xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision 500eb6db)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/hw.h"
19 #include "hw/pci/pci.h"
20 #include "hw/scsi/scsi.h"
21 #include "sysemu/dma.h"
22 #include "qemu/log.h"
23 #include "qemu/module.h"
24 #include "trace.h"
25 
26 static const char *names[] = {
27     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
28     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
29     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
30     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
31     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
32     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
33     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
34     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
35     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
36     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
37     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
38     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
39 };
40 
41 #define LSI_MAX_DEVS 7
42 
43 #define LSI_SCNTL0_TRG    0x01
44 #define LSI_SCNTL0_AAP    0x02
45 #define LSI_SCNTL0_EPC    0x08
46 #define LSI_SCNTL0_WATN   0x10
47 #define LSI_SCNTL0_START  0x20
48 
49 #define LSI_SCNTL1_SST    0x01
50 #define LSI_SCNTL1_IARB   0x02
51 #define LSI_SCNTL1_AESP   0x04
52 #define LSI_SCNTL1_RST    0x08
53 #define LSI_SCNTL1_CON    0x10
54 #define LSI_SCNTL1_DHP    0x20
55 #define LSI_SCNTL1_ADB    0x40
56 #define LSI_SCNTL1_EXC    0x80
57 
58 #define LSI_SCNTL2_WSR    0x01
59 #define LSI_SCNTL2_VUE0   0x02
60 #define LSI_SCNTL2_VUE1   0x04
61 #define LSI_SCNTL2_WSS    0x08
62 #define LSI_SCNTL2_SLPHBEN 0x10
63 #define LSI_SCNTL2_SLPMD  0x20
64 #define LSI_SCNTL2_CHM    0x40
65 #define LSI_SCNTL2_SDU    0x80
66 
67 #define LSI_ISTAT0_DIP    0x01
68 #define LSI_ISTAT0_SIP    0x02
69 #define LSI_ISTAT0_INTF   0x04
70 #define LSI_ISTAT0_CON    0x08
71 #define LSI_ISTAT0_SEM    0x10
72 #define LSI_ISTAT0_SIGP   0x20
73 #define LSI_ISTAT0_SRST   0x40
74 #define LSI_ISTAT0_ABRT   0x80
75 
76 #define LSI_ISTAT1_SI     0x01
77 #define LSI_ISTAT1_SRUN   0x02
78 #define LSI_ISTAT1_FLSH   0x04
79 
80 #define LSI_SSTAT0_SDP0   0x01
81 #define LSI_SSTAT0_RST    0x02
82 #define LSI_SSTAT0_WOA    0x04
83 #define LSI_SSTAT0_LOA    0x08
84 #define LSI_SSTAT0_AIP    0x10
85 #define LSI_SSTAT0_OLF    0x20
86 #define LSI_SSTAT0_ORF    0x40
87 #define LSI_SSTAT0_ILF    0x80
88 
89 #define LSI_SIST0_PAR     0x01
90 #define LSI_SIST0_RST     0x02
91 #define LSI_SIST0_UDC     0x04
92 #define LSI_SIST0_SGE     0x08
93 #define LSI_SIST0_RSL     0x10
94 #define LSI_SIST0_SEL     0x20
95 #define LSI_SIST0_CMP     0x40
96 #define LSI_SIST0_MA      0x80
97 
98 #define LSI_SIST1_HTH     0x01
99 #define LSI_SIST1_GEN     0x02
100 #define LSI_SIST1_STO     0x04
101 #define LSI_SIST1_SBMC    0x10
102 
103 #define LSI_SOCL_IO       0x01
104 #define LSI_SOCL_CD       0x02
105 #define LSI_SOCL_MSG      0x04
106 #define LSI_SOCL_ATN      0x08
107 #define LSI_SOCL_SEL      0x10
108 #define LSI_SOCL_BSY      0x20
109 #define LSI_SOCL_ACK      0x40
110 #define LSI_SOCL_REQ      0x80
111 
112 #define LSI_DSTAT_IID     0x01
113 #define LSI_DSTAT_SIR     0x04
114 #define LSI_DSTAT_SSI     0x08
115 #define LSI_DSTAT_ABRT    0x10
116 #define LSI_DSTAT_BF      0x20
117 #define LSI_DSTAT_MDPE    0x40
118 #define LSI_DSTAT_DFE     0x80
119 
120 #define LSI_DCNTL_COM     0x01
121 #define LSI_DCNTL_IRQD    0x02
122 #define LSI_DCNTL_STD     0x04
123 #define LSI_DCNTL_IRQM    0x08
124 #define LSI_DCNTL_SSM     0x10
125 #define LSI_DCNTL_PFEN    0x20
126 #define LSI_DCNTL_PFF     0x40
127 #define LSI_DCNTL_CLSE    0x80
128 
129 #define LSI_DMODE_MAN     0x01
130 #define LSI_DMODE_BOF     0x02
131 #define LSI_DMODE_ERMP    0x04
132 #define LSI_DMODE_ERL     0x08
133 #define LSI_DMODE_DIOM    0x10
134 #define LSI_DMODE_SIOM    0x20
135 
136 #define LSI_CTEST2_DACK   0x01
137 #define LSI_CTEST2_DREQ   0x02
138 #define LSI_CTEST2_TEOP   0x04
139 #define LSI_CTEST2_PCICIE 0x08
140 #define LSI_CTEST2_CM     0x10
141 #define LSI_CTEST2_CIO    0x20
142 #define LSI_CTEST2_SIGP   0x40
143 #define LSI_CTEST2_DDIR   0x80
144 
145 #define LSI_CTEST5_BL2    0x04
146 #define LSI_CTEST5_DDIR   0x08
147 #define LSI_CTEST5_MASR   0x10
148 #define LSI_CTEST5_DFSN   0x20
149 #define LSI_CTEST5_BBCK   0x40
150 #define LSI_CTEST5_ADCK   0x80
151 
152 #define LSI_CCNTL0_DILS   0x01
153 #define LSI_CCNTL0_DISFC  0x10
154 #define LSI_CCNTL0_ENNDJ  0x20
155 #define LSI_CCNTL0_PMJCTL 0x40
156 #define LSI_CCNTL0_ENPMJ  0x80
157 
158 #define LSI_CCNTL1_EN64DBMV  0x01
159 #define LSI_CCNTL1_EN64TIBMV 0x02
160 #define LSI_CCNTL1_64TIMOD   0x04
161 #define LSI_CCNTL1_DDAC      0x08
162 #define LSI_CCNTL1_ZMOD      0x80
163 
164 #define LSI_SBCL_ATN         0x08
165 #define LSI_SBCL_BSY         0x20
166 #define LSI_SBCL_ACK         0x40
167 #define LSI_SBCL_REQ         0x80
168 
169 /* Enable Response to Reselection */
170 #define LSI_SCID_RRE      0x60
171 
172 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
173 
174 #define PHASE_DO          0
175 #define PHASE_DI          1
176 #define PHASE_CMD         2
177 #define PHASE_ST          3
178 #define PHASE_MO          6
179 #define PHASE_MI          7
180 #define PHASE_MASK        7
181 
182 /* Maximum length of MSG IN data.  */
183 #define LSI_MAX_MSGIN_LEN 8
184 
185 /* Flag set if this is a tagged command.  */
186 #define LSI_TAG_VALID     (1 << 16)
187 
188 typedef struct lsi_request {
189     SCSIRequest *req;
190     uint32_t tag;
191     uint32_t dma_len;
192     uint8_t *dma_buf;
193     uint32_t pending;
194     int out;
195     QTAILQ_ENTRY(lsi_request) next;
196 } lsi_request;
197 
198 enum {
199     LSI_NOWAIT, /* SCRIPTS are running or stopped */
200     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
201     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
202     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
203 };
204 
205 enum {
206     LSI_MSG_ACTION_COMMAND = 0,
207     LSI_MSG_ACTION_DISCONNECT = 1,
208     LSI_MSG_ACTION_DOUT = 2,
209     LSI_MSG_ACTION_DIN = 3,
210 };
211 
212 typedef struct {
213     /*< private >*/
214     PCIDevice parent_obj;
215     /*< public >*/
216 
217     qemu_irq ext_irq;
218     MemoryRegion mmio_io;
219     MemoryRegion ram_io;
220     MemoryRegion io_io;
221     AddressSpace pci_io_as;
222 
223     int carry; /* ??? Should this be an a visible register somewhere?  */
224     int status;
225     int msg_action;
226     int msg_len;
227     uint8_t msg[LSI_MAX_MSGIN_LEN];
228     int waiting;
229     SCSIBus bus;
230     int current_lun;
231     /* The tag is a combination of the device ID and the SCSI tag.  */
232     uint32_t select_tag;
233     int command_complete;
234     QTAILQ_HEAD(, lsi_request) queue;
235     lsi_request *current;
236 
237     uint32_t dsa;
238     uint32_t temp;
239     uint32_t dnad;
240     uint32_t dbc;
241     uint8_t istat0;
242     uint8_t istat1;
243     uint8_t dcmd;
244     uint8_t dstat;
245     uint8_t dien;
246     uint8_t sist0;
247     uint8_t sist1;
248     uint8_t sien0;
249     uint8_t sien1;
250     uint8_t mbox0;
251     uint8_t mbox1;
252     uint8_t dfifo;
253     uint8_t ctest2;
254     uint8_t ctest3;
255     uint8_t ctest4;
256     uint8_t ctest5;
257     uint8_t ccntl0;
258     uint8_t ccntl1;
259     uint32_t dsp;
260     uint32_t dsps;
261     uint8_t dmode;
262     uint8_t dcntl;
263     uint8_t scntl0;
264     uint8_t scntl1;
265     uint8_t scntl2;
266     uint8_t scntl3;
267     uint8_t sstat0;
268     uint8_t sstat1;
269     uint8_t scid;
270     uint8_t sxfer;
271     uint8_t socl;
272     uint8_t sdid;
273     uint8_t ssid;
274     uint8_t sfbr;
275     uint8_t sbcl;
276     uint8_t stest1;
277     uint8_t stest2;
278     uint8_t stest3;
279     uint8_t sidl;
280     uint8_t stime0;
281     uint8_t respid0;
282     uint8_t respid1;
283     uint32_t mmrs;
284     uint32_t mmws;
285     uint32_t sfs;
286     uint32_t drs;
287     uint32_t sbms;
288     uint32_t dbms;
289     uint32_t dnad64;
290     uint32_t pmjad1;
291     uint32_t pmjad2;
292     uint32_t rbc;
293     uint32_t ua;
294     uint32_t ia;
295     uint32_t sbc;
296     uint32_t csbc;
297     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
298     uint8_t sbr;
299     uint32_t adder;
300 
301     uint8_t script_ram[2048 * sizeof(uint32_t)];
302 } LSIState;
303 
304 #define TYPE_LSI53C810  "lsi53c810"
305 #define TYPE_LSI53C895A "lsi53c895a"
306 
307 #define LSI53C895A(obj) \
308     OBJECT_CHECK(LSIState, (obj), TYPE_LSI53C895A)
309 
310 static const char *scsi_phases[] = {
311     "DOUT",
312     "DIN",
313     "CMD",
314     "STATUS",
315     "RSVOUT",
316     "RSVIN",
317     "MSGOUT",
318     "MSGIN"
319 };
320 
321 static const char *scsi_phase_name(int phase)
322 {
323     return scsi_phases[phase & PHASE_MASK];
324 }
325 
326 static inline int lsi_irq_on_rsl(LSIState *s)
327 {
328     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
329 }
330 
331 static lsi_request *get_pending_req(LSIState *s)
332 {
333     lsi_request *p;
334 
335     QTAILQ_FOREACH(p, &s->queue, next) {
336         if (p->pending) {
337             return p;
338         }
339     }
340     return NULL;
341 }
342 
343 static void lsi_soft_reset(LSIState *s)
344 {
345     trace_lsi_reset();
346     s->carry = 0;
347 
348     s->msg_action = LSI_MSG_ACTION_COMMAND;
349     s->msg_len = 0;
350     s->waiting = LSI_NOWAIT;
351     s->dsa = 0;
352     s->dnad = 0;
353     s->dbc = 0;
354     s->temp = 0;
355     memset(s->scratch, 0, sizeof(s->scratch));
356     s->istat0 = 0;
357     s->istat1 = 0;
358     s->dcmd = 0x40;
359     s->dstat = 0;
360     s->dien = 0;
361     s->sist0 = 0;
362     s->sist1 = 0;
363     s->sien0 = 0;
364     s->sien1 = 0;
365     s->mbox0 = 0;
366     s->mbox1 = 0;
367     s->dfifo = 0;
368     s->ctest2 = LSI_CTEST2_DACK;
369     s->ctest3 = 0;
370     s->ctest4 = 0;
371     s->ctest5 = 0;
372     s->ccntl0 = 0;
373     s->ccntl1 = 0;
374     s->dsp = 0;
375     s->dsps = 0;
376     s->dmode = 0;
377     s->dcntl = 0;
378     s->scntl0 = 0xc0;
379     s->scntl1 = 0;
380     s->scntl2 = 0;
381     s->scntl3 = 0;
382     s->sstat0 = 0;
383     s->sstat1 = 0;
384     s->scid = 7;
385     s->sxfer = 0;
386     s->socl = 0;
387     s->sdid = 0;
388     s->ssid = 0;
389     s->sbcl = 0;
390     s->stest1 = 0;
391     s->stest2 = 0;
392     s->stest3 = 0;
393     s->sidl = 0;
394     s->stime0 = 0;
395     s->respid0 = 0x80;
396     s->respid1 = 0;
397     s->mmrs = 0;
398     s->mmws = 0;
399     s->sfs = 0;
400     s->drs = 0;
401     s->sbms = 0;
402     s->dbms = 0;
403     s->dnad64 = 0;
404     s->pmjad1 = 0;
405     s->pmjad2 = 0;
406     s->rbc = 0;
407     s->ua = 0;
408     s->ia = 0;
409     s->sbc = 0;
410     s->csbc = 0;
411     s->sbr = 0;
412     assert(QTAILQ_EMPTY(&s->queue));
413     assert(!s->current);
414 }
415 
416 static int lsi_dma_40bit(LSIState *s)
417 {
418     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
419         return 1;
420     return 0;
421 }
422 
423 static int lsi_dma_ti64bit(LSIState *s)
424 {
425     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
426         return 1;
427     return 0;
428 }
429 
430 static int lsi_dma_64bit(LSIState *s)
431 {
432     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
433         return 1;
434     return 0;
435 }
436 
437 static uint8_t lsi_reg_readb(LSIState *s, int offset);
438 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
439 static void lsi_execute_script(LSIState *s);
440 static void lsi_reselect(LSIState *s, lsi_request *p);
441 
442 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
443                                void *buf, dma_addr_t len)
444 {
445     if (s->dmode & LSI_DMODE_SIOM) {
446         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
447                            buf, len);
448     } else {
449         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
450     }
451 }
452 
453 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
454                                 const void *buf, dma_addr_t len)
455 {
456     if (s->dmode & LSI_DMODE_DIOM) {
457         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
458                             buf, len);
459     } else {
460         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
461     }
462 }
463 
464 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
465 {
466     uint32_t buf;
467 
468     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
469     return cpu_to_le32(buf);
470 }
471 
472 static void lsi_stop_script(LSIState *s)
473 {
474     s->istat1 &= ~LSI_ISTAT1_SRUN;
475 }
476 
477 static void lsi_set_irq(LSIState *s, int level)
478 {
479     PCIDevice *d = PCI_DEVICE(s);
480 
481     if (s->ext_irq) {
482         qemu_set_irq(s->ext_irq, level);
483     } else {
484         pci_set_irq(d, level);
485     }
486 }
487 
488 static void lsi_update_irq(LSIState *s)
489 {
490     int level;
491     static int last_level;
492 
493     /* It's unclear whether the DIP/SIP bits should be cleared when the
494        Interrupt Status Registers are cleared or when istat0 is read.
495        We currently do the formwer, which seems to work.  */
496     level = 0;
497     if (s->dstat) {
498         if (s->dstat & s->dien)
499             level = 1;
500         s->istat0 |= LSI_ISTAT0_DIP;
501     } else {
502         s->istat0 &= ~LSI_ISTAT0_DIP;
503     }
504 
505     if (s->sist0 || s->sist1) {
506         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
507             level = 1;
508         s->istat0 |= LSI_ISTAT0_SIP;
509     } else {
510         s->istat0 &= ~LSI_ISTAT0_SIP;
511     }
512     if (s->istat0 & LSI_ISTAT0_INTF)
513         level = 1;
514 
515     if (level != last_level) {
516         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
517         last_level = level;
518     }
519     lsi_set_irq(s, level);
520 
521     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
522         lsi_request *p;
523 
524         trace_lsi_update_irq_disconnected();
525         p = get_pending_req(s);
526         if (p) {
527             lsi_reselect(s, p);
528         }
529     }
530 }
531 
532 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
533 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
534 {
535     uint32_t mask0;
536     uint32_t mask1;
537 
538     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
539     s->sist0 |= stat0;
540     s->sist1 |= stat1;
541     /* Stop processor on fatal or unmasked interrupt.  As a special hack
542        we don't stop processing when raising STO.  Instead continue
543        execution and stop at the next insn that accesses the SCSI bus.  */
544     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
545     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
546     mask1 &= ~LSI_SIST1_STO;
547     if (s->sist0 & mask0 || s->sist1 & mask1) {
548         lsi_stop_script(s);
549     }
550     lsi_update_irq(s);
551 }
552 
553 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
554 static void lsi_script_dma_interrupt(LSIState *s, int stat)
555 {
556     trace_lsi_script_dma_interrupt(stat, s->dstat);
557     s->dstat |= stat;
558     lsi_update_irq(s);
559     lsi_stop_script(s);
560 }
561 
562 static inline void lsi_set_phase(LSIState *s, int phase)
563 {
564     s->sbcl &= ~PHASE_MASK;
565     s->sbcl |= phase | LSI_SBCL_REQ;
566     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
567 }
568 
569 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
570 {
571     /* Trigger a phase mismatch.  */
572     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
573         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
574             s->dsp = out ? s->pmjad1 : s->pmjad2;
575         } else {
576             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
577         }
578         trace_lsi_bad_phase_jump(s->dsp);
579     } else {
580         trace_lsi_bad_phase_interrupt();
581         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
582         lsi_stop_script(s);
583     }
584     lsi_set_phase(s, new_phase);
585 }
586 
587 
588 /* Resume SCRIPTS execution after a DMA operation.  */
589 static void lsi_resume_script(LSIState *s)
590 {
591     if (s->waiting != 2) {
592         s->waiting = LSI_NOWAIT;
593         lsi_execute_script(s);
594     } else {
595         s->waiting = LSI_NOWAIT;
596     }
597 }
598 
599 static void lsi_disconnect(LSIState *s)
600 {
601     s->scntl1 &= ~LSI_SCNTL1_CON;
602     s->sstat1 &= ~PHASE_MASK;
603     s->sbcl = 0;
604 }
605 
606 static void lsi_bad_selection(LSIState *s, uint32_t id)
607 {
608     trace_lsi_bad_selection(id);
609     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
610     lsi_disconnect(s);
611 }
612 
613 /* Initiate a SCSI layer data transfer.  */
614 static void lsi_do_dma(LSIState *s, int out)
615 {
616     uint32_t count;
617     dma_addr_t addr;
618     SCSIDevice *dev;
619 
620     assert(s->current);
621     if (!s->current->dma_len) {
622         /* Wait until data is available.  */
623         trace_lsi_do_dma_unavailable();
624         return;
625     }
626 
627     dev = s->current->req->dev;
628     assert(dev);
629 
630     count = s->dbc;
631     if (count > s->current->dma_len)
632         count = s->current->dma_len;
633 
634     addr = s->dnad;
635     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
636     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
637         addr |= ((uint64_t)s->dnad64 << 32);
638     else if (s->dbms)
639         addr |= ((uint64_t)s->dbms << 32);
640     else if (s->sbms)
641         addr |= ((uint64_t)s->sbms << 32);
642 
643     trace_lsi_do_dma(addr, count);
644     s->csbc += count;
645     s->dnad += count;
646     s->dbc -= count;
647      if (s->current->dma_buf == NULL) {
648         s->current->dma_buf = scsi_req_get_buf(s->current->req);
649     }
650     /* ??? Set SFBR to first data byte.  */
651     if (out) {
652         lsi_mem_read(s, addr, s->current->dma_buf, count);
653     } else {
654         lsi_mem_write(s, addr, s->current->dma_buf, count);
655     }
656     s->current->dma_len -= count;
657     if (s->current->dma_len == 0) {
658         s->current->dma_buf = NULL;
659         scsi_req_continue(s->current->req);
660     } else {
661         s->current->dma_buf += count;
662         lsi_resume_script(s);
663     }
664 }
665 
666 
667 /* Add a command to the queue.  */
668 static void lsi_queue_command(LSIState *s)
669 {
670     lsi_request *p = s->current;
671 
672     trace_lsi_queue_command(p->tag);
673     assert(s->current != NULL);
674     assert(s->current->dma_len == 0);
675     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
676     s->current = NULL;
677 
678     p->pending = 0;
679     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
680 }
681 
682 /* Queue a byte for a MSG IN phase.  */
683 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
684 {
685     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
686         trace_lsi_add_msg_byte_error();
687     } else {
688         trace_lsi_add_msg_byte(data);
689         s->msg[s->msg_len++] = data;
690     }
691 }
692 
693 /* Perform reselection to continue a command.  */
694 static void lsi_reselect(LSIState *s, lsi_request *p)
695 {
696     int id;
697 
698     assert(s->current == NULL);
699     QTAILQ_REMOVE(&s->queue, p, next);
700     s->current = p;
701 
702     id = (p->tag >> 8) & 0xf;
703     s->ssid = id | 0x80;
704     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
705     if (!(s->dcntl & LSI_DCNTL_COM)) {
706         s->sfbr = 1 << (id & 0x7);
707     }
708     trace_lsi_reselect(id);
709     s->scntl1 |= LSI_SCNTL1_CON;
710     lsi_set_phase(s, PHASE_MI);
711     s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
712     s->current->dma_len = p->pending;
713     lsi_add_msg_byte(s, 0x80);
714     if (s->current->tag & LSI_TAG_VALID) {
715         lsi_add_msg_byte(s, 0x20);
716         lsi_add_msg_byte(s, p->tag & 0xff);
717     }
718 
719     if (lsi_irq_on_rsl(s)) {
720         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
721     }
722 }
723 
724 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
725 {
726     lsi_request *p;
727 
728     QTAILQ_FOREACH(p, &s->queue, next) {
729         if (p->tag == tag) {
730             return p;
731         }
732     }
733 
734     return NULL;
735 }
736 
737 static void lsi_request_free(LSIState *s, lsi_request *p)
738 {
739     if (p == s->current) {
740         s->current = NULL;
741     } else {
742         QTAILQ_REMOVE(&s->queue, p, next);
743     }
744     g_free(p);
745 }
746 
747 static void lsi_request_cancelled(SCSIRequest *req)
748 {
749     LSIState *s = LSI53C895A(req->bus->qbus.parent);
750     lsi_request *p = req->hba_private;
751 
752     req->hba_private = NULL;
753     lsi_request_free(s, p);
754     scsi_req_unref(req);
755 }
756 
757 /* Record that data is available for a queued command.  Returns zero if
758    the device was reselected, nonzero if the IO is deferred.  */
759 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
760 {
761     lsi_request *p = req->hba_private;
762 
763     if (p->pending) {
764         trace_lsi_queue_req_error(p);
765     }
766     p->pending = len;
767     /* Reselect if waiting for it, or if reselection triggers an IRQ
768        and the bus is free.
769        Since no interrupt stacking is implemented in the emulation, it
770        is also required that there are no pending interrupts waiting
771        for service from the device driver. */
772     if (s->waiting == LSI_WAIT_RESELECT ||
773         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
774          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
775         /* Reselect device.  */
776         lsi_reselect(s, p);
777         return 0;
778     } else {
779         trace_lsi_queue_req(p->tag);
780         p->pending = len;
781         return 1;
782     }
783 }
784 
785  /* Callback to indicate that the SCSI layer has completed a command.  */
786 static void lsi_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
787 {
788     LSIState *s = LSI53C895A(req->bus->qbus.parent);
789     int out;
790 
791     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
792     trace_lsi_command_complete(status);
793     s->status = status;
794     s->command_complete = 2;
795     if (s->waiting && s->dbc != 0) {
796         /* Raise phase mismatch for short transfers.  */
797         lsi_bad_phase(s, out, PHASE_ST);
798     } else {
799         lsi_set_phase(s, PHASE_ST);
800     }
801 
802     if (req->hba_private == s->current) {
803         req->hba_private = NULL;
804         lsi_request_free(s, s->current);
805         scsi_req_unref(req);
806     }
807     lsi_resume_script(s);
808 }
809 
810  /* Callback to indicate that the SCSI layer has completed a transfer.  */
811 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
812 {
813     LSIState *s = LSI53C895A(req->bus->qbus.parent);
814     int out;
815 
816     assert(req->hba_private);
817     if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
818         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
819         if (lsi_queue_req(s, req, len)) {
820             return;
821         }
822     }
823 
824     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
825 
826     /* host adapter (re)connected */
827     trace_lsi_transfer_data(req->tag, len);
828     s->current->dma_len = len;
829     s->command_complete = 1;
830     if (s->waiting) {
831         if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
832             lsi_resume_script(s);
833         } else {
834             lsi_do_dma(s, out);
835         }
836     }
837 }
838 
839 static void lsi_do_command(LSIState *s)
840 {
841     SCSIDevice *dev;
842     uint8_t buf[16];
843     uint32_t id;
844     int n;
845 
846     trace_lsi_do_command(s->dbc);
847     if (s->dbc > 16)
848         s->dbc = 16;
849     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
850     s->sfbr = buf[0];
851     s->command_complete = 0;
852 
853     id = (s->select_tag >> 8) & 0xf;
854     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
855     if (!dev) {
856         lsi_bad_selection(s, id);
857         return;
858     }
859 
860     assert(s->current == NULL);
861     s->current = g_new0(lsi_request, 1);
862     s->current->tag = s->select_tag;
863     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
864                                    s->current);
865 
866     n = scsi_req_enqueue(s->current->req);
867     if (n) {
868         if (n > 0) {
869             lsi_set_phase(s, PHASE_DI);
870         } else if (n < 0) {
871             lsi_set_phase(s, PHASE_DO);
872         }
873         scsi_req_continue(s->current->req);
874     }
875     if (!s->command_complete) {
876         if (n) {
877             /* Command did not complete immediately so disconnect.  */
878             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
879             lsi_add_msg_byte(s, 4); /* DISCONNECT */
880             /* wait data */
881             lsi_set_phase(s, PHASE_MI);
882             s->msg_action = LSI_MSG_ACTION_DISCONNECT;
883             lsi_queue_command(s);
884         } else {
885             /* wait command complete */
886             lsi_set_phase(s, PHASE_DI);
887         }
888     }
889 }
890 
891 static void lsi_do_status(LSIState *s)
892 {
893     uint8_t status;
894     trace_lsi_do_status(s->dbc, s->status);
895     if (s->dbc != 1) {
896         trace_lsi_do_status_error();
897     }
898     s->dbc = 1;
899     status = s->status;
900     s->sfbr = status;
901     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
902     lsi_set_phase(s, PHASE_MI);
903     s->msg_action = LSI_MSG_ACTION_DISCONNECT;
904     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
905 }
906 
907 static void lsi_do_msgin(LSIState *s)
908 {
909     uint8_t len;
910     trace_lsi_do_msgin(s->dbc, s->msg_len);
911     s->sfbr = s->msg[0];
912     len = s->msg_len;
913     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
914     if (len > s->dbc)
915         len = s->dbc;
916     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
917     /* Linux drivers rely on the last byte being in the SIDL.  */
918     s->sidl = s->msg[len - 1];
919     s->msg_len -= len;
920     if (s->msg_len) {
921         memmove(s->msg, s->msg + len, s->msg_len);
922     } else {
923         /* ??? Check if ATN (not yet implemented) is asserted and maybe
924            switch to PHASE_MO.  */
925         switch (s->msg_action) {
926         case LSI_MSG_ACTION_COMMAND:
927             lsi_set_phase(s, PHASE_CMD);
928             break;
929         case LSI_MSG_ACTION_DISCONNECT:
930             lsi_disconnect(s);
931             break;
932         case LSI_MSG_ACTION_DOUT:
933             lsi_set_phase(s, PHASE_DO);
934             break;
935         case LSI_MSG_ACTION_DIN:
936             lsi_set_phase(s, PHASE_DI);
937             break;
938         default:
939             abort();
940         }
941     }
942 }
943 
944 /* Read the next byte during a MSGOUT phase.  */
945 static uint8_t lsi_get_msgbyte(LSIState *s)
946 {
947     uint8_t data;
948     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
949     s->dnad++;
950     s->dbc--;
951     return data;
952 }
953 
954 /* Skip the next n bytes during a MSGOUT phase. */
955 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
956 {
957     s->dnad += n;
958     s->dbc  -= n;
959 }
960 
961 static void lsi_do_msgout(LSIState *s)
962 {
963     uint8_t msg;
964     int len;
965     uint32_t current_tag;
966     lsi_request *current_req, *p, *p_next;
967 
968     if (s->current) {
969         current_tag = s->current->tag;
970         current_req = s->current;
971     } else {
972         current_tag = s->select_tag;
973         current_req = lsi_find_by_tag(s, current_tag);
974     }
975 
976     trace_lsi_do_msgout(s->dbc);
977     while (s->dbc) {
978         msg = lsi_get_msgbyte(s);
979         s->sfbr = msg;
980 
981         switch (msg) {
982         case 0x04:
983             trace_lsi_do_msgout_disconnect();
984             lsi_disconnect(s);
985             break;
986         case 0x08:
987             trace_lsi_do_msgout_noop();
988             lsi_set_phase(s, PHASE_CMD);
989             break;
990         case 0x01:
991             len = lsi_get_msgbyte(s);
992             msg = lsi_get_msgbyte(s);
993             (void)len; /* avoid a warning about unused variable*/
994             trace_lsi_do_msgout_extended(msg, len);
995             switch (msg) {
996             case 1:
997                 trace_lsi_do_msgout_ignored("SDTR");
998                 lsi_skip_msgbytes(s, 2);
999                 break;
1000             case 3:
1001                 trace_lsi_do_msgout_ignored("WDTR");
1002                 lsi_skip_msgbytes(s, 1);
1003                 break;
1004             case 4:
1005                 trace_lsi_do_msgout_ignored("PPR");
1006                 lsi_skip_msgbytes(s, 5);
1007                 break;
1008             default:
1009                 goto bad;
1010             }
1011             break;
1012         case 0x20: /* SIMPLE queue */
1013             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1014             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1015             break;
1016         case 0x21: /* HEAD of queue */
1017             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1018             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1019             break;
1020         case 0x22: /* ORDERED queue */
1021             qemu_log_mask(LOG_UNIMP,
1022                           "lsi_scsi: ORDERED queue not implemented\n");
1023             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1024             break;
1025         case 0x0d:
1026             /* The ABORT TAG message clears the current I/O process only. */
1027             trace_lsi_do_msgout_abort(current_tag);
1028             if (current_req) {
1029                 scsi_req_cancel(current_req->req);
1030             }
1031             lsi_disconnect(s);
1032             break;
1033         case 0x06:
1034         case 0x0e:
1035         case 0x0c:
1036             /* The ABORT message clears all I/O processes for the selecting
1037                initiator on the specified logical unit of the target. */
1038             if (msg == 0x06) {
1039                 trace_lsi_do_msgout_abort(current_tag);
1040             }
1041             /* The CLEAR QUEUE message clears all I/O processes for all
1042                initiators on the specified logical unit of the target. */
1043             if (msg == 0x0e) {
1044                 trace_lsi_do_msgout_clearqueue(current_tag);
1045             }
1046             /* The BUS DEVICE RESET message clears all I/O processes for all
1047                initiators on all logical units of the target. */
1048             if (msg == 0x0c) {
1049                 trace_lsi_do_msgout_busdevicereset(current_tag);
1050             }
1051 
1052             /* clear the current I/O process */
1053             if (s->current) {
1054                 scsi_req_cancel(s->current->req);
1055             }
1056 
1057             /* As the current implemented devices scsi_disk and scsi_generic
1058                only support one LUN, we don't need to keep track of LUNs.
1059                Clearing I/O processes for other initiators could be possible
1060                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1061                device, but this is currently not implemented (and seems not
1062                to be really necessary). So let's simply clear all queued
1063                commands for the current device: */
1064             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1065                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1066                     scsi_req_cancel(p->req);
1067                 }
1068             }
1069 
1070             lsi_disconnect(s);
1071             break;
1072         default:
1073             if ((msg & 0x80) == 0) {
1074                 goto bad;
1075             }
1076             s->current_lun = msg & 7;
1077             trace_lsi_do_msgout_select(s->current_lun);
1078             lsi_set_phase(s, PHASE_CMD);
1079             break;
1080         }
1081     }
1082     return;
1083 bad:
1084     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1085     lsi_set_phase(s, PHASE_MI);
1086     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1087     s->msg_action = LSI_MSG_ACTION_COMMAND;
1088 }
1089 
1090 #define LSI_BUF_SIZE 4096
1091 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1092 {
1093     int n;
1094     uint8_t buf[LSI_BUF_SIZE];
1095 
1096     trace_lsi_memcpy(dest, src, count);
1097     while (count) {
1098         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1099         lsi_mem_read(s, src, buf, n);
1100         lsi_mem_write(s, dest, buf, n);
1101         src += n;
1102         dest += n;
1103         count -= n;
1104     }
1105 }
1106 
1107 static void lsi_wait_reselect(LSIState *s)
1108 {
1109     lsi_request *p;
1110 
1111     trace_lsi_wait_reselect();
1112 
1113     if (s->current) {
1114         return;
1115     }
1116     p = get_pending_req(s);
1117     if (p) {
1118         lsi_reselect(s, p);
1119     }
1120     if (s->current == NULL) {
1121         s->waiting = LSI_WAIT_RESELECT;
1122     }
1123 }
1124 
1125 static void lsi_execute_script(LSIState *s)
1126 {
1127     PCIDevice *pci_dev = PCI_DEVICE(s);
1128     uint32_t insn;
1129     uint32_t addr, addr_high;
1130     int opcode;
1131     int insn_processed = 0;
1132 
1133     s->istat1 |= LSI_ISTAT1_SRUN;
1134 again:
1135     insn_processed++;
1136     insn = read_dword(s, s->dsp);
1137     if (!insn) {
1138         /* If we receive an empty opcode increment the DSP by 4 bytes
1139            instead of 8 and execute the next opcode at that location */
1140         s->dsp += 4;
1141         goto again;
1142     }
1143     addr = read_dword(s, s->dsp + 4);
1144     addr_high = 0;
1145     trace_lsi_execute_script(s->dsp, insn, addr);
1146     s->dsps = addr;
1147     s->dcmd = insn >> 24;
1148     s->dsp += 8;
1149     switch (insn >> 30) {
1150     case 0: /* Block move.  */
1151         if (s->sist1 & LSI_SIST1_STO) {
1152             trace_lsi_execute_script_blockmove_delayed();
1153             lsi_stop_script(s);
1154             break;
1155         }
1156         s->dbc = insn & 0xffffff;
1157         s->rbc = s->dbc;
1158         /* ??? Set ESA.  */
1159         s->ia = s->dsp - 8;
1160         if (insn & (1 << 29)) {
1161             /* Indirect addressing.  */
1162             addr = read_dword(s, addr);
1163         } else if (insn & (1 << 28)) {
1164             uint32_t buf[2];
1165             int32_t offset;
1166             /* Table indirect addressing.  */
1167 
1168             /* 32-bit Table indirect */
1169             offset = sextract32(addr, 0, 24);
1170             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1171             /* byte count is stored in bits 0:23 only */
1172             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1173             s->rbc = s->dbc;
1174             addr = cpu_to_le32(buf[1]);
1175 
1176             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1177              * table, bits [31:24] */
1178             if (lsi_dma_40bit(s))
1179                 addr_high = cpu_to_le32(buf[0]) >> 24;
1180             else if (lsi_dma_ti64bit(s)) {
1181                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1182                 switch (selector) {
1183                 case 0 ... 0x0f:
1184                     /* offset index into scratch registers since
1185                      * TI64 mode can use registers C to R */
1186                     addr_high = s->scratch[2 + selector];
1187                     break;
1188                 case 0x10:
1189                     addr_high = s->mmrs;
1190                     break;
1191                 case 0x11:
1192                     addr_high = s->mmws;
1193                     break;
1194                 case 0x12:
1195                     addr_high = s->sfs;
1196                     break;
1197                 case 0x13:
1198                     addr_high = s->drs;
1199                     break;
1200                 case 0x14:
1201                     addr_high = s->sbms;
1202                     break;
1203                 case 0x15:
1204                     addr_high = s->dbms;
1205                     break;
1206                 default:
1207                     qemu_log_mask(LOG_GUEST_ERROR,
1208                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1209                           "for 64-bit DMA block move", selector);
1210                     break;
1211                 }
1212             }
1213         } else if (lsi_dma_64bit(s)) {
1214             /* fetch a 3rd dword if 64-bit direct move is enabled and
1215                only if we're not doing table indirect or indirect addressing */
1216             s->dbms = read_dword(s, s->dsp);
1217             s->dsp += 4;
1218             s->ia = s->dsp - 12;
1219         }
1220         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1221             trace_lsi_execute_script_blockmove_badphase(
1222                     scsi_phase_name(s->sstat1),
1223                     scsi_phase_name(insn >> 24));
1224             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1225             break;
1226         }
1227         s->dnad = addr;
1228         s->dnad64 = addr_high;
1229         switch (s->sstat1 & 0x7) {
1230         case PHASE_DO:
1231             s->waiting = LSI_DMA_SCRIPTS;
1232             lsi_do_dma(s, 1);
1233             if (s->waiting)
1234                 s->waiting = LSI_DMA_IN_PROGRESS;
1235             break;
1236         case PHASE_DI:
1237             s->waiting = LSI_DMA_SCRIPTS;
1238             lsi_do_dma(s, 0);
1239             if (s->waiting)
1240                 s->waiting = LSI_DMA_IN_PROGRESS;
1241             break;
1242         case PHASE_CMD:
1243             lsi_do_command(s);
1244             break;
1245         case PHASE_ST:
1246             lsi_do_status(s);
1247             break;
1248         case PHASE_MO:
1249             lsi_do_msgout(s);
1250             break;
1251         case PHASE_MI:
1252             lsi_do_msgin(s);
1253             break;
1254         default:
1255             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1256                           scsi_phase_name(s->sstat1));
1257         }
1258         s->dfifo = s->dbc & 0xff;
1259         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1260         s->sbc = s->dbc;
1261         s->rbc -= s->dbc;
1262         s->ua = addr + s->dbc;
1263         break;
1264 
1265     case 1: /* IO or Read/Write instruction.  */
1266         opcode = (insn >> 27) & 7;
1267         if (opcode < 5) {
1268             uint32_t id;
1269 
1270             if (insn & (1 << 25)) {
1271                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1272             } else {
1273                 id = insn;
1274             }
1275             id = (id >> 16) & 0xf;
1276             if (insn & (1 << 26)) {
1277                 addr = s->dsp + sextract32(addr, 0, 24);
1278             }
1279             s->dnad = addr;
1280             switch (opcode) {
1281             case 0: /* Select */
1282                 s->sdid = id;
1283                 if (s->scntl1 & LSI_SCNTL1_CON) {
1284                     trace_lsi_execute_script_io_alreadyreselected();
1285                     s->dsp = s->dnad;
1286                     break;
1287                 }
1288                 s->sstat0 |= LSI_SSTAT0_WOA;
1289                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1290                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1291                     lsi_bad_selection(s, id);
1292                     break;
1293                 }
1294                 trace_lsi_execute_script_io_selected(id,
1295                                              insn & (1 << 3) ? " ATN" : "");
1296                 /* ??? Linux drivers compain when this is set.  Maybe
1297                    it only applies in low-level mode (unimplemented).
1298                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1299                 s->select_tag = id << 8;
1300                 s->scntl1 |= LSI_SCNTL1_CON;
1301                 if (insn & (1 << 3)) {
1302                     s->socl |= LSI_SOCL_ATN;
1303                     s->sbcl |= LSI_SBCL_ATN;
1304                 }
1305                 s->sbcl |= LSI_SBCL_BSY;
1306                 lsi_set_phase(s, PHASE_MO);
1307                 s->waiting = LSI_NOWAIT;
1308                 break;
1309             case 1: /* Disconnect */
1310                 trace_lsi_execute_script_io_disconnect();
1311                 s->scntl1 &= ~LSI_SCNTL1_CON;
1312                 /* FIXME: this is not entirely correct; the target need not ask
1313                  * for reselection until it has to send data, while here we force a
1314                  * reselection as soon as the bus is free.  The correct flow would
1315                  * reselect before lsi_transfer_data and disconnect as soon as
1316                  * DMA ends.
1317                  */
1318                 if (!s->current) {
1319                     lsi_request *p = get_pending_req(s);
1320                     if (p) {
1321                         lsi_reselect(s, p);
1322                     }
1323                 }
1324                 break;
1325             case 2: /* Wait Reselect */
1326                 if (s->istat0 & LSI_ISTAT0_SIGP) {
1327                     s->dsp = s->dnad;
1328                 } else if (!lsi_irq_on_rsl(s)) {
1329                         lsi_wait_reselect(s);
1330                 }
1331                 break;
1332             case 3: /* Set */
1333                 trace_lsi_execute_script_io_set(
1334                         insn & (1 << 3) ? " ATN" : "",
1335                         insn & (1 << 6) ? " ACK" : "",
1336                         insn & (1 << 9) ? " TM" : "",
1337                         insn & (1 << 10) ? " CC" : "");
1338                 if (insn & (1 << 3)) {
1339                     s->socl |= LSI_SOCL_ATN;
1340                     s->sbcl |= LSI_SBCL_ATN;
1341                     lsi_set_phase(s, PHASE_MO);
1342                 }
1343 
1344                 if (insn & (1 << 6)) {
1345                     s->sbcl |= LSI_SBCL_ACK;
1346                 }
1347 
1348                 if (insn & (1 << 9)) {
1349                     qemu_log_mask(LOG_UNIMP,
1350                         "lsi_scsi: Target mode not implemented\n");
1351                 }
1352                 if (insn & (1 << 10))
1353                     s->carry = 1;
1354                 break;
1355             case 4: /* Clear */
1356                 trace_lsi_execute_script_io_clear(
1357                         insn & (1 << 3) ? " ATN" : "",
1358                         insn & (1 << 6) ? " ACK" : "",
1359                         insn & (1 << 9) ? " TM" : "",
1360                         insn & (1 << 10) ? " CC" : "");
1361                 if (insn & (1 << 3)) {
1362                     s->socl &= ~LSI_SOCL_ATN;
1363                     s->sbcl &= ~LSI_SBCL_ATN;
1364                 }
1365 
1366                 if (insn & (1 << 6)) {
1367                     s->sbcl &= ~LSI_SBCL_ACK;
1368                 }
1369 
1370                 if (insn & (1 << 10))
1371                     s->carry = 0;
1372                 break;
1373             }
1374         } else {
1375             uint8_t op0;
1376             uint8_t op1;
1377             uint8_t data8;
1378             int reg;
1379             int operator;
1380 
1381             static const char *opcode_names[3] =
1382                 {"Write", "Read", "Read-Modify-Write"};
1383             static const char *operator_names[8] =
1384                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1385 
1386             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1387             data8 = (insn >> 8) & 0xff;
1388             opcode = (insn >> 27) & 7;
1389             operator = (insn >> 24) & 7;
1390             trace_lsi_execute_script_io_opcode(
1391                     opcode_names[opcode - 5], reg,
1392                     operator_names[operator], data8, s->sfbr,
1393                     (insn & (1 << 23)) ? " SFBR" : "");
1394             op0 = op1 = 0;
1395             switch (opcode) {
1396             case 5: /* From SFBR */
1397                 op0 = s->sfbr;
1398                 op1 = data8;
1399                 break;
1400             case 6: /* To SFBR */
1401                 if (operator)
1402                     op0 = lsi_reg_readb(s, reg);
1403                 op1 = data8;
1404                 break;
1405             case 7: /* Read-modify-write */
1406                 if (operator)
1407                     op0 = lsi_reg_readb(s, reg);
1408                 if (insn & (1 << 23)) {
1409                     op1 = s->sfbr;
1410                 } else {
1411                     op1 = data8;
1412                 }
1413                 break;
1414             }
1415 
1416             switch (operator) {
1417             case 0: /* move */
1418                 op0 = op1;
1419                 break;
1420             case 1: /* Shift left */
1421                 op1 = op0 >> 7;
1422                 op0 = (op0 << 1) | s->carry;
1423                 s->carry = op1;
1424                 break;
1425             case 2: /* OR */
1426                 op0 |= op1;
1427                 break;
1428             case 3: /* XOR */
1429                 op0 ^= op1;
1430                 break;
1431             case 4: /* AND */
1432                 op0 &= op1;
1433                 break;
1434             case 5: /* SHR */
1435                 op1 = op0 & 1;
1436                 op0 = (op0 >> 1) | (s->carry << 7);
1437                 s->carry = op1;
1438                 break;
1439             case 6: /* ADD */
1440                 op0 += op1;
1441                 s->carry = op0 < op1;
1442                 break;
1443             case 7: /* ADC */
1444                 op0 += op1 + s->carry;
1445                 if (s->carry)
1446                     s->carry = op0 <= op1;
1447                 else
1448                     s->carry = op0 < op1;
1449                 break;
1450             }
1451 
1452             switch (opcode) {
1453             case 5: /* From SFBR */
1454             case 7: /* Read-modify-write */
1455                 lsi_reg_writeb(s, reg, op0);
1456                 break;
1457             case 6: /* To SFBR */
1458                 s->sfbr = op0;
1459                 break;
1460             }
1461         }
1462         break;
1463 
1464     case 2: /* Transfer Control.  */
1465         {
1466             int cond;
1467             int jmp;
1468 
1469             if ((insn & 0x002e0000) == 0) {
1470                 trace_lsi_execute_script_tc_nop();
1471                 break;
1472             }
1473             if (s->sist1 & LSI_SIST1_STO) {
1474                 trace_lsi_execute_script_tc_delayedselect_timeout();
1475                 lsi_stop_script(s);
1476                 break;
1477             }
1478             cond = jmp = (insn & (1 << 19)) != 0;
1479             if (cond == jmp && (insn & (1 << 21))) {
1480                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1481                 cond = s->carry != 0;
1482             }
1483             if (cond == jmp && (insn & (1 << 17))) {
1484                 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1485                         jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1486                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1487             }
1488             if (cond == jmp && (insn & (1 << 18))) {
1489                 uint8_t mask;
1490 
1491                 mask = (~insn >> 8) & 0xff;
1492                 trace_lsi_execute_script_tc_compd(
1493                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1494                 cond = (s->sfbr & mask) == (insn & mask);
1495             }
1496             if (cond == jmp) {
1497                 if (insn & (1 << 23)) {
1498                     /* Relative address.  */
1499                     addr = s->dsp + sextract32(addr, 0, 24);
1500                 }
1501                 switch ((insn >> 27) & 7) {
1502                 case 0: /* Jump */
1503                     trace_lsi_execute_script_tc_jump(addr);
1504                     s->adder = addr;
1505                     s->dsp = addr;
1506                     break;
1507                 case 1: /* Call */
1508                     trace_lsi_execute_script_tc_call(addr);
1509                     s->temp = s->dsp;
1510                     s->dsp = addr;
1511                     break;
1512                 case 2: /* Return */
1513                     trace_lsi_execute_script_tc_return(s->temp);
1514                     s->dsp = s->temp;
1515                     break;
1516                 case 3: /* Interrupt */
1517                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1518                     if ((insn & (1 << 20)) != 0) {
1519                         s->istat0 |= LSI_ISTAT0_INTF;
1520                         lsi_update_irq(s);
1521                     } else {
1522                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1523                     }
1524                     break;
1525                 default:
1526                     trace_lsi_execute_script_tc_illegal();
1527                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1528                     break;
1529                 }
1530             } else {
1531                 trace_lsi_execute_script_tc_cc_failed();
1532             }
1533         }
1534         break;
1535 
1536     case 3:
1537         if ((insn & (1 << 29)) == 0) {
1538             /* Memory move.  */
1539             uint32_t dest;
1540             /* ??? The docs imply the destination address is loaded into
1541                the TEMP register.  However the Linux drivers rely on
1542                the value being presrved.  */
1543             dest = read_dword(s, s->dsp);
1544             s->dsp += 4;
1545             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1546         } else {
1547             uint8_t data[7];
1548             int reg;
1549             int n;
1550             int i;
1551 
1552             if (insn & (1 << 28)) {
1553                 addr = s->dsa + sextract32(addr, 0, 24);
1554             }
1555             n = (insn & 7);
1556             reg = (insn >> 16) & 0xff;
1557             if (insn & (1 << 24)) {
1558                 pci_dma_read(pci_dev, addr, data, n);
1559                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1560                 for (i = 0; i < n; i++) {
1561                     lsi_reg_writeb(s, reg + i, data[i]);
1562                 }
1563             } else {
1564                 trace_lsi_execute_script_mm_store(reg, n, addr);
1565                 for (i = 0; i < n; i++) {
1566                     data[i] = lsi_reg_readb(s, reg + i);
1567                 }
1568                 pci_dma_write(pci_dev, addr, data, n);
1569             }
1570         }
1571     }
1572     if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
1573         /* Some windows drivers make the device spin waiting for a memory
1574            location to change.  If we have been executed a lot of code then
1575            assume this is the case and force an unexpected device disconnect.
1576            This is apparently sufficient to beat the drivers into submission.
1577          */
1578         if (!(s->sien0 & LSI_SIST0_UDC)) {
1579             qemu_log_mask(LOG_GUEST_ERROR,
1580                           "lsi_scsi: inf. loop with UDC masked");
1581         }
1582         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1583         lsi_disconnect(s);
1584     } else if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1585         if (s->dcntl & LSI_DCNTL_SSM) {
1586             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1587         } else {
1588             goto again;
1589         }
1590     }
1591     trace_lsi_execute_script_stop();
1592 }
1593 
1594 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1595 {
1596     uint8_t ret;
1597 
1598 #define CASE_GET_REG24(name, addr) \
1599     case addr: ret = s->name & 0xff; break; \
1600     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1601     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1602 
1603 #define CASE_GET_REG32(name, addr) \
1604     case addr: ret = s->name & 0xff; break; \
1605     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1606     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1607     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1608 
1609     switch (offset) {
1610     case 0x00: /* SCNTL0 */
1611         ret = s->scntl0;
1612         break;
1613     case 0x01: /* SCNTL1 */
1614         ret = s->scntl1;
1615         break;
1616     case 0x02: /* SCNTL2 */
1617         ret = s->scntl2;
1618         break;
1619     case 0x03: /* SCNTL3 */
1620         ret = s->scntl3;
1621         break;
1622     case 0x04: /* SCID */
1623         ret = s->scid;
1624         break;
1625     case 0x05: /* SXFER */
1626         ret = s->sxfer;
1627         break;
1628     case 0x06: /* SDID */
1629         ret = s->sdid;
1630         break;
1631     case 0x07: /* GPREG0 */
1632         ret = 0x7f;
1633         break;
1634     case 0x08: /* Revision ID */
1635         ret = 0x00;
1636         break;
1637     case 0x09: /* SOCL */
1638         ret = s->socl;
1639         break;
1640     case 0xa: /* SSID */
1641         ret = s->ssid;
1642         break;
1643     case 0xb: /* SBCL */
1644         ret = s->sbcl;
1645         break;
1646     case 0xc: /* DSTAT */
1647         ret = s->dstat | LSI_DSTAT_DFE;
1648         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1649             s->dstat = 0;
1650         lsi_update_irq(s);
1651         break;
1652     case 0x0d: /* SSTAT0 */
1653         ret = s->sstat0;
1654         break;
1655     case 0x0e: /* SSTAT1 */
1656         ret = s->sstat1;
1657         break;
1658     case 0x0f: /* SSTAT2 */
1659         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1660         break;
1661     CASE_GET_REG32(dsa, 0x10)
1662     case 0x14: /* ISTAT0 */
1663         ret = s->istat0;
1664         break;
1665     case 0x15: /* ISTAT1 */
1666         ret = s->istat1;
1667         break;
1668     case 0x16: /* MBOX0 */
1669         ret = s->mbox0;
1670         break;
1671     case 0x17: /* MBOX1 */
1672         ret = s->mbox1;
1673         break;
1674     case 0x18: /* CTEST0 */
1675         ret = 0xff;
1676         break;
1677     case 0x19: /* CTEST1 */
1678         ret = 0;
1679         break;
1680     case 0x1a: /* CTEST2 */
1681         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1682         if (s->istat0 & LSI_ISTAT0_SIGP) {
1683             s->istat0 &= ~LSI_ISTAT0_SIGP;
1684             ret |= LSI_CTEST2_SIGP;
1685         }
1686         break;
1687     case 0x1b: /* CTEST3 */
1688         ret = s->ctest3;
1689         break;
1690     CASE_GET_REG32(temp, 0x1c)
1691     case 0x20: /* DFIFO */
1692         ret = s->dfifo;
1693         break;
1694     case 0x21: /* CTEST4 */
1695         ret = s->ctest4;
1696         break;
1697     case 0x22: /* CTEST5 */
1698         ret = s->ctest5;
1699         break;
1700     case 0x23: /* CTEST6 */
1701         ret = 0;
1702         break;
1703     CASE_GET_REG24(dbc, 0x24)
1704     case 0x27: /* DCMD */
1705         ret = s->dcmd;
1706         break;
1707     CASE_GET_REG32(dnad, 0x28)
1708     CASE_GET_REG32(dsp, 0x2c)
1709     CASE_GET_REG32(dsps, 0x30)
1710     CASE_GET_REG32(scratch[0], 0x34)
1711     case 0x38: /* DMODE */
1712         ret = s->dmode;
1713         break;
1714     case 0x39: /* DIEN */
1715         ret = s->dien;
1716         break;
1717     case 0x3a: /* SBR */
1718         ret = s->sbr;
1719         break;
1720     case 0x3b: /* DCNTL */
1721         ret = s->dcntl;
1722         break;
1723     /* ADDER Output (Debug of relative jump address) */
1724     CASE_GET_REG32(adder, 0x3c)
1725     case 0x40: /* SIEN0 */
1726         ret = s->sien0;
1727         break;
1728     case 0x41: /* SIEN1 */
1729         ret = s->sien1;
1730         break;
1731     case 0x42: /* SIST0 */
1732         ret = s->sist0;
1733         s->sist0 = 0;
1734         lsi_update_irq(s);
1735         break;
1736     case 0x43: /* SIST1 */
1737         ret = s->sist1;
1738         s->sist1 = 0;
1739         lsi_update_irq(s);
1740         break;
1741     case 0x46: /* MACNTL */
1742         ret = 0x0f;
1743         break;
1744     case 0x47: /* GPCNTL0 */
1745         ret = 0x0f;
1746         break;
1747     case 0x48: /* STIME0 */
1748         ret = s->stime0;
1749         break;
1750     case 0x4a: /* RESPID0 */
1751         ret = s->respid0;
1752         break;
1753     case 0x4b: /* RESPID1 */
1754         ret = s->respid1;
1755         break;
1756     case 0x4d: /* STEST1 */
1757         ret = s->stest1;
1758         break;
1759     case 0x4e: /* STEST2 */
1760         ret = s->stest2;
1761         break;
1762     case 0x4f: /* STEST3 */
1763         ret = s->stest3;
1764         break;
1765     case 0x50: /* SIDL */
1766         /* This is needed by the linux drivers.  We currently only update it
1767            during the MSG IN phase.  */
1768         ret = s->sidl;
1769         break;
1770     case 0x52: /* STEST4 */
1771         ret = 0xe0;
1772         break;
1773     case 0x56: /* CCNTL0 */
1774         ret = s->ccntl0;
1775         break;
1776     case 0x57: /* CCNTL1 */
1777         ret = s->ccntl1;
1778         break;
1779     case 0x58: /* SBDL */
1780         /* Some drivers peek at the data bus during the MSG IN phase.  */
1781         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1782             assert(s->msg_len > 0);
1783             return s->msg[0];
1784         }
1785         ret = 0;
1786         break;
1787     case 0x59: /* SBDL high */
1788         ret = 0;
1789         break;
1790     CASE_GET_REG32(mmrs, 0xa0)
1791     CASE_GET_REG32(mmws, 0xa4)
1792     CASE_GET_REG32(sfs, 0xa8)
1793     CASE_GET_REG32(drs, 0xac)
1794     CASE_GET_REG32(sbms, 0xb0)
1795     CASE_GET_REG32(dbms, 0xb4)
1796     CASE_GET_REG32(dnad64, 0xb8)
1797     CASE_GET_REG32(pmjad1, 0xc0)
1798     CASE_GET_REG32(pmjad2, 0xc4)
1799     CASE_GET_REG32(rbc, 0xc8)
1800     CASE_GET_REG32(ua, 0xcc)
1801     CASE_GET_REG32(ia, 0xd4)
1802     CASE_GET_REG32(sbc, 0xd8)
1803     CASE_GET_REG32(csbc, 0xdc)
1804     case 0x5c ... 0x9f:
1805     {
1806         int n;
1807         int shift;
1808         n = (offset - 0x58) >> 2;
1809         shift = (offset & 3) * 8;
1810         ret = (s->scratch[n] >> shift) & 0xff;
1811         break;
1812     }
1813     default:
1814     {
1815         qemu_log_mask(LOG_GUEST_ERROR,
1816                       "lsi_scsi: invalid read from reg %s %x\n",
1817                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1818                       offset);
1819         ret = 0xff;
1820         break;
1821     }
1822     }
1823 #undef CASE_GET_REG24
1824 #undef CASE_GET_REG32
1825 
1826     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1827                        offset, ret);
1828 
1829     return ret;
1830 }
1831 
1832 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1833 {
1834 #define CASE_SET_REG24(name, addr) \
1835     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1836     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1837     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1838 
1839 #define CASE_SET_REG32(name, addr) \
1840     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1841     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1842     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1843     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1844 
1845     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1846                         offset, val);
1847 
1848     switch (offset) {
1849     case 0x00: /* SCNTL0 */
1850         s->scntl0 = val;
1851         if (val & LSI_SCNTL0_START) {
1852             qemu_log_mask(LOG_UNIMP,
1853                           "lsi_scsi: Start sequence not implemented\n");
1854         }
1855         break;
1856     case 0x01: /* SCNTL1 */
1857         s->scntl1 = val & ~LSI_SCNTL1_SST;
1858         if (val & LSI_SCNTL1_IARB) {
1859             qemu_log_mask(LOG_UNIMP,
1860                       "lsi_scsi: Immediate Arbritration not implemented\n");
1861         }
1862         if (val & LSI_SCNTL1_RST) {
1863             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1864                 qbus_reset_all(BUS(&s->bus));
1865                 s->sstat0 |= LSI_SSTAT0_RST;
1866                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1867             }
1868         } else {
1869             s->sstat0 &= ~LSI_SSTAT0_RST;
1870         }
1871         break;
1872     case 0x02: /* SCNTL2 */
1873         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1874         s->scntl2 = val;
1875         break;
1876     case 0x03: /* SCNTL3 */
1877         s->scntl3 = val;
1878         break;
1879     case 0x04: /* SCID */
1880         s->scid = val;
1881         break;
1882     case 0x05: /* SXFER */
1883         s->sxfer = val;
1884         break;
1885     case 0x06: /* SDID */
1886         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1887             qemu_log_mask(LOG_GUEST_ERROR,
1888                           "lsi_scsi: Destination ID does not match SSID\n");
1889         }
1890         s->sdid = val & 0xf;
1891         break;
1892     case 0x07: /* GPREG0 */
1893         break;
1894     case 0x08: /* SFBR */
1895         /* The CPU is not allowed to write to this register.  However the
1896            SCRIPTS register move instructions are.  */
1897         s->sfbr = val;
1898         break;
1899     case 0x0a: case 0x0b:
1900         /* Openserver writes to these readonly registers on startup */
1901         return;
1902     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1903         /* Linux writes to these readonly registers on startup.  */
1904         return;
1905     CASE_SET_REG32(dsa, 0x10)
1906     case 0x14: /* ISTAT0 */
1907         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1908         if (val & LSI_ISTAT0_ABRT) {
1909             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1910         }
1911         if (val & LSI_ISTAT0_INTF) {
1912             s->istat0 &= ~LSI_ISTAT0_INTF;
1913             lsi_update_irq(s);
1914         }
1915         if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1916             trace_lsi_awoken();
1917             s->waiting = LSI_NOWAIT;
1918             s->dsp = s->dnad;
1919             lsi_execute_script(s);
1920         }
1921         if (val & LSI_ISTAT0_SRST) {
1922             qdev_reset_all(DEVICE(s));
1923         }
1924         break;
1925     case 0x16: /* MBOX0 */
1926         s->mbox0 = val;
1927         break;
1928     case 0x17: /* MBOX1 */
1929         s->mbox1 = val;
1930         break;
1931     case 0x18: /* CTEST0 */
1932         /* nothing to do */
1933         break;
1934     case 0x1a: /* CTEST2 */
1935         s->ctest2 = val & LSI_CTEST2_PCICIE;
1936         break;
1937     case 0x1b: /* CTEST3 */
1938         s->ctest3 = val & 0x0f;
1939         break;
1940     CASE_SET_REG32(temp, 0x1c)
1941     case 0x21: /* CTEST4 */
1942         if (val & 7) {
1943             qemu_log_mask(LOG_UNIMP,
1944                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1945         }
1946         s->ctest4 = val;
1947         break;
1948     case 0x22: /* CTEST5 */
1949         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1950             qemu_log_mask(LOG_UNIMP,
1951                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1952         }
1953         s->ctest5 = val;
1954         break;
1955     CASE_SET_REG24(dbc, 0x24)
1956     CASE_SET_REG32(dnad, 0x28)
1957     case 0x2c: /* DSP[0:7] */
1958         s->dsp &= 0xffffff00;
1959         s->dsp |= val;
1960         break;
1961     case 0x2d: /* DSP[8:15] */
1962         s->dsp &= 0xffff00ff;
1963         s->dsp |= val << 8;
1964         break;
1965     case 0x2e: /* DSP[16:23] */
1966         s->dsp &= 0xff00ffff;
1967         s->dsp |= val << 16;
1968         break;
1969     case 0x2f: /* DSP[24:31] */
1970         s->dsp &= 0x00ffffff;
1971         s->dsp |= val << 24;
1972         if ((s->dmode & LSI_DMODE_MAN) == 0
1973             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1974             lsi_execute_script(s);
1975         break;
1976     CASE_SET_REG32(dsps, 0x30)
1977     CASE_SET_REG32(scratch[0], 0x34)
1978     case 0x38: /* DMODE */
1979         s->dmode = val;
1980         break;
1981     case 0x39: /* DIEN */
1982         s->dien = val;
1983         lsi_update_irq(s);
1984         break;
1985     case 0x3a: /* SBR */
1986         s->sbr = val;
1987         break;
1988     case 0x3b: /* DCNTL */
1989         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
1990         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1991             lsi_execute_script(s);
1992         break;
1993     case 0x40: /* SIEN0 */
1994         s->sien0 = val;
1995         lsi_update_irq(s);
1996         break;
1997     case 0x41: /* SIEN1 */
1998         s->sien1 = val;
1999         lsi_update_irq(s);
2000         break;
2001     case 0x47: /* GPCNTL0 */
2002         break;
2003     case 0x48: /* STIME0 */
2004         s->stime0 = val;
2005         break;
2006     case 0x49: /* STIME1 */
2007         if (val & 0xf) {
2008             qemu_log_mask(LOG_UNIMP,
2009                           "lsi_scsi: General purpose timer not implemented\n");
2010             /* ??? Raising the interrupt immediately seems to be sufficient
2011                to keep the FreeBSD driver happy.  */
2012             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2013         }
2014         break;
2015     case 0x4a: /* RESPID0 */
2016         s->respid0 = val;
2017         break;
2018     case 0x4b: /* RESPID1 */
2019         s->respid1 = val;
2020         break;
2021     case 0x4d: /* STEST1 */
2022         s->stest1 = val;
2023         break;
2024     case 0x4e: /* STEST2 */
2025         if (val & 1) {
2026             qemu_log_mask(LOG_UNIMP,
2027                           "lsi_scsi: Low level mode not implemented\n");
2028         }
2029         s->stest2 = val;
2030         break;
2031     case 0x4f: /* STEST3 */
2032         if (val & 0x41) {
2033             qemu_log_mask(LOG_UNIMP,
2034                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
2035         }
2036         s->stest3 = val;
2037         break;
2038     case 0x56: /* CCNTL0 */
2039         s->ccntl0 = val;
2040         break;
2041     case 0x57: /* CCNTL1 */
2042         s->ccntl1 = val;
2043         break;
2044     CASE_SET_REG32(mmrs, 0xa0)
2045     CASE_SET_REG32(mmws, 0xa4)
2046     CASE_SET_REG32(sfs, 0xa8)
2047     CASE_SET_REG32(drs, 0xac)
2048     CASE_SET_REG32(sbms, 0xb0)
2049     CASE_SET_REG32(dbms, 0xb4)
2050     CASE_SET_REG32(dnad64, 0xb8)
2051     CASE_SET_REG32(pmjad1, 0xc0)
2052     CASE_SET_REG32(pmjad2, 0xc4)
2053     CASE_SET_REG32(rbc, 0xc8)
2054     CASE_SET_REG32(ua, 0xcc)
2055     CASE_SET_REG32(ia, 0xd4)
2056     CASE_SET_REG32(sbc, 0xd8)
2057     CASE_SET_REG32(csbc, 0xdc)
2058     default:
2059         if (offset >= 0x5c && offset < 0xa0) {
2060             int n;
2061             int shift;
2062             n = (offset - 0x58) >> 2;
2063             shift = (offset & 3) * 8;
2064             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2065         } else {
2066             qemu_log_mask(LOG_GUEST_ERROR,
2067                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2068                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2069                           offset, val);
2070         }
2071     }
2072 #undef CASE_SET_REG24
2073 #undef CASE_SET_REG32
2074 }
2075 
2076 static void lsi_mmio_write(void *opaque, hwaddr addr,
2077                            uint64_t val, unsigned size)
2078 {
2079     LSIState *s = opaque;
2080 
2081     lsi_reg_writeb(s, addr & 0xff, val);
2082 }
2083 
2084 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2085                               unsigned size)
2086 {
2087     LSIState *s = opaque;
2088     return lsi_reg_readb(s, addr & 0xff);
2089 }
2090 
2091 static const MemoryRegionOps lsi_mmio_ops = {
2092     .read = lsi_mmio_read,
2093     .write = lsi_mmio_write,
2094     .endianness = DEVICE_LITTLE_ENDIAN,
2095     .impl = {
2096         .min_access_size = 1,
2097         .max_access_size = 1,
2098     },
2099 };
2100 
2101 static void lsi_ram_write(void *opaque, hwaddr addr,
2102                           uint64_t val, unsigned size)
2103 {
2104     LSIState *s = opaque;
2105     stn_le_p(s->script_ram + addr, size, val);
2106 }
2107 
2108 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2109                              unsigned size)
2110 {
2111     LSIState *s = opaque;
2112     return ldn_le_p(s->script_ram + addr, size);
2113 }
2114 
2115 static const MemoryRegionOps lsi_ram_ops = {
2116     .read = lsi_ram_read,
2117     .write = lsi_ram_write,
2118     .endianness = DEVICE_LITTLE_ENDIAN,
2119 };
2120 
2121 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2122                             unsigned size)
2123 {
2124     LSIState *s = opaque;
2125     return lsi_reg_readb(s, addr & 0xff);
2126 }
2127 
2128 static void lsi_io_write(void *opaque, hwaddr addr,
2129                          uint64_t val, unsigned size)
2130 {
2131     LSIState *s = opaque;
2132     lsi_reg_writeb(s, addr & 0xff, val);
2133 }
2134 
2135 static const MemoryRegionOps lsi_io_ops = {
2136     .read = lsi_io_read,
2137     .write = lsi_io_write,
2138     .endianness = DEVICE_LITTLE_ENDIAN,
2139     .impl = {
2140         .min_access_size = 1,
2141         .max_access_size = 1,
2142     },
2143 };
2144 
2145 static void lsi_scsi_reset(DeviceState *dev)
2146 {
2147     LSIState *s = LSI53C895A(dev);
2148 
2149     lsi_soft_reset(s);
2150 }
2151 
2152 static int lsi_pre_save(void *opaque)
2153 {
2154     LSIState *s = opaque;
2155 
2156     if (s->current) {
2157         assert(s->current->dma_buf == NULL);
2158         assert(s->current->dma_len == 0);
2159     }
2160     assert(QTAILQ_EMPTY(&s->queue));
2161 
2162     return 0;
2163 }
2164 
2165 static int lsi_post_load(void *opaque, int version_id)
2166 {
2167     LSIState *s = opaque;
2168 
2169     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2170         return -EINVAL;
2171     }
2172 
2173     return 0;
2174 }
2175 
2176 static const VMStateDescription vmstate_lsi_scsi = {
2177     .name = "lsiscsi",
2178     .version_id = 1,
2179     .minimum_version_id = 0,
2180     .pre_save = lsi_pre_save,
2181     .post_load = lsi_post_load,
2182     .fields = (VMStateField[]) {
2183         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2184 
2185         VMSTATE_INT32(carry, LSIState),
2186         VMSTATE_INT32(status, LSIState),
2187         VMSTATE_INT32(msg_action, LSIState),
2188         VMSTATE_INT32(msg_len, LSIState),
2189         VMSTATE_BUFFER(msg, LSIState),
2190         VMSTATE_INT32(waiting, LSIState),
2191 
2192         VMSTATE_UINT32(dsa, LSIState),
2193         VMSTATE_UINT32(temp, LSIState),
2194         VMSTATE_UINT32(dnad, LSIState),
2195         VMSTATE_UINT32(dbc, LSIState),
2196         VMSTATE_UINT8(istat0, LSIState),
2197         VMSTATE_UINT8(istat1, LSIState),
2198         VMSTATE_UINT8(dcmd, LSIState),
2199         VMSTATE_UINT8(dstat, LSIState),
2200         VMSTATE_UINT8(dien, LSIState),
2201         VMSTATE_UINT8(sist0, LSIState),
2202         VMSTATE_UINT8(sist1, LSIState),
2203         VMSTATE_UINT8(sien0, LSIState),
2204         VMSTATE_UINT8(sien1, LSIState),
2205         VMSTATE_UINT8(mbox0, LSIState),
2206         VMSTATE_UINT8(mbox1, LSIState),
2207         VMSTATE_UINT8(dfifo, LSIState),
2208         VMSTATE_UINT8(ctest2, LSIState),
2209         VMSTATE_UINT8(ctest3, LSIState),
2210         VMSTATE_UINT8(ctest4, LSIState),
2211         VMSTATE_UINT8(ctest5, LSIState),
2212         VMSTATE_UINT8(ccntl0, LSIState),
2213         VMSTATE_UINT8(ccntl1, LSIState),
2214         VMSTATE_UINT32(dsp, LSIState),
2215         VMSTATE_UINT32(dsps, LSIState),
2216         VMSTATE_UINT8(dmode, LSIState),
2217         VMSTATE_UINT8(dcntl, LSIState),
2218         VMSTATE_UINT8(scntl0, LSIState),
2219         VMSTATE_UINT8(scntl1, LSIState),
2220         VMSTATE_UINT8(scntl2, LSIState),
2221         VMSTATE_UINT8(scntl3, LSIState),
2222         VMSTATE_UINT8(sstat0, LSIState),
2223         VMSTATE_UINT8(sstat1, LSIState),
2224         VMSTATE_UINT8(scid, LSIState),
2225         VMSTATE_UINT8(sxfer, LSIState),
2226         VMSTATE_UINT8(socl, LSIState),
2227         VMSTATE_UINT8(sdid, LSIState),
2228         VMSTATE_UINT8(ssid, LSIState),
2229         VMSTATE_UINT8(sfbr, LSIState),
2230         VMSTATE_UINT8(stest1, LSIState),
2231         VMSTATE_UINT8(stest2, LSIState),
2232         VMSTATE_UINT8(stest3, LSIState),
2233         VMSTATE_UINT8(sidl, LSIState),
2234         VMSTATE_UINT8(stime0, LSIState),
2235         VMSTATE_UINT8(respid0, LSIState),
2236         VMSTATE_UINT8(respid1, LSIState),
2237         VMSTATE_UINT8_V(sbcl, LSIState, 1),
2238         VMSTATE_UINT32(mmrs, LSIState),
2239         VMSTATE_UINT32(mmws, LSIState),
2240         VMSTATE_UINT32(sfs, LSIState),
2241         VMSTATE_UINT32(drs, LSIState),
2242         VMSTATE_UINT32(sbms, LSIState),
2243         VMSTATE_UINT32(dbms, LSIState),
2244         VMSTATE_UINT32(dnad64, LSIState),
2245         VMSTATE_UINT32(pmjad1, LSIState),
2246         VMSTATE_UINT32(pmjad2, LSIState),
2247         VMSTATE_UINT32(rbc, LSIState),
2248         VMSTATE_UINT32(ua, LSIState),
2249         VMSTATE_UINT32(ia, LSIState),
2250         VMSTATE_UINT32(sbc, LSIState),
2251         VMSTATE_UINT32(csbc, LSIState),
2252         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2253         VMSTATE_UINT8(sbr, LSIState),
2254 
2255         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2256         VMSTATE_END_OF_LIST()
2257     }
2258 };
2259 
2260 static const struct SCSIBusInfo lsi_scsi_info = {
2261     .tcq = true,
2262     .max_target = LSI_MAX_DEVS,
2263     .max_lun = 0,  /* LUN support is buggy */
2264 
2265     .transfer_data = lsi_transfer_data,
2266     .complete = lsi_command_complete,
2267     .cancel = lsi_request_cancelled
2268 };
2269 
2270 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2271 {
2272     LSIState *s = LSI53C895A(dev);
2273     DeviceState *d = DEVICE(dev);
2274     uint8_t *pci_conf;
2275 
2276     pci_conf = dev->config;
2277 
2278     /* PCI latency timer = 255 */
2279     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2280     /* Interrupt pin A */
2281     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2282 
2283     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2284                           "lsi-mmio", 0x400);
2285     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2286                           "lsi-ram", 0x2000);
2287     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2288                           "lsi-io", 256);
2289 
2290     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2291     qdev_init_gpio_out(d, &s->ext_irq, 1);
2292 
2293     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2294     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2295     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2296     QTAILQ_INIT(&s->queue);
2297 
2298     scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
2299 }
2300 
2301 static void lsi_scsi_unrealize(DeviceState *dev, Error **errp)
2302 {
2303     LSIState *s = LSI53C895A(dev);
2304 
2305     address_space_destroy(&s->pci_io_as);
2306 }
2307 
2308 static void lsi_class_init(ObjectClass *klass, void *data)
2309 {
2310     DeviceClass *dc = DEVICE_CLASS(klass);
2311     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2312 
2313     k->realize = lsi_scsi_realize;
2314     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2315     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2316     k->class_id = PCI_CLASS_STORAGE_SCSI;
2317     k->subsystem_id = 0x1000;
2318     dc->unrealize = lsi_scsi_unrealize;
2319     dc->reset = lsi_scsi_reset;
2320     dc->vmsd = &vmstate_lsi_scsi;
2321     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2322 }
2323 
2324 static const TypeInfo lsi_info = {
2325     .name          = TYPE_LSI53C895A,
2326     .parent        = TYPE_PCI_DEVICE,
2327     .instance_size = sizeof(LSIState),
2328     .class_init    = lsi_class_init,
2329     .interfaces = (InterfaceInfo[]) {
2330         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2331         { },
2332     },
2333 };
2334 
2335 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2336 {
2337     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2338 
2339     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2340 }
2341 
2342 static TypeInfo lsi53c810_info = {
2343     .name          = TYPE_LSI53C810,
2344     .parent        = TYPE_LSI53C895A,
2345     .class_init    = lsi53c810_class_init,
2346 };
2347 
2348 static void lsi53c895a_register_types(void)
2349 {
2350     type_register_static(&lsi_info);
2351     type_register_static(&lsi53c810_info);
2352 }
2353 
2354 type_init(lsi53c895a_register_types)
2355 
2356 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2357 {
2358     LSIState *s = LSI53C895A(lsi_dev);
2359 
2360     scsi_bus_legacy_handle_cmdline(&s->bus);
2361 }
2362