
76 #define LSI_ISTAT0_ABRT   0x80
77 
78 #define LSI_ISTAT1_SI     0x01
79 #define LSI_ISTAT1_SRUN   0x02
80 #define LSI_ISTAT1_FLSH   0x04
81 
82 #define LSI_SSTAT0_SDP0   0x01
83 #define LSI_SSTAT0_RST    0x02
84 #define LSI_SSTAT0_WOA    0x04
85 #define LSI_SSTAT0_LOA    0x08
86 #define LSI_SSTAT0_AIP    0x10
87 #define LSI_SSTAT0_OLF    0x20
88 #define LSI_SSTAT0_ORF    0x40
89 #define LSI_SSTAT0_ILF    0x80
90 
91 #define LSI_SIST0_PAR     0x01
92 #define LSI_SIST0_RST     0x02
93 #define LSI_SIST0_UDC     0x04
94 #define LSI_SIST0_SGE     0x08
95 #define LSI_SIST0_RSL     0x10
96 #define LSI_SIST0_SEL     0x20
97 #define LSI_SIST0_CMP     0x40
98 #define LSI_SIST0_MA      0x80
99 
100 #define LSI_SIST1_HTH     0x01
101 #define LSI_SIST1_GEN     0x02
102 #define LSI_SIST1_STO     0x04
103 #define LSI_SIST1_SBMC    0x10
104 
105 #define LSI_SOCL_IO       0x01
106 #define LSI_SOCL_CD       0x02
107 #define LSI_SOCL_MSG      0x04
108 #define LSI_SOCL_ATN      0x08
109 #define LSI_SOCL_SEL      0x10
110 #define LSI_SOCL_BSY      0x20
111 #define LSI_SOCL_ACK      0x40
112 #define LSI_SOCL_REQ      0x80
113 
114 #define LSI_DSTAT_IID     0x01
115 #define LSI_DSTAT_SIR     0x04
116 #define LSI_DSTAT_SSI     0x08
117 #define LSI_DSTAT_ABRT    0x10
118 #define LSI_DSTAT_BF      0x20
119 #define LSI_DSTAT_MDPE    0x40
120 #define LSI_DSTAT_DFE     0x80
121 
122 #define LSI_DCNTL_COM     0x01
123 #define LSI_DCNTL_IRQD    0x02
124 #define LSI_DCNTL_STD     0x04
125 #define LSI_DCNTL_IRQM    0x08
126 #define LSI_DCNTL_SSM     0x10
127 #define LSI_DCNTL_PFEN    0x20
128 #define LSI_DCNTL_PFF     0x40
129 #define LSI_DCNTL_CLSE    0x80
130 
131 #define LSI_DMODE_MAN     0x01
132 #define LSI_DMODE_BOF     0x02
133 #define LSI_DMODE_ERMP    0x04
134 #define LSI_DMODE_ERL     0x08
135 #define LSI_DMODE_DIOM    0x10
136 #define LSI_DMODE_SIOM    0x20
137 
138 #define LSI_CTEST2_DACK   0x01
139 #define LSI_CTEST2_DREQ   0x02
140 #define LSI_CTEST2_TEOP   0x04
141 #define LSI_CTEST2_PCICIE 0x08
142 #define LSI_CTEST2_CM     0x10
143 #define LSI_CTEST2_CIO    0x20
144 #define LSI_CTEST2_SIGP   0x40
145 #define LSI_CTEST2_DDIR   0x80
146 
147 #define LSI_CTEST5_BL2    0x04
148 #define LSI_CTEST5_DDIR   0x08
149 #define LSI_CTEST5_MASR   0x10
150 #define LSI_CTEST5_DFSN   0x20
151 #define LSI_CTEST5_BBCK   0x40
152 #define LSI_CTEST5_ADCK   0x80
153 
154 #define LSI_CCNTL0_DILS   0x01
155 #define LSI_CCNTL0_DISFC  0x10
156 #define LSI_CCNTL0_ENNDJ  0x20
157 #define LSI_CCNTL0_PMJCTL 0x40
158 #define LSI_CCNTL0_ENPMJ  0x80
159 
160 #define LSI_CCNTL1_EN64DBMV  0x01
161 #define LSI_CCNTL1_EN64TIBMV 0x02
162 #define LSI_CCNTL1_64TIMOD   0x04
163 #define LSI_CCNTL1_DDAC      0x08
164 #define LSI_CCNTL1_ZMOD      0x80
165 
166 #define LSI_SBCL_ATN         0x08
167 #define LSI_SBCL_BSY         0x20
168 #define LSI_SBCL_ACK         0x40
169 #define LSI_SBCL_REQ         0x80
170 
171 /* Enable Response to Reselection */
172 #define LSI_SCID_RRE      0x60
173 
174 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
175 
176 #define PHASE_DO          0
177 #define PHASE_DI          1
178 #define PHASE_CMD         2
179 #define PHASE_ST          3
180 #define PHASE_MO          6
181 #define PHASE_MI          7
182 #define PHASE_MASK        7
183 
184 /* Maximum length of MSG IN data.  */
185 #define LSI_MAX_MSGIN_LEN 8
186 
187 /* Flag set if this is a tagged command.  */
188 #define LSI_TAG_VALID     (1 << 16)
189 
190 /* Maximum instructions to process. */
191 #define LSI_MAX_INSN    10000
192 
193 typedef struct lsi_request {
194     SCSIRequest *req;
195     uint32_t tag;
196     uint32_t dma_len;
197     uint8_t *dma_buf;
198     uint32_t pending;
199     int out;
200     QTAILQ_ENTRY(lsi_request) next;
201 } lsi_request;
202 
203 enum {
204     LSI_NOWAIT, /* SCRIPTS are running or stopped */
205     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
206     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
207     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
208 };
209 
210 enum {
211     LSI_MSG_ACTION_COMMAND = 0,
212     LSI_MSG_ACTION_DISCONNECT = 1,
213     LSI_MSG_ACTION_DOUT = 2,
214     LSI_MSG_ACTION_DIN = 3,
215 };
216 
217 struct LSIState {
218     /*< private >*/
219     PCIDevice parent_obj;
220     /*< public >*/
221 
222     qemu_irq ext_irq;
223     MemoryRegion mmio_io;
224     MemoryRegion ram_io;
225     MemoryRegion io_io;
226     AddressSpace pci_io_as;
227 
228     int carry; /* ??? Should this be an a visible register somewhere?  */
229     int status;
230     int msg_action;
231     int msg_len;
232     uint8_t msg[LSI_MAX_MSGIN_LEN];
233     int waiting;
234     SCSIBus bus;
235     int current_lun;
236     /* The tag is a combination of the device ID and the SCSI tag.  */
237     uint32_t select_tag;
238     int command_complete;
239     QTAILQ_HEAD(, lsi_request) queue;
240     lsi_request *current;
241 
242     uint32_t dsa;
243     uint32_t temp;
244     uint32_t dnad;
245     uint32_t dbc;
246     uint8_t istat0;
247     uint8_t istat1;
248     uint8_t dcmd;
249     uint8_t dstat;
250     uint8_t dien;
251     uint8_t sist0;
252     uint8_t sist1;
253     uint8_t sien0;
254     uint8_t sien1;
255     uint8_t mbox0;
256     uint8_t mbox1;
257     uint8_t dfifo;
258     uint8_t ctest2;
259     uint8_t ctest3;
260     uint8_t ctest4;
261     uint8_t ctest5;
262     uint8_t ccntl0;
263     uint8_t ccntl1;
264     uint32_t dsp;
265     uint32_t dsps;
266     uint8_t dmode;
267     uint8_t dcntl;
268     uint8_t scntl0;
269     uint8_t scntl1;
270     uint8_t scntl2;
271     uint8_t scntl3;
272     uint8_t sstat0;
273     uint8_t sstat1;
274     uint8_t scid;
275     uint8_t sxfer;
276     uint8_t socl;
277     uint8_t sdid;
278     uint8_t ssid;
279     uint8_t sfbr;
280     uint8_t sbcl;
281     uint8_t stest1;
282     uint8_t stest2;
283     uint8_t stest3;
284     uint8_t sidl;
285     uint8_t stime0;
286     uint8_t respid0;
287     uint8_t respid1;
288     uint32_t mmrs;
289     uint32_t mmws;
290     uint32_t sfs;
291     uint32_t drs;
292     uint32_t sbms;
293     uint32_t dbms;
294     uint32_t dnad64;
295     uint32_t pmjad1;
296     uint32_t pmjad2;
297     uint32_t rbc;
298     uint32_t ua;
299     uint32_t ia;
300     uint32_t sbc;
301     uint32_t csbc;
302     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
303     uint8_t sbr;
304     uint32_t adder;
305 
306     uint8_t script_ram[2048 * sizeof(uint32_t)];
307 };
308 
309 #define TYPE_LSI53C810  "lsi53c810"
310 #define TYPE_LSI53C895A "lsi53c895a"
311 
312 OBJECT_DECLARE_SIMPLE_TYPE(LSIState, LSI53C895A)
313 
314 static const char *scsi_phases[] = {
315     "DOUT",
316     "DIN",
317     "CMD",
318     "STATUS",
319     "RSVOUT",
320     "RSVIN",
321     "MSGOUT",
322     "MSGIN"
323 };
324 
325 static const char *scsi_phase_name(int phase)
326 {
327     return scsi_phases[phase & PHASE_MASK];
328 }
329 
330 static inline int lsi_irq_on_rsl(LSIState *s)
331 {
332     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
333 }
334 
335 static lsi_request *get_pending_req(LSIState *s)
336 {
337     lsi_request *p;
338 
339     QTAILQ_FOREACH(p, &s->queue, next) {
340         if (p->pending) {
341             return p;
342         }
343     }
344     return NULL;
345 }
346 
347 static void lsi_soft_reset(LSIState *s)
348 {
349     trace_lsi_reset();
350     s->carry = 0;
351 
352     s->msg_action = LSI_MSG_ACTION_COMMAND;
353     s->msg_len = 0;
354     s->waiting = LSI_NOWAIT;
355     s->dsa = 0;
356     s->dnad = 0;
357     s->dbc = 0;
358     s->temp = 0;
359     memset(s->scratch, 0, sizeof(s->scratch));
360     s->istat0 = 0;
361     s->istat1 = 0;
362     s->dcmd = 0x40;
363     s->dstat = 0;
364     s->dien = 0;
365     s->sist0 = 0;
366     s->sist1 = 0;
367     s->sien0 = 0;
368     s->sien1 = 0;
369     s->mbox0 = 0;
370     s->mbox1 = 0;
371     s->dfifo = 0;
372     s->ctest2 = LSI_CTEST2_DACK;
373     s->ctest3 = 0;
374     s->ctest4 = 0;
375     s->ctest5 = 0;
376     s->ccntl0 = 0;
377     s->ccntl1 = 0;
378     s->dsp = 0;
379     s->dsps = 0;
380     s->dmode = 0;
381     s->dcntl = 0;
382     s->scntl0 = 0xc0;
383     s->scntl1 = 0;
384     s->scntl2 = 0;
385     s->scntl3 = 0;
386     s->sstat0 = 0;
387     s->sstat1 = 0;
388     s->scid = 7;
389     s->sxfer = 0;
390     s->socl = 0;
391     s->sdid = 0;
392     s->ssid = 0;
393     s->sbcl = 0;
394     s->stest1 = 0;
395     s->stest2 = 0;
396     s->stest3 = 0;
397     s->sidl = 0;
398     s->stime0 = 0;
399     s->respid0 = 0x80;
400     s->respid1 = 0;
401     s->mmrs = 0;
402     s->mmws = 0;
403     s->sfs = 0;
404     s->drs = 0;
405     s->sbms = 0;
406     s->dbms = 0;
407     s->dnad64 = 0;
408     s->pmjad1 = 0;
409     s->pmjad2 = 0;
410     s->rbc = 0;
411     s->ua = 0;
412     s->ia = 0;
413     s->sbc = 0;
414     s->csbc = 0;
415     s->sbr = 0;
416     assert(QTAILQ_EMPTY(&s->queue));
417     assert(!s->current);
418 }
419 
420 static int lsi_dma_40bit(LSIState *s)
421 {
422     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
423         return 1;
424     return 0;
425 }
426 
427 static int lsi_dma_ti64bit(LSIState *s)
428 {
429     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
430         return 1;
431     return 0;
432 }
433 
434 static int lsi_dma_64bit(LSIState *s)
435 {
436     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
437         return 1;
438     return 0;
439 }
440 
441 static uint8_t lsi_reg_readb(LSIState *s, int offset);
442 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
443 static void lsi_execute_script(LSIState *s);
444 static void lsi_reselect(LSIState *s, lsi_request *p);
445 
446 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
447                                void *buf, dma_addr_t len)
448 {
449     if (s->dmode & LSI_DMODE_SIOM) {
450         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
451                            buf, len);
452     } else {
453         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
454     }
455 }
456 
457 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
458                                 const void *buf, dma_addr_t len)
459 {
460     if (s->dmode & LSI_DMODE_DIOM) {
461         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
462                             buf, len);
463     } else {
464         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
465     }
466 }
467 
468 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
469 {
470     uint32_t buf;
471 
472     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
473     return cpu_to_le32(buf);
474 }
475 
476 static void lsi_stop_script(LSIState *s)
477 {
478     s->istat1 &= ~LSI_ISTAT1_SRUN;
479 }
480 
481 static void lsi_set_irq(LSIState *s, int level)
482 {
483     PCIDevice *d = PCI_DEVICE(s);
484 
485     if (s->ext_irq) {
486         qemu_set_irq(s->ext_irq, level);
487     } else {
488         pci_set_irq(d, level);
489     }
490 }
491 
492 static void lsi_update_irq(LSIState *s)
493 {
494     int level;
495     static int last_level;
496 
497     /* It's unclear whether the DIP/SIP bits should be cleared when the
498        Interrupt Status Registers are cleared or when istat0 is read.
499        We currently do the formwer, which seems to work.  */
500     level = 0;
501     if (s->dstat) {
502         if (s->dstat & s->dien)
503             level = 1;
504         s->istat0 |= LSI_ISTAT0_DIP;
505     } else {
506         s->istat0 &= ~LSI_ISTAT0_DIP;
507     }
508 
509     if (s->sist0 || s->sist1) {
510         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
511             level = 1;
512         s->istat0 |= LSI_ISTAT0_SIP;
513     } else {
514         s->istat0 &= ~LSI_ISTAT0_SIP;
515     }
516     if (s->istat0 & LSI_ISTAT0_INTF)
517         level = 1;
518 
519     if (level != last_level) {
520         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
521         last_level = level;
522     }
523     lsi_set_irq(s, level);
524 
525     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
526         lsi_request *p;
527 
528         trace_lsi_update_irq_disconnected();
529         p = get_pending_req(s);
530         if (p) {
531             lsi_reselect(s, p);
532         }
533     }
534 }
535 
536 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
537 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
538 {
539     uint32_t mask0;
540     uint32_t mask1;
541 
542     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
543     s->sist0 |= stat0;
544     s->sist1 |= stat1;
545     /* Stop processor on fatal or unmasked interrupt.  As a special hack
546        we don't stop processing when raising STO.  Instead continue
547        execution and stop at the next insn that accesses the SCSI bus.  */
548     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
549     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
550     mask1 &= ~LSI_SIST1_STO;
551     if (s->sist0 & mask0 || s->sist1 & mask1) {
552         lsi_stop_script(s);
553     }
554     lsi_update_irq(s);
555 }
556 
557 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
558 static void lsi_script_dma_interrupt(LSIState *s, int stat)
559 {
560     trace_lsi_script_dma_interrupt(stat, s->dstat);
561     s->dstat |= stat;
562     lsi_update_irq(s);
563     lsi_stop_script(s);
564 }
565 
566 static inline void lsi_set_phase(LSIState *s, int phase)
567 {
568     s->sbcl &= ~PHASE_MASK;
569     s->sbcl |= phase | LSI_SBCL_REQ;
570     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
571 }
572 
573 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
574 {
575     /* Trigger a phase mismatch.  */
576     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
577         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
578             s->dsp = out ? s->pmjad1 : s->pmjad2;
579         } else {
580             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
581         }
582         trace_lsi_bad_phase_jump(s->dsp);
583     } else {
584         trace_lsi_bad_phase_interrupt();
585         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
586         lsi_stop_script(s);
587     }
588     lsi_set_phase(s, new_phase);
589 }
590 
591 
592 /* Resume SCRIPTS execution after a DMA operation.  */
593 static void lsi_resume_script(LSIState *s)
594 {
595     if (s->waiting != 2) {
596         s->waiting = LSI_NOWAIT;
597         lsi_execute_script(s);
598     } else {
599         s->waiting = LSI_NOWAIT;
600     }
601 }
602 
603 static void lsi_disconnect(LSIState *s)
604 {
605     s->scntl1 &= ~LSI_SCNTL1_CON;
606     s->sstat1 &= ~PHASE_MASK;
607     s->sbcl = 0;
608 }
609 
610 static void lsi_bad_selection(LSIState *s, uint32_t id)
611 {
612     trace_lsi_bad_selection(id);
613     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
614     lsi_disconnect(s);
615 }
616 
617 /* Initiate a SCSI layer data transfer.  */
618 static void lsi_do_dma(LSIState *s, int out)
619 {
620     uint32_t count;
621     dma_addr_t addr;
622     SCSIDevice *dev;
623 
624     if (!s->current || !s->current->dma_len) {
625         /* Wait until data is available.  */
626         trace_lsi_do_dma_unavailable();
627         return;
628     }
629 
630     dev = s->current->req->dev;
631     assert(dev);
632 
633     count = s->dbc;
634     if (count > s->current->dma_len)
635         count = s->current->dma_len;
636 
637     addr = s->dnad;
638     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
639     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
640         addr |= ((uint64_t)s->dnad64 << 32);
641     else if (s->dbms)
642         addr |= ((uint64_t)s->dbms << 32);
643     else if (s->sbms)
644         addr |= ((uint64_t)s->sbms << 32);
645 
646     trace_lsi_do_dma(addr, count);
647     s->csbc += count;
648     s->dnad += count;
649     s->dbc -= count;
650      if (s->current->dma_buf == NULL) {
651         s->current->dma_buf = scsi_req_get_buf(s->current->req);
652     }
653     /* ??? Set SFBR to first data byte.  */
654     if (out) {
655         lsi_mem_read(s, addr, s->current->dma_buf, count);
656     } else {
657         lsi_mem_write(s, addr, s->current->dma_buf, count);
658     }
659     s->current->dma_len -= count;
660     if (s->current->dma_len == 0) {
661         s->current->dma_buf = NULL;
662         scsi_req_continue(s->current->req);
663     } else {
664         s->current->dma_buf += count;
665         lsi_resume_script(s);
666     }
667 }
668 
669 
670 /* Add a command to the queue.  */
671 static void lsi_queue_command(LSIState *s)
672 {
673     lsi_request *p = s->current;
674 
675     trace_lsi_queue_command(p->tag);
676     assert(s->current != NULL);
677     assert(s->current->dma_len == 0);
678     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
679     s->current = NULL;
680 
681     p->pending = 0;
682     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
683 }
684 
685 /* Queue a byte for a MSG IN phase.  */
686 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
687 {
688     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
689         trace_lsi_add_msg_byte_error();
690     } else {
691         trace_lsi_add_msg_byte(data);
692         s->msg[s->msg_len++] = data;
693     }
694 }
695 
696 /* Perform reselection to continue a command.  */
697 static void lsi_reselect(LSIState *s, lsi_request *p)
698 {
699     int id;
700 
701     assert(s->current == NULL);
702     QTAILQ_REMOVE(&s->queue, p, next);
703     s->current = p;
704 
705     id = (p->tag >> 8) & 0xf;
706     s->ssid = id | 0x80;
707     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
708     if (!(s->dcntl & LSI_DCNTL_COM)) {
709         s->sfbr = 1 << (id & 0x7);
710     }
711     trace_lsi_reselect(id);
712     s->scntl1 |= LSI_SCNTL1_CON;
713     lsi_set_phase(s, PHASE_MI);
714     s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
715     s->current->dma_len = p->pending;
716     lsi_add_msg_byte(s, 0x80);
717     if (s->current->tag & LSI_TAG_VALID) {
718         lsi_add_msg_byte(s, 0x20);
719         lsi_add_msg_byte(s, p->tag & 0xff);
720     }
721 
722     if (lsi_irq_on_rsl(s)) {
723         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
724     }
725 }
726 
727 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
728 {
729     lsi_request *p;
730 
731     QTAILQ_FOREACH(p, &s->queue, next) {
732         if (p->tag == tag) {
733             return p;
734         }
735     }
736 
737     return NULL;
738 }
739 
740 static void lsi_request_free(LSIState *s, lsi_request *p)
741 {
742     if (p == s->current) {
743         s->current = NULL;
744     } else {
745         QTAILQ_REMOVE(&s->queue, p, next);
746     }
747     g_free(p);
748 }
749 
750 static void lsi_request_cancelled(SCSIRequest *req)
751 {
752     LSIState *s = LSI53C895A(req->bus->qbus.parent);
753     lsi_request *p = req->hba_private;
754 
755     req->hba_private = NULL;
756     lsi_request_free(s, p);
757     scsi_req_unref(req);
758 }
759 
760 /* Record that data is available for a queued command.  Returns zero if
761    the device was reselected, nonzero if the IO is deferred.  */
762 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
763 {
764     lsi_request *p = req->hba_private;
765 
766     if (p->pending) {
767         trace_lsi_queue_req_error(p);
768     }
769     p->pending = len;
770     /* Reselect if waiting for it, or if reselection triggers an IRQ
771        and the bus is free.
772        Since no interrupt stacking is implemented in the emulation, it
773        is also required that there are no pending interrupts waiting
774        for service from the device driver. */
775     if (s->waiting == LSI_WAIT_RESELECT ||
776         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
777          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
778         /* Reselect device.  */
779         lsi_reselect(s, p);
780         return 0;
781     } else {
782         trace_lsi_queue_req(p->tag);
783         p->pending = len;
784         return 1;
785     }
786 }
787 
788  /* Callback to indicate that the SCSI layer has completed a command.  */
789 static void lsi_command_complete(SCSIRequest *req, size_t resid)
790 {
791     LSIState *s = LSI53C895A(req->bus->qbus.parent);
792     int out;
793 
794     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
795     trace_lsi_command_complete(req->status);
796     s->status = req->status;
797     s->command_complete = 2;
798     if (s->waiting && s->dbc != 0) {
799         /* Raise phase mismatch for short transfers.  */
800         lsi_bad_phase(s, out, PHASE_ST);
801     } else {
802         lsi_set_phase(s, PHASE_ST);
803     }
804 
805     if (req->hba_private == s->current) {
806         req->hba_private = NULL;
807         lsi_request_free(s, s->current);
808         scsi_req_unref(req);
809     }
810     lsi_resume_script(s);
811 }
812 
813  /* Callback to indicate that the SCSI layer has completed a transfer.  */
814 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
815 {
816     LSIState *s = LSI53C895A(req->bus->qbus.parent);
817     int out;
818 
819     assert(req->hba_private);
820     if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
821         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
822         if (lsi_queue_req(s, req, len)) {
823             return;
824         }
825     }
826 
827     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
828 
829     /* host adapter (re)connected */
830     trace_lsi_transfer_data(req->tag, len);
831     s->current->dma_len = len;
832     s->command_complete = 1;
833     if (s->waiting) {
834         if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
835             lsi_resume_script(s);
836         } else {
837             lsi_do_dma(s, out);
838         }
839     }
840 }
841 
842 static void lsi_do_command(LSIState *s)
843 {
844     SCSIDevice *dev;
845     uint8_t buf[16];
846     uint32_t id;
847     int n;
848 
849     trace_lsi_do_command(s->dbc);
850     if (s->dbc > 16)
851         s->dbc = 16;
852     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
853     s->sfbr = buf[0];
854     s->command_complete = 0;
855 
856     id = (s->select_tag >> 8) & 0xf;
857     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
858     if (!dev) {
859         lsi_bad_selection(s, id);
860         return;
861     }
862 
863     assert(s->current == NULL);
864     s->current = g_new0(lsi_request, 1);
865     s->current->tag = s->select_tag;
866     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
867                                    s->dbc, s->current);
868 
869     n = scsi_req_enqueue(s->current->req);
870     if (n) {
871         if (n > 0) {
872             lsi_set_phase(s, PHASE_DI);
873         } else if (n < 0) {
874             lsi_set_phase(s, PHASE_DO);
875         }
876         scsi_req_continue(s->current->req);
877     }
878     if (!s->command_complete) {
879         if (n) {
880             /* Command did not complete immediately so disconnect.  */
881             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
882             lsi_add_msg_byte(s, 4); /* DISCONNECT */
883             /* wait data */
884             lsi_set_phase(s, PHASE_MI);
885             s->msg_action = LSI_MSG_ACTION_DISCONNECT;
886             lsi_queue_command(s);
887         } else {
888             /* wait command complete */
889             lsi_set_phase(s, PHASE_DI);
890         }
891     }
892 }
893 
894 static void lsi_do_status(LSIState *s)
895 {
896     uint8_t status;
897     trace_lsi_do_status(s->dbc, s->status);
898     if (s->dbc != 1) {
899         trace_lsi_do_status_error();
900     }
901     s->dbc = 1;
902     status = s->status;
903     s->sfbr = status;
904     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
905     lsi_set_phase(s, PHASE_MI);
906     s->msg_action = LSI_MSG_ACTION_DISCONNECT;
907     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
908 }
909 
910 static void lsi_do_msgin(LSIState *s)
911 {
912     uint8_t len;
913     trace_lsi_do_msgin(s->dbc, s->msg_len);
914     s->sfbr = s->msg[0];
915     len = s->msg_len;
916     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
917     if (len > s->dbc)
918         len = s->dbc;
919     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
920     /* Linux drivers rely on the last byte being in the SIDL.  */
921     s->sidl = s->msg[len - 1];
922     s->msg_len -= len;
923     if (s->msg_len) {
924         memmove(s->msg, s->msg + len, s->msg_len);
925     } else {
926         /* ??? Check if ATN (not yet implemented) is asserted and maybe
927            switch to PHASE_MO.  */
928         switch (s->msg_action) {
929         case LSI_MSG_ACTION_COMMAND:
930             lsi_set_phase(s, PHASE_CMD);
931             break;
932         case LSI_MSG_ACTION_DISCONNECT:
933             lsi_disconnect(s);
934             break;
935         case LSI_MSG_ACTION_DOUT:
936             lsi_set_phase(s, PHASE_DO);
937             break;
938         case LSI_MSG_ACTION_DIN:
939             lsi_set_phase(s, PHASE_DI);
940             break;
941         default:
942             abort();
943         }
944     }
945 }
946 
947 /* Read the next byte during a MSGOUT phase.  */
948 static uint8_t lsi_get_msgbyte(LSIState *s)
949 {
950     uint8_t data;
951     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
952     s->dnad++;
953     s->dbc--;
954     return data;
955 }
956 
957 /* Skip the next n bytes during a MSGOUT phase. */
958 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
959 {
960     s->dnad += n;
961     s->dbc  -= n;
962 }
963 
964 static void lsi_do_msgout(LSIState *s)
965 {
966     uint8_t msg;
967     int len;
968     uint32_t current_tag;
969     lsi_request *current_req, *p, *p_next;
970 
971     if (s->current) {
972         current_tag = s->current->tag;
973         current_req = s->current;
974     } else {
975         current_tag = s->select_tag;
976         current_req = lsi_find_by_tag(s, current_tag);
977     }
978 
979     trace_lsi_do_msgout(s->dbc);
980     while (s->dbc) {
981         msg = lsi_get_msgbyte(s);
982         s->sfbr = msg;
983 
984         switch (msg) {
985         case 0x04:
986             trace_lsi_do_msgout_disconnect();
987             lsi_disconnect(s);
988             break;
989         case 0x08:
990             trace_lsi_do_msgout_noop();
991             lsi_set_phase(s, PHASE_CMD);
992             break;
993         case 0x01:
994             len = lsi_get_msgbyte(s);
995             msg = lsi_get_msgbyte(s);
996             (void)len; /* avoid a warning about unused variable*/
997             trace_lsi_do_msgout_extended(msg, len);
998             switch (msg) {
999             case 1:
1000                 trace_lsi_do_msgout_ignored("SDTR");
1001                 lsi_skip_msgbytes(s, 2);
1002                 break;
1003             case 3:
1004                 trace_lsi_do_msgout_ignored("WDTR");
1005                 lsi_skip_msgbytes(s, 1);
1006                 break;
1007             case 4:
1008                 trace_lsi_do_msgout_ignored("PPR");
1009                 lsi_skip_msgbytes(s, 5);
1010                 break;
1011             default:
1012                 goto bad;
1013             }
1014             break;
1015         case 0x20: /* SIMPLE queue */
1016             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1017             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1018             break;
1019         case 0x21: /* HEAD of queue */
1020             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1021             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1022             break;
1023         case 0x22: /* ORDERED queue */
1024             qemu_log_mask(LOG_UNIMP,
1025                           "lsi_scsi: ORDERED queue not implemented\n");
1026             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1027             break;
1028         case 0x0d:
1029             /* The ABORT TAG message clears the current I/O process only. */
1030             trace_lsi_do_msgout_abort(current_tag);
1031             if (current_req && current_req->req) {
1032                 scsi_req_cancel(current_req->req);
1033                 current_req = NULL;
1034             }
1035             lsi_disconnect(s);
1036             break;
1037         case 0x06:
1038         case 0x0e:
1039         case 0x0c:
1040             /* The ABORT message clears all I/O processes for the selecting
1041                initiator on the specified logical unit of the target. */
1042             if (msg == 0x06) {
1043                 trace_lsi_do_msgout_abort(current_tag);
1044             }
1045             /* The CLEAR QUEUE message clears all I/O processes for all
1046                initiators on the specified logical unit of the target. */
1047             if (msg == 0x0e) {
1048                 trace_lsi_do_msgout_clearqueue(current_tag);
1049             }
1050             /* The BUS DEVICE RESET message clears all I/O processes for all
1051                initiators on all logical units of the target. */
1052             if (msg == 0x0c) {
1053                 trace_lsi_do_msgout_busdevicereset(current_tag);
1054             }
1055 
1056             /* clear the current I/O process */
1057             if (s->current) {
1058                 scsi_req_cancel(s->current->req);
1059                 current_req = NULL;
1060             }
1061 
1062             /* As the current implemented devices scsi_disk and scsi_generic
1063                only support one LUN, we don't need to keep track of LUNs.
1064                Clearing I/O processes for other initiators could be possible
1065                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1066                device, but this is currently not implemented (and seems not
1067                to be really necessary). So let's simply clear all queued
1068                commands for the current device: */
1069             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1070                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1071                     scsi_req_cancel(p->req);
1072                 }
1073             }
1074 
1075             lsi_disconnect(s);
1076             break;
1077         default:
1078             if ((msg & 0x80) == 0) {
1079                 goto bad;
1080             }
1081             s->current_lun = msg & 7;
1082             trace_lsi_do_msgout_select(s->current_lun);
1083             lsi_set_phase(s, PHASE_CMD);
1084             break;
1085         }
1086     }
1087     return;
1088 bad:
1089     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1090     lsi_set_phase(s, PHASE_MI);
1091     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1092     s->msg_action = LSI_MSG_ACTION_COMMAND;
1093 }
1094 
1095 #define LSI_BUF_SIZE 4096
1096 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1097 {
1098     int n;
1099     uint8_t buf[LSI_BUF_SIZE];
1100 
1101     trace_lsi_memcpy(dest, src, count);
1102     while (count) {
1103         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1104         lsi_mem_read(s, src, buf, n);
1105         lsi_mem_write(s, dest, buf, n);
1106         src += n;
1107         dest += n;
1108         count -= n;
1109     }
1110 }
1111 
1112 static void lsi_wait_reselect(LSIState *s)
1113 {
1114     lsi_request *p;
1115 
1116     trace_lsi_wait_reselect();
1117 
1118     if (s->current) {
1119         return;
1120     }
1121     p = get_pending_req(s);
1122     if (p) {
1123         lsi_reselect(s, p);
1124     }
1125     if (s->current == NULL) {
1126         s->waiting = LSI_WAIT_RESELECT;
1127     }
1128 }
1129 
1130 static void lsi_execute_script(LSIState *s)
1131 {
1132     PCIDevice *pci_dev = PCI_DEVICE(s);
1133     uint32_t insn;
1134     uint32_t addr, addr_high;
1135     int opcode;
1136     int insn_processed = 0;
1137     static int reentrancy_level;
1138 
1139     reentrancy_level++;
1140 
1141     s->istat1 |= LSI_ISTAT1_SRUN;
1142 again:
1143     /*
1144      * Some windows drivers make the device spin waiting for a memory location
1145      * to change. If we have executed more than LSI_MAX_INSN instructions then
1146      * assume this is the case and force an unexpected device disconnect. This
1147      * is apparently sufficient to beat the drivers into submission.
1148      *
1149      * Another issue (CVE-2023-0330) can occur if the script is programmed to
1150      * trigger itself again and again. Avoid this problem by stopping after
1151      * being called multiple times in a reentrant way (8 is an arbitrary value
1152      * which should be enough for all valid use cases).
1153      */
1154     if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
1155         if (!(s->sien0 & LSI_SIST0_UDC)) {
1156             qemu_log_mask(LOG_GUEST_ERROR,
1157                           "lsi_scsi: inf. loop with UDC masked");
1158         }
1159         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1160         lsi_disconnect(s);
1161         trace_lsi_execute_script_stop();
1162         reentrancy_level--;
1163         return;
1164     }
1165     insn = read_dword(s, s->dsp);
1166     if (!insn) {
1167         /* If we receive an empty opcode increment the DSP by 4 bytes
1168            instead of 8 and execute the next opcode at that location */
1169         s->dsp += 4;
1170         goto again;
1171     }
1172     addr = read_dword(s, s->dsp + 4);
1173     addr_high = 0;
1174     trace_lsi_execute_script(s->dsp, insn, addr);
1175     s->dsps = addr;
1176     s->dcmd = insn >> 24;
1177     s->dsp += 8;
1178     switch (insn >> 30) {
1179     case 0: /* Block move.  */
1180         if (s->sist1 & LSI_SIST1_STO) {
1181             trace_lsi_execute_script_blockmove_delayed();
1182             lsi_stop_script(s);
1183             break;
1184         }
1185         s->dbc = insn & 0xffffff;
1186         s->rbc = s->dbc;
1187         /* ??? Set ESA.  */
1188         s->ia = s->dsp - 8;
1189         if (insn & (1 << 29)) {
1190             /* Indirect addressing.  */
1191             addr = read_dword(s, addr);
1192         } else if (insn & (1 << 28)) {
1193             uint32_t buf[2];
1194             int32_t offset;
1195             /* Table indirect addressing.  */
1196 
1197             /* 32-bit Table indirect */
1198             offset = sextract32(addr, 0, 24);
1199             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1200             /* byte count is stored in bits 0:23 only */
1201             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1202             s->rbc = s->dbc;
1203             addr = cpu_to_le32(buf[1]);
1204 
1205             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1206              * table, bits [31:24] */
1207             if (lsi_dma_40bit(s))
1208                 addr_high = cpu_to_le32(buf[0]) >> 24;
1209             else if (lsi_dma_ti64bit(s)) {
1210                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1211                 switch (selector) {
1212                 case 0 ... 0x0f:
1213                     /* offset index into scratch registers since
1214                      * TI64 mode can use registers C to R */
1215                     addr_high = s->scratch[2 + selector];
1216                     break;
1217                 case 0x10:
1218                     addr_high = s->mmrs;
1219                     break;
1220                 case 0x11:
1221                     addr_high = s->mmws;
1222                     break;
1223                 case 0x12:
1224                     addr_high = s->sfs;
1225                     break;
1226                 case 0x13:
1227                     addr_high = s->drs;
1228                     break;
1229                 case 0x14:
1230                     addr_high = s->sbms;
1231                     break;
1232                 case 0x15:
1233                     addr_high = s->dbms;
1234                     break;
1235                 default:
1236                     qemu_log_mask(LOG_GUEST_ERROR,
1237                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1238                           "for 64-bit DMA block move", selector);
1239                     break;
1240                 }
1241             }
1242         } else if (lsi_dma_64bit(s)) {
1243             /* fetch a 3rd dword if 64-bit direct move is enabled and
1244                only if we're not doing table indirect or indirect addressing */
1245             s->dbms = read_dword(s, s->dsp);
1246             s->dsp += 4;
1247             s->ia = s->dsp - 12;
1248         }
1249         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1250             trace_lsi_execute_script_blockmove_badphase(
1251                     scsi_phase_name(s->sstat1),
1252                     scsi_phase_name(insn >> 24));
1253             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1254             break;
1255         }
1256         s->dnad = addr;
1257         s->dnad64 = addr_high;
1258         switch (s->sstat1 & 0x7) {
1259         case PHASE_DO:
1260             s->waiting = LSI_DMA_SCRIPTS;
1261             lsi_do_dma(s, 1);
1262             if (s->waiting)
1263                 s->waiting = LSI_DMA_IN_PROGRESS;
1264             break;
1265         case PHASE_DI:
1266             s->waiting = LSI_DMA_SCRIPTS;
1267             lsi_do_dma(s, 0);
1268             if (s->waiting)
1269                 s->waiting = LSI_DMA_IN_PROGRESS;
1270             break;
1271         case PHASE_CMD:
1272             lsi_do_command(s);
1273             break;
1274         case PHASE_ST:
1275             lsi_do_status(s);
1276             break;
1277         case PHASE_MO:
1278             lsi_do_msgout(s);
1279             break;
1280         case PHASE_MI:
1281             lsi_do_msgin(s);
1282             break;
1283         default:
1284             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1285                           scsi_phase_name(s->sstat1));
1286         }
1287         s->dfifo = s->dbc & 0xff;
1288         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1289         s->sbc = s->dbc;
1290         s->rbc -= s->dbc;
1291         s->ua = addr + s->dbc;
1292         break;
1293 
1294     case 1: /* IO or Read/Write instruction.  */
1295         opcode = (insn >> 27) & 7;
1296         if (opcode < 5) {
1297             uint32_t id;
1298 
1299             if (insn & (1 << 25)) {
1300                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1301             } else {
1302                 id = insn;
1303             }
1304             id = (id >> 16) & 0xf;
1305             if (insn & (1 << 26)) {
1306                 addr = s->dsp + sextract32(addr, 0, 24);
1307             }
1308             s->dnad = addr;
1309             switch (opcode) {
1310             case 0: /* Select */
1311                 s->sdid = id;
1312                 if (s->scntl1 & LSI_SCNTL1_CON) {
1313                     trace_lsi_execute_script_io_alreadyreselected();
1314                     s->dsp = s->dnad;
1315                     break;
1316                 }
1317                 s->sstat0 |= LSI_SSTAT0_WOA;
1318                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1319                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1320                     lsi_bad_selection(s, id);
1321                     break;
1322                 }
1323                 trace_lsi_execute_script_io_selected(id,
1324                                              insn & (1 << 3) ? " ATN" : "");
1325                 /* ??? Linux drivers complain when this is set.  Maybe
1326                    it only applies in low-level mode (unimplemented).
1327                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1328                 s->select_tag = id << 8;
1329                 s->scntl1 |= LSI_SCNTL1_CON;
1330                 if (insn & (1 << 3)) {
1331                     s->socl |= LSI_SOCL_ATN;
1332                     s->sbcl |= LSI_SBCL_ATN;
1333                 }
1334                 s->sbcl |= LSI_SBCL_BSY;
1335                 lsi_set_phase(s, PHASE_MO);
1336                 s->waiting = LSI_NOWAIT;
1337                 break;
1338             case 1: /* Disconnect */
1339                 trace_lsi_execute_script_io_disconnect();
1340                 s->scntl1 &= ~LSI_SCNTL1_CON;
1341                 /* FIXME: this is not entirely correct; the target need not ask
1342                  * for reselection until it has to send data, while here we force a
1343                  * reselection as soon as the bus is free.  The correct flow would
1344                  * reselect before lsi_transfer_data and disconnect as soon as
1345                  * DMA ends.
1346                  */
1347                 if (!s->current) {
1348                     lsi_request *p = get_pending_req(s);
1349                     if (p) {
1350                         lsi_reselect(s, p);
1351                     }
1352                 }
1353                 break;
1354             case 2: /* Wait Reselect */
1355                 if (s->istat0 & LSI_ISTAT0_SIGP) {
1356                     s->dsp = s->dnad;
1357                 } else if (!lsi_irq_on_rsl(s)) {
1358                         lsi_wait_reselect(s);
1359                 }
1360                 break;
1361             case 3: /* Set */
1362                 trace_lsi_execute_script_io_set(
1363                         insn & (1 << 3) ? " ATN" : "",
1364                         insn & (1 << 6) ? " ACK" : "",
1365                         insn & (1 << 9) ? " TM" : "",
1366                         insn & (1 << 10) ? " CC" : "");
1367                 if (insn & (1 << 3)) {
1368                     s->socl |= LSI_SOCL_ATN;
1369                     s->sbcl |= LSI_SBCL_ATN;
1370                     lsi_set_phase(s, PHASE_MO);
1371                 }
1372 
1373                 if (insn & (1 << 6)) {
1374                     s->sbcl |= LSI_SBCL_ACK;
1375                 }
1376 
1377                 if (insn & (1 << 9)) {
1378                     qemu_log_mask(LOG_UNIMP,
1379                         "lsi_scsi: Target mode not implemented\n");
1380                 }
1381                 if (insn & (1 << 10))
1382                     s->carry = 1;
1383                 break;
1384             case 4: /* Clear */
1385                 trace_lsi_execute_script_io_clear(
1386                         insn & (1 << 3) ? " ATN" : "",
1387                         insn & (1 << 6) ? " ACK" : "",
1388                         insn & (1 << 9) ? " TM" : "",
1389                         insn & (1 << 10) ? " CC" : "");
1390                 if (insn & (1 << 3)) {
1391                     s->socl &= ~LSI_SOCL_ATN;
1392                     s->sbcl &= ~LSI_SBCL_ATN;
1393                 }
1394 
1395                 if (insn & (1 << 6)) {
1396                     s->sbcl &= ~LSI_SBCL_ACK;
1397                 }
1398 
1399                 if (insn & (1 << 10))
1400                     s->carry = 0;
1401                 break;
1402             }
1403         } else {
1404             uint8_t op0;
1405             uint8_t op1;
1406             uint8_t data8;
1407             int reg;
1408             int operator;
1409 
1410             static const char *opcode_names[3] =
1411                 {"Write", "Read", "Read-Modify-Write"};
1412             static const char *operator_names[8] =
1413                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1414 
1415             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1416             data8 = (insn >> 8) & 0xff;
1417             opcode = (insn >> 27) & 7;
1418             operator = (insn >> 24) & 7;
1419             trace_lsi_execute_script_io_opcode(
1420                     opcode_names[opcode - 5], reg,
1421                     operator_names[operator], data8, s->sfbr,
1422                     (insn & (1 << 23)) ? " SFBR" : "");
1423             op0 = op1 = 0;
1424             switch (opcode) {
1425             case 5: /* From SFBR */
1426                 op0 = s->sfbr;
1427                 op1 = data8;
1428                 break;
1429             case 6: /* To SFBR */
1430                 if (operator)
1431                     op0 = lsi_reg_readb(s, reg);
1432                 op1 = data8;
1433                 break;
1434             case 7: /* Read-modify-write */
1435                 if (operator)
1436                     op0 = lsi_reg_readb(s, reg);
1437                 if (insn & (1 << 23)) {
1438                     op1 = s->sfbr;
1439                 } else {
1440                     op1 = data8;
1441                 }
1442                 break;
1443             }
1444 
1445             switch (operator) {
1446             case 0: /* move */
1447                 op0 = op1;
1448                 break;
1449             case 1: /* Shift left */
1450                 op1 = op0 >> 7;
1451                 op0 = (op0 << 1) | s->carry;
1452                 s->carry = op1;
1453                 break;
1454             case 2: /* OR */
1455                 op0 |= op1;
1456                 break;
1457             case 3: /* XOR */
1458                 op0 ^= op1;
1459                 break;
1460             case 4: /* AND */
1461                 op0 &= op1;
1462                 break;
1463             case 5: /* SHR */
1464                 op1 = op0 & 1;
1465                 op0 = (op0 >> 1) | (s->carry << 7);
1466                 s->carry = op1;
1467                 break;
1468             case 6: /* ADD */
1469                 op0 += op1;
1470                 s->carry = op0 < op1;
1471                 break;
1472             case 7: /* ADC */
1473                 op0 += op1 + s->carry;
1474                 if (s->carry)
1475                     s->carry = op0 <= op1;
1476                 else
1477                     s->carry = op0 < op1;
1478                 break;
1479             }
1480 
1481             switch (opcode) {
1482             case 5: /* From SFBR */
1483             case 7: /* Read-modify-write */
1484                 lsi_reg_writeb(s, reg, op0);
1485                 break;
1486             case 6: /* To SFBR */
1487                 s->sfbr = op0;
1488                 break;
1489             }
1490         }
1491         break;
1492 
1493     case 2: /* Transfer Control.  */
1494         {
1495             int cond;
1496             int jmp;
1497 
1498             if ((insn & 0x002e0000) == 0) {
1499                 trace_lsi_execute_script_tc_nop();
1500                 break;
1501             }
1502             if (s->sist1 & LSI_SIST1_STO) {
1503                 trace_lsi_execute_script_tc_delayedselect_timeout();
1504                 lsi_stop_script(s);
1505                 break;
1506             }
1507             cond = jmp = (insn & (1 << 19)) != 0;
1508             if (cond == jmp && (insn & (1 << 21))) {
1509                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1510                 cond = s->carry != 0;
1511             }
1512             if (cond == jmp && (insn & (1 << 17))) {
1513                 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1514                         jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1515                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1516             }
1517             if (cond == jmp && (insn & (1 << 18))) {
1518                 uint8_t mask;
1519 
1520                 mask = (~insn >> 8) & 0xff;
1521                 trace_lsi_execute_script_tc_compd(
1522                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1523                 cond = (s->sfbr & mask) == (insn & mask);
1524             }
1525             if (cond == jmp) {
1526                 if (insn & (1 << 23)) {
1527                     /* Relative address.  */
1528                     addr = s->dsp + sextract32(addr, 0, 24);
1529                 }
1530                 switch ((insn >> 27) & 7) {
1531                 case 0: /* Jump */
1532                     trace_lsi_execute_script_tc_jump(addr);
1533                     s->adder = addr;
1534                     s->dsp = addr;
1535                     break;
1536                 case 1: /* Call */
1537                     trace_lsi_execute_script_tc_call(addr);
1538                     s->temp = s->dsp;
1539                     s->dsp = addr;
1540                     break;
1541                 case 2: /* Return */
1542                     trace_lsi_execute_script_tc_return(s->temp);
1543                     s->dsp = s->temp;
1544                     break;
1545                 case 3: /* Interrupt */
1546                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1547                     if ((insn & (1 << 20)) != 0) {
1548                         s->istat0 |= LSI_ISTAT0_INTF;
1549                         lsi_update_irq(s);
1550                     } else {
1551                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1552                     }
1553                     break;
1554                 default:
1555                     trace_lsi_execute_script_tc_illegal();
1556                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1557                     break;
1558                 }
1559             } else {
1560                 trace_lsi_execute_script_tc_cc_failed();
1561             }
1562         }
1563         break;
1564 
1565     case 3:
1566         if ((insn & (1 << 29)) == 0) {
1567             /* Memory move.  */
1568             uint32_t dest;
1569             /* ??? The docs imply the destination address is loaded into
1570                the TEMP register.  However the Linux drivers rely on
1571                the value being presrved.  */
1572             dest = read_dword(s, s->dsp);
1573             s->dsp += 4;
1574             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1575         } else {
1576             uint8_t data[7];
1577             int reg;
1578             int n;
1579             int i;
1580 
1581             if (insn & (1 << 28)) {
1582                 addr = s->dsa + sextract32(addr, 0, 24);
1583             }
1584             n = (insn & 7);
1585             reg = (insn >> 16) & 0xff;
1586             if (insn & (1 << 24)) {
1587                 pci_dma_read(pci_dev, addr, data, n);
1588                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1589                 for (i = 0; i < n; i++) {
1590                     lsi_reg_writeb(s, reg + i, data[i]);
1591                 }
1592             } else {
1593                 trace_lsi_execute_script_mm_store(reg, n, addr);
1594                 for (i = 0; i < n; i++) {
1595                     data[i] = lsi_reg_readb(s, reg + i);
1596                 }
1597                 pci_dma_write(pci_dev, addr, data, n);
1598             }
1599         }
1600     }
1601     if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1602         if (s->dcntl & LSI_DCNTL_SSM) {
1603             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1604         } else {
1605             goto again;
1606         }
1607     }
1608     trace_lsi_execute_script_stop();
1609 
1610     reentrancy_level--;
1611 }
1612 
1613 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1614 {
1615     uint8_t ret;
1616 
1617 #define CASE_GET_REG24(name, addr) \
1618     case addr: ret = s->name & 0xff; break; \
1619     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1620     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1621 
1622 #define CASE_GET_REG32(name, addr) \
1623     case addr: ret = s->name & 0xff; break; \
1624     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1625     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1626     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1627 
1628     switch (offset) {
1629     case 0x00: /* SCNTL0 */
1630         ret = s->scntl0;
1631         break;
1632     case 0x01: /* SCNTL1 */
1633         ret = s->scntl1;
1634         break;
1635     case 0x02: /* SCNTL2 */
1636         ret = s->scntl2;
1637         break;
1638     case 0x03: /* SCNTL3 */
1639         ret = s->scntl3;
1640         break;
1641     case 0x04: /* SCID */
1642         ret = s->scid;
1643         break;
1644     case 0x05: /* SXFER */
1645         ret = s->sxfer;
1646         break;
1647     case 0x06: /* SDID */
1648         ret = s->sdid;
1649         break;
1650     case 0x07: /* GPREG0 */
1651         ret = 0x7f;
1652         break;
1653     case 0x08: /* Revision ID */
1654         ret = 0x00;
1655         break;
1656     case 0x09: /* SOCL */
1657         ret = s->socl;
1658         break;
1659     case 0xa: /* SSID */
1660         ret = s->ssid;
1661         break;
1662     case 0xb: /* SBCL */
1663         ret = s->sbcl;
1664         break;
1665     case 0xc: /* DSTAT */
1666         ret = s->dstat | LSI_DSTAT_DFE;
1667         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1668             s->dstat = 0;
1669         lsi_update_irq(s);
1670         break;
1671     case 0x0d: /* SSTAT0 */
1672         ret = s->sstat0;
1673         break;
1674     case 0x0e: /* SSTAT1 */
1675         ret = s->sstat1;
1676         break;
1677     case 0x0f: /* SSTAT2 */
1678         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1679         break;
1680     CASE_GET_REG32(dsa, 0x10)
1681     case 0x14: /* ISTAT0 */
1682         ret = s->istat0;
1683         break;
1684     case 0x15: /* ISTAT1 */
1685         ret = s->istat1;
1686         break;
1687     case 0x16: /* MBOX0 */
1688         ret = s->mbox0;
1689         break;
1690     case 0x17: /* MBOX1 */
1691         ret = s->mbox1;
1692         break;
1693     case 0x18: /* CTEST0 */
1694         ret = 0xff;
1695         break;
1696     case 0x19: /* CTEST1 */
1697         ret = 0;
1698         break;
1699     case 0x1a: /* CTEST2 */
1700         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1701         if (s->istat0 & LSI_ISTAT0_SIGP) {
1702             s->istat0 &= ~LSI_ISTAT0_SIGP;
1703             ret |= LSI_CTEST2_SIGP;
1704         }
1705         break;
1706     case 0x1b: /* CTEST3 */
1707         ret = s->ctest3;
1708         break;
1709     CASE_GET_REG32(temp, 0x1c)
1710     case 0x20: /* DFIFO */
1711         ret = s->dfifo;
1712         break;
1713     case 0x21: /* CTEST4 */
1714         ret = s->ctest4;
1715         break;
1716     case 0x22: /* CTEST5 */
1717         ret = s->ctest5;
1718         break;
1719     case 0x23: /* CTEST6 */
1720         ret = 0;
1721         break;
1722     CASE_GET_REG24(dbc, 0x24)
1723     case 0x27: /* DCMD */
1724         ret = s->dcmd;
1725         break;
1726     CASE_GET_REG32(dnad, 0x28)
1727     CASE_GET_REG32(dsp, 0x2c)
1728     CASE_GET_REG32(dsps, 0x30)
1729     CASE_GET_REG32(scratch[0], 0x34)
1730     case 0x38: /* DMODE */
1731         ret = s->dmode;
1732         break;
1733     case 0x39: /* DIEN */
1734         ret = s->dien;
1735         break;
1736     case 0x3a: /* SBR */
1737         ret = s->sbr;
1738         break;
1739     case 0x3b: /* DCNTL */
1740         ret = s->dcntl;
1741         break;
1742     /* ADDER Output (Debug of relative jump address) */
1743     CASE_GET_REG32(adder, 0x3c)
1744     case 0x40: /* SIEN0 */
1745         ret = s->sien0;
1746         break;
1747     case 0x41: /* SIEN1 */
1748         ret = s->sien1;
1749         break;
1750     case 0x42: /* SIST0 */
1751         ret = s->sist0;
1752         s->sist0 = 0;
1753         lsi_update_irq(s);
1754         break;
1755     case 0x43: /* SIST1 */
1756         ret = s->sist1;
1757         s->sist1 = 0;
1758         lsi_update_irq(s);
1759         break;
1760     case 0x46: /* MACNTL */
1761         ret = 0x0f;
1762         break;
1763     case 0x47: /* GPCNTL0 */
1764         ret = 0x0f;
1765         break;
1766     case 0x48: /* STIME0 */
1767         ret = s->stime0;
1768         break;
1769     case 0x4a: /* RESPID0 */
1770         ret = s->respid0;
1771         break;
1772     case 0x4b: /* RESPID1 */
1773         ret = s->respid1;
1774         break;
1775     case 0x4d: /* STEST1 */
1776         ret = s->stest1;
1777         break;
1778     case 0x4e: /* STEST2 */
1779         ret = s->stest2;
1780         break;
1781     case 0x4f: /* STEST3 */
1782         ret = s->stest3;
1783         break;
1784     case 0x50: /* SIDL */
1785         /* This is needed by the linux drivers.  We currently only update it
1786            during the MSG IN phase.  */
1787         ret = s->sidl;
1788         break;
1789     case 0x52: /* STEST4 */
1790         ret = 0xe0;
1791         break;
1792     case 0x56: /* CCNTL0 */
1793         ret = s->ccntl0;
1794         break;
1795     case 0x57: /* CCNTL1 */
1796         ret = s->ccntl1;
1797         break;
1798     case 0x58: /* SBDL */
1799         /* Some drivers peek at the data bus during the MSG IN phase.  */
1800         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1801             assert(s->msg_len > 0);
1802             return s->msg[0];
1803         }
1804         ret = 0;
1805         break;
1806     case 0x59: /* SBDL high */
1807         ret = 0;
1808         break;
1809     CASE_GET_REG32(mmrs, 0xa0)
1810     CASE_GET_REG32(mmws, 0xa4)
1811     CASE_GET_REG32(sfs, 0xa8)
1812     CASE_GET_REG32(drs, 0xac)
1813     CASE_GET_REG32(sbms, 0xb0)
1814     CASE_GET_REG32(dbms, 0xb4)
1815     CASE_GET_REG32(dnad64, 0xb8)
1816     CASE_GET_REG32(pmjad1, 0xc0)
1817     CASE_GET_REG32(pmjad2, 0xc4)
1818     CASE_GET_REG32(rbc, 0xc8)
1819     CASE_GET_REG32(ua, 0xcc)
1820     CASE_GET_REG32(ia, 0xd4)
1821     CASE_GET_REG32(sbc, 0xd8)
1822     CASE_GET_REG32(csbc, 0xdc)
1823     case 0x5c ... 0x9f:
1824     {
1825         int n;
1826         int shift;
1827         n = (offset - 0x58) >> 2;
1828         shift = (offset & 3) * 8;
1829         ret = (s->scratch[n] >> shift) & 0xff;
1830         break;
1831     }
1832     default:
1833     {
1834         qemu_log_mask(LOG_GUEST_ERROR,
1835                       "lsi_scsi: invalid read from reg %s %x\n",
1836                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1837                       offset);
1838         ret = 0xff;
1839         break;
1840     }
1841     }
1842 #undef CASE_GET_REG24
1843 #undef CASE_GET_REG32
1844 
1845     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1846                        offset, ret);
1847 
1848     return ret;
1849 }
1850 
1851 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1852 {
1853 #define CASE_SET_REG24(name, addr) \
1854     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1855     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1856     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1857 
1858 #define CASE_SET_REG32(name, addr) \
1859     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1860     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1861     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1862     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1863 
1864     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1865                         offset, val);
1866 
1867     switch (offset) {
1868     case 0x00: /* SCNTL0 */
1869         s->scntl0 = val;
1870         if (val & LSI_SCNTL0_START) {
1871             qemu_log_mask(LOG_UNIMP,
1872                           "lsi_scsi: Start sequence not implemented\n");
1873         }
1874         break;
1875     case 0x01: /* SCNTL1 */
1876         s->scntl1 = val & ~LSI_SCNTL1_SST;
1877         if (val & LSI_SCNTL1_IARB) {
1878             qemu_log_mask(LOG_UNIMP,
1879                       "lsi_scsi: Immediate Arbritration not implemented\n");
1880         }
1881         if (val & LSI_SCNTL1_RST) {
1882             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1883                 bus_cold_reset(BUS(&s->bus));
1884                 s->sstat0 |= LSI_SSTAT0_RST;
1885                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1886             }
1887         } else {
1888             s->sstat0 &= ~LSI_SSTAT0_RST;
1889         }
1890         break;
1891     case 0x02: /* SCNTL2 */
1892         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1893         s->scntl2 = val;
1894         break;
1895     case 0x03: /* SCNTL3 */
1896         s->scntl3 = val;
1897         break;
1898     case 0x04: /* SCID */
1899         s->scid = val;
1900         break;
1901     case 0x05: /* SXFER */
1902         s->sxfer = val;
1903         break;
1904     case 0x06: /* SDID */
1905         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1906             qemu_log_mask(LOG_GUEST_ERROR,
1907                           "lsi_scsi: Destination ID does not match SSID\n");
1908         }
1909         s->sdid = val & 0xf;
1910         break;
1911     case 0x07: /* GPREG0 */
1912         break;
1913     case 0x08: /* SFBR */
1914         /* The CPU is not allowed to write to this register.  However the
1915            SCRIPTS register move instructions are.  */
1916         s->sfbr = val;
1917         break;
1918     case 0x0a: case 0x0b:
1919         /* Openserver writes to these readonly registers on startup */
1920         return;
1921     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1922         /* Linux writes to these readonly registers on startup.  */
1923         return;
1924     CASE_SET_REG32(dsa, 0x10)
1925     case 0x14: /* ISTAT0 */
1926         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1927         if (val & LSI_ISTAT0_ABRT) {
1928             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1929         }
1930         if (val & LSI_ISTAT0_INTF) {
1931             s->istat0 &= ~LSI_ISTAT0_INTF;
1932             lsi_update_irq(s);
1933         }
1934         if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1935             trace_lsi_awoken();
1936             s->waiting = LSI_NOWAIT;
1937             s->dsp = s->dnad;
1938             lsi_execute_script(s);
1939         }
1940         if (val & LSI_ISTAT0_SRST) {
1941             device_cold_reset(DEVICE(s));
1942         }
1943         break;
1944     case 0x16: /* MBOX0 */
1945         s->mbox0 = val;
1946         break;
1947     case 0x17: /* MBOX1 */
1948         s->mbox1 = val;
1949         break;
1950     case 0x18: /* CTEST0 */
1951         /* nothing to do */
1952         break;
1953     case 0x1a: /* CTEST2 */
1954         s->ctest2 = val & LSI_CTEST2_PCICIE;
1955         break;
1956     case 0x1b: /* CTEST3 */
1957         s->ctest3 = val & 0x0f;
1958         break;
1959     CASE_SET_REG32(temp, 0x1c)
1960     case 0x21: /* CTEST4 */
1961         if (val & 7) {
1962             qemu_log_mask(LOG_UNIMP,
1963                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1964         }
1965         s->ctest4 = val;
1966         break;
1967     case 0x22: /* CTEST5 */
1968         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1969             qemu_log_mask(LOG_UNIMP,
1970                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1971         }
1972         s->ctest5 = val;
1973         break;
1974     CASE_SET_REG24(dbc, 0x24)
1975     CASE_SET_REG32(dnad, 0x28)
1976     case 0x2c: /* DSP[0:7] */
1977         s->dsp &= 0xffffff00;
1978         s->dsp |= val;
1979         break;
1980     case 0x2d: /* DSP[8:15] */
1981         s->dsp &= 0xffff00ff;
1982         s->dsp |= val << 8;
1983         break;
1984     case 0x2e: /* DSP[16:23] */
1985         s->dsp &= 0xff00ffff;
1986         s->dsp |= val << 16;
1987         break;
1988     case 0x2f: /* DSP[24:31] */
1989         s->dsp &= 0x00ffffff;
1990         s->dsp |= val << 24;
1991         /*
1992          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
1993          * instruction.  Is this correct?
1994          */
1995         if ((s->dmode & LSI_DMODE_MAN) == 0
1996             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1997             lsi_execute_script(s);
1998         break;
1999     CASE_SET_REG32(dsps, 0x30)
2000     CASE_SET_REG32(scratch[0], 0x34)
2001     case 0x38: /* DMODE */
2002         s->dmode = val;
2003         break;
2004     case 0x39: /* DIEN */
2005         s->dien = val;
2006         lsi_update_irq(s);
2007         break;
2008     case 0x3a: /* SBR */
2009         s->sbr = val;
2010         break;
2011     case 0x3b: /* DCNTL */
2012         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
2013         /*
2014          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
2015          * instruction.  Is this correct?
2016          */
2017         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
2018             lsi_execute_script(s);
2019         break;
2020     case 0x40: /* SIEN0 */
2021         s->sien0 = val;
2022         lsi_update_irq(s);
2023         break;
2024     case 0x41: /* SIEN1 */
2025         s->sien1 = val;
2026         lsi_update_irq(s);
2027         break;
2028     case 0x47: /* GPCNTL0 */
2029         break;
2030     case 0x48: /* STIME0 */
2031         s->stime0 = val;
2032         break;
2033     case 0x49: /* STIME1 */
2034         if (val & 0xf) {
2035             qemu_log_mask(LOG_UNIMP,
2036                           "lsi_scsi: General purpose timer not implemented\n");
2037             /* ??? Raising the interrupt immediately seems to be sufficient
2038                to keep the FreeBSD driver happy.  */
2039             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2040         }
2041         break;
2042     case 0x4a: /* RESPID0 */
2043         s->respid0 = val;
2044         break;
2045     case 0x4b: /* RESPID1 */
2046         s->respid1 = val;
2047         break;
2048     case 0x4d: /* STEST1 */
2049         s->stest1 = val;
2050         break;
2051     case 0x4e: /* STEST2 */
2052         if (val & 1) {
2053             qemu_log_mask(LOG_UNIMP,
2054                           "lsi_scsi: Low level mode not implemented\n");
2055         }
2056         s->stest2 = val;
2057         break;
2058     case 0x4f: /* STEST3 */
2059         if (val & 0x41) {
2060             qemu_log_mask(LOG_UNIMP,
2061                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
2062         }
2063         s->stest3 = val;
2064         break;
2065     case 0x56: /* CCNTL0 */
2066         s->ccntl0 = val;
2067         break;
2068     case 0x57: /* CCNTL1 */
2069         s->ccntl1 = val;
2070         break;
2071     CASE_SET_REG32(mmrs, 0xa0)
2072     CASE_SET_REG32(mmws, 0xa4)
2073     CASE_SET_REG32(sfs, 0xa8)
2074     CASE_SET_REG32(drs, 0xac)
2075     CASE_SET_REG32(sbms, 0xb0)
2076     CASE_SET_REG32(dbms, 0xb4)
2077     CASE_SET_REG32(dnad64, 0xb8)
2078     CASE_SET_REG32(pmjad1, 0xc0)
2079     CASE_SET_REG32(pmjad2, 0xc4)
2080     CASE_SET_REG32(rbc, 0xc8)
2081     CASE_SET_REG32(ua, 0xcc)
2082     CASE_SET_REG32(ia, 0xd4)
2083     CASE_SET_REG32(sbc, 0xd8)
2084     CASE_SET_REG32(csbc, 0xdc)
2085     default:
2086         if (offset >= 0x5c && offset < 0xa0) {
2087             int n;
2088             int shift;
2089             n = (offset - 0x58) >> 2;
2090             shift = (offset & 3) * 8;
2091             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2092         } else {
2093             qemu_log_mask(LOG_GUEST_ERROR,
2094                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2095                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2096                           offset, val);
2097         }
2098     }
2099 #undef CASE_SET_REG24
2100 #undef CASE_SET_REG32
2101 }
2102 
2103 static void lsi_mmio_write(void *opaque, hwaddr addr,
2104                            uint64_t val, unsigned size)
2105 {
2106     LSIState *s = opaque;
2107 
2108     lsi_reg_writeb(s, addr & 0xff, val);
2109 }
2110 
2111 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2112                               unsigned size)
2113 {
2114     LSIState *s = opaque;
2115     return lsi_reg_readb(s, addr & 0xff);
2116 }
2117 
2118 static const MemoryRegionOps lsi_mmio_ops = {
2119     .read = lsi_mmio_read,
2120     .write = lsi_mmio_write,
2121     .endianness = DEVICE_LITTLE_ENDIAN,
2122     .impl = {
2123         .min_access_size = 1,
2124         .max_access_size = 1,
2125     },
2126 };
2127 
2128 static void lsi_ram_write(void *opaque, hwaddr addr,
2129                           uint64_t val, unsigned size)
2130 {
2131     LSIState *s = opaque;
2132     stn_le_p(s->script_ram + addr, size, val);
2133 }
2134 
2135 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2136                              unsigned size)
2137 {
2138     LSIState *s = opaque;
2139     return ldn_le_p(s->script_ram + addr, size);
2140 }
2141 
2142 static const MemoryRegionOps lsi_ram_ops = {
2143     .read = lsi_ram_read,
2144     .write = lsi_ram_write,
2145     .endianness = DEVICE_LITTLE_ENDIAN,
2146 };
2147 
2148 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2149                             unsigned size)
2150 {
2151     LSIState *s = opaque;
2152     return lsi_reg_readb(s, addr & 0xff);
2153 }
2154 
2155 static void lsi_io_write(void *opaque, hwaddr addr,
2156                          uint64_t val, unsigned size)
2157 {
2158     LSIState *s = opaque;
2159     lsi_reg_writeb(s, addr & 0xff, val);
2160 }
2161 
2162 static const MemoryRegionOps lsi_io_ops = {
2163     .read = lsi_io_read,
2164     .write = lsi_io_write,
2165     .endianness = DEVICE_LITTLE_ENDIAN,
2166     .impl = {
2167         .min_access_size = 1,
2168         .max_access_size = 1,
2169     },
2170 };
2171 
2172 static void lsi_scsi_reset(DeviceState *dev)
2173 {
2174     LSIState *s = LSI53C895A(dev);
2175 
2176     lsi_soft_reset(s);
2177 }
2178 
2179 static int lsi_pre_save(void *opaque)
2180 {
2181     LSIState *s = opaque;
2182 
2183     if (s->current) {
2184         assert(s->current->dma_buf == NULL);
2185         assert(s->current->dma_len == 0);
2186     }
2187     assert(QTAILQ_EMPTY(&s->queue));
2188 
2189     return 0;
2190 }
2191 
2192 static int lsi_post_load(void *opaque, int version_id)
2193 {
2194     LSIState *s = opaque;
2195 
2196     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2197         return -EINVAL;
2198     }
2199 
2200     return 0;
2201 }
2202 
2203 static const VMStateDescription vmstate_lsi_scsi = {
2204     .name = "lsiscsi",
2205     .version_id = 1,
2206     .minimum_version_id = 0,
2207     .pre_save = lsi_pre_save,
2208     .post_load = lsi_post_load,
2209     .fields = (const VMStateField[]) {
2210         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2211 
2212         VMSTATE_INT32(carry, LSIState),
2213         VMSTATE_INT32(status, LSIState),
2214         VMSTATE_INT32(msg_action, LSIState),
2215         VMSTATE_INT32(msg_len, LSIState),
2216         VMSTATE_BUFFER(msg, LSIState),
2217         VMSTATE_INT32(waiting, LSIState),
2218 
2219         VMSTATE_UINT32(dsa, LSIState),
2220         VMSTATE_UINT32(temp, LSIState),
2221         VMSTATE_UINT32(dnad, LSIState),
2222         VMSTATE_UINT32(dbc, LSIState),
2223         VMSTATE_UINT8(istat0, LSIState),
2224         VMSTATE_UINT8(istat1, LSIState),
2225         VMSTATE_UINT8(dcmd, LSIState),
2226         VMSTATE_UINT8(dstat, LSIState),
2227         VMSTATE_UINT8(dien, LSIState),
2228         VMSTATE_UINT8(sist0, LSIState),
2229         VMSTATE_UINT8(sist1, LSIState),
2230         VMSTATE_UINT8(sien0, LSIState),
2231         VMSTATE_UINT8(sien1, LSIState),
2232         VMSTATE_UINT8(mbox0, LSIState),
2233         VMSTATE_UINT8(mbox1, LSIState),
2234         VMSTATE_UINT8(dfifo, LSIState),
2235         VMSTATE_UINT8(ctest2, LSIState),
2236         VMSTATE_UINT8(ctest3, LSIState),
2237         VMSTATE_UINT8(ctest4, LSIState),
2238         VMSTATE_UINT8(ctest5, LSIState),
2239         VMSTATE_UINT8(ccntl0, LSIState),
2240         VMSTATE_UINT8(ccntl1, LSIState),
2241         VMSTATE_UINT32(dsp, LSIState),
2242         VMSTATE_UINT32(dsps, LSIState),
2243         VMSTATE_UINT8(dmode, LSIState),
2244         VMSTATE_UINT8(dcntl, LSIState),
2245         VMSTATE_UINT8(scntl0, LSIState),
2246         VMSTATE_UINT8(scntl1, LSIState),
2247         VMSTATE_UINT8(scntl2, LSIState),
2248         VMSTATE_UINT8(scntl3, LSIState),
2249         VMSTATE_UINT8(sstat0, LSIState),
2250         VMSTATE_UINT8(sstat1, LSIState),
2251         VMSTATE_UINT8(scid, LSIState),
2252         VMSTATE_UINT8(sxfer, LSIState),
2253         VMSTATE_UINT8(socl, LSIState),
2254         VMSTATE_UINT8(sdid, LSIState),
2255         VMSTATE_UINT8(ssid, LSIState),
2256         VMSTATE_UINT8(sfbr, LSIState),
2257         VMSTATE_UINT8(stest1, LSIState),
2258         VMSTATE_UINT8(stest2, LSIState),
2259         VMSTATE_UINT8(stest3, LSIState),
2260         VMSTATE_UINT8(sidl, LSIState),
2261         VMSTATE_UINT8(stime0, LSIState),
2262         VMSTATE_UINT8(respid0, LSIState),
2263         VMSTATE_UINT8(respid1, LSIState),
2264         VMSTATE_UINT8_V(sbcl, LSIState, 1),
2265         VMSTATE_UINT32(mmrs, LSIState),
2266         VMSTATE_UINT32(mmws, LSIState),
2267         VMSTATE_UINT32(sfs, LSIState),
2268         VMSTATE_UINT32(drs, LSIState),
2269         VMSTATE_UINT32(sbms, LSIState),
2270         VMSTATE_UINT32(dbms, LSIState),
2271         VMSTATE_UINT32(dnad64, LSIState),
2272         VMSTATE_UINT32(pmjad1, LSIState),
2273         VMSTATE_UINT32(pmjad2, LSIState),
2274         VMSTATE_UINT32(rbc, LSIState),
2275         VMSTATE_UINT32(ua, LSIState),
2276         VMSTATE_UINT32(ia, LSIState),
2277         VMSTATE_UINT32(sbc, LSIState),
2278         VMSTATE_UINT32(csbc, LSIState),
2279         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2280         VMSTATE_UINT8(sbr, LSIState),
2281 
2282         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2283         VMSTATE_END_OF_LIST()
2284     }
2285 };
2286 
2287 static const struct SCSIBusInfo lsi_scsi_info = {
2288     .tcq = true,
2289     .max_target = LSI_MAX_DEVS,
2290     .max_lun = 0,  /* LUN support is buggy */
2291 
2292     .transfer_data = lsi_transfer_data,
2293     .complete = lsi_command_complete,
2294     .cancel = lsi_request_cancelled
2295 };
2296 
2297 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2298 {
2299     LSIState *s = LSI53C895A(dev);
2300     DeviceState *d = DEVICE(dev);
2301     uint8_t *pci_conf;
2302 
2303     pci_conf = dev->config;
2304 
2305     /* PCI latency timer = 255 */
2306     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2307     /* Interrupt pin A */
2308     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2309 
2310     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2311                           "lsi-mmio", 0x400);
2312     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2313                           "lsi-ram", 0x2000);
2314     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2315                           "lsi-io", 256);
2316 
2317     /*
2318      * Since we use the address-space API to interact with ram_io, disable the
2319      * re-entrancy guard.
2320      */
2321     s->ram_io.disable_reentrancy_guard = true;
2322     s->mmio_io.disable_reentrancy_guard = true;
2323 
2324     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2325     qdev_init_gpio_out(d, &s->ext_irq, 1);
2326 
2327     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2328     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2329     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2330     QTAILQ_INIT(&s->queue);
2331 
2332     scsi_bus_init(&s->bus, sizeof(s->bus), d, &lsi_scsi_info);
2333 }
2334 
2335 static void lsi_scsi_exit(PCIDevice *dev)
2336 {
2337     LSIState *s = LSI53C895A(dev);
2338 
2339     address_space_destroy(&s->pci_io_as);
2340 }
2341 
2342 static void lsi_class_init(ObjectClass *klass, void *data)
2343 {
2344     DeviceClass *dc = DEVICE_CLASS(klass);
2345     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2346 
2347     k->realize = lsi_scsi_realize;
2348     k->exit = lsi_scsi_exit;
2349     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2350     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2351     k->class_id = PCI_CLASS_STORAGE_SCSI;
2352     k->subsystem_id = 0x1000;
2353     dc->reset = lsi_scsi_reset;
2354     dc->vmsd = &vmstate_lsi_scsi;
2355     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2356 }
2357 
2358 static const TypeInfo lsi_info = {
2359     .name          = TYPE_LSI53C895A,
2360     .parent        = TYPE_PCI_DEVICE,
2361     .instance_size = sizeof(LSIState),
2362     .class_init    = lsi_class_init,
2363     .interfaces = (InterfaceInfo[]) {
2364         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2365         { },
2366     },
2367 };
2368 
2369 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2370 {
2371     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2372 
2373     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2374 }
2375 
2376 static const TypeInfo lsi53c810_info = {
2377     .name          = TYPE_LSI53C810,
2378     .parent        = TYPE_LSI53C895A,
2379     .class_init    = lsi53c810_class_init,
2380 };
2381 
2382 static void lsi53c895a_register_types(void)
2383 {
2384     type_register_static(&lsi_info);
2385     type_register_static(&lsi53c810_info);
2386 }
2387 
2388 type_init(lsi53c895a_register_types)
2389 
2390 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2391 {
2392     LSIState *s = LSI53C895A(lsi_dev);
2393 
2394     scsi_bus_legacy_handle_cmdline(&s->bus);
2395 }
2396