fuzz: Add support for custom fuzzing library
[qemu/ar7.git] / hw / net / imx_fec.c
blob2c1480404140f525e05b008231cba236ea677864
1 /*
2 * i.MX Fast Ethernet Controller emulation.
4 * Copyright (c) 2013 Jean-Christophe Dubois. <jcd@tribudubois.net>
6 * Based on Coldfire Fast Ethernet Controller emulation.
8 * Copyright (c) 2007 CodeSourcery.
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful, but WITHOUT
16 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
17 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include "qemu/osdep.h"
25 #include "hw/irq.h"
26 #include "hw/net/imx_fec.h"
27 #include "hw/qdev-properties.h"
28 #include "migration/vmstate.h"
29 #include "sysemu/dma.h"
30 #include "qemu/log.h"
31 #include "qemu/module.h"
32 #include "net/checksum.h"
33 #include "net/eth.h"
34 #include "trace.h"
36 /* For crc32 */
37 #include <zlib.h>
39 #define IMX_MAX_DESC 1024
41 static const char *imx_default_reg_name(IMXFECState *s, uint32_t index)
43 static char tmp[20];
44 sprintf(tmp, "index %d", index);
45 return tmp;
48 static const char *imx_fec_reg_name(IMXFECState *s, uint32_t index)
50 switch (index) {
51 case ENET_FRBR:
52 return "FRBR";
53 case ENET_FRSR:
54 return "FRSR";
55 case ENET_MIIGSK_CFGR:
56 return "MIIGSK_CFGR";
57 case ENET_MIIGSK_ENR:
58 return "MIIGSK_ENR";
59 default:
60 return imx_default_reg_name(s, index);
64 static const char *imx_enet_reg_name(IMXFECState *s, uint32_t index)
66 switch (index) {
67 case ENET_RSFL:
68 return "RSFL";
69 case ENET_RSEM:
70 return "RSEM";
71 case ENET_RAEM:
72 return "RAEM";
73 case ENET_RAFL:
74 return "RAFL";
75 case ENET_TSEM:
76 return "TSEM";
77 case ENET_TAEM:
78 return "TAEM";
79 case ENET_TAFL:
80 return "TAFL";
81 case ENET_TIPG:
82 return "TIPG";
83 case ENET_FTRL:
84 return "FTRL";
85 case ENET_TACC:
86 return "TACC";
87 case ENET_RACC:
88 return "RACC";
89 case ENET_ATCR:
90 return "ATCR";
91 case ENET_ATVR:
92 return "ATVR";
93 case ENET_ATOFF:
94 return "ATOFF";
95 case ENET_ATPER:
96 return "ATPER";
97 case ENET_ATCOR:
98 return "ATCOR";
99 case ENET_ATINC:
100 return "ATINC";
101 case ENET_ATSTMP:
102 return "ATSTMP";
103 case ENET_TGSR:
104 return "TGSR";
105 case ENET_TCSR0:
106 return "TCSR0";
107 case ENET_TCCR0:
108 return "TCCR0";
109 case ENET_TCSR1:
110 return "TCSR1";
111 case ENET_TCCR1:
112 return "TCCR1";
113 case ENET_TCSR2:
114 return "TCSR2";
115 case ENET_TCCR2:
116 return "TCCR2";
117 case ENET_TCSR3:
118 return "TCSR3";
119 case ENET_TCCR3:
120 return "TCCR3";
121 default:
122 return imx_default_reg_name(s, index);
126 static const char *imx_eth_reg_name(IMXFECState *s, uint32_t index)
128 switch (index) {
129 case ENET_EIR:
130 return "EIR";
131 case ENET_EIMR:
132 return "EIMR";
133 case ENET_RDAR:
134 return "RDAR";
135 case ENET_TDAR:
136 return "TDAR";
137 case ENET_ECR:
138 return "ECR";
139 case ENET_MMFR:
140 return "MMFR";
141 case ENET_MSCR:
142 return "MSCR";
143 case ENET_MIBC:
144 return "MIBC";
145 case ENET_RCR:
146 return "RCR";
147 case ENET_TCR:
148 return "TCR";
149 case ENET_PALR:
150 return "PALR";
151 case ENET_PAUR:
152 return "PAUR";
153 case ENET_OPD:
154 return "OPD";
155 case ENET_IAUR:
156 return "IAUR";
157 case ENET_IALR:
158 return "IALR";
159 case ENET_GAUR:
160 return "GAUR";
161 case ENET_GALR:
162 return "GALR";
163 case ENET_TFWR:
164 return "TFWR";
165 case ENET_RDSR:
166 return "RDSR";
167 case ENET_TDSR:
168 return "TDSR";
169 case ENET_MRBR:
170 return "MRBR";
171 default:
172 if (s->is_fec) {
173 return imx_fec_reg_name(s, index);
174 } else {
175 return imx_enet_reg_name(s, index);
181 * Versions of this device with more than one TX descriptor save the
182 * 2nd and 3rd descriptors in a subsection, to maintain migration
183 * compatibility with previous versions of the device that only
184 * supported a single descriptor.
186 static bool imx_eth_is_multi_tx_ring(void *opaque)
188 IMXFECState *s = IMX_FEC(opaque);
190 return s->tx_ring_num > 1;
193 static const VMStateDescription vmstate_imx_eth_txdescs = {
194 .name = "imx.fec/txdescs",
195 .version_id = 1,
196 .minimum_version_id = 1,
197 .needed = imx_eth_is_multi_tx_ring,
198 .fields = (VMStateField[]) {
199 VMSTATE_UINT32(tx_descriptor[1], IMXFECState),
200 VMSTATE_UINT32(tx_descriptor[2], IMXFECState),
201 VMSTATE_END_OF_LIST()
205 static const VMStateDescription vmstate_imx_eth = {
206 .name = TYPE_IMX_FEC,
207 .version_id = 2,
208 .minimum_version_id = 2,
209 .fields = (VMStateField[]) {
210 VMSTATE_UINT32_ARRAY(regs, IMXFECState, ENET_MAX),
211 VMSTATE_UINT32(rx_descriptor, IMXFECState),
212 VMSTATE_UINT32(tx_descriptor[0], IMXFECState),
213 VMSTATE_UINT32(phy_status, IMXFECState),
214 VMSTATE_UINT32(phy_control, IMXFECState),
215 VMSTATE_UINT32(phy_advertise, IMXFECState),
216 VMSTATE_UINT32(phy_int, IMXFECState),
217 VMSTATE_UINT32(phy_int_mask, IMXFECState),
218 VMSTATE_END_OF_LIST()
220 .subsections = (const VMStateDescription * []) {
221 &vmstate_imx_eth_txdescs,
222 NULL
226 #define PHY_INT_ENERGYON (1 << 7)
227 #define PHY_INT_AUTONEG_COMPLETE (1 << 6)
228 #define PHY_INT_FAULT (1 << 5)
229 #define PHY_INT_DOWN (1 << 4)
230 #define PHY_INT_AUTONEG_LP (1 << 3)
231 #define PHY_INT_PARFAULT (1 << 2)
232 #define PHY_INT_AUTONEG_PAGE (1 << 1)
234 static void imx_eth_update(IMXFECState *s);
237 * The MII phy could raise a GPIO to the processor which in turn
238 * could be handled as an interrpt by the OS.
239 * For now we don't handle any GPIO/interrupt line, so the OS will
240 * have to poll for the PHY status.
242 static void imx_phy_update_irq(IMXFECState *s)
244 imx_eth_update(s);
247 static void imx_phy_update_link(IMXFECState *s)
249 /* Autonegotiation status mirrors link status. */
250 if (qemu_get_queue(s->nic)->link_down) {
251 trace_imx_phy_update_link("down");
252 s->phy_status &= ~0x0024;
253 s->phy_int |= PHY_INT_DOWN;
254 } else {
255 trace_imx_phy_update_link("up");
256 s->phy_status |= 0x0024;
257 s->phy_int |= PHY_INT_ENERGYON;
258 s->phy_int |= PHY_INT_AUTONEG_COMPLETE;
260 imx_phy_update_irq(s);
263 static void imx_eth_set_link(NetClientState *nc)
265 imx_phy_update_link(IMX_FEC(qemu_get_nic_opaque(nc)));
268 static void imx_phy_reset(IMXFECState *s)
270 trace_imx_phy_reset();
272 s->phy_status = 0x7809;
273 s->phy_control = 0x3000;
274 s->phy_advertise = 0x01e1;
275 s->phy_int_mask = 0;
276 s->phy_int = 0;
277 imx_phy_update_link(s);
280 static uint32_t imx_phy_read(IMXFECState *s, int reg)
282 uint32_t val;
283 uint32_t phy = reg / 32;
285 if (phy != s->phy_num) {
286 qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad phy num %u\n",
287 TYPE_IMX_FEC, __func__, phy);
288 return 0;
291 reg %= 32;
293 switch (reg) {
294 case 0: /* Basic Control */
295 val = s->phy_control;
296 break;
297 case 1: /* Basic Status */
298 val = s->phy_status;
299 break;
300 case 2: /* ID1 */
301 val = 0x0007;
302 break;
303 case 3: /* ID2 */
304 val = 0xc0d1;
305 break;
306 case 4: /* Auto-neg advertisement */
307 val = s->phy_advertise;
308 break;
309 case 5: /* Auto-neg Link Partner Ability */
310 val = 0x0f71;
311 break;
312 case 6: /* Auto-neg Expansion */
313 val = 1;
314 break;
315 case 29: /* Interrupt source. */
316 val = s->phy_int;
317 s->phy_int = 0;
318 imx_phy_update_irq(s);
319 break;
320 case 30: /* Interrupt mask */
321 val = s->phy_int_mask;
322 break;
323 case 17:
324 case 18:
325 case 27:
326 case 31:
327 qemu_log_mask(LOG_UNIMP, "[%s.phy]%s: reg %d not implemented\n",
328 TYPE_IMX_FEC, __func__, reg);
329 val = 0;
330 break;
331 default:
332 qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad address at offset %d\n",
333 TYPE_IMX_FEC, __func__, reg);
334 val = 0;
335 break;
338 trace_imx_phy_read(val, phy, reg);
340 return val;
343 static void imx_phy_write(IMXFECState *s, int reg, uint32_t val)
345 uint32_t phy = reg / 32;
347 if (phy != s->phy_num) {
348 qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad phy num %u\n",
349 TYPE_IMX_FEC, __func__, phy);
350 return;
353 reg %= 32;
355 trace_imx_phy_write(val, phy, reg);
357 switch (reg) {
358 case 0: /* Basic Control */
359 if (val & 0x8000) {
360 imx_phy_reset(s);
361 } else {
362 s->phy_control = val & 0x7980;
363 /* Complete autonegotiation immediately. */
364 if (val & 0x1000) {
365 s->phy_status |= 0x0020;
368 break;
369 case 4: /* Auto-neg advertisement */
370 s->phy_advertise = (val & 0x2d7f) | 0x80;
371 break;
372 case 30: /* Interrupt mask */
373 s->phy_int_mask = val & 0xff;
374 imx_phy_update_irq(s);
375 break;
376 case 17:
377 case 18:
378 case 27:
379 case 31:
380 qemu_log_mask(LOG_UNIMP, "[%s.phy)%s: reg %d not implemented\n",
381 TYPE_IMX_FEC, __func__, reg);
382 break;
383 default:
384 qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad address at offset %d\n",
385 TYPE_IMX_FEC, __func__, reg);
386 break;
390 static void imx_fec_read_bd(IMXFECBufDesc *bd, dma_addr_t addr)
392 dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd));
394 trace_imx_fec_read_bd(addr, bd->flags, bd->length, bd->data);
397 static void imx_fec_write_bd(IMXFECBufDesc *bd, dma_addr_t addr)
399 dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd));
402 static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr)
404 dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd));
406 trace_imx_enet_read_bd(addr, bd->flags, bd->length, bd->data,
407 bd->option, bd->status);
410 static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr)
412 dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd));
415 static void imx_eth_update(IMXFECState *s)
418 * Previous versions of qemu had the ENET_INT_MAC and ENET_INT_TS_TIMER
419 * interrupts swapped. This worked with older versions of Linux (4.14
420 * and older) since Linux associated both interrupt lines with Ethernet
421 * MAC interrupts. Specifically,
422 * - Linux 4.15 and later have separate interrupt handlers for the MAC and
423 * timer interrupts. Those versions of Linux fail with versions of QEMU
424 * with swapped interrupt assignments.
425 * - In linux 4.14, both interrupt lines were registered with the Ethernet
426 * MAC interrupt handler. As a result, all versions of qemu happen to
427 * work, though that is accidental.
428 * - In Linux 4.9 and older, the timer interrupt was registered directly
429 * with the Ethernet MAC interrupt handler. The MAC interrupt was
430 * redirected to a GPIO interrupt to work around erratum ERR006687.
431 * This was implemented using the SOC's IOMUX block. In qemu, this GPIO
432 * interrupt never fired since IOMUX is currently not supported in qemu.
433 * Linux instead received MAC interrupts on the timer interrupt.
434 * As a result, qemu versions with the swapped interrupt assignment work,
435 * albeit accidentally, but qemu versions with the correct interrupt
436 * assignment fail.
438 * To ensure that all versions of Linux work, generate ENET_INT_MAC
439 * interrrupts on both interrupt lines. This should be changed if and when
440 * qemu supports IOMUX.
442 if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] &
443 (ENET_INT_MAC | ENET_INT_TS_TIMER)) {
444 qemu_set_irq(s->irq[1], 1);
445 } else {
446 qemu_set_irq(s->irq[1], 0);
449 if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] & ENET_INT_MAC) {
450 qemu_set_irq(s->irq[0], 1);
451 } else {
452 qemu_set_irq(s->irq[0], 0);
456 static void imx_fec_do_tx(IMXFECState *s)
458 int frame_size = 0, descnt = 0;
459 uint8_t *ptr = s->frame;
460 uint32_t addr = s->tx_descriptor[0];
462 while (descnt++ < IMX_MAX_DESC) {
463 IMXFECBufDesc bd;
464 int len;
466 imx_fec_read_bd(&bd, addr);
467 if ((bd.flags & ENET_BD_R) == 0) {
469 /* Run out of descriptors to transmit. */
470 trace_imx_eth_tx_bd_busy();
472 break;
474 len = bd.length;
475 if (frame_size + len > ENET_MAX_FRAME_SIZE) {
476 len = ENET_MAX_FRAME_SIZE - frame_size;
477 s->regs[ENET_EIR] |= ENET_INT_BABT;
479 dma_memory_read(&address_space_memory, bd.data, ptr, len);
480 ptr += len;
481 frame_size += len;
482 if (bd.flags & ENET_BD_L) {
483 /* Last buffer in frame. */
484 qemu_send_packet(qemu_get_queue(s->nic), s->frame, frame_size);
485 ptr = s->frame;
486 frame_size = 0;
487 s->regs[ENET_EIR] |= ENET_INT_TXF;
489 s->regs[ENET_EIR] |= ENET_INT_TXB;
490 bd.flags &= ~ENET_BD_R;
491 /* Write back the modified descriptor. */
492 imx_fec_write_bd(&bd, addr);
493 /* Advance to the next descriptor. */
494 if ((bd.flags & ENET_BD_W) != 0) {
495 addr = s->regs[ENET_TDSR];
496 } else {
497 addr += sizeof(bd);
501 s->tx_descriptor[0] = addr;
503 imx_eth_update(s);
506 static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
508 int frame_size = 0, descnt = 0;
510 uint8_t *ptr = s->frame;
511 uint32_t addr, int_txb, int_txf, tdsr;
512 size_t ring;
514 switch (index) {
515 case ENET_TDAR:
516 ring = 0;
517 int_txb = ENET_INT_TXB;
518 int_txf = ENET_INT_TXF;
519 tdsr = ENET_TDSR;
520 break;
521 case ENET_TDAR1:
522 ring = 1;
523 int_txb = ENET_INT_TXB1;
524 int_txf = ENET_INT_TXF1;
525 tdsr = ENET_TDSR1;
526 break;
527 case ENET_TDAR2:
528 ring = 2;
529 int_txb = ENET_INT_TXB2;
530 int_txf = ENET_INT_TXF2;
531 tdsr = ENET_TDSR2;
532 break;
533 default:
534 qemu_log_mask(LOG_GUEST_ERROR,
535 "%s: bogus value for index %x\n",
536 __func__, index);
537 abort();
538 break;
541 addr = s->tx_descriptor[ring];
543 while (descnt++ < IMX_MAX_DESC) {
544 IMXENETBufDesc bd;
545 int len;
547 imx_enet_read_bd(&bd, addr);
548 if ((bd.flags & ENET_BD_R) == 0) {
549 /* Run out of descriptors to transmit. */
551 trace_imx_eth_tx_bd_busy();
553 break;
555 len = bd.length;
556 if (frame_size + len > ENET_MAX_FRAME_SIZE) {
557 len = ENET_MAX_FRAME_SIZE - frame_size;
558 s->regs[ENET_EIR] |= ENET_INT_BABT;
560 dma_memory_read(&address_space_memory, bd.data, ptr, len);
561 ptr += len;
562 frame_size += len;
563 if (bd.flags & ENET_BD_L) {
564 if (bd.option & ENET_BD_PINS) {
565 struct ip_header *ip_hd = PKT_GET_IP_HDR(s->frame);
566 if (IP_HEADER_VERSION(ip_hd) == 4) {
567 net_checksum_calculate(s->frame, frame_size);
570 if (bd.option & ENET_BD_IINS) {
571 struct ip_header *ip_hd = PKT_GET_IP_HDR(s->frame);
572 /* We compute checksum only for IPv4 frames */
573 if (IP_HEADER_VERSION(ip_hd) == 4) {
574 uint16_t csum;
575 ip_hd->ip_sum = 0;
576 csum = net_raw_checksum((uint8_t *)ip_hd, sizeof(*ip_hd));
577 ip_hd->ip_sum = cpu_to_be16(csum);
580 /* Last buffer in frame. */
582 qemu_send_packet(qemu_get_queue(s->nic), s->frame, frame_size);
583 ptr = s->frame;
585 frame_size = 0;
586 if (bd.option & ENET_BD_TX_INT) {
587 s->regs[ENET_EIR] |= int_txf;
589 /* Indicate that we've updated the last buffer descriptor. */
590 bd.last_buffer = ENET_BD_BDU;
592 if (bd.option & ENET_BD_TX_INT) {
593 s->regs[ENET_EIR] |= int_txb;
595 bd.flags &= ~ENET_BD_R;
596 /* Write back the modified descriptor. */
597 imx_enet_write_bd(&bd, addr);
598 /* Advance to the next descriptor. */
599 if ((bd.flags & ENET_BD_W) != 0) {
600 addr = s->regs[tdsr];
601 } else {
602 addr += sizeof(bd);
606 s->tx_descriptor[ring] = addr;
608 imx_eth_update(s);
611 static void imx_eth_do_tx(IMXFECState *s, uint32_t index)
613 if (!s->is_fec && (s->regs[ENET_ECR] & ENET_ECR_EN1588)) {
614 imx_enet_do_tx(s, index);
615 } else {
616 imx_fec_do_tx(s);
620 static void imx_eth_enable_rx(IMXFECState *s, bool flush)
622 IMXFECBufDesc bd;
624 imx_fec_read_bd(&bd, s->rx_descriptor);
626 s->regs[ENET_RDAR] = (bd.flags & ENET_BD_E) ? ENET_RDAR_RDAR : 0;
628 if (!s->regs[ENET_RDAR]) {
629 trace_imx_eth_rx_bd_full();
630 } else if (flush) {
631 qemu_flush_queued_packets(qemu_get_queue(s->nic));
635 static void imx_eth_reset(DeviceState *d)
637 IMXFECState *s = IMX_FEC(d);
639 /* Reset the Device */
640 memset(s->regs, 0, sizeof(s->regs));
641 s->regs[ENET_ECR] = 0xf0000000;
642 s->regs[ENET_MIBC] = 0xc0000000;
643 s->regs[ENET_RCR] = 0x05ee0001;
644 s->regs[ENET_OPD] = 0x00010000;
646 s->regs[ENET_PALR] = (s->conf.macaddr.a[0] << 24)
647 | (s->conf.macaddr.a[1] << 16)
648 | (s->conf.macaddr.a[2] << 8)
649 | s->conf.macaddr.a[3];
650 s->regs[ENET_PAUR] = (s->conf.macaddr.a[4] << 24)
651 | (s->conf.macaddr.a[5] << 16)
652 | 0x8808;
654 if (s->is_fec) {
655 s->regs[ENET_FRBR] = 0x00000600;
656 s->regs[ENET_FRSR] = 0x00000500;
657 s->regs[ENET_MIIGSK_ENR] = 0x00000006;
658 } else {
659 s->regs[ENET_RAEM] = 0x00000004;
660 s->regs[ENET_RAFL] = 0x00000004;
661 s->regs[ENET_TAEM] = 0x00000004;
662 s->regs[ENET_TAFL] = 0x00000008;
663 s->regs[ENET_TIPG] = 0x0000000c;
664 s->regs[ENET_FTRL] = 0x000007ff;
665 s->regs[ENET_ATPER] = 0x3b9aca00;
668 s->rx_descriptor = 0;
669 memset(s->tx_descriptor, 0, sizeof(s->tx_descriptor));
671 /* We also reset the PHY */
672 imx_phy_reset(s);
675 static uint32_t imx_default_read(IMXFECState *s, uint32_t index)
677 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Bad register at offset 0x%"
678 PRIx32 "\n", TYPE_IMX_FEC, __func__, index * 4);
679 return 0;
682 static uint32_t imx_fec_read(IMXFECState *s, uint32_t index)
684 switch (index) {
685 case ENET_FRBR:
686 case ENET_FRSR:
687 case ENET_MIIGSK_CFGR:
688 case ENET_MIIGSK_ENR:
689 return s->regs[index];
690 default:
691 return imx_default_read(s, index);
695 static uint32_t imx_enet_read(IMXFECState *s, uint32_t index)
697 switch (index) {
698 case ENET_RSFL:
699 case ENET_RSEM:
700 case ENET_RAEM:
701 case ENET_RAFL:
702 case ENET_TSEM:
703 case ENET_TAEM:
704 case ENET_TAFL:
705 case ENET_TIPG:
706 case ENET_FTRL:
707 case ENET_TACC:
708 case ENET_RACC:
709 case ENET_ATCR:
710 case ENET_ATVR:
711 case ENET_ATOFF:
712 case ENET_ATPER:
713 case ENET_ATCOR:
714 case ENET_ATINC:
715 case ENET_ATSTMP:
716 case ENET_TGSR:
717 case ENET_TCSR0:
718 case ENET_TCCR0:
719 case ENET_TCSR1:
720 case ENET_TCCR1:
721 case ENET_TCSR2:
722 case ENET_TCCR2:
723 case ENET_TCSR3:
724 case ENET_TCCR3:
725 return s->regs[index];
726 default:
727 return imx_default_read(s, index);
731 static uint64_t imx_eth_read(void *opaque, hwaddr offset, unsigned size)
733 uint32_t value = 0;
734 IMXFECState *s = IMX_FEC(opaque);
735 uint32_t index = offset >> 2;
737 switch (index) {
738 case ENET_EIR:
739 case ENET_EIMR:
740 case ENET_RDAR:
741 case ENET_TDAR:
742 case ENET_ECR:
743 case ENET_MMFR:
744 case ENET_MSCR:
745 case ENET_MIBC:
746 case ENET_RCR:
747 case ENET_TCR:
748 case ENET_PALR:
749 case ENET_PAUR:
750 case ENET_OPD:
751 case ENET_IAUR:
752 case ENET_IALR:
753 case ENET_GAUR:
754 case ENET_GALR:
755 case ENET_TFWR:
756 case ENET_RDSR:
757 case ENET_TDSR:
758 case ENET_MRBR:
759 value = s->regs[index];
760 break;
761 default:
762 if (s->is_fec) {
763 value = imx_fec_read(s, index);
764 } else {
765 value = imx_enet_read(s, index);
767 break;
770 trace_imx_eth_read(index, imx_eth_reg_name(s, index), value);
772 return value;
775 static void imx_default_write(IMXFECState *s, uint32_t index, uint32_t value)
777 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Bad address at offset 0x%"
778 PRIx32 "\n", TYPE_IMX_FEC, __func__, index * 4);
779 return;
782 static void imx_fec_write(IMXFECState *s, uint32_t index, uint32_t value)
784 switch (index) {
785 case ENET_FRBR:
786 /* FRBR is read only */
787 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Register FRBR is read only\n",
788 TYPE_IMX_FEC, __func__);
789 break;
790 case ENET_FRSR:
791 s->regs[index] = (value & 0x000003fc) | 0x00000400;
792 break;
793 case ENET_MIIGSK_CFGR:
794 s->regs[index] = value & 0x00000053;
795 break;
796 case ENET_MIIGSK_ENR:
797 s->regs[index] = (value & 0x00000002) ? 0x00000006 : 0;
798 break;
799 default:
800 imx_default_write(s, index, value);
801 break;
805 static void imx_enet_write(IMXFECState *s, uint32_t index, uint32_t value)
807 switch (index) {
808 case ENET_RSFL:
809 case ENET_RSEM:
810 case ENET_RAEM:
811 case ENET_RAFL:
812 case ENET_TSEM:
813 case ENET_TAEM:
814 case ENET_TAFL:
815 s->regs[index] = value & 0x000001ff;
816 break;
817 case ENET_TIPG:
818 s->regs[index] = value & 0x0000001f;
819 break;
820 case ENET_FTRL:
821 s->regs[index] = value & 0x00003fff;
822 break;
823 case ENET_TACC:
824 s->regs[index] = value & 0x00000019;
825 break;
826 case ENET_RACC:
827 s->regs[index] = value & 0x000000C7;
828 break;
829 case ENET_ATCR:
830 s->regs[index] = value & 0x00002a9d;
831 break;
832 case ENET_ATVR:
833 case ENET_ATOFF:
834 case ENET_ATPER:
835 s->regs[index] = value;
836 break;
837 case ENET_ATSTMP:
838 /* ATSTMP is read only */
839 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Register ATSTMP is read only\n",
840 TYPE_IMX_FEC, __func__);
841 break;
842 case ENET_ATCOR:
843 s->regs[index] = value & 0x7fffffff;
844 break;
845 case ENET_ATINC:
846 s->regs[index] = value & 0x00007f7f;
847 break;
848 case ENET_TGSR:
849 /* implement clear timer flag */
850 s->regs[index] &= ~(value & 0x0000000f); /* all bits W1C */
851 break;
852 case ENET_TCSR0:
853 case ENET_TCSR1:
854 case ENET_TCSR2:
855 case ENET_TCSR3:
856 s->regs[index] &= ~(value & 0x00000080); /* W1C bits */
857 s->regs[index] &= ~0x0000007d; /* writable fields */
858 s->regs[index] |= (value & 0x0000007d);
859 break;
860 case ENET_TCCR0:
861 case ENET_TCCR1:
862 case ENET_TCCR2:
863 case ENET_TCCR3:
864 s->regs[index] = value;
865 break;
866 default:
867 imx_default_write(s, index, value);
868 break;
872 static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
873 unsigned size)
875 IMXFECState *s = IMX_FEC(opaque);
876 const bool single_tx_ring = !imx_eth_is_multi_tx_ring(s);
877 uint32_t index = offset >> 2;
879 trace_imx_eth_write(index, imx_eth_reg_name(s, index), value);
881 switch (index) {
882 case ENET_EIR:
883 s->regs[index] &= ~value;
884 break;
885 case ENET_EIMR:
886 s->regs[index] = value;
887 break;
888 case ENET_RDAR:
889 if (s->regs[ENET_ECR] & ENET_ECR_ETHEREN) {
890 if (!s->regs[index]) {
891 imx_eth_enable_rx(s, true);
893 } else {
894 s->regs[index] = 0;
896 break;
897 case ENET_TDAR1:
898 case ENET_TDAR2:
899 if (unlikely(single_tx_ring)) {
900 qemu_log_mask(LOG_GUEST_ERROR,
901 "[%s]%s: trying to access TDAR2 or TDAR1\n",
902 TYPE_IMX_FEC, __func__);
903 return;
905 /* fall through */
906 case ENET_TDAR:
907 if (s->regs[ENET_ECR] & ENET_ECR_ETHEREN) {
908 s->regs[index] = ENET_TDAR_TDAR;
909 imx_eth_do_tx(s, index);
911 s->regs[index] = 0;
912 break;
913 case ENET_ECR:
914 if (value & ENET_ECR_RESET) {
915 return imx_eth_reset(DEVICE(s));
917 s->regs[index] = value;
918 if ((s->regs[index] & ENET_ECR_ETHEREN) == 0) {
919 s->regs[ENET_RDAR] = 0;
920 s->rx_descriptor = s->regs[ENET_RDSR];
921 s->regs[ENET_TDAR] = 0;
922 s->regs[ENET_TDAR1] = 0;
923 s->regs[ENET_TDAR2] = 0;
924 s->tx_descriptor[0] = s->regs[ENET_TDSR];
925 s->tx_descriptor[1] = s->regs[ENET_TDSR1];
926 s->tx_descriptor[2] = s->regs[ENET_TDSR2];
928 break;
929 case ENET_MMFR:
930 s->regs[index] = value;
931 if (extract32(value, 29, 1)) {
932 /* This is a read operation */
933 s->regs[ENET_MMFR] = deposit32(s->regs[ENET_MMFR], 0, 16,
934 imx_phy_read(s,
935 extract32(value,
936 18, 10)));
937 } else {
938 /* This is a write operation */
939 imx_phy_write(s, extract32(value, 18, 10), extract32(value, 0, 16));
941 /* raise the interrupt as the PHY operation is done */
942 s->regs[ENET_EIR] |= ENET_INT_MII;
943 break;
944 case ENET_MSCR:
945 s->regs[index] = value & 0xfe;
946 break;
947 case ENET_MIBC:
948 /* TODO: Implement MIB. */
949 s->regs[index] = (value & 0x80000000) ? 0xc0000000 : 0;
950 break;
951 case ENET_RCR:
952 s->regs[index] = value & 0x07ff003f;
953 /* TODO: Implement LOOP mode. */
954 break;
955 case ENET_TCR:
956 /* We transmit immediately, so raise GRA immediately. */
957 s->regs[index] = value;
958 if (value & 1) {
959 s->regs[ENET_EIR] |= ENET_INT_GRA;
961 break;
962 case ENET_PALR:
963 s->regs[index] = value;
964 s->conf.macaddr.a[0] = value >> 24;
965 s->conf.macaddr.a[1] = value >> 16;
966 s->conf.macaddr.a[2] = value >> 8;
967 s->conf.macaddr.a[3] = value;
968 break;
969 case ENET_PAUR:
970 s->regs[index] = (value | 0x0000ffff) & 0xffff8808;
971 s->conf.macaddr.a[4] = value >> 24;
972 s->conf.macaddr.a[5] = value >> 16;
973 break;
974 case ENET_OPD:
975 s->regs[index] = (value & 0x0000ffff) | 0x00010000;
976 break;
977 case ENET_IAUR:
978 case ENET_IALR:
979 case ENET_GAUR:
980 case ENET_GALR:
981 /* TODO: implement MAC hash filtering. */
982 break;
983 case ENET_TFWR:
984 if (s->is_fec) {
985 s->regs[index] = value & 0x3;
986 } else {
987 s->regs[index] = value & 0x13f;
989 break;
990 case ENET_RDSR:
991 if (s->is_fec) {
992 s->regs[index] = value & ~3;
993 } else {
994 s->regs[index] = value & ~7;
996 s->rx_descriptor = s->regs[index];
997 break;
998 case ENET_TDSR:
999 if (s->is_fec) {
1000 s->regs[index] = value & ~3;
1001 } else {
1002 s->regs[index] = value & ~7;
1004 s->tx_descriptor[0] = s->regs[index];
1005 break;
1006 case ENET_TDSR1:
1007 if (unlikely(single_tx_ring)) {
1008 qemu_log_mask(LOG_GUEST_ERROR,
1009 "[%s]%s: trying to access TDSR1\n",
1010 TYPE_IMX_FEC, __func__);
1011 return;
1014 s->regs[index] = value & ~7;
1015 s->tx_descriptor[1] = s->regs[index];
1016 break;
1017 case ENET_TDSR2:
1018 if (unlikely(single_tx_ring)) {
1019 qemu_log_mask(LOG_GUEST_ERROR,
1020 "[%s]%s: trying to access TDSR2\n",
1021 TYPE_IMX_FEC, __func__);
1022 return;
1025 s->regs[index] = value & ~7;
1026 s->tx_descriptor[2] = s->regs[index];
1027 break;
1028 case ENET_MRBR:
1029 s->regs[index] = value & 0x00003ff0;
1030 break;
1031 default:
1032 if (s->is_fec) {
1033 imx_fec_write(s, index, value);
1034 } else {
1035 imx_enet_write(s, index, value);
1037 return;
1040 imx_eth_update(s);
1043 static bool imx_eth_can_receive(NetClientState *nc)
1045 IMXFECState *s = IMX_FEC(qemu_get_nic_opaque(nc));
1047 return !!s->regs[ENET_RDAR];
1050 static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf,
1051 size_t len)
1053 IMXFECState *s = IMX_FEC(qemu_get_nic_opaque(nc));
1054 IMXFECBufDesc bd;
1055 uint32_t flags = 0;
1056 uint32_t addr;
1057 uint32_t crc;
1058 uint32_t buf_addr;
1059 uint8_t *crc_ptr;
1060 unsigned int buf_len;
1061 size_t size = len;
1063 trace_imx_fec_receive(size);
1065 if (!s->regs[ENET_RDAR]) {
1066 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Unexpected packet\n",
1067 TYPE_IMX_FEC, __func__);
1068 return 0;
1071 /* 4 bytes for the CRC. */
1072 size += 4;
1073 crc = cpu_to_be32(crc32(~0, buf, size));
1074 crc_ptr = (uint8_t *) &crc;
1076 /* Huge frames are truncated. */
1077 if (size > ENET_MAX_FRAME_SIZE) {
1078 size = ENET_MAX_FRAME_SIZE;
1079 flags |= ENET_BD_TR | ENET_BD_LG;
1082 /* Frames larger than the user limit just set error flags. */
1083 if (size > (s->regs[ENET_RCR] >> 16)) {
1084 flags |= ENET_BD_LG;
1087 addr = s->rx_descriptor;
1088 while (size > 0) {
1089 imx_fec_read_bd(&bd, addr);
1090 if ((bd.flags & ENET_BD_E) == 0) {
1091 /* No descriptors available. Bail out. */
1093 * FIXME: This is wrong. We should probably either
1094 * save the remainder for when more RX buffers are
1095 * available, or flag an error.
1097 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Lost end of frame\n",
1098 TYPE_IMX_FEC, __func__);
1099 break;
1101 buf_len = (size <= s->regs[ENET_MRBR]) ? size : s->regs[ENET_MRBR];
1102 bd.length = buf_len;
1103 size -= buf_len;
1105 trace_imx_fec_receive_len(addr, bd.length);
1107 /* The last 4 bytes are the CRC. */
1108 if (size < 4) {
1109 buf_len += size - 4;
1111 buf_addr = bd.data;
1112 dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
1113 buf += buf_len;
1114 if (size < 4) {
1115 dma_memory_write(&address_space_memory, buf_addr + buf_len,
1116 crc_ptr, 4 - size);
1117 crc_ptr += 4 - size;
1119 bd.flags &= ~ENET_BD_E;
1120 if (size == 0) {
1121 /* Last buffer in frame. */
1122 bd.flags |= flags | ENET_BD_L;
1124 trace_imx_fec_receive_last(bd.flags);
1126 s->regs[ENET_EIR] |= ENET_INT_RXF;
1127 } else {
1128 s->regs[ENET_EIR] |= ENET_INT_RXB;
1130 imx_fec_write_bd(&bd, addr);
1131 /* Advance to the next descriptor. */
1132 if ((bd.flags & ENET_BD_W) != 0) {
1133 addr = s->regs[ENET_RDSR];
1134 } else {
1135 addr += sizeof(bd);
1138 s->rx_descriptor = addr;
1139 imx_eth_enable_rx(s, false);
1140 imx_eth_update(s);
1141 return len;
1144 static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
1145 size_t len)
1147 IMXFECState *s = IMX_FEC(qemu_get_nic_opaque(nc));
1148 IMXENETBufDesc bd;
1149 uint32_t flags = 0;
1150 uint32_t addr;
1151 uint32_t crc;
1152 uint32_t buf_addr;
1153 uint8_t *crc_ptr;
1154 unsigned int buf_len;
1155 size_t size = len;
1156 bool shift16 = s->regs[ENET_RACC] & ENET_RACC_SHIFT16;
1158 trace_imx_enet_receive(size);
1160 if (!s->regs[ENET_RDAR]) {
1161 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Unexpected packet\n",
1162 TYPE_IMX_FEC, __func__);
1163 return 0;
1166 /* 4 bytes for the CRC. */
1167 size += 4;
1168 crc = cpu_to_be32(crc32(~0, buf, size));
1169 crc_ptr = (uint8_t *) &crc;
1171 if (shift16) {
1172 size += 2;
1175 /* Huge frames are truncated. */
1176 if (size > s->regs[ENET_FTRL]) {
1177 size = s->regs[ENET_FTRL];
1178 flags |= ENET_BD_TR | ENET_BD_LG;
1181 /* Frames larger than the user limit just set error flags. */
1182 if (size > (s->regs[ENET_RCR] >> 16)) {
1183 flags |= ENET_BD_LG;
1186 addr = s->rx_descriptor;
1187 while (size > 0) {
1188 imx_enet_read_bd(&bd, addr);
1189 if ((bd.flags & ENET_BD_E) == 0) {
1190 /* No descriptors available. Bail out. */
1192 * FIXME: This is wrong. We should probably either
1193 * save the remainder for when more RX buffers are
1194 * available, or flag an error.
1196 qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Lost end of frame\n",
1197 TYPE_IMX_FEC, __func__);
1198 break;
1200 buf_len = MIN(size, s->regs[ENET_MRBR]);
1201 bd.length = buf_len;
1202 size -= buf_len;
1204 trace_imx_enet_receive_len(addr, bd.length);
1206 /* The last 4 bytes are the CRC. */
1207 if (size < 4) {
1208 buf_len += size - 4;
1210 buf_addr = bd.data;
1212 if (shift16) {
1214 * If SHIFT16 bit of ENETx_RACC register is set we need to
1215 * align the payload to 4-byte boundary.
1217 const uint8_t zeros[2] = { 0 };
1219 dma_memory_write(&address_space_memory, buf_addr,
1220 zeros, sizeof(zeros));
1222 buf_addr += sizeof(zeros);
1223 buf_len -= sizeof(zeros);
1225 /* We only do this once per Ethernet frame */
1226 shift16 = false;
1229 dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
1230 buf += buf_len;
1231 if (size < 4) {
1232 dma_memory_write(&address_space_memory, buf_addr + buf_len,
1233 crc_ptr, 4 - size);
1234 crc_ptr += 4 - size;
1236 bd.flags &= ~ENET_BD_E;
1237 if (size == 0) {
1238 /* Last buffer in frame. */
1239 bd.flags |= flags | ENET_BD_L;
1241 trace_imx_enet_receive_last(bd.flags);
1243 /* Indicate that we've updated the last buffer descriptor. */
1244 bd.last_buffer = ENET_BD_BDU;
1245 if (bd.option & ENET_BD_RX_INT) {
1246 s->regs[ENET_EIR] |= ENET_INT_RXF;
1248 } else {
1249 if (bd.option & ENET_BD_RX_INT) {
1250 s->regs[ENET_EIR] |= ENET_INT_RXB;
1253 imx_enet_write_bd(&bd, addr);
1254 /* Advance to the next descriptor. */
1255 if ((bd.flags & ENET_BD_W) != 0) {
1256 addr = s->regs[ENET_RDSR];
1257 } else {
1258 addr += sizeof(bd);
1261 s->rx_descriptor = addr;
1262 imx_eth_enable_rx(s, false);
1263 imx_eth_update(s);
1264 return len;
1267 static ssize_t imx_eth_receive(NetClientState *nc, const uint8_t *buf,
1268 size_t len)
1270 IMXFECState *s = IMX_FEC(qemu_get_nic_opaque(nc));
1272 if (!s->is_fec && (s->regs[ENET_ECR] & ENET_ECR_EN1588)) {
1273 return imx_enet_receive(nc, buf, len);
1274 } else {
1275 return imx_fec_receive(nc, buf, len);
1279 static const MemoryRegionOps imx_eth_ops = {
1280 .read = imx_eth_read,
1281 .write = imx_eth_write,
1282 .valid.min_access_size = 4,
1283 .valid.max_access_size = 4,
1284 .endianness = DEVICE_NATIVE_ENDIAN,
1287 static void imx_eth_cleanup(NetClientState *nc)
1289 IMXFECState *s = IMX_FEC(qemu_get_nic_opaque(nc));
1291 s->nic = NULL;
1294 static NetClientInfo imx_eth_net_info = {
1295 .type = NET_CLIENT_DRIVER_NIC,
1296 .size = sizeof(NICState),
1297 .can_receive = imx_eth_can_receive,
1298 .receive = imx_eth_receive,
1299 .cleanup = imx_eth_cleanup,
1300 .link_status_changed = imx_eth_set_link,
1304 static void imx_eth_realize(DeviceState *dev, Error **errp)
1306 IMXFECState *s = IMX_FEC(dev);
1307 SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1309 memory_region_init_io(&s->iomem, OBJECT(dev), &imx_eth_ops, s,
1310 TYPE_IMX_FEC, FSL_IMX25_FEC_SIZE);
1311 sysbus_init_mmio(sbd, &s->iomem);
1312 sysbus_init_irq(sbd, &s->irq[0]);
1313 sysbus_init_irq(sbd, &s->irq[1]);
1315 qemu_macaddr_default_if_unset(&s->conf.macaddr);
1317 s->nic = qemu_new_nic(&imx_eth_net_info, &s->conf,
1318 object_get_typename(OBJECT(dev)),
1319 dev->id, s);
1321 qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1324 static Property imx_eth_properties[] = {
1325 DEFINE_NIC_PROPERTIES(IMXFECState, conf),
1326 DEFINE_PROP_UINT32("tx-ring-num", IMXFECState, tx_ring_num, 1),
1327 DEFINE_PROP_UINT32("phy-num", IMXFECState, phy_num, 0),
1328 DEFINE_PROP_END_OF_LIST(),
1331 static void imx_eth_class_init(ObjectClass *klass, void *data)
1333 DeviceClass *dc = DEVICE_CLASS(klass);
1335 dc->vmsd = &vmstate_imx_eth;
1336 dc->reset = imx_eth_reset;
1337 device_class_set_props(dc, imx_eth_properties);
1338 dc->realize = imx_eth_realize;
1339 dc->desc = "i.MX FEC/ENET Ethernet Controller";
1342 static void imx_fec_init(Object *obj)
1344 IMXFECState *s = IMX_FEC(obj);
1346 s->is_fec = true;
1349 static void imx_enet_init(Object *obj)
1351 IMXFECState *s = IMX_FEC(obj);
1353 s->is_fec = false;
1356 static const TypeInfo imx_fec_info = {
1357 .name = TYPE_IMX_FEC,
1358 .parent = TYPE_SYS_BUS_DEVICE,
1359 .instance_size = sizeof(IMXFECState),
1360 .instance_init = imx_fec_init,
1361 .class_init = imx_eth_class_init,
1364 static const TypeInfo imx_enet_info = {
1365 .name = TYPE_IMX_ENET,
1366 .parent = TYPE_IMX_FEC,
1367 .instance_init = imx_enet_init,
1370 static void imx_eth_register_types(void)
1372 type_register_static(&imx_fec_info);
1373 type_register_static(&imx_enet_info);
1376 type_init(imx_eth_register_types)