xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision 709395f8)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/hw.h"
19 #include "hw/pci/pci.h"
20 #include "hw/scsi/scsi.h"
21 #include "sysemu/dma.h"
22 #include "qemu/log.h"
23 #include "trace.h"
24 
25 static const char *names[] = {
26     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
27     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
28     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
29     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
30     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
31     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
32     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
33     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
34     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
35     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
36     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
37     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
38 };
39 
40 #define LSI_MAX_DEVS 7
41 
42 #define LSI_SCNTL0_TRG    0x01
43 #define LSI_SCNTL0_AAP    0x02
44 #define LSI_SCNTL0_EPC    0x08
45 #define LSI_SCNTL0_WATN   0x10
46 #define LSI_SCNTL0_START  0x20
47 
48 #define LSI_SCNTL1_SST    0x01
49 #define LSI_SCNTL1_IARB   0x02
50 #define LSI_SCNTL1_AESP   0x04
51 #define LSI_SCNTL1_RST    0x08
52 #define LSI_SCNTL1_CON    0x10
53 #define LSI_SCNTL1_DHP    0x20
54 #define LSI_SCNTL1_ADB    0x40
55 #define LSI_SCNTL1_EXC    0x80
56 
57 #define LSI_SCNTL2_WSR    0x01
58 #define LSI_SCNTL2_VUE0   0x02
59 #define LSI_SCNTL2_VUE1   0x04
60 #define LSI_SCNTL2_WSS    0x08
61 #define LSI_SCNTL2_SLPHBEN 0x10
62 #define LSI_SCNTL2_SLPMD  0x20
63 #define LSI_SCNTL2_CHM    0x40
64 #define LSI_SCNTL2_SDU    0x80
65 
66 #define LSI_ISTAT0_DIP    0x01
67 #define LSI_ISTAT0_SIP    0x02
68 #define LSI_ISTAT0_INTF   0x04
69 #define LSI_ISTAT0_CON    0x08
70 #define LSI_ISTAT0_SEM    0x10
71 #define LSI_ISTAT0_SIGP   0x20
72 #define LSI_ISTAT0_SRST   0x40
73 #define LSI_ISTAT0_ABRT   0x80
74 
75 #define LSI_ISTAT1_SI     0x01
76 #define LSI_ISTAT1_SRUN   0x02
77 #define LSI_ISTAT1_FLSH   0x04
78 
79 #define LSI_SSTAT0_SDP0   0x01
80 #define LSI_SSTAT0_RST    0x02
81 #define LSI_SSTAT0_WOA    0x04
82 #define LSI_SSTAT0_LOA    0x08
83 #define LSI_SSTAT0_AIP    0x10
84 #define LSI_SSTAT0_OLF    0x20
85 #define LSI_SSTAT0_ORF    0x40
86 #define LSI_SSTAT0_ILF    0x80
87 
88 #define LSI_SIST0_PAR     0x01
89 #define LSI_SIST0_RST     0x02
90 #define LSI_SIST0_UDC     0x04
91 #define LSI_SIST0_SGE     0x08
92 #define LSI_SIST0_RSL     0x10
93 #define LSI_SIST0_SEL     0x20
94 #define LSI_SIST0_CMP     0x40
95 #define LSI_SIST0_MA      0x80
96 
97 #define LSI_SIST1_HTH     0x01
98 #define LSI_SIST1_GEN     0x02
99 #define LSI_SIST1_STO     0x04
100 #define LSI_SIST1_SBMC    0x10
101 
102 #define LSI_SOCL_IO       0x01
103 #define LSI_SOCL_CD       0x02
104 #define LSI_SOCL_MSG      0x04
105 #define LSI_SOCL_ATN      0x08
106 #define LSI_SOCL_SEL      0x10
107 #define LSI_SOCL_BSY      0x20
108 #define LSI_SOCL_ACK      0x40
109 #define LSI_SOCL_REQ      0x80
110 
111 #define LSI_DSTAT_IID     0x01
112 #define LSI_DSTAT_SIR     0x04
113 #define LSI_DSTAT_SSI     0x08
114 #define LSI_DSTAT_ABRT    0x10
115 #define LSI_DSTAT_BF      0x20
116 #define LSI_DSTAT_MDPE    0x40
117 #define LSI_DSTAT_DFE     0x80
118 
119 #define LSI_DCNTL_COM     0x01
120 #define LSI_DCNTL_IRQD    0x02
121 #define LSI_DCNTL_STD     0x04
122 #define LSI_DCNTL_IRQM    0x08
123 #define LSI_DCNTL_SSM     0x10
124 #define LSI_DCNTL_PFEN    0x20
125 #define LSI_DCNTL_PFF     0x40
126 #define LSI_DCNTL_CLSE    0x80
127 
128 #define LSI_DMODE_MAN     0x01
129 #define LSI_DMODE_BOF     0x02
130 #define LSI_DMODE_ERMP    0x04
131 #define LSI_DMODE_ERL     0x08
132 #define LSI_DMODE_DIOM    0x10
133 #define LSI_DMODE_SIOM    0x20
134 
135 #define LSI_CTEST2_DACK   0x01
136 #define LSI_CTEST2_DREQ   0x02
137 #define LSI_CTEST2_TEOP   0x04
138 #define LSI_CTEST2_PCICIE 0x08
139 #define LSI_CTEST2_CM     0x10
140 #define LSI_CTEST2_CIO    0x20
141 #define LSI_CTEST2_SIGP   0x40
142 #define LSI_CTEST2_DDIR   0x80
143 
144 #define LSI_CTEST5_BL2    0x04
145 #define LSI_CTEST5_DDIR   0x08
146 #define LSI_CTEST5_MASR   0x10
147 #define LSI_CTEST5_DFSN   0x20
148 #define LSI_CTEST5_BBCK   0x40
149 #define LSI_CTEST5_ADCK   0x80
150 
151 #define LSI_CCNTL0_DILS   0x01
152 #define LSI_CCNTL0_DISFC  0x10
153 #define LSI_CCNTL0_ENNDJ  0x20
154 #define LSI_CCNTL0_PMJCTL 0x40
155 #define LSI_CCNTL0_ENPMJ  0x80
156 
157 #define LSI_CCNTL1_EN64DBMV  0x01
158 #define LSI_CCNTL1_EN64TIBMV 0x02
159 #define LSI_CCNTL1_64TIMOD   0x04
160 #define LSI_CCNTL1_DDAC      0x08
161 #define LSI_CCNTL1_ZMOD      0x80
162 
163 /* Enable Response to Reselection */
164 #define LSI_SCID_RRE      0x60
165 
166 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
167 
168 #define PHASE_DO          0
169 #define PHASE_DI          1
170 #define PHASE_CMD         2
171 #define PHASE_ST          3
172 #define PHASE_MO          6
173 #define PHASE_MI          7
174 #define PHASE_MASK        7
175 
176 /* Maximum length of MSG IN data.  */
177 #define LSI_MAX_MSGIN_LEN 8
178 
179 /* Flag set if this is a tagged command.  */
180 #define LSI_TAG_VALID     (1 << 16)
181 
182 typedef struct lsi_request {
183     SCSIRequest *req;
184     uint32_t tag;
185     uint32_t dma_len;
186     uint8_t *dma_buf;
187     uint32_t pending;
188     int out;
189     QTAILQ_ENTRY(lsi_request) next;
190 } lsi_request;
191 
192 typedef struct {
193     /*< private >*/
194     PCIDevice parent_obj;
195     /*< public >*/
196 
197     qemu_irq ext_irq;
198     MemoryRegion mmio_io;
199     MemoryRegion ram_io;
200     MemoryRegion io_io;
201     AddressSpace pci_io_as;
202 
203     int carry; /* ??? Should this be an a visible register somewhere?  */
204     int status;
205     /* Action to take at the end of a MSG IN phase.
206        0 = COMMAND, 1 = disconnect, 2 = DATA OUT, 3 = DATA IN.  */
207     int msg_action;
208     int msg_len;
209     uint8_t msg[LSI_MAX_MSGIN_LEN];
210     /* 0 if SCRIPTS are running or stopped.
211      * 1 if a Wait Reselect instruction has been issued.
212      * 2 if processing DMA from lsi_execute_script.
213      * 3 if a DMA operation is in progress.  */
214     int waiting;
215     SCSIBus bus;
216     int current_lun;
217     /* The tag is a combination of the device ID and the SCSI tag.  */
218     uint32_t select_tag;
219     int command_complete;
220     QTAILQ_HEAD(, lsi_request) queue;
221     lsi_request *current;
222 
223     uint32_t dsa;
224     uint32_t temp;
225     uint32_t dnad;
226     uint32_t dbc;
227     uint8_t istat0;
228     uint8_t istat1;
229     uint8_t dcmd;
230     uint8_t dstat;
231     uint8_t dien;
232     uint8_t sist0;
233     uint8_t sist1;
234     uint8_t sien0;
235     uint8_t sien1;
236     uint8_t mbox0;
237     uint8_t mbox1;
238     uint8_t dfifo;
239     uint8_t ctest2;
240     uint8_t ctest3;
241     uint8_t ctest4;
242     uint8_t ctest5;
243     uint8_t ccntl0;
244     uint8_t ccntl1;
245     uint32_t dsp;
246     uint32_t dsps;
247     uint8_t dmode;
248     uint8_t dcntl;
249     uint8_t scntl0;
250     uint8_t scntl1;
251     uint8_t scntl2;
252     uint8_t scntl3;
253     uint8_t sstat0;
254     uint8_t sstat1;
255     uint8_t scid;
256     uint8_t sxfer;
257     uint8_t socl;
258     uint8_t sdid;
259     uint8_t ssid;
260     uint8_t sfbr;
261     uint8_t stest1;
262     uint8_t stest2;
263     uint8_t stest3;
264     uint8_t sidl;
265     uint8_t stime0;
266     uint8_t respid0;
267     uint8_t respid1;
268     uint32_t mmrs;
269     uint32_t mmws;
270     uint32_t sfs;
271     uint32_t drs;
272     uint32_t sbms;
273     uint32_t dbms;
274     uint32_t dnad64;
275     uint32_t pmjad1;
276     uint32_t pmjad2;
277     uint32_t rbc;
278     uint32_t ua;
279     uint32_t ia;
280     uint32_t sbc;
281     uint32_t csbc;
282     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
283     uint8_t sbr;
284     uint32_t adder;
285 
286     /* Script ram is stored as 32-bit words in host byteorder.  */
287     uint32_t script_ram[2048];
288 } LSIState;
289 
290 #define TYPE_LSI53C810  "lsi53c810"
291 #define TYPE_LSI53C895A "lsi53c895a"
292 
293 #define LSI53C895A(obj) \
294     OBJECT_CHECK(LSIState, (obj), TYPE_LSI53C895A)
295 
296 static inline int lsi_irq_on_rsl(LSIState *s)
297 {
298     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
299 }
300 
301 static lsi_request *get_pending_req(LSIState *s)
302 {
303     lsi_request *p;
304 
305     QTAILQ_FOREACH(p, &s->queue, next) {
306         if (p->pending) {
307             return p;
308         }
309     }
310     return NULL;
311 }
312 
313 static void lsi_soft_reset(LSIState *s)
314 {
315     trace_lsi_reset();
316     s->carry = 0;
317 
318     s->msg_action = 0;
319     s->msg_len = 0;
320     s->waiting = 0;
321     s->dsa = 0;
322     s->dnad = 0;
323     s->dbc = 0;
324     s->temp = 0;
325     memset(s->scratch, 0, sizeof(s->scratch));
326     s->istat0 = 0;
327     s->istat1 = 0;
328     s->dcmd = 0x40;
329     s->dstat = 0;
330     s->dien = 0;
331     s->sist0 = 0;
332     s->sist1 = 0;
333     s->sien0 = 0;
334     s->sien1 = 0;
335     s->mbox0 = 0;
336     s->mbox1 = 0;
337     s->dfifo = 0;
338     s->ctest2 = LSI_CTEST2_DACK;
339     s->ctest3 = 0;
340     s->ctest4 = 0;
341     s->ctest5 = 0;
342     s->ccntl0 = 0;
343     s->ccntl1 = 0;
344     s->dsp = 0;
345     s->dsps = 0;
346     s->dmode = 0;
347     s->dcntl = 0;
348     s->scntl0 = 0xc0;
349     s->scntl1 = 0;
350     s->scntl2 = 0;
351     s->scntl3 = 0;
352     s->sstat0 = 0;
353     s->sstat1 = 0;
354     s->scid = 7;
355     s->sxfer = 0;
356     s->socl = 0;
357     s->sdid = 0;
358     s->ssid = 0;
359     s->stest1 = 0;
360     s->stest2 = 0;
361     s->stest3 = 0;
362     s->sidl = 0;
363     s->stime0 = 0;
364     s->respid0 = 0x80;
365     s->respid1 = 0;
366     s->mmrs = 0;
367     s->mmws = 0;
368     s->sfs = 0;
369     s->drs = 0;
370     s->sbms = 0;
371     s->dbms = 0;
372     s->dnad64 = 0;
373     s->pmjad1 = 0;
374     s->pmjad2 = 0;
375     s->rbc = 0;
376     s->ua = 0;
377     s->ia = 0;
378     s->sbc = 0;
379     s->csbc = 0;
380     s->sbr = 0;
381     assert(QTAILQ_EMPTY(&s->queue));
382     assert(!s->current);
383 }
384 
385 static int lsi_dma_40bit(LSIState *s)
386 {
387     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
388         return 1;
389     return 0;
390 }
391 
392 static int lsi_dma_ti64bit(LSIState *s)
393 {
394     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
395         return 1;
396     return 0;
397 }
398 
399 static int lsi_dma_64bit(LSIState *s)
400 {
401     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
402         return 1;
403     return 0;
404 }
405 
406 static uint8_t lsi_reg_readb(LSIState *s, int offset);
407 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
408 static void lsi_execute_script(LSIState *s);
409 static void lsi_reselect(LSIState *s, lsi_request *p);
410 
411 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
412                                void *buf, dma_addr_t len)
413 {
414     if (s->dmode & LSI_DMODE_SIOM) {
415         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
416                            buf, len);
417     } else {
418         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
419     }
420 }
421 
422 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
423                                 const void *buf, dma_addr_t len)
424 {
425     if (s->dmode & LSI_DMODE_DIOM) {
426         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
427                             buf, len);
428     } else {
429         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
430     }
431 }
432 
433 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
434 {
435     uint32_t buf;
436 
437     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
438     return cpu_to_le32(buf);
439 }
440 
441 static void lsi_stop_script(LSIState *s)
442 {
443     s->istat1 &= ~LSI_ISTAT1_SRUN;
444 }
445 
446 static void lsi_set_irq(LSIState *s, int level)
447 {
448     PCIDevice *d = PCI_DEVICE(s);
449 
450     if (s->ext_irq) {
451         qemu_set_irq(s->ext_irq, level);
452     } else {
453         pci_set_irq(d, level);
454     }
455 }
456 
457 static void lsi_update_irq(LSIState *s)
458 {
459     int level;
460     static int last_level;
461 
462     /* It's unclear whether the DIP/SIP bits should be cleared when the
463        Interrupt Status Registers are cleared or when istat0 is read.
464        We currently do the formwer, which seems to work.  */
465     level = 0;
466     if (s->dstat) {
467         if (s->dstat & s->dien)
468             level = 1;
469         s->istat0 |= LSI_ISTAT0_DIP;
470     } else {
471         s->istat0 &= ~LSI_ISTAT0_DIP;
472     }
473 
474     if (s->sist0 || s->sist1) {
475         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
476             level = 1;
477         s->istat0 |= LSI_ISTAT0_SIP;
478     } else {
479         s->istat0 &= ~LSI_ISTAT0_SIP;
480     }
481     if (s->istat0 & LSI_ISTAT0_INTF)
482         level = 1;
483 
484     if (level != last_level) {
485         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
486         last_level = level;
487     }
488     lsi_set_irq(s, level);
489 
490     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
491         lsi_request *p;
492 
493         trace_lsi_update_irq_disconnected();
494         p = get_pending_req(s);
495         if (p) {
496             lsi_reselect(s, p);
497         }
498     }
499 }
500 
501 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
502 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
503 {
504     uint32_t mask0;
505     uint32_t mask1;
506 
507     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
508     s->sist0 |= stat0;
509     s->sist1 |= stat1;
510     /* Stop processor on fatal or unmasked interrupt.  As a special hack
511        we don't stop processing when raising STO.  Instead continue
512        execution and stop at the next insn that accesses the SCSI bus.  */
513     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
514     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
515     mask1 &= ~LSI_SIST1_STO;
516     if (s->sist0 & mask0 || s->sist1 & mask1) {
517         lsi_stop_script(s);
518     }
519     lsi_update_irq(s);
520 }
521 
522 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
523 static void lsi_script_dma_interrupt(LSIState *s, int stat)
524 {
525     trace_lsi_script_dma_interrupt(stat, s->dstat);
526     s->dstat |= stat;
527     lsi_update_irq(s);
528     lsi_stop_script(s);
529 }
530 
531 static inline void lsi_set_phase(LSIState *s, int phase)
532 {
533     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
534 }
535 
536 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
537 {
538     /* Trigger a phase mismatch.  */
539     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
540         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
541             s->dsp = out ? s->pmjad1 : s->pmjad2;
542         } else {
543             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
544         }
545         trace_lsi_bad_phase_jump(s->dsp);
546     } else {
547         trace_lsi_bad_phase_interrupt();
548         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
549         lsi_stop_script(s);
550     }
551     lsi_set_phase(s, new_phase);
552 }
553 
554 
555 /* Resume SCRIPTS execution after a DMA operation.  */
556 static void lsi_resume_script(LSIState *s)
557 {
558     if (s->waiting != 2) {
559         s->waiting = 0;
560         lsi_execute_script(s);
561     } else {
562         s->waiting = 0;
563     }
564 }
565 
566 static void lsi_disconnect(LSIState *s)
567 {
568     s->scntl1 &= ~LSI_SCNTL1_CON;
569     s->sstat1 &= ~PHASE_MASK;
570 }
571 
572 static void lsi_bad_selection(LSIState *s, uint32_t id)
573 {
574     trace_lsi_bad_selection(id);
575     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
576     lsi_disconnect(s);
577 }
578 
579 /* Initiate a SCSI layer data transfer.  */
580 static void lsi_do_dma(LSIState *s, int out)
581 {
582     uint32_t count;
583     dma_addr_t addr;
584     SCSIDevice *dev;
585 
586     assert(s->current);
587     if (!s->current->dma_len) {
588         /* Wait until data is available.  */
589         trace_lsi_do_dma_unavailable();
590         return;
591     }
592 
593     dev = s->current->req->dev;
594     assert(dev);
595 
596     count = s->dbc;
597     if (count > s->current->dma_len)
598         count = s->current->dma_len;
599 
600     addr = s->dnad;
601     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
602     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
603         addr |= ((uint64_t)s->dnad64 << 32);
604     else if (s->dbms)
605         addr |= ((uint64_t)s->dbms << 32);
606     else if (s->sbms)
607         addr |= ((uint64_t)s->sbms << 32);
608 
609     trace_lsi_do_dma(addr, count);
610     s->csbc += count;
611     s->dnad += count;
612     s->dbc -= count;
613      if (s->current->dma_buf == NULL) {
614         s->current->dma_buf = scsi_req_get_buf(s->current->req);
615     }
616     /* ??? Set SFBR to first data byte.  */
617     if (out) {
618         lsi_mem_read(s, addr, s->current->dma_buf, count);
619     } else {
620         lsi_mem_write(s, addr, s->current->dma_buf, count);
621     }
622     s->current->dma_len -= count;
623     if (s->current->dma_len == 0) {
624         s->current->dma_buf = NULL;
625         scsi_req_continue(s->current->req);
626     } else {
627         s->current->dma_buf += count;
628         lsi_resume_script(s);
629     }
630 }
631 
632 
633 /* Add a command to the queue.  */
634 static void lsi_queue_command(LSIState *s)
635 {
636     lsi_request *p = s->current;
637 
638     trace_lsi_queue_command(p->tag);
639     assert(s->current != NULL);
640     assert(s->current->dma_len == 0);
641     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
642     s->current = NULL;
643 
644     p->pending = 0;
645     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
646 }
647 
648 /* Queue a byte for a MSG IN phase.  */
649 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
650 {
651     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
652         trace_lsi_add_msg_byte_error();
653     } else {
654         trace_lsi_add_msg_byte(data);
655         s->msg[s->msg_len++] = data;
656     }
657 }
658 
659 /* Perform reselection to continue a command.  */
660 static void lsi_reselect(LSIState *s, lsi_request *p)
661 {
662     int id;
663 
664     assert(s->current == NULL);
665     QTAILQ_REMOVE(&s->queue, p, next);
666     s->current = p;
667 
668     id = (p->tag >> 8) & 0xf;
669     s->ssid = id | 0x80;
670     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
671     if (!(s->dcntl & LSI_DCNTL_COM)) {
672         s->sfbr = 1 << (id & 0x7);
673     }
674     trace_lsi_reselect(id);
675     s->scntl1 |= LSI_SCNTL1_CON;
676     lsi_set_phase(s, PHASE_MI);
677     s->msg_action = p->out ? 2 : 3;
678     s->current->dma_len = p->pending;
679     lsi_add_msg_byte(s, 0x80);
680     if (s->current->tag & LSI_TAG_VALID) {
681         lsi_add_msg_byte(s, 0x20);
682         lsi_add_msg_byte(s, p->tag & 0xff);
683     }
684 
685     if (lsi_irq_on_rsl(s)) {
686         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
687     }
688 }
689 
690 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
691 {
692     lsi_request *p;
693 
694     QTAILQ_FOREACH(p, &s->queue, next) {
695         if (p->tag == tag) {
696             return p;
697         }
698     }
699 
700     return NULL;
701 }
702 
703 static void lsi_request_free(LSIState *s, lsi_request *p)
704 {
705     if (p == s->current) {
706         s->current = NULL;
707     } else {
708         QTAILQ_REMOVE(&s->queue, p, next);
709     }
710     g_free(p);
711 }
712 
713 static void lsi_request_cancelled(SCSIRequest *req)
714 {
715     LSIState *s = LSI53C895A(req->bus->qbus.parent);
716     lsi_request *p = req->hba_private;
717 
718     req->hba_private = NULL;
719     lsi_request_free(s, p);
720     scsi_req_unref(req);
721 }
722 
723 /* Record that data is available for a queued command.  Returns zero if
724    the device was reselected, nonzero if the IO is deferred.  */
725 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
726 {
727     lsi_request *p = req->hba_private;
728 
729     if (p->pending) {
730         trace_lsi_queue_req_error(p);
731     }
732     p->pending = len;
733     /* Reselect if waiting for it, or if reselection triggers an IRQ
734        and the bus is free.
735        Since no interrupt stacking is implemented in the emulation, it
736        is also required that there are no pending interrupts waiting
737        for service from the device driver. */
738     if (s->waiting == 1 ||
739         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
740          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
741         /* Reselect device.  */
742         lsi_reselect(s, p);
743         return 0;
744     } else {
745         trace_lsi_queue_req(p->tag);
746         p->pending = len;
747         return 1;
748     }
749 }
750 
751  /* Callback to indicate that the SCSI layer has completed a command.  */
752 static void lsi_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
753 {
754     LSIState *s = LSI53C895A(req->bus->qbus.parent);
755     int out;
756 
757     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
758     trace_lsi_command_complete(status);
759     s->status = status;
760     s->command_complete = 2;
761     if (s->waiting && s->dbc != 0) {
762         /* Raise phase mismatch for short transfers.  */
763         lsi_bad_phase(s, out, PHASE_ST);
764     } else {
765         lsi_set_phase(s, PHASE_ST);
766     }
767 
768     if (req->hba_private == s->current) {
769         req->hba_private = NULL;
770         lsi_request_free(s, s->current);
771         scsi_req_unref(req);
772     }
773     lsi_resume_script(s);
774 }
775 
776  /* Callback to indicate that the SCSI layer has completed a transfer.  */
777 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
778 {
779     LSIState *s = LSI53C895A(req->bus->qbus.parent);
780     int out;
781 
782     assert(req->hba_private);
783     if (s->waiting == 1 || req->hba_private != s->current ||
784         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
785         if (lsi_queue_req(s, req, len)) {
786             return;
787         }
788     }
789 
790     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
791 
792     /* host adapter (re)connected */
793     trace_lsi_transfer_data(req->tag, len);
794     s->current->dma_len = len;
795     s->command_complete = 1;
796     if (s->waiting) {
797         if (s->waiting == 1 || s->dbc == 0) {
798             lsi_resume_script(s);
799         } else {
800             lsi_do_dma(s, out);
801         }
802     }
803 }
804 
805 static void lsi_do_command(LSIState *s)
806 {
807     SCSIDevice *dev;
808     uint8_t buf[16];
809     uint32_t id;
810     int n;
811 
812     trace_lsi_do_command(s->dbc);
813     if (s->dbc > 16)
814         s->dbc = 16;
815     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
816     s->sfbr = buf[0];
817     s->command_complete = 0;
818 
819     id = (s->select_tag >> 8) & 0xf;
820     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
821     if (!dev) {
822         lsi_bad_selection(s, id);
823         return;
824     }
825 
826     assert(s->current == NULL);
827     s->current = g_new0(lsi_request, 1);
828     s->current->tag = s->select_tag;
829     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
830                                    s->current);
831 
832     n = scsi_req_enqueue(s->current->req);
833     if (n) {
834         if (n > 0) {
835             lsi_set_phase(s, PHASE_DI);
836         } else if (n < 0) {
837             lsi_set_phase(s, PHASE_DO);
838         }
839         scsi_req_continue(s->current->req);
840     }
841     if (!s->command_complete) {
842         if (n) {
843             /* Command did not complete immediately so disconnect.  */
844             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
845             lsi_add_msg_byte(s, 4); /* DISCONNECT */
846             /* wait data */
847             lsi_set_phase(s, PHASE_MI);
848             s->msg_action = 1;
849             lsi_queue_command(s);
850         } else {
851             /* wait command complete */
852             lsi_set_phase(s, PHASE_DI);
853         }
854     }
855 }
856 
857 static void lsi_do_status(LSIState *s)
858 {
859     uint8_t status;
860     trace_lsi_do_status(s->dbc, s->status);
861     if (s->dbc != 1) {
862         trace_lsi_do_status_error();
863     }
864     s->dbc = 1;
865     status = s->status;
866     s->sfbr = status;
867     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
868     lsi_set_phase(s, PHASE_MI);
869     s->msg_action = 1;
870     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
871 }
872 
873 static void lsi_do_msgin(LSIState *s)
874 {
875     uint8_t len;
876     trace_lsi_do_msgin(s->dbc, s->msg_len);
877     s->sfbr = s->msg[0];
878     len = s->msg_len;
879     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
880     if (len > s->dbc)
881         len = s->dbc;
882     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
883     /* Linux drivers rely on the last byte being in the SIDL.  */
884     s->sidl = s->msg[len - 1];
885     s->msg_len -= len;
886     if (s->msg_len) {
887         memmove(s->msg, s->msg + len, s->msg_len);
888     } else {
889         /* ??? Check if ATN (not yet implemented) is asserted and maybe
890            switch to PHASE_MO.  */
891         switch (s->msg_action) {
892         case 0:
893             lsi_set_phase(s, PHASE_CMD);
894             break;
895         case 1:
896             lsi_disconnect(s);
897             break;
898         case 2:
899             lsi_set_phase(s, PHASE_DO);
900             break;
901         case 3:
902             lsi_set_phase(s, PHASE_DI);
903             break;
904         default:
905             abort();
906         }
907     }
908 }
909 
910 /* Read the next byte during a MSGOUT phase.  */
911 static uint8_t lsi_get_msgbyte(LSIState *s)
912 {
913     uint8_t data;
914     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
915     s->dnad++;
916     s->dbc--;
917     return data;
918 }
919 
920 /* Skip the next n bytes during a MSGOUT phase. */
921 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
922 {
923     s->dnad += n;
924     s->dbc  -= n;
925 }
926 
927 static void lsi_do_msgout(LSIState *s)
928 {
929     uint8_t msg;
930     int len;
931     uint32_t current_tag;
932     lsi_request *current_req, *p, *p_next;
933 
934     if (s->current) {
935         current_tag = s->current->tag;
936         current_req = s->current;
937     } else {
938         current_tag = s->select_tag;
939         current_req = lsi_find_by_tag(s, current_tag);
940     }
941 
942     trace_lsi_do_msgout(s->dbc);
943     while (s->dbc) {
944         msg = lsi_get_msgbyte(s);
945         s->sfbr = msg;
946 
947         switch (msg) {
948         case 0x04:
949             trace_lsi_do_msgout_disconnect();
950             lsi_disconnect(s);
951             break;
952         case 0x08:
953             trace_lsi_do_msgout_noop();
954             lsi_set_phase(s, PHASE_CMD);
955             break;
956         case 0x01:
957             len = lsi_get_msgbyte(s);
958             msg = lsi_get_msgbyte(s);
959             (void)len; /* avoid a warning about unused variable*/
960             trace_lsi_do_msgout_extended(msg, len);
961             switch (msg) {
962             case 1:
963                 trace_lsi_do_msgout_ignored("SDTR");
964                 lsi_skip_msgbytes(s, 2);
965                 break;
966             case 3:
967                 trace_lsi_do_msgout_ignored("WDTR");
968                 lsi_skip_msgbytes(s, 1);
969                 break;
970             case 4:
971                 trace_lsi_do_msgout_ignored("PPR");
972                 lsi_skip_msgbytes(s, 5);
973                 break;
974             default:
975                 goto bad;
976             }
977             break;
978         case 0x20: /* SIMPLE queue */
979             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
980             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
981             break;
982         case 0x21: /* HEAD of queue */
983             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
984             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
985             break;
986         case 0x22: /* ORDERED queue */
987             qemu_log_mask(LOG_UNIMP,
988                           "lsi_scsi: ORDERED queue not implemented\n");
989             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
990             break;
991         case 0x0d:
992             /* The ABORT TAG message clears the current I/O process only. */
993             trace_lsi_do_msgout_abort(current_tag);
994             if (current_req) {
995                 scsi_req_cancel(current_req->req);
996             }
997             lsi_disconnect(s);
998             break;
999         case 0x06:
1000         case 0x0e:
1001         case 0x0c:
1002             /* The ABORT message clears all I/O processes for the selecting
1003                initiator on the specified logical unit of the target. */
1004             if (msg == 0x06) {
1005                 trace_lsi_do_msgout_abort(current_tag);
1006             }
1007             /* The CLEAR QUEUE message clears all I/O processes for all
1008                initiators on the specified logical unit of the target. */
1009             if (msg == 0x0e) {
1010                 trace_lsi_do_msgout_clearqueue(current_tag);
1011             }
1012             /* The BUS DEVICE RESET message clears all I/O processes for all
1013                initiators on all logical units of the target. */
1014             if (msg == 0x0c) {
1015                 trace_lsi_do_msgout_busdevicereset(current_tag);
1016             }
1017 
1018             /* clear the current I/O process */
1019             if (s->current) {
1020                 scsi_req_cancel(s->current->req);
1021             }
1022 
1023             /* As the current implemented devices scsi_disk and scsi_generic
1024                only support one LUN, we don't need to keep track of LUNs.
1025                Clearing I/O processes for other initiators could be possible
1026                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1027                device, but this is currently not implemented (and seems not
1028                to be really necessary). So let's simply clear all queued
1029                commands for the current device: */
1030             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1031                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1032                     scsi_req_cancel(p->req);
1033                 }
1034             }
1035 
1036             lsi_disconnect(s);
1037             break;
1038         default:
1039             if ((msg & 0x80) == 0) {
1040                 goto bad;
1041             }
1042             s->current_lun = msg & 7;
1043             trace_lsi_do_msgout_select(s->current_lun);
1044             lsi_set_phase(s, PHASE_CMD);
1045             break;
1046         }
1047     }
1048     return;
1049 bad:
1050     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1051     lsi_set_phase(s, PHASE_MI);
1052     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1053     s->msg_action = 0;
1054 }
1055 
1056 #define LSI_BUF_SIZE 4096
1057 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1058 {
1059     int n;
1060     uint8_t buf[LSI_BUF_SIZE];
1061 
1062     trace_lsi_memcpy(dest, src, count);
1063     while (count) {
1064         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1065         lsi_mem_read(s, src, buf, n);
1066         lsi_mem_write(s, dest, buf, n);
1067         src += n;
1068         dest += n;
1069         count -= n;
1070     }
1071 }
1072 
1073 static void lsi_wait_reselect(LSIState *s)
1074 {
1075     lsi_request *p;
1076 
1077     trace_lsi_wait_reselect();
1078 
1079     if (s->current) {
1080         return;
1081     }
1082     p = get_pending_req(s);
1083     if (p) {
1084         lsi_reselect(s, p);
1085     }
1086     if (s->current == NULL) {
1087         s->waiting = 1;
1088     }
1089 }
1090 
1091 static void lsi_execute_script(LSIState *s)
1092 {
1093     PCIDevice *pci_dev = PCI_DEVICE(s);
1094     uint32_t insn;
1095     uint32_t addr, addr_high;
1096     int opcode;
1097     int insn_processed = 0;
1098 
1099     s->istat1 |= LSI_ISTAT1_SRUN;
1100 again:
1101     insn_processed++;
1102     insn = read_dword(s, s->dsp);
1103     if (!insn) {
1104         /* If we receive an empty opcode increment the DSP by 4 bytes
1105            instead of 8 and execute the next opcode at that location */
1106         s->dsp += 4;
1107         goto again;
1108     }
1109     addr = read_dword(s, s->dsp + 4);
1110     addr_high = 0;
1111     trace_lsi_execute_script(s->dsp, insn, addr);
1112     s->dsps = addr;
1113     s->dcmd = insn >> 24;
1114     s->dsp += 8;
1115     switch (insn >> 30) {
1116     case 0: /* Block move.  */
1117         if (s->sist1 & LSI_SIST1_STO) {
1118             trace_lsi_execute_script_blockmove_delayed();
1119             lsi_stop_script(s);
1120             break;
1121         }
1122         s->dbc = insn & 0xffffff;
1123         s->rbc = s->dbc;
1124         /* ??? Set ESA.  */
1125         s->ia = s->dsp - 8;
1126         if (insn & (1 << 29)) {
1127             /* Indirect addressing.  */
1128             addr = read_dword(s, addr);
1129         } else if (insn & (1 << 28)) {
1130             uint32_t buf[2];
1131             int32_t offset;
1132             /* Table indirect addressing.  */
1133 
1134             /* 32-bit Table indirect */
1135             offset = sextract32(addr, 0, 24);
1136             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1137             /* byte count is stored in bits 0:23 only */
1138             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1139             s->rbc = s->dbc;
1140             addr = cpu_to_le32(buf[1]);
1141 
1142             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1143              * table, bits [31:24] */
1144             if (lsi_dma_40bit(s))
1145                 addr_high = cpu_to_le32(buf[0]) >> 24;
1146             else if (lsi_dma_ti64bit(s)) {
1147                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1148                 switch (selector) {
1149                 case 0 ... 0x0f:
1150                     /* offset index into scratch registers since
1151                      * TI64 mode can use registers C to R */
1152                     addr_high = s->scratch[2 + selector];
1153                     break;
1154                 case 0x10:
1155                     addr_high = s->mmrs;
1156                     break;
1157                 case 0x11:
1158                     addr_high = s->mmws;
1159                     break;
1160                 case 0x12:
1161                     addr_high = s->sfs;
1162                     break;
1163                 case 0x13:
1164                     addr_high = s->drs;
1165                     break;
1166                 case 0x14:
1167                     addr_high = s->sbms;
1168                     break;
1169                 case 0x15:
1170                     addr_high = s->dbms;
1171                     break;
1172                 default:
1173                     qemu_log_mask(LOG_GUEST_ERROR,
1174                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1175                           "for 64-bit DMA block move", selector);
1176                     break;
1177                 }
1178             }
1179         } else if (lsi_dma_64bit(s)) {
1180             /* fetch a 3rd dword if 64-bit direct move is enabled and
1181                only if we're not doing table indirect or indirect addressing */
1182             s->dbms = read_dword(s, s->dsp);
1183             s->dsp += 4;
1184             s->ia = s->dsp - 12;
1185         }
1186         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1187             trace_lsi_execute_script_blockmove_badphase(s->sstat1 & PHASE_MASK,
1188                                                         (insn >> 24) & 7);
1189             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1190             break;
1191         }
1192         s->dnad = addr;
1193         s->dnad64 = addr_high;
1194         switch (s->sstat1 & 0x7) {
1195         case PHASE_DO:
1196             s->waiting = 2;
1197             lsi_do_dma(s, 1);
1198             if (s->waiting)
1199                 s->waiting = 3;
1200             break;
1201         case PHASE_DI:
1202             s->waiting = 2;
1203             lsi_do_dma(s, 0);
1204             if (s->waiting)
1205                 s->waiting = 3;
1206             break;
1207         case PHASE_CMD:
1208             lsi_do_command(s);
1209             break;
1210         case PHASE_ST:
1211             lsi_do_status(s);
1212             break;
1213         case PHASE_MO:
1214             lsi_do_msgout(s);
1215             break;
1216         case PHASE_MI:
1217             lsi_do_msgin(s);
1218             break;
1219         default:
1220             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %d\n",
1221                           s->sstat1 & PHASE_MASK);
1222         }
1223         s->dfifo = s->dbc & 0xff;
1224         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1225         s->sbc = s->dbc;
1226         s->rbc -= s->dbc;
1227         s->ua = addr + s->dbc;
1228         break;
1229 
1230     case 1: /* IO or Read/Write instruction.  */
1231         opcode = (insn >> 27) & 7;
1232         if (opcode < 5) {
1233             uint32_t id;
1234 
1235             if (insn & (1 << 25)) {
1236                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1237             } else {
1238                 id = insn;
1239             }
1240             id = (id >> 16) & 0xf;
1241             if (insn & (1 << 26)) {
1242                 addr = s->dsp + sextract32(addr, 0, 24);
1243             }
1244             s->dnad = addr;
1245             switch (opcode) {
1246             case 0: /* Select */
1247                 s->sdid = id;
1248                 if (s->scntl1 & LSI_SCNTL1_CON) {
1249                     trace_lsi_execute_script_io_alreadyreselected();
1250                     s->dsp = s->dnad;
1251                     break;
1252                 }
1253                 s->sstat0 |= LSI_SSTAT0_WOA;
1254                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1255                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1256                     lsi_bad_selection(s, id);
1257                     break;
1258                 }
1259                 trace_lsi_execute_script_io_selected(id,
1260                                              insn & (1 << 3) ? " ATN" : "");
1261                 /* ??? Linux drivers compain when this is set.  Maybe
1262                    it only applies in low-level mode (unimplemented).
1263                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1264                 s->select_tag = id << 8;
1265                 s->scntl1 |= LSI_SCNTL1_CON;
1266                 if (insn & (1 << 3)) {
1267                     s->socl |= LSI_SOCL_ATN;
1268                 }
1269                 lsi_set_phase(s, PHASE_MO);
1270                 break;
1271             case 1: /* Disconnect */
1272                 trace_lsi_execute_script_io_disconnect();
1273                 s->scntl1 &= ~LSI_SCNTL1_CON;
1274                 /* FIXME: this is not entirely correct; the target need not ask
1275                  * for reselection until it has to send data, while here we force a
1276                  * reselection as soon as the bus is free.  The correct flow would
1277                  * reselect before lsi_transfer_data and disconnect as soon as
1278                  * DMA ends.
1279                  */
1280                 if (!s->current) {
1281                     lsi_request *p = get_pending_req(s);
1282                     if (p) {
1283                         lsi_reselect(s, p);
1284                     }
1285                 }
1286                 break;
1287             case 2: /* Wait Reselect */
1288                 if (!lsi_irq_on_rsl(s)) {
1289                     lsi_wait_reselect(s);
1290                 }
1291                 break;
1292             case 3: /* Set */
1293                 trace_lsi_execute_script_io_set(
1294                         insn & (1 << 3) ? " ATN" : "",
1295                         insn & (1 << 6) ? " ACK" : "",
1296                         insn & (1 << 9) ? " TM" : "",
1297                         insn & (1 << 10) ? " CC" : "");
1298                 if (insn & (1 << 3)) {
1299                     s->socl |= LSI_SOCL_ATN;
1300                     lsi_set_phase(s, PHASE_MO);
1301                 }
1302                 if (insn & (1 << 9)) {
1303                     qemu_log_mask(LOG_UNIMP,
1304                         "lsi_scsi: Target mode not implemented\n");
1305                 }
1306                 if (insn & (1 << 10))
1307                     s->carry = 1;
1308                 break;
1309             case 4: /* Clear */
1310                 trace_lsi_execute_script_io_clear(
1311                         insn & (1 << 3) ? " ATN" : "",
1312                         insn & (1 << 6) ? " ACK" : "",
1313                         insn & (1 << 9) ? " TM" : "",
1314                         insn & (1 << 10) ? " CC" : "");
1315                 if (insn & (1 << 3)) {
1316                     s->socl &= ~LSI_SOCL_ATN;
1317                 }
1318                 if (insn & (1 << 10))
1319                     s->carry = 0;
1320                 break;
1321             }
1322         } else {
1323             uint8_t op0;
1324             uint8_t op1;
1325             uint8_t data8;
1326             int reg;
1327             int operator;
1328 
1329             static const char *opcode_names[3] =
1330                 {"Write", "Read", "Read-Modify-Write"};
1331             static const char *operator_names[8] =
1332                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1333 
1334             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1335             data8 = (insn >> 8) & 0xff;
1336             opcode = (insn >> 27) & 7;
1337             operator = (insn >> 24) & 7;
1338             trace_lsi_execute_script_io_opcode(
1339                     opcode_names[opcode - 5], reg,
1340                     operator_names[operator], data8, s->sfbr,
1341                     (insn & (1 << 23)) ? " SFBR" : "");
1342             op0 = op1 = 0;
1343             switch (opcode) {
1344             case 5: /* From SFBR */
1345                 op0 = s->sfbr;
1346                 op1 = data8;
1347                 break;
1348             case 6: /* To SFBR */
1349                 if (operator)
1350                     op0 = lsi_reg_readb(s, reg);
1351                 op1 = data8;
1352                 break;
1353             case 7: /* Read-modify-write */
1354                 if (operator)
1355                     op0 = lsi_reg_readb(s, reg);
1356                 if (insn & (1 << 23)) {
1357                     op1 = s->sfbr;
1358                 } else {
1359                     op1 = data8;
1360                 }
1361                 break;
1362             }
1363 
1364             switch (operator) {
1365             case 0: /* move */
1366                 op0 = op1;
1367                 break;
1368             case 1: /* Shift left */
1369                 op1 = op0 >> 7;
1370                 op0 = (op0 << 1) | s->carry;
1371                 s->carry = op1;
1372                 break;
1373             case 2: /* OR */
1374                 op0 |= op1;
1375                 break;
1376             case 3: /* XOR */
1377                 op0 ^= op1;
1378                 break;
1379             case 4: /* AND */
1380                 op0 &= op1;
1381                 break;
1382             case 5: /* SHR */
1383                 op1 = op0 & 1;
1384                 op0 = (op0 >> 1) | (s->carry << 7);
1385                 s->carry = op1;
1386                 break;
1387             case 6: /* ADD */
1388                 op0 += op1;
1389                 s->carry = op0 < op1;
1390                 break;
1391             case 7: /* ADC */
1392                 op0 += op1 + s->carry;
1393                 if (s->carry)
1394                     s->carry = op0 <= op1;
1395                 else
1396                     s->carry = op0 < op1;
1397                 break;
1398             }
1399 
1400             switch (opcode) {
1401             case 5: /* From SFBR */
1402             case 7: /* Read-modify-write */
1403                 lsi_reg_writeb(s, reg, op0);
1404                 break;
1405             case 6: /* To SFBR */
1406                 s->sfbr = op0;
1407                 break;
1408             }
1409         }
1410         break;
1411 
1412     case 2: /* Transfer Control.  */
1413         {
1414             int cond;
1415             int jmp;
1416 
1417             if ((insn & 0x002e0000) == 0) {
1418                 trace_lsi_execute_script_tc_nop();
1419                 break;
1420             }
1421             if (s->sist1 & LSI_SIST1_STO) {
1422                 trace_lsi_execute_script_tc_delayedselect_timeout();
1423                 lsi_stop_script(s);
1424                 break;
1425             }
1426             cond = jmp = (insn & (1 << 19)) != 0;
1427             if (cond == jmp && (insn & (1 << 21))) {
1428                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1429                 cond = s->carry != 0;
1430             }
1431             if (cond == jmp && (insn & (1 << 17))) {
1432                 trace_lsi_execute_script_tc_compp(
1433                         (s->sstat1 & PHASE_MASK),
1434                         jmp ? '=' : '!',
1435                         ((insn >> 24) & 7));
1436                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1437             }
1438             if (cond == jmp && (insn & (1 << 18))) {
1439                 uint8_t mask;
1440 
1441                 mask = (~insn >> 8) & 0xff;
1442                 trace_lsi_execute_script_tc_compd(
1443                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1444                 cond = (s->sfbr & mask) == (insn & mask);
1445             }
1446             if (cond == jmp) {
1447                 if (insn & (1 << 23)) {
1448                     /* Relative address.  */
1449                     addr = s->dsp + sextract32(addr, 0, 24);
1450                 }
1451                 switch ((insn >> 27) & 7) {
1452                 case 0: /* Jump */
1453                     trace_lsi_execute_script_tc_jump(addr);
1454                     s->adder = addr;
1455                     s->dsp = addr;
1456                     break;
1457                 case 1: /* Call */
1458                     trace_lsi_execute_script_tc_call(addr);
1459                     s->temp = s->dsp;
1460                     s->dsp = addr;
1461                     break;
1462                 case 2: /* Return */
1463                     trace_lsi_execute_script_tc_return(s->temp);
1464                     s->dsp = s->temp;
1465                     break;
1466                 case 3: /* Interrupt */
1467                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1468                     if ((insn & (1 << 20)) != 0) {
1469                         s->istat0 |= LSI_ISTAT0_INTF;
1470                         lsi_update_irq(s);
1471                     } else {
1472                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1473                     }
1474                     break;
1475                 default:
1476                     trace_lsi_execute_script_tc_illegal();
1477                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1478                     break;
1479                 }
1480             } else {
1481                 trace_lsi_execute_script_tc_cc_failed();
1482             }
1483         }
1484         break;
1485 
1486     case 3:
1487         if ((insn & (1 << 29)) == 0) {
1488             /* Memory move.  */
1489             uint32_t dest;
1490             /* ??? The docs imply the destination address is loaded into
1491                the TEMP register.  However the Linux drivers rely on
1492                the value being presrved.  */
1493             dest = read_dword(s, s->dsp);
1494             s->dsp += 4;
1495             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1496         } else {
1497             uint8_t data[7];
1498             int reg;
1499             int n;
1500             int i;
1501 
1502             if (insn & (1 << 28)) {
1503                 addr = s->dsa + sextract32(addr, 0, 24);
1504             }
1505             n = (insn & 7);
1506             reg = (insn >> 16) & 0xff;
1507             if (insn & (1 << 24)) {
1508                 pci_dma_read(pci_dev, addr, data, n);
1509                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1510                 for (i = 0; i < n; i++) {
1511                     lsi_reg_writeb(s, reg + i, data[i]);
1512                 }
1513             } else {
1514                 trace_lsi_execute_script_mm_store(reg, n, addr);
1515                 for (i = 0; i < n; i++) {
1516                     data[i] = lsi_reg_readb(s, reg + i);
1517                 }
1518                 pci_dma_write(pci_dev, addr, data, n);
1519             }
1520         }
1521     }
1522     if (insn_processed > 10000 && !s->waiting) {
1523         /* Some windows drivers make the device spin waiting for a memory
1524            location to change.  If we have been executed a lot of code then
1525            assume this is the case and force an unexpected device disconnect.
1526            This is apparently sufficient to beat the drivers into submission.
1527          */
1528         if (!(s->sien0 & LSI_SIST0_UDC)) {
1529             qemu_log_mask(LOG_GUEST_ERROR,
1530                           "lsi_scsi: inf. loop with UDC masked");
1531         }
1532         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1533         lsi_disconnect(s);
1534     } else if (s->istat1 & LSI_ISTAT1_SRUN && !s->waiting) {
1535         if (s->dcntl & LSI_DCNTL_SSM) {
1536             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1537         } else {
1538             goto again;
1539         }
1540     }
1541     trace_lsi_execute_script_stop();
1542 }
1543 
1544 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1545 {
1546     uint8_t ret;
1547 
1548 #define CASE_GET_REG24(name, addr) \
1549     case addr: ret = s->name & 0xff; break; \
1550     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1551     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1552 
1553 #define CASE_GET_REG32(name, addr) \
1554     case addr: ret = s->name & 0xff; break; \
1555     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1556     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1557     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1558 
1559     switch (offset) {
1560     case 0x00: /* SCNTL0 */
1561         ret = s->scntl0;
1562         break;
1563     case 0x01: /* SCNTL1 */
1564         ret = s->scntl1;
1565         break;
1566     case 0x02: /* SCNTL2 */
1567         ret = s->scntl2;
1568         break;
1569     case 0x03: /* SCNTL3 */
1570         ret = s->scntl3;
1571         break;
1572     case 0x04: /* SCID */
1573         ret = s->scid;
1574         break;
1575     case 0x05: /* SXFER */
1576         ret = s->sxfer;
1577         break;
1578     case 0x06: /* SDID */
1579         ret = s->sdid;
1580         break;
1581     case 0x07: /* GPREG0 */
1582         ret = 0x7f;
1583         break;
1584     case 0x08: /* Revision ID */
1585         ret = 0x00;
1586         break;
1587     case 0x09: /* SOCL */
1588         ret = s->socl;
1589         break;
1590     case 0xa: /* SSID */
1591         ret = s->ssid;
1592         break;
1593     case 0xb: /* SBCL */
1594         /* ??? This is not correct. However it's (hopefully) only
1595            used for diagnostics, so should be ok.  */
1596         ret = 0;
1597         break;
1598     case 0xc: /* DSTAT */
1599         ret = s->dstat | LSI_DSTAT_DFE;
1600         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1601             s->dstat = 0;
1602         lsi_update_irq(s);
1603         break;
1604     case 0x0d: /* SSTAT0 */
1605         ret = s->sstat0;
1606         break;
1607     case 0x0e: /* SSTAT1 */
1608         ret = s->sstat1;
1609         break;
1610     case 0x0f: /* SSTAT2 */
1611         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1612         break;
1613     CASE_GET_REG32(dsa, 0x10)
1614     case 0x14: /* ISTAT0 */
1615         ret = s->istat0;
1616         break;
1617     case 0x15: /* ISTAT1 */
1618         ret = s->istat1;
1619         break;
1620     case 0x16: /* MBOX0 */
1621         ret = s->mbox0;
1622         break;
1623     case 0x17: /* MBOX1 */
1624         ret = s->mbox1;
1625         break;
1626     case 0x18: /* CTEST0 */
1627         ret = 0xff;
1628         break;
1629     case 0x19: /* CTEST1 */
1630         ret = 0;
1631         break;
1632     case 0x1a: /* CTEST2 */
1633         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1634         if (s->istat0 & LSI_ISTAT0_SIGP) {
1635             s->istat0 &= ~LSI_ISTAT0_SIGP;
1636             ret |= LSI_CTEST2_SIGP;
1637         }
1638         break;
1639     case 0x1b: /* CTEST3 */
1640         ret = s->ctest3;
1641         break;
1642     CASE_GET_REG32(temp, 0x1c)
1643     case 0x20: /* DFIFO */
1644         ret = 0;
1645         break;
1646     case 0x21: /* CTEST4 */
1647         ret = s->ctest4;
1648         break;
1649     case 0x22: /* CTEST5 */
1650         ret = s->ctest5;
1651         break;
1652     case 0x23: /* CTEST6 */
1653         ret = 0;
1654         break;
1655     CASE_GET_REG24(dbc, 0x24)
1656     case 0x27: /* DCMD */
1657         ret = s->dcmd;
1658         break;
1659     CASE_GET_REG32(dnad, 0x28)
1660     CASE_GET_REG32(dsp, 0x2c)
1661     CASE_GET_REG32(dsps, 0x30)
1662     CASE_GET_REG32(scratch[0], 0x34)
1663     case 0x38: /* DMODE */
1664         ret = s->dmode;
1665         break;
1666     case 0x39: /* DIEN */
1667         ret = s->dien;
1668         break;
1669     case 0x3a: /* SBR */
1670         ret = s->sbr;
1671         break;
1672     case 0x3b: /* DCNTL */
1673         ret = s->dcntl;
1674         break;
1675     /* ADDER Output (Debug of relative jump address) */
1676     CASE_GET_REG32(adder, 0x3c)
1677     case 0x40: /* SIEN0 */
1678         ret = s->sien0;
1679         break;
1680     case 0x41: /* SIEN1 */
1681         ret = s->sien1;
1682         break;
1683     case 0x42: /* SIST0 */
1684         ret = s->sist0;
1685         s->sist0 = 0;
1686         lsi_update_irq(s);
1687         break;
1688     case 0x43: /* SIST1 */
1689         ret = s->sist1;
1690         s->sist1 = 0;
1691         lsi_update_irq(s);
1692         break;
1693     case 0x46: /* MACNTL */
1694         ret = 0x0f;
1695         break;
1696     case 0x47: /* GPCNTL0 */
1697         ret = 0x0f;
1698         break;
1699     case 0x48: /* STIME0 */
1700         ret = s->stime0;
1701         break;
1702     case 0x4a: /* RESPID0 */
1703         ret = s->respid0;
1704         break;
1705     case 0x4b: /* RESPID1 */
1706         ret = s->respid1;
1707         break;
1708     case 0x4d: /* STEST1 */
1709         ret = s->stest1;
1710         break;
1711     case 0x4e: /* STEST2 */
1712         ret = s->stest2;
1713         break;
1714     case 0x4f: /* STEST3 */
1715         ret = s->stest3;
1716         break;
1717     case 0x50: /* SIDL */
1718         /* This is needed by the linux drivers.  We currently only update it
1719            during the MSG IN phase.  */
1720         ret = s->sidl;
1721         break;
1722     case 0x52: /* STEST4 */
1723         ret = 0xe0;
1724         break;
1725     case 0x56: /* CCNTL0 */
1726         ret = s->ccntl0;
1727         break;
1728     case 0x57: /* CCNTL1 */
1729         ret = s->ccntl1;
1730         break;
1731     case 0x58: /* SBDL */
1732         /* Some drivers peek at the data bus during the MSG IN phase.  */
1733         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1734             assert(s->msg_len > 0);
1735             return s->msg[0];
1736         }
1737         ret = 0;
1738         break;
1739     case 0x59: /* SBDL high */
1740         ret = 0;
1741         break;
1742     CASE_GET_REG32(mmrs, 0xa0)
1743     CASE_GET_REG32(mmws, 0xa4)
1744     CASE_GET_REG32(sfs, 0xa8)
1745     CASE_GET_REG32(drs, 0xac)
1746     CASE_GET_REG32(sbms, 0xb0)
1747     CASE_GET_REG32(dbms, 0xb4)
1748     CASE_GET_REG32(dnad64, 0xb8)
1749     CASE_GET_REG32(pmjad1, 0xc0)
1750     CASE_GET_REG32(pmjad2, 0xc4)
1751     CASE_GET_REG32(rbc, 0xc8)
1752     CASE_GET_REG32(ua, 0xcc)
1753     CASE_GET_REG32(ia, 0xd4)
1754     CASE_GET_REG32(sbc, 0xd8)
1755     CASE_GET_REG32(csbc, 0xdc)
1756     case 0x5c ... 0x9f:
1757     {
1758         int n;
1759         int shift;
1760         n = (offset - 0x58) >> 2;
1761         shift = (offset & 3) * 8;
1762         ret = (s->scratch[n] >> shift) & 0xff;
1763         break;
1764     }
1765     default:
1766     {
1767         qemu_log_mask(LOG_GUEST_ERROR,
1768                       "lsi_scsi: invalid read from reg %s %x\n",
1769                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1770                       offset);
1771         ret = 0xff;
1772         break;
1773     }
1774     }
1775 #undef CASE_GET_REG24
1776 #undef CASE_GET_REG32
1777 
1778     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1779                        offset, ret);
1780 
1781     return ret;
1782 }
1783 
1784 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1785 {
1786 #define CASE_SET_REG24(name, addr) \
1787     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1788     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1789     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1790 
1791 #define CASE_SET_REG32(name, addr) \
1792     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1793     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1794     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1795     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1796 
1797     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1798                         offset, val);
1799 
1800     switch (offset) {
1801     case 0x00: /* SCNTL0 */
1802         s->scntl0 = val;
1803         if (val & LSI_SCNTL0_START) {
1804             qemu_log_mask(LOG_UNIMP,
1805                           "lsi_scsi: Start sequence not implemented\n");
1806         }
1807         break;
1808     case 0x01: /* SCNTL1 */
1809         s->scntl1 = val & ~LSI_SCNTL1_SST;
1810         if (val & LSI_SCNTL1_IARB) {
1811             qemu_log_mask(LOG_UNIMP,
1812                       "lsi_scsi: Immediate Arbritration not implemented\n");
1813         }
1814         if (val & LSI_SCNTL1_RST) {
1815             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1816                 qbus_reset_all(&s->bus.qbus);
1817                 s->sstat0 |= LSI_SSTAT0_RST;
1818                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1819             }
1820         } else {
1821             s->sstat0 &= ~LSI_SSTAT0_RST;
1822         }
1823         break;
1824     case 0x02: /* SCNTL2 */
1825         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1826         s->scntl2 = val;
1827         break;
1828     case 0x03: /* SCNTL3 */
1829         s->scntl3 = val;
1830         break;
1831     case 0x04: /* SCID */
1832         s->scid = val;
1833         break;
1834     case 0x05: /* SXFER */
1835         s->sxfer = val;
1836         break;
1837     case 0x06: /* SDID */
1838         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1839             qemu_log_mask(LOG_GUEST_ERROR,
1840                           "lsi_scsi: Destination ID does not match SSID\n");
1841         }
1842         s->sdid = val & 0xf;
1843         break;
1844     case 0x07: /* GPREG0 */
1845         break;
1846     case 0x08: /* SFBR */
1847         /* The CPU is not allowed to write to this register.  However the
1848            SCRIPTS register move instructions are.  */
1849         s->sfbr = val;
1850         break;
1851     case 0x0a: case 0x0b:
1852         /* Openserver writes to these readonly registers on startup */
1853         return;
1854     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1855         /* Linux writes to these readonly registers on startup.  */
1856         return;
1857     CASE_SET_REG32(dsa, 0x10)
1858     case 0x14: /* ISTAT0 */
1859         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1860         if (val & LSI_ISTAT0_ABRT) {
1861             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1862         }
1863         if (val & LSI_ISTAT0_INTF) {
1864             s->istat0 &= ~LSI_ISTAT0_INTF;
1865             lsi_update_irq(s);
1866         }
1867         if (s->waiting == 1 && val & LSI_ISTAT0_SIGP) {
1868             trace_lsi_awoken();
1869             s->waiting = 0;
1870             s->dsp = s->dnad;
1871             lsi_execute_script(s);
1872         }
1873         if (val & LSI_ISTAT0_SRST) {
1874             qdev_reset_all(DEVICE(s));
1875         }
1876         break;
1877     case 0x16: /* MBOX0 */
1878         s->mbox0 = val;
1879         break;
1880     case 0x17: /* MBOX1 */
1881         s->mbox1 = val;
1882         break;
1883     case 0x18: /* CTEST0 */
1884         /* nothing to do */
1885         break;
1886     case 0x1a: /* CTEST2 */
1887         s->ctest2 = val & LSI_CTEST2_PCICIE;
1888         break;
1889     case 0x1b: /* CTEST3 */
1890         s->ctest3 = val & 0x0f;
1891         break;
1892     CASE_SET_REG32(temp, 0x1c)
1893     case 0x21: /* CTEST4 */
1894         if (val & 7) {
1895             qemu_log_mask(LOG_UNIMP,
1896                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1897         }
1898         s->ctest4 = val;
1899         break;
1900     case 0x22: /* CTEST5 */
1901         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1902             qemu_log_mask(LOG_UNIMP,
1903                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1904         }
1905         s->ctest5 = val;
1906         break;
1907     CASE_SET_REG24(dbc, 0x24)
1908     CASE_SET_REG32(dnad, 0x28)
1909     case 0x2c: /* DSP[0:7] */
1910         s->dsp &= 0xffffff00;
1911         s->dsp |= val;
1912         break;
1913     case 0x2d: /* DSP[8:15] */
1914         s->dsp &= 0xffff00ff;
1915         s->dsp |= val << 8;
1916         break;
1917     case 0x2e: /* DSP[16:23] */
1918         s->dsp &= 0xff00ffff;
1919         s->dsp |= val << 16;
1920         break;
1921     case 0x2f: /* DSP[24:31] */
1922         s->dsp &= 0x00ffffff;
1923         s->dsp |= val << 24;
1924         if ((s->dmode & LSI_DMODE_MAN) == 0
1925             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1926             lsi_execute_script(s);
1927         break;
1928     CASE_SET_REG32(dsps, 0x30)
1929     CASE_SET_REG32(scratch[0], 0x34)
1930     case 0x38: /* DMODE */
1931         s->dmode = val;
1932         break;
1933     case 0x39: /* DIEN */
1934         s->dien = val;
1935         lsi_update_irq(s);
1936         break;
1937     case 0x3a: /* SBR */
1938         s->sbr = val;
1939         break;
1940     case 0x3b: /* DCNTL */
1941         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
1942         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1943             lsi_execute_script(s);
1944         break;
1945     case 0x40: /* SIEN0 */
1946         s->sien0 = val;
1947         lsi_update_irq(s);
1948         break;
1949     case 0x41: /* SIEN1 */
1950         s->sien1 = val;
1951         lsi_update_irq(s);
1952         break;
1953     case 0x47: /* GPCNTL0 */
1954         break;
1955     case 0x48: /* STIME0 */
1956         s->stime0 = val;
1957         break;
1958     case 0x49: /* STIME1 */
1959         if (val & 0xf) {
1960             qemu_log_mask(LOG_UNIMP,
1961                           "lsi_scsi: General purpose timer not implemented\n");
1962             /* ??? Raising the interrupt immediately seems to be sufficient
1963                to keep the FreeBSD driver happy.  */
1964             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
1965         }
1966         break;
1967     case 0x4a: /* RESPID0 */
1968         s->respid0 = val;
1969         break;
1970     case 0x4b: /* RESPID1 */
1971         s->respid1 = val;
1972         break;
1973     case 0x4d: /* STEST1 */
1974         s->stest1 = val;
1975         break;
1976     case 0x4e: /* STEST2 */
1977         if (val & 1) {
1978             qemu_log_mask(LOG_UNIMP,
1979                           "lsi_scsi: Low level mode not implemented\n");
1980         }
1981         s->stest2 = val;
1982         break;
1983     case 0x4f: /* STEST3 */
1984         if (val & 0x41) {
1985             qemu_log_mask(LOG_UNIMP,
1986                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
1987         }
1988         s->stest3 = val;
1989         break;
1990     case 0x56: /* CCNTL0 */
1991         s->ccntl0 = val;
1992         break;
1993     case 0x57: /* CCNTL1 */
1994         s->ccntl1 = val;
1995         break;
1996     CASE_SET_REG32(mmrs, 0xa0)
1997     CASE_SET_REG32(mmws, 0xa4)
1998     CASE_SET_REG32(sfs, 0xa8)
1999     CASE_SET_REG32(drs, 0xac)
2000     CASE_SET_REG32(sbms, 0xb0)
2001     CASE_SET_REG32(dbms, 0xb4)
2002     CASE_SET_REG32(dnad64, 0xb8)
2003     CASE_SET_REG32(pmjad1, 0xc0)
2004     CASE_SET_REG32(pmjad2, 0xc4)
2005     CASE_SET_REG32(rbc, 0xc8)
2006     CASE_SET_REG32(ua, 0xcc)
2007     CASE_SET_REG32(ia, 0xd4)
2008     CASE_SET_REG32(sbc, 0xd8)
2009     CASE_SET_REG32(csbc, 0xdc)
2010     default:
2011         if (offset >= 0x5c && offset < 0xa0) {
2012             int n;
2013             int shift;
2014             n = (offset - 0x58) >> 2;
2015             shift = (offset & 3) * 8;
2016             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2017         } else {
2018             qemu_log_mask(LOG_GUEST_ERROR,
2019                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2020                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2021                           offset, val);
2022         }
2023     }
2024 #undef CASE_SET_REG24
2025 #undef CASE_SET_REG32
2026 }
2027 
2028 static void lsi_mmio_write(void *opaque, hwaddr addr,
2029                            uint64_t val, unsigned size)
2030 {
2031     LSIState *s = opaque;
2032 
2033     lsi_reg_writeb(s, addr & 0xff, val);
2034 }
2035 
2036 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2037                               unsigned size)
2038 {
2039     LSIState *s = opaque;
2040 
2041     return lsi_reg_readb(s, addr & 0xff);
2042 }
2043 
2044 static const MemoryRegionOps lsi_mmio_ops = {
2045     .read = lsi_mmio_read,
2046     .write = lsi_mmio_write,
2047     .endianness = DEVICE_NATIVE_ENDIAN,
2048     .impl = {
2049         .min_access_size = 1,
2050         .max_access_size = 1,
2051     },
2052 };
2053 
2054 static void lsi_ram_write(void *opaque, hwaddr addr,
2055                           uint64_t val, unsigned size)
2056 {
2057     LSIState *s = opaque;
2058     uint32_t newval;
2059     uint32_t mask;
2060     int shift;
2061 
2062     newval = s->script_ram[addr >> 2];
2063     shift = (addr & 3) * 8;
2064     mask = ((uint64_t)1 << (size * 8)) - 1;
2065     newval &= ~(mask << shift);
2066     newval |= val << shift;
2067     s->script_ram[addr >> 2] = newval;
2068 }
2069 
2070 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2071                              unsigned size)
2072 {
2073     LSIState *s = opaque;
2074     uint32_t val;
2075     uint32_t mask;
2076 
2077     val = s->script_ram[addr >> 2];
2078     mask = ((uint64_t)1 << (size * 8)) - 1;
2079     val >>= (addr & 3) * 8;
2080     return val & mask;
2081 }
2082 
2083 static const MemoryRegionOps lsi_ram_ops = {
2084     .read = lsi_ram_read,
2085     .write = lsi_ram_write,
2086     .endianness = DEVICE_NATIVE_ENDIAN,
2087 };
2088 
2089 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2090                             unsigned size)
2091 {
2092     LSIState *s = opaque;
2093     return lsi_reg_readb(s, addr & 0xff);
2094 }
2095 
2096 static void lsi_io_write(void *opaque, hwaddr addr,
2097                          uint64_t val, unsigned size)
2098 {
2099     LSIState *s = opaque;
2100     lsi_reg_writeb(s, addr & 0xff, val);
2101 }
2102 
2103 static const MemoryRegionOps lsi_io_ops = {
2104     .read = lsi_io_read,
2105     .write = lsi_io_write,
2106     .endianness = DEVICE_NATIVE_ENDIAN,
2107     .impl = {
2108         .min_access_size = 1,
2109         .max_access_size = 1,
2110     },
2111 };
2112 
2113 static void lsi_scsi_reset(DeviceState *dev)
2114 {
2115     LSIState *s = LSI53C895A(dev);
2116 
2117     lsi_soft_reset(s);
2118 }
2119 
2120 static int lsi_pre_save(void *opaque)
2121 {
2122     LSIState *s = opaque;
2123 
2124     if (s->current) {
2125         assert(s->current->dma_buf == NULL);
2126         assert(s->current->dma_len == 0);
2127     }
2128     assert(QTAILQ_EMPTY(&s->queue));
2129 
2130     return 0;
2131 }
2132 
2133 static int lsi_post_load(void *opaque, int version_id)
2134 {
2135     LSIState *s = opaque;
2136 
2137     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2138         return -EINVAL;
2139     }
2140 
2141     return 0;
2142 }
2143 
2144 static const VMStateDescription vmstate_lsi_scsi = {
2145     .name = "lsiscsi",
2146     .version_id = 0,
2147     .minimum_version_id = 0,
2148     .pre_save = lsi_pre_save,
2149     .post_load = lsi_post_load,
2150     .fields = (VMStateField[]) {
2151         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2152 
2153         VMSTATE_INT32(carry, LSIState),
2154         VMSTATE_INT32(status, LSIState),
2155         VMSTATE_INT32(msg_action, LSIState),
2156         VMSTATE_INT32(msg_len, LSIState),
2157         VMSTATE_BUFFER(msg, LSIState),
2158         VMSTATE_INT32(waiting, LSIState),
2159 
2160         VMSTATE_UINT32(dsa, LSIState),
2161         VMSTATE_UINT32(temp, LSIState),
2162         VMSTATE_UINT32(dnad, LSIState),
2163         VMSTATE_UINT32(dbc, LSIState),
2164         VMSTATE_UINT8(istat0, LSIState),
2165         VMSTATE_UINT8(istat1, LSIState),
2166         VMSTATE_UINT8(dcmd, LSIState),
2167         VMSTATE_UINT8(dstat, LSIState),
2168         VMSTATE_UINT8(dien, LSIState),
2169         VMSTATE_UINT8(sist0, LSIState),
2170         VMSTATE_UINT8(sist1, LSIState),
2171         VMSTATE_UINT8(sien0, LSIState),
2172         VMSTATE_UINT8(sien1, LSIState),
2173         VMSTATE_UINT8(mbox0, LSIState),
2174         VMSTATE_UINT8(mbox1, LSIState),
2175         VMSTATE_UINT8(dfifo, LSIState),
2176         VMSTATE_UINT8(ctest2, LSIState),
2177         VMSTATE_UINT8(ctest3, LSIState),
2178         VMSTATE_UINT8(ctest4, LSIState),
2179         VMSTATE_UINT8(ctest5, LSIState),
2180         VMSTATE_UINT8(ccntl0, LSIState),
2181         VMSTATE_UINT8(ccntl1, LSIState),
2182         VMSTATE_UINT32(dsp, LSIState),
2183         VMSTATE_UINT32(dsps, LSIState),
2184         VMSTATE_UINT8(dmode, LSIState),
2185         VMSTATE_UINT8(dcntl, LSIState),
2186         VMSTATE_UINT8(scntl0, LSIState),
2187         VMSTATE_UINT8(scntl1, LSIState),
2188         VMSTATE_UINT8(scntl2, LSIState),
2189         VMSTATE_UINT8(scntl3, LSIState),
2190         VMSTATE_UINT8(sstat0, LSIState),
2191         VMSTATE_UINT8(sstat1, LSIState),
2192         VMSTATE_UINT8(scid, LSIState),
2193         VMSTATE_UINT8(sxfer, LSIState),
2194         VMSTATE_UINT8(socl, LSIState),
2195         VMSTATE_UINT8(sdid, LSIState),
2196         VMSTATE_UINT8(ssid, LSIState),
2197         VMSTATE_UINT8(sfbr, LSIState),
2198         VMSTATE_UINT8(stest1, LSIState),
2199         VMSTATE_UINT8(stest2, LSIState),
2200         VMSTATE_UINT8(stest3, LSIState),
2201         VMSTATE_UINT8(sidl, LSIState),
2202         VMSTATE_UINT8(stime0, LSIState),
2203         VMSTATE_UINT8(respid0, LSIState),
2204         VMSTATE_UINT8(respid1, LSIState),
2205         VMSTATE_UINT32(mmrs, LSIState),
2206         VMSTATE_UINT32(mmws, LSIState),
2207         VMSTATE_UINT32(sfs, LSIState),
2208         VMSTATE_UINT32(drs, LSIState),
2209         VMSTATE_UINT32(sbms, LSIState),
2210         VMSTATE_UINT32(dbms, LSIState),
2211         VMSTATE_UINT32(dnad64, LSIState),
2212         VMSTATE_UINT32(pmjad1, LSIState),
2213         VMSTATE_UINT32(pmjad2, LSIState),
2214         VMSTATE_UINT32(rbc, LSIState),
2215         VMSTATE_UINT32(ua, LSIState),
2216         VMSTATE_UINT32(ia, LSIState),
2217         VMSTATE_UINT32(sbc, LSIState),
2218         VMSTATE_UINT32(csbc, LSIState),
2219         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2220         VMSTATE_UINT8(sbr, LSIState),
2221 
2222         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 2048 * sizeof(uint32_t)),
2223         VMSTATE_END_OF_LIST()
2224     }
2225 };
2226 
2227 static const struct SCSIBusInfo lsi_scsi_info = {
2228     .tcq = true,
2229     .max_target = LSI_MAX_DEVS,
2230     .max_lun = 0,  /* LUN support is buggy */
2231 
2232     .transfer_data = lsi_transfer_data,
2233     .complete = lsi_command_complete,
2234     .cancel = lsi_request_cancelled
2235 };
2236 
2237 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2238 {
2239     LSIState *s = LSI53C895A(dev);
2240     DeviceState *d = DEVICE(dev);
2241     uint8_t *pci_conf;
2242 
2243     pci_conf = dev->config;
2244 
2245     /* PCI latency timer = 255 */
2246     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2247     /* Interrupt pin A */
2248     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2249 
2250     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2251                           "lsi-mmio", 0x400);
2252     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2253                           "lsi-ram", 0x2000);
2254     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2255                           "lsi-io", 256);
2256 
2257     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2258     qdev_init_gpio_out(d, &s->ext_irq, 1);
2259 
2260     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2261     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2262     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2263     QTAILQ_INIT(&s->queue);
2264 
2265     scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
2266 }
2267 
2268 static void lsi_scsi_unrealize(DeviceState *dev, Error **errp)
2269 {
2270     LSIState *s = LSI53C895A(dev);
2271 
2272     address_space_destroy(&s->pci_io_as);
2273 }
2274 
2275 static void lsi_class_init(ObjectClass *klass, void *data)
2276 {
2277     DeviceClass *dc = DEVICE_CLASS(klass);
2278     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2279 
2280     k->realize = lsi_scsi_realize;
2281     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2282     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2283     k->class_id = PCI_CLASS_STORAGE_SCSI;
2284     k->subsystem_id = 0x1000;
2285     dc->unrealize = lsi_scsi_unrealize;
2286     dc->reset = lsi_scsi_reset;
2287     dc->vmsd = &vmstate_lsi_scsi;
2288     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2289 }
2290 
2291 static const TypeInfo lsi_info = {
2292     .name          = TYPE_LSI53C895A,
2293     .parent        = TYPE_PCI_DEVICE,
2294     .instance_size = sizeof(LSIState),
2295     .class_init    = lsi_class_init,
2296     .interfaces = (InterfaceInfo[]) {
2297         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2298         { },
2299     },
2300 };
2301 
2302 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2303 {
2304     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2305 
2306     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2307 }
2308 
2309 static TypeInfo lsi53c810_info = {
2310     .name          = TYPE_LSI53C810,
2311     .parent        = TYPE_LSI53C895A,
2312     .class_init    = lsi53c810_class_init,
2313 };
2314 
2315 static void lsi53c895a_register_types(void)
2316 {
2317     type_register_static(&lsi_info);
2318     type_register_static(&lsi53c810_info);
2319 }
2320 
2321 type_init(lsi53c895a_register_types)
2322 
2323 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2324 {
2325     LSIState *s = LSI53C895A(lsi_dev);
2326 
2327     scsi_bus_legacy_handle_cmdline(&s->bus);
2328 }
2329