qemu/hw/usb/hcd-ohci.c
<<
>>
Prefs
   1/*
   2 * QEMU USB OHCI Emulation
   3 * Copyright (c) 2004 Gianni Tedesco
   4 * Copyright (c) 2006 CodeSourcery
   5 * Copyright (c) 2006 Openedhand Ltd.
   6 *
   7 * This library is free software; you can redistribute it and/or
   8 * modify it under the terms of the GNU Lesser General Public
   9 * License as published by the Free Software Foundation; either
  10 * version 2 of the License, or (at your option) any later version.
  11 *
  12 * This library is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  15 * Lesser General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU Lesser General Public
  18 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  19 *
  20 * TODO:
  21 *  o Isochronous transfers
  22 *  o Allocate bandwidth in frames properly
  23 *  o Disable timers when nothing needs to be done, or remove timer usage
  24 *    all together.
  25 *  o BIOS work to boot from USB storage
  26*/
  27
  28#include "qemu/osdep.h"
  29#include "hw/hw.h"
  30#include "qapi/error.h"
  31#include "qemu/timer.h"
  32#include "hw/usb.h"
  33#include "hw/pci/pci.h"
  34#include "hw/sysbus.h"
  35#include "hw/qdev-dma.h"
  36#include "trace.h"
  37
  38/* This causes frames to occur 1000x slower */
  39//#define OHCI_TIME_WARP 1
  40
  41/* Number of Downstream Ports on the root hub.  */
  42
  43#define OHCI_MAX_PORTS 15
  44
  45#define ED_LINK_LIMIT 32
  46
  47static int64_t usb_frame_time;
  48static int64_t usb_bit_time;
  49
  50typedef struct OHCIPort {
  51    USBPort port;
  52    uint32_t ctrl;
  53} OHCIPort;
  54
  55typedef struct {
  56    USBBus bus;
  57    qemu_irq irq;
  58    MemoryRegion mem;
  59    AddressSpace *as;
  60    int num_ports;
  61    const char *name;
  62
  63    QEMUTimer *eof_timer;
  64    int64_t sof_time;
  65
  66    /* OHCI state */
  67    /* Control partition */
  68    uint32_t ctl, status;
  69    uint32_t intr_status;
  70    uint32_t intr;
  71
  72    /* memory pointer partition */
  73    uint32_t hcca;
  74    uint32_t ctrl_head, ctrl_cur;
  75    uint32_t bulk_head, bulk_cur;
  76    uint32_t per_cur;
  77    uint32_t done;
  78    int32_t done_count;
  79
  80    /* Frame counter partition */
  81    uint16_t fsmps;
  82    uint8_t fit;
  83    uint16_t fi;
  84    uint8_t frt;
  85    uint16_t frame_number;
  86    uint16_t padding;
  87    uint32_t pstart;
  88    uint32_t lst;
  89
  90    /* Root Hub partition */
  91    uint32_t rhdesc_a, rhdesc_b;
  92    uint32_t rhstatus;
  93    OHCIPort rhport[OHCI_MAX_PORTS];
  94
  95    /* PXA27x Non-OHCI events */
  96    uint32_t hstatus;
  97    uint32_t hmask;
  98    uint32_t hreset;
  99    uint32_t htest;
 100
 101    /* SM501 local memory offset */
 102    dma_addr_t localmem_base;
 103
 104    /* Active packets.  */
 105    uint32_t old_ctl;
 106    USBPacket usb_packet;
 107    uint8_t usb_buf[8192];
 108    uint32_t async_td;
 109    bool async_complete;
 110
 111} OHCIState;
 112
 113/* Host Controller Communications Area */
 114struct ohci_hcca {
 115    uint32_t intr[32];
 116    uint16_t frame, pad;
 117    uint32_t done;
 118};
 119#define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
 120#define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
 121
 122#define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
 123#define ED_WBACK_SIZE   4
 124
 125static void ohci_bus_stop(OHCIState *ohci);
 126static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
 127
 128/* Bitfields for the first word of an Endpoint Desciptor.  */
 129#define OHCI_ED_FA_SHIFT  0
 130#define OHCI_ED_FA_MASK   (0x7f<<OHCI_ED_FA_SHIFT)
 131#define OHCI_ED_EN_SHIFT  7
 132#define OHCI_ED_EN_MASK   (0xf<<OHCI_ED_EN_SHIFT)
 133#define OHCI_ED_D_SHIFT   11
 134#define OHCI_ED_D_MASK    (3<<OHCI_ED_D_SHIFT)
 135#define OHCI_ED_S         (1<<13)
 136#define OHCI_ED_K         (1<<14)
 137#define OHCI_ED_F         (1<<15)
 138#define OHCI_ED_MPS_SHIFT 16
 139#define OHCI_ED_MPS_MASK  (0x7ff<<OHCI_ED_MPS_SHIFT)
 140
 141/* Flags in the head field of an Endpoint Desciptor.  */
 142#define OHCI_ED_H         1
 143#define OHCI_ED_C         2
 144
 145/* Bitfields for the first word of a Transfer Desciptor.  */
 146#define OHCI_TD_R         (1<<18)
 147#define OHCI_TD_DP_SHIFT  19
 148#define OHCI_TD_DP_MASK   (3<<OHCI_TD_DP_SHIFT)
 149#define OHCI_TD_DI_SHIFT  21
 150#define OHCI_TD_DI_MASK   (7<<OHCI_TD_DI_SHIFT)
 151#define OHCI_TD_T0        (1<<24)
 152#define OHCI_TD_T1        (1<<25)
 153#define OHCI_TD_EC_SHIFT  26
 154#define OHCI_TD_EC_MASK   (3<<OHCI_TD_EC_SHIFT)
 155#define OHCI_TD_CC_SHIFT  28
 156#define OHCI_TD_CC_MASK   (0xf<<OHCI_TD_CC_SHIFT)
 157
 158/* Bitfields for the first word of an Isochronous Transfer Desciptor.  */
 159/* CC & DI - same as in the General Transfer Desciptor */
 160#define OHCI_TD_SF_SHIFT  0
 161#define OHCI_TD_SF_MASK   (0xffff<<OHCI_TD_SF_SHIFT)
 162#define OHCI_TD_FC_SHIFT  24
 163#define OHCI_TD_FC_MASK   (7<<OHCI_TD_FC_SHIFT)
 164
 165/* Isochronous Transfer Desciptor - Offset / PacketStatusWord */
 166#define OHCI_TD_PSW_CC_SHIFT 12
 167#define OHCI_TD_PSW_CC_MASK  (0xf<<OHCI_TD_PSW_CC_SHIFT)
 168#define OHCI_TD_PSW_SIZE_SHIFT 0
 169#define OHCI_TD_PSW_SIZE_MASK  (0xfff<<OHCI_TD_PSW_SIZE_SHIFT)
 170
 171#define OHCI_PAGE_MASK    0xfffff000
 172#define OHCI_OFFSET_MASK  0xfff
 173
 174#define OHCI_DPTR_MASK    0xfffffff0
 175
 176#define OHCI_BM(val, field) \
 177  (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
 178
 179#define OHCI_SET_BM(val, field, newval) do { \
 180    val &= ~OHCI_##field##_MASK; \
 181    val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
 182    } while(0)
 183
 184/* endpoint descriptor */
 185struct ohci_ed {
 186    uint32_t flags;
 187    uint32_t tail;
 188    uint32_t head;
 189    uint32_t next;
 190};
 191
 192/* General transfer descriptor */
 193struct ohci_td {
 194    uint32_t flags;
 195    uint32_t cbp;
 196    uint32_t next;
 197    uint32_t be;
 198};
 199
 200/* Isochronous transfer descriptor */
 201struct ohci_iso_td {
 202    uint32_t flags;
 203    uint32_t bp;
 204    uint32_t next;
 205    uint32_t be;
 206    uint16_t offset[8];
 207};
 208
 209#define USB_HZ                      12000000
 210
 211/* OHCI Local stuff */
 212#define OHCI_CTL_CBSR         ((1<<0)|(1<<1))
 213#define OHCI_CTL_PLE          (1<<2)
 214#define OHCI_CTL_IE           (1<<3)
 215#define OHCI_CTL_CLE          (1<<4)
 216#define OHCI_CTL_BLE          (1<<5)
 217#define OHCI_CTL_HCFS         ((1<<6)|(1<<7))
 218#define  OHCI_USB_RESET       0x00
 219#define  OHCI_USB_RESUME      0x40
 220#define  OHCI_USB_OPERATIONAL 0x80
 221#define  OHCI_USB_SUSPEND     0xc0
 222#define OHCI_CTL_IR           (1<<8)
 223#define OHCI_CTL_RWC          (1<<9)
 224#define OHCI_CTL_RWE          (1<<10)
 225
 226#define OHCI_STATUS_HCR       (1<<0)
 227#define OHCI_STATUS_CLF       (1<<1)
 228#define OHCI_STATUS_BLF       (1<<2)
 229#define OHCI_STATUS_OCR       (1<<3)
 230#define OHCI_STATUS_SOC       ((1<<6)|(1<<7))
 231
 232#define OHCI_INTR_SO          (1U<<0) /* Scheduling overrun */
 233#define OHCI_INTR_WD          (1U<<1) /* HcDoneHead writeback */
 234#define OHCI_INTR_SF          (1U<<2) /* Start of frame */
 235#define OHCI_INTR_RD          (1U<<3) /* Resume detect */
 236#define OHCI_INTR_UE          (1U<<4) /* Unrecoverable error */
 237#define OHCI_INTR_FNO         (1U<<5) /* Frame number overflow */
 238#define OHCI_INTR_RHSC        (1U<<6) /* Root hub status change */
 239#define OHCI_INTR_OC          (1U<<30) /* Ownership change */
 240#define OHCI_INTR_MIE         (1U<<31) /* Master Interrupt Enable */
 241
 242#define OHCI_HCCA_SIZE        0x100
 243#define OHCI_HCCA_MASK        0xffffff00
 244
 245#define OHCI_EDPTR_MASK       0xfffffff0
 246
 247#define OHCI_FMI_FI           0x00003fff
 248#define OHCI_FMI_FSMPS        0xffff0000
 249#define OHCI_FMI_FIT          0x80000000
 250
 251#define OHCI_FR_RT            (1U<<31)
 252
 253#define OHCI_LS_THRESH        0x628
 254
 255#define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
 256#define OHCI_RHA_PSM          (1<<8)
 257#define OHCI_RHA_NPS          (1<<9)
 258#define OHCI_RHA_DT           (1<<10)
 259#define OHCI_RHA_OCPM         (1<<11)
 260#define OHCI_RHA_NOCP         (1<<12)
 261#define OHCI_RHA_POTPGT_MASK  0xff000000
 262
 263#define OHCI_RHS_LPS          (1U<<0)
 264#define OHCI_RHS_OCI          (1U<<1)
 265#define OHCI_RHS_DRWE         (1U<<15)
 266#define OHCI_RHS_LPSC         (1U<<16)
 267#define OHCI_RHS_OCIC         (1U<<17)
 268#define OHCI_RHS_CRWE         (1U<<31)
 269
 270#define OHCI_PORT_CCS         (1<<0)
 271#define OHCI_PORT_PES         (1<<1)
 272#define OHCI_PORT_PSS         (1<<2)
 273#define OHCI_PORT_POCI        (1<<3)
 274#define OHCI_PORT_PRS         (1<<4)
 275#define OHCI_PORT_PPS         (1<<8)
 276#define OHCI_PORT_LSDA        (1<<9)
 277#define OHCI_PORT_CSC         (1<<16)
 278#define OHCI_PORT_PESC        (1<<17)
 279#define OHCI_PORT_PSSC        (1<<18)
 280#define OHCI_PORT_OCIC        (1<<19)
 281#define OHCI_PORT_PRSC        (1<<20)
 282#define OHCI_PORT_WTC         (OHCI_PORT_CSC|OHCI_PORT_PESC|OHCI_PORT_PSSC \
 283                               |OHCI_PORT_OCIC|OHCI_PORT_PRSC)
 284
 285#define OHCI_TD_DIR_SETUP     0x0
 286#define OHCI_TD_DIR_OUT       0x1
 287#define OHCI_TD_DIR_IN        0x2
 288#define OHCI_TD_DIR_RESERVED  0x3
 289
 290#define OHCI_CC_NOERROR             0x0
 291#define OHCI_CC_CRC                 0x1
 292#define OHCI_CC_BITSTUFFING         0x2
 293#define OHCI_CC_DATATOGGLEMISMATCH  0x3
 294#define OHCI_CC_STALL               0x4
 295#define OHCI_CC_DEVICENOTRESPONDING 0x5
 296#define OHCI_CC_PIDCHECKFAILURE     0x6
 297#define OHCI_CC_UNDEXPETEDPID       0x7
 298#define OHCI_CC_DATAOVERRUN         0x8
 299#define OHCI_CC_DATAUNDERRUN        0x9
 300#define OHCI_CC_BUFFEROVERRUN       0xc
 301#define OHCI_CC_BUFFERUNDERRUN      0xd
 302
 303#define OHCI_HRESET_FSBIR       (1 << 0)
 304
 305static void ohci_die(OHCIState *ohci);
 306
 307/* Update IRQ levels */
 308static inline void ohci_intr_update(OHCIState *ohci)
 309{
 310    int level = 0;
 311
 312    if ((ohci->intr & OHCI_INTR_MIE) &&
 313        (ohci->intr_status & ohci->intr))
 314        level = 1;
 315
 316    qemu_set_irq(ohci->irq, level);
 317}
 318
 319/* Set an interrupt */
 320static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
 321{
 322    ohci->intr_status |= intr;
 323    ohci_intr_update(ohci);
 324}
 325
 326/* Attach or detach a device on a root hub port.  */
 327static void ohci_attach(USBPort *port1)
 328{
 329    OHCIState *s = port1->opaque;
 330    OHCIPort *port = &s->rhport[port1->index];
 331    uint32_t old_state = port->ctrl;
 332
 333    /* set connect status */
 334    port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
 335
 336    /* update speed */
 337    if (port->port.dev->speed == USB_SPEED_LOW) {
 338        port->ctrl |= OHCI_PORT_LSDA;
 339    } else {
 340        port->ctrl &= ~OHCI_PORT_LSDA;
 341    }
 342
 343    /* notify of remote-wakeup */
 344    if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
 345        ohci_set_interrupt(s, OHCI_INTR_RD);
 346    }
 347
 348    trace_usb_ohci_port_attach(port1->index);
 349
 350    if (old_state != port->ctrl) {
 351        ohci_set_interrupt(s, OHCI_INTR_RHSC);
 352    }
 353}
 354
 355static void ohci_detach(USBPort *port1)
 356{
 357    OHCIState *s = port1->opaque;
 358    OHCIPort *port = &s->rhport[port1->index];
 359    uint32_t old_state = port->ctrl;
 360
 361    ohci_async_cancel_device(s, port1->dev);
 362
 363    /* set connect status */
 364    if (port->ctrl & OHCI_PORT_CCS) {
 365        port->ctrl &= ~OHCI_PORT_CCS;
 366        port->ctrl |= OHCI_PORT_CSC;
 367    }
 368    /* disable port */
 369    if (port->ctrl & OHCI_PORT_PES) {
 370        port->ctrl &= ~OHCI_PORT_PES;
 371        port->ctrl |= OHCI_PORT_PESC;
 372    }
 373    trace_usb_ohci_port_detach(port1->index);
 374
 375    if (old_state != port->ctrl) {
 376        ohci_set_interrupt(s, OHCI_INTR_RHSC);
 377    }
 378}
 379
 380static void ohci_wakeup(USBPort *port1)
 381{
 382    OHCIState *s = port1->opaque;
 383    OHCIPort *port = &s->rhport[port1->index];
 384    uint32_t intr = 0;
 385    if (port->ctrl & OHCI_PORT_PSS) {
 386        trace_usb_ohci_port_wakeup(port1->index);
 387        port->ctrl |= OHCI_PORT_PSSC;
 388        port->ctrl &= ~OHCI_PORT_PSS;
 389        intr = OHCI_INTR_RHSC;
 390    }
 391    /* Note that the controller can be suspended even if this port is not */
 392    if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
 393        trace_usb_ohci_remote_wakeup(s->name);
 394        /* This is the one state transition the controller can do by itself */
 395        s->ctl &= ~OHCI_CTL_HCFS;
 396        s->ctl |= OHCI_USB_RESUME;
 397        /* In suspend mode only ResumeDetected is possible, not RHSC:
 398         * see the OHCI spec 5.1.2.3.
 399         */
 400        intr = OHCI_INTR_RD;
 401    }
 402    ohci_set_interrupt(s, intr);
 403}
 404
 405static void ohci_child_detach(USBPort *port1, USBDevice *child)
 406{
 407    OHCIState *s = port1->opaque;
 408
 409    ohci_async_cancel_device(s, child);
 410}
 411
 412static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
 413{
 414    USBDevice *dev;
 415    int i;
 416
 417    for (i = 0; i < ohci->num_ports; i++) {
 418        if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
 419            continue;
 420        }
 421        dev = usb_find_device(&ohci->rhport[i].port, addr);
 422        if (dev != NULL) {
 423            return dev;
 424        }
 425    }
 426    return NULL;
 427}
 428
 429static void ohci_stop_endpoints(OHCIState *ohci)
 430{
 431    USBDevice *dev;
 432    int i, j;
 433
 434    for (i = 0; i < ohci->num_ports; i++) {
 435        dev = ohci->rhport[i].port.dev;
 436        if (dev && dev->attached) {
 437            usb_device_ep_stopped(dev, &dev->ep_ctl);
 438            for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
 439                usb_device_ep_stopped(dev, &dev->ep_in[j]);
 440                usb_device_ep_stopped(dev, &dev->ep_out[j]);
 441            }
 442        }
 443    }
 444}
 445
 446static void ohci_roothub_reset(OHCIState *ohci)
 447{
 448    OHCIPort *port;
 449    int i;
 450
 451    ohci_bus_stop(ohci);
 452    ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
 453    ohci->rhdesc_b = 0x0; /* Impl. specific */
 454    ohci->rhstatus = 0;
 455
 456    for (i = 0; i < ohci->num_ports; i++) {
 457        port = &ohci->rhport[i];
 458        port->ctrl = 0;
 459        if (port->port.dev && port->port.dev->attached) {
 460            usb_port_reset(&port->port);
 461        }
 462    }
 463    if (ohci->async_td) {
 464        usb_cancel_packet(&ohci->usb_packet);
 465        ohci->async_td = 0;
 466    }
 467    ohci_stop_endpoints(ohci);
 468}
 469
 470/* Reset the controller */
 471static void ohci_soft_reset(OHCIState *ohci)
 472{
 473    trace_usb_ohci_reset(ohci->name);
 474
 475    ohci_bus_stop(ohci);
 476    ohci->ctl = (ohci->ctl & OHCI_CTL_IR) | OHCI_USB_SUSPEND;
 477    ohci->old_ctl = 0;
 478    ohci->status = 0;
 479    ohci->intr_status = 0;
 480    ohci->intr = OHCI_INTR_MIE;
 481
 482    ohci->hcca = 0;
 483    ohci->ctrl_head = ohci->ctrl_cur = 0;
 484    ohci->bulk_head = ohci->bulk_cur = 0;
 485    ohci->per_cur = 0;
 486    ohci->done = 0;
 487    ohci->done_count = 7;
 488
 489    /* FSMPS is marked TBD in OCHI 1.0, what gives ffs?
 490     * I took the value linux sets ...
 491     */
 492    ohci->fsmps = 0x2778;
 493    ohci->fi = 0x2edf;
 494    ohci->fit = 0;
 495    ohci->frt = 0;
 496    ohci->frame_number = 0;
 497    ohci->pstart = 0;
 498    ohci->lst = OHCI_LS_THRESH;
 499}
 500
 501static void ohci_hard_reset(OHCIState *ohci)
 502{
 503    ohci_soft_reset(ohci);
 504    ohci->ctl = 0;
 505    ohci_roothub_reset(ohci);
 506}
 507
 508/* Get an array of dwords from main memory */
 509static inline int get_dwords(OHCIState *ohci,
 510                             dma_addr_t addr, uint32_t *buf, int num)
 511{
 512    int i;
 513
 514    addr += ohci->localmem_base;
 515
 516    for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
 517        if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
 518            return -1;
 519        }
 520        *buf = le32_to_cpu(*buf);
 521    }
 522
 523    return 0;
 524}
 525
 526/* Put an array of dwords in to main memory */
 527static inline int put_dwords(OHCIState *ohci,
 528                             dma_addr_t addr, uint32_t *buf, int num)
 529{
 530    int i;
 531
 532    addr += ohci->localmem_base;
 533
 534    for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
 535        uint32_t tmp = cpu_to_le32(*buf);
 536        if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
 537            return -1;
 538        }
 539    }
 540
 541    return 0;
 542}
 543
 544/* Get an array of words from main memory */
 545static inline int get_words(OHCIState *ohci,
 546                            dma_addr_t addr, uint16_t *buf, int num)
 547{
 548    int i;
 549
 550    addr += ohci->localmem_base;
 551
 552    for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
 553        if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
 554            return -1;
 555        }
 556        *buf = le16_to_cpu(*buf);
 557    }
 558
 559    return 0;
 560}
 561
 562/* Put an array of words in to main memory */
 563static inline int put_words(OHCIState *ohci,
 564                            dma_addr_t addr, uint16_t *buf, int num)
 565{
 566    int i;
 567
 568    addr += ohci->localmem_base;
 569
 570    for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
 571        uint16_t tmp = cpu_to_le16(*buf);
 572        if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
 573            return -1;
 574        }
 575    }
 576
 577    return 0;
 578}
 579
 580static inline int ohci_read_ed(OHCIState *ohci,
 581                               dma_addr_t addr, struct ohci_ed *ed)
 582{
 583    return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
 584}
 585
 586static inline int ohci_read_td(OHCIState *ohci,
 587                               dma_addr_t addr, struct ohci_td *td)
 588{
 589    return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
 590}
 591
 592static inline int ohci_read_iso_td(OHCIState *ohci,
 593                                   dma_addr_t addr, struct ohci_iso_td *td)
 594{
 595    return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
 596           get_words(ohci, addr + 16, td->offset, 8);
 597}
 598
 599static inline int ohci_read_hcca(OHCIState *ohci,
 600                                 dma_addr_t addr, struct ohci_hcca *hcca)
 601{
 602    return dma_memory_read(ohci->as, addr + ohci->localmem_base,
 603                           hcca, sizeof(*hcca));
 604}
 605
 606static inline int ohci_put_ed(OHCIState *ohci,
 607                              dma_addr_t addr, struct ohci_ed *ed)
 608{
 609    /* ed->tail is under control of the HCD.
 610     * Since just ed->head is changed by HC, just write back this
 611     */
 612
 613    return put_dwords(ohci, addr + ED_WBACK_OFFSET,
 614                      (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
 615                      ED_WBACK_SIZE >> 2);
 616}
 617
 618static inline int ohci_put_td(OHCIState *ohci,
 619                              dma_addr_t addr, struct ohci_td *td)
 620{
 621    return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
 622}
 623
 624static inline int ohci_put_iso_td(OHCIState *ohci,
 625                                  dma_addr_t addr, struct ohci_iso_td *td)
 626{
 627    return put_dwords(ohci, addr, (uint32_t *)td, 4) ||
 628           put_words(ohci, addr + 16, td->offset, 8);
 629}
 630
 631static inline int ohci_put_hcca(OHCIState *ohci,
 632                                dma_addr_t addr, struct ohci_hcca *hcca)
 633{
 634    return dma_memory_write(ohci->as,
 635                            addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
 636                            (char *)hcca + HCCA_WRITEBACK_OFFSET,
 637                            HCCA_WRITEBACK_SIZE);
 638}
 639
 640/* Read/Write the contents of a TD from/to main memory.  */
 641static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
 642                        uint8_t *buf, int len, DMADirection dir)
 643{
 644    dma_addr_t ptr, n;
 645
 646    ptr = td->cbp;
 647    n = 0x1000 - (ptr & 0xfff);
 648    if (n > len)
 649        n = len;
 650
 651    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
 652        return -1;
 653    }
 654    if (n == len) {
 655        return 0;
 656    }
 657    ptr = td->be & ~0xfffu;
 658    buf += n;
 659    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
 660                      len - n, dir)) {
 661        return -1;
 662    }
 663    return 0;
 664}
 665
 666/* Read/Write the contents of an ISO TD from/to main memory.  */
 667static int ohci_copy_iso_td(OHCIState *ohci,
 668                            uint32_t start_addr, uint32_t end_addr,
 669                            uint8_t *buf, int len, DMADirection dir)
 670{
 671    dma_addr_t ptr, n;
 672
 673    ptr = start_addr;
 674    n = 0x1000 - (ptr & 0xfff);
 675    if (n > len)
 676        n = len;
 677
 678    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
 679        return -1;
 680    }
 681    if (n == len) {
 682        return 0;
 683    }
 684    ptr = end_addr & ~0xfffu;
 685    buf += n;
 686    if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
 687                      len - n, dir)) {
 688        return -1;
 689    }
 690    return 0;
 691}
 692
 693static void ohci_process_lists(OHCIState *ohci, int completion);
 694
 695static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
 696{
 697    OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
 698
 699    trace_usb_ohci_async_complete();
 700    ohci->async_complete = true;
 701    ohci_process_lists(ohci, 1);
 702}
 703
 704#define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
 705
 706static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
 707                               int completion)
 708{
 709    int dir;
 710    size_t len = 0;
 711    const char *str = NULL;
 712    int pid;
 713    int ret;
 714    int i;
 715    USBDevice *dev;
 716    USBEndpoint *ep;
 717    struct ohci_iso_td iso_td;
 718    uint32_t addr;
 719    uint16_t starting_frame;
 720    int16_t relative_frame_number;
 721    int frame_count;
 722    uint32_t start_offset, next_offset, end_offset = 0;
 723    uint32_t start_addr, end_addr;
 724
 725    addr = ed->head & OHCI_DPTR_MASK;
 726
 727    if (ohci_read_iso_td(ohci, addr, &iso_td)) {
 728        trace_usb_ohci_iso_td_read_failed(addr);
 729        ohci_die(ohci);
 730        return 1;
 731    }
 732
 733    starting_frame = OHCI_BM(iso_td.flags, TD_SF);
 734    frame_count = OHCI_BM(iso_td.flags, TD_FC);
 735    relative_frame_number = USUB(ohci->frame_number, starting_frame); 
 736
 737    trace_usb_ohci_iso_td_head(
 738           ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
 739           iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
 740           ohci->frame_number, starting_frame,
 741           frame_count, relative_frame_number);
 742    trace_usb_ohci_iso_td_head_offset(
 743           iso_td.offset[0], iso_td.offset[1],
 744           iso_td.offset[2], iso_td.offset[3],
 745           iso_td.offset[4], iso_td.offset[5],
 746           iso_td.offset[6], iso_td.offset[7]);
 747
 748    if (relative_frame_number < 0) {
 749        trace_usb_ohci_iso_td_relative_frame_number_neg(relative_frame_number);
 750        return 1;
 751    } else if (relative_frame_number > frame_count) {
 752        /* ISO TD expired - retire the TD to the Done Queue and continue with
 753           the next ISO TD of the same ED */
 754        trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
 755                                                        frame_count);
 756        OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
 757        ed->head &= ~OHCI_DPTR_MASK;
 758        ed->head |= (iso_td.next & OHCI_DPTR_MASK);
 759        iso_td.next = ohci->done;
 760        ohci->done = addr;
 761        i = OHCI_BM(iso_td.flags, TD_DI);
 762        if (i < ohci->done_count)
 763            ohci->done_count = i;
 764        if (ohci_put_iso_td(ohci, addr, &iso_td)) {
 765            ohci_die(ohci);
 766            return 1;
 767        }
 768        return 0;
 769    }
 770
 771    dir = OHCI_BM(ed->flags, ED_D);
 772    switch (dir) {
 773    case OHCI_TD_DIR_IN:
 774        str = "in";
 775        pid = USB_TOKEN_IN;
 776        break;
 777    case OHCI_TD_DIR_OUT:
 778        str = "out";
 779        pid = USB_TOKEN_OUT;
 780        break;
 781    case OHCI_TD_DIR_SETUP:
 782        str = "setup";
 783        pid = USB_TOKEN_SETUP;
 784        break;
 785    default:
 786        trace_usb_ohci_iso_td_bad_direction(dir);
 787        return 1;
 788    }
 789
 790    if (!iso_td.bp || !iso_td.be) {
 791        trace_usb_ohci_iso_td_bad_bp_be(iso_td.bp, iso_td.be);
 792        return 1;
 793    }
 794
 795    start_offset = iso_td.offset[relative_frame_number];
 796    next_offset = iso_td.offset[relative_frame_number + 1];
 797
 798    if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || 
 799        ((relative_frame_number < frame_count) && 
 800         !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
 801        trace_usb_ohci_iso_td_bad_cc_not_accessed(start_offset, next_offset);
 802        return 1;
 803    }
 804
 805    if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
 806        trace_usb_ohci_iso_td_bad_cc_overrun(start_offset, next_offset);
 807        return 1;
 808    }
 809
 810    if ((start_offset & 0x1000) == 0) {
 811        start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
 812            (start_offset & OHCI_OFFSET_MASK);
 813    } else {
 814        start_addr = (iso_td.be & OHCI_PAGE_MASK) |
 815            (start_offset & OHCI_OFFSET_MASK);
 816    }
 817
 818    if (relative_frame_number < frame_count) {
 819        end_offset = next_offset - 1;
 820        if ((end_offset & 0x1000) == 0) {
 821            end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
 822                (end_offset & OHCI_OFFSET_MASK);
 823        } else {
 824            end_addr = (iso_td.be & OHCI_PAGE_MASK) |
 825                (end_offset & OHCI_OFFSET_MASK);
 826        }
 827    } else {
 828        /* Last packet in the ISO TD */
 829        end_addr = iso_td.be;
 830    }
 831
 832    if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
 833        len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
 834            - (start_addr & OHCI_OFFSET_MASK);
 835    } else {
 836        len = end_addr - start_addr + 1;
 837    }
 838
 839    if (len && dir != OHCI_TD_DIR_IN) {
 840        if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
 841                             DMA_DIRECTION_TO_DEVICE)) {
 842            ohci_die(ohci);
 843            return 1;
 844        }
 845    }
 846
 847    if (!completion) {
 848        bool int_req = relative_frame_number == frame_count &&
 849                       OHCI_BM(iso_td.flags, TD_DI) == 0;
 850        dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
 851        ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
 852        usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
 853        usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
 854        usb_handle_packet(dev, &ohci->usb_packet);
 855        if (ohci->usb_packet.status == USB_RET_ASYNC) {
 856            usb_device_flush_ep_queue(dev, ep);
 857            return 1;
 858        }
 859    }
 860    if (ohci->usb_packet.status == USB_RET_SUCCESS) {
 861        ret = ohci->usb_packet.actual_length;
 862    } else {
 863        ret = ohci->usb_packet.status;
 864    }
 865
 866    trace_usb_ohci_iso_td_so(start_offset, end_offset, start_addr, end_addr,
 867                             str, len, ret);
 868
 869    /* Writeback */
 870    if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
 871        /* IN transfer succeeded */
 872        if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, ret,
 873                             DMA_DIRECTION_FROM_DEVICE)) {
 874            ohci_die(ohci);
 875            return 1;
 876        }
 877        OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
 878                    OHCI_CC_NOERROR);
 879        OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
 880    } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
 881        /* OUT transfer succeeded */
 882        OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
 883                    OHCI_CC_NOERROR);
 884        OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
 885    } else {
 886        if (ret > (ssize_t) len) {
 887            trace_usb_ohci_iso_td_data_overrun(ret, len);
 888            OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
 889                        OHCI_CC_DATAOVERRUN);
 890            OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
 891                        len);
 892        } else if (ret >= 0) {
 893            trace_usb_ohci_iso_td_data_underrun(ret);
 894            OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
 895                        OHCI_CC_DATAUNDERRUN);
 896        } else {
 897            switch (ret) {
 898            case USB_RET_IOERROR:
 899            case USB_RET_NODEV:
 900                OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
 901                            OHCI_CC_DEVICENOTRESPONDING);
 902                OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
 903                            0);
 904                break;
 905            case USB_RET_NAK:
 906            case USB_RET_STALL:
 907                trace_usb_ohci_iso_td_nak(ret);
 908                OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
 909                            OHCI_CC_STALL);
 910                OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
 911                            0);
 912                break;
 913            default:
 914                trace_usb_ohci_iso_td_bad_response(ret);
 915                OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
 916                            OHCI_CC_UNDEXPETEDPID);
 917                break;
 918            }
 919        }
 920    }
 921
 922    if (relative_frame_number == frame_count) {
 923        /* Last data packet of ISO TD - retire the TD to the Done Queue */
 924        OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
 925        ed->head &= ~OHCI_DPTR_MASK;
 926        ed->head |= (iso_td.next & OHCI_DPTR_MASK);
 927        iso_td.next = ohci->done;
 928        ohci->done = addr;
 929        i = OHCI_BM(iso_td.flags, TD_DI);
 930        if (i < ohci->done_count)
 931            ohci->done_count = i;
 932    }
 933    if (ohci_put_iso_td(ohci, addr, &iso_td)) {
 934        ohci_die(ohci);
 935    }
 936    return 1;
 937}
 938
 939static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
 940{
 941    bool print16;
 942    bool printall;
 943    const int width = 16;
 944    int i;
 945    char tmp[3 * width + 1];
 946    char *p = tmp;
 947
 948    print16 = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_SHORT);
 949    printall = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_FULL);
 950
 951    if (!printall && !print16) {
 952        return;
 953    }
 954
 955    for (i = 0; ; i++) {
 956        if (i && (!(i % width) || (i == len))) {
 957            if (!printall) {
 958                trace_usb_ohci_td_pkt_short(msg, tmp);
 959                break;
 960            }
 961            trace_usb_ohci_td_pkt_full(msg, tmp);
 962            p = tmp;
 963            *p = 0;
 964        }
 965        if (i == len) {
 966            break;
 967        }
 968
 969        p += sprintf(p, " %.2x", buf[i]);
 970    }
 971}
 972
 973/* Service a transport descriptor.
 974   Returns nonzero to terminate processing of this endpoint.  */
 975
 976static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
 977{
 978    int dir;
 979    size_t len = 0, pktlen = 0;
 980    const char *str = NULL;
 981    int pid;
 982    int ret;
 983    int i;
 984    USBDevice *dev;
 985    USBEndpoint *ep;
 986    struct ohci_td td;
 987    uint32_t addr;
 988    int flag_r;
 989    int completion;
 990
 991    addr = ed->head & OHCI_DPTR_MASK;
 992    /* See if this TD has already been submitted to the device.  */
 993    completion = (addr == ohci->async_td);
 994    if (completion && !ohci->async_complete) {
 995        trace_usb_ohci_td_skip_async();
 996        return 1;
 997    }
 998    if (ohci_read_td(ohci, addr, &td)) {
 999        trace_usb_ohci_td_read_error(addr);
1000        ohci_die(ohci);
1001        return 1;
1002    }
1003
1004    dir = OHCI_BM(ed->flags, ED_D);
1005    switch (dir) {
1006    case OHCI_TD_DIR_OUT:
1007    case OHCI_TD_DIR_IN:
1008        /* Same value.  */
1009        break;
1010    default:
1011        dir = OHCI_BM(td.flags, TD_DP);
1012        break;
1013    }
1014
1015    switch (dir) {
1016    case OHCI_TD_DIR_IN:
1017        str = "in";
1018        pid = USB_TOKEN_IN;
1019        break;
1020    case OHCI_TD_DIR_OUT:
1021        str = "out";
1022        pid = USB_TOKEN_OUT;
1023        break;
1024    case OHCI_TD_DIR_SETUP:
1025        str = "setup";
1026        pid = USB_TOKEN_SETUP;
1027        break;
1028    default:
1029        trace_usb_ohci_td_bad_direction(dir);
1030        return 1;
1031    }
1032    if (td.cbp && td.be) {
1033        if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
1034            len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
1035        } else {
1036            len = (td.be - td.cbp) + 1;
1037        }
1038
1039        pktlen = len;
1040        if (len && dir != OHCI_TD_DIR_IN) {
1041            /* The endpoint may not allow us to transfer it all now */
1042            pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
1043            if (pktlen > len) {
1044                pktlen = len;
1045            }
1046            if (!completion) {
1047                if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
1048                                 DMA_DIRECTION_TO_DEVICE)) {
1049                    ohci_die(ohci);
1050                }
1051            }
1052        }
1053    }
1054
1055    flag_r = (td.flags & OHCI_TD_R) != 0;
1056    trace_usb_ohci_td_pkt_hdr(addr, (int64_t)pktlen, (int64_t)len, str,
1057                              flag_r, td.cbp, td.be);
1058    ohci_td_pkt("OUT", ohci->usb_buf, pktlen);
1059
1060    if (completion) {
1061        ohci->async_td = 0;
1062        ohci->async_complete = false;
1063    } else {
1064        if (ohci->async_td) {
1065            /* ??? The hardware should allow one active packet per
1066               endpoint.  We only allow one active packet per controller.
1067               This should be sufficient as long as devices respond in a
1068               timely manner.
1069            */
1070            trace_usb_ohci_td_too_many_pending();
1071            return 1;
1072        }
1073        dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
1074        ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
1075        usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
1076                         OHCI_BM(td.flags, TD_DI) == 0);
1077        usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
1078        usb_handle_packet(dev, &ohci->usb_packet);
1079        trace_usb_ohci_td_packet_status(ohci->usb_packet.status);
1080
1081        if (ohci->usb_packet.status == USB_RET_ASYNC) {
1082            usb_device_flush_ep_queue(dev, ep);
1083            ohci->async_td = addr;
1084            return 1;
1085        }
1086    }
1087    if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1088        ret = ohci->usb_packet.actual_length;
1089    } else {
1090        ret = ohci->usb_packet.status;
1091    }
1092
1093    if (ret >= 0) {
1094        if (dir == OHCI_TD_DIR_IN) {
1095            if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1096                             DMA_DIRECTION_FROM_DEVICE)) {
1097                ohci_die(ohci);
1098            }
1099            ohci_td_pkt("IN", ohci->usb_buf, pktlen);
1100        } else {
1101            ret = pktlen;
1102        }
1103    }
1104
1105    /* Writeback */
1106    if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1107        /* Transmission succeeded.  */
1108        if (ret == len) {
1109            td.cbp = 0;
1110        } else {
1111            if ((td.cbp & 0xfff) + ret > 0xfff) {
1112                td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1113            } else {
1114                td.cbp += ret;
1115            }
1116        }
1117        td.flags |= OHCI_TD_T1;
1118        td.flags ^= OHCI_TD_T0;
1119        OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1120        OHCI_SET_BM(td.flags, TD_EC, 0);
1121
1122        if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1123            /* Partial packet transfer: TD not ready to retire yet */
1124            goto exit_no_retire;
1125        }
1126
1127        /* Setting ED_C is part of the TD retirement process */
1128        ed->head &= ~OHCI_ED_C;
1129        if (td.flags & OHCI_TD_T0)
1130            ed->head |= OHCI_ED_C;
1131    } else {
1132        if (ret >= 0) {
1133            trace_usb_ohci_td_underrun();
1134            OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1135        } else {
1136            switch (ret) {
1137            case USB_RET_IOERROR:
1138            case USB_RET_NODEV:
1139                trace_usb_ohci_td_dev_error();
1140                OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1141                break;
1142            case USB_RET_NAK:
1143                trace_usb_ohci_td_nak();
1144                return 1;
1145            case USB_RET_STALL:
1146                trace_usb_ohci_td_stall();
1147                OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1148                break;
1149            case USB_RET_BABBLE:
1150                trace_usb_ohci_td_babble();
1151                OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1152                break;
1153            default:
1154                trace_usb_ohci_td_bad_device_response(ret);
1155                OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1156                OHCI_SET_BM(td.flags, TD_EC, 3);
1157                break;
1158            }
1159        }
1160        ed->head |= OHCI_ED_H;
1161    }
1162
1163    /* Retire this TD */
1164    ed->head &= ~OHCI_DPTR_MASK;
1165    ed->head |= td.next & OHCI_DPTR_MASK;
1166    td.next = ohci->done;
1167    ohci->done = addr;
1168    i = OHCI_BM(td.flags, TD_DI);
1169    if (i < ohci->done_count)
1170        ohci->done_count = i;
1171exit_no_retire:
1172    if (ohci_put_td(ohci, addr, &td)) {
1173        ohci_die(ohci);
1174        return 1;
1175    }
1176    return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1177}
1178
1179/* Service an endpoint list.  Returns nonzero if active TD were found.  */
1180static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
1181{
1182    struct ohci_ed ed;
1183    uint32_t next_ed;
1184    uint32_t cur;
1185    int active;
1186    uint32_t link_cnt = 0;
1187    active = 0;
1188
1189    if (head == 0)
1190        return 0;
1191
1192    for (cur = head; cur; cur = next_ed) {
1193        if (ohci_read_ed(ohci, cur, &ed)) {
1194            trace_usb_ohci_ed_read_error(cur);
1195            ohci_die(ohci);
1196            return 0;
1197        }
1198
1199        next_ed = ed.next & OHCI_DPTR_MASK;
1200
1201        if (++link_cnt > ED_LINK_LIMIT) {
1202            ohci_die(ohci);
1203            return 0;
1204        }
1205
1206        if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1207            uint32_t addr;
1208            /* Cancel pending packets for ED that have been paused.  */
1209            addr = ed.head & OHCI_DPTR_MASK;
1210            if (ohci->async_td && addr == ohci->async_td) {
1211                usb_cancel_packet(&ohci->usb_packet);
1212                ohci->async_td = 0;
1213                usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1214                                      ohci->usb_packet.ep);
1215            }
1216            continue;
1217        }
1218
1219        while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1220            trace_usb_ohci_ed_pkt(cur, (ed.head & OHCI_ED_H) != 0,
1221                    (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1222                    ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1223            trace_usb_ohci_ed_pkt_flags(
1224                    OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1225                    OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S)!= 0,
1226                    (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1227                    OHCI_BM(ed.flags, ED_MPS));
1228
1229            active = 1;
1230
1231            if ((ed.flags & OHCI_ED_F) == 0) {
1232                if (ohci_service_td(ohci, &ed))
1233                    break;
1234            } else {
1235                /* Handle isochronous endpoints */
1236                if (ohci_service_iso_td(ohci, &ed, completion))
1237                    break;
1238            }
1239        }
1240
1241        if (ohci_put_ed(ohci, cur, &ed)) {
1242            ohci_die(ohci);
1243            return 0;
1244        }
1245    }
1246
1247    return active;
1248}
1249
1250/* set a timer for EOF */
1251static void ohci_eof_timer(OHCIState *ohci)
1252{
1253    ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1254    timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1255}
1256/* Set a timer for EOF and generate a SOF event */
1257static void ohci_sof(OHCIState *ohci)
1258{
1259    ohci_eof_timer(ohci);
1260    ohci_set_interrupt(ohci, OHCI_INTR_SF);
1261}
1262
1263/* Process Control and Bulk lists.  */
1264static void ohci_process_lists(OHCIState *ohci, int completion)
1265{
1266    if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1267        if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1268            trace_usb_ohci_process_lists(ohci->ctrl_head, ohci->ctrl_cur);
1269        }
1270        if (!ohci_service_ed_list(ohci, ohci->ctrl_head, completion)) {
1271            ohci->ctrl_cur = 0;
1272            ohci->status &= ~OHCI_STATUS_CLF;
1273        }
1274    }
1275
1276    if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1277        if (!ohci_service_ed_list(ohci, ohci->bulk_head, completion)) {
1278            ohci->bulk_cur = 0;
1279            ohci->status &= ~OHCI_STATUS_BLF;
1280        }
1281    }
1282}
1283
1284/* Do frame processing on frame boundary */
1285static void ohci_frame_boundary(void *opaque)
1286{
1287    OHCIState *ohci = opaque;
1288    struct ohci_hcca hcca;
1289
1290    if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1291        trace_usb_ohci_hcca_read_error(ohci->hcca);
1292        ohci_die(ohci);
1293        return;
1294    }
1295
1296    /* Process all the lists at the end of the frame */
1297    if (ohci->ctl & OHCI_CTL_PLE) {
1298        int n;
1299
1300        n = ohci->frame_number & 0x1f;
1301        ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]), 0);
1302    }
1303
1304    /* Cancel all pending packets if either of the lists has been disabled.  */
1305    if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1306        if (ohci->async_td) {
1307            usb_cancel_packet(&ohci->usb_packet);
1308            ohci->async_td = 0;
1309        }
1310        ohci_stop_endpoints(ohci);
1311    }
1312    ohci->old_ctl = ohci->ctl;
1313    ohci_process_lists(ohci, 0);
1314
1315    /* Stop if UnrecoverableError happened or ohci_sof will crash */
1316    if (ohci->intr_status & OHCI_INTR_UE) {
1317        return;
1318    }
1319
1320    /* Frame boundary, so do EOF stuf here */
1321    ohci->frt = ohci->fit;
1322
1323    /* Increment frame number and take care of endianness. */
1324    ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1325    hcca.frame = cpu_to_le16(ohci->frame_number);
1326
1327    if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1328        if (!ohci->done)
1329            abort();
1330        if (ohci->intr & ohci->intr_status)
1331            ohci->done |= 1;
1332        hcca.done = cpu_to_le32(ohci->done);
1333        ohci->done = 0;
1334        ohci->done_count = 7;
1335        ohci_set_interrupt(ohci, OHCI_INTR_WD);
1336    }
1337
1338    if (ohci->done_count != 7 && ohci->done_count != 0)
1339        ohci->done_count--;
1340
1341    /* Do SOF stuff here */
1342    ohci_sof(ohci);
1343
1344    /* Writeback HCCA */
1345    if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1346        ohci_die(ohci);
1347    }
1348}
1349
1350/* Start sending SOF tokens across the USB bus, lists are processed in
1351 * next frame
1352 */
1353static int ohci_bus_start(OHCIState *ohci)
1354{
1355    trace_usb_ohci_start(ohci->name);
1356
1357    /* Delay the first SOF event by one frame time as
1358     * linux driver is not ready to receive it and
1359     * can meet some race conditions
1360     */
1361
1362    ohci_eof_timer(ohci);
1363
1364    return 1;
1365}
1366
1367/* Stop sending SOF tokens on the bus */
1368static void ohci_bus_stop(OHCIState *ohci)
1369{
1370    trace_usb_ohci_stop(ohci->name);
1371    timer_del(ohci->eof_timer);
1372}
1373
1374/* Sets a flag in a port status register but only set it if the port is
1375 * connected, if not set ConnectStatusChange flag. If flag is enabled
1376 * return 1.
1377 */
1378static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1379{
1380    int ret = 1;
1381
1382    /* writing a 0 has no effect */
1383    if (val == 0)
1384        return 0;
1385
1386    /* If CurrentConnectStatus is cleared we set
1387     * ConnectStatusChange
1388     */
1389    if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1390        ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1391        if (ohci->rhstatus & OHCI_RHS_DRWE) {
1392            /* TODO: CSC is a wakeup event */
1393        }
1394        return 0;
1395    }
1396
1397    if (ohci->rhport[i].ctrl & val)
1398        ret = 0;
1399
1400    /* set the bit */
1401    ohci->rhport[i].ctrl |= val;
1402
1403    return ret;
1404}
1405
1406/* Set the frame interval - frame interval toggle is manipulated by the hcd only */
1407static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1408{
1409    val &= OHCI_FMI_FI;
1410
1411    if (val != ohci->fi) {
1412        trace_usb_ohci_set_frame_interval(ohci->name, ohci->fi, ohci->fi);
1413    }
1414
1415    ohci->fi = val;
1416}
1417
1418static void ohci_port_power(OHCIState *ohci, int i, int p)
1419{
1420    if (p) {
1421        ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1422    } else {
1423        ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS|
1424                    OHCI_PORT_CCS|
1425                    OHCI_PORT_PSS|
1426                    OHCI_PORT_PRS);
1427    }
1428}
1429
1430/* Set HcControlRegister */
1431static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1432{
1433    uint32_t old_state;
1434    uint32_t new_state;
1435
1436    old_state = ohci->ctl & OHCI_CTL_HCFS;
1437    ohci->ctl = val;
1438    new_state = ohci->ctl & OHCI_CTL_HCFS;
1439
1440    /* no state change */
1441    if (old_state == new_state)
1442        return;
1443
1444    trace_usb_ohci_set_ctl(ohci->name, new_state);
1445    switch (new_state) {
1446    case OHCI_USB_OPERATIONAL:
1447        ohci_bus_start(ohci);
1448        break;
1449    case OHCI_USB_SUSPEND:
1450        ohci_bus_stop(ohci);
1451        /* clear pending SF otherwise linux driver loops in ohci_irq() */
1452        ohci->intr_status &= ~OHCI_INTR_SF;
1453        ohci_intr_update(ohci);
1454        break;
1455    case OHCI_USB_RESUME:
1456        trace_usb_ohci_resume(ohci->name);
1457        break;
1458    case OHCI_USB_RESET:
1459        ohci_roothub_reset(ohci);
1460        break;
1461    }
1462}
1463
1464static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1465{
1466    uint16_t fr;
1467    int64_t tks;
1468
1469    if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL)
1470        return (ohci->frt << 31);
1471
1472    /* Being in USB operational state guarnatees sof_time was
1473     * set already.
1474     */
1475    tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1476
1477    /* avoid muldiv if possible */
1478    if (tks >= usb_frame_time)
1479        return (ohci->frt << 31);
1480
1481    tks = tks / usb_bit_time;
1482    fr = (uint16_t)(ohci->fi - tks);
1483
1484    return (ohci->frt << 31) | fr;
1485}
1486
1487
1488/* Set root hub status */
1489static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1490{
1491    uint32_t old_state;
1492
1493    old_state = ohci->rhstatus;
1494
1495    /* write 1 to clear OCIC */
1496    if (val & OHCI_RHS_OCIC)
1497        ohci->rhstatus &= ~OHCI_RHS_OCIC;
1498
1499    if (val & OHCI_RHS_LPS) {
1500        int i;
1501
1502        for (i = 0; i < ohci->num_ports; i++)
1503            ohci_port_power(ohci, i, 0);
1504        trace_usb_ohci_hub_power_down();
1505    }
1506
1507    if (val & OHCI_RHS_LPSC) {
1508        int i;
1509
1510        for (i = 0; i < ohci->num_ports; i++)
1511            ohci_port_power(ohci, i, 1);
1512        trace_usb_ohci_hub_power_up();
1513    }
1514
1515    if (val & OHCI_RHS_DRWE)
1516        ohci->rhstatus |= OHCI_RHS_DRWE;
1517
1518    if (val & OHCI_RHS_CRWE)
1519        ohci->rhstatus &= ~OHCI_RHS_DRWE;
1520
1521    if (old_state != ohci->rhstatus)
1522        ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1523}
1524
1525/* Set root hub port status */
1526static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1527{
1528    uint32_t old_state;
1529    OHCIPort *port;
1530
1531    port = &ohci->rhport[portnum];
1532    old_state = port->ctrl;
1533
1534    /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1535    if (val & OHCI_PORT_WTC)
1536        port->ctrl &= ~(val & OHCI_PORT_WTC);
1537
1538    if (val & OHCI_PORT_CCS)
1539        port->ctrl &= ~OHCI_PORT_PES;
1540
1541    ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1542
1543    if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1544        trace_usb_ohci_port_suspend(portnum);
1545    }
1546
1547    if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1548        trace_usb_ohci_port_reset(portnum);
1549        usb_device_reset(port->port.dev);
1550        port->ctrl &= ~OHCI_PORT_PRS;
1551        /* ??? Should this also set OHCI_PORT_PESC.  */
1552        port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1553    }
1554
1555    /* Invert order here to ensure in ambiguous case, device is
1556     * powered up...
1557     */
1558    if (val & OHCI_PORT_LSDA)
1559        ohci_port_power(ohci, portnum, 0);
1560    if (val & OHCI_PORT_PPS)
1561        ohci_port_power(ohci, portnum, 1);
1562
1563    if (old_state != port->ctrl)
1564        ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1565}
1566
1567static uint64_t ohci_mem_read(void *opaque,
1568                              hwaddr addr,
1569                              unsigned size)
1570{
1571    OHCIState *ohci = opaque;
1572    uint32_t retval;
1573
1574    /* Only aligned reads are allowed on OHCI */
1575    if (addr & 3) {
1576        trace_usb_ohci_mem_read_unaligned(addr);
1577        return 0xffffffff;
1578    } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1579        /* HcRhPortStatus */
1580        retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1581    } else {
1582        switch (addr >> 2) {
1583        case 0: /* HcRevision */
1584            retval = 0x10;
1585            break;
1586
1587        case 1: /* HcControl */
1588            retval = ohci->ctl;
1589            break;
1590
1591        case 2: /* HcCommandStatus */
1592            retval = ohci->status;
1593            break;
1594
1595        case 3: /* HcInterruptStatus */
1596            retval = ohci->intr_status;
1597            break;
1598
1599        case 4: /* HcInterruptEnable */
1600        case 5: /* HcInterruptDisable */
1601            retval = ohci->intr;
1602            break;
1603
1604        case 6: /* HcHCCA */
1605            retval = ohci->hcca;
1606            break;
1607
1608        case 7: /* HcPeriodCurrentED */
1609            retval = ohci->per_cur;
1610            break;
1611
1612        case 8: /* HcControlHeadED */
1613            retval = ohci->ctrl_head;
1614            break;
1615
1616        case 9: /* HcControlCurrentED */
1617            retval = ohci->ctrl_cur;
1618            break;
1619
1620        case 10: /* HcBulkHeadED */
1621            retval = ohci->bulk_head;
1622            break;
1623
1624        case 11: /* HcBulkCurrentED */
1625            retval = ohci->bulk_cur;
1626            break;
1627
1628        case 12: /* HcDoneHead */
1629            retval = ohci->done;
1630            break;
1631
1632        case 13: /* HcFmInterretval */
1633            retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1634            break;
1635
1636        case 14: /* HcFmRemaining */
1637            retval = ohci_get_frame_remaining(ohci);
1638            break;
1639
1640        case 15: /* HcFmNumber */
1641            retval = ohci->frame_number;
1642            break;
1643
1644        case 16: /* HcPeriodicStart */
1645            retval = ohci->pstart;
1646            break;
1647
1648        case 17: /* HcLSThreshold */
1649            retval = ohci->lst;
1650            break;
1651
1652        case 18: /* HcRhDescriptorA */
1653            retval = ohci->rhdesc_a;
1654            break;
1655
1656        case 19: /* HcRhDescriptorB */
1657            retval = ohci->rhdesc_b;
1658            break;
1659
1660        case 20: /* HcRhStatus */
1661            retval = ohci->rhstatus;
1662            break;
1663
1664        /* PXA27x specific registers */
1665        case 24: /* HcStatus */
1666            retval = ohci->hstatus & ohci->hmask;
1667            break;
1668
1669        case 25: /* HcHReset */
1670            retval = ohci->hreset;
1671            break;
1672
1673        case 26: /* HcHInterruptEnable */
1674            retval = ohci->hmask;
1675            break;
1676
1677        case 27: /* HcHInterruptTest */
1678            retval = ohci->htest;
1679            break;
1680
1681        default:
1682            trace_usb_ohci_mem_read_bad_offset(addr);
1683            retval = 0xffffffff;
1684        }
1685    }
1686
1687    return retval;
1688}
1689
1690static void ohci_mem_write(void *opaque,
1691                           hwaddr addr,
1692                           uint64_t val,
1693                           unsigned size)
1694{
1695    OHCIState *ohci = opaque;
1696
1697    /* Only aligned reads are allowed on OHCI */
1698    if (addr & 3) {
1699        trace_usb_ohci_mem_write_unaligned(addr);
1700        return;
1701    }
1702
1703    if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1704        /* HcRhPortStatus */
1705        ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1706        return;
1707    }
1708
1709    switch (addr >> 2) {
1710    case 1: /* HcControl */
1711        ohci_set_ctl(ohci, val);
1712        break;
1713
1714    case 2: /* HcCommandStatus */
1715        /* SOC is read-only */
1716        val = (val & ~OHCI_STATUS_SOC);
1717
1718        /* Bits written as '0' remain unchanged in the register */
1719        ohci->status |= val;
1720
1721        if (ohci->status & OHCI_STATUS_HCR)
1722            ohci_soft_reset(ohci);
1723        break;
1724
1725    case 3: /* HcInterruptStatus */
1726        ohci->intr_status &= ~val;
1727        ohci_intr_update(ohci);
1728        break;
1729
1730    case 4: /* HcInterruptEnable */
1731        ohci->intr |= val;
1732        ohci_intr_update(ohci);
1733        break;
1734
1735    case 5: /* HcInterruptDisable */
1736        ohci->intr &= ~val;
1737        ohci_intr_update(ohci);
1738        break;
1739
1740    case 6: /* HcHCCA */
1741        ohci->hcca = val & OHCI_HCCA_MASK;
1742        break;
1743
1744    case 7: /* HcPeriodCurrentED */
1745        /* Ignore writes to this read-only register, Linux does them */
1746        break;
1747
1748    case 8: /* HcControlHeadED */
1749        ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1750        break;
1751
1752    case 9: /* HcControlCurrentED */
1753        ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1754        break;
1755
1756    case 10: /* HcBulkHeadED */
1757        ohci->bulk_head = val & OHCI_EDPTR_MASK;
1758        break;
1759
1760    case 11: /* HcBulkCurrentED */
1761        ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1762        break;
1763
1764    case 13: /* HcFmInterval */
1765        ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1766        ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1767        ohci_set_frame_interval(ohci, val);
1768        break;
1769
1770    case 15: /* HcFmNumber */
1771        break;
1772
1773    case 16: /* HcPeriodicStart */
1774        ohci->pstart = val & 0xffff;
1775        break;
1776
1777    case 17: /* HcLSThreshold */
1778        ohci->lst = val & 0xffff;
1779        break;
1780
1781    case 18: /* HcRhDescriptorA */
1782        ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1783        ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1784        break;
1785
1786    case 19: /* HcRhDescriptorB */
1787        break;
1788
1789    case 20: /* HcRhStatus */
1790        ohci_set_hub_status(ohci, val);
1791        break;
1792
1793    /* PXA27x specific registers */
1794    case 24: /* HcStatus */
1795        ohci->hstatus &= ~(val & ohci->hmask);
1796        break;
1797
1798    case 25: /* HcHReset */
1799        ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1800        if (val & OHCI_HRESET_FSBIR)
1801            ohci_hard_reset(ohci);
1802        break;
1803
1804    case 26: /* HcHInterruptEnable */
1805        ohci->hmask = val;
1806        break;
1807
1808    case 27: /* HcHInterruptTest */
1809        ohci->htest = val;
1810        break;
1811
1812    default:
1813        trace_usb_ohci_mem_write_bad_offset(addr);
1814        break;
1815    }
1816}
1817
1818static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
1819{
1820    if (ohci->async_td &&
1821        usb_packet_is_inflight(&ohci->usb_packet) &&
1822        ohci->usb_packet.ep->dev == dev) {
1823        usb_cancel_packet(&ohci->usb_packet);
1824        ohci->async_td = 0;
1825    }
1826}
1827
1828static const MemoryRegionOps ohci_mem_ops = {
1829    .read = ohci_mem_read,
1830    .write = ohci_mem_write,
1831    .endianness = DEVICE_LITTLE_ENDIAN,
1832};
1833
1834static USBPortOps ohci_port_ops = {
1835    .attach = ohci_attach,
1836    .detach = ohci_detach,
1837    .child_detach = ohci_child_detach,
1838    .wakeup = ohci_wakeup,
1839    .complete = ohci_async_complete_packet,
1840};
1841
1842static USBBusOps ohci_bus_ops = {
1843};
1844
1845static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
1846                          int num_ports, dma_addr_t localmem_base,
1847                          char *masterbus, uint32_t firstport,
1848                          AddressSpace *as, Error **errp)
1849{
1850    Error *err = NULL;
1851    int i;
1852
1853    ohci->as = as;
1854
1855    if (num_ports > OHCI_MAX_PORTS) {
1856        error_setg(errp, "OHCI num-ports=%d is too big (limit is %d ports)",
1857                   num_ports, OHCI_MAX_PORTS);
1858        return;
1859    }
1860
1861    if (usb_frame_time == 0) {
1862#ifdef OHCI_TIME_WARP
1863        usb_frame_time = NANOSECONDS_PER_SECOND;
1864        usb_bit_time = NANOSECONDS_PER_SECOND / (USB_HZ / 1000);
1865#else
1866        usb_frame_time = NANOSECONDS_PER_SECOND / 1000;
1867        if (NANOSECONDS_PER_SECOND >= USB_HZ) {
1868            usb_bit_time = NANOSECONDS_PER_SECOND / USB_HZ;
1869        } else {
1870            usb_bit_time = 1;
1871        }
1872#endif
1873        trace_usb_ohci_init_time(usb_frame_time, usb_bit_time);
1874    }
1875
1876    ohci->num_ports = num_ports;
1877    if (masterbus) {
1878        USBPort *ports[OHCI_MAX_PORTS];
1879        for(i = 0; i < num_ports; i++) {
1880            ports[i] = &ohci->rhport[i].port;
1881        }
1882        usb_register_companion(masterbus, ports, num_ports,
1883                               firstport, ohci, &ohci_port_ops,
1884                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL,
1885                               &err);
1886        if (err) {
1887            error_propagate(errp, err);
1888            return;
1889        }
1890    } else {
1891        usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1892        for (i = 0; i < num_ports; i++) {
1893            usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1894                              ohci, i, &ohci_port_ops,
1895                              USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1896        }
1897    }
1898
1899    memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1900                          ohci, "ohci", 256);
1901    ohci->localmem_base = localmem_base;
1902
1903    ohci->name = object_get_typename(OBJECT(dev));
1904    usb_packet_init(&ohci->usb_packet);
1905
1906    ohci->async_td = 0;
1907
1908    ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1909                                   ohci_frame_boundary, ohci);
1910}
1911
1912#define TYPE_PCI_OHCI "pci-ohci"
1913#define PCI_OHCI(obj) OBJECT_CHECK(OHCIPCIState, (obj), TYPE_PCI_OHCI)
1914
1915typedef struct {
1916    /*< private >*/
1917    PCIDevice parent_obj;
1918    /*< public >*/
1919
1920    OHCIState state;
1921    char *masterbus;
1922    uint32_t num_ports;
1923    uint32_t firstport;
1924} OHCIPCIState;
1925
1926/** A typical O/EHCI will stop operating, set itself into error state
1927 * (which can be queried by MMIO) and will set PERR in its config
1928 * space to signal that it got an error
1929 */
1930static void ohci_die(OHCIState *ohci)
1931{
1932    OHCIPCIState *dev = container_of(ohci, OHCIPCIState, state);
1933
1934    trace_usb_ohci_die();
1935
1936    ohci_set_interrupt(ohci, OHCI_INTR_UE);
1937    ohci_bus_stop(ohci);
1938    pci_set_word(dev->parent_obj.config + PCI_STATUS,
1939                 PCI_STATUS_DETECTED_PARITY);
1940}
1941
1942static void usb_ohci_realize_pci(PCIDevice *dev, Error **errp)
1943{
1944    Error *err = NULL;
1945    OHCIPCIState *ohci = PCI_OHCI(dev);
1946
1947    dev->config[PCI_CLASS_PROG] = 0x10; /* OHCI */
1948    dev->config[PCI_INTERRUPT_PIN] = 0x01; /* interrupt pin A */
1949
1950    usb_ohci_init(&ohci->state, DEVICE(dev), ohci->num_ports, 0,
1951                  ohci->masterbus, ohci->firstport,
1952                  pci_get_address_space(dev), &err);
1953    if (err) {
1954        error_propagate(errp, err);
1955        return;
1956    }
1957
1958    ohci->state.irq = pci_allocate_irq(dev);
1959    pci_register_bar(dev, 0, 0, &ohci->state.mem);
1960}
1961
1962static void usb_ohci_exit(PCIDevice *dev)
1963{
1964    OHCIPCIState *ohci = PCI_OHCI(dev);
1965    OHCIState *s = &ohci->state;
1966
1967    trace_usb_ohci_exit(s->name);
1968    ohci_bus_stop(s);
1969
1970    if (s->async_td) {
1971        usb_cancel_packet(&s->usb_packet);
1972        s->async_td = 0;
1973    }
1974    ohci_stop_endpoints(s);
1975
1976    if (!ohci->masterbus) {
1977        usb_bus_release(&s->bus);
1978    }
1979
1980    timer_del(s->eof_timer);
1981    timer_free(s->eof_timer);
1982}
1983
1984static void usb_ohci_reset_pci(DeviceState *d)
1985{
1986    PCIDevice *dev = PCI_DEVICE(d);
1987    OHCIPCIState *ohci = PCI_OHCI(dev);
1988    OHCIState *s = &ohci->state;
1989
1990    ohci_hard_reset(s);
1991}
1992
1993#define TYPE_SYSBUS_OHCI "sysbus-ohci"
1994#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
1995
1996typedef struct {
1997    /*< private >*/
1998    SysBusDevice parent_obj;
1999    /*< public >*/
2000
2001    OHCIState ohci;
2002    uint32_t num_ports;
2003    dma_addr_t dma_offset;
2004} OHCISysBusState;
2005
2006static void ohci_realize_pxa(DeviceState *dev, Error **errp)
2007{
2008    OHCISysBusState *s = SYSBUS_OHCI(dev);
2009    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
2010
2011    /* Cannot fail as we pass NULL for masterbus */
2012    usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset, NULL, 0,
2013                  &address_space_memory, &error_abort);
2014    sysbus_init_irq(sbd, &s->ohci.irq);
2015    sysbus_init_mmio(sbd, &s->ohci.mem);
2016}
2017
2018static void usb_ohci_reset_sysbus(DeviceState *dev)
2019{
2020    OHCISysBusState *s = SYSBUS_OHCI(dev);
2021    OHCIState *ohci = &s->ohci;
2022
2023    ohci_hard_reset(ohci);
2024}
2025
2026static Property ohci_pci_properties[] = {
2027    DEFINE_PROP_STRING("masterbus", OHCIPCIState, masterbus),
2028    DEFINE_PROP_UINT32("num-ports", OHCIPCIState, num_ports, 3),
2029    DEFINE_PROP_UINT32("firstport", OHCIPCIState, firstport, 0),
2030    DEFINE_PROP_END_OF_LIST(),
2031};
2032
2033static const VMStateDescription vmstate_ohci_state_port = {
2034    .name = "ohci-core/port",
2035    .version_id = 1,
2036    .minimum_version_id = 1,
2037    .fields = (VMStateField[]) {
2038        VMSTATE_UINT32(ctrl, OHCIPort),
2039        VMSTATE_END_OF_LIST()
2040    },
2041};
2042
2043static bool ohci_eof_timer_needed(void *opaque)
2044{
2045    OHCIState *ohci = opaque;
2046
2047    return timer_pending(ohci->eof_timer);
2048}
2049
2050static const VMStateDescription vmstate_ohci_eof_timer = {
2051    .name = "ohci-core/eof-timer",
2052    .version_id = 1,
2053    .minimum_version_id = 1,
2054    .needed = ohci_eof_timer_needed,
2055    .fields = (VMStateField[]) {
2056        VMSTATE_TIMER_PTR(eof_timer, OHCIState),
2057        VMSTATE_END_OF_LIST()
2058    },
2059};
2060
2061static const VMStateDescription vmstate_ohci_state = {
2062    .name = "ohci-core",
2063    .version_id = 1,
2064    .minimum_version_id = 1,
2065    .fields = (VMStateField[]) {
2066        VMSTATE_INT64(sof_time, OHCIState),
2067        VMSTATE_UINT32(ctl, OHCIState),
2068        VMSTATE_UINT32(status, OHCIState),
2069        VMSTATE_UINT32(intr_status, OHCIState),
2070        VMSTATE_UINT32(intr, OHCIState),
2071        VMSTATE_UINT32(hcca, OHCIState),
2072        VMSTATE_UINT32(ctrl_head, OHCIState),
2073        VMSTATE_UINT32(ctrl_cur, OHCIState),
2074        VMSTATE_UINT32(bulk_head, OHCIState),
2075        VMSTATE_UINT32(bulk_cur, OHCIState),
2076        VMSTATE_UINT32(per_cur, OHCIState),
2077        VMSTATE_UINT32(done, OHCIState),
2078        VMSTATE_INT32(done_count, OHCIState),
2079        VMSTATE_UINT16(fsmps, OHCIState),
2080        VMSTATE_UINT8(fit, OHCIState),
2081        VMSTATE_UINT16(fi, OHCIState),
2082        VMSTATE_UINT8(frt, OHCIState),
2083        VMSTATE_UINT16(frame_number, OHCIState),
2084        VMSTATE_UINT16(padding, OHCIState),
2085        VMSTATE_UINT32(pstart, OHCIState),
2086        VMSTATE_UINT32(lst, OHCIState),
2087        VMSTATE_UINT32(rhdesc_a, OHCIState),
2088        VMSTATE_UINT32(rhdesc_b, OHCIState),
2089        VMSTATE_UINT32(rhstatus, OHCIState),
2090        VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
2091                             vmstate_ohci_state_port, OHCIPort),
2092        VMSTATE_UINT32(hstatus, OHCIState),
2093        VMSTATE_UINT32(hmask, OHCIState),
2094        VMSTATE_UINT32(hreset, OHCIState),
2095        VMSTATE_UINT32(htest, OHCIState),
2096        VMSTATE_UINT32(old_ctl, OHCIState),
2097        VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
2098        VMSTATE_UINT32(async_td, OHCIState),
2099        VMSTATE_BOOL(async_complete, OHCIState),
2100        VMSTATE_END_OF_LIST()
2101    },
2102    .subsections = (const VMStateDescription*[]) {
2103        &vmstate_ohci_eof_timer,
2104        NULL
2105    }
2106};
2107
2108static const VMStateDescription vmstate_ohci = {
2109    .name = "ohci",
2110    .version_id = 1,
2111    .minimum_version_id = 1,
2112    .fields = (VMStateField[]) {
2113        VMSTATE_PCI_DEVICE(parent_obj, OHCIPCIState),
2114        VMSTATE_STRUCT(state, OHCIPCIState, 1, vmstate_ohci_state, OHCIState),
2115        VMSTATE_END_OF_LIST()
2116    }
2117};
2118
2119static void ohci_pci_class_init(ObjectClass *klass, void *data)
2120{
2121    DeviceClass *dc = DEVICE_CLASS(klass);
2122    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2123
2124    k->realize = usb_ohci_realize_pci;
2125    k->exit = usb_ohci_exit;
2126    k->vendor_id = PCI_VENDOR_ID_APPLE;
2127    k->device_id = PCI_DEVICE_ID_APPLE_IPID_USB;
2128    k->class_id = PCI_CLASS_SERIAL_USB;
2129    set_bit(DEVICE_CATEGORY_USB, dc->categories);
2130    dc->desc = "Apple USB Controller";
2131    dc->props = ohci_pci_properties;
2132    dc->hotpluggable = false;
2133    dc->vmsd = &vmstate_ohci;
2134    dc->reset = usb_ohci_reset_pci;
2135}
2136
2137static const TypeInfo ohci_pci_info = {
2138    .name          = TYPE_PCI_OHCI,
2139    .parent        = TYPE_PCI_DEVICE,
2140    .instance_size = sizeof(OHCIPCIState),
2141    .class_init    = ohci_pci_class_init,
2142};
2143
2144static Property ohci_sysbus_properties[] = {
2145    DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
2146    DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 0),
2147    DEFINE_PROP_END_OF_LIST(),
2148};
2149
2150static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
2151{
2152    DeviceClass *dc = DEVICE_CLASS(klass);
2153
2154    dc->realize = ohci_realize_pxa;
2155    set_bit(DEVICE_CATEGORY_USB, dc->categories);
2156    dc->desc = "OHCI USB Controller";
2157    dc->props = ohci_sysbus_properties;
2158    dc->reset = usb_ohci_reset_sysbus;
2159}
2160
2161static const TypeInfo ohci_sysbus_info = {
2162    .name          = TYPE_SYSBUS_OHCI,
2163    .parent        = TYPE_SYS_BUS_DEVICE,
2164    .instance_size = sizeof(OHCISysBusState),
2165    .class_init    = ohci_sysbus_class_init,
2166};
2167
2168static void ohci_register_types(void)
2169{
2170    type_register_static(&ohci_pci_info);
2171    type_register_static(&ohci_sysbus_info);
2172}
2173
2174type_init(ohci_register_types)
2175