xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision 62dd4eda)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/hw.h"
19 #include "hw/pci/pci.h"
20 #include "hw/scsi/scsi.h"
21 #include "sysemu/dma.h"
22 #include "qemu/log.h"
23 
24 //#define DEBUG_LSI
25 //#define DEBUG_LSI_REG
26 
27 #ifdef DEBUG_LSI
28 #define DPRINTF(fmt, ...) \
29 do { printf("lsi_scsi: " fmt , ## __VA_ARGS__); } while (0)
30 #define BADF(fmt, ...) \
31 do { fprintf(stderr, "lsi_scsi: error: " fmt , ## __VA_ARGS__); exit(1);} while (0)
32 #else
33 #define DPRINTF(fmt, ...) do {} while(0)
34 #define BADF(fmt, ...) \
35 do { fprintf(stderr, "lsi_scsi: error: " fmt , ## __VA_ARGS__);} while (0)
36 #endif
37 
38 static const char *names[] = {
39     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
40     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
41     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
42     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
43     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
44     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
45     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
46     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
47     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
48     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
49     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
50     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
51 };
52 
53 #define LSI_MAX_DEVS 7
54 
55 #define LSI_SCNTL0_TRG    0x01
56 #define LSI_SCNTL0_AAP    0x02
57 #define LSI_SCNTL0_EPC    0x08
58 #define LSI_SCNTL0_WATN   0x10
59 #define LSI_SCNTL0_START  0x20
60 
61 #define LSI_SCNTL1_SST    0x01
62 #define LSI_SCNTL1_IARB   0x02
63 #define LSI_SCNTL1_AESP   0x04
64 #define LSI_SCNTL1_RST    0x08
65 #define LSI_SCNTL1_CON    0x10
66 #define LSI_SCNTL1_DHP    0x20
67 #define LSI_SCNTL1_ADB    0x40
68 #define LSI_SCNTL1_EXC    0x80
69 
70 #define LSI_SCNTL2_WSR    0x01
71 #define LSI_SCNTL2_VUE0   0x02
72 #define LSI_SCNTL2_VUE1   0x04
73 #define LSI_SCNTL2_WSS    0x08
74 #define LSI_SCNTL2_SLPHBEN 0x10
75 #define LSI_SCNTL2_SLPMD  0x20
76 #define LSI_SCNTL2_CHM    0x40
77 #define LSI_SCNTL2_SDU    0x80
78 
79 #define LSI_ISTAT0_DIP    0x01
80 #define LSI_ISTAT0_SIP    0x02
81 #define LSI_ISTAT0_INTF   0x04
82 #define LSI_ISTAT0_CON    0x08
83 #define LSI_ISTAT0_SEM    0x10
84 #define LSI_ISTAT0_SIGP   0x20
85 #define LSI_ISTAT0_SRST   0x40
86 #define LSI_ISTAT0_ABRT   0x80
87 
88 #define LSI_ISTAT1_SI     0x01
89 #define LSI_ISTAT1_SRUN   0x02
90 #define LSI_ISTAT1_FLSH   0x04
91 
92 #define LSI_SSTAT0_SDP0   0x01
93 #define LSI_SSTAT0_RST    0x02
94 #define LSI_SSTAT0_WOA    0x04
95 #define LSI_SSTAT0_LOA    0x08
96 #define LSI_SSTAT0_AIP    0x10
97 #define LSI_SSTAT0_OLF    0x20
98 #define LSI_SSTAT0_ORF    0x40
99 #define LSI_SSTAT0_ILF    0x80
100 
101 #define LSI_SIST0_PAR     0x01
102 #define LSI_SIST0_RST     0x02
103 #define LSI_SIST0_UDC     0x04
104 #define LSI_SIST0_SGE     0x08
105 #define LSI_SIST0_RSL     0x10
106 #define LSI_SIST0_SEL     0x20
107 #define LSI_SIST0_CMP     0x40
108 #define LSI_SIST0_MA      0x80
109 
110 #define LSI_SIST1_HTH     0x01
111 #define LSI_SIST1_GEN     0x02
112 #define LSI_SIST1_STO     0x04
113 #define LSI_SIST1_SBMC    0x10
114 
115 #define LSI_SOCL_IO       0x01
116 #define LSI_SOCL_CD       0x02
117 #define LSI_SOCL_MSG      0x04
118 #define LSI_SOCL_ATN      0x08
119 #define LSI_SOCL_SEL      0x10
120 #define LSI_SOCL_BSY      0x20
121 #define LSI_SOCL_ACK      0x40
122 #define LSI_SOCL_REQ      0x80
123 
124 #define LSI_DSTAT_IID     0x01
125 #define LSI_DSTAT_SIR     0x04
126 #define LSI_DSTAT_SSI     0x08
127 #define LSI_DSTAT_ABRT    0x10
128 #define LSI_DSTAT_BF      0x20
129 #define LSI_DSTAT_MDPE    0x40
130 #define LSI_DSTAT_DFE     0x80
131 
132 #define LSI_DCNTL_COM     0x01
133 #define LSI_DCNTL_IRQD    0x02
134 #define LSI_DCNTL_STD     0x04
135 #define LSI_DCNTL_IRQM    0x08
136 #define LSI_DCNTL_SSM     0x10
137 #define LSI_DCNTL_PFEN    0x20
138 #define LSI_DCNTL_PFF     0x40
139 #define LSI_DCNTL_CLSE    0x80
140 
141 #define LSI_DMODE_MAN     0x01
142 #define LSI_DMODE_BOF     0x02
143 #define LSI_DMODE_ERMP    0x04
144 #define LSI_DMODE_ERL     0x08
145 #define LSI_DMODE_DIOM    0x10
146 #define LSI_DMODE_SIOM    0x20
147 
148 #define LSI_CTEST2_DACK   0x01
149 #define LSI_CTEST2_DREQ   0x02
150 #define LSI_CTEST2_TEOP   0x04
151 #define LSI_CTEST2_PCICIE 0x08
152 #define LSI_CTEST2_CM     0x10
153 #define LSI_CTEST2_CIO    0x20
154 #define LSI_CTEST2_SIGP   0x40
155 #define LSI_CTEST2_DDIR   0x80
156 
157 #define LSI_CTEST5_BL2    0x04
158 #define LSI_CTEST5_DDIR   0x08
159 #define LSI_CTEST5_MASR   0x10
160 #define LSI_CTEST5_DFSN   0x20
161 #define LSI_CTEST5_BBCK   0x40
162 #define LSI_CTEST5_ADCK   0x80
163 
164 #define LSI_CCNTL0_DILS   0x01
165 #define LSI_CCNTL0_DISFC  0x10
166 #define LSI_CCNTL0_ENNDJ  0x20
167 #define LSI_CCNTL0_PMJCTL 0x40
168 #define LSI_CCNTL0_ENPMJ  0x80
169 
170 #define LSI_CCNTL1_EN64DBMV  0x01
171 #define LSI_CCNTL1_EN64TIBMV 0x02
172 #define LSI_CCNTL1_64TIMOD   0x04
173 #define LSI_CCNTL1_DDAC      0x08
174 #define LSI_CCNTL1_ZMOD      0x80
175 
176 /* Enable Response to Reselection */
177 #define LSI_SCID_RRE      0x60
178 
179 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
180 
181 #define PHASE_DO          0
182 #define PHASE_DI          1
183 #define PHASE_CMD         2
184 #define PHASE_ST          3
185 #define PHASE_MO          6
186 #define PHASE_MI          7
187 #define PHASE_MASK        7
188 
189 /* Maximum length of MSG IN data.  */
190 #define LSI_MAX_MSGIN_LEN 8
191 
192 /* Flag set if this is a tagged command.  */
193 #define LSI_TAG_VALID     (1 << 16)
194 
195 typedef struct lsi_request {
196     SCSIRequest *req;
197     uint32_t tag;
198     uint32_t dma_len;
199     uint8_t *dma_buf;
200     uint32_t pending;
201     int out;
202     QTAILQ_ENTRY(lsi_request) next;
203 } lsi_request;
204 
205 typedef struct {
206     /*< private >*/
207     PCIDevice parent_obj;
208     /*< public >*/
209 
210     MemoryRegion mmio_io;
211     MemoryRegion ram_io;
212     MemoryRegion io_io;
213     AddressSpace pci_io_as;
214 
215     int carry; /* ??? Should this be an a visible register somewhere?  */
216     int status;
217     /* Action to take at the end of a MSG IN phase.
218        0 = COMMAND, 1 = disconnect, 2 = DATA OUT, 3 = DATA IN.  */
219     int msg_action;
220     int msg_len;
221     uint8_t msg[LSI_MAX_MSGIN_LEN];
222     /* 0 if SCRIPTS are running or stopped.
223      * 1 if a Wait Reselect instruction has been issued.
224      * 2 if processing DMA from lsi_execute_script.
225      * 3 if a DMA operation is in progress.  */
226     int waiting;
227     SCSIBus bus;
228     int current_lun;
229     /* The tag is a combination of the device ID and the SCSI tag.  */
230     uint32_t select_tag;
231     int command_complete;
232     QTAILQ_HEAD(, lsi_request) queue;
233     lsi_request *current;
234 
235     uint32_t dsa;
236     uint32_t temp;
237     uint32_t dnad;
238     uint32_t dbc;
239     uint8_t istat0;
240     uint8_t istat1;
241     uint8_t dcmd;
242     uint8_t dstat;
243     uint8_t dien;
244     uint8_t sist0;
245     uint8_t sist1;
246     uint8_t sien0;
247     uint8_t sien1;
248     uint8_t mbox0;
249     uint8_t mbox1;
250     uint8_t dfifo;
251     uint8_t ctest2;
252     uint8_t ctest3;
253     uint8_t ctest4;
254     uint8_t ctest5;
255     uint8_t ccntl0;
256     uint8_t ccntl1;
257     uint32_t dsp;
258     uint32_t dsps;
259     uint8_t dmode;
260     uint8_t dcntl;
261     uint8_t scntl0;
262     uint8_t scntl1;
263     uint8_t scntl2;
264     uint8_t scntl3;
265     uint8_t sstat0;
266     uint8_t sstat1;
267     uint8_t scid;
268     uint8_t sxfer;
269     uint8_t socl;
270     uint8_t sdid;
271     uint8_t ssid;
272     uint8_t sfbr;
273     uint8_t stest1;
274     uint8_t stest2;
275     uint8_t stest3;
276     uint8_t sidl;
277     uint8_t stime0;
278     uint8_t respid0;
279     uint8_t respid1;
280     uint32_t mmrs;
281     uint32_t mmws;
282     uint32_t sfs;
283     uint32_t drs;
284     uint32_t sbms;
285     uint32_t dbms;
286     uint32_t dnad64;
287     uint32_t pmjad1;
288     uint32_t pmjad2;
289     uint32_t rbc;
290     uint32_t ua;
291     uint32_t ia;
292     uint32_t sbc;
293     uint32_t csbc;
294     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
295     uint8_t sbr;
296     uint32_t adder;
297 
298     /* Script ram is stored as 32-bit words in host byteorder.  */
299     uint32_t script_ram[2048];
300 } LSIState;
301 
302 #define TYPE_LSI53C810  "lsi53c810"
303 #define TYPE_LSI53C895A "lsi53c895a"
304 
305 #define LSI53C895A(obj) \
306     OBJECT_CHECK(LSIState, (obj), TYPE_LSI53C895A)
307 
308 static inline int lsi_irq_on_rsl(LSIState *s)
309 {
310     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
311 }
312 
313 static void lsi_soft_reset(LSIState *s)
314 {
315     DPRINTF("Reset\n");
316     s->carry = 0;
317 
318     s->msg_action = 0;
319     s->msg_len = 0;
320     s->waiting = 0;
321     s->dsa = 0;
322     s->dnad = 0;
323     s->dbc = 0;
324     s->temp = 0;
325     memset(s->scratch, 0, sizeof(s->scratch));
326     s->istat0 = 0;
327     s->istat1 = 0;
328     s->dcmd = 0x40;
329     s->dstat = 0;
330     s->dien = 0;
331     s->sist0 = 0;
332     s->sist1 = 0;
333     s->sien0 = 0;
334     s->sien1 = 0;
335     s->mbox0 = 0;
336     s->mbox1 = 0;
337     s->dfifo = 0;
338     s->ctest2 = LSI_CTEST2_DACK;
339     s->ctest3 = 0;
340     s->ctest4 = 0;
341     s->ctest5 = 0;
342     s->ccntl0 = 0;
343     s->ccntl1 = 0;
344     s->dsp = 0;
345     s->dsps = 0;
346     s->dmode = 0;
347     s->dcntl = 0;
348     s->scntl0 = 0xc0;
349     s->scntl1 = 0;
350     s->scntl2 = 0;
351     s->scntl3 = 0;
352     s->sstat0 = 0;
353     s->sstat1 = 0;
354     s->scid = 7;
355     s->sxfer = 0;
356     s->socl = 0;
357     s->sdid = 0;
358     s->ssid = 0;
359     s->stest1 = 0;
360     s->stest2 = 0;
361     s->stest3 = 0;
362     s->sidl = 0;
363     s->stime0 = 0;
364     s->respid0 = 0x80;
365     s->respid1 = 0;
366     s->mmrs = 0;
367     s->mmws = 0;
368     s->sfs = 0;
369     s->drs = 0;
370     s->sbms = 0;
371     s->dbms = 0;
372     s->dnad64 = 0;
373     s->pmjad1 = 0;
374     s->pmjad2 = 0;
375     s->rbc = 0;
376     s->ua = 0;
377     s->ia = 0;
378     s->sbc = 0;
379     s->csbc = 0;
380     s->sbr = 0;
381     assert(QTAILQ_EMPTY(&s->queue));
382     assert(!s->current);
383 }
384 
385 static int lsi_dma_40bit(LSIState *s)
386 {
387     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
388         return 1;
389     return 0;
390 }
391 
392 static int lsi_dma_ti64bit(LSIState *s)
393 {
394     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
395         return 1;
396     return 0;
397 }
398 
399 static int lsi_dma_64bit(LSIState *s)
400 {
401     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
402         return 1;
403     return 0;
404 }
405 
406 static uint8_t lsi_reg_readb(LSIState *s, int offset);
407 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
408 static void lsi_execute_script(LSIState *s);
409 static void lsi_reselect(LSIState *s, lsi_request *p);
410 
411 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
412                                void *buf, dma_addr_t len)
413 {
414     if (s->dmode & LSI_DMODE_SIOM) {
415         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
416                            buf, len);
417     } else {
418         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
419     }
420 }
421 
422 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
423                                 const void *buf, dma_addr_t len)
424 {
425     if (s->dmode & LSI_DMODE_DIOM) {
426         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
427                             buf, len);
428     } else {
429         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
430     }
431 }
432 
433 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
434 {
435     uint32_t buf;
436 
437     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
438     return cpu_to_le32(buf);
439 }
440 
441 static void lsi_stop_script(LSIState *s)
442 {
443     s->istat1 &= ~LSI_ISTAT1_SRUN;
444 }
445 
446 static void lsi_update_irq(LSIState *s)
447 {
448     PCIDevice *d = PCI_DEVICE(s);
449     int level;
450     static int last_level;
451     lsi_request *p;
452 
453     /* It's unclear whether the DIP/SIP bits should be cleared when the
454        Interrupt Status Registers are cleared or when istat0 is read.
455        We currently do the formwer, which seems to work.  */
456     level = 0;
457     if (s->dstat) {
458         if (s->dstat & s->dien)
459             level = 1;
460         s->istat0 |= LSI_ISTAT0_DIP;
461     } else {
462         s->istat0 &= ~LSI_ISTAT0_DIP;
463     }
464 
465     if (s->sist0 || s->sist1) {
466         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
467             level = 1;
468         s->istat0 |= LSI_ISTAT0_SIP;
469     } else {
470         s->istat0 &= ~LSI_ISTAT0_SIP;
471     }
472     if (s->istat0 & LSI_ISTAT0_INTF)
473         level = 1;
474 
475     if (level != last_level) {
476         DPRINTF("Update IRQ level %d dstat %02x sist %02x%02x\n",
477                 level, s->dstat, s->sist1, s->sist0);
478         last_level = level;
479     }
480     pci_set_irq(d, level);
481 
482     if (!level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
483         DPRINTF("Handled IRQs & disconnected, looking for pending "
484                 "processes\n");
485         QTAILQ_FOREACH(p, &s->queue, next) {
486             if (p->pending) {
487                 lsi_reselect(s, p);
488                 break;
489             }
490         }
491     }
492 }
493 
494 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
495 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
496 {
497     uint32_t mask0;
498     uint32_t mask1;
499 
500     DPRINTF("SCSI Interrupt 0x%02x%02x prev 0x%02x%02x\n",
501             stat1, stat0, s->sist1, s->sist0);
502     s->sist0 |= stat0;
503     s->sist1 |= stat1;
504     /* Stop processor on fatal or unmasked interrupt.  As a special hack
505        we don't stop processing when raising STO.  Instead continue
506        execution and stop at the next insn that accesses the SCSI bus.  */
507     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
508     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
509     mask1 &= ~LSI_SIST1_STO;
510     if (s->sist0 & mask0 || s->sist1 & mask1) {
511         lsi_stop_script(s);
512     }
513     lsi_update_irq(s);
514 }
515 
516 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
517 static void lsi_script_dma_interrupt(LSIState *s, int stat)
518 {
519     DPRINTF("DMA Interrupt 0x%x prev 0x%x\n", stat, s->dstat);
520     s->dstat |= stat;
521     lsi_update_irq(s);
522     lsi_stop_script(s);
523 }
524 
525 static inline void lsi_set_phase(LSIState *s, int phase)
526 {
527     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
528 }
529 
530 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
531 {
532     /* Trigger a phase mismatch.  */
533     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
534         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
535             s->dsp = out ? s->pmjad1 : s->pmjad2;
536         } else {
537             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
538         }
539         DPRINTF("Data phase mismatch jump to %08x\n", s->dsp);
540     } else {
541         DPRINTF("Phase mismatch interrupt\n");
542         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
543         lsi_stop_script(s);
544     }
545     lsi_set_phase(s, new_phase);
546 }
547 
548 
549 /* Resume SCRIPTS execution after a DMA operation.  */
550 static void lsi_resume_script(LSIState *s)
551 {
552     if (s->waiting != 2) {
553         s->waiting = 0;
554         lsi_execute_script(s);
555     } else {
556         s->waiting = 0;
557     }
558 }
559 
560 static void lsi_disconnect(LSIState *s)
561 {
562     s->scntl1 &= ~LSI_SCNTL1_CON;
563     s->sstat1 &= ~PHASE_MASK;
564 }
565 
566 static void lsi_bad_selection(LSIState *s, uint32_t id)
567 {
568     DPRINTF("Selected absent target %d\n", id);
569     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
570     lsi_disconnect(s);
571 }
572 
573 /* Initiate a SCSI layer data transfer.  */
574 static void lsi_do_dma(LSIState *s, int out)
575 {
576     uint32_t count;
577     dma_addr_t addr;
578     SCSIDevice *dev;
579 
580     assert(s->current);
581     if (!s->current->dma_len) {
582         /* Wait until data is available.  */
583         DPRINTF("DMA no data available\n");
584         return;
585     }
586 
587     dev = s->current->req->dev;
588     assert(dev);
589 
590     count = s->dbc;
591     if (count > s->current->dma_len)
592         count = s->current->dma_len;
593 
594     addr = s->dnad;
595     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
596     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
597         addr |= ((uint64_t)s->dnad64 << 32);
598     else if (s->dbms)
599         addr |= ((uint64_t)s->dbms << 32);
600     else if (s->sbms)
601         addr |= ((uint64_t)s->sbms << 32);
602 
603     DPRINTF("DMA addr=0x" DMA_ADDR_FMT " len=%d\n", addr, count);
604     s->csbc += count;
605     s->dnad += count;
606     s->dbc -= count;
607      if (s->current->dma_buf == NULL) {
608         s->current->dma_buf = scsi_req_get_buf(s->current->req);
609     }
610     /* ??? Set SFBR to first data byte.  */
611     if (out) {
612         lsi_mem_read(s, addr, s->current->dma_buf, count);
613     } else {
614         lsi_mem_write(s, addr, s->current->dma_buf, count);
615     }
616     s->current->dma_len -= count;
617     if (s->current->dma_len == 0) {
618         s->current->dma_buf = NULL;
619         scsi_req_continue(s->current->req);
620     } else {
621         s->current->dma_buf += count;
622         lsi_resume_script(s);
623     }
624 }
625 
626 
627 /* Add a command to the queue.  */
628 static void lsi_queue_command(LSIState *s)
629 {
630     lsi_request *p = s->current;
631 
632     DPRINTF("Queueing tag=0x%x\n", p->tag);
633     assert(s->current != NULL);
634     assert(s->current->dma_len == 0);
635     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
636     s->current = NULL;
637 
638     p->pending = 0;
639     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
640 }
641 
642 /* Queue a byte for a MSG IN phase.  */
643 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
644 {
645     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
646         BADF("MSG IN data too long\n");
647     } else {
648         DPRINTF("MSG IN 0x%02x\n", data);
649         s->msg[s->msg_len++] = data;
650     }
651 }
652 
653 /* Perform reselection to continue a command.  */
654 static void lsi_reselect(LSIState *s, lsi_request *p)
655 {
656     int id;
657 
658     assert(s->current == NULL);
659     QTAILQ_REMOVE(&s->queue, p, next);
660     s->current = p;
661 
662     id = (p->tag >> 8) & 0xf;
663     s->ssid = id | 0x80;
664     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
665     if (!(s->dcntl & LSI_DCNTL_COM)) {
666         s->sfbr = 1 << (id & 0x7);
667     }
668     DPRINTF("Reselected target %d\n", id);
669     s->scntl1 |= LSI_SCNTL1_CON;
670     lsi_set_phase(s, PHASE_MI);
671     s->msg_action = p->out ? 2 : 3;
672     s->current->dma_len = p->pending;
673     lsi_add_msg_byte(s, 0x80);
674     if (s->current->tag & LSI_TAG_VALID) {
675         lsi_add_msg_byte(s, 0x20);
676         lsi_add_msg_byte(s, p->tag & 0xff);
677     }
678 
679     if (lsi_irq_on_rsl(s)) {
680         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
681     }
682 }
683 
684 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
685 {
686     lsi_request *p;
687 
688     QTAILQ_FOREACH(p, &s->queue, next) {
689         if (p->tag == tag) {
690             return p;
691         }
692     }
693 
694     return NULL;
695 }
696 
697 static void lsi_request_free(LSIState *s, lsi_request *p)
698 {
699     if (p == s->current) {
700         s->current = NULL;
701     } else {
702         QTAILQ_REMOVE(&s->queue, p, next);
703     }
704     g_free(p);
705 }
706 
707 static void lsi_request_cancelled(SCSIRequest *req)
708 {
709     LSIState *s = LSI53C895A(req->bus->qbus.parent);
710     lsi_request *p = req->hba_private;
711 
712     req->hba_private = NULL;
713     lsi_request_free(s, p);
714     scsi_req_unref(req);
715 }
716 
717 /* Record that data is available for a queued command.  Returns zero if
718    the device was reselected, nonzero if the IO is deferred.  */
719 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
720 {
721     lsi_request *p = req->hba_private;
722 
723     if (p->pending) {
724         BADF("Multiple IO pending for request %p\n", p);
725     }
726     p->pending = len;
727     /* Reselect if waiting for it, or if reselection triggers an IRQ
728        and the bus is free.
729        Since no interrupt stacking is implemented in the emulation, it
730        is also required that there are no pending interrupts waiting
731        for service from the device driver. */
732     if (s->waiting == 1 ||
733         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
734          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
735         /* Reselect device.  */
736         lsi_reselect(s, p);
737         return 0;
738     } else {
739         DPRINTF("Queueing IO tag=0x%x\n", p->tag);
740         p->pending = len;
741         return 1;
742     }
743 }
744 
745  /* Callback to indicate that the SCSI layer has completed a command.  */
746 static void lsi_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
747 {
748     LSIState *s = LSI53C895A(req->bus->qbus.parent);
749     int out;
750 
751     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
752     DPRINTF("Command complete status=%d\n", (int)status);
753     s->status = status;
754     s->command_complete = 2;
755     if (s->waiting && s->dbc != 0) {
756         /* Raise phase mismatch for short transfers.  */
757         lsi_bad_phase(s, out, PHASE_ST);
758     } else {
759         lsi_set_phase(s, PHASE_ST);
760     }
761 
762     if (req->hba_private == s->current) {
763         req->hba_private = NULL;
764         lsi_request_free(s, s->current);
765         scsi_req_unref(req);
766     }
767     lsi_resume_script(s);
768 }
769 
770  /* Callback to indicate that the SCSI layer has completed a transfer.  */
771 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
772 {
773     LSIState *s = LSI53C895A(req->bus->qbus.parent);
774     int out;
775 
776     assert(req->hba_private);
777     if (s->waiting == 1 || req->hba_private != s->current ||
778         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
779         if (lsi_queue_req(s, req, len)) {
780             return;
781         }
782     }
783 
784     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
785 
786     /* host adapter (re)connected */
787     DPRINTF("Data ready tag=0x%x len=%d\n", req->tag, len);
788     s->current->dma_len = len;
789     s->command_complete = 1;
790     if (s->waiting) {
791         if (s->waiting == 1 || s->dbc == 0) {
792             lsi_resume_script(s);
793         } else {
794             lsi_do_dma(s, out);
795         }
796     }
797 }
798 
799 static void lsi_do_command(LSIState *s)
800 {
801     SCSIDevice *dev;
802     uint8_t buf[16];
803     uint32_t id;
804     int n;
805 
806     DPRINTF("Send command len=%d\n", s->dbc);
807     if (s->dbc > 16)
808         s->dbc = 16;
809     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
810     s->sfbr = buf[0];
811     s->command_complete = 0;
812 
813     id = (s->select_tag >> 8) & 0xf;
814     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
815     if (!dev) {
816         lsi_bad_selection(s, id);
817         return;
818     }
819 
820     assert(s->current == NULL);
821     s->current = g_new0(lsi_request, 1);
822     s->current->tag = s->select_tag;
823     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
824                                    s->current);
825 
826     n = scsi_req_enqueue(s->current->req);
827     if (n) {
828         if (n > 0) {
829             lsi_set_phase(s, PHASE_DI);
830         } else if (n < 0) {
831             lsi_set_phase(s, PHASE_DO);
832         }
833         scsi_req_continue(s->current->req);
834     }
835     if (!s->command_complete) {
836         if (n) {
837             /* Command did not complete immediately so disconnect.  */
838             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
839             lsi_add_msg_byte(s, 4); /* DISCONNECT */
840             /* wait data */
841             lsi_set_phase(s, PHASE_MI);
842             s->msg_action = 1;
843             lsi_queue_command(s);
844         } else {
845             /* wait command complete */
846             lsi_set_phase(s, PHASE_DI);
847         }
848     }
849 }
850 
851 static void lsi_do_status(LSIState *s)
852 {
853     uint8_t status;
854     DPRINTF("Get status len=%d status=%d\n", s->dbc, s->status);
855     if (s->dbc != 1)
856         BADF("Bad Status move\n");
857     s->dbc = 1;
858     status = s->status;
859     s->sfbr = status;
860     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
861     lsi_set_phase(s, PHASE_MI);
862     s->msg_action = 1;
863     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
864 }
865 
866 static void lsi_do_msgin(LSIState *s)
867 {
868     int len;
869     DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
870     s->sfbr = s->msg[0];
871     len = s->msg_len;
872     if (len > s->dbc)
873         len = s->dbc;
874     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
875     /* Linux drivers rely on the last byte being in the SIDL.  */
876     s->sidl = s->msg[len - 1];
877     s->msg_len -= len;
878     if (s->msg_len) {
879         memmove(s->msg, s->msg + len, s->msg_len);
880     } else {
881         /* ??? Check if ATN (not yet implemented) is asserted and maybe
882            switch to PHASE_MO.  */
883         switch (s->msg_action) {
884         case 0:
885             lsi_set_phase(s, PHASE_CMD);
886             break;
887         case 1:
888             lsi_disconnect(s);
889             break;
890         case 2:
891             lsi_set_phase(s, PHASE_DO);
892             break;
893         case 3:
894             lsi_set_phase(s, PHASE_DI);
895             break;
896         default:
897             abort();
898         }
899     }
900 }
901 
902 /* Read the next byte during a MSGOUT phase.  */
903 static uint8_t lsi_get_msgbyte(LSIState *s)
904 {
905     uint8_t data;
906     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
907     s->dnad++;
908     s->dbc--;
909     return data;
910 }
911 
912 /* Skip the next n bytes during a MSGOUT phase. */
913 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
914 {
915     s->dnad += n;
916     s->dbc  -= n;
917 }
918 
919 static void lsi_do_msgout(LSIState *s)
920 {
921     uint8_t msg;
922     int len;
923     uint32_t current_tag;
924     lsi_request *current_req, *p, *p_next;
925 
926     if (s->current) {
927         current_tag = s->current->tag;
928         current_req = s->current;
929     } else {
930         current_tag = s->select_tag;
931         current_req = lsi_find_by_tag(s, current_tag);
932     }
933 
934     DPRINTF("MSG out len=%d\n", s->dbc);
935     while (s->dbc) {
936         msg = lsi_get_msgbyte(s);
937         s->sfbr = msg;
938 
939         switch (msg) {
940         case 0x04:
941             DPRINTF("MSG: Disconnect\n");
942             lsi_disconnect(s);
943             break;
944         case 0x08:
945             DPRINTF("MSG: No Operation\n");
946             lsi_set_phase(s, PHASE_CMD);
947             break;
948         case 0x01:
949             len = lsi_get_msgbyte(s);
950             msg = lsi_get_msgbyte(s);
951             (void)len; /* avoid a warning about unused variable*/
952             DPRINTF("Extended message 0x%x (len %d)\n", msg, len);
953             switch (msg) {
954             case 1:
955                 DPRINTF("SDTR (ignored)\n");
956                 lsi_skip_msgbytes(s, 2);
957                 break;
958             case 3:
959                 DPRINTF("WDTR (ignored)\n");
960                 lsi_skip_msgbytes(s, 1);
961                 break;
962             default:
963                 goto bad;
964             }
965             break;
966         case 0x20: /* SIMPLE queue */
967             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
968             DPRINTF("SIMPLE queue tag=0x%x\n", s->select_tag & 0xff);
969             break;
970         case 0x21: /* HEAD of queue */
971             BADF("HEAD queue not implemented\n");
972             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
973             break;
974         case 0x22: /* ORDERED queue */
975             BADF("ORDERED queue not implemented\n");
976             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
977             break;
978         case 0x0d:
979             /* The ABORT TAG message clears the current I/O process only. */
980             DPRINTF("MSG: ABORT TAG tag=0x%x\n", current_tag);
981             if (current_req) {
982                 scsi_req_cancel(current_req->req);
983             }
984             lsi_disconnect(s);
985             break;
986         case 0x06:
987         case 0x0e:
988         case 0x0c:
989             /* The ABORT message clears all I/O processes for the selecting
990                initiator on the specified logical unit of the target. */
991             if (msg == 0x06) {
992                 DPRINTF("MSG: ABORT tag=0x%x\n", current_tag);
993             }
994             /* The CLEAR QUEUE message clears all I/O processes for all
995                initiators on the specified logical unit of the target. */
996             if (msg == 0x0e) {
997                 DPRINTF("MSG: CLEAR QUEUE tag=0x%x\n", current_tag);
998             }
999             /* The BUS DEVICE RESET message clears all I/O processes for all
1000                initiators on all logical units of the target. */
1001             if (msg == 0x0c) {
1002                 DPRINTF("MSG: BUS DEVICE RESET tag=0x%x\n", current_tag);
1003             }
1004 
1005             /* clear the current I/O process */
1006             if (s->current) {
1007                 scsi_req_cancel(s->current->req);
1008             }
1009 
1010             /* As the current implemented devices scsi_disk and scsi_generic
1011                only support one LUN, we don't need to keep track of LUNs.
1012                Clearing I/O processes for other initiators could be possible
1013                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1014                device, but this is currently not implemented (and seems not
1015                to be really necessary). So let's simply clear all queued
1016                commands for the current device: */
1017             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1018                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1019                     scsi_req_cancel(p->req);
1020                 }
1021             }
1022 
1023             lsi_disconnect(s);
1024             break;
1025         default:
1026             if ((msg & 0x80) == 0) {
1027                 goto bad;
1028             }
1029             s->current_lun = msg & 7;
1030             DPRINTF("Select LUN %d\n", s->current_lun);
1031             lsi_set_phase(s, PHASE_CMD);
1032             break;
1033         }
1034     }
1035     return;
1036 bad:
1037     BADF("Unimplemented message 0x%02x\n", msg);
1038     lsi_set_phase(s, PHASE_MI);
1039     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1040     s->msg_action = 0;
1041 }
1042 
1043 #define LSI_BUF_SIZE 4096
1044 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1045 {
1046     int n;
1047     uint8_t buf[LSI_BUF_SIZE];
1048 
1049     DPRINTF("memcpy dest 0x%08x src 0x%08x count %d\n", dest, src, count);
1050     while (count) {
1051         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1052         lsi_mem_read(s, src, buf, n);
1053         lsi_mem_write(s, dest, buf, n);
1054         src += n;
1055         dest += n;
1056         count -= n;
1057     }
1058 }
1059 
1060 static void lsi_wait_reselect(LSIState *s)
1061 {
1062     lsi_request *p;
1063 
1064     DPRINTF("Wait Reselect\n");
1065 
1066     QTAILQ_FOREACH(p, &s->queue, next) {
1067         if (p->pending) {
1068             lsi_reselect(s, p);
1069             break;
1070         }
1071     }
1072     if (s->current == NULL) {
1073         s->waiting = 1;
1074     }
1075 }
1076 
1077 static void lsi_execute_script(LSIState *s)
1078 {
1079     PCIDevice *pci_dev = PCI_DEVICE(s);
1080     uint32_t insn;
1081     uint32_t addr, addr_high;
1082     int opcode;
1083     int insn_processed = 0;
1084 
1085     s->istat1 |= LSI_ISTAT1_SRUN;
1086 again:
1087     insn_processed++;
1088     insn = read_dword(s, s->dsp);
1089     if (!insn) {
1090         /* If we receive an empty opcode increment the DSP by 4 bytes
1091            instead of 8 and execute the next opcode at that location */
1092         s->dsp += 4;
1093         goto again;
1094     }
1095     addr = read_dword(s, s->dsp + 4);
1096     addr_high = 0;
1097     DPRINTF("SCRIPTS dsp=%08x opcode %08x arg %08x\n", s->dsp, insn, addr);
1098     s->dsps = addr;
1099     s->dcmd = insn >> 24;
1100     s->dsp += 8;
1101     switch (insn >> 30) {
1102     case 0: /* Block move.  */
1103         if (s->sist1 & LSI_SIST1_STO) {
1104             DPRINTF("Delayed select timeout\n");
1105             lsi_stop_script(s);
1106             break;
1107         }
1108         s->dbc = insn & 0xffffff;
1109         s->rbc = s->dbc;
1110         /* ??? Set ESA.  */
1111         s->ia = s->dsp - 8;
1112         if (insn & (1 << 29)) {
1113             /* Indirect addressing.  */
1114             addr = read_dword(s, addr);
1115         } else if (insn & (1 << 28)) {
1116             uint32_t buf[2];
1117             int32_t offset;
1118             /* Table indirect addressing.  */
1119 
1120             /* 32-bit Table indirect */
1121             offset = sextract32(addr, 0, 24);
1122             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1123             /* byte count is stored in bits 0:23 only */
1124             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1125             s->rbc = s->dbc;
1126             addr = cpu_to_le32(buf[1]);
1127 
1128             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1129              * table, bits [31:24] */
1130             if (lsi_dma_40bit(s))
1131                 addr_high = cpu_to_le32(buf[0]) >> 24;
1132             else if (lsi_dma_ti64bit(s)) {
1133                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1134                 switch (selector) {
1135                 case 0 ... 0x0f:
1136                     /* offset index into scratch registers since
1137                      * TI64 mode can use registers C to R */
1138                     addr_high = s->scratch[2 + selector];
1139                     break;
1140                 case 0x10:
1141                     addr_high = s->mmrs;
1142                     break;
1143                 case 0x11:
1144                     addr_high = s->mmws;
1145                     break;
1146                 case 0x12:
1147                     addr_high = s->sfs;
1148                     break;
1149                 case 0x13:
1150                     addr_high = s->drs;
1151                     break;
1152                 case 0x14:
1153                     addr_high = s->sbms;
1154                     break;
1155                 case 0x15:
1156                     addr_high = s->dbms;
1157                     break;
1158                 default:
1159                     BADF("Illegal selector specified (0x%x > 0x15)"
1160                          " for 64-bit DMA block move", selector);
1161                     break;
1162                 }
1163             }
1164         } else if (lsi_dma_64bit(s)) {
1165             /* fetch a 3rd dword if 64-bit direct move is enabled and
1166                only if we're not doing table indirect or indirect addressing */
1167             s->dbms = read_dword(s, s->dsp);
1168             s->dsp += 4;
1169             s->ia = s->dsp - 12;
1170         }
1171         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1172             DPRINTF("Wrong phase got %d expected %d\n",
1173                     s->sstat1 & PHASE_MASK, (insn >> 24) & 7);
1174             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1175             break;
1176         }
1177         s->dnad = addr;
1178         s->dnad64 = addr_high;
1179         switch (s->sstat1 & 0x7) {
1180         case PHASE_DO:
1181             s->waiting = 2;
1182             lsi_do_dma(s, 1);
1183             if (s->waiting)
1184                 s->waiting = 3;
1185             break;
1186         case PHASE_DI:
1187             s->waiting = 2;
1188             lsi_do_dma(s, 0);
1189             if (s->waiting)
1190                 s->waiting = 3;
1191             break;
1192         case PHASE_CMD:
1193             lsi_do_command(s);
1194             break;
1195         case PHASE_ST:
1196             lsi_do_status(s);
1197             break;
1198         case PHASE_MO:
1199             lsi_do_msgout(s);
1200             break;
1201         case PHASE_MI:
1202             lsi_do_msgin(s);
1203             break;
1204         default:
1205             BADF("Unimplemented phase %d\n", s->sstat1 & PHASE_MASK);
1206             exit(1);
1207         }
1208         s->dfifo = s->dbc & 0xff;
1209         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1210         s->sbc = s->dbc;
1211         s->rbc -= s->dbc;
1212         s->ua = addr + s->dbc;
1213         break;
1214 
1215     case 1: /* IO or Read/Write instruction.  */
1216         opcode = (insn >> 27) & 7;
1217         if (opcode < 5) {
1218             uint32_t id;
1219 
1220             if (insn & (1 << 25)) {
1221                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1222             } else {
1223                 id = insn;
1224             }
1225             id = (id >> 16) & 0xf;
1226             if (insn & (1 << 26)) {
1227                 addr = s->dsp + sextract32(addr, 0, 24);
1228             }
1229             s->dnad = addr;
1230             switch (opcode) {
1231             case 0: /* Select */
1232                 s->sdid = id;
1233                 if (s->scntl1 & LSI_SCNTL1_CON) {
1234                     DPRINTF("Already reselected, jumping to alternative address\n");
1235                     s->dsp = s->dnad;
1236                     break;
1237                 }
1238                 s->sstat0 |= LSI_SSTAT0_WOA;
1239                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1240                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1241                     lsi_bad_selection(s, id);
1242                     break;
1243                 }
1244                 DPRINTF("Selected target %d%s\n",
1245                         id, insn & (1 << 3) ? " ATN" : "");
1246                 /* ??? Linux drivers compain when this is set.  Maybe
1247                    it only applies in low-level mode (unimplemented).
1248                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1249                 s->select_tag = id << 8;
1250                 s->scntl1 |= LSI_SCNTL1_CON;
1251                 if (insn & (1 << 3)) {
1252                     s->socl |= LSI_SOCL_ATN;
1253                 }
1254                 lsi_set_phase(s, PHASE_MO);
1255                 break;
1256             case 1: /* Disconnect */
1257                 DPRINTF("Wait Disconnect\n");
1258                 s->scntl1 &= ~LSI_SCNTL1_CON;
1259                 break;
1260             case 2: /* Wait Reselect */
1261                 if (!lsi_irq_on_rsl(s)) {
1262                     lsi_wait_reselect(s);
1263                 }
1264                 break;
1265             case 3: /* Set */
1266                 DPRINTF("Set%s%s%s%s\n",
1267                         insn & (1 << 3) ? " ATN" : "",
1268                         insn & (1 << 6) ? " ACK" : "",
1269                         insn & (1 << 9) ? " TM" : "",
1270                         insn & (1 << 10) ? " CC" : "");
1271                 if (insn & (1 << 3)) {
1272                     s->socl |= LSI_SOCL_ATN;
1273                     lsi_set_phase(s, PHASE_MO);
1274                 }
1275                 if (insn & (1 << 9)) {
1276                     BADF("Target mode not implemented\n");
1277                     exit(1);
1278                 }
1279                 if (insn & (1 << 10))
1280                     s->carry = 1;
1281                 break;
1282             case 4: /* Clear */
1283                 DPRINTF("Clear%s%s%s%s\n",
1284                         insn & (1 << 3) ? " ATN" : "",
1285                         insn & (1 << 6) ? " ACK" : "",
1286                         insn & (1 << 9) ? " TM" : "",
1287                         insn & (1 << 10) ? " CC" : "");
1288                 if (insn & (1 << 3)) {
1289                     s->socl &= ~LSI_SOCL_ATN;
1290                 }
1291                 if (insn & (1 << 10))
1292                     s->carry = 0;
1293                 break;
1294             }
1295         } else {
1296             uint8_t op0;
1297             uint8_t op1;
1298             uint8_t data8;
1299             int reg;
1300             int operator;
1301 #ifdef DEBUG_LSI
1302             static const char *opcode_names[3] =
1303                 {"Write", "Read", "Read-Modify-Write"};
1304             static const char *operator_names[8] =
1305                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1306 #endif
1307 
1308             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1309             data8 = (insn >> 8) & 0xff;
1310             opcode = (insn >> 27) & 7;
1311             operator = (insn >> 24) & 7;
1312             DPRINTF("%s reg 0x%x %s data8=0x%02x sfbr=0x%02x%s\n",
1313                     opcode_names[opcode - 5], reg,
1314                     operator_names[operator], data8, s->sfbr,
1315                     (insn & (1 << 23)) ? " SFBR" : "");
1316             op0 = op1 = 0;
1317             switch (opcode) {
1318             case 5: /* From SFBR */
1319                 op0 = s->sfbr;
1320                 op1 = data8;
1321                 break;
1322             case 6: /* To SFBR */
1323                 if (operator)
1324                     op0 = lsi_reg_readb(s, reg);
1325                 op1 = data8;
1326                 break;
1327             case 7: /* Read-modify-write */
1328                 if (operator)
1329                     op0 = lsi_reg_readb(s, reg);
1330                 if (insn & (1 << 23)) {
1331                     op1 = s->sfbr;
1332                 } else {
1333                     op1 = data8;
1334                 }
1335                 break;
1336             }
1337 
1338             switch (operator) {
1339             case 0: /* move */
1340                 op0 = op1;
1341                 break;
1342             case 1: /* Shift left */
1343                 op1 = op0 >> 7;
1344                 op0 = (op0 << 1) | s->carry;
1345                 s->carry = op1;
1346                 break;
1347             case 2: /* OR */
1348                 op0 |= op1;
1349                 break;
1350             case 3: /* XOR */
1351                 op0 ^= op1;
1352                 break;
1353             case 4: /* AND */
1354                 op0 &= op1;
1355                 break;
1356             case 5: /* SHR */
1357                 op1 = op0 & 1;
1358                 op0 = (op0 >> 1) | (s->carry << 7);
1359                 s->carry = op1;
1360                 break;
1361             case 6: /* ADD */
1362                 op0 += op1;
1363                 s->carry = op0 < op1;
1364                 break;
1365             case 7: /* ADC */
1366                 op0 += op1 + s->carry;
1367                 if (s->carry)
1368                     s->carry = op0 <= op1;
1369                 else
1370                     s->carry = op0 < op1;
1371                 break;
1372             }
1373 
1374             switch (opcode) {
1375             case 5: /* From SFBR */
1376             case 7: /* Read-modify-write */
1377                 lsi_reg_writeb(s, reg, op0);
1378                 break;
1379             case 6: /* To SFBR */
1380                 s->sfbr = op0;
1381                 break;
1382             }
1383         }
1384         break;
1385 
1386     case 2: /* Transfer Control.  */
1387         {
1388             int cond;
1389             int jmp;
1390 
1391             if ((insn & 0x002e0000) == 0) {
1392                 DPRINTF("NOP\n");
1393                 break;
1394             }
1395             if (s->sist1 & LSI_SIST1_STO) {
1396                 DPRINTF("Delayed select timeout\n");
1397                 lsi_stop_script(s);
1398                 break;
1399             }
1400             cond = jmp = (insn & (1 << 19)) != 0;
1401             if (cond == jmp && (insn & (1 << 21))) {
1402                 DPRINTF("Compare carry %d\n", s->carry == jmp);
1403                 cond = s->carry != 0;
1404             }
1405             if (cond == jmp && (insn & (1 << 17))) {
1406                 DPRINTF("Compare phase %d %c= %d\n",
1407                         (s->sstat1 & PHASE_MASK),
1408                         jmp ? '=' : '!',
1409                         ((insn >> 24) & 7));
1410                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1411             }
1412             if (cond == jmp && (insn & (1 << 18))) {
1413                 uint8_t mask;
1414 
1415                 mask = (~insn >> 8) & 0xff;
1416                 DPRINTF("Compare data 0x%x & 0x%x %c= 0x%x\n",
1417                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1418                 cond = (s->sfbr & mask) == (insn & mask);
1419             }
1420             if (cond == jmp) {
1421                 if (insn & (1 << 23)) {
1422                     /* Relative address.  */
1423                     addr = s->dsp + sextract32(addr, 0, 24);
1424                 }
1425                 switch ((insn >> 27) & 7) {
1426                 case 0: /* Jump */
1427                     DPRINTF("Jump to 0x%08x\n", addr);
1428                     s->adder = addr;
1429                     s->dsp = addr;
1430                     break;
1431                 case 1: /* Call */
1432                     DPRINTF("Call 0x%08x\n", addr);
1433                     s->temp = s->dsp;
1434                     s->dsp = addr;
1435                     break;
1436                 case 2: /* Return */
1437                     DPRINTF("Return to 0x%08x\n", s->temp);
1438                     s->dsp = s->temp;
1439                     break;
1440                 case 3: /* Interrupt */
1441                     DPRINTF("Interrupt 0x%08x\n", s->dsps);
1442                     if ((insn & (1 << 20)) != 0) {
1443                         s->istat0 |= LSI_ISTAT0_INTF;
1444                         lsi_update_irq(s);
1445                     } else {
1446                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1447                     }
1448                     break;
1449                 default:
1450                     DPRINTF("Illegal transfer control\n");
1451                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1452                     break;
1453                 }
1454             } else {
1455                 DPRINTF("Control condition failed\n");
1456             }
1457         }
1458         break;
1459 
1460     case 3:
1461         if ((insn & (1 << 29)) == 0) {
1462             /* Memory move.  */
1463             uint32_t dest;
1464             /* ??? The docs imply the destination address is loaded into
1465                the TEMP register.  However the Linux drivers rely on
1466                the value being presrved.  */
1467             dest = read_dword(s, s->dsp);
1468             s->dsp += 4;
1469             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1470         } else {
1471             uint8_t data[7];
1472             int reg;
1473             int n;
1474             int i;
1475 
1476             if (insn & (1 << 28)) {
1477                 addr = s->dsa + sextract32(addr, 0, 24);
1478             }
1479             n = (insn & 7);
1480             reg = (insn >> 16) & 0xff;
1481             if (insn & (1 << 24)) {
1482                 pci_dma_read(pci_dev, addr, data, n);
1483                 DPRINTF("Load reg 0x%x size %d addr 0x%08x = %08x\n", reg, n,
1484                         addr, *(int *)data);
1485                 for (i = 0; i < n; i++) {
1486                     lsi_reg_writeb(s, reg + i, data[i]);
1487                 }
1488             } else {
1489                 DPRINTF("Store reg 0x%x size %d addr 0x%08x\n", reg, n, addr);
1490                 for (i = 0; i < n; i++) {
1491                     data[i] = lsi_reg_readb(s, reg + i);
1492                 }
1493                 pci_dma_write(pci_dev, addr, data, n);
1494             }
1495         }
1496     }
1497     if (insn_processed > 10000 && !s->waiting) {
1498         /* Some windows drivers make the device spin waiting for a memory
1499            location to change.  If we have been executed a lot of code then
1500            assume this is the case and force an unexpected device disconnect.
1501            This is apparently sufficient to beat the drivers into submission.
1502          */
1503         if (!(s->sien0 & LSI_SIST0_UDC))
1504             fprintf(stderr, "inf. loop with UDC masked\n");
1505         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1506         lsi_disconnect(s);
1507     } else if (s->istat1 & LSI_ISTAT1_SRUN && !s->waiting) {
1508         if (s->dcntl & LSI_DCNTL_SSM) {
1509             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1510         } else {
1511             goto again;
1512         }
1513     }
1514     DPRINTF("SCRIPTS execution stopped\n");
1515 }
1516 
1517 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1518 {
1519     uint8_t ret;
1520 
1521 #define CASE_GET_REG24(name, addr) \
1522     case addr: ret = s->name & 0xff; break; \
1523     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1524     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1525 
1526 #define CASE_GET_REG32(name, addr) \
1527     case addr: ret = s->name & 0xff; break; \
1528     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1529     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1530     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1531 
1532     switch (offset) {
1533     case 0x00: /* SCNTL0 */
1534         ret = s->scntl0;
1535         break;
1536     case 0x01: /* SCNTL1 */
1537         ret = s->scntl1;
1538         break;
1539     case 0x02: /* SCNTL2 */
1540         ret = s->scntl2;
1541         break;
1542     case 0x03: /* SCNTL3 */
1543         ret = s->scntl3;
1544         break;
1545     case 0x04: /* SCID */
1546         ret = s->scid;
1547         break;
1548     case 0x05: /* SXFER */
1549         ret = s->sxfer;
1550         break;
1551     case 0x06: /* SDID */
1552         ret = s->sdid;
1553         break;
1554     case 0x07: /* GPREG0 */
1555         ret = 0x7f;
1556         break;
1557     case 0x08: /* Revision ID */
1558         ret = 0x00;
1559         break;
1560     case 0x09: /* SOCL */
1561         ret = s->socl;
1562         break;
1563     case 0xa: /* SSID */
1564         ret = s->ssid;
1565         break;
1566     case 0xb: /* SBCL */
1567         /* ??? This is not correct. However it's (hopefully) only
1568            used for diagnostics, so should be ok.  */
1569         ret = 0;
1570         break;
1571     case 0xc: /* DSTAT */
1572         ret = s->dstat | LSI_DSTAT_DFE;
1573         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1574             s->dstat = 0;
1575         lsi_update_irq(s);
1576         break;
1577     case 0x0d: /* SSTAT0 */
1578         ret = s->sstat0;
1579         break;
1580     case 0x0e: /* SSTAT1 */
1581         ret = s->sstat1;
1582         break;
1583     case 0x0f: /* SSTAT2 */
1584         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1585         break;
1586     CASE_GET_REG32(dsa, 0x10)
1587     case 0x14: /* ISTAT0 */
1588         ret = s->istat0;
1589         break;
1590     case 0x15: /* ISTAT1 */
1591         ret = s->istat1;
1592         break;
1593     case 0x16: /* MBOX0 */
1594         ret = s->mbox0;
1595         break;
1596     case 0x17: /* MBOX1 */
1597         ret = s->mbox1;
1598         break;
1599     case 0x18: /* CTEST0 */
1600         ret = 0xff;
1601         break;
1602     case 0x19: /* CTEST1 */
1603         ret = 0;
1604         break;
1605     case 0x1a: /* CTEST2 */
1606         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1607         if (s->istat0 & LSI_ISTAT0_SIGP) {
1608             s->istat0 &= ~LSI_ISTAT0_SIGP;
1609             ret |= LSI_CTEST2_SIGP;
1610         }
1611         break;
1612     case 0x1b: /* CTEST3 */
1613         ret = s->ctest3;
1614         break;
1615     CASE_GET_REG32(temp, 0x1c)
1616     case 0x20: /* DFIFO */
1617         ret = 0;
1618         break;
1619     case 0x21: /* CTEST4 */
1620         ret = s->ctest4;
1621         break;
1622     case 0x22: /* CTEST5 */
1623         ret = s->ctest5;
1624         break;
1625     case 0x23: /* CTEST6 */
1626         ret = 0;
1627         break;
1628     CASE_GET_REG24(dbc, 0x24)
1629     case 0x27: /* DCMD */
1630         ret = s->dcmd;
1631         break;
1632     CASE_GET_REG32(dnad, 0x28)
1633     CASE_GET_REG32(dsp, 0x2c)
1634     CASE_GET_REG32(dsps, 0x30)
1635     CASE_GET_REG32(scratch[0], 0x34)
1636     case 0x38: /* DMODE */
1637         ret = s->dmode;
1638         break;
1639     case 0x39: /* DIEN */
1640         ret = s->dien;
1641         break;
1642     case 0x3a: /* SBR */
1643         ret = s->sbr;
1644         break;
1645     case 0x3b: /* DCNTL */
1646         ret = s->dcntl;
1647         break;
1648     /* ADDER Output (Debug of relative jump address) */
1649     CASE_GET_REG32(adder, 0x3c)
1650     case 0x40: /* SIEN0 */
1651         ret = s->sien0;
1652         break;
1653     case 0x41: /* SIEN1 */
1654         ret = s->sien1;
1655         break;
1656     case 0x42: /* SIST0 */
1657         ret = s->sist0;
1658         s->sist0 = 0;
1659         lsi_update_irq(s);
1660         break;
1661     case 0x43: /* SIST1 */
1662         ret = s->sist1;
1663         s->sist1 = 0;
1664         lsi_update_irq(s);
1665         break;
1666     case 0x46: /* MACNTL */
1667         ret = 0x0f;
1668         break;
1669     case 0x47: /* GPCNTL0 */
1670         ret = 0x0f;
1671         break;
1672     case 0x48: /* STIME0 */
1673         ret = s->stime0;
1674         break;
1675     case 0x4a: /* RESPID0 */
1676         ret = s->respid0;
1677         break;
1678     case 0x4b: /* RESPID1 */
1679         ret = s->respid1;
1680         break;
1681     case 0x4d: /* STEST1 */
1682         ret = s->stest1;
1683         break;
1684     case 0x4e: /* STEST2 */
1685         ret = s->stest2;
1686         break;
1687     case 0x4f: /* STEST3 */
1688         ret = s->stest3;
1689         break;
1690     case 0x50: /* SIDL */
1691         /* This is needed by the linux drivers.  We currently only update it
1692            during the MSG IN phase.  */
1693         ret = s->sidl;
1694         break;
1695     case 0x52: /* STEST4 */
1696         ret = 0xe0;
1697         break;
1698     case 0x56: /* CCNTL0 */
1699         ret = s->ccntl0;
1700         break;
1701     case 0x57: /* CCNTL1 */
1702         ret = s->ccntl1;
1703         break;
1704     case 0x58: /* SBDL */
1705         /* Some drivers peek at the data bus during the MSG IN phase.  */
1706         if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
1707             return s->msg[0];
1708         ret = 0;
1709         break;
1710     case 0x59: /* SBDL high */
1711         ret = 0;
1712         break;
1713     CASE_GET_REG32(mmrs, 0xa0)
1714     CASE_GET_REG32(mmws, 0xa4)
1715     CASE_GET_REG32(sfs, 0xa8)
1716     CASE_GET_REG32(drs, 0xac)
1717     CASE_GET_REG32(sbms, 0xb0)
1718     CASE_GET_REG32(dbms, 0xb4)
1719     CASE_GET_REG32(dnad64, 0xb8)
1720     CASE_GET_REG32(pmjad1, 0xc0)
1721     CASE_GET_REG32(pmjad2, 0xc4)
1722     CASE_GET_REG32(rbc, 0xc8)
1723     CASE_GET_REG32(ua, 0xcc)
1724     CASE_GET_REG32(ia, 0xd4)
1725     CASE_GET_REG32(sbc, 0xd8)
1726     CASE_GET_REG32(csbc, 0xdc)
1727     case 0x5c ... 0x9f:
1728     {
1729         int n;
1730         int shift;
1731         n = (offset - 0x58) >> 2;
1732         shift = (offset & 3) * 8;
1733         ret = (s->scratch[n] >> shift) & 0xff;
1734         break;
1735     }
1736     default:
1737     {
1738         qemu_log_mask(LOG_GUEST_ERROR,
1739                       "lsi_scsi: invalid read from reg %s %x\n",
1740                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1741                       offset);
1742         ret = 0xff;
1743         break;
1744     }
1745     }
1746 #undef CASE_GET_REG24
1747 #undef CASE_GET_REG32
1748 
1749 #ifdef DEBUG_LSI_REG
1750     DPRINTF("Read reg %s %x = %02x\n",
1751             offset < ARRAY_SIZE(names) ? names[offset] : "???", offset, ret);
1752 #endif
1753 
1754     return ret;
1755 }
1756 
1757 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1758 {
1759 #define CASE_SET_REG24(name, addr) \
1760     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1761     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1762     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1763 
1764 #define CASE_SET_REG32(name, addr) \
1765     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1766     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1767     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1768     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1769 
1770 #ifdef DEBUG_LSI_REG
1771     DPRINTF("Write reg %s %x = %02x\n",
1772             offset < ARRAY_SIZE(names) ? names[offset] : "???", offset, val);
1773 #endif
1774     switch (offset) {
1775     case 0x00: /* SCNTL0 */
1776         s->scntl0 = val;
1777         if (val & LSI_SCNTL0_START) {
1778             BADF("Start sequence not implemented\n");
1779         }
1780         break;
1781     case 0x01: /* SCNTL1 */
1782         s->scntl1 = val & ~LSI_SCNTL1_SST;
1783         if (val & LSI_SCNTL1_IARB) {
1784             BADF("Immediate Arbritration not implemented\n");
1785         }
1786         if (val & LSI_SCNTL1_RST) {
1787             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1788                 qbus_reset_all(&s->bus.qbus);
1789                 s->sstat0 |= LSI_SSTAT0_RST;
1790                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1791             }
1792         } else {
1793             s->sstat0 &= ~LSI_SSTAT0_RST;
1794         }
1795         break;
1796     case 0x02: /* SCNTL2 */
1797         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1798         s->scntl2 = val;
1799         break;
1800     case 0x03: /* SCNTL3 */
1801         s->scntl3 = val;
1802         break;
1803     case 0x04: /* SCID */
1804         s->scid = val;
1805         break;
1806     case 0x05: /* SXFER */
1807         s->sxfer = val;
1808         break;
1809     case 0x06: /* SDID */
1810         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1811             BADF("Destination ID does not match SSID\n");
1812         }
1813         s->sdid = val & 0xf;
1814         break;
1815     case 0x07: /* GPREG0 */
1816         break;
1817     case 0x08: /* SFBR */
1818         /* The CPU is not allowed to write to this register.  However the
1819            SCRIPTS register move instructions are.  */
1820         s->sfbr = val;
1821         break;
1822     case 0x0a: case 0x0b:
1823         /* Openserver writes to these readonly registers on startup */
1824 	return;
1825     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1826         /* Linux writes to these readonly registers on startup.  */
1827         return;
1828     CASE_SET_REG32(dsa, 0x10)
1829     case 0x14: /* ISTAT0 */
1830         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1831         if (val & LSI_ISTAT0_ABRT) {
1832             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1833         }
1834         if (val & LSI_ISTAT0_INTF) {
1835             s->istat0 &= ~LSI_ISTAT0_INTF;
1836             lsi_update_irq(s);
1837         }
1838         if (s->waiting == 1 && val & LSI_ISTAT0_SIGP) {
1839             DPRINTF("Woken by SIGP\n");
1840             s->waiting = 0;
1841             s->dsp = s->dnad;
1842             lsi_execute_script(s);
1843         }
1844         if (val & LSI_ISTAT0_SRST) {
1845             qdev_reset_all(DEVICE(s));
1846         }
1847         break;
1848     case 0x16: /* MBOX0 */
1849         s->mbox0 = val;
1850         break;
1851     case 0x17: /* MBOX1 */
1852         s->mbox1 = val;
1853         break;
1854     case 0x18: /* CTEST0 */
1855         /* nothing to do */
1856         break;
1857     case 0x1a: /* CTEST2 */
1858 	s->ctest2 = val & LSI_CTEST2_PCICIE;
1859 	break;
1860     case 0x1b: /* CTEST3 */
1861         s->ctest3 = val & 0x0f;
1862         break;
1863     CASE_SET_REG32(temp, 0x1c)
1864     case 0x21: /* CTEST4 */
1865         if (val & 7) {
1866            BADF("Unimplemented CTEST4-FBL 0x%x\n", val);
1867         }
1868         s->ctest4 = val;
1869         break;
1870     case 0x22: /* CTEST5 */
1871         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1872             BADF("CTEST5 DMA increment not implemented\n");
1873         }
1874         s->ctest5 = val;
1875         break;
1876     CASE_SET_REG24(dbc, 0x24)
1877     CASE_SET_REG32(dnad, 0x28)
1878     case 0x2c: /* DSP[0:7] */
1879         s->dsp &= 0xffffff00;
1880         s->dsp |= val;
1881         break;
1882     case 0x2d: /* DSP[8:15] */
1883         s->dsp &= 0xffff00ff;
1884         s->dsp |= val << 8;
1885         break;
1886     case 0x2e: /* DSP[16:23] */
1887         s->dsp &= 0xff00ffff;
1888         s->dsp |= val << 16;
1889         break;
1890     case 0x2f: /* DSP[24:31] */
1891         s->dsp &= 0x00ffffff;
1892         s->dsp |= val << 24;
1893         if ((s->dmode & LSI_DMODE_MAN) == 0
1894             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1895             lsi_execute_script(s);
1896         break;
1897     CASE_SET_REG32(dsps, 0x30)
1898     CASE_SET_REG32(scratch[0], 0x34)
1899     case 0x38: /* DMODE */
1900         s->dmode = val;
1901         break;
1902     case 0x39: /* DIEN */
1903         s->dien = val;
1904         lsi_update_irq(s);
1905         break;
1906     case 0x3a: /* SBR */
1907         s->sbr = val;
1908         break;
1909     case 0x3b: /* DCNTL */
1910         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
1911         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1912             lsi_execute_script(s);
1913         break;
1914     case 0x40: /* SIEN0 */
1915         s->sien0 = val;
1916         lsi_update_irq(s);
1917         break;
1918     case 0x41: /* SIEN1 */
1919         s->sien1 = val;
1920         lsi_update_irq(s);
1921         break;
1922     case 0x47: /* GPCNTL0 */
1923         break;
1924     case 0x48: /* STIME0 */
1925         s->stime0 = val;
1926         break;
1927     case 0x49: /* STIME1 */
1928         if (val & 0xf) {
1929             DPRINTF("General purpose timer not implemented\n");
1930             /* ??? Raising the interrupt immediately seems to be sufficient
1931                to keep the FreeBSD driver happy.  */
1932             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
1933         }
1934         break;
1935     case 0x4a: /* RESPID0 */
1936         s->respid0 = val;
1937         break;
1938     case 0x4b: /* RESPID1 */
1939         s->respid1 = val;
1940         break;
1941     case 0x4d: /* STEST1 */
1942         s->stest1 = val;
1943         break;
1944     case 0x4e: /* STEST2 */
1945         if (val & 1) {
1946             BADF("Low level mode not implemented\n");
1947         }
1948         s->stest2 = val;
1949         break;
1950     case 0x4f: /* STEST3 */
1951         if (val & 0x41) {
1952             BADF("SCSI FIFO test mode not implemented\n");
1953         }
1954         s->stest3 = val;
1955         break;
1956     case 0x56: /* CCNTL0 */
1957         s->ccntl0 = val;
1958         break;
1959     case 0x57: /* CCNTL1 */
1960         s->ccntl1 = val;
1961         break;
1962     CASE_SET_REG32(mmrs, 0xa0)
1963     CASE_SET_REG32(mmws, 0xa4)
1964     CASE_SET_REG32(sfs, 0xa8)
1965     CASE_SET_REG32(drs, 0xac)
1966     CASE_SET_REG32(sbms, 0xb0)
1967     CASE_SET_REG32(dbms, 0xb4)
1968     CASE_SET_REG32(dnad64, 0xb8)
1969     CASE_SET_REG32(pmjad1, 0xc0)
1970     CASE_SET_REG32(pmjad2, 0xc4)
1971     CASE_SET_REG32(rbc, 0xc8)
1972     CASE_SET_REG32(ua, 0xcc)
1973     CASE_SET_REG32(ia, 0xd4)
1974     CASE_SET_REG32(sbc, 0xd8)
1975     CASE_SET_REG32(csbc, 0xdc)
1976     default:
1977         if (offset >= 0x5c && offset < 0xa0) {
1978             int n;
1979             int shift;
1980             n = (offset - 0x58) >> 2;
1981             shift = (offset & 3) * 8;
1982             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
1983         } else {
1984             qemu_log_mask(LOG_GUEST_ERROR,
1985                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
1986                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
1987                           offset, val);
1988         }
1989     }
1990 #undef CASE_SET_REG24
1991 #undef CASE_SET_REG32
1992 }
1993 
1994 static void lsi_mmio_write(void *opaque, hwaddr addr,
1995                            uint64_t val, unsigned size)
1996 {
1997     LSIState *s = opaque;
1998 
1999     lsi_reg_writeb(s, addr & 0xff, val);
2000 }
2001 
2002 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2003                               unsigned size)
2004 {
2005     LSIState *s = opaque;
2006 
2007     return lsi_reg_readb(s, addr & 0xff);
2008 }
2009 
2010 static const MemoryRegionOps lsi_mmio_ops = {
2011     .read = lsi_mmio_read,
2012     .write = lsi_mmio_write,
2013     .endianness = DEVICE_NATIVE_ENDIAN,
2014     .impl = {
2015         .min_access_size = 1,
2016         .max_access_size = 1,
2017     },
2018 };
2019 
2020 static void lsi_ram_write(void *opaque, hwaddr addr,
2021                           uint64_t val, unsigned size)
2022 {
2023     LSIState *s = opaque;
2024     uint32_t newval;
2025     uint32_t mask;
2026     int shift;
2027 
2028     newval = s->script_ram[addr >> 2];
2029     shift = (addr & 3) * 8;
2030     mask = ((uint64_t)1 << (size * 8)) - 1;
2031     newval &= ~(mask << shift);
2032     newval |= val << shift;
2033     s->script_ram[addr >> 2] = newval;
2034 }
2035 
2036 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2037                              unsigned size)
2038 {
2039     LSIState *s = opaque;
2040     uint32_t val;
2041     uint32_t mask;
2042 
2043     val = s->script_ram[addr >> 2];
2044     mask = ((uint64_t)1 << (size * 8)) - 1;
2045     val >>= (addr & 3) * 8;
2046     return val & mask;
2047 }
2048 
2049 static const MemoryRegionOps lsi_ram_ops = {
2050     .read = lsi_ram_read,
2051     .write = lsi_ram_write,
2052     .endianness = DEVICE_NATIVE_ENDIAN,
2053 };
2054 
2055 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2056                             unsigned size)
2057 {
2058     LSIState *s = opaque;
2059     return lsi_reg_readb(s, addr & 0xff);
2060 }
2061 
2062 static void lsi_io_write(void *opaque, hwaddr addr,
2063                          uint64_t val, unsigned size)
2064 {
2065     LSIState *s = opaque;
2066     lsi_reg_writeb(s, addr & 0xff, val);
2067 }
2068 
2069 static const MemoryRegionOps lsi_io_ops = {
2070     .read = lsi_io_read,
2071     .write = lsi_io_write,
2072     .endianness = DEVICE_NATIVE_ENDIAN,
2073     .impl = {
2074         .min_access_size = 1,
2075         .max_access_size = 1,
2076     },
2077 };
2078 
2079 static void lsi_scsi_reset(DeviceState *dev)
2080 {
2081     LSIState *s = LSI53C895A(dev);
2082 
2083     lsi_soft_reset(s);
2084 }
2085 
2086 static int lsi_pre_save(void *opaque)
2087 {
2088     LSIState *s = opaque;
2089 
2090     if (s->current) {
2091         assert(s->current->dma_buf == NULL);
2092         assert(s->current->dma_len == 0);
2093     }
2094     assert(QTAILQ_EMPTY(&s->queue));
2095 
2096     return 0;
2097 }
2098 
2099 static const VMStateDescription vmstate_lsi_scsi = {
2100     .name = "lsiscsi",
2101     .version_id = 0,
2102     .minimum_version_id = 0,
2103     .pre_save = lsi_pre_save,
2104     .fields = (VMStateField[]) {
2105         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2106 
2107         VMSTATE_INT32(carry, LSIState),
2108         VMSTATE_INT32(status, LSIState),
2109         VMSTATE_INT32(msg_action, LSIState),
2110         VMSTATE_INT32(msg_len, LSIState),
2111         VMSTATE_BUFFER(msg, LSIState),
2112         VMSTATE_INT32(waiting, LSIState),
2113 
2114         VMSTATE_UINT32(dsa, LSIState),
2115         VMSTATE_UINT32(temp, LSIState),
2116         VMSTATE_UINT32(dnad, LSIState),
2117         VMSTATE_UINT32(dbc, LSIState),
2118         VMSTATE_UINT8(istat0, LSIState),
2119         VMSTATE_UINT8(istat1, LSIState),
2120         VMSTATE_UINT8(dcmd, LSIState),
2121         VMSTATE_UINT8(dstat, LSIState),
2122         VMSTATE_UINT8(dien, LSIState),
2123         VMSTATE_UINT8(sist0, LSIState),
2124         VMSTATE_UINT8(sist1, LSIState),
2125         VMSTATE_UINT8(sien0, LSIState),
2126         VMSTATE_UINT8(sien1, LSIState),
2127         VMSTATE_UINT8(mbox0, LSIState),
2128         VMSTATE_UINT8(mbox1, LSIState),
2129         VMSTATE_UINT8(dfifo, LSIState),
2130         VMSTATE_UINT8(ctest2, LSIState),
2131         VMSTATE_UINT8(ctest3, LSIState),
2132         VMSTATE_UINT8(ctest4, LSIState),
2133         VMSTATE_UINT8(ctest5, LSIState),
2134         VMSTATE_UINT8(ccntl0, LSIState),
2135         VMSTATE_UINT8(ccntl1, LSIState),
2136         VMSTATE_UINT32(dsp, LSIState),
2137         VMSTATE_UINT32(dsps, LSIState),
2138         VMSTATE_UINT8(dmode, LSIState),
2139         VMSTATE_UINT8(dcntl, LSIState),
2140         VMSTATE_UINT8(scntl0, LSIState),
2141         VMSTATE_UINT8(scntl1, LSIState),
2142         VMSTATE_UINT8(scntl2, LSIState),
2143         VMSTATE_UINT8(scntl3, LSIState),
2144         VMSTATE_UINT8(sstat0, LSIState),
2145         VMSTATE_UINT8(sstat1, LSIState),
2146         VMSTATE_UINT8(scid, LSIState),
2147         VMSTATE_UINT8(sxfer, LSIState),
2148         VMSTATE_UINT8(socl, LSIState),
2149         VMSTATE_UINT8(sdid, LSIState),
2150         VMSTATE_UINT8(ssid, LSIState),
2151         VMSTATE_UINT8(sfbr, LSIState),
2152         VMSTATE_UINT8(stest1, LSIState),
2153         VMSTATE_UINT8(stest2, LSIState),
2154         VMSTATE_UINT8(stest3, LSIState),
2155         VMSTATE_UINT8(sidl, LSIState),
2156         VMSTATE_UINT8(stime0, LSIState),
2157         VMSTATE_UINT8(respid0, LSIState),
2158         VMSTATE_UINT8(respid1, LSIState),
2159         VMSTATE_UINT32(mmrs, LSIState),
2160         VMSTATE_UINT32(mmws, LSIState),
2161         VMSTATE_UINT32(sfs, LSIState),
2162         VMSTATE_UINT32(drs, LSIState),
2163         VMSTATE_UINT32(sbms, LSIState),
2164         VMSTATE_UINT32(dbms, LSIState),
2165         VMSTATE_UINT32(dnad64, LSIState),
2166         VMSTATE_UINT32(pmjad1, LSIState),
2167         VMSTATE_UINT32(pmjad2, LSIState),
2168         VMSTATE_UINT32(rbc, LSIState),
2169         VMSTATE_UINT32(ua, LSIState),
2170         VMSTATE_UINT32(ia, LSIState),
2171         VMSTATE_UINT32(sbc, LSIState),
2172         VMSTATE_UINT32(csbc, LSIState),
2173         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2174         VMSTATE_UINT8(sbr, LSIState),
2175 
2176         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 2048 * sizeof(uint32_t)),
2177         VMSTATE_END_OF_LIST()
2178     }
2179 };
2180 
2181 static const struct SCSIBusInfo lsi_scsi_info = {
2182     .tcq = true,
2183     .max_target = LSI_MAX_DEVS,
2184     .max_lun = 0,  /* LUN support is buggy */
2185 
2186     .transfer_data = lsi_transfer_data,
2187     .complete = lsi_command_complete,
2188     .cancel = lsi_request_cancelled
2189 };
2190 
2191 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2192 {
2193     LSIState *s = LSI53C895A(dev);
2194     DeviceState *d = DEVICE(dev);
2195     uint8_t *pci_conf;
2196 
2197     pci_conf = dev->config;
2198 
2199     /* PCI latency timer = 255 */
2200     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2201     /* Interrupt pin A */
2202     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2203 
2204     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2205                           "lsi-mmio", 0x400);
2206     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2207                           "lsi-ram", 0x2000);
2208     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2209                           "lsi-io", 256);
2210 
2211     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2212 
2213     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2214     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2215     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2216     QTAILQ_INIT(&s->queue);
2217 
2218     scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
2219 }
2220 
2221 static void lsi_scsi_unrealize(DeviceState *dev, Error **errp)
2222 {
2223     LSIState *s = LSI53C895A(dev);
2224 
2225     address_space_destroy(&s->pci_io_as);
2226 }
2227 
2228 static void lsi_class_init(ObjectClass *klass, void *data)
2229 {
2230     DeviceClass *dc = DEVICE_CLASS(klass);
2231     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2232 
2233     k->realize = lsi_scsi_realize;
2234     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2235     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2236     k->class_id = PCI_CLASS_STORAGE_SCSI;
2237     k->subsystem_id = 0x1000;
2238     dc->unrealize = lsi_scsi_unrealize;
2239     dc->reset = lsi_scsi_reset;
2240     dc->vmsd = &vmstate_lsi_scsi;
2241     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2242 }
2243 
2244 static const TypeInfo lsi_info = {
2245     .name          = TYPE_LSI53C895A,
2246     .parent        = TYPE_PCI_DEVICE,
2247     .instance_size = sizeof(LSIState),
2248     .class_init    = lsi_class_init,
2249 };
2250 
2251 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2252 {
2253     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2254 
2255     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2256 }
2257 
2258 static TypeInfo lsi53c810_info = {
2259     .name          = TYPE_LSI53C810,
2260     .parent        = TYPE_LSI53C895A,
2261     .class_init    = lsi53c810_class_init,
2262 };
2263 
2264 static void lsi53c895a_register_types(void)
2265 {
2266     type_register_static(&lsi_info);
2267     type_register_static(&lsi53c810_info);
2268 }
2269 
2270 type_init(lsi53c895a_register_types)
2271 
2272 void lsi53c895a_create(PCIBus *bus)
2273 {
2274     LSIState *s = LSI53C895A(pci_create_simple(bus, -1, "lsi53c895a"));
2275 
2276     scsi_bus_legacy_handle_cmdline(&s->bus, false);
2277 }
2278