1 /* 2 * QEMU LSI53C895A SCSI Host Bus Adapter emulation 3 * 4 * Copyright (c) 2006 CodeSourcery. 5 * Written by Paul Brook 6 * 7 * This code is licensed under the LGPL. 8 */ 9 10 /* Note: 11 * LSI53C810 emulation is incorrect, in the sense that it supports 12 * features added in later evolutions. This should not be a problem, 13 * as well-behaved operating systems will not try to use them. 14 */ 15 16 #include "qemu/osdep.h" 17 18 #include "hw/irq.h" 19 #include "hw/pci/pci_device.h" 20 #include "hw/scsi/scsi.h" 21 #include "migration/vmstate.h" 22 #include "sysemu/dma.h" 23 #include "qemu/log.h" 24 #include "qemu/module.h" 25 #include "trace.h" 26 #include "qom/object.h" 27 28 static const char *names[] = { 29 "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG", 30 "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2", 31 "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17", 32 "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3", 33 "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD", 34 "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3", 35 "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3", 36 "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3", 37 "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL", 38 "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3", 39 "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57", 40 "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3", 41 }; 42 43 #define LSI_MAX_DEVS 7 44 45 #define LSI_SCNTL0_TRG 0x01 46 #define LSI_SCNTL0_AAP 0x02 47 #define LSI_SCNTL0_EPC 0x08 48 #define LSI_SCNTL0_WATN 0x10 49 #define LSI_SCNTL0_START 0x20 50 51 #define LSI_SCNTL1_SST 0x01 52 #define LSI_SCNTL1_IARB 0x02 53 #define LSI_SCNTL1_AESP 0x04 54 #define LSI_SCNTL1_RST 0x08 55 #define LSI_SCNTL1_CON 0x10 56 #define LSI_SCNTL1_DHP 0x20 57 #define LSI_SCNTL1_ADB 0x40 58 #define LSI_SCNTL1_EXC 0x80 59 60 #define LSI_SCNTL2_WSR 0x01 61 #define LSI_SCNTL2_VUE0 0x02 62 #define LSI_SCNTL2_VUE1 0x04 63 #define LSI_SCNTL2_WSS 0x08 64 #define LSI_SCNTL2_SLPHBEN 0x10 65 #define LSI_SCNTL2_SLPMD 0x20 66 #define LSI_SCNTL2_CHM 0x40 67 #define LSI_SCNTL2_SDU 0x80 68 69 #define LSI_ISTAT0_DIP 0x01 70 #define LSI_ISTAT0_SIP 0x02 71 #define LSI_ISTAT0_INTF 0x04 72 #define LSI_ISTAT0_CON 0x08 73 #define LSI_ISTAT0_SEM 0x10 74 #define LSI_ISTAT0_SIGP 0x20 75 #define LSI_ISTAT0_SRST 0x40 76 #define LSI_ISTAT0_ABRT 0x80 77 78 #define LSI_ISTAT1_SI 0x01 79 #define LSI_ISTAT1_SRUN 0x02 80 #define LSI_ISTAT1_FLSH 0x04 81 82 #define LSI_SSTAT0_SDP0 0x01 83 #define LSI_SSTAT0_RST 0x02 84 #define LSI_SSTAT0_WOA 0x04 85 #define LSI_SSTAT0_LOA 0x08 86 #define LSI_SSTAT0_AIP 0x10 87 #define LSI_SSTAT0_OLF 0x20 88 #define LSI_SSTAT0_ORF 0x40 89 #define LSI_SSTAT0_ILF 0x80 90 91 #define LSI_SIST0_PAR 0x01 92 #define LSI_SIST0_RST 0x02 93 #define LSI_SIST0_UDC 0x04 94 #define LSI_SIST0_SGE 0x08 95 #define LSI_SIST0_RSL 0x10 96 #define LSI_SIST0_SEL 0x20 97 #define LSI_SIST0_CMP 0x40 98 #define LSI_SIST0_MA 0x80 99 100 #define LSI_SIST1_HTH 0x01 101 #define LSI_SIST1_GEN 0x02 102 #define LSI_SIST1_STO 0x04 103 #define LSI_SIST1_SBMC 0x10 104 105 #define LSI_SOCL_IO 0x01 106 #define LSI_SOCL_CD 0x02 107 #define LSI_SOCL_MSG 0x04 108 #define LSI_SOCL_ATN 0x08 109 #define LSI_SOCL_SEL 0x10 110 #define LSI_SOCL_BSY 0x20 111 #define LSI_SOCL_ACK 0x40 112 #define LSI_SOCL_REQ 0x80 113 114 #define LSI_DSTAT_IID 0x01 115 #define LSI_DSTAT_SIR 0x04 116 #define LSI_DSTAT_SSI 0x08 117 #define LSI_DSTAT_ABRT 0x10 118 #define LSI_DSTAT_BF 0x20 119 #define LSI_DSTAT_MDPE 0x40 120 #define LSI_DSTAT_DFE 0x80 121 122 #define LSI_DCNTL_COM 0x01 123 #define LSI_DCNTL_IRQD 0x02 124 #define LSI_DCNTL_STD 0x04 125 #define LSI_DCNTL_IRQM 0x08 126 #define LSI_DCNTL_SSM 0x10 127 #define LSI_DCNTL_PFEN 0x20 128 #define LSI_DCNTL_PFF 0x40 129 #define LSI_DCNTL_CLSE 0x80 130 131 #define LSI_DMODE_MAN 0x01 132 #define LSI_DMODE_BOF 0x02 133 #define LSI_DMODE_ERMP 0x04 134 #define LSI_DMODE_ERL 0x08 135 #define LSI_DMODE_DIOM 0x10 136 #define LSI_DMODE_SIOM 0x20 137 138 #define LSI_CTEST2_DACK 0x01 139 #define LSI_CTEST2_DREQ 0x02 140 #define LSI_CTEST2_TEOP 0x04 141 #define LSI_CTEST2_PCICIE 0x08 142 #define LSI_CTEST2_CM 0x10 143 #define LSI_CTEST2_CIO 0x20 144 #define LSI_CTEST2_SIGP 0x40 145 #define LSI_CTEST2_DDIR 0x80 146 147 #define LSI_CTEST5_BL2 0x04 148 #define LSI_CTEST5_DDIR 0x08 149 #define LSI_CTEST5_MASR 0x10 150 #define LSI_CTEST5_DFSN 0x20 151 #define LSI_CTEST5_BBCK 0x40 152 #define LSI_CTEST5_ADCK 0x80 153 154 #define LSI_CCNTL0_DILS 0x01 155 #define LSI_CCNTL0_DISFC 0x10 156 #define LSI_CCNTL0_ENNDJ 0x20 157 #define LSI_CCNTL0_PMJCTL 0x40 158 #define LSI_CCNTL0_ENPMJ 0x80 159 160 #define LSI_CCNTL1_EN64DBMV 0x01 161 #define LSI_CCNTL1_EN64TIBMV 0x02 162 #define LSI_CCNTL1_64TIMOD 0x04 163 #define LSI_CCNTL1_DDAC 0x08 164 #define LSI_CCNTL1_ZMOD 0x80 165 166 #define LSI_SBCL_ATN 0x08 167 #define LSI_SBCL_BSY 0x20 168 #define LSI_SBCL_ACK 0x40 169 #define LSI_SBCL_REQ 0x80 170 171 /* Enable Response to Reselection */ 172 #define LSI_SCID_RRE 0x60 173 174 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD) 175 176 #define PHASE_DO 0 177 #define PHASE_DI 1 178 #define PHASE_CMD 2 179 #define PHASE_ST 3 180 #define PHASE_MO 6 181 #define PHASE_MI 7 182 #define PHASE_MASK 7 183 184 /* Maximum length of MSG IN data. */ 185 #define LSI_MAX_MSGIN_LEN 8 186 187 /* Flag set if this is a tagged command. */ 188 #define LSI_TAG_VALID (1 << 16) 189 190 /* Maximum instructions to process. */ 191 #define LSI_MAX_INSN 10000 192 193 typedef struct lsi_request { 194 SCSIRequest *req; 195 uint32_t tag; 196 uint32_t dma_len; 197 uint8_t *dma_buf; 198 uint32_t pending; 199 int out; 200 QTAILQ_ENTRY(lsi_request) next; 201 } lsi_request; 202 203 enum { 204 LSI_NOWAIT, /* SCRIPTS are running or stopped */ 205 LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */ 206 LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */ 207 LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */ 208 }; 209 210 enum { 211 LSI_MSG_ACTION_COMMAND = 0, 212 LSI_MSG_ACTION_DISCONNECT = 1, 213 LSI_MSG_ACTION_DOUT = 2, 214 LSI_MSG_ACTION_DIN = 3, 215 }; 216 217 struct LSIState { 218 /*< private >*/ 219 PCIDevice parent_obj; 220 /*< public >*/ 221 222 qemu_irq ext_irq; 223 MemoryRegion mmio_io; 224 MemoryRegion ram_io; 225 MemoryRegion io_io; 226 AddressSpace pci_io_as; 227 228 int carry; /* ??? Should this be an a visible register somewhere? */ 229 int status; 230 int msg_action; 231 int msg_len; 232 uint8_t msg[LSI_MAX_MSGIN_LEN]; 233 int waiting; 234 SCSIBus bus; 235 int current_lun; 236 /* The tag is a combination of the device ID and the SCSI tag. */ 237 uint32_t select_tag; 238 int command_complete; 239 QTAILQ_HEAD(, lsi_request) queue; 240 lsi_request *current; 241 242 uint32_t dsa; 243 uint32_t temp; 244 uint32_t dnad; 245 uint32_t dbc; 246 uint8_t istat0; 247 uint8_t istat1; 248 uint8_t dcmd; 249 uint8_t dstat; 250 uint8_t dien; 251 uint8_t sist0; 252 uint8_t sist1; 253 uint8_t sien0; 254 uint8_t sien1; 255 uint8_t mbox0; 256 uint8_t mbox1; 257 uint8_t dfifo; 258 uint8_t ctest2; 259 uint8_t ctest3; 260 uint8_t ctest4; 261 uint8_t ctest5; 262 uint8_t ccntl0; 263 uint8_t ccntl1; 264 uint32_t dsp; 265 uint32_t dsps; 266 uint8_t dmode; 267 uint8_t dcntl; 268 uint8_t scntl0; 269 uint8_t scntl1; 270 uint8_t scntl2; 271 uint8_t scntl3; 272 uint8_t sstat0; 273 uint8_t sstat1; 274 uint8_t scid; 275 uint8_t sxfer; 276 uint8_t socl; 277 uint8_t sdid; 278 uint8_t ssid; 279 uint8_t sfbr; 280 uint8_t sbcl; 281 uint8_t stest1; 282 uint8_t stest2; 283 uint8_t stest3; 284 uint8_t sidl; 285 uint8_t stime0; 286 uint8_t respid0; 287 uint8_t respid1; 288 uint32_t mmrs; 289 uint32_t mmws; 290 uint32_t sfs; 291 uint32_t drs; 292 uint32_t sbms; 293 uint32_t dbms; 294 uint32_t dnad64; 295 uint32_t pmjad1; 296 uint32_t pmjad2; 297 uint32_t rbc; 298 uint32_t ua; 299 uint32_t ia; 300 uint32_t sbc; 301 uint32_t csbc; 302 uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */ 303 uint8_t sbr; 304 uint32_t adder; 305 306 uint8_t script_ram[2048 * sizeof(uint32_t)]; 307 }; 308 309 #define TYPE_LSI53C810 "lsi53c810" 310 #define TYPE_LSI53C895A "lsi53c895a" 311 312 OBJECT_DECLARE_SIMPLE_TYPE(LSIState, LSI53C895A) 313 314 static const char *scsi_phases[] = { 315 "DOUT", 316 "DIN", 317 "CMD", 318 "STATUS", 319 "RSVOUT", 320 "RSVIN", 321 "MSGOUT", 322 "MSGIN" 323 }; 324 325 static const char *scsi_phase_name(int phase) 326 { 327 return scsi_phases[phase & PHASE_MASK]; 328 } 329 330 static inline int lsi_irq_on_rsl(LSIState *s) 331 { 332 return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE); 333 } 334 335 static lsi_request *get_pending_req(LSIState *s) 336 { 337 lsi_request *p; 338 339 QTAILQ_FOREACH(p, &s->queue, next) { 340 if (p->pending) { 341 return p; 342 } 343 } 344 return NULL; 345 } 346 347 static void lsi_soft_reset(LSIState *s) 348 { 349 trace_lsi_reset(); 350 s->carry = 0; 351 352 s->msg_action = LSI_MSG_ACTION_COMMAND; 353 s->msg_len = 0; 354 s->waiting = LSI_NOWAIT; 355 s->dsa = 0; 356 s->dnad = 0; 357 s->dbc = 0; 358 s->temp = 0; 359 memset(s->scratch, 0, sizeof(s->scratch)); 360 s->istat0 = 0; 361 s->istat1 = 0; 362 s->dcmd = 0x40; 363 s->dstat = 0; 364 s->dien = 0; 365 s->sist0 = 0; 366 s->sist1 = 0; 367 s->sien0 = 0; 368 s->sien1 = 0; 369 s->mbox0 = 0; 370 s->mbox1 = 0; 371 s->dfifo = 0; 372 s->ctest2 = LSI_CTEST2_DACK; 373 s->ctest3 = 0; 374 s->ctest4 = 0; 375 s->ctest5 = 0; 376 s->ccntl0 = 0; 377 s->ccntl1 = 0; 378 s->dsp = 0; 379 s->dsps = 0; 380 s->dmode = 0; 381 s->dcntl = 0; 382 s->scntl0 = 0xc0; 383 s->scntl1 = 0; 384 s->scntl2 = 0; 385 s->scntl3 = 0; 386 s->sstat0 = 0; 387 s->sstat1 = 0; 388 s->scid = 7; 389 s->sxfer = 0; 390 s->socl = 0; 391 s->sdid = 0; 392 s->ssid = 0; 393 s->sbcl = 0; 394 s->stest1 = 0; 395 s->stest2 = 0; 396 s->stest3 = 0; 397 s->sidl = 0; 398 s->stime0 = 0; 399 s->respid0 = 0x80; 400 s->respid1 = 0; 401 s->mmrs = 0; 402 s->mmws = 0; 403 s->sfs = 0; 404 s->drs = 0; 405 s->sbms = 0; 406 s->dbms = 0; 407 s->dnad64 = 0; 408 s->pmjad1 = 0; 409 s->pmjad2 = 0; 410 s->rbc = 0; 411 s->ua = 0; 412 s->ia = 0; 413 s->sbc = 0; 414 s->csbc = 0; 415 s->sbr = 0; 416 assert(QTAILQ_EMPTY(&s->queue)); 417 assert(!s->current); 418 } 419 420 static int lsi_dma_40bit(LSIState *s) 421 { 422 if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT) 423 return 1; 424 return 0; 425 } 426 427 static int lsi_dma_ti64bit(LSIState *s) 428 { 429 if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV) 430 return 1; 431 return 0; 432 } 433 434 static int lsi_dma_64bit(LSIState *s) 435 { 436 if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV) 437 return 1; 438 return 0; 439 } 440 441 static uint8_t lsi_reg_readb(LSIState *s, int offset); 442 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val); 443 static void lsi_execute_script(LSIState *s); 444 static void lsi_reselect(LSIState *s, lsi_request *p); 445 446 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr, 447 void *buf, dma_addr_t len) 448 { 449 if (s->dmode & LSI_DMODE_SIOM) { 450 address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED, 451 buf, len); 452 } else { 453 pci_dma_read(PCI_DEVICE(s), addr, buf, len); 454 } 455 } 456 457 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr, 458 const void *buf, dma_addr_t len) 459 { 460 if (s->dmode & LSI_DMODE_DIOM) { 461 address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED, 462 buf, len); 463 } else { 464 pci_dma_write(PCI_DEVICE(s), addr, buf, len); 465 } 466 } 467 468 static inline uint32_t read_dword(LSIState *s, uint32_t addr) 469 { 470 uint32_t buf; 471 472 pci_dma_read(PCI_DEVICE(s), addr, &buf, 4); 473 return cpu_to_le32(buf); 474 } 475 476 static void lsi_stop_script(LSIState *s) 477 { 478 s->istat1 &= ~LSI_ISTAT1_SRUN; 479 } 480 481 static void lsi_set_irq(LSIState *s, int level) 482 { 483 PCIDevice *d = PCI_DEVICE(s); 484 485 if (s->ext_irq) { 486 qemu_set_irq(s->ext_irq, level); 487 } else { 488 pci_set_irq(d, level); 489 } 490 } 491 492 static void lsi_update_irq(LSIState *s) 493 { 494 int level; 495 static int last_level; 496 497 /* It's unclear whether the DIP/SIP bits should be cleared when the 498 Interrupt Status Registers are cleared or when istat0 is read. 499 We currently do the formwer, which seems to work. */ 500 level = 0; 501 if (s->dstat) { 502 if (s->dstat & s->dien) 503 level = 1; 504 s->istat0 |= LSI_ISTAT0_DIP; 505 } else { 506 s->istat0 &= ~LSI_ISTAT0_DIP; 507 } 508 509 if (s->sist0 || s->sist1) { 510 if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1)) 511 level = 1; 512 s->istat0 |= LSI_ISTAT0_SIP; 513 } else { 514 s->istat0 &= ~LSI_ISTAT0_SIP; 515 } 516 if (s->istat0 & LSI_ISTAT0_INTF) 517 level = 1; 518 519 if (level != last_level) { 520 trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0); 521 last_level = level; 522 } 523 lsi_set_irq(s, level); 524 525 if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) { 526 lsi_request *p; 527 528 trace_lsi_update_irq_disconnected(); 529 p = get_pending_req(s); 530 if (p) { 531 lsi_reselect(s, p); 532 } 533 } 534 } 535 536 /* Stop SCRIPTS execution and raise a SCSI interrupt. */ 537 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1) 538 { 539 uint32_t mask0; 540 uint32_t mask1; 541 542 trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0); 543 s->sist0 |= stat0; 544 s->sist1 |= stat1; 545 /* Stop processor on fatal or unmasked interrupt. As a special hack 546 we don't stop processing when raising STO. Instead continue 547 execution and stop at the next insn that accesses the SCSI bus. */ 548 mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL); 549 mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH); 550 mask1 &= ~LSI_SIST1_STO; 551 if (s->sist0 & mask0 || s->sist1 & mask1) { 552 lsi_stop_script(s); 553 } 554 lsi_update_irq(s); 555 } 556 557 /* Stop SCRIPTS execution and raise a DMA interrupt. */ 558 static void lsi_script_dma_interrupt(LSIState *s, int stat) 559 { 560 trace_lsi_script_dma_interrupt(stat, s->dstat); 561 s->dstat |= stat; 562 lsi_update_irq(s); 563 lsi_stop_script(s); 564 } 565 566 static inline void lsi_set_phase(LSIState *s, int phase) 567 { 568 s->sbcl &= ~PHASE_MASK; 569 s->sbcl |= phase | LSI_SBCL_REQ; 570 s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase; 571 } 572 573 static void lsi_bad_phase(LSIState *s, int out, int new_phase) 574 { 575 /* Trigger a phase mismatch. */ 576 if (s->ccntl0 & LSI_CCNTL0_ENPMJ) { 577 if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) { 578 s->dsp = out ? s->pmjad1 : s->pmjad2; 579 } else { 580 s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1); 581 } 582 trace_lsi_bad_phase_jump(s->dsp); 583 } else { 584 trace_lsi_bad_phase_interrupt(); 585 lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0); 586 lsi_stop_script(s); 587 } 588 lsi_set_phase(s, new_phase); 589 } 590 591 592 /* Resume SCRIPTS execution after a DMA operation. */ 593 static void lsi_resume_script(LSIState *s) 594 { 595 if (s->waiting != 2) { 596 s->waiting = LSI_NOWAIT; 597 lsi_execute_script(s); 598 } else { 599 s->waiting = LSI_NOWAIT; 600 } 601 } 602 603 static void lsi_disconnect(LSIState *s) 604 { 605 s->scntl1 &= ~LSI_SCNTL1_CON; 606 s->sstat1 &= ~PHASE_MASK; 607 s->sbcl = 0; 608 } 609 610 static void lsi_bad_selection(LSIState *s, uint32_t id) 611 { 612 trace_lsi_bad_selection(id); 613 lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO); 614 lsi_disconnect(s); 615 } 616 617 /* Initiate a SCSI layer data transfer. */ 618 static void lsi_do_dma(LSIState *s, int out) 619 { 620 uint32_t count; 621 dma_addr_t addr; 622 SCSIDevice *dev; 623 624 if (!s->current || !s->current->dma_len) { 625 /* Wait until data is available. */ 626 trace_lsi_do_dma_unavailable(); 627 return; 628 } 629 630 dev = s->current->req->dev; 631 assert(dev); 632 633 count = s->dbc; 634 if (count > s->current->dma_len) 635 count = s->current->dma_len; 636 637 addr = s->dnad; 638 /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */ 639 if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s)) 640 addr |= ((uint64_t)s->dnad64 << 32); 641 else if (s->dbms) 642 addr |= ((uint64_t)s->dbms << 32); 643 else if (s->sbms) 644 addr |= ((uint64_t)s->sbms << 32); 645 646 trace_lsi_do_dma(addr, count); 647 s->csbc += count; 648 s->dnad += count; 649 s->dbc -= count; 650 if (s->current->dma_buf == NULL) { 651 s->current->dma_buf = scsi_req_get_buf(s->current->req); 652 } 653 /* ??? Set SFBR to first data byte. */ 654 if (out) { 655 lsi_mem_read(s, addr, s->current->dma_buf, count); 656 } else { 657 lsi_mem_write(s, addr, s->current->dma_buf, count); 658 } 659 s->current->dma_len -= count; 660 if (s->current->dma_len == 0) { 661 s->current->dma_buf = NULL; 662 scsi_req_continue(s->current->req); 663 } else { 664 s->current->dma_buf += count; 665 lsi_resume_script(s); 666 } 667 } 668 669 670 /* Add a command to the queue. */ 671 static void lsi_queue_command(LSIState *s) 672 { 673 lsi_request *p = s->current; 674 675 trace_lsi_queue_command(p->tag); 676 assert(s->current != NULL); 677 assert(s->current->dma_len == 0); 678 QTAILQ_INSERT_TAIL(&s->queue, s->current, next); 679 s->current = NULL; 680 681 p->pending = 0; 682 p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO; 683 } 684 685 /* Queue a byte for a MSG IN phase. */ 686 static void lsi_add_msg_byte(LSIState *s, uint8_t data) 687 { 688 if (s->msg_len >= LSI_MAX_MSGIN_LEN) { 689 trace_lsi_add_msg_byte_error(); 690 } else { 691 trace_lsi_add_msg_byte(data); 692 s->msg[s->msg_len++] = data; 693 } 694 } 695 696 /* Perform reselection to continue a command. */ 697 static void lsi_reselect(LSIState *s, lsi_request *p) 698 { 699 int id; 700 701 assert(s->current == NULL); 702 QTAILQ_REMOVE(&s->queue, p, next); 703 s->current = p; 704 705 id = (p->tag >> 8) & 0xf; 706 s->ssid = id | 0x80; 707 /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */ 708 if (!(s->dcntl & LSI_DCNTL_COM)) { 709 s->sfbr = 1 << (id & 0x7); 710 } 711 trace_lsi_reselect(id); 712 s->scntl1 |= LSI_SCNTL1_CON; 713 lsi_set_phase(s, PHASE_MI); 714 s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN; 715 s->current->dma_len = p->pending; 716 lsi_add_msg_byte(s, 0x80); 717 if (s->current->tag & LSI_TAG_VALID) { 718 lsi_add_msg_byte(s, 0x20); 719 lsi_add_msg_byte(s, p->tag & 0xff); 720 } 721 722 if (lsi_irq_on_rsl(s)) { 723 lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0); 724 } 725 } 726 727 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag) 728 { 729 lsi_request *p; 730 731 QTAILQ_FOREACH(p, &s->queue, next) { 732 if (p->tag == tag) { 733 return p; 734 } 735 } 736 737 return NULL; 738 } 739 740 static void lsi_request_free(LSIState *s, lsi_request *p) 741 { 742 if (p == s->current) { 743 s->current = NULL; 744 } else { 745 QTAILQ_REMOVE(&s->queue, p, next); 746 } 747 g_free(p); 748 } 749 750 static void lsi_request_cancelled(SCSIRequest *req) 751 { 752 LSIState *s = LSI53C895A(req->bus->qbus.parent); 753 lsi_request *p = req->hba_private; 754 755 req->hba_private = NULL; 756 lsi_request_free(s, p); 757 scsi_req_unref(req); 758 } 759 760 /* Record that data is available for a queued command. Returns zero if 761 the device was reselected, nonzero if the IO is deferred. */ 762 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len) 763 { 764 lsi_request *p = req->hba_private; 765 766 if (p->pending) { 767 trace_lsi_queue_req_error(p); 768 } 769 p->pending = len; 770 /* Reselect if waiting for it, or if reselection triggers an IRQ 771 and the bus is free. 772 Since no interrupt stacking is implemented in the emulation, it 773 is also required that there are no pending interrupts waiting 774 for service from the device driver. */ 775 if (s->waiting == LSI_WAIT_RESELECT || 776 (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) && 777 !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) { 778 /* Reselect device. */ 779 lsi_reselect(s, p); 780 return 0; 781 } else { 782 trace_lsi_queue_req(p->tag); 783 p->pending = len; 784 return 1; 785 } 786 } 787 788 /* Callback to indicate that the SCSI layer has completed a command. */ 789 static void lsi_command_complete(SCSIRequest *req, size_t resid) 790 { 791 LSIState *s = LSI53C895A(req->bus->qbus.parent); 792 int out; 793 794 out = (s->sstat1 & PHASE_MASK) == PHASE_DO; 795 trace_lsi_command_complete(req->status); 796 s->status = req->status; 797 s->command_complete = 2; 798 if (s->waiting && s->dbc != 0) { 799 /* Raise phase mismatch for short transfers. */ 800 lsi_bad_phase(s, out, PHASE_ST); 801 } else { 802 lsi_set_phase(s, PHASE_ST); 803 } 804 805 if (req->hba_private == s->current) { 806 req->hba_private = NULL; 807 lsi_request_free(s, s->current); 808 scsi_req_unref(req); 809 } 810 lsi_resume_script(s); 811 } 812 813 /* Callback to indicate that the SCSI layer has completed a transfer. */ 814 static void lsi_transfer_data(SCSIRequest *req, uint32_t len) 815 { 816 LSIState *s = LSI53C895A(req->bus->qbus.parent); 817 int out; 818 819 assert(req->hba_private); 820 if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current || 821 (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) { 822 if (lsi_queue_req(s, req, len)) { 823 return; 824 } 825 } 826 827 out = (s->sstat1 & PHASE_MASK) == PHASE_DO; 828 829 /* host adapter (re)connected */ 830 trace_lsi_transfer_data(req->tag, len); 831 s->current->dma_len = len; 832 s->command_complete = 1; 833 if (s->waiting) { 834 if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) { 835 lsi_resume_script(s); 836 } else { 837 lsi_do_dma(s, out); 838 } 839 } 840 } 841 842 static void lsi_do_command(LSIState *s) 843 { 844 SCSIDevice *dev; 845 uint8_t buf[16]; 846 uint32_t id; 847 int n; 848 849 trace_lsi_do_command(s->dbc); 850 if (s->dbc > 16) 851 s->dbc = 16; 852 pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc); 853 s->sfbr = buf[0]; 854 s->command_complete = 0; 855 856 id = (s->select_tag >> 8) & 0xf; 857 dev = scsi_device_find(&s->bus, 0, id, s->current_lun); 858 if (!dev) { 859 lsi_bad_selection(s, id); 860 return; 861 } 862 863 assert(s->current == NULL); 864 s->current = g_new0(lsi_request, 1); 865 s->current->tag = s->select_tag; 866 s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf, 867 s->dbc, s->current); 868 869 n = scsi_req_enqueue(s->current->req); 870 if (n) { 871 if (n > 0) { 872 lsi_set_phase(s, PHASE_DI); 873 } else if (n < 0) { 874 lsi_set_phase(s, PHASE_DO); 875 } 876 scsi_req_continue(s->current->req); 877 } 878 if (!s->command_complete) { 879 if (n) { 880 /* Command did not complete immediately so disconnect. */ 881 lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */ 882 lsi_add_msg_byte(s, 4); /* DISCONNECT */ 883 /* wait data */ 884 lsi_set_phase(s, PHASE_MI); 885 s->msg_action = LSI_MSG_ACTION_DISCONNECT; 886 lsi_queue_command(s); 887 } else { 888 /* wait command complete */ 889 lsi_set_phase(s, PHASE_DI); 890 } 891 } 892 } 893 894 static void lsi_do_status(LSIState *s) 895 { 896 uint8_t status; 897 trace_lsi_do_status(s->dbc, s->status); 898 if (s->dbc != 1) { 899 trace_lsi_do_status_error(); 900 } 901 s->dbc = 1; 902 status = s->status; 903 s->sfbr = status; 904 pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1); 905 lsi_set_phase(s, PHASE_MI); 906 s->msg_action = LSI_MSG_ACTION_DISCONNECT; 907 lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */ 908 } 909 910 static void lsi_do_msgin(LSIState *s) 911 { 912 uint8_t len; 913 trace_lsi_do_msgin(s->dbc, s->msg_len); 914 s->sfbr = s->msg[0]; 915 len = s->msg_len; 916 assert(len > 0 && len <= LSI_MAX_MSGIN_LEN); 917 if (len > s->dbc) 918 len = s->dbc; 919 pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len); 920 /* Linux drivers rely on the last byte being in the SIDL. */ 921 s->sidl = s->msg[len - 1]; 922 s->msg_len -= len; 923 if (s->msg_len) { 924 memmove(s->msg, s->msg + len, s->msg_len); 925 } else { 926 /* ??? Check if ATN (not yet implemented) is asserted and maybe 927 switch to PHASE_MO. */ 928 switch (s->msg_action) { 929 case LSI_MSG_ACTION_COMMAND: 930 lsi_set_phase(s, PHASE_CMD); 931 break; 932 case LSI_MSG_ACTION_DISCONNECT: 933 lsi_disconnect(s); 934 break; 935 case LSI_MSG_ACTION_DOUT: 936 lsi_set_phase(s, PHASE_DO); 937 break; 938 case LSI_MSG_ACTION_DIN: 939 lsi_set_phase(s, PHASE_DI); 940 break; 941 default: 942 abort(); 943 } 944 } 945 } 946 947 /* Read the next byte during a MSGOUT phase. */ 948 static uint8_t lsi_get_msgbyte(LSIState *s) 949 { 950 uint8_t data; 951 pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1); 952 s->dnad++; 953 s->dbc--; 954 return data; 955 } 956 957 /* Skip the next n bytes during a MSGOUT phase. */ 958 static void lsi_skip_msgbytes(LSIState *s, unsigned int n) 959 { 960 s->dnad += n; 961 s->dbc -= n; 962 } 963 964 static void lsi_do_msgout(LSIState *s) 965 { 966 uint8_t msg; 967 int len; 968 uint32_t current_tag; 969 lsi_request *current_req, *p, *p_next; 970 971 if (s->current) { 972 current_tag = s->current->tag; 973 current_req = s->current; 974 } else { 975 current_tag = s->select_tag; 976 current_req = lsi_find_by_tag(s, current_tag); 977 } 978 979 trace_lsi_do_msgout(s->dbc); 980 while (s->dbc) { 981 msg = lsi_get_msgbyte(s); 982 s->sfbr = msg; 983 984 switch (msg) { 985 case 0x04: 986 trace_lsi_do_msgout_disconnect(); 987 lsi_disconnect(s); 988 break; 989 case 0x08: 990 trace_lsi_do_msgout_noop(); 991 lsi_set_phase(s, PHASE_CMD); 992 break; 993 case 0x01: 994 len = lsi_get_msgbyte(s); 995 msg = lsi_get_msgbyte(s); 996 (void)len; /* avoid a warning about unused variable*/ 997 trace_lsi_do_msgout_extended(msg, len); 998 switch (msg) { 999 case 1: 1000 trace_lsi_do_msgout_ignored("SDTR"); 1001 lsi_skip_msgbytes(s, 2); 1002 break; 1003 case 3: 1004 trace_lsi_do_msgout_ignored("WDTR"); 1005 lsi_skip_msgbytes(s, 1); 1006 break; 1007 case 4: 1008 trace_lsi_do_msgout_ignored("PPR"); 1009 lsi_skip_msgbytes(s, 5); 1010 break; 1011 default: 1012 goto bad; 1013 } 1014 break; 1015 case 0x20: /* SIMPLE queue */ 1016 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; 1017 trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff); 1018 break; 1019 case 0x21: /* HEAD of queue */ 1020 qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n"); 1021 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; 1022 break; 1023 case 0x22: /* ORDERED queue */ 1024 qemu_log_mask(LOG_UNIMP, 1025 "lsi_scsi: ORDERED queue not implemented\n"); 1026 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; 1027 break; 1028 case 0x0d: 1029 /* The ABORT TAG message clears the current I/O process only. */ 1030 trace_lsi_do_msgout_abort(current_tag); 1031 if (current_req && current_req->req) { 1032 scsi_req_cancel(current_req->req); 1033 current_req = NULL; 1034 } 1035 lsi_disconnect(s); 1036 break; 1037 case 0x06: 1038 case 0x0e: 1039 case 0x0c: 1040 /* The ABORT message clears all I/O processes for the selecting 1041 initiator on the specified logical unit of the target. */ 1042 if (msg == 0x06) { 1043 trace_lsi_do_msgout_abort(current_tag); 1044 } 1045 /* The CLEAR QUEUE message clears all I/O processes for all 1046 initiators on the specified logical unit of the target. */ 1047 if (msg == 0x0e) { 1048 trace_lsi_do_msgout_clearqueue(current_tag); 1049 } 1050 /* The BUS DEVICE RESET message clears all I/O processes for all 1051 initiators on all logical units of the target. */ 1052 if (msg == 0x0c) { 1053 trace_lsi_do_msgout_busdevicereset(current_tag); 1054 } 1055 1056 /* clear the current I/O process */ 1057 if (s->current) { 1058 scsi_req_cancel(s->current->req); 1059 current_req = NULL; 1060 } 1061 1062 /* As the current implemented devices scsi_disk and scsi_generic 1063 only support one LUN, we don't need to keep track of LUNs. 1064 Clearing I/O processes for other initiators could be possible 1065 for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX 1066 device, but this is currently not implemented (and seems not 1067 to be really necessary). So let's simply clear all queued 1068 commands for the current device: */ 1069 QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) { 1070 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) { 1071 scsi_req_cancel(p->req); 1072 } 1073 } 1074 1075 lsi_disconnect(s); 1076 break; 1077 default: 1078 if ((msg & 0x80) == 0) { 1079 goto bad; 1080 } 1081 s->current_lun = msg & 7; 1082 trace_lsi_do_msgout_select(s->current_lun); 1083 lsi_set_phase(s, PHASE_CMD); 1084 break; 1085 } 1086 } 1087 return; 1088 bad: 1089 qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg); 1090 lsi_set_phase(s, PHASE_MI); 1091 lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */ 1092 s->msg_action = LSI_MSG_ACTION_COMMAND; 1093 } 1094 1095 #define LSI_BUF_SIZE 4096 1096 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count) 1097 { 1098 int n; 1099 uint8_t buf[LSI_BUF_SIZE]; 1100 1101 trace_lsi_memcpy(dest, src, count); 1102 while (count) { 1103 n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count; 1104 lsi_mem_read(s, src, buf, n); 1105 lsi_mem_write(s, dest, buf, n); 1106 src += n; 1107 dest += n; 1108 count -= n; 1109 } 1110 } 1111 1112 static void lsi_wait_reselect(LSIState *s) 1113 { 1114 lsi_request *p; 1115 1116 trace_lsi_wait_reselect(); 1117 1118 if (s->current) { 1119 return; 1120 } 1121 p = get_pending_req(s); 1122 if (p) { 1123 lsi_reselect(s, p); 1124 } 1125 if (s->current == NULL) { 1126 s->waiting = LSI_WAIT_RESELECT; 1127 } 1128 } 1129 1130 static void lsi_execute_script(LSIState *s) 1131 { 1132 PCIDevice *pci_dev = PCI_DEVICE(s); 1133 uint32_t insn; 1134 uint32_t addr, addr_high; 1135 int opcode; 1136 int insn_processed = 0; 1137 static int reentrancy_level; 1138 1139 reentrancy_level++; 1140 1141 s->istat1 |= LSI_ISTAT1_SRUN; 1142 again: 1143 /* 1144 * Some windows drivers make the device spin waiting for a memory location 1145 * to change. If we have executed more than LSI_MAX_INSN instructions then 1146 * assume this is the case and force an unexpected device disconnect. This 1147 * is apparently sufficient to beat the drivers into submission. 1148 * 1149 * Another issue (CVE-2023-0330) can occur if the script is programmed to 1150 * trigger itself again and again. Avoid this problem by stopping after 1151 * being called multiple times in a reentrant way (8 is an arbitrary value 1152 * which should be enough for all valid use cases). 1153 */ 1154 if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { 1155 if (!(s->sien0 & LSI_SIST0_UDC)) { 1156 qemu_log_mask(LOG_GUEST_ERROR, 1157 "lsi_scsi: inf. loop with UDC masked"); 1158 } 1159 lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0); 1160 lsi_disconnect(s); 1161 trace_lsi_execute_script_stop(); 1162 reentrancy_level--; 1163 return; 1164 } 1165 insn = read_dword(s, s->dsp); 1166 if (!insn) { 1167 /* If we receive an empty opcode increment the DSP by 4 bytes 1168 instead of 8 and execute the next opcode at that location */ 1169 s->dsp += 4; 1170 goto again; 1171 } 1172 addr = read_dword(s, s->dsp + 4); 1173 addr_high = 0; 1174 trace_lsi_execute_script(s->dsp, insn, addr); 1175 s->dsps = addr; 1176 s->dcmd = insn >> 24; 1177 s->dsp += 8; 1178 switch (insn >> 30) { 1179 case 0: /* Block move. */ 1180 if (s->sist1 & LSI_SIST1_STO) { 1181 trace_lsi_execute_script_blockmove_delayed(); 1182 lsi_stop_script(s); 1183 break; 1184 } 1185 s->dbc = insn & 0xffffff; 1186 s->rbc = s->dbc; 1187 /* ??? Set ESA. */ 1188 s->ia = s->dsp - 8; 1189 if (insn & (1 << 29)) { 1190 /* Indirect addressing. */ 1191 addr = read_dword(s, addr); 1192 } else if (insn & (1 << 28)) { 1193 uint32_t buf[2]; 1194 int32_t offset; 1195 /* Table indirect addressing. */ 1196 1197 /* 32-bit Table indirect */ 1198 offset = sextract32(addr, 0, 24); 1199 pci_dma_read(pci_dev, s->dsa + offset, buf, 8); 1200 /* byte count is stored in bits 0:23 only */ 1201 s->dbc = cpu_to_le32(buf[0]) & 0xffffff; 1202 s->rbc = s->dbc; 1203 addr = cpu_to_le32(buf[1]); 1204 1205 /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of 1206 * table, bits [31:24] */ 1207 if (lsi_dma_40bit(s)) 1208 addr_high = cpu_to_le32(buf[0]) >> 24; 1209 else if (lsi_dma_ti64bit(s)) { 1210 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f; 1211 switch (selector) { 1212 case 0 ... 0x0f: 1213 /* offset index into scratch registers since 1214 * TI64 mode can use registers C to R */ 1215 addr_high = s->scratch[2 + selector]; 1216 break; 1217 case 0x10: 1218 addr_high = s->mmrs; 1219 break; 1220 case 0x11: 1221 addr_high = s->mmws; 1222 break; 1223 case 0x12: 1224 addr_high = s->sfs; 1225 break; 1226 case 0x13: 1227 addr_high = s->drs; 1228 break; 1229 case 0x14: 1230 addr_high = s->sbms; 1231 break; 1232 case 0x15: 1233 addr_high = s->dbms; 1234 break; 1235 default: 1236 qemu_log_mask(LOG_GUEST_ERROR, 1237 "lsi_scsi: Illegal selector specified (0x%x > 0x15) " 1238 "for 64-bit DMA block move", selector); 1239 break; 1240 } 1241 } 1242 } else if (lsi_dma_64bit(s)) { 1243 /* fetch a 3rd dword if 64-bit direct move is enabled and 1244 only if we're not doing table indirect or indirect addressing */ 1245 s->dbms = read_dword(s, s->dsp); 1246 s->dsp += 4; 1247 s->ia = s->dsp - 12; 1248 } 1249 if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) { 1250 trace_lsi_execute_script_blockmove_badphase( 1251 scsi_phase_name(s->sstat1), 1252 scsi_phase_name(insn >> 24)); 1253 lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0); 1254 break; 1255 } 1256 s->dnad = addr; 1257 s->dnad64 = addr_high; 1258 switch (s->sstat1 & 0x7) { 1259 case PHASE_DO: 1260 s->waiting = LSI_DMA_SCRIPTS; 1261 lsi_do_dma(s, 1); 1262 if (s->waiting) 1263 s->waiting = LSI_DMA_IN_PROGRESS; 1264 break; 1265 case PHASE_DI: 1266 s->waiting = LSI_DMA_SCRIPTS; 1267 lsi_do_dma(s, 0); 1268 if (s->waiting) 1269 s->waiting = LSI_DMA_IN_PROGRESS; 1270 break; 1271 case PHASE_CMD: 1272 lsi_do_command(s); 1273 break; 1274 case PHASE_ST: 1275 lsi_do_status(s); 1276 break; 1277 case PHASE_MO: 1278 lsi_do_msgout(s); 1279 break; 1280 case PHASE_MI: 1281 lsi_do_msgin(s); 1282 break; 1283 default: 1284 qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n", 1285 scsi_phase_name(s->sstat1)); 1286 } 1287 s->dfifo = s->dbc & 0xff; 1288 s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3); 1289 s->sbc = s->dbc; 1290 s->rbc -= s->dbc; 1291 s->ua = addr + s->dbc; 1292 break; 1293 1294 case 1: /* IO or Read/Write instruction. */ 1295 opcode = (insn >> 27) & 7; 1296 if (opcode < 5) { 1297 uint32_t id; 1298 1299 if (insn & (1 << 25)) { 1300 id = read_dword(s, s->dsa + sextract32(insn, 0, 24)); 1301 } else { 1302 id = insn; 1303 } 1304 id = (id >> 16) & 0xf; 1305 if (insn & (1 << 26)) { 1306 addr = s->dsp + sextract32(addr, 0, 24); 1307 } 1308 s->dnad = addr; 1309 switch (opcode) { 1310 case 0: /* Select */ 1311 s->sdid = id; 1312 if (s->scntl1 & LSI_SCNTL1_CON) { 1313 trace_lsi_execute_script_io_alreadyreselected(); 1314 s->dsp = s->dnad; 1315 break; 1316 } 1317 s->sstat0 |= LSI_SSTAT0_WOA; 1318 s->scntl1 &= ~LSI_SCNTL1_IARB; 1319 if (!scsi_device_find(&s->bus, 0, id, 0)) { 1320 lsi_bad_selection(s, id); 1321 break; 1322 } 1323 trace_lsi_execute_script_io_selected(id, 1324 insn & (1 << 3) ? " ATN" : ""); 1325 /* ??? Linux drivers complain when this is set. Maybe 1326 it only applies in low-level mode (unimplemented). 1327 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */ 1328 s->select_tag = id << 8; 1329 s->scntl1 |= LSI_SCNTL1_CON; 1330 if (insn & (1 << 3)) { 1331 s->socl |= LSI_SOCL_ATN; 1332 s->sbcl |= LSI_SBCL_ATN; 1333 } 1334 s->sbcl |= LSI_SBCL_BSY; 1335 lsi_set_phase(s, PHASE_MO); 1336 s->waiting = LSI_NOWAIT; 1337 break; 1338 case 1: /* Disconnect */ 1339 trace_lsi_execute_script_io_disconnect(); 1340 s->scntl1 &= ~LSI_SCNTL1_CON; 1341 /* FIXME: this is not entirely correct; the target need not ask 1342 * for reselection until it has to send data, while here we force a 1343 * reselection as soon as the bus is free. The correct flow would 1344 * reselect before lsi_transfer_data and disconnect as soon as 1345 * DMA ends. 1346 */ 1347 if (!s->current) { 1348 lsi_request *p = get_pending_req(s); 1349 if (p) { 1350 lsi_reselect(s, p); 1351 } 1352 } 1353 break; 1354 case 2: /* Wait Reselect */ 1355 if (s->istat0 & LSI_ISTAT0_SIGP) { 1356 s->dsp = s->dnad; 1357 } else if (!lsi_irq_on_rsl(s)) { 1358 lsi_wait_reselect(s); 1359 } 1360 break; 1361 case 3: /* Set */ 1362 trace_lsi_execute_script_io_set( 1363 insn & (1 << 3) ? " ATN" : "", 1364 insn & (1 << 6) ? " ACK" : "", 1365 insn & (1 << 9) ? " TM" : "", 1366 insn & (1 << 10) ? " CC" : ""); 1367 if (insn & (1 << 3)) { 1368 s->socl |= LSI_SOCL_ATN; 1369 s->sbcl |= LSI_SBCL_ATN; 1370 lsi_set_phase(s, PHASE_MO); 1371 } 1372 1373 if (insn & (1 << 6)) { 1374 s->sbcl |= LSI_SBCL_ACK; 1375 } 1376 1377 if (insn & (1 << 9)) { 1378 qemu_log_mask(LOG_UNIMP, 1379 "lsi_scsi: Target mode not implemented\n"); 1380 } 1381 if (insn & (1 << 10)) 1382 s->carry = 1; 1383 break; 1384 case 4: /* Clear */ 1385 trace_lsi_execute_script_io_clear( 1386 insn & (1 << 3) ? " ATN" : "", 1387 insn & (1 << 6) ? " ACK" : "", 1388 insn & (1 << 9) ? " TM" : "", 1389 insn & (1 << 10) ? " CC" : ""); 1390 if (insn & (1 << 3)) { 1391 s->socl &= ~LSI_SOCL_ATN; 1392 s->sbcl &= ~LSI_SBCL_ATN; 1393 } 1394 1395 if (insn & (1 << 6)) { 1396 s->sbcl &= ~LSI_SBCL_ACK; 1397 } 1398 1399 if (insn & (1 << 10)) 1400 s->carry = 0; 1401 break; 1402 } 1403 } else { 1404 uint8_t op0; 1405 uint8_t op1; 1406 uint8_t data8; 1407 int reg; 1408 int operator; 1409 1410 static const char *opcode_names[3] = 1411 {"Write", "Read", "Read-Modify-Write"}; 1412 static const char *operator_names[8] = 1413 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"}; 1414 1415 reg = ((insn >> 16) & 0x7f) | (insn & 0x80); 1416 data8 = (insn >> 8) & 0xff; 1417 opcode = (insn >> 27) & 7; 1418 operator = (insn >> 24) & 7; 1419 trace_lsi_execute_script_io_opcode( 1420 opcode_names[opcode - 5], reg, 1421 operator_names[operator], data8, s->sfbr, 1422 (insn & (1 << 23)) ? " SFBR" : ""); 1423 op0 = op1 = 0; 1424 switch (opcode) { 1425 case 5: /* From SFBR */ 1426 op0 = s->sfbr; 1427 op1 = data8; 1428 break; 1429 case 6: /* To SFBR */ 1430 if (operator) 1431 op0 = lsi_reg_readb(s, reg); 1432 op1 = data8; 1433 break; 1434 case 7: /* Read-modify-write */ 1435 if (operator) 1436 op0 = lsi_reg_readb(s, reg); 1437 if (insn & (1 << 23)) { 1438 op1 = s->sfbr; 1439 } else { 1440 op1 = data8; 1441 } 1442 break; 1443 } 1444 1445 switch (operator) { 1446 case 0: /* move */ 1447 op0 = op1; 1448 break; 1449 case 1: /* Shift left */ 1450 op1 = op0 >> 7; 1451 op0 = (op0 << 1) | s->carry; 1452 s->carry = op1; 1453 break; 1454 case 2: /* OR */ 1455 op0 |= op1; 1456 break; 1457 case 3: /* XOR */ 1458 op0 ^= op1; 1459 break; 1460 case 4: /* AND */ 1461 op0 &= op1; 1462 break; 1463 case 5: /* SHR */ 1464 op1 = op0 & 1; 1465 op0 = (op0 >> 1) | (s->carry << 7); 1466 s->carry = op1; 1467 break; 1468 case 6: /* ADD */ 1469 op0 += op1; 1470 s->carry = op0 < op1; 1471 break; 1472 case 7: /* ADC */ 1473 op0 += op1 + s->carry; 1474 if (s->carry) 1475 s->carry = op0 <= op1; 1476 else 1477 s->carry = op0 < op1; 1478 break; 1479 } 1480 1481 switch (opcode) { 1482 case 5: /* From SFBR */ 1483 case 7: /* Read-modify-write */ 1484 lsi_reg_writeb(s, reg, op0); 1485 break; 1486 case 6: /* To SFBR */ 1487 s->sfbr = op0; 1488 break; 1489 } 1490 } 1491 break; 1492 1493 case 2: /* Transfer Control. */ 1494 { 1495 int cond; 1496 int jmp; 1497 1498 if ((insn & 0x002e0000) == 0) { 1499 trace_lsi_execute_script_tc_nop(); 1500 break; 1501 } 1502 if (s->sist1 & LSI_SIST1_STO) { 1503 trace_lsi_execute_script_tc_delayedselect_timeout(); 1504 lsi_stop_script(s); 1505 break; 1506 } 1507 cond = jmp = (insn & (1 << 19)) != 0; 1508 if (cond == jmp && (insn & (1 << 21))) { 1509 trace_lsi_execute_script_tc_compc(s->carry == jmp); 1510 cond = s->carry != 0; 1511 } 1512 if (cond == jmp && (insn & (1 << 17))) { 1513 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1), 1514 jmp ? '=' : '!', scsi_phase_name(insn >> 24)); 1515 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7); 1516 } 1517 if (cond == jmp && (insn & (1 << 18))) { 1518 uint8_t mask; 1519 1520 mask = (~insn >> 8) & 0xff; 1521 trace_lsi_execute_script_tc_compd( 1522 s->sfbr, mask, jmp ? '=' : '!', insn & mask); 1523 cond = (s->sfbr & mask) == (insn & mask); 1524 } 1525 if (cond == jmp) { 1526 if (insn & (1 << 23)) { 1527 /* Relative address. */ 1528 addr = s->dsp + sextract32(addr, 0, 24); 1529 } 1530 switch ((insn >> 27) & 7) { 1531 case 0: /* Jump */ 1532 trace_lsi_execute_script_tc_jump(addr); 1533 s->adder = addr; 1534 s->dsp = addr; 1535 break; 1536 case 1: /* Call */ 1537 trace_lsi_execute_script_tc_call(addr); 1538 s->temp = s->dsp; 1539 s->dsp = addr; 1540 break; 1541 case 2: /* Return */ 1542 trace_lsi_execute_script_tc_return(s->temp); 1543 s->dsp = s->temp; 1544 break; 1545 case 3: /* Interrupt */ 1546 trace_lsi_execute_script_tc_interrupt(s->dsps); 1547 if ((insn & (1 << 20)) != 0) { 1548 s->istat0 |= LSI_ISTAT0_INTF; 1549 lsi_update_irq(s); 1550 } else { 1551 lsi_script_dma_interrupt(s, LSI_DSTAT_SIR); 1552 } 1553 break; 1554 default: 1555 trace_lsi_execute_script_tc_illegal(); 1556 lsi_script_dma_interrupt(s, LSI_DSTAT_IID); 1557 break; 1558 } 1559 } else { 1560 trace_lsi_execute_script_tc_cc_failed(); 1561 } 1562 } 1563 break; 1564 1565 case 3: 1566 if ((insn & (1 << 29)) == 0) { 1567 /* Memory move. */ 1568 uint32_t dest; 1569 /* ??? The docs imply the destination address is loaded into 1570 the TEMP register. However the Linux drivers rely on 1571 the value being presrved. */ 1572 dest = read_dword(s, s->dsp); 1573 s->dsp += 4; 1574 lsi_memcpy(s, dest, addr, insn & 0xffffff); 1575 } else { 1576 uint8_t data[7]; 1577 int reg; 1578 int n; 1579 int i; 1580 1581 if (insn & (1 << 28)) { 1582 addr = s->dsa + sextract32(addr, 0, 24); 1583 } 1584 n = (insn & 7); 1585 reg = (insn >> 16) & 0xff; 1586 if (insn & (1 << 24)) { 1587 pci_dma_read(pci_dev, addr, data, n); 1588 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data); 1589 for (i = 0; i < n; i++) { 1590 lsi_reg_writeb(s, reg + i, data[i]); 1591 } 1592 } else { 1593 trace_lsi_execute_script_mm_store(reg, n, addr); 1594 for (i = 0; i < n; i++) { 1595 data[i] = lsi_reg_readb(s, reg + i); 1596 } 1597 pci_dma_write(pci_dev, addr, data, n); 1598 } 1599 } 1600 } 1601 if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) { 1602 if (s->dcntl & LSI_DCNTL_SSM) { 1603 lsi_script_dma_interrupt(s, LSI_DSTAT_SSI); 1604 } else { 1605 goto again; 1606 } 1607 } 1608 trace_lsi_execute_script_stop(); 1609 1610 reentrancy_level--; 1611 } 1612 1613 static uint8_t lsi_reg_readb(LSIState *s, int offset) 1614 { 1615 uint8_t ret; 1616 1617 #define CASE_GET_REG24(name, addr) \ 1618 case addr: ret = s->name & 0xff; break; \ 1619 case addr + 1: ret = (s->name >> 8) & 0xff; break; \ 1620 case addr + 2: ret = (s->name >> 16) & 0xff; break; 1621 1622 #define CASE_GET_REG32(name, addr) \ 1623 case addr: ret = s->name & 0xff; break; \ 1624 case addr + 1: ret = (s->name >> 8) & 0xff; break; \ 1625 case addr + 2: ret = (s->name >> 16) & 0xff; break; \ 1626 case addr + 3: ret = (s->name >> 24) & 0xff; break; 1627 1628 switch (offset) { 1629 case 0x00: /* SCNTL0 */ 1630 ret = s->scntl0; 1631 break; 1632 case 0x01: /* SCNTL1 */ 1633 ret = s->scntl1; 1634 break; 1635 case 0x02: /* SCNTL2 */ 1636 ret = s->scntl2; 1637 break; 1638 case 0x03: /* SCNTL3 */ 1639 ret = s->scntl3; 1640 break; 1641 case 0x04: /* SCID */ 1642 ret = s->scid; 1643 break; 1644 case 0x05: /* SXFER */ 1645 ret = s->sxfer; 1646 break; 1647 case 0x06: /* SDID */ 1648 ret = s->sdid; 1649 break; 1650 case 0x07: /* GPREG0 */ 1651 ret = 0x7f; 1652 break; 1653 case 0x08: /* Revision ID */ 1654 ret = 0x00; 1655 break; 1656 case 0x09: /* SOCL */ 1657 ret = s->socl; 1658 break; 1659 case 0xa: /* SSID */ 1660 ret = s->ssid; 1661 break; 1662 case 0xb: /* SBCL */ 1663 ret = s->sbcl; 1664 break; 1665 case 0xc: /* DSTAT */ 1666 ret = s->dstat | LSI_DSTAT_DFE; 1667 if ((s->istat0 & LSI_ISTAT0_INTF) == 0) 1668 s->dstat = 0; 1669 lsi_update_irq(s); 1670 break; 1671 case 0x0d: /* SSTAT0 */ 1672 ret = s->sstat0; 1673 break; 1674 case 0x0e: /* SSTAT1 */ 1675 ret = s->sstat1; 1676 break; 1677 case 0x0f: /* SSTAT2 */ 1678 ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2; 1679 break; 1680 CASE_GET_REG32(dsa, 0x10) 1681 case 0x14: /* ISTAT0 */ 1682 ret = s->istat0; 1683 break; 1684 case 0x15: /* ISTAT1 */ 1685 ret = s->istat1; 1686 break; 1687 case 0x16: /* MBOX0 */ 1688 ret = s->mbox0; 1689 break; 1690 case 0x17: /* MBOX1 */ 1691 ret = s->mbox1; 1692 break; 1693 case 0x18: /* CTEST0 */ 1694 ret = 0xff; 1695 break; 1696 case 0x19: /* CTEST1 */ 1697 ret = 0; 1698 break; 1699 case 0x1a: /* CTEST2 */ 1700 ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM; 1701 if (s->istat0 & LSI_ISTAT0_SIGP) { 1702 s->istat0 &= ~LSI_ISTAT0_SIGP; 1703 ret |= LSI_CTEST2_SIGP; 1704 } 1705 break; 1706 case 0x1b: /* CTEST3 */ 1707 ret = s->ctest3; 1708 break; 1709 CASE_GET_REG32(temp, 0x1c) 1710 case 0x20: /* DFIFO */ 1711 ret = s->dfifo; 1712 break; 1713 case 0x21: /* CTEST4 */ 1714 ret = s->ctest4; 1715 break; 1716 case 0x22: /* CTEST5 */ 1717 ret = s->ctest5; 1718 break; 1719 case 0x23: /* CTEST6 */ 1720 ret = 0; 1721 break; 1722 CASE_GET_REG24(dbc, 0x24) 1723 case 0x27: /* DCMD */ 1724 ret = s->dcmd; 1725 break; 1726 CASE_GET_REG32(dnad, 0x28) 1727 CASE_GET_REG32(dsp, 0x2c) 1728 CASE_GET_REG32(dsps, 0x30) 1729 CASE_GET_REG32(scratch[0], 0x34) 1730 case 0x38: /* DMODE */ 1731 ret = s->dmode; 1732 break; 1733 case 0x39: /* DIEN */ 1734 ret = s->dien; 1735 break; 1736 case 0x3a: /* SBR */ 1737 ret = s->sbr; 1738 break; 1739 case 0x3b: /* DCNTL */ 1740 ret = s->dcntl; 1741 break; 1742 /* ADDER Output (Debug of relative jump address) */ 1743 CASE_GET_REG32(adder, 0x3c) 1744 case 0x40: /* SIEN0 */ 1745 ret = s->sien0; 1746 break; 1747 case 0x41: /* SIEN1 */ 1748 ret = s->sien1; 1749 break; 1750 case 0x42: /* SIST0 */ 1751 ret = s->sist0; 1752 s->sist0 = 0; 1753 lsi_update_irq(s); 1754 break; 1755 case 0x43: /* SIST1 */ 1756 ret = s->sist1; 1757 s->sist1 = 0; 1758 lsi_update_irq(s); 1759 break; 1760 case 0x46: /* MACNTL */ 1761 ret = 0x0f; 1762 break; 1763 case 0x47: /* GPCNTL0 */ 1764 ret = 0x0f; 1765 break; 1766 case 0x48: /* STIME0 */ 1767 ret = s->stime0; 1768 break; 1769 case 0x4a: /* RESPID0 */ 1770 ret = s->respid0; 1771 break; 1772 case 0x4b: /* RESPID1 */ 1773 ret = s->respid1; 1774 break; 1775 case 0x4d: /* STEST1 */ 1776 ret = s->stest1; 1777 break; 1778 case 0x4e: /* STEST2 */ 1779 ret = s->stest2; 1780 break; 1781 case 0x4f: /* STEST3 */ 1782 ret = s->stest3; 1783 break; 1784 case 0x50: /* SIDL */ 1785 /* This is needed by the linux drivers. We currently only update it 1786 during the MSG IN phase. */ 1787 ret = s->sidl; 1788 break; 1789 case 0x52: /* STEST4 */ 1790 ret = 0xe0; 1791 break; 1792 case 0x56: /* CCNTL0 */ 1793 ret = s->ccntl0; 1794 break; 1795 case 0x57: /* CCNTL1 */ 1796 ret = s->ccntl1; 1797 break; 1798 case 0x58: /* SBDL */ 1799 /* Some drivers peek at the data bus during the MSG IN phase. */ 1800 if ((s->sstat1 & PHASE_MASK) == PHASE_MI) { 1801 assert(s->msg_len > 0); 1802 return s->msg[0]; 1803 } 1804 ret = 0; 1805 break; 1806 case 0x59: /* SBDL high */ 1807 ret = 0; 1808 break; 1809 CASE_GET_REG32(mmrs, 0xa0) 1810 CASE_GET_REG32(mmws, 0xa4) 1811 CASE_GET_REG32(sfs, 0xa8) 1812 CASE_GET_REG32(drs, 0xac) 1813 CASE_GET_REG32(sbms, 0xb0) 1814 CASE_GET_REG32(dbms, 0xb4) 1815 CASE_GET_REG32(dnad64, 0xb8) 1816 CASE_GET_REG32(pmjad1, 0xc0) 1817 CASE_GET_REG32(pmjad2, 0xc4) 1818 CASE_GET_REG32(rbc, 0xc8) 1819 CASE_GET_REG32(ua, 0xcc) 1820 CASE_GET_REG32(ia, 0xd4) 1821 CASE_GET_REG32(sbc, 0xd8) 1822 CASE_GET_REG32(csbc, 0xdc) 1823 case 0x5c ... 0x9f: 1824 { 1825 int n; 1826 int shift; 1827 n = (offset - 0x58) >> 2; 1828 shift = (offset & 3) * 8; 1829 ret = (s->scratch[n] >> shift) & 0xff; 1830 break; 1831 } 1832 default: 1833 { 1834 qemu_log_mask(LOG_GUEST_ERROR, 1835 "lsi_scsi: invalid read from reg %s %x\n", 1836 offset < ARRAY_SIZE(names) ? names[offset] : "???", 1837 offset); 1838 ret = 0xff; 1839 break; 1840 } 1841 } 1842 #undef CASE_GET_REG24 1843 #undef CASE_GET_REG32 1844 1845 trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???", 1846 offset, ret); 1847 1848 return ret; 1849 } 1850 1851 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val) 1852 { 1853 #define CASE_SET_REG24(name, addr) \ 1854 case addr : s->name &= 0xffffff00; s->name |= val; break; \ 1855 case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8; break; \ 1856 case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; 1857 1858 #define CASE_SET_REG32(name, addr) \ 1859 case addr : s->name &= 0xffffff00; s->name |= val; break; \ 1860 case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8; break; \ 1861 case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \ 1862 case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break; 1863 1864 trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???", 1865 offset, val); 1866 1867 switch (offset) { 1868 case 0x00: /* SCNTL0 */ 1869 s->scntl0 = val; 1870 if (val & LSI_SCNTL0_START) { 1871 qemu_log_mask(LOG_UNIMP, 1872 "lsi_scsi: Start sequence not implemented\n"); 1873 } 1874 break; 1875 case 0x01: /* SCNTL1 */ 1876 s->scntl1 = val & ~LSI_SCNTL1_SST; 1877 if (val & LSI_SCNTL1_IARB) { 1878 qemu_log_mask(LOG_UNIMP, 1879 "lsi_scsi: Immediate Arbritration not implemented\n"); 1880 } 1881 if (val & LSI_SCNTL1_RST) { 1882 if (!(s->sstat0 & LSI_SSTAT0_RST)) { 1883 bus_cold_reset(BUS(&s->bus)); 1884 s->sstat0 |= LSI_SSTAT0_RST; 1885 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0); 1886 } 1887 } else { 1888 s->sstat0 &= ~LSI_SSTAT0_RST; 1889 } 1890 break; 1891 case 0x02: /* SCNTL2 */ 1892 val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS); 1893 s->scntl2 = val; 1894 break; 1895 case 0x03: /* SCNTL3 */ 1896 s->scntl3 = val; 1897 break; 1898 case 0x04: /* SCID */ 1899 s->scid = val; 1900 break; 1901 case 0x05: /* SXFER */ 1902 s->sxfer = val; 1903 break; 1904 case 0x06: /* SDID */ 1905 if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) { 1906 qemu_log_mask(LOG_GUEST_ERROR, 1907 "lsi_scsi: Destination ID does not match SSID\n"); 1908 } 1909 s->sdid = val & 0xf; 1910 break; 1911 case 0x07: /* GPREG0 */ 1912 break; 1913 case 0x08: /* SFBR */ 1914 /* The CPU is not allowed to write to this register. However the 1915 SCRIPTS register move instructions are. */ 1916 s->sfbr = val; 1917 break; 1918 case 0x0a: case 0x0b: 1919 /* Openserver writes to these readonly registers on startup */ 1920 return; 1921 case 0x0c: case 0x0d: case 0x0e: case 0x0f: 1922 /* Linux writes to these readonly registers on startup. */ 1923 return; 1924 CASE_SET_REG32(dsa, 0x10) 1925 case 0x14: /* ISTAT0 */ 1926 s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0); 1927 if (val & LSI_ISTAT0_ABRT) { 1928 lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT); 1929 } 1930 if (val & LSI_ISTAT0_INTF) { 1931 s->istat0 &= ~LSI_ISTAT0_INTF; 1932 lsi_update_irq(s); 1933 } 1934 if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) { 1935 trace_lsi_awoken(); 1936 s->waiting = LSI_NOWAIT; 1937 s->dsp = s->dnad; 1938 lsi_execute_script(s); 1939 } 1940 if (val & LSI_ISTAT0_SRST) { 1941 device_cold_reset(DEVICE(s)); 1942 } 1943 break; 1944 case 0x16: /* MBOX0 */ 1945 s->mbox0 = val; 1946 break; 1947 case 0x17: /* MBOX1 */ 1948 s->mbox1 = val; 1949 break; 1950 case 0x18: /* CTEST0 */ 1951 /* nothing to do */ 1952 break; 1953 case 0x1a: /* CTEST2 */ 1954 s->ctest2 = val & LSI_CTEST2_PCICIE; 1955 break; 1956 case 0x1b: /* CTEST3 */ 1957 s->ctest3 = val & 0x0f; 1958 break; 1959 CASE_SET_REG32(temp, 0x1c) 1960 case 0x21: /* CTEST4 */ 1961 if (val & 7) { 1962 qemu_log_mask(LOG_UNIMP, 1963 "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val); 1964 } 1965 s->ctest4 = val; 1966 break; 1967 case 0x22: /* CTEST5 */ 1968 if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) { 1969 qemu_log_mask(LOG_UNIMP, 1970 "lsi_scsi: CTEST5 DMA increment not implemented\n"); 1971 } 1972 s->ctest5 = val; 1973 break; 1974 CASE_SET_REG24(dbc, 0x24) 1975 CASE_SET_REG32(dnad, 0x28) 1976 case 0x2c: /* DSP[0:7] */ 1977 s->dsp &= 0xffffff00; 1978 s->dsp |= val; 1979 break; 1980 case 0x2d: /* DSP[8:15] */ 1981 s->dsp &= 0xffff00ff; 1982 s->dsp |= val << 8; 1983 break; 1984 case 0x2e: /* DSP[16:23] */ 1985 s->dsp &= 0xff00ffff; 1986 s->dsp |= val << 16; 1987 break; 1988 case 0x2f: /* DSP[24:31] */ 1989 s->dsp &= 0x00ffffff; 1990 s->dsp |= val << 24; 1991 /* 1992 * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one 1993 * instruction. Is this correct? 1994 */ 1995 if ((s->dmode & LSI_DMODE_MAN) == 0 1996 && (s->istat1 & LSI_ISTAT1_SRUN) == 0) 1997 lsi_execute_script(s); 1998 break; 1999 CASE_SET_REG32(dsps, 0x30) 2000 CASE_SET_REG32(scratch[0], 0x34) 2001 case 0x38: /* DMODE */ 2002 s->dmode = val; 2003 break; 2004 case 0x39: /* DIEN */ 2005 s->dien = val; 2006 lsi_update_irq(s); 2007 break; 2008 case 0x3a: /* SBR */ 2009 s->sbr = val; 2010 break; 2011 case 0x3b: /* DCNTL */ 2012 s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD); 2013 /* 2014 * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one 2015 * instruction. Is this correct? 2016 */ 2017 if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0) 2018 lsi_execute_script(s); 2019 break; 2020 case 0x40: /* SIEN0 */ 2021 s->sien0 = val; 2022 lsi_update_irq(s); 2023 break; 2024 case 0x41: /* SIEN1 */ 2025 s->sien1 = val; 2026 lsi_update_irq(s); 2027 break; 2028 case 0x47: /* GPCNTL0 */ 2029 break; 2030 case 0x48: /* STIME0 */ 2031 s->stime0 = val; 2032 break; 2033 case 0x49: /* STIME1 */ 2034 if (val & 0xf) { 2035 qemu_log_mask(LOG_UNIMP, 2036 "lsi_scsi: General purpose timer not implemented\n"); 2037 /* ??? Raising the interrupt immediately seems to be sufficient 2038 to keep the FreeBSD driver happy. */ 2039 lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN); 2040 } 2041 break; 2042 case 0x4a: /* RESPID0 */ 2043 s->respid0 = val; 2044 break; 2045 case 0x4b: /* RESPID1 */ 2046 s->respid1 = val; 2047 break; 2048 case 0x4d: /* STEST1 */ 2049 s->stest1 = val; 2050 break; 2051 case 0x4e: /* STEST2 */ 2052 if (val & 1) { 2053 qemu_log_mask(LOG_UNIMP, 2054 "lsi_scsi: Low level mode not implemented\n"); 2055 } 2056 s->stest2 = val; 2057 break; 2058 case 0x4f: /* STEST3 */ 2059 if (val & 0x41) { 2060 qemu_log_mask(LOG_UNIMP, 2061 "lsi_scsi: SCSI FIFO test mode not implemented\n"); 2062 } 2063 s->stest3 = val; 2064 break; 2065 case 0x56: /* CCNTL0 */ 2066 s->ccntl0 = val; 2067 break; 2068 case 0x57: /* CCNTL1 */ 2069 s->ccntl1 = val; 2070 break; 2071 CASE_SET_REG32(mmrs, 0xa0) 2072 CASE_SET_REG32(mmws, 0xa4) 2073 CASE_SET_REG32(sfs, 0xa8) 2074 CASE_SET_REG32(drs, 0xac) 2075 CASE_SET_REG32(sbms, 0xb0) 2076 CASE_SET_REG32(dbms, 0xb4) 2077 CASE_SET_REG32(dnad64, 0xb8) 2078 CASE_SET_REG32(pmjad1, 0xc0) 2079 CASE_SET_REG32(pmjad2, 0xc4) 2080 CASE_SET_REG32(rbc, 0xc8) 2081 CASE_SET_REG32(ua, 0xcc) 2082 CASE_SET_REG32(ia, 0xd4) 2083 CASE_SET_REG32(sbc, 0xd8) 2084 CASE_SET_REG32(csbc, 0xdc) 2085 default: 2086 if (offset >= 0x5c && offset < 0xa0) { 2087 int n; 2088 int shift; 2089 n = (offset - 0x58) >> 2; 2090 shift = (offset & 3) * 8; 2091 s->scratch[n] = deposit32(s->scratch[n], shift, 8, val); 2092 } else { 2093 qemu_log_mask(LOG_GUEST_ERROR, 2094 "lsi_scsi: invalid write to reg %s %x (0x%02x)\n", 2095 offset < ARRAY_SIZE(names) ? names[offset] : "???", 2096 offset, val); 2097 } 2098 } 2099 #undef CASE_SET_REG24 2100 #undef CASE_SET_REG32 2101 } 2102 2103 static void lsi_mmio_write(void *opaque, hwaddr addr, 2104 uint64_t val, unsigned size) 2105 { 2106 LSIState *s = opaque; 2107 2108 lsi_reg_writeb(s, addr & 0xff, val); 2109 } 2110 2111 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr, 2112 unsigned size) 2113 { 2114 LSIState *s = opaque; 2115 return lsi_reg_readb(s, addr & 0xff); 2116 } 2117 2118 static const MemoryRegionOps lsi_mmio_ops = { 2119 .read = lsi_mmio_read, 2120 .write = lsi_mmio_write, 2121 .endianness = DEVICE_LITTLE_ENDIAN, 2122 .impl = { 2123 .min_access_size = 1, 2124 .max_access_size = 1, 2125 }, 2126 }; 2127 2128 static void lsi_ram_write(void *opaque, hwaddr addr, 2129 uint64_t val, unsigned size) 2130 { 2131 LSIState *s = opaque; 2132 stn_le_p(s->script_ram + addr, size, val); 2133 } 2134 2135 static uint64_t lsi_ram_read(void *opaque, hwaddr addr, 2136 unsigned size) 2137 { 2138 LSIState *s = opaque; 2139 return ldn_le_p(s->script_ram + addr, size); 2140 } 2141 2142 static const MemoryRegionOps lsi_ram_ops = { 2143 .read = lsi_ram_read, 2144 .write = lsi_ram_write, 2145 .endianness = DEVICE_LITTLE_ENDIAN, 2146 }; 2147 2148 static uint64_t lsi_io_read(void *opaque, hwaddr addr, 2149 unsigned size) 2150 { 2151 LSIState *s = opaque; 2152 return lsi_reg_readb(s, addr & 0xff); 2153 } 2154 2155 static void lsi_io_write(void *opaque, hwaddr addr, 2156 uint64_t val, unsigned size) 2157 { 2158 LSIState *s = opaque; 2159 lsi_reg_writeb(s, addr & 0xff, val); 2160 } 2161 2162 static const MemoryRegionOps lsi_io_ops = { 2163 .read = lsi_io_read, 2164 .write = lsi_io_write, 2165 .endianness = DEVICE_LITTLE_ENDIAN, 2166 .impl = { 2167 .min_access_size = 1, 2168 .max_access_size = 1, 2169 }, 2170 }; 2171 2172 static void lsi_scsi_reset(DeviceState *dev) 2173 { 2174 LSIState *s = LSI53C895A(dev); 2175 2176 lsi_soft_reset(s); 2177 } 2178 2179 static int lsi_pre_save(void *opaque) 2180 { 2181 LSIState *s = opaque; 2182 2183 if (s->current) { 2184 assert(s->current->dma_buf == NULL); 2185 assert(s->current->dma_len == 0); 2186 } 2187 assert(QTAILQ_EMPTY(&s->queue)); 2188 2189 return 0; 2190 } 2191 2192 static int lsi_post_load(void *opaque, int version_id) 2193 { 2194 LSIState *s = opaque; 2195 2196 if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) { 2197 return -EINVAL; 2198 } 2199 2200 return 0; 2201 } 2202 2203 static const VMStateDescription vmstate_lsi_scsi = { 2204 .name = "lsiscsi", 2205 .version_id = 1, 2206 .minimum_version_id = 0, 2207 .pre_save = lsi_pre_save, 2208 .post_load = lsi_post_load, 2209 .fields = (const VMStateField[]) { 2210 VMSTATE_PCI_DEVICE(parent_obj, LSIState), 2211 2212 VMSTATE_INT32(carry, LSIState), 2213 VMSTATE_INT32(status, LSIState), 2214 VMSTATE_INT32(msg_action, LSIState), 2215 VMSTATE_INT32(msg_len, LSIState), 2216 VMSTATE_BUFFER(msg, LSIState), 2217 VMSTATE_INT32(waiting, LSIState), 2218 2219 VMSTATE_UINT32(dsa, LSIState), 2220 VMSTATE_UINT32(temp, LSIState), 2221 VMSTATE_UINT32(dnad, LSIState), 2222 VMSTATE_UINT32(dbc, LSIState), 2223 VMSTATE_UINT8(istat0, LSIState), 2224 VMSTATE_UINT8(istat1, LSIState), 2225 VMSTATE_UINT8(dcmd, LSIState), 2226 VMSTATE_UINT8(dstat, LSIState), 2227 VMSTATE_UINT8(dien, LSIState), 2228 VMSTATE_UINT8(sist0, LSIState), 2229 VMSTATE_UINT8(sist1, LSIState), 2230 VMSTATE_UINT8(sien0, LSIState), 2231 VMSTATE_UINT8(sien1, LSIState), 2232 VMSTATE_UINT8(mbox0, LSIState), 2233 VMSTATE_UINT8(mbox1, LSIState), 2234 VMSTATE_UINT8(dfifo, LSIState), 2235 VMSTATE_UINT8(ctest2, LSIState), 2236 VMSTATE_UINT8(ctest3, LSIState), 2237 VMSTATE_UINT8(ctest4, LSIState), 2238 VMSTATE_UINT8(ctest5, LSIState), 2239 VMSTATE_UINT8(ccntl0, LSIState), 2240 VMSTATE_UINT8(ccntl1, LSIState), 2241 VMSTATE_UINT32(dsp, LSIState), 2242 VMSTATE_UINT32(dsps, LSIState), 2243 VMSTATE_UINT8(dmode, LSIState), 2244 VMSTATE_UINT8(dcntl, LSIState), 2245 VMSTATE_UINT8(scntl0, LSIState), 2246 VMSTATE_UINT8(scntl1, LSIState), 2247 VMSTATE_UINT8(scntl2, LSIState), 2248 VMSTATE_UINT8(scntl3, LSIState), 2249 VMSTATE_UINT8(sstat0, LSIState), 2250 VMSTATE_UINT8(sstat1, LSIState), 2251 VMSTATE_UINT8(scid, LSIState), 2252 VMSTATE_UINT8(sxfer, LSIState), 2253 VMSTATE_UINT8(socl, LSIState), 2254 VMSTATE_UINT8(sdid, LSIState), 2255 VMSTATE_UINT8(ssid, LSIState), 2256 VMSTATE_UINT8(sfbr, LSIState), 2257 VMSTATE_UINT8(stest1, LSIState), 2258 VMSTATE_UINT8(stest2, LSIState), 2259 VMSTATE_UINT8(stest3, LSIState), 2260 VMSTATE_UINT8(sidl, LSIState), 2261 VMSTATE_UINT8(stime0, LSIState), 2262 VMSTATE_UINT8(respid0, LSIState), 2263 VMSTATE_UINT8(respid1, LSIState), 2264 VMSTATE_UINT8_V(sbcl, LSIState, 1), 2265 VMSTATE_UINT32(mmrs, LSIState), 2266 VMSTATE_UINT32(mmws, LSIState), 2267 VMSTATE_UINT32(sfs, LSIState), 2268 VMSTATE_UINT32(drs, LSIState), 2269 VMSTATE_UINT32(sbms, LSIState), 2270 VMSTATE_UINT32(dbms, LSIState), 2271 VMSTATE_UINT32(dnad64, LSIState), 2272 VMSTATE_UINT32(pmjad1, LSIState), 2273 VMSTATE_UINT32(pmjad2, LSIState), 2274 VMSTATE_UINT32(rbc, LSIState), 2275 VMSTATE_UINT32(ua, LSIState), 2276 VMSTATE_UINT32(ia, LSIState), 2277 VMSTATE_UINT32(sbc, LSIState), 2278 VMSTATE_UINT32(csbc, LSIState), 2279 VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)), 2280 VMSTATE_UINT8(sbr, LSIState), 2281 2282 VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192), 2283 VMSTATE_END_OF_LIST() 2284 } 2285 }; 2286 2287 static const struct SCSIBusInfo lsi_scsi_info = { 2288 .tcq = true, 2289 .max_target = LSI_MAX_DEVS, 2290 .max_lun = 0, /* LUN support is buggy */ 2291 2292 .transfer_data = lsi_transfer_data, 2293 .complete = lsi_command_complete, 2294 .cancel = lsi_request_cancelled 2295 }; 2296 2297 static void lsi_scsi_realize(PCIDevice *dev, Error **errp) 2298 { 2299 LSIState *s = LSI53C895A(dev); 2300 DeviceState *d = DEVICE(dev); 2301 uint8_t *pci_conf; 2302 2303 pci_conf = dev->config; 2304 2305 /* PCI latency timer = 255 */ 2306 pci_conf[PCI_LATENCY_TIMER] = 0xff; 2307 /* Interrupt pin A */ 2308 pci_conf[PCI_INTERRUPT_PIN] = 0x01; 2309 2310 memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s, 2311 "lsi-mmio", 0x400); 2312 memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s, 2313 "lsi-ram", 0x2000); 2314 memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s, 2315 "lsi-io", 256); 2316 2317 /* 2318 * Since we use the address-space API to interact with ram_io, disable the 2319 * re-entrancy guard. 2320 */ 2321 s->ram_io.disable_reentrancy_guard = true; 2322 s->mmio_io.disable_reentrancy_guard = true; 2323 2324 address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io"); 2325 qdev_init_gpio_out(d, &s->ext_irq, 1); 2326 2327 pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io); 2328 pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io); 2329 pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io); 2330 QTAILQ_INIT(&s->queue); 2331 2332 scsi_bus_init(&s->bus, sizeof(s->bus), d, &lsi_scsi_info); 2333 } 2334 2335 static void lsi_scsi_exit(PCIDevice *dev) 2336 { 2337 LSIState *s = LSI53C895A(dev); 2338 2339 address_space_destroy(&s->pci_io_as); 2340 } 2341 2342 static void lsi_class_init(ObjectClass *klass, void *data) 2343 { 2344 DeviceClass *dc = DEVICE_CLASS(klass); 2345 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); 2346 2347 k->realize = lsi_scsi_realize; 2348 k->exit = lsi_scsi_exit; 2349 k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC; 2350 k->device_id = PCI_DEVICE_ID_LSI_53C895A; 2351 k->class_id = PCI_CLASS_STORAGE_SCSI; 2352 k->subsystem_id = 0x1000; 2353 dc->reset = lsi_scsi_reset; 2354 dc->vmsd = &vmstate_lsi_scsi; 2355 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2356 } 2357 2358 static const TypeInfo lsi_info = { 2359 .name = TYPE_LSI53C895A, 2360 .parent = TYPE_PCI_DEVICE, 2361 .instance_size = sizeof(LSIState), 2362 .class_init = lsi_class_init, 2363 .interfaces = (InterfaceInfo[]) { 2364 { INTERFACE_CONVENTIONAL_PCI_DEVICE }, 2365 { }, 2366 }, 2367 }; 2368 2369 static void lsi53c810_class_init(ObjectClass *klass, void *data) 2370 { 2371 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); 2372 2373 k->device_id = PCI_DEVICE_ID_LSI_53C810; 2374 } 2375 2376 static const TypeInfo lsi53c810_info = { 2377 .name = TYPE_LSI53C810, 2378 .parent = TYPE_LSI53C895A, 2379 .class_init = lsi53c810_class_init, 2380 }; 2381 2382 static void lsi53c895a_register_types(void) 2383 { 2384 type_register_static(&lsi_info); 2385 type_register_static(&lsi53c810_info); 2386 } 2387 2388 type_init(lsi53c895a_register_types) 2389 2390 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev) 2391 { 2392 LSIState *s = LSI53C895A(lsi_dev); 2393 2394 scsi_bus_legacy_handle_cmdline(&s->bus); 2395 } 2396