LXR qemu/hw/lsi53c895a.c

   1/*
   2 * QEMU LSI53C895A SCSI Host Bus Adapter emulation
   3 *
   4 * Copyright (c) 2006 CodeSourcery.
   5 * Written by Paul Brook
   6 *
   7 * This code is licensed under the LGPL.
   8 */
   9
  10/* ??? Need to check if the {read,write}[wl] routines work properly on
  11   big-endian targets.  */
  12
  13#include <assert.h>
  14
  15#include "hw.h"
  16#include "pci/pci.h"
  17#include "scsi.h"
  18#include "sysemu/dma.h"
  19
  20//#define DEBUG_LSI
  21//#define DEBUG_LSI_REG
  22
  23#ifdef DEBUG_LSI
  24#define DPRINTF(fmt, ...) \
  25do { printf("lsi_scsi: " fmt , ## __VA_ARGS__); } while (0)
  26#define BADF(fmt, ...) \
  27do { fprintf(stderr, "lsi_scsi: error: " fmt , ## __VA_ARGS__); exit(1);} while (0)
  28#else
  29#define DPRINTF(fmt, ...) do {} while(0)
  30#define BADF(fmt, ...) \
  31do { fprintf(stderr, "lsi_scsi: error: " fmt , ## __VA_ARGS__);} while (0)
  32#endif
  33
  34#define LSI_MAX_DEVS 7
  35
  36#define LSI_SCNTL0_TRG    0x01
  37#define LSI_SCNTL0_AAP    0x02
  38#define LSI_SCNTL0_EPC    0x08
  39#define LSI_SCNTL0_WATN   0x10
  40#define LSI_SCNTL0_START  0x20
  41
  42#define LSI_SCNTL1_SST    0x01
  43#define LSI_SCNTL1_IARB   0x02
  44#define LSI_SCNTL1_AESP   0x04
  45#define LSI_SCNTL1_RST    0x08
  46#define LSI_SCNTL1_CON    0x10
  47#define LSI_SCNTL1_DHP    0x20
  48#define LSI_SCNTL1_ADB    0x40
  49#define LSI_SCNTL1_EXC    0x80
  50
  51#define LSI_SCNTL2_WSR    0x01
  52#define LSI_SCNTL2_VUE0   0x02
  53#define LSI_SCNTL2_VUE1   0x04
  54#define LSI_SCNTL2_WSS    0x08
  55#define LSI_SCNTL2_SLPHBEN 0x10
  56#define LSI_SCNTL2_SLPMD  0x20
  57#define LSI_SCNTL2_CHM    0x40
  58#define LSI_SCNTL2_SDU    0x80
  59
  60#define LSI_ISTAT0_DIP    0x01
  61#define LSI_ISTAT0_SIP    0x02
  62#define LSI_ISTAT0_INTF   0x04
  63#define LSI_ISTAT0_CON    0x08
  64#define LSI_ISTAT0_SEM    0x10
  65#define LSI_ISTAT0_SIGP   0x20
  66#define LSI_ISTAT0_SRST   0x40
  67#define LSI_ISTAT0_ABRT   0x80
  68
  69#define LSI_ISTAT1_SI     0x01
  70#define LSI_ISTAT1_SRUN   0x02
  71#define LSI_ISTAT1_FLSH   0x04
  72
  73#define LSI_SSTAT0_SDP0   0x01
  74#define LSI_SSTAT0_RST    0x02
  75#define LSI_SSTAT0_WOA    0x04
  76#define LSI_SSTAT0_LOA    0x08
  77#define LSI_SSTAT0_AIP    0x10
  78#define LSI_SSTAT0_OLF    0x20
  79#define LSI_SSTAT0_ORF    0x40
  80#define LSI_SSTAT0_ILF    0x80
  81
  82#define LSI_SIST0_PAR     0x01
  83#define LSI_SIST0_RST     0x02
  84#define LSI_SIST0_UDC     0x04
  85#define LSI_SIST0_SGE     0x08
  86#define LSI_SIST0_RSL     0x10
  87#define LSI_SIST0_SEL     0x20
  88#define LSI_SIST0_CMP     0x40
  89#define LSI_SIST0_MA      0x80
  90
  91#define LSI_SIST1_HTH     0x01
  92#define LSI_SIST1_GEN     0x02
  93#define LSI_SIST1_STO     0x04
  94#define LSI_SIST1_SBMC    0x10
  95
  96#define LSI_SOCL_IO       0x01
  97#define LSI_SOCL_CD       0x02
  98#define LSI_SOCL_MSG      0x04
  99#define LSI_SOCL_ATN      0x08
 100#define LSI_SOCL_SEL      0x10
 101#define LSI_SOCL_BSY      0x20
 102#define LSI_SOCL_ACK      0x40
 103#define LSI_SOCL_REQ      0x80
 104
 105#define LSI_DSTAT_IID     0x01
 106#define LSI_DSTAT_SIR     0x04
 107#define LSI_DSTAT_SSI     0x08
 108#define LSI_DSTAT_ABRT    0x10
 109#define LSI_DSTAT_BF      0x20
 110#define LSI_DSTAT_MDPE    0x40
 111#define LSI_DSTAT_DFE     0x80
 112
 113#define LSI_DCNTL_COM     0x01
 114#define LSI_DCNTL_IRQD    0x02
 115#define LSI_DCNTL_STD     0x04
 116#define LSI_DCNTL_IRQM    0x08
 117#define LSI_DCNTL_SSM     0x10
 118#define LSI_DCNTL_PFEN    0x20
 119#define LSI_DCNTL_PFF     0x40
 120#define LSI_DCNTL_CLSE    0x80
 121
 122#define LSI_DMODE_MAN     0x01
 123#define LSI_DMODE_BOF     0x02
 124#define LSI_DMODE_ERMP    0x04
 125#define LSI_DMODE_ERL     0x08
 126#define LSI_DMODE_DIOM    0x10
 127#define LSI_DMODE_SIOM    0x20
 128
 129#define LSI_CTEST2_DACK   0x01
 130#define LSI_CTEST2_DREQ   0x02
 131#define LSI_CTEST2_TEOP   0x04
 132#define LSI_CTEST2_PCICIE 0x08
 133#define LSI_CTEST2_CM     0x10
 134#define LSI_CTEST2_CIO    0x20
 135#define LSI_CTEST2_SIGP   0x40
 136#define LSI_CTEST2_DDIR   0x80
 137
 138#define LSI_CTEST5_BL2    0x04
 139#define LSI_CTEST5_DDIR   0x08
 140#define LSI_CTEST5_MASR   0x10
 141#define LSI_CTEST5_DFSN   0x20
 142#define LSI_CTEST5_BBCK   0x40
 143#define LSI_CTEST5_ADCK   0x80
 144
 145#define LSI_CCNTL0_DILS   0x01
 146#define LSI_CCNTL0_DISFC  0x10
 147#define LSI_CCNTL0_ENNDJ  0x20
 148#define LSI_CCNTL0_PMJCTL 0x40
 149#define LSI_CCNTL0_ENPMJ  0x80
 150
 151#define LSI_CCNTL1_EN64DBMV  0x01
 152#define LSI_CCNTL1_EN64TIBMV 0x02
 153#define LSI_CCNTL1_64TIMOD   0x04
 154#define LSI_CCNTL1_DDAC      0x08
 155#define LSI_CCNTL1_ZMOD      0x80
 156
 157/* Enable Response to Reselection */
 158#define LSI_SCID_RRE      0x60
 159
 160#define LSI_CCNTL1_40BIT (LSI_CCNTL1_EN64TIBMV|LSI_CCNTL1_64TIMOD)
 161
 162#define PHASE_DO          0
 163#define PHASE_DI          1
 164#define PHASE_CMD         2
 165#define PHASE_ST          3
 166#define PHASE_MO          6
 167#define PHASE_MI          7
 168#define PHASE_MASK        7
 169
 170/* Maximum length of MSG IN data.  */
 171#define LSI_MAX_MSGIN_LEN 8
 172
 173/* Flag set if this is a tagged command.  */
 174#define LSI_TAG_VALID     (1 << 16)
 175
 176typedef struct lsi_request {
 177    SCSIRequest *req;
 178    uint32_t tag;
 179    uint32_t dma_len;
 180    uint8_t *dma_buf;
 181    uint32_t pending;
 182    int out;
 183    QTAILQ_ENTRY(lsi_request) next;
 184} lsi_request;
 185
 186typedef struct {
 187    PCIDevice dev;
 188    MemoryRegion mmio_io;
 189    MemoryRegion ram_io;
 190    MemoryRegion io_io;
 191
 192    int carry; /* ??? Should this be an a visible register somewhere?  */
 193    int status;
 194    /* Action to take at the end of a MSG IN phase.
 195       0 = COMMAND, 1 = disconnect, 2 = DATA OUT, 3 = DATA IN.  */
 196    int msg_action;
 197    int msg_len;
 198    uint8_t msg[LSI_MAX_MSGIN_LEN];
 199    /* 0 if SCRIPTS are running or stopped.
 200     * 1 if a Wait Reselect instruction has been issued.
 201     * 2 if processing DMA from lsi_execute_script.
 202     * 3 if a DMA operation is in progress.  */
 203    int waiting;
 204    SCSIBus bus;
 205    int current_lun;
 206    /* The tag is a combination of the device ID and the SCSI tag.  */
 207    uint32_t select_tag;
 208    int command_complete;
 209    QTAILQ_HEAD(, lsi_request) queue;
 210    lsi_request *current;
 211
 212    uint32_t dsa;
 213    uint32_t temp;
 214    uint32_t dnad;
 215    uint32_t dbc;
 216    uint8_t istat0;
 217    uint8_t istat1;
 218    uint8_t dcmd;
 219    uint8_t dstat;
 220    uint8_t dien;
 221    uint8_t sist0;
 222    uint8_t sist1;
 223    uint8_t sien0;
 224    uint8_t sien1;
 225    uint8_t mbox0;
 226    uint8_t mbox1;
 227    uint8_t dfifo;
 228    uint8_t ctest2;
 229    uint8_t ctest3;
 230    uint8_t ctest4;
 231    uint8_t ctest5;
 232    uint8_t ccntl0;
 233    uint8_t ccntl1;
 234    uint32_t dsp;
 235    uint32_t dsps;
 236    uint8_t dmode;
 237    uint8_t dcntl;
 238    uint8_t scntl0;
 239    uint8_t scntl1;
 240    uint8_t scntl2;
 241    uint8_t scntl3;
 242    uint8_t sstat0;
 243    uint8_t sstat1;
 244    uint8_t scid;
 245    uint8_t sxfer;
 246    uint8_t socl;
 247    uint8_t sdid;
 248    uint8_t ssid;
 249    uint8_t sfbr;
 250    uint8_t stest1;
 251    uint8_t stest2;
 252    uint8_t stest3;
 253    uint8_t sidl;
 254    uint8_t stime0;
 255    uint8_t respid0;
 256    uint8_t respid1;
 257    uint32_t mmrs;
 258    uint32_t mmws;
 259    uint32_t sfs;
 260    uint32_t drs;
 261    uint32_t sbms;
 262    uint32_t dbms;
 263    uint32_t dnad64;
 264    uint32_t pmjad1;
 265    uint32_t pmjad2;
 266    uint32_t rbc;
 267    uint32_t ua;
 268    uint32_t ia;
 269    uint32_t sbc;
 270    uint32_t csbc;
 271    uint32_t scratch[18]; /* SCRATCHA-SCRATCHR */
 272    uint8_t sbr;
 273
 274    /* Script ram is stored as 32-bit words in host byteorder.  */
 275    uint32_t script_ram[2048];
 276} LSIState;
 277
 278static inline int lsi_irq_on_rsl(LSIState *s)
 279{
 280    return (s->sien0 & LSI_SIST0_RSL) && (s->scid & LSI_SCID_RRE);
 281}
 282
 283static void lsi_soft_reset(LSIState *s)
 284{
 285    DPRINTF("Reset\n");
 286    s->carry = 0;
 287
 288    s->msg_action = 0;
 289    s->msg_len = 0;
 290    s->waiting = 0;
 291    s->dsa = 0;
 292    s->dnad = 0;
 293    s->dbc = 0;
 294    s->temp = 0;
 295    memset(s->scratch, 0, sizeof(s->scratch));
 296    s->istat0 = 0;
 297    s->istat1 = 0;
 298    s->dcmd = 0x40;
 299    s->dstat = LSI_DSTAT_DFE;
 300    s->dien = 0;
 301    s->sist0 = 0;
 302    s->sist1 = 0;
 303    s->sien0 = 0;
 304    s->sien1 = 0;
 305    s->mbox0 = 0;
 306    s->mbox1 = 0;
 307    s->dfifo = 0;
 308    s->ctest2 = LSI_CTEST2_DACK;
 309    s->ctest3 = 0;
 310    s->ctest4 = 0;
 311    s->ctest5 = 0;
 312    s->ccntl0 = 0;
 313    s->ccntl1 = 0;
 314    s->dsp = 0;
 315    s->dsps = 0;
 316    s->dmode = 0;
 317    s->dcntl = 0;
 318    s->scntl0 = 0xc0;
 319    s->scntl1 = 0;
 320    s->scntl2 = 0;
 321    s->scntl3 = 0;
 322    s->sstat0 = 0;
 323    s->sstat1 = 0;
 324    s->scid = 7;
 325    s->sxfer = 0;
 326    s->socl = 0;
 327    s->sdid = 0;
 328    s->ssid = 0;
 329    s->stest1 = 0;
 330    s->stest2 = 0;
 331    s->stest3 = 0;
 332    s->sidl = 0;
 333    s->stime0 = 0;
 334    s->respid0 = 0x80;
 335    s->respid1 = 0;
 336    s->mmrs = 0;
 337    s->mmws = 0;
 338    s->sfs = 0;
 339    s->drs = 0;
 340    s->sbms = 0;
 341    s->dbms = 0;
 342    s->dnad64 = 0;
 343    s->pmjad1 = 0;
 344    s->pmjad2 = 0;
 345    s->rbc = 0;
 346    s->ua = 0;
 347    s->ia = 0;
 348    s->sbc = 0;
 349    s->csbc = 0;
 350    s->sbr = 0;
 351    assert(QTAILQ_EMPTY(&s->queue));
 352    assert(!s->current);
 353}
 354
 355static int lsi_dma_40bit(LSIState *s)
 356{
 357    if ((s->ccntl1 & LSI_CCNTL1_40BIT) == LSI_CCNTL1_40BIT)
 358        return 1;
 359    return 0;
 360}
 361
 362static int lsi_dma_ti64bit(LSIState *s)
 363{
 364    if ((s->ccntl1 & LSI_CCNTL1_EN64TIBMV) == LSI_CCNTL1_EN64TIBMV)
 365        return 1;
 366    return 0;
 367}
 368
 369static int lsi_dma_64bit(LSIState *s)
 370{
 371    if ((s->ccntl1 & LSI_CCNTL1_EN64DBMV) == LSI_CCNTL1_EN64DBMV)
 372        return 1;
 373    return 0;
 374}
 375
 376static uint8_t lsi_reg_readb(LSIState *s, int offset);
 377static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val);
 378static void lsi_execute_script(LSIState *s);
 379static void lsi_reselect(LSIState *s, lsi_request *p);
 380
 381static inline uint32_t read_dword(LSIState *s, uint32_t addr)
 382{
 383    uint32_t buf;
 384
 385    pci_dma_read(&s->dev, addr, &buf, 4);
 386    return cpu_to_le32(buf);
 387}
 388
 389static void lsi_stop_script(LSIState *s)
 390{
 391    s->istat1 &= ~LSI_ISTAT1_SRUN;
 392}
 393
 394static void lsi_update_irq(LSIState *s)
 395{
 396    int level;
 397    static int last_level;
 398    lsi_request *p;
 399
 400    /* It's unclear whether the DIP/SIP bits should be cleared when the
 401       Interrupt Status Registers are cleared or when istat0 is read.
 402       We currently do the formwer, which seems to work.  */
 403    level = 0;
 404    if (s->dstat) {
 405        if (s->dstat & s->dien)
 406            level = 1;
 407        s->istat0 |= LSI_ISTAT0_DIP;
 408    } else {
 409        s->istat0 &= ~LSI_ISTAT0_DIP;
 410    }
 411
 412    if (s->sist0 || s->sist1) {
 413        if ((s->sist0 & s->sien0) || (s->sist1 & s->sien1))
 414            level = 1;
 415        s->istat0 |= LSI_ISTAT0_SIP;
 416    } else {
 417        s->istat0 &= ~LSI_ISTAT0_SIP;
 418    }
 419    if (s->istat0 & LSI_ISTAT0_INTF)
 420        level = 1;
 421
 422    if (level != last_level) {
 423        DPRINTF("Update IRQ level %d dstat %02x sist %02x%02x\n",
 424                level, s->dstat, s->sist1, s->sist0);
 425        last_level = level;
 426    }
 427    qemu_set_irq(s->dev.irq[0], level);
 428
 429    if (!level && lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON)) {
 430        DPRINTF("Handled IRQs & disconnected, looking for pending "
 431                "processes\n");
 432        QTAILQ_FOREACH(p, &s->queue, next) {
 433            if (p->pending) {
 434                lsi_reselect(s, p);
 435                break;
 436            }
 437        }
 438    }
 439}
 440
 441/* Stop SCRIPTS execution and raise a SCSI interrupt.  */
 442static void lsi_script_scsi_interrupt(LSIState *s, int stat0, int stat1)
 443{
 444    uint32_t mask0;
 445    uint32_t mask1;
 446
 447    DPRINTF("SCSI Interrupt 0x%02x%02x prev 0x%02x%02x\n",
 448            stat1, stat0, s->sist1, s->sist0);
 449    s->sist0 |= stat0;
 450    s->sist1 |= stat1;
 451    /* Stop processor on fatal or unmasked interrupt.  As a special hack
 452       we don't stop processing when raising STO.  Instead continue
 453       execution and stop at the next insn that accesses the SCSI bus.  */
 454    mask0 = s->sien0 | ~(LSI_SIST0_CMP | LSI_SIST0_SEL | LSI_SIST0_RSL);
 455    mask1 = s->sien1 | ~(LSI_SIST1_GEN | LSI_SIST1_HTH);
 456    mask1 &= ~LSI_SIST1_STO;
 457    if (s->sist0 & mask0 || s->sist1 & mask1) {
 458        lsi_stop_script(s);
 459    }
 460    lsi_update_irq(s);
 461}
 462
 463/* Stop SCRIPTS execution and raise a DMA interrupt.  */
 464static void lsi_script_dma_interrupt(LSIState *s, int stat)
 465{
 466    DPRINTF("DMA Interrupt 0x%x prev 0x%x\n", stat, s->dstat);
 467    s->dstat |= stat;
 468    lsi_update_irq(s);
 469    lsi_stop_script(s);
 470}
 471
 472static inline void lsi_set_phase(LSIState *s, int phase)
 473{
 474    s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
 475}
 476
 477static void lsi_bad_phase(LSIState *s, int out, int new_phase)
 478{
 479    /* Trigger a phase mismatch.  */
 480    if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
 481        if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
 482            s->dsp = out ? s->pmjad1 : s->pmjad2;
 483        } else {
 484            s->dsp = (s->scntl2 & LSI_SCNTL2_WSR ? s->pmjad2 : s->pmjad1);
 485        }
 486        DPRINTF("Data phase mismatch jump to %08x\n", s->dsp);
 487    } else {
 488        DPRINTF("Phase mismatch interrupt\n");
 489        lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
 490        lsi_stop_script(s);
 491    }
 492    lsi_set_phase(s, new_phase);
 493}
 494
 495
 496/* Resume SCRIPTS execution after a DMA operation.  */
 497static void lsi_resume_script(LSIState *s)
 498{
 499    if (s->waiting != 2) {
 500        s->waiting = 0;
 501        lsi_execute_script(s);
 502    } else {
 503        s->waiting = 0;
 504    }
 505}
 506
 507static void lsi_disconnect(LSIState *s)
 508{
 509    s->scntl1 &= ~LSI_SCNTL1_CON;
 510    s->sstat1 &= ~PHASE_MASK;
 511}
 512
 513static void lsi_bad_selection(LSIState *s, uint32_t id)
 514{
 515    DPRINTF("Selected absent target %d\n", id);
 516    lsi_script_scsi_interrupt(s, 0, LSI_SIST1_STO);
 517    lsi_disconnect(s);
 518}
 519
 520/* Initiate a SCSI layer data transfer.  */
 521static void lsi_do_dma(LSIState *s, int out)
 522{
 523    uint32_t count;
 524    dma_addr_t addr;
 525    SCSIDevice *dev;
 526
 527    assert(s->current);
 528    if (!s->current->dma_len) {
 529        /* Wait until data is available.  */
 530        DPRINTF("DMA no data available\n");
 531        return;
 532    }
 533
 534    dev = s->current->req->dev;
 535    assert(dev);
 536
 537    count = s->dbc;
 538    if (count > s->current->dma_len)
 539        count = s->current->dma_len;
 540
 541    addr = s->dnad;
 542    /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */
 543    if (lsi_dma_40bit(s) || lsi_dma_ti64bit(s))
 544        addr |= ((uint64_t)s->dnad64 << 32);
 545    else if (s->dbms)
 546        addr |= ((uint64_t)s->dbms << 32);
 547    else if (s->sbms)
 548        addr |= ((uint64_t)s->sbms << 32);
 549
 550    DPRINTF("DMA addr=0x" DMA_ADDR_FMT " len=%d\n", addr, count);
 551    s->csbc += count;
 552    s->dnad += count;
 553    s->dbc -= count;
 554     if (s->current->dma_buf == NULL) {
 555        s->current->dma_buf = scsi_req_get_buf(s->current->req);
 556    }
 557    /* ??? Set SFBR to first data byte.  */
 558    if (out) {
 559        pci_dma_read(&s->dev, addr, s->current->dma_buf, count);
 560    } else {
 561        pci_dma_write(&s->dev, addr, s->current->dma_buf, count);
 562    }
 563    s->current->dma_len -= count;
 564    if (s->current->dma_len == 0) {
 565        s->current->dma_buf = NULL;
 566        scsi_req_continue(s->current->req);
 567    } else {
 568        s->current->dma_buf += count;
 569        lsi_resume_script(s);
 570    }
 571}
 572
 573
 574/* Add a command to the queue.  */
 575static void lsi_queue_command(LSIState *s)
 576{
 577    lsi_request *p = s->current;
 578
 579    DPRINTF("Queueing tag=0x%x\n", p->tag);
 580    assert(s->current != NULL);
 581    assert(s->current->dma_len == 0);
 582    QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
 583    s->current = NULL;
 584
 585    p->pending = 0;
 586    p->out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
 587}
 588
 589/* Queue a byte for a MSG IN phase.  */
 590static void lsi_add_msg_byte(LSIState *s, uint8_t data)
 591{
 592    if (s->msg_len >= LSI_MAX_MSGIN_LEN) {
 593        BADF("MSG IN data too long\n");
 594    } else {
 595        DPRINTF("MSG IN 0x%02x\n", data);
 596        s->msg[s->msg_len++] = data;
 597    }
 598}
 599
 600/* Perform reselection to continue a command.  */
 601static void lsi_reselect(LSIState *s, lsi_request *p)
 602{
 603    int id;
 604
 605    assert(s->current == NULL);
 606    QTAILQ_REMOVE(&s->queue, p, next);
 607    s->current = p;
 608
 609    id = (p->tag >> 8) & 0xf;
 610    s->ssid = id | 0x80;
 611    /* LSI53C700 Family Compatibility, see LSI53C895A 4-73 */
 612    if (!(s->dcntl & LSI_DCNTL_COM)) {
 613        s->sfbr = 1 << (id & 0x7);
 614    }
 615    DPRINTF("Reselected target %d\n", id);
 616    s->scntl1 |= LSI_SCNTL1_CON;
 617    lsi_set_phase(s, PHASE_MI);
 618    s->msg_action = p->out ? 2 : 3;
 619    s->current->dma_len = p->pending;
 620    lsi_add_msg_byte(s, 0x80);
 621    if (s->current->tag & LSI_TAG_VALID) {
 622        lsi_add_msg_byte(s, 0x20);
 623        lsi_add_msg_byte(s, p->tag & 0xff);
 624    }
 625
 626    if (lsi_irq_on_rsl(s)) {
 627        lsi_script_scsi_interrupt(s, LSI_SIST0_RSL, 0);
 628    }
 629}
 630
 631static lsi_request *lsi_find_by_tag(LSIState *s, uint32_t tag)
 632{
 633    lsi_request *p;
 634
 635    QTAILQ_FOREACH(p, &s->queue, next) {
 636        if (p->tag == tag) {
 637            return p;
 638        }
 639    }
 640
 641    return NULL;
 642}
 643
 644static void lsi_request_free(LSIState *s, lsi_request *p)
 645{
 646    if (p == s->current) {
 647        s->current = NULL;
 648    } else {
 649        QTAILQ_REMOVE(&s->queue, p, next);
 650    }
 651    g_free(p);
 652}
 653
 654static void lsi_request_cancelled(SCSIRequest *req)
 655{
 656    LSIState *s = DO_UPCAST(LSIState, dev.qdev, req->bus->qbus.parent);
 657    lsi_request *p = req->hba_private;
 658
 659    req->hba_private = NULL;
 660    lsi_request_free(s, p);
 661    scsi_req_unref(req);
 662}
 663
 664/* Record that data is available for a queued command.  Returns zero if
 665   the device was reselected, nonzero if the IO is deferred.  */
 666static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
 667{
 668    lsi_request *p = req->hba_private;
 669
 670    if (p->pending) {
 671        BADF("Multiple IO pending for request %p\n", p);
 672    }
 673    p->pending = len;
 674    /* Reselect if waiting for it, or if reselection triggers an IRQ
 675       and the bus is free.
 676       Since no interrupt stacking is implemented in the emulation, it
 677       is also required that there are no pending interrupts waiting
 678       for service from the device driver. */
 679    if (s->waiting == 1 ||
 680        (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON) &&
 681         !(s->istat0 & (LSI_ISTAT0_SIP | LSI_ISTAT0_DIP)))) {
 682        /* Reselect device.  */
 683        lsi_reselect(s, p);
 684        return 0;
 685    } else {
 686        DPRINTF("Queueing IO tag=0x%x\n", p->tag);
 687        p->pending = len;
 688        return 1;
 689    }
 690}
 691
 692 /* Callback to indicate that the SCSI layer has completed a command.  */
 693static void lsi_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
 694{
 695    LSIState *s = DO_UPCAST(LSIState, dev.qdev, req->bus->qbus.parent);
 696    int out;
 697
 698    out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
 699    DPRINTF("Command complete status=%d\n", (int)status);
 700    s->status = status;
 701    s->command_complete = 2;
 702    if (s->waiting && s->dbc != 0) {
 703        /* Raise phase mismatch for short transfers.  */
 704        lsi_bad_phase(s, out, PHASE_ST);
 705    } else {
 706        lsi_set_phase(s, PHASE_ST);
 707    }
 708
 709    if (req->hba_private == s->current) {
 710        req->hba_private = NULL;
 711        lsi_request_free(s, s->current);
 712        scsi_req_unref(req);
 713    }
 714    lsi_resume_script(s);
 715}
 716
 717 /* Callback to indicate that the SCSI layer has completed a transfer.  */
 718static void lsi_transfer_data(SCSIRequest *req, uint32_t len)
 719{
 720    LSIState *s = DO_UPCAST(LSIState, dev.qdev, req->bus->qbus.parent);
 721    int out;
 722
 723    assert(req->hba_private);
 724    if (s->waiting == 1 || req->hba_private != s->current ||
 725        (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
 726        if (lsi_queue_req(s, req, len)) {
 727            return;
 728        }
 729    }
 730
 731    out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
 732
 733    /* host adapter (re)connected */
 734    DPRINTF("Data ready tag=0x%x len=%d\n", req->tag, len);
 735    s->current->dma_len = len;
 736    s->command_complete = 1;
 737    if (s->waiting) {
 738        if (s->waiting == 1 || s->dbc == 0) {
 739            lsi_resume_script(s);
 740        } else {
 741            lsi_do_dma(s, out);
 742        }
 743    }
 744}
 745
 746static void lsi_do_command(LSIState *s)
 747{
 748    SCSIDevice *dev;
 749    uint8_t buf[16];
 750    uint32_t id;
 751    int n;
 752
 753    DPRINTF("Send command len=%d\n", s->dbc);
 754    if (s->dbc > 16)
 755        s->dbc = 16;
 756    pci_dma_read(&s->dev, s->dnad, buf, s->dbc);
 757    s->sfbr = buf[0];
 758    s->command_complete = 0;
 759
 760    id = (s->select_tag >> 8) & 0xf;
 761    dev = scsi_device_find(&s->bus, 0, id, s->current_lun);
 762    if (!dev) {
 763        lsi_bad_selection(s, id);
 764        return;
 765    }
 766
 767    assert(s->current == NULL);
 768    s->current = g_malloc0(sizeof(lsi_request));
 769    s->current->tag = s->select_tag;
 770    s->current->req = scsi_req_new(dev, s->current->tag, s->current_lun, buf,
 771                                   s->current);
 772
 773    n = scsi_req_enqueue(s->current->req);
 774    if (n) {
 775        if (n > 0) {
 776            lsi_set_phase(s, PHASE_DI);
 777        } else if (n < 0) {
 778            lsi_set_phase(s, PHASE_DO);
 779        }
 780        scsi_req_continue(s->current->req);
 781    }
 782    if (!s->command_complete) {
 783        if (n) {
 784            /* Command did not complete immediately so disconnect.  */
 785            lsi_add_msg_byte(s, 2); /* SAVE DATA POINTER */
 786            lsi_add_msg_byte(s, 4); /* DISCONNECT */
 787            /* wait data */
 788            lsi_set_phase(s, PHASE_MI);
 789            s->msg_action = 1;
 790            lsi_queue_command(s);
 791        } else {
 792            /* wait command complete */
 793            lsi_set_phase(s, PHASE_DI);
 794        }
 795    }
 796}
 797
 798static void lsi_do_status(LSIState *s)
 799{
 800    uint8_t status;
 801    DPRINTF("Get status len=%d status=%d\n", s->dbc, s->status);
 802    if (s->dbc != 1)
 803        BADF("Bad Status move\n");
 804    s->dbc = 1;
 805    status = s->status;
 806    s->sfbr = status;
 807    pci_dma_write(&s->dev, s->dnad, &status, 1);
 808    lsi_set_phase(s, PHASE_MI);
 809    s->msg_action = 1;
 810    lsi_add_msg_byte(s, 0); /* COMMAND COMPLETE */
 811}
 812
 813static void lsi_do_msgin(LSIState *s)
 814{
 815    int len;
 816    DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
 817    s->sfbr = s->msg[0];
 818    len = s->msg_len;
 819    if (len > s->dbc)
 820        len = s->dbc;
 821    pci_dma_write(&s->dev, s->dnad, s->msg, len);
 822    /* Linux drivers rely on the last byte being in the SIDL.  */
 823    s->sidl = s->msg[len - 1];
 824    s->msg_len -= len;
 825    if (s->msg_len) {
 826        memmove(s->msg, s->msg + len, s->msg_len);
 827    } else {
 828        /* ??? Check if ATN (not yet implemented) is asserted and maybe
 829           switch to PHASE_MO.  */
 830        switch (s->msg_action) {
 831        case 0:
 832            lsi_set_phase(s, PHASE_CMD);
 833            break;
 834        case 1:
 835            lsi_disconnect(s);
 836            break;
 837        case 2:
 838            lsi_set_phase(s, PHASE_DO);
 839            break;
 840        case 3:
 841            lsi_set_phase(s, PHASE_DI);
 842            break;
 843        default:
 844            abort();
 845        }
 846    }
 847}
 848
 849/* Read the next byte during a MSGOUT phase.  */
 850static uint8_t lsi_get_msgbyte(LSIState *s)
 851{
 852    uint8_t data;
 853    pci_dma_read(&s->dev, s->dnad, &data, 1);
 854    s->dnad++;
 855    s->dbc--;
 856    return data;
 857}
 858
 859/* Skip the next n bytes during a MSGOUT phase. */
 860static void lsi_skip_msgbytes(LSIState *s, unsigned int n)
 861{
 862    s->dnad += n;
 863    s->dbc  -= n;
 864}
 865
 866static void lsi_do_msgout(LSIState *s)
 867{
 868    uint8_t msg;
 869    int len;
 870    uint32_t current_tag;
 871    lsi_request *current_req, *p, *p_next;
 872
 873    if (s->current) {
 874        current_tag = s->current->tag;
 875        current_req = s->current;
 876    } else {
 877        current_tag = s->select_tag;
 878        current_req = lsi_find_by_tag(s, current_tag);
 879    }
 880
 881    DPRINTF("MSG out len=%d\n", s->dbc);
 882    while (s->dbc) {
 883        msg = lsi_get_msgbyte(s);
 884        s->sfbr = msg;
 885
 886        switch (msg) {
 887        case 0x04:
 888            DPRINTF("MSG: Disconnect\n");
 889            lsi_disconnect(s);
 890            break;
 891        case 0x08:
 892            DPRINTF("MSG: No Operation\n");
 893            lsi_set_phase(s, PHASE_CMD);
 894            break;
 895        case 0x01:
 896            len = lsi_get_msgbyte(s);
 897            msg = lsi_get_msgbyte(s);
 898            (void)len; /* avoid a warning about unused variable*/
 899            DPRINTF("Extended message 0x%x (len %d)\n", msg, len);
 900            switch (msg) {
 901            case 1:
 902                DPRINTF("SDTR (ignored)\n");
 903                lsi_skip_msgbytes(s, 2);
 904                break;
 905            case 3:
 906                DPRINTF("WDTR (ignored)\n");
 907                lsi_skip_msgbytes(s, 1);
 908                break;
 909            default:
 910                goto bad;
 911            }
 912            break;
 913        case 0x20: /* SIMPLE queue */
 914            s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
 915            DPRINTF("SIMPLE queue tag=0x%x\n", s->select_tag & 0xff);
 916            break;
 917        case 0x21: /* HEAD of queue */
 918            BADF("HEAD queue not implemented\n");
 919            s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
 920            break;
 921        case 0x22: /* ORDERED queue */
 922            BADF("ORDERED queue not implemented\n");
 923            s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
 924            break;
 925        case 0x0d:
 926            /* The ABORT TAG message clears the current I/O process only. */
 927            DPRINTF("MSG: ABORT TAG tag=0x%x\n", current_tag);
 928            if (current_req) {
 929                scsi_req_cancel(current_req->req);
 930            }
 931            lsi_disconnect(s);
 932            break;
 933        case 0x06:
 934        case 0x0e:
 935        case 0x0c:
 936            /* The ABORT message clears all I/O processes for the selecting
 937               initiator on the specified logical unit of the target. */
 938            if (msg == 0x06) {
 939                DPRINTF("MSG: ABORT tag=0x%x\n", current_tag);
 940            }
 941            /* The CLEAR QUEUE message clears all I/O processes for all
 942               initiators on the specified logical unit of the target. */
 943            if (msg == 0x0e) {
 944                DPRINTF("MSG: CLEAR QUEUE tag=0x%x\n", current_tag);
 945            }
 946            /* The BUS DEVICE RESET message clears all I/O processes for all
 947               initiators on all logical units of the target. */
 948            if (msg == 0x0c) {
 949                DPRINTF("MSG: BUS DEVICE RESET tag=0x%x\n", current_tag);
 950            }
 951
 952            /* clear the current I/O process */
 953            if (s->current) {
 954                scsi_req_cancel(s->current->req);
 955            }
 956
 957            /* As the current implemented devices scsi_disk and scsi_generic
 958               only support one LUN, we don't need to keep track of LUNs.
 959               Clearing I/O processes for other initiators could be possible
 960               for scsi_generic by sending a SG_SCSI_RESET to the /dev/sgX
 961               device, but this is currently not implemented (and seems not
 962               to be really necessary). So let's simply clear all queued
 963               commands for the current device: */
 964            QTAILQ_FOREACH_SAFE(p, &s->queue, next, p_next) {
 965                if ((p->tag & 0x0000ff00) == (current_tag & 0x0000ff00)) {
 966                    scsi_req_cancel(p->req);
 967                }
 968            }
 969
 970            lsi_disconnect(s);
 971            break;
 972        default:
 973            if ((msg & 0x80) == 0) {
 974                goto bad;
 975            }
 976            s->current_lun = msg & 7;
 977            DPRINTF("Select LUN %d\n", s->current_lun);
 978            lsi_set_phase(s, PHASE_CMD);
 979            break;
 980        }
 981    }
 982    return;
 983bad:
 984    BADF("Unimplemented message 0x%02x\n", msg);
 985    lsi_set_phase(s, PHASE_MI);
 986    lsi_add_msg_byte(s, 7); /* MESSAGE REJECT */
 987    s->msg_action = 0;
 988}
 989
 990/* Sign extend a 24-bit value.  */
 991static inline int32_t sxt24(int32_t n)
 992{
 993    return (n << 8) >> 8;
 994}
 995
 996#define LSI_BUF_SIZE 4096
 997static void lsi_memcpy(LSIState *s, uint32_t dest, uint32_t src, int count)
 998{
 999    int n;
1000    uint8_t buf[LSI_BUF_SIZE];

1001
1002    DPRINTF("memcpy dest 0x%08x src 0x%08x count %d\n", dest, src, count);
1003    while (count) {
1004        n = (count > LSI_BUF_SIZE) ? LSI_BUF_SIZE : count;
1005        pci_dma_read(&s->dev, src, buf, n);
1006        pci_dma_write(&s->dev, dest, buf, n);
1007        src += n;
1008        dest += n;
1009        count -= n;
1010    }
1011}
1012
1013static void lsi_wait_reselect(LSIState *s)
1014{
1015    lsi_request *p;
1016
1017    DPRINTF("Wait Reselect\n");
1018
1019    QTAILQ_FOREACH(p, &s->queue, next) {
1020        if (p->pending) {
1021            lsi_reselect(s, p);
1022            break;
1023        }
1024    }
1025    if (s->current == NULL) {
1026        s->waiting = 1;
1027    }
1028}
1029
1030static void lsi_execute_script(LSIState *s)
1031{
1032    uint32_t insn;
1033    uint32_t addr, addr_high;
1034    int opcode;
1035    int insn_processed = 0;
1036
1037    s->istat1 |= LSI_ISTAT1_SRUN;
1038again:
1039    insn_processed++;
1040    insn = read_dword(s, s->dsp);
1041    if (!insn) {
1042        /* If we receive an empty opcode increment the DSP by 4 bytes
1043           instead of 8 and execute the next opcode at that location */
1044        s->dsp += 4;
1045        goto again;
1046    }
1047    addr = read_dword(s, s->dsp + 4);
1048    addr_high = 0;
1049    DPRINTF("SCRIPTS dsp=%08x opcode %08x arg %08x\n", s->dsp, insn, addr);
1050    s->dsps = addr;
1051    s->dcmd = insn >> 24;
1052    s->dsp += 8;
1053    switch (insn >> 30) {
1054    case 0: /* Block move.  */
1055        if (s->sist1 & LSI_SIST1_STO) {
1056            DPRINTF("Delayed select timeout\n");
1057            lsi_stop_script(s);
1058            break;
1059        }
1060        s->dbc = insn & 0xffffff;
1061        s->rbc = s->dbc;
1062        /* ??? Set ESA.  */
1063        s->ia = s->dsp - 8;
1064        if (insn & (1 << 29)) {
1065            /* Indirect addressing.  */
1066            addr = read_dword(s, addr);
1067        } else if (insn & (1 << 28)) {
1068            uint32_t buf[2];
1069            int32_t offset;
1070            /* Table indirect addressing.  */
1071
1072            /* 32-bit Table indirect */
1073            offset = sxt24(addr);
1074            pci_dma_read(&s->dev, s->dsa + offset, buf, 8);
1075            /* byte count is stored in bits 0:23 only */
1076            s->dbc = cpu_to_le32(buf[0]) & 0xffffff;
1077            s->rbc = s->dbc;
1078            addr = cpu_to_le32(buf[1]);
1079
1080            /* 40-bit DMA, upper addr bits [39:32] stored in first DWORD of
1081             * table, bits [31:24] */
1082            if (lsi_dma_40bit(s))
1083                addr_high = cpu_to_le32(buf[0]) >> 24;
1084            else if (lsi_dma_ti64bit(s)) {
1085                int selector = (cpu_to_le32(buf[0]) >> 24) & 0x1f;
1086                switch (selector) {
1087                case 0 ... 0x0f:
1088                    /* offset index into scratch registers since
1089                     * TI64 mode can use registers C to R */
1090                    addr_high = s->scratch[2 + selector];
1091                    break;
1092                case 0x10:
1093                    addr_high = s->mmrs;
1094                    break;
1095                case 0x11:
1096                    addr_high = s->mmws;
1097                    break;
1098                case 0x12:
1099                    addr_high = s->sfs;
1100                    break;
1101                case 0x13:
1102                    addr_high = s->drs;
1103                    break;
1104                case 0x14:
1105                    addr_high = s->sbms;
1106                    break;
1107                case 0x15:
1108                    addr_high = s->dbms;
1109                    break;
1110                default:
1111                    BADF("Illegal selector specified (0x%x > 0x15)"
1112                         " for 64-bit DMA block move", selector);
1113                    break;
1114                }
1115            }
1116        } else if (lsi_dma_64bit(s)) {
1117            /* fetch a 3rd dword if 64-bit direct move is enabled and
1118               only if we're not doing table indirect or indirect addressing */
1119            s->dbms = read_dword(s, s->dsp);
1120            s->dsp += 4;
1121            s->ia = s->dsp - 12;
1122        }
1123        if ((s->sstat1 & PHASE_MASK) != ((insn >> 24) & 7)) {
1124            DPRINTF("Wrong phase got %d expected %d\n",
1125                    s->sstat1 & PHASE_MASK, (insn >> 24) & 7);
1126            lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
1127            break;
1128        }
1129        s->dnad = addr;
1130        s->dnad64 = addr_high;
1131        switch (s->sstat1 & 0x7) {
1132        case PHASE_DO:
1133            s->waiting = 2;
1134            lsi_do_dma(s, 1);
1135            if (s->waiting)
1136                s->waiting = 3;
1137            break;
1138        case PHASE_DI:
1139            s->waiting = 2;
1140            lsi_do_dma(s, 0);
1141            if (s->waiting)
1142                s->waiting = 3;
1143            break;
1144        case PHASE_CMD:
1145            lsi_do_command(s);
1146            break;
1147        case PHASE_ST:
1148            lsi_do_status(s);
1149            break;
1150        case PHASE_MO:
1151            lsi_do_msgout(s);
1152            break;
1153        case PHASE_MI:
1154            lsi_do_msgin(s);
1155            break;
1156        default:
1157            BADF("Unimplemented phase %d\n", s->sstat1 & PHASE_MASK);
1158            exit(1);
1159        }
1160        s->dfifo = s->dbc & 0xff;
1161        s->ctest5 = (s->ctest5 & 0xfc) | ((s->dbc >> 8) & 3);
1162        s->sbc = s->dbc;
1163        s->rbc -= s->dbc;
1164        s->ua = addr + s->dbc;
1165        break;
1166
1167    case 1: /* IO or Read/Write instruction.  */
1168        opcode = (insn >> 27) & 7;
1169        if (opcode < 5) {
1170            uint32_t id;
1171
1172            if (insn & (1 << 25)) {
1173                id = read_dword(s, s->dsa + sxt24(insn));
1174            } else {
1175                id = insn;
1176            }
1177            id = (id >> 16) & 0xf;
1178            if (insn & (1 << 26)) {
1179                addr = s->dsp + sxt24(addr);
1180            }
1181            s->dnad = addr;
1182            switch (opcode) {
1183            case 0: /* Select */
1184                s->sdid = id;
1185                if (s->scntl1 & LSI_SCNTL1_CON) {
1186                    DPRINTF("Already reselected, jumping to alternative address\n");
1187                    s->dsp = s->dnad;
1188                    break;
1189                }
1190                s->sstat0 |= LSI_SSTAT0_WOA;
1191                s->scntl1 &= ~LSI_SCNTL1_IARB;
1192                if (!scsi_device_find(&s->bus, 0, id, 0)) {
1193                    lsi_bad_selection(s, id);
1194                    break;
1195                }
1196                DPRINTF("Selected target %d%s\n",
1197                        id, insn & (1 << 3) ? " ATN" : "");
1198                /* ??? Linux drivers compain when this is set.  Maybe
1199                   it only applies in low-level mode (unimplemented).
1200                lsi_script_scsi_interrupt(s, LSI_SIST0_CMP, 0); */
1201                s->select_tag = id << 8;
1202                s->scntl1 |= LSI_SCNTL1_CON;
1203                if (insn & (1 << 3)) {
1204                    s->socl |= LSI_SOCL_ATN;
1205                }
1206                lsi_set_phase(s, PHASE_MO);
1207                break;
1208            case 1: /* Disconnect */
1209                DPRINTF("Wait Disconnect\n");
1210                s->scntl1 &= ~LSI_SCNTL1_CON;
1211                break;
1212            case 2: /* Wait Reselect */
1213                if (!lsi_irq_on_rsl(s)) {
1214                    lsi_wait_reselect(s);
1215                }
1216                break;
1217            case 3: /* Set */
1218                DPRINTF("Set%s%s%s%s\n",
1219                        insn & (1 << 3) ? " ATN" : "",
1220                        insn & (1 << 6) ? " ACK" : "",
1221                        insn & (1 << 9) ? " TM" : "",
1222                        insn & (1 << 10) ? " CC" : "");
1223                if (insn & (1 << 3)) {
1224                    s->socl |= LSI_SOCL_ATN;
1225                    lsi_set_phase(s, PHASE_MO);
1226                }
1227                if (insn & (1 << 9)) {
1228                    BADF("Target mode not implemented\n");
1229                    exit(1);
1230                }
1231                if (insn & (1 << 10))
1232                    s->carry = 1;
1233                break;
1234            case 4: /* Clear */
1235                DPRINTF("Clear%s%s%s%s\n",
1236                        insn & (1 << 3) ? " ATN" : "",
1237                        insn & (1 << 6) ? " ACK" : "",
1238                        insn & (1 << 9) ? " TM" : "",
1239                        insn & (1 << 10) ? " CC" : "");
1240                if (insn & (1 << 3)) {
1241                    s->socl &= ~LSI_SOCL_ATN;
1242                }
1243                if (insn & (1 << 10))
1244                    s->carry = 0;
1245                break;
1246            }
1247        } else {
1248            uint8_t op0;
1249            uint8_t op1;
1250            uint8_t data8;
1251            int reg;
1252            int operator;
1253#ifdef DEBUG_LSI
1254            static const char *opcode_names[3] =
1255                {"Write", "Read", "Read-Modify-Write"};
1256            static const char *operator_names[8] =
1257                {"MOV", "SHL", "OR", "XOR", "AND", "SHR", "ADD", "ADC"};
1258#endif
1259
1260            reg = ((insn >> 16) & 0x7f) | (insn & 0x80);
1261            data8 = (insn >> 8) & 0xff;
1262            opcode = (insn >> 27) & 7;
1263            operator = (insn >> 24) & 7;
1264            DPRINTF("%s reg 0x%x %s data8=0x%02x sfbr=0x%02x%s\n",
1265                    opcode_names[opcode - 5], reg,
1266                    operator_names[operator], data8, s->sfbr,
1267                    (insn & (1 << 23)) ? " SFBR" : "");
1268            op0 = op1 = 0;
1269            switch (opcode) {
1270            case 5: /* From SFBR */
1271                op0 = s->sfbr;
1272                op1 = data8;
1273                break;
1274            case 6: /* To SFBR */
1275                if (operator)
1276                    op0 = lsi_reg_readb(s, reg);
1277                op1 = data8;
1278                break;
1279            case 7: /* Read-modify-write */
1280                if (operator)
1281                    op0 = lsi_reg_readb(s, reg);
1282                if (insn & (1 << 23)) {
1283                    op1 = s->sfbr;
1284                } else {
1285                    op1 = data8;
1286                }
1287                break;
1288            }
1289
1290            switch (operator) {
1291            case 0: /* move */
1292                op0 = op1;
1293                break;
1294            case 1: /* Shift left */
1295                op1 = op0 >> 7;
1296                op0 = (op0 << 1) | s->carry;
1297                s->carry = op1;
1298                break;
1299            case 2: /* OR */
1300                op0 |= op1;
1301                break;
1302            case 3: /* XOR */
1303                op0 ^= op1;
1304                break;
1305            case 4: /* AND */
1306                op0 &= op1;
1307                break;
1308            case 5: /* SHR */
1309                op1 = op0 & 1;
1310                op0 = (op0 >> 1) | (s->carry << 7);
1311                s->carry = op1;
1312                break;
1313            case 6: /* ADD */
1314                op0 += op1;
1315                s->carry = op0 < op1;
1316                break;
1317            case 7: /* ADC */
1318                op0 += op1 + s->carry;
1319                if (s->carry)
1320                    s->carry = op0 <= op1;
1321                else
1322                    s->carry = op0 < op1;
1323                break;
1324            }
1325
1326            switch (opcode) {
1327            case 5: /* From SFBR */
1328            case 7: /* Read-modify-write */
1329                lsi_reg_writeb(s, reg, op0);
1330                break;
1331            case 6: /* To SFBR */
1332                s->sfbr = op0;
1333                break;
1334            }
1335        }
1336        break;
1337
1338    case 2: /* Transfer Control.  */
1339        {
1340            int cond;
1341            int jmp;
1342
1343            if ((insn & 0x002e0000) == 0) {
1344                DPRINTF("NOP\n");
1345                break;
1346            }
1347            if (s->sist1 & LSI_SIST1_STO) {
1348                DPRINTF("Delayed select timeout\n");
1349                lsi_stop_script(s);
1350                break;
1351            }
1352            cond = jmp = (insn & (1 << 19)) != 0;
1353            if (cond == jmp && (insn & (1 << 21))) {
1354                DPRINTF("Compare carry %d\n", s->carry == jmp);
1355                cond = s->carry != 0;
1356            }
1357            if (cond == jmp && (insn & (1 << 17))) {
1358                DPRINTF("Compare phase %d %c= %d\n",
1359                        (s->sstat1 & PHASE_MASK),
1360                        jmp ? '=' : '!',
1361                        ((insn >> 24) & 7));
1362                cond = (s->sstat1 & PHASE_MASK) == ((insn >> 24) & 7);
1363            }
1364            if (cond == jmp && (insn & (1 << 18))) {
1365                uint8_t mask;
1366
1367                mask = (~insn >> 8) & 0xff;
1368                DPRINTF("Compare data 0x%x & 0x%x %c= 0x%x\n",
1369                        s->sfbr, mask, jmp ? '=' : '!', insn & mask);
1370                cond = (s->sfbr & mask) == (insn & mask);
1371            }
1372            if (cond == jmp) {
1373                if (insn & (1 << 23)) {
1374                    /* Relative address.  */
1375                    addr = s->dsp + sxt24(addr);
1376                }
1377                switch ((insn >> 27) & 7) {
1378                case 0: /* Jump */
1379                    DPRINTF("Jump to 0x%08x\n", addr);
1380                    s->dsp = addr;
1381                    break;
1382                case 1: /* Call */
1383                    DPRINTF("Call 0x%08x\n", addr);
1384                    s->temp = s->dsp;
1385                    s->dsp = addr;
1386                    break;
1387                case 2: /* Return */
1388                    DPRINTF("Return to 0x%08x\n", s->temp);
1389                    s->dsp = s->temp;
1390                    break;
1391                case 3: /* Interrupt */
1392                    DPRINTF("Interrupt 0x%08x\n", s->dsps);
1393                    if ((insn & (1 << 20)) != 0) {
1394                        s->istat0 |= LSI_ISTAT0_INTF;
1395                        lsi_update_irq(s);
1396                    } else {
1397                        lsi_script_dma_interrupt(s, LSI_DSTAT_SIR);
1398                    }
1399                    break;
1400                default:
1401                    DPRINTF("Illegal transfer control\n");
1402                    lsi_script_dma_interrupt(s, LSI_DSTAT_IID);
1403                    break;
1404                }
1405            } else {
1406                DPRINTF("Control condition failed\n");
1407            }
1408        }
1409        break;
1410
1411    case 3:
1412        if ((insn & (1 << 29)) == 0) {
1413            /* Memory move.  */
1414            uint32_t dest;
1415            /* ??? The docs imply the destination address is loaded into
1416               the TEMP register.  However the Linux drivers rely on
1417               the value being presrved.  */
1418            dest = read_dword(s, s->dsp);
1419            s->dsp += 4;
1420            lsi_memcpy(s, dest, addr, insn & 0xffffff);
1421        } else {
1422            uint8_t data[7];
1423            int reg;
1424            int n;
1425            int i;
1426
1427            if (insn & (1 << 28)) {
1428                addr = s->dsa + sxt24(addr);
1429            }
1430            n = (insn & 7);
1431            reg = (insn >> 16) & 0xff;
1432            if (insn & (1 << 24)) {
1433                pci_dma_read(&s->dev, addr, data, n);
1434                DPRINTF("Load reg 0x%x size %d addr 0x%08x = %08x\n", reg, n,
1435                        addr, *(int *)data);
1436                for (i = 0; i < n; i++) {
1437                    lsi_reg_writeb(s, reg + i, data[i]);
1438                }
1439            } else {
1440                DPRINTF("Store reg 0x%x size %d addr 0x%08x\n", reg, n, addr);
1441                for (i = 0; i < n; i++) {
1442                    data[i] = lsi_reg_readb(s, reg + i);
1443                }
1444                pci_dma_write(&s->dev, addr, data, n);
1445            }
1446        }
1447    }
1448    if (insn_processed > 10000 && !s->waiting) {
1449        /* Some windows drivers make the device spin waiting for a memory
1450           location to change.  If we have been executed a lot of code then
1451           assume this is the case and force an unexpected device disconnect.
1452           This is apparently sufficient to beat the drivers into submission.
1453         */
1454        if (!(s->sien0 & LSI_SIST0_UDC))
1455            fprintf(stderr, "inf. loop with UDC masked\n");
1456        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
1457        lsi_disconnect(s);
1458    } else if (s->istat1 & LSI_ISTAT1_SRUN && !s->waiting) {
1459        if (s->dcntl & LSI_DCNTL_SSM) {
1460            lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
1461        } else {
1462            goto again;
1463        }
1464    }
1465    DPRINTF("SCRIPTS execution stopped\n");
1466}
1467
1468static uint8_t lsi_reg_readb(LSIState *s, int offset)
1469{
1470    uint8_t tmp;
1471#define CASE_GET_REG24(name, addr) \
1472    case addr: return s->name & 0xff; \
1473    case addr + 1: return (s->name >> 8) & 0xff; \
1474    case addr + 2: return (s->name >> 16) & 0xff;
1475
1476#define CASE_GET_REG32(name, addr) \
1477    case addr: return s->name & 0xff; \
1478    case addr + 1: return (s->name >> 8) & 0xff; \
1479    case addr + 2: return (s->name >> 16) & 0xff; \
1480    case addr + 3: return (s->name >> 24) & 0xff;
1481
1482#ifdef DEBUG_LSI_REG
1483    DPRINTF("Read reg %x\n", offset);
1484#endif
1485    switch (offset) {
1486    case 0x00: /* SCNTL0 */
1487        return s->scntl0;
1488    case 0x01: /* SCNTL1 */
1489        return s->scntl1;
1490    case 0x02: /* SCNTL2 */
1491        return s->scntl2;
1492    case 0x03: /* SCNTL3 */
1493        return s->scntl3;
1494    case 0x04: /* SCID */
1495        return s->scid;
1496    case 0x05: /* SXFER */
1497        return s->sxfer;
1498    case 0x06: /* SDID */
1499        return s->sdid;
1500    case 0x07: /* GPREG0 */
1501        return 0x7f;
1502    case 0x08: /* Revision ID */
1503        return 0x00;
1504    case 0xa: /* SSID */
1505        return s->ssid;
1506    case 0xb: /* SBCL */
1507        /* ??? This is not correct. However it's (hopefully) only
1508           used for diagnostics, so should be ok.  */
1509        return 0;
1510    case 0xc: /* DSTAT */
1511        tmp = s->dstat | 0x80;
1512        if ((s->istat0 & LSI_ISTAT0_INTF) == 0)
1513            s->dstat = 0;
1514        lsi_update_irq(s);
1515        return tmp;
1516    case 0x0d: /* SSTAT0 */
1517        return s->sstat0;
1518    case 0x0e: /* SSTAT1 */
1519        return s->sstat1;
1520    case 0x0f: /* SSTAT2 */
1521        return s->scntl1 & LSI_SCNTL1_CON ? 0 : 2;
1522    CASE_GET_REG32(dsa, 0x10)
1523    case 0x14: /* ISTAT0 */
1524        return s->istat0;
1525    case 0x15: /* ISTAT1 */
1526        return s->istat1;
1527    case 0x16: /* MBOX0 */
1528        return s->mbox0;
1529    case 0x17: /* MBOX1 */
1530        return s->mbox1;
1531    case 0x18: /* CTEST0 */
1532        return 0xff;
1533    case 0x19: /* CTEST1 */
1534        return 0;
1535    case 0x1a: /* CTEST2 */
1536        tmp = s->ctest2 | LSI_CTEST2_DACK | LSI_CTEST2_CM;
1537        if (s->istat0 & LSI_ISTAT0_SIGP) {
1538            s->istat0 &= ~LSI_ISTAT0_SIGP;
1539            tmp |= LSI_CTEST2_SIGP;
1540        }
1541        return tmp;
1542    case 0x1b: /* CTEST3 */
1543        return s->ctest3;
1544    CASE_GET_REG32(temp, 0x1c)
1545    case 0x20: /* DFIFO */
1546        return 0;
1547    case 0x21: /* CTEST4 */
1548        return s->ctest4;
1549    case 0x22: /* CTEST5 */
1550        return s->ctest5;
1551    case 0x23: /* CTEST6 */
1552         return 0;
1553    CASE_GET_REG24(dbc, 0x24)
1554    case 0x27: /* DCMD */
1555        return s->dcmd;
1556    CASE_GET_REG32(dnad, 0x28)
1557    CASE_GET_REG32(dsp, 0x2c)
1558    CASE_GET_REG32(dsps, 0x30)
1559    CASE_GET_REG32(scratch[0], 0x34)
1560    case 0x38: /* DMODE */
1561        return s->dmode;
1562    case 0x39: /* DIEN */
1563        return s->dien;
1564    case 0x3a: /* SBR */
1565        return s->sbr;
1566    case 0x3b: /* DCNTL */
1567        return s->dcntl;
1568    case 0x40: /* SIEN0 */
1569        return s->sien0;
1570    case 0x41: /* SIEN1 */
1571        return s->sien1;
1572    case 0x42: /* SIST0 */
1573        tmp = s->sist0;
1574        s->sist0 = 0;
1575        lsi_update_irq(s);
1576        return tmp;
1577    case 0x43: /* SIST1 */
1578        tmp = s->sist1;
1579        s->sist1 = 0;
1580        lsi_update_irq(s);
1581        return tmp;
1582    case 0x46: /* MACNTL */
1583        return 0x0f;
1584    case 0x47: /* GPCNTL0 */
1585        return 0x0f;
1586    case 0x48: /* STIME0 */
1587        return s->stime0;
1588    case 0x4a: /* RESPID0 */
1589        return s->respid0;
1590    case 0x4b: /* RESPID1 */
1591        return s->respid1;
1592    case 0x4d: /* STEST1 */
1593        return s->stest1;
1594    case 0x4e: /* STEST2 */
1595        return s->stest2;
1596    case 0x4f: /* STEST3 */
1597        return s->stest3;
1598    case 0x50: /* SIDL */
1599        /* This is needed by the linux drivers.  We currently only update it
1600           during the MSG IN phase.  */
1601        return s->sidl;
1602    case 0x52: /* STEST4 */
1603        return 0xe0;
1604    case 0x56: /* CCNTL0 */
1605        return s->ccntl0;
1606    case 0x57: /* CCNTL1 */
1607        return s->ccntl1;
1608    case 0x58: /* SBDL */
1609        /* Some drivers peek at the data bus during the MSG IN phase.  */
1610        if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
1611            return s->msg[0];
1612        return 0;
1613    case 0x59: /* SBDL high */
1614        return 0;
1615    CASE_GET_REG32(mmrs, 0xa0)
1616    CASE_GET_REG32(mmws, 0xa4)
1617    CASE_GET_REG32(sfs, 0xa8)
1618    CASE_GET_REG32(drs, 0xac)
1619    CASE_GET_REG32(sbms, 0xb0)
1620    CASE_GET_REG32(dbms, 0xb4)
1621    CASE_GET_REG32(dnad64, 0xb8)
1622    CASE_GET_REG32(pmjad1, 0xc0)
1623    CASE_GET_REG32(pmjad2, 0xc4)
1624    CASE_GET_REG32(rbc, 0xc8)
1625    CASE_GET_REG32(ua, 0xcc)
1626    CASE_GET_REG32(ia, 0xd4)
1627    CASE_GET_REG32(sbc, 0xd8)
1628    CASE_GET_REG32(csbc, 0xdc)
1629    }
1630    if (offset >= 0x5c && offset < 0xa0) {
1631        int n;
1632        int shift;
1633        n = (offset - 0x58) >> 2;
1634        shift = (offset & 3) * 8;
1635        return (s->scratch[n] >> shift) & 0xff;
1636    }
1637    BADF("readb 0x%x\n", offset);
1638    exit(1);
1639#undef CASE_GET_REG24
1640#undef CASE_GET_REG32
1641}
1642
1643static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
1644{
1645#define CASE_SET_REG24(name, addr) \
1646    case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1647    case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1648    case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break;
1649
1650#define CASE_SET_REG32(name, addr) \
1651    case addr    : s->name &= 0xffffff00; s->name |= val;       break; \
1652    case addr + 1: s->name &= 0xffff00ff; s->name |= val << 8;  break; \
1653    case addr + 2: s->name &= 0xff00ffff; s->name |= val << 16; break; \
1654    case addr + 3: s->name &= 0x00ffffff; s->name |= val << 24; break;
1655
1656#ifdef DEBUG_LSI_REG
1657    DPRINTF("Write reg %x = %02x\n", offset, val);
1658#endif
1659    switch (offset) {
1660    case 0x00: /* SCNTL0 */
1661        s->scntl0 = val;
1662        if (val & LSI_SCNTL0_START) {
1663            BADF("Start sequence not implemented\n");
1664        }
1665        break;
1666    case 0x01: /* SCNTL1 */
1667        s->scntl1 = val & ~LSI_SCNTL1_SST;
1668        if (val & LSI_SCNTL1_IARB) {
1669            BADF("Immediate Arbritration not implemented\n");
1670        }
1671        if (val & LSI_SCNTL1_RST) {
1672            if (!(s->sstat0 & LSI_SSTAT0_RST)) {
1673                qbus_reset_all(&s->bus.qbus);
1674                s->sstat0 |= LSI_SSTAT0_RST;
1675                lsi_script_scsi_interrupt(s, LSI_SIST0_RST, 0);
1676            }
1677        } else {
1678            s->sstat0 &= ~LSI_SSTAT0_RST;
1679        }
1680        break;
1681    case 0x02: /* SCNTL2 */
1682        val &= ~(LSI_SCNTL2_WSR | LSI_SCNTL2_WSS);
1683        s->scntl2 = val;
1684        break;
1685    case 0x03: /* SCNTL3 */
1686        s->scntl3 = val;
1687        break;
1688    case 0x04: /* SCID */
1689        s->scid = val;
1690        break;
1691    case 0x05: /* SXFER */
1692        s->sxfer = val;
1693        break;
1694    case 0x06: /* SDID */
1695        if ((val & 0xf) != (s->ssid & 0xf))
1696            BADF("Destination ID does not match SSID\n");
1697        s->sdid = val & 0xf;
1698        break;
1699    case 0x07: /* GPREG0 */
1700        break;
1701    case 0x08: /* SFBR */
1702        /* The CPU is not allowed to write to this register.  However the
1703           SCRIPTS register move instructions are.  */
1704        s->sfbr = val;
1705        break;
1706    case 0x0a: case 0x0b:
1707        /* Openserver writes to these readonly registers on startup */
1708        return;
1709    case 0x0c: case 0x0d: case 0x0e: case 0x0f:
1710        /* Linux writes to these readonly registers on startup.  */
1711        return;
1712    CASE_SET_REG32(dsa, 0x10)
1713    case 0x14: /* ISTAT0 */
1714        s->istat0 = (s->istat0 & 0x0f) | (val & 0xf0);
1715        if (val & LSI_ISTAT0_ABRT) {
1716            lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT);
1717        }
1718        if (val & LSI_ISTAT0_INTF) {
1719            s->istat0 &= ~LSI_ISTAT0_INTF;
1720            lsi_update_irq(s);
1721        }
1722        if (s->waiting == 1 && val & LSI_ISTAT0_SIGP) {
1723            DPRINTF("Woken by SIGP\n");
1724            s->waiting = 0;
1725            s->dsp = s->dnad;
1726            lsi_execute_script(s);
1727        }
1728        if (val & LSI_ISTAT0_SRST) {
1729            qdev_reset_all(&s->dev.qdev);
1730        }
1731        break;
1732    case 0x16: /* MBOX0 */
1733        s->mbox0 = val;
1734        break;
1735    case 0x17: /* MBOX1 */
1736        s->mbox1 = val;
1737        break;
1738    case 0x1a: /* CTEST2 */
1739        s->ctest2 = val & LSI_CTEST2_PCICIE;
1740        break;
1741    case 0x1b: /* CTEST3 */
1742        s->ctest3 = val & 0x0f;
1743        break;
1744    CASE_SET_REG32(temp, 0x1c)
1745    case 0x21: /* CTEST4 */
1746        if (val & 7) {
1747           BADF("Unimplemented CTEST4-FBL 0x%x\n", val);
1748        }
1749        s->ctest4 = val;
1750        break;
1751    case 0x22: /* CTEST5 */
1752        if (val & (LSI_CTEST5_ADCK | LSI_CTEST5_BBCK)) {
1753            BADF("CTEST5 DMA increment not implemented\n");
1754        }
1755        s->ctest5 = val;
1756        break;
1757    CASE_SET_REG24(dbc, 0x24)
1758    CASE_SET_REG32(dnad, 0x28)
1759    case 0x2c: /* DSP[0:7] */
1760        s->dsp &= 0xffffff00;
1761        s->dsp |= val;
1762        break;
1763    case 0x2d: /* DSP[8:15] */
1764        s->dsp &= 0xffff00ff;
1765        s->dsp |= val << 8;
1766        break;
1767    case 0x2e: /* DSP[16:23] */
1768        s->dsp &= 0xff00ffff;
1769        s->dsp |= val << 16;
1770        break;
1771    case 0x2f: /* DSP[24:31] */
1772        s->dsp &= 0x00ffffff;
1773        s->dsp |= val << 24;
1774        if ((s->dmode & LSI_DMODE_MAN) == 0
1775            && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1776            lsi_execute_script(s);
1777        break;
1778    CASE_SET_REG32(dsps, 0x30)
1779    CASE_SET_REG32(scratch[0], 0x34)
1780    case 0x38: /* DMODE */
1781        if (val & (LSI_DMODE_SIOM | LSI_DMODE_DIOM)) {
1782            BADF("IO mappings not implemented\n");
1783        }
1784        s->dmode = val;
1785        break;
1786    case 0x39: /* DIEN */
1787        s->dien = val;
1788        lsi_update_irq(s);
1789        break;
1790    case 0x3a: /* SBR */
1791        s->sbr = val;
1792        break;
1793    case 0x3b: /* DCNTL */
1794        s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
1795        if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
1796            lsi_execute_script(s);
1797        break;
1798    case 0x40: /* SIEN0 */
1799        s->sien0 = val;
1800        lsi_update_irq(s);
1801        break;
1802    case 0x41: /* SIEN1 */
1803        s->sien1 = val;
1804        lsi_update_irq(s);
1805        break;
1806    case 0x47: /* GPCNTL0 */
1807        break;
1808    case 0x48: /* STIME0 */
1809        s->stime0 = val;
1810        break;
1811    case 0x49: /* STIME1 */
1812        if (val & 0xf) {
1813            DPRINTF("General purpose timer not implemented\n");
1814            /* ??? Raising the interrupt immediately seems to be sufficient
1815               to keep the FreeBSD driver happy.  */
1816            lsi_script_scsi_interrupt(s, 0, LSI_SIST1_GEN);
1817        }
1818        break;
1819    case 0x4a: /* RESPID0 */
1820        s->respid0 = val;
1821        break;
1822    case 0x4b: /* RESPID1 */
1823        s->respid1 = val;
1824        break;
1825    case 0x4d: /* STEST1 */
1826        s->stest1 = val;
1827        break;
1828    case 0x4e: /* STEST2 */
1829        if (val & 1) {
1830            BADF("Low level mode not implemented\n");
1831        }
1832        s->stest2 = val;
1833        break;
1834    case 0x4f: /* STEST3 */
1835        if (val & 0x41) {
1836            BADF("SCSI FIFO test mode not implemented\n");
1837        }
1838        s->stest3 = val;
1839        break;
1840    case 0x56: /* CCNTL0 */
1841        s->ccntl0 = val;
1842        break;
1843    case 0x57: /* CCNTL1 */
1844        s->ccntl1 = val;
1845        break;
1846    CASE_SET_REG32(mmrs, 0xa0)
1847    CASE_SET_REG32(mmws, 0xa4)
1848    CASE_SET_REG32(sfs, 0xa8)
1849    CASE_SET_REG32(drs, 0xac)
1850    CASE_SET_REG32(sbms, 0xb0)
1851    CASE_SET_REG32(dbms, 0xb4)
1852    CASE_SET_REG32(dnad64, 0xb8)
1853    CASE_SET_REG32(pmjad1, 0xc0)
1854    CASE_SET_REG32(pmjad2, 0xc4)
1855    CASE_SET_REG32(rbc, 0xc8)
1856    CASE_SET_REG32(ua, 0xcc)
1857    CASE_SET_REG32(ia, 0xd4)
1858    CASE_SET_REG32(sbc, 0xd8)
1859    CASE_SET_REG32(csbc, 0xdc)
1860    default:
1861        if (offset >= 0x5c && offset < 0xa0) {
1862            int n;
1863            int shift;
1864            n = (offset - 0x58) >> 2;
1865            shift = (offset & 3) * 8;
1866            s->scratch[n] &= ~(0xff << shift);
1867            s->scratch[n] |= (val & 0xff) << shift;
1868        } else {
1869            BADF("Unhandled writeb 0x%x = 0x%x\n", offset, val);
1870        }
1871    }
1872#undef CASE_SET_REG24
1873#undef CASE_SET_REG32
1874}
1875
1876static void lsi_mmio_write(void *opaque, hwaddr addr,
1877                           uint64_t val, unsigned size)
1878{
1879    LSIState *s = opaque;
1880
1881    lsi_reg_writeb(s, addr & 0xff, val);
1882}
1883
1884static uint64_t lsi_mmio_read(void *opaque, hwaddr addr,
1885                              unsigned size)
1886{
1887    LSIState *s = opaque;
1888
1889    return lsi_reg_readb(s, addr & 0xff);
1890}
1891
1892static const MemoryRegionOps lsi_mmio_ops = {
1893    .read = lsi_mmio_read,
1894    .write = lsi_mmio_write,
1895    .endianness = DEVICE_NATIVE_ENDIAN,
1896    .impl = {
1897        .min_access_size = 1,
1898        .max_access_size = 1,
1899    },
1900};
1901
1902static void lsi_ram_write(void *opaque, hwaddr addr,
1903                          uint64_t val, unsigned size)
1904{
1905    LSIState *s = opaque;
1906    uint32_t newval;
1907    uint32_t mask;
1908    int shift;
1909
1910    newval = s->script_ram[addr >> 2];
1911    shift = (addr & 3) * 8;
1912    mask = ((uint64_t)1 << (size * 8)) - 1;
1913    newval &= ~(mask << shift);
1914    newval |= val << shift;
1915    s->script_ram[addr >> 2] = newval;
1916}
1917
1918static uint64_t lsi_ram_read(void *opaque, hwaddr addr,
1919                             unsigned size)
1920{
1921    LSIState *s = opaque;
1922    uint32_t val;
1923    uint32_t mask;
1924
1925    val = s->script_ram[addr >> 2];
1926    mask = ((uint64_t)1 << (size * 8)) - 1;
1927    val >>= (addr & 3) * 8;
1928    return val & mask;
1929}
1930
1931static const MemoryRegionOps lsi_ram_ops = {
1932    .read = lsi_ram_read,
1933    .write = lsi_ram_write,
1934    .endianness = DEVICE_NATIVE_ENDIAN,
1935};
1936
1937static uint64_t lsi_io_read(void *opaque, hwaddr addr,
1938                            unsigned size)
1939{
1940    LSIState *s = opaque;
1941    return lsi_reg_readb(s, addr & 0xff);
1942}
1943
1944static void lsi_io_write(void *opaque, hwaddr addr,
1945                         uint64_t val, unsigned size)
1946{
1947    LSIState *s = opaque;
1948    lsi_reg_writeb(s, addr & 0xff, val);
1949}
1950
1951static const MemoryRegionOps lsi_io_ops = {
1952    .read = lsi_io_read,
1953    .write = lsi_io_write,
1954    .endianness = DEVICE_NATIVE_ENDIAN,
1955    .impl = {
1956        .min_access_size = 1,
1957        .max_access_size = 1,
1958    },
1959};
1960
1961static void lsi_scsi_reset(DeviceState *dev)
1962{
1963    LSIState *s = DO_UPCAST(LSIState, dev.qdev, dev);
1964
1965    lsi_soft_reset(s);
1966}
1967
1968static void lsi_pre_save(void *opaque)
1969{
1970    LSIState *s = opaque;
1971
1972    if (s->current) {
1973        assert(s->current->dma_buf == NULL);
1974        assert(s->current->dma_len == 0);
1975    }
1976    assert(QTAILQ_EMPTY(&s->queue));
1977}
1978
1979static const VMStateDescription vmstate_lsi_scsi = {
1980    .name = "lsiscsi",
1981    .version_id = 0,
1982    .minimum_version_id = 0,
1983    .minimum_version_id_old = 0,
1984    .pre_save = lsi_pre_save,
1985    .fields      = (VMStateField []) {
1986        VMSTATE_PCI_DEVICE(dev, LSIState),
1987
1988        VMSTATE_INT32(carry, LSIState),
1989        VMSTATE_INT32(status, LSIState),
1990        VMSTATE_INT32(msg_action, LSIState),
1991        VMSTATE_INT32(msg_len, LSIState),
1992        VMSTATE_BUFFER(msg, LSIState),
1993        VMSTATE_INT32(waiting, LSIState),
1994
1995        VMSTATE_UINT32(dsa, LSIState),
1996        VMSTATE_UINT32(temp, LSIState),
1997        VMSTATE_UINT32(dnad, LSIState),
1998        VMSTATE_UINT32(dbc, LSIState),
1999        VMSTATE_UINT8(istat0, LSIState),
2000        VMSTATE_UINT8(istat1, LSIState),

2001        VMSTATE_UINT8(dcmd, LSIState),
2002        VMSTATE_UINT8(dstat, LSIState),
2003        VMSTATE_UINT8(dien, LSIState),
2004        VMSTATE_UINT8(sist0, LSIState),
2005        VMSTATE_UINT8(sist1, LSIState),
2006        VMSTATE_UINT8(sien0, LSIState),
2007        VMSTATE_UINT8(sien1, LSIState),
2008        VMSTATE_UINT8(mbox0, LSIState),
2009        VMSTATE_UINT8(mbox1, LSIState),
2010        VMSTATE_UINT8(dfifo, LSIState),
2011        VMSTATE_UINT8(ctest2, LSIState),
2012        VMSTATE_UINT8(ctest3, LSIState),
2013        VMSTATE_UINT8(ctest4, LSIState),
2014        VMSTATE_UINT8(ctest5, LSIState),
2015        VMSTATE_UINT8(ccntl0, LSIState),
2016        VMSTATE_UINT8(ccntl1, LSIState),
2017        VMSTATE_UINT32(dsp, LSIState),
2018        VMSTATE_UINT32(dsps, LSIState),
2019        VMSTATE_UINT8(dmode, LSIState),
2020        VMSTATE_UINT8(dcntl, LSIState),
2021        VMSTATE_UINT8(scntl0, LSIState),
2022        VMSTATE_UINT8(scntl1, LSIState),
2023        VMSTATE_UINT8(scntl2, LSIState),
2024        VMSTATE_UINT8(scntl3, LSIState),
2025        VMSTATE_UINT8(sstat0, LSIState),
2026        VMSTATE_UINT8(sstat1, LSIState),
2027        VMSTATE_UINT8(scid, LSIState),
2028        VMSTATE_UINT8(sxfer, LSIState),
2029        VMSTATE_UINT8(socl, LSIState),
2030        VMSTATE_UINT8(sdid, LSIState),
2031        VMSTATE_UINT8(ssid, LSIState),
2032        VMSTATE_UINT8(sfbr, LSIState),
2033        VMSTATE_UINT8(stest1, LSIState),
2034        VMSTATE_UINT8(stest2, LSIState),
2035        VMSTATE_UINT8(stest3, LSIState),
2036        VMSTATE_UINT8(sidl, LSIState),
2037        VMSTATE_UINT8(stime0, LSIState),
2038        VMSTATE_UINT8(respid0, LSIState),
2039        VMSTATE_UINT8(respid1, LSIState),
2040        VMSTATE_UINT32(mmrs, LSIState),
2041        VMSTATE_UINT32(mmws, LSIState),
2042        VMSTATE_UINT32(sfs, LSIState),
2043        VMSTATE_UINT32(drs, LSIState),
2044        VMSTATE_UINT32(sbms, LSIState),
2045        VMSTATE_UINT32(dbms, LSIState),
2046        VMSTATE_UINT32(dnad64, LSIState),
2047        VMSTATE_UINT32(pmjad1, LSIState),
2048        VMSTATE_UINT32(pmjad2, LSIState),
2049        VMSTATE_UINT32(rbc, LSIState),
2050        VMSTATE_UINT32(ua, LSIState),
2051        VMSTATE_UINT32(ia, LSIState),
2052        VMSTATE_UINT32(sbc, LSIState),
2053        VMSTATE_UINT32(csbc, LSIState),
2054        VMSTATE_BUFFER_UNSAFE(scratch, LSIState, 0, 18 * sizeof(uint32_t)),
2055        VMSTATE_UINT8(sbr, LSIState),
2056
2057        VMSTATE_BUFFER_UNSAFE(script_ram, LSIState, 0, 2048 * sizeof(uint32_t)),
2058        VMSTATE_END_OF_LIST()
2059    }
2060};
2061
2062static void lsi_scsi_uninit(PCIDevice *d)
2063{
2064    LSIState *s = DO_UPCAST(LSIState, dev, d);
2065
2066    memory_region_destroy(&s->mmio_io);
2067    memory_region_destroy(&s->ram_io);
2068    memory_region_destroy(&s->io_io);
2069}
2070
2071static const struct SCSIBusInfo lsi_scsi_info = {
2072    .tcq = true,
2073    .max_target = LSI_MAX_DEVS,
2074    .max_lun = 0,  /* LUN support is buggy */
2075
2076    .transfer_data = lsi_transfer_data,
2077    .complete = lsi_command_complete,
2078    .cancel = lsi_request_cancelled
2079};
2080
2081static int lsi_scsi_init(PCIDevice *dev)
2082{
2083    LSIState *s = DO_UPCAST(LSIState, dev, dev);
2084    uint8_t *pci_conf;
2085
2086    pci_conf = s->dev.config;
2087
2088    /* PCI latency timer = 255 */
2089    pci_conf[PCI_LATENCY_TIMER] = 0xff;
2090    /* Interrupt pin A */
2091    pci_conf[PCI_INTERRUPT_PIN] = 0x01;
2092
2093    memory_region_init_io(&s->mmio_io, &lsi_mmio_ops, s, "lsi-mmio", 0x400);
2094    memory_region_init_io(&s->ram_io, &lsi_ram_ops, s, "lsi-ram", 0x2000);
2095    memory_region_init_io(&s->io_io, &lsi_io_ops, s, "lsi-io", 256);
2096
2097    pci_register_bar(&s->dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_io);
2098    pci_register_bar(&s->dev, 1, 0, &s->mmio_io);
2099    pci_register_bar(&s->dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->ram_io);
2100    QTAILQ_INIT(&s->queue);
2101
2102    scsi_bus_new(&s->bus, &dev->qdev, &lsi_scsi_info);
2103    if (!dev->qdev.hotplugged) {
2104        return scsi_bus_legacy_handle_cmdline(&s->bus);
2105    }
2106    return 0;
2107}
2108
2109static void lsi_class_init(ObjectClass *klass, void *data)
2110{
2111    DeviceClass *dc = DEVICE_CLASS(klass);
2112    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2113
2114    k->init = lsi_scsi_init;
2115    k->exit = lsi_scsi_uninit;
2116    k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
2117    k->device_id = PCI_DEVICE_ID_LSI_53C895A;
2118    k->class_id = PCI_CLASS_STORAGE_SCSI;
2119    k->subsystem_id = 0x1000;
2120    dc->reset = lsi_scsi_reset;
2121    dc->vmsd = &vmstate_lsi_scsi;
2122}
2123
2124static const TypeInfo lsi_info = {
2125    .name          = "lsi53c895a",
2126    .parent        = TYPE_PCI_DEVICE,
2127    .instance_size = sizeof(LSIState),
2128    .class_init    = lsi_class_init,
2129};
2130
2131static void lsi53c895a_register_types(void)
2132{
2133    type_register_static(&lsi_info);
2134}
2135
2136type_init(lsi53c895a_register_types)
2137