net: add checks to validate ring buffer pointers(CVE-2015-5279)
[qemu.git] / hw / net / ne2000.c
1 /*
2 * QEMU NE2000 emulation
3 *
4 * Copyright (c) 2003-2004 Fabrice Bellard
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
23 */
24 #include "hw/hw.h"
25 #include "hw/pci/pci.h"
26 #include "net/net.h"
27 #include "ne2000.h"
28 #include "hw/loader.h"
29 #include "sysemu/sysemu.h"
30
31 /* debug NE2000 card */
32 //#define DEBUG_NE2000
33
/*
 * ne2000_buffer_full() requires this many bytes plus 4 to be free in the
 * receive ring before a packet is accepted.
 */
#define MAX_ETH_FRAME_SIZE 1514

/*
 * Register offsets. The value is (page << 4) | (port & 0xf), which is how
 * ne2000_ioport_read()/ne2000_ioport_write() build their switch selector.
 *
 * EN0_STARTPG, EN0_STOPPG, EN0_BOUNDARY and EN1_CURPAG are written by the
 * guest and later used as offsets into s->mem, so ne2000_ioport_write()
 * compares them with NE2000_PMEM_END before storing them.
 */
#define E8390_CMD       0x00  /* The command register (for all pages) */
/* Page 0 register offsets. */
#define EN0_CLDALO      0x01  /* Low byte of current local dma addr  RD */
#define EN0_STARTPG     0x01  /* Starting page of ring bfr WR */
#define EN0_CLDAHI      0x02  /* High byte of current local dma addr  RD */
#define EN0_STOPPG      0x02  /* Ending page +1 of ring bfr WR */
#define EN0_BOUNDARY    0x03  /* Boundary page of ring bfr RD WR */
#define EN0_TSR         0x04  /* Transmit status reg RD */
#define EN0_TPSR        0x04  /* Transmit starting page WR */
#define EN0_NCR         0x05  /* Number of collision reg RD */
#define EN0_TCNTLO      0x05  /* Low  byte of tx byte count WR */
#define EN0_FIFO        0x06  /* FIFO RD */
#define EN0_TCNTHI      0x06  /* High byte of tx byte count WR */
#define EN0_ISR         0x07  /* Interrupt status reg RD WR */
#define EN0_CRDALO      0x08  /* low byte of current remote dma address RD */
#define EN0_RSARLO      0x08  /* Remote start address reg 0 */
#define EN0_CRDAHI      0x09  /* high byte, current remote dma address RD */
#define EN0_RSARHI      0x09  /* Remote start address reg 1 */
#define EN0_RCNTLO      0x0a  /* Remote byte count reg WR */
#define EN0_RTL8029ID0  0x0a  /* Realtek ID byte #1 RD */
#define EN0_RCNTHI      0x0b  /* Remote byte count reg WR */
#define EN0_RTL8029ID1  0x0b  /* Realtek ID byte #2 RD */
#define EN0_RSR         0x0c  /* rx status reg RD */
#define EN0_RXCR        0x0c  /* RX configuration reg WR */
#define EN0_TXCR        0x0d  /* TX configuration reg WR */
#define EN0_COUNTER0    0x0d  /* Rcv alignment error counter RD */
#define EN0_DCFG        0x0e  /* Data configuration reg WR */
#define EN0_COUNTER1    0x0e  /* Rcv CRC error counter RD */
#define EN0_IMR         0x0f  /* Interrupt mask reg WR */
#define EN0_COUNTER2    0x0f  /* Rcv missed frame error counter RD */

/* Page 1 register offsets. */
#define EN1_PHYS        0x11  /* first of 6 bytes backed by s->phys[] */
#define EN1_CURPAG      0x17  /* backed by s->curpag (receive write page) */
#define EN1_MULT        0x18  /* first of 8 bytes backed by s->mult[] */

/* Page 2 register offsets. */
#define EN2_STARTPG     0x21  /* Starting page of ring bfr RD */
#define EN2_STOPPG      0x22  /* Ending page +1 of ring bfr RD */

/* Page 3 register offsets (read-only constants in ne2000_ioport_read()). */
#define EN3_CONFIG0     0x33
#define EN3_CONFIG1     0x34
#define EN3_CONFIG2     0x35
#define EN3_CONFIG3     0x36

/*  Register accessed at EN_CMD, the 8390 base addr.  */
#define E8390_STOP      0x01  /* Stop and reset the chip */
#define E8390_START     0x02  /* Start the chip, clear reset */
#define E8390_TRANS     0x04  /* Transmit a frame */
#define E8390_RREAD     0x08  /* Remote read */
#define E8390_RWRITE    0x10  /* Remote write  */
#define E8390_NODMA     0x20  /* Remote DMA */
#define E8390_PAGE0     0x00  /* Select page chip registers */
#define E8390_PAGE1     0x40  /* using the two high-order bits */
#define E8390_PAGE2     0x80  /* Page 3 is invalid. */

/* Bits in EN0_ISR - Interrupt status register */
#define ENISR_RX        0x01  /* Receiver, no error */
#define ENISR_TX        0x02  /* Transmitter, no error */
#define ENISR_RX_ERR    0x04  /* Receiver, with error */
#define ENISR_TX_ERR    0x08  /* Transmitter, with error */
#define ENISR_OVER      0x10  /* Receiver overwrote the ring */
#define ENISR_COUNTERS  0x20  /* Counters need emptying */
#define ENISR_RDC       0x40  /* remote dma complete */
#define ENISR_RESET     0x80  /* Reset completed */
#define ENISR_ALL       0x3f  /* Interrupts we will enable */

/* Bits in received packet status byte and EN0_RSR*/
#define ENRSR_RXOK      0x01  /* Received a good packet */
#define ENRSR_CRC       0x02  /* CRC error */
#define ENRSR_FAE       0x04  /* frame alignment error */
#define ENRSR_FO        0x08  /* FIFO overrun */
#define ENRSR_MPA       0x10  /* missed pkt */
#define ENRSR_PHY       0x20  /* physical/multicast address */
#define ENRSR_DIS       0x40  /* receiver disable. set in monitor mode */
#define ENRSR_DEF       0x80  /* deferring */

/* Transmitted packet status, EN0_TSR. */
#define ENTSR_PTX 0x01  /* Packet transmitted without error */
#define ENTSR_ND  0x02  /* The transmit wasn't deferred. */
#define ENTSR_COL 0x04  /* The transmit collided at least once. */
#define ENTSR_ABT 0x08  /* The transmit collided 16 times, and was deferred. */
#define ENTSR_CRS 0x10  /* The carrier sense was lost. */
#define ENTSR_FU  0x20  /* A "FIFO underrun" occurred during transmit. */
#define ENTSR_CDH 0x40  /* The collision detect "heartbeat" signal was lost. */
#define ENTSR_OWC 0x80  /* There was an out-of-window collision. */
120
/*
 * PCI flavour of the card: the generic PCI device state followed by the
 * bus-independent NE2000 state. 'dev' is the member named in the DO_UPCAST()
 * calls below that convert a PCIDevice pointer back to this structure.
 */
typedef struct PCINE2000State {
    PCIDevice dev;
    NE2000State ne2000;
} PCINE2000State;
125
/*
 * Put the card into its reset state: flag ENISR_RESET in the interrupt
 * status register and rebuild the PROM image at the start of s->mem from
 * the configured MAC address.
 */
void ne2000_reset(NE2000State *s)
{
    int i;

    s->isr = ENISR_RESET;

    /* PROM bytes 0..5 carry the MAC address, bytes 14 and 15 carry 0x57. */
    memcpy(s->mem, &s->c.macaddr, 6);
    s->mem[14] = s->mem[15] = 0x57;

    /*
     * Duplicate the PROM data: byte i ends up at 2*i and 2*i + 1.
     * Walking downwards keeps not-yet-copied source bytes intact.
     */
    i = 16;
    while (i-- > 0) {
        uint8_t b = s->mem[i];

        s->mem[2 * i] = b;
        s->mem[2 * i + 1] = b;
    }
}
141
/*
 * Recompute the interrupt line: it is raised while any source that is both
 * pending in s->isr and enabled in s->imr remains, ignoring bit 7
 * (ENISR_RESET).
 */
static void ne2000_update_irq(NE2000State *s)
{
    int pending = s->isr & s->imr & 0x7f;

#if defined(DEBUG_NE2000)
    printf("NE2000: Set IRQ to %d (%02x %02x)\n",
           pending ? 1 : 0, s->isr, s->imr);
#endif
    qemu_set_irq(s->irq, pending != 0);
}
152
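/*
 * Report whether the receive ring lacks room for one more maximum-size frame.
 *
 * Returns 1 when fewer than MAX_ETH_FRAME_SIZE + 4 bytes are free between
 * the write page (curpag) and the guest's read position (boundary), or when
 * the ring itself is unusable; returns 0 otherwise.
 */
static int ne2000_buffer_full(NE2000State *s)
{
    int avail, index, boundary;

    /*
     * start and stop are programmed by the guest and only checked against
     * NE2000_PMEM_END individually. An empty or inverted ring cannot hold
     * anything, and the size arithmetic below is meaningless for it, so
     * treat it as full instead of letting the receive path run on it.
     */
    if (s->stop <= s->start) {
        return 1;
    }

    index = s->curpag << 8;
    boundary = s->boundary << 8;
    if (index < boundary) {
        avail = boundary - index;
    } else {
        avail = (s->stop - s->start) - (index - boundary);
    }
    return avail < (MAX_ETH_FRAME_SIZE + 4);
}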
167
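/* Frames shorter than this are zero-padded before being stored. */
#define MIN_BUF_SIZE 60

/*
 * Deliver one frame from the network backend into the guest-visible
 * receive ring.
 *
 * nc    - net client whose opaque pointer is the NE2000State
 * buf   - frame data, starting with the destination MAC address
 * size_ - number of bytes in buf
 *
 * Returns -1 when the frame cannot be stored (chip stopped, ring full or
 * ring pointers unusable), otherwise the frame length; frames that the
 * receive filter rejects are reported as consumed.
 *
 * The ring pointers (start, stop, curpag, boundary) are guest-controlled.
 * Every offset derived from them must stay inside s->mem and the copy loop
 * must always terminate, whatever the guest programmed.
 */
ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
{
    NE2000State *s = qemu_get_nic_opaque(nc);
    int size = size_;
    uint8_t *p;
    unsigned int total_len, next, avail, len, index, mcast_idx;
    uint8_t buf1[MIN_BUF_SIZE];
    static const uint8_t broadcast_macaddr[6] =
        { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

#if defined(DEBUG_NE2000)
    printf("NE2000: received len=%d\n", size);
#endif

    if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
        return -1;

    /*
     * An empty or inverted ring (stop <= start) has no place to store data.
     * With start == stop the wrap at the bottom of the copy loop would put
     * index straight back on stop and the loop would never make progress.
     */
    if (s->stop <= s->start) {
        return -1;
    }

    /* XXX: check this */
    if (s->rxcr & 0x10) {
        /* promiscuous: receive all */
    } else {
        if (!memcmp(buf,  broadcast_macaddr, 6)) {
            /* broadcast address */
            if (!(s->rxcr & 0x04))
                return size;
        } else if (buf[0] & 0x01) {
            /* multicast */
            if (!(s->rxcr & 0x08))
                return size;
            mcast_idx = compute_mcast_idx(buf);
            if (!(s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))))
                return size;
        } else if (s->mem[0] == buf[0] &&
                   s->mem[2] == buf[1] &&
                   s->mem[4] == buf[2] &&
                   s->mem[6] == buf[3] &&
                   s->mem[8] == buf[4] &&
                   s->mem[10] == buf[5]) {
            /* match: PROM stores each MAC byte twice, hence the even offsets */
        } else {
            return size;
        }
    }

    /* if too small buffer, then expand it */
    if (size < MIN_BUF_SIZE) {
        memcpy(buf1, buf, size);
        memset(buf1 + size, 0, MIN_BUF_SIZE - size);
        buf = buf1;
        size = MIN_BUF_SIZE;
    }

    index = s->curpag << 8;
    /* never start writing past the end of packet memory */
    if (index >= NE2000_PMEM_END) {
        index = s->start;
    }
    /* 4 bytes for header */
    total_len = size + 4;
    /* address for next packet (4 bytes for CRC) */
    next = index + ((total_len + 4 + 255) & ~0xff);
    if (next >= s->stop)
        next -= (s->stop - s->start);
    /* prepare packet header */
    p = s->mem + index;
    s->rsr = ENRSR_RXOK; /* receive status */
    /* XXX: check this */
    if (buf[0] & 0x01)
        s->rsr |= ENRSR_PHY;
    p[0] = s->rsr;
    p[1] = next >> 8;
    p[2] = total_len;
    p[3] = total_len >> 8;
    index += 4;

    /* write packet data */
    while (size > 0) {
        if (index <= s->stop) {
            avail = s->stop - index;
        } else {
            /*
             * The write position is already beyond the ring end, which can
             * only happen with inconsistent guest-programmed pointers.
             * Nothing can be copied; stop here, because retrying with
             * avail == 0 would never reduce size.
             */
            break;
        }
        len = size;
        if (len > avail)
            len = avail;
        memcpy(s->mem + index, buf, len);
        buf += len;
        index += len;
        if (index == s->stop)
            index = s->start;
        size -= len;
    }
    s->curpag = next >> 8;

    /* now we can signal we have received something */
    s->isr |= ENISR_RX;
    ne2000_update_irq(s);

    return size_;
}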
269
/*
 * Handle a guest write to one of the 16 8390 core register ports.
 *
 * opaque - the NE2000State
 * addr   - port offset; only the low 4 bits are used
 * val    - value written by the guest
 *
 * Port 0 is the command register. For the other ports the register is
 * selected by the page held in the top two bits of s->cmd.
 *
 * Everything stored here is guest-controlled. start, stop, boundary and
 * curpag later become offsets into s->mem, so they are accepted only when
 * they do not lie beyond NE2000_PMEM_END; an out-of-range write is ignored
 * and the previous value is kept.
 * NOTE(review): there is no lower bound and no start < stop check here, so
 * the consumers of these fields still have to cope with inconsistent
 * combinations.
 */
static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
{
    NE2000State *s = opaque;
    int offset, page, index;

    addr &= 0xf;
#ifdef DEBUG_NE2000
    printf("NE2000: write addr=0x%x val=0x%02x\n", addr, val);
#endif
    if (addr == E8390_CMD) {
        /* control register */
        s->cmd = val;
        if (!(val & E8390_STOP)) { /* START bit makes no sense on RTL8029... */
            s->isr &= ~ENISR_RESET;
            /* test specific case: zero length transfer */
            if ((val & (E8390_RREAD | E8390_RWRITE)) &&
                s->rcnt == 0) {
                s->isr |= ENISR_RDC;
                ne2000_update_irq(s);
            }
            if (val & E8390_TRANS) {
                /* tpsr and tcnt are guest-supplied; index is a byte offset */
                index = (s->tpsr << 8);
                /* XXX: next 2 lines are a hack to make netware 3.11 work */
                if (index >= NE2000_PMEM_END)
                    index -= NE2000_PMEM_SIZE;
                /* fail safe: check range on the transmitted length */
                /* frames that would read past packet memory are not sent */
                if (index + s->tcnt <= NE2000_PMEM_END) {
                    qemu_send_packet(qemu_get_queue(s->nic), s->mem + index,
                                     s->tcnt);
                }
                /* signal end of transfer */
                /* completion is reported even when the frame was skipped */
                s->tsr = ENTSR_PTX;
                s->isr |= ENISR_TX;
                s->cmd &= ~E8390_TRANS;
                ne2000_update_irq(s);
            }
        }
    } else {
        page = s->cmd >> 6;
        offset = addr | (page << 4);
        switch(offset) {
        case EN0_STARTPG:
            /* ring start, stored as a byte offset (page number << 8) */
            if (val << 8 <= NE2000_PMEM_END) {
                s->start = val << 8;
            }
            break;
        case EN0_STOPPG:
            /* ring end, stored as a byte offset (page number << 8) */
            if (val << 8 <= NE2000_PMEM_END) {
                s->stop = val << 8;
            }
            break;
        case EN0_BOUNDARY:
            /* kept as a page number; must address a page below PMEM_END */
            if (val << 8 < NE2000_PMEM_END) {
                s->boundary = val;
            }
            break;
        case EN0_IMR:
            s->imr = val;
            ne2000_update_irq(s);
            break;
        case EN0_TPSR:
            s->tpsr = val;
            break;
        case EN0_TCNTLO:
            s->tcnt = (s->tcnt & 0xff00) | val;
            break;
        case EN0_TCNTHI:
            s->tcnt = (s->tcnt & 0x00ff) | (val << 8);
            break;
        case EN0_RSARLO:
            s->rsar = (s->rsar & 0xff00) | val;
            break;
        case EN0_RSARHI:
            s->rsar = (s->rsar & 0x00ff) | (val << 8);
            break;
        case EN0_RCNTLO:
            s->rcnt = (s->rcnt & 0xff00) | val;
            break;
        case EN0_RCNTHI:
            s->rcnt = (s->rcnt & 0x00ff) | (val << 8);
            break;
        case EN0_RXCR:
            s->rxcr = val;
            break;
        case EN0_DCFG:
            s->dcfg = val;
            break;
        case EN0_ISR:
            /* writing a 1 acknowledges (clears) that status bit */
            s->isr &= ~(val & 0x7f);
            ne2000_update_irq(s);
            break;
        case EN1_PHYS ... EN1_PHYS + 5:
            s->phys[offset - EN1_PHYS] = val;
            break;
        case EN1_CURPAG:
            /* kept as a page number; must address a page below PMEM_END */
            if (val << 8 < NE2000_PMEM_END) {
                s->curpag = val;
            }
            break;
        case EN1_MULT ... EN1_MULT + 7:
            s->mult[offset - EN1_MULT] = val;
            break;
        }
    }
}
375
/*
 * Handle a guest read from one of the 16 8390 core register ports.
 *
 * opaque - the NE2000State
 * addr   - port offset; only the low 4 bits are used
 *
 * Port 0 returns the command register. For the other ports the register is
 * selected by the page held in the top two bits of s->cmd; registers that
 * are not listed below read as 0.
 */
static uint32_t ne2000_ioport_read(void *opaque, uint32_t addr)
{
    NE2000State *s = opaque;
    int ret = 0x00;
    int reg;

    addr &= 0xf;
    if (addr == E8390_CMD) {
        ret = s->cmd;
    } else {
        reg = addr | ((s->cmd >> 6) << 4);
        switch (reg) {
        /* page 0 */
        case EN0_BOUNDARY:
            ret = s->boundary;
            break;
        case EN0_TSR:
            ret = s->tsr;
            break;
        case EN0_ISR:
            ret = s->isr;
            break;
        case EN0_RSARLO:
            ret = s->rsar & 0x00ff;
            break;
        case EN0_RSARHI:
            ret = s->rsar >> 8;
            break;
        case EN0_RTL8029ID0:
            ret = 0x50;
            break;
        case EN0_RTL8029ID1:
            ret = 0x43;
            break;
        case EN0_RSR:
            ret = s->rsr;
            break;
        /* page 1 */
        case EN1_PHYS ... EN1_PHYS + 5:
            ret = s->phys[reg - EN1_PHYS];
            break;
        case EN1_CURPAG:
            ret = s->curpag;
            break;
        case EN1_MULT ... EN1_MULT + 7:
            ret = s->mult[reg - EN1_MULT];
            break;
        /* page 2: ring limits are stored as byte offsets, reported as pages */
        case EN2_STARTPG:
            ret = s->start >> 8;
            break;
        case EN2_STOPPG:
            ret = s->stop >> 8;
            break;
        /* page 3 */
        case EN3_CONFIG0:
            ret = 0; /* 10baseT media */
            break;
        case EN3_CONFIG2: /* 10baseT active */
        case EN3_CONFIG3: /* Full duplex */
            ret = 0x40;
            break;
        default:
            /* keep the 0x00 set above */
            break;
        }
    }
#ifdef DEBUG_NE2000
    printf("NE2000: read addr=0x%x val=%02x\n", addr, ret);
#endif
    return ret;
}
446
/*
 * Store one byte into card memory on behalf of remote DMA.
 *
 * addr comes from the guest-programmed remote address, so the write is
 * silently dropped unless it targets the first 32 bytes (PROM area) or
 * packet memory [NE2000_PMEM_START, NE2000_MEM_SIZE).
 */
static inline void ne2000_mem_writeb(NE2000State *s, uint32_t addr,
                                     uint32_t val)
{
    int in_prom = addr < 32;
    int in_pmem = addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE;

    if (!in_prom && !in_pmem) {
        return;
    }
    s->mem[addr] = val;
}
455
/*
 * Store a 16-bit little-endian value into card memory on behalf of remote
 * DMA.
 *
 * The address is forced even first. Writes outside the first 32 bytes and
 * outside [NE2000_PMEM_START, NE2000_MEM_SIZE) are silently dropped; because
 * addr is even, the second byte stays below NE2000_MEM_SIZE as long as that
 * limit is even.
 */
static inline void ne2000_mem_writew(NE2000State *s, uint32_t addr,
                                     uint32_t val)
{
    int in_prom, in_pmem;

    addr &= ~1; /* XXX: check exact behaviour if not even */
    in_prom = addr < 32;
    in_pmem = addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE;
    if (!in_prom && !in_pmem) {
        return;
    }
    *(uint16_t *)(s->mem + addr) = cpu_to_le16(val);
}
465
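/*
 * Store a 32-bit little-endian value into card memory on behalf of remote
 * DMA.
 *
 * addr is derived from the guest-programmed remote address and is only
 * forced to be even, not 4-byte aligned. The range check therefore has to
 * cover all four bytes of the access: testing only addr < NE2000_MEM_SIZE
 * would let an access at NE2000_MEM_SIZE - 2 run two bytes past the end of
 * packet memory (assuming s->mem is NE2000_MEM_SIZE bytes, as its use as
 * the upper bound here suggests). Out-of-range writes are dropped.
 */
static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
                                     uint32_t val)
{
    addr &= ~1; /* XXX: check exact behaviour if not even */
    if (addr < 32 ||
        (addr >= NE2000_PMEM_START &&
         addr <= NE2000_MEM_SIZE - sizeof(uint32_t))) {
        stl_le_p(s->mem + addr, val);
    }
}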
475
/*
 * Fetch one byte from card memory on behalf of remote DMA.
 *
 * Addresses outside the first 32 bytes and outside
 * [NE2000_PMEM_START, NE2000_MEM_SIZE) are not backed by memory and read
 * as 0xff.
 */
static inline uint32_t ne2000_mem_readb(NE2000State *s, uint32_t addr)
{
    int in_prom = addr < 32;
    int in_pmem = addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE;

    if (!in_prom && !in_pmem) {
        return 0xff;
    }
    return s->mem[addr];
}
485
/*
 * Fetch a 16-bit little-endian value from card memory on behalf of remote
 * DMA.
 *
 * The address is forced even first. Addresses outside the first 32 bytes
 * and outside [NE2000_PMEM_START, NE2000_MEM_SIZE) read as 0xffff.
 */
static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
{
    int in_prom, in_pmem;

    addr &= ~1; /* XXX: check exact behaviour if not even */
    in_prom = addr < 32;
    in_pmem = addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE;
    if (!in_prom && !in_pmem) {
        return 0xffff;
    }
    return le16_to_cpu(*(uint16_t *)(s->mem + addr));
}
496
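/*
 * Fetch a 32-bit little-endian value from card memory on behalf of remote
 * DMA.
 *
 * addr is derived from the guest-programmed remote address and is only
 * forced to be even, not 4-byte aligned. The range check has to cover all
 * four bytes: testing only addr < NE2000_MEM_SIZE would let an access at
 * NE2000_MEM_SIZE - 2 read two bytes past the end of packet memory and hand
 * them to the guest (assuming s->mem is NE2000_MEM_SIZE bytes, as its use
 * as the upper bound here suggests). Out-of-range reads return 0xffffffff.
 */
static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
{
    addr &= ~1; /* XXX: check exact behaviour if not even */
    if (addr < 32 ||
        (addr >= NE2000_PMEM_START &&
         addr <= NE2000_MEM_SIZE - sizeof(uint32_t))) {
        return ldl_le_p(s->mem + addr);
    }
    return 0xffffffff;
}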
507
/*
 * Account for len bytes moved by remote DMA: advance the remote address,
 * wrap it at the ring end, and decrease the remaining byte count. When the
 * count is used up, ENISR_RDC is raised.
 *
 * The wrap only triggers when rsar lands exactly on stop. A guest-chosen
 * rsar can step over stop; the ne2000_mem_* accessors range-check every
 * address, so such an address is filtered there rather than here.
 */
static inline void ne2000_dma_update(NE2000State *s, int len)
{
    s->rsar += len;
    /* wrap */
    /* XXX: check what to do if rsar > stop */
    if (s->rsar == s->stop) {
        s->rsar = s->start;
    }

    if (s->rcnt > len) {
        s->rcnt -= len;
        return;
    }

    /* transfer finished: signal end of transfer */
    s->rcnt = 0;
    s->isr |= ENISR_RDC;
    ne2000_update_irq(s);
}
525
/*
 * Guest write to the data port (8- or 16-bit): store val at the current
 * remote DMA address and advance the transfer. The width is chosen by bit 0
 * of the data configuration register. Writes are ignored once the remote
 * byte count has reached zero.
 */
static void ne2000_asic_ioport_write(void *opaque, uint32_t addr, uint32_t val)
{
    NE2000State *s = opaque;
    int word_mode = s->dcfg & 0x01;

#ifdef DEBUG_NE2000
    printf("NE2000: asic write val=0x%04x\n", val);
#endif
    if (s->rcnt == 0) {
        return;
    }
    if (!word_mode) {
        /* 8 bit access */
        ne2000_mem_writeb(s, s->rsar, val);
        ne2000_dma_update(s, 1);
        return;
    }
    /* 16 bit access */
    ne2000_mem_writew(s, s->rsar, val);
    ne2000_dma_update(s, 2);
}
545
/*
 * Guest read from the data port (8- or 16-bit): return the value at the
 * current remote DMA address and advance the transfer. The width is chosen
 * by bit 0 of the data configuration register.
 *
 * Unlike the write side, this path does not look at the remaining byte
 * count before accessing memory.
 */
static uint32_t ne2000_asic_ioport_read(void *opaque, uint32_t addr)
{
    NE2000State *s = opaque;
    int word_mode = s->dcfg & 0x01;
    int ret;

    if (!word_mode) {
        /* 8 bit access */
        ret = ne2000_mem_readb(s, s->rsar);
        ne2000_dma_update(s, 1);
    } else {
        /* 16 bit access */
        ret = ne2000_mem_readw(s, s->rsar);
        ne2000_dma_update(s, 2);
    }
#ifdef DEBUG_NE2000
    printf("NE2000: asic read val=0x%04x\n", ret);
#endif
    return ret;
}
565
/*
 * Guest 32-bit write to the data port: store val at the current remote DMA
 * address and advance the transfer by four bytes. Ignored once the remote
 * byte count has reached zero.
 */
static void ne2000_asic_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
{
    NE2000State *s = opaque;

#ifdef DEBUG_NE2000
    printf("NE2000: asic writel val=0x%04x\n", val);
#endif
    if (s->rcnt != 0) {
        /* 32 bit access */
        ne2000_mem_writel(s, s->rsar, val);
        ne2000_dma_update(s, 4);
    }
}
579
/*
 * Guest 32-bit read from the data port: return the value at the current
 * remote DMA address and advance the transfer by four bytes.
 */
static uint32_t ne2000_asic_ioport_readl(void *opaque, uint32_t addr)
{
    NE2000State *s = opaque;
    /* 32 bit access */
    int ret = ne2000_mem_readl(s, s->rsar);

    ne2000_dma_update(s, 4);
#ifdef DEBUG_NE2000
    printf("NE2000: asic readl val=0x%04x\n", ret);
#endif
    return ret;
}
593
/*
 * Guest write to the reset port. This marks the end of the reset pulse and
 * needs no action; the reset itself happens on the read side.
 */
static void ne2000_reset_ioport_write(void *opaque, uint32_t addr, uint32_t val)
{
}
598
/* Guest read from the reset port: reset the card and return 0. */
static uint32_t ne2000_reset_ioport_read(void *opaque, uint32_t addr)
{
    ne2000_reset((NE2000State *)opaque);
    return 0;
}
605
/*
 * Fix up state after it has been loaded from a saved stream.
 *
 * Streams older than version 2 do not carry rxcr (see the versioned field
 * in vmstate_ne2000), so it is given the value 0x0c. Always returns 0.
 *
 * NOTE(review): start, stop, boundary, curpag and rsar arrive from the
 * stream as raw integers and are not re-checked against NE2000_PMEM_END
 * here, although ne2000_ioport_write() enforces that for guest writes.
 * Confirm whether the stream is trusted or whether the same range checks
 * belong in this hook.
 */
static int ne2000_post_load(void *opaque, int version_id)
{
    NE2000State *s = opaque;

    if (version_id >= 2) {
        return 0;
    }
    s->rxcr = 0x0c;
    return 0;
}
615
/*
 * Saved-state layout of the bus-independent NE2000 state.
 *
 * rxcr is only present from stream version 2 on; ne2000_post_load() supplies
 * it for older streams.
 *
 * NOTE(review): the ring pointers (start, stop, boundary, curpag), rsar and
 * the whole of mem are restored verbatim. Nothing in this table constrains
 * start/stop to NE2000_PMEM_END, so the bounds that ne2000_ioport_write()
 * enforces on guest writes are not guaranteed for loaded state - confirm
 * against the threat model for saved-state sources.
 */
const VMStateDescription vmstate_ne2000 = {
    .name = "ne2000",
    .version_id = 2,
    .minimum_version_id = 0,
    .post_load = ne2000_post_load,
    .fields = (VMStateField[]) {
        VMSTATE_UINT8_V(rxcr, NE2000State, 2),
        VMSTATE_UINT8(cmd, NE2000State),
        VMSTATE_UINT32(start, NE2000State),
        VMSTATE_UINT32(stop, NE2000State),
        VMSTATE_UINT8(boundary, NE2000State),
        VMSTATE_UINT8(tsr, NE2000State),
        VMSTATE_UINT8(tpsr, NE2000State),
        VMSTATE_UINT16(tcnt, NE2000State),
        VMSTATE_UINT16(rcnt, NE2000State),
        VMSTATE_UINT32(rsar, NE2000State),
        VMSTATE_UINT8(rsr, NE2000State),
        VMSTATE_UINT8(isr, NE2000State),
        VMSTATE_UINT8(dcfg, NE2000State),
        VMSTATE_UINT8(imr, NE2000State),
        VMSTATE_BUFFER(phys, NE2000State),
        VMSTATE_UINT8(curpag, NE2000State),
        VMSTATE_BUFFER(mult, NE2000State),
        VMSTATE_UNUSED(4), /* was irq */
        VMSTATE_BUFFER(mem, NE2000State),
        VMSTATE_END_OF_LIST()
    }
};
644
/*
 * Saved-state layout of the PCI card: the PCI device state followed by the
 * embedded NE2000 state described by vmstate_ne2000.
 */
static const VMStateDescription vmstate_pci_ne2000 = {
    .name = "ne2000",
    .version_id = 3,
    .minimum_version_id = 3,
    .fields = (VMStateField[]) {
        VMSTATE_PCI_DEVICE(dev, PCINE2000State),
        VMSTATE_STRUCT(ne2000, PCINE2000State, 0, vmstate_ne2000, NE2000State),
        VMSTATE_END_OF_LIST()
    }
};
655
/*
 * Dispatch a guest read inside the card's I/O window.
 *
 *   0x00-0x0f, 1 byte  - 8390 core registers
 *   0x10, any size     - data port (16-bit handler up to 2 bytes, else 32-bit)
 *   0x1f, 1 byte       - reset port
 *
 * Any other combination reads as all-ones for the access width.
 * NOTE(review): the all-ones expression shifts by size * 8, which is only
 * defined for size < 8 - presumably the memory core never passes 8 here;
 * confirm.
 */
static uint64_t ne2000_read(void *opaque, hwaddr addr,
                            unsigned size)
{
    NE2000State *s = opaque;

    if (addr == 0x10) {
        return size <= 2 ? ne2000_asic_ioport_read(s, addr)
                         : ne2000_asic_ioport_readl(s, addr);
    }
    if (size == 1) {
        if (addr < 0x10) {
            return ne2000_ioport_read(s, addr);
        }
        if (addr == 0x1f) {
            return ne2000_reset_ioport_read(s, addr);
        }
    }
    return ((uint64_t)1 << (size * 8)) - 1;
}
674
/*
 * Dispatch a guest write inside the card's I/O window.
 *
 *   0x00-0x0f, 1 byte  - 8390 core registers
 *   0x10, any size     - data port (16-bit handler up to 2 bytes, else 32-bit)
 *   0x1f, 1 byte       - reset port
 *
 * Any other combination is ignored.
 */
static void ne2000_write(void *opaque, hwaddr addr,
                         uint64_t data, unsigned size)
{
    NE2000State *s = opaque;

    if (addr == 0x10) {
        if (size > 2) {
            ne2000_asic_ioport_writel(s, addr, data);
        } else {
            ne2000_asic_ioport_write(s, addr, data);
        }
        return;
    }
    if (size != 1) {
        return;
    }
    if (addr < 0x10) {
        ne2000_ioport_write(s, addr, data);
    } else if (addr == 0x1f) {
        ne2000_reset_ioport_write(s, addr, data);
    }
}
692
/*
 * Access callbacks for the card's I/O region; all guest accesses to the
 * region enter the device model through ne2000_read()/ne2000_write().
 */
static const MemoryRegionOps ne2000_ops = {
    .read = ne2000_read,
    .write = ne2000_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};
698
699 /***********************************************************/
700 /* PCI NE2000 definitions */
701
/*
 * Initialise s->io as an I/O region of 'size' bytes named "ne2000", owned
 * by dev and served by ne2000_ops with s as the callback argument.
 */
void ne2000_setup_io(NE2000State *s, DeviceState *dev, unsigned size)
{
    Object *owner = OBJECT(dev);

    memory_region_init_io(&s->io, owner, &ne2000_ops, s, "ne2000", size);
}
706
/*
 * Net client description handed to qemu_new_nic(): frames arriving from the
 * backend are delivered through ne2000_receive().
 */
static NetClientInfo net_ne2000_info = {
    .type = NET_CLIENT_OPTIONS_KIND_NIC,
    .size = sizeof(NICState),
    .receive = ne2000_receive,
};
712
/*
 * Realize the PCI card: route its interrupt to pin A, expose the 0x100-byte
 * register window as I/O BAR 0, allocate the IRQ, make sure a MAC address is
 * set, reset the chip and create the NIC backend connection.
 */
static void pci_ne2000_realize(PCIDevice *pci_dev, Error **errp)
{
    PCINE2000State *d = DO_UPCAST(PCINE2000State, dev, pci_dev);
    NE2000State *s = &d->ne2000;

    d->dev.config[PCI_INTERRUPT_PIN] = 1; /* interrupt pin A */

    ne2000_setup_io(s, DEVICE(pci_dev), 0x100);
    pci_register_bar(&d->dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io);
    s->irq = pci_allocate_irq(&d->dev);

    /* the reset copies the MAC into the PROM image, so set it first */
    qemu_macaddr_default_if_unset(&s->c.macaddr);
    ne2000_reset(s);

    s->nic = qemu_new_nic(&net_ne2000_info, &s->c,
                          object_get_typename(OBJECT(pci_dev)),
                          pci_dev->qdev.id, s);
    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
}
734
/* Tear down what pci_ne2000_realize() created: the NIC, then the IRQ. */
static void pci_ne2000_exit(PCIDevice *pci_dev)
{
    PCINE2000State *d = DO_UPCAST(PCINE2000State, dev, pci_dev);

    qemu_del_nic(d->ne2000.nic);
    qemu_free_irq(d->ne2000.irq);
}
743
/*
 * Per-instance initialisation: register the "bootindex" property, backed by
 * the NIC configuration's bootindex field, with the "/ethernet-phy@0"
 * suffix.
 */
static void ne2000_instance_init(Object *obj)
{
    PCIDevice *pci_dev = PCI_DEVICE(obj);
    PCINE2000State *d = DO_UPCAST(PCINE2000State, dev, pci_dev);

    device_add_bootindex_property(obj, &d->ne2000.c.bootindex,
                                  "bootindex", "/ethernet-phy@0",
                                  &pci_dev->qdev, NULL);
}
754
/* User-settable properties: the standard NIC set, stored in ne2000.c. */
static Property ne2000_properties[] = {
    DEFINE_NIC_PROPERTIES(PCINE2000State, ne2000.c),
    DEFINE_PROP_END_OF_LIST(),
};
759
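/*
 * Class initialisation for the PCI card: install the realize/exit hooks,
 * the option ROM name, the PCI identity (Realtek 8029, Ethernet class), the
 * saved-state description and the property list, and file the device under
 * the network category.
 */
static void ne2000_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);
    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);

    k->realize = pci_ne2000_realize;
    k->exit = pci_ne2000_exit;
    /*
     * The original line ended in ',' and only worked because the comma
     * operator chained it to the next assignment; terminate it properly.
     */
    k->romfile = "efi-ne2k_pci.rom";
    k->vendor_id = PCI_VENDOR_ID_REALTEK;
    k->device_id = PCI_DEVICE_ID_REALTEK_8029;
    k->class_id = PCI_CLASS_NETWORK_ETHERNET;
    dc->vmsd = &vmstate_pci_ne2000;
    dc->props = ne2000_properties;
    set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
}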
775
/* Type registration record for the "ne2k_pci" device. */
static const TypeInfo ne2000_info = {
    .name = "ne2k_pci",
    .parent = TYPE_PCI_DEVICE,
    .instance_size = sizeof(PCINE2000State),
    .class_init = ne2000_class_init,
    .instance_init = ne2000_instance_init,
};
783
/* Register the "ne2k_pci" type; hooked up through type_init() below. */
static void ne2000_register_types(void)
{
    const TypeInfo *info = &ne2000_info;

    type_register_static(info);
}

type_init(ne2000_register_types)