xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision d2dfe0b5)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/irq.h"
19 #include "hw/pci/pci_device.h"
20 #include "hw/scsi/scsi.h"
21 #include "migration/vmstate.h"
22 #include "sysemu/dma.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 #include "trace.h"
26 #include "qom/object.h"
27 
28 static const char *names[] = {
29     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
30     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
31     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
32     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
33     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
34     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
35     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
36     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
37     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
38     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
39     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
40     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
41 };
42 
43 #define LSI_MAX_DEVS 7
44 
45 #define LSI_SCNTL0_TRG    0x01
46 #define LSI_SCNTL0_AAP    0x02
47 #define LSI_SCNTL0_EPC    0x08
48 #define LSI_SCNTL0_WATN   0x10
49 #define LSI_SCNTL0_START  0x20
50 
51 #define LSI_SCNTL1_SST    0x01
52 #define LSI_SCNTL1_IARB   0x02
53 #define LSI_SCNTL1_AESP   0x04
54 #define LSI_SCNTL1_RST    0x08
55 #define LSI_SCNTL1_CON    0x10
56 #define LSI_SCNTL1_DHP    0x20
57 #define LSI_SCNTL1_ADB    0x40
58 #define LSI_SCNTL1_EXC    0x80
59 
60 #define LSI_SCNTL2_WSR    0x01
61 #define LSI_SCNTL2_VUE0   0x02
62 #define LSI_SCNTL2_VUE1   0x04
63 #define LSI_SCNTL2_WSS    0x08
64 #define LSI_SCNTL2_SLPHBEN 0x10
65 #define LSI_SCNTL2_SLPMD  0x20
66 #define LSI_SCNTL2_CHM    0x40
67 #define LSI_SCNTL2_SDU    0x80
68 
69 #define LSI_ISTAT0_DIP    0x01
70 #define LSI_ISTAT0_SIP    0x02
71 #define LSI_ISTAT0_INTF   0x04
72 #define LSI_ISTAT0_CON    0x08
73 #define LSI_ISTAT0_SEM    0x10
74 #define LSI_ISTAT0_SIGP   0x20
75 #define LSI_ISTAT0_SRST   0x40
76 #define LSI_ISTAT0_ABRT   0x80
77 
78 #define LSI_ISTAT1_SI     0x01
79 #define LSI_ISTAT1_SRUN   0x02
80 #define LSI_ISTAT1_FLSH   0x04
81 
82 #define LSI_SSTAT0_SDP0   0x01
83 #define LSI_SSTAT0_RST    0x02
84 #define LSI_SSTAT0_WOA    0x04
85 #define LSI_SSTAT0_LOA    0x08
86 #define LSI_SSTAT0_AIP    0x10
87 #define LSI_SSTAT0_OLF    0x20
88 #define LSI_SSTAT0_ORF    0x40
89 #define LSI_SSTAT0_ILF    0x80
90 
91 #define LSI_SIST0_PAR     0x01
92 #define LSI_SIST0_RST     0x02
93 #define LSI_SIST0_UDC     0x04
94 #define LSI_SIST0_SGE     0x08
95 #define LSI_SIST0_RSL     0x10
96 #define LSI_SIST0_SEL     0x20
97 #define LSI_SIST0_CMP     0x40
98 #define LSI_SIST0_MA      0x80
99 
100 #define LSI_SIST1_HTH     0x01
101 #define LSI_SIST1_GEN     0x02
102 #define LSI_SIST1_STO     0x04
103 #define LSI_SIST1_SBMC    0x10
104 
105 #define LSI_SOCL_IO       0x01
106 #define LSI_SOCL_CD       0x02
107 #define LSI_SOCL_MSG      0x04
108 #define LSI_SOCL_ATN      0x08
109 #define LSI_SOCL_SEL      0x10
110 #define LSI_SOCL_BSY      0x20
111 #define LSI_SOCL_ACK      0x40
112 #define LSI_SOCL_REQ      0x80
113 
114 #define LSI_DSTAT_IID     0x01
115 #define LSI_DSTAT_SIR     0x04
116 #define LSI_DSTAT_SSI     0x08
117 #define LSI_DSTAT_ABRT    0x10
118 #define LSI_DSTAT_BF      0x20
119 #define LSI_DSTAT_MDPE    0x40
120 #define LSI_DSTAT_DFE     0x80
121 
122 #define LSI_DCNTL_COM     0x01
123 #define LSI_DCNTL_IRQD    0x02
124 #define LSI_DCNTL_STD     0x04
125 #define LSI_DCNTL_IRQM    0x08
126 #define LSI_DCNTL_SSM     0x10
127 #define LSI_DCNTL_PFEN    0x20
128 #define LSI_DCNTL_PFF     0x40
129 #define LSI_DCNTL_CLSE    0x80
130 
131 #define LSI_DMODE_MAN     0x01
132 #define LSI_DMODE_BOF     0x02
133 #define LSI_DMODE_ERMP    0x04
134 #define LSI_DMODE_ERL     0x08
135 #define LSI_DMODE_DIOM    0x10
136 #define LSI_DMODE_SIOM    0x20
137 
138 #define LSI_CTEST2_DACK   0x01
139 #define LSI_CTEST2_DREQ   0x02
140 #define LSI_CTEST2_TEOP   0x04
141 #define LSI_CTEST2_PCICIE 0x08
142 #define LSI_CTEST2_CM     0x10
143 #define LSI_CTEST2_CIO    0x20
144 #define LSI_CTEST2_SIGP   0x40
145 #define LSI_CTEST2_DDIR   0x80
146 
147 #define LSI_CTEST5_BL2    0x04
148 #define LSI_CTEST5_DDIR   0x08
149 #define LSI_CTEST5_MASR   0x10
150 #define LSI_CTEST5_DFSN   0x20
151 #define LSI_CTEST5_BBCK   0x40
152 #define LSI_CTEST5_ADCK   0x80
153 
154 #define LSI_CCNTL0_DILS   0x01
155 #define LSI_CCNTL0_DISFC  0x10
156 #define LSI_CCNTL0_ENNDJ  0x20
157 #define LSI_CCNTL0_PMJCTL 0x40
158 #define LSI_CCNTL0_ENPMJ  0x80
159 
160 #define LSI_CCNTL1_EN64DBMV  0x01
161 #define LSI_CCNTL1_EN64TIBMV 0x02
162 #define LSI_CCNTL1_64TIMOD   0x04
163 #define LSI_CCNTL1_DDAC      0x08
164 #define LSI_CCNTL1_ZMOD      0x80
165 
166 #define LSI_SBCL_ATN         0x08
167 #define LSI_SBCL_BSY         0x20
168 #define LSI_SBCL_ACK         0x40
169 #define LSI_SBCL_REQ         0x80
170 
171 /* Enable Response to Reselection */
172 #define LSI_SCID_RRE      0x60
173 
174 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
175 
176 #define PHASE_DO          0
177 #define PHASE_DI          1
178 #define PHASE_CMD         2
179 #define PHASE_ST          3
180 #define PHASE_MO          6
181 #define PHASE_MI          7
182 #define PHASE_MASK        7
183 
184 /* Maximum length of MSG IN data.  */
185 #define LSI_MAX_MSGIN_LEN 8
186 
187 /* Flag set if this is a tagged command.  */
188 #define LSI_TAG_VALID     (1 << 16)
189 
190 /* Maximum instructions to process. */
191 #define LSI_MAX_INSN    10000
192 
193 typedef struct lsi_request {
194     SCSIRequest *req;
195     uint32_t tag;
196     uint32_t dma_len;
197     uint8_t *dma_buf;
198     uint32_t pending;
199     int out;
200     QTAILQ_ENTRY(lsi_request) next;
201 } lsi_request;
202 
203 enum {
204     LSI_NOWAIT, /* SCRIPTS are running or stopped */
205     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
206     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
207     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
208 };
209 
210 enum {
211     LSI_MSG_ACTION_COMMAND = 0,
212     LSI_MSG_ACTION_DISCONNECT = 1,
213     LSI_MSG_ACTION_DOUT = 2,
214     LSI_MSG_ACTION_DIN = 3,
215 };
216 
217 struct LSIState {
218     /*< private >*/
219     PCIDevice parent_obj;
220     /*< public >*/
221 
222     qemu_irq ext_irq;
223     MemoryRegion mmio_io;
224     MemoryRegion ram_io;
225     MemoryRegion io_io;
226     AddressSpace pci_io_as;
227 
228     int carry; /* ??? Should this be an a visible register somewhere?  */
229     int status;
230     int msg_action;
231     int msg_len;
232     uint8_t msg[LSI_MAX_MSGIN_LEN];
233     int waiting;
234     SCSIBus bus;
235     int current_lun;
236     /* The tag is a combination of the device ID and the SCSI tag.  */
237     uint32_t select_tag;
238     int command_complete;
239     QTAILQ_HEAD(, lsi_request) queue;
240     lsi_request *current;
241 
242     uint32_t dsa;
243     uint32_t temp;
244     uint32_t dnad;
245     uint32_t dbc;
246     uint8_t istat0;
247     uint8_t istat1;
248     uint8_t dcmd;
249     uint8_t dstat;
250     uint8_t dien;
251     uint8_t sist0;
252     uint8_t sist1;
253     uint8_t sien0;
254     uint8_t sien1;
255     uint8_t mbox0;
256     uint8_t mbox1;
257     uint8_t dfifo;
258     uint8_t ctest2;
259     uint8_t ctest3;
260     uint8_t ctest4;
261     uint8_t ctest5;
262     uint8_t ccntl0;
263     uint8_t ccntl1;
264     uint32_t dsp;
265     uint32_t dsps;
266     uint8_t dmode;
267     uint8_t dcntl;
268     uint8_t scntl0;
269     uint8_t scntl1;
270     uint8_t scntl2;
271     uint8_t scntl3;
272     uint8_t sstat0;
273     uint8_t sstat1;
274     uint8_t scid;
275     uint8_t sxfer;
276     uint8_t socl;
277     uint8_t sdid;
278     uint8_t ssid;
279     uint8_t sfbr;
280     uint8_t sbcl;
281     uint8_t stest1;
282     uint8_t stest2;
283     uint8_t stest3;
284     uint8_t sidl;
285     uint8_t stime0;
286     uint8_t respid0;
287     uint8_t respid1;
288     uint32_t mmrs;
289     uint32_t mmws;
290     uint32_t sfs;
291     uint32_t drs;
292     uint32_t sbms;
293     uint32_t dbms;
294     uint32_t dnad64;
295     uint32_t pmjad1;
296     uint32_t pmjad2;
297     uint32_t rbc;
298     uint32_t ua;
299     uint32_t ia;
300     uint32_t sbc;
301     uint32_t csbc;
302     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
303     uint8_t sbr;
304     uint32_t adder;
305 
306     uint8_t script_ram[2048 * sizeof(uint32_t)];
307 };
308 
309 #define TYPE_LSI53C810  "lsi53c810"
310 #define TYPE_LSI53C895A "lsi53c895a"
311 
312 OBJECT_DECLARE_SIMPLE_TYPE(LSIState, LSI53C895A)
313 
314 static const char *scsi_phases[] = {
315     "DOUT",
316     "DIN",
317     "CMD",
318     "STATUS",
319     "RSVOUT",
320     "RSVIN",
321     "MSGOUT",
322     "MSGIN"
323 };
324 
325 static const char *scsi_phase_name(int phase)
326 {
327     return scsi_phases[phase & PHASE_MASK];
328 }
329 
330 static inline int lsi_irq_on_rsl(LSIState *s)
331 {
332     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
333 }
334 
335 static lsi_request *get_pending_req(LSIState *s)
336 {
337     lsi_request *p;
338 
339     QTAILQ_FOREACH(p, &s->queue, next) {
340         if (p->pending) {
341             return p;
342         }
343     }
344     return NULL;
345 }
346 
347 static void lsi_soft_reset(LSIState *s)
348 {
349     trace_lsi_reset();
350     s->carry = 0;
351 
352     s->msg_action = LSI_MSG_ACTION_COMMAND;
353     s->msg_len = 0;
354     s->waiting = LSI_NOWAIT;
355     s->dsa = 0;
356     s->dnad = 0;
357     s->dbc = 0;
358     s->temp = 0;
359     memset(s->scratch, 0, sizeof(s->scratch));
360     s->istat0 = 0;
361     s->istat1 = 0;
362     s->dcmd = 0x40;
363     s->dstat = 0;
364     s->dien = 0;
365     s->sist0 = 0;
366     s->sist1 = 0;
367     s->sien0 = 0;
368     s->sien1 = 0;
369     s->mbox0 = 0;
370     s->mbox1 = 0;
371     s->dfifo = 0;
372     s->ctest2 = LSI_CTEST2_DACK;
373     s->ctest3 = 0;
374     s->ctest4 = 0;
375     s->ctest5 = 0;
376     s->ccntl0 = 0;
377     s->ccntl1 = 0;
378     s->dsp = 0;
379     s->dsps = 0;
380     s->dmode = 0;
381     s->dcntl = 0;
382     s->scntl0 = 0xc0;
383     s->scntl1 = 0;
384     s->scntl2 = 0;
385     s->scntl3 = 0;
386     s->sstat0 = 0;
387     s->sstat1 = 0;
388     s->scid = 7;
389     s->sxfer = 0;
390     s->socl = 0;
391     s->sdid = 0;
392     s->ssid = 0;
393     s->sbcl = 0;
394     s->stest1 = 0;
395     s->stest2 = 0;
396     s->stest3 = 0;
397     s->sidl = 0;
398     s->stime0 = 0;
399     s->respid0 = 0x80;
400     s->respid1 = 0;
401     s->mmrs = 0;
402     s->mmws = 0;
403     s->sfs = 0;
404     s->drs = 0;
405     s->sbms = 0;
406     s->dbms = 0;
407     s->dnad64 = 0;
408     s->pmjad1 = 0;
409     s->pmjad2 = 0;
410     s->rbc = 0;
411     s->ua = 0;
412     s->ia = 0;
413     s->sbc = 0;
414     s->csbc = 0;
415     s->sbr = 0;
416     assert(QTAILQ_EMPTY(&s->queue));
417     assert(!s->current);
418 }
419 
420 static int lsi_dma_40bit(LSIState *s)
421 {
422     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
423         return 1;
424     return 0;
425 }
426 
427 static int lsi_dma_ti64bit(LSIState *s)
428 {
429     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
430         return 1;
431     return 0;
432 }
433 
434 static int lsi_dma_64bit(LSIState *s)
435 {
436     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
437         return 1;
438     return 0;
439 }
440 
441 static uint8_t lsi_reg_readb(LSIState *s, int offset);
442 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
443 static void lsi_execute_script(LSIState *s);
444 static void lsi_reselect(LSIState *s, lsi_request *p);
445 
446 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
447                                void *buf, dma_addr_t len)
448 {
449     if (s->dmode & LSI_DMODE_SIOM) {
450         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
451                            buf, len);
452     } else {
453         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
454     }
455 }
456 
457 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
458                                 const void *buf, dma_addr_t len)
459 {
460     if (s->dmode & LSI_DMODE_DIOM) {
461         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
462                             buf, len);
463     } else {
464         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
465     }
466 }
467 
468 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
469 {
470     uint32_t buf;
471 
472     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
473     return cpu_to_le32(buf);
474 }
475 
476 static void lsi_stop_script(LSIState *s)
477 {
478     s->istat1 &= ~LSI_ISTAT1_SRUN;
479 }
480 
481 static void lsi_set_irq(LSIState *s, int level)
482 {
483     PCIDevice *d = PCI_DEVICE(s);
484 
485     if (s->ext_irq) {
486         qemu_set_irq(s->ext_irq, level);
487     } else {
488         pci_set_irq(d, level);
489     }
490 }
491 
492 static void lsi_update_irq(LSIState *s)
493 {
494     int level;
495     static int last_level;
496 
497     /* It's unclear whether the DIP/SIP bits should be cleared when the
498        Interrupt Status Registers are cleared or when istat0 is read.
499        We currently do the formwer, which seems to work.  */
500     level = 0;
501     if (s->dstat) {
502         if (s->dstat & s->dien)
503             level = 1;
504         s->istat0 |= LSI_ISTAT0_DIP;
505     } else {
506         s->istat0 &= ~LSI_ISTAT0_DIP;
507     }
508 
509     if (s->sist0 || s->sist1) {
510         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
511             level = 1;
512         s->istat0 |= LSI_ISTAT0_SIP;
513     } else {
514         s->istat0 &= ~LSI_ISTAT0_SIP;
515     }
516     if (s->istat0 & LSI_ISTAT0_INTF)
517         level = 1;
518 
519     if (level != last_level) {
520         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
521         last_level = level;
522     }
523     lsi_set_irq(s, level);
524 
525     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
526         lsi_request *p;
527 
528         trace_lsi_update_irq_disconnected();
529         p = get_pending_req(s);
530         if (p) {
531             lsi_reselect(s, p);
532         }
533     }
534 }
535 
536 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
537 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
538 {
539     uint32_t mask0;
540     uint32_t mask1;
541 
542     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
543     s->sist0 |= stat0;
544     s->sist1 |= stat1;
545     /* Stop processor on fatal or unmasked interrupt.  As a special hack
546        we don't stop processing when raising STO.  Instead continue
547        execution and stop at the next insn that accesses the SCSI bus.  */
548     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
549     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
550     mask1 &= ~LSI_SIST1_STO;
551     if (s->sist0 & mask0 || s->sist1 & mask1) {
552         lsi_stop_script(s);
553     }
554     lsi_update_irq(s);
555 }
556 
557 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
558 static void lsi_script_dma_interrupt(LSIState *s, int stat)
559 {
560     trace_lsi_script_dma_interrupt(stat, s->dstat);
561     s->dstat |= stat;
562     lsi_update_irq(s);
563     lsi_stop_script(s);
564 }
565 
566 static inline void lsi_set_phase(LSIState *s, int phase)
567 {
568     s->sbcl &= ~PHASE_MASK;
569     s->sbcl |= phase | LSI_SBCL_REQ;
570     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
571 }
572 
573 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
574 {
575     /* Trigger a phase mismatch.  */
576     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
577         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
578             s->dsp = out ? s->pmjad1 : s->pmjad2;
579         } else {
580             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
581         }
582         trace_lsi_bad_phase_jump(s->dsp);
583     } else {
584         trace_lsi_bad_phase_interrupt();
585         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
586         lsi_stop_script(s);
587     }
588     lsi_set_phase(s, new_phase);
589 }
590 
591 
592 /* Resume SCRIPTS execution after a DMA operation.  */
593 static void lsi_resume_script(LSIState *s)
594 {
595     if (s->waiting != 2) {
596         s->waiting = LSI_NOWAIT;
597         lsi_execute_script(s);
598     } else {
599         s->waiting = LSI_NOWAIT;
600     }
601 }
602 
603 static void lsi_disconnect(LSIState *s)
604 {
605     s->scntl1 &= ~LSI_SCNTL1_CON;
606     s->sstat1 &= ~PHASE_MASK;
607     s->sbcl = 0;
608 }
609 
610 static void lsi_bad_selection(LSIState *s, uint32_t id)
611 {
612     trace_lsi_bad_selection(id);
613     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
614     lsi_disconnect(s);
615 }
616 
617 /* Initiate a SCSI layer data transfer.  */
618 static void lsi_do_dma(LSIState *s, int out)
619 {
620     uint32_t count;
621     dma_addr_t addr;
622     SCSIDevice *dev;
623 
624     if (!s->current || !s->current->dma_len) {
625         /* Wait until data is available.  */
626         trace_lsi_do_dma_unavailable();
627         return;
628     }
629 
630     dev = s->current->req->dev;
631     assert(dev);
632 
633     count = s->dbc;
634     if (count > s->current->dma_len)
635         count = s->current->dma_len;
636 
637     addr = s->dnad;
638     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
639     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
640         addr |= ((uint64_t)s->dnad64 << 32);
641     else if (s->dbms)
642         addr |= ((uint64_t)s->dbms << 32);
643     else if (s->sbms)
644         addr |= ((uint64_t)s->sbms << 32);
645 
646     trace_lsi_do_dma(addr, count);
647     s->csbc += count;
648     s->dnad += count;
649     s->dbc -= count;
650      if (s->current->dma_buf == NULL) {
651         s->current->dma_buf = scsi_req_get_buf(s->current->req);
652     }
653     /* ??? Set SFBR to first data byte.  */
654     if (out) {
655         lsi_mem_read(s, addr, s->current->dma_buf, count);
656     } else {
657         lsi_mem_write(s, addr, s->current->dma_buf, count);
658     }
659     s->current->dma_len -= count;
660     if (s->current->dma_len == 0) {
661         s->current->dma_buf = NULL;
662         scsi_req_continue(s->current->req);
663     } else {
664         s->current->dma_buf += count;
665         lsi_resume_script(s);
666     }
667 }
668 
669 
670 /* Add a command to the queue.  */
671 static void lsi_queue_command(LSIState *s)
672 {
673     lsi_request *p = s->current;
674 
675     trace_lsi_queue_command(p->tag);
676     assert(s->current != NULL);
677     assert(s->current->dma_len == 0);
678     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
679     s->current = NULL;
680 
681     p->pending = 0;
682     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
683 }
684 
685 /* Queue a byte for a MSG IN phase.  */
686 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
687 {
688     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
689         trace_lsi_add_msg_byte_error();
690     } else {
691         trace_lsi_add_msg_byte(data);
692         s->msg[s->msg_len++] = data;
693     }
694 }
695 
696 /* Perform reselection to continue a command.  */
697 static void lsi_reselect(LSIState *s, lsi_request *p)
698 {
699     int id;
700 
701     assert(s->current == NULL);
702     QTAILQ_REMOVE(&s->queue, p, next);
703     s->current = p;
704 
705     id = (p->tag >> 8) & 0xf;
706     s->ssid = id | 0x80;
707     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
708     if (!(s->dcntl & LSI_DCNTL_COM)) {
709         s->sfbr = 1 << (id & 0x7);
710     }
711     trace_lsi_reselect(id);
712     s->scntl1 |= LSI_SCNTL1_CON;
713     lsi_set_phase(s, PHASE_MI);
714     s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
715     s->current->dma_len = p->pending;
716     lsi_add_msg_byte(s, 0x80);
717     if (s->current->tag & LSI_TAG_VALID) {
718         lsi_add_msg_byte(s, 0x20);
719         lsi_add_msg_byte(s, p->tag & 0xff);
720     }
721 
722     if (lsi_irq_on_rsl(s)) {
723         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
724     }
725 }
726 
727 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
728 {
729     lsi_request *p;
730 
731     QTAILQ_FOREACH(p, &s->queue, next) {
732         if (p->tag == tag) {
733             return p;
734         }
735     }
736 
737     return NULL;
738 }
739 
740 static void lsi_request_free(LSIState *s, lsi_request *p)
741 {
742     if (p == s->current) {
743         s->current = NULL;
744     } else {
745         QTAILQ_REMOVE(&s->queue, p, next);
746     }
747     g_free(p);
748 }
749 
750 static void lsi_request_cancelled(SCSIRequest *req)
751 {
752     LSIState *s = LSI53C895A(req->bus->qbus.parent);
753     lsi_request *p = req->hba_private;
754 
755     req->hba_private = NULL;
756     lsi_request_free(s, p);
757     scsi_req_unref(req);
758 }
759 
760 /* Record that data is available for a queued command.  Returns zero if
761    the device was reselected, nonzero if the IO is deferred.  */
762 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
763 {
764     lsi_request *p = req->hba_private;
765 
766     if (p->pending) {
767         trace_lsi_queue_req_error(p);
768     }
769     p->pending = len;
770     /* Reselect if waiting for it, or if reselection triggers an IRQ
771        and the bus is free.
772        Since no interrupt stacking is implemented in the emulation, it
773        is also required that there are no pending interrupts waiting
774        for service from the device driver. */
775     if (s->waiting == LSI_WAIT_RESELECT ||
776         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
777          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
778         /* Reselect device.  */
779         lsi_reselect(s, p);
780         return 0;
781     } else {
782         trace_lsi_queue_req(p->tag);
783         p->pending = len;
784         return 1;
785     }
786 }
787 
788  /* Callback to indicate that the SCSI layer has completed a command.  */
789 static void lsi_command_complete(SCSIRequest *req, size_t resid)
790 {
791     LSIState *s = LSI53C895A(req->bus->qbus.parent);
792     int out;
793 
794     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
795     trace_lsi_command_complete(req->status);
796     s->status = req->status;
797     s->command_complete = 2;
798     if (s->waiting && s->dbc != 0) {
799         /* Raise phase mismatch for short transfers.  */
800         lsi_bad_phase(s, out, PHASE_ST);
801     } else {
802         lsi_set_phase(s, PHASE_ST);
803     }
804 
805     if (req->hba_private == s->current) {
806         req->hba_private = NULL;
807         lsi_request_free(s, s->current);
808         scsi_req_unref(req);
809     }
810     lsi_resume_script(s);
811 }
812 
813  /* Callback to indicate that the SCSI layer has completed a transfer.  */
814 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
815 {
816     LSIState *s = LSI53C895A(req->bus->qbus.parent);
817     int out;
818 
819     assert(req->hba_private);
820     if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
821         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
822         if (lsi_queue_req(s, req, len)) {
823             return;
824         }
825     }
826 
827     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
828 
829     /* host adapter (re)connected */
830     trace_lsi_transfer_data(req->tag, len);
831     s->current->dma_len = len;
832     s->command_complete = 1;
833     if (s->waiting) {
834         if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
835             lsi_resume_script(s);
836         } else {
837             lsi_do_dma(s, out);
838         }
839     }
840 }
841 
842 static void lsi_do_command(LSIState *s)
843 {
844     SCSIDevice *dev;
845     uint8_t buf[16];
846     uint32_t id;
847     int n;
848 
849     trace_lsi_do_command(s->dbc);
850     if (s->dbc > 16)
851         s->dbc = 16;
852     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
853     s->sfbr = buf[0];
854     s->command_complete = 0;
855 
856     id = (s->select_tag >> 8) & 0xf;
857     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
858     if (!dev) {
859         lsi_bad_selection(s, id);
860         return;
861     }
862 
863     assert(s->current == NULL);
864     s->current = g_new0(lsi_request, 1);
865     s->current->tag = s->select_tag;
866     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
867                                    s->dbc, s->current);
868 
869     n = scsi_req_enqueue(s->current->req);
870     if (n) {
871         if (n > 0) {
872             lsi_set_phase(s, PHASE_DI);
873         } else if (n < 0) {
874             lsi_set_phase(s, PHASE_DO);
875         }
876         scsi_req_continue(s->current->req);
877     }
878     if (!s->command_complete) {
879         if (n) {
880             /* Command did not complete immediately so disconnect.  */
881             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
882             lsi_add_msg_byte(s, 4); /* DISCONNECT */
883             /* wait data */
884             lsi_set_phase(s, PHASE_MI);
885             s->msg_action = LSI_MSG_ACTION_DISCONNECT;
886             lsi_queue_command(s);
887         } else {
888             /* wait command complete */
889             lsi_set_phase(s, PHASE_DI);
890         }
891     }
892 }
893 
894 static void lsi_do_status(LSIState *s)
895 {
896     uint8_t status;
897     trace_lsi_do_status(s->dbc, s->status);
898     if (s->dbc != 1) {
899         trace_lsi_do_status_error();
900     }
901     s->dbc = 1;
902     status = s->status;
903     s->sfbr = status;
904     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
905     lsi_set_phase(s, PHASE_MI);
906     s->msg_action = LSI_MSG_ACTION_DISCONNECT;
907     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
908 }
909 
910 static void lsi_do_msgin(LSIState *s)
911 {
912     uint8_t len;
913     trace_lsi_do_msgin(s->dbc, s->msg_len);
914     s->sfbr = s->msg[0];
915     len = s->msg_len;
916     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
917     if (len > s->dbc)
918         len = s->dbc;
919     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
920     /* Linux drivers rely on the last byte being in the SIDL.  */
921     s->sidl = s->msg[len - 1];
922     s->msg_len -= len;
923     if (s->msg_len) {
924         memmove(s->msg, s->msg + len, s->msg_len);
925     } else {
926         /* ??? Check if ATN (not yet implemented) is asserted and maybe
927            switch to PHASE_MO.  */
928         switch (s->msg_action) {
929         case LSI_MSG_ACTION_COMMAND:
930             lsi_set_phase(s, PHASE_CMD);
931             break;
932         case LSI_MSG_ACTION_DISCONNECT:
933             lsi_disconnect(s);
934             break;
935         case LSI_MSG_ACTION_DOUT:
936             lsi_set_phase(s, PHASE_DO);
937             break;
938         case LSI_MSG_ACTION_DIN:
939             lsi_set_phase(s, PHASE_DI);
940             break;
941         default:
942             abort();
943         }
944     }
945 }
946 
947 /* Read the next byte during a MSGOUT phase.  */
948 static uint8_t lsi_get_msgbyte(LSIState *s)
949 {
950     uint8_t data;
951     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
952     s->dnad++;
953     s->dbc--;
954     return data;
955 }
956 
957 /* Skip the next n bytes during a MSGOUT phase. */
958 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
959 {
960     s->dnad += n;
961     s->dbc  -= n;
962 }
963 
964 static void lsi_do_msgout(LSIState *s)
965 {
966     uint8_t msg;
967     int len;
968     uint32_t current_tag;
969     lsi_request *current_req, *p, *p_next;
970 
971     if (s->current) {
972         current_tag = s->current->tag;
973         current_req = s->current;
974     } else {
975         current_tag = s->select_tag;
976         current_req = lsi_find_by_tag(s, current_tag);
977     }
978 
979     trace_lsi_do_msgout(s->dbc);
980     while (s->dbc) {
981         msg = lsi_get_msgbyte(s);
982         s->sfbr = msg;
983 
984         switch (msg) {
985         case 0x04:
986             trace_lsi_do_msgout_disconnect();
987             lsi_disconnect(s);
988             break;
989         case 0x08:
990             trace_lsi_do_msgout_noop();
991             lsi_set_phase(s, PHASE_CMD);
992             break;
993         case 0x01:
994             len = lsi_get_msgbyte(s);
995             msg = lsi_get_msgbyte(s);
996             (void)len; /* avoid a warning about unused variable*/
997             trace_lsi_do_msgout_extended(msg, len);
998             switch (msg) {
999             case 1:
1000                 trace_lsi_do_msgout_ignored("SDTR");
1001                 lsi_skip_msgbytes(s, 2);
1002                 break;
1003             case 3:
1004                 trace_lsi_do_msgout_ignored("WDTR");
1005                 lsi_skip_msgbytes(s, 1);
1006                 break;
1007             case 4:
1008                 trace_lsi_do_msgout_ignored("PPR");
1009                 lsi_skip_msgbytes(s, 5);
1010                 break;
1011             default:
1012                 goto bad;
1013             }
1014             break;
1015         case 0x20: /* SIMPLE queue */
1016             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1017             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1018             break;
1019         case 0x21: /* HEAD of queue */
1020             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1021             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1022             break;
1023         case 0x22: /* ORDERED queue */
1024             qemu_log_mask(LOG_UNIMP,
1025                           "lsi_scsi: ORDERED queue not implemented\n");
1026             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1027             break;
1028         case 0x0d:
1029             /* The ABORT TAG message clears the current I/O process only. */
1030             trace_lsi_do_msgout_abort(current_tag);
1031             if (current_req && current_req->req) {
1032                 scsi_req_cancel(current_req->req);
1033                 current_req = NULL;
1034             }
1035             lsi_disconnect(s);
1036             break;
1037         case 0x06:
1038         case 0x0e:
1039         case 0x0c:
1040             /* The ABORT message clears all I/O processes for the selecting
1041                initiator on the specified logical unit of the target. */
1042             if (msg == 0x06) {
1043                 trace_lsi_do_msgout_abort(current_tag);
1044             }
1045             /* The CLEAR QUEUE message clears all I/O processes for all
1046                initiators on the specified logical unit of the target. */
1047             if (msg == 0x0e) {
1048                 trace_lsi_do_msgout_clearqueue(current_tag);
1049             }
1050             /* The BUS DEVICE RESET message clears all I/O processes for all
1051                initiators on all logical units of the target. */
1052             if (msg == 0x0c) {
1053                 trace_lsi_do_msgout_busdevicereset(current_tag);
1054             }
1055 
1056             /* clear the current I/O process */
1057             if (s->current) {
1058                 scsi_req_cancel(s->current->req);
1059                 current_req = NULL;
1060             }
1061 
1062             /* As the current implemented devices scsi_disk and scsi_generic
1063                only support one LUN, we don't need to keep track of LUNs.
1064                Clearing I/O processes for other initiators could be possible
1065                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1066                device, but this is currently not implemented (and seems not
1067                to be really necessary). So let's simply clear all queued
1068                commands for the current device: */
1069             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1070                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1071                     scsi_req_cancel(p->req);
1072                 }
1073             }
1074 
1075             lsi_disconnect(s);
1076             break;
1077         default:
1078             if ((msg & 0x80) == 0) {
1079                 goto bad;
1080             }
1081             s->current_lun = msg & 7;
1082             trace_lsi_do_msgout_select(s->current_lun);
1083             lsi_set_phase(s, PHASE_CMD);
1084             break;
1085         }
1086     }
1087     return;
1088 bad:
1089     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1090     lsi_set_phase(s, PHASE_MI);
1091     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1092     s->msg_action = LSI_MSG_ACTION_COMMAND;
1093 }
1094 
1095 #define LSI_BUF_SIZE 4096
1096 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1097 {
1098     int n;
1099     uint8_t buf[LSI_BUF_SIZE];
1100 
1101     trace_lsi_memcpy(dest, src, count);
1102     while (count) {
1103         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1104         lsi_mem_read(s, src, buf, n);
1105         lsi_mem_write(s, dest, buf, n);
1106         src += n;
1107         dest += n;
1108         count -= n;
1109     }
1110 }
1111 
1112 static void lsi_wait_reselect(LSIState *s)
1113 {
1114     lsi_request *p;
1115 
1116     trace_lsi_wait_reselect();
1117 
1118     if (s->current) {
1119         return;
1120     }
1121     p = get_pending_req(s);
1122     if (p) {
1123         lsi_reselect(s, p);
1124     }
1125     if (s->current == NULL) {
1126         s->waiting = LSI_WAIT_RESELECT;
1127     }
1128 }
1129 
1130 static void lsi_execute_script(LSIState *s)
1131 {
1132     PCIDevice *pci_dev = PCI_DEVICE(s);
1133     uint32_t insn;
1134     uint32_t addr, addr_high;
1135     int opcode;
1136     int insn_processed = 0;
1137     static int reentrancy_level;
1138 
1139     reentrancy_level++;
1140 
1141     s->istat1 |= LSI_ISTAT1_SRUN;
1142 again:
1143     /*
1144      * Some windows drivers make the device spin waiting for a memory location
1145      * to change. If we have executed more than LSI_MAX_INSN instructions then
1146      * assume this is the case and force an unexpected device disconnect. This
1147      * is apparently sufficient to beat the drivers into submission.
1148      *
1149      * Another issue (CVE-2023-0330) can occur if the script is programmed to
1150      * trigger itself again and again. Avoid this problem by stopping after
1151      * being called multiple times in a reentrant way (8 is an arbitrary value
1152      * which should be enough for all valid use cases).
1153      */
1154     if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
1155         if (!(s->sien0 & LSI_SIST0_UDC)) {
1156             qemu_log_mask(LOG_GUEST_ERROR,
1157                           "lsi_scsi: inf. loop with UDC masked");
1158         }
1159         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1160         lsi_disconnect(s);
1161         trace_lsi_execute_script_stop();
1162         return;
1163     }
1164     insn = read_dword(s, s->dsp);
1165     if (!insn) {
1166         /* If we receive an empty opcode increment the DSP by 4 bytes
1167            instead of 8 and execute the next opcode at that location */
1168         s->dsp += 4;
1169         goto again;
1170     }
1171     addr = read_dword(s, s->dsp + 4);
1172     addr_high = 0;
1173     trace_lsi_execute_script(s->dsp, insn, addr);
1174     s->dsps = addr;
1175     s->dcmd = insn >> 24;
1176     s->dsp += 8;
1177     switch (insn >> 30) {
1178     case 0: /* Block move.  */
1179         if (s->sist1 & LSI_SIST1_STO) {
1180             trace_lsi_execute_script_blockmove_delayed();
1181             lsi_stop_script(s);
1182             break;
1183         }
1184         s->dbc = insn & 0xffffff;
1185         s->rbc = s->dbc;
1186         /* ??? Set ESA.  */
1187         s->ia = s->dsp - 8;
1188         if (insn & (1 << 29)) {
1189             /* Indirect addressing.  */
1190             addr = read_dword(s, addr);
1191         } else if (insn & (1 << 28)) {
1192             uint32_t buf[2];
1193             int32_t offset;
1194             /* Table indirect addressing.  */
1195 
1196             /* 32-bit Table indirect */
1197             offset = sextract32(addr, 0, 24);
1198             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1199             /* byte count is stored in bits 0:23 only */
1200             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1201             s->rbc = s->dbc;
1202             addr = cpu_to_le32(buf[1]);
1203 
1204             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1205              * table, bits [31:24] */
1206             if (lsi_dma_40bit(s))
1207                 addr_high = cpu_to_le32(buf[0]) >> 24;
1208             else if (lsi_dma_ti64bit(s)) {
1209                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1210                 switch (selector) {
1211                 case 0 ... 0x0f:
1212                     /* offset index into scratch registers since
1213                      * TI64 mode can use registers C to R */
1214                     addr_high = s->scratch[2 + selector];
1215                     break;
1216                 case 0x10:
1217                     addr_high = s->mmrs;
1218                     break;
1219                 case 0x11:
1220                     addr_high = s->mmws;
1221                     break;
1222                 case 0x12:
1223                     addr_high = s->sfs;
1224                     break;
1225                 case 0x13:
1226                     addr_high = s->drs;
1227                     break;
1228                 case 0x14:
1229                     addr_high = s->sbms;
1230                     break;
1231                 case 0x15:
1232                     addr_high = s->dbms;
1233                     break;
1234                 default:
1235                     qemu_log_mask(LOG_GUEST_ERROR,
1236                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1237                           "for 64-bit DMA block move", selector);
1238                     break;
1239                 }
1240             }
1241         } else if (lsi_dma_64bit(s)) {
1242             /* fetch a 3rd dword if 64-bit direct move is enabled and
1243                only if we're not doing table indirect or indirect addressing */
1244             s->dbms = read_dword(s, s->dsp);
1245             s->dsp += 4;
1246             s->ia = s->dsp - 12;
1247         }
1248         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1249             trace_lsi_execute_script_blockmove_badphase(
1250                     scsi_phase_name(s->sstat1),
1251                     scsi_phase_name(insn >> 24));
1252             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1253             break;
1254         }
1255         s->dnad = addr;
1256         s->dnad64 = addr_high;
1257         switch (s->sstat1 & 0x7) {
1258         case PHASE_DO:
1259             s->waiting = LSI_DMA_SCRIPTS;
1260             lsi_do_dma(s, 1);
1261             if (s->waiting)
1262                 s->waiting = LSI_DMA_IN_PROGRESS;
1263             break;
1264         case PHASE_DI:
1265             s->waiting = LSI_DMA_SCRIPTS;
1266             lsi_do_dma(s, 0);
1267             if (s->waiting)
1268                 s->waiting = LSI_DMA_IN_PROGRESS;
1269             break;
1270         case PHASE_CMD:
1271             lsi_do_command(s);
1272             break;
1273         case PHASE_ST:
1274             lsi_do_status(s);
1275             break;
1276         case PHASE_MO:
1277             lsi_do_msgout(s);
1278             break;
1279         case PHASE_MI:
1280             lsi_do_msgin(s);
1281             break;
1282         default:
1283             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1284                           scsi_phase_name(s->sstat1));
1285         }
1286         s->dfifo = s->dbc & 0xff;
1287         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1288         s->sbc = s->dbc;
1289         s->rbc -= s->dbc;
1290         s->ua = addr + s->dbc;
1291         break;
1292 
1293     case 1: /* IO or Read/Write instruction.  */
1294         opcode = (insn >> 27) & 7;
1295         if (opcode < 5) {
1296             uint32_t id;
1297 
1298             if (insn & (1 << 25)) {
1299                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1300             } else {
1301                 id = insn;
1302             }
1303             id = (id >> 16) & 0xf;
1304             if (insn & (1 << 26)) {
1305                 addr = s->dsp + sextract32(addr, 0, 24);
1306             }
1307             s->dnad = addr;
1308             switch (opcode) {
1309             case 0: /* Select */
1310                 s->sdid = id;
1311                 if (s->scntl1 & LSI_SCNTL1_CON) {
1312                     trace_lsi_execute_script_io_alreadyreselected();
1313                     s->dsp = s->dnad;
1314                     break;
1315                 }
1316                 s->sstat0 |= LSI_SSTAT0_WOA;
1317                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1318                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1319                     lsi_bad_selection(s, id);
1320                     break;
1321                 }
1322                 trace_lsi_execute_script_io_selected(id,
1323                                              insn & (1 << 3) ? " ATN" : "");
1324                 /* ??? Linux drivers compain when this is set.  Maybe
1325                    it only applies in low-level mode (unimplemented).
1326                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1327                 s->select_tag = id << 8;
1328                 s->scntl1 |= LSI_SCNTL1_CON;
1329                 if (insn & (1 << 3)) {
1330                     s->socl |= LSI_SOCL_ATN;
1331                     s->sbcl |= LSI_SBCL_ATN;
1332                 }
1333                 s->sbcl |= LSI_SBCL_BSY;
1334                 lsi_set_phase(s, PHASE_MO);
1335                 s->waiting = LSI_NOWAIT;
1336                 break;
1337             case 1: /* Disconnect */
1338                 trace_lsi_execute_script_io_disconnect();
1339                 s->scntl1 &= ~LSI_SCNTL1_CON;
1340                 /* FIXME: this is not entirely correct; the target need not ask
1341                  * for reselection until it has to send data, while here we force a
1342                  * reselection as soon as the bus is free.  The correct flow would
1343                  * reselect before lsi_transfer_data and disconnect as soon as
1344                  * DMA ends.
1345                  */
1346                 if (!s->current) {
1347                     lsi_request *p = get_pending_req(s);
1348                     if (p) {
1349                         lsi_reselect(s, p);
1350                     }
1351                 }
1352                 break;
1353             case 2: /* Wait Reselect */
1354                 if (s->istat0 & LSI_ISTAT0_SIGP) {
1355                     s->dsp = s->dnad;
1356                 } else if (!lsi_irq_on_rsl(s)) {
1357                         lsi_wait_reselect(s);
1358                 }
1359                 break;
1360             case 3: /* Set */
1361                 trace_lsi_execute_script_io_set(
1362                         insn & (1 << 3) ? " ATN" : "",
1363                         insn & (1 << 6) ? " ACK" : "",
1364                         insn & (1 << 9) ? " TM" : "",
1365                         insn & (1 << 10) ? " CC" : "");
1366                 if (insn & (1 << 3)) {
1367                     s->socl |= LSI_SOCL_ATN;
1368                     s->sbcl |= LSI_SBCL_ATN;
1369                     lsi_set_phase(s, PHASE_MO);
1370                 }
1371 
1372                 if (insn & (1 << 6)) {
1373                     s->sbcl |= LSI_SBCL_ACK;
1374                 }
1375 
1376                 if (insn & (1 << 9)) {
1377                     qemu_log_mask(LOG_UNIMP,
1378                         "lsi_scsi: Target mode not implemented\n");
1379                 }
1380                 if (insn & (1 << 10))
1381                     s->carry = 1;
1382                 break;
1383             case 4: /* Clear */
1384                 trace_lsi_execute_script_io_clear(
1385                         insn & (1 << 3) ? " ATN" : "",
1386                         insn & (1 << 6) ? " ACK" : "",
1387                         insn & (1 << 9) ? " TM" : "",
1388                         insn & (1 << 10) ? " CC" : "");
1389                 if (insn & (1 << 3)) {
1390                     s->socl &= ~LSI_SOCL_ATN;
1391                     s->sbcl &= ~LSI_SBCL_ATN;
1392                 }
1393 
1394                 if (insn & (1 << 6)) {
1395                     s->sbcl &= ~LSI_SBCL_ACK;
1396                 }
1397 
1398                 if (insn & (1 << 10))
1399                     s->carry = 0;
1400                 break;
1401             }
1402         } else {
1403             uint8_t op0;
1404             uint8_t op1;
1405             uint8_t data8;
1406             int reg;
1407             int operator;
1408 
1409             static const char *opcode_names[3] =
1410                 {"Write", "Read", "Read-Modify-Write"};
1411             static const char *operator_names[8] =
1412                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1413 
1414             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1415             data8 = (insn >> 8) & 0xff;
1416             opcode = (insn >> 27) & 7;
1417             operator = (insn >> 24) & 7;
1418             trace_lsi_execute_script_io_opcode(
1419                     opcode_names[opcode - 5], reg,
1420                     operator_names[operator], data8, s->sfbr,
1421                     (insn & (1 << 23)) ? " SFBR" : "");
1422             op0 = op1 = 0;
1423             switch (opcode) {
1424             case 5: /* From SFBR */
1425                 op0 = s->sfbr;
1426                 op1 = data8;
1427                 break;
1428             case 6: /* To SFBR */
1429                 if (operator)
1430                     op0 = lsi_reg_readb(s, reg);
1431                 op1 = data8;
1432                 break;
1433             case 7: /* Read-modify-write */
1434                 if (operator)
1435                     op0 = lsi_reg_readb(s, reg);
1436                 if (insn & (1 << 23)) {
1437                     op1 = s->sfbr;
1438                 } else {
1439                     op1 = data8;
1440                 }
1441                 break;
1442             }
1443 
1444             switch (operator) {
1445             case 0: /* move */
1446                 op0 = op1;
1447                 break;
1448             case 1: /* Shift left */
1449                 op1 = op0 >> 7;
1450                 op0 = (op0 << 1) | s->carry;
1451                 s->carry = op1;
1452                 break;
1453             case 2: /* OR */
1454                 op0 |= op1;
1455                 break;
1456             case 3: /* XOR */
1457                 op0 ^= op1;
1458                 break;
1459             case 4: /* AND */
1460                 op0 &= op1;
1461                 break;
1462             case 5: /* SHR */
1463                 op1 = op0 & 1;
1464                 op0 = (op0 >> 1) | (s->carry << 7);
1465                 s->carry = op1;
1466                 break;
1467             case 6: /* ADD */
1468                 op0 += op1;
1469                 s->carry = op0 < op1;
1470                 break;
1471             case 7: /* ADC */
1472                 op0 += op1 + s->carry;
1473                 if (s->carry)
1474                     s->carry = op0 <= op1;
1475                 else
1476                     s->carry = op0 < op1;
1477                 break;
1478             }
1479 
1480             switch (opcode) {
1481             case 5: /* From SFBR */
1482             case 7: /* Read-modify-write */
1483                 lsi_reg_writeb(s, reg, op0);
1484                 break;
1485             case 6: /* To SFBR */
1486                 s->sfbr = op0;
1487                 break;
1488             }
1489         }
1490         break;
1491 
1492     case 2: /* Transfer Control.  */
1493         {
1494             int cond;
1495             int jmp;
1496 
1497             if ((insn & 0x002e0000) == 0) {
1498                 trace_lsi_execute_script_tc_nop();
1499                 break;
1500             }
1501             if (s->sist1 & LSI_SIST1_STO) {
1502                 trace_lsi_execute_script_tc_delayedselect_timeout();
1503                 lsi_stop_script(s);
1504                 break;
1505             }
1506             cond = jmp = (insn & (1 << 19)) != 0;
1507             if (cond == jmp && (insn & (1 << 21))) {
1508                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1509                 cond = s->carry != 0;
1510             }
1511             if (cond == jmp && (insn & (1 << 17))) {
1512                 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1513                         jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1514                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1515             }
1516             if (cond == jmp && (insn & (1 << 18))) {
1517                 uint8_t mask;
1518 
1519                 mask = (~insn >> 8) & 0xff;
1520                 trace_lsi_execute_script_tc_compd(
1521                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1522                 cond = (s->sfbr & mask) == (insn & mask);
1523             }
1524             if (cond == jmp) {
1525                 if (insn & (1 << 23)) {
1526                     /* Relative address.  */
1527                     addr = s->dsp + sextract32(addr, 0, 24);
1528                 }
1529                 switch ((insn >> 27) & 7) {
1530                 case 0: /* Jump */
1531                     trace_lsi_execute_script_tc_jump(addr);
1532                     s->adder = addr;
1533                     s->dsp = addr;
1534                     break;
1535                 case 1: /* Call */
1536                     trace_lsi_execute_script_tc_call(addr);
1537                     s->temp = s->dsp;
1538                     s->dsp = addr;
1539                     break;
1540                 case 2: /* Return */
1541                     trace_lsi_execute_script_tc_return(s->temp);
1542                     s->dsp = s->temp;
1543                     break;
1544                 case 3: /* Interrupt */
1545                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1546                     if ((insn & (1 << 20)) != 0) {
1547                         s->istat0 |= LSI_ISTAT0_INTF;
1548                         lsi_update_irq(s);
1549                     } else {
1550                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1551                     }
1552                     break;
1553                 default:
1554                     trace_lsi_execute_script_tc_illegal();
1555                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1556                     break;
1557                 }
1558             } else {
1559                 trace_lsi_execute_script_tc_cc_failed();
1560             }
1561         }
1562         break;
1563 
1564     case 3:
1565         if ((insn & (1 << 29)) == 0) {
1566             /* Memory move.  */
1567             uint32_t dest;
1568             /* ??? The docs imply the destination address is loaded into
1569                the TEMP register.  However the Linux drivers rely on
1570                the value being presrved.  */
1571             dest = read_dword(s, s->dsp);
1572             s->dsp += 4;
1573             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1574         } else {
1575             uint8_t data[7];
1576             int reg;
1577             int n;
1578             int i;
1579 
1580             if (insn & (1 << 28)) {
1581                 addr = s->dsa + sextract32(addr, 0, 24);
1582             }
1583             n = (insn & 7);
1584             reg = (insn >> 16) & 0xff;
1585             if (insn & (1 << 24)) {
1586                 pci_dma_read(pci_dev, addr, data, n);
1587                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1588                 for (i = 0; i < n; i++) {
1589                     lsi_reg_writeb(s, reg + i, data[i]);
1590                 }
1591             } else {
1592                 trace_lsi_execute_script_mm_store(reg, n, addr);
1593                 for (i = 0; i < n; i++) {
1594                     data[i] = lsi_reg_readb(s, reg + i);
1595                 }
1596                 pci_dma_write(pci_dev, addr, data, n);
1597             }
1598         }
1599     }
1600     if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1601         if (s->dcntl & LSI_DCNTL_SSM) {
1602             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1603         } else {
1604             goto again;
1605         }
1606     }
1607     trace_lsi_execute_script_stop();
1608 
1609     reentrancy_level--;
1610 }
1611 
1612 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1613 {
1614     uint8_t ret;
1615 
1616 #define CASE_GET_REG24(name, addr) \
1617     case addr: ret = s->name & 0xff; break; \
1618     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1619     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1620 
1621 #define CASE_GET_REG32(name, addr) \
1622     case addr: ret = s->name & 0xff; break; \
1623     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1624     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1625     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1626 
1627     switch (offset) {
1628     case 0x00: /* SCNTL0 */
1629         ret = s->scntl0;
1630         break;
1631     case 0x01: /* SCNTL1 */
1632         ret = s->scntl1;
1633         break;
1634     case 0x02: /* SCNTL2 */
1635         ret = s->scntl2;
1636         break;
1637     case 0x03: /* SCNTL3 */
1638         ret = s->scntl3;
1639         break;
1640     case 0x04: /* SCID */
1641         ret = s->scid;
1642         break;
1643     case 0x05: /* SXFER */
1644         ret = s->sxfer;
1645         break;
1646     case 0x06: /* SDID */
1647         ret = s->sdid;
1648         break;
1649     case 0x07: /* GPREG0 */
1650         ret = 0x7f;
1651         break;
1652     case 0x08: /* Revision ID */
1653         ret = 0x00;
1654         break;
1655     case 0x09: /* SOCL */
1656         ret = s->socl;
1657         break;
1658     case 0xa: /* SSID */
1659         ret = s->ssid;
1660         break;
1661     case 0xb: /* SBCL */
1662         ret = s->sbcl;
1663         break;
1664     case 0xc: /* DSTAT */
1665         ret = s->dstat | LSI_DSTAT_DFE;
1666         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1667             s->dstat = 0;
1668         lsi_update_irq(s);
1669         break;
1670     case 0x0d: /* SSTAT0 */
1671         ret = s->sstat0;
1672         break;
1673     case 0x0e: /* SSTAT1 */
1674         ret = s->sstat1;
1675         break;
1676     case 0x0f: /* SSTAT2 */
1677         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1678         break;
1679     CASE_GET_REG32(dsa, 0x10)
1680     case 0x14: /* ISTAT0 */
1681         ret = s->istat0;
1682         break;
1683     case 0x15: /* ISTAT1 */
1684         ret = s->istat1;
1685         break;
1686     case 0x16: /* MBOX0 */
1687         ret = s->mbox0;
1688         break;
1689     case 0x17: /* MBOX1 */
1690         ret = s->mbox1;
1691         break;
1692     case 0x18: /* CTEST0 */
1693         ret = 0xff;
1694         break;
1695     case 0x19: /* CTEST1 */
1696         ret = 0;
1697         break;
1698     case 0x1a: /* CTEST2 */
1699         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1700         if (s->istat0 & LSI_ISTAT0_SIGP) {
1701             s->istat0 &= ~LSI_ISTAT0_SIGP;
1702             ret |= LSI_CTEST2_SIGP;
1703         }
1704         break;
1705     case 0x1b: /* CTEST3 */
1706         ret = s->ctest3;
1707         break;
1708     CASE_GET_REG32(temp, 0x1c)
1709     case 0x20: /* DFIFO */
1710         ret = s->dfifo;
1711         break;
1712     case 0x21: /* CTEST4 */
1713         ret = s->ctest4;
1714         break;
1715     case 0x22: /* CTEST5 */
1716         ret = s->ctest5;
1717         break;
1718     case 0x23: /* CTEST6 */
1719         ret = 0;
1720         break;
1721     CASE_GET_REG24(dbc, 0x24)
1722     case 0x27: /* DCMD */
1723         ret = s->dcmd;
1724         break;
1725     CASE_GET_REG32(dnad, 0x28)
1726     CASE_GET_REG32(dsp, 0x2c)
1727     CASE_GET_REG32(dsps, 0x30)
1728     CASE_GET_REG32(scratch[0], 0x34)
1729     case 0x38: /* DMODE */
1730         ret = s->dmode;
1731         break;
1732     case 0x39: /* DIEN */
1733         ret = s->dien;
1734         break;
1735     case 0x3a: /* SBR */
1736         ret = s->sbr;
1737         break;
1738     case 0x3b: /* DCNTL */
1739         ret = s->dcntl;
1740         break;
1741     /* ADDER Output (Debug of relative jump address) */
1742     CASE_GET_REG32(adder, 0x3c)
1743     case 0x40: /* SIEN0 */
1744         ret = s->sien0;
1745         break;
1746     case 0x41: /* SIEN1 */
1747         ret = s->sien1;
1748         break;
1749     case 0x42: /* SIST0 */
1750         ret = s->sist0;
1751         s->sist0 = 0;
1752         lsi_update_irq(s);
1753         break;
1754     case 0x43: /* SIST1 */
1755         ret = s->sist1;
1756         s->sist1 = 0;
1757         lsi_update_irq(s);
1758         break;
1759     case 0x46: /* MACNTL */
1760         ret = 0x0f;
1761         break;
1762     case 0x47: /* GPCNTL0 */
1763         ret = 0x0f;
1764         break;
1765     case 0x48: /* STIME0 */
1766         ret = s->stime0;
1767         break;
1768     case 0x4a: /* RESPID0 */
1769         ret = s->respid0;
1770         break;
1771     case 0x4b: /* RESPID1 */
1772         ret = s->respid1;
1773         break;
1774     case 0x4d: /* STEST1 */
1775         ret = s->stest1;
1776         break;
1777     case 0x4e: /* STEST2 */
1778         ret = s->stest2;
1779         break;
1780     case 0x4f: /* STEST3 */
1781         ret = s->stest3;
1782         break;
1783     case 0x50: /* SIDL */
1784         /* This is needed by the linux drivers.  We currently only update it
1785            during the MSG IN phase.  */
1786         ret = s->sidl;
1787         break;
1788     case 0x52: /* STEST4 */
1789         ret = 0xe0;
1790         break;
1791     case 0x56: /* CCNTL0 */
1792         ret = s->ccntl0;
1793         break;
1794     case 0x57: /* CCNTL1 */
1795         ret = s->ccntl1;
1796         break;
1797     case 0x58: /* SBDL */
1798         /* Some drivers peek at the data bus during the MSG IN phase.  */
1799         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1800             assert(s->msg_len > 0);
1801             return s->msg[0];
1802         }
1803         ret = 0;
1804         break;
1805     case 0x59: /* SBDL high */
1806         ret = 0;
1807         break;
1808     CASE_GET_REG32(mmrs, 0xa0)
1809     CASE_GET_REG32(mmws, 0xa4)
1810     CASE_GET_REG32(sfs, 0xa8)
1811     CASE_GET_REG32(drs, 0xac)
1812     CASE_GET_REG32(sbms, 0xb0)
1813     CASE_GET_REG32(dbms, 0xb4)
1814     CASE_GET_REG32(dnad64, 0xb8)
1815     CASE_GET_REG32(pmjad1, 0xc0)
1816     CASE_GET_REG32(pmjad2, 0xc4)
1817     CASE_GET_REG32(rbc, 0xc8)
1818     CASE_GET_REG32(ua, 0xcc)
1819     CASE_GET_REG32(ia, 0xd4)
1820     CASE_GET_REG32(sbc, 0xd8)
1821     CASE_GET_REG32(csbc, 0xdc)
1822     case 0x5c ... 0x9f:
1823     {
1824         int n;
1825         int shift;
1826         n = (offset - 0x58) >> 2;
1827         shift = (offset & 3) * 8;
1828         ret = (s->scratch[n] >> shift) & 0xff;
1829         break;
1830     }
1831     default:
1832     {
1833         qemu_log_mask(LOG_GUEST_ERROR,
1834                       "lsi_scsi: invalid read from reg %s %x\n",
1835                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1836                       offset);
1837         ret = 0xff;
1838         break;
1839     }
1840     }
1841 #undef CASE_GET_REG24
1842 #undef CASE_GET_REG32
1843 
1844     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1845                        offset, ret);
1846 
1847     return ret;
1848 }
1849 
1850 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1851 {
1852 #define CASE_SET_REG24(name, addr) \
1853     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1854     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1855     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1856 
1857 #define CASE_SET_REG32(name, addr) \
1858     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1859     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1860     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1861     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1862 
1863     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1864                         offset, val);
1865 
1866     switch (offset) {
1867     case 0x00: /* SCNTL0 */
1868         s->scntl0 = val;
1869         if (val & LSI_SCNTL0_START) {
1870             qemu_log_mask(LOG_UNIMP,
1871                           "lsi_scsi: Start sequence not implemented\n");
1872         }
1873         break;
1874     case 0x01: /* SCNTL1 */
1875         s->scntl1 = val & ~LSI_SCNTL1_SST;
1876         if (val & LSI_SCNTL1_IARB) {
1877             qemu_log_mask(LOG_UNIMP,
1878                       "lsi_scsi: Immediate Arbritration not implemented\n");
1879         }
1880         if (val & LSI_SCNTL1_RST) {
1881             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1882                 bus_cold_reset(BUS(&s->bus));
1883                 s->sstat0 |= LSI_SSTAT0_RST;
1884                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1885             }
1886         } else {
1887             s->sstat0 &= ~LSI_SSTAT0_RST;
1888         }
1889         break;
1890     case 0x02: /* SCNTL2 */
1891         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1892         s->scntl2 = val;
1893         break;
1894     case 0x03: /* SCNTL3 */
1895         s->scntl3 = val;
1896         break;
1897     case 0x04: /* SCID */
1898         s->scid = val;
1899         break;
1900     case 0x05: /* SXFER */
1901         s->sxfer = val;
1902         break;
1903     case 0x06: /* SDID */
1904         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1905             qemu_log_mask(LOG_GUEST_ERROR,
1906                           "lsi_scsi: Destination ID does not match SSID\n");
1907         }
1908         s->sdid = val & 0xf;
1909         break;
1910     case 0x07: /* GPREG0 */
1911         break;
1912     case 0x08: /* SFBR */
1913         /* The CPU is not allowed to write to this register.  However the
1914            SCRIPTS register move instructions are.  */
1915         s->sfbr = val;
1916         break;
1917     case 0x0a: case 0x0b:
1918         /* Openserver writes to these readonly registers on startup */
1919         return;
1920     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1921         /* Linux writes to these readonly registers on startup.  */
1922         return;
1923     CASE_SET_REG32(dsa, 0x10)
1924     case 0x14: /* ISTAT0 */
1925         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1926         if (val & LSI_ISTAT0_ABRT) {
1927             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1928         }
1929         if (val & LSI_ISTAT0_INTF) {
1930             s->istat0 &= ~LSI_ISTAT0_INTF;
1931             lsi_update_irq(s);
1932         }
1933         if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1934             trace_lsi_awoken();
1935             s->waiting = LSI_NOWAIT;
1936             s->dsp = s->dnad;
1937             lsi_execute_script(s);
1938         }
1939         if (val & LSI_ISTAT0_SRST) {
1940             device_cold_reset(DEVICE(s));
1941         }
1942         break;
1943     case 0x16: /* MBOX0 */
1944         s->mbox0 = val;
1945         break;
1946     case 0x17: /* MBOX1 */
1947         s->mbox1 = val;
1948         break;
1949     case 0x18: /* CTEST0 */
1950         /* nothing to do */
1951         break;
1952     case 0x1a: /* CTEST2 */
1953         s->ctest2 = val & LSI_CTEST2_PCICIE;
1954         break;
1955     case 0x1b: /* CTEST3 */
1956         s->ctest3 = val & 0x0f;
1957         break;
1958     CASE_SET_REG32(temp, 0x1c)
1959     case 0x21: /* CTEST4 */
1960         if (val & 7) {
1961             qemu_log_mask(LOG_UNIMP,
1962                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1963         }
1964         s->ctest4 = val;
1965         break;
1966     case 0x22: /* CTEST5 */
1967         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1968             qemu_log_mask(LOG_UNIMP,
1969                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1970         }
1971         s->ctest5 = val;
1972         break;
1973     CASE_SET_REG24(dbc, 0x24)
1974     CASE_SET_REG32(dnad, 0x28)
1975     case 0x2c: /* DSP[0:7] */
1976         s->dsp &= 0xffffff00;
1977         s->dsp |= val;
1978         break;
1979     case 0x2d: /* DSP[8:15] */
1980         s->dsp &= 0xffff00ff;
1981         s->dsp |= val << 8;
1982         break;
1983     case 0x2e: /* DSP[16:23] */
1984         s->dsp &= 0xff00ffff;
1985         s->dsp |= val << 16;
1986         break;
1987     case 0x2f: /* DSP[24:31] */
1988         s->dsp &= 0x00ffffff;
1989         s->dsp |= val << 24;
1990         /*
1991          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
1992          * instruction.  Is this correct?
1993          */
1994         if ((s->dmode & LSI_DMODE_MAN) == 0
1995             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1996             lsi_execute_script(s);
1997         break;
1998     CASE_SET_REG32(dsps, 0x30)
1999     CASE_SET_REG32(scratch[0], 0x34)
2000     case 0x38: /* DMODE */
2001         s->dmode = val;
2002         break;
2003     case 0x39: /* DIEN */
2004         s->dien = val;
2005         lsi_update_irq(s);
2006         break;
2007     case 0x3a: /* SBR */
2008         s->sbr = val;
2009         break;
2010     case 0x3b: /* DCNTL */
2011         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
2012         /*
2013          * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
2014          * instruction.  Is this correct?
2015          */
2016         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
2017             lsi_execute_script(s);
2018         break;
2019     case 0x40: /* SIEN0 */
2020         s->sien0 = val;
2021         lsi_update_irq(s);
2022         break;
2023     case 0x41: /* SIEN1 */
2024         s->sien1 = val;
2025         lsi_update_irq(s);
2026         break;
2027     case 0x47: /* GPCNTL0 */
2028         break;
2029     case 0x48: /* STIME0 */
2030         s->stime0 = val;
2031         break;
2032     case 0x49: /* STIME1 */
2033         if (val & 0xf) {
2034             qemu_log_mask(LOG_UNIMP,
2035                           "lsi_scsi: General purpose timer not implemented\n");
2036             /* ??? Raising the interrupt immediately seems to be sufficient
2037                to keep the FreeBSD driver happy.  */
2038             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2039         }
2040         break;
2041     case 0x4a: /* RESPID0 */
2042         s->respid0 = val;
2043         break;
2044     case 0x4b: /* RESPID1 */
2045         s->respid1 = val;
2046         break;
2047     case 0x4d: /* STEST1 */
2048         s->stest1 = val;
2049         break;
2050     case 0x4e: /* STEST2 */
2051         if (val & 1) {
2052             qemu_log_mask(LOG_UNIMP,
2053                           "lsi_scsi: Low level mode not implemented\n");
2054         }
2055         s->stest2 = val;
2056         break;
2057     case 0x4f: /* STEST3 */
2058         if (val & 0x41) {
2059             qemu_log_mask(LOG_UNIMP,
2060                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
2061         }
2062         s->stest3 = val;
2063         break;
2064     case 0x56: /* CCNTL0 */
2065         s->ccntl0 = val;
2066         break;
2067     case 0x57: /* CCNTL1 */
2068         s->ccntl1 = val;
2069         break;
2070     CASE_SET_REG32(mmrs, 0xa0)
2071     CASE_SET_REG32(mmws, 0xa4)
2072     CASE_SET_REG32(sfs, 0xa8)
2073     CASE_SET_REG32(drs, 0xac)
2074     CASE_SET_REG32(sbms, 0xb0)
2075     CASE_SET_REG32(dbms, 0xb4)
2076     CASE_SET_REG32(dnad64, 0xb8)
2077     CASE_SET_REG32(pmjad1, 0xc0)
2078     CASE_SET_REG32(pmjad2, 0xc4)
2079     CASE_SET_REG32(rbc, 0xc8)
2080     CASE_SET_REG32(ua, 0xcc)
2081     CASE_SET_REG32(ia, 0xd4)
2082     CASE_SET_REG32(sbc, 0xd8)
2083     CASE_SET_REG32(csbc, 0xdc)
2084     default:
2085         if (offset >= 0x5c && offset < 0xa0) {
2086             int n;
2087             int shift;
2088             n = (offset - 0x58) >> 2;
2089             shift = (offset & 3) * 8;
2090             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2091         } else {
2092             qemu_log_mask(LOG_GUEST_ERROR,
2093                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2094                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2095                           offset, val);
2096         }
2097     }
2098 #undef CASE_SET_REG24
2099 #undef CASE_SET_REG32
2100 }
2101 
2102 static void lsi_mmio_write(void *opaque, hwaddr addr,
2103                            uint64_t val, unsigned size)
2104 {
2105     LSIState *s = opaque;
2106 
2107     lsi_reg_writeb(s, addr & 0xff, val);
2108 }
2109 
2110 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2111                               unsigned size)
2112 {
2113     LSIState *s = opaque;
2114     return lsi_reg_readb(s, addr & 0xff);
2115 }
2116 
2117 static const MemoryRegionOps lsi_mmio_ops = {
2118     .read = lsi_mmio_read,
2119     .write = lsi_mmio_write,
2120     .endianness = DEVICE_LITTLE_ENDIAN,
2121     .impl = {
2122         .min_access_size = 1,
2123         .max_access_size = 1,
2124     },
2125 };
2126 
2127 static void lsi_ram_write(void *opaque, hwaddr addr,
2128                           uint64_t val, unsigned size)
2129 {
2130     LSIState *s = opaque;
2131     stn_le_p(s->script_ram + addr, size, val);
2132 }
2133 
2134 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2135                              unsigned size)
2136 {
2137     LSIState *s = opaque;
2138     return ldn_le_p(s->script_ram + addr, size);
2139 }
2140 
2141 static const MemoryRegionOps lsi_ram_ops = {
2142     .read = lsi_ram_read,
2143     .write = lsi_ram_write,
2144     .endianness = DEVICE_LITTLE_ENDIAN,
2145 };
2146 
2147 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2148                             unsigned size)
2149 {
2150     LSIState *s = opaque;
2151     return lsi_reg_readb(s, addr & 0xff);
2152 }
2153 
2154 static void lsi_io_write(void *opaque, hwaddr addr,
2155                          uint64_t val, unsigned size)
2156 {
2157     LSIState *s = opaque;
2158     lsi_reg_writeb(s, addr & 0xff, val);
2159 }
2160 
2161 static const MemoryRegionOps lsi_io_ops = {
2162     .read = lsi_io_read,
2163     .write = lsi_io_write,
2164     .endianness = DEVICE_LITTLE_ENDIAN,
2165     .impl = {
2166         .min_access_size = 1,
2167         .max_access_size = 1,
2168     },
2169 };
2170 
2171 static void lsi_scsi_reset(DeviceState *dev)
2172 {
2173     LSIState *s = LSI53C895A(dev);
2174 
2175     lsi_soft_reset(s);
2176 }
2177 
2178 static int lsi_pre_save(void *opaque)
2179 {
2180     LSIState *s = opaque;
2181 
2182     if (s->current) {
2183         assert(s->current->dma_buf == NULL);
2184         assert(s->current->dma_len == 0);
2185     }
2186     assert(QTAILQ_EMPTY(&s->queue));
2187 
2188     return 0;
2189 }
2190 
2191 static int lsi_post_load(void *opaque, int version_id)
2192 {
2193     LSIState *s = opaque;
2194 
2195     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2196         return -EINVAL;
2197     }
2198 
2199     return 0;
2200 }
2201 
2202 static const VMStateDescription vmstate_lsi_scsi = {
2203     .name = "lsiscsi",
2204     .version_id = 1,
2205     .minimum_version_id = 0,
2206     .pre_save = lsi_pre_save,
2207     .post_load = lsi_post_load,
2208     .fields = (VMStateField[]) {
2209         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2210 
2211         VMSTATE_INT32(carry, LSIState),
2212         VMSTATE_INT32(status, LSIState),
2213         VMSTATE_INT32(msg_action, LSIState),
2214         VMSTATE_INT32(msg_len, LSIState),
2215         VMSTATE_BUFFER(msg, LSIState),
2216         VMSTATE_INT32(waiting, LSIState),
2217 
2218         VMSTATE_UINT32(dsa, LSIState),
2219         VMSTATE_UINT32(temp, LSIState),
2220         VMSTATE_UINT32(dnad, LSIState),
2221         VMSTATE_UINT32(dbc, LSIState),
2222         VMSTATE_UINT8(istat0, LSIState),
2223         VMSTATE_UINT8(istat1, LSIState),
2224         VMSTATE_UINT8(dcmd, LSIState),
2225         VMSTATE_UINT8(dstat, LSIState),
2226         VMSTATE_UINT8(dien, LSIState),
2227         VMSTATE_UINT8(sist0, LSIState),
2228         VMSTATE_UINT8(sist1, LSIState),
2229         VMSTATE_UINT8(sien0, LSIState),
2230         VMSTATE_UINT8(sien1, LSIState),
2231         VMSTATE_UINT8(mbox0, LSIState),
2232         VMSTATE_UINT8(mbox1, LSIState),
2233         VMSTATE_UINT8(dfifo, LSIState),
2234         VMSTATE_UINT8(ctest2, LSIState),
2235         VMSTATE_UINT8(ctest3, LSIState),
2236         VMSTATE_UINT8(ctest4, LSIState),
2237         VMSTATE_UINT8(ctest5, LSIState),
2238         VMSTATE_UINT8(ccntl0, LSIState),
2239         VMSTATE_UINT8(ccntl1, LSIState),
2240         VMSTATE_UINT32(dsp, LSIState),
2241         VMSTATE_UINT32(dsps, LSIState),
2242         VMSTATE_UINT8(dmode, LSIState),
2243         VMSTATE_UINT8(dcntl, LSIState),
2244         VMSTATE_UINT8(scntl0, LSIState),
2245         VMSTATE_UINT8(scntl1, LSIState),
2246         VMSTATE_UINT8(scntl2, LSIState),
2247         VMSTATE_UINT8(scntl3, LSIState),
2248         VMSTATE_UINT8(sstat0, LSIState),
2249         VMSTATE_UINT8(sstat1, LSIState),
2250         VMSTATE_UINT8(scid, LSIState),
2251         VMSTATE_UINT8(sxfer, LSIState),
2252         VMSTATE_UINT8(socl, LSIState),
2253         VMSTATE_UINT8(sdid, LSIState),
2254         VMSTATE_UINT8(ssid, LSIState),
2255         VMSTATE_UINT8(sfbr, LSIState),
2256         VMSTATE_UINT8(stest1, LSIState),
2257         VMSTATE_UINT8(stest2, LSIState),
2258         VMSTATE_UINT8(stest3, LSIState),
2259         VMSTATE_UINT8(sidl, LSIState),
2260         VMSTATE_UINT8(stime0, LSIState),
2261         VMSTATE_UINT8(respid0, LSIState),
2262         VMSTATE_UINT8(respid1, LSIState),
2263         VMSTATE_UINT8_V(sbcl, LSIState, 1),
2264         VMSTATE_UINT32(mmrs, LSIState),
2265         VMSTATE_UINT32(mmws, LSIState),
2266         VMSTATE_UINT32(sfs, LSIState),
2267         VMSTATE_UINT32(drs, LSIState),
2268         VMSTATE_UINT32(sbms, LSIState),
2269         VMSTATE_UINT32(dbms, LSIState),
2270         VMSTATE_UINT32(dnad64, LSIState),
2271         VMSTATE_UINT32(pmjad1, LSIState),
2272         VMSTATE_UINT32(pmjad2, LSIState),
2273         VMSTATE_UINT32(rbc, LSIState),
2274         VMSTATE_UINT32(ua, LSIState),
2275         VMSTATE_UINT32(ia, LSIState),
2276         VMSTATE_UINT32(sbc, LSIState),
2277         VMSTATE_UINT32(csbc, LSIState),
2278         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2279         VMSTATE_UINT8(sbr, LSIState),
2280 
2281         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2282         VMSTATE_END_OF_LIST()
2283     }
2284 };
2285 
2286 static const struct SCSIBusInfo lsi_scsi_info = {
2287     .tcq = true,
2288     .max_target = LSI_MAX_DEVS,
2289     .max_lun = 0,  /* LUN support is buggy */
2290 
2291     .transfer_data = lsi_transfer_data,
2292     .complete = lsi_command_complete,
2293     .cancel = lsi_request_cancelled
2294 };
2295 
2296 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2297 {
2298     LSIState *s = LSI53C895A(dev);
2299     DeviceState *d = DEVICE(dev);
2300     uint8_t *pci_conf;
2301 
2302     pci_conf = dev->config;
2303 
2304     /* PCI latency timer = 255 */
2305     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2306     /* Interrupt pin A */
2307     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2308 
2309     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2310                           "lsi-mmio", 0x400);
2311     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2312                           "lsi-ram", 0x2000);
2313     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2314                           "lsi-io", 256);
2315 
2316     /*
2317      * Since we use the address-space API to interact with ram_io, disable the
2318      * re-entrancy guard.
2319      */
2320     s->ram_io.disable_reentrancy_guard = true;
2321     s->mmio_io.disable_reentrancy_guard = true;
2322 
2323     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2324     qdev_init_gpio_out(d, &s->ext_irq, 1);
2325 
2326     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2327     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2328     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2329     QTAILQ_INIT(&s->queue);
2330 
2331     scsi_bus_init(&s->bus, sizeof(s->bus), d, &lsi_scsi_info);
2332 }
2333 
2334 static void lsi_scsi_exit(PCIDevice *dev)
2335 {
2336     LSIState *s = LSI53C895A(dev);
2337 
2338     address_space_destroy(&s->pci_io_as);
2339 }
2340 
2341 static void lsi_class_init(ObjectClass *klass, void *data)
2342 {
2343     DeviceClass *dc = DEVICE_CLASS(klass);
2344     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2345 
2346     k->realize = lsi_scsi_realize;
2347     k->exit = lsi_scsi_exit;
2348     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2349     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2350     k->class_id = PCI_CLASS_STORAGE_SCSI;
2351     k->subsystem_id = 0x1000;
2352     dc->reset = lsi_scsi_reset;
2353     dc->vmsd = &vmstate_lsi_scsi;
2354     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2355 }
2356 
2357 static const TypeInfo lsi_info = {
2358     .name          = TYPE_LSI53C895A,
2359     .parent        = TYPE_PCI_DEVICE,
2360     .instance_size = sizeof(LSIState),
2361     .class_init    = lsi_class_init,
2362     .interfaces = (InterfaceInfo[]) {
2363         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2364         { },
2365     },
2366 };
2367 
2368 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2369 {
2370     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2371 
2372     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2373 }
2374 
2375 static const TypeInfo lsi53c810_info = {
2376     .name          = TYPE_LSI53C810,
2377     .parent        = TYPE_LSI53C895A,
2378     .class_init    = lsi53c810_class_init,
2379 };
2380 
2381 static void lsi53c895a_register_types(void)
2382 {
2383     type_register_static(&lsi_info);
2384     type_register_static(&lsi53c810_info);
2385 }
2386 
2387 type_init(lsi53c895a_register_types)
2388 
2389 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2390 {
2391     LSIState *s = LSI53C895A(lsi_dev);
2392 
2393     scsi_bus_legacy_handle_cmdline(&s->bus);
2394 }
2395