xref: /openbmc/qemu/hw/ufs/ufs.c (revision 2b74dd918007d91f5fee94ad0034b5e7a30ed777)
1 /*
2  * QEMU Universal Flash Storage (UFS) Controller
3  *
4  * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved.
5  *
6  * Written by Jeuk Kim <jeuk20.kim@samsung.com>
7  *
8  * SPDX-License-Identifier: GPL-2.0-or-later
9  */
10 
11 /**
12  * Reference Specs: https://www.jedec.org/, 4.0
13  *
14  * Usage
15  * -----
16  *
17  * Add options:
18  *      -drive file=<file>,if=none,id=<drive_id>
19  *      -device ufs,serial=<serial>,id=<bus_name>, \
20  *              nutrs=<N[optional]>,nutmrs=<N[optional]>
21  *      -device ufs-lu,drive=<drive_id>,bus=<bus_name>
22  */
23 
24 #include "qemu/osdep.h"
25 #include "qapi/error.h"
26 #include "migration/vmstate.h"
27 #include "scsi/constants.h"
28 #include "trace.h"
29 #include "ufs.h"
30 
31 /* The QEMU-UFS device follows spec version 4.0 */
32 #define UFS_SPEC_VER 0x0400
33 #define UFS_MAX_NUTRS 32
34 #define UFS_MAX_NUTMRS 8
35 #define UFS_MCQ_QCFGPTR 2
36 
37 static void ufs_exec_req(UfsRequest *req);
38 static void ufs_clear_req(UfsRequest *req);
39 
40 static inline uint64_t ufs_mcq_reg_addr(UfsHc *u, int qid)
41 {
42     /* Submission Queue MCQ Registers offset (400h) */
43     return (UFS_MCQ_QCFGPTR * 0x200) + qid * 0x40;
44 }
45 
46 static inline uint64_t ufs_mcq_op_reg_addr(UfsHc *u, int qid)
47 {
48     /* MCQ Operation & Runtime Registers offset (1000h) */
49     return UFS_MCQ_OPR_START + qid * 48;
50 }
51 
52 static inline uint64_t ufs_reg_size(UfsHc *u)
53 {
54     /* Total UFS HCI Register size in bytes */
55     return ufs_mcq_op_reg_addr(u, 0) + sizeof(u->mcq_op_reg);
56 }
57 
58 static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size)
59 {
60     uint64_t mcq_reg_addr;
61 
62     if (!u->params.mcq) {
63         return false;
64     }
65 
66     mcq_reg_addr = ufs_mcq_reg_addr(u, 0);
67     return (addr >= mcq_reg_addr &&
68             addr + size <= mcq_reg_addr + sizeof(u->mcq_reg));
69 }
70 
71 static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr, unsigned size)
72 {
73     uint64_t mcq_op_reg_addr;
74 
75     if (!u->params.mcq) {
76         return false;
77     }
78 
79     mcq_op_reg_addr = ufs_mcq_op_reg_addr(u, 0);
80     return (addr >= mcq_op_reg_addr &&
81             addr + size <= mcq_op_reg_addr + sizeof(u->mcq_op_reg));
82 }
83 
84 static MemTxResult ufs_addr_read(UfsHc *u, hwaddr addr, void *buf, int size)
85 {
86     hwaddr hi = addr + size - 1;
87 
88     if (hi < addr) {
89         return MEMTX_DECODE_ERROR;
90     }
91 
92     if (!FIELD_EX32(u->reg.cap, CAP, 64AS) && (hi >> 32)) {
93         return MEMTX_DECODE_ERROR;
94     }
95 
96     return pci_dma_read(PCI_DEVICE(u), addr, buf, size);
97 }
98 
99 static MemTxResult ufs_addr_write(UfsHc *u, hwaddr addr, const void *buf,
100                                   int size)
101 {
102     hwaddr hi = addr + size - 1;
103     if (hi < addr) {
104         return MEMTX_DECODE_ERROR;
105     }
106 
107     if (!FIELD_EX32(u->reg.cap, CAP, 64AS) && (hi >> 32)) {
108         return MEMTX_DECODE_ERROR;
109     }
110 
111     return pci_dma_write(PCI_DEVICE(u), addr, buf, size);
112 }
113 
114 static inline hwaddr ufs_get_utrd_addr(UfsHc *u, uint32_t slot)
115 {
116     hwaddr utrl_base_addr = (((hwaddr)u->reg.utrlbau) << 32) + u->reg.utrlba;
117     hwaddr utrd_addr = utrl_base_addr + slot * sizeof(UtpTransferReqDesc);
118 
119     return utrd_addr;
120 }
121 
122 static inline hwaddr ufs_get_req_upiu_base_addr(const UtpTransferReqDesc *utrd)
123 {
124     uint32_t cmd_desc_base_addr_lo =
125         le32_to_cpu(utrd->command_desc_base_addr_lo);
126     uint32_t cmd_desc_base_addr_hi =
127         le32_to_cpu(utrd->command_desc_base_addr_hi);
128 
129     return (((hwaddr)cmd_desc_base_addr_hi) << 32) + cmd_desc_base_addr_lo;
130 }
131 
132 static inline hwaddr ufs_get_rsp_upiu_base_addr(const UtpTransferReqDesc *utrd)
133 {
134     hwaddr req_upiu_base_addr = ufs_get_req_upiu_base_addr(utrd);
135     uint32_t rsp_upiu_byte_off =
136         le16_to_cpu(utrd->response_upiu_offset) * sizeof(uint32_t);
137     return req_upiu_base_addr + rsp_upiu_byte_off;
138 }
139 
140 static MemTxResult ufs_dma_read_utrd(UfsRequest *req)
141 {
142     UfsHc *u = req->hc;
143     hwaddr utrd_addr = ufs_get_utrd_addr(u, req->slot);
144     MemTxResult ret;
145 
146     ret = ufs_addr_read(u, utrd_addr, &req->utrd, sizeof(req->utrd));
147     if (ret) {
148         trace_ufs_err_dma_read_utrd(req->slot, utrd_addr);
149     }
150     return ret;
151 }
152 
153 static MemTxResult ufs_dma_read_req_upiu(UfsRequest *req)
154 {
155     UfsHc *u = req->hc;
156     hwaddr req_upiu_base_addr = ufs_get_req_upiu_base_addr(&req->utrd);
157     UtpUpiuReq *req_upiu = &req->req_upiu;
158     uint32_t copy_size;
159     uint16_t data_segment_length;
160     MemTxResult ret;
161 
162     /*
163      * To know the size of the req_upiu, we need to read the
164      * data_segment_length in the header first.
165      */
166     ret = ufs_addr_read(u, req_upiu_base_addr, &req_upiu->header,
167                         sizeof(UtpUpiuHeader));
168     if (ret) {
169         trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
170         return ret;
171     }
172     data_segment_length = be16_to_cpu(req_upiu->header.data_segment_length);
173 
174     copy_size = sizeof(UtpUpiuHeader) + UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
175                 data_segment_length;
176 
177     if (copy_size > sizeof(req->req_upiu)) {
178         copy_size = sizeof(req->req_upiu);
179     }
180 
181     ret = ufs_addr_read(u, req_upiu_base_addr, &req->req_upiu, copy_size);
182     if (ret) {
183         trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
184     }
185     return ret;
186 }
187 
188 static MemTxResult ufs_dma_read_prdt(UfsRequest *req)
189 {
190     UfsHc *u = req->hc;
191     uint16_t prdt_len = le16_to_cpu(req->utrd.prd_table_length);
192     uint16_t prdt_byte_off =
193         le16_to_cpu(req->utrd.prd_table_offset) * sizeof(uint32_t);
194     uint32_t prdt_size = prdt_len * sizeof(UfshcdSgEntry);
195     g_autofree UfshcdSgEntry *prd_entries = NULL;
196     hwaddr req_upiu_base_addr, prdt_base_addr;
197     int err;
198 
199     assert(!req->sg);
200 
201     if (prdt_size == 0) {
202         return MEMTX_OK;
203     }
204     prd_entries = g_new(UfshcdSgEntry, prdt_size);
205 
206     req_upiu_base_addr = ufs_get_req_upiu_base_addr(&req->utrd);
207     prdt_base_addr = req_upiu_base_addr + prdt_byte_off;
208 
209     err = ufs_addr_read(u, prdt_base_addr, prd_entries, prdt_size);
210     if (err) {
211         trace_ufs_err_dma_read_prdt(req->slot, prdt_base_addr);
212         return err;
213     }
214 
215     req->sg = g_malloc0(sizeof(QEMUSGList));
216     pci_dma_sglist_init(req->sg, PCI_DEVICE(u), prdt_len);
217     req->data_len = 0;
218 
219     for (uint16_t i = 0; i < prdt_len; ++i) {
220         hwaddr data_dma_addr = le64_to_cpu(prd_entries[i].addr);
221         uint32_t data_byte_count = le32_to_cpu(prd_entries[i].size) + 1;
222         qemu_sglist_add(req->sg, data_dma_addr, data_byte_count);
223         req->data_len += data_byte_count;
224     }
225     return MEMTX_OK;
226 }
227 
228 static MemTxResult ufs_dma_read_upiu(UfsRequest *req)
229 {
230     MemTxResult ret;
231 
232     /*
233      * In case of MCQ, UTRD has already been read from a SQ, so skip it.
234      */
235     if (!ufs_mcq_req(req)) {
236         ret = ufs_dma_read_utrd(req);
237         if (ret) {
238             return ret;
239         }
240     }
241 
242     ret = ufs_dma_read_req_upiu(req);
243     if (ret) {
244         return ret;
245     }
246 
247     ret = ufs_dma_read_prdt(req);
248     if (ret) {
249         return ret;
250     }
251 
252     return 0;
253 }
254 
255 static MemTxResult ufs_dma_write_utrd(UfsRequest *req)
256 {
257     UfsHc *u = req->hc;
258     hwaddr utrd_addr = ufs_get_utrd_addr(u, req->slot);
259     MemTxResult ret;
260 
261     ret = ufs_addr_write(u, utrd_addr, &req->utrd, sizeof(req->utrd));
262     if (ret) {
263         trace_ufs_err_dma_write_utrd(req->slot, utrd_addr);
264     }
265     return ret;
266 }
267 
268 static MemTxResult ufs_dma_write_rsp_upiu(UfsRequest *req)
269 {
270     UfsHc *u = req->hc;
271     hwaddr rsp_upiu_base_addr = ufs_get_rsp_upiu_base_addr(&req->utrd);
272     uint32_t rsp_upiu_byte_len =
273         le16_to_cpu(req->utrd.response_upiu_length) * sizeof(uint32_t);
274     uint16_t data_segment_length =
275         be16_to_cpu(req->rsp_upiu.header.data_segment_length);
276     uint32_t copy_size = sizeof(UtpUpiuHeader) +
277                          UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
278                          data_segment_length;
279     MemTxResult ret;
280 
281     if (copy_size > rsp_upiu_byte_len) {
282         copy_size = rsp_upiu_byte_len;
283     }
284 
285     if (copy_size > sizeof(req->rsp_upiu)) {
286         copy_size = sizeof(req->rsp_upiu);
287     }
288 
289     ret = ufs_addr_write(u, rsp_upiu_base_addr, &req->rsp_upiu, copy_size);
290     if (ret) {
291         trace_ufs_err_dma_write_rsp_upiu(req->slot, rsp_upiu_base_addr);
292     }
293     return ret;
294 }
295 
296 static MemTxResult ufs_dma_write_upiu(UfsRequest *req)
297 {
298     MemTxResult ret;
299 
300     ret = ufs_dma_write_rsp_upiu(req);
301     if (ret) {
302         return ret;
303     }
304 
305     return ufs_dma_write_utrd(req);
306 }
307 
308 static void ufs_irq_check(UfsHc *u)
309 {
310     PCIDevice *pci = PCI_DEVICE(u);
311 
312     if ((u->reg.is & UFS_INTR_MASK) & u->reg.ie) {
313         trace_ufs_irq_raise();
314         pci_irq_assert(pci);
315     } else {
316         trace_ufs_irq_lower();
317         pci_irq_deassert(pci);
318     }
319 }
320 
321 static void ufs_process_db(UfsHc *u, uint32_t val)
322 {
323     DECLARE_BITMAP(doorbell, UFS_MAX_NUTRS);
324     uint32_t slot;
325     uint32_t nutrs = u->params.nutrs;
326     UfsRequest *req;
327 
328     val &= ~u->reg.utrldbr;
329     if (!val) {
330         return;
331     }
332 
333     doorbell[0] = val;
334     slot = find_first_bit(doorbell, nutrs);
335 
336     while (slot < nutrs) {
337         req = &u->req_list[slot];
338         if (req->state == UFS_REQUEST_ERROR) {
339             trace_ufs_err_utrl_slot_error(req->slot);
340             return;
341         }
342 
343         if (req->state != UFS_REQUEST_IDLE) {
344             trace_ufs_err_utrl_slot_busy(req->slot);
345             return;
346         }
347 
348         trace_ufs_process_db(slot);
349         req->state = UFS_REQUEST_READY;
350         slot = find_next_bit(doorbell, nutrs, slot + 1);
351     }
352 
353     qemu_bh_schedule(u->doorbell_bh);
354 }
355 
356 static void ufs_process_uiccmd(UfsHc *u, uint32_t val)
357 {
358     trace_ufs_process_uiccmd(val, u->reg.ucmdarg1, u->reg.ucmdarg2,
359                              u->reg.ucmdarg3);
360     /*
361      * Only the essential uic commands for running drivers on Linux and Windows
362      * are implemented.
363      */
364     switch (val) {
365     case UFS_UIC_CMD_DME_LINK_STARTUP:
366         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, DP, 1);
367         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UTRLRDY, 1);
368         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UTMRLRDY, 1);
369         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_SUCCESS;
370         break;
371     /* TODO: Revisit it when Power Management is implemented */
372     case UFS_UIC_CMD_DME_HIBER_ENTER:
373         u->reg.is = FIELD_DP32(u->reg.is, IS, UHES, 1);
374         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UPMCRS, UFS_PWR_LOCAL);
375         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_SUCCESS;
376         break;
377     case UFS_UIC_CMD_DME_HIBER_EXIT:
378         u->reg.is = FIELD_DP32(u->reg.is, IS, UHXS, 1);
379         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UPMCRS, UFS_PWR_LOCAL);
380         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_SUCCESS;
381         break;
382     default:
383         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_FAILURE;
384     }
385 
386     u->reg.is = FIELD_DP32(u->reg.is, IS, UCCS, 1);
387 
388     ufs_irq_check(u);
389 }
390 
391 static void ufs_mcq_init_req(UfsHc *u, UfsRequest *req, UfsSq *sq)
392 {
393     memset(req, 0, sizeof(*req));
394 
395     req->hc = u;
396     req->state = UFS_REQUEST_IDLE;
397     req->slot = UFS_INVALID_SLOT;
398     req->sq = sq;
399 }
400 
401 static void ufs_mcq_process_sq(void *opaque)
402 {
403     UfsSq *sq = opaque;
404     UfsHc *u = sq->u;
405     UfsSqEntry sqe;
406     UfsRequest *req;
407     hwaddr addr;
408     uint16_t head = ufs_mcq_sq_head(u, sq->sqid);
409     int err;
410 
411     while (!(ufs_mcq_sq_empty(u, sq->sqid) || QTAILQ_EMPTY(&sq->req_list))) {
412         addr = sq->addr + head;
413         err = ufs_addr_read(sq->u, addr, (void *)&sqe, sizeof(sqe));
414         if (err) {
415             trace_ufs_err_dma_read_sq(sq->sqid, addr);
416             return;
417         }
418 
419         head = (head + sizeof(sqe)) % (sq->size * sizeof(sqe));
420         ufs_mcq_update_sq_head(u, sq->sqid, head);
421 
422         req = QTAILQ_FIRST(&sq->req_list);
423         QTAILQ_REMOVE(&sq->req_list, req, entry);
424 
425         ufs_mcq_init_req(sq->u, req, sq);
426         memcpy(&req->utrd, &sqe, sizeof(req->utrd));
427 
428         req->state = UFS_REQUEST_RUNNING;
429         ufs_exec_req(req);
430     }
431 }
432 
433 static void ufs_mcq_process_cq(void *opaque)
434 {
435     UfsCq *cq = opaque;
436     UfsHc *u = cq->u;
437     UfsRequest *req, *next;
438     MemTxResult ret;
439     uint32_t tail = ufs_mcq_cq_tail(u, cq->cqid);
440 
441     QTAILQ_FOREACH_SAFE(req, &cq->req_list, entry, next)
442     {
443         ufs_dma_write_rsp_upiu(req);
444 
445         req->cqe.utp_addr =
446             ((uint64_t)req->utrd.command_desc_base_addr_hi << 32ULL) |
447             req->utrd.command_desc_base_addr_lo;
448         req->cqe.utp_addr |= req->sq->sqid;
449         req->cqe.resp_len = req->utrd.response_upiu_length;
450         req->cqe.resp_off = req->utrd.response_upiu_offset;
451         req->cqe.prdt_len = req->utrd.prd_table_length;
452         req->cqe.prdt_off = req->utrd.prd_table_offset;
453         req->cqe.status = req->utrd.header.dword_2 & 0xf;
454         req->cqe.error = 0;
455 
456         ret = ufs_addr_write(u, cq->addr + tail, &req->cqe, sizeof(req->cqe));
457         if (ret) {
458             trace_ufs_err_dma_write_cq(cq->cqid, cq->addr + tail);
459         }
460         QTAILQ_REMOVE(&cq->req_list, req, entry);
461 
462         tail = (tail + sizeof(req->cqe)) % (cq->size * sizeof(req->cqe));
463         ufs_mcq_update_cq_tail(u, cq->cqid, tail);
464 
465         ufs_clear_req(req);
466         QTAILQ_INSERT_TAIL(&req->sq->req_list, req, entry);
467     }
468 
469     if (!ufs_mcq_cq_empty(u, cq->cqid)) {
470         u->mcq_op_reg[cq->cqid].cq_int.is =
471             FIELD_DP32(u->mcq_op_reg[cq->cqid].cq_int.is, CQIS, TEPS, 1);
472 
473         u->reg.is = FIELD_DP32(u->reg.is, IS, CQES, 1);
474         ufs_irq_check(u);
475     }
476 }
477 
478 static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, uint32_t attr)
479 {
480     UfsMcqReg *reg = &u->mcq_reg[qid];
481     UfsSq *sq;
482     uint8_t cqid = FIELD_EX32(attr, SQATTR, CQID);
483 
484     if (qid >= u->params.mcq_maxq) {
485         trace_ufs_err_mcq_create_sq_invalid_sqid(qid);
486         return false;
487     }
488 
489     if (u->sq[qid]) {
490         trace_ufs_err_mcq_create_sq_already_exists(qid);
491         return false;
492     }
493 
494     if (!u->cq[cqid]) {
495         trace_ufs_err_mcq_create_sq_invalid_cqid(qid);
496         return false;
497     }
498 
499     sq = g_malloc0(sizeof(*sq));
500     sq->u = u;
501     sq->sqid = qid;
502     sq->cq = u->cq[cqid];
503     sq->addr = ((uint64_t)reg->squba << 32) | reg->sqlba;
504     sq->size = ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry);
505 
506     sq->bh = qemu_bh_new_guarded(ufs_mcq_process_sq, sq,
507                                  &DEVICE(u)->mem_reentrancy_guard);
508     sq->req = g_new0(UfsRequest, sq->size);
509     QTAILQ_INIT(&sq->req_list);
510     for (int i = 0; i < sq->size; i++) {
511         ufs_mcq_init_req(u, &sq->req[i], sq);
512         QTAILQ_INSERT_TAIL(&sq->req_list, &sq->req[i], entry);
513     }
514 
515     u->sq[qid] = sq;
516 
517     trace_ufs_mcq_create_sq(sq->sqid, sq->cq->cqid, sq->addr, sq->size);
518     return true;
519 }
520 
521 static bool ufs_mcq_delete_sq(UfsHc *u, uint8_t qid)
522 {
523     UfsSq *sq;
524 
525     if (qid >= u->params.mcq_maxq) {
526         trace_ufs_err_mcq_delete_sq_invalid_sqid(qid);
527         return false;
528     }
529 
530     if (!u->sq[qid]) {
531         trace_ufs_err_mcq_delete_sq_not_exists(qid);
532         return false;
533     }
534 
535     sq = u->sq[qid];
536 
537     qemu_bh_delete(sq->bh);
538     g_free(sq->req);
539     g_free(sq);
540     u->sq[qid] = NULL;
541     return true;
542 }
543 
544 static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, uint32_t attr)
545 {
546     UfsMcqReg *reg = &u->mcq_reg[qid];
547     UfsCq *cq;
548 
549     if (qid >= u->params.mcq_maxq) {
550         trace_ufs_err_mcq_create_cq_invalid_cqid(qid);
551         return false;
552     }
553 
554     if (u->cq[qid]) {
555         trace_ufs_err_mcq_create_cq_already_exists(qid);
556         return false;
557     }
558 
559     cq = g_malloc0(sizeof(*cq));
560     cq->u = u;
561     cq->cqid = qid;
562     cq->addr = ((uint64_t)reg->cquba << 32) | reg->cqlba;
563     cq->size = ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsCqEntry);
564 
565     cq->bh = qemu_bh_new_guarded(ufs_mcq_process_cq, cq,
566                                  &DEVICE(u)->mem_reentrancy_guard);
567     QTAILQ_INIT(&cq->req_list);
568 
569     u->cq[qid] = cq;
570 
571     trace_ufs_mcq_create_cq(cq->cqid, cq->addr, cq->size);
572     return true;
573 }
574 
575 static bool ufs_mcq_delete_cq(UfsHc *u, uint8_t qid)
576 {
577     UfsCq *cq;
578 
579     if (qid >= u->params.mcq_maxq) {
580         trace_ufs_err_mcq_delete_cq_invalid_cqid(qid);
581         return false;
582     }
583 
584     if (!u->cq[qid]) {
585         trace_ufs_err_mcq_delete_cq_not_exists(qid);
586         return false;
587     }
588 
589     for (int i = 0; i < ARRAY_SIZE(u->sq); i++) {
590         if (u->sq[i] && u->sq[i]->cq->cqid == qid) {
591             trace_ufs_err_mcq_delete_cq_sq_not_deleted(i, qid);
592             return false;
593         }
594     }
595 
596     cq = u->cq[qid];
597 
598     qemu_bh_delete(cq->bh);
599     g_free(cq);
600     u->cq[qid] = NULL;
601     return true;
602 }
603 
604 static void ufs_write_reg(UfsHc *u, hwaddr offset, uint32_t data, unsigned size)
605 {
606     switch (offset) {
607     case A_IS:
608         u->reg.is &= ~data;
609         ufs_irq_check(u);
610         break;
611     case A_IE:
612         u->reg.ie = data;
613         ufs_irq_check(u);
614         break;
615     case A_HCE:
616         if (!FIELD_EX32(u->reg.hce, HCE, HCE) && FIELD_EX32(data, HCE, HCE)) {
617             u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UCRDY, 1);
618             u->reg.hce = FIELD_DP32(u->reg.hce, HCE, HCE, 1);
619         } else if (FIELD_EX32(u->reg.hce, HCE, HCE) &&
620                    !FIELD_EX32(data, HCE, HCE)) {
621             u->reg.hcs = 0;
622             u->reg.hce = FIELD_DP32(u->reg.hce, HCE, HCE, 0);
623         }
624         break;
625     case A_UTRLBA:
626         u->reg.utrlba = data & R_UTRLBA_UTRLBA_MASK;
627         break;
628     case A_UTRLBAU:
629         u->reg.utrlbau = data;
630         break;
631     case A_UTRLDBR:
632         ufs_process_db(u, data);
633         u->reg.utrldbr |= data;
634         break;
635     case A_UTRLRSR:
636         u->reg.utrlrsr = data;
637         break;
638     case A_UTRLCNR:
639         u->reg.utrlcnr &= ~data;
640         break;
641     case A_UTMRLBA:
642         u->reg.utmrlba = data & R_UTMRLBA_UTMRLBA_MASK;
643         break;
644     case A_UTMRLBAU:
645         u->reg.utmrlbau = data;
646         break;
647     case A_UICCMD:
648         ufs_process_uiccmd(u, data);
649         break;
650     case A_UCMDARG1:
651         u->reg.ucmdarg1 = data;
652         break;
653     case A_UCMDARG2:
654         u->reg.ucmdarg2 = data;
655         break;
656     case A_UCMDARG3:
657         u->reg.ucmdarg3 = data;
658         break;
659     case A_CONFIG:
660         u->reg.config = data;
661         break;
662     case A_MCQCONFIG:
663         u->reg.mcqconfig = data;
664         break;
665     case A_UTRLCLR:
666     case A_UTMRLDBR:
667     case A_UTMRLCLR:
668     case A_UTMRLRSR:
669         trace_ufs_err_unsupport_register_offset(offset);
670         break;
671     default:
672         trace_ufs_err_invalid_register_offset(offset);
673         break;
674     }
675 }
676 
677 static void ufs_write_mcq_reg(UfsHc *u, hwaddr offset, uint32_t data,
678                               unsigned size)
679 {
680     int qid = offset / sizeof(UfsMcqReg);
681     UfsMcqReg *reg = &u->mcq_reg[qid];
682 
683     switch (offset % sizeof(UfsMcqReg)) {
684     case A_SQATTR:
685         if (!FIELD_EX32(reg->sqattr, SQATTR, SQEN) &&
686             FIELD_EX32(data, SQATTR, SQEN)) {
687             if (!ufs_mcq_create_sq(u, qid, data)) {
688                 break;
689             }
690         } else if (FIELD_EX32(reg->sqattr, SQATTR, SQEN) &&
691                    !FIELD_EX32(data, SQATTR, SQEN)) {
692             if (!ufs_mcq_delete_sq(u, qid)) {
693                 break;
694             }
695         }
696         reg->sqattr = data;
697         break;
698     case A_SQLBA:
699         reg->sqlba = data;
700         break;
701     case A_SQUBA:
702         reg->squba = data;
703         break;
704     case A_SQCFG:
705         reg->sqcfg = data;
706         break;
707     case A_CQATTR:
708         if (!FIELD_EX32(reg->cqattr, CQATTR, CQEN) &&
709             FIELD_EX32(data, CQATTR, CQEN)) {
710             if (!ufs_mcq_create_cq(u, qid, data)) {
711                 break;
712             }
713         } else if (FIELD_EX32(reg->cqattr, CQATTR, CQEN) &&
714                    !FIELD_EX32(data, CQATTR, CQEN)) {
715             if (!ufs_mcq_delete_cq(u, qid)) {
716                 break;
717             }
718         }
719         reg->cqattr = data;
720         break;
721     case A_CQLBA:
722         reg->cqlba = data;
723         break;
724     case A_CQUBA:
725         reg->cquba = data;
726         break;
727     case A_CQCFG:
728         reg->cqcfg = data;
729         break;
730     case A_SQDAO:
731     case A_SQISAO:
732     case A_CQDAO:
733     case A_CQISAO:
734         trace_ufs_err_unsupport_register_offset(offset);
735         break;
736     default:
737         trace_ufs_err_invalid_register_offset(offset);
738         break;
739     }
740 }
741 
742 static void ufs_mcq_process_db(UfsHc *u, uint8_t qid, uint32_t db)
743 {
744     UfsSq *sq;
745 
746     if (qid >= u->params.mcq_maxq) {
747         trace_ufs_err_mcq_db_wr_invalid_sqid(qid);
748         return;
749     }
750 
751     sq = u->sq[qid];
752     if (sq->size * sizeof(UfsSqEntry) <= db) {
753         trace_ufs_err_mcq_db_wr_invalid_db(qid, db);
754         return;
755     }
756 
757     ufs_mcq_update_sq_tail(u, sq->sqid, db);
758     qemu_bh_schedule(sq->bh);
759 }
760 
761 static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offset, uint32_t data,
762                                  unsigned size)
763 {
764     int qid = offset / sizeof(UfsMcqOpReg);
765     UfsMcqOpReg *opr = &u->mcq_op_reg[qid];
766 
767     switch (offset % sizeof(UfsMcqOpReg)) {
768     case offsetof(UfsMcqOpReg, sq.tp):
769         if (opr->sq.tp != data) {
770             ufs_mcq_process_db(u, qid, data);
771         }
772         opr->sq.tp = data;
773         break;
774     case offsetof(UfsMcqOpReg, cq.hp):
775         opr->cq.hp = data;
776         ufs_mcq_update_cq_head(u, qid, data);
777         break;
778     case offsetof(UfsMcqOpReg, cq_int.is):
779         opr->cq_int.is &= ~data;
780         break;
781     default:
782         trace_ufs_err_invalid_register_offset(offset);
783         break;
784     }
785 }
786 
787 static uint64_t ufs_mmio_read(void *opaque, hwaddr addr, unsigned size)
788 {
789     UfsHc *u = (UfsHc *)opaque;
790     uint32_t *ptr;
791     uint64_t value;
792     uint64_t offset;
793 
794     if (addr + size <= sizeof(u->reg)) {
795         offset = addr;
796         ptr = (uint32_t *)&u->reg;
797     } else if (ufs_is_mcq_reg(u, addr, size)) {
798         offset = addr - ufs_mcq_reg_addr(u, 0);
799         ptr = (uint32_t *)&u->mcq_reg;
800     } else if (ufs_is_mcq_op_reg(u, addr, size)) {
801         offset = addr - ufs_mcq_op_reg_addr(u, 0);
802         ptr = (uint32_t *)&u->mcq_op_reg;
803     } else {
804         trace_ufs_err_invalid_register_offset(addr);
805         return 0;
806     }
807 
808     value = ptr[offset >> 2];
809     trace_ufs_mmio_read(addr, value, size);
810     return value;
811 }
812 
813 static void ufs_mmio_write(void *opaque, hwaddr addr, uint64_t data,
814                            unsigned size)
815 {
816     UfsHc *u = (UfsHc *)opaque;
817 
818     trace_ufs_mmio_write(addr, data, size);
819 
820     if (addr + size <= sizeof(u->reg)) {
821         ufs_write_reg(u, addr, data, size);
822     } else if (ufs_is_mcq_reg(u, addr, size)) {
823         ufs_write_mcq_reg(u, addr - ufs_mcq_reg_addr(u, 0), data, size);
824     } else if (ufs_is_mcq_op_reg(u, addr, size)) {
825         ufs_write_mcq_op_reg(u, addr - ufs_mcq_op_reg_addr(u, 0), data, size);
826     } else {
827         trace_ufs_err_invalid_register_offset(addr);
828     }
829 }
830 
831 static const MemoryRegionOps ufs_mmio_ops = {
832     .read = ufs_mmio_read,
833     .write = ufs_mmio_write,
834     .endianness = DEVICE_LITTLE_ENDIAN,
835     .impl = {
836         .min_access_size = 4,
837         .max_access_size = 4,
838     },
839 };
840 
841 
842 void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type, uint8_t flags,
843                            uint8_t response, uint8_t scsi_status,
844                            uint16_t data_segment_length)
845 {
846     memcpy(&req->rsp_upiu.header, &req->req_upiu.header, sizeof(UtpUpiuHeader));
847     req->rsp_upiu.header.trans_type = trans_type;
848     req->rsp_upiu.header.flags = flags;
849     req->rsp_upiu.header.response = response;
850     req->rsp_upiu.header.scsi_status = scsi_status;
851     req->rsp_upiu.header.data_segment_length = cpu_to_be16(data_segment_length);
852 }
853 
854 void ufs_build_query_response(UfsRequest *req)
855 {
856     req->rsp_upiu.qr.opcode = req->req_upiu.qr.opcode;
857     req->rsp_upiu.qr.idn = req->req_upiu.qr.idn;
858     req->rsp_upiu.qr.index = req->req_upiu.qr.index;
859     req->rsp_upiu.qr.selector = req->req_upiu.qr.selector;
860 }
861 
862 static UfsReqResult ufs_exec_scsi_cmd(UfsRequest *req)
863 {
864     UfsHc *u = req->hc;
865     uint8_t lun = req->req_upiu.header.lun;
866 
867     UfsLu *lu = NULL;
868 
869     trace_ufs_exec_scsi_cmd(req->slot, lun, req->req_upiu.sc.cdb[0]);
870 
871     if (!is_wlun(lun) && (lun >= UFS_MAX_LUS || u->lus[lun] == NULL)) {
872         trace_ufs_err_scsi_cmd_invalid_lun(lun);
873         return UFS_REQUEST_FAIL;
874     }
875 
876     switch (lun) {
877     case UFS_UPIU_REPORT_LUNS_WLUN:
878         lu = &u->report_wlu;
879         break;
880     case UFS_UPIU_UFS_DEVICE_WLUN:
881         lu = &u->dev_wlu;
882         break;
883     case UFS_UPIU_BOOT_WLUN:
884         lu = &u->boot_wlu;
885         break;
886     case UFS_UPIU_RPMB_WLUN:
887         lu = &u->rpmb_wlu;
888         break;
889     default:
890         lu = u->lus[lun];
891     }
892 
893     return lu->scsi_op(lu, req);
894 }
895 
896 static UfsReqResult ufs_exec_nop_cmd(UfsRequest *req)
897 {
898     trace_ufs_exec_nop_cmd(req->slot);
899     ufs_build_upiu_header(req, UFS_UPIU_TRANSACTION_NOP_IN, 0, 0, 0, 0);
900     return UFS_REQUEST_SUCCESS;
901 }
902 
903 /*
904  * This defines the permission of flags based on their IDN. There are some
905  * things that are declared read-only, which is inconsistent with the ufs spec,
906  * because we want to return an error for features that are not yet supported.
907  */
908 static const int flag_permission[UFS_QUERY_FLAG_IDN_COUNT] = {
909     [UFS_QUERY_FLAG_IDN_FDEVICEINIT] = UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET,
910     /* Write protection is not supported */
911     [UFS_QUERY_FLAG_IDN_PERMANENT_WPE] = UFS_QUERY_FLAG_READ,
912     [UFS_QUERY_FLAG_IDN_PWR_ON_WPE] = UFS_QUERY_FLAG_READ,
913     [UFS_QUERY_FLAG_IDN_BKOPS_EN] = UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET |
914                                     UFS_QUERY_FLAG_CLEAR |
915                                     UFS_QUERY_FLAG_TOGGLE,
916     [UFS_QUERY_FLAG_IDN_LIFE_SPAN_MODE_ENABLE] =
917         UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET | UFS_QUERY_FLAG_CLEAR |
918         UFS_QUERY_FLAG_TOGGLE,
919     /* Purge Operation is not supported */
920     [UFS_QUERY_FLAG_IDN_PURGE_ENABLE] = UFS_QUERY_FLAG_NONE,
921     /* Refresh Operation is not supported */
922     [UFS_QUERY_FLAG_IDN_REFRESH_ENABLE] = UFS_QUERY_FLAG_NONE,
923     /* Physical Resource Removal is not supported */
924     [UFS_QUERY_FLAG_IDN_FPHYRESOURCEREMOVAL] = UFS_QUERY_FLAG_READ,
925     [UFS_QUERY_FLAG_IDN_BUSY_RTC] = UFS_QUERY_FLAG_READ,
926     [UFS_QUERY_FLAG_IDN_PERMANENTLY_DISABLE_FW_UPDATE] = UFS_QUERY_FLAG_READ,
927     /* Write Booster is not supported */
928     [UFS_QUERY_FLAG_IDN_WB_EN] = UFS_QUERY_FLAG_READ,
929     [UFS_QUERY_FLAG_IDN_WB_BUFF_FLUSH_EN] = UFS_QUERY_FLAG_READ,
930     [UFS_QUERY_FLAG_IDN_WB_BUFF_FLUSH_DURING_HIBERN8] = UFS_QUERY_FLAG_READ,
931 };
932 
933 static inline QueryRespCode ufs_flag_check_idn_valid(uint8_t idn, int op)
934 {
935     if (idn >= UFS_QUERY_FLAG_IDN_COUNT) {
936         return UFS_QUERY_RESULT_INVALID_IDN;
937     }
938 
939     if (!(flag_permission[idn] & op)) {
940         if (op == UFS_QUERY_FLAG_READ) {
941             trace_ufs_err_query_flag_not_readable(idn);
942             return UFS_QUERY_RESULT_NOT_READABLE;
943         }
944         trace_ufs_err_query_flag_not_writable(idn);
945         return UFS_QUERY_RESULT_NOT_WRITEABLE;
946     }
947 
948     return UFS_QUERY_RESULT_SUCCESS;
949 }
950 
951 static const int attr_permission[UFS_QUERY_ATTR_IDN_COUNT] = {
952     /* booting is not supported */
953     [UFS_QUERY_ATTR_IDN_BOOT_LU_EN] = UFS_QUERY_ATTR_READ,
954     [UFS_QUERY_ATTR_IDN_POWER_MODE] = UFS_QUERY_ATTR_READ,
955     [UFS_QUERY_ATTR_IDN_ACTIVE_ICC_LVL] =
956         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
957     [UFS_QUERY_ATTR_IDN_OOO_DATA_EN] = UFS_QUERY_ATTR_READ,
958     [UFS_QUERY_ATTR_IDN_BKOPS_STATUS] = UFS_QUERY_ATTR_READ,
959     [UFS_QUERY_ATTR_IDN_PURGE_STATUS] = UFS_QUERY_ATTR_READ,
960     [UFS_QUERY_ATTR_IDN_MAX_DATA_IN] =
961         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
962     [UFS_QUERY_ATTR_IDN_MAX_DATA_OUT] =
963         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
964     [UFS_QUERY_ATTR_IDN_DYN_CAP_NEEDED] = UFS_QUERY_ATTR_READ,
965     [UFS_QUERY_ATTR_IDN_REF_CLK_FREQ] =
966         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
967     [UFS_QUERY_ATTR_IDN_CONF_DESC_LOCK] = UFS_QUERY_ATTR_READ,
968     [UFS_QUERY_ATTR_IDN_MAX_NUM_OF_RTT] =
969         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
970     [UFS_QUERY_ATTR_IDN_EE_CONTROL] =
971         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
972     [UFS_QUERY_ATTR_IDN_EE_STATUS] = UFS_QUERY_ATTR_READ,
973     [UFS_QUERY_ATTR_IDN_SECONDS_PASSED] = UFS_QUERY_ATTR_WRITE,
974     [UFS_QUERY_ATTR_IDN_CNTX_CONF] = UFS_QUERY_ATTR_READ,
975     [UFS_QUERY_ATTR_IDN_FFU_STATUS] = UFS_QUERY_ATTR_READ,
976     [UFS_QUERY_ATTR_IDN_PSA_STATE] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
977     [UFS_QUERY_ATTR_IDN_PSA_DATA_SIZE] =
978         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
979     [UFS_QUERY_ATTR_IDN_REF_CLK_GATING_WAIT_TIME] = UFS_QUERY_ATTR_READ,
980     [UFS_QUERY_ATTR_IDN_CASE_ROUGH_TEMP] = UFS_QUERY_ATTR_READ,
981     [UFS_QUERY_ATTR_IDN_HIGH_TEMP_BOUND] = UFS_QUERY_ATTR_READ,
982     [UFS_QUERY_ATTR_IDN_LOW_TEMP_BOUND] = UFS_QUERY_ATTR_READ,
983     [UFS_QUERY_ATTR_IDN_THROTTLING_STATUS] = UFS_QUERY_ATTR_READ,
984     [UFS_QUERY_ATTR_IDN_WB_FLUSH_STATUS] = UFS_QUERY_ATTR_READ,
985     [UFS_QUERY_ATTR_IDN_AVAIL_WB_BUFF_SIZE] = UFS_QUERY_ATTR_READ,
986     [UFS_QUERY_ATTR_IDN_WB_BUFF_LIFE_TIME_EST] = UFS_QUERY_ATTR_READ,
987     [UFS_QUERY_ATTR_IDN_CURR_WB_BUFF_SIZE] = UFS_QUERY_ATTR_READ,
988     /* refresh operation is not supported */
989     [UFS_QUERY_ATTR_IDN_REFRESH_STATUS] = UFS_QUERY_ATTR_READ,
990     [UFS_QUERY_ATTR_IDN_REFRESH_FREQ] = UFS_QUERY_ATTR_READ,
991     [UFS_QUERY_ATTR_IDN_REFRESH_UNIT] = UFS_QUERY_ATTR_READ,
992 };
993 
994 static inline QueryRespCode ufs_attr_check_idn_valid(uint8_t idn, int op)
995 {
996     if (idn >= UFS_QUERY_ATTR_IDN_COUNT) {
997         return UFS_QUERY_RESULT_INVALID_IDN;
998     }
999 
1000     if (!(attr_permission[idn] & op)) {
1001         if (op == UFS_QUERY_ATTR_READ) {
1002             trace_ufs_err_query_attr_not_readable(idn);
1003             return UFS_QUERY_RESULT_NOT_READABLE;
1004         }
1005         trace_ufs_err_query_attr_not_writable(idn);
1006         return UFS_QUERY_RESULT_NOT_WRITEABLE;
1007     }
1008 
1009     return UFS_QUERY_RESULT_SUCCESS;
1010 }
1011 
1012 static QueryRespCode ufs_exec_query_flag(UfsRequest *req, int op)
1013 {
1014     UfsHc *u = req->hc;
1015     uint8_t idn = req->req_upiu.qr.idn;
1016     uint32_t value;
1017     QueryRespCode ret;
1018 
1019     ret = ufs_flag_check_idn_valid(idn, op);
1020     if (ret) {
1021         return ret;
1022     }
1023 
1024     if (idn == UFS_QUERY_FLAG_IDN_FDEVICEINIT) {
1025         value = 0;
1026     } else if (op == UFS_QUERY_FLAG_READ) {
1027         value = *(((uint8_t *)&u->flags) + idn);
1028     } else if (op == UFS_QUERY_FLAG_SET) {
1029         value = 1;
1030     } else if (op == UFS_QUERY_FLAG_CLEAR) {
1031         value = 0;
1032     } else if (op == UFS_QUERY_FLAG_TOGGLE) {
1033         value = *(((uint8_t *)&u->flags) + idn);
1034         value = !value;
1035     } else {
1036         trace_ufs_err_query_invalid_opcode(op);
1037         return UFS_QUERY_RESULT_INVALID_OPCODE;
1038     }
1039 
1040     *(((uint8_t *)&u->flags) + idn) = value;
1041     req->rsp_upiu.qr.value = cpu_to_be32(value);
1042     return UFS_QUERY_RESULT_SUCCESS;
1043 }
1044 
1045 static uint32_t ufs_read_attr_value(UfsHc *u, uint8_t idn)
1046 {
1047     switch (idn) {
1048     case UFS_QUERY_ATTR_IDN_BOOT_LU_EN:
1049         return u->attributes.boot_lun_en;
1050     case UFS_QUERY_ATTR_IDN_POWER_MODE:
1051         return u->attributes.current_power_mode;
1052     case UFS_QUERY_ATTR_IDN_ACTIVE_ICC_LVL:
1053         return u->attributes.active_icc_level;
1054     case UFS_QUERY_ATTR_IDN_OOO_DATA_EN:
1055         return u->attributes.out_of_order_data_en;
1056     case UFS_QUERY_ATTR_IDN_BKOPS_STATUS:
1057         return u->attributes.background_op_status;
1058     case UFS_QUERY_ATTR_IDN_PURGE_STATUS:
1059         return u->attributes.purge_status;
1060     case UFS_QUERY_ATTR_IDN_MAX_DATA_IN:
1061         return u->attributes.max_data_in_size;
1062     case UFS_QUERY_ATTR_IDN_MAX_DATA_OUT:
1063         return u->attributes.max_data_out_size;
1064     case UFS_QUERY_ATTR_IDN_DYN_CAP_NEEDED:
1065         return be32_to_cpu(u->attributes.dyn_cap_needed);
1066     case UFS_QUERY_ATTR_IDN_REF_CLK_FREQ:
1067         return u->attributes.ref_clk_freq;
1068     case UFS_QUERY_ATTR_IDN_CONF_DESC_LOCK:
1069         return u->attributes.config_descr_lock;
1070     case UFS_QUERY_ATTR_IDN_MAX_NUM_OF_RTT:
1071         return u->attributes.max_num_of_rtt;
1072     case UFS_QUERY_ATTR_IDN_EE_CONTROL:
1073         return be16_to_cpu(u->attributes.exception_event_control);
1074     case UFS_QUERY_ATTR_IDN_EE_STATUS:
1075         return be16_to_cpu(u->attributes.exception_event_status);
1076     case UFS_QUERY_ATTR_IDN_SECONDS_PASSED:
1077         return be32_to_cpu(u->attributes.seconds_passed);
1078     case UFS_QUERY_ATTR_IDN_CNTX_CONF:
1079         return be16_to_cpu(u->attributes.context_conf);
1080     case UFS_QUERY_ATTR_IDN_FFU_STATUS:
1081         return u->attributes.device_ffu_status;
1082     case UFS_QUERY_ATTR_IDN_PSA_STATE:
1083         return be32_to_cpu(u->attributes.psa_state);
1084     case UFS_QUERY_ATTR_IDN_PSA_DATA_SIZE:
1085         return be32_to_cpu(u->attributes.psa_data_size);
1086     case UFS_QUERY_ATTR_IDN_REF_CLK_GATING_WAIT_TIME:
1087         return u->attributes.ref_clk_gating_wait_time;
1088     case UFS_QUERY_ATTR_IDN_CASE_ROUGH_TEMP:
1089         return u->attributes.device_case_rough_temperaure;
1090     case UFS_QUERY_ATTR_IDN_HIGH_TEMP_BOUND:
1091         return u->attributes.device_too_high_temp_boundary;
1092     case UFS_QUERY_ATTR_IDN_LOW_TEMP_BOUND:
1093         return u->attributes.device_too_low_temp_boundary;
1094     case UFS_QUERY_ATTR_IDN_THROTTLING_STATUS:
1095         return u->attributes.throttling_status;
1096     case UFS_QUERY_ATTR_IDN_WB_FLUSH_STATUS:
1097         return u->attributes.wb_buffer_flush_status;
1098     case UFS_QUERY_ATTR_IDN_AVAIL_WB_BUFF_SIZE:
1099         return u->attributes.available_wb_buffer_size;
1100     case UFS_QUERY_ATTR_IDN_WB_BUFF_LIFE_TIME_EST:
1101         return u->attributes.wb_buffer_life_time_est;
1102     case UFS_QUERY_ATTR_IDN_CURR_WB_BUFF_SIZE:
1103         return be32_to_cpu(u->attributes.current_wb_buffer_size);
1104     case UFS_QUERY_ATTR_IDN_REFRESH_STATUS:
1105         return u->attributes.refresh_status;
1106     case UFS_QUERY_ATTR_IDN_REFRESH_FREQ:
1107         return u->attributes.refresh_freq;
1108     case UFS_QUERY_ATTR_IDN_REFRESH_UNIT:
1109         return u->attributes.refresh_unit;
1110     }
1111     return 0;
1112 }
1113 
1114 static QueryRespCode ufs_write_attr_value(UfsHc *u, uint8_t idn, uint32_t value)
1115 {
1116     switch (idn) {
1117     case UFS_QUERY_ATTR_IDN_ACTIVE_ICC_LVL:
1118         if (value > UFS_QUERY_ATTR_ACTIVE_ICC_MAXVALUE) {
1119             return UFS_QUERY_RESULT_INVALID_VALUE;
1120         }
1121         u->attributes.active_icc_level = value;
1122         break;
1123     case UFS_QUERY_ATTR_IDN_MAX_DATA_IN:
1124         u->attributes.max_data_in_size = value;
1125         break;
1126     case UFS_QUERY_ATTR_IDN_MAX_DATA_OUT:
1127         u->attributes.max_data_out_size = value;
1128         break;
1129     case UFS_QUERY_ATTR_IDN_REF_CLK_FREQ:
1130         u->attributes.ref_clk_freq = value;
1131         break;
1132     case UFS_QUERY_ATTR_IDN_MAX_NUM_OF_RTT:
1133         u->attributes.max_num_of_rtt = value;
1134         break;
1135     case UFS_QUERY_ATTR_IDN_EE_CONTROL:
1136         u->attributes.exception_event_control = cpu_to_be16(value);
1137         break;
1138     case UFS_QUERY_ATTR_IDN_SECONDS_PASSED:
1139         u->attributes.seconds_passed = cpu_to_be32(value);
1140         break;
1141     case UFS_QUERY_ATTR_IDN_PSA_STATE:
1142         u->attributes.psa_state = value;
1143         break;
1144     case UFS_QUERY_ATTR_IDN_PSA_DATA_SIZE:
1145         u->attributes.psa_data_size = cpu_to_be32(value);
1146         break;
1147     }
1148     return UFS_QUERY_RESULT_SUCCESS;
1149 }
1150 
1151 static QueryRespCode ufs_exec_query_attr(UfsRequest *req, int op)
1152 {
1153     UfsHc *u = req->hc;
1154     uint8_t idn = req->req_upiu.qr.idn;
1155     uint32_t value;
1156     QueryRespCode ret;
1157 
1158     ret = ufs_attr_check_idn_valid(idn, op);
1159     if (ret) {
1160         return ret;
1161     }
1162 
1163     if (op == UFS_QUERY_ATTR_READ) {
1164         value = ufs_read_attr_value(u, idn);
1165         ret = UFS_QUERY_RESULT_SUCCESS;
1166     } else {
1167         value = req->req_upiu.qr.value;
1168         ret = ufs_write_attr_value(u, idn, value);
1169     }
1170     req->rsp_upiu.qr.value = cpu_to_be32(value);
1171     return ret;
1172 }
1173 
1174 static const RpmbUnitDescriptor rpmb_unit_desc = {
1175     .length = sizeof(RpmbUnitDescriptor),
1176     .descriptor_idn = 2,
1177     .unit_index = UFS_UPIU_RPMB_WLUN,
1178     .lu_enable = 0,
1179 };
1180 
1181 static QueryRespCode ufs_read_unit_desc(UfsRequest *req)
1182 {
1183     UfsHc *u = req->hc;
1184     uint8_t lun = req->req_upiu.qr.index;
1185 
1186     if (lun != UFS_UPIU_RPMB_WLUN &&
1187         (lun >= UFS_MAX_LUS || u->lus[lun] == NULL)) {
1188         trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, lun);
1189         return UFS_QUERY_RESULT_INVALID_INDEX;
1190     }
1191 
1192     if (lun == UFS_UPIU_RPMB_WLUN) {
1193         memcpy(&req->rsp_upiu.qr.data, &rpmb_unit_desc, rpmb_unit_desc.length);
1194     } else {
1195         memcpy(&req->rsp_upiu.qr.data, &u->lus[lun]->unit_desc,
1196                sizeof(u->lus[lun]->unit_desc));
1197     }
1198 
1199     return UFS_QUERY_RESULT_SUCCESS;
1200 }
1201 
1202 static inline StringDescriptor manufacturer_str_desc(void)
1203 {
1204     StringDescriptor desc = {
1205         .length = 0x12,
1206         .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1207     };
1208     desc.UC[0] = cpu_to_be16('R');
1209     desc.UC[1] = cpu_to_be16('E');
1210     desc.UC[2] = cpu_to_be16('D');
1211     desc.UC[3] = cpu_to_be16('H');
1212     desc.UC[4] = cpu_to_be16('A');
1213     desc.UC[5] = cpu_to_be16('T');
1214     return desc;
1215 }
1216 
1217 static inline StringDescriptor product_name_str_desc(void)
1218 {
1219     StringDescriptor desc = {
1220         .length = 0x22,
1221         .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1222     };
1223     desc.UC[0] = cpu_to_be16('Q');
1224     desc.UC[1] = cpu_to_be16('E');
1225     desc.UC[2] = cpu_to_be16('M');
1226     desc.UC[3] = cpu_to_be16('U');
1227     desc.UC[4] = cpu_to_be16(' ');
1228     desc.UC[5] = cpu_to_be16('U');
1229     desc.UC[6] = cpu_to_be16('F');
1230     desc.UC[7] = cpu_to_be16('S');
1231     return desc;
1232 }
1233 
1234 static inline StringDescriptor product_rev_level_str_desc(void)
1235 {
1236     StringDescriptor desc = {
1237         .length = 0x0a,
1238         .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1239     };
1240     desc.UC[0] = cpu_to_be16('0');
1241     desc.UC[1] = cpu_to_be16('0');
1242     desc.UC[2] = cpu_to_be16('0');
1243     desc.UC[3] = cpu_to_be16('1');
1244     return desc;
1245 }
1246 
1247 static const StringDescriptor null_str_desc = {
1248     .length = 0x02,
1249     .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1250 };
1251 
1252 static QueryRespCode ufs_read_string_desc(UfsRequest *req)
1253 {
1254     UfsHc *u = req->hc;
1255     uint8_t index = req->req_upiu.qr.index;
1256     StringDescriptor desc;
1257 
1258     if (index == u->device_desc.manufacturer_name) {
1259         desc = manufacturer_str_desc();
1260         memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
1261     } else if (index == u->device_desc.product_name) {
1262         desc = product_name_str_desc();
1263         memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
1264     } else if (index == u->device_desc.serial_number) {
1265         memcpy(&req->rsp_upiu.qr.data, &null_str_desc, null_str_desc.length);
1266     } else if (index == u->device_desc.oem_id) {
1267         memcpy(&req->rsp_upiu.qr.data, &null_str_desc, null_str_desc.length);
1268     } else if (index == u->device_desc.product_revision_level) {
1269         desc = product_rev_level_str_desc();
1270         memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
1271     } else {
1272         trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, index);
1273         return UFS_QUERY_RESULT_INVALID_INDEX;
1274     }
1275     return UFS_QUERY_RESULT_SUCCESS;
1276 }
1277 
1278 static inline InterconnectDescriptor interconnect_desc(void)
1279 {
1280     InterconnectDescriptor desc = {
1281         .length = sizeof(InterconnectDescriptor),
1282         .descriptor_idn = UFS_QUERY_DESC_IDN_INTERCONNECT,
1283     };
1284     desc.bcd_unipro_version = cpu_to_be16(0x180);
1285     desc.bcd_mphy_version = cpu_to_be16(0x410);
1286     return desc;
1287 }
1288 
1289 static QueryRespCode ufs_read_desc(UfsRequest *req)
1290 {
1291     UfsHc *u = req->hc;
1292     QueryRespCode status;
1293     uint8_t idn = req->req_upiu.qr.idn;
1294     uint8_t selector = req->req_upiu.qr.selector;
1295     uint16_t length = be16_to_cpu(req->req_upiu.qr.length);
1296     InterconnectDescriptor desc;
1297     if (selector != 0) {
1298         return UFS_QUERY_RESULT_INVALID_SELECTOR;
1299     }
1300     switch (idn) {
1301     case UFS_QUERY_DESC_IDN_DEVICE:
1302         memcpy(&req->rsp_upiu.qr.data, &u->device_desc, sizeof(u->device_desc));
1303         status = UFS_QUERY_RESULT_SUCCESS;
1304         break;
1305     case UFS_QUERY_DESC_IDN_UNIT:
1306         status = ufs_read_unit_desc(req);
1307         break;
1308     case UFS_QUERY_DESC_IDN_GEOMETRY:
1309         memcpy(&req->rsp_upiu.qr.data, &u->geometry_desc,
1310                sizeof(u->geometry_desc));
1311         status = UFS_QUERY_RESULT_SUCCESS;
1312         break;
1313     case UFS_QUERY_DESC_IDN_INTERCONNECT: {
1314         desc = interconnect_desc();
1315         memcpy(&req->rsp_upiu.qr.data, &desc, sizeof(InterconnectDescriptor));
1316         status = UFS_QUERY_RESULT_SUCCESS;
1317         break;
1318     }
1319     case UFS_QUERY_DESC_IDN_STRING:
1320         status = ufs_read_string_desc(req);
1321         break;
1322     case UFS_QUERY_DESC_IDN_POWER:
1323         /* mocking of power descriptor is not supported */
1324         memset(&req->rsp_upiu.qr.data, 0, sizeof(PowerParametersDescriptor));
1325         req->rsp_upiu.qr.data[0] = sizeof(PowerParametersDescriptor);
1326         req->rsp_upiu.qr.data[1] = UFS_QUERY_DESC_IDN_POWER;
1327         status = UFS_QUERY_RESULT_SUCCESS;
1328         break;
1329     case UFS_QUERY_DESC_IDN_HEALTH:
1330         /* mocking of health descriptor is not supported */
1331         memset(&req->rsp_upiu.qr.data, 0, sizeof(DeviceHealthDescriptor));
1332         req->rsp_upiu.qr.data[0] = sizeof(DeviceHealthDescriptor);
1333         req->rsp_upiu.qr.data[1] = UFS_QUERY_DESC_IDN_HEALTH;
1334         status = UFS_QUERY_RESULT_SUCCESS;
1335         break;
1336     default:
1337         length = 0;
1338         trace_ufs_err_query_invalid_idn(req->req_upiu.qr.opcode, idn);
1339         status = UFS_QUERY_RESULT_INVALID_IDN;
1340     }
1341 
1342     if (length > req->rsp_upiu.qr.data[0]) {
1343         length = req->rsp_upiu.qr.data[0];
1344     }
1345     req->rsp_upiu.qr.length = cpu_to_be16(length);
1346 
1347     return status;
1348 }
1349 
1350 static QueryRespCode ufs_exec_query_read(UfsRequest *req)
1351 {
1352     QueryRespCode status;
1353     switch (req->req_upiu.qr.opcode) {
1354     case UFS_UPIU_QUERY_OPCODE_NOP:
1355         status = UFS_QUERY_RESULT_SUCCESS;
1356         break;
1357     case UFS_UPIU_QUERY_OPCODE_READ_DESC:
1358         status = ufs_read_desc(req);
1359         break;
1360     case UFS_UPIU_QUERY_OPCODE_READ_ATTR:
1361         status = ufs_exec_query_attr(req, UFS_QUERY_ATTR_READ);
1362         break;
1363     case UFS_UPIU_QUERY_OPCODE_READ_FLAG:
1364         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_READ);
1365         break;
1366     default:
1367         trace_ufs_err_query_invalid_opcode(req->req_upiu.qr.opcode);
1368         status = UFS_QUERY_RESULT_INVALID_OPCODE;
1369         break;
1370     }
1371 
1372     return status;
1373 }
1374 
1375 static QueryRespCode ufs_exec_query_write(UfsRequest *req)
1376 {
1377     QueryRespCode status;
1378     switch (req->req_upiu.qr.opcode) {
1379     case UFS_UPIU_QUERY_OPCODE_NOP:
1380         status = UFS_QUERY_RESULT_SUCCESS;
1381         break;
1382     case UFS_UPIU_QUERY_OPCODE_WRITE_DESC:
1383         /* write descriptor is not supported */
1384         status = UFS_QUERY_RESULT_NOT_WRITEABLE;
1385         break;
1386     case UFS_UPIU_QUERY_OPCODE_WRITE_ATTR:
1387         status = ufs_exec_query_attr(req, UFS_QUERY_ATTR_WRITE);
1388         break;
1389     case UFS_UPIU_QUERY_OPCODE_SET_FLAG:
1390         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_SET);
1391         break;
1392     case UFS_UPIU_QUERY_OPCODE_CLEAR_FLAG:
1393         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_CLEAR);
1394         break;
1395     case UFS_UPIU_QUERY_OPCODE_TOGGLE_FLAG:
1396         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_TOGGLE);
1397         break;
1398     default:
1399         trace_ufs_err_query_invalid_opcode(req->req_upiu.qr.opcode);
1400         status = UFS_QUERY_RESULT_INVALID_OPCODE;
1401         break;
1402     }
1403 
1404     return status;
1405 }
1406 
1407 static UfsReqResult ufs_exec_query_cmd(UfsRequest *req)
1408 {
1409     uint8_t query_func = req->req_upiu.header.query_func;
1410     uint16_t data_segment_length;
1411     QueryRespCode status;
1412 
1413     trace_ufs_exec_query_cmd(req->slot, req->req_upiu.qr.opcode);
1414     if (query_func == UFS_UPIU_QUERY_FUNC_STANDARD_READ_REQUEST) {
1415         status = ufs_exec_query_read(req);
1416     } else if (query_func == UFS_UPIU_QUERY_FUNC_STANDARD_WRITE_REQUEST) {
1417         status = ufs_exec_query_write(req);
1418     } else {
1419         status = UFS_QUERY_RESULT_GENERAL_FAILURE;
1420     }
1421 
1422     data_segment_length = be16_to_cpu(req->rsp_upiu.qr.length);
1423     ufs_build_upiu_header(req, UFS_UPIU_TRANSACTION_QUERY_RSP, 0, status, 0,
1424                           data_segment_length);
1425     ufs_build_query_response(req);
1426 
1427     if (status != UFS_QUERY_RESULT_SUCCESS) {
1428         return UFS_REQUEST_FAIL;
1429     }
1430     return UFS_REQUEST_SUCCESS;
1431 }
1432 
1433 static void ufs_exec_req(UfsRequest *req)
1434 {
1435     UfsReqResult req_result;
1436 
1437     if (ufs_dma_read_upiu(req)) {
1438         return;
1439     }
1440 
1441     switch (req->req_upiu.header.trans_type) {
1442     case UFS_UPIU_TRANSACTION_NOP_OUT:
1443         req_result = ufs_exec_nop_cmd(req);
1444         break;
1445     case UFS_UPIU_TRANSACTION_COMMAND:
1446         req_result = ufs_exec_scsi_cmd(req);
1447         break;
1448     case UFS_UPIU_TRANSACTION_QUERY_REQ:
1449         req_result = ufs_exec_query_cmd(req);
1450         break;
1451     default:
1452         trace_ufs_err_invalid_trans_code(req->slot,
1453                                          req->req_upiu.header.trans_type);
1454         req_result = UFS_REQUEST_FAIL;
1455     }
1456 
1457     /*
1458      * The ufs_complete_req for scsi commands is handled by the
1459      * ufs_scsi_command_complete() callback function. Therefore, to avoid
1460      * duplicate processing, ufs_complete_req() is not called for scsi commands.
1461      */
1462     if (req_result != UFS_REQUEST_NO_COMPLETE) {
1463         ufs_complete_req(req, req_result);
1464     }
1465 }
1466 
1467 static void ufs_process_req(void *opaque)
1468 {
1469     UfsHc *u = opaque;
1470     UfsRequest *req;
1471     int slot;
1472 
1473     for (slot = 0; slot < u->params.nutrs; slot++) {
1474         req = &u->req_list[slot];
1475 
1476         if (req->state != UFS_REQUEST_READY) {
1477             continue;
1478         }
1479         trace_ufs_process_req(slot);
1480         req->state = UFS_REQUEST_RUNNING;
1481 
1482         ufs_exec_req(req);
1483     }
1484 }
1485 
1486 void ufs_complete_req(UfsRequest *req, UfsReqResult req_result)
1487 {
1488     UfsHc *u = req->hc;
1489     assert(req->state == UFS_REQUEST_RUNNING);
1490 
1491     if (req_result == UFS_REQUEST_SUCCESS) {
1492         req->utrd.header.dword_2 = cpu_to_le32(UFS_OCS_SUCCESS);
1493     } else {
1494         req->utrd.header.dword_2 = cpu_to_le32(UFS_OCS_INVALID_CMD_TABLE_ATTR);
1495     }
1496 
1497     req->state = UFS_REQUEST_COMPLETE;
1498 
1499     if (ufs_mcq_req(req)) {
1500         trace_ufs_mcq_complete_req(req->sq->sqid);
1501         QTAILQ_INSERT_TAIL(&req->sq->cq->req_list, req, entry);
1502         qemu_bh_schedule(req->sq->cq->bh);
1503     } else {
1504         trace_ufs_complete_req(req->slot);
1505         qemu_bh_schedule(u->complete_bh);
1506     }
1507 }
1508 
1509 static void ufs_clear_req(UfsRequest *req)
1510 {
1511     if (req->sg != NULL) {
1512         qemu_sglist_destroy(req->sg);
1513         g_free(req->sg);
1514         req->sg = NULL;
1515         req->data_len = 0;
1516     }
1517 
1518     memset(&req->utrd, 0, sizeof(req->utrd));
1519     memset(&req->req_upiu, 0, sizeof(req->req_upiu));
1520     memset(&req->rsp_upiu, 0, sizeof(req->rsp_upiu));
1521 }
1522 
1523 static void ufs_sendback_req(void *opaque)
1524 {
1525     UfsHc *u = opaque;
1526     UfsRequest *req;
1527     int slot;
1528 
1529     for (slot = 0; slot < u->params.nutrs; slot++) {
1530         req = &u->req_list[slot];
1531 
1532         if (req->state != UFS_REQUEST_COMPLETE) {
1533             continue;
1534         }
1535 
1536         if (ufs_dma_write_upiu(req)) {
1537             req->state = UFS_REQUEST_ERROR;
1538             continue;
1539         }
1540 
1541         /*
1542          * TODO: UTP Transfer Request Interrupt Aggregation Control is not yet
1543          * supported
1544          */
1545         if (le32_to_cpu(req->utrd.header.dword_2) != UFS_OCS_SUCCESS ||
1546             le32_to_cpu(req->utrd.header.dword_0) & UFS_UTP_REQ_DESC_INT_CMD) {
1547             u->reg.is = FIELD_DP32(u->reg.is, IS, UTRCS, 1);
1548         }
1549 
1550         u->reg.utrldbr &= ~(1 << slot);
1551         u->reg.utrlcnr |= (1 << slot);
1552 
1553         trace_ufs_sendback_req(req->slot);
1554 
1555         ufs_clear_req(req);
1556         req->state = UFS_REQUEST_IDLE;
1557     }
1558 
1559     ufs_irq_check(u);
1560 }
1561 
1562 static bool ufs_check_constraints(UfsHc *u, Error **errp)
1563 {
1564     if (u->params.nutrs > UFS_MAX_NUTRS) {
1565         error_setg(errp, "nutrs must be less than or equal to %d",
1566                    UFS_MAX_NUTRS);
1567         return false;
1568     }
1569 
1570     if (u->params.nutmrs > UFS_MAX_NUTMRS) {
1571         error_setg(errp, "nutmrs must be less than or equal to %d",
1572                    UFS_MAX_NUTMRS);
1573         return false;
1574     }
1575 
1576     if (u->params.mcq_maxq >= UFS_MAX_MCQ_QNUM) {
1577         error_setg(errp, "mcq-maxq must be less than %d", UFS_MAX_MCQ_QNUM);
1578         return false;
1579     }
1580 
1581     return true;
1582 }
1583 
1584 static void ufs_init_pci(UfsHc *u, PCIDevice *pci_dev)
1585 {
1586     uint8_t *pci_conf = pci_dev->config;
1587 
1588     pci_conf[PCI_INTERRUPT_PIN] = 1;
1589     pci_config_set_prog_interface(pci_conf, 0x1);
1590 
1591     memory_region_init_io(&u->iomem, OBJECT(u), &ufs_mmio_ops, u, "ufs",
1592                           u->reg_size);
1593     pci_register_bar(pci_dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, &u->iomem);
1594     u->irq = pci_allocate_irq(pci_dev);
1595 }
1596 
1597 static void ufs_init_state(UfsHc *u)
1598 {
1599     u->req_list = g_new0(UfsRequest, u->params.nutrs);
1600 
1601     for (int i = 0; i < u->params.nutrs; i++) {
1602         u->req_list[i].hc = u;
1603         u->req_list[i].slot = i;
1604         u->req_list[i].sg = NULL;
1605         u->req_list[i].state = UFS_REQUEST_IDLE;
1606     }
1607 
1608     u->doorbell_bh = qemu_bh_new_guarded(ufs_process_req, u,
1609                                          &DEVICE(u)->mem_reentrancy_guard);
1610     u->complete_bh = qemu_bh_new_guarded(ufs_sendback_req, u,
1611                                          &DEVICE(u)->mem_reentrancy_guard);
1612 
1613     if (u->params.mcq) {
1614         memset(u->sq, 0, sizeof(u->sq));
1615         memset(u->cq, 0, sizeof(u->cq));
1616     }
1617 }
1618 
1619 static void ufs_init_hc(UfsHc *u)
1620 {
1621     uint32_t cap = 0;
1622     uint32_t mcqconfig = 0;
1623     uint32_t mcqcap = 0;
1624 
1625     u->reg_size = pow2ceil(ufs_reg_size(u));
1626 
1627     memset(&u->reg, 0, sizeof(u->reg));
1628     memset(&u->mcq_reg, 0, sizeof(u->mcq_reg));
1629     memset(&u->mcq_op_reg, 0, sizeof(u->mcq_op_reg));
1630     cap = FIELD_DP32(cap, CAP, NUTRS, (u->params.nutrs - 1));
1631     cap = FIELD_DP32(cap, CAP, RTT, 2);
1632     cap = FIELD_DP32(cap, CAP, NUTMRS, (u->params.nutmrs - 1));
1633     cap = FIELD_DP32(cap, CAP, AUTOH8, 0);
1634     cap = FIELD_DP32(cap, CAP, 64AS, 1);
1635     cap = FIELD_DP32(cap, CAP, OODDS, 0);
1636     cap = FIELD_DP32(cap, CAP, UICDMETMS, 0);
1637     cap = FIELD_DP32(cap, CAP, CS, 0);
1638     cap = FIELD_DP32(cap, CAP, LSDBS, 1);
1639     cap = FIELD_DP32(cap, CAP, MCQS, u->params.mcq);
1640     u->reg.cap = cap;
1641 
1642     if (u->params.mcq) {
1643         mcqconfig = FIELD_DP32(mcqconfig, MCQCONFIG, MAC, 0x1f);
1644         u->reg.mcqconfig = mcqconfig;
1645 
1646         mcqcap = FIELD_DP32(mcqcap, MCQCAP, MAXQ, u->params.mcq_maxq - 1);
1647         mcqcap = FIELD_DP32(mcqcap, MCQCAP, RRP, 1);
1648         mcqcap = FIELD_DP32(mcqcap, MCQCAP, QCFGPTR, UFS_MCQ_QCFGPTR);
1649         u->reg.mcqcap = mcqcap;
1650 
1651         for (int i = 0; i < ARRAY_SIZE(u->mcq_reg); i++) {
1652             uint64_t addr = ufs_mcq_op_reg_addr(u, i);
1653             u->mcq_reg[i].sqdao = addr;
1654             u->mcq_reg[i].sqisao = addr + sizeof(UfsMcqSqReg);
1655             addr += sizeof(UfsMcqSqReg);
1656             u->mcq_reg[i].cqdao = addr + sizeof(UfsMcqSqIntReg);
1657             addr += sizeof(UfsMcqSqIntReg);
1658             u->mcq_reg[i].cqisao = addr + sizeof(UfsMcqCqReg);
1659         }
1660     }
1661     u->reg.ver = UFS_SPEC_VER;
1662 
1663     memset(&u->device_desc, 0, sizeof(DeviceDescriptor));
1664     u->device_desc.length = sizeof(DeviceDescriptor);
1665     u->device_desc.descriptor_idn = UFS_QUERY_DESC_IDN_DEVICE;
1666     u->device_desc.device_sub_class = 0x01;
1667     u->device_desc.number_lu = 0x00;
1668     u->device_desc.number_wlu = 0x04;
1669     /* TODO: Revisit it when Power Management is implemented */
1670     u->device_desc.init_power_mode = 0x01; /* Active Mode */
1671     u->device_desc.high_priority_lun = 0x7F; /* Same Priority */
1672     u->device_desc.spec_version = cpu_to_be16(UFS_SPEC_VER);
1673     u->device_desc.manufacturer_name = 0x00;
1674     u->device_desc.product_name = 0x01;
1675     u->device_desc.serial_number = 0x02;
1676     u->device_desc.oem_id = 0x03;
1677     u->device_desc.ud_0_base_offset = 0x16;
1678     u->device_desc.ud_config_p_length = 0x1A;
1679     u->device_desc.device_rtt_cap = 0x02;
1680     u->device_desc.queue_depth = u->params.nutrs;
1681     u->device_desc.product_revision_level = 0x04;
1682 
1683     memset(&u->geometry_desc, 0, sizeof(GeometryDescriptor));
1684     u->geometry_desc.length = sizeof(GeometryDescriptor);
1685     u->geometry_desc.descriptor_idn = UFS_QUERY_DESC_IDN_GEOMETRY;
1686     u->geometry_desc.max_number_lu = (UFS_MAX_LUS == 32) ? 0x1 : 0x0;
1687     u->geometry_desc.segment_size = cpu_to_be32(0x2000); /* 4KB */
1688     u->geometry_desc.allocation_unit_size = 0x1; /* 4KB */
1689     u->geometry_desc.min_addr_block_size = 0x8; /* 4KB */
1690     u->geometry_desc.max_in_buffer_size = 0x8;
1691     u->geometry_desc.max_out_buffer_size = 0x8;
1692     u->geometry_desc.rpmb_read_write_size = 0x40;
1693     u->geometry_desc.data_ordering =
1694         0x0; /* out-of-order data transfer is not supported */
1695     u->geometry_desc.max_context_id_number = 0x5;
1696     u->geometry_desc.supported_memory_types = cpu_to_be16(0x8001);
1697 
1698     memset(&u->attributes, 0, sizeof(u->attributes));
1699     u->attributes.max_data_in_size = 0x08;
1700     u->attributes.max_data_out_size = 0x08;
1701     u->attributes.ref_clk_freq = 0x01; /* 26 MHz */
1702     /* configure descriptor is not supported */
1703     u->attributes.config_descr_lock = 0x01;
1704     u->attributes.max_num_of_rtt = 0x02;
1705 
1706     memset(&u->flags, 0, sizeof(u->flags));
1707     u->flags.permanently_disable_fw_update = 1;
1708 }
1709 
1710 static void ufs_realize(PCIDevice *pci_dev, Error **errp)
1711 {
1712     UfsHc *u = UFS(pci_dev);
1713 
1714     if (!ufs_check_constraints(u, errp)) {
1715         return;
1716     }
1717 
1718     qbus_init(&u->bus, sizeof(UfsBus), TYPE_UFS_BUS, &pci_dev->qdev,
1719               u->parent_obj.qdev.id);
1720 
1721     ufs_init_state(u);
1722     ufs_init_hc(u);
1723     ufs_init_pci(u, pci_dev);
1724 
1725     ufs_init_wlu(&u->report_wlu, UFS_UPIU_REPORT_LUNS_WLUN);
1726     ufs_init_wlu(&u->dev_wlu, UFS_UPIU_UFS_DEVICE_WLUN);
1727     ufs_init_wlu(&u->boot_wlu, UFS_UPIU_BOOT_WLUN);
1728     ufs_init_wlu(&u->rpmb_wlu, UFS_UPIU_RPMB_WLUN);
1729 }
1730 
1731 static void ufs_exit(PCIDevice *pci_dev)
1732 {
1733     UfsHc *u = UFS(pci_dev);
1734 
1735     qemu_bh_delete(u->doorbell_bh);
1736     qemu_bh_delete(u->complete_bh);
1737 
1738     for (int i = 0; i < u->params.nutrs; i++) {
1739         ufs_clear_req(&u->req_list[i]);
1740     }
1741     g_free(u->req_list);
1742 
1743     for (int i = 0; i < ARRAY_SIZE(u->sq); i++) {
1744         if (u->sq[i]) {
1745             ufs_mcq_delete_sq(u, i);
1746         }
1747     }
1748     for (int i = 0; i < ARRAY_SIZE(u->cq); i++) {
1749         if (u->cq[i]) {
1750             ufs_mcq_delete_cq(u, i);
1751         }
1752     }
1753 }
1754 
1755 static Property ufs_props[] = {
1756     DEFINE_PROP_STRING("serial", UfsHc, params.serial),
1757     DEFINE_PROP_UINT8("nutrs", UfsHc, params.nutrs, 32),
1758     DEFINE_PROP_UINT8("nutmrs", UfsHc, params.nutmrs, 8),
1759     DEFINE_PROP_BOOL("mcq", UfsHc, params.mcq, false),
1760     DEFINE_PROP_UINT8("mcq-maxq", UfsHc, params.mcq_maxq, 2),
1761     DEFINE_PROP_END_OF_LIST(),
1762 };
1763 
1764 static const VMStateDescription ufs_vmstate = {
1765     .name = "ufs",
1766     .unmigratable = 1,
1767 };
1768 
1769 static void ufs_class_init(ObjectClass *oc, void *data)
1770 {
1771     DeviceClass *dc = DEVICE_CLASS(oc);
1772     PCIDeviceClass *pc = PCI_DEVICE_CLASS(oc);
1773 
1774     pc->realize = ufs_realize;
1775     pc->exit = ufs_exit;
1776     pc->vendor_id = PCI_VENDOR_ID_REDHAT;
1777     pc->device_id = PCI_DEVICE_ID_REDHAT_UFS;
1778     pc->class_id = PCI_CLASS_STORAGE_UFS;
1779 
1780     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
1781     dc->desc = "Universal Flash Storage";
1782     device_class_set_props(dc, ufs_props);
1783     dc->vmsd = &ufs_vmstate;
1784 }
1785 
1786 static bool ufs_bus_check_address(BusState *qbus, DeviceState *qdev,
1787                                   Error **errp)
1788 {
1789     if (strcmp(object_get_typename(OBJECT(qdev)), TYPE_UFS_LU) != 0) {
1790         error_setg(errp, "%s cannot be connected to ufs-bus",
1791                    object_get_typename(OBJECT(qdev)));
1792         return false;
1793     }
1794 
1795     return true;
1796 }
1797 
1798 static char *ufs_bus_get_dev_path(DeviceState *dev)
1799 {
1800     BusState *bus = qdev_get_parent_bus(dev);
1801 
1802     return qdev_get_dev_path(bus->parent);
1803 }
1804 
1805 static void ufs_bus_class_init(ObjectClass *class, void *data)
1806 {
1807     BusClass *bc = BUS_CLASS(class);
1808     bc->get_dev_path = ufs_bus_get_dev_path;
1809     bc->check_address = ufs_bus_check_address;
1810 }
1811 
1812 static const TypeInfo ufs_info = {
1813     .name = TYPE_UFS,
1814     .parent = TYPE_PCI_DEVICE,
1815     .class_init = ufs_class_init,
1816     .instance_size = sizeof(UfsHc),
1817     .interfaces = (InterfaceInfo[]){ { INTERFACE_PCIE_DEVICE }, {} },
1818 };
1819 
1820 static const TypeInfo ufs_bus_info = {
1821     .name = TYPE_UFS_BUS,
1822     .parent = TYPE_BUS,
1823     .class_init = ufs_bus_class_init,
1824     .class_size = sizeof(UfsBusClass),
1825     .instance_size = sizeof(UfsBus),
1826 };
1827 
1828 static void ufs_register_types(void)
1829 {
1830     type_register_static(&ufs_info);
1831     type_register_static(&ufs_bus_info);
1832 }
1833 
1834 type_init(ufs_register_types)
1835