search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lsi53c895a: avoid out of bounds access to s->msg[]
[qemu/ar7.git] / hw / scsi / lsi53c895a.c
blobeb9828dd5ef7cf82930c3704a524605f6e43ae60
1 /*
2 * QEMU LSI53C895A SCSI Host Bus Adapter emulation
3 *
4 * Copyright (c) 2006 CodeSourcery.
5 * Written by Paul Brook
6 *
7 * This code is licensed under the LGPL.
8 */
9
10 /* Note:
11 * LSI53C810 emulation is incorrect, in the sense that it supports
12 * features added in later evolutions. This should not be a problem,
13 * as well-behaved operating systems will not try to use them.
14 */
15
16 #include "qemu/osdep.h"
17
18 #include "hw/irq.h"
19 #include "hw/pci/pci_device.h"
20 #include "hw/scsi/scsi.h"
21 #include "migration/vmstate.h"
22 #include "sysemu/dma.h"
23 #include "qemu/log.h"
24 #include "qemu/module.h"
25 #include "trace.h"
26 #include "qom/object.h"
27
28 static const char *names[] = {
29 "SCNTL0", "SCNTL1", "SCNTL2", "SCNTL3", "SCID", "SXFER", "SDID", "GPREG",
30 "SFBR", "SOCL", "SSID", "SBCL", "DSTAT", "SSTAT0", "SSTAT1", "SSTAT2",
31 "DSA0", "DSA1", "DSA2", "DSA3", "ISTAT", "0x15", "0x16", "0x17",
32 "CTEST0", "CTEST1", "CTEST2", "CTEST3", "TEMP0", "TEMP1", "TEMP2", "TEMP3",
33 "DFIFO", "CTEST4", "CTEST5", "CTEST6", "DBC0", "DBC1", "DBC2", "DCMD",
34 "DNAD0", "DNAD1", "DNAD2", "DNAD3", "DSP0", "DSP1", "DSP2", "DSP3",
35 "DSPS0", "DSPS1", "DSPS2", "DSPS3", "SCRATCHA0", "SCRATCHA1", "SCRATCHA2", "SCRATCHA3",
36 "DMODE", "DIEN", "SBR", "DCNTL", "ADDER0", "ADDER1", "ADDER2", "ADDER3",
37 "SIEN0", "SIEN1", "SIST0", "SIST1", "SLPAR", "0x45", "MACNTL", "GPCNTL",
38 "STIME0", "STIME1", "RESPID", "0x4b", "STEST0", "STEST1", "STEST2", "STEST3",
39 "SIDL", "0x51", "0x52", "0x53", "SODL", "0x55", "0x56", "0x57",
40 "SBDL", "0x59", "0x5a", "0x5b", "SCRATCHB0", "SCRATCHB1", "SCRATCHB2", "SCRATCHB3",
41 };
42
43 #define LSI_MAX_DEVS 7
44
45 #define LSI_SCNTL0_TRG 0x01
46 #define LSI_SCNTL0_AAP 0x02
47 #define LSI_SCNTL0_EPC 0x08
48 #define LSI_SCNTL0_WATN 0x10
49 #define LSI_SCNTL0_START 0x20
50
51 #define LSI_SCNTL1_SST 0x01
52 #define LSI_SCNTL1_IARB 0x02
53 #define LSI_SCNTL1_AESP 0x04
54 #define LSI_SCNTL1_RST 0x08
55 #define LSI_SCNTL1_CON 0x10
56 #define LSI_SCNTL1_DHP 0x20
57 #define LSI_SCNTL1_ADB 0x40
58 #define LSI_SCNTL1_EXC 0x80
59
60 #define LSI_SCNTL2_WSR 0x01
61 #define LSI_SCNTL2_VUE0 0x02
62 #define LSI_SCNTL2_VUE1 0x04
63 #define LSI_SCNTL2_WSS 0x08
64 #define LSI_SCNTL2_SLPHBEN 0x10
65 #define LSI_SCNTL2_SLPMD 0x20
66 #define LSI_SCNTL2_CHM 0x40
67 #define LSI_SCNTL2_SDU 0x80
68
69 #define LSI_ISTAT0_DIP 0x01
70 #define LSI_ISTAT0_SIP 0x02
71 #define LSI_ISTAT0_INTF 0x04
72 #define LSI_ISTAT0_CON 0x08
73 #define LSI_ISTAT0_SEM 0x10
74 #define LSI_ISTAT0_SIGP 0x20
75 #define LSI_ISTAT0_SRST 0x40
76 #define LSI_ISTAT0_ABRT 0x80
77
78 #define LSI_ISTAT1_SI 0x01
79 #define LSI_ISTAT1_SRUN 0x02
80 #define LSI_ISTAT1_FLSH 0x04
81
82 #define LSI_SSTAT0_SDP0 0x01
83 #define LSI_SSTAT0_RST 0x02
84 #define LSI_SSTAT0_WOA 0x04
85 #define LSI_SSTAT0_LOA 0x08
86 #define LSI_SSTAT0_AIP 0x10
87 #define LSI_SSTAT0_OLF 0x20
88 #define LSI_SSTAT0_ORF 0x40
89 #define LSI_SSTAT0_ILF 0x80
90
91 #define LSI_SIST0_PAR 0x01
92 #define LSI_SIST0_RST 0x02
93 #define LSI_SIST0_UDC 0x04
94 #define LSI_SIST0_SGE 0x08
95 #define LSI_SIST0_RSL 0x10
96 #define LSI_SIST0_SEL 0x20
97 #define LSI_SIST0_CMP 0x40
98 #define LSI_SIST0_MA 0x80
99
100 #define LSI_SIST1_HTH 0x01
101 #define LSI_SIST1_GEN 0x02
102 #define LSI_SIST1_STO 0x04
103 #define LSI_SIST1_SBMC 0x10
104
105 #define LSI_SOCL_IO 0x01
106 #define LSI_SOCL_CD 0x02
107 #define LSI_SOCL_MSG 0x04
108 #define LSI_SOCL_ATN 0x08
109 #define LSI_SOCL_SEL 0x10
110 #define LSI_SOCL_BSY 0x20
111 #define LSI_SOCL_ACK 0x40
112 #define LSI_SOCL_REQ 0x80
113
114 #define LSI_DSTAT_IID 0x01
115 #define LSI_DSTAT_SIR 0x04
116 #define LSI_DSTAT_SSI 0x08
117 #define LSI_DSTAT_ABRT 0x10
118 #define LSI_DSTAT_BF 0x20
119 #define LSI_DSTAT_MDPE 0x40
120 #define LSI_DSTAT_DFE 0x80
121
122 #define LSI_DCNTL_COM 0x01
123 #define LSI_DCNTL_IRQD 0x02
124 #define LSI_DCNTL_STD 0x04
125 #define LSI_DCNTL_IRQM 0x08
126 #define LSI_DCNTL_SSM 0x10
127 #define LSI_DCNTL_PFEN 0x20
128 #define LSI_DCNTL_PFF 0x40
129 #define LSI_DCNTL_CLSE 0x80
130
131 #define LSI_DMODE_MAN 0x01
132 #define LSI_DMODE_BOF 0x02
133 #define LSI_DMODE_ERMP 0x04
134 #define LSI_DMODE_ERL 0x08
135 #define LSI_DMODE_DIOM 0x10
136 #define LSI_DMODE_SIOM 0x20
137
138 #define LSI_CTEST2_DACK 0x01
139 #define LSI_CTEST2_DREQ 0x02
140 #define LSI_CTEST2_TEOP 0x04
141 #define LSI_CTEST2_PCICIE 0x08
142 #define LSI_CTEST2_CM 0x10
143 #define LSI_CTEST2_CIO 0x20
144 #define LSI_CTEST2_SIGP 0x40
145 #define LSI_CTEST2_DDIR 0x80
146
147 #define LSI_CTEST5_BL2 0x04
148 #define LSI_CTEST5_DDIR 0x08
149 #define LSI_CTEST5_MASR 0x10
150 #define LSI_CTEST5_DFSN 0x20
151 #define LSI_CTEST5_BBCK 0x40
152 #define LSI_CTEST5_ADCK 0x80
153
154 #define LSI_CCNTL0_DILS 0x01
155 #define LSI_CCNTL0_DISFC 0x10
156 #define LSI_CCNTL0_ENNDJ 0x20
157 #define LSI_CCNTL0_PMJCTL 0x40
158 #define LSI_CCNTL0_ENPMJ 0x80
159
160 #define LSI_CCNTL1_EN64DBMV 0x01
161 #define LSI_CCNTL1_EN64TIBMV 0x02
162 #define LSI_CCNTL1_64TIMOD 0x04
163 #define LSI_CCNTL1_DDAC 0x08
164 #define LSI_CCNTL1_ZMOD 0x80
165
166 #define LSI_SBCL_ATN 0x08
167 #define LSI_SBCL_BSY 0x20
168 #define LSI_SBCL_ACK 0x40
169 #define LSI_SBCL_REQ 0x80
170
171 /* Enable Response to Reselection */
172 #define LSI_SCID_RRE 0x60
173
174 #define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
175
176 #define PHASE_DO 0
177 #define PHASE_DI 1
178 #define PHASE_CMD 2
179 #define PHASE_ST 3
180 #define PHASE_MO 6
181 #define PHASE_MI 7
182 #define PHASE_MASK 7
183
184 /* Maximum length of MSG IN data. */
185 #define LSI_MAX_MSGIN_LEN 8
186
187 /* Flag set if this is a tagged command. */
188 #define LSI_TAG_VALID (1 << 16)
189
190 /* Maximum instructions to process. */
191 #define LSI_MAX_INSN 100
192
193 typedef struct lsi_request {
194 SCSIRequest *req;
195 uint32_t tag;
196 uint32_t dma_len;
197 uint8_t *dma_buf;
198 uint32_t pending;
199 int out;
200 QTAILQ_ENTRY(lsi_request) next;
201 } lsi_request;
202
203 enum {
204 LSI_NOWAIT, /* SCRIPTS are running or stopped */
205 LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
206 LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
207 LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
208 LSI_WAIT_SCRIPTS, /* SCRIPTS stopped because of instruction count limit */
209 };
210
211 enum {
212 LSI_MSG_ACTION_COMMAND = 0,
213 LSI_MSG_ACTION_DISCONNECT = 1,
214 LSI_MSG_ACTION_DOUT = 2,
215 LSI_MSG_ACTION_DIN = 3,
216 };
217
218 struct LSIState {
219 /*< private >*/
220 PCIDevice parent_obj;
221 /*< public >*/
222
223 qemu_irq ext_irq;
224 MemoryRegion mmio_io;
225 MemoryRegion ram_io;
226 MemoryRegion io_io;
227 AddressSpace pci_io_as;
228 QEMUTimer *scripts_timer;
229
230 int carry; /* ??? Should this be in a visible register somewhere? */
231 int status;
232 int msg_action;
233 int msg_len;
234 uint8_t msg[LSI_MAX_MSGIN_LEN];
235 int waiting;
236 SCSIBus bus;
237 int current_lun;
238 /* The tag is a combination of the device ID and the SCSI tag. */
239 uint32_t select_tag;
240 int command_complete;
241 QTAILQ_HEAD(, lsi_request) queue;
242 lsi_request *current;
243
244 uint32_t dsa;
245 uint32_t temp;
246 uint32_t dnad;
247 uint32_t dbc;
248 uint8_t istat0;
249 uint8_t istat1;
250 uint8_t dcmd;
251 uint8_t dstat;
252 uint8_t dien;
253 uint8_t sist0;
254 uint8_t sist1;
255 uint8_t sien0;
256 uint8_t sien1;
257 uint8_t mbox0;
258 uint8_t mbox1;
259 uint8_t dfifo;
260 uint8_t ctest2;
261 uint8_t ctest3;
262 uint8_t ctest4;
263 uint8_t ctest5;
264 uint8_t ccntl0;
265 uint8_t ccntl1;
266 uint32_t dsp;
267 uint32_t dsps;
268 uint8_t dmode;
269 uint8_t dcntl;
270 uint8_t scntl0;
271 uint8_t scntl1;
272 uint8_t scntl2;
273 uint8_t scntl3;
274 uint8_t sstat0;
275 uint8_t sstat1;
276 uint8_t scid;
277 uint8_t sxfer;
278 uint8_t socl;
279 uint8_t sdid;
280 uint8_t ssid;
281 uint8_t sfbr;
282 uint8_t sbcl;
283 uint8_t stest1;
284 uint8_t stest2;
285 uint8_t stest3;
286 uint8_t sidl;
287 uint8_t stime0;
288 uint8_t respid0;
289 uint8_t respid1;
290 uint32_t mmrs;
291 uint32_t mmws;
292 uint32_t sfs;
293 uint32_t drs;
294 uint32_t sbms;
295 uint32_t dbms;
296 uint32_t dnad64;
297 uint32_t pmjad1;
298 uint32_t pmjad2;
299 uint32_t rbc;
300 uint32_t ua;
301 uint32_t ia;
302 uint32_t sbc;
303 uint32_t csbc;
304 uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
305 uint8_t sbr;
306 uint32_t adder;
307
308 uint8_t script_ram[2048 * sizeof(uint32_t)];
309 };
310
311 #define TYPE_LSI53C810 "lsi53c810"
312 #define TYPE_LSI53C895A "lsi53c895a"
313
314 OBJECT_DECLARE_SIMPLE_TYPE(LSIState, LSI53C895A)
315
316 static const char *scsi_phases[] = {
317 "DOUT",
318 "DIN",
319 "CMD",
320 "STATUS",
321 "RSVOUT",
322 "RSVIN",
323 "MSGOUT",
324 "MSGIN"
325 };
326
327 static const char *scsi_phase_name(int phase)
328 {
329 return scsi_phases[phase & PHASE_MASK];
330 }
331
332 static inline int lsi_irq_on_rsl(LSIState *s)
333 {
334 return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
335 }
336
337 static lsi_request *get_pending_req(LSIState *s)
338 {
339 lsi_request *p;
340
341 QTAILQ_FOREACH(p, &s->queue, next) {
342 if (p->pending) {
343 return p;
344 }
345 }
346 return NULL;
347 }
348
349 static void lsi_soft_reset(LSIState *s)
350 {
351 trace_lsi_reset();
352 s->carry = 0;
353
354 s->msg_action = LSI_MSG_ACTION_COMMAND;
355 s->msg_len = 0;
356 s->waiting = LSI_NOWAIT;
357 s->dsa = 0;
358 s->dnad = 0;
359 s->dbc = 0;
360 s->temp = 0;
361 memset(s->scratch, 0, sizeof(s->scratch));
362 s->istat0 = 0;
363 s->istat1 = 0;
364 s->dcmd = 0x40;
365 s->dstat = 0;
366 s->dien = 0;
367 s->sist0 = 0;
368 s->sist1 = 0;
369 s->sien0 = 0;
370 s->sien1 = 0;
371 s->mbox0 = 0;
372 s->mbox1 = 0;
373 s->dfifo = 0;
374 s->ctest2 = LSI_CTEST2_DACK;
375 s->ctest3 = 0;
376 s->ctest4 = 0;
377 s->ctest5 = 0;
378 s->ccntl0 = 0;
379 s->ccntl1 = 0;
380 s->dsp = 0;
381 s->dsps = 0;
382 s->dmode = 0;
383 s->dcntl = 0;
384 s->scntl0 = 0xc0;
385 s->scntl1 = 0;
386 s->scntl2 = 0;
387 s->scntl3 = 0;
388 s->sstat0 = 0;
389 s->sstat1 = 0;
390 s->scid = 7;
391 s->sxfer = 0;
392 s->socl = 0;
393 s->sdid = 0;
394 s->ssid = 0;
395 s->sbcl = 0;
396 s->stest1 = 0;
397 s->stest2 = 0;
398 s->stest3 = 0;
399 s->sidl = 0;
400 s->stime0 = 0;
401 s->respid0 = 0x80;
402 s->respid1 = 0;
403 s->mmrs = 0;
404 s->mmws = 0;
405 s->sfs = 0;
406 s->drs = 0;
407 s->sbms = 0;
408 s->dbms = 0;
409 s->dnad64 = 0;
410 s->pmjad1 = 0;
411 s->pmjad2 = 0;
412 s->rbc = 0;
413 s->ua = 0;
414 s->ia = 0;
415 s->sbc = 0;
416 s->csbc = 0;
417 s->sbr = 0;
418 assert(QTAILQ_EMPTY(&s->queue));
419 assert(!s->current);
420 timer_del(s->scripts_timer);
421 }
422
423 static int lsi_dma_40bit(LSIState *s)
424 {
425 if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
426 return 1;
427 return 0;
428 }
429
430 static int lsi_dma_ti64bit(LSIState *s)
431 {
432 if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
433 return 1;
434 return 0;
435 }
436
437 static int lsi_dma_64bit(LSIState *s)
438 {
439 if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
440 return 1;
441 return 0;
442 }
443
444 static uint8_t lsi_reg_readb(LSIState *s, int offset);
445 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
446 static void lsi_execute_script(LSIState *s);
447 static void lsi_reselect(LSIState *s, lsi_request *p);
448
449 static inline void lsi_mem_read(LSIState *s, dma_addr_t addr,
450 void *buf, dma_addr_t len)
451 {
452 if (s->dmode & LSI_DMODE_SIOM) {
453 address_space_read(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
454 buf, len);
455 } else {
456 pci_dma_read(PCI_DEVICE(s), addr, buf, len);
457 }
458 }
459
460 static inline void lsi_mem_write(LSIState *s, dma_addr_t addr,
461 const void *buf, dma_addr_t len)
462 {
463 if (s->dmode & LSI_DMODE_DIOM) {
464 address_space_write(&s->pci_io_as, addr, MEMTXATTRS_UNSPECIFIED,
465 buf, len);
466 } else {
467 pci_dma_write(PCI_DEVICE(s), addr, buf, len);
468 }
469 }
470
471 static inline uint32_t read_dword(LSIState *s, uint32_t addr)
472 {
473 uint32_t buf;
474
475 pci_dma_read(PCI_DEVICE(s), addr, &buf, 4);
476 return cpu_to_le32(buf);
477 }
478
479 static void lsi_stop_script(LSIState *s)
480 {
481 s->istat1 &= ~LSI_ISTAT1_SRUN;
482 }
483
484 static void lsi_set_irq(LSIState *s, int level)
485 {
486 PCIDevice *d = PCI_DEVICE(s);
487
488 if (s->ext_irq) {
489 qemu_set_irq(s->ext_irq, level);
490 } else {
491 pci_set_irq(d, level);
492 }
493 }
494
495 static void lsi_update_irq(LSIState *s)
496 {
497 int level;
498 static int last_level;
499
500 /* It's unclear whether the DIP/SIP bits should be cleared when the
501 Interrupt Status Registers are cleared or when istat0 is read.
502 We currently do the formwer, which seems to work. */
503 level = 0;
504 if (s->dstat) {
505 if (s->dstat & s->dien)
506 level = 1;
507 s->istat0 |= LSI_ISTAT0_DIP;
508 } else {
509 s->istat0 &= ~LSI_ISTAT0_DIP;
510 }
511
512 if (s->sist0 || s->sist1) {
513 if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
514 level = 1;
515 s->istat0 |= LSI_ISTAT0_SIP;
516 } else {
517 s->istat0 &= ~LSI_ISTAT0_SIP;
518 }
519 if (s->istat0 & LSI_ISTAT0_INTF)
520 level = 1;
521
522 if (level != last_level) {
523 trace_lsi_update_irq(level, s->dstat, s->sist1, s->sist0);
524 last_level = level;
525 }
526 lsi_set_irq(s, level);
527
528 if (!s->current && !level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
529 lsi_request *p;
530
531 trace_lsi_update_irq_disconnected();
532 p = get_pending_req(s);
533 if (p) {
534 lsi_reselect(s, p);
535 }
536 }
537 }
538
539 /* Stop SCRIPTS execution and raise a SCSI interrupt. */
540 static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
541 {
542 uint32_t mask0;
543 uint32_t mask1;
544
545 trace_lsi_script_scsi_interrupt(stat1, stat0, s->sist1, s->sist0);
546 s->sist0 |= stat0;
547 s->sist1 |= stat1;
548 /* Stop processor on fatal or unmasked interrupt. As a special hack
549 we don't stop processing when raising STO. Instead continue
550 execution and stop at the next insn that accesses the SCSI bus. */
551 mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
552 mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
553 mask1 &= ~LSI_SIST1_STO;
554 if (s->sist0 & mask0 || s->sist1 & mask1) {
555 lsi_stop_script(s);
556 }
557 lsi_update_irq(s);
558 }
559
560 /* Stop SCRIPTS execution and raise a DMA interrupt. */
561 static void lsi_script_dma_interrupt(LSIState *s, int stat)
562 {
563 trace_lsi_script_dma_interrupt(stat, s->dstat);
564 s->dstat |= stat;
565 lsi_update_irq(s);
566 lsi_stop_script(s);
567 }
568
569 static inline void lsi_set_phase(LSIState *s, int phase)
570 {
571 s->sbcl &= ~PHASE_MASK;
572 s->sbcl |= phase | LSI_SBCL_REQ;
573 s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
574 }
575
576 static int lsi_bad_phase(LSIState *s, int out, int new_phase)
577 {
578 int ret = 0;
579 /* Trigger a phase mismatch. */
580 if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
581 if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
582 s->dsp = out ? s->pmjad1 : s->pmjad2;
583 } else {
584 s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
585 }
586 trace_lsi_bad_phase_jump(s->dsp);
587 } else {
588 trace_lsi_bad_phase_interrupt();
589 lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
590 lsi_stop_script(s);
591 ret = 1;
592 }
593 lsi_set_phase(s, new_phase);
594 return ret;
595 }
596
597
598 /* Resume SCRIPTS execution after a DMA operation. */
599 static void lsi_resume_script(LSIState *s)
600 {
601 if (s->waiting != 2) {
602 s->waiting = LSI_NOWAIT;
603 lsi_execute_script(s);
604 } else {
605 s->waiting = LSI_NOWAIT;
606 }
607 }
608
609 static void lsi_disconnect(LSIState *s)
610 {
611 s->scntl1 &= ~LSI_SCNTL1_CON;
612 s->sstat1 &= ~PHASE_MASK;
613 s->sbcl = 0;
614 }
615
616 static void lsi_bad_selection(LSIState *s, uint32_t id)
617 {
618 trace_lsi_bad_selection(id);
619 lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
620 lsi_disconnect(s);
621 }
622
623 /* Initiate a SCSI layer data transfer. */
624 static void lsi_do_dma(LSIState *s, int out)
625 {
626 uint32_t count;
627 dma_addr_t addr;
628 SCSIDevice *dev;
629
630 if (!s->current || !s->current->dma_len) {
631 /* Wait until data is available. */
632 trace_lsi_do_dma_unavailable();
633 return;
634 }
635
636 dev = s->current->req->dev;
637 assert(dev);
638
639 count = s->dbc;
640 if (count > s->current->dma_len)
641 count = s->current->dma_len;
642
643 addr = s->dnad;
644 /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
645 if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
646 addr |= ((uint64_t)s->dnad64 << 32);
647 else if (s->dbms)
648 addr |= ((uint64_t)s->dbms << 32);
649 else if (s->sbms)
650 addr |= ((uint64_t)s->sbms << 32);
651
652 trace_lsi_do_dma(addr, count);
653 s->csbc += count;
654 s->dnad += count;
655 s->dbc -= count;
656 if (s->current->dma_buf == NULL) {
657 s->current->dma_buf = scsi_req_get_buf(s->current->req);
658 }
659 /* ??? Set SFBR to first data byte. */
660 if (out) {
661 lsi_mem_read(s, addr, s->current->dma_buf, count);
662 } else {
663 lsi_mem_write(s, addr, s->current->dma_buf, count);
664 }
665 s->current->dma_len -= count;
666 if (s->current->dma_len == 0) {
667 s->current->dma_buf = NULL;
668 scsi_req_continue(s->current->req);
669 } else {
670 s->current->dma_buf += count;
671 lsi_resume_script(s);
672 }
673 }
674
675
676 /* Add a command to the queue. */
677 static void lsi_queue_command(LSIState *s)
678 {
679 lsi_request *p = s->current;
680
681 trace_lsi_queue_command(p->tag);
682 assert(s->current != NULL);
683 assert(s->current->dma_len == 0);
684 QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
685 s->current = NULL;
686
687 p->pending = 0;
688 p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
689 }
690
691 /* Queue a byte for a MSG IN phase. */
692 static void lsi_add_msg_byte(LSIState *s, uint8_t data)
693 {
694 if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
695 trace_lsi_add_msg_byte_error();
696 } else {
697 trace_lsi_add_msg_byte(data);
698 s->msg[s->msg_len++] = data;
699 }
700 }
701
702 /* Perform reselection to continue a command. */
703 static void lsi_reselect(LSIState *s, lsi_request *p)
704 {
705 int id;
706
707 assert(s->current == NULL);
708 QTAILQ_REMOVE(&s->queue, p, next);
709 s->current = p;
710
711 id = (p->tag >> 8) & 0xf;
712 s->ssid = id | 0x80;
713 /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
714 if (!(s->dcntl & LSI_DCNTL_COM)) {
715 s->sfbr = 1 << (id & 0x7);
716 }
717 trace_lsi_reselect(id);
718 s->scntl1 |= LSI_SCNTL1_CON;
719 lsi_set_phase(s, PHASE_MI);
720 s->msg_action = p->out ? LSI_MSG_ACTION_DOUT : LSI_MSG_ACTION_DIN;
721 s->current->dma_len = p->pending;
722 lsi_add_msg_byte(s, 0x80);
723 if (s->current->tag & LSI_TAG_VALID) {
724 lsi_add_msg_byte(s, 0x20);
725 lsi_add_msg_byte(s, p->tag & 0xff);
726 }
727
728 if (lsi_irq_on_rsl(s)) {
729 lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
730 }
731 }
732
733 static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
734 {
735 lsi_request *p;
736
737 QTAILQ_FOREACH(p, &s->queue, next) {
738 if (p->tag == tag) {
739 return p;
740 }
741 }
742
743 return NULL;
744 }
745
746 static void lsi_request_free(LSIState *s, lsi_request *p)
747 {
748 if (p == s->current) {
749 s->current = NULL;
750 } else {
751 QTAILQ_REMOVE(&s->queue, p, next);
752 }
753 g_free(p);
754 }
755
756 static void lsi_request_cancelled(SCSIRequest *req)
757 {
758 LSIState *s = LSI53C895A(req->bus->qbus.parent);
759 lsi_request *p = req->hba_private;
760
761 req->hba_private = NULL;
762 lsi_request_free(s, p);
763 scsi_req_unref(req);
764 }
765
766 /* Record that data is available for a queued command. Returns zero if
767 the device was reselected, nonzero if the IO is deferred. */
768 static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
769 {
770 lsi_request *p = req->hba_private;
771
772 if (p->pending) {
773 trace_lsi_queue_req_error(p);
774 }
775 p->pending = len;
776 /* Reselect if waiting for it, or if reselection triggers an IRQ
777 and the bus is free.
778 Since no interrupt stacking is implemented in the emulation, it
779 is also required that there are no pending interrupts waiting
780 for service from the device driver. */
781 if (s->waiting == LSI_WAIT_RESELECT ||
782 (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
783 !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
784 /* Reselect device. */
785 lsi_reselect(s, p);
786 return 0;
787 } else {
788 trace_lsi_queue_req(p->tag);
789 p->pending = len;
790 return 1;
791 }
792 }
793
794 /* Callback to indicate that the SCSI layer has completed a command. */
795 static void lsi_command_complete(SCSIRequest *req, size_t resid)
796 {
797 LSIState *s = LSI53C895A(req->bus->qbus.parent);
798 int out, stop = 0;
799
800 out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
801 trace_lsi_command_complete(req->status);
802 s->status = req->status;
803 s->command_complete = 2;
804 if (s->waiting && s->dbc != 0) {
805 /* Raise phase mismatch for short transfers. */
806 stop = lsi_bad_phase(s, out, PHASE_ST);
807 if (stop) {
808 s->waiting = 0;
809 }
810 } else {
811 lsi_set_phase(s, PHASE_ST);
812 }
813
814 if (req->hba_private == s->current) {
815 req->hba_private = NULL;
816 lsi_request_free(s, s->current);
817 scsi_req_unref(req);
818 }
819 if (!stop) {
820 lsi_resume_script(s);
821 }
822 }
823
824 /* Callback to indicate that the SCSI layer has completed a transfer. */
825 static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
826 {
827 LSIState *s = LSI53C895A(req->bus->qbus.parent);
828 int out;
829
830 assert(req->hba_private);
831 if (s->waiting == LSI_WAIT_RESELECT || req->hba_private != s->current ||
832 (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
833 if (lsi_queue_req(s, req, len)) {
834 return;
835 }
836 }
837
838 out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
839
840 /* host adapter (re)connected */
841 trace_lsi_transfer_data(req->tag, len);
842 s->current->dma_len = len;
843 s->command_complete = 1;
844 if (s->waiting) {
845 if (s->waiting == LSI_WAIT_RESELECT || s->dbc == 0) {
846 lsi_resume_script(s);
847 } else {
848 lsi_do_dma(s, out);
849 }
850 }
851 }
852
853 static void lsi_do_command(LSIState *s)
854 {
855 SCSIDevice *dev;
856 uint8_t buf[16];
857 uint32_t id;
858 int n;
859
860 trace_lsi_do_command(s->dbc);
861 if (s->dbc > 16)
862 s->dbc = 16;
863 pci_dma_read(PCI_DEVICE(s), s->dnad, buf, s->dbc);
864 s->sfbr = buf[0];
865 s->command_complete = 0;
866
867 id = (s->select_tag >> 8) & 0xf;
868 dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
869 if (!dev) {
870 lsi_bad_selection(s, id);
871 return;
872 }
873
874 assert(s->current == NULL);
875 s->current = g_new0(lsi_request, 1);
876 s->current->tag = s->select_tag;
877 s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
878 s->dbc, s->current);
879
880 n = scsi_req_enqueue(s->current->req);
881 if (n) {
882 if (n > 0) {
883 lsi_set_phase(s, PHASE_DI);
884 } else if (n < 0) {
885 lsi_set_phase(s, PHASE_DO);
886 }
887 scsi_req_continue(s->current->req);
888 }
889 if (!s->command_complete) {
890 if (n) {
891 /* Command did not complete immediately so disconnect. */
892 lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
893 lsi_add_msg_byte(s, 4); /* DISCONNECT */
894 /* wait data */
895 lsi_set_phase(s, PHASE_MI);
896 s->msg_action = LSI_MSG_ACTION_DISCONNECT;
897 lsi_queue_command(s);
898 } else {
899 /* wait command complete */
900 lsi_set_phase(s, PHASE_DI);
901 }
902 }
903 }
904
905 static void lsi_do_status(LSIState *s)
906 {
907 uint8_t status;
908 trace_lsi_do_status(s->dbc, s->status);
909 if (s->dbc != 1) {
910 trace_lsi_do_status_error();
911 }
912 s->dbc = 1;
913 status = s->status;
914 s->sfbr = status;
915 pci_dma_write(PCI_DEVICE(s), s->dnad, &status, 1);
916 lsi_set_phase(s, PHASE_MI);
917 s->msg_action = LSI_MSG_ACTION_DISCONNECT;
918 lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
919 }
920
921 static void lsi_do_msgin(LSIState *s)
922 {
923 uint8_t len;
924 trace_lsi_do_msgin(s->dbc, s->msg_len);
925 s->sfbr = s->msg[0];
926 len = s->msg_len;
927 assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
928 if (len > s->dbc)
929 len = s->dbc;
930
931 if (len) {
932 pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
933 /* Linux drivers rely on the last byte being in the SIDL. */
934 s->sidl = s->msg[len - 1];
935 s->msg_len -= len;
936 if (s->msg_len) {
937 memmove(s->msg, s->msg + len, s->msg_len);
938 }
939 }
940
941 if (!s->msg_len) {
942 /* ??? Check if ATN (not yet implemented) is asserted and maybe
943 switch to PHASE_MO. */
944 switch (s->msg_action) {
945 case LSI_MSG_ACTION_COMMAND:
946 lsi_set_phase(s, PHASE_CMD);
947 break;
948 case LSI_MSG_ACTION_DISCONNECT:
949 lsi_disconnect(s);
950 break;
951 case LSI_MSG_ACTION_DOUT:
952 lsi_set_phase(s, PHASE_DO);
953 break;
954 case LSI_MSG_ACTION_DIN:
955 lsi_set_phase(s, PHASE_DI);
956 break;
957 default:
958 abort();
959 }
960 }
961 }
962
963 /* Read the next byte during a MSGOUT phase. */
964 static uint8_t lsi_get_msgbyte(LSIState *s)
965 {
966 uint8_t data;
967 pci_dma_read(PCI_DEVICE(s), s->dnad, &data, 1);
968 s->dnad++;
969 s->dbc--;
970 return data;
971 }
972
973 /* Skip the next n bytes during a MSGOUT phase. */
974 static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
975 {
976 s->dnad += n;
977 s->dbc -= n;
978 }
979
980 static void lsi_do_msgout(LSIState *s)
981 {
982 uint8_t msg;
983 int len;
984 uint32_t current_tag;
985 lsi_request *current_req, *p, *p_next;
986
987 if (s->current) {
988 current_tag = s->current->tag;
989 current_req = s->current;
990 } else {
991 current_tag = s->select_tag;
992 current_req = lsi_find_by_tag(s, current_tag);
993 }
994
995 trace_lsi_do_msgout(s->dbc);
996 while (s->dbc) {
997 msg = lsi_get_msgbyte(s);
998 s->sfbr = msg;
999
1000 switch (msg) {
1001 case 0x04:
1002 trace_lsi_do_msgout_disconnect();
1003 lsi_disconnect(s);
1004 break;
1005 case 0x08:
1006 trace_lsi_do_msgout_noop();
1007 lsi_set_phase(s, PHASE_CMD);
1008 break;
1009 case 0x01:
1010 len = lsi_get_msgbyte(s);
1011 msg = lsi_get_msgbyte(s);
1012 (void)len; /* avoid a warning about unused variable*/
1013 trace_lsi_do_msgout_extended(msg, len);
1014 switch (msg) {
1015 case 1:
1016 trace_lsi_do_msgout_ignored("SDTR");
1017 lsi_skip_msgbytes(s, 2);
1018 break;
1019 case 3:
1020 trace_lsi_do_msgout_ignored("WDTR");
1021 lsi_skip_msgbytes(s, 1);
1022 break;
1023 case 4:
1024 trace_lsi_do_msgout_ignored("PPR");
1025 lsi_skip_msgbytes(s, 5);
1026 break;
1027 default:
1028 goto bad;
1029 }
1030 break;
1031 case 0x20: /* SIMPLE queue */
1032 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1033 trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff);
1034 break;
1035 case 0x21: /* HEAD of queue */
1036 qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n");
1037 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1038 break;
1039 case 0x22: /* ORDERED queue */
1040 qemu_log_mask(LOG_UNIMP,
1041 "lsi_scsi: ORDERED queue not implemented\n");
1042 s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
1043 break;
1044 case 0x0d:
1045 /* The ABORT TAG message clears the current I/O process only. */
1046 trace_lsi_do_msgout_abort(current_tag);
1047 if (current_req && current_req->req) {
1048 scsi_req_cancel(current_req->req);
1049 current_req = NULL;
1050 }
1051 lsi_disconnect(s);
1052 break;
1053 case 0x06:
1054 case 0x0e:
1055 case 0x0c:
1056 /* The ABORT message clears all I/O processes for the selecting
1057 initiator on the specified logical unit of the target. */
1058 if (msg == 0x06) {
1059 trace_lsi_do_msgout_abort(current_tag);
1060 }
1061 /* The CLEAR QUEUE message clears all I/O processes for all
1062 initiators on the specified logical unit of the target. */
1063 if (msg == 0x0e) {
1064 trace_lsi_do_msgout_clearqueue(current_tag);
1065 }
1066 /* The BUS DEVICE RESET message clears all I/O processes for all
1067 initiators on all logical units of the target. */
1068 if (msg == 0x0c) {
1069 trace_lsi_do_msgout_busdevicereset(current_tag);
1070 }
1071
1072 /* clear the current I/O process */
1073 if (s->current) {
1074 scsi_req_cancel(s->current->req);
1075 current_req = NULL;
1076 }
1077
1078 /* As the current implemented devices scsi_disk and scsi_generic
1079 only support one LUN, we don't need to keep track of LUNs.
1080 Clearing I/O processes for other initiators could be possible
1081 for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
1082 device, but this is currently not implemented (and seems not
1083 to be really necessary). So let's simply clear all queued
1084 commands for the current device: */
1085 QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
1086 if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
1087 scsi_req_cancel(p->req);
1088 }
1089 }
1090
1091 lsi_disconnect(s);
1092 break;
1093 default:
1094 if ((msg & 0x80) == 0) {
1095 goto bad;
1096 }
1097 s->current_lun = msg & 7;
1098 trace_lsi_do_msgout_select(s->current_lun);
1099 lsi_set_phase(s, PHASE_CMD);
1100 break;
1101 }
1102 }
1103 return;
1104 bad:
1105 qemu_log_mask(LOG_UNIMP, "Unimplemented message 0x%02x\n", msg);
1106 lsi_set_phase(s, PHASE_MI);
1107 lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
1108 s->msg_action = LSI_MSG_ACTION_COMMAND;
1109 }
1110
1111 #define LSI_BUF_SIZE 4096
1112 static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
1113 {
1114 int n;
1115 uint8_t buf[LSI_BUF_SIZE];
1116
1117 trace_lsi_memcpy(dest, src, count);
1118 while (count) {
1119 n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1120 lsi_mem_read(s, src, buf, n);
1121 lsi_mem_write(s, dest, buf, n);
1122 src += n;
1123 dest += n;
1124 count -= n;
1125 }
1126 }
1127
1128 static void lsi_wait_reselect(LSIState *s)
1129 {
1130 lsi_request *p;
1131
1132 trace_lsi_wait_reselect();
1133
1134 if (s->current) {
1135 return;
1136 }
1137 p = get_pending_req(s);
1138 if (p) {
1139 lsi_reselect(s, p);
1140 }
1141 if (s->current == NULL) {
1142 s->waiting = LSI_WAIT_RESELECT;
1143 }
1144 }
1145
1146 static void lsi_scripts_timer_start(LSIState *s)
1147 {
1148 trace_lsi_scripts_timer_start();
1149 timer_mod(s->scripts_timer, qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 500);
1150 }
1151
1152 static void lsi_execute_script(LSIState *s)
1153 {
1154 PCIDevice *pci_dev = PCI_DEVICE(s);
1155 uint32_t insn;
1156 uint32_t addr, addr_high;
1157 int opcode;
1158 int insn_processed = 0;
1159 static int reentrancy_level;
1160
1161 if (s->waiting == LSI_WAIT_SCRIPTS) {
1162 timer_del(s->scripts_timer);
1163 s->waiting = LSI_NOWAIT;
1164 }
1165
1166 reentrancy_level++;
1167
1168 s->istat1 |= LSI_ISTAT1_SRUN;
1169 again:
1170 /*
1171 * Some windows drivers make the device spin waiting for a memory location
1172 * to change. If we have executed more than LSI_MAX_INSN instructions then
1173 * assume this is the case and start a timer. Until the timer fires, the
1174 * host CPU has a chance to run and change the memory location.
1175 *
1176 * Another issue (CVE-2023-0330) can occur if the script is programmed to
1177 * trigger itself again and again. Avoid this problem by stopping after
1178 * being called multiple times in a reentrant way (8 is an arbitrary value
1179 * which should be enough for all valid use cases).
1180 */
1181 if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
1182 s->waiting = LSI_WAIT_SCRIPTS;
1183 lsi_scripts_timer_start(s);
1184 reentrancy_level--;
1185 return;
1186 }
1187 insn = read_dword(s, s->dsp);
1188 if (!insn) {
1189 /* If we receive an empty opcode increment the DSP by 4 bytes
1190 instead of 8 and execute the next opcode at that location */
1191 s->dsp += 4;
1192 goto again;
1193 }
1194 addr = read_dword(s, s->dsp + 4);
1195 addr_high = 0;
1196 trace_lsi_execute_script(s->dsp, insn, addr);
1197 s->dsps = addr;
1198 s->dcmd = insn >> 24;
1199 s->dsp += 8;
1200 switch (insn >> 30) {
1201 case 0: /* Block move. */
1202 if (s->sist1 & LSI_SIST1_STO) {
1203 trace_lsi_execute_script_blockmove_delayed();
1204 lsi_stop_script(s);
1205 break;
1206 }
1207 s->dbc = insn & 0xffffff;
1208 s->rbc = s->dbc;
1209 /* ??? Set ESA. */
1210 s->ia = s->dsp - 8;
1211 if (insn & (1 << 29)) {
1212 /* Indirect addressing. */
1213 addr = read_dword(s, addr);
1214 } else if (insn & (1 << 28)) {
1215 uint32_t buf[2];
1216 int32_t offset;
1217 /* Table indirect addressing. */
1218
1219 /* 32-bit Table indirect */
1220 offset = sextract32(addr, 0, 24);
1221 pci_dma_read(pci_dev, s->dsa + offset, buf, 8);
1222 /* byte count is stored in bits 0:23 only */
1223 s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1224 s->rbc = s->dbc;
1225 addr = cpu_to_le32(buf[1]);
1226
1227 /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1228 * table, bits [31:24] */
1229 if (lsi_dma_40bit(s))
1230 addr_high = cpu_to_le32(buf[0]) >> 24;
1231 else if (lsi_dma_ti64bit(s)) {
1232 int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1233 switch (selector) {
1234 case 0 ... 0x0f:
1235 /* offset index into scratch registers since
1236 * TI64 mode can use registers C to R */
1237 addr_high = s->scratch[2 + selector];
1238 break;
1239 case 0x10:
1240 addr_high = s->mmrs;
1241 break;
1242 case 0x11:
1243 addr_high = s->mmws;
1244 break;
1245 case 0x12:
1246 addr_high = s->sfs;
1247 break;
1248 case 0x13:
1249 addr_high = s->drs;
1250 break;
1251 case 0x14:
1252 addr_high = s->sbms;
1253 break;
1254 case 0x15:
1255 addr_high = s->dbms;
1256 break;
1257 default:
1258 qemu_log_mask(LOG_GUEST_ERROR,
1259 "lsi_scsi: Illegal selector specified (0x%x > 0x15) "
1260 "for 64-bit DMA block move", selector);
1261 break;
1262 }
1263 }
1264 } else if (lsi_dma_64bit(s)) {
1265 /* fetch a 3rd dword if 64-bit direct move is enabled and
1266 only if we're not doing table indirect or indirect addressing */
1267 s->dbms = read_dword(s, s->dsp);
1268 s->dsp += 4;
1269 s->ia = s->dsp - 12;
1270 }
1271 if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1272 trace_lsi_execute_script_blockmove_badphase(
1273 scsi_phase_name(s->sstat1),
1274 scsi_phase_name(insn >> 24));
1275 lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1276 break;
1277 }
1278 s->dnad = addr;
1279 s->dnad64 = addr_high;
1280 switch (s->sstat1 & 0x7) {
1281 case PHASE_DO:
1282 s->waiting = LSI_DMA_SCRIPTS;
1283 lsi_do_dma(s, 1);
1284 if (s->waiting)
1285 s->waiting = LSI_DMA_IN_PROGRESS;
1286 break;
1287 case PHASE_DI:
1288 s->waiting = LSI_DMA_SCRIPTS;
1289 lsi_do_dma(s, 0);
1290 if (s->waiting)
1291 s->waiting = LSI_DMA_IN_PROGRESS;
1292 break;
1293 case PHASE_CMD:
1294 lsi_do_command(s);
1295 break;
1296 case PHASE_ST:
1297 lsi_do_status(s);
1298 break;
1299 case PHASE_MO:
1300 lsi_do_msgout(s);
1301 break;
1302 case PHASE_MI:
1303 lsi_do_msgin(s);
1304 break;
1305 default:
1306 qemu_log_mask(LOG_UNIMP, "lsi_scsi: Unimplemented phase %s\n",
1307 scsi_phase_name(s->sstat1));
1308 }
1309 s->dfifo = s->dbc & 0xff;
1310 s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1311 s->sbc = s->dbc;
1312 s->rbc -= s->dbc;
1313 s->ua = addr + s->dbc;
1314 break;
1315
1316 case 1: /* IO or Read/Write instruction. */
1317 opcode = (insn >> 27) & 7;
1318 if (opcode < 5) {
1319 uint32_t id;
1320
1321 if (insn & (1 << 25)) {
1322 id = read_dword(s, s->dsa + sextract32(insn, 0, 24));
1323 } else {
1324 id = insn;
1325 }
1326 id = (id >> 16) & 0xf;
1327 if (insn & (1 << 26)) {
1328 addr = s->dsp + sextract32(addr, 0, 24);
1329 }
1330 s->dnad = addr;
1331 switch (opcode) {
1332 case 0: /* Select */
1333 s->sdid = id;
1334 if (s->scntl1 & LSI_SCNTL1_CON) {
1335 trace_lsi_execute_script_io_alreadyreselected();
1336 s->dsp = s->dnad;
1337 break;
1338 }
1339 s->sstat0 |= LSI_SSTAT0_WOA;
1340 s->scntl1 &= ~LSI_SCNTL1_IARB;
1341 if (!scsi_device_find(&s->bus, 0, id, 0)) {
1342 lsi_bad_selection(s, id);
1343 break;
1344 }
1345 trace_lsi_execute_script_io_selected(id,
1346 insn & (1 << 3) ? " ATN" : "");
1347 /* ??? Linux drivers complain when this is set. Maybe
1348 it only applies in low-level mode (unimplemented).
1349 lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1350 s->select_tag = id << 8;
1351 s->scntl1 |= LSI_SCNTL1_CON;
1352 if (insn & (1 << 3)) {
1353 s->socl |= LSI_SOCL_ATN;
1354 s->sbcl |= LSI_SBCL_ATN;
1355 }
1356 s->sbcl |= LSI_SBCL_BSY;
1357 lsi_set_phase(s, PHASE_MO);
1358 s->waiting = LSI_NOWAIT;
1359 break;
1360 case 1: /* Disconnect */
1361 trace_lsi_execute_script_io_disconnect();
1362 s->scntl1 &= ~LSI_SCNTL1_CON;
1363 /* FIXME: this is not entirely correct; the target need not ask
1364 * for reselection until it has to send data, while here we force a
1365 * reselection as soon as the bus is free. The correct flow would
1366 * reselect before lsi_transfer_data and disconnect as soon as
1367 * DMA ends.
1368 */
1369 if (!s->current) {
1370 lsi_request *p = get_pending_req(s);
1371 if (p) {
1372 lsi_reselect(s, p);
1373 }
1374 }
1375 break;
1376 case 2: /* Wait Reselect */
1377 if (s->istat0 & LSI_ISTAT0_SIGP) {
1378 s->dsp = s->dnad;
1379 } else if (!lsi_irq_on_rsl(s)) {
1380 lsi_wait_reselect(s);
1381 }
1382 break;
1383 case 3: /* Set */
1384 trace_lsi_execute_script_io_set(
1385 insn & (1 << 3) ? " ATN" : "",
1386 insn & (1 << 6) ? " ACK" : "",
1387 insn & (1 << 9) ? " TM" : "",
1388 insn & (1 << 10) ? " CC" : "");
1389 if (insn & (1 << 3)) {
1390 s->socl |= LSI_SOCL_ATN;
1391 s->sbcl |= LSI_SBCL_ATN;
1392 lsi_set_phase(s, PHASE_MO);
1393 }
1394
1395 if (insn & (1 << 6)) {
1396 s->sbcl |= LSI_SBCL_ACK;
1397 }
1398
1399 if (insn & (1 << 9)) {
1400 qemu_log_mask(LOG_UNIMP,
1401 "lsi_scsi: Target mode not implemented\n");
1402 }
1403 if (insn & (1 << 10))
1404 s->carry = 1;
1405 break;
1406 case 4: /* Clear */
1407 trace_lsi_execute_script_io_clear(
1408 insn & (1 << 3) ? " ATN" : "",
1409 insn & (1 << 6) ? " ACK" : "",
1410 insn & (1 << 9) ? " TM" : "",
1411 insn & (1 << 10) ? " CC" : "");
1412 if (insn & (1 << 3)) {
1413 s->socl &= ~LSI_SOCL_ATN;
1414 s->sbcl &= ~LSI_SBCL_ATN;
1415 }
1416
1417 if (insn & (1 << 6)) {
1418 s->sbcl &= ~LSI_SBCL_ACK;
1419 }
1420
1421 if (insn & (1 << 10))
1422 s->carry = 0;
1423 break;
1424 }
1425 } else {
1426 uint8_t op0;
1427 uint8_t op1;
1428 uint8_t data8;
1429 int reg;
1430 int operator;
1431
1432 static const char *opcode_names[3] =
1433 {"Write", "Read", "Read-Modify-Write"};
1434 static const char *operator_names[8] =
1435 {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1436
1437 reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1438 data8 = (insn >> 8) & 0xff;
1439 opcode = (insn >> 27) & 7;
1440 operator = (insn >> 24) & 7;
1441 trace_lsi_execute_script_io_opcode(
1442 opcode_names[opcode - 5], reg,
1443 operator_names[operator], data8, s->sfbr,
1444 (insn & (1 << 23)) ? " SFBR" : "");
1445 op0 = op1 = 0;
1446 switch (opcode) {
1447 case 5: /* From SFBR */
1448 op0 = s->sfbr;
1449 op1 = data8;
1450 break;
1451 case 6: /* To SFBR */
1452 if (operator)
1453 op0 = lsi_reg_readb(s, reg);
1454 op1 = data8;
1455 break;
1456 case 7: /* Read-modify-write */
1457 if (operator)
1458 op0 = lsi_reg_readb(s, reg);
1459 if (insn & (1 << 23)) {
1460 op1 = s->sfbr;
1461 } else {
1462 op1 = data8;
1463 }
1464 break;
1465 }
1466
1467 switch (operator) {
1468 case 0: /* move */
1469 op0 = op1;
1470 break;
1471 case 1: /* Shift left */
1472 op1 = op0 >> 7;
1473 op0 = (op0 << 1) | s->carry;
1474 s->carry = op1;
1475 break;
1476 case 2: /* OR */
1477 op0 |= op1;
1478 break;
1479 case 3: /* XOR */
1480 op0 ^= op1;
1481 break;
1482 case 4: /* AND */
1483 op0 &= op1;
1484 break;
1485 case 5: /* SHR */
1486 op1 = op0 & 1;
1487 op0 = (op0 >> 1) | (s->carry << 7);
1488 s->carry = op1;
1489 break;
1490 case 6: /* ADD */
1491 op0 += op1;
1492 s->carry = op0 < op1;
1493 break;
1494 case 7: /* ADC */
1495 op0 += op1 + s->carry;
1496 if (s->carry)
1497 s->carry = op0 <= op1;
1498 else
1499 s->carry = op0 < op1;
1500 break;
1501 }
1502
1503 switch (opcode) {
1504 case 5: /* From SFBR */
1505 case 7: /* Read-modify-write */
1506 lsi_reg_writeb(s, reg, op0);
1507 break;
1508 case 6: /* To SFBR */
1509 s->sfbr = op0;
1510 break;
1511 }
1512 }
1513 break;
1514
1515 case 2: /* Transfer Control. */
1516 {
1517 int cond;
1518 int jmp;
1519
1520 if ((insn & 0x002e0000) == 0) {
1521 trace_lsi_execute_script_tc_nop();
1522 break;
1523 }
1524 if (s->sist1 & LSI_SIST1_STO) {
1525 trace_lsi_execute_script_tc_delayedselect_timeout();
1526 lsi_stop_script(s);
1527 break;
1528 }
1529 cond = jmp = (insn & (1 << 19)) != 0;
1530 if (cond == jmp && (insn & (1 << 21))) {
1531 trace_lsi_execute_script_tc_compc(s->carry == jmp);
1532 cond = s->carry != 0;
1533 }
1534 if (cond == jmp && (insn & (1 << 17))) {
1535 trace_lsi_execute_script_tc_compp(scsi_phase_name(s->sstat1),
1536 jmp ? '=' : '!', scsi_phase_name(insn >> 24));
1537 cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1538 }
1539 if (cond == jmp && (insn & (1 << 18))) {
1540 uint8_t mask;
1541
1542 mask = (~insn >> 8) & 0xff;
1543 trace_lsi_execute_script_tc_compd(
1544 s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1545 cond = (s->sfbr & mask) == (insn & mask);
1546 }
1547 if (cond == jmp) {
1548 if (insn & (1 << 23)) {
1549 /* Relative address. */
1550 addr = s->dsp + sextract32(addr, 0, 24);
1551 }
1552 switch ((insn >> 27) & 7) {
1553 case 0: /* Jump */
1554 trace_lsi_execute_script_tc_jump(addr);
1555 s->adder = addr;
1556 s->dsp = addr;
1557 break;
1558 case 1: /* Call */
1559 trace_lsi_execute_script_tc_call(addr);
1560 s->temp = s->dsp;
1561 s->dsp = addr;
1562 break;
1563 case 2: /* Return */
1564 trace_lsi_execute_script_tc_return(s->temp);
1565 s->dsp = s->temp;
1566 break;
1567 case 3: /* Interrupt */
1568 trace_lsi_execute_script_tc_interrupt(s->dsps);
1569 if ((insn & (1 << 20)) != 0) {
1570 s->istat0 |= LSI_ISTAT0_INTF;
1571 lsi_update_irq(s);
1572 } else {
1573 lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1574 }
1575 break;
1576 default:
1577 trace_lsi_execute_script_tc_illegal();
1578 lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1579 break;
1580 }
1581 } else {
1582 trace_lsi_execute_script_tc_cc_failed();
1583 }
1584 }
1585 break;
1586
1587 case 3:
1588 if ((insn & (1 << 29)) == 0) {
1589 /* Memory move. */
1590 uint32_t dest;
1591 /* ??? The docs imply the destination address is loaded into
1592 the TEMP register. However the Linux drivers rely on
1593 the value being presrved. */
1594 dest = read_dword(s, s->dsp);
1595 s->dsp += 4;
1596 lsi_memcpy(s, dest, addr, insn & 0xffffff);
1597 } else {
1598 uint8_t data[7];
1599 int reg;
1600 int n;
1601 int i;
1602
1603 if (insn & (1 << 28)) {
1604 addr = s->dsa + sextract32(addr, 0, 24);
1605 }
1606 n = (insn & 7);
1607 reg = (insn >> 16) & 0xff;
1608 if (insn & (1 << 24)) {
1609 pci_dma_read(pci_dev, addr, data, n);
1610 trace_lsi_execute_script_mm_load(reg, n, addr, *(int *)data);
1611 for (i = 0; i < n; i++) {
1612 lsi_reg_writeb(s, reg + i, data[i]);
1613 }
1614 } else {
1615 trace_lsi_execute_script_mm_store(reg, n, addr);
1616 for (i = 0; i < n; i++) {
1617 data[i] = lsi_reg_readb(s, reg + i);
1618 }
1619 pci_dma_write(pci_dev, addr, data, n);
1620 }
1621 }
1622 }
1623 if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
1624 if (s->dcntl & LSI_DCNTL_SSM) {
1625 lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1626 } else {
1627 goto again;
1628 }
1629 }
1630 trace_lsi_execute_script_stop();
1631
1632 reentrancy_level--;
1633 }
1634
1635 static uint8_t lsi_reg_readb(LSIState *s, int offset)
1636 {
1637 uint8_t ret;
1638
1639 #define CASE_GET_REG24(name, addr) \
1640 case addr: ret = s->name & 0xff; break; \
1641 case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1642 case addr + 2: ret = (s->name >> 16) & 0xff; break;
1643
1644 #define CASE_GET_REG32(name, addr) \
1645 case addr: ret = s->name & 0xff; break; \
1646 case addr + 1: ret = (s->name >> 8) & 0xff; break; \
1647 case addr + 2: ret = (s->name >> 16) & 0xff; break; \
1648 case addr + 3: ret = (s->name >> 24) & 0xff; break;
1649
1650 switch (offset) {
1651 case 0x00: /* SCNTL0 */
1652 ret = s->scntl0;
1653 break;
1654 case 0x01: /* SCNTL1 */
1655 ret = s->scntl1;
1656 break;
1657 case 0x02: /* SCNTL2 */
1658 ret = s->scntl2;
1659 break;
1660 case 0x03: /* SCNTL3 */
1661 ret = s->scntl3;
1662 break;
1663 case 0x04: /* SCID */
1664 ret = s->scid;
1665 break;
1666 case 0x05: /* SXFER */
1667 ret = s->sxfer;
1668 break;
1669 case 0x06: /* SDID */
1670 ret = s->sdid;
1671 break;
1672 case 0x07: /* GPREG0 */
1673 ret = 0x7f;
1674 break;
1675 case 0x08: /* Revision ID */
1676 ret = 0x00;
1677 break;
1678 case 0x09: /* SOCL */
1679 ret = s->socl;
1680 break;
1681 case 0xa: /* SSID */
1682 ret = s->ssid;
1683 break;
1684 case 0xb: /* SBCL */
1685 ret = s->sbcl;
1686 break;
1687 case 0xc: /* DSTAT */
1688 ret = s->dstat | LSI_DSTAT_DFE;
1689 if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1690 s->dstat = 0;
1691 lsi_update_irq(s);
1692 break;
1693 case 0x0d: /* SSTAT0 */
1694 ret = s->sstat0;
1695 break;
1696 case 0x0e: /* SSTAT1 */
1697 ret = s->sstat1;
1698 break;
1699 case 0x0f: /* SSTAT2 */
1700 ret = s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1701 break;
1702 CASE_GET_REG32(dsa, 0x10)
1703 case 0x14: /* ISTAT0 */
1704 ret = s->istat0;
1705 break;
1706 case 0x15: /* ISTAT1 */
1707 ret = s->istat1;
1708 break;
1709 case 0x16: /* MBOX0 */
1710 ret = s->mbox0;
1711 break;
1712 case 0x17: /* MBOX1 */
1713 ret = s->mbox1;
1714 break;
1715 case 0x18: /* CTEST0 */
1716 ret = 0xff;
1717 break;
1718 case 0x19: /* CTEST1 */
1719 ret = 0;
1720 break;
1721 case 0x1a: /* CTEST2 */
1722 ret = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1723 if (s->istat0 & LSI_ISTAT0_SIGP) {
1724 s->istat0 &= ~LSI_ISTAT0_SIGP;
1725 ret |= LSI_CTEST2_SIGP;
1726 }
1727 break;
1728 case 0x1b: /* CTEST3 */
1729 ret = s->ctest3;
1730 break;
1731 CASE_GET_REG32(temp, 0x1c)
1732 case 0x20: /* DFIFO */
1733 ret = s->dfifo;
1734 break;
1735 case 0x21: /* CTEST4 */
1736 ret = s->ctest4;
1737 break;
1738 case 0x22: /* CTEST5 */
1739 ret = s->ctest5;
1740 break;
1741 case 0x23: /* CTEST6 */
1742 ret = 0;
1743 break;
1744 CASE_GET_REG24(dbc, 0x24)
1745 case 0x27: /* DCMD */
1746 ret = s->dcmd;
1747 break;
1748 CASE_GET_REG32(dnad, 0x28)
1749 CASE_GET_REG32(dsp, 0x2c)
1750 CASE_GET_REG32(dsps, 0x30)
1751 CASE_GET_REG32(scratch[0], 0x34)
1752 case 0x38: /* DMODE */
1753 ret = s->dmode;
1754 break;
1755 case 0x39: /* DIEN */
1756 ret = s->dien;
1757 break;
1758 case 0x3a: /* SBR */
1759 ret = s->sbr;
1760 break;
1761 case 0x3b: /* DCNTL */
1762 ret = s->dcntl;
1763 break;
1764 /* ADDER Output (Debug of relative jump address) */
1765 CASE_GET_REG32(adder, 0x3c)
1766 case 0x40: /* SIEN0 */
1767 ret = s->sien0;
1768 break;
1769 case 0x41: /* SIEN1 */
1770 ret = s->sien1;
1771 break;
1772 case 0x42: /* SIST0 */
1773 ret = s->sist0;
1774 s->sist0 = 0;
1775 lsi_update_irq(s);
1776 break;
1777 case 0x43: /* SIST1 */
1778 ret = s->sist1;
1779 s->sist1 = 0;
1780 lsi_update_irq(s);
1781 break;
1782 case 0x46: /* MACNTL */
1783 ret = 0x0f;
1784 break;
1785 case 0x47: /* GPCNTL0 */
1786 ret = 0x0f;
1787 break;
1788 case 0x48: /* STIME0 */
1789 ret = s->stime0;
1790 break;
1791 case 0x4a: /* RESPID0 */
1792 ret = s->respid0;
1793 break;
1794 case 0x4b: /* RESPID1 */
1795 ret = s->respid1;
1796 break;
1797 case 0x4d: /* STEST1 */
1798 ret = s->stest1;
1799 break;
1800 case 0x4e: /* STEST2 */
1801 ret = s->stest2;
1802 break;
1803 case 0x4f: /* STEST3 */
1804 ret = s->stest3;
1805 break;
1806 case 0x50: /* SIDL */
1807 /* This is needed by the linux drivers. We currently only update it
1808 during the MSG IN phase. */
1809 ret = s->sidl;
1810 break;
1811 case 0x52: /* STEST4 */
1812 ret = 0xe0;
1813 break;
1814 case 0x56: /* CCNTL0 */
1815 ret = s->ccntl0;
1816 break;
1817 case 0x57: /* CCNTL1 */
1818 ret = s->ccntl1;
1819 break;
1820 case 0x58: /* SBDL */
1821 /* Some drivers peek at the data bus during the MSG IN phase. */
1822 if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
1823 assert(s->msg_len > 0);
1824 return s->msg[0];
1825 }
1826 ret = 0;
1827 break;
1828 case 0x59: /* SBDL high */
1829 ret = 0;
1830 break;
1831 CASE_GET_REG32(mmrs, 0xa0)
1832 CASE_GET_REG32(mmws, 0xa4)
1833 CASE_GET_REG32(sfs, 0xa8)
1834 CASE_GET_REG32(drs, 0xac)
1835 CASE_GET_REG32(sbms, 0xb0)
1836 CASE_GET_REG32(dbms, 0xb4)
1837 CASE_GET_REG32(dnad64, 0xb8)
1838 CASE_GET_REG32(pmjad1, 0xc0)
1839 CASE_GET_REG32(pmjad2, 0xc4)
1840 CASE_GET_REG32(rbc, 0xc8)
1841 CASE_GET_REG32(ua, 0xcc)
1842 CASE_GET_REG32(ia, 0xd4)
1843 CASE_GET_REG32(sbc, 0xd8)
1844 CASE_GET_REG32(csbc, 0xdc)
1845 case 0x5c ... 0x9f:
1846 {
1847 int n;
1848 int shift;
1849 n = (offset - 0x58) >> 2;
1850 shift = (offset & 3) * 8;
1851 ret = (s->scratch[n] >> shift) & 0xff;
1852 break;
1853 }
1854 default:
1855 {
1856 qemu_log_mask(LOG_GUEST_ERROR,
1857 "lsi_scsi: invalid read from reg %s %x\n",
1858 offset < ARRAY_SIZE(names) ? names[offset] : "???",
1859 offset);
1860 ret = 0xff;
1861 break;
1862 }
1863 }
1864 #undef CASE_GET_REG24
1865 #undef CASE_GET_REG32
1866
1867 trace_lsi_reg_read(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1868 offset, ret);
1869
1870 return ret;
1871 }
1872
1873 static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1874 {
1875 #define CASE_SET_REG24(name, addr) \
1876 case addr : s->name &= 0xffffff00; s->name |= val; break; \
1877 case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8; break; \
1878 case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1879
1880 #define CASE_SET_REG32(name, addr) \
1881 case addr : s->name &= 0xffffff00; s->name |= val; break; \
1882 case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8; break; \
1883 case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1884 case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1885
1886 trace_lsi_reg_write(offset < ARRAY_SIZE(names) ? names[offset] : "???",
1887 offset, val);
1888
1889 switch (offset) {
1890 case 0x00: /* SCNTL0 */
1891 s->scntl0 = val;
1892 if (val & LSI_SCNTL0_START) {
1893 qemu_log_mask(LOG_UNIMP,
1894 "lsi_scsi: Start sequence not implemented\n");
1895 }
1896 break;
1897 case 0x01: /* SCNTL1 */
1898 s->scntl1 = val & ~LSI_SCNTL1_SST;
1899 if (val & LSI_SCNTL1_IARB) {
1900 qemu_log_mask(LOG_UNIMP,
1901 "lsi_scsi: Immediate Arbritration not implemented\n");
1902 }
1903 if (val & LSI_SCNTL1_RST) {
1904 if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1905 bus_cold_reset(BUS(&s->bus));
1906 s->sstat0 |= LSI_SSTAT0_RST;
1907 lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1908 }
1909 } else {
1910 s->sstat0 &= ~LSI_SSTAT0_RST;
1911 }
1912 break;
1913 case 0x02: /* SCNTL2 */
1914 val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1915 s->scntl2 = val;
1916 break;
1917 case 0x03: /* SCNTL3 */
1918 s->scntl3 = val;
1919 break;
1920 case 0x04: /* SCID */
1921 s->scid = val;
1922 break;
1923 case 0x05: /* SXFER */
1924 s->sxfer = val;
1925 break;
1926 case 0x06: /* SDID */
1927 if ((s->ssid & 0x80) && (val & 0xf) != (s->ssid & 0xf)) {
1928 qemu_log_mask(LOG_GUEST_ERROR,
1929 "lsi_scsi: Destination ID does not match SSID\n");
1930 }
1931 s->sdid = val & 0xf;
1932 break;
1933 case 0x07: /* GPREG0 */
1934 break;
1935 case 0x08: /* SFBR */
1936 /* The CPU is not allowed to write to this register. However the
1937 SCRIPTS register move instructions are. */
1938 s->sfbr = val;
1939 break;
1940 case 0x0a: case 0x0b:
1941 /* Openserver writes to these readonly registers on startup */
1942 return;
1943 case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1944 /* Linux writes to these readonly registers on startup. */
1945 return;
1946 CASE_SET_REG32(dsa, 0x10)
1947 case 0x14: /* ISTAT0 */
1948 s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1949 if (val & LSI_ISTAT0_ABRT) {
1950 lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1951 }
1952 if (val & LSI_ISTAT0_INTF) {
1953 s->istat0 &= ~LSI_ISTAT0_INTF;
1954 lsi_update_irq(s);
1955 }
1956 if (s->waiting == LSI_WAIT_RESELECT && val & LSI_ISTAT0_SIGP) {
1957 trace_lsi_awoken();
1958 s->waiting = LSI_NOWAIT;
1959 s->dsp = s->dnad;
1960 lsi_execute_script(s);
1961 }
1962 if (val & LSI_ISTAT0_SRST) {
1963 device_cold_reset(DEVICE(s));
1964 }
1965 break;
1966 case 0x16: /* MBOX0 */
1967 s->mbox0 = val;
1968 break;
1969 case 0x17: /* MBOX1 */
1970 s->mbox1 = val;
1971 break;
1972 case 0x18: /* CTEST0 */
1973 /* nothing to do */
1974 break;
1975 case 0x1a: /* CTEST2 */
1976 s->ctest2 = val & LSI_CTEST2_PCICIE;
1977 break;
1978 case 0x1b: /* CTEST3 */
1979 s->ctest3 = val & 0x0f;
1980 break;
1981 CASE_SET_REG32(temp, 0x1c)
1982 case 0x21: /* CTEST4 */
1983 if (val & 7) {
1984 qemu_log_mask(LOG_UNIMP,
1985 "lsi_scsi: Unimplemented CTEST4-FBL 0x%x\n", val);
1986 }
1987 s->ctest4 = val;
1988 break;
1989 case 0x22: /* CTEST5 */
1990 if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1991 qemu_log_mask(LOG_UNIMP,
1992 "lsi_scsi: CTEST5 DMA increment not implemented\n");
1993 }
1994 s->ctest5 = val;
1995 break;
1996 CASE_SET_REG24(dbc, 0x24)
1997 CASE_SET_REG32(dnad, 0x28)
1998 case 0x2c: /* DSP[0:7] */
1999 s->dsp &= 0xffffff00;
2000 s->dsp |= val;
2001 break;
2002 case 0x2d: /* DSP[8:15] */
2003 s->dsp &= 0xffff00ff;
2004 s->dsp |= val << 8;
2005 break;
2006 case 0x2e: /* DSP[16:23] */
2007 s->dsp &= 0xff00ffff;
2008 s->dsp |= val << 16;
2009 break;
2010 case 0x2f: /* DSP[24:31] */
2011 s->dsp &= 0x00ffffff;
2012 s->dsp |= val << 24;
2013 /*
2014 * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
2015 * instruction. Is this correct?
2016 */
2017 if ((s->dmode & LSI_DMODE_MAN) == 0
2018 && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
2019 lsi_execute_script(s);
2020 break;
2021 CASE_SET_REG32(dsps, 0x30)
2022 CASE_SET_REG32(scratch[0], 0x34)
2023 case 0x38: /* DMODE */
2024 s->dmode = val;
2025 break;
2026 case 0x39: /* DIEN */
2027 s->dien = val;
2028 lsi_update_irq(s);
2029 break;
2030 case 0x3a: /* SBR */
2031 s->sbr = val;
2032 break;
2033 case 0x3b: /* DCNTL */
2034 s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
2035 /*
2036 * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
2037 * instruction. Is this correct?
2038 */
2039 if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
2040 lsi_execute_script(s);
2041 break;
2042 case 0x40: /* SIEN0 */
2043 s->sien0 = val;
2044 lsi_update_irq(s);
2045 break;
2046 case 0x41: /* SIEN1 */
2047 s->sien1 = val;
2048 lsi_update_irq(s);
2049 break;
2050 case 0x47: /* GPCNTL0 */
2051 break;
2052 case 0x48: /* STIME0 */
2053 s->stime0 = val;
2054 break;
2055 case 0x49: /* STIME1 */
2056 if (val & 0xf) {
2057 qemu_log_mask(LOG_UNIMP,
2058 "lsi_scsi: General purpose timer not implemented\n");
2059 /* ??? Raising the interrupt immediately seems to be sufficient
2060 to keep the FreeBSD driver happy. */
2061 lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
2062 }
2063 break;
2064 case 0x4a: /* RESPID0 */
2065 s->respid0 = val;
2066 break;
2067 case 0x4b: /* RESPID1 */
2068 s->respid1 = val;
2069 break;
2070 case 0x4d: /* STEST1 */
2071 s->stest1 = val;
2072 break;
2073 case 0x4e: /* STEST2 */
2074 if (val & 1) {
2075 qemu_log_mask(LOG_UNIMP,
2076 "lsi_scsi: Low level mode not implemented\n");
2077 }
2078 s->stest2 = val;
2079 break;
2080 case 0x4f: /* STEST3 */
2081 if (val & 0x41) {
2082 qemu_log_mask(LOG_UNIMP,
2083 "lsi_scsi: SCSI FIFO test mode not implemented\n");
2084 }
2085 s->stest3 = val;
2086 break;
2087 case 0x56: /* CCNTL0 */
2088 s->ccntl0 = val;
2089 break;
2090 case 0x57: /* CCNTL1 */
2091 s->ccntl1 = val;
2092 break;
2093 CASE_SET_REG32(mmrs, 0xa0)
2094 CASE_SET_REG32(mmws, 0xa4)
2095 CASE_SET_REG32(sfs, 0xa8)
2096 CASE_SET_REG32(drs, 0xac)
2097 CASE_SET_REG32(sbms, 0xb0)
2098 CASE_SET_REG32(dbms, 0xb4)
2099 CASE_SET_REG32(dnad64, 0xb8)
2100 CASE_SET_REG32(pmjad1, 0xc0)
2101 CASE_SET_REG32(pmjad2, 0xc4)
2102 CASE_SET_REG32(rbc, 0xc8)
2103 CASE_SET_REG32(ua, 0xcc)
2104 CASE_SET_REG32(ia, 0xd4)
2105 CASE_SET_REG32(sbc, 0xd8)
2106 CASE_SET_REG32(csbc, 0xdc)
2107 default:
2108 if (offset >= 0x5c && offset < 0xa0) {
2109 int n;
2110 int shift;
2111 n = (offset - 0x58) >> 2;
2112 shift = (offset & 3) * 8;
2113 s->scratch[n] = deposit32(s->scratch[n], shift, 8, val);
2114 } else {
2115 qemu_log_mask(LOG_GUEST_ERROR,
2116 "lsi_scsi: invalid write to reg %s %x (0x%02x)\n",
2117 offset < ARRAY_SIZE(names) ? names[offset] : "???",
2118 offset, val);
2119 }
2120 }
2121 #undef CASE_SET_REG24
2122 #undef CASE_SET_REG32
2123 }
2124
2125 static void lsi_mmio_write(void *opaque, hwaddr addr,
2126 uint64_t val, unsigned size)
2127 {
2128 LSIState *s = opaque;
2129
2130 lsi_reg_writeb(s, addr & 0xff, val);
2131 }
2132
2133 static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
2134 unsigned size)
2135 {
2136 LSIState *s = opaque;
2137 return lsi_reg_readb(s, addr & 0xff);
2138 }
2139
2140 static const MemoryRegionOps lsi_mmio_ops = {
2141 .read = lsi_mmio_read,
2142 .write = lsi_mmio_write,
2143 .endianness = DEVICE_LITTLE_ENDIAN,
2144 .impl = {
2145 .min_access_size = 1,
2146 .max_access_size = 1,
2147 },
2148 };
2149
2150 static void lsi_ram_write(void *opaque, hwaddr addr,
2151 uint64_t val, unsigned size)
2152 {
2153 LSIState *s = opaque;
2154 stn_le_p(s->script_ram + addr, size, val);
2155 }
2156
2157 static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
2158 unsigned size)
2159 {
2160 LSIState *s = opaque;
2161 return ldn_le_p(s->script_ram + addr, size);
2162 }
2163
2164 static const MemoryRegionOps lsi_ram_ops = {
2165 .read = lsi_ram_read,
2166 .write = lsi_ram_write,
2167 .endianness = DEVICE_LITTLE_ENDIAN,
2168 };
2169
2170 static uint64_t lsi_io_read(void *opaque, hwaddr addr,
2171 unsigned size)
2172 {
2173 LSIState *s = opaque;
2174 return lsi_reg_readb(s, addr & 0xff);
2175 }
2176
2177 static void lsi_io_write(void *opaque, hwaddr addr,
2178 uint64_t val, unsigned size)
2179 {
2180 LSIState *s = opaque;
2181 lsi_reg_writeb(s, addr & 0xff, val);
2182 }
2183
2184 static const MemoryRegionOps lsi_io_ops = {
2185 .read = lsi_io_read,
2186 .write = lsi_io_write,
2187 .endianness = DEVICE_LITTLE_ENDIAN,
2188 .impl = {
2189 .min_access_size = 1,
2190 .max_access_size = 1,
2191 },
2192 };
2193
2194 static void lsi_scsi_reset(DeviceState *dev)
2195 {
2196 LSIState *s = LSI53C895A(dev);
2197
2198 lsi_soft_reset(s);
2199 }
2200
2201 static int lsi_pre_save(void *opaque)
2202 {
2203 LSIState *s = opaque;
2204
2205 if (s->current) {
2206 assert(s->current->dma_buf == NULL);
2207 assert(s->current->dma_len == 0);
2208 }
2209 assert(QTAILQ_EMPTY(&s->queue));
2210
2211 return 0;
2212 }
2213
2214 static int lsi_post_load(void *opaque, int version_id)
2215 {
2216 LSIState *s = opaque;
2217
2218 if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
2219 return -EINVAL;
2220 }
2221
2222 if (s->waiting == LSI_WAIT_SCRIPTS) {
2223 lsi_scripts_timer_start(s);
2224 }
2225 return 0;
2226 }
2227
2228 static const VMStateDescription vmstate_lsi_scsi = {
2229 .name = "lsiscsi",
2230 .version_id = 1,
2231 .minimum_version_id = 0,
2232 .pre_save = lsi_pre_save,
2233 .post_load = lsi_post_load,
2234 .fields = (const VMStateField[]) {
2235 VMSTATE_PCI_DEVICE(parent_obj, LSIState),
2236
2237 VMSTATE_INT32(carry, LSIState),
2238 VMSTATE_INT32(status, LSIState),
2239 VMSTATE_INT32(msg_action, LSIState),
2240 VMSTATE_INT32(msg_len, LSIState),
2241 VMSTATE_BUFFER(msg, LSIState),
2242 VMSTATE_INT32(waiting, LSIState),
2243
2244 VMSTATE_UINT32(dsa, LSIState),
2245 VMSTATE_UINT32(temp, LSIState),
2246 VMSTATE_UINT32(dnad, LSIState),
2247 VMSTATE_UINT32(dbc, LSIState),
2248 VMSTATE_UINT8(istat0, LSIState),
2249 VMSTATE_UINT8(istat1, LSIState),
2250 VMSTATE_UINT8(dcmd, LSIState),
2251 VMSTATE_UINT8(dstat, LSIState),
2252 VMSTATE_UINT8(dien, LSIState),
2253 VMSTATE_UINT8(sist0, LSIState),
2254 VMSTATE_UINT8(sist1, LSIState),
2255 VMSTATE_UINT8(sien0, LSIState),
2256 VMSTATE_UINT8(sien1, LSIState),
2257 VMSTATE_UINT8(mbox0, LSIState),
2258 VMSTATE_UINT8(mbox1, LSIState),
2259 VMSTATE_UINT8(dfifo, LSIState),
2260 VMSTATE_UINT8(ctest2, LSIState),
2261 VMSTATE_UINT8(ctest3, LSIState),
2262 VMSTATE_UINT8(ctest4, LSIState),
2263 VMSTATE_UINT8(ctest5, LSIState),
2264 VMSTATE_UINT8(ccntl0, LSIState),
2265 VMSTATE_UINT8(ccntl1, LSIState),
2266 VMSTATE_UINT32(dsp, LSIState),
2267 VMSTATE_UINT32(dsps, LSIState),
2268 VMSTATE_UINT8(dmode, LSIState),
2269 VMSTATE_UINT8(dcntl, LSIState),
2270 VMSTATE_UINT8(scntl0, LSIState),
2271 VMSTATE_UINT8(scntl1, LSIState),
2272 VMSTATE_UINT8(scntl2, LSIState),
2273 VMSTATE_UINT8(scntl3, LSIState),
2274 VMSTATE_UINT8(sstat0, LSIState),
2275 VMSTATE_UINT8(sstat1, LSIState),
2276 VMSTATE_UINT8(scid, LSIState),
2277 VMSTATE_UINT8(sxfer, LSIState),
2278 VMSTATE_UINT8(socl, LSIState),
2279 VMSTATE_UINT8(sdid, LSIState),
2280 VMSTATE_UINT8(ssid, LSIState),
2281 VMSTATE_UINT8(sfbr, LSIState),
2282 VMSTATE_UINT8(stest1, LSIState),
2283 VMSTATE_UINT8(stest2, LSIState),
2284 VMSTATE_UINT8(stest3, LSIState),
2285 VMSTATE_UINT8(sidl, LSIState),
2286 VMSTATE_UINT8(stime0, LSIState),
2287 VMSTATE_UINT8(respid0, LSIState),
2288 VMSTATE_UINT8(respid1, LSIState),
2289 VMSTATE_UINT8_V(sbcl, LSIState, 1),
2290 VMSTATE_UINT32(mmrs, LSIState),
2291 VMSTATE_UINT32(mmws, LSIState),
2292 VMSTATE_UINT32(sfs, LSIState),
2293 VMSTATE_UINT32(drs, LSIState),
2294 VMSTATE_UINT32(sbms, LSIState),
2295 VMSTATE_UINT32(dbms, LSIState),
2296 VMSTATE_UINT32(dnad64, LSIState),
2297 VMSTATE_UINT32(pmjad1, LSIState),
2298 VMSTATE_UINT32(pmjad2, LSIState),
2299 VMSTATE_UINT32(rbc, LSIState),
2300 VMSTATE_UINT32(ua, LSIState),
2301 VMSTATE_UINT32(ia, LSIState),
2302 VMSTATE_UINT32(sbc, LSIState),
2303 VMSTATE_UINT32(csbc, LSIState),
2304 VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2305 VMSTATE_UINT8(sbr, LSIState),
2306
2307 VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 8192),
2308 VMSTATE_END_OF_LIST()
2309 }
2310 };
2311
2312 static const struct SCSIBusInfo lsi_scsi_info = {
2313 .tcq = true,
2314 .max_target = LSI_MAX_DEVS,
2315 .max_lun = 0, /* LUN support is buggy */
2316
2317 .transfer_data = lsi_transfer_data,
2318 .complete = lsi_command_complete,
2319 .cancel = lsi_request_cancelled
2320 };
2321
2322 static void scripts_timer_cb(void *opaque)
2323 {
2324 LSIState *s = opaque;
2325
2326 trace_lsi_scripts_timer_triggered();
2327 s->waiting = LSI_NOWAIT;
2328 lsi_execute_script(s);
2329 }
2330
2331 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
2332 {
2333 LSIState *s = LSI53C895A(dev);
2334 DeviceState *d = DEVICE(dev);
2335 uint8_t *pci_conf;
2336
2337 pci_conf = dev->config;
2338
2339 /* PCI latency timer = 255 */
2340 pci_conf[PCI_LATENCY_TIMER] = 0xff;
2341 /* Interrupt pin A */
2342 pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2343
2344 memory_region_init_io(&s->mmio_io, OBJECT(s), &lsi_mmio_ops, s,
2345 "lsi-mmio", 0x400);
2346 memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
2347 "lsi-ram", 0x2000);
2348 memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
2349 "lsi-io", 256);
2350 s->scripts_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, scripts_timer_cb, s);
2351
2352 /*
2353 * Since we use the address-space API to interact with ram_io, disable the
2354 * re-entrancy guard.
2355 */
2356 s->ram_io.disable_reentrancy_guard = true;
2357 s->mmio_io.disable_reentrancy_guard = true;
2358
2359 address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
2360 qdev_init_gpio_out(d, &s->ext_irq, 1);
2361
2362 pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2363 pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->mmio_io);
2364 pci_register_bar(dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2365 QTAILQ_INIT(&s->queue);
2366
2367 scsi_bus_init(&s->bus, sizeof(s->bus), d, &lsi_scsi_info);
2368 }
2369
2370 static void lsi_scsi_exit(PCIDevice *dev)
2371 {
2372 LSIState *s = LSI53C895A(dev);
2373
2374 address_space_destroy(&s->pci_io_as);
2375 timer_del(s->scripts_timer);
2376 }
2377
2378 static void lsi_class_init(ObjectClass *klass, void *data)
2379 {
2380 DeviceClass *dc = DEVICE_CLASS(klass);
2381 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2382
2383 k->realize = lsi_scsi_realize;
2384 k->exit = lsi_scsi_exit;
2385 k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2386 k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2387 k->class_id = PCI_CLASS_STORAGE_SCSI;
2388 k->subsystem_id = 0x1000;
2389 dc->reset = lsi_scsi_reset;
2390 dc->vmsd = &vmstate_lsi_scsi;
2391 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2392 }
2393
2394 static const TypeInfo lsi_info = {
2395 .name = TYPE_LSI53C895A,
2396 .parent = TYPE_PCI_DEVICE,
2397 .instance_size = sizeof(LSIState),
2398 .class_init = lsi_class_init,
2399 .interfaces = (InterfaceInfo[]) {
2400 { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2401 { },
2402 },
2403 };
2404
2405 static void lsi53c810_class_init(ObjectClass *klass, void *data)
2406 {
2407 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2408
2409 k->device_id = PCI_DEVICE_ID_LSI_53C810;
2410 }
2411
2412 static const TypeInfo lsi53c810_info = {
2413 .name = TYPE_LSI53C810,
2414 .parent = TYPE_LSI53C895A,
2415 .class_init = lsi53c810_class_init,
2416 };
2417
2418 static void lsi53c895a_register_types(void)
2419 {
2420 type_register_static(&lsi_info);
2421 type_register_static(&lsi53c810_info);
2422 }
2423
2424 type_init(lsi53c895a_register_types)
2425
2426 void lsi53c8xx_handle_legacy_cmdline(DeviceState *lsi_dev)
2427 {
2428 LSIState *s = LSI53C895A(lsi_dev);
2429
2430 scsi_bus_legacy_handle_cmdline(&s->bus);
2431 }
AR7 emulation for QEMU