xref: /qemu/hw/net/smc91c111.c (revision 06b40d250ecfa1633209c2e431a7a38acfd03a98) 
1 /*
2  * SMSC 91C111 Ethernet interface emulation
3  *
4  * Copyright (c) 2005 CodeSourcery, LLC.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the GPL
8  */
9 
10 #include "qemu/osdep.h"
11 #include "hw/sysbus.h"
12 #include "migration/vmstate.h"
13 #include "net/net.h"
14 #include "hw/irq.h"
15 #include "hw/net/smc91c111.h"
16 #include "hw/registerfields.h"
17 #include "hw/qdev-properties.h"
18 #include "qapi/error.h"
19 #include "qemu/log.h"
20 #include "qemu/module.h"
21 #include <zlib.h> /* for crc32 */
22 #include "qom/object.h"
23 
24 /* Number of 2k memory pages available.  */
25 #define NUM_PACKETS 4
26 /*
27  * Maximum size of a data frame, including the leading status word
28  * and byte count fields and the trailing CRC, last data byte
29  * and control byte (per figure 8-1 in the Microchip Technology
30  * LAN91C111 datasheet).
31  */
32 #define MAX_PACKET_SIZE 2048
33 
34 #define TYPE_SMC91C111 "smc91c111"
35 OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111)
36 
37 struct smc91c111_state {
38     SysBusDevice parent_obj;
39 
40     NICState *nic;
41     NICConf conf;
42     uint16_t tcr;
43     uint16_t rcr;
44     uint16_t cr;
45     uint16_t ctr;
46     uint16_t gpr;
47     uint16_t ptr;
48     uint16_t ercv;
49     qemu_irq irq;
50     int bank;
51     int packet_num;
52     int tx_alloc;
53     /* Bitmask of allocated packets.  */
54     int allocated;
55     int tx_fifo_len;
56     int tx_fifo[NUM_PACKETS];
57     int rx_fifo_len;
58     int rx_fifo[NUM_PACKETS];
59     int tx_fifo_done_len;
60     int tx_fifo_done[NUM_PACKETS];
61     /* Packet buffer memory.  */
62     uint8_t data[NUM_PACKETS][MAX_PACKET_SIZE];
63     uint8_t int_level;
64     uint8_t int_mask;
65     MemoryRegion mmio;
66 };
67 
68 static const VMStateDescription vmstate_smc91c111 = {
69     .name = "smc91c111",
70     .version_id = 1,
71     .minimum_version_id = 1,
72     .fields = (const VMStateField[]) {
73         VMSTATE_UINT16(tcr, smc91c111_state),
74         VMSTATE_UINT16(rcr, smc91c111_state),
75         VMSTATE_UINT16(cr, smc91c111_state),
76         VMSTATE_UINT16(ctr, smc91c111_state),
77         VMSTATE_UINT16(gpr, smc91c111_state),
78         VMSTATE_UINT16(ptr, smc91c111_state),
79         VMSTATE_UINT16(ercv, smc91c111_state),
80         VMSTATE_INT32(bank, smc91c111_state),
81         VMSTATE_INT32(packet_num, smc91c111_state),
82         VMSTATE_INT32(tx_alloc, smc91c111_state),
83         VMSTATE_INT32(allocated, smc91c111_state),
84         VMSTATE_INT32(tx_fifo_len, smc91c111_state),
85         VMSTATE_INT32_ARRAY(tx_fifo, smc91c111_state, NUM_PACKETS),
86         VMSTATE_INT32(rx_fifo_len, smc91c111_state),
87         VMSTATE_INT32_ARRAY(rx_fifo, smc91c111_state, NUM_PACKETS),
88         VMSTATE_INT32(tx_fifo_done_len, smc91c111_state),
89         VMSTATE_INT32_ARRAY(tx_fifo_done, smc91c111_state, NUM_PACKETS),
90         VMSTATE_BUFFER_UNSAFE(data, smc91c111_state, 0,
91                               NUM_PACKETS * MAX_PACKET_SIZE),
92         VMSTATE_UINT8(int_level, smc91c111_state),
93         VMSTATE_UINT8(int_mask, smc91c111_state),
94         VMSTATE_END_OF_LIST()
95     }
96 };
97 
98 #define RCR_SOFT_RST  0x8000
99 #define RCR_STRIP_CRC 0x0200
100 #define RCR_RXEN      0x0100
101 
102 #define TCR_EPH_LOOP  0x2000
103 #define TCR_NOCRC     0x0100
104 #define TCR_PAD_EN    0x0080
105 #define TCR_FORCOL    0x0004
106 #define TCR_LOOP      0x0002
107 #define TCR_TXEN      0x0001
108 
109 #define INT_MD        0x80
110 #define INT_ERCV      0x40
111 #define INT_EPH       0x20
112 #define INT_RX_OVRN   0x10
113 #define INT_ALLOC     0x08
114 #define INT_TX_EMPTY  0x04
115 #define INT_TX        0x02
116 #define INT_RCV       0x01
117 
118 #define CTR_AUTO_RELEASE  0x0800
119 #define CTR_RELOAD        0x0002
120 #define CTR_STORE         0x0001
121 
122 #define RS_ALGNERR      0x8000
123 #define RS_BRODCAST     0x4000
124 #define RS_BADCRC       0x2000
125 #define RS_ODDFRAME     0x1000
126 #define RS_TOOLONG      0x0800
127 #define RS_TOOSHORT     0x0400
128 #define RS_MULTICAST    0x0001
129 
130 FIELD(PTR, PTR, 0, 11)
131 FIELD(PTR, NOT_EMPTY, 11, 1)
132 FIELD(PTR, RESERVED, 12, 1)
133 FIELD(PTR, READ, 13, 1)
134 FIELD(PTR, AUTOINCR, 14, 1)
135 FIELD(PTR, RCV, 15, 1)
136 
packetnum_valid(int packet_num)137 static inline bool packetnum_valid(int packet_num)
138 {
139     return packet_num >= 0 && packet_num < NUM_PACKETS;
140 }
141 
142 /* Update interrupt status.  */
smc91c111_update(smc91c111_state * s)143 static void smc91c111_update(smc91c111_state *s)
144 {
145     int level;
146 
147     if (s->tx_fifo_len == 0)
148         s->int_level |= INT_TX_EMPTY;
149     if (s->tx_fifo_done_len != 0)
150         s->int_level |= INT_TX;
151     level = (s->int_level & s->int_mask) != 0;
152     qemu_set_irq(s->irq, level);
153 }
154 
smc91c111_can_receive(smc91c111_state * s)155 static bool smc91c111_can_receive(smc91c111_state *s)
156 {
157     if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
158         return true;
159     }
160     if (s->allocated == (1 << NUM_PACKETS) - 1 ||
161         s->rx_fifo_len == NUM_PACKETS) {
162         return false;
163     }
164     return true;
165 }
166 
smc91c111_flush_queued_packets(smc91c111_state * s)167 static inline void smc91c111_flush_queued_packets(smc91c111_state *s)
168 {
169     if (smc91c111_can_receive(s)) {
170         qemu_flush_queued_packets(qemu_get_queue(s->nic));
171     }
172 }
173 
174 /* Try to allocate a packet.  Returns 0x80 on failure.  */
smc91c111_allocate_packet(smc91c111_state * s)175 static int smc91c111_allocate_packet(smc91c111_state *s)
176 {
177     int i;
178     if (s->allocated == (1 << NUM_PACKETS) - 1) {
179         return 0x80;
180     }
181 
182     for (i = 0; i < NUM_PACKETS; i++) {
183         if ((s->allocated & (1 << i)) == 0)
184             break;
185     }
186     s->allocated |= 1 << i;
187     return i;
188 }
189 
190 
191 /* Process a pending TX allocate.  */
smc91c111_tx_alloc(smc91c111_state * s)192 static void smc91c111_tx_alloc(smc91c111_state *s)
193 {
194     s->tx_alloc = smc91c111_allocate_packet(s);
195     if (s->tx_alloc == 0x80)
196         return;
197     s->int_level |= INT_ALLOC;
198     smc91c111_update(s);
199 }
200 
201 /* Remove and item from the RX FIFO.  */
smc91c111_pop_rx_fifo(smc91c111_state * s)202 static void smc91c111_pop_rx_fifo(smc91c111_state *s)
203 {
204     int i;
205 
206     if (s->rx_fifo_len == 0) {
207         /*
208          * The datasheet doesn't document what the behaviour is if the
209          * guest tries to pop an empty RX FIFO, and there's no obvious
210          * error status register to report it. Just ignore the attempt.
211          */
212         return;
213     }
214 
215     s->rx_fifo_len--;
216     if (s->rx_fifo_len) {
217         for (i = 0; i < s->rx_fifo_len; i++)
218             s->rx_fifo[i] = s->rx_fifo[i + 1];
219         s->int_level |= INT_RCV;
220     } else {
221         s->int_level &= ~INT_RCV;
222     }
223     smc91c111_flush_queued_packets(s);
224     smc91c111_update(s);
225 }
226 
227 /* Remove an item from the TX completion FIFO.  */
smc91c111_pop_tx_fifo_done(smc91c111_state * s)228 static void smc91c111_pop_tx_fifo_done(smc91c111_state *s)
229 {
230     int i;
231 
232     if (s->tx_fifo_done_len == 0)
233         return;
234     s->tx_fifo_done_len--;
235     for (i = 0; i < s->tx_fifo_done_len; i++)
236         s->tx_fifo_done[i] = s->tx_fifo_done[i + 1];
237 }
238 
239 /* Release the memory allocated to a packet.  */
smc91c111_release_packet(smc91c111_state * s,int packet)240 static void smc91c111_release_packet(smc91c111_state *s, int packet)
241 {
242     if (!packetnum_valid(packet)) {
243         /*
244          * Data sheet doesn't document behaviour in this guest error
245          * case, and there is no error status register to report it.
246          * Log and ignore the attempt.
247          */
248         qemu_log_mask(LOG_GUEST_ERROR,
249                       "smc91c111: attempt to release invalid packet %d\n",
250                       packet);
251         return;
252     }
253     s->allocated &= ~(1 << packet);
254     if (s->tx_alloc == 0x80)
255         smc91c111_tx_alloc(s);
256     smc91c111_flush_queued_packets(s);
257 }
258 
smc91c111_complete_tx_packet(smc91c111_state * s,int packetnum)259 static void smc91c111_complete_tx_packet(smc91c111_state *s, int packetnum)
260 {
261     if (s->ctr & CTR_AUTO_RELEASE) {
262         /* Race?  */
263         smc91c111_release_packet(s, packetnum);
264     } else if (s->tx_fifo_done_len < NUM_PACKETS) {
265         s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
266     }
267 }
268 
269 /* Flush the TX FIFO.  */
smc91c111_do_tx(smc91c111_state * s)270 static void smc91c111_do_tx(smc91c111_state *s)
271 {
272     int i;
273     int len;
274     int control;
275     int packetnum;
276     uint8_t *p;
277 
278     if ((s->tcr & TCR_TXEN) == 0)
279         return;
280     if (s->tx_fifo_len == 0)
281         return;
282     for (i = 0; i < s->tx_fifo_len; i++) {
283         packetnum = s->tx_fifo[i];
284         /* queue_tx checked the packet number was valid */
285         assert(packetnum_valid(packetnum));
286         p = &s->data[packetnum][0];
287         /* Set status word.  */
288         *(p++) = 0x01;
289         *(p++) = 0x40;
290         len = *(p++);
291         len |= ((int)*(p++)) << 8;
292         if (len > MAX_PACKET_SIZE) {
293             /*
294              * Datasheet doesn't say what to do here, and there is no
295              * relevant tx error condition listed. Log, and drop the packet.
296              */
297             qemu_log_mask(LOG_GUEST_ERROR,
298                           "smc91c111: tx packet with bad length %d, dropping\n",
299                           len);
300             smc91c111_complete_tx_packet(s, packetnum);
301             continue;
302         }
303         len -= 6;
304         control = p[len + 1];
305         if (control & 0x20)
306             len++;
307         /* ??? This overwrites the data following the buffer.
308            Don't know what real hardware does.  */
309         if (len < 64 && (s->tcr & TCR_PAD_EN)) {
310             memset(p + len, 0, 64 - len);
311             len = 64;
312         }
313 #if 0
314         {
315             int add_crc;
316 
317             /* The card is supposed to append the CRC to the frame.
318                However none of the other network traffic has the CRC
319                appended.  Suspect this is low level ethernet detail we
320                don't need to worry about.  */
321             add_crc = (control & 0x10) || (s->tcr & TCR_NOCRC) == 0;
322             if (add_crc) {
323                 uint32_t crc;
324 
325                 crc = crc32(~0, p, len);
326                 memcpy(p + len, &crc, 4);
327                 len += 4;
328             }
329         }
330 #endif
331         smc91c111_complete_tx_packet(s, packetnum);
332         qemu_send_packet(qemu_get_queue(s->nic), p, len);
333     }
334     s->tx_fifo_len = 0;
335     smc91c111_update(s);
336 }
337 
338 /* Add a packet to the TX FIFO.  */
smc91c111_queue_tx(smc91c111_state * s,int packet)339 static void smc91c111_queue_tx(smc91c111_state *s, int packet)
340 {
341     if (!packetnum_valid(packet)) {
342         /*
343          * Datasheet doesn't document behaviour in this error case, and
344          * there's no error status register we could report it in.
345          * Log and ignore.
346          */
347         qemu_log_mask(LOG_GUEST_ERROR,
348                       "smc91c111: attempt to queue invalid packet %d\n",
349                       packet);
350         return;
351     }
352     if (s->tx_fifo_len == NUM_PACKETS)
353         return;
354     s->tx_fifo[s->tx_fifo_len++] = packet;
355     smc91c111_do_tx(s);
356 }
357 
smc91c111_reset(DeviceState * dev)358 static void smc91c111_reset(DeviceState *dev)
359 {
360     smc91c111_state *s = SMC91C111(dev);
361 
362     s->bank = 0;
363     s->tx_fifo_len = 0;
364     s->tx_fifo_done_len = 0;
365     s->rx_fifo_len = 0;
366     s->allocated = 0;
367     s->packet_num = 0;
368     s->tx_alloc = 0;
369     s->tcr = 0;
370     s->rcr = 0;
371     s->cr = 0xa0b1;
372     s->ctr = 0x1210;
373     s->ptr = 0;
374     s->ercv = 0x1f;
375     s->int_level = INT_TX_EMPTY;
376     s->int_mask = 0;
377     smc91c111_update(s);
378 }
379 
380 #define SET_LOW(name, val) s->name = (s->name & 0xff00) | val
381 #define SET_HIGH(name, val) s->name = (s->name & 0xff) | (val << 8)
382 
383 /*
384  * The pointer register's pointer is an 11 bit value (so it exactly
385  * indexes a 2048-byte data frame). Add the specified offset to it,
386  * wrapping around at the 2048 byte mark, and return the resulting
387  * wrapped value. There are flag bits in the top part of the register,
388  * but we can ignore them here as the mask will mask them out.
389  */
ptr_reg_add(smc91c111_state * s,int offset)390 static int ptr_reg_add(smc91c111_state *s, int offset)
391 {
392     return (s->ptr + offset) & R_PTR_PTR_MASK;
393 }
394 
395 /*
396  * For an access to the Data Register at @offset, return the
397  * required offset into the packet's data frame. This will
398  * perform the pointer register autoincrement if required, and
399  * guarantees to return an in-bounds offset.
400  */
data_reg_ptr(smc91c111_state * s,int offset)401 static int data_reg_ptr(smc91c111_state *s, int offset)
402 {
403     int p;
404 
405     if (s->ptr & R_PTR_AUTOINCR_MASK) {
406         /*
407          * Autoincrement: use the current pointer value, and
408          * increment the pointer register's pointer field.
409          */
410         p = FIELD_EX32(s->ptr, PTR, PTR);
411         s->ptr = FIELD_DP32(s->ptr, PTR, PTR, ptr_reg_add(s, 1));
412     } else {
413         /*
414          * No autoincrement: register offset determines which
415          * byte we're addressing. Setting the pointer to the top
416          * of the data buffer and then using the pointer wrapping
417          * to read the bottom byte of the buffer is not something
418          * sensible guest software will do, but the datasheet
419          * doesn't say what the behaviour is, so we don't forbid it.
420          */
421         p = ptr_reg_add(s, offset & 3);
422     }
423     return p;
424 }
425 
smc91c111_writeb(void * opaque,hwaddr offset,uint32_t value)426 static void smc91c111_writeb(void *opaque, hwaddr offset,
427                              uint32_t value)
428 {
429     smc91c111_state *s = (smc91c111_state *)opaque;
430 
431     offset = offset & 0xf;
432     if (offset == 14) {
433         s->bank = value;
434         return;
435     }
436     if (offset == 15)
437         return;
438     switch (s->bank) {
439     case 0:
440         switch (offset) {
441         case 0: /* TCR */
442             SET_LOW(tcr, value);
443             return;
444         case 1:
445             SET_HIGH(tcr, value);
446             return;
447         case 4: /* RCR */
448             SET_LOW(rcr, value);
449             return;
450         case 5:
451             SET_HIGH(rcr, value);
452             if (s->rcr & RCR_SOFT_RST) {
453                 smc91c111_reset(DEVICE(s));
454             }
455             smc91c111_flush_queued_packets(s);
456             return;
457         case 10: case 11: /* RPCR */
458             /* Ignored */
459             return;
460         case 12: case 13: /* Reserved */
461             return;
462         }
463         break;
464 
465     case 1:
466         switch (offset) {
467         case 0: /* CONFIG */
468             SET_LOW(cr, value);
469             return;
470         case 1:
471             SET_HIGH(cr,value);
472             return;
473         case 2: case 3: /* BASE */
474         case 4: case 5: case 6: case 7: case 8: case 9: /* IA */
475             /* Not implemented.  */
476             return;
477         case 10: /* General Purpose */
478             SET_LOW(gpr, value);
479             return;
480         case 11:
481             SET_HIGH(gpr, value);
482             return;
483         case 12: /* Control */
484             if (value & 1) {
485                 qemu_log_mask(LOG_UNIMP,
486                               "smc91c111: EEPROM store not implemented\n");
487             }
488             if (value & 2) {
489                 qemu_log_mask(LOG_UNIMP,
490                               "smc91c111: EEPROM reload not implemented\n");
491             }
492             value &= ~3;
493             SET_LOW(ctr, value);
494             return;
495         case 13:
496             SET_HIGH(ctr, value);
497             return;
498         }
499         break;
500 
501     case 2:
502         switch (offset) {
503         case 0: /* MMU Command */
504             switch (value >> 5) {
505             case 0: /* no-op */
506                 break;
507             case 1: /* Allocate for TX.  */
508                 s->tx_alloc = 0x80;
509                 s->int_level &= ~INT_ALLOC;
510                 smc91c111_update(s);
511                 smc91c111_tx_alloc(s);
512                 break;
513             case 2: /* Reset MMU.  */
514                 s->allocated = 0;
515                 s->tx_fifo_len = 0;
516                 s->tx_fifo_done_len = 0;
517                 s->rx_fifo_len = 0;
518                 s->tx_alloc = 0;
519                 break;
520             case 3: /* Remove from RX FIFO.  */
521                 smc91c111_pop_rx_fifo(s);
522                 break;
523             case 4: /* Remove from RX FIFO and release.  */
524                 if (s->rx_fifo_len > 0) {
525                     smc91c111_release_packet(s, s->rx_fifo[0]);
526                 }
527                 smc91c111_pop_rx_fifo(s);
528                 break;
529             case 5: /* Release.  */
530                 smc91c111_release_packet(s, s->packet_num);
531                 break;
532             case 6: /* Add to TX FIFO.  */
533                 smc91c111_queue_tx(s, s->packet_num);
534                 break;
535             case 7: /* Reset TX FIFO.  */
536                 s->tx_fifo_len = 0;
537                 s->tx_fifo_done_len = 0;
538                 break;
539             }
540             return;
541         case 1:
542             /* Ignore.  */
543             return;
544         case 2: /* Packet Number Register */
545             s->packet_num = value;
546             return;
547         case 3: case 4: case 5:
548             /* Should be readonly, but linux writes to them anyway. Ignore.  */
549             return;
550         case 6: /* Pointer */
551             SET_LOW(ptr, value);
552             return;
553         case 7:
554             SET_HIGH(ptr, value);
555             return;
556         case 8: case 9: case 10: case 11: /* Data */
557             {
558                 int p;
559                 int n;
560 
561                 if (s->ptr & 0x8000)
562                     n = s->rx_fifo[0];
563                 else
564                     n = s->packet_num;
565                 if (!packetnum_valid(n)) {
566                     /* Datasheet doesn't document what to do here */
567                     qemu_log_mask(LOG_GUEST_ERROR,
568                                   "smc91c111: attempt to write data to invalid packet %d\n",
569                                   n);
570                     return;
571                 }
572                 p = data_reg_ptr(s, offset);
573                 s->data[n][p] = value;
574             }
575             return;
576         case 12: /* Interrupt ACK.  */
577             s->int_level &= ~(value & 0xd6);
578             if (value & INT_TX)
579                 smc91c111_pop_tx_fifo_done(s);
580             smc91c111_update(s);
581             return;
582         case 13: /* Interrupt mask.  */
583             s->int_mask = value;
584             smc91c111_update(s);
585             return;
586         }
587         break;
588 
589     case 3:
590         switch (offset) {
591         case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
592             /* Multicast table.  */
593             /* Not implemented.  */
594             return;
595         case 8: case 9: /* Management Interface.  */
596             /* Not implemented.  */
597             return;
598         case 12: /* Early receive.  */
599             s->ercv = value & 0x1f;
600             return;
601         case 13:
602             /* Ignore.  */
603             return;
604         }
605         break;
606     }
607     qemu_log_mask(LOG_GUEST_ERROR, "smc91c111_write(bank:%d) Illegal register"
608                                    " 0x%" HWADDR_PRIx " = 0x%x\n",
609                   s->bank, offset, value);
610 }
611 
smc91c111_readb(void * opaque,hwaddr offset)612 static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
613 {
614     smc91c111_state *s = (smc91c111_state *)opaque;
615 
616     offset = offset & 0xf;
617     if (offset == 14) {
618         return s->bank;
619     }
620     if (offset == 15)
621         return 0x33;
622     switch (s->bank) {
623     case 0:
624         switch (offset) {
625         case 0: /* TCR */
626             return s->tcr & 0xff;
627         case 1:
628             return s->tcr >> 8;
629         case 2: /* EPH Status */
630             return 0;
631         case 3:
632             return 0x40;
633         case 4: /* RCR */
634             return s->rcr & 0xff;
635         case 5:
636             return s->rcr >> 8;
637         case 6: /* Counter */
638         case 7:
639             /* Not implemented.  */
640             return 0;
641         case 8: /* Memory size.  */
642             return NUM_PACKETS;
643         case 9: /* Free memory available.  */
644             {
645                 int i;
646                 int n;
647                 n = 0;
648                 for (i = 0; i < NUM_PACKETS; i++) {
649                     if (s->allocated & (1 << i))
650                         n++;
651                 }
652                 return n;
653             }
654         case 10: case 11: /* RPCR */
655             /* Not implemented.  */
656             return 0;
657         case 12: case 13: /* Reserved */
658             return 0;
659         }
660         break;
661 
662     case 1:
663         switch (offset) {
664         case 0: /* CONFIG */
665             return s->cr & 0xff;
666         case 1:
667             return s->cr >> 8;
668         case 2: case 3: /* BASE */
669             /* Not implemented.  */
670             return 0;
671         case 4: case 5: case 6: case 7: case 8: case 9: /* IA */
672             return s->conf.macaddr.a[offset - 4];
673         case 10: /* General Purpose */
674             return s->gpr & 0xff;
675         case 11:
676             return s->gpr >> 8;
677         case 12: /* Control */
678             return s->ctr & 0xff;
679         case 13:
680             return s->ctr >> 8;
681         }
682         break;
683 
684     case 2:
685         switch (offset) {
686         case 0: case 1: /* MMUCR Busy bit.  */
687             return 0;
688         case 2: /* Packet Number.  */
689             return s->packet_num;
690         case 3: /* Allocation Result.  */
691             return s->tx_alloc;
692         case 4: /* TX FIFO */
693             if (s->tx_fifo_done_len == 0)
694                 return 0x80;
695             else
696                 return s->tx_fifo_done[0];
697         case 5: /* RX FIFO */
698             if (s->rx_fifo_len == 0)
699                 return 0x80;
700             else
701                 return s->rx_fifo[0];
702         case 6: /* Pointer */
703             return s->ptr & 0xff;
704         case 7:
705             return (s->ptr >> 8) & 0xf7;
706         case 8: case 9: case 10: case 11: /* Data */
707             {
708                 int p;
709                 int n;
710 
711                 if (s->ptr & 0x8000)
712                     n = s->rx_fifo[0];
713                 else
714                     n = s->packet_num;
715                 if (!packetnum_valid(n)) {
716                     /* Datasheet doesn't document what to do here */
717                     qemu_log_mask(LOG_GUEST_ERROR,
718                                   "smc91c111: attempt to read data from invalid packet %d\n",
719                                   n);
720                     return 0;
721                 }
722                 p = data_reg_ptr(s, offset);
723                 return s->data[n][p];
724             }
725         case 12: /* Interrupt status.  */
726             return s->int_level;
727         case 13: /* Interrupt mask.  */
728             return s->int_mask;
729         }
730         break;
731 
732     case 3:
733         switch (offset) {
734         case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
735             /* Multicast table.  */
736             /* Not implemented.  */
737             return 0;
738         case 8: /* Management Interface.  */
739             /* Not implemented.  */
740             return 0x30;
741         case 9:
742             return 0x33;
743         case 10: /* Revision.  */
744             return 0x91;
745         case 11:
746             return 0x33;
747         case 12:
748             return s->ercv;
749         case 13:
750             return 0;
751         }
752         break;
753     }
754     qemu_log_mask(LOG_GUEST_ERROR, "smc91c111_read(bank:%d) Illegal register"
755                                    " 0x%" HWADDR_PRIx "\n",
756                   s->bank, offset);
757     return 0;
758 }
759 
smc91c111_readfn(void * opaque,hwaddr addr,unsigned size)760 static uint64_t smc91c111_readfn(void *opaque, hwaddr addr, unsigned size)
761 {
762     int i;
763     uint32_t val = 0;
764 
765     for (i = 0; i < size; i++) {
766         val |= smc91c111_readb(opaque, addr + i) << (i * 8);
767     }
768     return val;
769 }
770 
smc91c111_writefn(void * opaque,hwaddr addr,uint64_t value,unsigned size)771 static void smc91c111_writefn(void *opaque, hwaddr addr,
772                                uint64_t value, unsigned size)
773 {
774     int i = 0;
775 
776     /* 32-bit writes to offset 0xc only actually write to the bank select
777      * register (offset 0xe), so skip the first two bytes we would write.
778      */
779     if (addr == 0xc && size == 4) {
780         i += 2;
781     }
782 
783     for (; i < size; i++) {
784         smc91c111_writeb(opaque, addr + i,
785                          extract32(value, i * 8, 8));
786     }
787 }
788 
smc91c111_can_receive_nc(NetClientState * nc)789 static bool smc91c111_can_receive_nc(NetClientState *nc)
790 {
791     smc91c111_state *s = qemu_get_nic_opaque(nc);
792 
793     return smc91c111_can_receive(s);
794 }
795 
smc91c111_receive(NetClientState * nc,const uint8_t * buf,size_t size)796 static ssize_t smc91c111_receive(NetClientState *nc, const uint8_t *buf, size_t size)
797 {
798     smc91c111_state *s = qemu_get_nic_opaque(nc);
799     int status;
800     int packetsize;
801     uint32_t crc;
802     int packetnum;
803     uint8_t *p;
804 
805     if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
806         return -1;
807     /* Short packets are padded with zeros.  Receiving a packet
808        < 64 bytes long is considered an error condition.  */
809     if (size < 64)
810         packetsize = 64;
811     else
812         packetsize = (size & ~1);
813     packetsize += 6;
814     crc = (s->rcr & RCR_STRIP_CRC) == 0;
815     if (crc)
816         packetsize += 4;
817     /* TODO: Flag overrun and receive errors.  */
818     if (packetsize > MAX_PACKET_SIZE) {
819         return -1;
820     }
821     packetnum = smc91c111_allocate_packet(s);
822     if (packetnum == 0x80)
823         return -1;
824     s->rx_fifo[s->rx_fifo_len++] = packetnum;
825 
826     /* allocate_packet() will not hand us back an invalid packet number */
827     assert(packetnum_valid(packetnum));
828     p = &s->data[packetnum][0];
829     /* ??? Multicast packets?  */
830     status = 0;
831     if (size > 1518)
832         status |= RS_TOOLONG;
833     if (size & 1)
834         status |= RS_ODDFRAME;
835     *(p++) = status & 0xff;
836     *(p++) = status >> 8;
837     *(p++) = packetsize & 0xff;
838     *(p++) = packetsize >> 8;
839     memcpy(p, buf, size & ~1);
840     p += (size & ~1);
841     /* Pad short packets.  */
842     if (size < 64) {
843         int pad;
844 
845         if (size & 1)
846             *(p++) = buf[size - 1];
847         pad = 64 - size;
848         memset(p, 0, pad);
849         p += pad;
850         size = 64;
851     }
852     /* It's not clear if the CRC should go before or after the last byte in
853        odd sized packets.  Linux disables the CRC, so that's no help.
854        The pictures in the documentation show the CRC aligned on a 16-bit
855        boundary before the last odd byte, so that's what we do.  */
856     if (crc) {
857         crc = crc32(~0, buf, size);
858         *(p++) = crc & 0xff; crc >>= 8;
859         *(p++) = crc & 0xff; crc >>= 8;
860         *(p++) = crc & 0xff; crc >>= 8;
861         *(p++) = crc & 0xff;
862     }
863     if (size & 1) {
864         *(p++) = buf[size - 1];
865         *p = 0x60;
866     } else {
867         *(p++) = 0;
868         *p = 0x40;
869     }
870     /* TODO: Raise early RX interrupt?  */
871     s->int_level |= INT_RCV;
872     smc91c111_update(s);
873 
874     return size;
875 }
876 
877 static const MemoryRegionOps smc91c111_mem_ops = {
878     /* The special case for 32 bit writes to 0xc means we can't just
879      * set .impl.min/max_access_size to 1, unfortunately
880      */
881     .read = smc91c111_readfn,
882     .write = smc91c111_writefn,
883     .valid.min_access_size = 1,
884     .valid.max_access_size = 4,
885     .endianness = DEVICE_NATIVE_ENDIAN,
886 };
887 
888 static NetClientInfo net_smc91c111_info = {
889     .type = NET_CLIENT_DRIVER_NIC,
890     .size = sizeof(NICState),
891     .can_receive = smc91c111_can_receive_nc,
892     .receive = smc91c111_receive,
893 };
894 
smc91c111_realize(DeviceState * dev,Error ** errp)895 static void smc91c111_realize(DeviceState *dev, Error **errp)
896 {
897     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
898     smc91c111_state *s = SMC91C111(dev);
899 
900     memory_region_init_io(&s->mmio, OBJECT(s), &smc91c111_mem_ops, s,
901                           "smc91c111-mmio", 16);
902     sysbus_init_mmio(sbd, &s->mmio);
903     sysbus_init_irq(sbd, &s->irq);
904     qemu_macaddr_default_if_unset(&s->conf.macaddr);
905     s->nic = qemu_new_nic(&net_smc91c111_info, &s->conf,
906                           object_get_typename(OBJECT(dev)), dev->id,
907                           &dev->mem_reentrancy_guard, s);
908     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
909     /* ??? Save/restore.  */
910 }
911 
912 static const Property smc91c111_properties[] = {
913     DEFINE_NIC_PROPERTIES(smc91c111_state, conf),
914 };
915 
smc91c111_class_init(ObjectClass * klass,const void * data)916 static void smc91c111_class_init(ObjectClass *klass, const void *data)
917 {
918     DeviceClass *dc = DEVICE_CLASS(klass);
919 
920     dc->realize = smc91c111_realize;
921     device_class_set_legacy_reset(dc, smc91c111_reset);
922     dc->vmsd = &vmstate_smc91c111;
923     device_class_set_props(dc, smc91c111_properties);
924 }
925 
926 static const TypeInfo smc91c111_info = {
927     .name          = TYPE_SMC91C111,
928     .parent        = TYPE_SYS_BUS_DEVICE,
929     .instance_size = sizeof(smc91c111_state),
930     .class_init    = smc91c111_class_init,
931 };
932 
smc91c111_register_types(void)933 static void smc91c111_register_types(void)
934 {
935     type_register_static(&smc91c111_info);
936 }
937 
938 /* Legacy helper function.  Should go away when machine config files are
939    implemented.  */
smc91c111_init(uint32_t base,qemu_irq irq)940 void smc91c111_init(uint32_t base, qemu_irq irq)
941 {
942     DeviceState *dev;
943     SysBusDevice *s;
944 
945     dev = qdev_new(TYPE_SMC91C111);
946     qemu_configure_nic_device(dev, true, NULL);
947     s = SYS_BUS_DEVICE(dev);
948     sysbus_realize_and_unref(s, &error_fatal);
949     sysbus_mmio_map(s, 0, base);
950     sysbus_connect_irq(s, 0, irq);
951 }
952 
953 type_init(smc91c111_register_types)
954