mirror of
https://github.com/qemu/qemu.git
synced 2024-11-25 11:53:39 +08:00
c46a3ea025
Fix a buffer overflow, reported by cppcheck: [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom All eeprom handling code assumes that the size of eeprom is 128, except lan9118_eeprom_cmd. Fix this by restricting the address passed. Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
1185 lines
31 KiB
C
1185 lines
31 KiB
C
/*
|
|
* SMSC LAN9118 Ethernet interface emulation
|
|
*
|
|
* Copyright (c) 2009 CodeSourcery, LLC.
|
|
* Written by Paul Brook
|
|
*
|
|
* This code is licenced under the GNU GPL v2
|
|
*/
|
|
|
|
#include "sysbus.h"
|
|
#include "net.h"
|
|
#include "devices.h"
|
|
#include "sysemu.h"
|
|
/* For crc32 */
|
|
#include <zlib.h>
|
|
|
|
//#define DEBUG_LAN9118
|
|
|
|
#ifdef DEBUG_LAN9118
|
|
#define DPRINTF(fmt, ...) \
|
|
do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
|
|
#define BADF(fmt, ...) \
|
|
do { hw_error("lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
|
|
#else
|
|
#define DPRINTF(fmt, ...) do {} while(0)
|
|
#define BADF(fmt, ...) \
|
|
do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
|
|
#endif
|
|
|
|
#define CSR_ID_REV 0x50
|
|
#define CSR_IRQ_CFG 0x54
|
|
#define CSR_INT_STS 0x58
|
|
#define CSR_INT_EN 0x5c
|
|
#define CSR_BYTE_TEST 0x64
|
|
#define CSR_FIFO_INT 0x68
|
|
#define CSR_RX_CFG 0x6c
|
|
#define CSR_TX_CFG 0x70
|
|
#define CSR_HW_CFG 0x74
|
|
#define CSR_RX_DP_CTRL 0x78
|
|
#define CSR_RX_FIFO_INF 0x7c
|
|
#define CSR_TX_FIFO_INF 0x80
|
|
#define CSR_PMT_CTRL 0x84
|
|
#define CSR_GPIO_CFG 0x88
|
|
#define CSR_GPT_CFG 0x8c
|
|
#define CSR_GPT_CNT 0x90
|
|
#define CSR_WORD_SWAP 0x98
|
|
#define CSR_FREE_RUN 0x9c
|
|
#define CSR_RX_DROP 0xa0
|
|
#define CSR_MAC_CSR_CMD 0xa4
|
|
#define CSR_MAC_CSR_DATA 0xa8
|
|
#define CSR_AFC_CFG 0xac
|
|
#define CSR_E2P_CMD 0xb0
|
|
#define CSR_E2P_DATA 0xb4
|
|
|
|
/* IRQ_CFG */
|
|
#define IRQ_INT 0x00001000
|
|
#define IRQ_EN 0x00000100
|
|
#define IRQ_POL 0x00000010
|
|
#define IRQ_TYPE 0x00000001
|
|
|
|
/* INT_STS/INT_EN */
|
|
#define SW_INT 0x80000000
|
|
#define TXSTOP_INT 0x02000000
|
|
#define RXSTOP_INT 0x01000000
|
|
#define RXDFH_INT 0x00800000
|
|
#define TX_IOC_INT 0x00200000
|
|
#define RXD_INT 0x00100000
|
|
#define GPT_INT 0x00080000
|
|
#define PHY_INT 0x00040000
|
|
#define PME_INT 0x00020000
|
|
#define TXSO_INT 0x00010000
|
|
#define RWT_INT 0x00008000
|
|
#define RXE_INT 0x00004000
|
|
#define TXE_INT 0x00002000
|
|
#define TDFU_INT 0x00000800
|
|
#define TDFO_INT 0x00000400
|
|
#define TDFA_INT 0x00000200
|
|
#define TSFF_INT 0x00000100
|
|
#define TSFL_INT 0x00000080
|
|
#define RXDF_INT 0x00000040
|
|
#define RDFL_INT 0x00000020
|
|
#define RSFF_INT 0x00000010
|
|
#define RSFL_INT 0x00000008
|
|
#define GPIO2_INT 0x00000004
|
|
#define GPIO1_INT 0x00000002
|
|
#define GPIO0_INT 0x00000001
|
|
#define RESERVED_INT 0x7c001000
|
|
|
|
#define MAC_CR 1
|
|
#define MAC_ADDRH 2
|
|
#define MAC_ADDRL 3
|
|
#define MAC_HASHH 4
|
|
#define MAC_HASHL 5
|
|
#define MAC_MII_ACC 6
|
|
#define MAC_MII_DATA 7
|
|
#define MAC_FLOW 8
|
|
#define MAC_VLAN1 9 /* TODO */
|
|
#define MAC_VLAN2 10 /* TODO */
|
|
#define MAC_WUFF 11 /* TODO */
|
|
#define MAC_WUCSR 12 /* TODO */
|
|
|
|
#define MAC_CR_RXALL 0x80000000
|
|
#define MAC_CR_RCVOWN 0x00800000
|
|
#define MAC_CR_LOOPBK 0x00200000
|
|
#define MAC_CR_FDPX 0x00100000
|
|
#define MAC_CR_MCPAS 0x00080000
|
|
#define MAC_CR_PRMS 0x00040000
|
|
#define MAC_CR_INVFILT 0x00020000
|
|
#define MAC_CR_PASSBAD 0x00010000
|
|
#define MAC_CR_HO 0x00008000
|
|
#define MAC_CR_HPFILT 0x00002000
|
|
#define MAC_CR_LCOLL 0x00001000
|
|
#define MAC_CR_BCAST 0x00000800
|
|
#define MAC_CR_DISRTY 0x00000400
|
|
#define MAC_CR_PADSTR 0x00000100
|
|
#define MAC_CR_BOLMT 0x000000c0
|
|
#define MAC_CR_DFCHK 0x00000020
|
|
#define MAC_CR_TXEN 0x00000008
|
|
#define MAC_CR_RXEN 0x00000004
|
|
#define MAC_CR_RESERVED 0x7f404213
|
|
|
|
#define PHY_INT_ENERGYON 0x80
|
|
#define PHY_INT_AUTONEG_COMPLETE 0x40
|
|
#define PHY_INT_FAULT 0x20
|
|
#define PHY_INT_DOWN 0x10
|
|
#define PHY_INT_AUTONEG_LP 0x08
|
|
#define PHY_INT_PARFAULT 0x04
|
|
#define PHY_INT_AUTONEG_PAGE 0x02
|
|
|
|
#define GPT_TIMER_EN 0x20000000
|
|
|
|
enum tx_state {
|
|
TX_IDLE,
|
|
TX_B,
|
|
TX_DATA
|
|
};
|
|
|
|
typedef struct {
|
|
enum tx_state state;
|
|
uint32_t cmd_a;
|
|
uint32_t cmd_b;
|
|
int buffer_size;
|
|
int offset;
|
|
int pad;
|
|
int fifo_used;
|
|
int len;
|
|
uint8_t data[2048];
|
|
} LAN9118Packet;
|
|
|
|
typedef struct {
|
|
SysBusDevice busdev;
|
|
NICState *nic;
|
|
NICConf conf;
|
|
qemu_irq irq;
|
|
int mmio_index;
|
|
ptimer_state *timer;
|
|
|
|
uint32_t irq_cfg;
|
|
uint32_t int_sts;
|
|
uint32_t int_en;
|
|
uint32_t fifo_int;
|
|
uint32_t rx_cfg;
|
|
uint32_t tx_cfg;
|
|
uint32_t hw_cfg;
|
|
uint32_t pmt_ctrl;
|
|
uint32_t gpio_cfg;
|
|
uint32_t gpt_cfg;
|
|
uint32_t word_swap;
|
|
uint32_t free_timer_start;
|
|
uint32_t mac_cmd;
|
|
uint32_t mac_data;
|
|
uint32_t afc_cfg;
|
|
uint32_t e2p_cmd;
|
|
uint32_t e2p_data;
|
|
|
|
uint32_t mac_cr;
|
|
uint32_t mac_hashh;
|
|
uint32_t mac_hashl;
|
|
uint32_t mac_mii_acc;
|
|
uint32_t mac_mii_data;
|
|
uint32_t mac_flow;
|
|
|
|
uint32_t phy_status;
|
|
uint32_t phy_control;
|
|
uint32_t phy_advertise;
|
|
uint32_t phy_int;
|
|
uint32_t phy_int_mask;
|
|
|
|
int eeprom_writable;
|
|
uint8_t eeprom[128];
|
|
|
|
int tx_fifo_size;
|
|
LAN9118Packet *txp;
|
|
LAN9118Packet tx_packet;
|
|
|
|
int tx_status_fifo_used;
|
|
int tx_status_fifo_head;
|
|
uint32_t tx_status_fifo[512];
|
|
|
|
int rx_status_fifo_size;
|
|
int rx_status_fifo_used;
|
|
int rx_status_fifo_head;
|
|
uint32_t rx_status_fifo[896];
|
|
int rx_fifo_size;
|
|
int rx_fifo_used;
|
|
int rx_fifo_head;
|
|
uint32_t rx_fifo[3360];
|
|
int rx_packet_size_head;
|
|
int rx_packet_size_tail;
|
|
int rx_packet_size[1024];
|
|
|
|
int rxp_offset;
|
|
int rxp_size;
|
|
int rxp_pad;
|
|
} lan9118_state;
|
|
|
|
static void lan9118_update(lan9118_state *s)
|
|
{
|
|
int level;
|
|
|
|
/* TODO: Implement FIFO level IRQs. */
|
|
level = (s->int_sts & s->int_en) != 0;
|
|
if (level) {
|
|
s->irq_cfg |= IRQ_INT;
|
|
} else {
|
|
s->irq_cfg &= ~IRQ_INT;
|
|
}
|
|
if ((s->irq_cfg & IRQ_EN) == 0) {
|
|
level = 0;
|
|
}
|
|
qemu_set_irq(s->irq, level);
|
|
}
|
|
|
|
static void lan9118_mac_changed(lan9118_state *s)
|
|
{
|
|
qemu_format_nic_info_str(&s->nic->nc, s->conf.macaddr.a);
|
|
}
|
|
|
|
static void lan9118_reload_eeprom(lan9118_state *s)
|
|
{
|
|
int i;
|
|
if (s->eeprom[0] != 0xa5) {
|
|
s->e2p_cmd &= ~0x10;
|
|
DPRINTF("MACADDR load failed\n");
|
|
return;
|
|
}
|
|
for (i = 0; i < 6; i++) {
|
|
s->conf.macaddr.a[i] = s->eeprom[i + 1];
|
|
}
|
|
s->e2p_cmd |= 0x10;
|
|
DPRINTF("MACADDR loaded from eeprom\n");
|
|
lan9118_mac_changed(s);
|
|
}
|
|
|
|
static void phy_update_irq(lan9118_state *s)
|
|
{
|
|
if (s->phy_int & s->phy_int_mask) {
|
|
s->int_sts |= PHY_INT;
|
|
} else {
|
|
s->int_sts &= ~PHY_INT;
|
|
}
|
|
lan9118_update(s);
|
|
}
|
|
|
|
static void phy_update_link(lan9118_state *s)
|
|
{
|
|
/* Autonegotiation status mirrors link status. */
|
|
if (s->nic->nc.link_down) {
|
|
s->phy_status &= ~0x0024;
|
|
s->phy_int |= PHY_INT_DOWN;
|
|
} else {
|
|
s->phy_status |= 0x0024;
|
|
s->phy_int |= PHY_INT_ENERGYON;
|
|
s->phy_int |= PHY_INT_AUTONEG_COMPLETE;
|
|
}
|
|
phy_update_irq(s);
|
|
}
|
|
|
|
static void lan9118_set_link(VLANClientState *nc)
|
|
{
|
|
phy_update_link(DO_UPCAST(NICState, nc, nc)->opaque);
|
|
}
|
|
|
|
static void phy_reset(lan9118_state *s)
|
|
{
|
|
s->phy_status = 0x7809;
|
|
s->phy_control = 0x3000;
|
|
s->phy_advertise = 0x01e1;
|
|
s->phy_int_mask = 0;
|
|
s->phy_int = 0;
|
|
phy_update_link(s);
|
|
}
|
|
|
|
static void lan9118_reset(DeviceState *d)
|
|
{
|
|
lan9118_state *s = FROM_SYSBUS(lan9118_state, sysbus_from_qdev(d));
|
|
|
|
s->irq_cfg &= ~(IRQ_TYPE | IRQ_POL);
|
|
s->int_sts = 0;
|
|
s->int_en = 0;
|
|
s->fifo_int = 0x48000000;
|
|
s->rx_cfg = 0;
|
|
s->tx_cfg = 0;
|
|
s->hw_cfg = 0x00050000;
|
|
s->pmt_ctrl &= 0x45;
|
|
s->gpio_cfg = 0;
|
|
s->txp->fifo_used = 0;
|
|
s->txp->state = TX_IDLE;
|
|
s->txp->cmd_a = 0xffffffffu;
|
|
s->txp->cmd_b = 0xffffffffu;
|
|
s->txp->len = 0;
|
|
s->txp->fifo_used = 0;
|
|
s->tx_fifo_size = 4608;
|
|
s->tx_status_fifo_used = 0;
|
|
s->rx_status_fifo_size = 704;
|
|
s->rx_fifo_size = 2640;
|
|
s->rx_fifo_used = 0;
|
|
s->rx_status_fifo_size = 176;
|
|
s->rx_status_fifo_used = 0;
|
|
s->rxp_offset = 0;
|
|
s->rxp_size = 0;
|
|
s->rxp_pad = 0;
|
|
s->rx_packet_size_tail = s->rx_packet_size_head;
|
|
s->rx_packet_size[s->rx_packet_size_head] = 0;
|
|
s->mac_cmd = 0;
|
|
s->mac_data = 0;
|
|
s->afc_cfg = 0;
|
|
s->e2p_cmd = 0;
|
|
s->e2p_data = 0;
|
|
s->free_timer_start = qemu_get_clock(vm_clock) / 40;
|
|
|
|
ptimer_stop(s->timer);
|
|
ptimer_set_count(s->timer, 0xffff);
|
|
s->gpt_cfg = 0xffff;
|
|
|
|
s->mac_cr = MAC_CR_PRMS;
|
|
s->mac_hashh = 0;
|
|
s->mac_hashl = 0;
|
|
s->mac_mii_acc = 0;
|
|
s->mac_mii_data = 0;
|
|
s->mac_flow = 0;
|
|
|
|
phy_reset(s);
|
|
|
|
s->eeprom_writable = 0;
|
|
lan9118_reload_eeprom(s);
|
|
}
|
|
|
|
static int lan9118_can_receive(VLANClientState *nc)
|
|
{
|
|
return 1;
|
|
}
|
|
|
|
static void rx_fifo_push(lan9118_state *s, uint32_t val)
|
|
{
|
|
int fifo_pos;
|
|
fifo_pos = s->rx_fifo_head + s->rx_fifo_used;
|
|
if (fifo_pos >= s->rx_fifo_size)
|
|
fifo_pos -= s->rx_fifo_size;
|
|
s->rx_fifo[fifo_pos] = val;
|
|
s->rx_fifo_used++;
|
|
}
|
|
|
|
/* Return nonzero if the packet is accepted by the filter. */
|
|
static int lan9118_filter(lan9118_state *s, const uint8_t *addr)
|
|
{
|
|
int multicast;
|
|
uint32_t hash;
|
|
|
|
if (s->mac_cr & MAC_CR_PRMS) {
|
|
return 1;
|
|
}
|
|
if (addr[0] == 0xff && addr[1] == 0xff && addr[2] == 0xff &&
|
|
addr[3] == 0xff && addr[4] == 0xff && addr[5] == 0xff) {
|
|
return (s->mac_cr & MAC_CR_BCAST) == 0;
|
|
}
|
|
|
|
multicast = addr[0] & 1;
|
|
if (multicast &&s->mac_cr & MAC_CR_MCPAS) {
|
|
return 1;
|
|
}
|
|
if (multicast ? (s->mac_cr & MAC_CR_HPFILT) == 0
|
|
: (s->mac_cr & MAC_CR_HO) == 0) {
|
|
/* Exact matching. */
|
|
hash = memcmp(addr, s->conf.macaddr.a, 6);
|
|
if (s->mac_cr & MAC_CR_INVFILT) {
|
|
return hash != 0;
|
|
} else {
|
|
return hash == 0;
|
|
}
|
|
} else {
|
|
/* Hash matching */
|
|
hash = (crc32(~0, addr, 6) >> 26);
|
|
if (hash & 0x20) {
|
|
return (s->mac_hashh >> (hash & 0x1f)) & 1;
|
|
} else {
|
|
return (s->mac_hashl >> (hash & 0x1f)) & 1;
|
|
}
|
|
}
|
|
}
|
|
|
|
static ssize_t lan9118_receive(VLANClientState *nc, const uint8_t *buf,
|
|
size_t size)
|
|
{
|
|
lan9118_state *s = DO_UPCAST(NICState, nc, nc)->opaque;
|
|
int fifo_len;
|
|
int offset;
|
|
int src_pos;
|
|
int n;
|
|
int filter;
|
|
uint32_t val;
|
|
uint32_t crc;
|
|
uint32_t status;
|
|
|
|
if ((s->mac_cr & MAC_CR_RXEN) == 0) {
|
|
return -1;
|
|
}
|
|
|
|
if (size >= 2048 || size < 14) {
|
|
return -1;
|
|
}
|
|
|
|
/* TODO: Implement FIFO overflow notification. */
|
|
if (s->rx_status_fifo_used == s->rx_status_fifo_size) {
|
|
return -1;
|
|
}
|
|
|
|
filter = lan9118_filter(s, buf);
|
|
if (!filter && (s->mac_cr & MAC_CR_RXALL) == 0) {
|
|
return size;
|
|
}
|
|
|
|
offset = (s->rx_cfg >> 8) & 0x1f;
|
|
n = offset & 3;
|
|
fifo_len = (size + n + 3) >> 2;
|
|
/* Add a word for the CRC. */
|
|
fifo_len++;
|
|
if (s->rx_fifo_size - s->rx_fifo_used < fifo_len) {
|
|
return -1;
|
|
}
|
|
|
|
DPRINTF("Got packet len:%d fifo:%d filter:%s\n",
|
|
(int)size, fifo_len, filter ? "pass" : "fail");
|
|
val = 0;
|
|
crc = bswap32(crc32(~0, buf, size));
|
|
for (src_pos = 0; src_pos < size; src_pos++) {
|
|
val = (val >> 8) | ((uint32_t)buf[src_pos] << 24);
|
|
n++;
|
|
if (n == 4) {
|
|
n = 0;
|
|
rx_fifo_push(s, val);
|
|
val = 0;
|
|
}
|
|
}
|
|
if (n) {
|
|
val >>= ((4 - n) * 8);
|
|
val |= crc << (n * 8);
|
|
rx_fifo_push(s, val);
|
|
val = crc >> ((4 - n) * 8);
|
|
rx_fifo_push(s, val);
|
|
} else {
|
|
rx_fifo_push(s, crc);
|
|
}
|
|
n = s->rx_status_fifo_head + s->rx_status_fifo_used;
|
|
if (n >= s->rx_status_fifo_size) {
|
|
n -= s->rx_status_fifo_size;
|
|
}
|
|
s->rx_packet_size[s->rx_packet_size_tail] = fifo_len;
|
|
s->rx_packet_size_tail = (s->rx_packet_size_tail + 1023) & 1023;
|
|
s->rx_status_fifo_used++;
|
|
|
|
status = (size + 4) << 16;
|
|
if (buf[0] == 0xff && buf[1] == 0xff && buf[2] == 0xff &&
|
|
buf[3] == 0xff && buf[4] == 0xff && buf[5] == 0xff) {
|
|
status |= 0x00002000;
|
|
} else if (buf[0] & 1) {
|
|
status |= 0x00000400;
|
|
}
|
|
if (!filter) {
|
|
status |= 0x40000000;
|
|
}
|
|
s->rx_status_fifo[n] = status;
|
|
|
|
if (s->rx_status_fifo_used > (s->fifo_int & 0xff)) {
|
|
s->int_sts |= RSFL_INT;
|
|
}
|
|
lan9118_update(s);
|
|
|
|
return size;
|
|
}
|
|
|
|
static uint32_t rx_fifo_pop(lan9118_state *s)
|
|
{
|
|
int n;
|
|
uint32_t val;
|
|
|
|
if (s->rxp_size == 0 && s->rxp_pad == 0) {
|
|
s->rxp_size = s->rx_packet_size[s->rx_packet_size_head];
|
|
s->rx_packet_size[s->rx_packet_size_head] = 0;
|
|
if (s->rxp_size != 0) {
|
|
s->rx_packet_size_head = (s->rx_packet_size_head + 1023) & 1023;
|
|
s->rxp_offset = (s->rx_cfg >> 10) & 7;
|
|
n = s->rxp_offset + s->rxp_size;
|
|
switch (s->rx_cfg >> 30) {
|
|
case 1:
|
|
n = (-n) & 3;
|
|
break;
|
|
case 2:
|
|
n = (-n) & 7;
|
|
break;
|
|
default:
|
|
n = 0;
|
|
break;
|
|
}
|
|
s->rxp_pad = n;
|
|
DPRINTF("Pop packet size:%d offset:%d pad: %d\n",
|
|
s->rxp_size, s->rxp_offset, s->rxp_pad);
|
|
}
|
|
}
|
|
if (s->rxp_offset > 0) {
|
|
s->rxp_offset--;
|
|
val = 0;
|
|
} else if (s->rxp_size > 0) {
|
|
s->rxp_size--;
|
|
val = s->rx_fifo[s->rx_fifo_head++];
|
|
if (s->rx_fifo_head >= s->rx_fifo_size) {
|
|
s->rx_fifo_head -= s->rx_fifo_size;
|
|
}
|
|
s->rx_fifo_used--;
|
|
} else if (s->rxp_pad > 0) {
|
|
s->rxp_pad--;
|
|
val = 0;
|
|
} else {
|
|
DPRINTF("RX underflow\n");
|
|
s->int_sts |= RXE_INT;
|
|
val = 0;
|
|
}
|
|
lan9118_update(s);
|
|
return val;
|
|
}
|
|
|
|
static void do_tx_packet(lan9118_state *s)
|
|
{
|
|
int n;
|
|
uint32_t status;
|
|
|
|
/* FIXME: Honor TX disable, and allow queueing of packets. */
|
|
if (s->phy_control & 0x4000) {
|
|
/* This assumes the receive routine doesn't touch the VLANClient. */
|
|
lan9118_receive(&s->nic->nc, s->txp->data, s->txp->len);
|
|
} else {
|
|
qemu_send_packet(&s->nic->nc, s->txp->data, s->txp->len);
|
|
}
|
|
s->txp->fifo_used = 0;
|
|
|
|
if (s->tx_status_fifo_used == 512) {
|
|
/* Status FIFO full */
|
|
return;
|
|
}
|
|
/* Add entry to status FIFO. */
|
|
status = s->txp->cmd_b & 0xffff0000u;
|
|
DPRINTF("Sent packet tag:%04x len %d\n", status >> 16, s->txp->len);
|
|
n = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
|
|
s->tx_status_fifo[n] = status;
|
|
s->tx_status_fifo_used++;
|
|
if (s->tx_status_fifo_used == 512) {
|
|
s->int_sts |= TSFF_INT;
|
|
/* TODO: Stop transmission. */
|
|
}
|
|
}
|
|
|
|
static uint32_t rx_status_fifo_pop(lan9118_state *s)
|
|
{
|
|
uint32_t val;
|
|
|
|
val = s->rx_status_fifo[s->rx_status_fifo_head];
|
|
if (s->rx_status_fifo_used != 0) {
|
|
s->rx_status_fifo_used--;
|
|
s->rx_status_fifo_head++;
|
|
if (s->rx_status_fifo_head >= s->rx_status_fifo_size) {
|
|
s->rx_status_fifo_head -= s->rx_status_fifo_size;
|
|
}
|
|
/* ??? What value should be returned when the FIFO is empty? */
|
|
DPRINTF("RX status pop 0x%08x\n", val);
|
|
}
|
|
return val;
|
|
}
|
|
|
|
static uint32_t tx_status_fifo_pop(lan9118_state *s)
|
|
{
|
|
uint32_t val;
|
|
|
|
val = s->tx_status_fifo[s->tx_status_fifo_head];
|
|
if (s->tx_status_fifo_used != 0) {
|
|
s->tx_status_fifo_used--;
|
|
s->tx_status_fifo_head = (s->tx_status_fifo_head + 1) & 511;
|
|
/* ??? What value should be returned when the FIFO is empty? */
|
|
}
|
|
return val;
|
|
}
|
|
|
|
static void tx_fifo_push(lan9118_state *s, uint32_t val)
|
|
{
|
|
int n;
|
|
|
|
if (s->txp->fifo_used == s->tx_fifo_size) {
|
|
s->int_sts |= TDFO_INT;
|
|
return;
|
|
}
|
|
switch (s->txp->state) {
|
|
case TX_IDLE:
|
|
s->txp->cmd_a = val & 0x831f37ff;
|
|
s->txp->fifo_used++;
|
|
s->txp->state = TX_B;
|
|
break;
|
|
case TX_B:
|
|
if (s->txp->cmd_a & 0x2000) {
|
|
/* First segment */
|
|
s->txp->cmd_b = val;
|
|
s->txp->fifo_used++;
|
|
s->txp->buffer_size = s->txp->cmd_a & 0x7ff;
|
|
s->txp->offset = (s->txp->cmd_a >> 16) & 0x1f;
|
|
/* End alignment does not include command words. */
|
|
n = (s->txp->buffer_size + s->txp->offset + 3) >> 2;
|
|
switch ((n >> 24) & 3) {
|
|
case 1:
|
|
n = (-n) & 3;
|
|
break;
|
|
case 2:
|
|
n = (-n) & 7;
|
|
break;
|
|
default:
|
|
n = 0;
|
|
}
|
|
s->txp->pad = n;
|
|
s->txp->len = 0;
|
|
}
|
|
DPRINTF("Block len:%d offset:%d pad:%d cmd %08x\n",
|
|
s->txp->buffer_size, s->txp->offset, s->txp->pad,
|
|
s->txp->cmd_a);
|
|
s->txp->state = TX_DATA;
|
|
break;
|
|
case TX_DATA:
|
|
if (s->txp->offset >= 4) {
|
|
s->txp->offset -= 4;
|
|
break;
|
|
}
|
|
if (s->txp->buffer_size <= 0 && s->txp->pad != 0) {
|
|
s->txp->pad--;
|
|
} else {
|
|
n = 4;
|
|
while (s->txp->offset) {
|
|
val >>= 8;
|
|
n--;
|
|
s->txp->offset--;
|
|
}
|
|
/* Documentation is somewhat unclear on the ordering of bytes
|
|
in FIFO words. Empirical results show it to be little-endian.
|
|
*/
|
|
/* TODO: FIFO overflow checking. */
|
|
while (n--) {
|
|
s->txp->data[s->txp->len] = val & 0xff;
|
|
s->txp->len++;
|
|
val >>= 8;
|
|
s->txp->buffer_size--;
|
|
}
|
|
s->txp->fifo_used++;
|
|
}
|
|
if (s->txp->buffer_size <= 0 && s->txp->pad == 0) {
|
|
if (s->txp->cmd_a & 0x1000) {
|
|
do_tx_packet(s);
|
|
}
|
|
if (s->txp->cmd_a & 0x80000000) {
|
|
s->int_sts |= TX_IOC_INT;
|
|
}
|
|
s->txp->state = TX_IDLE;
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
static uint32_t do_phy_read(lan9118_state *s, int reg)
|
|
{
|
|
uint32_t val;
|
|
|
|
switch (reg) {
|
|
case 0: /* Basic Control */
|
|
return s->phy_control;
|
|
case 1: /* Basic Status */
|
|
return s->phy_status;
|
|
case 2: /* ID1 */
|
|
return 0x0007;
|
|
case 3: /* ID2 */
|
|
return 0xc0d1;
|
|
case 4: /* Auto-neg advertisment */
|
|
return s->phy_advertise;
|
|
case 5: /* Auto-neg Link Partner Ability */
|
|
return 0x0f71;
|
|
case 6: /* Auto-neg Expansion */
|
|
return 1;
|
|
/* TODO 17, 18, 27, 29, 30, 31 */
|
|
case 29: /* Interrupt source. */
|
|
val = s->phy_int;
|
|
s->phy_int = 0;
|
|
phy_update_irq(s);
|
|
return val;
|
|
case 30: /* Interrupt mask */
|
|
return s->phy_int_mask;
|
|
default:
|
|
BADF("PHY read reg %d\n", reg);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
static void do_phy_write(lan9118_state *s, int reg, uint32_t val)
|
|
{
|
|
switch (reg) {
|
|
case 0: /* Basic Control */
|
|
if (val & 0x8000) {
|
|
phy_reset(s);
|
|
break;
|
|
}
|
|
s->phy_control = val & 0x7980;
|
|
/* Complete autonegotiation imediately. */
|
|
if (val & 0x1000) {
|
|
s->phy_status |= 0x0020;
|
|
}
|
|
break;
|
|
case 4: /* Auto-neg advertisment */
|
|
s->phy_advertise = (val & 0x2d7f) | 0x80;
|
|
break;
|
|
/* TODO 17, 18, 27, 31 */
|
|
case 30: /* Interrupt mask */
|
|
s->phy_int_mask = val & 0xff;
|
|
phy_update_irq(s);
|
|
break;
|
|
default:
|
|
BADF("PHY write reg %d = 0x%04x\n", reg, val);
|
|
}
|
|
}
|
|
|
|
static void do_mac_write(lan9118_state *s, int reg, uint32_t val)
|
|
{
|
|
switch (reg) {
|
|
case MAC_CR:
|
|
if ((s->mac_cr & MAC_CR_RXEN) != 0 && (val & MAC_CR_RXEN) == 0) {
|
|
s->int_sts |= RXSTOP_INT;
|
|
}
|
|
s->mac_cr = val & ~MAC_CR_RESERVED;
|
|
DPRINTF("MAC_CR: %08x\n", val);
|
|
break;
|
|
case MAC_ADDRH:
|
|
s->conf.macaddr.a[4] = val & 0xff;
|
|
s->conf.macaddr.a[5] = (val >> 8) & 0xff;
|
|
lan9118_mac_changed(s);
|
|
break;
|
|
case MAC_ADDRL:
|
|
s->conf.macaddr.a[0] = val & 0xff;
|
|
s->conf.macaddr.a[1] = (val >> 8) & 0xff;
|
|
s->conf.macaddr.a[2] = (val >> 16) & 0xff;
|
|
s->conf.macaddr.a[3] = (val >> 24) & 0xff;
|
|
lan9118_mac_changed(s);
|
|
break;
|
|
case MAC_HASHH:
|
|
s->mac_hashh = val;
|
|
break;
|
|
case MAC_HASHL:
|
|
s->mac_hashl = val;
|
|
break;
|
|
case MAC_MII_ACC:
|
|
s->mac_mii_acc = val & 0xffc2;
|
|
if (val & 2) {
|
|
DPRINTF("PHY write %d = 0x%04x\n",
|
|
(val >> 6) & 0x1f, s->mac_mii_data);
|
|
do_phy_write(s, (val >> 6) & 0x1f, s->mac_mii_data);
|
|
} else {
|
|
s->mac_mii_data = do_phy_read(s, (val >> 6) & 0x1f);
|
|
DPRINTF("PHY read %d = 0x%04x\n",
|
|
(val >> 6) & 0x1f, s->mac_mii_data);
|
|
}
|
|
break;
|
|
case MAC_MII_DATA:
|
|
s->mac_mii_data = val & 0xffff;
|
|
break;
|
|
case MAC_FLOW:
|
|
s->mac_flow = val & 0xffff0000;
|
|
break;
|
|
default:
|
|
hw_error("lan9118: Unimplemented MAC register write: %d = 0x%x\n",
|
|
s->mac_cmd & 0xf, val);
|
|
}
|
|
}
|
|
|
|
static uint32_t do_mac_read(lan9118_state *s, int reg)
|
|
{
|
|
switch (reg) {
|
|
case MAC_CR:
|
|
return s->mac_cr;
|
|
case MAC_ADDRH:
|
|
return s->conf.macaddr.a[4] | (s->conf.macaddr.a[5] << 8);
|
|
case MAC_ADDRL:
|
|
return s->conf.macaddr.a[0] | (s->conf.macaddr.a[1] << 8)
|
|
| (s->conf.macaddr.a[2] << 16) | (s->conf.macaddr.a[3] << 24);
|
|
case MAC_HASHH:
|
|
return s->mac_hashh;
|
|
break;
|
|
case MAC_HASHL:
|
|
return s->mac_hashl;
|
|
break;
|
|
case MAC_MII_ACC:
|
|
return s->mac_mii_acc;
|
|
case MAC_MII_DATA:
|
|
return s->mac_mii_data;
|
|
case MAC_FLOW:
|
|
return s->mac_flow;
|
|
default:
|
|
hw_error("lan9118: Unimplemented MAC register read: %d\n",
|
|
s->mac_cmd & 0xf);
|
|
}
|
|
}
|
|
|
|
static void lan9118_eeprom_cmd(lan9118_state *s, int cmd, int addr)
|
|
{
|
|
s->e2p_cmd = (s->e2p_cmd & 0x10) | (cmd << 28) | addr;
|
|
switch (cmd) {
|
|
case 0:
|
|
s->e2p_data = s->eeprom[addr];
|
|
DPRINTF("EEPROM Read %d = 0x%02x\n", addr, s->e2p_data);
|
|
break;
|
|
case 1:
|
|
s->eeprom_writable = 0;
|
|
DPRINTF("EEPROM Write Disable\n");
|
|
break;
|
|
case 2: /* EWEN */
|
|
s->eeprom_writable = 1;
|
|
DPRINTF("EEPROM Write Enable\n");
|
|
break;
|
|
case 3: /* WRITE */
|
|
if (s->eeprom_writable) {
|
|
s->eeprom[addr] &= s->e2p_data;
|
|
DPRINTF("EEPROM Write %d = 0x%02x\n", addr, s->e2p_data);
|
|
} else {
|
|
DPRINTF("EEPROM Write %d (ignored)\n", addr);
|
|
}
|
|
break;
|
|
case 4: /* WRAL */
|
|
if (s->eeprom_writable) {
|
|
for (addr = 0; addr < 128; addr++) {
|
|
s->eeprom[addr] &= s->e2p_data;
|
|
}
|
|
DPRINTF("EEPROM Write All 0x%02x\n", s->e2p_data);
|
|
} else {
|
|
DPRINTF("EEPROM Write All (ignored)\n");
|
|
}
|
|
case 5: /* ERASE */
|
|
if (s->eeprom_writable) {
|
|
s->eeprom[addr] = 0xff;
|
|
DPRINTF("EEPROM Erase %d\n", addr);
|
|
} else {
|
|
DPRINTF("EEPROM Erase %d (ignored)\n", addr);
|
|
}
|
|
break;
|
|
case 6: /* ERAL */
|
|
if (s->eeprom_writable) {
|
|
memset(s->eeprom, 0xff, 128);
|
|
DPRINTF("EEPROM Erase All\n");
|
|
} else {
|
|
DPRINTF("EEPROM Erase All (ignored)\n");
|
|
}
|
|
break;
|
|
case 7: /* RELOAD */
|
|
lan9118_reload_eeprom(s);
|
|
break;
|
|
}
|
|
}
|
|
|
|
static void lan9118_tick(void *opaque)
|
|
{
|
|
lan9118_state *s = (lan9118_state *)opaque;
|
|
if (s->int_en & GPT_INT) {
|
|
s->int_sts |= GPT_INT;
|
|
}
|
|
lan9118_update(s);
|
|
}
|
|
|
|
static void lan9118_writel(void *opaque, target_phys_addr_t offset,
|
|
uint32_t val)
|
|
{
|
|
lan9118_state *s = (lan9118_state *)opaque;
|
|
offset &= 0xff;
|
|
|
|
//DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, val);
|
|
if (offset >= 0x20 && offset < 0x40) {
|
|
/* TX FIFO */
|
|
tx_fifo_push(s, val);
|
|
return;
|
|
}
|
|
switch (offset) {
|
|
case CSR_IRQ_CFG:
|
|
/* TODO: Implement interrupt deassertion intervals. */
|
|
s->irq_cfg = (s->irq_cfg & IRQ_INT) | (val & IRQ_EN);
|
|
break;
|
|
case CSR_INT_STS:
|
|
s->int_sts &= ~val;
|
|
break;
|
|
case CSR_INT_EN:
|
|
s->int_en = val & ~RESERVED_INT;
|
|
s->int_sts |= val & SW_INT;
|
|
break;
|
|
case CSR_FIFO_INT:
|
|
DPRINTF("FIFO INT levels %08x\n", val);
|
|
s->fifo_int = val;
|
|
break;
|
|
case CSR_RX_CFG:
|
|
if (val & 0x8000) {
|
|
/* RX_DUMP */
|
|
s->rx_fifo_used = 0;
|
|
s->rx_status_fifo_used = 0;
|
|
s->rx_packet_size_tail = s->rx_packet_size_head;
|
|
s->rx_packet_size[s->rx_packet_size_head] = 0;
|
|
}
|
|
s->rx_cfg = val & 0xcfff1ff0;
|
|
break;
|
|
case CSR_TX_CFG:
|
|
if (val & 0x8000) {
|
|
s->tx_status_fifo_used = 0;
|
|
}
|
|
if (val & 0x4000) {
|
|
s->txp->state = TX_IDLE;
|
|
s->txp->fifo_used = 0;
|
|
s->txp->cmd_a = 0xffffffff;
|
|
}
|
|
s->tx_cfg = val & 6;
|
|
break;
|
|
case CSR_HW_CFG:
|
|
if (val & 1) {
|
|
/* SRST */
|
|
lan9118_reset(&s->busdev.qdev);
|
|
} else {
|
|
s->hw_cfg = val & 0x003f300;
|
|
}
|
|
break;
|
|
case CSR_RX_DP_CTRL:
|
|
if (val & 0x80000000) {
|
|
/* Skip forward to next packet. */
|
|
s->rxp_pad = 0;
|
|
s->rxp_offset = 0;
|
|
if (s->rxp_size == 0) {
|
|
/* Pop a word to start the next packet. */
|
|
rx_fifo_pop(s);
|
|
s->rxp_pad = 0;
|
|
s->rxp_offset = 0;
|
|
}
|
|
s->rx_fifo_head += s->rxp_size;
|
|
if (s->rx_fifo_head >= s->rx_fifo_size) {
|
|
s->rx_fifo_head -= s->rx_fifo_size;
|
|
}
|
|
}
|
|
break;
|
|
case CSR_PMT_CTRL:
|
|
if (val & 0x400) {
|
|
phy_reset(s);
|
|
}
|
|
s->pmt_ctrl &= ~0x34e;
|
|
s->pmt_ctrl |= (val & 0x34e);
|
|
break;
|
|
case CSR_GPIO_CFG:
|
|
/* Probably just enabling LEDs. */
|
|
s->gpio_cfg = val & 0x7777071f;
|
|
break;
|
|
case CSR_GPT_CFG:
|
|
if ((s->gpt_cfg ^ val) & GPT_TIMER_EN) {
|
|
if (val & GPT_TIMER_EN) {
|
|
ptimer_set_count(s->timer, val & 0xffff);
|
|
ptimer_run(s->timer, 0);
|
|
} else {
|
|
ptimer_stop(s->timer);
|
|
ptimer_set_count(s->timer, 0xffff);
|
|
}
|
|
}
|
|
s->gpt_cfg = val & (GPT_TIMER_EN | 0xffff);
|
|
break;
|
|
case CSR_WORD_SWAP:
|
|
/* Ignored because we're in 32-bit mode. */
|
|
s->word_swap = val;
|
|
break;
|
|
case CSR_MAC_CSR_CMD:
|
|
s->mac_cmd = val & 0x4000000f;
|
|
if (val & 0x80000000) {
|
|
if (val & 0x40000000) {
|
|
s->mac_data = do_mac_read(s, val & 0xf);
|
|
DPRINTF("MAC read %d = 0x%08x\n", val & 0xf, s->mac_data);
|
|
} else {
|
|
DPRINTF("MAC write %d = 0x%08x\n", val & 0xf, s->mac_data);
|
|
do_mac_write(s, val & 0xf, s->mac_data);
|
|
}
|
|
}
|
|
break;
|
|
case CSR_MAC_CSR_DATA:
|
|
s->mac_data = val;
|
|
break;
|
|
case CSR_AFC_CFG:
|
|
s->afc_cfg = val & 0x00ffffff;
|
|
break;
|
|
case CSR_E2P_CMD:
|
|
lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
|
|
break;
|
|
case CSR_E2P_DATA:
|
|
s->e2p_data = val & 0xff;
|
|
break;
|
|
|
|
default:
|
|
hw_error("lan9118_write: Bad reg 0x%x = %x\n", (int)offset, val);
|
|
break;
|
|
}
|
|
lan9118_update(s);
|
|
}
|
|
|
|
static uint32_t lan9118_readl(void *opaque, target_phys_addr_t offset)
|
|
{
|
|
lan9118_state *s = (lan9118_state *)opaque;
|
|
|
|
//DPRINTF("Read reg 0x%02x\n", (int)offset);
|
|
if (offset < 0x20) {
|
|
/* RX FIFO */
|
|
return rx_fifo_pop(s);
|
|
}
|
|
switch (offset) {
|
|
case 0x40:
|
|
return rx_status_fifo_pop(s);
|
|
case 0x44:
|
|
return s->rx_status_fifo[s->tx_status_fifo_head];
|
|
case 0x48:
|
|
return tx_status_fifo_pop(s);
|
|
case 0x4c:
|
|
return s->tx_status_fifo[s->tx_status_fifo_head];
|
|
case CSR_ID_REV:
|
|
return 0x01180001;
|
|
case CSR_IRQ_CFG:
|
|
return s->irq_cfg;
|
|
case CSR_INT_STS:
|
|
return s->int_sts;
|
|
case CSR_INT_EN:
|
|
return s->int_en;
|
|
case CSR_BYTE_TEST:
|
|
return 0x87654321;
|
|
case CSR_FIFO_INT:
|
|
return s->fifo_int;
|
|
case CSR_RX_CFG:
|
|
return s->rx_cfg;
|
|
case CSR_TX_CFG:
|
|
return s->tx_cfg;
|
|
case CSR_HW_CFG:
|
|
return s->hw_cfg | 0x4;
|
|
case CSR_RX_DP_CTRL:
|
|
return 0;
|
|
case CSR_RX_FIFO_INF:
|
|
return (s->rx_status_fifo_used << 16) | (s->rx_fifo_used << 2);
|
|
case CSR_TX_FIFO_INF:
|
|
return (s->tx_status_fifo_used << 16)
|
|
| (s->tx_fifo_size - s->txp->fifo_used);
|
|
case CSR_PMT_CTRL:
|
|
return s->pmt_ctrl;
|
|
case CSR_GPIO_CFG:
|
|
return s->gpio_cfg;
|
|
case CSR_GPT_CFG:
|
|
return s->gpt_cfg;
|
|
case CSR_GPT_CNT:
|
|
return ptimer_get_count(s->timer);
|
|
case CSR_WORD_SWAP:
|
|
return s->word_swap;
|
|
case CSR_FREE_RUN:
|
|
return (qemu_get_clock(vm_clock) / 40) - s->free_timer_start;
|
|
case CSR_RX_DROP:
|
|
/* TODO: Implement dropped frames counter. */
|
|
return 0;
|
|
case CSR_MAC_CSR_CMD:
|
|
return s->mac_cmd;
|
|
case CSR_MAC_CSR_DATA:
|
|
return s->mac_data;
|
|
case CSR_AFC_CFG:
|
|
return s->afc_cfg;
|
|
case CSR_E2P_CMD:
|
|
return s->e2p_cmd;
|
|
case CSR_E2P_DATA:
|
|
return s->e2p_data;
|
|
}
|
|
hw_error("lan9118_read: Bad reg 0x%x\n", (int)offset);
|
|
return 0;
|
|
}
|
|
|
|
static CPUReadMemoryFunc * const lan9118_readfn[] = {
|
|
lan9118_readl,
|
|
lan9118_readl,
|
|
lan9118_readl
|
|
};
|
|
|
|
static CPUWriteMemoryFunc * const lan9118_writefn[] = {
|
|
lan9118_writel,
|
|
lan9118_writel,
|
|
lan9118_writel
|
|
};
|
|
|
|
static void lan9118_cleanup(VLANClientState *nc)
|
|
{
|
|
lan9118_state *s = DO_UPCAST(NICState, nc, nc)->opaque;
|
|
|
|
s->nic = NULL;
|
|
}
|
|
|
|
static NetClientInfo net_lan9118_info = {
|
|
.type = NET_CLIENT_TYPE_NIC,
|
|
.size = sizeof(NICState),
|
|
.can_receive = lan9118_can_receive,
|
|
.receive = lan9118_receive,
|
|
.cleanup = lan9118_cleanup,
|
|
.link_status_changed = lan9118_set_link,
|
|
};
|
|
|
|
static int lan9118_init1(SysBusDevice *dev)
|
|
{
|
|
lan9118_state *s = FROM_SYSBUS(lan9118_state, dev);
|
|
QEMUBH *bh;
|
|
int i;
|
|
|
|
s->mmio_index = cpu_register_io_memory(lan9118_readfn,
|
|
lan9118_writefn, s,
|
|
DEVICE_NATIVE_ENDIAN);
|
|
sysbus_init_mmio(dev, 0x100, s->mmio_index);
|
|
sysbus_init_irq(dev, &s->irq);
|
|
qemu_macaddr_default_if_unset(&s->conf.macaddr);
|
|
|
|
s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
|
|
dev->qdev.info->name, dev->qdev.id, s);
|
|
qemu_format_nic_info_str(&s->nic->nc, s->conf.macaddr.a);
|
|
s->eeprom[0] = 0xa5;
|
|
for (i = 0; i < 6; i++) {
|
|
s->eeprom[i + 1] = s->conf.macaddr.a[i];
|
|
}
|
|
s->pmt_ctrl = 1;
|
|
s->txp = &s->tx_packet;
|
|
|
|
bh = qemu_bh_new(lan9118_tick, s);
|
|
s->timer = ptimer_init(bh);
|
|
ptimer_set_freq(s->timer, 10000);
|
|
ptimer_set_limit(s->timer, 0xffff, 1);
|
|
|
|
/* ??? Save/restore. */
|
|
return 0;
|
|
}
|
|
|
|
static SysBusDeviceInfo lan9118_info = {
|
|
.init = lan9118_init1,
|
|
.qdev.name = "lan9118",
|
|
.qdev.size = sizeof(lan9118_state),
|
|
.qdev.reset = lan9118_reset,
|
|
.qdev.props = (Property[]) {
|
|
DEFINE_NIC_PROPERTIES(lan9118_state, conf),
|
|
DEFINE_PROP_END_OF_LIST(),
|
|
}
|
|
};
|
|
|
|
static void lan9118_register_devices(void)
|
|
{
|
|
sysbus_register_withprop(&lan9118_info);
|
|
}
|
|
|
|
/* Legacy helper function. Should go away when machine config files are
|
|
implemented. */
|
|
void lan9118_init(NICInfo *nd, uint32_t base, qemu_irq irq)
|
|
{
|
|
DeviceState *dev;
|
|
SysBusDevice *s;
|
|
|
|
qemu_check_nic_model(nd, "lan9118");
|
|
dev = qdev_create(NULL, "lan9118");
|
|
qdev_set_nic_properties(dev, nd);
|
|
qdev_init_nofail(dev);
|
|
s = sysbus_from_qdev(dev);
|
|
sysbus_mmio_map(s, 0, base);
|
|
sysbus_connect_irq(s, 0, irq);
|
|
}
|
|
|
|
device_init(lan9118_register_devices)
|