qemu/hw/net/lan9118.c
<<
>>
Prefs
   1/*
   2 * SMSC LAN9118 Ethernet interface emulation
   3 *
   4 * Copyright (c) 2009 CodeSourcery, LLC.
   5 * Written by Paul Brook
   6 *
   7 * This code is licensed under the GNU GPL v2
   8 *
   9 * Contributions after 2012-01-13 are licensed under the terms of the
  10 * GNU GPL, version 2 or (at your option) any later version.
  11 */
  12
  13#include "qemu/osdep.h"
  14#include "hw/sysbus.h"
  15#include "migration/vmstate.h"
  16#include "net/net.h"
  17#include "net/eth.h"
  18#include "hw/hw.h"
  19#include "hw/irq.h"
  20#include "hw/net/lan9118.h"
  21#include "hw/ptimer.h"
  22#include "hw/qdev-properties.h"
  23#include "qapi/error.h"
  24#include "qemu/log.h"
  25#include "qemu/module.h"
  26/* For crc32 */
  27#include <zlib.h>
  28#include "qom/object.h"
  29
  30//#define DEBUG_LAN9118
  31
  32#ifdef DEBUG_LAN9118
  33#define DPRINTF(fmt, ...) \
  34do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
  35#define BADF(fmt, ...) \
  36do { hw_error("lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
  37#else
  38#define DPRINTF(fmt, ...) do {} while(0)
  39#define BADF(fmt, ...) \
  40do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
  41#endif
  42
  43/* The tx and rx fifo ports are a range of aliased 32-bit registers */
  44#define RX_DATA_FIFO_PORT_FIRST 0x00
  45#define RX_DATA_FIFO_PORT_LAST 0x1f
  46#define TX_DATA_FIFO_PORT_FIRST 0x20
  47#define TX_DATA_FIFO_PORT_LAST 0x3f
  48
  49#define RX_STATUS_FIFO_PORT 0x40
  50#define RX_STATUS_FIFO_PEEK 0x44
  51#define TX_STATUS_FIFO_PORT 0x48
  52#define TX_STATUS_FIFO_PEEK 0x4c
  53
  54#define CSR_ID_REV      0x50
  55#define CSR_IRQ_CFG     0x54
  56#define CSR_INT_STS     0x58
  57#define CSR_INT_EN      0x5c
  58#define CSR_BYTE_TEST   0x64
  59#define CSR_FIFO_INT    0x68
  60#define CSR_RX_CFG      0x6c
  61#define CSR_TX_CFG      0x70
  62#define CSR_HW_CFG      0x74
  63#define CSR_RX_DP_CTRL  0x78
  64#define CSR_RX_FIFO_INF 0x7c
  65#define CSR_TX_FIFO_INF 0x80
  66#define CSR_PMT_CTRL    0x84
  67#define CSR_GPIO_CFG    0x88
  68#define CSR_GPT_CFG     0x8c
  69#define CSR_GPT_CNT     0x90
  70#define CSR_WORD_SWAP   0x98
  71#define CSR_FREE_RUN    0x9c
  72#define CSR_RX_DROP     0xa0
  73#define CSR_MAC_CSR_CMD 0xa4
  74#define CSR_MAC_CSR_DATA 0xa8
  75#define CSR_AFC_CFG     0xac
  76#define CSR_E2P_CMD     0xb0
  77#define CSR_E2P_DATA    0xb4
  78
  79#define E2P_CMD_MAC_ADDR_LOADED 0x100
  80
  81/* IRQ_CFG */
  82#define IRQ_INT         0x00001000
  83#define IRQ_EN          0x00000100
  84#define IRQ_POL         0x00000010
  85#define IRQ_TYPE        0x00000001
  86
  87/* INT_STS/INT_EN */
  88#define SW_INT          0x80000000
  89#define TXSTOP_INT      0x02000000
  90#define RXSTOP_INT      0x01000000
  91#define RXDFH_INT       0x00800000
  92#define TX_IOC_INT      0x00200000
  93#define RXD_INT         0x00100000
  94#define GPT_INT         0x00080000
  95#define PHY_INT         0x00040000
  96#define PME_INT         0x00020000
  97#define TXSO_INT        0x00010000
  98#define RWT_INT         0x00008000
  99#define RXE_INT         0x00004000
 100#define TXE_INT         0x00002000
 101#define TDFU_INT        0x00000800
 102#define TDFO_INT        0x00000400
 103#define TDFA_INT        0x00000200
 104#define TSFF_INT        0x00000100
 105#define TSFL_INT        0x00000080
 106#define RXDF_INT        0x00000040
 107#define RDFL_INT        0x00000020
 108#define RSFF_INT        0x00000010
 109#define RSFL_INT        0x00000008
 110#define GPIO2_INT       0x00000004
 111#define GPIO1_INT       0x00000002
 112#define GPIO0_INT       0x00000001
 113#define RESERVED_INT    0x7c001000
 114
 115#define MAC_CR          1
 116#define MAC_ADDRH       2
 117#define MAC_ADDRL       3
 118#define MAC_HASHH       4
 119#define MAC_HASHL       5
 120#define MAC_MII_ACC     6
 121#define MAC_MII_DATA    7
 122#define MAC_FLOW        8
 123#define MAC_VLAN1       9 /* TODO */
 124#define MAC_VLAN2       10 /* TODO */
 125#define MAC_WUFF        11 /* TODO */
 126#define MAC_WUCSR       12 /* TODO */
 127
 128#define MAC_CR_RXALL    0x80000000
 129#define MAC_CR_RCVOWN   0x00800000
 130#define MAC_CR_LOOPBK   0x00200000
 131#define MAC_CR_FDPX     0x00100000
 132#define MAC_CR_MCPAS    0x00080000
 133#define MAC_CR_PRMS     0x00040000
 134#define MAC_CR_INVFILT  0x00020000
 135#define MAC_CR_PASSBAD  0x00010000
 136#define MAC_CR_HO       0x00008000
 137#define MAC_CR_HPFILT   0x00002000
 138#define MAC_CR_LCOLL    0x00001000
 139#define MAC_CR_BCAST    0x00000800
 140#define MAC_CR_DISRTY   0x00000400
 141#define MAC_CR_PADSTR   0x00000100
 142#define MAC_CR_BOLMT    0x000000c0
 143#define MAC_CR_DFCHK    0x00000020
 144#define MAC_CR_TXEN     0x00000008
 145#define MAC_CR_RXEN     0x00000004
 146#define MAC_CR_RESERVED 0x7f404213
 147
 148#define PHY_INT_ENERGYON            0x80
 149#define PHY_INT_AUTONEG_COMPLETE    0x40
 150#define PHY_INT_FAULT               0x20
 151#define PHY_INT_DOWN                0x10
 152#define PHY_INT_AUTONEG_LP          0x08
 153#define PHY_INT_PARFAULT            0x04
 154#define PHY_INT_AUTONEG_PAGE        0x02
 155
 156#define GPT_TIMER_EN    0x20000000
 157
 158enum tx_state {
 159    TX_IDLE,
 160    TX_B,
 161    TX_DATA
 162};
 163
 164typedef struct {
 165    /* state is a tx_state but we can't put enums in VMStateDescriptions. */
 166    uint32_t state;
 167    uint32_t cmd_a;
 168    uint32_t cmd_b;
 169    int32_t buffer_size;
 170    int32_t offset;
 171    int32_t pad;
 172    int32_t fifo_used;
 173    int32_t len;
 174    uint8_t data[2048];
 175} LAN9118Packet;
 176
 177static const VMStateDescription vmstate_lan9118_packet = {
 178    .name = "lan9118_packet",
 179    .version_id = 1,
 180    .minimum_version_id = 1,
 181    .fields = (VMStateField[]) {
 182        VMSTATE_UINT32(state, LAN9118Packet),
 183        VMSTATE_UINT32(cmd_a, LAN9118Packet),
 184        VMSTATE_UINT32(cmd_b, LAN9118Packet),
 185        VMSTATE_INT32(buffer_size, LAN9118Packet),
 186        VMSTATE_INT32(offset, LAN9118Packet),
 187        VMSTATE_INT32(pad, LAN9118Packet),
 188        VMSTATE_INT32(fifo_used, LAN9118Packet),
 189        VMSTATE_INT32(len, LAN9118Packet),
 190        VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048),
 191        VMSTATE_END_OF_LIST()
 192    }
 193};
 194
 195OBJECT_DECLARE_SIMPLE_TYPE(lan9118_state, LAN9118)
 196
 197struct lan9118_state {
 198    SysBusDevice parent_obj;
 199
 200    NICState *nic;
 201    NICConf conf;
 202    qemu_irq irq;
 203    MemoryRegion mmio;
 204    ptimer_state *timer;
 205
 206    uint32_t irq_cfg;
 207    uint32_t int_sts;
 208    uint32_t int_en;
 209    uint32_t fifo_int;
 210    uint32_t rx_cfg;
 211    uint32_t tx_cfg;
 212    uint32_t hw_cfg;
 213    uint32_t pmt_ctrl;
 214    uint32_t gpio_cfg;
 215    uint32_t gpt_cfg;
 216    uint32_t word_swap;
 217    uint32_t free_timer_start;
 218    uint32_t mac_cmd;
 219    uint32_t mac_data;
 220    uint32_t afc_cfg;
 221    uint32_t e2p_cmd;
 222    uint32_t e2p_data;
 223
 224    uint32_t mac_cr;
 225    uint32_t mac_hashh;
 226    uint32_t mac_hashl;
 227    uint32_t mac_mii_acc;
 228    uint32_t mac_mii_data;
 229    uint32_t mac_flow;
 230
 231    uint32_t phy_status;
 232    uint32_t phy_control;
 233    uint32_t phy_advertise;
 234    uint32_t phy_int;
 235    uint32_t phy_int_mask;
 236
 237    int32_t eeprom_writable;
 238    uint8_t eeprom[128];
 239
 240    int32_t tx_fifo_size;
 241    LAN9118Packet *txp;
 242    LAN9118Packet tx_packet;
 243
 244    int32_t tx_status_fifo_used;
 245    int32_t tx_status_fifo_head;
 246    uint32_t tx_status_fifo[512];
 247
 248    int32_t rx_status_fifo_size;
 249    int32_t rx_status_fifo_used;
 250    int32_t rx_status_fifo_head;
 251    uint32_t rx_status_fifo[896];
 252    int32_t rx_fifo_size;
 253    int32_t rx_fifo_used;
 254    int32_t rx_fifo_head;
 255    uint32_t rx_fifo[3360];
 256    int32_t rx_packet_size_head;
 257    int32_t rx_packet_size_tail;
 258    int32_t rx_packet_size[1024];
 259
 260    int32_t rxp_offset;
 261    int32_t rxp_size;
 262    int32_t rxp_pad;
 263
 264    uint32_t write_word_prev_offset;
 265    uint32_t write_word_n;
 266    uint16_t write_word_l;
 267    uint16_t write_word_h;
 268    uint32_t read_word_prev_offset;
 269    uint32_t read_word_n;
 270    uint32_t read_long;
 271
 272    uint32_t mode_16bit;
 273};
 274
 275static const VMStateDescription vmstate_lan9118 = {
 276    .name = "lan9118",
 277    .version_id = 2,
 278    .minimum_version_id = 1,
 279    .fields = (VMStateField[]) {
 280        VMSTATE_PTIMER(timer, lan9118_state),
 281        VMSTATE_UINT32(irq_cfg, lan9118_state),
 282        VMSTATE_UINT32(int_sts, lan9118_state),
 283        VMSTATE_UINT32(int_en, lan9118_state),
 284        VMSTATE_UINT32(fifo_int, lan9118_state),
 285        VMSTATE_UINT32(rx_cfg, lan9118_state),
 286        VMSTATE_UINT32(tx_cfg, lan9118_state),
 287        VMSTATE_UINT32(hw_cfg, lan9118_state),
 288        VMSTATE_UINT32(pmt_ctrl, lan9118_state),
 289        VMSTATE_UINT32(gpio_cfg, lan9118_state),
 290        VMSTATE_UINT32(gpt_cfg, lan9118_state),
 291        VMSTATE_UINT32(word_swap, lan9118_state),
 292        VMSTATE_UINT32(free_timer_start, lan9118_state),
 293        VMSTATE_UINT32(mac_cmd, lan9118_state),
 294        VMSTATE_UINT32(mac_data, lan9118_state),
 295        VMSTATE_UINT32(afc_cfg, lan9118_state),
 296        VMSTATE_UINT32(e2p_cmd, lan9118_state),
 297        VMSTATE_UINT32(e2p_data, lan9118_state),
 298        VMSTATE_UINT32(mac_cr, lan9118_state),
 299        VMSTATE_UINT32(mac_hashh, lan9118_state),
 300        VMSTATE_UINT32(mac_hashl, lan9118_state),
 301        VMSTATE_UINT32(mac_mii_acc, lan9118_state),
 302        VMSTATE_UINT32(mac_mii_data, lan9118_state),
 303        VMSTATE_UINT32(mac_flow, lan9118_state),
 304        VMSTATE_UINT32(phy_status, lan9118_state),
 305        VMSTATE_UINT32(phy_control, lan9118_state),
 306        VMSTATE_UINT32(phy_advertise, lan9118_state),
 307        VMSTATE_UINT32(phy_int, lan9118_state),
 308        VMSTATE_UINT32(phy_int_mask, lan9118_state),
 309        VMSTATE_INT32(eeprom_writable, lan9118_state),
 310        VMSTATE_UINT8_ARRAY(eeprom, lan9118_state, 128),
 311        VMSTATE_INT32(tx_fifo_size, lan9118_state),
 312        /* txp always points at tx_packet so need not be saved */
 313        VMSTATE_STRUCT(tx_packet, lan9118_state, 0,
 314                       vmstate_lan9118_packet, LAN9118Packet),
 315        VMSTATE_INT32(tx_status_fifo_used, lan9118_state),
 316        VMSTATE_INT32(tx_status_fifo_head, lan9118_state),
 317        VMSTATE_UINT32_ARRAY(tx_status_fifo, lan9118_state, 512),
 318        VMSTATE_INT32(rx_status_fifo_size, lan9118_state),
 319        VMSTATE_INT32(rx_status_fifo_used, lan9118_state),
 320        VMSTATE_INT32(rx_status_fifo_head, lan9118_state),
 321        VMSTATE_UINT32_ARRAY(rx_status_fifo, lan9118_state, 896),
 322        VMSTATE_INT32(rx_fifo_size, lan9118_state),
 323        VMSTATE_INT32(rx_fifo_used, lan9118_state),
 324        VMSTATE_INT32(rx_fifo_head, lan9118_state),
 325        VMSTATE_UINT32_ARRAY(rx_fifo, lan9118_state, 3360),
 326        VMSTATE_INT32(rx_packet_size_head, lan9118_state),
 327        VMSTATE_INT32(rx_packet_size_tail, lan9118_state),
 328        VMSTATE_INT32_ARRAY(rx_packet_size, lan9118_state, 1024),
 329        VMSTATE_INT32(rxp_offset, lan9118_state),
 330        VMSTATE_INT32(rxp_size, lan9118_state),
 331        VMSTATE_INT32(rxp_pad, lan9118_state),
 332        VMSTATE_UINT32_V(write_word_prev_offset, lan9118_state, 2),
 333        VMSTATE_UINT32_V(write_word_n, lan9118_state, 2),
 334        VMSTATE_UINT16_V(write_word_l, lan9118_state, 2),
 335        VMSTATE_UINT16_V(write_word_h, lan9118_state, 2),
 336        VMSTATE_UINT32_V(read_word_prev_offset, lan9118_state, 2),
 337        VMSTATE_UINT32_V(read_word_n, lan9118_state, 2),
 338        VMSTATE_UINT32_V(read_long, lan9118_state, 2),
 339        VMSTATE_UINT32_V(mode_16bit, lan9118_state, 2),
 340        VMSTATE_END_OF_LIST()
 341    }
 342};
 343
 344static void lan9118_update(lan9118_state *s)
 345{
 346    int level;
 347
 348    /* TODO: Implement FIFO level IRQs.  */
 349    level = (s->int_sts & s->int_en) != 0;
 350    if (level) {
 351        s->irq_cfg |= IRQ_INT;
 352    } else {
 353        s->irq_cfg &= ~IRQ_INT;
 354    }
 355    if ((s->irq_cfg & IRQ_EN) == 0) {
 356        level = 0;
 357    }
 358    if ((s->irq_cfg & (IRQ_TYPE | IRQ_POL)) != (IRQ_TYPE | IRQ_POL)) {
 359        /* Interrupt is active low unless we're configured as
 360         * active-high polarity, push-pull type.
 361         */
 362        level = !level;
 363    }
 364    qemu_set_irq(s->irq, level);
 365}
 366
 367static void lan9118_mac_changed(lan9118_state *s)
 368{
 369    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 370}
 371
 372static void lan9118_reload_eeprom(lan9118_state *s)
 373{
 374    int i;
 375    if (s->eeprom[0] != 0xa5) {
 376        s->e2p_cmd &= ~E2P_CMD_MAC_ADDR_LOADED;
 377        DPRINTF("MACADDR load failed\n");
 378        return;
 379    }
 380    for (i = 0; i < 6; i++) {
 381        s->conf.macaddr.a[i] = s->eeprom[i + 1];
 382    }
 383    s->e2p_cmd |= E2P_CMD_MAC_ADDR_LOADED;
 384    DPRINTF("MACADDR loaded from eeprom\n");
 385    lan9118_mac_changed(s);
 386}
 387
 388static void phy_update_irq(lan9118_state *s)
 389{
 390    if (s->phy_int & s->phy_int_mask) {
 391        s->int_sts |= PHY_INT;
 392    } else {
 393        s->int_sts &= ~PHY_INT;
 394    }
 395    lan9118_update(s);
 396}
 397
 398static void phy_update_link(lan9118_state *s)
 399{
 400    /* Autonegotiation status mirrors link status.  */
 401    if (qemu_get_queue(s->nic)->link_down) {
 402        s->phy_status &= ~0x0024;
 403        s->phy_int |= PHY_INT_DOWN;
 404    } else {
 405        s->phy_status |= 0x0024;
 406        s->phy_int |= PHY_INT_ENERGYON;
 407        s->phy_int |= PHY_INT_AUTONEG_COMPLETE;
 408    }
 409    phy_update_irq(s);
 410}
 411
 412static void lan9118_set_link(NetClientState *nc)
 413{
 414    phy_update_link(qemu_get_nic_opaque(nc));
 415}
 416
 417static void phy_reset(lan9118_state *s)
 418{
 419    s->phy_status = 0x7809;
 420    s->phy_control = 0x3000;
 421    s->phy_advertise = 0x01e1;
 422    s->phy_int_mask = 0;
 423    s->phy_int = 0;
 424    phy_update_link(s);
 425}
 426
 427static void lan9118_reset(DeviceState *d)
 428{
 429    lan9118_state *s = LAN9118(d);
 430
 431    s->irq_cfg &= (IRQ_TYPE | IRQ_POL);
 432    s->int_sts = 0;
 433    s->int_en = 0;
 434    s->fifo_int = 0x48000000;
 435    s->rx_cfg = 0;
 436    s->tx_cfg = 0;
 437    s->hw_cfg = s->mode_16bit ? 0x00050000 : 0x00050004;
 438    s->pmt_ctrl &= 0x45;
 439    s->gpio_cfg = 0;
 440    s->txp->fifo_used = 0;
 441    s->txp->state = TX_IDLE;
 442    s->txp->cmd_a = 0xffffffffu;
 443    s->txp->cmd_b = 0xffffffffu;
 444    s->txp->len = 0;
 445    s->txp->fifo_used = 0;
 446    s->tx_fifo_size = 4608;
 447    s->tx_status_fifo_used = 0;
 448    s->rx_status_fifo_size = 704;
 449    s->rx_fifo_size = 2640;
 450    s->rx_fifo_used = 0;
 451    s->rx_status_fifo_size = 176;
 452    s->rx_status_fifo_used = 0;
 453    s->rxp_offset = 0;
 454    s->rxp_size = 0;
 455    s->rxp_pad = 0;
 456    s->rx_packet_size_tail = s->rx_packet_size_head;
 457    s->rx_packet_size[s->rx_packet_size_head] = 0;
 458    s->mac_cmd = 0;
 459    s->mac_data = 0;
 460    s->afc_cfg = 0;
 461    s->e2p_cmd = 0;
 462    s->e2p_data = 0;
 463    s->free_timer_start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40;
 464
 465    ptimer_transaction_begin(s->timer);
 466    ptimer_stop(s->timer);
 467    ptimer_set_count(s->timer, 0xffff);
 468    ptimer_transaction_commit(s->timer);
 469    s->gpt_cfg = 0xffff;
 470
 471    s->mac_cr = MAC_CR_PRMS;
 472    s->mac_hashh = 0;
 473    s->mac_hashl = 0;
 474    s->mac_mii_acc = 0;
 475    s->mac_mii_data = 0;
 476    s->mac_flow = 0;
 477
 478    s->read_word_n = 0;
 479    s->write_word_n = 0;
 480
 481    phy_reset(s);
 482
 483    s->eeprom_writable = 0;
 484    lan9118_reload_eeprom(s);
 485}
 486
 487static void rx_fifo_push(lan9118_state *s, uint32_t val)
 488{
 489    int fifo_pos;
 490    fifo_pos = s->rx_fifo_head + s->rx_fifo_used;
 491    if (fifo_pos >= s->rx_fifo_size)
 492      fifo_pos -= s->rx_fifo_size;
 493    s->rx_fifo[fifo_pos] = val;
 494    s->rx_fifo_used++;
 495}
 496
 497/* Return nonzero if the packet is accepted by the filter.  */
 498static int lan9118_filter(lan9118_state *s, const uint8_t *addr)
 499{
 500    int multicast;
 501    uint32_t hash;
 502
 503    if (s->mac_cr & MAC_CR_PRMS) {
 504        return 1;
 505    }
 506    if (addr[0] == 0xff && addr[1] == 0xff && addr[2] == 0xff &&
 507        addr[3] == 0xff && addr[4] == 0xff && addr[5] == 0xff) {
 508        return (s->mac_cr & MAC_CR_BCAST) == 0;
 509    }
 510
 511    multicast = addr[0] & 1;
 512    if (multicast &&s->mac_cr & MAC_CR_MCPAS) {
 513        return 1;
 514    }
 515    if (multicast ? (s->mac_cr & MAC_CR_HPFILT) == 0
 516                  : (s->mac_cr & MAC_CR_HO) == 0) {
 517        /* Exact matching.  */
 518        hash = memcmp(addr, s->conf.macaddr.a, 6);
 519        if (s->mac_cr & MAC_CR_INVFILT) {
 520            return hash != 0;
 521        } else {
 522            return hash == 0;
 523        }
 524    } else {
 525        /* Hash matching  */
 526        hash = net_crc32(addr, ETH_ALEN) >> 26;
 527        if (hash & 0x20) {
 528            return (s->mac_hashh >> (hash & 0x1f)) & 1;
 529        } else {
 530            return (s->mac_hashl >> (hash & 0x1f)) & 1;
 531        }
 532    }
 533}
 534
 535static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
 536                               size_t size)
 537{
 538    lan9118_state *s = qemu_get_nic_opaque(nc);
 539    int fifo_len;
 540    int offset;
 541    int src_pos;
 542    int n;
 543    int filter;
 544    uint32_t val;
 545    uint32_t crc;
 546    uint32_t status;
 547
 548    if ((s->mac_cr & MAC_CR_RXEN) == 0) {
 549        return -1;
 550    }
 551
 552    if (size >= 2048 || size < 14) {
 553        return -1;
 554    }
 555
 556    /* TODO: Implement FIFO overflow notification.  */
 557    if (s->rx_status_fifo_used == s->rx_status_fifo_size) {
 558        return -1;
 559    }
 560
 561    filter = lan9118_filter(s, buf);
 562    if (!filter && (s->mac_cr & MAC_CR_RXALL) == 0) {
 563        return size;
 564    }
 565
 566    offset = (s->rx_cfg >> 8) & 0x1f;
 567    n = offset & 3;
 568    fifo_len = (size + n + 3) >> 2;
 569    /* Add a word for the CRC.  */
 570    fifo_len++;
 571    if (s->rx_fifo_size - s->rx_fifo_used < fifo_len) {
 572        return -1;
 573    }
 574
 575    DPRINTF("Got packet len:%d fifo:%d filter:%s\n",
 576            (int)size, fifo_len, filter ? "pass" : "fail");
 577    val = 0;
 578    crc = bswap32(crc32(~0, buf, size));
 579    for (src_pos = 0; src_pos < size; src_pos++) {
 580        val = (val >> 8) | ((uint32_t)buf[src_pos] << 24);
 581        n++;
 582        if (n == 4) {
 583            n = 0;
 584            rx_fifo_push(s, val);
 585            val = 0;
 586        }
 587    }
 588    if (n) {
 589        val >>= ((4 - n) * 8);
 590        val |= crc << (n * 8);
 591        rx_fifo_push(s, val);
 592        val = crc >> ((4 - n) * 8);
 593        rx_fifo_push(s, val);
 594    } else {
 595        rx_fifo_push(s, crc);
 596    }
 597    n = s->rx_status_fifo_head + s->rx_status_fifo_used;
 598    if (n >= s->rx_status_fifo_size) {
 599        n -= s->rx_status_fifo_size;
 600    }
 601    s->rx_packet_size[s->rx_packet_size_tail] = fifo_len;
 602    s->rx_packet_size_tail = (s->rx_packet_size_tail + 1023) & 1023;
 603    s->rx_status_fifo_used++;
 604
 605    status = (size + 4) << 16;
 606    if (buf[0] == 0xff && buf[1] == 0xff && buf[2] == 0xff &&
 607        buf[3] == 0xff && buf[4] == 0xff && buf[5] == 0xff) {
 608        status |= 0x00002000;
 609    } else if (buf[0] & 1) {
 610        status |= 0x00000400;
 611    }
 612    if (!filter) {
 613        status |= 0x40000000;
 614    }
 615    s->rx_status_fifo[n] = status;
 616
 617    if (s->rx_status_fifo_used > (s->fifo_int & 0xff)) {
 618        s->int_sts |= RSFL_INT;
 619    }
 620    lan9118_update(s);
 621
 622    return size;
 623}
 624
 625static uint32_t rx_fifo_pop(lan9118_state *s)
 626{
 627    int n;
 628    uint32_t val;
 629
 630    if (s->rxp_size == 0 && s->rxp_pad == 0) {
 631        s->rxp_size = s->rx_packet_size[s->rx_packet_size_head];
 632        s->rx_packet_size[s->rx_packet_size_head] = 0;
 633        if (s->rxp_size != 0) {
 634            s->rx_packet_size_head = (s->rx_packet_size_head + 1023) & 1023;
 635            s->rxp_offset = (s->rx_cfg >> 10) & 7;
 636            n = s->rxp_offset + s->rxp_size;
 637            switch (s->rx_cfg >> 30) {
 638            case 1:
 639                n = (-n) & 3;
 640                break;
 641            case 2:
 642                n = (-n) & 7;
 643                break;
 644            default:
 645                n = 0;
 646                break;
 647            }
 648            s->rxp_pad = n;
 649            DPRINTF("Pop packet size:%d offset:%d pad: %d\n",
 650                    s->rxp_size, s->rxp_offset, s->rxp_pad);
 651        }
 652    }
 653    if (s->rxp_offset > 0) {
 654        s->rxp_offset--;
 655        val = 0;
 656    } else if (s->rxp_size > 0) {
 657        s->rxp_size--;
 658        val = s->rx_fifo[s->rx_fifo_head++];
 659        if (s->rx_fifo_head >= s->rx_fifo_size) {
 660            s->rx_fifo_head -= s->rx_fifo_size;
 661        }
 662        s->rx_fifo_used--;
 663    } else if (s->rxp_pad > 0) {
 664        s->rxp_pad--;
 665        val =  0;
 666    } else {
 667        DPRINTF("RX underflow\n");
 668        s->int_sts |= RXE_INT;
 669        val =  0;
 670    }
 671    lan9118_update(s);
 672    return val;
 673}
 674
 675static void do_tx_packet(lan9118_state *s)
 676{
 677    int n;
 678    uint32_t status;
 679
 680    /* FIXME: Honor TX disable, and allow queueing of packets.  */
 681    if (s->phy_control & 0x4000)  {
 682        /* This assumes the receive routine doesn't touch the VLANClient.  */
 683        qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
 684    } else {
 685        qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
 686    }
 687    s->txp->fifo_used = 0;
 688
 689    if (s->tx_status_fifo_used == 512) {
 690        /* Status FIFO full */
 691        return;
 692    }
 693    /* Add entry to status FIFO.  */
 694    status = s->txp->cmd_b & 0xffff0000u;
 695    DPRINTF("Sent packet tag:%04x len %d\n", status >> 16, s->txp->len);
 696    n = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
 697    s->tx_status_fifo[n] = status;
 698    s->tx_status_fifo_used++;
 699    if (s->tx_status_fifo_used == 512) {
 700        s->int_sts |= TSFF_INT;
 701        /* TODO: Stop transmission.  */
 702    }
 703}
 704
 705static uint32_t rx_status_fifo_pop(lan9118_state *s)
 706{
 707    uint32_t val;
 708
 709    val = s->rx_status_fifo[s->rx_status_fifo_head];
 710    if (s->rx_status_fifo_used != 0) {
 711        s->rx_status_fifo_used--;
 712        s->rx_status_fifo_head++;
 713        if (s->rx_status_fifo_head >= s->rx_status_fifo_size) {
 714            s->rx_status_fifo_head -= s->rx_status_fifo_size;
 715        }
 716        /* ??? What value should be returned when the FIFO is empty?  */
 717        DPRINTF("RX status pop 0x%08x\n", val);
 718    }
 719    return val;
 720}
 721
 722static uint32_t tx_status_fifo_pop(lan9118_state *s)
 723{
 724    uint32_t val;
 725
 726    val = s->tx_status_fifo[s->tx_status_fifo_head];
 727    if (s->tx_status_fifo_used != 0) {
 728        s->tx_status_fifo_used--;
 729        s->tx_status_fifo_head = (s->tx_status_fifo_head + 1) & 511;
 730        /* ??? What value should be returned when the FIFO is empty?  */
 731    }
 732    return val;
 733}
 734
 735static void tx_fifo_push(lan9118_state *s, uint32_t val)
 736{
 737    int n;
 738
 739    if (s->txp->fifo_used == s->tx_fifo_size) {
 740        s->int_sts |= TDFO_INT;
 741        return;
 742    }
 743    switch (s->txp->state) {
 744    case TX_IDLE:
 745        s->txp->cmd_a = val & 0x831f37ff;
 746        s->txp->fifo_used++;
 747        s->txp->state = TX_B;
 748        s->txp->buffer_size = extract32(s->txp->cmd_a, 0, 11);
 749        s->txp->offset = extract32(s->txp->cmd_a, 16, 5);
 750        break;
 751    case TX_B:
 752        if (s->txp->cmd_a & 0x2000) {
 753            /* First segment */
 754            s->txp->cmd_b = val;
 755            s->txp->fifo_used++;
 756            /* End alignment does not include command words.  */
 757            n = (s->txp->buffer_size + s->txp->offset + 3) >> 2;
 758            switch ((n >> 24) & 3) {
 759            case 1:
 760                n = (-n) & 3;
 761                break;
 762            case 2:
 763                n = (-n) & 7;
 764                break;
 765            default:
 766                n = 0;
 767            }
 768            s->txp->pad = n;
 769            s->txp->len = 0;
 770        }
 771        DPRINTF("Block len:%d offset:%d pad:%d cmd %08x\n",
 772                s->txp->buffer_size, s->txp->offset, s->txp->pad,
 773                s->txp->cmd_a);
 774        s->txp->state = TX_DATA;
 775        break;
 776    case TX_DATA:
 777        if (s->txp->offset >= 4) {
 778            s->txp->offset -= 4;
 779            break;
 780        }
 781        if (s->txp->buffer_size <= 0 && s->txp->pad != 0) {
 782            s->txp->pad--;
 783        } else {
 784            n = MIN(4, s->txp->buffer_size + s->txp->offset);
 785            while (s->txp->offset) {
 786                val >>= 8;
 787                n--;
 788                s->txp->offset--;
 789            }
 790            /* Documentation is somewhat unclear on the ordering of bytes
 791               in FIFO words.  Empirical results show it to be little-endian.
 792               */
 793            /* TODO: FIFO overflow checking.  */
 794            while (n--) {
 795                s->txp->data[s->txp->len] = val & 0xff;
 796                s->txp->len++;
 797                val >>= 8;
 798                s->txp->buffer_size--;
 799            }
 800            s->txp->fifo_used++;
 801        }
 802        if (s->txp->buffer_size <= 0 && s->txp->pad == 0) {
 803            if (s->txp->cmd_a & 0x1000) {
 804                do_tx_packet(s);
 805            }
 806            if (s->txp->cmd_a & 0x80000000) {
 807                s->int_sts |= TX_IOC_INT;
 808            }
 809            s->txp->state = TX_IDLE;
 810        }
 811        break;
 812    }
 813}
 814
 815static uint32_t do_phy_read(lan9118_state *s, int reg)
 816{
 817    uint32_t val;
 818
 819    switch (reg) {
 820    case 0: /* Basic Control */
 821        return s->phy_control;
 822    case 1: /* Basic Status */
 823        return s->phy_status;
 824    case 2: /* ID1 */
 825        return 0x0007;
 826    case 3: /* ID2 */
 827        return 0xc0d1;
 828    case 4: /* Auto-neg advertisement */
 829        return s->phy_advertise;
 830    case 5: /* Auto-neg Link Partner Ability */
 831        return 0x0f71;
 832    case 6: /* Auto-neg Expansion */
 833        return 1;
 834        /* TODO 17, 18, 27, 29, 30, 31 */
 835    case 29: /* Interrupt source.  */
 836        val = s->phy_int;
 837        s->phy_int = 0;
 838        phy_update_irq(s);
 839        return val;
 840    case 30: /* Interrupt mask */
 841        return s->phy_int_mask;
 842    default:
 843        BADF("PHY read reg %d\n", reg);
 844        return 0;
 845    }
 846}
 847
 848static void do_phy_write(lan9118_state *s, int reg, uint32_t val)
 849{
 850    switch (reg) {
 851    case 0: /* Basic Control */
 852        if (val & 0x8000) {
 853            phy_reset(s);
 854            break;
 855        }
 856        s->phy_control = val & 0x7980;
 857        /* Complete autonegotiation immediately.  */
 858        if (val & 0x1000) {
 859            s->phy_status |= 0x0020;
 860        }
 861        break;
 862    case 4: /* Auto-neg advertisement */
 863        s->phy_advertise = (val & 0x2d7f) | 0x80;
 864        break;
 865        /* TODO 17, 18, 27, 31 */
 866    case 30: /* Interrupt mask */
 867        s->phy_int_mask = val & 0xff;
 868        phy_update_irq(s);
 869        break;
 870    default:
 871        BADF("PHY write reg %d = 0x%04x\n", reg, val);
 872    }
 873}
 874
 875static void do_mac_write(lan9118_state *s, int reg, uint32_t val)
 876{
 877    switch (reg) {
 878    case MAC_CR:
 879        if ((s->mac_cr & MAC_CR_RXEN) != 0 && (val & MAC_CR_RXEN) == 0) {
 880            s->int_sts |= RXSTOP_INT;
 881        }
 882        s->mac_cr = val & ~MAC_CR_RESERVED;
 883        DPRINTF("MAC_CR: %08x\n", val);
 884        break;
 885    case MAC_ADDRH:
 886        s->conf.macaddr.a[4] = val & 0xff;
 887        s->conf.macaddr.a[5] = (val >> 8) & 0xff;
 888        lan9118_mac_changed(s);
 889        break;
 890    case MAC_ADDRL:
 891        s->conf.macaddr.a[0] = val & 0xff;
 892        s->conf.macaddr.a[1] = (val >> 8) & 0xff;
 893        s->conf.macaddr.a[2] = (val >> 16) & 0xff;
 894        s->conf.macaddr.a[3] = (val >> 24) & 0xff;
 895        lan9118_mac_changed(s);
 896        break;
 897    case MAC_HASHH:
 898        s->mac_hashh = val;
 899        break;
 900    case MAC_HASHL:
 901        s->mac_hashl = val;
 902        break;
 903    case MAC_MII_ACC:
 904        s->mac_mii_acc = val & 0xffc2;
 905        if (val & 2) {
 906            DPRINTF("PHY write %d = 0x%04x\n",
 907                    (val >> 6) & 0x1f, s->mac_mii_data);
 908            do_phy_write(s, (val >> 6) & 0x1f, s->mac_mii_data);
 909        } else {
 910            s->mac_mii_data = do_phy_read(s, (val >> 6) & 0x1f);
 911            DPRINTF("PHY read %d = 0x%04x\n",
 912                    (val >> 6) & 0x1f, s->mac_mii_data);
 913        }
 914        break;
 915    case MAC_MII_DATA:
 916        s->mac_mii_data = val & 0xffff;
 917        break;
 918    case MAC_FLOW:
 919        s->mac_flow = val & 0xffff0000;
 920        break;
 921    case MAC_VLAN1:
 922        /* Writing to this register changes a condition for
 923         * FrameTooLong bit in rx_status.  Since we do not set
 924         * FrameTooLong anyway, just ignore write to this.
 925         */
 926        break;
 927    default:
 928        qemu_log_mask(LOG_GUEST_ERROR,
 929                      "lan9118: Unimplemented MAC register write: %d = 0x%x\n",
 930                 s->mac_cmd & 0xf, val);
 931    }
 932}
 933
 934static uint32_t do_mac_read(lan9118_state *s, int reg)
 935{
 936    switch (reg) {
 937    case MAC_CR:
 938        return s->mac_cr;
 939    case MAC_ADDRH:
 940        return s->conf.macaddr.a[4] | (s->conf.macaddr.a[5] << 8);
 941    case MAC_ADDRL:
 942        return s->conf.macaddr.a[0] | (s->conf.macaddr.a[1] << 8)
 943               | (s->conf.macaddr.a[2] << 16) | (s->conf.macaddr.a[3] << 24);
 944    case MAC_HASHH:
 945        return s->mac_hashh;
 946    case MAC_HASHL:
 947        return s->mac_hashl;
 948    case MAC_MII_ACC:
 949        return s->mac_mii_acc;
 950    case MAC_MII_DATA:
 951        return s->mac_mii_data;
 952    case MAC_FLOW:
 953        return s->mac_flow;
 954    default:
 955        qemu_log_mask(LOG_GUEST_ERROR,
 956                      "lan9118: Unimplemented MAC register read: %d\n",
 957                 s->mac_cmd & 0xf);
 958        return 0;
 959    }
 960}
 961
 962static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
 963{
 964    s->e2p_cmd = (s->e2p_cmd & E2P_CMD_MAC_ADDR_LOADED) | (cmd << 28) | addr;
 965    switch (cmd) {
 966    case 0:
 967        s->e2p_data = s->eeprom[addr];
 968        DPRINTF("EEPROM Read %d = 0x%02x\n", addr, s->e2p_data);
 969        break;
 970    case 1:
 971        s->eeprom_writable = 0;
 972        DPRINTF("EEPROM Write Disable\n");
 973        break;
 974    case 2: /* EWEN */
 975        s->eeprom_writable = 1;
 976        DPRINTF("EEPROM Write Enable\n");
 977        break;
 978    case 3: /* WRITE */
 979        if (s->eeprom_writable) {
 980            s->eeprom[addr] &= s->e2p_data;
 981            DPRINTF("EEPROM Write %d = 0x%02x\n", addr, s->e2p_data);
 982        } else {
 983            DPRINTF("EEPROM Write %d (ignored)\n", addr);
 984        }
 985        break;
 986    case 4: /* WRAL */
 987        if (s->eeprom_writable) {
 988            for (addr = 0; addr < 128; addr++) {
 989                s->eeprom[addr] &= s->e2p_data;
 990            }
 991            DPRINTF("EEPROM Write All 0x%02x\n", s->e2p_data);
 992        } else {
 993            DPRINTF("EEPROM Write All (ignored)\n");
 994        }
 995        break;
 996    case 5: /* ERASE */
 997        if (s->eeprom_writable) {
 998            s->eeprom[addr] = 0xff;
 999            DPRINTF("EEPROM Erase %d\n", addr);
1000        } else {
1001            DPRINTF("EEPROM Erase %d (ignored)\n", addr);
1002        }
1003        break;
1004    case 6: /* ERAL */
1005        if (s->eeprom_writable) {
1006            memset(s->eeprom, 0xff, 128);
1007            DPRINTF("EEPROM Erase All\n");
1008        } else {
1009            DPRINTF("EEPROM Erase All (ignored)\n");
1010        }
1011        break;
1012    case 7: /* RELOAD */
1013        lan9118_reload_eeprom(s);
1014        break;
1015    }
1016}
1017
1018static void lan9118_tick(void *opaque)
1019{
1020    lan9118_state *s = (lan9118_state *)opaque;
1021    if (s->int_en & GPT_INT) {
1022        s->int_sts |= GPT_INT;
1023    }
1024    lan9118_update(s);
1025}
1026
1027static void lan9118_writel(void *opaque, hwaddr offset,
1028                           uint64_t val, unsigned size)
1029{
1030    lan9118_state *s = (lan9118_state *)opaque;
1031    offset &= 0xff;
1032
1033    //DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, val);
1034    if (offset >= TX_DATA_FIFO_PORT_FIRST &&
1035        offset <= TX_DATA_FIFO_PORT_LAST) {
1036        /* TX FIFO */
1037        tx_fifo_push(s, val);
1038        return;
1039    }
1040    switch (offset) {
1041    case CSR_IRQ_CFG:
1042        /* TODO: Implement interrupt deassertion intervals.  */
1043        val &= (IRQ_EN | IRQ_POL | IRQ_TYPE);
1044        s->irq_cfg = (s->irq_cfg & IRQ_INT) | val;
1045        break;
1046    case CSR_INT_STS:
1047        s->int_sts &= ~val;
1048        break;
1049    case CSR_INT_EN:
1050        s->int_en = val & ~RESERVED_INT;
1051        s->int_sts |= val & SW_INT;
1052        break;
1053    case CSR_FIFO_INT:
1054        DPRINTF("FIFO INT levels %08x\n", val);
1055        s->fifo_int = val;
1056        break;
1057    case CSR_RX_CFG:
1058        if (val & 0x8000) {
1059            /* RX_DUMP */
1060            s->rx_fifo_used = 0;
1061            s->rx_status_fifo_used = 0;
1062            s->rx_packet_size_tail = s->rx_packet_size_head;
1063            s->rx_packet_size[s->rx_packet_size_head] = 0;
1064        }
1065        s->rx_cfg = val & 0xcfff1ff0;
1066        break;
1067    case CSR_TX_CFG:
1068        if (val & 0x8000) {
1069            s->tx_status_fifo_used = 0;
1070        }
1071        if (val & 0x4000) {
1072            s->txp->state = TX_IDLE;
1073            s->txp->fifo_used = 0;
1074            s->txp->cmd_a = 0xffffffff;
1075        }
1076        s->tx_cfg = val & 6;
1077        break;
1078    case CSR_HW_CFG:
1079        if (val & 1) {
1080            /* SRST */
1081            lan9118_reset(DEVICE(s));
1082        } else {
1083            s->hw_cfg = (val & 0x003f300) | (s->hw_cfg & 0x4);
1084        }
1085        break;
1086    case CSR_RX_DP_CTRL:
1087        if (val & 0x80000000) {
1088            /* Skip forward to next packet.  */
1089            s->rxp_pad = 0;
1090            s->rxp_offset = 0;
1091            if (s->rxp_size == 0) {
1092                /* Pop a word to start the next packet.  */
1093                rx_fifo_pop(s);
1094                s->rxp_pad = 0;
1095                s->rxp_offset = 0;
1096            }
1097            s->rx_fifo_head += s->rxp_size;
1098            if (s->rx_fifo_head >= s->rx_fifo_size) {
1099                s->rx_fifo_head -= s->rx_fifo_size;
1100            }
1101        }
1102        break;
1103    case CSR_PMT_CTRL:
1104        if (val & 0x400) {
1105            phy_reset(s);
1106        }
1107        s->pmt_ctrl &= ~0x34e;
1108        s->pmt_ctrl |= (val & 0x34e);
1109        break;
1110    case CSR_GPIO_CFG:
1111        /* Probably just enabling LEDs.  */
1112        s->gpio_cfg = val & 0x7777071f;
1113        break;
1114    case CSR_GPT_CFG:
1115        if ((s->gpt_cfg ^ val) & GPT_TIMER_EN) {
1116            ptimer_transaction_begin(s->timer);
1117            if (val & GPT_TIMER_EN) {
1118                ptimer_set_count(s->timer, val & 0xffff);
1119                ptimer_run(s->timer, 0);
1120            } else {
1121                ptimer_stop(s->timer);
1122                ptimer_set_count(s->timer, 0xffff);
1123            }
1124            ptimer_transaction_commit(s->timer);
1125        }
1126        s->gpt_cfg = val & (GPT_TIMER_EN | 0xffff);
1127        break;
1128    case CSR_WORD_SWAP:
1129        /* Ignored because we're in 32-bit mode.  */
1130        s->word_swap = val;
1131        break;
1132    case CSR_MAC_CSR_CMD:
1133        s->mac_cmd = val & 0x4000000f;
1134        if (val & 0x80000000) {
1135            if (val & 0x40000000) {
1136                s->mac_data = do_mac_read(s, val & 0xf);
1137                DPRINTF("MAC read %d = 0x%08x\n", val & 0xf, s->mac_data);
1138            } else {
1139                DPRINTF("MAC write %d = 0x%08x\n", val & 0xf, s->mac_data);
1140                do_mac_write(s, val & 0xf, s->mac_data);
1141            }
1142        }
1143        break;
1144    case CSR_MAC_CSR_DATA:
1145        s->mac_data = val;
1146        break;
1147    case CSR_AFC_CFG:
1148        s->afc_cfg = val & 0x00ffffff;
1149        break;
1150    case CSR_E2P_CMD:
1151        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
1152        break;
1153    case CSR_E2P_DATA:
1154        s->e2p_data = val & 0xff;
1155        break;
1156
1157    default:
1158        qemu_log_mask(LOG_GUEST_ERROR, "lan9118_write: Bad reg 0x%x = %x\n",
1159                      (int)offset, (int)val);
1160        break;
1161    }
1162    lan9118_update(s);
1163}
1164
1165static void lan9118_writew(void *opaque, hwaddr offset,
1166                           uint32_t val)
1167{
1168    lan9118_state *s = (lan9118_state *)opaque;
1169    offset &= 0xff;
1170
1171    if (s->write_word_prev_offset != (offset & ~0x3)) {
1172        /* New offset, reset word counter */
1173        s->write_word_n = 0;
1174        s->write_word_prev_offset = offset & ~0x3;
1175    }
1176
1177    if (offset & 0x2) {
1178        s->write_word_h = val;
1179    } else {
1180        s->write_word_l = val;
1181    }
1182
1183    //DPRINTF("Writew reg 0x%02x = 0x%08x\n", (int)offset, val);
1184    s->write_word_n++;
1185    if (s->write_word_n == 2) {
1186        s->write_word_n = 0;
1187        lan9118_writel(s, offset & ~3, s->write_word_l +
1188                (s->write_word_h << 16), 4);
1189    }
1190}
1191
1192static void lan9118_16bit_mode_write(void *opaque, hwaddr offset,
1193                                     uint64_t val, unsigned size)
1194{
1195    switch (size) {
1196    case 2:
1197        lan9118_writew(opaque, offset, (uint32_t)val);
1198        return;
1199    case 4:
1200        lan9118_writel(opaque, offset, val, size);
1201        return;
1202    }
1203
1204    hw_error("lan9118_write: Bad size 0x%x\n", size);
1205}
1206
1207static uint64_t lan9118_readl(void *opaque, hwaddr offset,
1208                              unsigned size)
1209{
1210    lan9118_state *s = (lan9118_state *)opaque;
1211
1212    //DPRINTF("Read reg 0x%02x\n", (int)offset);
1213    if (offset <= RX_DATA_FIFO_PORT_LAST) {
1214        /* RX FIFO */
1215        return rx_fifo_pop(s);
1216    }
1217    switch (offset) {
1218    case RX_STATUS_FIFO_PORT:
1219        return rx_status_fifo_pop(s);
1220    case RX_STATUS_FIFO_PEEK:
1221        return s->rx_status_fifo[s->rx_status_fifo_head];
1222    case TX_STATUS_FIFO_PORT:
1223        return tx_status_fifo_pop(s);
1224    case TX_STATUS_FIFO_PEEK:
1225        return s->tx_status_fifo[s->tx_status_fifo_head];
1226    case CSR_ID_REV:
1227        return 0x01180001;
1228    case CSR_IRQ_CFG:
1229        return s->irq_cfg;
1230    case CSR_INT_STS:
1231        return s->int_sts;
1232    case CSR_INT_EN:
1233        return s->int_en;
1234    case CSR_BYTE_TEST:
1235        return 0x87654321;
1236    case CSR_FIFO_INT:
1237        return s->fifo_int;
1238    case CSR_RX_CFG:
1239        return s->rx_cfg;
1240    case CSR_TX_CFG:
1241        return s->tx_cfg;
1242    case CSR_HW_CFG:
1243        return s->hw_cfg;
1244    case CSR_RX_DP_CTRL:
1245        return 0;
1246    case CSR_RX_FIFO_INF:
1247        return (s->rx_status_fifo_used << 16) | (s->rx_fifo_used << 2);
1248    case CSR_TX_FIFO_INF:
1249        return (s->tx_status_fifo_used << 16)
1250               | (s->tx_fifo_size - s->txp->fifo_used);
1251    case CSR_PMT_CTRL:
1252        return s->pmt_ctrl;
1253    case CSR_GPIO_CFG:
1254        return s->gpio_cfg;
1255    case CSR_GPT_CFG:
1256        return s->gpt_cfg;
1257    case CSR_GPT_CNT:
1258        return ptimer_get_count(s->timer);
1259    case CSR_WORD_SWAP:
1260        return s->word_swap;
1261    case CSR_FREE_RUN:
1262        return (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / 40) - s->free_timer_start;
1263    case CSR_RX_DROP:
1264        /* TODO: Implement dropped frames counter.  */
1265        return 0;
1266    case CSR_MAC_CSR_CMD:
1267        return s->mac_cmd;
1268    case CSR_MAC_CSR_DATA:
1269        return s->mac_data;
1270    case CSR_AFC_CFG:
1271        return s->afc_cfg;
1272    case CSR_E2P_CMD:
1273        return s->e2p_cmd;
1274    case CSR_E2P_DATA:
1275        return s->e2p_data;
1276    }
1277    qemu_log_mask(LOG_GUEST_ERROR, "lan9118_read: Bad reg 0x%x\n", (int)offset);
1278    return 0;
1279}
1280
1281static uint32_t lan9118_readw(void *opaque, hwaddr offset)
1282{
1283    lan9118_state *s = (lan9118_state *)opaque;
1284    uint32_t val;
1285
1286    if (s->read_word_prev_offset != (offset & ~0x3)) {
1287        /* New offset, reset word counter */
1288        s->read_word_n = 0;
1289        s->read_word_prev_offset = offset & ~0x3;
1290    }
1291
1292    s->read_word_n++;
1293    if (s->read_word_n == 1) {
1294        s->read_long = lan9118_readl(s, offset & ~3, 4);
1295    } else {
1296        s->read_word_n = 0;
1297    }
1298
1299    if (offset & 2) {
1300        val = s->read_long >> 16;
1301    } else {
1302        val = s->read_long & 0xFFFF;
1303    }
1304
1305    //DPRINTF("Readw reg 0x%02x, val 0x%x\n", (int)offset, val);
1306    return val;
1307}
1308
1309static uint64_t lan9118_16bit_mode_read(void *opaque, hwaddr offset,
1310                                        unsigned size)
1311{
1312    switch (size) {
1313    case 2:
1314        return lan9118_readw(opaque, offset);
1315    case 4:
1316        return lan9118_readl(opaque, offset, size);
1317    }
1318
1319    hw_error("lan9118_read: Bad size 0x%x\n", size);
1320    return 0;
1321}
1322
1323static const MemoryRegionOps lan9118_mem_ops = {
1324    .read = lan9118_readl,
1325    .write = lan9118_writel,
1326    .endianness = DEVICE_NATIVE_ENDIAN,
1327};
1328
1329static const MemoryRegionOps lan9118_16bit_mem_ops = {
1330    .read = lan9118_16bit_mode_read,
1331    .write = lan9118_16bit_mode_write,
1332    .endianness = DEVICE_NATIVE_ENDIAN,
1333};
1334
1335static NetClientInfo net_lan9118_info = {
1336    .type = NET_CLIENT_DRIVER_NIC,
1337    .size = sizeof(NICState),
1338    .receive = lan9118_receive,
1339    .link_status_changed = lan9118_set_link,
1340};
1341
1342static void lan9118_realize(DeviceState *dev, Error **errp)
1343{
1344    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1345    lan9118_state *s = LAN9118(dev);
1346    int i;
1347    const MemoryRegionOps *mem_ops =
1348            s->mode_16bit ? &lan9118_16bit_mem_ops : &lan9118_mem_ops;
1349
1350    memory_region_init_io(&s->mmio, OBJECT(dev), mem_ops, s,
1351                          "lan9118-mmio", 0x100);
1352    sysbus_init_mmio(sbd, &s->mmio);
1353    sysbus_init_irq(sbd, &s->irq);
1354    qemu_macaddr_default_if_unset(&s->conf.macaddr);
1355
1356    s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
1357                          object_get_typename(OBJECT(dev)), dev->id, s);
1358    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
1359    s->eeprom[0] = 0xa5;
1360    for (i = 0; i < 6; i++) {
1361        s->eeprom[i + 1] = s->conf.macaddr.a[i];
1362    }
1363    s->pmt_ctrl = 1;
1364    s->txp = &s->tx_packet;
1365
1366    s->timer = ptimer_init(lan9118_tick, s, PTIMER_POLICY_DEFAULT);
1367    ptimer_transaction_begin(s->timer);
1368    ptimer_set_freq(s->timer, 10000);
1369    ptimer_set_limit(s->timer, 0xffff, 1);
1370    ptimer_transaction_commit(s->timer);
1371}
1372
1373static Property lan9118_properties[] = {
1374    DEFINE_NIC_PROPERTIES(lan9118_state, conf),
1375    DEFINE_PROP_UINT32("mode_16bit", lan9118_state, mode_16bit, 0),
1376    DEFINE_PROP_END_OF_LIST(),
1377};
1378
1379static void lan9118_class_init(ObjectClass *klass, void *data)
1380{
1381    DeviceClass *dc = DEVICE_CLASS(klass);
1382
1383    dc->reset = lan9118_reset;
1384    device_class_set_props(dc, lan9118_properties);
1385    dc->vmsd = &vmstate_lan9118;
1386    dc->realize = lan9118_realize;
1387}
1388
1389static const TypeInfo lan9118_info = {
1390    .name          = TYPE_LAN9118,
1391    .parent        = TYPE_SYS_BUS_DEVICE,
1392    .instance_size = sizeof(lan9118_state),
1393    .class_init    = lan9118_class_init,
1394};
1395
1396static void lan9118_register_types(void)
1397{
1398    type_register_static(&lan9118_info);
1399}
1400
1401/* Legacy helper function.  Should go away when machine config files are
1402   implemented.  */
1403void lan9118_init(NICInfo *nd, uint32_t base, qemu_irq irq)
1404{
1405    DeviceState *dev;
1406    SysBusDevice *s;
1407
1408    qemu_check_nic_model(nd, "lan9118");
1409    dev = qdev_new(TYPE_LAN9118);
1410    qdev_set_nic_properties(dev, nd);
1411    s = SYS_BUS_DEVICE(dev);
1412    sysbus_realize_and_unref(s, &error_fatal);
1413    sysbus_mmio_map(s, 0, base);
1414    sysbus_connect_irq(s, 0, irq);
1415}
1416
1417type_init(lan9118_register_types)
1418