xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision 79e42085)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/hw.h"
19 #include "hw/pci/pci.h"
20 #include "hw/scsi/scsi.h"
21 #include "sysemu/dma.h"
22 #include "qemu/log.h"
23 #include "trace.h"
24 
25 static const char *names[] = {
26     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
27     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
28     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
29     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
30     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
31     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
32     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
33     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
34     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
35     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
36     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
37     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
38 };
39 
40 #define LSI_MAX_DEVS 7
41 
42 #define LSI_SCNTL0_TRG    0x01
43 #define LSI_SCNTL0_AAP    0x02
44 #define LSI_SCNTL0_EPC    0x08
45 #define LSI_SCNTL0_WATN   0x10
46 #define LSI_SCNTL0_START  0x20
47 
48 #define LSI_SCNTL1_SST    0x01
49 #define LSI_SCNTL1_IARB   0x02
50 #define LSI_SCNTL1_AESP   0x04
51 #define LSI_SCNTL1_RST    0x08
52 #define LSI_SCNTL1_CON    0x10
53 #define LSI_SCNTL1_DHP    0x20
54 #define LSI_SCNTL1_ADB    0x40
55 #define LSI_SCNTL1_EXC    0x80
56 
57 #define LSI_SCNTL2_WSR    0x01
58 #define LSI_SCNTL2_VUE0   0x02
59 #define LSI_SCNTL2_VUE1   0x04
60 #define LSI_SCNTL2_WSS    0x08
61 #define LSI_SCNTL2_SLPHBEN 0x10
62 #define LSI_SCNTL2_SLPMD  0x20
63 #define LSI_SCNTL2_CHM    0x40
64 #define LSI_SCNTL2_SDU    0x80
65 
66 #define LSI_ISTAT0_DIP    0x01
67 #define LSI_ISTAT0_SIP    0x02
68 #define LSI_ISTAT0_INTF   0x04
69 #define LSI_ISTAT0_CON    0x08
70 #define LSI_ISTAT0_SEM    0x10
71 #define LSI_ISTAT0_SIGP   0x20
72 #define LSI_ISTAT0_SRST   0x40
73 #define LSI_ISTAT0_ABRT   0x80
74 
75 #define LSI_ISTAT1_SI     0x01
76 #define LSI_ISTAT1_SRUN   0x02
77 #define LSI_ISTAT1_FLSH   0x04
78 
79 #define LSI_SSTAT0_SDP0   0x01
80 #define LSI_SSTAT0_RST    0x02
81 #define LSI_SSTAT0_WOA    0x04
82 #define LSI_SSTAT0_LOA    0x08
83 #define LSI_SSTAT0_AIP    0x10
84 #define LSI_SSTAT0_OLF    0x20
85 #define LSI_SSTAT0_ORF    0x40
86 #define LSI_SSTAT0_ILF    0x80
87 
88 #define LSI_SIST0_PAR     0x01
89 #define LSI_SIST0_RST     0x02
90 #define LSI_SIST0_UDC     0x04
91 #define LSI_SIST0_SGE     0x08
92 #define LSI_SIST0_RSL     0x10
93 #define LSI_SIST0_SEL     0x20
94 #define LSI_SIST0_CMP     0x40
95 #define LSI_SIST0_MA      0x80
96 
97 #define LSI_SIST1_HTH     0x01
98 #define LSI_SIST1_GEN     0x02
99 #define LSI_SIST1_STO     0x04
100 #define LSI_SIST1_SBMC    0x10
101 
102 #define LSI_SOCL_IO       0x01
103 #define LSI_SOCL_CD       0x02
104 #define LSI_SOCL_MSG      0x04
105 #define LSI_SOCL_ATN      0x08
106 #define LSI_SOCL_SEL      0x10
107 #define LSI_SOCL_BSY      0x20
108 #define LSI_SOCL_ACK      0x40
109 #define LSI_SOCL_REQ      0x80
110 
111 #define LSI_DSTAT_IID     0x01
112 #define LSI_DSTAT_SIR     0x04
113 #define LSI_DSTAT_SSI     0x08
114 #define LSI_DSTAT_ABRT    0x10
115 #define LSI_DSTAT_BF      0x20
116 #define LSI_DSTAT_MDPE    0x40
117 #define LSI_DSTAT_DFE     0x80
118 
119 #define LSI_DCNTL_COM     0x01
120 #define LSI_DCNTL_IRQD    0x02
121 #define LSI_DCNTL_STD     0x04
122 #define LSI_DCNTL_IRQM    0x08
123 #define LSI_DCNTL_SSM     0x10
124 #define LSI_DCNTL_PFEN    0x20
125 #define LSI_DCNTL_PFF     0x40
126 #define LSI_DCNTL_CLSE    0x80
127 
128 #define LSI_DMODE_MAN     0x01
129 #define LSI_DMODE_BOF     0x02
130 #define LSI_DMODE_ERMP    0x04
131 #define LSI_DMODE_ERL     0x08
132 #define LSI_DMODE_DIOM    0x10
133 #define LSI_DMODE_SIOM    0x20
134 
135 #define LSI_CTEST2_DACK   0x01
136 #define LSI_CTEST2_DREQ   0x02
137 #define LSI_CTEST2_TEOP   0x04
138 #define LSI_CTEST2_PCICIE 0x08
139 #define LSI_CTEST2_CM     0x10
140 #define LSI_CTEST2_CIO    0x20
141 #define LSI_CTEST2_SIGP   0x40
142 #define LSI_CTEST2_DDIR   0x80
143 
144 #define LSI_CTEST5_BL2    0x04
145 #define LSI_CTEST5_DDIR   0x08
146 #define LSI_CTEST5_MASR   0x10
147 #define LSI_CTEST5_DFSN   0x20
148 #define LSI_CTEST5_BBCK   0x40
149 #define LSI_CTEST5_ADCK   0x80
150 
151 #define LSI_CCNTL0_DILS   0x01
152 #define LSI_CCNTL0_DISFC  0x10
153 #define LSI_CCNTL0_ENNDJ  0x20
154 #define LSI_CCNTL0_PMJCTL 0x40
155 #define LSI_CCNTL0_ENPMJ  0x80
156 
157 #define LSI_CCNTL1_EN64DBMV  0x01
158 #define LSI_CCNTL1_EN64TIBMV 0x02
159 #define LSI_CCNTL1_64TIMOD   0x04
160 #define LSI_CCNTL1_DDAC      0x08
161 #define LSI_CCNTL1_ZMOD      0x80
162 
163 #define LSI_SBCL_ATN         0x08
164 #define LSI_SBCL_BSY         0x20
165 #define LSI_SBCL_ACK         0x40
166 #define LSI_SBCL_REQ         0x80
167 
168 /* Enable Response to Reselection */
169 #define LSI_SCID_RRE      0x60
170 
171 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
172 
173 #define PHASE_DO          0
174 #define PHASE_DI          1
175 #define PHASE_CMD         2
176 #define PHASE_ST          3
177 #define PHASE_MO          6
178 #define PHASE_MI          7
179 #define PHASE_MASK        7
180 
181 /* Maximum length of MSG IN data.  */
182 #define LSI_MAX_MSGIN_LEN 8
183 
184 /* Flag set if this is a tagged command.  */
185 #define LSI_TAG_VALID     (1 << 16)
186 
187 typedef struct lsi_request {
188     SCSIRequest *req;
189     uint32_t tag;
190     uint32_t dma_len;
191     uint8_t *dma_buf;
192     uint32_t pending;
193     int out;
194     QTAILQ_ENTRY(lsi_request) next;
195 } lsi_request;
196 
197 enum {
198     LSI_NOWAIT, /* SCRIPTS are running or stopped */
199     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
200     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
201     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
202 };
203 
204 enum {
205     LSI_MSG_ACTION_COMMAND = 0,
206     LSI_MSG_ACTION_DISCONNECT = 1,
207     LSI_MSG_ACTION_DOUT = 2,
208     LSI_MSG_ACTION_DIN = 3,
209 };
210 
211 typedef struct {
212     /*< private >*/
213     PCIDevice parent_obj;
214     /*< public >*/
215 
216     qemu_irq ext_irq;
217     MemoryRegion mmio_io;
218     MemoryRegion ram_io;
219     MemoryRegion io_io;
220     AddressSpace pci_io_as;
221 
222     int carry; /* ??? Should this be an a visible register somewhere?  */
223     int status;
224     int msg_action;
225     int msg_len;
226     uint8_t msg[LSI_MAX_MSGIN_LEN];
227     int waiting;
228     SCSIBus bus;
229     int current_lun;
230     /* The tag is a combination of the device ID and the SCSI tag.  */
231     uint32_t select_tag;
232     int command_complete;
233     QTAILQ_HEAD(, lsi_request) queue;
234     lsi_request *current;
235 
236     uint32_t dsa;
237     uint32_t temp;
238     uint32_t dnad;
239     uint32_t dbc;
240     uint8_t istat0;
241     uint8_t istat1;
242     uint8_t dcmd;
243     uint8_t dstat;
244     uint8_t dien;
245     uint8_t sist0;
246     uint8_t sist1;
247     uint8_t sien0;
248     uint8_t sien1;
249     uint8_t mbox0;
250     uint8_t mbox1;
251     uint8_t dfifo;
252     uint8_t ctest2;
253     uint8_t ctest3;
254     uint8_t ctest4;
255     uint8_t ctest5;
256     uint8_t ccntl0;
257     uint8_t ccntl1;
258     uint32_t dsp;
259     uint32_t dsps;
260     uint8_t dmode;
261     uint8_t dcntl;
262     uint8_t scntl0;
263     uint8_t scntl1;
264     uint8_t scntl2;
265     uint8_t scntl3;
266     uint8_t sstat0;
267     uint8_t sstat1;
268     uint8_t scid;
269     uint8_t sxfer;
270     uint8_t socl;
271     uint8_t sdid;
272     uint8_t ssid;
273     uint8_t sfbr;
274     uint8_t sbcl;
275     uint8_t stest1;
276     uint8_t stest2;
277     uint8_t stest3;
278     uint8_t sidl;
279     uint8_t stime0;
280     uint8_t respid0;
281     uint8_t respid1;
282     uint32_t mmrs;
283     uint32_t mmws;
284     uint32_t sfs;
285     uint32_t drs;
286     uint32_t sbms;
287     uint32_t dbms;
288     uint32_t dnad64;
289     uint32_t pmjad1;
290     uint32_t pmjad2;
291     uint32_t rbc;
292     uint32_t ua;
293     uint32_t ia;
294     uint32_t sbc;
295     uint32_t csbc;
296     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
297     uint8_t sbr;
298     uint32_t adder;
299 
300     uint8_t script_ram[2048 * sizeof(uint32_t)];
301 } LSIState;
302 
303 #define TYPE_LSI53C810  "lsi53c810"
304 #define TYPE_LSI53C895A "lsi53c895a"
305 
306 #define LSI53C895A(obj) \
307     OBJECT_CHECK(LSIState, (obj), TYPE_LSI53C895A)
308 
309 static const char *scsi_phases[] = {
310     "DOUT",
311     "DIN",
312     "CMD",
313     "STATUS",
314     "RSVOUT",
315     "RSVIN",
316     "MSGOUT",
317     "MSGIN"
318 };
319 
320 static const char *scsi_phase_name(int phase)
321 {
322     return scsi_phases[phase & PHASE_MASK];
323 }
324 
325 static inline int lsi_irq_on_rsl(LSIState *s)
326 {
327     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
328 }
329 
330 static lsi_request *get_pending_req(LSIState *s)
331 {
332     lsi_request *p;
333 
334     QTAILQ_FOREACH(p, &s->queue, next) {
335         if (p->pending) {
336             return p;
337         }
338     }
339     return NULL;
340 }
341 
342 static void lsi_soft_reset(LSIState *s)
343 {
344     trace_lsi_reset();
345     s->carry = 0;
346 
347     s->msg_action = LSI_MSG_ACTION_COMMAND;
348     s->msg_len = 0;
349     s->waiting = LSI_NOWAIT;
350     s->dsa = 0;
351     s->dnad = 0;
352     s->dbc = 0;
353     s->temp = 0;
354     memset(s->scratch, 0, sizeof(s->scratch));
355     s->istat0 = 0;
356     s->istat1 = 0;
357     s->dcmd = 0x40;
358     s->dstat = 0;
359     s->dien = 0;
360     s->sist0 = 0;
361     s->sist1 = 0;
362     s->sien0 = 0;
363     s->sien1 = 0;
364     s->mbox0 = 0;
365     s->mbox1 = 0;
366     s->dfifo = 0;
367     s->ctest2 = LSI_CTEST2_DACK;
368     s->ctest3 = 0;
369     s->ctest4 = 0;
370     s->ctest5 = 0;
371     s->ccntl0 = 0;
372     s->ccntl1 = 0;
373     s->dsp = 0;
374     s->dsps = 0;
375     s->dmode = 0;
376     s->dcntl = 0;
377     s->scntl0 = 0xc0;
378     s->scntl1 = 0;
379     s->scntl2 = 0;
380     s->scntl3 = 0;
381     s->sstat0 = 0;
382     s->sstat1 = 0;
383     s->scid = 7;
384     s->sxfer = 0;
385     s->socl = 0;
386     s->sdid = 0;
387     s->ssid = 0;
388     s->sbcl = 0;
389     s->stest1 = 0;
390     s->stest2 = 0;
391     s->stest3 = 0;
392     s->sidl = 0;
393     s->stime0 = 0;
394     s->respid0 = 0x80;
395     s->respid1 = 0;
396     s->mmrs = 0;
397     s->mmws = 0;
398     s->sfs = 0;
399     s->drs = 0;
400     s->sbms = 0;
401     s->dbms = 0;
402     s->dnad64 = 0;
403     s->pmjad1 = 0;
404     s->pmjad2 = 0;
405     s->rbc = 0;
406     s->ua = 0;
407     s->ia = 0;
408     s->sbc = 0;
409     s->csbc = 0;
410     s->sbr = 0;
411     assert(QTAILQ_EMPTY(&s->queue));
412     assert(!s->current);
413 }
414 
415 static int lsi_dma_40bit(LSIState *s)
416 {
417     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
418         return 1;
419     return 0;
420 }
421 
422 static int lsi_dma_ti64bit(LSIState *s)
423 {
424     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
425         return 1;
426     return 0;
427 }
428 
429 static int lsi_dma_64bit(LSIState *s)
430 {
431     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
432         return 1;
433     return 0;
434 }
435 
436 static uint8_t lsi_reg_readb(LSIState *s, int offset);
437 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
438 static void lsi_execute_script(LSIState *s);
439 static void lsi_reselect(LSIState *s, lsi_request *p);
440 
441 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
442                                void *buf, dma_addr_t len)
443 {
444     if (s->dmode & LSI_DMODE_SIOM) {
445         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
446                            buf, len);
447     } else {
448         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
449     }
450 }
451 
452 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
453                                 const void *buf, dma_addr_t len)
454 {
455     if (s->dmode & LSI_DMODE_DIOM) {
456         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
457                             buf, len);
458     } else {
459         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
460     }
461 }
462 
463 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
464 {
465     uint32_t buf;
466 
467     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
468     return cpu_to_le32(buf);
469 }
470 
471 static void lsi_stop_script(LSIState *s)
472 {
473     s->istat1 &= ~LSI_ISTAT1_SRUN;
474 }
475 
476 static void lsi_set_irq(LSIState *s, int level)
477 {
478     PCIDevice *d = PCI_DEVICE(s);
479 
480     if (s->ext_irq) {
481         qemu_set_irq(s->ext_irq, level);
482     } else {
483         pci_set_irq(d, level);
484     }
485 }
486 
487 static void lsi_update_irq(LSIState *s)
488 {
489     int level;
490     static int last_level;
491 
492     /* It's unclear whether the DIP/SIP bits should be cleared when the
493        Interrupt Status Registers are cleared or when istat0 is read.
494        We currently do the formwer, which seems to work.  */
495     level = 0;
496     if (s->dstat) {
497         if (s->dstat & s->dien)
498             level = 1;
499         s->istat0 |= LSI_ISTAT0_DIP;
500     } else {
501         s->istat0 &= ~LSI_ISTAT0_DIP;
502     }
503 
504     if (s->sist0 || s->sist1) {
505         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
506             level = 1;
507         s->istat0 |= LSI_ISTAT0_SIP;
508     } else {
509         s->istat0 &= ~LSI_ISTAT0_SIP;
510     }
511     if (s->istat0 & LSI_ISTAT0_INTF)
512         level = 1;
513 
514     if (level != last_level) {
515         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
516         last_level = level;
517     }
518     lsi_set_irq(s, level);
519 
520     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
521         lsi_request *p;
522 
523         trace_lsi_update_irq_disconnected();
524         p = get_pending_req(s);
525         if (p) {
526             lsi_reselect(s, p);
527         }
528     }
529 }
530 
531 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
532 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
533 {
534     uint32_t mask0;
535     uint32_t mask1;
536 
537     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
538     s->sist0 |= stat0;
539     s->sist1 |= stat1;
540     /* Stop processor on fatal or unmasked interrupt.  As a special hack
541        we don't stop processing when raising STO.  Instead continue
542        execution and stop at the next insn that accesses the SCSI bus.  */
543     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
544     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
545     mask1 &= ~LSI_SIST1_STO;
546     if (s->sist0 & mask0 || s->sist1 & mask1) {
547         lsi_stop_script(s);
548     }
549     lsi_update_irq(s);
550 }
551 
552 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
553 static void lsi_script_dma_interrupt(LSIState *s, int stat)
554 {
555     trace_lsi_script_dma_interrupt(stat, s->dstat);
556     s->dstat |= stat;
557     lsi_update_irq(s);
558     lsi_stop_script(s);
559 }
560 
561 static inline void lsi_set_phase(LSIState *s, int phase)
562 {
563     s->sbcl &= ~PHASE_MASK;
564     s->sbcl |= phase | LSI_SBCL_REQ;
565     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
566 }
567 
568 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
569 {
570     /* Trigger a phase mismatch.  */
571     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
572         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
573             s->dsp = out ? s->pmjad1 : s->pmjad2;
574         } else {
575             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
576         }
577         trace_lsi_bad_phase_jump(s->dsp);
578     } else {
579         trace_lsi_bad_phase_interrupt();
580         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
581         lsi_stop_script(s);
582     }
583     lsi_set_phase(s, new_phase);
584 }
585 
586 
587 /* Resume SCRIPTS execution after a DMA operation.  */
588 static void lsi_resume_script(LSIState *s)
589 {
590     if (s->waiting != 2) {
591         s->waiting = LSI_NOWAIT;
592         lsi_execute_script(s);
593     } else {
594         s->waiting = LSI_NOWAIT;
595     }
596 }
597 
598 static void lsi_disconnect(LSIState *s)
599 {
600     s->scntl1 &= ~LSI_SCNTL1_CON;
601     s->sstat1 &= ~PHASE_MASK;
602     s->sbcl = 0;
603 }
604 
605 static void lsi_bad_selection(LSIState *s, uint32_t id)
606 {
607     trace_lsi_bad_selection(id);
608     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
609     lsi_disconnect(s);
610 }
611 
612 /* Initiate a SCSI layer data transfer.  */
613 static void lsi_do_dma(LSIState *s, int out)
614 {
615     uint32_t count;
616     dma_addr_t addr;
617     SCSIDevice *dev;
618 
619     assert(s->current);
620     if (!s->current->dma_len) {
621         /* Wait until data is available.  */
622         trace_lsi_do_dma_unavailable();
623         return;
624     }
625 
626     dev = s->current->req->dev;
627     assert(dev);
628 
629     count = s->dbc;
630     if (count > s->current->dma_len)
631         count = s->current->dma_len;
632 
633     addr = s->dnad;
634     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
635     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
636         addr |= ((uint64_t)s->dnad64 << 32);
637     else if (s->dbms)
638         addr |= ((uint64_t)s->dbms << 32);
639     else if (s->sbms)
640         addr |= ((uint64_t)s->sbms << 32);
641 
642     trace_lsi_do_dma(addr, count);
643     s->csbc += count;
644     s->dnad += count;
645     s->dbc -= count;
646      if (s->current->dma_buf == NULL) {
647         s->current->dma_buf = scsi_req_get_buf(s->current->req);
648     }
649     /* ??? Set SFBR to first data byte.  */
650     if (out) {
651         lsi_mem_read(s, addr, s->current->dma_buf, count);
652     } else {
653         lsi_mem_write(s, addr, s->current->dma_buf, count);
654     }
655     s->current->dma_len -= count;
656     if (s->current->dma_len == 0) {
657         s->current->dma_buf = NULL;
658         scsi_req_continue(s->current->req);
659     } else {
660         s->current->dma_buf += count;
661         lsi_resume_script(s);
662     }
663 }
664 
665 
666 /* Add a command to the queue.  */
667 static void lsi_queue_command(LSIState *s)
668 {
669     lsi_request *p = s->current;
670 
671     trace_lsi_queue_command(p->tag);
672     assert(s->current != NULL);
673     assert(s->current->dma_len == 0);
674     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
675     s->current = NULL;
676 
677     p->pending = 0;
678     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
679 }
680 
681 /* Queue a byte for a MSG IN phase.  */
682 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
683 {
684     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
685         trace_lsi_add_msg_byte_error();
686     } else {
687         trace_lsi_add_msg_byte(data);
688         s->msg[s->msg_len++] = data;
689     }
690 }
691 
692 /* Perform reselection to continue a command.  */
693 static void lsi_reselect(LSIState *s, lsi_request *p)
694 {
695     int id;
696 
697     assert(s->current == NULL);
698     QTAILQ_REMOVE(&s->queue, p, next);
699     s->current = p;
700 
701     id = (p->tag >> 8) & 0xf;
702     s->ssid = id | 0x80;
703     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
704     if (!(s->dcntl & LSI_DCNTL_COM)) {
705         s->sfbr = 1 << (id & 0x7);
706     }
707     trace_lsi_reselect(id);
708     s->scntl1 |= LSI_SCNTL1_CON;
709     lsi_set_phase(s, PHASE_MI);
710     s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
711     s->current->dma_len = p->pending;
712     lsi_add_msg_byte(s, 0x80);
713     if (s->current->tag & LSI_TAG_VALID) {
714         lsi_add_msg_byte(s, 0x20);
715         lsi_add_msg_byte(s, p->tag & 0xff);
716     }
717 
718     if (lsi_irq_on_rsl(s)) {
719         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
720     }
721 }
722 
723 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
724 {
725     lsi_request *p;
726 
727     QTAILQ_FOREACH(p, &s->queue, next) {
728         if (p->tag == tag) {
729             return p;
730         }
731     }
732 
733     return NULL;
734 }
735 
736 static void lsi_request_free(LSIState *s, lsi_request *p)
737 {
738     if (p == s->current) {
739         s->current = NULL;
740     } else {
741         QTAILQ_REMOVE(&s->queue, p, next);
742     }
743     g_free(p);
744 }
745 
746 static void lsi_request_cancelled(SCSIRequest *req)
747 {
748     LSIState *s = LSI53C895A(req->bus->qbus.parent);
749     lsi_request *p = req->hba_private;
750 
751     req->hba_private = NULL;
752     lsi_request_free(s, p);
753     scsi_req_unref(req);
754 }
755 
756 /* Record that data is available for a queued command.  Returns zero if
757    the device was reselected, nonzero if the IO is deferred.  */
758 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
759 {
760     lsi_request *p = req->hba_private;
761 
762     if (p->pending) {
763         trace_lsi_queue_req_error(p);
764     }
765     p->pending = len;
766     /* Reselect if waiting for it, or if reselection triggers an IRQ
767        and the bus is free.
768        Since no interrupt stacking is implemented in the emulation, it
769        is also required that there are no pending interrupts waiting
770        for service from the device driver. */
771     if (s->waiting == LSI_WAIT_RESELECT ||
772         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
773          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
774         /* Reselect device.  */
775         lsi_reselect(s, p);
776         return 0;
777     } else {
778         trace_lsi_queue_req(p->tag);
779         p->pending = len;
780         return 1;
781     }
782 }
783 
784  /* Callback to indicate that the SCSI layer has completed a command.  */
785 static void lsi_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
786 {
787     LSIState *s = LSI53C895A(req->bus->qbus.parent);
788     int out;
789 
790     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
791     trace_lsi_command_complete(status);
792     s->status = status;
793     s->command_complete = 2;
794     if (s->waiting && s->dbc != 0) {
795         /* Raise phase mismatch for short transfers.  */
796         lsi_bad_phase(s, out, PHASE_ST);
797     } else {
798         lsi_set_phase(s, PHASE_ST);
799     }
800 
801     if (req->hba_private == s->current) {
802         req->hba_private = NULL;
803         lsi_request_free(s, s->current);
804         scsi_req_unref(req);
805     }
806     lsi_resume_script(s);
807 }
808 
809  /* Callback to indicate that the SCSI layer has completed a transfer.  */
810 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
811 {
812     LSIState *s = LSI53C895A(req->bus->qbus.parent);
813     int out;
814 
815     assert(req->hba_private);
816     if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
817         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
818         if (lsi_queue_req(s, req, len)) {
819             return;
820         }
821     }
822 
823     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
824 
825     /* host adapter (re)connected */
826     trace_lsi_transfer_data(req->tag, len);
827     s->current->dma_len = len;
828     s->command_complete = 1;
829     if (s->waiting) {
830         if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
831             lsi_resume_script(s);
832         } else {
833             lsi_do_dma(s, out);
834         }
835     }
836 }
837 
838 static void lsi_do_command(LSIState *s)
839 {
840     SCSIDevice *dev;
841     uint8_t buf[16];
842     uint32_t id;
843     int n;
844 
845     trace_lsi_do_command(s->dbc);
846     if (s->dbc > 16)
847         s->dbc = 16;
848     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
849     s->sfbr = buf[0];
850     s->command_complete = 0;
851 
852     id = (s->select_tag >> 8) & 0xf;
853     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
854     if (!dev) {
855         lsi_bad_selection(s, id);
856         return;
857     }
858 
859     assert(s->current == NULL);
860     s->current = g_new0(lsi_request, 1);
861     s->current->tag = s->select_tag;
862     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
863                                    s->current);
864 
865     n = scsi_req_enqueue(s->current->req);
866     if (n) {
867         if (n > 0) {
868             lsi_set_phase(s, PHASE_DI);
869         } else if (n < 0) {
870             lsi_set_phase(s, PHASE_DO);
871         }
872         scsi_req_continue(s->current->req);
873     }
874     if (!s->command_complete) {
875         if (n) {
876             /* Command did not complete immediately so disconnect.  */
877             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
878             lsi_add_msg_byte(s, 4); /* DISCONNECT */
879             /* wait data */
880             lsi_set_phase(s, PHASE_MI);
881             s->msg_action = LSI_MSG_ACTION_DISCONNECT;
882             lsi_queue_command(s);
883         } else {
884             /* wait command complete */
885             lsi_set_phase(s, PHASE_DI);
886         }
887     }
888 }
889 
890 static void lsi_do_status(LSIState *s)
891 {
892     uint8_t status;
893     trace_lsi_do_status(s->dbc, s->status);
894     if (s->dbc != 1) {
895         trace_lsi_do_status_error();
896     }
897     s->dbc = 1;
898     status = s->status;
899     s->sfbr = status;
900     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
901     lsi_set_phase(s, PHASE_MI);
902     s->msg_action = LSI_MSG_ACTION_DISCONNECT;
903     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
904 }
905 
906 static void lsi_do_msgin(LSIState *s)
907 {
908     uint8_t len;
909     trace_lsi_do_msgin(s->dbc, s->msg_len);
910     s->sfbr = s->msg[0];
911     len = s->msg_len;
912     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
913     if (len > s->dbc)
914         len = s->dbc;
915     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
916     /* Linux drivers rely on the last byte being in the SIDL.  */
917     s->sidl = s->msg[len - 1];
918     s->msg_len -= len;
919     if (s->msg_len) {
920         memmove(s->msg, s->msg + len, s->msg_len);
921     } else {
922         /* ??? Check if ATN (not yet implemented) is asserted and maybe
923            switch to PHASE_MO.  */
924         switch (s->msg_action) {
925         case LSI_MSG_ACTION_COMMAND:
926             lsi_set_phase(s, PHASE_CMD);
927             break;
928         case LSI_MSG_ACTION_DISCONNECT:
929             lsi_disconnect(s);
930             break;
931         case LSI_MSG_ACTION_DOUT:
932             lsi_set_phase(s, PHASE_DO);
933             break;
934         case LSI_MSG_ACTION_DIN:
935             lsi_set_phase(s, PHASE_DI);
936             break;
937         default:
938             abort();
939         }
940     }
941 }
942 
943 /* Read the next byte during a MSGOUT phase.  */
944 static uint8_t lsi_get_msgbyte(LSIState *s)
945 {
946     uint8_t data;
947     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
948     s->dnad++;
949     s->dbc--;
950     return data;
951 }
952 
953 /* Skip the next n bytes during a MSGOUT phase. */
954 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
955 {
956     s->dnad += n;
957     s->dbc  -= n;
958 }
959 
960 static void lsi_do_msgout(LSIState *s)
961 {
962     uint8_t msg;
963     int len;
964     uint32_t current_tag;
965     lsi_request *current_req, *p, *p_next;
966 
967     if (s->current) {
968         current_tag = s->current->tag;
969         current_req = s->current;
970     } else {
971         current_tag = s->select_tag;
972         current_req = lsi_find_by_tag(s, current_tag);
973     }
974 
975     trace_lsi_do_msgout(s->dbc);
976     while (s->dbc) {
977         msg = lsi_get_msgbyte(s);
978         s->sfbr = msg;
979 
980         switch (msg) {
981         case 0x04:
982             trace_lsi_do_msgout_disconnect();
983             lsi_disconnect(s);
984             break;
985         case 0x08:
986             trace_lsi_do_msgout_noop();
987             lsi_set_phase(s, PHASE_CMD);
988             break;
989         case 0x01:
990             len = lsi_get_msgbyte(s);
991             msg = lsi_get_msgbyte(s);
992             (void)len; /* avoid a warning about unused variable*/
993             trace_lsi_do_msgout_extended(msg, len);
994             switch (msg) {
995             case 1:
996                 trace_lsi_do_msgout_ignored("SDTR");
997                 lsi_skip_msgbytes(s, 2);
998                 break;
999             case 3:
1000                 trace_lsi_do_msgout_ignored("WDTR");
1001                 lsi_skip_msgbytes(s, 1);
1002                 break;
1003             case 4:
1004                 trace_lsi_do_msgout_ignored("PPR");
1005                 lsi_skip_msgbytes(s, 5);
1006                 break;
1007             default:
1008                 goto bad;
1009             }
1010             break;
1011         case 0x20: /* SIMPLE queue */
1012             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1013             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1014             break;
1015         case 0x21: /* HEAD of queue */
1016             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1017             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1018             break;
1019         case 0x22: /* ORDERED queue */
1020             qemu_log_mask(LOG_UNIMP,
1021                           "lsi_scsi: ORDERED queue not implemented\n");
1022             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1023             break;
1024         case 0x0d:
1025             /* The ABORT TAG message clears the current I/O process only. */
1026             trace_lsi_do_msgout_abort(current_tag);
1027             if (current_req) {
1028                 scsi_req_cancel(current_req->req);
1029             }
1030             lsi_disconnect(s);
1031             break;
1032         case 0x06:
1033         case 0x0e:
1034         case 0x0c:
1035             /* The ABORT message clears all I/O processes for the selecting
1036                initiator on the specified logical unit of the target. */
1037             if (msg == 0x06) {
1038                 trace_lsi_do_msgout_abort(current_tag);
1039             }
1040             /* The CLEAR QUEUE message clears all I/O processes for all
1041                initiators on the specified logical unit of the target. */
1042             if (msg == 0x0e) {
1043                 trace_lsi_do_msgout_clearqueue(current_tag);
1044             }
1045             /* The BUS DEVICE RESET message clears all I/O processes for all
1046                initiators on all logical units of the target. */
1047             if (msg == 0x0c) {
1048                 trace_lsi_do_msgout_busdevicereset(current_tag);
1049             }
1050 
1051             /* clear the current I/O process */
1052             if (s->current) {
1053                 scsi_req_cancel(s->current->req);
1054             }
1055 
1056             /* As the current implemented devices scsi_disk and scsi_generic
1057                only support one LUN, we don't need to keep track of LUNs.
1058                Clearing I/O processes for other initiators could be possible
1059                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1060                device, but this is currently not implemented (and seems not
1061                to be really necessary). So let's simply clear all queued
1062                commands for the current device: */
1063             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1064                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1065                     scsi_req_cancel(p->req);
1066                 }
1067             }
1068 
1069             lsi_disconnect(s);
1070             break;
1071         default:
1072             if ((msg & 0x80) == 0) {
1073                 goto bad;
1074             }
1075             s->current_lun = msg & 7;
1076             trace_lsi_do_msgout_select(s->current_lun);
1077             lsi_set_phase(s, PHASE_CMD);
1078             break;
1079         }
1080     }
1081     return;
1082 bad:
1083     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1084     lsi_set_phase(s, PHASE_MI);
1085     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1086     s->msg_action = LSI_MSG_ACTION_COMMAND;
1087 }
1088 
1089 #define LSI_BUF_SIZE 4096
1090 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1091 {
1092     int n;
1093     uint8_t buf[LSI_BUF_SIZE];
1094 
1095     trace_lsi_memcpy(dest, src, count);
1096     while (count) {
1097         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1098         lsi_mem_read(s, src, buf, n);
1099         lsi_mem_write(s, dest, buf, n);
1100         src += n;
1101         dest += n;
1102         count -= n;
1103     }
1104 }
1105 
1106 static void lsi_wait_reselect(LSIState *s)
1107 {
1108     lsi_request *p;
1109 
1110     trace_lsi_wait_reselect();
1111 
1112     if (s->current) {
1113         return;
1114     }
1115     p = get_pending_req(s);
1116     if (p) {
1117         lsi_reselect(s, p);
1118     }
1119     if (s->current == NULL) {
1120         s->waiting = LSI_WAIT_RESELECT;
1121     }
1122 }
1123 
1124 static void lsi_execute_script(LSIState *s)
1125 {
1126     PCIDevice *pci_dev = PCI_DEVICE(s);
1127     uint32_t insn;
1128     uint32_t addr, addr_high;
1129     int opcode;
1130     int insn_processed = 0;
1131 
1132     s->istat1 |= LSI_ISTAT1_SRUN;
1133 again:
1134     insn_processed++;
1135     insn = read_dword(s, s->dsp);
1136     if (!insn) {
1137         /* If we receive an empty opcode increment the DSP by 4 bytes
1138            instead of 8 and execute the next opcode at that location */
1139         s->dsp += 4;
1140         goto again;
1141     }
1142     addr = read_dword(s, s->dsp + 4);
1143     addr_high = 0;
1144     trace_lsi_execute_script(s->dsp, insn, addr);
1145     s->dsps = addr;
1146     s->dcmd = insn >> 24;
1147     s->dsp += 8;
1148     switch (insn >> 30) {
1149     case 0: /* Block move.  */
1150         if (s->sist1 & LSI_SIST1_STO) {
1151             trace_lsi_execute_script_blockmove_delayed();
1152             lsi_stop_script(s);
1153             break;
1154         }
1155         s->dbc = insn & 0xffffff;
1156         s->rbc = s->dbc;
1157         /* ??? Set ESA.  */
1158         s->ia = s->dsp - 8;
1159         if (insn & (1 << 29)) {
1160             /* Indirect addressing.  */
1161             addr = read_dword(s, addr);
1162         } else if (insn & (1 << 28)) {
1163             uint32_t buf[2];
1164             int32_t offset;
1165             /* Table indirect addressing.  */
1166 
1167             /* 32-bit Table indirect */
1168             offset = sextract32(addr, 0, 24);
1169             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1170             /* byte count is stored in bits 0:23 only */
1171             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1172             s->rbc = s->dbc;
1173             addr = cpu_to_le32(buf[1]);
1174 
1175             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1176              * table, bits [31:24] */
1177             if (lsi_dma_40bit(s))
1178                 addr_high = cpu_to_le32(buf[0]) >> 24;
1179             else if (lsi_dma_ti64bit(s)) {
1180                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1181                 switch (selector) {
1182                 case 0 ... 0x0f:
1183                     /* offset index into scratch registers since
1184                      * TI64 mode can use registers C to R */
1185                     addr_high = s->scratch[2 + selector];
1186                     break;
1187                 case 0x10:
1188                     addr_high = s->mmrs;
1189                     break;
1190                 case 0x11:
1191                     addr_high = s->mmws;
1192                     break;
1193                 case 0x12:
1194                     addr_high = s->sfs;
1195                     break;
1196                 case 0x13:
1197                     addr_high = s->drs;
1198                     break;
1199                 case 0x14:
1200                     addr_high = s->sbms;
1201                     break;
1202                 case 0x15:
1203                     addr_high = s->dbms;
1204                     break;
1205                 default:
1206                     qemu_log_mask(LOG_GUEST_ERROR,
1207                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1208                           "for 64-bit DMA block move", selector);
1209                     break;
1210                 }
1211             }
1212         } else if (lsi_dma_64bit(s)) {
1213             /* fetch a 3rd dword if 64-bit direct move is enabled and
1214                only if we're not doing table indirect or indirect addressing */
1215             s->dbms = read_dword(s, s->dsp);
1216             s->dsp += 4;
1217             s->ia = s->dsp - 12;
1218         }
1219         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1220             trace_lsi_execute_script_blockmove_badphase(
1221                     scsi_phase_name(s->sstat1),
1222                     scsi_phase_name(insn >> 24));
1223             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1224             break;
1225         }
1226         s->dnad = addr;
1227         s->dnad64 = addr_high;
1228         switch (s->sstat1 & 0x7) {
1229         case PHASE_DO:
1230             s->waiting = LSI_DMA_SCRIPTS;
1231             lsi_do_dma(s, 1);
1232             if (s->waiting)
1233                 s->waiting = LSI_DMA_IN_PROGRESS;
1234             break;
1235         case PHASE_DI:
1236             s->waiting = LSI_DMA_SCRIPTS;
1237             lsi_do_dma(s, 0);
1238             if (s->waiting)
1239                 s->waiting = LSI_DMA_IN_PROGRESS;
1240             break;
1241         case PHASE_CMD:
1242             lsi_do_command(s);
1243             break;
1244         case PHASE_ST:
1245             lsi_do_status(s);
1246             break;
1247         case PHASE_MO:
1248             lsi_do_msgout(s);
1249             break;
1250         case PHASE_MI:
1251             lsi_do_msgin(s);
1252             break;
1253         default:
1254             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1255                           scsi_phase_name(s->sstat1));
1256         }
1257         s->dfifo = s->dbc & 0xff;
1258         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1259         s->sbc = s->dbc;
1260         s->rbc -= s->dbc;
1261         s->ua = addr + s->dbc;
1262         break;
1263 
1264     case 1: /* IO or Read/Write instruction.  */
1265         opcode = (insn >> 27) & 7;
1266         if (opcode < 5) {
1267             uint32_t id;
1268 
1269             if (insn & (1 << 25)) {
1270                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1271             } else {
1272                 id = insn;
1273             }
1274             id = (id >> 16) & 0xf;
1275             if (insn & (1 << 26)) {
1276                 addr = s->dsp + sextract32(addr, 0, 24);
1277             }
1278             s->dnad = addr;
1279             switch (opcode) {
1280             case 0: /* Select */
1281                 s->sdid = id;
1282                 if (s->scntl1 & LSI_SCNTL1_CON) {
1283                     trace_lsi_execute_script_io_alreadyreselected();
1284                     s->dsp = s->dnad;
1285                     break;
1286                 }
1287                 s->sstat0 |= LSI_SSTAT0_WOA;
1288                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1289                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1290                     lsi_bad_selection(s, id);
1291                     break;
1292                 }
1293                 trace_lsi_execute_script_io_selected(id,
1294                                              insn & (1 << 3) ? " ATN" : "");
1295                 /* ??? Linux drivers compain when this is set.  Maybe
1296                    it only applies in low-level mode (unimplemented).
1297                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1298                 s->select_tag = id << 8;
1299                 s->scntl1 |= LSI_SCNTL1_CON;
1300                 if (insn & (1 << 3)) {
1301                     s->socl |= LSI_SOCL_ATN;
1302                     s->sbcl |= LSI_SBCL_ATN;
1303                 }
1304                 s->sbcl |= LSI_SBCL_BSY;
1305                 lsi_set_phase(s, PHASE_MO);
1306                 s->waiting = LSI_NOWAIT;
1307                 break;
1308             case 1: /* Disconnect */
1309                 trace_lsi_execute_script_io_disconnect();
1310                 s->scntl1 &= ~LSI_SCNTL1_CON;
1311                 /* FIXME: this is not entirely correct; the target need not ask
1312                  * for reselection until it has to send data, while here we force a
1313                  * reselection as soon as the bus is free.  The correct flow would
1314                  * reselect before lsi_transfer_data and disconnect as soon as
1315                  * DMA ends.
1316                  */
1317                 if (!s->current) {
1318                     lsi_request *p = get_pending_req(s);
1319                     if (p) {
1320                         lsi_reselect(s, p);
1321                     }
1322                 }
1323                 break;
1324             case 2: /* Wait Reselect */
1325                 if (s->istat0 & LSI_ISTAT0_SIGP) {
1326                     s->dsp = s->dnad;
1327                 } else if (!lsi_irq_on_rsl(s)) {
1328                         lsi_wait_reselect(s);
1329                 }
1330                 break;
1331             case 3: /* Set */
1332                 trace_lsi_execute_script_io_set(
1333                         insn & (1 << 3) ? " ATN" : "",
1334                         insn & (1 << 6) ? " ACK" : "",
1335                         insn & (1 << 9) ? " TM" : "",
1336                         insn & (1 << 10) ? " CC" : "");
1337                 if (insn & (1 << 3)) {
1338                     s->socl |= LSI_SOCL_ATN;
1339                     s->sbcl |= LSI_SBCL_ATN;
1340                     lsi_set_phase(s, PHASE_MO);
1341                 }
1342 
1343                 if (insn & (1 << 6)) {
1344                     s->sbcl |= LSI_SBCL_ACK;
1345                 }
1346 
1347                 if (insn & (1 << 9)) {
1348                     qemu_log_mask(LOG_UNIMP,
1349                         "lsi_scsi: Target mode not implemented\n");
1350                 }
1351                 if (insn & (1 << 10))
1352                     s->carry = 1;
1353                 break;
1354             case 4: /* Clear */
1355                 trace_lsi_execute_script_io_clear(
1356                         insn & (1 << 3) ? " ATN" : "",
1357                         insn & (1 << 6) ? " ACK" : "",
1358                         insn & (1 << 9) ? " TM" : "",
1359                         insn & (1 << 10) ? " CC" : "");
1360                 if (insn & (1 << 3)) {
1361                     s->socl &= ~LSI_SOCL_ATN;
1362                     s->sbcl &= ~LSI_SBCL_ATN;
1363                 }
1364 
1365                 if (insn & (1 << 6)) {
1366                     s->sbcl &= ~LSI_SBCL_ACK;
1367                 }
1368 
1369                 if (insn & (1 << 10))
1370                     s->carry = 0;
1371                 break;
1372             }
1373         } else {
1374             uint8_t op0;
1375             uint8_t op1;
1376             uint8_t data8;
1377             int reg;
1378             int operator;
1379 
1380             static const char *opcode_names[3] =
1381                 {"Write", "Read", "Read-Modify-Write"};
1382             static const char *operator_names[8] =
1383                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1384 
1385             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1386             data8 = (insn >> 8) & 0xff;
1387             opcode = (insn >> 27) & 7;
1388             operator = (insn >> 24) & 7;
1389             trace_lsi_execute_script_io_opcode(
1390                     opcode_names[opcode - 5], reg,
1391                     operator_names[operator], data8, s->sfbr,
1392                     (insn & (1 << 23)) ? " SFBR" : "");
1393             op0 = op1 = 0;
1394             switch (opcode) {
1395             case 5: /* From SFBR */
1396                 op0 = s->sfbr;
1397                 op1 = data8;
1398                 break;
1399             case 6: /* To SFBR */
1400                 if (operator)
1401                     op0 = lsi_reg_readb(s, reg);
1402                 op1 = data8;
1403                 break;
1404             case 7: /* Read-modify-write */
1405                 if (operator)
1406                     op0 = lsi_reg_readb(s, reg);
1407                 if (insn & (1 << 23)) {
1408                     op1 = s->sfbr;
1409                 } else {
1410                     op1 = data8;
1411                 }
1412                 break;
1413             }
1414 
1415             switch (operator) {
1416             case 0: /* move */
1417                 op0 = op1;
1418                 break;
1419             case 1: /* Shift left */
1420                 op1 = op0 >> 7;
1421                 op0 = (op0 << 1) | s->carry;
1422                 s->carry = op1;
1423                 break;
1424             case 2: /* OR */
1425                 op0 |= op1;
1426                 break;
1427             case 3: /* XOR */
1428                 op0 ^= op1;
1429                 break;
1430             case 4: /* AND */
1431                 op0 &= op1;
1432                 break;
1433             case 5: /* SHR */
1434                 op1 = op0 & 1;
1435                 op0 = (op0 >> 1) | (s->carry << 7);
1436                 s->carry = op1;
1437                 break;
1438             case 6: /* ADD */
1439                 op0 += op1;
1440                 s->carry = op0 < op1;
1441                 break;
1442             case 7: /* ADC */
1443                 op0 += op1 + s->carry;
1444                 if (s->carry)
1445                     s->carry = op0 <= op1;
1446                 else
1447                     s->carry = op0 < op1;
1448                 break;
1449             }
1450 
1451             switch (opcode) {
1452             case 5: /* From SFBR */
1453             case 7: /* Read-modify-write */
1454                 lsi_reg_writeb(s, reg, op0);
1455                 break;
1456             case 6: /* To SFBR */
1457                 s->sfbr = op0;
1458                 break;
1459             }
1460         }
1461         break;
1462 
1463     case 2: /* Transfer Control.  */
1464         {
1465             int cond;
1466             int jmp;
1467 
1468             if ((insn & 0x002e0000) == 0) {
1469                 trace_lsi_execute_script_tc_nop();
1470                 break;
1471             }
1472             if (s->sist1 & LSI_SIST1_STO) {
1473                 trace_lsi_execute_script_tc_delayedselect_timeout();
1474                 lsi_stop_script(s);
1475                 break;
1476             }
1477             cond = jmp = (insn & (1 << 19)) != 0;
1478             if (cond == jmp && (insn & (1 << 21))) {
1479                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1480                 cond = s->carry != 0;
1481             }
1482             if (cond == jmp && (insn & (1 << 17))) {
1483                 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1484                         jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1485                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1486             }
1487             if (cond == jmp && (insn & (1 << 18))) {
1488                 uint8_t mask;
1489 
1490                 mask = (~insn >> 8) & 0xff;
1491                 trace_lsi_execute_script_tc_compd(
1492                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1493                 cond = (s->sfbr & mask) == (insn & mask);
1494             }
1495             if (cond == jmp) {
1496                 if (insn & (1 << 23)) {
1497                     /* Relative address.  */
1498                     addr = s->dsp + sextract32(addr, 0, 24);
1499                 }
1500                 switch ((insn >> 27) & 7) {
1501                 case 0: /* Jump */
1502                     trace_lsi_execute_script_tc_jump(addr);
1503                     s->adder = addr;
1504                     s->dsp = addr;
1505                     break;
1506                 case 1: /* Call */
1507                     trace_lsi_execute_script_tc_call(addr);
1508                     s->temp = s->dsp;
1509                     s->dsp = addr;
1510                     break;
1511                 case 2: /* Return */
1512                     trace_lsi_execute_script_tc_return(s->temp);
1513                     s->dsp = s->temp;
1514                     break;
1515                 case 3: /* Interrupt */
1516                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1517                     if ((insn & (1 << 20)) != 0) {
1518                         s->istat0 |= LSI_ISTAT0_INTF;
1519                         lsi_update_irq(s);
1520                     } else {
1521                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1522                     }
1523                     break;
1524                 default:
1525                     trace_lsi_execute_script_tc_illegal();
1526                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1527                     break;
1528                 }
1529             } else {
1530                 trace_lsi_execute_script_tc_cc_failed();
1531             }
1532         }
1533         break;
1534 
1535     case 3:
1536         if ((insn & (1 << 29)) == 0) {
1537             /* Memory move.  */
1538             uint32_t dest;
1539             /* ??? The docs imply the destination address is loaded into
1540                the TEMP register.  However the Linux drivers rely on
1541                the value being presrved.  */
1542             dest = read_dword(s, s->dsp);
1543             s->dsp += 4;
1544             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1545         } else {
1546             uint8_t data[7];
1547             int reg;
1548             int n;
1549             int i;
1550 
1551             if (insn & (1 << 28)) {
1552                 addr = s->dsa + sextract32(addr, 0, 24);
1553             }
1554             n = (insn & 7);
1555             reg = (insn >> 16) & 0xff;
1556             if (insn & (1 << 24)) {
1557                 pci_dma_read(pci_dev, addr, data, n);
1558                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1559                 for (i = 0; i < n; i++) {
1560                     lsi_reg_writeb(s, reg + i, data[i]);
1561                 }
1562             } else {
1563                 trace_lsi_execute_script_mm_store(reg, n, addr);
1564                 for (i = 0; i < n; i++) {
1565                     data[i] = lsi_reg_readb(s, reg + i);
1566                 }
1567                 pci_dma_write(pci_dev, addr, data, n);
1568             }
1569         }
1570     }
1571     if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
1572         /* Some windows drivers make the device spin waiting for a memory
1573            location to change.  If we have been executed a lot of code then
1574            assume this is the case and force an unexpected device disconnect.
1575            This is apparently sufficient to beat the drivers into submission.
1576          */
1577         if (!(s->sien0 & LSI_SIST0_UDC)) {
1578             qemu_log_mask(LOG_GUEST_ERROR,
1579                           "lsi_scsi: inf. loop with UDC masked");
1580         }
1581         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1582         lsi_disconnect(s);
1583     } else if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1584         if (s->dcntl & LSI_DCNTL_SSM) {
1585             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1586         } else {
1587             goto again;
1588         }
1589     }
1590     trace_lsi_execute_script_stop();
1591 }
1592 
1593 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1594 {
1595     uint8_t ret;
1596 
1597 #define CASE_GET_REG24(name, addr) \
1598     case addr: ret = s->name & 0xff; break; \
1599     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1600     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1601 
1602 #define CASE_GET_REG32(name, addr) \
1603     case addr: ret = s->name & 0xff; break; \
1604     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1605     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1606     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1607 
1608     switch (offset) {
1609     case 0x00: /* SCNTL0 */
1610         ret = s->scntl0;
1611         break;
1612     case 0x01: /* SCNTL1 */
1613         ret = s->scntl1;
1614         break;
1615     case 0x02: /* SCNTL2 */
1616         ret = s->scntl2;
1617         break;
1618     case 0x03: /* SCNTL3 */
1619         ret = s->scntl3;
1620         break;
1621     case 0x04: /* SCID */
1622         ret = s->scid;
1623         break;
1624     case 0x05: /* SXFER */
1625         ret = s->sxfer;
1626         break;
1627     case 0x06: /* SDID */
1628         ret = s->sdid;
1629         break;
1630     case 0x07: /* GPREG0 */
1631         ret = 0x7f;
1632         break;
1633     case 0x08: /* Revision ID */
1634         ret = 0x00;
1635         break;
1636     case 0x09: /* SOCL */
1637         ret = s->socl;
1638         break;
1639     case 0xa: /* SSID */
1640         ret = s->ssid;
1641         break;
1642     case 0xb: /* SBCL */
1643         ret = s->sbcl;
1644         break;
1645     case 0xc: /* DSTAT */
1646         ret = s->dstat | LSI_DSTAT_DFE;
1647         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1648             s->dstat = 0;
1649         lsi_update_irq(s);
1650         break;
1651     case 0x0d: /* SSTAT0 */
1652         ret = s->sstat0;
1653         break;
1654     case 0x0e: /* SSTAT1 */
1655         ret = s->sstat1;
1656         break;
1657     case 0x0f: /* SSTAT2 */
1658         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1659         break;
1660     CASE_GET_REG32(dsa, 0x10)
1661     case 0x14: /* ISTAT0 */
1662         ret = s->istat0;
1663         break;
1664     case 0x15: /* ISTAT1 */
1665         ret = s->istat1;
1666         break;
1667     case 0x16: /* MBOX0 */
1668         ret = s->mbox0;
1669         break;
1670     case 0x17: /* MBOX1 */
1671         ret = s->mbox1;
1672         break;
1673     case 0x18: /* CTEST0 */
1674         ret = 0xff;
1675         break;
1676     case 0x19: /* CTEST1 */
1677         ret = 0;
1678         break;
1679     case 0x1a: /* CTEST2 */
1680         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1681         if (s->istat0 & LSI_ISTAT0_SIGP) {
1682             s->istat0 &= ~LSI_ISTAT0_SIGP;
1683             ret |= LSI_CTEST2_SIGP;
1684         }
1685         break;
1686     case 0x1b: /* CTEST3 */
1687         ret = s->ctest3;
1688         break;
1689     CASE_GET_REG32(temp, 0x1c)
1690     case 0x20: /* DFIFO */
1691         ret = s->dfifo;
1692         break;
1693     case 0x21: /* CTEST4 */
1694         ret = s->ctest4;
1695         break;
1696     case 0x22: /* CTEST5 */
1697         ret = s->ctest5;
1698         break;
1699     case 0x23: /* CTEST6 */
1700         ret = 0;
1701         break;
1702     CASE_GET_REG24(dbc, 0x24)
1703     case 0x27: /* DCMD */
1704         ret = s->dcmd;
1705         break;
1706     CASE_GET_REG32(dnad, 0x28)
1707     CASE_GET_REG32(dsp, 0x2c)
1708     CASE_GET_REG32(dsps, 0x30)
1709     CASE_GET_REG32(scratch[0], 0x34)
1710     case 0x38: /* DMODE */
1711         ret = s->dmode;
1712         break;
1713     case 0x39: /* DIEN */
1714         ret = s->dien;
1715         break;
1716     case 0x3a: /* SBR */
1717         ret = s->sbr;
1718         break;
1719     case 0x3b: /* DCNTL */
1720         ret = s->dcntl;
1721         break;
1722     /* ADDER Output (Debug of relative jump address) */
1723     CASE_GET_REG32(adder, 0x3c)
1724     case 0x40: /* SIEN0 */
1725         ret = s->sien0;
1726         break;
1727     case 0x41: /* SIEN1 */
1728         ret = s->sien1;
1729         break;
1730     case 0x42: /* SIST0 */
1731         ret = s->sist0;
1732         s->sist0 = 0;
1733         lsi_update_irq(s);
1734         break;
1735     case 0x43: /* SIST1 */
1736         ret = s->sist1;
1737         s->sist1 = 0;
1738         lsi_update_irq(s);
1739         break;
1740     case 0x46: /* MACNTL */
1741         ret = 0x0f;
1742         break;
1743     case 0x47: /* GPCNTL0 */
1744         ret = 0x0f;
1745         break;
1746     case 0x48: /* STIME0 */
1747         ret = s->stime0;
1748         break;
1749     case 0x4a: /* RESPID0 */
1750         ret = s->respid0;
1751         break;
1752     case 0x4b: /* RESPID1 */
1753         ret = s->respid1;
1754         break;
1755     case 0x4d: /* STEST1 */
1756         ret = s->stest1;
1757         break;
1758     case 0x4e: /* STEST2 */
1759         ret = s->stest2;
1760         break;
1761     case 0x4f: /* STEST3 */
1762         ret = s->stest3;
1763         break;
1764     case 0x50: /* SIDL */
1765         /* This is needed by the linux drivers.  We currently only update it
1766            during the MSG IN phase.  */
1767         ret = s->sidl;
1768         break;
1769     case 0x52: /* STEST4 */
1770         ret = 0xe0;
1771         break;
1772     case 0x56: /* CCNTL0 */
1773         ret = s->ccntl0;
1774         break;
1775     case 0x57: /* CCNTL1 */
1776         ret = s->ccntl1;
1777         break;
1778     case 0x58: /* SBDL */
1779         /* Some drivers peek at the data bus during the MSG IN phase.  */
1780         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1781             assert(s->msg_len > 0);
1782             return s->msg[0];
1783         }
1784         ret = 0;
1785         break;
1786     case 0x59: /* SBDL high */
1787         ret = 0;
1788         break;
1789     CASE_GET_REG32(mmrs, 0xa0)
1790     CASE_GET_REG32(mmws, 0xa4)
1791     CASE_GET_REG32(sfs, 0xa8)
1792     CASE_GET_REG32(drs, 0xac)
1793     CASE_GET_REG32(sbms, 0xb0)
1794     CASE_GET_REG32(dbms, 0xb4)
1795     CASE_GET_REG32(dnad64, 0xb8)
1796     CASE_GET_REG32(pmjad1, 0xc0)
1797     CASE_GET_REG32(pmjad2, 0xc4)
1798     CASE_GET_REG32(rbc, 0xc8)
1799     CASE_GET_REG32(ua, 0xcc)
1800     CASE_GET_REG32(ia, 0xd4)
1801     CASE_GET_REG32(sbc, 0xd8)
1802     CASE_GET_REG32(csbc, 0xdc)
1803     case 0x5c ... 0x9f:
1804     {
1805         int n;
1806         int shift;
1807         n = (offset - 0x58) >> 2;
1808         shift = (offset & 3) * 8;
1809         ret = (s->scratch[n] >> shift) & 0xff;
1810         break;
1811     }
1812     default:
1813     {
1814         qemu_log_mask(LOG_GUEST_ERROR,
1815                       "lsi_scsi: invalid read from reg %s %x\n",
1816                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1817                       offset);
1818         ret = 0xff;
1819         break;
1820     }
1821     }
1822 #undef CASE_GET_REG24
1823 #undef CASE_GET_REG32
1824 
1825     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1826                        offset, ret);
1827 
1828     return ret;
1829 }
1830 
1831 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1832 {
1833 #define CASE_SET_REG24(name, addr) \
1834     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1835     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1836     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1837 
1838 #define CASE_SET_REG32(name, addr) \
1839     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1840     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1841     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1842     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1843 
1844     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1845                         offset, val);
1846 
1847     switch (offset) {
1848     case 0x00: /* SCNTL0 */
1849         s->scntl0 = val;
1850         if (val & LSI_SCNTL0_START) {
1851             qemu_log_mask(LOG_UNIMP,
1852                           "lsi_scsi: Start sequence not implemented\n");
1853         }
1854         break;
1855     case 0x01: /* SCNTL1 */
1856         s->scntl1 = val & ~LSI_SCNTL1_SST;
1857         if (val & LSI_SCNTL1_IARB) {
1858             qemu_log_mask(LOG_UNIMP,
1859                       "lsi_scsi: Immediate Arbritration not implemented\n");
1860         }
1861         if (val & LSI_SCNTL1_RST) {
1862             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1863                 qbus_reset_all(BUS(&s->bus));
1864                 s->sstat0 |= LSI_SSTAT0_RST;
1865                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1866             }
1867         } else {
1868             s->sstat0 &= ~LSI_SSTAT0_RST;
1869         }
1870         break;
1871     case 0x02: /* SCNTL2 */
1872         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1873         s->scntl2 = val;
1874         break;
1875     case 0x03: /* SCNTL3 */
1876         s->scntl3 = val;
1877         break;
1878     case 0x04: /* SCID */
1879         s->scid = val;
1880         break;
1881     case 0x05: /* SXFER */
1882         s->sxfer = val;
1883         break;
1884     case 0x06: /* SDID */
1885         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1886             qemu_log_mask(LOG_GUEST_ERROR,
1887                           "lsi_scsi: Destination ID does not match SSID\n");
1888         }
1889         s->sdid = val & 0xf;
1890         break;
1891     case 0x07: /* GPREG0 */
1892         break;
1893     case 0x08: /* SFBR */
1894         /* The CPU is not allowed to write to this register.  However the
1895            SCRIPTS register move instructions are.  */
1896         s->sfbr = val;
1897         break;
1898     case 0x0a: case 0x0b:
1899         /* Openserver writes to these readonly registers on startup */
1900         return;
1901     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1902         /* Linux writes to these readonly registers on startup.  */
1903         return;
1904     CASE_SET_REG32(dsa, 0x10)
1905     case 0x14: /* ISTAT0 */
1906         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1907         if (val & LSI_ISTAT0_ABRT) {
1908             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1909         }
1910         if (val & LSI_ISTAT0_INTF) {
1911             s->istat0 &= ~LSI_ISTAT0_INTF;
1912             lsi_update_irq(s);
1913         }
1914         if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1915             trace_lsi_awoken();
1916             s->waiting = LSI_NOWAIT;
1917             s->dsp = s->dnad;
1918             lsi_execute_script(s);
1919         }
1920         if (val & LSI_ISTAT0_SRST) {
1921             qdev_reset_all(DEVICE(s));
1922         }
1923         break;
1924     case 0x16: /* MBOX0 */
1925         s->mbox0 = val;
1926         break;
1927     case 0x17: /* MBOX1 */
1928         s->mbox1 = val;
1929         break;
1930     case 0x18: /* CTEST0 */
1931         /* nothing to do */
1932         break;
1933     case 0x1a: /* CTEST2 */
1934         s->ctest2 = val & LSI_CTEST2_PCICIE;
1935         break;
1936     case 0x1b: /* CTEST3 */
1937         s->ctest3 = val & 0x0f;
1938         break;
1939     CASE_SET_REG32(temp, 0x1c)
1940     case 0x21: /* CTEST4 */
1941         if (val & 7) {
1942             qemu_log_mask(LOG_UNIMP,
1943                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1944         }
1945         s->ctest4 = val;
1946         break;
1947     case 0x22: /* CTEST5 */
1948         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1949             qemu_log_mask(LOG_UNIMP,
1950                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1951         }
1952         s->ctest5 = val;
1953         break;
1954     CASE_SET_REG24(dbc, 0x24)
1955     CASE_SET_REG32(dnad, 0x28)
1956     case 0x2c: /* DSP[0:7] */
1957         s->dsp &= 0xffffff00;
1958         s->dsp |= val;
1959         break;
1960     case 0x2d: /* DSP[8:15] */
1961         s->dsp &= 0xffff00ff;
1962         s->dsp |= val << 8;
1963         break;
1964     case 0x2e: /* DSP[16:23] */
1965         s->dsp &= 0xff00ffff;
1966         s->dsp |= val << 16;
1967         break;
1968     case 0x2f: /* DSP[24:31] */
1969         s->dsp &= 0x00ffffff;
1970         s->dsp |= val << 24;
1971         if ((s->dmode & LSI_DMODE_MAN) == 0
1972             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1973             lsi_execute_script(s);
1974         break;
1975     CASE_SET_REG32(dsps, 0x30)
1976     CASE_SET_REG32(scratch[0], 0x34)
1977     case 0x38: /* DMODE */
1978         s->dmode = val;
1979         break;
1980     case 0x39: /* DIEN */
1981         s->dien = val;
1982         lsi_update_irq(s);
1983         break;
1984     case 0x3a: /* SBR */
1985         s->sbr = val;
1986         break;
1987     case 0x3b: /* DCNTL */
1988         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
1989         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1990             lsi_execute_script(s);
1991         break;
1992     case 0x40: /* SIEN0 */
1993         s->sien0 = val;
1994         lsi_update_irq(s);
1995         break;
1996     case 0x41: /* SIEN1 */
1997         s->sien1 = val;
1998         lsi_update_irq(s);
1999         break;
2000     case 0x47: /* GPCNTL0 */
2001         break;
2002     case 0x48: /* STIME0 */
2003         s->stime0 = val;
2004         break;
2005     case 0x49: /* STIME1 */
2006         if (val & 0xf) {
2007             qemu_log_mask(LOG_UNIMP,
2008                           "lsi_scsi: General purpose timer not implemented\n");
2009             /* ??? Raising the interrupt immediately seems to be sufficient
2010                to keep the FreeBSD driver happy.  */
2011             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2012         }
2013         break;
2014     case 0x4a: /* RESPID0 */
2015         s->respid0 = val;
2016         break;
2017     case 0x4b: /* RESPID1 */
2018         s->respid1 = val;
2019         break;
2020     case 0x4d: /* STEST1 */
2021         s->stest1 = val;
2022         break;
2023     case 0x4e: /* STEST2 */
2024         if (val & 1) {
2025             qemu_log_mask(LOG_UNIMP,
2026                           "lsi_scsi: Low level mode not implemented\n");
2027         }
2028         s->stest2 = val;
2029         break;
2030     case 0x4f: /* STEST3 */
2031         if (val & 0x41) {
2032             qemu_log_mask(LOG_UNIMP,
2033                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
2034         }
2035         s->stest3 = val;
2036         break;
2037     case 0x56: /* CCNTL0 */
2038         s->ccntl0 = val;
2039         break;
2040     case 0x57: /* CCNTL1 */
2041         s->ccntl1 = val;
2042         break;
2043     CASE_SET_REG32(mmrs, 0xa0)
2044     CASE_SET_REG32(mmws, 0xa4)
2045     CASE_SET_REG32(sfs, 0xa8)
2046     CASE_SET_REG32(drs, 0xac)
2047     CASE_SET_REG32(sbms, 0xb0)
2048     CASE_SET_REG32(dbms, 0xb4)
2049     CASE_SET_REG32(dnad64, 0xb8)
2050     CASE_SET_REG32(pmjad1, 0xc0)
2051     CASE_SET_REG32(pmjad2, 0xc4)
2052     CASE_SET_REG32(rbc, 0xc8)
2053     CASE_SET_REG32(ua, 0xcc)
2054     CASE_SET_REG32(ia, 0xd4)
2055     CASE_SET_REG32(sbc, 0xd8)
2056     CASE_SET_REG32(csbc, 0xdc)
2057     default:
2058         if (offset >= 0x5c && offset < 0xa0) {
2059             int n;
2060             int shift;
2061             n = (offset - 0x58) >> 2;
2062             shift = (offset & 3) * 8;
2063             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2064         } else {
2065             qemu_log_mask(LOG_GUEST_ERROR,
2066                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2067                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2068                           offset, val);
2069         }
2070     }
2071 #undef CASE_SET_REG24
2072 #undef CASE_SET_REG32
2073 }
2074 
2075 static void lsi_mmio_write(void *opaque, hwaddr addr,
2076                            uint64_t val, unsigned size)
2077 {
2078     LSIState *s = opaque;
2079 
2080     lsi_reg_writeb(s, addr & 0xff, val);
2081 }
2082 
2083 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2084                               unsigned size)
2085 {
2086     LSIState *s = opaque;
2087     return lsi_reg_readb(s, addr & 0xff);
2088 }
2089 
2090 static const MemoryRegionOps lsi_mmio_ops = {
2091     .read = lsi_mmio_read,
2092     .write = lsi_mmio_write,
2093     .endianness = DEVICE_LITTLE_ENDIAN,
2094     .impl = {
2095         .min_access_size = 1,
2096         .max_access_size = 1,
2097     },
2098 };
2099 
2100 static void lsi_ram_write(void *opaque, hwaddr addr,
2101                           uint64_t val, unsigned size)
2102 {
2103     LSIState *s = opaque;
2104     stn_le_p(s->script_ram + addr, size, val);
2105 }
2106 
2107 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2108                              unsigned size)
2109 {
2110     LSIState *s = opaque;
2111     return ldn_le_p(s->script_ram + addr, size);
2112 }
2113 
2114 static const MemoryRegionOps lsi_ram_ops = {
2115     .read = lsi_ram_read,
2116     .write = lsi_ram_write,
2117     .endianness = DEVICE_LITTLE_ENDIAN,
2118 };
2119 
2120 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2121                             unsigned size)
2122 {
2123     LSIState *s = opaque;
2124     return lsi_reg_readb(s, addr & 0xff);
2125 }
2126 
2127 static void lsi_io_write(void *opaque, hwaddr addr,
2128                          uint64_t val, unsigned size)
2129 {
2130     LSIState *s = opaque;
2131     lsi_reg_writeb(s, addr & 0xff, val);
2132 }
2133 
2134 static const MemoryRegionOps lsi_io_ops = {
2135     .read = lsi_io_read,
2136     .write = lsi_io_write,
2137     .endianness = DEVICE_LITTLE_ENDIAN,
2138     .impl = {
2139         .min_access_size = 1,
2140         .max_access_size = 1,
2141     },
2142 };
2143 
2144 static void lsi_scsi_reset(DeviceState *dev)
2145 {
2146     LSIState *s = LSI53C895A(dev);
2147 
2148     lsi_soft_reset(s);
2149 }
2150 
2151 static int lsi_pre_save(void *opaque)
2152 {
2153     LSIState *s = opaque;
2154 
2155     if (s->current) {
2156         assert(s->current->dma_buf == NULL);
2157         assert(s->current->dma_len == 0);
2158     }
2159     assert(QTAILQ_EMPTY(&s->queue));
2160 
2161     return 0;
2162 }
2163 
2164 static int lsi_post_load(void *opaque, int version_id)
2165 {
2166     LSIState *s = opaque;
2167 
2168     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2169         return -EINVAL;
2170     }
2171 
2172     return 0;
2173 }
2174 
2175 static const VMStateDescription vmstate_lsi_scsi = {
2176     .name = "lsiscsi",
2177     .version_id = 1,
2178     .minimum_version_id = 0,
2179     .pre_save = lsi_pre_save,
2180     .post_load = lsi_post_load,
2181     .fields = (VMStateField[]) {
2182         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2183 
2184         VMSTATE_INT32(carry, LSIState),
2185         VMSTATE_INT32(status, LSIState),
2186         VMSTATE_INT32(msg_action, LSIState),
2187         VMSTATE_INT32(msg_len, LSIState),
2188         VMSTATE_BUFFER(msg, LSIState),
2189         VMSTATE_INT32(waiting, LSIState),
2190 
2191         VMSTATE_UINT32(dsa, LSIState),
2192         VMSTATE_UINT32(temp, LSIState),
2193         VMSTATE_UINT32(dnad, LSIState),
2194         VMSTATE_UINT32(dbc, LSIState),
2195         VMSTATE_UINT8(istat0, LSIState),
2196         VMSTATE_UINT8(istat1, LSIState),
2197         VMSTATE_UINT8(dcmd, LSIState),
2198         VMSTATE_UINT8(dstat, LSIState),
2199         VMSTATE_UINT8(dien, LSIState),
2200         VMSTATE_UINT8(sist0, LSIState),
2201         VMSTATE_UINT8(sist1, LSIState),
2202         VMSTATE_UINT8(sien0, LSIState),
2203         VMSTATE_UINT8(sien1, LSIState),
2204         VMSTATE_UINT8(mbox0, LSIState),
2205         VMSTATE_UINT8(mbox1, LSIState),
2206         VMSTATE_UINT8(dfifo, LSIState),
2207         VMSTATE_UINT8(ctest2, LSIState),
2208         VMSTATE_UINT8(ctest3, LSIState),
2209         VMSTATE_UINT8(ctest4, LSIState),
2210         VMSTATE_UINT8(ctest5, LSIState),
2211         VMSTATE_UINT8(ccntl0, LSIState),
2212         VMSTATE_UINT8(ccntl1, LSIState),
2213         VMSTATE_UINT32(dsp, LSIState),
2214         VMSTATE_UINT32(dsps, LSIState),
2215         VMSTATE_UINT8(dmode, LSIState),
2216         VMSTATE_UINT8(dcntl, LSIState),
2217         VMSTATE_UINT8(scntl0, LSIState),
2218         VMSTATE_UINT8(scntl1, LSIState),
2219         VMSTATE_UINT8(scntl2, LSIState),
2220         VMSTATE_UINT8(scntl3, LSIState),
2221         VMSTATE_UINT8(sstat0, LSIState),
2222         VMSTATE_UINT8(sstat1, LSIState),
2223         VMSTATE_UINT8(scid, LSIState),
2224         VMSTATE_UINT8(sxfer, LSIState),
2225         VMSTATE_UINT8(socl, LSIState),
2226         VMSTATE_UINT8(sdid, LSIState),
2227         VMSTATE_UINT8(ssid, LSIState),
2228         VMSTATE_UINT8(sfbr, LSIState),
2229         VMSTATE_UINT8(stest1, LSIState),
2230         VMSTATE_UINT8(stest2, LSIState),
2231         VMSTATE_UINT8(stest3, LSIState),
2232         VMSTATE_UINT8(sidl, LSIState),
2233         VMSTATE_UINT8(stime0, LSIState),
2234         VMSTATE_UINT8(respid0, LSIState),
2235         VMSTATE_UINT8(respid1, LSIState),
2236         VMSTATE_UINT8_V(sbcl, LSIState, 1),
2237         VMSTATE_UINT32(mmrs, LSIState),
2238         VMSTATE_UINT32(mmws, LSIState),
2239         VMSTATE_UINT32(sfs, LSIState),
2240         VMSTATE_UINT32(drs, LSIState),
2241         VMSTATE_UINT32(sbms, LSIState),
2242         VMSTATE_UINT32(dbms, LSIState),
2243         VMSTATE_UINT32(dnad64, LSIState),
2244         VMSTATE_UINT32(pmjad1, LSIState),
2245         VMSTATE_UINT32(pmjad2, LSIState),
2246         VMSTATE_UINT32(rbc, LSIState),
2247         VMSTATE_UINT32(ua, LSIState),
2248         VMSTATE_UINT32(ia, LSIState),
2249         VMSTATE_UINT32(sbc, LSIState),
2250         VMSTATE_UINT32(csbc, LSIState),
2251         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2252         VMSTATE_UINT8(sbr, LSIState),
2253 
2254         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2255         VMSTATE_END_OF_LIST()
2256     }
2257 };
2258 
2259 static const struct SCSIBusInfo lsi_scsi_info = {
2260     .tcq = true,
2261     .max_target = LSI_MAX_DEVS,
2262     .max_lun = 0,  /* LUN support is buggy */
2263 
2264     .transfer_data = lsi_transfer_data,
2265     .complete = lsi_command_complete,
2266     .cancel = lsi_request_cancelled
2267 };
2268 
2269 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2270 {
2271     LSIState *s = LSI53C895A(dev);
2272     DeviceState *d = DEVICE(dev);
2273     uint8_t *pci_conf;
2274 
2275     pci_conf = dev->config;
2276 
2277     /* PCI latency timer = 255 */
2278     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2279     /* Interrupt pin A */
2280     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2281 
2282     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2283                           "lsi-mmio", 0x400);
2284     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2285                           "lsi-ram", 0x2000);
2286     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2287                           "lsi-io", 256);
2288 
2289     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2290     qdev_init_gpio_out(d, &s->ext_irq, 1);
2291 
2292     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2293     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2294     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2295     QTAILQ_INIT(&s->queue);
2296 
2297     scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
2298 }
2299 
2300 static void lsi_scsi_unrealize(DeviceState *dev, Error **errp)
2301 {
2302     LSIState *s = LSI53C895A(dev);
2303 
2304     address_space_destroy(&s->pci_io_as);
2305 }
2306 
2307 static void lsi_class_init(ObjectClass *klass, void *data)
2308 {
2309     DeviceClass *dc = DEVICE_CLASS(klass);
2310     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2311 
2312     k->realize = lsi_scsi_realize;
2313     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2314     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2315     k->class_id = PCI_CLASS_STORAGE_SCSI;
2316     k->subsystem_id = 0x1000;
2317     dc->unrealize = lsi_scsi_unrealize;
2318     dc->reset = lsi_scsi_reset;
2319     dc->vmsd = &vmstate_lsi_scsi;
2320     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2321 }
2322 
2323 static const TypeInfo lsi_info = {
2324     .name          = TYPE_LSI53C895A,
2325     .parent        = TYPE_PCI_DEVICE,
2326     .instance_size = sizeof(LSIState),
2327     .class_init    = lsi_class_init,
2328     .interfaces = (InterfaceInfo[]) {
2329         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2330         { },
2331     },
2332 };
2333 
2334 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2335 {
2336     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2337 
2338     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2339 }
2340 
2341 static TypeInfo lsi53c810_info = {
2342     .name          = TYPE_LSI53C810,
2343     .parent        = TYPE_LSI53C895A,
2344     .class_init    = lsi53c810_class_init,
2345 };
2346 
2347 static void lsi53c895a_register_types(void)
2348 {
2349     type_register_static(&lsi_info);
2350     type_register_static(&lsi53c810_info);
2351 }
2352 
2353 type_init(lsi53c895a_register_types)
2354 
2355 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2356 {
2357     LSIState *s = LSI53C895A(lsi_dev);
2358 
2359     scsi_bus_legacy_handle_cmdline(&s->bus);
2360 }
2361