1 /*
2 * SMSC LAN9118 Ethernet interface emulation
4 * Copyright (c) 2009 CodeSourcery, LLC.
5 * Written by Paul Brook
7 * This code is licenced under the GNU GPL v2
8 */
10 #include "sysbus.h"
11 #include "net.h"
12 #include "devices.h"
13 #include "sysemu.h"
14 /* For crc32 */
15 #include <zlib.h>
/* Uncomment to build the device model with verbose tracing. */
//#define DEBUG_LAN9118

/*
 * DPRINTF() traces to stdout in DEBUG_LAN9118 builds and expands to
 * nothing otherwise.  BADF() reports an unexpected guest access: debug
 * builds escalate through hw_error(), other builds only print to stderr.
 */
#if defined(DEBUG_LAN9118)
#define DPRINTF(fmt, ...) \
    do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
#define BADF(fmt, ...) \
    do { hw_error("lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
#else
#define DPRINTF(fmt, ...) do {} while(0)
#define BADF(fmt, ...) \
    do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
#endif
/*
 * Control/status register offsets, as decoded by lan9118_readl() and
 * lan9118_writel().
 */
#define CSR_ID_REV          0x50
#define CSR_IRQ_CFG         0x54
#define CSR_INT_STS         0x58
#define CSR_INT_EN          0x5c
#define CSR_BYTE_TEST       0x64
#define CSR_FIFO_INT        0x68
#define CSR_RX_CFG          0x6c
#define CSR_TX_CFG          0x70
#define CSR_HW_CFG          0x74
#define CSR_RX_DP_CTRL      0x78
#define CSR_RX_FIFO_INF     0x7c
#define CSR_TX_FIFO_INF     0x80
#define CSR_PMT_CTRL        0x84
#define CSR_GPIO_CFG        0x88
#define CSR_GPT_CFG         0x8c
#define CSR_GPT_CNT         0x90
#define CSR_WORD_SWAP       0x98
#define CSR_FREE_RUN        0x9c
#define CSR_RX_DROP         0xa0
#define CSR_MAC_CSR_CMD     0xa4
#define CSR_MAC_CSR_DATA    0xa8
#define CSR_AFC_CFG         0xac
#define CSR_E2P_CMD         0xb0
#define CSR_E2P_DATA        0xb4
/* Bits of the IRQ_CFG register. */
#define IRQ_INT         0x00001000
#define IRQ_EN          0x00000100
#define IRQ_POL         0x00000010
#define IRQ_TYPE        0x00000001

/* Bits shared by the INT_STS and INT_EN registers. */
#define SW_INT          0x80000000
#define TXSTOP_INT      0x02000000
#define RXSTOP_INT      0x01000000
#define RXDFH_INT       0x00800000
#define TX_IOC_INT      0x00200000
#define RXD_INT         0x00100000
#define GPT_INT         0x00080000
#define PHY_INT         0x00040000
#define PME_INT         0x00020000
#define TXSO_INT        0x00010000
#define RWT_INT         0x00008000
#define RXE_INT         0x00004000
#define TXE_INT         0x00002000
#define TDFU_INT        0x00000800
#define TDFO_INT        0x00000400
#define TDFA_INT        0x00000200
#define TSFF_INT        0x00000100
#define TSFL_INT        0x00000080
#define RXDF_INT        0x00000040
#define RDFL_INT        0x00000020
#define RSFF_INT        0x00000010
#define RSFL_INT        0x00000008
#define GPIO2_INT       0x00000004
#define GPIO1_INT       0x00000002
#define GPIO0_INT       0x00000001
/* Bits masked out of guest writes to INT_EN. */
#define RESERVED_INT    0x7c001000
/*
 * MAC register indices, selected through the low four bits of
 * MAC_CSR_CMD (see do_mac_read() and do_mac_write()).
 */
#define MAC_CR          1
#define MAC_ADDRH       2
#define MAC_ADDRL       3
#define MAC_HASHH       4
#define MAC_HASHL       5
#define MAC_MII_ACC     6
#define MAC_MII_DATA    7
#define MAC_FLOW        8
#define MAC_VLAN1       9 /* TODO */
#define MAC_VLAN2       10 /* TODO */
#define MAC_WUFF        11 /* TODO */
#define MAC_WUCSR       12 /* TODO */

/* Bits of the MAC_CR register. */
#define MAC_CR_RXALL    0x80000000
#define MAC_CR_RCVOWN   0x00800000
#define MAC_CR_LOOPBK   0x00200000
#define MAC_CR_FDPX     0x00100000
#define MAC_CR_MCPAS    0x00080000
#define MAC_CR_PRMS     0x00040000
#define MAC_CR_INVFILT  0x00020000
#define MAC_CR_PASSBAD  0x00010000
#define MAC_CR_HO       0x00008000
#define MAC_CR_HPFILT   0x00002000
#define MAC_CR_LCOLL    0x00001000
#define MAC_CR_BCAST    0x00000800
#define MAC_CR_DISRTY   0x00000400
#define MAC_CR_PADSTR   0x00000100
#define MAC_CR_BOLMT    0x000000c0
#define MAC_CR_DFCHK    0x00000020
#define MAC_CR_TXEN     0x00000008
#define MAC_CR_RXEN     0x00000004
/* Bits cleared from guest writes to MAC_CR. */
#define MAC_CR_RESERVED 0x7f404213
/* PHY interrupt source/mask bits (PHY registers 29 and 30). */
#define PHY_INT_ENERGYON            0x80
#define PHY_INT_AUTONEG_COMPLETE    0x40
#define PHY_INT_FAULT               0x20
#define PHY_INT_DOWN                0x10
#define PHY_INT_AUTONEG_LP          0x08
#define PHY_INT_PARFAULT            0x04
#define PHY_INT_AUTONEG_PAGE        0x02

/* Enable bit of the general purpose timer in GPT_CFG. */
#define GPT_TIMER_EN                0x20000000
/* Parser state for words written to the TX data FIFO (see tx_fifo_push()). */
enum tx_state {
    TX_IDLE,    /* next word is TX command A */
    TX_B,       /* next word is TX command B */
    TX_DATA     /* next words are offset, payload or padding */
};
/* One outgoing frame while it is being assembled from TX FIFO words. */
typedef struct {
    enum tx_state state;    /* what the next FIFO word means */
    uint32_t cmd_a;         /* latched TX command A (masked) */
    uint32_t cmd_b;         /* latched TX command B */
    int buffer_size;        /* bytes still expected for this segment */
    int offset;             /* leading bytes still to skip */
    int pad;                /* trailing padding words still to skip */
    int fifo_used;          /* FIFO words consumed by this packet */
    int len;                /* bytes stored in data[] so far */
    uint8_t data[2048];     /* frame payload; len must never exceed this */
} LAN9118Packet;
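/*
 * Complete device state of one emulated LAN9118.
 *
 * Every field below is reachable from guest MMIO accesses, so indices
 * derived from guest-written values must be bounded against the array
 * sizes declared here.
 */
typedef struct {
    SysBusDevice busdev;
    NICState *nic;
    NICConf conf;
    qemu_irq irq;
    int mmio_index;
    ptimer_state *timer;

    /* Shadow copies of the control/status registers. */
    uint32_t irq_cfg;
    uint32_t int_sts;
    uint32_t int_en;
    uint32_t fifo_int;
    uint32_t rx_cfg;
    uint32_t tx_cfg;
    uint32_t hw_cfg;
    uint32_t pmt_ctrl;
    uint32_t gpio_cfg;
    uint32_t gpt_cfg;
    uint32_t word_swap;
    uint32_t free_timer_start;
    uint32_t mac_cmd;
    uint32_t mac_data;
    uint32_t afc_cfg;
    uint32_t e2p_cmd;
    uint32_t e2p_data;

    /* MAC registers reached through MAC_CSR_CMD / MAC_CSR_DATA. */
    uint32_t mac_cr;
    uint32_t mac_hashh;
    uint32_t mac_hashl;
    uint32_t mac_mii_acc;
    uint32_t mac_mii_data;
    uint32_t mac_flow;

    /* PHY registers reached through MAC_MII_ACC / MAC_MII_DATA. */
    uint32_t phy_status;
    uint32_t phy_control;
    uint32_t phy_advertise;
    uint32_t phy_int;
    uint32_t phy_int_mask;

    int eeprom_writable;
    /*
     * 128 bytes: the "write all" and "erase all" EEPROM commands in
     * lan9118_eeprom_cmd() touch 128 bytes, which overran the previous
     * 8-byte array and corrupted the fields that follow it.
     */
    uint8_t eeprom[128];

    int tx_fifo_size;
    LAN9118Packet *txp;
    LAN9118Packet tx_packet;

    int tx_status_fifo_used;
    int tx_status_fifo_head;
    uint32_t tx_status_fifo[512];

    int rx_status_fifo_size;
    int rx_status_fifo_used;
    int rx_status_fifo_head;
    uint32_t rx_status_fifo[896];
    int rx_fifo_size;
    int rx_fifo_used;
    int rx_fifo_head;
    uint32_t rx_fifo[3360];
    int rx_packet_size_head;
    int rx_packet_size_tail;
    int rx_packet_size[1024];

    /* Progress through the packet currently being read from the RX FIFO. */
    int rxp_offset;
    int rxp_size;
    int rxp_pad;
} lan9118_state;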
/*
 * Recompute the IRQ_INT flag from the pending/enabled interrupt masks
 * and drive the interrupt line; the line stays low while IRQ_EN is clear.
 */
static void lan9118_update(lan9118_state *s)
{
    /* TODO: Implement FIFO level IRQs. */
    int pending = (s->int_sts & s->int_en) != 0;

    if (pending) {
        s->irq_cfg |= IRQ_INT;
    } else {
        s->irq_cfg &= ~IRQ_INT;
    }
    qemu_set_irq(s->irq, (s->irq_cfg & IRQ_EN) != 0 ? pending : 0);
}
/* Refresh the NIC's info string after the configured MAC address changed. */
static void lan9118_mac_changed(lan9118_state *s)
{
    NICState *nic = s->nic;

    qemu_format_nic_info_str(&nic->nc, s->conf.macaddr.a);
}
/*
 * Load the MAC address from EEPROM bytes 1..6 when byte 0 carries the
 * 0xa5 signature.  Bit 0x10 of e2p_cmd records whether the load succeeded.
 */
static void lan9118_reload_eeprom(lan9118_state *s)
{
    int idx = 0;

    if (s->eeprom[0] != 0xa5) {
        s->e2p_cmd &= ~0x10;
        DPRINTF("MACADDR load failed\n");
        return;
    }

    while (idx < 6) {
        s->conf.macaddr.a[idx] = s->eeprom[idx + 1];
        idx++;
    }
    s->e2p_cmd |= 0x10;
    DPRINTF("MACADDR loaded from eeprom\n");
    lan9118_mac_changed(s);
}
/* Mirror any unmasked PHY interrupt source into INT_STS and update the IRQ. */
static void phy_update_irq(lan9118_state *s)
{
    const uint32_t active = s->phy_int & s->phy_int_mask;

    if (active != 0) {
        s->int_sts |= PHY_INT;
    } else {
        s->int_sts &= ~PHY_INT;
    }
    lan9118_update(s);
}
/*
 * Reflect the backend's link state in the PHY status register and latch
 * the matching PHY interrupt sources.
 */
static void phy_update_link(lan9118_state *s)
{
    /* Autonegotiation status mirrors link status. */
    if (!s->nic->nc.link_down) {
        s->phy_status |= 0x0024;
        s->phy_int |= PHY_INT_ENERGYON | PHY_INT_AUTONEG_COMPLETE;
    } else {
        s->phy_status &= ~0x0024;
        s->phy_int |= PHY_INT_DOWN;
    }
    phy_update_irq(s);
}
/* Net-layer callback: the backend link status changed. */
static void lan9118_set_link(VLANClientState *nc)
{
    lan9118_state *s = DO_UPCAST(NICState, nc, nc)->opaque;

    phy_update_link(s);
}
/* Put the PHY registers back to their reset values and resample the link. */
static void phy_reset(lan9118_state *s)
{
    s->phy_int = 0;
    s->phy_int_mask = 0;
    s->phy_advertise = 0x01e1;
    s->phy_control = 0x3000;
    s->phy_status = 0x7809;
    phy_update_link(s);
}
/*
 * Device reset handler; also invoked for the guest-requested soft reset
 * (HW_CFG bit 0).  Restores register defaults, empties the FIFOs, resets
 * the timer and PHY, then reloads the MAC address from the EEPROM.
 */
static void lan9118_reset(DeviceState *d)
{
    lan9118_state *s = FROM_SYSBUS(lan9118_state, sysbus_from_qdev(d));
    LAN9118Packet *pkt = s->txp;

    /* Control/status registers. */
    s->irq_cfg &= ~(IRQ_TYPE | IRQ_POL);
    s->int_sts = 0;
    s->int_en = 0;
    s->fifo_int = 0x48000000;
    s->rx_cfg = 0;
    s->tx_cfg = 0;
    s->hw_cfg = 0x00050000;
    s->pmt_ctrl &= 0x45;
    s->gpio_cfg = 0;

    /* Transmit path. */
    pkt->state = TX_IDLE;
    pkt->cmd_a = 0xffffffffu;
    pkt->cmd_b = 0xffffffffu;
    pkt->len = 0;
    pkt->fifo_used = 0;
    s->tx_fifo_size = 4608;
    s->tx_status_fifo_used = 0;

    /* Receive path. */
    /* NOTE(review): rx_status_fifo_size is assigned twice; 176 is the
       value that takes effect -- confirm which one is intended. */
    s->rx_status_fifo_size = 704;
    s->rx_fifo_size = 2640;
    s->rx_fifo_used = 0;
    s->rx_status_fifo_size = 176;
    s->rx_status_fifo_used = 0;
    s->rxp_offset = 0;
    s->rxp_size = 0;
    s->rxp_pad = 0;
    s->rx_packet_size_tail = s->rx_packet_size_head;
    s->rx_packet_size[s->rx_packet_size_head] = 0;

    s->mac_cmd = 0;
    s->mac_data = 0;
    s->afc_cfg = 0;
    s->e2p_cmd = 0;
    s->e2p_data = 0;
    s->free_timer_start = qemu_get_clock(vm_clock) / 40;

    /* General purpose timer. */
    ptimer_stop(s->timer);
    ptimer_set_count(s->timer, 0xffff);
    s->gpt_cfg = 0xffff;

    /* MAC registers: promiscuous mode is the only bit set after reset. */
    s->mac_cr = MAC_CR_PRMS;
    s->mac_hashh = 0;
    s->mac_hashl = 0;
    s->mac_mii_acc = 0;
    s->mac_mii_data = 0;
    s->mac_flow = 0;

    phy_reset(s);

    s->eeprom_writable = 0;
    lan9118_reload_eeprom(s);
}
/*
 * Net-layer callback: always reports that a frame may be delivered.
 * Frames that cannot be stored are rejected inside lan9118_receive().
 */
static int lan9118_can_receive(VLANClientState *nc)
{
    (void)nc;
    return 1;
}
/*
 * Append one word to the RX data FIFO ring.
 *
 * No capacity check is made here; lan9118_receive() verifies that enough
 * space is free before pushing a frame.
 * NOTE(review): the slot is wrapped with a single subtraction, so it is
 * only in range while 0 <= rx_fifo_head + rx_fifo_used < 2 * rx_fifo_size;
 * verify that no path can drive rx_fifo_used negative.
 */
static void rx_fifo_push(lan9118_state *s, uint32_t val)
{
    int slot = s->rx_fifo_head + s->rx_fifo_used;

    if (slot >= s->rx_fifo_size) {
        slot -= s->rx_fifo_size;
    }
    s->rx_fifo[slot] = val;
    s->rx_fifo_used++;
}
/*
 * Destination address filter.
 *
 * addr points at the first six bytes of the frame (the destination MAC).
 * Returns nonzero if the packet is accepted by the filter.
 */
static int lan9118_filter(lan9118_state *s, const uint8_t *addr)
{
    const uint32_t cr = s->mac_cr;
    int is_multicast;
    int exact_match;
    uint32_t hash;

    /* Promiscuous mode accepts everything. */
    if (cr & MAC_CR_PRMS) {
        return 1;
    }

    /* Broadcast frames are accepted unless MAC_CR_BCAST is set. */
    if (addr[0] == 0xff && addr[1] == 0xff && addr[2] == 0xff &&
        addr[3] == 0xff && addr[4] == 0xff && addr[5] == 0xff) {
        return (cr & MAC_CR_BCAST) == 0;
    }

    is_multicast = addr[0] & 1;
    if (is_multicast && (cr & MAC_CR_MCPAS)) {
        return 1;
    }

    if (is_multicast) {
        exact_match = (cr & MAC_CR_HPFILT) == 0;
    } else {
        exact_match = (cr & MAC_CR_HO) == 0;
    }

    if (exact_match) {
        /* Exact matching. */
        hash = memcmp(addr, s->conf.macaddr.a, 6);
        return (cr & MAC_CR_INVFILT) ? (hash != 0) : (hash == 0);
    }

    /* Hash matching */
    hash = (crc32(~0, addr, 6) >> 26);
    if (hash & 0x20) {
        return (s->mac_hashh >> (hash & 0x1f)) & 1;
    }
    return (s->mac_hashl >> (hash & 0x1f)) & 1;
}
/*
 * Net-layer callback: store an incoming frame in the RX FIFOs.
 *
 * Returns -1 when the frame cannot be taken (receiver disabled, size
 * outside 14..2047 bytes, or no room in the status or data FIFO) and
 * size when the frame was stored or silently filtered out.
 *
 * The size check is what bounds every later index: it must stay ahead of
 * any use of buf or of the FIFO arithmetic.
 */
static ssize_t lan9118_receive(VLANClientState *nc, const uint8_t *buf,
                               size_t size)
{
    lan9118_state *s = DO_UPCAST(NICState, nc, nc)->opaque;
    uint32_t word = 0;
    uint32_t fcs;
    uint32_t status;
    size_t pos;
    int accepted;
    int words_needed;
    int lane;
    int slot;

    if ((s->mac_cr & MAC_CR_RXEN) == 0) {
        return -1;
    }
    if (size < 14 || size >= 2048) {
        return -1;
    }
    /* TODO: Implement FIFO overflow notification. */
    if (s->rx_status_fifo_used == s->rx_status_fifo_size) {
        return -1;
    }

    accepted = lan9118_filter(s, buf);
    if (!accepted && (s->mac_cr & MAC_CR_RXALL) == 0) {
        return size;
    }

    /* Byte lane at which the payload starts within the first word. */
    lane = ((s->rx_cfg >> 8) & 0x1f) & 3;
    /* Payload words, plus a word for the CRC. */
    words_needed = (size + lane + 3) >> 2;
    words_needed++;
    if (s->rx_fifo_size - s->rx_fifo_used < words_needed) {
        return -1;
    }

    DPRINTF("Got packet len:%d fifo:%d filter:%s\n",
            (int)size, words_needed, accepted ? "pass" : "fail");

    fcs = bswap32(crc32(~0, buf, size));
    for (pos = 0; pos < size; pos++) {
        word = (word >> 8) | ((uint32_t)buf[pos] << 24);
        if (++lane == 4) {
            lane = 0;
            rx_fifo_push(s, word);
            word = 0;
        }
    }
    if (lane != 0) {
        /* The CRC straddles the partially filled word and the next one. */
        word >>= ((4 - lane) * 8);
        word |= fcs << (lane * 8);
        rx_fifo_push(s, word);
        word = fcs >> ((4 - lane) * 8);
        rx_fifo_push(s, word);
    } else {
        rx_fifo_push(s, fcs);
    }

    /* Claim the next status FIFO slot and record the packet length. */
    slot = s->rx_status_fifo_head + s->rx_status_fifo_used;
    if (slot >= s->rx_status_fifo_size) {
        slot -= s->rx_status_fifo_size;
    }
    s->rx_packet_size[s->rx_packet_size_tail] = words_needed;
    s->rx_packet_size_tail = (s->rx_packet_size_tail + 1023) & 1023;
    s->rx_status_fifo_used++;

    status = (size + 4) << 16;
    if (buf[0] == 0xff && buf[1] == 0xff && buf[2] == 0xff &&
        buf[3] == 0xff && buf[4] == 0xff && buf[5] == 0xff) {
        status |= 0x00002000;
    } else if (buf[0] & 1) {
        status |= 0x00000400;
    }
    if (!accepted) {
        status |= 0x40000000;
    }
    s->rx_status_fifo[slot] = status;

    if (s->rx_status_fifo_used > (s->fifo_int & 0xff)) {
        s->int_sts |= RSFL_INT;
    }
    lan9118_update(s);

    return size;
}
/*
 * Return the next word of the RX data stream: leading offset words and
 * trailing padding read as zero, payload words come from the FIFO ring.
 * Reading with nothing queued raises RXE_INT and yields zero.
 *
 * NOTE(review): rx_fifo_used is decremented without checking that it is
 * positive; paths that zero rx_fifo_used while rxp_size is still nonzero
 * would let it go negative -- verify the callers.
 */
static uint32_t rx_fifo_pop(lan9118_state *s)
{
    uint32_t word = 0;

    if (s->rxp_size == 0 && s->rxp_pad == 0) {
        /* Start on the next queued packet, if there is one. */
        s->rxp_size = s->rx_packet_size[s->rx_packet_size_head];
        s->rx_packet_size[s->rx_packet_size_head] = 0;
        if (s->rxp_size != 0) {
            int total;
            int pad;

            s->rx_packet_size_head = (s->rx_packet_size_head + 1023) & 1023;
            s->rxp_offset = (s->rx_cfg >> 10) & 7;
            total = s->rxp_offset + s->rxp_size;
            /* End alignment selected by the top two bits of RX_CFG. */
            switch (s->rx_cfg >> 30) {
            case 1:
                pad = (-total) & 3;
                break;
            case 2:
                pad = (-total) & 7;
                break;
            default:
                pad = 0;
                break;
            }
            s->rxp_pad = pad;
            DPRINTF("Pop packet size:%d offset:%d pad: %d\n",
                    s->rxp_size, s->rxp_offset, s->rxp_pad);
        }
    }

    if (s->rxp_offset > 0) {
        s->rxp_offset--;
    } else if (s->rxp_size > 0) {
        s->rxp_size--;
        word = s->rx_fifo[s->rx_fifo_head++];
        if (s->rx_fifo_head >= s->rx_fifo_size) {
            s->rx_fifo_head -= s->rx_fifo_size;
        }
        s->rx_fifo_used--;
    } else if (s->rxp_pad > 0) {
        s->rxp_pad--;
    } else {
        DPRINTF("RX underflow\n");
        s->int_sts |= RXE_INT;
    }
    lan9118_update(s);
    return word;
}
/*
 * Hand the assembled TX packet to the network (or loop it back into the
 * receive path when PHY loopback is enabled) and queue a TX status word.
 *
 * txp->len bytes of txp->data are passed on as-is, so the code filling
 * the packet is responsible for keeping len within the data buffer.
 */
static void do_tx_packet(lan9118_state *s)
{
    LAN9118Packet *pkt = s->txp;
    uint32_t status;
    int slot;

    /* FIXME: Honor TX disable, and allow queueing of packets. */
    if ((s->phy_control & 0x4000) != 0) {
        /* This assumes the receive routine doesn't touch the VLANClient. */
        lan9118_receive(&s->nic->nc, pkt->data, pkt->len);
    } else {
        qemu_send_packet(&s->nic->nc, pkt->data, pkt->len);
    }
    pkt->fifo_used = 0;

    if (s->tx_status_fifo_used == 512) {
        /* Status FIFO full */
        return;
    }

    /* Add entry to status FIFO. */
    status = pkt->cmd_b & 0xffff0000u;
    DPRINTF("Sent packet tag:%04x len %d\n", status >> 16, pkt->len);
    slot = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
    s->tx_status_fifo[slot] = status;
    s->tx_status_fifo_used++;
    if (s->tx_status_fifo_used == 512) {
        s->int_sts |= TSFF_INT;
        /* TODO: Stop transmission. */
    }
}
/*
 * Read the word at the head of the RX status FIFO and, when the FIFO is
 * not empty, consume it.  An empty FIFO returns whatever is stored at the
 * head slot without changing any state.
 */
static uint32_t rx_status_fifo_pop(lan9118_state *s)
{
    const uint32_t entry = s->rx_status_fifo[s->rx_status_fifo_head];

    if (s->rx_status_fifo_used != 0) {
        s->rx_status_fifo_used--;
        s->rx_status_fifo_head++;
        if (s->rx_status_fifo_head >= s->rx_status_fifo_size) {
            s->rx_status_fifo_head -= s->rx_status_fifo_size;
        }
        /* ??? What value should be returned when the FIFO is empty? */
        DPRINTF("RX status pop 0x%08x\n", entry);
    }
    return entry;
}
/*
 * Read the word at the head of the TX status FIFO and, when the FIFO is
 * not empty, consume it.  The head index wraps within the 512-entry array.
 */
static uint32_t tx_status_fifo_pop(lan9118_state *s)
{
    const uint32_t entry = s->tx_status_fifo[s->tx_status_fifo_head];

    if (s->tx_status_fifo_used != 0) {
        s->tx_status_fifo_used--;
        s->tx_status_fifo_head = (s->tx_status_fifo_head + 1) & 511;
        /* ??? What value should be returned when the FIFO is empty? */
    }
    return entry;
}
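/*
 * Feed one guest-written word from the TX data FIFO window into the
 * transmit parser (command A, command B, then offset/payload/padding).
 *
 * Security: every value handled here is guest controlled.  The packet
 * length is only reset by a "first segment" command, so a guest that
 * keeps sending continuation segments could previously grow txp->len
 * past the end of txp->data[] and overwrite the device state that
 * follows it.  Bytes that do not fit are now dropped and TXE_INT is
 * raised (the choice of interrupt is a modelling decision -- TODO confirm
 * against the datasheet).
 */
static void tx_fifo_push(lan9118_state *s, uint32_t val)
{
    LAN9118Packet *pkt = s->txp;
    int n;

    if (pkt->fifo_used == s->tx_fifo_size) {
        s->int_sts |= TDFO_INT;
        return;
    }
    switch (pkt->state) {
    case TX_IDLE:
        pkt->cmd_a = val & 0x831f37ff;
        pkt->fifo_used++;
        pkt->state = TX_B;
        break;
    case TX_B:
        if (pkt->cmd_a & 0x2000) {
            /* First segment */
            pkt->cmd_b = val;
            pkt->fifo_used++;
            pkt->buffer_size = pkt->cmd_a & 0x7ff;
            pkt->offset = (pkt->cmd_a >> 16) & 0x1f;
            /* End alignment does not include command words. */
            n = (pkt->buffer_size + pkt->offset + 3) >> 2;
            /* NOTE(review): n is a small word count here, so (n >> 24)
               is always zero and pad is always 0; the alignment selector
               was presumably meant to come from cmd_a -- confirm. */
            switch ((n >> 24) & 3) {
            case 1:
                n = (-n) & 3;
                break;
            case 2:
                n = (-n) & 7;
                break;
            default:
                n = 0;
            }
            pkt->pad = n;
            pkt->len = 0;
        }
        DPRINTF("Block len:%d offset:%d pad:%d cmd %08x\n",
                pkt->buffer_size, pkt->offset, pkt->pad,
                pkt->cmd_a);
        pkt->state = TX_DATA;
        break;
    case TX_DATA:
        if (pkt->offset >= 4) {
            pkt->offset -= 4;
            break;
        }
        if (pkt->buffer_size <= 0 && pkt->pad != 0) {
            pkt->pad--;
        } else {
            n = 4;
            while (pkt->offset) {
                val >>= 8;
                n--;
                pkt->offset--;
            }
            /* Documentation is somewhat unclear on the ordering of bytes
               in FIFO words.  Empirical results show it to be little-endian.
               */
            while (n--) {
                if (pkt->len >= 0 && pkt->len < (int)sizeof(pkt->data)) {
                    pkt->data[pkt->len] = val & 0xff;
                    pkt->len++;
                } else {
                    /* Packet buffer full: drop the byte, flag the error. */
                    s->int_sts |= TXE_INT;
                }
                val >>= 8;
                pkt->buffer_size--;
            }
            pkt->fifo_used++;
        }
        if (pkt->buffer_size <= 0 && pkt->pad == 0) {
            if (pkt->cmd_a & 0x1000) {
                do_tx_packet(s);
            }
            if (pkt->cmd_a & 0x80000000) {
                s->int_sts |= TX_IOC_INT;
            }
            pkt->state = TX_IDLE;
        }
        break;
    }
}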
/*
 * Read PHY register reg.  Reading the interrupt source register (29)
 * clears it.  Unimplemented registers are reported through BADF() and
 * read as zero.
 */
static uint32_t do_phy_read(lan9118_state *s, int reg)
{
    uint32_t pending;

    switch (reg) {
    case 0: /* Basic Control */
        return s->phy_control;
    case 1: /* Basic Status */
        return s->phy_status;
    case 2: /* ID1 */
        return 0x0007;
    case 3: /* ID2 */
        return 0xc0d1;
    case 4: /* Auto-neg advertisment */
        return s->phy_advertise;
    case 5: /* Auto-neg Link Partner Ability */
        return 0x0f71;
    case 6: /* Auto-neg Expansion */
        return 1;
        /* TODO 17, 18, 27, 29, 30, 31 */
    case 29: /* Interrupt source. */
        pending = s->phy_int;
        s->phy_int = 0;
        phy_update_irq(s);
        return pending;
    case 30: /* Interrupt mask */
        return s->phy_int_mask;
    default:
        break;
    }
    BADF("PHY read reg %d\n", reg);
    return 0;
}
/*
 * Write val to PHY register reg.  Writes to unimplemented registers are
 * reported through BADF() and otherwise ignored.
 */
static void do_phy_write(lan9118_state *s, int reg, uint32_t val)
{
    switch (reg) {
    case 0: /* Basic Control */
        if (val & 0x8000) {
            /* Reset bit: the rest of the written value is discarded. */
            phy_reset(s);
        } else {
            s->phy_control = val & 0x7980;
            /* Complete autonegotiation imediately. */
            if (val & 0x1000) {
                s->phy_status |= 0x0020;
            }
        }
        break;
    case 4: /* Auto-neg advertisment */
        s->phy_advertise = (val & 0x2d7f) | 0x80;
        break;
        /* TODO 17, 18, 27, 31 */
    case 30: /* Interrupt mask */
        s->phy_int_mask = val & 0xff;
        phy_update_irq(s);
        break;
    default:
        BADF("PHY write reg %d = 0x%04x\n", reg, val);
    }
}
/*
 * Write val to MAC register reg (guest request via MAC_CSR_CMD).
 *
 * NOTE(review): an unimplemented register index ends in hw_error(), so
 * the guest can trigger it at will; confirm that is acceptable for the
 * deployments this model is used in.
 */
static void do_mac_write(lan9118_state *s, int reg, uint32_t val)
{
    int phy_reg;

    switch (reg) {
    case MAC_CR:
        /* Turning the receiver off raises RXSTOP_INT. */
        if ((s->mac_cr & MAC_CR_RXEN) != 0 && (val & MAC_CR_RXEN) == 0) {
            s->int_sts |= RXSTOP_INT;
        }
        s->mac_cr = val & ~MAC_CR_RESERVED;
        DPRINTF("MAC_CR: %08x\n", val);
        break;
    case MAC_ADDRH:
        s->conf.macaddr.a[4] = val & 0xff;
        s->conf.macaddr.a[5] = (val >> 8) & 0xff;
        lan9118_mac_changed(s);
        break;
    case MAC_ADDRL:
        s->conf.macaddr.a[0] = val & 0xff;
        s->conf.macaddr.a[1] = (val >> 8) & 0xff;
        s->conf.macaddr.a[2] = (val >> 16) & 0xff;
        s->conf.macaddr.a[3] = (val >> 24) & 0xff;
        lan9118_mac_changed(s);
        break;
    case MAC_HASHH:
        s->mac_hashh = val;
        break;
    case MAC_HASHL:
        s->mac_hashl = val;
        break;
    case MAC_MII_ACC:
        s->mac_mii_acc = val & 0xffc2;
        /* Bits 10:6 select the PHY register, bit 1 selects write. */
        phy_reg = (val >> 6) & 0x1f;
        if (val & 2) {
            DPRINTF("PHY write %d = 0x%04x\n",
                    (val >> 6) & 0x1f, s->mac_mii_data);
            do_phy_write(s, phy_reg, s->mac_mii_data);
        } else {
            s->mac_mii_data = do_phy_read(s, phy_reg);
            DPRINTF("PHY read %d = 0x%04x\n",
                    (val >> 6) & 0x1f, s->mac_mii_data);
        }
        break;
    case MAC_MII_DATA:
        s->mac_mii_data = val & 0xffff;
        break;
    case MAC_FLOW:
        s->mac_flow = val & 0xffff0000;
        break;
    default:
        hw_error("lan9118: Unimplemented MAC register write: %d = 0x%x\n",
                 s->mac_cmd & 0xf, val);
    }
}
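/*
 * Read MAC register reg (guest request via MAC_CSR_CMD).
 *
 * The MAC address bytes are widened to uint32_t before shifting: a byte
 * of 0x80 or above shifted left by 24 as a plain int overflows, which is
 * undefined behaviour.
 *
 * An unimplemented register index ends in hw_error(), which is expected
 * not to return; the trailing return only keeps every path well defined.
 */
static uint32_t do_mac_read(lan9118_state *s, int reg)
{
    const uint8_t *mac = s->conf.macaddr.a;

    switch (reg) {
    case MAC_CR:
        return s->mac_cr;
    case MAC_ADDRH:
        return (uint32_t)mac[4] | ((uint32_t)mac[5] << 8);
    case MAC_ADDRL:
        return (uint32_t)mac[0] | ((uint32_t)mac[1] << 8)
               | ((uint32_t)mac[2] << 16) | ((uint32_t)mac[3] << 24);
    case MAC_HASHH:
        return s->mac_hashh;
    case MAC_HASHL:
        return s->mac_hashl;
    case MAC_MII_ACC:
        return s->mac_mii_acc;
    case MAC_MII_DATA:
        return s->mac_mii_data;
    case MAC_FLOW:
        return s->mac_flow;
    default:
        hw_error("lan9118: Unimplemented MAC register read: %d\n",
                 s->mac_cmd & 0xf);
    }
    return 0;
}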
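/*
 * Execute an EEPROM controller command written by the guest to E2P_CMD.
 *
 * cmd  is the 3-bit command code.
 * addr is the guest-supplied EEPROM address (up to 0xff from the caller).
 *
 * Security: addr is guest controlled and used to be applied to
 * s->eeprom[] unchecked, and the "all" commands used a hard-coded length
 * of 128, so the guest could read and write device state beyond the
 * array.  Single-address commands outside the array are now ignored and
 * the "all" commands are sized from the array itself.
 *
 * The WRAL case also lacked a break and fell through into ERASE; it now
 * ends on its own.
 */
static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
{
    const int eeprom_size = (int)sizeof(s->eeprom);
    const int addr_ok = addr >= 0 && addr < eeprom_size;
    int i;

    s->e2p_cmd = (s->e2p_cmd & 0x10) | (cmd << 28) | addr;
    switch (cmd) {
    case 0: /* READ */
        if (addr_ok) {
            s->e2p_data = s->eeprom[addr];
            DPRINTF("EEPROM Read %d = 0x%02x\n", addr, s->e2p_data);
        } else {
            DPRINTF("EEPROM Read %d (ignored)\n", addr);
        }
        break;
    case 1: /* EWDS */
        s->eeprom_writable = 0;
        DPRINTF("EEPROM Write Disable\n");
        break;
    case 2: /* EWEN */
        s->eeprom_writable = 1;
        DPRINTF("EEPROM Write Enable\n");
        break;
    case 3: /* WRITE */
        if (s->eeprom_writable && addr_ok) {
            /* Writes can only clear bits, as in the original model. */
            s->eeprom[addr] &= s->e2p_data;
            DPRINTF("EEPROM Write %d = 0x%02x\n", addr, s->e2p_data);
        } else {
            DPRINTF("EEPROM Write %d (ignored)\n", addr);
        }
        break;
    case 4: /* WRAL */
        if (s->eeprom_writable) {
            for (i = 0; i < eeprom_size; i++) {
                s->eeprom[i] &= s->e2p_data;
            }
            DPRINTF("EEPROM Write All 0x%02x\n", s->e2p_data);
        } else {
            DPRINTF("EEPROM Write All (ignored)\n");
        }
        break;
    case 5: /* ERASE */
        if (s->eeprom_writable && addr_ok) {
            s->eeprom[addr] = 0xff;
            DPRINTF("EEPROM Erase %d\n", addr);
        } else {
            DPRINTF("EEPROM Erase %d (ignored)\n", addr);
        }
        break;
    case 6: /* ERAL */
        if (s->eeprom_writable) {
            memset(s->eeprom, 0xff, sizeof(s->eeprom));
            DPRINTF("EEPROM Erase All\n");
        } else {
            DPRINTF("EEPROM Erase All (ignored)\n");
        }
        break;
    case 7: /* RELOAD */
        lan9118_reload_eeprom(s);
        break;
    }
}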
/* Timer callback: latch GPT_INT if the guest enabled it, then update the IRQ. */
static void lan9118_tick(void *opaque)
{
    lan9118_state *s = opaque;

    if ((s->int_en & GPT_INT) != 0) {
        s->int_sts |= GPT_INT;
    }
    lan9118_update(s);
}
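/*
 * MMIO write handler.  offset is reduced to the 0x100-byte register
 * window; offsets 0x20..0x3f feed the TX data FIFO, everything else is a
 * control/status register.
 *
 * Security: offset and val are guest controlled.
 *  - RX_DUMP now also discards the partially read packet (rxp_*).  It
 *    used to zero rx_fifo_used only, so reading the rest of that packet
 *    drove rx_fifo_used negative and a later rx_fifo_push() could index
 *    rx_fifo[] below zero once the head had wrapped.
 *  - NOTE(review): an unknown register offset ends in hw_error(), which
 *    the guest can trigger at will; confirm that is acceptable.
 */
static void lan9118_writel(void *opaque, target_phys_addr_t offset,
                           uint32_t val)
{
    lan9118_state *s = opaque;

    offset &= 0xff;

    //DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, val);
    if (offset >= 0x20 && offset < 0x40) {
        /* TX FIFO */
        tx_fifo_push(s, val);
        return;
    }
    switch (offset) {
    case CSR_IRQ_CFG:
        /* TODO: Implement interrupt deassertion intervals. */
        s->irq_cfg = (s->irq_cfg & IRQ_INT) | (val & IRQ_EN);
        break;
    case CSR_INT_STS:
        /* Write one to clear. */
        s->int_sts &= ~val;
        break;
    case CSR_INT_EN:
        s->int_en = val & ~RESERVED_INT;
        s->int_sts |= val & SW_INT;
        break;
    case CSR_FIFO_INT:
        DPRINTF("FIFO INT levels %08x\n", val);
        s->fifo_int = val;
        break;
    case CSR_RX_CFG:
        if (val & 0x8000) {
            /* RX_DUMP */
            s->rx_fifo_used = 0;
            s->rx_status_fifo_used = 0;
            s->rx_packet_size_tail = s->rx_packet_size_head;
            s->rx_packet_size[s->rx_packet_size_head] = 0;
            /* Drop the packet in progress too, as lan9118_reset() does,
               so the read side cannot consume words that are gone. */
            s->rxp_offset = 0;
            s->rxp_size = 0;
            s->rxp_pad = 0;
        }
        s->rx_cfg = val & 0xcfff1ff0;
        break;
    case CSR_TX_CFG:
        if (val & 0x8000) {
            s->tx_status_fifo_used = 0;
        }
        if (val & 0x4000) {
            s->txp->state = TX_IDLE;
            s->txp->fifo_used = 0;
            s->txp->cmd_a = 0xffffffff;
        }
        s->tx_cfg = val & 6;
        break;
    case CSR_HW_CFG:
        if (val & 1) {
            /* SRST */
            lan9118_reset(&s->busdev.qdev);
        } else {
            s->hw_cfg = val & 0x003f300;
        }
        break;
    case CSR_RX_DP_CTRL:
        if (val & 0x80000000) {
            /* Skip forward to next packet. */
            s->rxp_pad = 0;
            s->rxp_offset = 0;
            if (s->rxp_size == 0) {
                /* Pop a word to start the next packet. */
                rx_fifo_pop(s);
                s->rxp_pad = 0;
                s->rxp_offset = 0;
            }
            /* NOTE(review): the head moves past the packet but rxp_size
               and rx_fifo_used are left as they were -- confirm this is
               the intended accounting. */
            s->rx_fifo_head += s->rxp_size;
            if (s->rx_fifo_head >= s->rx_fifo_size) {
                s->rx_fifo_head -= s->rx_fifo_size;
            }
        }
        break;
    case CSR_PMT_CTRL:
        if (val & 0x400) {
            phy_reset(s);
        }
        s->pmt_ctrl &= ~0x34e;
        s->pmt_ctrl |= (val & 0x34e);
        break;
    case CSR_GPIO_CFG:
        /* Probably just enabling LEDs. */
        s->gpio_cfg = val & 0x7777071f;
        break;
    case CSR_GPT_CFG:
        /* Only act on the timer when the enable bit changes. */
        if ((s->gpt_cfg ^ val) & GPT_TIMER_EN) {
            if (val & GPT_TIMER_EN) {
                ptimer_set_count(s->timer, val & 0xffff);
                ptimer_run(s->timer, 0);
            } else {
                ptimer_stop(s->timer);
                ptimer_set_count(s->timer, 0xffff);
            }
        }
        s->gpt_cfg = val & (GPT_TIMER_EN | 0xffff);
        break;
    case CSR_WORD_SWAP:
        /* Ignored because we're in 32-bit mode. */
        s->word_swap = val;
        break;
    case CSR_MAC_CSR_CMD:
        s->mac_cmd = val & 0x4000000f;
        if (val & 0x80000000) {
            if (val & 0x40000000) {
                s->mac_data = do_mac_read(s, val & 0xf);
                DPRINTF("MAC read %d = 0x%08x\n", val & 0xf, s->mac_data);
            } else {
                DPRINTF("MAC write %d = 0x%08x\n", val & 0xf, s->mac_data);
                do_mac_write(s, val & 0xf, s->mac_data);
            }
        }
        break;
    case CSR_MAC_CSR_DATA:
        s->mac_data = val;
        break;
    case CSR_AFC_CFG:
        s->afc_cfg = val & 0x00ffffff;
        break;
    case CSR_E2P_CMD:
        /* The address byte is passed through unmasked;
           lan9118_eeprom_cmd() is the place that must bound it. */
        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0xff);
        break;
    case CSR_E2P_DATA:
        s->e2p_data = val & 0xff;
        break;

    default:
        hw_error("lan9118_write: Bad reg 0x%x = %x\n", (int)offset, val);
        break;
    }
    lan9118_update(s);
}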
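/*
 * MMIO read handler.  Offsets below 0x20 pop the RX data FIFO; the rest
 * are status FIFO ports and control/status registers.
 *
 * Fix: the RX status peek port (0x44) indexed rx_status_fifo[] with the
 * TX status head; it now uses rx_status_fifo_head, so a peek returns the
 * same entry the following pop at 0x40 would.
 *
 * NOTE(review): unlike lan9118_writel(), offset is not masked with 0xff
 * here; this relies on the 0x100-byte region registered in
 * lan9118_init1().  An unknown offset ends in hw_error(), which the
 * guest can trigger at will.
 */
static uint32_t lan9118_readl(void *opaque, target_phys_addr_t offset)
{
    lan9118_state *s = opaque;

    //DPRINTF("Read reg 0x%02x\n", (int)offset);
    if (offset < 0x20) {
        /* RX FIFO */
        return rx_fifo_pop(s);
    }
    switch (offset) {
    case 0x40: /* RX status FIFO port */
        return rx_status_fifo_pop(s);
    case 0x44: /* RX status FIFO peek */
        return s->rx_status_fifo[s->rx_status_fifo_head];
    case 0x48: /* TX status FIFO port */
        return tx_status_fifo_pop(s);
    case 0x4c: /* TX status FIFO peek */
        return s->tx_status_fifo[s->tx_status_fifo_head];
    case CSR_ID_REV:
        return 0x01180001;
    case CSR_IRQ_CFG:
        return s->irq_cfg;
    case CSR_INT_STS:
        return s->int_sts;
    case CSR_INT_EN:
        return s->int_en;
    case CSR_BYTE_TEST:
        return 0x87654321;
    case CSR_FIFO_INT:
        return s->fifo_int;
    case CSR_RX_CFG:
        return s->rx_cfg;
    case CSR_TX_CFG:
        return s->tx_cfg;
    case CSR_HW_CFG:
        return s->hw_cfg | 0x4;
    case CSR_RX_DP_CTRL:
        return 0;
    case CSR_RX_FIFO_INF:
        return (s->rx_status_fifo_used << 16) | (s->rx_fifo_used << 2);
    case CSR_TX_FIFO_INF:
        return (s->tx_status_fifo_used << 16)
               | (s->tx_fifo_size - s->txp->fifo_used);
    case CSR_PMT_CTRL:
        return s->pmt_ctrl;
    case CSR_GPIO_CFG:
        return s->gpio_cfg;
    case CSR_GPT_CFG:
        return s->gpt_cfg;
    case CSR_GPT_CNT:
        return ptimer_get_count(s->timer);
    case CSR_WORD_SWAP:
        return s->word_swap;
    case CSR_FREE_RUN:
        return (qemu_get_clock(vm_clock) / 40) - s->free_timer_start;
    case CSR_RX_DROP:
        /* TODO: Implement dropped frames counter. */
        return 0;
    case CSR_MAC_CSR_CMD:
        return s->mac_cmd;
    case CSR_MAC_CSR_DATA:
        return s->mac_data;
    case CSR_AFC_CFG:
        return s->afc_cfg;
    case CSR_E2P_CMD:
        return s->e2p_cmd;
    case CSR_E2P_DATA:
        return s->e2p_data;
    }
    hw_error("lan9118_read: Bad reg 0x%x\n", (int)offset);
    return 0;
}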
/* Read handler table: all three entries use the 32-bit handler. */
static CPUReadMemoryFunc * const lan9118_readfn[] = {
    lan9118_readl, lan9118_readl, lan9118_readl
};
/* Write handler table: all three entries use the 32-bit handler. */
static CPUWriteMemoryFunc * const lan9118_writefn[] = {
    lan9118_writel, lan9118_writel, lan9118_writel
};
/* Net-layer callback: the NIC is going away, so drop our pointer to it. */
static void lan9118_cleanup(VLANClientState *nc)
{
    NICState *nic = DO_UPCAST(NICState, nc, nc);
    lan9118_state *s = nic->opaque;

    s->nic = NULL;
}
/* Callbacks this device registers with the net layer. */
static NetClientInfo net_lan9118_info = {
    .type                = NET_CLIENT_TYPE_NIC,
    .size                = sizeof(NICState),
    .can_receive         = lan9118_can_receive,
    .receive             = lan9118_receive,
    .cleanup             = lan9118_cleanup,
    .link_status_changed = lan9118_set_link,
};
/*
 * qdev init: register the 0x100-byte MMIO window and the IRQ, create the
 * NIC, seed the EEPROM with the 0xa5 signature plus the MAC address, and
 * set up the general purpose timer.  Always returns 0.
 */
static int lan9118_init1(SysBusDevice *dev)
{
    lan9118_state *s = FROM_SYSBUS(lan9118_state, dev);
    QEMUBH *bh;
    int idx;

    s->mmio_index = cpu_register_io_memory(lan9118_readfn,
                                           lan9118_writefn, s);
    sysbus_init_mmio(dev, 0x100, s->mmio_index);
    sysbus_init_irq(dev, &s->irq);
    qemu_macaddr_default_if_unset(&s->conf.macaddr);

    s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
                          dev->qdev.info->name, dev->qdev.id, s);
    qemu_format_nic_info_str(&s->nic->nc, s->conf.macaddr.a);

    /* EEPROM layout read back by lan9118_reload_eeprom(). */
    s->eeprom[0] = 0xa5;
    for (idx = 1; idx <= 6; idx++) {
        s->eeprom[idx] = s->conf.macaddr.a[idx - 1];
    }
    s->pmt_ctrl = 1;
    s->txp = &s->tx_packet;

    bh = qemu_bh_new(lan9118_tick, s);
    s->timer = ptimer_init(bh);
    ptimer_set_freq(s->timer, 10000);
    ptimer_set_limit(s->timer, 0xffff, 1);

    /* ??? Save/restore. */
    return 0;
}
/* qdev description of the device: init/reset hooks and NIC properties. */
static SysBusDeviceInfo lan9118_info = {
    .init       = lan9118_init1,
    .qdev.name  = "lan9118",
    .qdev.size  = sizeof(lan9118_state),
    .qdev.reset = lan9118_reset,
    .qdev.props = (Property[]) {
        DEFINE_NIC_PROPERTIES(lan9118_state, conf),
        DEFINE_PROP_END_OF_LIST(),
    }
};
/* Register the "lan9118" sysbus device type together with its properties. */
static void lan9118_register_devices(void)
{
    SysBusDeviceInfo *info = &lan9118_info;

    sysbus_register_withprop(info);
}
/*
 * Legacy helper function.  Should go away when machine config files are
 * implemented.
 *
 * Creates a "lan9118" device for nd, maps its MMIO region at base and
 * connects its interrupt output to irq.
 */
void lan9118_init(NICInfo *nd, uint32_t base, qemu_irq irq)
{
    DeviceState *qdev;
    SysBusDevice *bus_dev;

    qemu_check_nic_model(nd, "lan9118");

    qdev = qdev_create(NULL, "lan9118");
    qdev_set_nic_properties(qdev, nd);
    qdev_init_nofail(qdev);

    bus_dev = sysbus_from_qdev(qdev);
    sysbus_mmio_map(bus_dev, 0, base);
    sysbus_connect_irq(bus_dev, 0, irq);
}
/* Hook lan9118_register_devices() into device registration. */
device_init(lan9118_register_devices)