[Qemu-devel] Fatal error on accessing IO memory of smc91c111 NIC

[Thorsten Zitterell]

Hi,

there seems to be a problem when accessing the IO memory of an emulated gumstix 
(PXA) with smc91c111 NIC. I suspect that it has to do with the base address 
which is not a multiple of the page size. Here, the NIC is registered at base 
address 0x04000300:

    smc91c111_init(&nd_table[0], 0x04000300,
                    pxa2xx_gpio_in_get(cpu->gpio)[99]);

According to the last two lines of qemu.log, the NIC is correctly accessed 
during guest system boot at address 0400030e (r4+#14):

0xa3f07fdc:  strh       r5, [r4, #14]
0xa3f07fe0:  bl 0xa3f00f5c

Then, qemu panics:

qemu: fatal: smc91c111_write: Bad reg 0:30e

R00=a3ee01f0 R01=a3edefb8 R02=00000001 R03=00008000
R04=04000300 R05=00000000 R06=a3edefb8 R07=a3edefb8
R08=a3edefdc R09=a3ee0230 R10=a3ee01f0 R11=00000000
R12=a3f27488 R13=a3edec34 R14=a3f04148 R15=a3f07fac
PSR=600001d3 -ZC- A svc32

However, the correct reg should be 0:0e - not 0:30e. The fatal error also occurs 
with disabled MMU. I have debugged the smc91c111 driver and it gets the wrong 
offset value from the calling qemu core.

Could this wrong offset be related cpu_register_physical_memory_offset(...) as 
addresses are rounded down to page boundaries?

exec.c:2325:

/* register physical memory. 'size' must be a multiple of the target
   page size. If (phys_offset & ~TARGET_PAGE_MASK) != 0, then it is an
   io memory page.  The address used when calling the IO function is
   the offset from the start of the region, plus region_offset.  Both
   start_addr and region_offset are rounded down to a page boundary
   before calculating this offset.  This should not be a problem unless
   the low bits of start_addr and region_offset differ.  */

Can this be fixed by another driver initialization?

Thorsten