1 /* 2 * QEMU LSI53C895A SCSI Host Bus Adapter emulation 3 * 4 * Copyright (c) 2006 CodeSourcery. 5 * Written by Paul Brook 6 * 7 * This code is licensed under the LGPL. 8 */ 9 10 /* Note: 11 * LSI53C810 emulation is incorrect, in the sense that it supports 12 * features added in later evolutions. This should not be a problem, 13 * as well-behaved operating systems will not try to use them. 14 */ 15 16 #include "qemu/osdep.h" 17 18 #include "hw/irq.h" 19 #include "hw/pci/pci_device.h" 20 #include "hw/scsi/scsi.h" 21 #include "migration/vmstate.h" 22 #include "sysemu/dma.h" 23 #include "qemu/log.h" 24 #include "qemu/module.h" 25 #include "trace.h" 26 #include "qom/object.h" 27 28 static const char *names[] = { 29 "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG", 30 "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2", 31 "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17", 32 "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3", 33 "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD", 34 "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3", 35 "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3", 36 "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3", 37 "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL", 38 "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3", 39 "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57", 40 "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3", 41 }; 42 43 #define LSI_MAX_DEVS 7 44 45 #define LSI_SCNTL0_TRG 0x01 46 #define LSI_SCNTL0_AAP 0x02 47 #define LSI_SCNTL0_EPC 0x08 48 #define LSI_SCNTL0_WATN 0x10 49 #define LSI_SCNTL0_START 0x20 50 51 #define LSI_SCNTL1_SST 0x01 52 #define LSI_SCNTL1_IARB 0x02 53 #define LSI_SCNTL1_AESP 0x04 54 #define LSI_SCNTL1_RST 0x08 55 #define LSI_SCNTL1_CON 0x10 56 #define LSI_SCNTL1_DHP 0x20 57 #define LSI_SCNTL1_ADB 0x40 58 #define LSI_SCNTL1_EXC 0x80 59 60 #define LSI_SCNTL2_WSR 0x01 61 #define LSI_SCNTL2_VUE0 0x02 62 #define LSI_SCNTL2_VUE1 0x04 63 #define LSI_SCNTL2_WSS 0x08 64 #define LSI_SCNTL2_SLPHBEN 0x10 65 #define LSI_SCNTL2_SLPMD 0x20 66 #define LSI_SCNTL2_CHM 0x40 67 #define LSI_SCNTL2_SDU 0x80 68 69 #define LSI_ISTAT0_DIP 0x01 70 #define LSI_ISTAT0_SIP 0x02 71 #define LSI_ISTAT0_INTF 0x04 72 #define LSI_ISTAT0_CON 0x08 73 #define LSI_ISTAT0_SEM 0x10 74 #define LSI_ISTAT0_SIGP 0x20 75 #define LSI_ISTAT0_SRST 0x40 76 #define LSI_ISTAT0_ABRT 0x80 77 78 #define LSI_ISTAT1_SI 0x01 79 #define LSI_ISTAT1_SRUN 0x02 80 #define LSI_ISTAT1_FLSH 0x04 81 82 #define LSI_SSTAT0_SDP0 0x01 83 #define LSI_SSTAT0_RST 0x02 84 #define LSI_SSTAT0_WOA 0x04 85 #define LSI_SSTAT0_LOA 0x08 86 #define LSI_SSTAT0_AIP 0x10 87 #define LSI_SSTAT0_OLF 0x20 88 #define LSI_SSTAT0_ORF 0x40 89 #define LSI_SSTAT0_ILF 0x80 90 91 #define LSI_SIST0_PAR 0x01 92 #define LSI_SIST0_RST 0x02 93 #define LSI_SIST0_UDC 0x04 94 #define LSI_SIST0_SGE 0x08 95 #define LSI_SIST0_RSL 0x10 96 #define LSI_SIST0_SEL 0x20 97 #define LSI_SIST0_CMP 0x40 98 #define LSI_SIST0_MA 0x80 99 100 #define LSI_SIST1_HTH 0x01 101 #define LSI_SIST1_GEN 0x02 102 #define LSI_SIST1_STO 0x04 103 #define LSI_SIST1_SBMC 0x10 104 105 #define LSI_SOCL_IO 0x01 106 #define LSI_SOCL_CD 0x02 107 #define LSI_SOCL_MSG 0x04 108 #define LSI_SOCL_ATN 0x08 109 #define LSI_SOCL_SEL 0x10 110 #define LSI_SOCL_BSY 0x20 111 #define LSI_SOCL_ACK 0x40 112 #define LSI_SOCL_REQ 0x80 113 114 #define LSI_DSTAT_IID 0x01 115 #define LSI_DSTAT_SIR 0x04 116 #define LSI_DSTAT_SSI 0x08 117 #define LSI_DSTAT_ABRT 0x10 118 #define LSI_DSTAT_BF 0x20 119 #define LSI_DSTAT_MDPE 0x40 120 #define LSI_DSTAT_DFE 0x80 121 122 #define LSI_DCNTL_COM 0x01 123 #define LSI_DCNTL_IRQD 0x02 124 #define LSI_DCNTL_STD 0x04 125 #define LSI_DCNTL_IRQM 0x08 126 #define LSI_DCNTL_SSM 0x10 127 #define LSI_DCNTL_PFEN 0x20 128 #define LSI_DCNTL_PFF 0x40 129 #define LSI_DCNTL_CLSE 0x80 130 131 #define LSI_DMODE_MAN 0x01 132 #define LSI_DMODE_BOF 0x02 133 #define LSI_DMODE_ERMP 0x04 134 #define LSI_DMODE_ERL 0x08 135 #define LSI_DMODE_DIOM 0x10 136 #define LSI_DMODE_SIOM 0x20 137 138 #define LSI_CTEST2_DACK 0x01 139 #define LSI_CTEST2_DREQ 0x02 140 #define LSI_CTEST2_TEOP 0x04 141 #define LSI_CTEST2_PCICIE 0x08 142 #define LSI_CTEST2_CM 0x10 143 #define LSI_CTEST2_CIO 0x20 144 #define LSI_CTEST2_SIGP 0x40 145 #define LSI_CTEST2_DDIR 0x80 146 147 #define LSI_CTEST5_BL2 0x04 148 #define LSI_CTEST5_DDIR 0x08 149 #define LSI_CTEST5_MASR 0x10 150 #define LSI_CTEST5_DFSN 0x20 151 #define LSI_CTEST5_BBCK 0x40 152 #define LSI_CTEST5_ADCK 0x80 153 154 #define LSI_CCNTL0_DILS 0x01 155 #define LSI_CCNTL0_DISFC 0x10 156 #define LSI_CCNTL0_ENNDJ 0x20 157 #define LSI_CCNTL0_PMJCTL 0x40 158 #define LSI_CCNTL0_ENPMJ 0x80 159 160 #define LSI_CCNTL1_EN64DBMV 0x01 161 #define LSI_CCNTL1_EN64TIBMV 0x02 162 #define LSI_CCNTL1_64TIMOD 0x04 163 #define LSI_CCNTL1_DDAC 0x08 164 #define LSI_CCNTL1_ZMOD 0x80 165 166 #define LSI_SBCL_ATN 0x08 167 #define LSI_SBCL_BSY 0x20 168 #define LSI_SBCL_ACK 0x40 169 #define LSI_SBCL_REQ 0x80 170 171 /* Enable Response to Reselection */ 172 #define LSI_SCID_RRE 0x60 173 174 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD) 175 176 #define PHASE_DO 0 177 #define PHASE_DI 1 178 #define PHASE_CMD 2 179 #define PHASE_ST 3 180 #define PHASE_MO 6 181 #define PHASE_MI 7 182 #define PHASE_MASK 7 183 184 /* Maximum length of MSG IN data. */ 185 #define LSI_MAX_MSGIN_LEN 8 186 187 /* Flag set if this is a tagged command. */ 188 #define LSI_TAG_VALID (1 << 16) 189 190 /* Maximum instructions to process. */ 191 #define LSI_MAX_INSN 100 192 193 typedef struct lsi_request { 194 SCSIRequest *req; 195 uint32_t tag; 196 uint32_t dma_len; 197 uint8_t *dma_buf; 198 uint32_t pending; 199 int out; 200 QTAILQ_ENTRY(lsi_request) next; 201 } lsi_request; 202 203 enum { 204 LSI_NOWAIT, /* SCRIPTS are running or stopped */ 205 LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */ 206 LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */ 207 LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */ 208 LSI_WAIT_SCRIPTS, /* SCRIPTS stopped because of instruction count limit */ 209 }; 210 211 enum { 212 LSI_MSG_ACTION_COMMAND = 0, 213 LSI_MSG_ACTION_DISCONNECT = 1, 214 LSI_MSG_ACTION_DOUT = 2, 215 LSI_MSG_ACTION_DIN = 3, 216 }; 217 218 struct LSIState { 219 /*< private >*/ 220 PCIDevice parent_obj; 221 /*< public >*/ 222 223 qemu_irq ext_irq; 224 MemoryRegion mmio_io; 225 MemoryRegion ram_io; 226 MemoryRegion io_io; 227 AddressSpace pci_io_as; 228 QEMUTimer *scripts_timer; 229 230 int carry; /* ??? Should this be in a visible register somewhere? */ 231 int status; 232 int msg_action; 233 int msg_len; 234 uint8_t msg[LSI_MAX_MSGIN_LEN]; 235 int waiting; 236 SCSIBus bus; 237 int current_lun; 238 /* The tag is a combination of the device ID and the SCSI tag. */ 239 uint32_t select_tag; 240 int command_complete; 241 QTAILQ_HEAD(, lsi_request) queue; 242 lsi_request *current; 243 244 uint32_t dsa; 245 uint32_t temp; 246 uint32_t dnad; 247 uint32_t dbc; 248 uint8_t istat0; 249 uint8_t istat1; 250 uint8_t dcmd; 251 uint8_t dstat; 252 uint8_t dien; 253 uint8_t sist0; 254 uint8_t sist1; 255 uint8_t sien0; 256 uint8_t sien1; 257 uint8_t mbox0; 258 uint8_t mbox1; 259 uint8_t dfifo; 260 uint8_t ctest2; 261 uint8_t ctest3; 262 uint8_t ctest4; 263 uint8_t ctest5; 264 uint8_t ccntl0; 265 uint8_t ccntl1; 266 uint32_t dsp; 267 uint32_t dsps; 268 uint8_t dmode; 269 uint8_t dcntl; 270 uint8_t scntl0; 271 uint8_t scntl1; 272 uint8_t scntl2; 273 uint8_t scntl3; 274 uint8_t sstat0; 275 uint8_t sstat1; 276 uint8_t scid; 277 uint8_t sxfer; 278 uint8_t socl; 279 uint8_t sdid; 280 uint8_t ssid; 281 uint8_t sfbr; 282 uint8_t sbcl; 283 uint8_t stest1; 284 uint8_t stest2; 285 uint8_t stest3; 286 uint8_t sidl; 287 uint8_t stime0; 288 uint8_t respid0; 289 uint8_t respid1; 290 uint32_t mmrs; 291 uint32_t mmws; 292 uint32_t sfs; 293 uint32_t drs; 294 uint32_t sbms; 295 uint32_t dbms; 296 uint32_t dnad64; 297 uint32_t pmjad1; 298 uint32_t pmjad2; 299 uint32_t rbc; 300 uint32_t ua; 301 uint32_t ia; 302 uint32_t sbc; 303 uint32_t csbc; 304 uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */ 305 uint8_t sbr; 306 uint32_t adder; 307 308 uint8_t script_ram[2048 * sizeof(uint32_t)]; 309 }; 310 311 #define TYPE_LSI53C810 "lsi53c810" 312 #define TYPE_LSI53C895A "lsi53c895a" 313 314 OBJECT_DECLARE_SIMPLE_TYPE(LSIState, LSI53C895A) 315 316 static const char *scsi_phases[] = { 317 "DOUT", 318 "DIN", 319 "CMD", 320 "STATUS", 321 "RSVOUT", 322 "RSVIN", 323 "MSGOUT", 324 "MSGIN" 325 }; 326 327 static const char *scsi_phase_name(int phase) 328 { 329 return scsi_phases[phase & PHASE_MASK]; 330 } 331 332 static inline int lsi_irq_on_rsl(LSIState *s) 333 { 334 return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE); 335 } 336 337 static lsi_request *get_pending_req(LSIState *s) 338 { 339 lsi_request *p; 340 341 QTAILQ_FOREACH(p, &s->queue, next) { 342 if (p->pending) { 343 return p; 344 } 345 } 346 return NULL; 347 } 348 349 static void lsi_soft_reset(LSIState *s) 350 { 351 trace_lsi_reset(); 352 s->carry = 0; 353 354 s->msg_action = LSI_MSG_ACTION_COMMAND; 355 s->msg_len = 0; 356 s->waiting = LSI_NOWAIT; 357 s->dsa = 0; 358 s->dnad = 0; 359 s->dbc = 0; 360 s->temp = 0; 361 memset(s->scratch, 0, sizeof(s->scratch)); 362 s->istat0 = 0; 363 s->istat1 = 0; 364 s->dcmd = 0x40; 365 s->dstat = 0; 366 s->dien = 0; 367 s->sist0 = 0; 368 s->sist1 = 0; 369 s->sien0 = 0; 370 s->sien1 = 0; 371 s->mbox0 = 0; 372 s->mbox1 = 0; 373 s->dfifo = 0; 374 s->ctest2 = LSI_CTEST2_DACK; 375 s->ctest3 = 0; 376 s->ctest4 = 0; 377 s->ctest5 = 0; 378 s->ccntl0 = 0; 379 s->ccntl1 = 0; 380 s->dsp = 0; 381 s->dsps = 0; 382 s->dmode = 0; 383 s->dcntl = 0; 384 s->scntl0 = 0xc0; 385 s->scntl1 = 0; 386 s->scntl2 = 0; 387 s->scntl3 = 0; 388 s->sstat0 = 0; 389 s->sstat1 = 0; 390 s->scid = 7; 391 s->sxfer = 0; 392 s->socl = 0; 393 s->sdid = 0; 394 s->ssid = 0; 395 s->sbcl = 0; 396 s->stest1 = 0; 397 s->stest2 = 0; 398 s->stest3 = 0; 399 s->sidl = 0; 400 s->stime0 = 0; 401 s->respid0 = 0x80; 402 s->respid1 = 0; 403 s->mmrs = 0; 404 s->mmws = 0; 405 s->sfs = 0; 406 s->drs = 0; 407 s->sbms = 0; 408 s->dbms = 0; 409 s->dnad64 = 0; 410 s->pmjad1 = 0; 411 s->pmjad2 = 0; 412 s->rbc = 0; 413 s->ua = 0; 414 s->ia = 0; 415 s->sbc = 0; 416 s->csbc = 0; 417 s->sbr = 0; 418 assert(QTAILQ_EMPTY(&s->queue)); 419 assert(!s->current); 420 timer_del(s->scripts_timer); 421 } 422 423 static int lsi_dma_40bit(LSIState *s) 424 { 425 if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT) 426 return 1; 427 return 0; 428 } 429 430 static int lsi_dma_ti64bit(LSIState *s) 431 { 432 if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV) 433 return 1; 434 return 0; 435 } 436 437 static int lsi_dma_64bit(LSIState *s) 438 { 439 if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV) 440 return 1; 441 return 0; 442 } 443 444 static uint8_t lsi_reg_readb(LSIState *s, int offset); 445 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val); 446 static void lsi_execute_script(LSIState *s); 447 static void lsi_reselect(LSIState *s, lsi_request *p); 448 449 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr, 450 void *buf, dma_addr_t len) 451 { 452 if (s->dmode & LSI_DMODE_SIOM) { 453 address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED, 454 buf, len); 455 } else { 456 pci_dma_read(PCI_DEVICE(s), addr, buf, len); 457 } 458 } 459 460 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr, 461 const void *buf, dma_addr_t len) 462 { 463 if (s->dmode & LSI_DMODE_DIOM) { 464 address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED, 465 buf, len); 466 } else { 467 pci_dma_write(PCI_DEVICE(s), addr, buf, len); 468 } 469 } 470 471 static inline uint32_t read_dword(LSIState *s, uint32_t addr) 472 { 473 uint32_t buf; 474 475 pci_dma_read(PCI_DEVICE(s), addr, &buf, 4); 476 return cpu_to_le32(buf); 477 } 478 479 static void lsi_stop_script(LSIState *s) 480 { 481 s->istat1 &= ~LSI_ISTAT1_SRUN; 482 } 483 484 static void lsi_set_irq(LSIState *s, int level) 485 { 486 PCIDevice *d = PCI_DEVICE(s); 487 488 if (s->ext_irq) { 489 qemu_set_irq(s->ext_irq, level); 490 } else { 491 pci_set_irq(d, level); 492 } 493 } 494 495 static void lsi_update_irq(LSIState *s) 496 { 497 int level; 498 static int last_level; 499 500 /* It's unclear whether the DIP/SIP bits should be cleared when the 501 Interrupt Status Registers are cleared or when istat0 is read. 502 We currently do the formwer, which seems to work. */ 503 level = 0; 504 if (s->dstat) { 505 if (s->dstat & s->dien) 506 level = 1; 507 s->istat0 |= LSI_ISTAT0_DIP; 508 } else { 509 s->istat0 &= ~LSI_ISTAT0_DIP; 510 } 511 512 if (s->sist0 || s->sist1) { 513 if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1)) 514 level = 1; 515 s->istat0 |= LSI_ISTAT0_SIP; 516 } else { 517 s->istat0 &= ~LSI_ISTAT0_SIP; 518 } 519 if (s->istat0 & LSI_ISTAT0_INTF) 520 level = 1; 521 522 if (level != last_level) { 523 trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0); 524 last_level = level; 525 } 526 lsi_set_irq(s, level); 527 528 if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) { 529 lsi_request *p; 530 531 trace_lsi_update_irq_disconnected(); 532 p = get_pending_req(s); 533 if (p) { 534 lsi_reselect(s, p); 535 } 536 } 537 } 538 539 /* Stop SCRIPTS execution and raise a SCSI interrupt. */ 540 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1) 541 { 542 uint32_t mask0; 543 uint32_t mask1; 544 545 trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0); 546 s->sist0 |= stat0; 547 s->sist1 |= stat1; 548 /* Stop processor on fatal or unmasked interrupt. As a special hack 549 we don't stop processing when raising STO. Instead continue 550 execution and stop at the next insn that accesses the SCSI bus. */ 551 mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL); 552 mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH); 553 mask1 &= ~LSI_SIST1_STO; 554 if (s->sist0 & mask0 || s->sist1 & mask1) { 555 lsi_stop_script(s); 556 } 557 lsi_update_irq(s); 558 } 559 560 /* Stop SCRIPTS execution and raise a DMA interrupt. */ 561 static void lsi_script_dma_interrupt(LSIState *s, int stat) 562 { 563 trace_lsi_script_dma_interrupt(stat, s->dstat); 564 s->dstat |= stat; 565 lsi_update_irq(s); 566 lsi_stop_script(s); 567 } 568 569 static inline void lsi_set_phase(LSIState *s, int phase) 570 { 571 s->sbcl &= ~PHASE_MASK; 572 s->sbcl |= phase | LSI_SBCL_REQ; 573 s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase; 574 } 575 576 static int lsi_bad_phase(LSIState *s, int out, int new_phase) 577 { 578 int ret = 0; 579 /* Trigger a phase mismatch. */ 580 if (s->ccntl0 & LSI_CCNTL0_ENPMJ) { 581 if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) { 582 s->dsp = out ? s->pmjad1 : s->pmjad2; 583 } else { 584 s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1); 585 } 586 trace_lsi_bad_phase_jump(s->dsp); 587 } else { 588 trace_lsi_bad_phase_interrupt(); 589 lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0); 590 lsi_stop_script(s); 591 ret = 1; 592 } 593 lsi_set_phase(s, new_phase); 594 return ret; 595 } 596 597 598 /* Resume SCRIPTS execution after a DMA operation. */ 599 static void lsi_resume_script(LSIState *s) 600 { 601 if (s->waiting != 2) { 602 s->waiting = LSI_NOWAIT; 603 lsi_execute_script(s); 604 } else { 605 s->waiting = LSI_NOWAIT; 606 } 607 } 608 609 static void lsi_disconnect(LSIState *s) 610 { 611 s->scntl1 &= ~LSI_SCNTL1_CON; 612 s->sstat1 &= ~PHASE_MASK; 613 s->sbcl = 0; 614 } 615 616 static void lsi_bad_selection(LSIState *s, uint32_t id) 617 { 618 trace_lsi_bad_selection(id); 619 lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO); 620 lsi_disconnect(s); 621 } 622 623 /* Initiate a SCSI layer data transfer. */ 624 static void lsi_do_dma(LSIState *s, int out) 625 { 626 uint32_t count; 627 dma_addr_t addr; 628 SCSIDevice *dev; 629 630 if (!s->current || !s->current->dma_len) { 631 /* Wait until data is available. */ 632 trace_lsi_do_dma_unavailable(); 633 return; 634 } 635 636 dev = s->current->req->dev; 637 assert(dev); 638 639 count = s->dbc; 640 if (count > s->current->dma_len) 641 count = s->current->dma_len; 642 643 addr = s->dnad; 644 /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */ 645 if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s)) 646 addr |= ((uint64_t)s->dnad64 << 32); 647 else if (s->dbms) 648 addr |= ((uint64_t)s->dbms << 32); 649 else if (s->sbms) 650 addr |= ((uint64_t)s->sbms << 32); 651 652 trace_lsi_do_dma(addr, count); 653 s->csbc += count; 654 s->dnad += count; 655 s->dbc -= count; 656 if (s->current->dma_buf == NULL) { 657 s->current->dma_buf = scsi_req_get_buf(s->current->req); 658 } 659 /* ??? Set SFBR to first data byte. */ 660 if (out) { 661 lsi_mem_read(s, addr, s->current->dma_buf, count); 662 } else { 663 lsi_mem_write(s, addr, s->current->dma_buf, count); 664 } 665 s->current->dma_len -= count; 666 if (s->current->dma_len == 0) { 667 s->current->dma_buf = NULL; 668 scsi_req_continue(s->current->req); 669 } else { 670 s->current->dma_buf += count; 671 lsi_resume_script(s); 672 } 673 } 674 675 676 /* Add a command to the queue. */ 677 static void lsi_queue_command(LSIState *s) 678 { 679 lsi_request *p = s->current; 680 681 trace_lsi_queue_command(p->tag); 682 assert(s->current != NULL); 683 assert(s->current->dma_len == 0); 684 QTAILQ_INSERT_TAIL(&s->queue, s->current, next); 685 s->current = NULL; 686 687 p->pending = 0; 688 p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO; 689 } 690 691 /* Queue a byte for a MSG IN phase. */ 692 static void lsi_add_msg_byte(LSIState *s, uint8_t data) 693 { 694 if (s->msg_len >= LSI_MAX_MSGIN_LEN) { 695 trace_lsi_add_msg_byte_error(); 696 } else { 697 trace_lsi_add_msg_byte(data); 698 s->msg[s->msg_len++] = data; 699 } 700 } 701 702 /* Perform reselection to continue a command. */ 703 static void lsi_reselect(LSIState *s, lsi_request *p) 704 { 705 int id; 706 707 assert(s->current == NULL); 708 QTAILQ_REMOVE(&s->queue, p, next); 709 s->current = p; 710 711 id = (p->tag >> 8) & 0xf; 712 s->ssid = id | 0x80; 713 /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */ 714 if (!(s->dcntl & LSI_DCNTL_COM)) { 715 s->sfbr = 1 << (id & 0x7); 716 } 717 trace_lsi_reselect(id); 718 s->scntl1 |= LSI_SCNTL1_CON; 719 lsi_set_phase(s, PHASE_MI); 720 s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN; 721 s->current->dma_len = p->pending; 722 lsi_add_msg_byte(s, 0x80); 723 if (s->current->tag & LSI_TAG_VALID) { 724 lsi_add_msg_byte(s, 0x20); 725 lsi_add_msg_byte(s, p->tag & 0xff); 726 } 727 728 if (lsi_irq_on_rsl(s)) { 729 lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0); 730 } 731 } 732 733 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag) 734 { 735 lsi_request *p; 736 737 QTAILQ_FOREACH(p, &s->queue, next) { 738 if (p->tag == tag) { 739 return p; 740 } 741 } 742 743 return NULL; 744 } 745 746 static void lsi_request_free(LSIState *s, lsi_request *p) 747 { 748 if (p == s->current) { 749 s->current = NULL; 750 } else { 751 QTAILQ_REMOVE(&s->queue, p, next); 752 } 753 g_free(p); 754 } 755 756 static void lsi_request_cancelled(SCSIRequest *req) 757 { 758 LSIState *s = LSI53C895A(req->bus->qbus.parent); 759 lsi_request *p = req->hba_private; 760 761 req->hba_private = NULL; 762 lsi_request_free(s, p); 763 scsi_req_unref(req); 764 } 765 766 /* Record that data is available for a queued command. Returns zero if 767 the device was reselected, nonzero if the IO is deferred. */ 768 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len) 769 { 770 lsi_request *p = req->hba_private; 771 772 if (p->pending) { 773 trace_lsi_queue_req_error(p); 774 } 775 p->pending = len; 776 /* Reselect if waiting for it, or if reselection triggers an IRQ 777 and the bus is free. 778 Since no interrupt stacking is implemented in the emulation, it 779 is also required that there are no pending interrupts waiting 780 for service from the device driver. */ 781 if (s->waiting == LSI_WAIT_RESELECT || 782 (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) && 783 !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) { 784 /* Reselect device. */ 785 lsi_reselect(s, p); 786 return 0; 787 } else { 788 trace_lsi_queue_req(p->tag); 789 p->pending = len; 790 return 1; 791 } 792 } 793 794 /* Callback to indicate that the SCSI layer has completed a command. */ 795 static void lsi_command_complete(SCSIRequest *req, size_t resid) 796 { 797 LSIState *s = LSI53C895A(req->bus->qbus.parent); 798 int out, stop = 0; 799 800 out = (s->sstat1 & PHASE_MASK) == PHASE_DO; 801 trace_lsi_command_complete(req->status); 802 s->status = req->status; 803 s->command_complete = 2; 804 if (s->waiting && s->dbc != 0) { 805 /* Raise phase mismatch for short transfers. */ 806 stop = lsi_bad_phase(s, out, PHASE_ST); 807 if (stop) { 808 s->waiting = 0; 809 } 810 } else { 811 lsi_set_phase(s, PHASE_ST); 812 } 813 814 if (req->hba_private == s->current) { 815 req->hba_private = NULL; 816 lsi_request_free(s, s->current); 817 scsi_req_unref(req); 818 } 819 if (!stop) { 820 lsi_resume_script(s); 821 } 822 } 823 824 /* Callback to indicate that the SCSI layer has completed a transfer. */ 825 static void lsi_transfer_data(SCSIRequest *req, uint32_t len) 826 { 827 LSIState *s = LSI53C895A(req->bus->qbus.parent); 828 int out; 829 830 assert(req->hba_private); 831 if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current || 832 (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) { 833 if (lsi_queue_req(s, req, len)) { 834 return; 835 } 836 } 837 838 out = (s->sstat1 & PHASE_MASK) == PHASE_DO; 839 840 /* host adapter (re)connected */ 841 trace_lsi_transfer_data(req->tag, len); 842 s->current->dma_len = len; 843 s->command_complete = 1; 844 if (s->waiting) { 845 if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) { 846 lsi_resume_script(s); 847 } else { 848 lsi_do_dma(s, out); 849 } 850 } 851 } 852 853 static void lsi_do_command(LSIState *s) 854 { 855 SCSIDevice *dev; 856 uint8_t buf[16]; 857 uint32_t id; 858 int n; 859 860 trace_lsi_do_command(s->dbc); 861 if (s->dbc > 16) 862 s->dbc = 16; 863 pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc); 864 s->sfbr = buf[0]; 865 s->command_complete = 0; 866 867 id = (s->select_tag >> 8) & 0xf; 868 dev = scsi_device_find(&s->bus, 0, id, s->current_lun); 869 if (!dev) { 870 lsi_bad_selection(s, id); 871 return; 872 } 873 874 assert(s->current == NULL); 875 s->current = g_new0(lsi_request, 1); 876 s->current->tag = s->select_tag; 877 s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf, 878 s->dbc, s->current); 879 880 n = scsi_req_enqueue(s->current->req); 881 if (n) { 882 if (n > 0) { 883 lsi_set_phase(s, PHASE_DI); 884 } else if (n < 0) { 885 lsi_set_phase(s, PHASE_DO); 886 } 887 scsi_req_continue(s->current->req); 888 } 889 if (!s->command_complete) { 890 if (n) { 891 /* Command did not complete immediately so disconnect. */ 892 lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */ 893 lsi_add_msg_byte(s, 4); /* DISCONNECT */ 894 /* wait data */ 895 lsi_set_phase(s, PHASE_MI); 896 s->msg_action = LSI_MSG_ACTION_DISCONNECT; 897 lsi_queue_command(s); 898 } else { 899 /* wait command complete */ 900 lsi_set_phase(s, PHASE_DI); 901 } 902 } 903 } 904 905 static void lsi_do_status(LSIState *s) 906 { 907 uint8_t status; 908 trace_lsi_do_status(s->dbc, s->status); 909 if (s->dbc != 1) { 910 trace_lsi_do_status_error(); 911 } 912 s->dbc = 1; 913 status = s->status; 914 s->sfbr = status; 915 pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1); 916 lsi_set_phase(s, PHASE_MI); 917 s->msg_action = LSI_MSG_ACTION_DISCONNECT; 918 lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */ 919 } 920 921 static void lsi_do_msgin(LSIState *s) 922 { 923 uint8_t len; 924 trace_lsi_do_msgin(s->dbc, s->msg_len); 925 s->sfbr = s->msg[0]; 926 len = s->msg_len; 927 assert(len > 0 && len <= LSI_MAX_MSGIN_LEN); 928 if (len > s->dbc) 929 len = s->dbc; 930 pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len); 931 /* Linux drivers rely on the last byte being in the SIDL. */ 932 s->sidl = s->msg[len - 1]; 933 s->msg_len -= len; 934 if (s->msg_len) { 935 memmove(s->msg, s->msg + len, s->msg_len); 936 } else { 937 /* ??? Check if ATN (not yet implemented) is asserted and maybe 938 switch to PHASE_MO. */ 939 switch (s->msg_action) { 940 case LSI_MSG_ACTION_COMMAND: 941 lsi_set_phase(s, PHASE_CMD); 942 break; 943 case LSI_MSG_ACTION_DISCONNECT: 944 lsi_disconnect(s); 945 break; 946 case LSI_MSG_ACTION_DOUT: 947 lsi_set_phase(s, PHASE_DO); 948 break; 949 case LSI_MSG_ACTION_DIN: 950 lsi_set_phase(s, PHASE_DI); 951 break; 952 default: 953 abort(); 954 } 955 } 956 } 957 958 /* Read the next byte during a MSGOUT phase. */ 959 static uint8_t lsi_get_msgbyte(LSIState *s) 960 { 961 uint8_t data; 962 pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1); 963 s->dnad++; 964 s->dbc--; 965 return data; 966 } 967 968 /* Skip the next n bytes during a MSGOUT phase. */ 969 static void lsi_skip_msgbytes(LSIState *s, unsigned int n) 970 { 971 s->dnad += n; 972 s->dbc -= n; 973 } 974 975 static void lsi_do_msgout(LSIState *s) 976 { 977 uint8_t msg; 978 int len; 979 uint32_t current_tag; 980 lsi_request *current_req, *p, *p_next; 981 982 if (s->current) { 983 current_tag = s->current->tag; 984 current_req = s->current; 985 } else { 986 current_tag = s->select_tag; 987 current_req = lsi_find_by_tag(s, current_tag); 988 } 989 990 trace_lsi_do_msgout(s->dbc); 991 while (s->dbc) { 992 msg = lsi_get_msgbyte(s); 993 s->sfbr = msg; 994 995 switch (msg) { 996 case 0x04: 997 trace_lsi_do_msgout_disconnect(); 998 lsi_disconnect(s); 999 break; 1000 case 0x08: 1001 trace_lsi_do_msgout_noop(); 1002 lsi_set_phase(s, PHASE_CMD); 1003 break; 1004 case 0x01: 1005 len = lsi_get_msgbyte(s); 1006 msg = lsi_get_msgbyte(s); 1007 (void)len; /* avoid a warning about unused variable*/ 1008 trace_lsi_do_msgout_extended(msg, len); 1009 switch (msg) { 1010 case 1: 1011 trace_lsi_do_msgout_ignored("SDTR"); 1012 lsi_skip_msgbytes(s, 2); 1013 break; 1014 case 3: 1015 trace_lsi_do_msgout_ignored("WDTR"); 1016 lsi_skip_msgbytes(s, 1); 1017 break; 1018 case 4: 1019 trace_lsi_do_msgout_ignored("PPR"); 1020 lsi_skip_msgbytes(s, 5); 1021 break; 1022 default: 1023 goto bad; 1024 } 1025 break; 1026 case 0x20: /* SIMPLE queue */ 1027 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; 1028 trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff); 1029 break; 1030 case 0x21: /* HEAD of queue */ 1031 qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n"); 1032 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; 1033 break; 1034 case 0x22: /* ORDERED queue */ 1035 qemu_log_mask(LOG_UNIMP, 1036 "lsi_scsi: ORDERED queue not implemented\n"); 1037 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; 1038 break; 1039 case 0x0d: 1040 /* The ABORT TAG message clears the current I/O process only. */ 1041 trace_lsi_do_msgout_abort(current_tag); 1042 if (current_req && current_req->req) { 1043 scsi_req_cancel(current_req->req); 1044 current_req = NULL; 1045 } 1046 lsi_disconnect(s); 1047 break; 1048 case 0x06: 1049 case 0x0e: 1050 case 0x0c: 1051 /* The ABORT message clears all I/O processes for the selecting 1052 initiator on the specified logical unit of the target. */ 1053 if (msg == 0x06) { 1054 trace_lsi_do_msgout_abort(current_tag); 1055 } 1056 /* The CLEAR QUEUE message clears all I/O processes for all 1057 initiators on the specified logical unit of the target. */ 1058 if (msg == 0x0e) { 1059 trace_lsi_do_msgout_clearqueue(current_tag); 1060 } 1061 /* The BUS DEVICE RESET message clears all I/O processes for all 1062 initiators on all logical units of the target. */ 1063 if (msg == 0x0c) { 1064 trace_lsi_do_msgout_busdevicereset(current_tag); 1065 } 1066 1067 /* clear the current I/O process */ 1068 if (s->current) { 1069 scsi_req_cancel(s->current->req); 1070 current_req = NULL; 1071 } 1072 1073 /* As the current implemented devices scsi_disk and scsi_generic 1074 only support one LUN, we don't need to keep track of LUNs. 1075 Clearing I/O processes for other initiators could be possible 1076 for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX 1077 device, but this is currently not implemented (and seems not 1078 to be really necessary). So let's simply clear all queued 1079 commands for the current device: */ 1080 QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) { 1081 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) { 1082 scsi_req_cancel(p->req); 1083 } 1084 } 1085 1086 lsi_disconnect(s); 1087 break; 1088 default: 1089 if ((msg & 0x80) == 0) { 1090 goto bad; 1091 } 1092 s->current_lun = msg & 7; 1093 trace_lsi_do_msgout_select(s->current_lun); 1094 lsi_set_phase(s, PHASE_CMD); 1095 break; 1096 } 1097 } 1098 return; 1099 bad: 1100 qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg); 1101 lsi_set_phase(s, PHASE_MI); 1102 lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */ 1103 s->msg_action = LSI_MSG_ACTION_COMMAND; 1104 } 1105 1106 #define LSI_BUF_SIZE 4096 1107 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count) 1108 { 1109 int n; 1110 uint8_t buf[LSI_BUF_SIZE]; 1111 1112 trace_lsi_memcpy(dest, src, count); 1113 while (count) { 1114 n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count; 1115 lsi_mem_read(s, src, buf, n); 1116 lsi_mem_write(s, dest, buf, n); 1117 src += n; 1118 dest += n; 1119 count -= n; 1120 } 1121 } 1122 1123 static void lsi_wait_reselect(LSIState *s) 1124 { 1125 lsi_request *p; 1126 1127 trace_lsi_wait_reselect(); 1128 1129 if (s->current) { 1130 return; 1131 } 1132 p = get_pending_req(s); 1133 if (p) { 1134 lsi_reselect(s, p); 1135 } 1136 if (s->current == NULL) { 1137 s->waiting = LSI_WAIT_RESELECT; 1138 } 1139 } 1140 1141 static void lsi_scripts_timer_start(LSIState *s) 1142 { 1143 trace_lsi_scripts_timer_start(); 1144 timer_mod(s->scripts_timer, qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 500); 1145 } 1146 1147 static void lsi_execute_script(LSIState *s) 1148 { 1149 PCIDevice *pci_dev = PCI_DEVICE(s); 1150 uint32_t insn; 1151 uint32_t addr, addr_high; 1152 int opcode; 1153 int insn_processed = 0; 1154 static int reentrancy_level; 1155 1156 if (s->waiting == LSI_WAIT_SCRIPTS) { 1157 timer_del(s->scripts_timer); 1158 s->waiting = LSI_NOWAIT; 1159 } 1160 1161 reentrancy_level++; 1162 1163 s->istat1 |= LSI_ISTAT1_SRUN; 1164 again: 1165 /* 1166 * Some windows drivers make the device spin waiting for a memory location 1167 * to change. If we have executed more than LSI_MAX_INSN instructions then 1168 * assume this is the case and start a timer. Until the timer fires, the 1169 * host CPU has a chance to run and change the memory location. 1170 * 1171 * Another issue (CVE-2023-0330) can occur if the script is programmed to 1172 * trigger itself again and again. Avoid this problem by stopping after 1173 * being called multiple times in a reentrant way (8 is an arbitrary value 1174 * which should be enough for all valid use cases). 1175 */ 1176 if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { 1177 s->waiting = LSI_WAIT_SCRIPTS; 1178 lsi_scripts_timer_start(s); 1179 reentrancy_level--; 1180 return; 1181 } 1182 insn = read_dword(s, s->dsp); 1183 if (!insn) { 1184 /* If we receive an empty opcode increment the DSP by 4 bytes 1185 instead of 8 and execute the next opcode at that location */ 1186 s->dsp += 4; 1187 goto again; 1188 } 1189 addr = read_dword(s, s->dsp + 4); 1190 addr_high = 0; 1191 trace_lsi_execute_script(s->dsp, insn, addr); 1192 s->dsps = addr; 1193 s->dcmd = insn >> 24; 1194 s->dsp += 8; 1195 switch (insn >> 30) { 1196 case 0: /* Block move. */ 1197 if (s->sist1 & LSI_SIST1_STO) { 1198 trace_lsi_execute_script_blockmove_delayed(); 1199 lsi_stop_script(s); 1200 break; 1201 } 1202 s->dbc = insn & 0xffffff; 1203 s->rbc = s->dbc; 1204 /* ??? Set ESA. */ 1205 s->ia = s->dsp - 8; 1206 if (insn & (1 << 29)) { 1207 /* Indirect addressing. */ 1208 addr = read_dword(s, addr); 1209 } else if (insn & (1 << 28)) { 1210 uint32_t buf[2]; 1211 int32_t offset; 1212 /* Table indirect addressing. */ 1213 1214 /* 32-bit Table indirect */ 1215 offset = sextract32(addr, 0, 24); 1216 pci_dma_read(pci_dev, s->dsa + offset, buf, 8); 1217 /* byte count is stored in bits 0:23 only */ 1218 s->dbc = cpu_to_le32(buf[0]) & 0xffffff; 1219 s->rbc = s->dbc; 1220 addr = cpu_to_le32(buf[1]); 1221 1222 /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of 1223 * table, bits [31:24] */ 1224 if (lsi_dma_40bit(s)) 1225 addr_high = cpu_to_le32(buf[0]) >> 24; 1226 else if (lsi_dma_ti64bit(s)) { 1227 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f; 1228 switch (selector) { 1229 case 0 ... 0x0f: 1230 /* offset index into scratch registers since 1231 * TI64 mode can use registers C to R */ 1232 addr_high = s->scratch[2 + selector]; 1233 break; 1234 case 0x10: 1235 addr_high = s->mmrs; 1236 break; 1237 case 0x11: 1238 addr_high = s->mmws; 1239 break; 1240 case 0x12: 1241 addr_high = s->sfs; 1242 break; 1243 case 0x13: 1244 addr_high = s->drs; 1245 break; 1246 case 0x14: 1247 addr_high = s->sbms; 1248 break; 1249 case 0x15: 1250 addr_high = s->dbms; 1251 break; 1252 default: 1253 qemu_log_mask(LOG_GUEST_ERROR, 1254 "lsi_scsi: Illegal selector specified (0x%x > 0x15) " 1255 "for 64-bit DMA block move", selector); 1256 break; 1257 } 1258 } 1259 } else if (lsi_dma_64bit(s)) { 1260 /* fetch a 3rd dword if 64-bit direct move is enabled and 1261 only if we're not doing table indirect or indirect addressing */ 1262 s->dbms = read_dword(s, s->dsp); 1263 s->dsp += 4; 1264 s->ia = s->dsp - 12; 1265 } 1266 if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) { 1267 trace_lsi_execute_script_blockmove_badphase( 1268 scsi_phase_name(s->sstat1), 1269 scsi_phase_name(insn >> 24)); 1270 lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0); 1271 break; 1272 } 1273 s->dnad = addr; 1274 s->dnad64 = addr_high; 1275 switch (s->sstat1 & 0x7) { 1276 case PHASE_DO: 1277 s->waiting = LSI_DMA_SCRIPTS; 1278 lsi_do_dma(s, 1); 1279 if (s->waiting) 1280 s->waiting = LSI_DMA_IN_PROGRESS; 1281 break; 1282 case PHASE_DI: 1283 s->waiting = LSI_DMA_SCRIPTS; 1284 lsi_do_dma(s, 0); 1285 if (s->waiting) 1286 s->waiting = LSI_DMA_IN_PROGRESS; 1287 break; 1288 case PHASE_CMD: 1289 lsi_do_command(s); 1290 break; 1291 case PHASE_ST: 1292 lsi_do_status(s); 1293 break; 1294 case PHASE_MO: 1295 lsi_do_msgout(s); 1296 break; 1297 case PHASE_MI: 1298 lsi_do_msgin(s); 1299 break; 1300 default: 1301 qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n", 1302 scsi_phase_name(s->sstat1)); 1303 } 1304 s->dfifo = s->dbc & 0xff; 1305 s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3); 1306 s->sbc = s->dbc; 1307 s->rbc -= s->dbc; 1308 s->ua = addr + s->dbc; 1309 break; 1310 1311 case 1: /* IO or Read/Write instruction. */ 1312 opcode = (insn >> 27) & 7; 1313 if (opcode < 5) { 1314 uint32_t id; 1315 1316 if (insn & (1 << 25)) { 1317 id = read_dword(s, s->dsa + sextract32(insn, 0, 24)); 1318 } else { 1319 id = insn; 1320 } 1321 id = (id >> 16) & 0xf; 1322 if (insn & (1 << 26)) { 1323 addr = s->dsp + sextract32(addr, 0, 24); 1324 } 1325 s->dnad = addr; 1326 switch (opcode) { 1327 case 0: /* Select */ 1328 s->sdid = id; 1329 if (s->scntl1 & LSI_SCNTL1_CON) { 1330 trace_lsi_execute_script_io_alreadyreselected(); 1331 s->dsp = s->dnad; 1332 break; 1333 } 1334 s->sstat0 |= LSI_SSTAT0_WOA; 1335 s->scntl1 &= ~LSI_SCNTL1_IARB; 1336 if (!scsi_device_find(&s->bus, 0, id, 0)) { 1337 lsi_bad_selection(s, id); 1338 break; 1339 } 1340 trace_lsi_execute_script_io_selected(id, 1341 insn & (1 << 3) ? " ATN" : ""); 1342 /* ??? Linux drivers complain when this is set. Maybe 1343 it only applies in low-level mode (unimplemented). 1344 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */ 1345 s->select_tag = id << 8; 1346 s->scntl1 |= LSI_SCNTL1_CON; 1347 if (insn & (1 << 3)) { 1348 s->socl |= LSI_SOCL_ATN; 1349 s->sbcl |= LSI_SBCL_ATN; 1350 } 1351 s->sbcl |= LSI_SBCL_BSY; 1352 lsi_set_phase(s, PHASE_MO); 1353 s->waiting = LSI_NOWAIT; 1354 break; 1355 case 1: /* Disconnect */ 1356 trace_lsi_execute_script_io_disconnect(); 1357 s->scntl1 &= ~LSI_SCNTL1_CON; 1358 /* FIXME: this is not entirely correct; the target need not ask 1359 * for reselection until it has to send data, while here we force a 1360 * reselection as soon as the bus is free. The correct flow would 1361 * reselect before lsi_transfer_data and disconnect as soon as 1362 * DMA ends. 1363 */ 1364 if (!s->current) { 1365 lsi_request *p = get_pending_req(s); 1366 if (p) { 1367 lsi_reselect(s, p); 1368 } 1369 } 1370 break; 1371 case 2: /* Wait Reselect */ 1372 if (s->istat0 & LSI_ISTAT0_SIGP) { 1373 s->dsp = s->dnad; 1374 } else if (!lsi_irq_on_rsl(s)) { 1375 lsi_wait_reselect(s); 1376 } 1377 break; 1378 case 3: /* Set */ 1379 trace_lsi_execute_script_io_set( 1380 insn & (1 << 3) ? " ATN" : "", 1381 insn & (1 << 6) ? " ACK" : "", 1382 insn & (1 << 9) ? " TM" : "", 1383 insn & (1 << 10) ? " CC" : ""); 1384 if (insn & (1 << 3)) { 1385 s->socl |= LSI_SOCL_ATN; 1386 s->sbcl |= LSI_SBCL_ATN; 1387 lsi_set_phase(s, PHASE_MO); 1388 } 1389 1390 if (insn & (1 << 6)) { 1391 s->sbcl |= LSI_SBCL_ACK; 1392 } 1393 1394 if (insn & (1 << 9)) { 1395 qemu_log_mask(LOG_UNIMP, 1396 "lsi_scsi: Target mode not implemented\n"); 1397 } 1398 if (insn & (1 << 10)) 1399 s->carry = 1; 1400 break; 1401 case 4: /* Clear */ 1402 trace_lsi_execute_script_io_clear( 1403 insn & (1 << 3) ? " ATN" : "", 1404 insn & (1 << 6) ? " ACK" : "", 1405 insn & (1 << 9) ? " TM" : "", 1406 insn & (1 << 10) ? " CC" : ""); 1407 if (insn & (1 << 3)) { 1408 s->socl &= ~LSI_SOCL_ATN; 1409 s->sbcl &= ~LSI_SBCL_ATN; 1410 } 1411 1412 if (insn & (1 << 6)) { 1413 s->sbcl &= ~LSI_SBCL_ACK; 1414 } 1415 1416 if (insn & (1 << 10)) 1417 s->carry = 0; 1418 break; 1419 } 1420 } else { 1421 uint8_t op0; 1422 uint8_t op1; 1423 uint8_t data8; 1424 int reg; 1425 int operator; 1426 1427 static const char *opcode_names[3] = 1428 {"Write", "Read", "Read-Modify-Write"}; 1429 static const char *operator_names[8] = 1430 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"}; 1431 1432 reg = ((insn >> 16) & 0x7f) | (insn & 0x80); 1433 data8 = (insn >> 8) & 0xff; 1434 opcode = (insn >> 27) & 7; 1435 operator = (insn >> 24) & 7; 1436 trace_lsi_execute_script_io_opcode( 1437 opcode_names[opcode - 5], reg, 1438 operator_names[operator], data8, s->sfbr, 1439 (insn & (1 << 23)) ? " SFBR" : ""); 1440 op0 = op1 = 0; 1441 switch (opcode) { 1442 case 5: /* From SFBR */ 1443 op0 = s->sfbr; 1444 op1 = data8; 1445 break; 1446 case 6: /* To SFBR */ 1447 if (operator) 1448 op0 = lsi_reg_readb(s, reg); 1449 op1 = data8; 1450 break; 1451 case 7: /* Read-modify-write */ 1452 if (operator) 1453 op0 = lsi_reg_readb(s, reg); 1454 if (insn & (1 << 23)) { 1455 op1 = s->sfbr; 1456 } else { 1457 op1 = data8; 1458 } 1459 break; 1460 } 1461 1462 switch (operator) { 1463 case 0: /* move */ 1464 op0 = op1; 1465 break; 1466 case 1: /* Shift left */ 1467 op1 = op0 >> 7; 1468 op0 = (op0 << 1) | s->carry; 1469 s->carry = op1; 1470 break; 1471 case 2: /* OR */ 1472 op0 |= op1; 1473 break; 1474 case 3: /* XOR */ 1475 op0 ^= op1; 1476 break; 1477 case 4: /* AND */ 1478 op0 &= op1; 1479 break; 1480 case 5: /* SHR */ 1481 op1 = op0 & 1; 1482 op0 = (op0 >> 1) | (s->carry << 7); 1483 s->carry = op1; 1484 break; 1485 case 6: /* ADD */ 1486 op0 += op1; 1487 s->carry = op0 < op1; 1488 break; 1489 case 7: /* ADC */ 1490 op0 += op1 + s->carry; 1491 if (s->carry) 1492 s->carry = op0 <= op1; 1493 else 1494 s->carry = op0 < op1; 1495 break; 1496 } 1497 1498 switch (opcode) { 1499 case 5: /* From SFBR */ 1500 case 7: /* Read-modify-write */ 1501 lsi_reg_writeb(s, reg, op0); 1502 break; 1503 case 6: /* To SFBR */ 1504 s->sfbr = op0; 1505 break; 1506 } 1507 } 1508 break; 1509 1510 case 2: /* Transfer Control. */ 1511 { 1512 int cond; 1513 int jmp; 1514 1515 if ((insn & 0x002e0000) == 0) { 1516 trace_lsi_execute_script_tc_nop(); 1517 break; 1518 } 1519 if (s->sist1 & LSI_SIST1_STO) { 1520 trace_lsi_execute_script_tc_delayedselect_timeout(); 1521 lsi_stop_script(s); 1522 break; 1523 } 1524 cond = jmp = (insn & (1 << 19)) != 0; 1525 if (cond == jmp && (insn & (1 << 21))) { 1526 trace_lsi_execute_script_tc_compc(s->carry == jmp); 1527 cond = s->carry != 0; 1528 } 1529 if (cond == jmp && (insn & (1 << 17))) { 1530 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1), 1531 jmp ? '=' : '!', scsi_phase_name(insn >> 24)); 1532 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7); 1533 } 1534 if (cond == jmp && (insn & (1 << 18))) { 1535 uint8_t mask; 1536 1537 mask = (~insn >> 8) & 0xff; 1538 trace_lsi_execute_script_tc_compd( 1539 s->sfbr, mask, jmp ? '=' : '!', insn & mask); 1540 cond = (s->sfbr & mask) == (insn & mask); 1541 } 1542 if (cond == jmp) { 1543 if (insn & (1 << 23)) { 1544 /* Relative address. */ 1545 addr = s->dsp + sextract32(addr, 0, 24); 1546 } 1547 switch ((insn >> 27) & 7) { 1548 case 0: /* Jump */ 1549 trace_lsi_execute_script_tc_jump(addr); 1550 s->adder = addr; 1551 s->dsp = addr; 1552 break; 1553 case 1: /* Call */ 1554 trace_lsi_execute_script_tc_call(addr); 1555 s->temp = s->dsp; 1556 s->dsp = addr; 1557 break; 1558 case 2: /* Return */ 1559 trace_lsi_execute_script_tc_return(s->temp); 1560 s->dsp = s->temp; 1561 break; 1562 case 3: /* Interrupt */ 1563 trace_lsi_execute_script_tc_interrupt(s->dsps); 1564 if ((insn & (1 << 20)) != 0) { 1565 s->istat0 |= LSI_ISTAT0_INTF; 1566 lsi_update_irq(s); 1567 } else { 1568 lsi_script_dma_interrupt(s, LSI_DSTAT_SIR); 1569 } 1570 break; 1571 default: 1572 trace_lsi_execute_script_tc_illegal(); 1573 lsi_script_dma_interrupt(s, LSI_DSTAT_IID); 1574 break; 1575 } 1576 } else { 1577 trace_lsi_execute_script_tc_cc_failed(); 1578 } 1579 } 1580 break; 1581 1582 case 3: 1583 if ((insn & (1 << 29)) == 0) { 1584 /* Memory move. */ 1585 uint32_t dest; 1586 /* ??? The docs imply the destination address is loaded into 1587 the TEMP register. However the Linux drivers rely on 1588 the value being presrved. */ 1589 dest = read_dword(s, s->dsp); 1590 s->dsp += 4; 1591 lsi_memcpy(s, dest, addr, insn & 0xffffff); 1592 } else { 1593 uint8_t data[7]; 1594 int reg; 1595 int n; 1596 int i; 1597 1598 if (insn & (1 << 28)) { 1599 addr = s->dsa + sextract32(addr, 0, 24); 1600 } 1601 n = (insn & 7); 1602 reg = (insn >> 16) & 0xff; 1603 if (insn & (1 << 24)) { 1604 pci_dma_read(pci_dev, addr, data, n); 1605 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data); 1606 for (i = 0; i < n; i++) { 1607 lsi_reg_writeb(s, reg + i, data[i]); 1608 } 1609 } else { 1610 trace_lsi_execute_script_mm_store(reg, n, addr); 1611 for (i = 0; i < n; i++) { 1612 data[i] = lsi_reg_readb(s, reg + i); 1613 } 1614 pci_dma_write(pci_dev, addr, data, n); 1615 } 1616 } 1617 } 1618 if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) { 1619 if (s->dcntl & LSI_DCNTL_SSM) { 1620 lsi_script_dma_interrupt(s, LSI_DSTAT_SSI); 1621 } else { 1622 goto again; 1623 } 1624 } 1625 trace_lsi_execute_script_stop(); 1626 1627 reentrancy_level--; 1628 } 1629 1630 static uint8_t lsi_reg_readb(LSIState *s, int offset) 1631 { 1632 uint8_t ret; 1633 1634 #define CASE_GET_REG24(name, addr) \ 1635 case addr: ret = s->name & 0xff; break; \ 1636 case addr + 1: ret = (s->name >> 8) & 0xff; break; \ 1637 case addr + 2: ret = (s->name >> 16) & 0xff; break; 1638 1639 #define CASE_GET_REG32(name, addr) \ 1640 case addr: ret = s->name & 0xff; break; \ 1641 case addr + 1: ret = (s->name >> 8) & 0xff; break; \ 1642 case addr + 2: ret = (s->name >> 16) & 0xff; break; \ 1643 case addr + 3: ret = (s->name >> 24) & 0xff; break; 1644 1645 switch (offset) { 1646 case 0x00: /* SCNTL0 */ 1647 ret = s->scntl0; 1648 break; 1649 case 0x01: /* SCNTL1 */ 1650 ret = s->scntl1; 1651 break; 1652 case 0x02: /* SCNTL2 */ 1653 ret = s->scntl2; 1654 break; 1655 case 0x03: /* SCNTL3 */ 1656 ret = s->scntl3; 1657 break; 1658 case 0x04: /* SCID */ 1659 ret = s->scid; 1660 break; 1661 case 0x05: /* SXFER */ 1662 ret = s->sxfer; 1663 break; 1664 case 0x06: /* SDID */ 1665 ret = s->sdid; 1666 break; 1667 case 0x07: /* GPREG0 */ 1668 ret = 0x7f; 1669 break; 1670 case 0x08: /* Revision ID */ 1671 ret = 0x00; 1672 break; 1673 case 0x09: /* SOCL */ 1674 ret = s->socl; 1675 break; 1676 case 0xa: /* SSID */ 1677 ret = s->ssid; 1678 break; 1679 case 0xb: /* SBCL */ 1680 ret = s->sbcl; 1681 break; 1682 case 0xc: /* DSTAT */ 1683 ret = s->dstat | LSI_DSTAT_DFE; 1684 if ((s->istat0 & LSI_ISTAT0_INTF) == 0) 1685 s->dstat = 0; 1686 lsi_update_irq(s); 1687 break; 1688 case 0x0d: /* SSTAT0 */ 1689 ret = s->sstat0; 1690 break; 1691 case 0x0e: /* SSTAT1 */ 1692 ret = s->sstat1; 1693 break; 1694 case 0x0f: /* SSTAT2 */ 1695 ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2; 1696 break; 1697 CASE_GET_REG32(dsa, 0x10) 1698 case 0x14: /* ISTAT0 */ 1699 ret = s->istat0; 1700 break; 1701 case 0x15: /* ISTAT1 */ 1702 ret = s->istat1; 1703 break; 1704 case 0x16: /* MBOX0 */ 1705 ret = s->mbox0; 1706 break; 1707 case 0x17: /* MBOX1 */ 1708 ret = s->mbox1; 1709 break; 1710 case 0x18: /* CTEST0 */ 1711 ret = 0xff; 1712 break; 1713 case 0x19: /* CTEST1 */ 1714 ret = 0; 1715 break; 1716 case 0x1a: /* CTEST2 */ 1717 ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM; 1718 if (s->istat0 & LSI_ISTAT0_SIGP) { 1719 s->istat0 &= ~LSI_ISTAT0_SIGP; 1720 ret |= LSI_CTEST2_SIGP; 1721 } 1722 break; 1723 case 0x1b: /* CTEST3 */ 1724 ret = s->ctest3; 1725 break; 1726 CASE_GET_REG32(temp, 0x1c) 1727 case 0x20: /* DFIFO */ 1728 ret = s->dfifo; 1729 break; 1730 case 0x21: /* CTEST4 */ 1731 ret = s->ctest4; 1732 break; 1733 case 0x22: /* CTEST5 */ 1734 ret = s->ctest5; 1735 break; 1736 case 0x23: /* CTEST6 */ 1737 ret = 0; 1738 break; 1739 CASE_GET_REG24(dbc, 0x24) 1740 case 0x27: /* DCMD */ 1741 ret = s->dcmd; 1742 break; 1743 CASE_GET_REG32(dnad, 0x28) 1744 CASE_GET_REG32(dsp, 0x2c) 1745 CASE_GET_REG32(dsps, 0x30) 1746 CASE_GET_REG32(scratch[0], 0x34) 1747 case 0x38: /* DMODE */ 1748 ret = s->dmode; 1749 break; 1750 case 0x39: /* DIEN */ 1751 ret = s->dien; 1752 break; 1753 case 0x3a: /* SBR */ 1754 ret = s->sbr; 1755 break; 1756 case 0x3b: /* DCNTL */ 1757 ret = s->dcntl; 1758 break; 1759 /* ADDER Output (Debug of relative jump address) */ 1760 CASE_GET_REG32(adder, 0x3c) 1761 case 0x40: /* SIEN0 */ 1762 ret = s->sien0; 1763 break; 1764 case 0x41: /* SIEN1 */ 1765 ret = s->sien1; 1766 break; 1767 case 0x42: /* SIST0 */ 1768 ret = s->sist0; 1769 s->sist0 = 0; 1770 lsi_update_irq(s); 1771 break; 1772 case 0x43: /* SIST1 */ 1773 ret = s->sist1; 1774 s->sist1 = 0; 1775 lsi_update_irq(s); 1776 break; 1777 case 0x46: /* MACNTL */ 1778 ret = 0x0f; 1779 break; 1780 case 0x47: /* GPCNTL0 */ 1781 ret = 0x0f; 1782 break; 1783 case 0x48: /* STIME0 */ 1784 ret = s->stime0; 1785 break; 1786 case 0x4a: /* RESPID0 */ 1787 ret = s->respid0; 1788 break; 1789 case 0x4b: /* RESPID1 */ 1790 ret = s->respid1; 1791 break; 1792 case 0x4d: /* STEST1 */ 1793 ret = s->stest1; 1794 break; 1795 case 0x4e: /* STEST2 */ 1796 ret = s->stest2; 1797 break; 1798 case 0x4f: /* STEST3 */ 1799 ret = s->stest3; 1800 break; 1801 case 0x50: /* SIDL */ 1802 /* This is needed by the linux drivers. We currently only update it 1803 during the MSG IN phase. */ 1804 ret = s->sidl; 1805 break; 1806 case 0x52: /* STEST4 */ 1807 ret = 0xe0; 1808 break; 1809 case 0x56: /* CCNTL0 */ 1810 ret = s->ccntl0; 1811 break; 1812 case 0x57: /* CCNTL1 */ 1813 ret = s->ccntl1; 1814 break; 1815 case 0x58: /* SBDL */ 1816 /* Some drivers peek at the data bus during the MSG IN phase. */ 1817 if ((s->sstat1 & PHASE_MASK) == PHASE_MI) { 1818 assert(s->msg_len > 0); 1819 return s->msg[0]; 1820 } 1821 ret = 0; 1822 break; 1823 case 0x59: /* SBDL high */ 1824 ret = 0; 1825 break; 1826 CASE_GET_REG32(mmrs, 0xa0) 1827 CASE_GET_REG32(mmws, 0xa4) 1828 CASE_GET_REG32(sfs, 0xa8) 1829 CASE_GET_REG32(drs, 0xac) 1830 CASE_GET_REG32(sbms, 0xb0) 1831 CASE_GET_REG32(dbms, 0xb4) 1832 CASE_GET_REG32(dnad64, 0xb8) 1833 CASE_GET_REG32(pmjad1, 0xc0) 1834 CASE_GET_REG32(pmjad2, 0xc4) 1835 CASE_GET_REG32(rbc, 0xc8) 1836 CASE_GET_REG32(ua, 0xcc) 1837 CASE_GET_REG32(ia, 0xd4) 1838 CASE_GET_REG32(sbc, 0xd8) 1839 CASE_GET_REG32(csbc, 0xdc) 1840 case 0x5c ... 0x9f: 1841 { 1842 int n; 1843 int shift; 1844 n = (offset - 0x58) >> 2; 1845 shift = (offset & 3) * 8; 1846 ret = (s->scratch[n] >> shift) & 0xff; 1847 break; 1848 } 1849 default: 1850 { 1851 qemu_log_mask(LOG_GUEST_ERROR, 1852 "lsi_scsi: invalid read from reg %s %x\n", 1853 offset < ARRAY_SIZE(names) ? names[offset] : "???", 1854 offset); 1855 ret = 0xff; 1856 break; 1857 } 1858 } 1859 #undef CASE_GET_REG24 1860 #undef CASE_GET_REG32 1861 1862 trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???", 1863 offset, ret); 1864 1865 return ret; 1866 } 1867 1868 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val) 1869 { 1870 #define CASE_SET_REG24(name, addr) \ 1871 case addr : s->name &= 0xffffff00; s->name |= val; break; \ 1872 case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8; break; \ 1873 case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; 1874 1875 #define CASE_SET_REG32(name, addr) \ 1876 case addr : s->name &= 0xffffff00; s->name |= val; break; \ 1877 case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8; break; \ 1878 case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \ 1879 case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break; 1880 1881 trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???", 1882 offset, val); 1883 1884 switch (offset) { 1885 case 0x00: /* SCNTL0 */ 1886 s->scntl0 = val; 1887 if (val & LSI_SCNTL0_START) { 1888 qemu_log_mask(LOG_UNIMP, 1889 "lsi_scsi: Start sequence not implemented\n"); 1890 } 1891 break; 1892 case 0x01: /* SCNTL1 */ 1893 s->scntl1 = val & ~LSI_SCNTL1_SST; 1894 if (val & LSI_SCNTL1_IARB) { 1895 qemu_log_mask(LOG_UNIMP, 1896 "lsi_scsi: Immediate Arbritration not implemented\n"); 1897 } 1898 if (val & LSI_SCNTL1_RST) { 1899 if (!(s->sstat0 & LSI_SSTAT0_RST)) { 1900 bus_cold_reset(BUS(&s->bus)); 1901 s->sstat0 |= LSI_SSTAT0_RST; 1902 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0); 1903 } 1904 } else { 1905 s->sstat0 &= ~LSI_SSTAT0_RST; 1906 } 1907 break; 1908 case 0x02: /* SCNTL2 */ 1909 val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS); 1910 s->scntl2 = val; 1911 break; 1912 case 0x03: /* SCNTL3 */ 1913 s->scntl3 = val; 1914 break; 1915 case 0x04: /* SCID */ 1916 s->scid = val; 1917 break; 1918 case 0x05: /* SXFER */ 1919 s->sxfer = val; 1920 break; 1921 case 0x06: /* SDID */ 1922 if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) { 1923 qemu_log_mask(LOG_GUEST_ERROR, 1924 "lsi_scsi: Destination ID does not match SSID\n"); 1925 } 1926 s->sdid = val & 0xf; 1927 break; 1928 case 0x07: /* GPREG0 */ 1929 break; 1930 case 0x08: /* SFBR */ 1931 /* The CPU is not allowed to write to this register. However the 1932 SCRIPTS register move instructions are. */ 1933 s->sfbr = val; 1934 break; 1935 case 0x0a: case 0x0b: 1936 /* Openserver writes to these readonly registers on startup */ 1937 return; 1938 case 0x0c: case 0x0d: case 0x0e: case 0x0f: 1939 /* Linux writes to these readonly registers on startup. */ 1940 return; 1941 CASE_SET_REG32(dsa, 0x10) 1942 case 0x14: /* ISTAT0 */ 1943 s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0); 1944 if (val & LSI_ISTAT0_ABRT) { 1945 lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT); 1946 } 1947 if (val & LSI_ISTAT0_INTF) { 1948 s->istat0 &= ~LSI_ISTAT0_INTF; 1949 lsi_update_irq(s); 1950 } 1951 if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) { 1952 trace_lsi_awoken(); 1953 s->waiting = LSI_NOWAIT; 1954 s->dsp = s->dnad; 1955 lsi_execute_script(s); 1956 } 1957 if (val & LSI_ISTAT0_SRST) { 1958 device_cold_reset(DEVICE(s)); 1959 } 1960 break; 1961 case 0x16: /* MBOX0 */ 1962 s->mbox0 = val; 1963 break; 1964 case 0x17: /* MBOX1 */ 1965 s->mbox1 = val; 1966 break; 1967 case 0x18: /* CTEST0 */ 1968 /* nothing to do */ 1969 break; 1970 case 0x1a: /* CTEST2 */ 1971 s->ctest2 = val & LSI_CTEST2_PCICIE; 1972 break; 1973 case 0x1b: /* CTEST3 */ 1974 s->ctest3 = val & 0x0f; 1975 break; 1976 CASE_SET_REG32(temp, 0x1c) 1977 case 0x21: /* CTEST4 */ 1978 if (val & 7) { 1979 qemu_log_mask(LOG_UNIMP, 1980 "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val); 1981 } 1982 s->ctest4 = val; 1983 break; 1984 case 0x22: /* CTEST5 */ 1985 if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) { 1986 qemu_log_mask(LOG_UNIMP, 1987 "lsi_scsi: CTEST5 DMA increment not implemented\n"); 1988 } 1989 s->ctest5 = val; 1990 break; 1991 CASE_SET_REG24(dbc, 0x24) 1992 CASE_SET_REG32(dnad, 0x28) 1993 case 0x2c: /* DSP[0:7] */ 1994 s->dsp &= 0xffffff00; 1995 s->dsp |= val; 1996 break; 1997 case 0x2d: /* DSP[8:15] */ 1998 s->dsp &= 0xffff00ff; 1999 s->dsp |= val << 8; 2000 break; 2001 case 0x2e: /* DSP[16:23] */ 2002 s->dsp &= 0xff00ffff; 2003 s->dsp |= val << 16; 2004 break; 2005 case 0x2f: /* DSP[24:31] */ 2006 s->dsp &= 0x00ffffff; 2007 s->dsp |= val << 24; 2008 /* 2009 * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one 2010 * instruction. Is this correct? 2011 */ 2012 if ((s->dmode & LSI_DMODE_MAN) == 0 2013 && (s->istat1 & LSI_ISTAT1_SRUN) == 0) 2014 lsi_execute_script(s); 2015 break; 2016 CASE_SET_REG32(dsps, 0x30) 2017 CASE_SET_REG32(scratch[0], 0x34) 2018 case 0x38: /* DMODE */ 2019 s->dmode = val; 2020 break; 2021 case 0x39: /* DIEN */ 2022 s->dien = val; 2023 lsi_update_irq(s); 2024 break; 2025 case 0x3a: /* SBR */ 2026 s->sbr = val; 2027 break; 2028 case 0x3b: /* DCNTL */ 2029 s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD); 2030 /* 2031 * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one 2032 * instruction. Is this correct? 2033 */ 2034 if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0) 2035 lsi_execute_script(s); 2036 break; 2037 case 0x40: /* SIEN0 */ 2038 s->sien0 = val; 2039 lsi_update_irq(s); 2040 break; 2041 case 0x41: /* SIEN1 */ 2042 s->sien1 = val; 2043 lsi_update_irq(s); 2044 break; 2045 case 0x47: /* GPCNTL0 */ 2046 break; 2047 case 0x48: /* STIME0 */ 2048 s->stime0 = val; 2049 break; 2050 case 0x49: /* STIME1 */ 2051 if (val & 0xf) { 2052 qemu_log_mask(LOG_UNIMP, 2053 "lsi_scsi: General purpose timer not implemented\n"); 2054 /* ??? Raising the interrupt immediately seems to be sufficient 2055 to keep the FreeBSD driver happy. */ 2056 lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN); 2057 } 2058 break; 2059 case 0x4a: /* RESPID0 */ 2060 s->respid0 = val; 2061 break; 2062 case 0x4b: /* RESPID1 */ 2063 s->respid1 = val; 2064 break; 2065 case 0x4d: /* STEST1 */ 2066 s->stest1 = val; 2067 break; 2068 case 0x4e: /* STEST2 */ 2069 if (val & 1) { 2070 qemu_log_mask(LOG_UNIMP, 2071 "lsi_scsi: Low level mode not implemented\n"); 2072 } 2073 s->stest2 = val; 2074 break; 2075 case 0x4f: /* STEST3 */ 2076 if (val & 0x41) { 2077 qemu_log_mask(LOG_UNIMP, 2078 "lsi_scsi: SCSI FIFO test mode not implemented\n"); 2079 } 2080 s->stest3 = val; 2081 break; 2082 case 0x56: /* CCNTL0 */ 2083 s->ccntl0 = val; 2084 break; 2085 case 0x57: /* CCNTL1 */ 2086 s->ccntl1 = val; 2087 break; 2088 CASE_SET_REG32(mmrs, 0xa0) 2089 CASE_SET_REG32(mmws, 0xa4) 2090 CASE_SET_REG32(sfs, 0xa8) 2091 CASE_SET_REG32(drs, 0xac) 2092 CASE_SET_REG32(sbms, 0xb0) 2093 CASE_SET_REG32(dbms, 0xb4) 2094 CASE_SET_REG32(dnad64, 0xb8) 2095 CASE_SET_REG32(pmjad1, 0xc0) 2096 CASE_SET_REG32(pmjad2, 0xc4) 2097 CASE_SET_REG32(rbc, 0xc8) 2098 CASE_SET_REG32(ua, 0xcc) 2099 CASE_SET_REG32(ia, 0xd4) 2100 CASE_SET_REG32(sbc, 0xd8) 2101 CASE_SET_REG32(csbc, 0xdc) 2102 default: 2103 if (offset >= 0x5c && offset < 0xa0) { 2104 int n; 2105 int shift; 2106 n = (offset - 0x58) >> 2; 2107 shift = (offset & 3) * 8; 2108 s->scratch[n] = deposit32(s->scratch[n], shift, 8, val); 2109 } else { 2110 qemu_log_mask(LOG_GUEST_ERROR, 2111 "lsi_scsi: invalid write to reg %s %x (0x%02x)\n", 2112 offset < ARRAY_SIZE(names) ? names[offset] : "???", 2113 offset, val); 2114 } 2115 } 2116 #undef CASE_SET_REG24 2117 #undef CASE_SET_REG32 2118 } 2119 2120 static void lsi_mmio_write(void *opaque, hwaddr addr, 2121 uint64_t val, unsigned size) 2122 { 2123 LSIState *s = opaque; 2124 2125 lsi_reg_writeb(s, addr & 0xff, val); 2126 } 2127 2128 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr, 2129 unsigned size) 2130 { 2131 LSIState *s = opaque; 2132 return lsi_reg_readb(s, addr & 0xff); 2133 } 2134 2135 static const MemoryRegionOps lsi_mmio_ops = { 2136 .read = lsi_mmio_read, 2137 .write = lsi_mmio_write, 2138 .endianness = DEVICE_LITTLE_ENDIAN, 2139 .impl = { 2140 .min_access_size = 1, 2141 .max_access_size = 1, 2142 }, 2143 }; 2144 2145 static void lsi_ram_write(void *opaque, hwaddr addr, 2146 uint64_t val, unsigned size) 2147 { 2148 LSIState *s = opaque; 2149 stn_le_p(s->script_ram + addr, size, val); 2150 } 2151 2152 static uint64_t lsi_ram_read(void *opaque, hwaddr addr, 2153 unsigned size) 2154 { 2155 LSIState *s = opaque; 2156 return ldn_le_p(s->script_ram + addr, size); 2157 } 2158 2159 static const MemoryRegionOps lsi_ram_ops = { 2160 .read = lsi_ram_read, 2161 .write = lsi_ram_write, 2162 .endianness = DEVICE_LITTLE_ENDIAN, 2163 }; 2164 2165 static uint64_t lsi_io_read(void *opaque, hwaddr addr, 2166 unsigned size) 2167 { 2168 LSIState *s = opaque; 2169 return lsi_reg_readb(s, addr & 0xff); 2170 } 2171 2172 static void lsi_io_write(void *opaque, hwaddr addr, 2173 uint64_t val, unsigned size) 2174 { 2175 LSIState *s = opaque; 2176 lsi_reg_writeb(s, addr & 0xff, val); 2177 } 2178 2179 static const MemoryRegionOps lsi_io_ops = { 2180 .read = lsi_io_read, 2181 .write = lsi_io_write, 2182 .endianness = DEVICE_LITTLE_ENDIAN, 2183 .impl = { 2184 .min_access_size = 1, 2185 .max_access_size = 1, 2186 }, 2187 }; 2188 2189 static void lsi_scsi_reset(DeviceState *dev) 2190 { 2191 LSIState *s = LSI53C895A(dev); 2192 2193 lsi_soft_reset(s); 2194 } 2195 2196 static int lsi_pre_save(void *opaque) 2197 { 2198 LSIState *s = opaque; 2199 2200 if (s->current) { 2201 assert(s->current->dma_buf == NULL); 2202 assert(s->current->dma_len == 0); 2203 } 2204 assert(QTAILQ_EMPTY(&s->queue)); 2205 2206 return 0; 2207 } 2208 2209 static int lsi_post_load(void *opaque, int version_id) 2210 { 2211 LSIState *s = opaque; 2212 2213 if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) { 2214 return -EINVAL; 2215 } 2216 2217 if (s->waiting == LSI_WAIT_SCRIPTS) { 2218 lsi_scripts_timer_start(s); 2219 } 2220 return 0; 2221 } 2222 2223 static const VMStateDescription vmstate_lsi_scsi = { 2224 .name = "lsiscsi", 2225 .version_id = 1, 2226 .minimum_version_id = 0, 2227 .pre_save = lsi_pre_save, 2228 .post_load = lsi_post_load, 2229 .fields = (const VMStateField[]) { 2230 VMSTATE_PCI_DEVICE(parent_obj, LSIState), 2231 2232 VMSTATE_INT32(carry, LSIState), 2233 VMSTATE_INT32(status, LSIState), 2234 VMSTATE_INT32(msg_action, LSIState), 2235 VMSTATE_INT32(msg_len, LSIState), 2236 VMSTATE_BUFFER(msg, LSIState), 2237 VMSTATE_INT32(waiting, LSIState), 2238 2239 VMSTATE_UINT32(dsa, LSIState), 2240 VMSTATE_UINT32(temp, LSIState), 2241 VMSTATE_UINT32(dnad, LSIState), 2242 VMSTATE_UINT32(dbc, LSIState), 2243 VMSTATE_UINT8(istat0, LSIState), 2244 VMSTATE_UINT8(istat1, LSIState), 2245 VMSTATE_UINT8(dcmd, LSIState), 2246 VMSTATE_UINT8(dstat, LSIState), 2247 VMSTATE_UINT8(dien, LSIState), 2248 VMSTATE_UINT8(sist0, LSIState), 2249 VMSTATE_UINT8(sist1, LSIState), 2250 VMSTATE_UINT8(sien0, LSIState), 2251 VMSTATE_UINT8(sien1, LSIState), 2252 VMSTATE_UINT8(mbox0, LSIState), 2253 VMSTATE_UINT8(mbox1, LSIState), 2254 VMSTATE_UINT8(dfifo, LSIState), 2255 VMSTATE_UINT8(ctest2, LSIState), 2256 VMSTATE_UINT8(ctest3, LSIState), 2257 VMSTATE_UINT8(ctest4, LSIState), 2258 VMSTATE_UINT8(ctest5, LSIState), 2259 VMSTATE_UINT8(ccntl0, LSIState), 2260 VMSTATE_UINT8(ccntl1, LSIState), 2261 VMSTATE_UINT32(dsp, LSIState), 2262 VMSTATE_UINT32(dsps, LSIState), 2263 VMSTATE_UINT8(dmode, LSIState), 2264 VMSTATE_UINT8(dcntl, LSIState), 2265 VMSTATE_UINT8(scntl0, LSIState), 2266 VMSTATE_UINT8(scntl1, LSIState), 2267 VMSTATE_UINT8(scntl2, LSIState), 2268 VMSTATE_UINT8(scntl3, LSIState), 2269 VMSTATE_UINT8(sstat0, LSIState), 2270 VMSTATE_UINT8(sstat1, LSIState), 2271 VMSTATE_UINT8(scid, LSIState), 2272 VMSTATE_UINT8(sxfer, LSIState), 2273 VMSTATE_UINT8(socl, LSIState), 2274 VMSTATE_UINT8(sdid, LSIState), 2275 VMSTATE_UINT8(ssid, LSIState), 2276 VMSTATE_UINT8(sfbr, LSIState), 2277 VMSTATE_UINT8(stest1, LSIState), 2278 VMSTATE_UINT8(stest2, LSIState), 2279 VMSTATE_UINT8(stest3, LSIState), 2280 VMSTATE_UINT8(sidl, LSIState), 2281 VMSTATE_UINT8(stime0, LSIState), 2282 VMSTATE_UINT8(respid0, LSIState), 2283 VMSTATE_UINT8(respid1, LSIState), 2284 VMSTATE_UINT8_V(sbcl, LSIState, 1), 2285 VMSTATE_UINT32(mmrs, LSIState), 2286 VMSTATE_UINT32(mmws, LSIState), 2287 VMSTATE_UINT32(sfs, LSIState), 2288 VMSTATE_UINT32(drs, LSIState), 2289 VMSTATE_UINT32(sbms, LSIState), 2290 VMSTATE_UINT32(dbms, LSIState), 2291 VMSTATE_UINT32(dnad64, LSIState), 2292 VMSTATE_UINT32(pmjad1, LSIState), 2293 VMSTATE_UINT32(pmjad2, LSIState), 2294 VMSTATE_UINT32(rbc, LSIState), 2295 VMSTATE_UINT32(ua, LSIState), 2296 VMSTATE_UINT32(ia, LSIState), 2297 VMSTATE_UINT32(sbc, LSIState), 2298 VMSTATE_UINT32(csbc, LSIState), 2299 VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)), 2300 VMSTATE_UINT8(sbr, LSIState), 2301 2302 VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192), 2303 VMSTATE_END_OF_LIST() 2304 } 2305 }; 2306 2307 static const struct SCSIBusInfo lsi_scsi_info = { 2308 .tcq = true, 2309 .max_target = LSI_MAX_DEVS, 2310 .max_lun = 0, /* LUN support is buggy */ 2311 2312 .transfer_data = lsi_transfer_data, 2313 .complete = lsi_command_complete, 2314 .cancel = lsi_request_cancelled 2315 }; 2316 2317 static void scripts_timer_cb(void *opaque) 2318 { 2319 LSIState *s = opaque; 2320 2321 trace_lsi_scripts_timer_triggered(); 2322 s->waiting = LSI_NOWAIT; 2323 lsi_execute_script(s); 2324 } 2325 2326 static void lsi_scsi_realize(PCIDevice *dev, Error **errp) 2327 { 2328 LSIState *s = LSI53C895A(dev); 2329 DeviceState *d = DEVICE(dev); 2330 uint8_t *pci_conf; 2331 2332 pci_conf = dev->config; 2333 2334 /* PCI latency timer = 255 */ 2335 pci_conf[PCI_LATENCY_TIMER] = 0xff; 2336 /* Interrupt pin A */ 2337 pci_conf[PCI_INTERRUPT_PIN] = 0x01; 2338 2339 memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s, 2340 "lsi-mmio", 0x400); 2341 memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s, 2342 "lsi-ram", 0x2000); 2343 memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s, 2344 "lsi-io", 256); 2345 s->scripts_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, scripts_timer_cb, s); 2346 2347 /* 2348 * Since we use the address-space API to interact with ram_io, disable the 2349 * re-entrancy guard. 2350 */ 2351 s->ram_io.disable_reentrancy_guard = true; 2352 s->mmio_io.disable_reentrancy_guard = true; 2353 2354 address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io"); 2355 qdev_init_gpio_out(d, &s->ext_irq, 1); 2356 2357 pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io); 2358 pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io); 2359 pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io); 2360 QTAILQ_INIT(&s->queue); 2361 2362 scsi_bus_init(&s->bus, sizeof(s->bus), d, &lsi_scsi_info); 2363 } 2364 2365 static void lsi_scsi_exit(PCIDevice *dev) 2366 { 2367 LSIState *s = LSI53C895A(dev); 2368 2369 address_space_destroy(&s->pci_io_as); 2370 timer_del(s->scripts_timer); 2371 } 2372 2373 static void lsi_class_init(ObjectClass *klass, void *data) 2374 { 2375 DeviceClass *dc = DEVICE_CLASS(klass); 2376 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); 2377 2378 k->realize = lsi_scsi_realize; 2379 k->exit = lsi_scsi_exit; 2380 k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC; 2381 k->device_id = PCI_DEVICE_ID_LSI_53C895A; 2382 k->class_id = PCI_CLASS_STORAGE_SCSI; 2383 k->subsystem_id = 0x1000; 2384 dc->reset = lsi_scsi_reset; 2385 dc->vmsd = &vmstate_lsi_scsi; 2386 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2387 } 2388 2389 static const TypeInfo lsi_info = { 2390 .name = TYPE_LSI53C895A, 2391 .parent = TYPE_PCI_DEVICE, 2392 .instance_size = sizeof(LSIState), 2393 .class_init = lsi_class_init, 2394 .interfaces = (InterfaceInfo[]) { 2395 { INTERFACE_CONVENTIONAL_PCI_DEVICE }, 2396 { }, 2397 }, 2398 }; 2399 2400 static void lsi53c810_class_init(ObjectClass *klass, void *data) 2401 { 2402 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); 2403 2404 k->device_id = PCI_DEVICE_ID_LSI_53C810; 2405 } 2406 2407 static const TypeInfo lsi53c810_info = { 2408 .name = TYPE_LSI53C810, 2409 .parent = TYPE_LSI53C895A, 2410 .class_init = lsi53c810_class_init, 2411 }; 2412 2413 static void lsi53c895a_register_types(void) 2414 { 2415 type_register_static(&lsi_info); 2416 type_register_static(&lsi53c810_info); 2417 } 2418 2419 type_init(lsi53c895a_register_types) 2420 2421 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev) 2422 { 2423 LSIState *s = LSI53C895A(lsi_dev); 2424 2425 scsi_bus_legacy_handle_cmdline(&s->bus); 2426 } 2427