xref: /openbmc/qemu/hw/scsi/lsi53c895a.c (revision db725815)
1 /*
2  * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 /* Note:
11  * LSI53C810 emulation is incorrect, in the sense that it supports
12  * features added in later evolutions. This should not be a problem,
13  * as well-behaved operating systems will not try to use them.
14  */
15 
16 #include "qemu/osdep.h"
17 
18 #include "hw/irq.h"
19 #include "hw/pci/pci.h"
20 #include "hw/scsi/scsi.h"
21 #include "migration/vmstate.h"
22 #include "sysemu/dma.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 #include "trace.h"
26 
27 static const char *names[] = {
28     "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
29     "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
30     "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
31     "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
32     "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
33     "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
34     "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
35     "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
36     "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
37     "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
38     "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
39     "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
40 };
41 
42 #define LSI_MAX_DEVS 7
43 
44 #define LSI_SCNTL0_TRG    0x01
45 #define LSI_SCNTL0_AAP    0x02
46 #define LSI_SCNTL0_EPC    0x08
47 #define LSI_SCNTL0_WATN   0x10
48 #define LSI_SCNTL0_START  0x20
49 
50 #define LSI_SCNTL1_SST    0x01
51 #define LSI_SCNTL1_IARB   0x02
52 #define LSI_SCNTL1_AESP   0x04
53 #define LSI_SCNTL1_RST    0x08
54 #define LSI_SCNTL1_CON    0x10
55 #define LSI_SCNTL1_DHP    0x20
56 #define LSI_SCNTL1_ADB    0x40
57 #define LSI_SCNTL1_EXC    0x80
58 
59 #define LSI_SCNTL2_WSR    0x01
60 #define LSI_SCNTL2_VUE0   0x02
61 #define LSI_SCNTL2_VUE1   0x04
62 #define LSI_SCNTL2_WSS    0x08
63 #define LSI_SCNTL2_SLPHBEN 0x10
64 #define LSI_SCNTL2_SLPMD  0x20
65 #define LSI_SCNTL2_CHM    0x40
66 #define LSI_SCNTL2_SDU    0x80
67 
68 #define LSI_ISTAT0_DIP    0x01
69 #define LSI_ISTAT0_SIP    0x02
70 #define LSI_ISTAT0_INTF   0x04
71 #define LSI_ISTAT0_CON    0x08
72 #define LSI_ISTAT0_SEM    0x10
73 #define LSI_ISTAT0_SIGP   0x20
74 #define LSI_ISTAT0_SRST   0x40
75 #define LSI_ISTAT0_ABRT   0x80
76 
77 #define LSI_ISTAT1_SI     0x01
78 #define LSI_ISTAT1_SRUN   0x02
79 #define LSI_ISTAT1_FLSH   0x04
80 
81 #define LSI_SSTAT0_SDP0   0x01
82 #define LSI_SSTAT0_RST    0x02
83 #define LSI_SSTAT0_WOA    0x04
84 #define LSI_SSTAT0_LOA    0x08
85 #define LSI_SSTAT0_AIP    0x10
86 #define LSI_SSTAT0_OLF    0x20
87 #define LSI_SSTAT0_ORF    0x40
88 #define LSI_SSTAT0_ILF    0x80
89 
90 #define LSI_SIST0_PAR     0x01
91 #define LSI_SIST0_RST     0x02
92 #define LSI_SIST0_UDC     0x04
93 #define LSI_SIST0_SGE     0x08
94 #define LSI_SIST0_RSL     0x10
95 #define LSI_SIST0_SEL     0x20
96 #define LSI_SIST0_CMP     0x40
97 #define LSI_SIST0_MA      0x80
98 
99 #define LSI_SIST1_HTH     0x01
100 #define LSI_SIST1_GEN     0x02
101 #define LSI_SIST1_STO     0x04
102 #define LSI_SIST1_SBMC    0x10
103 
104 #define LSI_SOCL_IO       0x01
105 #define LSI_SOCL_CD       0x02
106 #define LSI_SOCL_MSG      0x04
107 #define LSI_SOCL_ATN      0x08
108 #define LSI_SOCL_SEL      0x10
109 #define LSI_SOCL_BSY      0x20
110 #define LSI_SOCL_ACK      0x40
111 #define LSI_SOCL_REQ      0x80
112 
113 #define LSI_DSTAT_IID     0x01
114 #define LSI_DSTAT_SIR     0x04
115 #define LSI_DSTAT_SSI     0x08
116 #define LSI_DSTAT_ABRT    0x10
117 #define LSI_DSTAT_BF      0x20
118 #define LSI_DSTAT_MDPE    0x40
119 #define LSI_DSTAT_DFE     0x80
120 
121 #define LSI_DCNTL_COM     0x01
122 #define LSI_DCNTL_IRQD    0x02
123 #define LSI_DCNTL_STD     0x04
124 #define LSI_DCNTL_IRQM    0x08
125 #define LSI_DCNTL_SSM     0x10
126 #define LSI_DCNTL_PFEN    0x20
127 #define LSI_DCNTL_PFF     0x40
128 #define LSI_DCNTL_CLSE    0x80
129 
130 #define LSI_DMODE_MAN     0x01
131 #define LSI_DMODE_BOF     0x02
132 #define LSI_DMODE_ERMP    0x04
133 #define LSI_DMODE_ERL     0x08
134 #define LSI_DMODE_DIOM    0x10
135 #define LSI_DMODE_SIOM    0x20
136 
137 #define LSI_CTEST2_DACK   0x01
138 #define LSI_CTEST2_DREQ   0x02
139 #define LSI_CTEST2_TEOP   0x04
140 #define LSI_CTEST2_PCICIE 0x08
141 #define LSI_CTEST2_CM     0x10
142 #define LSI_CTEST2_CIO    0x20
143 #define LSI_CTEST2_SIGP   0x40
144 #define LSI_CTEST2_DDIR   0x80
145 
146 #define LSI_CTEST5_BL2    0x04
147 #define LSI_CTEST5_DDIR   0x08
148 #define LSI_CTEST5_MASR   0x10
149 #define LSI_CTEST5_DFSN   0x20
150 #define LSI_CTEST5_BBCK   0x40
151 #define LSI_CTEST5_ADCK   0x80
152 
153 #define LSI_CCNTL0_DILS   0x01
154 #define LSI_CCNTL0_DISFC  0x10
155 #define LSI_CCNTL0_ENNDJ  0x20
156 #define LSI_CCNTL0_PMJCTL 0x40
157 #define LSI_CCNTL0_ENPMJ  0x80
158 
159 #define LSI_CCNTL1_EN64DBMV  0x01
160 #define LSI_CCNTL1_EN64TIBMV 0x02
161 #define LSI_CCNTL1_64TIMOD   0x04
162 #define LSI_CCNTL1_DDAC      0x08
163 #define LSI_CCNTL1_ZMOD      0x80
164 
165 #define LSI_SBCL_ATN         0x08
166 #define LSI_SBCL_BSY         0x20
167 #define LSI_SBCL_ACK         0x40
168 #define LSI_SBCL_REQ         0x80
169 
170 /* Enable Response to Reselection */
171 #define LSI_SCID_RRE      0x60
172 
173 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
174 
175 #define PHASE_DO          0
176 #define PHASE_DI          1
177 #define PHASE_CMD         2
178 #define PHASE_ST          3
179 #define PHASE_MO          6
180 #define PHASE_MI          7
181 #define PHASE_MASK        7
182 
183 /* Maximum length of MSG IN data.  */
184 #define LSI_MAX_MSGIN_LEN 8
185 
186 /* Flag set if this is a tagged command.  */
187 #define LSI_TAG_VALID     (1 << 16)
188 
189 typedef struct lsi_request {
190     SCSIRequest *req;
191     uint32_t tag;
192     uint32_t dma_len;
193     uint8_t *dma_buf;
194     uint32_t pending;
195     int out;
196     QTAILQ_ENTRY(lsi_request) next;
197 } lsi_request;
198 
199 enum {
200     LSI_NOWAIT, /* SCRIPTS are running or stopped */
201     LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
202     LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
203     LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
204 };
205 
206 enum {
207     LSI_MSG_ACTION_COMMAND = 0,
208     LSI_MSG_ACTION_DISCONNECT = 1,
209     LSI_MSG_ACTION_DOUT = 2,
210     LSI_MSG_ACTION_DIN = 3,
211 };
212 
213 typedef struct {
214     /*< private >*/
215     PCIDevice parent_obj;
216     /*< public >*/
217 
218     qemu_irq ext_irq;
219     MemoryRegion mmio_io;
220     MemoryRegion ram_io;
221     MemoryRegion io_io;
222     AddressSpace pci_io_as;
223 
224     int carry; /* ??? Should this be an a visible register somewhere?  */
225     int status;
226     int msg_action;
227     int msg_len;
228     uint8_t msg[LSI_MAX_MSGIN_LEN];
229     int waiting;
230     SCSIBus bus;
231     int current_lun;
232     /* The tag is a combination of the device ID and the SCSI tag.  */
233     uint32_t select_tag;
234     int command_complete;
235     QTAILQ_HEAD(, lsi_request) queue;
236     lsi_request *current;
237 
238     uint32_t dsa;
239     uint32_t temp;
240     uint32_t dnad;
241     uint32_t dbc;
242     uint8_t istat0;
243     uint8_t istat1;
244     uint8_t dcmd;
245     uint8_t dstat;
246     uint8_t dien;
247     uint8_t sist0;
248     uint8_t sist1;
249     uint8_t sien0;
250     uint8_t sien1;
251     uint8_t mbox0;
252     uint8_t mbox1;
253     uint8_t dfifo;
254     uint8_t ctest2;
255     uint8_t ctest3;
256     uint8_t ctest4;
257     uint8_t ctest5;
258     uint8_t ccntl0;
259     uint8_t ccntl1;
260     uint32_t dsp;
261     uint32_t dsps;
262     uint8_t dmode;
263     uint8_t dcntl;
264     uint8_t scntl0;
265     uint8_t scntl1;
266     uint8_t scntl2;
267     uint8_t scntl3;
268     uint8_t sstat0;
269     uint8_t sstat1;
270     uint8_t scid;
271     uint8_t sxfer;
272     uint8_t socl;
273     uint8_t sdid;
274     uint8_t ssid;
275     uint8_t sfbr;
276     uint8_t sbcl;
277     uint8_t stest1;
278     uint8_t stest2;
279     uint8_t stest3;
280     uint8_t sidl;
281     uint8_t stime0;
282     uint8_t respid0;
283     uint8_t respid1;
284     uint32_t mmrs;
285     uint32_t mmws;
286     uint32_t sfs;
287     uint32_t drs;
288     uint32_t sbms;
289     uint32_t dbms;
290     uint32_t dnad64;
291     uint32_t pmjad1;
292     uint32_t pmjad2;
293     uint32_t rbc;
294     uint32_t ua;
295     uint32_t ia;
296     uint32_t sbc;
297     uint32_t csbc;
298     uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
299     uint8_t sbr;
300     uint32_t adder;
301 
302     uint8_t script_ram[2048 * sizeof(uint32_t)];
303 } LSIState;
304 
305 #define TYPE_LSI53C810  "lsi53c810"
306 #define TYPE_LSI53C895A "lsi53c895a"
307 
308 #define LSI53C895A(obj) \
309     OBJECT_CHECK(LSIState, (obj), TYPE_LSI53C895A)
310 
311 static const char *scsi_phases[] = {
312     "DOUT",
313     "DIN",
314     "CMD",
315     "STATUS",
316     "RSVOUT",
317     "RSVIN",
318     "MSGOUT",
319     "MSGIN"
320 };
321 
322 static const char *scsi_phase_name(int phase)
323 {
324     return scsi_phases[phase & PHASE_MASK];
325 }
326 
327 static inline int lsi_irq_on_rsl(LSIState *s)
328 {
329     return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
330 }
331 
332 static lsi_request *get_pending_req(LSIState *s)
333 {
334     lsi_request *p;
335 
336     QTAILQ_FOREACH(p, &s->queue, next) {
337         if (p->pending) {
338             return p;
339         }
340     }
341     return NULL;
342 }
343 
344 static void lsi_soft_reset(LSIState *s)
345 {
346     trace_lsi_reset();
347     s->carry = 0;
348 
349     s->msg_action = LSI_MSG_ACTION_COMMAND;
350     s->msg_len = 0;
351     s->waiting = LSI_NOWAIT;
352     s->dsa = 0;
353     s->dnad = 0;
354     s->dbc = 0;
355     s->temp = 0;
356     memset(s->scratch, 0, sizeof(s->scratch));
357     s->istat0 = 0;
358     s->istat1 = 0;
359     s->dcmd = 0x40;
360     s->dstat = 0;
361     s->dien = 0;
362     s->sist0 = 0;
363     s->sist1 = 0;
364     s->sien0 = 0;
365     s->sien1 = 0;
366     s->mbox0 = 0;
367     s->mbox1 = 0;
368     s->dfifo = 0;
369     s->ctest2 = LSI_CTEST2_DACK;
370     s->ctest3 = 0;
371     s->ctest4 = 0;
372     s->ctest5 = 0;
373     s->ccntl0 = 0;
374     s->ccntl1 = 0;
375     s->dsp = 0;
376     s->dsps = 0;
377     s->dmode = 0;
378     s->dcntl = 0;
379     s->scntl0 = 0xc0;
380     s->scntl1 = 0;
381     s->scntl2 = 0;
382     s->scntl3 = 0;
383     s->sstat0 = 0;
384     s->sstat1 = 0;
385     s->scid = 7;
386     s->sxfer = 0;
387     s->socl = 0;
388     s->sdid = 0;
389     s->ssid = 0;
390     s->sbcl = 0;
391     s->stest1 = 0;
392     s->stest2 = 0;
393     s->stest3 = 0;
394     s->sidl = 0;
395     s->stime0 = 0;
396     s->respid0 = 0x80;
397     s->respid1 = 0;
398     s->mmrs = 0;
399     s->mmws = 0;
400     s->sfs = 0;
401     s->drs = 0;
402     s->sbms = 0;
403     s->dbms = 0;
404     s->dnad64 = 0;
405     s->pmjad1 = 0;
406     s->pmjad2 = 0;
407     s->rbc = 0;
408     s->ua = 0;
409     s->ia = 0;
410     s->sbc = 0;
411     s->csbc = 0;
412     s->sbr = 0;
413     assert(QTAILQ_EMPTY(&s->queue));
414     assert(!s->current);
415 }
416 
417 static int lsi_dma_40bit(LSIState *s)
418 {
419     if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
420         return 1;
421     return 0;
422 }
423 
424 static int lsi_dma_ti64bit(LSIState *s)
425 {
426     if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
427         return 1;
428     return 0;
429 }
430 
431 static int lsi_dma_64bit(LSIState *s)
432 {
433     if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
434         return 1;
435     return 0;
436 }
437 
438 static uint8_t lsi_reg_readb(LSIState *s, int offset);
439 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
440 static void lsi_execute_script(LSIState *s);
441 static void lsi_reselect(LSIState *s, lsi_request *p);
442 
443 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
444                                void *buf, dma_addr_t len)
445 {
446     if (s->dmode & LSI_DMODE_SIOM) {
447         address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
448                            buf, len);
449     } else {
450         pci_dma_read(PCI_DEVICE(s), addr, buf, len);
451     }
452 }
453 
454 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
455                                 const void *buf, dma_addr_t len)
456 {
457     if (s->dmode & LSI_DMODE_DIOM) {
458         address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
459                             buf, len);
460     } else {
461         pci_dma_write(PCI_DEVICE(s), addr, buf, len);
462     }
463 }
464 
465 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
466 {
467     uint32_t buf;
468 
469     pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
470     return cpu_to_le32(buf);
471 }
472 
473 static void lsi_stop_script(LSIState *s)
474 {
475     s->istat1 &= ~LSI_ISTAT1_SRUN;
476 }
477 
478 static void lsi_set_irq(LSIState *s, int level)
479 {
480     PCIDevice *d = PCI_DEVICE(s);
481 
482     if (s->ext_irq) {
483         qemu_set_irq(s->ext_irq, level);
484     } else {
485         pci_set_irq(d, level);
486     }
487 }
488 
489 static void lsi_update_irq(LSIState *s)
490 {
491     int level;
492     static int last_level;
493 
494     /* It's unclear whether the DIP/SIP bits should be cleared when the
495        Interrupt Status Registers are cleared or when istat0 is read.
496        We currently do the formwer, which seems to work.  */
497     level = 0;
498     if (s->dstat) {
499         if (s->dstat & s->dien)
500             level = 1;
501         s->istat0 |= LSI_ISTAT0_DIP;
502     } else {
503         s->istat0 &= ~LSI_ISTAT0_DIP;
504     }
505 
506     if (s->sist0 || s->sist1) {
507         if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
508             level = 1;
509         s->istat0 |= LSI_ISTAT0_SIP;
510     } else {
511         s->istat0 &= ~LSI_ISTAT0_SIP;
512     }
513     if (s->istat0 & LSI_ISTAT0_INTF)
514         level = 1;
515 
516     if (level != last_level) {
517         trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
518         last_level = level;
519     }
520     lsi_set_irq(s, level);
521 
522     if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
523         lsi_request *p;
524 
525         trace_lsi_update_irq_disconnected();
526         p = get_pending_req(s);
527         if (p) {
528             lsi_reselect(s, p);
529         }
530     }
531 }
532 
533 /* Stop SCRIPTS execution and raise a SCSI interrupt.  */
534 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
535 {
536     uint32_t mask0;
537     uint32_t mask1;
538 
539     trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
540     s->sist0 |= stat0;
541     s->sist1 |= stat1;
542     /* Stop processor on fatal or unmasked interrupt.  As a special hack
543        we don't stop processing when raising STO.  Instead continue
544        execution and stop at the next insn that accesses the SCSI bus.  */
545     mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
546     mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
547     mask1 &= ~LSI_SIST1_STO;
548     if (s->sist0 & mask0 || s->sist1 & mask1) {
549         lsi_stop_script(s);
550     }
551     lsi_update_irq(s);
552 }
553 
554 /* Stop SCRIPTS execution and raise a DMA interrupt.  */
555 static void lsi_script_dma_interrupt(LSIState *s, int stat)
556 {
557     trace_lsi_script_dma_interrupt(stat, s->dstat);
558     s->dstat |= stat;
559     lsi_update_irq(s);
560     lsi_stop_script(s);
561 }
562 
563 static inline void lsi_set_phase(LSIState *s, int phase)
564 {
565     s->sbcl &= ~PHASE_MASK;
566     s->sbcl |= phase | LSI_SBCL_REQ;
567     s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
568 }
569 
570 static void lsi_bad_phase(LSIState *s, int out, int new_phase)
571 {
572     /* Trigger a phase mismatch.  */
573     if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
574         if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
575             s->dsp = out ? s->pmjad1 : s->pmjad2;
576         } else {
577             s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
578         }
579         trace_lsi_bad_phase_jump(s->dsp);
580     } else {
581         trace_lsi_bad_phase_interrupt();
582         lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
583         lsi_stop_script(s);
584     }
585     lsi_set_phase(s, new_phase);
586 }
587 
588 
589 /* Resume SCRIPTS execution after a DMA operation.  */
590 static void lsi_resume_script(LSIState *s)
591 {
592     if (s->waiting != 2) {
593         s->waiting = LSI_NOWAIT;
594         lsi_execute_script(s);
595     } else {
596         s->waiting = LSI_NOWAIT;
597     }
598 }
599 
600 static void lsi_disconnect(LSIState *s)
601 {
602     s->scntl1 &= ~LSI_SCNTL1_CON;
603     s->sstat1 &= ~PHASE_MASK;
604     s->sbcl = 0;
605 }
606 
607 static void lsi_bad_selection(LSIState *s, uint32_t id)
608 {
609     trace_lsi_bad_selection(id);
610     lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
611     lsi_disconnect(s);
612 }
613 
614 /* Initiate a SCSI layer data transfer.  */
615 static void lsi_do_dma(LSIState *s, int out)
616 {
617     uint32_t count;
618     dma_addr_t addr;
619     SCSIDevice *dev;
620 
621     assert(s->current);
622     if (!s->current->dma_len) {
623         /* Wait until data is available.  */
624         trace_lsi_do_dma_unavailable();
625         return;
626     }
627 
628     dev = s->current->req->dev;
629     assert(dev);
630 
631     count = s->dbc;
632     if (count > s->current->dma_len)
633         count = s->current->dma_len;
634 
635     addr = s->dnad;
636     /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
637     if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
638         addr |= ((uint64_t)s->dnad64 << 32);
639     else if (s->dbms)
640         addr |= ((uint64_t)s->dbms << 32);
641     else if (s->sbms)
642         addr |= ((uint64_t)s->sbms << 32);
643 
644     trace_lsi_do_dma(addr, count);
645     s->csbc += count;
646     s->dnad += count;
647     s->dbc -= count;
648      if (s->current->dma_buf == NULL) {
649         s->current->dma_buf = scsi_req_get_buf(s->current->req);
650     }
651     /* ??? Set SFBR to first data byte.  */
652     if (out) {
653         lsi_mem_read(s, addr, s->current->dma_buf, count);
654     } else {
655         lsi_mem_write(s, addr, s->current->dma_buf, count);
656     }
657     s->current->dma_len -= count;
658     if (s->current->dma_len == 0) {
659         s->current->dma_buf = NULL;
660         scsi_req_continue(s->current->req);
661     } else {
662         s->current->dma_buf += count;
663         lsi_resume_script(s);
664     }
665 }
666 
667 
668 /* Add a command to the queue.  */
669 static void lsi_queue_command(LSIState *s)
670 {
671     lsi_request *p = s->current;
672 
673     trace_lsi_queue_command(p->tag);
674     assert(s->current != NULL);
675     assert(s->current->dma_len == 0);
676     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
677     s->current = NULL;
678 
679     p->pending = 0;
680     p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
681 }
682 
683 /* Queue a byte for a MSG IN phase.  */
684 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
685 {
686     if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
687         trace_lsi_add_msg_byte_error();
688     } else {
689         trace_lsi_add_msg_byte(data);
690         s->msg[s->msg_len++] = data;
691     }
692 }
693 
694 /* Perform reselection to continue a command.  */
695 static void lsi_reselect(LSIState *s, lsi_request *p)
696 {
697     int id;
698 
699     assert(s->current == NULL);
700     QTAILQ_REMOVE(&s->queue, p, next);
701     s->current = p;
702 
703     id = (p->tag >> 8) & 0xf;
704     s->ssid = id | 0x80;
705     /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
706     if (!(s->dcntl & LSI_DCNTL_COM)) {
707         s->sfbr = 1 << (id & 0x7);
708     }
709     trace_lsi_reselect(id);
710     s->scntl1 |= LSI_SCNTL1_CON;
711     lsi_set_phase(s, PHASE_MI);
712     s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
713     s->current->dma_len = p->pending;
714     lsi_add_msg_byte(s, 0x80);
715     if (s->current->tag & LSI_TAG_VALID) {
716         lsi_add_msg_byte(s, 0x20);
717         lsi_add_msg_byte(s, p->tag & 0xff);
718     }
719 
720     if (lsi_irq_on_rsl(s)) {
721         lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
722     }
723 }
724 
725 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
726 {
727     lsi_request *p;
728 
729     QTAILQ_FOREACH(p, &s->queue, next) {
730         if (p->tag == tag) {
731             return p;
732         }
733     }
734 
735     return NULL;
736 }
737 
738 static void lsi_request_free(LSIState *s, lsi_request *p)
739 {
740     if (p == s->current) {
741         s->current = NULL;
742     } else {
743         QTAILQ_REMOVE(&s->queue, p, next);
744     }
745     g_free(p);
746 }
747 
748 static void lsi_request_cancelled(SCSIRequest *req)
749 {
750     LSIState *s = LSI53C895A(req->bus->qbus.parent);
751     lsi_request *p = req->hba_private;
752 
753     req->hba_private = NULL;
754     lsi_request_free(s, p);
755     scsi_req_unref(req);
756 }
757 
758 /* Record that data is available for a queued command.  Returns zero if
759    the device was reselected, nonzero if the IO is deferred.  */
760 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
761 {
762     lsi_request *p = req->hba_private;
763 
764     if (p->pending) {
765         trace_lsi_queue_req_error(p);
766     }
767     p->pending = len;
768     /* Reselect if waiting for it, or if reselection triggers an IRQ
769        and the bus is free.
770        Since no interrupt stacking is implemented in the emulation, it
771        is also required that there are no pending interrupts waiting
772        for service from the device driver. */
773     if (s->waiting == LSI_WAIT_RESELECT ||
774         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
775          !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
776         /* Reselect device.  */
777         lsi_reselect(s, p);
778         return 0;
779     } else {
780         trace_lsi_queue_req(p->tag);
781         p->pending = len;
782         return 1;
783     }
784 }
785 
786  /* Callback to indicate that the SCSI layer has completed a command.  */
787 static void lsi_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
788 {
789     LSIState *s = LSI53C895A(req->bus->qbus.parent);
790     int out;
791 
792     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
793     trace_lsi_command_complete(status);
794     s->status = status;
795     s->command_complete = 2;
796     if (s->waiting && s->dbc != 0) {
797         /* Raise phase mismatch for short transfers.  */
798         lsi_bad_phase(s, out, PHASE_ST);
799     } else {
800         lsi_set_phase(s, PHASE_ST);
801     }
802 
803     if (req->hba_private == s->current) {
804         req->hba_private = NULL;
805         lsi_request_free(s, s->current);
806         scsi_req_unref(req);
807     }
808     lsi_resume_script(s);
809 }
810 
811  /* Callback to indicate that the SCSI layer has completed a transfer.  */
812 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
813 {
814     LSIState *s = LSI53C895A(req->bus->qbus.parent);
815     int out;
816 
817     assert(req->hba_private);
818     if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
819         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
820         if (lsi_queue_req(s, req, len)) {
821             return;
822         }
823     }
824 
825     out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
826 
827     /* host adapter (re)connected */
828     trace_lsi_transfer_data(req->tag, len);
829     s->current->dma_len = len;
830     s->command_complete = 1;
831     if (s->waiting) {
832         if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
833             lsi_resume_script(s);
834         } else {
835             lsi_do_dma(s, out);
836         }
837     }
838 }
839 
840 static void lsi_do_command(LSIState *s)
841 {
842     SCSIDevice *dev;
843     uint8_t buf[16];
844     uint32_t id;
845     int n;
846 
847     trace_lsi_do_command(s->dbc);
848     if (s->dbc > 16)
849         s->dbc = 16;
850     pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
851     s->sfbr = buf[0];
852     s->command_complete = 0;
853 
854     id = (s->select_tag >> 8) & 0xf;
855     dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
856     if (!dev) {
857         lsi_bad_selection(s, id);
858         return;
859     }
860 
861     assert(s->current == NULL);
862     s->current = g_new0(lsi_request, 1);
863     s->current->tag = s->select_tag;
864     s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
865                                    s->current);
866 
867     n = scsi_req_enqueue(s->current->req);
868     if (n) {
869         if (n > 0) {
870             lsi_set_phase(s, PHASE_DI);
871         } else if (n < 0) {
872             lsi_set_phase(s, PHASE_DO);
873         }
874         scsi_req_continue(s->current->req);
875     }
876     if (!s->command_complete) {
877         if (n) {
878             /* Command did not complete immediately so disconnect.  */
879             lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
880             lsi_add_msg_byte(s, 4); /* DISCONNECT */
881             /* wait data */
882             lsi_set_phase(s, PHASE_MI);
883             s->msg_action = LSI_MSG_ACTION_DISCONNECT;
884             lsi_queue_command(s);
885         } else {
886             /* wait command complete */
887             lsi_set_phase(s, PHASE_DI);
888         }
889     }
890 }
891 
892 static void lsi_do_status(LSIState *s)
893 {
894     uint8_t status;
895     trace_lsi_do_status(s->dbc, s->status);
896     if (s->dbc != 1) {
897         trace_lsi_do_status_error();
898     }
899     s->dbc = 1;
900     status = s->status;
901     s->sfbr = status;
902     pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
903     lsi_set_phase(s, PHASE_MI);
904     s->msg_action = LSI_MSG_ACTION_DISCONNECT;
905     lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
906 }
907 
908 static void lsi_do_msgin(LSIState *s)
909 {
910     uint8_t len;
911     trace_lsi_do_msgin(s->dbc, s->msg_len);
912     s->sfbr = s->msg[0];
913     len = s->msg_len;
914     assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
915     if (len > s->dbc)
916         len = s->dbc;
917     pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
918     /* Linux drivers rely on the last byte being in the SIDL.  */
919     s->sidl = s->msg[len - 1];
920     s->msg_len -= len;
921     if (s->msg_len) {
922         memmove(s->msg, s->msg + len, s->msg_len);
923     } else {
924         /* ??? Check if ATN (not yet implemented) is asserted and maybe
925            switch to PHASE_MO.  */
926         switch (s->msg_action) {
927         case LSI_MSG_ACTION_COMMAND:
928             lsi_set_phase(s, PHASE_CMD);
929             break;
930         case LSI_MSG_ACTION_DISCONNECT:
931             lsi_disconnect(s);
932             break;
933         case LSI_MSG_ACTION_DOUT:
934             lsi_set_phase(s, PHASE_DO);
935             break;
936         case LSI_MSG_ACTION_DIN:
937             lsi_set_phase(s, PHASE_DI);
938             break;
939         default:
940             abort();
941         }
942     }
943 }
944 
945 /* Read the next byte during a MSGOUT phase.  */
946 static uint8_t lsi_get_msgbyte(LSIState *s)
947 {
948     uint8_t data;
949     pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
950     s->dnad++;
951     s->dbc--;
952     return data;
953 }
954 
955 /* Skip the next n bytes during a MSGOUT phase. */
956 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
957 {
958     s->dnad += n;
959     s->dbc  -= n;
960 }
961 
962 static void lsi_do_msgout(LSIState *s)
963 {
964     uint8_t msg;
965     int len;
966     uint32_t current_tag;
967     lsi_request *current_req, *p, *p_next;
968 
969     if (s->current) {
970         current_tag = s->current->tag;
971         current_req = s->current;
972     } else {
973         current_tag = s->select_tag;
974         current_req = lsi_find_by_tag(s, current_tag);
975     }
976 
977     trace_lsi_do_msgout(s->dbc);
978     while (s->dbc) {
979         msg = lsi_get_msgbyte(s);
980         s->sfbr = msg;
981 
982         switch (msg) {
983         case 0x04:
984             trace_lsi_do_msgout_disconnect();
985             lsi_disconnect(s);
986             break;
987         case 0x08:
988             trace_lsi_do_msgout_noop();
989             lsi_set_phase(s, PHASE_CMD);
990             break;
991         case 0x01:
992             len = lsi_get_msgbyte(s);
993             msg = lsi_get_msgbyte(s);
994             (void)len; /* avoid a warning about unused variable*/
995             trace_lsi_do_msgout_extended(msg, len);
996             switch (msg) {
997             case 1:
998                 trace_lsi_do_msgout_ignored("SDTR");
999                 lsi_skip_msgbytes(s, 2);
1000                 break;
1001             case 3:
1002                 trace_lsi_do_msgout_ignored("WDTR");
1003                 lsi_skip_msgbytes(s, 1);
1004                 break;
1005             case 4:
1006                 trace_lsi_do_msgout_ignored("PPR");
1007                 lsi_skip_msgbytes(s, 5);
1008                 break;
1009             default:
1010                 goto bad;
1011             }
1012             break;
1013         case 0x20: /* SIMPLE queue */
1014             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1015             trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1016             break;
1017         case 0x21: /* HEAD of queue */
1018             qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1019             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1020             break;
1021         case 0x22: /* ORDERED queue */
1022             qemu_log_mask(LOG_UNIMP,
1023                           "lsi_scsi: ORDERED queue not implemented\n");
1024             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1025             break;
1026         case 0x0d:
1027             /* The ABORT TAG message clears the current I/O process only. */
1028             trace_lsi_do_msgout_abort(current_tag);
1029             if (current_req) {
1030                 scsi_req_cancel(current_req->req);
1031             }
1032             lsi_disconnect(s);
1033             break;
1034         case 0x06:
1035         case 0x0e:
1036         case 0x0c:
1037             /* The ABORT message clears all I/O processes for the selecting
1038                initiator on the specified logical unit of the target. */
1039             if (msg == 0x06) {
1040                 trace_lsi_do_msgout_abort(current_tag);
1041             }
1042             /* The CLEAR QUEUE message clears all I/O processes for all
1043                initiators on the specified logical unit of the target. */
1044             if (msg == 0x0e) {
1045                 trace_lsi_do_msgout_clearqueue(current_tag);
1046             }
1047             /* The BUS DEVICE RESET message clears all I/O processes for all
1048                initiators on all logical units of the target. */
1049             if (msg == 0x0c) {
1050                 trace_lsi_do_msgout_busdevicereset(current_tag);
1051             }
1052 
1053             /* clear the current I/O process */
1054             if (s->current) {
1055                 scsi_req_cancel(s->current->req);
1056             }
1057 
1058             /* As the current implemented devices scsi_disk and scsi_generic
1059                only support one LUN, we don't need to keep track of LUNs.
1060                Clearing I/O processes for other initiators could be possible
1061                for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1062                device, but this is currently not implemented (and seems not
1063                to be really necessary). So let's simply clear all queued
1064                commands for the current device: */
1065             QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1066                 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1067                     scsi_req_cancel(p->req);
1068                 }
1069             }
1070 
1071             lsi_disconnect(s);
1072             break;
1073         default:
1074             if ((msg & 0x80) == 0) {
1075                 goto bad;
1076             }
1077             s->current_lun = msg & 7;
1078             trace_lsi_do_msgout_select(s->current_lun);
1079             lsi_set_phase(s, PHASE_CMD);
1080             break;
1081         }
1082     }
1083     return;
1084 bad:
1085     qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1086     lsi_set_phase(s, PHASE_MI);
1087     lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1088     s->msg_action = LSI_MSG_ACTION_COMMAND;
1089 }
1090 
1091 #define LSI_BUF_SIZE 4096
1092 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1093 {
1094     int n;
1095     uint8_t buf[LSI_BUF_SIZE];
1096 
1097     trace_lsi_memcpy(dest, src, count);
1098     while (count) {
1099         n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1100         lsi_mem_read(s, src, buf, n);
1101         lsi_mem_write(s, dest, buf, n);
1102         src += n;
1103         dest += n;
1104         count -= n;
1105     }
1106 }
1107 
1108 static void lsi_wait_reselect(LSIState *s)
1109 {
1110     lsi_request *p;
1111 
1112     trace_lsi_wait_reselect();
1113 
1114     if (s->current) {
1115         return;
1116     }
1117     p = get_pending_req(s);
1118     if (p) {
1119         lsi_reselect(s, p);
1120     }
1121     if (s->current == NULL) {
1122         s->waiting = LSI_WAIT_RESELECT;
1123     }
1124 }
1125 
1126 static void lsi_execute_script(LSIState *s)
1127 {
1128     PCIDevice *pci_dev = PCI_DEVICE(s);
1129     uint32_t insn;
1130     uint32_t addr, addr_high;
1131     int opcode;
1132     int insn_processed = 0;
1133 
1134     s->istat1 |= LSI_ISTAT1_SRUN;
1135 again:
1136     insn_processed++;
1137     insn = read_dword(s, s->dsp);
1138     if (!insn) {
1139         /* If we receive an empty opcode increment the DSP by 4 bytes
1140            instead of 8 and execute the next opcode at that location */
1141         s->dsp += 4;
1142         goto again;
1143     }
1144     addr = read_dword(s, s->dsp + 4);
1145     addr_high = 0;
1146     trace_lsi_execute_script(s->dsp, insn, addr);
1147     s->dsps = addr;
1148     s->dcmd = insn >> 24;
1149     s->dsp += 8;
1150     switch (insn >> 30) {
1151     case 0: /* Block move.  */
1152         if (s->sist1 & LSI_SIST1_STO) {
1153             trace_lsi_execute_script_blockmove_delayed();
1154             lsi_stop_script(s);
1155             break;
1156         }
1157         s->dbc = insn & 0xffffff;
1158         s->rbc = s->dbc;
1159         /* ??? Set ESA.  */
1160         s->ia = s->dsp - 8;
1161         if (insn & (1 << 29)) {
1162             /* Indirect addressing.  */
1163             addr = read_dword(s, addr);
1164         } else if (insn & (1 << 28)) {
1165             uint32_t buf[2];
1166             int32_t offset;
1167             /* Table indirect addressing.  */
1168 
1169             /* 32-bit Table indirect */
1170             offset = sextract32(addr, 0, 24);
1171             pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1172             /* byte count is stored in bits 0:23 only */
1173             s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1174             s->rbc = s->dbc;
1175             addr = cpu_to_le32(buf[1]);
1176 
1177             /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1178              * table, bits [31:24] */
1179             if (lsi_dma_40bit(s))
1180                 addr_high = cpu_to_le32(buf[0]) >> 24;
1181             else if (lsi_dma_ti64bit(s)) {
1182                 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1183                 switch (selector) {
1184                 case 0 ... 0x0f:
1185                     /* offset index into scratch registers since
1186                      * TI64 mode can use registers C to R */
1187                     addr_high = s->scratch[2 + selector];
1188                     break;
1189                 case 0x10:
1190                     addr_high = s->mmrs;
1191                     break;
1192                 case 0x11:
1193                     addr_high = s->mmws;
1194                     break;
1195                 case 0x12:
1196                     addr_high = s->sfs;
1197                     break;
1198                 case 0x13:
1199                     addr_high = s->drs;
1200                     break;
1201                 case 0x14:
1202                     addr_high = s->sbms;
1203                     break;
1204                 case 0x15:
1205                     addr_high = s->dbms;
1206                     break;
1207                 default:
1208                     qemu_log_mask(LOG_GUEST_ERROR,
1209                           "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1210                           "for 64-bit DMA block move", selector);
1211                     break;
1212                 }
1213             }
1214         } else if (lsi_dma_64bit(s)) {
1215             /* fetch a 3rd dword if 64-bit direct move is enabled and
1216                only if we're not doing table indirect or indirect addressing */
1217             s->dbms = read_dword(s, s->dsp);
1218             s->dsp += 4;
1219             s->ia = s->dsp - 12;
1220         }
1221         if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1222             trace_lsi_execute_script_blockmove_badphase(
1223                     scsi_phase_name(s->sstat1),
1224                     scsi_phase_name(insn >> 24));
1225             lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1226             break;
1227         }
1228         s->dnad = addr;
1229         s->dnad64 = addr_high;
1230         switch (s->sstat1 & 0x7) {
1231         case PHASE_DO:
1232             s->waiting = LSI_DMA_SCRIPTS;
1233             lsi_do_dma(s, 1);
1234             if (s->waiting)
1235                 s->waiting = LSI_DMA_IN_PROGRESS;
1236             break;
1237         case PHASE_DI:
1238             s->waiting = LSI_DMA_SCRIPTS;
1239             lsi_do_dma(s, 0);
1240             if (s->waiting)
1241                 s->waiting = LSI_DMA_IN_PROGRESS;
1242             break;
1243         case PHASE_CMD:
1244             lsi_do_command(s);
1245             break;
1246         case PHASE_ST:
1247             lsi_do_status(s);
1248             break;
1249         case PHASE_MO:
1250             lsi_do_msgout(s);
1251             break;
1252         case PHASE_MI:
1253             lsi_do_msgin(s);
1254             break;
1255         default:
1256             qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1257                           scsi_phase_name(s->sstat1));
1258         }
1259         s->dfifo = s->dbc & 0xff;
1260         s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1261         s->sbc = s->dbc;
1262         s->rbc -= s->dbc;
1263         s->ua = addr + s->dbc;
1264         break;
1265 
1266     case 1: /* IO or Read/Write instruction.  */
1267         opcode = (insn >> 27) & 7;
1268         if (opcode < 5) {
1269             uint32_t id;
1270 
1271             if (insn & (1 << 25)) {
1272                 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1273             } else {
1274                 id = insn;
1275             }
1276             id = (id >> 16) & 0xf;
1277             if (insn & (1 << 26)) {
1278                 addr = s->dsp + sextract32(addr, 0, 24);
1279             }
1280             s->dnad = addr;
1281             switch (opcode) {
1282             case 0: /* Select */
1283                 s->sdid = id;
1284                 if (s->scntl1 & LSI_SCNTL1_CON) {
1285                     trace_lsi_execute_script_io_alreadyreselected();
1286                     s->dsp = s->dnad;
1287                     break;
1288                 }
1289                 s->sstat0 |= LSI_SSTAT0_WOA;
1290                 s->scntl1 &= ~LSI_SCNTL1_IARB;
1291                 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1292                     lsi_bad_selection(s, id);
1293                     break;
1294                 }
1295                 trace_lsi_execute_script_io_selected(id,
1296                                              insn & (1 << 3) ? " ATN" : "");
1297                 /* ??? Linux drivers compain when this is set.  Maybe
1298                    it only applies in low-level mode (unimplemented).
1299                 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1300                 s->select_tag = id << 8;
1301                 s->scntl1 |= LSI_SCNTL1_CON;
1302                 if (insn & (1 << 3)) {
1303                     s->socl |= LSI_SOCL_ATN;
1304                     s->sbcl |= LSI_SBCL_ATN;
1305                 }
1306                 s->sbcl |= LSI_SBCL_BSY;
1307                 lsi_set_phase(s, PHASE_MO);
1308                 s->waiting = LSI_NOWAIT;
1309                 break;
1310             case 1: /* Disconnect */
1311                 trace_lsi_execute_script_io_disconnect();
1312                 s->scntl1 &= ~LSI_SCNTL1_CON;
1313                 /* FIXME: this is not entirely correct; the target need not ask
1314                  * for reselection until it has to send data, while here we force a
1315                  * reselection as soon as the bus is free.  The correct flow would
1316                  * reselect before lsi_transfer_data and disconnect as soon as
1317                  * DMA ends.
1318                  */
1319                 if (!s->current) {
1320                     lsi_request *p = get_pending_req(s);
1321                     if (p) {
1322                         lsi_reselect(s, p);
1323                     }
1324                 }
1325                 break;
1326             case 2: /* Wait Reselect */
1327                 if (s->istat0 & LSI_ISTAT0_SIGP) {
1328                     s->dsp = s->dnad;
1329                 } else if (!lsi_irq_on_rsl(s)) {
1330                         lsi_wait_reselect(s);
1331                 }
1332                 break;
1333             case 3: /* Set */
1334                 trace_lsi_execute_script_io_set(
1335                         insn & (1 << 3) ? " ATN" : "",
1336                         insn & (1 << 6) ? " ACK" : "",
1337                         insn & (1 << 9) ? " TM" : "",
1338                         insn & (1 << 10) ? " CC" : "");
1339                 if (insn & (1 << 3)) {
1340                     s->socl |= LSI_SOCL_ATN;
1341                     s->sbcl |= LSI_SBCL_ATN;
1342                     lsi_set_phase(s, PHASE_MO);
1343                 }
1344 
1345                 if (insn & (1 << 6)) {
1346                     s->sbcl |= LSI_SBCL_ACK;
1347                 }
1348 
1349                 if (insn & (1 << 9)) {
1350                     qemu_log_mask(LOG_UNIMP,
1351                         "lsi_scsi: Target mode not implemented\n");
1352                 }
1353                 if (insn & (1 << 10))
1354                     s->carry = 1;
1355                 break;
1356             case 4: /* Clear */
1357                 trace_lsi_execute_script_io_clear(
1358                         insn & (1 << 3) ? " ATN" : "",
1359                         insn & (1 << 6) ? " ACK" : "",
1360                         insn & (1 << 9) ? " TM" : "",
1361                         insn & (1 << 10) ? " CC" : "");
1362                 if (insn & (1 << 3)) {
1363                     s->socl &= ~LSI_SOCL_ATN;
1364                     s->sbcl &= ~LSI_SBCL_ATN;
1365                 }
1366 
1367                 if (insn & (1 << 6)) {
1368                     s->sbcl &= ~LSI_SBCL_ACK;
1369                 }
1370 
1371                 if (insn & (1 << 10))
1372                     s->carry = 0;
1373                 break;
1374             }
1375         } else {
1376             uint8_t op0;
1377             uint8_t op1;
1378             uint8_t data8;
1379             int reg;
1380             int operator;
1381 
1382             static const char *opcode_names[3] =
1383                 {"Write", "Read", "Read-Modify-Write"};
1384             static const char *operator_names[8] =
1385                 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1386 
1387             reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1388             data8 = (insn >> 8) & 0xff;
1389             opcode = (insn >> 27) & 7;
1390             operator = (insn >> 24) & 7;
1391             trace_lsi_execute_script_io_opcode(
1392                     opcode_names[opcode - 5], reg,
1393                     operator_names[operator], data8, s->sfbr,
1394                     (insn & (1 << 23)) ? " SFBR" : "");
1395             op0 = op1 = 0;
1396             switch (opcode) {
1397             case 5: /* From SFBR */
1398                 op0 = s->sfbr;
1399                 op1 = data8;
1400                 break;
1401             case 6: /* To SFBR */
1402                 if (operator)
1403                     op0 = lsi_reg_readb(s, reg);
1404                 op1 = data8;
1405                 break;
1406             case 7: /* Read-modify-write */
1407                 if (operator)
1408                     op0 = lsi_reg_readb(s, reg);
1409                 if (insn & (1 << 23)) {
1410                     op1 = s->sfbr;
1411                 } else {
1412                     op1 = data8;
1413                 }
1414                 break;
1415             }
1416 
1417             switch (operator) {
1418             case 0: /* move */
1419                 op0 = op1;
1420                 break;
1421             case 1: /* Shift left */
1422                 op1 = op0 >> 7;
1423                 op0 = (op0 << 1) | s->carry;
1424                 s->carry = op1;
1425                 break;
1426             case 2: /* OR */
1427                 op0 |= op1;
1428                 break;
1429             case 3: /* XOR */
1430                 op0 ^= op1;
1431                 break;
1432             case 4: /* AND */
1433                 op0 &= op1;
1434                 break;
1435             case 5: /* SHR */
1436                 op1 = op0 & 1;
1437                 op0 = (op0 >> 1) | (s->carry << 7);
1438                 s->carry = op1;
1439                 break;
1440             case 6: /* ADD */
1441                 op0 += op1;
1442                 s->carry = op0 < op1;
1443                 break;
1444             case 7: /* ADC */
1445                 op0 += op1 + s->carry;
1446                 if (s->carry)
1447                     s->carry = op0 <= op1;
1448                 else
1449                     s->carry = op0 < op1;
1450                 break;
1451             }
1452 
1453             switch (opcode) {
1454             case 5: /* From SFBR */
1455             case 7: /* Read-modify-write */
1456                 lsi_reg_writeb(s, reg, op0);
1457                 break;
1458             case 6: /* To SFBR */
1459                 s->sfbr = op0;
1460                 break;
1461             }
1462         }
1463         break;
1464 
1465     case 2: /* Transfer Control.  */
1466         {
1467             int cond;
1468             int jmp;
1469 
1470             if ((insn & 0x002e0000) == 0) {
1471                 trace_lsi_execute_script_tc_nop();
1472                 break;
1473             }
1474             if (s->sist1 & LSI_SIST1_STO) {
1475                 trace_lsi_execute_script_tc_delayedselect_timeout();
1476                 lsi_stop_script(s);
1477                 break;
1478             }
1479             cond = jmp = (insn & (1 << 19)) != 0;
1480             if (cond == jmp && (insn & (1 << 21))) {
1481                 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1482                 cond = s->carry != 0;
1483             }
1484             if (cond == jmp && (insn & (1 << 17))) {
1485                 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1486                         jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1487                 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1488             }
1489             if (cond == jmp && (insn & (1 << 18))) {
1490                 uint8_t mask;
1491 
1492                 mask = (~insn >> 8) & 0xff;
1493                 trace_lsi_execute_script_tc_compd(
1494                         s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1495                 cond = (s->sfbr & mask) == (insn & mask);
1496             }
1497             if (cond == jmp) {
1498                 if (insn & (1 << 23)) {
1499                     /* Relative address.  */
1500                     addr = s->dsp + sextract32(addr, 0, 24);
1501                 }
1502                 switch ((insn >> 27) & 7) {
1503                 case 0: /* Jump */
1504                     trace_lsi_execute_script_tc_jump(addr);
1505                     s->adder = addr;
1506                     s->dsp = addr;
1507                     break;
1508                 case 1: /* Call */
1509                     trace_lsi_execute_script_tc_call(addr);
1510                     s->temp = s->dsp;
1511                     s->dsp = addr;
1512                     break;
1513                 case 2: /* Return */
1514                     trace_lsi_execute_script_tc_return(s->temp);
1515                     s->dsp = s->temp;
1516                     break;
1517                 case 3: /* Interrupt */
1518                     trace_lsi_execute_script_tc_interrupt(s->dsps);
1519                     if ((insn & (1 << 20)) != 0) {
1520                         s->istat0 |= LSI_ISTAT0_INTF;
1521                         lsi_update_irq(s);
1522                     } else {
1523                         lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1524                     }
1525                     break;
1526                 default:
1527                     trace_lsi_execute_script_tc_illegal();
1528                     lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1529                     break;
1530                 }
1531             } else {
1532                 trace_lsi_execute_script_tc_cc_failed();
1533             }
1534         }
1535         break;
1536 
1537     case 3:
1538         if ((insn & (1 << 29)) == 0) {
1539             /* Memory move.  */
1540             uint32_t dest;
1541             /* ??? The docs imply the destination address is loaded into
1542                the TEMP register.  However the Linux drivers rely on
1543                the value being presrved.  */
1544             dest = read_dword(s, s->dsp);
1545             s->dsp += 4;
1546             lsi_memcpy(s, dest, addr, insn & 0xffffff);
1547         } else {
1548             uint8_t data[7];
1549             int reg;
1550             int n;
1551             int i;
1552 
1553             if (insn & (1 << 28)) {
1554                 addr = s->dsa + sextract32(addr, 0, 24);
1555             }
1556             n = (insn & 7);
1557             reg = (insn >> 16) & 0xff;
1558             if (insn & (1 << 24)) {
1559                 pci_dma_read(pci_dev, addr, data, n);
1560                 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1561                 for (i = 0; i < n; i++) {
1562                     lsi_reg_writeb(s, reg + i, data[i]);
1563                 }
1564             } else {
1565                 trace_lsi_execute_script_mm_store(reg, n, addr);
1566                 for (i = 0; i < n; i++) {
1567                     data[i] = lsi_reg_readb(s, reg + i);
1568                 }
1569                 pci_dma_write(pci_dev, addr, data, n);
1570             }
1571         }
1572     }
1573     if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
1574         /* Some windows drivers make the device spin waiting for a memory
1575            location to change.  If we have been executed a lot of code then
1576            assume this is the case and force an unexpected device disconnect.
1577            This is apparently sufficient to beat the drivers into submission.
1578          */
1579         if (!(s->sien0 & LSI_SIST0_UDC)) {
1580             qemu_log_mask(LOG_GUEST_ERROR,
1581                           "lsi_scsi: inf. loop with UDC masked");
1582         }
1583         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1584         lsi_disconnect(s);
1585     } else if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1586         if (s->dcntl & LSI_DCNTL_SSM) {
1587             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1588         } else {
1589             goto again;
1590         }
1591     }
1592     trace_lsi_execute_script_stop();
1593 }
1594 
1595 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1596 {
1597     uint8_t ret;
1598 
1599 #define CASE_GET_REG24(name, addr) \
1600     case addr: ret = s->name & 0xff; break; \
1601     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1602     case addr + 2: ret = (s->name >> 16) & 0xff; break;
1603 
1604 #define CASE_GET_REG32(name, addr) \
1605     case addr: ret = s->name & 0xff; break; \
1606     case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1607     case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1608     case addr + 3: ret = (s->name >> 24) & 0xff; break;
1609 
1610     switch (offset) {
1611     case 0x00: /* SCNTL0 */
1612         ret = s->scntl0;
1613         break;
1614     case 0x01: /* SCNTL1 */
1615         ret = s->scntl1;
1616         break;
1617     case 0x02: /* SCNTL2 */
1618         ret = s->scntl2;
1619         break;
1620     case 0x03: /* SCNTL3 */
1621         ret = s->scntl3;
1622         break;
1623     case 0x04: /* SCID */
1624         ret = s->scid;
1625         break;
1626     case 0x05: /* SXFER */
1627         ret = s->sxfer;
1628         break;
1629     case 0x06: /* SDID */
1630         ret = s->sdid;
1631         break;
1632     case 0x07: /* GPREG0 */
1633         ret = 0x7f;
1634         break;
1635     case 0x08: /* Revision ID */
1636         ret = 0x00;
1637         break;
1638     case 0x09: /* SOCL */
1639         ret = s->socl;
1640         break;
1641     case 0xa: /* SSID */
1642         ret = s->ssid;
1643         break;
1644     case 0xb: /* SBCL */
1645         ret = s->sbcl;
1646         break;
1647     case 0xc: /* DSTAT */
1648         ret = s->dstat | LSI_DSTAT_DFE;
1649         if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1650             s->dstat = 0;
1651         lsi_update_irq(s);
1652         break;
1653     case 0x0d: /* SSTAT0 */
1654         ret = s->sstat0;
1655         break;
1656     case 0x0e: /* SSTAT1 */
1657         ret = s->sstat1;
1658         break;
1659     case 0x0f: /* SSTAT2 */
1660         ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1661         break;
1662     CASE_GET_REG32(dsa, 0x10)
1663     case 0x14: /* ISTAT0 */
1664         ret = s->istat0;
1665         break;
1666     case 0x15: /* ISTAT1 */
1667         ret = s->istat1;
1668         break;
1669     case 0x16: /* MBOX0 */
1670         ret = s->mbox0;
1671         break;
1672     case 0x17: /* MBOX1 */
1673         ret = s->mbox1;
1674         break;
1675     case 0x18: /* CTEST0 */
1676         ret = 0xff;
1677         break;
1678     case 0x19: /* CTEST1 */
1679         ret = 0;
1680         break;
1681     case 0x1a: /* CTEST2 */
1682         ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1683         if (s->istat0 & LSI_ISTAT0_SIGP) {
1684             s->istat0 &= ~LSI_ISTAT0_SIGP;
1685             ret |= LSI_CTEST2_SIGP;
1686         }
1687         break;
1688     case 0x1b: /* CTEST3 */
1689         ret = s->ctest3;
1690         break;
1691     CASE_GET_REG32(temp, 0x1c)
1692     case 0x20: /* DFIFO */
1693         ret = s->dfifo;
1694         break;
1695     case 0x21: /* CTEST4 */
1696         ret = s->ctest4;
1697         break;
1698     case 0x22: /* CTEST5 */
1699         ret = s->ctest5;
1700         break;
1701     case 0x23: /* CTEST6 */
1702         ret = 0;
1703         break;
1704     CASE_GET_REG24(dbc, 0x24)
1705     case 0x27: /* DCMD */
1706         ret = s->dcmd;
1707         break;
1708     CASE_GET_REG32(dnad, 0x28)
1709     CASE_GET_REG32(dsp, 0x2c)
1710     CASE_GET_REG32(dsps, 0x30)
1711     CASE_GET_REG32(scratch[0], 0x34)
1712     case 0x38: /* DMODE */
1713         ret = s->dmode;
1714         break;
1715     case 0x39: /* DIEN */
1716         ret = s->dien;
1717         break;
1718     case 0x3a: /* SBR */
1719         ret = s->sbr;
1720         break;
1721     case 0x3b: /* DCNTL */
1722         ret = s->dcntl;
1723         break;
1724     /* ADDER Output (Debug of relative jump address) */
1725     CASE_GET_REG32(adder, 0x3c)
1726     case 0x40: /* SIEN0 */
1727         ret = s->sien0;
1728         break;
1729     case 0x41: /* SIEN1 */
1730         ret = s->sien1;
1731         break;
1732     case 0x42: /* SIST0 */
1733         ret = s->sist0;
1734         s->sist0 = 0;
1735         lsi_update_irq(s);
1736         break;
1737     case 0x43: /* SIST1 */
1738         ret = s->sist1;
1739         s->sist1 = 0;
1740         lsi_update_irq(s);
1741         break;
1742     case 0x46: /* MACNTL */
1743         ret = 0x0f;
1744         break;
1745     case 0x47: /* GPCNTL0 */
1746         ret = 0x0f;
1747         break;
1748     case 0x48: /* STIME0 */
1749         ret = s->stime0;
1750         break;
1751     case 0x4a: /* RESPID0 */
1752         ret = s->respid0;
1753         break;
1754     case 0x4b: /* RESPID1 */
1755         ret = s->respid1;
1756         break;
1757     case 0x4d: /* STEST1 */
1758         ret = s->stest1;
1759         break;
1760     case 0x4e: /* STEST2 */
1761         ret = s->stest2;
1762         break;
1763     case 0x4f: /* STEST3 */
1764         ret = s->stest3;
1765         break;
1766     case 0x50: /* SIDL */
1767         /* This is needed by the linux drivers.  We currently only update it
1768            during the MSG IN phase.  */
1769         ret = s->sidl;
1770         break;
1771     case 0x52: /* STEST4 */
1772         ret = 0xe0;
1773         break;
1774     case 0x56: /* CCNTL0 */
1775         ret = s->ccntl0;
1776         break;
1777     case 0x57: /* CCNTL1 */
1778         ret = s->ccntl1;
1779         break;
1780     case 0x58: /* SBDL */
1781         /* Some drivers peek at the data bus during the MSG IN phase.  */
1782         if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1783             assert(s->msg_len > 0);
1784             return s->msg[0];
1785         }
1786         ret = 0;
1787         break;
1788     case 0x59: /* SBDL high */
1789         ret = 0;
1790         break;
1791     CASE_GET_REG32(mmrs, 0xa0)
1792     CASE_GET_REG32(mmws, 0xa4)
1793     CASE_GET_REG32(sfs, 0xa8)
1794     CASE_GET_REG32(drs, 0xac)
1795     CASE_GET_REG32(sbms, 0xb0)
1796     CASE_GET_REG32(dbms, 0xb4)
1797     CASE_GET_REG32(dnad64, 0xb8)
1798     CASE_GET_REG32(pmjad1, 0xc0)
1799     CASE_GET_REG32(pmjad2, 0xc4)
1800     CASE_GET_REG32(rbc, 0xc8)
1801     CASE_GET_REG32(ua, 0xcc)
1802     CASE_GET_REG32(ia, 0xd4)
1803     CASE_GET_REG32(sbc, 0xd8)
1804     CASE_GET_REG32(csbc, 0xdc)
1805     case 0x5c ... 0x9f:
1806     {
1807         int n;
1808         int shift;
1809         n = (offset - 0x58) >> 2;
1810         shift = (offset & 3) * 8;
1811         ret = (s->scratch[n] >> shift) & 0xff;
1812         break;
1813     }
1814     default:
1815     {
1816         qemu_log_mask(LOG_GUEST_ERROR,
1817                       "lsi_scsi: invalid read from reg %s %x\n",
1818                       offset < ARRAY_SIZE(names) ? names[offset] : "???",
1819                       offset);
1820         ret = 0xff;
1821         break;
1822     }
1823     }
1824 #undef CASE_GET_REG24
1825 #undef CASE_GET_REG32
1826 
1827     trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1828                        offset, ret);
1829 
1830     return ret;
1831 }
1832 
1833 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1834 {
1835 #define CASE_SET_REG24(name, addr) \
1836     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1837     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1838     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1839 
1840 #define CASE_SET_REG32(name, addr) \
1841     case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1842     case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1843     case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1844     case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1845 
1846     trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1847                         offset, val);
1848 
1849     switch (offset) {
1850     case 0x00: /* SCNTL0 */
1851         s->scntl0 = val;
1852         if (val & LSI_SCNTL0_START) {
1853             qemu_log_mask(LOG_UNIMP,
1854                           "lsi_scsi: Start sequence not implemented\n");
1855         }
1856         break;
1857     case 0x01: /* SCNTL1 */
1858         s->scntl1 = val & ~LSI_SCNTL1_SST;
1859         if (val & LSI_SCNTL1_IARB) {
1860             qemu_log_mask(LOG_UNIMP,
1861                       "lsi_scsi: Immediate Arbritration not implemented\n");
1862         }
1863         if (val & LSI_SCNTL1_RST) {
1864             if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1865                 qbus_reset_all(BUS(&s->bus));
1866                 s->sstat0 |= LSI_SSTAT0_RST;
1867                 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1868             }
1869         } else {
1870             s->sstat0 &= ~LSI_SSTAT0_RST;
1871         }
1872         break;
1873     case 0x02: /* SCNTL2 */
1874         val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1875         s->scntl2 = val;
1876         break;
1877     case 0x03: /* SCNTL3 */
1878         s->scntl3 = val;
1879         break;
1880     case 0x04: /* SCID */
1881         s->scid = val;
1882         break;
1883     case 0x05: /* SXFER */
1884         s->sxfer = val;
1885         break;
1886     case 0x06: /* SDID */
1887         if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1888             qemu_log_mask(LOG_GUEST_ERROR,
1889                           "lsi_scsi: Destination ID does not match SSID\n");
1890         }
1891         s->sdid = val & 0xf;
1892         break;
1893     case 0x07: /* GPREG0 */
1894         break;
1895     case 0x08: /* SFBR */
1896         /* The CPU is not allowed to write to this register.  However the
1897            SCRIPTS register move instructions are.  */
1898         s->sfbr = val;
1899         break;
1900     case 0x0a: case 0x0b:
1901         /* Openserver writes to these readonly registers on startup */
1902         return;
1903     case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1904         /* Linux writes to these readonly registers on startup.  */
1905         return;
1906     CASE_SET_REG32(dsa, 0x10)
1907     case 0x14: /* ISTAT0 */
1908         s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1909         if (val & LSI_ISTAT0_ABRT) {
1910             lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1911         }
1912         if (val & LSI_ISTAT0_INTF) {
1913             s->istat0 &= ~LSI_ISTAT0_INTF;
1914             lsi_update_irq(s);
1915         }
1916         if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1917             trace_lsi_awoken();
1918             s->waiting = LSI_NOWAIT;
1919             s->dsp = s->dnad;
1920             lsi_execute_script(s);
1921         }
1922         if (val & LSI_ISTAT0_SRST) {
1923             qdev_reset_all(DEVICE(s));
1924         }
1925         break;
1926     case 0x16: /* MBOX0 */
1927         s->mbox0 = val;
1928         break;
1929     case 0x17: /* MBOX1 */
1930         s->mbox1 = val;
1931         break;
1932     case 0x18: /* CTEST0 */
1933         /* nothing to do */
1934         break;
1935     case 0x1a: /* CTEST2 */
1936         s->ctest2 = val & LSI_CTEST2_PCICIE;
1937         break;
1938     case 0x1b: /* CTEST3 */
1939         s->ctest3 = val & 0x0f;
1940         break;
1941     CASE_SET_REG32(temp, 0x1c)
1942     case 0x21: /* CTEST4 */
1943         if (val & 7) {
1944             qemu_log_mask(LOG_UNIMP,
1945                           "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1946         }
1947         s->ctest4 = val;
1948         break;
1949     case 0x22: /* CTEST5 */
1950         if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1951             qemu_log_mask(LOG_UNIMP,
1952                           "lsi_scsi: CTEST5 DMA increment not implemented\n");
1953         }
1954         s->ctest5 = val;
1955         break;
1956     CASE_SET_REG24(dbc, 0x24)
1957     CASE_SET_REG32(dnad, 0x28)
1958     case 0x2c: /* DSP[0:7] */
1959         s->dsp &= 0xffffff00;
1960         s->dsp |= val;
1961         break;
1962     case 0x2d: /* DSP[8:15] */
1963         s->dsp &= 0xffff00ff;
1964         s->dsp |= val << 8;
1965         break;
1966     case 0x2e: /* DSP[16:23] */
1967         s->dsp &= 0xff00ffff;
1968         s->dsp |= val << 16;
1969         break;
1970     case 0x2f: /* DSP[24:31] */
1971         s->dsp &= 0x00ffffff;
1972         s->dsp |= val << 24;
1973         if ((s->dmode & LSI_DMODE_MAN) == 0
1974             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1975             lsi_execute_script(s);
1976         break;
1977     CASE_SET_REG32(dsps, 0x30)
1978     CASE_SET_REG32(scratch[0], 0x34)
1979     case 0x38: /* DMODE */
1980         s->dmode = val;
1981         break;
1982     case 0x39: /* DIEN */
1983         s->dien = val;
1984         lsi_update_irq(s);
1985         break;
1986     case 0x3a: /* SBR */
1987         s->sbr = val;
1988         break;
1989     case 0x3b: /* DCNTL */
1990         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
1991         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1992             lsi_execute_script(s);
1993         break;
1994     case 0x40: /* SIEN0 */
1995         s->sien0 = val;
1996         lsi_update_irq(s);
1997         break;
1998     case 0x41: /* SIEN1 */
1999         s->sien1 = val;
2000         lsi_update_irq(s);
2001         break;
2002     case 0x47: /* GPCNTL0 */
2003         break;
2004     case 0x48: /* STIME0 */
2005         s->stime0 = val;
2006         break;
2007     case 0x49: /* STIME1 */
2008         if (val & 0xf) {
2009             qemu_log_mask(LOG_UNIMP,
2010                           "lsi_scsi: General purpose timer not implemented\n");
2011             /* ??? Raising the interrupt immediately seems to be sufficient
2012                to keep the FreeBSD driver happy.  */
2013             lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2014         }
2015         break;
2016     case 0x4a: /* RESPID0 */
2017         s->respid0 = val;
2018         break;
2019     case 0x4b: /* RESPID1 */
2020         s->respid1 = val;
2021         break;
2022     case 0x4d: /* STEST1 */
2023         s->stest1 = val;
2024         break;
2025     case 0x4e: /* STEST2 */
2026         if (val & 1) {
2027             qemu_log_mask(LOG_UNIMP,
2028                           "lsi_scsi: Low level mode not implemented\n");
2029         }
2030         s->stest2 = val;
2031         break;
2032     case 0x4f: /* STEST3 */
2033         if (val & 0x41) {
2034             qemu_log_mask(LOG_UNIMP,
2035                           "lsi_scsi: SCSI FIFO test mode not implemented\n");
2036         }
2037         s->stest3 = val;
2038         break;
2039     case 0x56: /* CCNTL0 */
2040         s->ccntl0 = val;
2041         break;
2042     case 0x57: /* CCNTL1 */
2043         s->ccntl1 = val;
2044         break;
2045     CASE_SET_REG32(mmrs, 0xa0)
2046     CASE_SET_REG32(mmws, 0xa4)
2047     CASE_SET_REG32(sfs, 0xa8)
2048     CASE_SET_REG32(drs, 0xac)
2049     CASE_SET_REG32(sbms, 0xb0)
2050     CASE_SET_REG32(dbms, 0xb4)
2051     CASE_SET_REG32(dnad64, 0xb8)
2052     CASE_SET_REG32(pmjad1, 0xc0)
2053     CASE_SET_REG32(pmjad2, 0xc4)
2054     CASE_SET_REG32(rbc, 0xc8)
2055     CASE_SET_REG32(ua, 0xcc)
2056     CASE_SET_REG32(ia, 0xd4)
2057     CASE_SET_REG32(sbc, 0xd8)
2058     CASE_SET_REG32(csbc, 0xdc)
2059     default:
2060         if (offset >= 0x5c && offset < 0xa0) {
2061             int n;
2062             int shift;
2063             n = (offset - 0x58) >> 2;
2064             shift = (offset & 3) * 8;
2065             s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2066         } else {
2067             qemu_log_mask(LOG_GUEST_ERROR,
2068                           "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2069                           offset < ARRAY_SIZE(names) ? names[offset] : "???",
2070                           offset, val);
2071         }
2072     }
2073 #undef CASE_SET_REG24
2074 #undef CASE_SET_REG32
2075 }
2076 
2077 static void lsi_mmio_write(void *opaque, hwaddr addr,
2078                            uint64_t val, unsigned size)
2079 {
2080     LSIState *s = opaque;
2081 
2082     lsi_reg_writeb(s, addr & 0xff, val);
2083 }
2084 
2085 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2086                               unsigned size)
2087 {
2088     LSIState *s = opaque;
2089     return lsi_reg_readb(s, addr & 0xff);
2090 }
2091 
2092 static const MemoryRegionOps lsi_mmio_ops = {
2093     .read = lsi_mmio_read,
2094     .write = lsi_mmio_write,
2095     .endianness = DEVICE_LITTLE_ENDIAN,
2096     .impl = {
2097         .min_access_size = 1,
2098         .max_access_size = 1,
2099     },
2100 };
2101 
2102 static void lsi_ram_write(void *opaque, hwaddr addr,
2103                           uint64_t val, unsigned size)
2104 {
2105     LSIState *s = opaque;
2106     stn_le_p(s->script_ram + addr, size, val);
2107 }
2108 
2109 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2110                              unsigned size)
2111 {
2112     LSIState *s = opaque;
2113     return ldn_le_p(s->script_ram + addr, size);
2114 }
2115 
2116 static const MemoryRegionOps lsi_ram_ops = {
2117     .read = lsi_ram_read,
2118     .write = lsi_ram_write,
2119     .endianness = DEVICE_LITTLE_ENDIAN,
2120 };
2121 
2122 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2123                             unsigned size)
2124 {
2125     LSIState *s = opaque;
2126     return lsi_reg_readb(s, addr & 0xff);
2127 }
2128 
2129 static void lsi_io_write(void *opaque, hwaddr addr,
2130                          uint64_t val, unsigned size)
2131 {
2132     LSIState *s = opaque;
2133     lsi_reg_writeb(s, addr & 0xff, val);
2134 }
2135 
2136 static const MemoryRegionOps lsi_io_ops = {
2137     .read = lsi_io_read,
2138     .write = lsi_io_write,
2139     .endianness = DEVICE_LITTLE_ENDIAN,
2140     .impl = {
2141         .min_access_size = 1,
2142         .max_access_size = 1,
2143     },
2144 };
2145 
2146 static void lsi_scsi_reset(DeviceState *dev)
2147 {
2148     LSIState *s = LSI53C895A(dev);
2149 
2150     lsi_soft_reset(s);
2151 }
2152 
2153 static int lsi_pre_save(void *opaque)
2154 {
2155     LSIState *s = opaque;
2156 
2157     if (s->current) {
2158         assert(s->current->dma_buf == NULL);
2159         assert(s->current->dma_len == 0);
2160     }
2161     assert(QTAILQ_EMPTY(&s->queue));
2162 
2163     return 0;
2164 }
2165 
2166 static int lsi_post_load(void *opaque, int version_id)
2167 {
2168     LSIState *s = opaque;
2169 
2170     if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2171         return -EINVAL;
2172     }
2173 
2174     return 0;
2175 }
2176 
2177 static const VMStateDescription vmstate_lsi_scsi = {
2178     .name = "lsiscsi",
2179     .version_id = 1,
2180     .minimum_version_id = 0,
2181     .pre_save = lsi_pre_save,
2182     .post_load = lsi_post_load,
2183     .fields = (VMStateField[]) {
2184         VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2185 
2186         VMSTATE_INT32(carry, LSIState),
2187         VMSTATE_INT32(status, LSIState),
2188         VMSTATE_INT32(msg_action, LSIState),
2189         VMSTATE_INT32(msg_len, LSIState),
2190         VMSTATE_BUFFER(msg, LSIState),
2191         VMSTATE_INT32(waiting, LSIState),
2192 
2193         VMSTATE_UINT32(dsa, LSIState),
2194         VMSTATE_UINT32(temp, LSIState),
2195         VMSTATE_UINT32(dnad, LSIState),
2196         VMSTATE_UINT32(dbc, LSIState),
2197         VMSTATE_UINT8(istat0, LSIState),
2198         VMSTATE_UINT8(istat1, LSIState),
2199         VMSTATE_UINT8(dcmd, LSIState),
2200         VMSTATE_UINT8(dstat, LSIState),
2201         VMSTATE_UINT8(dien, LSIState),
2202         VMSTATE_UINT8(sist0, LSIState),
2203         VMSTATE_UINT8(sist1, LSIState),
2204         VMSTATE_UINT8(sien0, LSIState),
2205         VMSTATE_UINT8(sien1, LSIState),
2206         VMSTATE_UINT8(mbox0, LSIState),
2207         VMSTATE_UINT8(mbox1, LSIState),
2208         VMSTATE_UINT8(dfifo, LSIState),
2209         VMSTATE_UINT8(ctest2, LSIState),
2210         VMSTATE_UINT8(ctest3, LSIState),
2211         VMSTATE_UINT8(ctest4, LSIState),
2212         VMSTATE_UINT8(ctest5, LSIState),
2213         VMSTATE_UINT8(ccntl0, LSIState),
2214         VMSTATE_UINT8(ccntl1, LSIState),
2215         VMSTATE_UINT32(dsp, LSIState),
2216         VMSTATE_UINT32(dsps, LSIState),
2217         VMSTATE_UINT8(dmode, LSIState),
2218         VMSTATE_UINT8(dcntl, LSIState),
2219         VMSTATE_UINT8(scntl0, LSIState),
2220         VMSTATE_UINT8(scntl1, LSIState),
2221         VMSTATE_UINT8(scntl2, LSIState),
2222         VMSTATE_UINT8(scntl3, LSIState),
2223         VMSTATE_UINT8(sstat0, LSIState),
2224         VMSTATE_UINT8(sstat1, LSIState),
2225         VMSTATE_UINT8(scid, LSIState),
2226         VMSTATE_UINT8(sxfer, LSIState),
2227         VMSTATE_UINT8(socl, LSIState),
2228         VMSTATE_UINT8(sdid, LSIState),
2229         VMSTATE_UINT8(ssid, LSIState),
2230         VMSTATE_UINT8(sfbr, LSIState),
2231         VMSTATE_UINT8(stest1, LSIState),
2232         VMSTATE_UINT8(stest2, LSIState),
2233         VMSTATE_UINT8(stest3, LSIState),
2234         VMSTATE_UINT8(sidl, LSIState),
2235         VMSTATE_UINT8(stime0, LSIState),
2236         VMSTATE_UINT8(respid0, LSIState),
2237         VMSTATE_UINT8(respid1, LSIState),
2238         VMSTATE_UINT8_V(sbcl, LSIState, 1),
2239         VMSTATE_UINT32(mmrs, LSIState),
2240         VMSTATE_UINT32(mmws, LSIState),
2241         VMSTATE_UINT32(sfs, LSIState),
2242         VMSTATE_UINT32(drs, LSIState),
2243         VMSTATE_UINT32(sbms, LSIState),
2244         VMSTATE_UINT32(dbms, LSIState),
2245         VMSTATE_UINT32(dnad64, LSIState),
2246         VMSTATE_UINT32(pmjad1, LSIState),
2247         VMSTATE_UINT32(pmjad2, LSIState),
2248         VMSTATE_UINT32(rbc, LSIState),
2249         VMSTATE_UINT32(ua, LSIState),
2250         VMSTATE_UINT32(ia, LSIState),
2251         VMSTATE_UINT32(sbc, LSIState),
2252         VMSTATE_UINT32(csbc, LSIState),
2253         VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2254         VMSTATE_UINT8(sbr, LSIState),
2255 
2256         VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2257         VMSTATE_END_OF_LIST()
2258     }
2259 };
2260 
2261 static const struct SCSIBusInfo lsi_scsi_info = {
2262     .tcq = true,
2263     .max_target = LSI_MAX_DEVS,
2264     .max_lun = 0,  /* LUN support is buggy */
2265 
2266     .transfer_data = lsi_transfer_data,
2267     .complete = lsi_command_complete,
2268     .cancel = lsi_request_cancelled
2269 };
2270 
2271 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2272 {
2273     LSIState *s = LSI53C895A(dev);
2274     DeviceState *d = DEVICE(dev);
2275     uint8_t *pci_conf;
2276 
2277     pci_conf = dev->config;
2278 
2279     /* PCI latency timer = 255 */
2280     pci_conf[PCI_LATENCY_TIMER] = 0xff;
2281     /* Interrupt pin A */
2282     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2283 
2284     memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2285                           "lsi-mmio", 0x400);
2286     memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2287                           "lsi-ram", 0x2000);
2288     memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2289                           "lsi-io", 256);
2290 
2291     address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2292     qdev_init_gpio_out(d, &s->ext_irq, 1);
2293 
2294     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2295     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2296     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2297     QTAILQ_INIT(&s->queue);
2298 
2299     scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
2300 }
2301 
2302 static void lsi_scsi_unrealize(DeviceState *dev, Error **errp)
2303 {
2304     LSIState *s = LSI53C895A(dev);
2305 
2306     address_space_destroy(&s->pci_io_as);
2307 }
2308 
2309 static void lsi_class_init(ObjectClass *klass, void *data)
2310 {
2311     DeviceClass *dc = DEVICE_CLASS(klass);
2312     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2313 
2314     k->realize = lsi_scsi_realize;
2315     k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2316     k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2317     k->class_id = PCI_CLASS_STORAGE_SCSI;
2318     k->subsystem_id = 0x1000;
2319     dc->unrealize = lsi_scsi_unrealize;
2320     dc->reset = lsi_scsi_reset;
2321     dc->vmsd = &vmstate_lsi_scsi;
2322     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2323 }
2324 
2325 static const TypeInfo lsi_info = {
2326     .name          = TYPE_LSI53C895A,
2327     .parent        = TYPE_PCI_DEVICE,
2328     .instance_size = sizeof(LSIState),
2329     .class_init    = lsi_class_init,
2330     .interfaces = (InterfaceInfo[]) {
2331         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2332         { },
2333     },
2334 };
2335 
2336 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2337 {
2338     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2339 
2340     k->device_id = PCI_DEVICE_ID_LSI_53C810;
2341 }
2342 
2343 static TypeInfo lsi53c810_info = {
2344     .name          = TYPE_LSI53C810,
2345     .parent        = TYPE_LSI53C895A,
2346     .class_init    = lsi53c810_class_init,
2347 };
2348 
2349 static void lsi53c895a_register_types(void)
2350 {
2351     type_register_static(&lsi_info);
2352     type_register_static(&lsi53c810_info);
2353 }
2354 
2355 type_init(lsi53c895a_register_types)
2356 
2357 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2358 {
2359     LSIState *s = LSI53C895A(lsi_dev);
2360 
2361     scsi_bus_legacy_handle_cmdline(&s->bus);
2362 }
2363