xref: /openbmc/qemu/hw/ufs/ufs.c (revision c80e2251)
1 /*
2  * QEMU Universal Flash Storage (UFS) Controller
3  *
4  * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved.
5  *
6  * Written by Jeuk Kim <jeuk20.kim@samsung.com>
7  *
8  * SPDX-License-Identifier: GPL-2.0-or-later
9  */
10 
11 /**
12  * Reference Specs: https://www.jedec.org/, 4.0
13  *
14  * Usage
15  * -----
16  *
17  * Add options:
18  *      -drive file=<file>,if=none,id=<drive_id>
19  *      -device ufs,serial=<serial>,id=<bus_name>, \
20  *              nutrs=<N[optional]>,nutmrs=<N[optional]>
21  *      -device ufs-lu,drive=<drive_id>,bus=<bus_name>
22  */
23 
24 #include "qemu/osdep.h"
25 #include "qapi/error.h"
26 #include "migration/vmstate.h"
27 #include "scsi/constants.h"
28 #include "trace.h"
29 #include "ufs.h"
30 
31 /* The QEMU-UFS device follows spec version 4.0 */
32 #define UFS_SPEC_VER 0x0400
33 #define UFS_MAX_NUTRS 32
34 #define UFS_MAX_NUTMRS 8
35 #define UFS_MCQ_QCFGPTR 2
36 
37 static void ufs_exec_req(UfsRequest *req);
38 static void ufs_clear_req(UfsRequest *req);
39 
40 static inline uint64_t ufs_mcq_reg_addr(UfsHc *u, int qid)
41 {
42     /* Submission Queue MCQ Registers offset (400h) */
43     return (UFS_MCQ_QCFGPTR * 0x200) + qid * 0x40;
44 }
45 
46 static inline uint64_t ufs_mcq_op_reg_addr(UfsHc *u, int qid)
47 {
48     /* MCQ Operation & Runtime Registers offset (1000h) */
49     return UFS_MCQ_OPR_START + qid * 48;
50 }
51 
52 static inline uint64_t ufs_reg_size(UfsHc *u)
53 {
54     /* Total UFS HCI Register size in bytes */
55     return ufs_mcq_op_reg_addr(u, 0) + sizeof(u->mcq_op_reg);
56 }
57 
58 static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size)
59 {
60     uint64_t mcq_reg_addr;
61 
62     if (!u->params.mcq) {
63         return false;
64     }
65 
66     mcq_reg_addr = ufs_mcq_reg_addr(u, 0);
67     return (addr >= mcq_reg_addr &&
68             addr + size <= mcq_reg_addr + sizeof(u->mcq_reg));
69 }
70 
71 static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr, unsigned size)
72 {
73     uint64_t mcq_op_reg_addr;
74 
75     if (!u->params.mcq) {
76         return false;
77     }
78 
79     mcq_op_reg_addr = ufs_mcq_op_reg_addr(u, 0);
80     return (addr >= mcq_op_reg_addr &&
81             addr + size <= mcq_op_reg_addr + sizeof(u->mcq_op_reg));
82 }
83 
84 static MemTxResult ufs_addr_read(UfsHc *u, hwaddr addr, void *buf, int size)
85 {
86     hwaddr hi = addr + size - 1;
87 
88     if (hi < addr) {
89         return MEMTX_DECODE_ERROR;
90     }
91 
92     if (!FIELD_EX32(u->reg.cap, CAP, 64AS) && (hi >> 32)) {
93         return MEMTX_DECODE_ERROR;
94     }
95 
96     return pci_dma_read(PCI_DEVICE(u), addr, buf, size);
97 }
98 
99 static MemTxResult ufs_addr_write(UfsHc *u, hwaddr addr, const void *buf,
100                                   int size)
101 {
102     hwaddr hi = addr + size - 1;
103     if (hi < addr) {
104         return MEMTX_DECODE_ERROR;
105     }
106 
107     if (!FIELD_EX32(u->reg.cap, CAP, 64AS) && (hi >> 32)) {
108         return MEMTX_DECODE_ERROR;
109     }
110 
111     return pci_dma_write(PCI_DEVICE(u), addr, buf, size);
112 }
113 
114 static inline hwaddr ufs_get_utrd_addr(UfsHc *u, uint32_t slot)
115 {
116     hwaddr utrl_base_addr = (((hwaddr)u->reg.utrlbau) << 32) + u->reg.utrlba;
117     hwaddr utrd_addr = utrl_base_addr + slot * sizeof(UtpTransferReqDesc);
118 
119     return utrd_addr;
120 }
121 
122 static inline hwaddr ufs_get_req_upiu_base_addr(const UtpTransferReqDesc *utrd)
123 {
124     uint32_t cmd_desc_base_addr_lo =
125         le32_to_cpu(utrd->command_desc_base_addr_lo);
126     uint32_t cmd_desc_base_addr_hi =
127         le32_to_cpu(utrd->command_desc_base_addr_hi);
128 
129     return (((hwaddr)cmd_desc_base_addr_hi) << 32) + cmd_desc_base_addr_lo;
130 }
131 
132 static inline hwaddr ufs_get_rsp_upiu_base_addr(const UtpTransferReqDesc *utrd)
133 {
134     hwaddr req_upiu_base_addr = ufs_get_req_upiu_base_addr(utrd);
135     uint32_t rsp_upiu_byte_off =
136         le16_to_cpu(utrd->response_upiu_offset) * sizeof(uint32_t);
137     return req_upiu_base_addr + rsp_upiu_byte_off;
138 }
139 
140 static MemTxResult ufs_dma_read_utrd(UfsRequest *req)
141 {
142     UfsHc *u = req->hc;
143     hwaddr utrd_addr = ufs_get_utrd_addr(u, req->slot);
144     MemTxResult ret;
145 
146     ret = ufs_addr_read(u, utrd_addr, &req->utrd, sizeof(req->utrd));
147     if (ret) {
148         trace_ufs_err_dma_read_utrd(req->slot, utrd_addr);
149     }
150     return ret;
151 }
152 
153 static MemTxResult ufs_dma_read_req_upiu(UfsRequest *req)
154 {
155     UfsHc *u = req->hc;
156     hwaddr req_upiu_base_addr = ufs_get_req_upiu_base_addr(&req->utrd);
157     UtpUpiuReq *req_upiu = &req->req_upiu;
158     uint32_t copy_size;
159     uint16_t data_segment_length;
160     MemTxResult ret;
161 
162     /*
163      * To know the size of the req_upiu, we need to read the
164      * data_segment_length in the header first.
165      */
166     ret = ufs_addr_read(u, req_upiu_base_addr, &req_upiu->header,
167                         sizeof(UtpUpiuHeader));
168     if (ret) {
169         trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
170         return ret;
171     }
172     data_segment_length = be16_to_cpu(req_upiu->header.data_segment_length);
173 
174     copy_size = sizeof(UtpUpiuHeader) + UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
175                 data_segment_length;
176 
177     if (copy_size > sizeof(req->req_upiu)) {
178         copy_size = sizeof(req->req_upiu);
179     }
180 
181     ret = ufs_addr_read(u, req_upiu_base_addr, &req->req_upiu, copy_size);
182     if (ret) {
183         trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
184     }
185     return ret;
186 }
187 
188 static MemTxResult ufs_dma_read_prdt(UfsRequest *req)
189 {
190     UfsHc *u = req->hc;
191     uint16_t prdt_len = le16_to_cpu(req->utrd.prd_table_length);
192     uint16_t prdt_byte_off =
193         le16_to_cpu(req->utrd.prd_table_offset) * sizeof(uint32_t);
194     uint32_t prdt_size = prdt_len * sizeof(UfshcdSgEntry);
195     g_autofree UfshcdSgEntry *prd_entries = NULL;
196     hwaddr req_upiu_base_addr, prdt_base_addr;
197     int err;
198 
199     assert(!req->sg);
200 
201     if (prdt_size == 0) {
202         return MEMTX_OK;
203     }
204     prd_entries = g_new(UfshcdSgEntry, prdt_size);
205 
206     req_upiu_base_addr = ufs_get_req_upiu_base_addr(&req->utrd);
207     prdt_base_addr = req_upiu_base_addr + prdt_byte_off;
208 
209     err = ufs_addr_read(u, prdt_base_addr, prd_entries, prdt_size);
210     if (err) {
211         trace_ufs_err_dma_read_prdt(req->slot, prdt_base_addr);
212         return err;
213     }
214 
215     req->sg = g_malloc0(sizeof(QEMUSGList));
216     pci_dma_sglist_init(req->sg, PCI_DEVICE(u), prdt_len);
217     req->data_len = 0;
218 
219     for (uint16_t i = 0; i < prdt_len; ++i) {
220         hwaddr data_dma_addr = le64_to_cpu(prd_entries[i].addr);
221         uint32_t data_byte_count = le32_to_cpu(prd_entries[i].size) + 1;
222         qemu_sglist_add(req->sg, data_dma_addr, data_byte_count);
223         req->data_len += data_byte_count;
224     }
225     return MEMTX_OK;
226 }
227 
228 static MemTxResult ufs_dma_read_upiu(UfsRequest *req)
229 {
230     MemTxResult ret;
231 
232     /*
233      * In case of MCQ, UTRD has already been read from a SQ, so skip it.
234      */
235     if (!ufs_mcq_req(req)) {
236         ret = ufs_dma_read_utrd(req);
237         if (ret) {
238             return ret;
239         }
240     }
241 
242     ret = ufs_dma_read_req_upiu(req);
243     if (ret) {
244         return ret;
245     }
246 
247     ret = ufs_dma_read_prdt(req);
248     if (ret) {
249         return ret;
250     }
251 
252     return 0;
253 }
254 
255 static MemTxResult ufs_dma_write_utrd(UfsRequest *req)
256 {
257     UfsHc *u = req->hc;
258     hwaddr utrd_addr = ufs_get_utrd_addr(u, req->slot);
259     MemTxResult ret;
260 
261     ret = ufs_addr_write(u, utrd_addr, &req->utrd, sizeof(req->utrd));
262     if (ret) {
263         trace_ufs_err_dma_write_utrd(req->slot, utrd_addr);
264     }
265     return ret;
266 }
267 
268 static MemTxResult ufs_dma_write_rsp_upiu(UfsRequest *req)
269 {
270     UfsHc *u = req->hc;
271     hwaddr rsp_upiu_base_addr = ufs_get_rsp_upiu_base_addr(&req->utrd);
272     uint32_t rsp_upiu_byte_len =
273         le16_to_cpu(req->utrd.response_upiu_length) * sizeof(uint32_t);
274     uint16_t data_segment_length =
275         be16_to_cpu(req->rsp_upiu.header.data_segment_length);
276     uint32_t copy_size = sizeof(UtpUpiuHeader) +
277                          UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
278                          data_segment_length;
279     MemTxResult ret;
280 
281     if (copy_size > rsp_upiu_byte_len) {
282         copy_size = rsp_upiu_byte_len;
283     }
284 
285     if (copy_size > sizeof(req->rsp_upiu)) {
286         copy_size = sizeof(req->rsp_upiu);
287     }
288 
289     ret = ufs_addr_write(u, rsp_upiu_base_addr, &req->rsp_upiu, copy_size);
290     if (ret) {
291         trace_ufs_err_dma_write_rsp_upiu(req->slot, rsp_upiu_base_addr);
292     }
293     return ret;
294 }
295 
296 static MemTxResult ufs_dma_write_upiu(UfsRequest *req)
297 {
298     MemTxResult ret;
299 
300     ret = ufs_dma_write_rsp_upiu(req);
301     if (ret) {
302         return ret;
303     }
304 
305     return ufs_dma_write_utrd(req);
306 }
307 
308 static void ufs_irq_check(UfsHc *u)
309 {
310     PCIDevice *pci = PCI_DEVICE(u);
311 
312     if ((u->reg.is & UFS_INTR_MASK) & u->reg.ie) {
313         trace_ufs_irq_raise();
314         pci_irq_assert(pci);
315     } else {
316         trace_ufs_irq_lower();
317         pci_irq_deassert(pci);
318     }
319 }
320 
321 static void ufs_process_db(UfsHc *u, uint32_t val)
322 {
323     DECLARE_BITMAP(doorbell, UFS_MAX_NUTRS);
324     uint32_t slot;
325     uint32_t nutrs = u->params.nutrs;
326     UfsRequest *req;
327 
328     val &= ~u->reg.utrldbr;
329     if (!val) {
330         return;
331     }
332 
333     doorbell[0] = val;
334     slot = find_first_bit(doorbell, nutrs);
335 
336     while (slot < nutrs) {
337         req = &u->req_list[slot];
338         if (req->state == UFS_REQUEST_ERROR) {
339             trace_ufs_err_utrl_slot_error(req->slot);
340             return;
341         }
342 
343         if (req->state != UFS_REQUEST_IDLE) {
344             trace_ufs_err_utrl_slot_busy(req->slot);
345             return;
346         }
347 
348         trace_ufs_process_db(slot);
349         req->state = UFS_REQUEST_READY;
350         slot = find_next_bit(doorbell, nutrs, slot + 1);
351     }
352 
353     qemu_bh_schedule(u->doorbell_bh);
354 }
355 
356 static void ufs_process_uiccmd(UfsHc *u, uint32_t val)
357 {
358     trace_ufs_process_uiccmd(val, u->reg.ucmdarg1, u->reg.ucmdarg2,
359                              u->reg.ucmdarg3);
360     /*
361      * Only the essential uic commands for running drivers on Linux and Windows
362      * are implemented.
363      */
364     switch (val) {
365     case UFS_UIC_CMD_DME_LINK_STARTUP:
366         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, DP, 1);
367         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UTRLRDY, 1);
368         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UTMRLRDY, 1);
369         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_SUCCESS;
370         break;
371     /* TODO: Revisit it when Power Management is implemented */
372     case UFS_UIC_CMD_DME_HIBER_ENTER:
373         u->reg.is = FIELD_DP32(u->reg.is, IS, UHES, 1);
374         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UPMCRS, UFS_PWR_LOCAL);
375         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_SUCCESS;
376         break;
377     case UFS_UIC_CMD_DME_HIBER_EXIT:
378         u->reg.is = FIELD_DP32(u->reg.is, IS, UHXS, 1);
379         u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UPMCRS, UFS_PWR_LOCAL);
380         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_SUCCESS;
381         break;
382     default:
383         u->reg.ucmdarg2 = UFS_UIC_CMD_RESULT_FAILURE;
384     }
385 
386     u->reg.is = FIELD_DP32(u->reg.is, IS, UCCS, 1);
387 
388     ufs_irq_check(u);
389 }
390 
391 static void ufs_mcq_init_req(UfsHc *u, UfsRequest *req, UfsSq *sq)
392 {
393     memset(req, 0, sizeof(*req));
394 
395     req->hc = u;
396     req->state = UFS_REQUEST_IDLE;
397     req->slot = UFS_INVALID_SLOT;
398     req->sq = sq;
399 }
400 
401 static void ufs_mcq_process_sq(void *opaque)
402 {
403     UfsSq *sq = opaque;
404     UfsHc *u = sq->u;
405     UfsSqEntry sqe;
406     UfsRequest *req;
407     hwaddr addr;
408     uint16_t head = ufs_mcq_sq_head(u, sq->sqid);
409     int err;
410 
411     while (!(ufs_mcq_sq_empty(u, sq->sqid) || QTAILQ_EMPTY(&sq->req_list))) {
412         addr = sq->addr + head;
413         err = ufs_addr_read(sq->u, addr, (void *)&sqe, sizeof(sqe));
414         if (err) {
415             trace_ufs_err_dma_read_sq(sq->sqid, addr);
416             return;
417         }
418 
419         head = (head + sizeof(sqe)) % (sq->size * sizeof(sqe));
420         ufs_mcq_update_sq_head(u, sq->sqid, head);
421 
422         req = QTAILQ_FIRST(&sq->req_list);
423         QTAILQ_REMOVE(&sq->req_list, req, entry);
424 
425         ufs_mcq_init_req(sq->u, req, sq);
426         memcpy(&req->utrd, &sqe, sizeof(req->utrd));
427 
428         req->state = UFS_REQUEST_RUNNING;
429         ufs_exec_req(req);
430     }
431 }
432 
433 static void ufs_mcq_process_cq(void *opaque)
434 {
435     UfsCq *cq = opaque;
436     UfsHc *u = cq->u;
437     UfsRequest *req, *next;
438     MemTxResult ret;
439     uint32_t tail = ufs_mcq_cq_tail(u, cq->cqid);
440 
441     QTAILQ_FOREACH_SAFE(req, &cq->req_list, entry, next)
442     {
443         ufs_dma_write_rsp_upiu(req);
444 
445         req->cqe.utp_addr =
446             ((uint64_t)req->utrd.command_desc_base_addr_hi << 32ULL) |
447             req->utrd.command_desc_base_addr_lo;
448         req->cqe.utp_addr |= req->sq->sqid;
449         req->cqe.resp_len = req->utrd.response_upiu_length;
450         req->cqe.resp_off = req->utrd.response_upiu_offset;
451         req->cqe.prdt_len = req->utrd.prd_table_length;
452         req->cqe.prdt_off = req->utrd.prd_table_offset;
453         req->cqe.status = req->utrd.header.dword_2 & 0xf;
454         req->cqe.error = 0;
455 
456         ret = ufs_addr_write(u, cq->addr + tail, &req->cqe, sizeof(req->cqe));
457         if (ret) {
458             trace_ufs_err_dma_write_cq(cq->cqid, cq->addr + tail);
459         }
460         QTAILQ_REMOVE(&cq->req_list, req, entry);
461 
462         tail = (tail + sizeof(req->cqe)) % (cq->size * sizeof(req->cqe));
463         ufs_mcq_update_cq_tail(u, cq->cqid, tail);
464 
465         ufs_clear_req(req);
466         QTAILQ_INSERT_TAIL(&req->sq->req_list, req, entry);
467     }
468 
469     if (!ufs_mcq_cq_empty(u, cq->cqid)) {
470         u->mcq_op_reg[cq->cqid].cq_int.is =
471             FIELD_DP32(u->mcq_op_reg[cq->cqid].cq_int.is, CQIS, TEPS, 1);
472 
473         u->reg.is = FIELD_DP32(u->reg.is, IS, CQES, 1);
474         ufs_irq_check(u);
475     }
476 }
477 
478 static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, uint32_t attr)
479 {
480     UfsMcqReg *reg = &u->mcq_reg[qid];
481     UfsSq *sq;
482     uint8_t cqid = FIELD_EX32(attr, SQATTR, CQID);
483 
484     if (qid >= u->params.mcq_maxq) {
485         trace_ufs_err_mcq_create_sq_invalid_sqid(qid);
486         return false;
487     }
488 
489     if (u->sq[qid]) {
490         trace_ufs_err_mcq_create_sq_already_exists(qid);
491         return false;
492     }
493 
494     if (!u->cq[cqid]) {
495         trace_ufs_err_mcq_create_sq_invalid_cqid(qid);
496         return false;
497     }
498 
499     sq = g_malloc0(sizeof(*sq));
500     sq->u = u;
501     sq->sqid = qid;
502     sq->cq = u->cq[cqid];
503     sq->addr = ((uint64_t)reg->squba << 32) | reg->sqlba;
504     sq->size = ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry);
505 
506     sq->bh = qemu_bh_new_guarded(ufs_mcq_process_sq, sq,
507                                  &DEVICE(u)->mem_reentrancy_guard);
508     sq->req = g_new0(UfsRequest, sq->size);
509     QTAILQ_INIT(&sq->req_list);
510     for (int i = 0; i < sq->size; i++) {
511         ufs_mcq_init_req(u, &sq->req[i], sq);
512         QTAILQ_INSERT_TAIL(&sq->req_list, &sq->req[i], entry);
513     }
514 
515     u->sq[qid] = sq;
516 
517     trace_ufs_mcq_create_sq(sq->sqid, sq->cq->cqid, sq->addr, sq->size);
518     return true;
519 }
520 
521 static bool ufs_mcq_delete_sq(UfsHc *u, uint8_t qid)
522 {
523     UfsSq *sq;
524 
525     if (qid >= u->params.mcq_maxq) {
526         trace_ufs_err_mcq_delete_sq_invalid_sqid(qid);
527         return false;
528     }
529 
530     if (!u->sq[qid]) {
531         trace_ufs_err_mcq_delete_sq_not_exists(qid);
532         return false;
533     }
534 
535     sq = u->sq[qid];
536 
537     qemu_bh_delete(sq->bh);
538     g_free(sq->req);
539     g_free(sq);
540     u->sq[qid] = NULL;
541     return true;
542 }
543 
544 static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, uint32_t attr)
545 {
546     UfsMcqReg *reg = &u->mcq_reg[qid];
547     UfsCq *cq;
548 
549     if (qid >= u->params.mcq_maxq) {
550         trace_ufs_err_mcq_create_cq_invalid_cqid(qid);
551         return false;
552     }
553 
554     if (u->cq[qid]) {
555         trace_ufs_err_mcq_create_cq_already_exists(qid);
556         return false;
557     }
558 
559     cq = g_malloc0(sizeof(*cq));
560     cq->u = u;
561     cq->cqid = qid;
562     cq->addr = ((uint64_t)reg->cquba << 32) | reg->cqlba;
563     cq->size = ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsCqEntry);
564 
565     cq->bh = qemu_bh_new_guarded(ufs_mcq_process_cq, cq,
566                                  &DEVICE(u)->mem_reentrancy_guard);
567     QTAILQ_INIT(&cq->req_list);
568 
569     u->cq[qid] = cq;
570 
571     trace_ufs_mcq_create_cq(cq->cqid, cq->addr, cq->size);
572     return true;
573 }
574 
575 static bool ufs_mcq_delete_cq(UfsHc *u, uint8_t qid)
576 {
577     UfsCq *cq;
578 
579     if (qid >= u->params.mcq_maxq) {
580         trace_ufs_err_mcq_delete_cq_invalid_cqid(qid);
581         return false;
582     }
583 
584     if (!u->cq[qid]) {
585         trace_ufs_err_mcq_delete_cq_not_exists(qid);
586         return false;
587     }
588 
589     for (int i = 0; i < ARRAY_SIZE(u->sq); i++) {
590         if (u->sq[i] && u->sq[i]->cq->cqid == qid) {
591             trace_ufs_err_mcq_delete_cq_sq_not_deleted(i, qid);
592             return false;
593         }
594     }
595 
596     cq = u->cq[qid];
597 
598     qemu_bh_delete(cq->bh);
599     g_free(cq);
600     u->cq[qid] = NULL;
601     return true;
602 }
603 
604 static void ufs_write_reg(UfsHc *u, hwaddr offset, uint32_t data, unsigned size)
605 {
606     switch (offset) {
607     case A_IS:
608         u->reg.is &= ~data;
609         ufs_irq_check(u);
610         break;
611     case A_IE:
612         u->reg.ie = data;
613         ufs_irq_check(u);
614         break;
615     case A_HCE:
616         if (!FIELD_EX32(u->reg.hce, HCE, HCE) && FIELD_EX32(data, HCE, HCE)) {
617             u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UCRDY, 1);
618             u->reg.hce = FIELD_DP32(u->reg.hce, HCE, HCE, 1);
619         } else if (FIELD_EX32(u->reg.hce, HCE, HCE) &&
620                    !FIELD_EX32(data, HCE, HCE)) {
621             u->reg.hcs = 0;
622             u->reg.hce = FIELD_DP32(u->reg.hce, HCE, HCE, 0);
623         }
624         break;
625     case A_UTRLBA:
626         u->reg.utrlba = data & R_UTRLBA_UTRLBA_MASK;
627         break;
628     case A_UTRLBAU:
629         u->reg.utrlbau = data;
630         break;
631     case A_UTRLDBR:
632         ufs_process_db(u, data);
633         u->reg.utrldbr |= data;
634         break;
635     case A_UTRLRSR:
636         u->reg.utrlrsr = data;
637         break;
638     case A_UTRLCNR:
639         u->reg.utrlcnr &= ~data;
640         break;
641     case A_UTMRLBA:
642         u->reg.utmrlba = data & R_UTMRLBA_UTMRLBA_MASK;
643         break;
644     case A_UTMRLBAU:
645         u->reg.utmrlbau = data;
646         break;
647     case A_UICCMD:
648         ufs_process_uiccmd(u, data);
649         break;
650     case A_UCMDARG1:
651         u->reg.ucmdarg1 = data;
652         break;
653     case A_UCMDARG2:
654         u->reg.ucmdarg2 = data;
655         break;
656     case A_UCMDARG3:
657         u->reg.ucmdarg3 = data;
658         break;
659     case A_CONFIG:
660         u->reg.config = data;
661         break;
662     case A_MCQCONFIG:
663         u->reg.mcqconfig = data;
664         break;
665     case A_UTRLCLR:
666     case A_UTMRLDBR:
667     case A_UTMRLCLR:
668     case A_UTMRLRSR:
669         trace_ufs_err_unsupport_register_offset(offset);
670         break;
671     default:
672         trace_ufs_err_invalid_register_offset(offset);
673         break;
674     }
675 }
676 
677 static void ufs_write_mcq_reg(UfsHc *u, hwaddr offset, uint32_t data,
678                               unsigned size)
679 {
680     int qid = offset / sizeof(UfsMcqReg);
681     UfsMcqReg *reg = &u->mcq_reg[qid];
682 
683     switch (offset % sizeof(UfsMcqReg)) {
684     case A_SQATTR:
685         if (!FIELD_EX32(reg->sqattr, SQATTR, SQEN) &&
686             FIELD_EX32(data, SQATTR, SQEN)) {
687             if (!ufs_mcq_create_sq(u, qid, data)) {
688                 break;
689             }
690         } else if (FIELD_EX32(reg->sqattr, SQATTR, SQEN) &&
691                    !FIELD_EX32(data, SQATTR, SQEN)) {
692             if (!ufs_mcq_delete_sq(u, qid)) {
693                 break;
694             }
695         }
696         reg->sqattr = data;
697         break;
698     case A_SQLBA:
699         reg->sqlba = data;
700         break;
701     case A_SQUBA:
702         reg->squba = data;
703         break;
704     case A_SQCFG:
705         reg->sqcfg = data;
706         break;
707     case A_CQATTR:
708         if (!FIELD_EX32(reg->cqattr, CQATTR, CQEN) &&
709             FIELD_EX32(data, CQATTR, CQEN)) {
710             if (!ufs_mcq_create_cq(u, qid, data)) {
711                 break;
712             }
713         } else if (FIELD_EX32(reg->cqattr, CQATTR, CQEN) &&
714                    !FIELD_EX32(data, CQATTR, CQEN)) {
715             if (!ufs_mcq_delete_cq(u, qid)) {
716                 break;
717             }
718         }
719         reg->cqattr = data;
720         break;
721     case A_CQLBA:
722         reg->cqlba = data;
723         break;
724     case A_CQUBA:
725         reg->cquba = data;
726         break;
727     case A_CQCFG:
728         reg->cqcfg = data;
729         break;
730     case A_SQDAO:
731     case A_SQISAO:
732     case A_CQDAO:
733     case A_CQISAO:
734         trace_ufs_err_unsupport_register_offset(offset);
735         break;
736     default:
737         trace_ufs_err_invalid_register_offset(offset);
738         break;
739     }
740 }
741 
742 static void ufs_mcq_process_db(UfsHc *u, uint8_t qid, uint32_t db)
743 {
744     UfsSq *sq;
745 
746     if (qid >= u->params.mcq_maxq) {
747         trace_ufs_err_mcq_db_wr_invalid_sqid(qid);
748         return;
749     }
750 
751     sq = u->sq[qid];
752     if (sq->size * sizeof(UfsSqEntry) <= db) {
753         trace_ufs_err_mcq_db_wr_invalid_db(qid, db);
754         return;
755     }
756 
757     ufs_mcq_update_sq_tail(u, sq->sqid, db);
758     qemu_bh_schedule(sq->bh);
759 }
760 
761 static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offset, uint32_t data,
762                                  unsigned size)
763 {
764     int qid = offset / sizeof(UfsMcqOpReg);
765     UfsMcqOpReg *opr = &u->mcq_op_reg[qid];
766 
767     switch (offset % sizeof(UfsMcqOpReg)) {
768     case offsetof(UfsMcqOpReg, sq.tp):
769         if (opr->sq.tp != data) {
770             ufs_mcq_process_db(u, qid, data);
771         }
772         opr->sq.tp = data;
773         break;
774     case offsetof(UfsMcqOpReg, cq.hp):
775         opr->cq.hp = data;
776         ufs_mcq_update_cq_head(u, qid, data);
777         break;
778     case offsetof(UfsMcqOpReg, cq_int.is):
779         opr->cq_int.is &= ~data;
780         break;
781     default:
782         trace_ufs_err_invalid_register_offset(offset);
783         break;
784     }
785 }
786 
787 static uint64_t ufs_mmio_read(void *opaque, hwaddr addr, unsigned size)
788 {
789     UfsHc *u = (UfsHc *)opaque;
790     uint32_t *ptr;
791     uint64_t value;
792     uint64_t offset;
793 
794     if (addr + size <= sizeof(u->reg)) {
795         offset = addr;
796         ptr = (uint32_t *)&u->reg;
797     } else if (ufs_is_mcq_reg(u, addr, size)) {
798         offset = addr - ufs_mcq_reg_addr(u, 0);
799         ptr = (uint32_t *)&u->mcq_reg;
800     } else if (ufs_is_mcq_op_reg(u, addr, size)) {
801         offset = addr - ufs_mcq_op_reg_addr(u, 0);
802         ptr = (uint32_t *)&u->mcq_op_reg;
803     } else {
804         trace_ufs_err_invalid_register_offset(addr);
805         return 0;
806     }
807 
808     value = ptr[offset >> 2];
809     trace_ufs_mmio_read(addr, value, size);
810     return value;
811 }
812 
813 static void ufs_mmio_write(void *opaque, hwaddr addr, uint64_t data,
814                            unsigned size)
815 {
816     UfsHc *u = (UfsHc *)opaque;
817 
818     trace_ufs_mmio_write(addr, data, size);
819 
820     if (addr + size <= sizeof(u->reg)) {
821         ufs_write_reg(u, addr, data, size);
822     } else if (ufs_is_mcq_reg(u, addr, size)) {
823         ufs_write_mcq_reg(u, addr - ufs_mcq_reg_addr(u, 0), data, size);
824     } else if (ufs_is_mcq_op_reg(u, addr, size)) {
825         ufs_write_mcq_op_reg(u, addr - ufs_mcq_op_reg_addr(u, 0), data, size);
826     } else {
827         trace_ufs_err_invalid_register_offset(addr);
828     }
829 }
830 
831 static const MemoryRegionOps ufs_mmio_ops = {
832     .read = ufs_mmio_read,
833     .write = ufs_mmio_write,
834     .endianness = DEVICE_LITTLE_ENDIAN,
835     .impl = {
836         .min_access_size = 4,
837         .max_access_size = 4,
838     },
839 };
840 
841 
842 void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type, uint8_t flags,
843                            uint8_t response, uint8_t scsi_status,
844                            uint16_t data_segment_length)
845 {
846     memcpy(&req->rsp_upiu.header, &req->req_upiu.header, sizeof(UtpUpiuHeader));
847     req->rsp_upiu.header.trans_type = trans_type;
848     req->rsp_upiu.header.flags = flags;
849     req->rsp_upiu.header.response = response;
850     req->rsp_upiu.header.scsi_status = scsi_status;
851     req->rsp_upiu.header.data_segment_length = cpu_to_be16(data_segment_length);
852 }
853 
854 static UfsReqResult ufs_exec_scsi_cmd(UfsRequest *req)
855 {
856     UfsHc *u = req->hc;
857     uint8_t lun = req->req_upiu.header.lun;
858 
859     UfsLu *lu = NULL;
860 
861     trace_ufs_exec_scsi_cmd(req->slot, lun, req->req_upiu.sc.cdb[0]);
862 
863     if (!is_wlun(lun) && (lun >= UFS_MAX_LUS || u->lus[lun] == NULL)) {
864         trace_ufs_err_scsi_cmd_invalid_lun(lun);
865         return UFS_REQUEST_FAIL;
866     }
867 
868     switch (lun) {
869     case UFS_UPIU_REPORT_LUNS_WLUN:
870         lu = &u->report_wlu;
871         break;
872     case UFS_UPIU_UFS_DEVICE_WLUN:
873         lu = &u->dev_wlu;
874         break;
875     case UFS_UPIU_BOOT_WLUN:
876         lu = &u->boot_wlu;
877         break;
878     case UFS_UPIU_RPMB_WLUN:
879         lu = &u->rpmb_wlu;
880         break;
881     default:
882         lu = u->lus[lun];
883     }
884 
885     return lu->scsi_op(lu, req);
886 }
887 
888 static UfsReqResult ufs_exec_nop_cmd(UfsRequest *req)
889 {
890     trace_ufs_exec_nop_cmd(req->slot);
891     ufs_build_upiu_header(req, UFS_UPIU_TRANSACTION_NOP_IN, 0, 0, 0, 0);
892     return UFS_REQUEST_SUCCESS;
893 }
894 
895 /*
896  * This defines the permission of flags based on their IDN. There are some
897  * things that are declared read-only, which is inconsistent with the ufs spec,
898  * because we want to return an error for features that are not yet supported.
899  */
900 static const int flag_permission[UFS_QUERY_FLAG_IDN_COUNT] = {
901     [UFS_QUERY_FLAG_IDN_FDEVICEINIT] = UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET,
902     /* Write protection is not supported */
903     [UFS_QUERY_FLAG_IDN_PERMANENT_WPE] = UFS_QUERY_FLAG_READ,
904     [UFS_QUERY_FLAG_IDN_PWR_ON_WPE] = UFS_QUERY_FLAG_READ,
905     [UFS_QUERY_FLAG_IDN_BKOPS_EN] = UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET |
906                                     UFS_QUERY_FLAG_CLEAR |
907                                     UFS_QUERY_FLAG_TOGGLE,
908     [UFS_QUERY_FLAG_IDN_LIFE_SPAN_MODE_ENABLE] =
909         UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET | UFS_QUERY_FLAG_CLEAR |
910         UFS_QUERY_FLAG_TOGGLE,
911     /* Purge Operation is not supported */
912     [UFS_QUERY_FLAG_IDN_PURGE_ENABLE] = UFS_QUERY_FLAG_NONE,
913     /* Refresh Operation is not supported */
914     [UFS_QUERY_FLAG_IDN_REFRESH_ENABLE] = UFS_QUERY_FLAG_NONE,
915     /* Physical Resource Removal is not supported */
916     [UFS_QUERY_FLAG_IDN_FPHYRESOURCEREMOVAL] = UFS_QUERY_FLAG_READ,
917     [UFS_QUERY_FLAG_IDN_BUSY_RTC] = UFS_QUERY_FLAG_READ,
918     [UFS_QUERY_FLAG_IDN_PERMANENTLY_DISABLE_FW_UPDATE] = UFS_QUERY_FLAG_READ,
919     /* Write Booster is not supported */
920     [UFS_QUERY_FLAG_IDN_WB_EN] = UFS_QUERY_FLAG_READ,
921     [UFS_QUERY_FLAG_IDN_WB_BUFF_FLUSH_EN] = UFS_QUERY_FLAG_READ,
922     [UFS_QUERY_FLAG_IDN_WB_BUFF_FLUSH_DURING_HIBERN8] = UFS_QUERY_FLAG_READ,
923 };
924 
925 static inline QueryRespCode ufs_flag_check_idn_valid(uint8_t idn, int op)
926 {
927     if (idn >= UFS_QUERY_FLAG_IDN_COUNT) {
928         return UFS_QUERY_RESULT_INVALID_IDN;
929     }
930 
931     if (!(flag_permission[idn] & op)) {
932         if (op == UFS_QUERY_FLAG_READ) {
933             trace_ufs_err_query_flag_not_readable(idn);
934             return UFS_QUERY_RESULT_NOT_READABLE;
935         }
936         trace_ufs_err_query_flag_not_writable(idn);
937         return UFS_QUERY_RESULT_NOT_WRITEABLE;
938     }
939 
940     return UFS_QUERY_RESULT_SUCCESS;
941 }
942 
943 static const int attr_permission[UFS_QUERY_ATTR_IDN_COUNT] = {
944     /* booting is not supported */
945     [UFS_QUERY_ATTR_IDN_BOOT_LU_EN] = UFS_QUERY_ATTR_READ,
946     [UFS_QUERY_ATTR_IDN_POWER_MODE] = UFS_QUERY_ATTR_READ,
947     [UFS_QUERY_ATTR_IDN_ACTIVE_ICC_LVL] =
948         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
949     [UFS_QUERY_ATTR_IDN_OOO_DATA_EN] = UFS_QUERY_ATTR_READ,
950     [UFS_QUERY_ATTR_IDN_BKOPS_STATUS] = UFS_QUERY_ATTR_READ,
951     [UFS_QUERY_ATTR_IDN_PURGE_STATUS] = UFS_QUERY_ATTR_READ,
952     [UFS_QUERY_ATTR_IDN_MAX_DATA_IN] =
953         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
954     [UFS_QUERY_ATTR_IDN_MAX_DATA_OUT] =
955         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
956     [UFS_QUERY_ATTR_IDN_DYN_CAP_NEEDED] = UFS_QUERY_ATTR_READ,
957     [UFS_QUERY_ATTR_IDN_REF_CLK_FREQ] =
958         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
959     [UFS_QUERY_ATTR_IDN_CONF_DESC_LOCK] = UFS_QUERY_ATTR_READ,
960     [UFS_QUERY_ATTR_IDN_MAX_NUM_OF_RTT] =
961         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
962     [UFS_QUERY_ATTR_IDN_EE_CONTROL] =
963         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
964     [UFS_QUERY_ATTR_IDN_EE_STATUS] = UFS_QUERY_ATTR_READ,
965     [UFS_QUERY_ATTR_IDN_SECONDS_PASSED] = UFS_QUERY_ATTR_WRITE,
966     [UFS_QUERY_ATTR_IDN_CNTX_CONF] = UFS_QUERY_ATTR_READ,
967     [UFS_QUERY_ATTR_IDN_FFU_STATUS] = UFS_QUERY_ATTR_READ,
968     [UFS_QUERY_ATTR_IDN_PSA_STATE] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
969     [UFS_QUERY_ATTR_IDN_PSA_DATA_SIZE] =
970         UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
971     [UFS_QUERY_ATTR_IDN_REF_CLK_GATING_WAIT_TIME] = UFS_QUERY_ATTR_READ,
972     [UFS_QUERY_ATTR_IDN_CASE_ROUGH_TEMP] = UFS_QUERY_ATTR_READ,
973     [UFS_QUERY_ATTR_IDN_HIGH_TEMP_BOUND] = UFS_QUERY_ATTR_READ,
974     [UFS_QUERY_ATTR_IDN_LOW_TEMP_BOUND] = UFS_QUERY_ATTR_READ,
975     [UFS_QUERY_ATTR_IDN_THROTTLING_STATUS] = UFS_QUERY_ATTR_READ,
976     [UFS_QUERY_ATTR_IDN_WB_FLUSH_STATUS] = UFS_QUERY_ATTR_READ,
977     [UFS_QUERY_ATTR_IDN_AVAIL_WB_BUFF_SIZE] = UFS_QUERY_ATTR_READ,
978     [UFS_QUERY_ATTR_IDN_WB_BUFF_LIFE_TIME_EST] = UFS_QUERY_ATTR_READ,
979     [UFS_QUERY_ATTR_IDN_CURR_WB_BUFF_SIZE] = UFS_QUERY_ATTR_READ,
980     /* refresh operation is not supported */
981     [UFS_QUERY_ATTR_IDN_REFRESH_STATUS] = UFS_QUERY_ATTR_READ,
982     [UFS_QUERY_ATTR_IDN_REFRESH_FREQ] = UFS_QUERY_ATTR_READ,
983     [UFS_QUERY_ATTR_IDN_REFRESH_UNIT] = UFS_QUERY_ATTR_READ,
984 };
985 
986 static inline QueryRespCode ufs_attr_check_idn_valid(uint8_t idn, int op)
987 {
988     if (idn >= UFS_QUERY_ATTR_IDN_COUNT) {
989         return UFS_QUERY_RESULT_INVALID_IDN;
990     }
991 
992     if (!(attr_permission[idn] & op)) {
993         if (op == UFS_QUERY_ATTR_READ) {
994             trace_ufs_err_query_attr_not_readable(idn);
995             return UFS_QUERY_RESULT_NOT_READABLE;
996         }
997         trace_ufs_err_query_attr_not_writable(idn);
998         return UFS_QUERY_RESULT_NOT_WRITEABLE;
999     }
1000 
1001     return UFS_QUERY_RESULT_SUCCESS;
1002 }
1003 
1004 static QueryRespCode ufs_exec_query_flag(UfsRequest *req, int op)
1005 {
1006     UfsHc *u = req->hc;
1007     uint8_t idn = req->req_upiu.qr.idn;
1008     uint32_t value;
1009     QueryRespCode ret;
1010 
1011     ret = ufs_flag_check_idn_valid(idn, op);
1012     if (ret) {
1013         return ret;
1014     }
1015 
1016     if (idn == UFS_QUERY_FLAG_IDN_FDEVICEINIT) {
1017         value = 0;
1018     } else if (op == UFS_QUERY_FLAG_READ) {
1019         value = *(((uint8_t *)&u->flags) + idn);
1020     } else if (op == UFS_QUERY_FLAG_SET) {
1021         value = 1;
1022     } else if (op == UFS_QUERY_FLAG_CLEAR) {
1023         value = 0;
1024     } else if (op == UFS_QUERY_FLAG_TOGGLE) {
1025         value = *(((uint8_t *)&u->flags) + idn);
1026         value = !value;
1027     } else {
1028         trace_ufs_err_query_invalid_opcode(op);
1029         return UFS_QUERY_RESULT_INVALID_OPCODE;
1030     }
1031 
1032     *(((uint8_t *)&u->flags) + idn) = value;
1033     req->rsp_upiu.qr.value = cpu_to_be32(value);
1034     return UFS_QUERY_RESULT_SUCCESS;
1035 }
1036 
1037 static uint32_t ufs_read_attr_value(UfsHc *u, uint8_t idn)
1038 {
1039     switch (idn) {
1040     case UFS_QUERY_ATTR_IDN_BOOT_LU_EN:
1041         return u->attributes.boot_lun_en;
1042     case UFS_QUERY_ATTR_IDN_POWER_MODE:
1043         return u->attributes.current_power_mode;
1044     case UFS_QUERY_ATTR_IDN_ACTIVE_ICC_LVL:
1045         return u->attributes.active_icc_level;
1046     case UFS_QUERY_ATTR_IDN_OOO_DATA_EN:
1047         return u->attributes.out_of_order_data_en;
1048     case UFS_QUERY_ATTR_IDN_BKOPS_STATUS:
1049         return u->attributes.background_op_status;
1050     case UFS_QUERY_ATTR_IDN_PURGE_STATUS:
1051         return u->attributes.purge_status;
1052     case UFS_QUERY_ATTR_IDN_MAX_DATA_IN:
1053         return u->attributes.max_data_in_size;
1054     case UFS_QUERY_ATTR_IDN_MAX_DATA_OUT:
1055         return u->attributes.max_data_out_size;
1056     case UFS_QUERY_ATTR_IDN_DYN_CAP_NEEDED:
1057         return be32_to_cpu(u->attributes.dyn_cap_needed);
1058     case UFS_QUERY_ATTR_IDN_REF_CLK_FREQ:
1059         return u->attributes.ref_clk_freq;
1060     case UFS_QUERY_ATTR_IDN_CONF_DESC_LOCK:
1061         return u->attributes.config_descr_lock;
1062     case UFS_QUERY_ATTR_IDN_MAX_NUM_OF_RTT:
1063         return u->attributes.max_num_of_rtt;
1064     case UFS_QUERY_ATTR_IDN_EE_CONTROL:
1065         return be16_to_cpu(u->attributes.exception_event_control);
1066     case UFS_QUERY_ATTR_IDN_EE_STATUS:
1067         return be16_to_cpu(u->attributes.exception_event_status);
1068     case UFS_QUERY_ATTR_IDN_SECONDS_PASSED:
1069         return be32_to_cpu(u->attributes.seconds_passed);
1070     case UFS_QUERY_ATTR_IDN_CNTX_CONF:
1071         return be16_to_cpu(u->attributes.context_conf);
1072     case UFS_QUERY_ATTR_IDN_FFU_STATUS:
1073         return u->attributes.device_ffu_status;
1074     case UFS_QUERY_ATTR_IDN_PSA_STATE:
1075         return be32_to_cpu(u->attributes.psa_state);
1076     case UFS_QUERY_ATTR_IDN_PSA_DATA_SIZE:
1077         return be32_to_cpu(u->attributes.psa_data_size);
1078     case UFS_QUERY_ATTR_IDN_REF_CLK_GATING_WAIT_TIME:
1079         return u->attributes.ref_clk_gating_wait_time;
1080     case UFS_QUERY_ATTR_IDN_CASE_ROUGH_TEMP:
1081         return u->attributes.device_case_rough_temperaure;
1082     case UFS_QUERY_ATTR_IDN_HIGH_TEMP_BOUND:
1083         return u->attributes.device_too_high_temp_boundary;
1084     case UFS_QUERY_ATTR_IDN_LOW_TEMP_BOUND:
1085         return u->attributes.device_too_low_temp_boundary;
1086     case UFS_QUERY_ATTR_IDN_THROTTLING_STATUS:
1087         return u->attributes.throttling_status;
1088     case UFS_QUERY_ATTR_IDN_WB_FLUSH_STATUS:
1089         return u->attributes.wb_buffer_flush_status;
1090     case UFS_QUERY_ATTR_IDN_AVAIL_WB_BUFF_SIZE:
1091         return u->attributes.available_wb_buffer_size;
1092     case UFS_QUERY_ATTR_IDN_WB_BUFF_LIFE_TIME_EST:
1093         return u->attributes.wb_buffer_life_time_est;
1094     case UFS_QUERY_ATTR_IDN_CURR_WB_BUFF_SIZE:
1095         return be32_to_cpu(u->attributes.current_wb_buffer_size);
1096     case UFS_QUERY_ATTR_IDN_REFRESH_STATUS:
1097         return u->attributes.refresh_status;
1098     case UFS_QUERY_ATTR_IDN_REFRESH_FREQ:
1099         return u->attributes.refresh_freq;
1100     case UFS_QUERY_ATTR_IDN_REFRESH_UNIT:
1101         return u->attributes.refresh_unit;
1102     }
1103     return 0;
1104 }
1105 
1106 static void ufs_write_attr_value(UfsHc *u, uint8_t idn, uint32_t value)
1107 {
1108     switch (idn) {
1109     case UFS_QUERY_ATTR_IDN_ACTIVE_ICC_LVL:
1110         u->attributes.active_icc_level = value;
1111         break;
1112     case UFS_QUERY_ATTR_IDN_MAX_DATA_IN:
1113         u->attributes.max_data_in_size = value;
1114         break;
1115     case UFS_QUERY_ATTR_IDN_MAX_DATA_OUT:
1116         u->attributes.max_data_out_size = value;
1117         break;
1118     case UFS_QUERY_ATTR_IDN_REF_CLK_FREQ:
1119         u->attributes.ref_clk_freq = value;
1120         break;
1121     case UFS_QUERY_ATTR_IDN_MAX_NUM_OF_RTT:
1122         u->attributes.max_num_of_rtt = value;
1123         break;
1124     case UFS_QUERY_ATTR_IDN_EE_CONTROL:
1125         u->attributes.exception_event_control = cpu_to_be16(value);
1126         break;
1127     case UFS_QUERY_ATTR_IDN_SECONDS_PASSED:
1128         u->attributes.seconds_passed = cpu_to_be32(value);
1129         break;
1130     case UFS_QUERY_ATTR_IDN_PSA_STATE:
1131         u->attributes.psa_state = value;
1132         break;
1133     case UFS_QUERY_ATTR_IDN_PSA_DATA_SIZE:
1134         u->attributes.psa_data_size = cpu_to_be32(value);
1135         break;
1136     }
1137 }
1138 
1139 static QueryRespCode ufs_exec_query_attr(UfsRequest *req, int op)
1140 {
1141     UfsHc *u = req->hc;
1142     uint8_t idn = req->req_upiu.qr.idn;
1143     uint32_t value;
1144     QueryRespCode ret;
1145 
1146     ret = ufs_attr_check_idn_valid(idn, op);
1147     if (ret) {
1148         return ret;
1149     }
1150 
1151     if (op == UFS_QUERY_ATTR_READ) {
1152         value = ufs_read_attr_value(u, idn);
1153     } else {
1154         value = be32_to_cpu(req->req_upiu.qr.value);
1155         ufs_write_attr_value(u, idn, value);
1156     }
1157 
1158     req->rsp_upiu.qr.value = cpu_to_be32(value);
1159     return UFS_QUERY_RESULT_SUCCESS;
1160 }
1161 
1162 static const RpmbUnitDescriptor rpmb_unit_desc = {
1163     .length = sizeof(RpmbUnitDescriptor),
1164     .descriptor_idn = 2,
1165     .unit_index = UFS_UPIU_RPMB_WLUN,
1166     .lu_enable = 0,
1167 };
1168 
1169 static QueryRespCode ufs_read_unit_desc(UfsRequest *req)
1170 {
1171     UfsHc *u = req->hc;
1172     uint8_t lun = req->req_upiu.qr.index;
1173 
1174     if (lun != UFS_UPIU_RPMB_WLUN &&
1175         (lun >= UFS_MAX_LUS || u->lus[lun] == NULL)) {
1176         trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, lun);
1177         return UFS_QUERY_RESULT_INVALID_INDEX;
1178     }
1179 
1180     if (lun == UFS_UPIU_RPMB_WLUN) {
1181         memcpy(&req->rsp_upiu.qr.data, &rpmb_unit_desc, rpmb_unit_desc.length);
1182     } else {
1183         memcpy(&req->rsp_upiu.qr.data, &u->lus[lun]->unit_desc,
1184                sizeof(u->lus[lun]->unit_desc));
1185     }
1186 
1187     return UFS_QUERY_RESULT_SUCCESS;
1188 }
1189 
1190 static inline StringDescriptor manufacturer_str_desc(void)
1191 {
1192     StringDescriptor desc = {
1193         .length = 0x12,
1194         .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1195     };
1196     desc.UC[0] = cpu_to_be16('R');
1197     desc.UC[1] = cpu_to_be16('E');
1198     desc.UC[2] = cpu_to_be16('D');
1199     desc.UC[3] = cpu_to_be16('H');
1200     desc.UC[4] = cpu_to_be16('A');
1201     desc.UC[5] = cpu_to_be16('T');
1202     return desc;
1203 }
1204 
1205 static inline StringDescriptor product_name_str_desc(void)
1206 {
1207     StringDescriptor desc = {
1208         .length = 0x22,
1209         .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1210     };
1211     desc.UC[0] = cpu_to_be16('Q');
1212     desc.UC[1] = cpu_to_be16('E');
1213     desc.UC[2] = cpu_to_be16('M');
1214     desc.UC[3] = cpu_to_be16('U');
1215     desc.UC[4] = cpu_to_be16(' ');
1216     desc.UC[5] = cpu_to_be16('U');
1217     desc.UC[6] = cpu_to_be16('F');
1218     desc.UC[7] = cpu_to_be16('S');
1219     return desc;
1220 }
1221 
1222 static inline StringDescriptor product_rev_level_str_desc(void)
1223 {
1224     StringDescriptor desc = {
1225         .length = 0x0a,
1226         .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1227     };
1228     desc.UC[0] = cpu_to_be16('0');
1229     desc.UC[1] = cpu_to_be16('0');
1230     desc.UC[2] = cpu_to_be16('0');
1231     desc.UC[3] = cpu_to_be16('1');
1232     return desc;
1233 }
1234 
1235 static const StringDescriptor null_str_desc = {
1236     .length = 0x02,
1237     .descriptor_idn = UFS_QUERY_DESC_IDN_STRING,
1238 };
1239 
1240 static QueryRespCode ufs_read_string_desc(UfsRequest *req)
1241 {
1242     UfsHc *u = req->hc;
1243     uint8_t index = req->req_upiu.qr.index;
1244     StringDescriptor desc;
1245 
1246     if (index == u->device_desc.manufacturer_name) {
1247         desc = manufacturer_str_desc();
1248         memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
1249     } else if (index == u->device_desc.product_name) {
1250         desc = product_name_str_desc();
1251         memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
1252     } else if (index == u->device_desc.serial_number) {
1253         memcpy(&req->rsp_upiu.qr.data, &null_str_desc, null_str_desc.length);
1254     } else if (index == u->device_desc.oem_id) {
1255         memcpy(&req->rsp_upiu.qr.data, &null_str_desc, null_str_desc.length);
1256     } else if (index == u->device_desc.product_revision_level) {
1257         desc = product_rev_level_str_desc();
1258         memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
1259     } else {
1260         trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, index);
1261         return UFS_QUERY_RESULT_INVALID_INDEX;
1262     }
1263     return UFS_QUERY_RESULT_SUCCESS;
1264 }
1265 
1266 static inline InterconnectDescriptor interconnect_desc(void)
1267 {
1268     InterconnectDescriptor desc = {
1269         .length = sizeof(InterconnectDescriptor),
1270         .descriptor_idn = UFS_QUERY_DESC_IDN_INTERCONNECT,
1271     };
1272     desc.bcd_unipro_version = cpu_to_be16(0x180);
1273     desc.bcd_mphy_version = cpu_to_be16(0x410);
1274     return desc;
1275 }
1276 
1277 static QueryRespCode ufs_read_desc(UfsRequest *req)
1278 {
1279     UfsHc *u = req->hc;
1280     QueryRespCode status;
1281     uint8_t idn = req->req_upiu.qr.idn;
1282     uint16_t length = be16_to_cpu(req->req_upiu.qr.length);
1283     InterconnectDescriptor desc;
1284 
1285     switch (idn) {
1286     case UFS_QUERY_DESC_IDN_DEVICE:
1287         memcpy(&req->rsp_upiu.qr.data, &u->device_desc, sizeof(u->device_desc));
1288         status = UFS_QUERY_RESULT_SUCCESS;
1289         break;
1290     case UFS_QUERY_DESC_IDN_UNIT:
1291         status = ufs_read_unit_desc(req);
1292         break;
1293     case UFS_QUERY_DESC_IDN_GEOMETRY:
1294         memcpy(&req->rsp_upiu.qr.data, &u->geometry_desc,
1295                sizeof(u->geometry_desc));
1296         status = UFS_QUERY_RESULT_SUCCESS;
1297         break;
1298     case UFS_QUERY_DESC_IDN_INTERCONNECT: {
1299         desc = interconnect_desc();
1300         memcpy(&req->rsp_upiu.qr.data, &desc, sizeof(InterconnectDescriptor));
1301         status = UFS_QUERY_RESULT_SUCCESS;
1302         break;
1303     }
1304     case UFS_QUERY_DESC_IDN_STRING:
1305         status = ufs_read_string_desc(req);
1306         break;
1307     case UFS_QUERY_DESC_IDN_POWER:
1308         /* mocking of power descriptor is not supported */
1309         memset(&req->rsp_upiu.qr.data, 0, sizeof(PowerParametersDescriptor));
1310         req->rsp_upiu.qr.data[0] = sizeof(PowerParametersDescriptor);
1311         req->rsp_upiu.qr.data[1] = UFS_QUERY_DESC_IDN_POWER;
1312         status = UFS_QUERY_RESULT_SUCCESS;
1313         break;
1314     case UFS_QUERY_DESC_IDN_HEALTH:
1315         /* mocking of health descriptor is not supported */
1316         memset(&req->rsp_upiu.qr.data, 0, sizeof(DeviceHealthDescriptor));
1317         req->rsp_upiu.qr.data[0] = sizeof(DeviceHealthDescriptor);
1318         req->rsp_upiu.qr.data[1] = UFS_QUERY_DESC_IDN_HEALTH;
1319         status = UFS_QUERY_RESULT_SUCCESS;
1320         break;
1321     default:
1322         length = 0;
1323         trace_ufs_err_query_invalid_idn(req->req_upiu.qr.opcode, idn);
1324         status = UFS_QUERY_RESULT_INVALID_IDN;
1325     }
1326 
1327     if (length > req->rsp_upiu.qr.data[0]) {
1328         length = req->rsp_upiu.qr.data[0];
1329     }
1330     req->rsp_upiu.qr.opcode = req->req_upiu.qr.opcode;
1331     req->rsp_upiu.qr.idn = req->req_upiu.qr.idn;
1332     req->rsp_upiu.qr.index = req->req_upiu.qr.index;
1333     req->rsp_upiu.qr.selector = req->req_upiu.qr.selector;
1334     req->rsp_upiu.qr.length = cpu_to_be16(length);
1335 
1336     return status;
1337 }
1338 
1339 static QueryRespCode ufs_exec_query_read(UfsRequest *req)
1340 {
1341     QueryRespCode status;
1342     switch (req->req_upiu.qr.opcode) {
1343     case UFS_UPIU_QUERY_OPCODE_NOP:
1344         status = UFS_QUERY_RESULT_SUCCESS;
1345         break;
1346     case UFS_UPIU_QUERY_OPCODE_READ_DESC:
1347         status = ufs_read_desc(req);
1348         break;
1349     case UFS_UPIU_QUERY_OPCODE_READ_ATTR:
1350         status = ufs_exec_query_attr(req, UFS_QUERY_ATTR_READ);
1351         break;
1352     case UFS_UPIU_QUERY_OPCODE_READ_FLAG:
1353         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_READ);
1354         break;
1355     default:
1356         trace_ufs_err_query_invalid_opcode(req->req_upiu.qr.opcode);
1357         status = UFS_QUERY_RESULT_INVALID_OPCODE;
1358         break;
1359     }
1360 
1361     return status;
1362 }
1363 
1364 static QueryRespCode ufs_exec_query_write(UfsRequest *req)
1365 {
1366     QueryRespCode status;
1367     switch (req->req_upiu.qr.opcode) {
1368     case UFS_UPIU_QUERY_OPCODE_NOP:
1369         status = UFS_QUERY_RESULT_SUCCESS;
1370         break;
1371     case UFS_UPIU_QUERY_OPCODE_WRITE_DESC:
1372         /* write descriptor is not supported */
1373         status = UFS_QUERY_RESULT_NOT_WRITEABLE;
1374         break;
1375     case UFS_UPIU_QUERY_OPCODE_WRITE_ATTR:
1376         status = ufs_exec_query_attr(req, UFS_QUERY_ATTR_WRITE);
1377         break;
1378     case UFS_UPIU_QUERY_OPCODE_SET_FLAG:
1379         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_SET);
1380         break;
1381     case UFS_UPIU_QUERY_OPCODE_CLEAR_FLAG:
1382         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_CLEAR);
1383         break;
1384     case UFS_UPIU_QUERY_OPCODE_TOGGLE_FLAG:
1385         status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_TOGGLE);
1386         break;
1387     default:
1388         trace_ufs_err_query_invalid_opcode(req->req_upiu.qr.opcode);
1389         status = UFS_QUERY_RESULT_INVALID_OPCODE;
1390         break;
1391     }
1392 
1393     return status;
1394 }
1395 
1396 static UfsReqResult ufs_exec_query_cmd(UfsRequest *req)
1397 {
1398     uint8_t query_func = req->req_upiu.header.query_func;
1399     uint16_t data_segment_length;
1400     QueryRespCode status;
1401 
1402     trace_ufs_exec_query_cmd(req->slot, req->req_upiu.qr.opcode);
1403     if (query_func == UFS_UPIU_QUERY_FUNC_STANDARD_READ_REQUEST) {
1404         status = ufs_exec_query_read(req);
1405     } else if (query_func == UFS_UPIU_QUERY_FUNC_STANDARD_WRITE_REQUEST) {
1406         status = ufs_exec_query_write(req);
1407     } else {
1408         status = UFS_QUERY_RESULT_GENERAL_FAILURE;
1409     }
1410 
1411     data_segment_length = be16_to_cpu(req->rsp_upiu.qr.length);
1412     ufs_build_upiu_header(req, UFS_UPIU_TRANSACTION_QUERY_RSP, 0, status, 0,
1413                           data_segment_length);
1414 
1415     if (status != UFS_QUERY_RESULT_SUCCESS) {
1416         return UFS_REQUEST_FAIL;
1417     }
1418     return UFS_REQUEST_SUCCESS;
1419 }
1420 
1421 static void ufs_exec_req(UfsRequest *req)
1422 {
1423     UfsReqResult req_result;
1424 
1425     if (ufs_dma_read_upiu(req)) {
1426         return;
1427     }
1428 
1429     switch (req->req_upiu.header.trans_type) {
1430     case UFS_UPIU_TRANSACTION_NOP_OUT:
1431         req_result = ufs_exec_nop_cmd(req);
1432         break;
1433     case UFS_UPIU_TRANSACTION_COMMAND:
1434         req_result = ufs_exec_scsi_cmd(req);
1435         break;
1436     case UFS_UPIU_TRANSACTION_QUERY_REQ:
1437         req_result = ufs_exec_query_cmd(req);
1438         break;
1439     default:
1440         trace_ufs_err_invalid_trans_code(req->slot,
1441                                          req->req_upiu.header.trans_type);
1442         req_result = UFS_REQUEST_FAIL;
1443     }
1444 
1445     /*
1446      * The ufs_complete_req for scsi commands is handled by the
1447      * ufs_scsi_command_complete() callback function. Therefore, to avoid
1448      * duplicate processing, ufs_complete_req() is not called for scsi commands.
1449      */
1450     if (req_result != UFS_REQUEST_NO_COMPLETE) {
1451         ufs_complete_req(req, req_result);
1452     }
1453 }
1454 
1455 static void ufs_process_req(void *opaque)
1456 {
1457     UfsHc *u = opaque;
1458     UfsRequest *req;
1459     int slot;
1460 
1461     for (slot = 0; slot < u->params.nutrs; slot++) {
1462         req = &u->req_list[slot];
1463 
1464         if (req->state != UFS_REQUEST_READY) {
1465             continue;
1466         }
1467         trace_ufs_process_req(slot);
1468         req->state = UFS_REQUEST_RUNNING;
1469 
1470         ufs_exec_req(req);
1471     }
1472 }
1473 
1474 void ufs_complete_req(UfsRequest *req, UfsReqResult req_result)
1475 {
1476     UfsHc *u = req->hc;
1477     assert(req->state == UFS_REQUEST_RUNNING);
1478 
1479     if (req_result == UFS_REQUEST_SUCCESS) {
1480         req->utrd.header.dword_2 = cpu_to_le32(UFS_OCS_SUCCESS);
1481     } else {
1482         req->utrd.header.dword_2 = cpu_to_le32(UFS_OCS_INVALID_CMD_TABLE_ATTR);
1483     }
1484 
1485     req->state = UFS_REQUEST_COMPLETE;
1486 
1487     if (ufs_mcq_req(req)) {
1488         trace_ufs_mcq_complete_req(req->sq->sqid);
1489         QTAILQ_INSERT_TAIL(&req->sq->cq->req_list, req, entry);
1490         qemu_bh_schedule(req->sq->cq->bh);
1491     } else {
1492         trace_ufs_complete_req(req->slot);
1493         qemu_bh_schedule(u->complete_bh);
1494     }
1495 }
1496 
1497 static void ufs_clear_req(UfsRequest *req)
1498 {
1499     if (req->sg != NULL) {
1500         qemu_sglist_destroy(req->sg);
1501         g_free(req->sg);
1502         req->sg = NULL;
1503         req->data_len = 0;
1504     }
1505 
1506     memset(&req->utrd, 0, sizeof(req->utrd));
1507     memset(&req->req_upiu, 0, sizeof(req->req_upiu));
1508     memset(&req->rsp_upiu, 0, sizeof(req->rsp_upiu));
1509 }
1510 
1511 static void ufs_sendback_req(void *opaque)
1512 {
1513     UfsHc *u = opaque;
1514     UfsRequest *req;
1515     int slot;
1516 
1517     for (slot = 0; slot < u->params.nutrs; slot++) {
1518         req = &u->req_list[slot];
1519 
1520         if (req->state != UFS_REQUEST_COMPLETE) {
1521             continue;
1522         }
1523 
1524         if (ufs_dma_write_upiu(req)) {
1525             req->state = UFS_REQUEST_ERROR;
1526             continue;
1527         }
1528 
1529         /*
1530          * TODO: UTP Transfer Request Interrupt Aggregation Control is not yet
1531          * supported
1532          */
1533         if (le32_to_cpu(req->utrd.header.dword_2) != UFS_OCS_SUCCESS ||
1534             le32_to_cpu(req->utrd.header.dword_0) & UFS_UTP_REQ_DESC_INT_CMD) {
1535             u->reg.is = FIELD_DP32(u->reg.is, IS, UTRCS, 1);
1536         }
1537 
1538         u->reg.utrldbr &= ~(1 << slot);
1539         u->reg.utrlcnr |= (1 << slot);
1540 
1541         trace_ufs_sendback_req(req->slot);
1542 
1543         ufs_clear_req(req);
1544         req->state = UFS_REQUEST_IDLE;
1545     }
1546 
1547     ufs_irq_check(u);
1548 }
1549 
1550 static bool ufs_check_constraints(UfsHc *u, Error **errp)
1551 {
1552     if (u->params.nutrs > UFS_MAX_NUTRS) {
1553         error_setg(errp, "nutrs must be less than or equal to %d",
1554                    UFS_MAX_NUTRS);
1555         return false;
1556     }
1557 
1558     if (u->params.nutmrs > UFS_MAX_NUTMRS) {
1559         error_setg(errp, "nutmrs must be less than or equal to %d",
1560                    UFS_MAX_NUTMRS);
1561         return false;
1562     }
1563 
1564     if (u->params.mcq_maxq >= UFS_MAX_MCQ_QNUM) {
1565         error_setg(errp, "mcq-maxq must be less than %d", UFS_MAX_MCQ_QNUM);
1566         return false;
1567     }
1568 
1569     return true;
1570 }
1571 
1572 static void ufs_init_pci(UfsHc *u, PCIDevice *pci_dev)
1573 {
1574     uint8_t *pci_conf = pci_dev->config;
1575 
1576     pci_conf[PCI_INTERRUPT_PIN] = 1;
1577     pci_config_set_prog_interface(pci_conf, 0x1);
1578 
1579     memory_region_init_io(&u->iomem, OBJECT(u), &ufs_mmio_ops, u, "ufs",
1580                           u->reg_size);
1581     pci_register_bar(pci_dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, &u->iomem);
1582     u->irq = pci_allocate_irq(pci_dev);
1583 }
1584 
1585 static void ufs_init_state(UfsHc *u)
1586 {
1587     u->req_list = g_new0(UfsRequest, u->params.nutrs);
1588 
1589     for (int i = 0; i < u->params.nutrs; i++) {
1590         u->req_list[i].hc = u;
1591         u->req_list[i].slot = i;
1592         u->req_list[i].sg = NULL;
1593         u->req_list[i].state = UFS_REQUEST_IDLE;
1594     }
1595 
1596     u->doorbell_bh = qemu_bh_new_guarded(ufs_process_req, u,
1597                                          &DEVICE(u)->mem_reentrancy_guard);
1598     u->complete_bh = qemu_bh_new_guarded(ufs_sendback_req, u,
1599                                          &DEVICE(u)->mem_reentrancy_guard);
1600 
1601     if (u->params.mcq) {
1602         memset(u->sq, 0, sizeof(u->sq));
1603         memset(u->cq, 0, sizeof(u->cq));
1604     }
1605 }
1606 
1607 static void ufs_init_hc(UfsHc *u)
1608 {
1609     uint32_t cap = 0;
1610     uint32_t mcqconfig = 0;
1611     uint32_t mcqcap = 0;
1612 
1613     u->reg_size = pow2ceil(ufs_reg_size(u));
1614 
1615     memset(&u->reg, 0, sizeof(u->reg));
1616     memset(&u->mcq_reg, 0, sizeof(u->mcq_reg));
1617     memset(&u->mcq_op_reg, 0, sizeof(u->mcq_op_reg));
1618     cap = FIELD_DP32(cap, CAP, NUTRS, (u->params.nutrs - 1));
1619     cap = FIELD_DP32(cap, CAP, RTT, 2);
1620     cap = FIELD_DP32(cap, CAP, NUTMRS, (u->params.nutmrs - 1));
1621     cap = FIELD_DP32(cap, CAP, AUTOH8, 0);
1622     cap = FIELD_DP32(cap, CAP, 64AS, 1);
1623     cap = FIELD_DP32(cap, CAP, OODDS, 0);
1624     cap = FIELD_DP32(cap, CAP, UICDMETMS, 0);
1625     cap = FIELD_DP32(cap, CAP, CS, 0);
1626     cap = FIELD_DP32(cap, CAP, LSDBS, 1);
1627     cap = FIELD_DP32(cap, CAP, MCQS, u->params.mcq);
1628     u->reg.cap = cap;
1629 
1630     if (u->params.mcq) {
1631         mcqconfig = FIELD_DP32(mcqconfig, MCQCONFIG, MAC, 0x1f);
1632         u->reg.mcqconfig = mcqconfig;
1633 
1634         mcqcap = FIELD_DP32(mcqcap, MCQCAP, MAXQ, u->params.mcq_maxq - 1);
1635         mcqcap = FIELD_DP32(mcqcap, MCQCAP, RRP, 1);
1636         mcqcap = FIELD_DP32(mcqcap, MCQCAP, QCFGPTR, UFS_MCQ_QCFGPTR);
1637         u->reg.mcqcap = mcqcap;
1638 
1639         for (int i = 0; i < ARRAY_SIZE(u->mcq_reg); i++) {
1640             uint64_t addr = ufs_mcq_op_reg_addr(u, i);
1641             u->mcq_reg[i].sqdao = addr;
1642             u->mcq_reg[i].sqisao = addr + sizeof(UfsMcqSqReg);
1643             addr += sizeof(UfsMcqSqReg);
1644             u->mcq_reg[i].cqdao = addr + sizeof(UfsMcqSqIntReg);
1645             addr += sizeof(UfsMcqSqIntReg);
1646             u->mcq_reg[i].cqisao = addr + sizeof(UfsMcqCqReg);
1647         }
1648     }
1649     u->reg.ver = UFS_SPEC_VER;
1650 
1651     memset(&u->device_desc, 0, sizeof(DeviceDescriptor));
1652     u->device_desc.length = sizeof(DeviceDescriptor);
1653     u->device_desc.descriptor_idn = UFS_QUERY_DESC_IDN_DEVICE;
1654     u->device_desc.device_sub_class = 0x01;
1655     u->device_desc.number_lu = 0x00;
1656     u->device_desc.number_wlu = 0x04;
1657     /* TODO: Revisit it when Power Management is implemented */
1658     u->device_desc.init_power_mode = 0x01; /* Active Mode */
1659     u->device_desc.high_priority_lun = 0x7F; /* Same Priority */
1660     u->device_desc.spec_version = cpu_to_be16(UFS_SPEC_VER);
1661     u->device_desc.manufacturer_name = 0x00;
1662     u->device_desc.product_name = 0x01;
1663     u->device_desc.serial_number = 0x02;
1664     u->device_desc.oem_id = 0x03;
1665     u->device_desc.ud_0_base_offset = 0x16;
1666     u->device_desc.ud_config_p_length = 0x1A;
1667     u->device_desc.device_rtt_cap = 0x02;
1668     u->device_desc.queue_depth = u->params.nutrs;
1669     u->device_desc.product_revision_level = 0x04;
1670 
1671     memset(&u->geometry_desc, 0, sizeof(GeometryDescriptor));
1672     u->geometry_desc.length = sizeof(GeometryDescriptor);
1673     u->geometry_desc.descriptor_idn = UFS_QUERY_DESC_IDN_GEOMETRY;
1674     u->geometry_desc.max_number_lu = (UFS_MAX_LUS == 32) ? 0x1 : 0x0;
1675     u->geometry_desc.segment_size = cpu_to_be32(0x2000); /* 4KB */
1676     u->geometry_desc.allocation_unit_size = 0x1; /* 4KB */
1677     u->geometry_desc.min_addr_block_size = 0x8; /* 4KB */
1678     u->geometry_desc.max_in_buffer_size = 0x8;
1679     u->geometry_desc.max_out_buffer_size = 0x8;
1680     u->geometry_desc.rpmb_read_write_size = 0x40;
1681     u->geometry_desc.data_ordering =
1682         0x0; /* out-of-order data transfer is not supported */
1683     u->geometry_desc.max_context_id_number = 0x5;
1684     u->geometry_desc.supported_memory_types = cpu_to_be16(0x8001);
1685 
1686     memset(&u->attributes, 0, sizeof(u->attributes));
1687     u->attributes.max_data_in_size = 0x08;
1688     u->attributes.max_data_out_size = 0x08;
1689     u->attributes.ref_clk_freq = 0x01; /* 26 MHz */
1690     /* configure descriptor is not supported */
1691     u->attributes.config_descr_lock = 0x01;
1692     u->attributes.max_num_of_rtt = 0x02;
1693 
1694     memset(&u->flags, 0, sizeof(u->flags));
1695     u->flags.permanently_disable_fw_update = 1;
1696 }
1697 
1698 static void ufs_realize(PCIDevice *pci_dev, Error **errp)
1699 {
1700     UfsHc *u = UFS(pci_dev);
1701 
1702     if (!ufs_check_constraints(u, errp)) {
1703         return;
1704     }
1705 
1706     qbus_init(&u->bus, sizeof(UfsBus), TYPE_UFS_BUS, &pci_dev->qdev,
1707               u->parent_obj.qdev.id);
1708 
1709     ufs_init_state(u);
1710     ufs_init_hc(u);
1711     ufs_init_pci(u, pci_dev);
1712 
1713     ufs_init_wlu(&u->report_wlu, UFS_UPIU_REPORT_LUNS_WLUN);
1714     ufs_init_wlu(&u->dev_wlu, UFS_UPIU_UFS_DEVICE_WLUN);
1715     ufs_init_wlu(&u->boot_wlu, UFS_UPIU_BOOT_WLUN);
1716     ufs_init_wlu(&u->rpmb_wlu, UFS_UPIU_RPMB_WLUN);
1717 }
1718 
1719 static void ufs_exit(PCIDevice *pci_dev)
1720 {
1721     UfsHc *u = UFS(pci_dev);
1722 
1723     qemu_bh_delete(u->doorbell_bh);
1724     qemu_bh_delete(u->complete_bh);
1725 
1726     for (int i = 0; i < u->params.nutrs; i++) {
1727         ufs_clear_req(&u->req_list[i]);
1728     }
1729     g_free(u->req_list);
1730 
1731     for (int i = 0; i < ARRAY_SIZE(u->sq); i++) {
1732         if (u->sq[i]) {
1733             ufs_mcq_delete_sq(u, i);
1734         }
1735     }
1736     for (int i = 0; i < ARRAY_SIZE(u->cq); i++) {
1737         if (u->cq[i]) {
1738             ufs_mcq_delete_cq(u, i);
1739         }
1740     }
1741 }
1742 
1743 static Property ufs_props[] = {
1744     DEFINE_PROP_STRING("serial", UfsHc, params.serial),
1745     DEFINE_PROP_UINT8("nutrs", UfsHc, params.nutrs, 32),
1746     DEFINE_PROP_UINT8("nutmrs", UfsHc, params.nutmrs, 8),
1747     DEFINE_PROP_BOOL("mcq", UfsHc, params.mcq, false),
1748     DEFINE_PROP_UINT8("mcq-maxq", UfsHc, params.mcq_maxq, 2),
1749     DEFINE_PROP_END_OF_LIST(),
1750 };
1751 
1752 static const VMStateDescription ufs_vmstate = {
1753     .name = "ufs",
1754     .unmigratable = 1,
1755 };
1756 
1757 static void ufs_class_init(ObjectClass *oc, void *data)
1758 {
1759     DeviceClass *dc = DEVICE_CLASS(oc);
1760     PCIDeviceClass *pc = PCI_DEVICE_CLASS(oc);
1761 
1762     pc->realize = ufs_realize;
1763     pc->exit = ufs_exit;
1764     pc->vendor_id = PCI_VENDOR_ID_REDHAT;
1765     pc->device_id = PCI_DEVICE_ID_REDHAT_UFS;
1766     pc->class_id = PCI_CLASS_STORAGE_UFS;
1767 
1768     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
1769     dc->desc = "Universal Flash Storage";
1770     device_class_set_props(dc, ufs_props);
1771     dc->vmsd = &ufs_vmstate;
1772 }
1773 
1774 static bool ufs_bus_check_address(BusState *qbus, DeviceState *qdev,
1775                                   Error **errp)
1776 {
1777     if (strcmp(object_get_typename(OBJECT(qdev)), TYPE_UFS_LU) != 0) {
1778         error_setg(errp, "%s cannot be connected to ufs-bus",
1779                    object_get_typename(OBJECT(qdev)));
1780         return false;
1781     }
1782 
1783     return true;
1784 }
1785 
1786 static char *ufs_bus_get_dev_path(DeviceState *dev)
1787 {
1788     BusState *bus = qdev_get_parent_bus(dev);
1789 
1790     return qdev_get_dev_path(bus->parent);
1791 }
1792 
1793 static void ufs_bus_class_init(ObjectClass *class, void *data)
1794 {
1795     BusClass *bc = BUS_CLASS(class);
1796     bc->get_dev_path = ufs_bus_get_dev_path;
1797     bc->check_address = ufs_bus_check_address;
1798 }
1799 
1800 static const TypeInfo ufs_info = {
1801     .name = TYPE_UFS,
1802     .parent = TYPE_PCI_DEVICE,
1803     .class_init = ufs_class_init,
1804     .instance_size = sizeof(UfsHc),
1805     .interfaces = (InterfaceInfo[]){ { INTERFACE_PCIE_DEVICE }, {} },
1806 };
1807 
1808 static const TypeInfo ufs_bus_info = {
1809     .name = TYPE_UFS_BUS,
1810     .parent = TYPE_BUS,
1811     .class_init = ufs_bus_class_init,
1812     .class_size = sizeof(UfsBusClass),
1813     .instance_size = sizeof(UfsBus),
1814 };
1815 
1816 static void ufs_register_types(void)
1817 {
1818     type_register_static(&ufs_info);
1819     type_register_static(&ufs_bus_info);
1820 }
1821 
1822 type_init(ufs_register_types)
1823