qemu/hw/usb/hcd-musb.c
<<
>>
Prefs
   1/*
   2 * "Inventra" High-speed Dual-Role Controller (MUSB-HDRC), Mentor Graphics,
   3 * USB2.0 OTG compliant core used in various chips.
   4 *
   5 * Copyright (C) 2008 Nokia Corporation
   6 * Written by Andrzej Zaborowski <andrew@openedhand.com>
   7 *
   8 * This program is free software; you can redistribute it and/or
   9 * modify it under the terms of the GNU General Public License as
  10 * published by the Free Software Foundation; either version 2 or
  11 * (at your option) version 3 of the License.
  12 *
  13 * This program is distributed in the hope that it will be useful,
  14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16 * GNU General Public License for more details.
  17 *
  18 * You should have received a copy of the GNU General Public License along
  19 * with this program; if not, see <http://www.gnu.org/licenses/>.
  20 *
  21 * Only host-mode and non-DMA accesses are currently supported.
  22 */
  23#include "qemu/osdep.h"
  24#include "qemu-common.h"
  25#include "qemu/timer.h"
  26#include "hw/usb.h"
  27#include "hw/irq.h"
  28#include "hw/hw.h"
  29
  30/* Common USB registers */
  31#define MUSB_HDRC_FADDR         0x00    /* 8-bit */
  32#define MUSB_HDRC_POWER         0x01    /* 8-bit */
  33
  34#define MUSB_HDRC_INTRTX        0x02    /* 16-bit */
  35#define MUSB_HDRC_INTRRX        0x04
  36#define MUSB_HDRC_INTRTXE       0x06  
  37#define MUSB_HDRC_INTRRXE       0x08  
  38#define MUSB_HDRC_INTRUSB       0x0a    /* 8 bit */
  39#define MUSB_HDRC_INTRUSBE      0x0b    /* 8 bit */
  40#define MUSB_HDRC_FRAME         0x0c    /* 16-bit */
  41#define MUSB_HDRC_INDEX         0x0e    /* 8 bit */
  42#define MUSB_HDRC_TESTMODE      0x0f    /* 8 bit */
  43
  44/* Per-EP registers in indexed mode */
  45#define MUSB_HDRC_EP_IDX        0x10    /* 8-bit */
  46
  47/* EP FIFOs */
  48#define MUSB_HDRC_FIFO          0x20
  49
  50/* Additional Control Registers */
  51#define MUSB_HDRC_DEVCTL        0x60    /* 8 bit */
  52
  53/* These are indexed */
  54#define MUSB_HDRC_TXFIFOSZ      0x62    /* 8 bit (see masks) */
  55#define MUSB_HDRC_RXFIFOSZ      0x63    /* 8 bit (see masks) */
  56#define MUSB_HDRC_TXFIFOADDR    0x64    /* 16 bit offset shifted right 3 */
  57#define MUSB_HDRC_RXFIFOADDR    0x66    /* 16 bit offset shifted right 3 */
  58
  59/* Some more registers */
  60#define MUSB_HDRC_VCTRL         0x68    /* 8 bit */
  61#define MUSB_HDRC_HWVERS        0x6c    /* 8 bit */
  62
  63/* Added in HDRC 1.9(?) & MHDRC 1.4 */
  64/* ULPI pass-through */
  65#define MUSB_HDRC_ULPI_VBUSCTL  0x70
  66#define MUSB_HDRC_ULPI_REGDATA  0x74
  67#define MUSB_HDRC_ULPI_REGADDR  0x75
  68#define MUSB_HDRC_ULPI_REGCTL   0x76
  69
  70/* Extended config & PHY control */
  71#define MUSB_HDRC_ENDCOUNT      0x78    /* 8 bit */
  72#define MUSB_HDRC_DMARAMCFG     0x79    /* 8 bit */
  73#define MUSB_HDRC_PHYWAIT       0x7a    /* 8 bit */
  74#define MUSB_HDRC_PHYVPLEN      0x7b    /* 8 bit */
  75#define MUSB_HDRC_HS_EOF1       0x7c    /* 8 bit, units of 546.1 us */
  76#define MUSB_HDRC_FS_EOF1       0x7d    /* 8 bit, units of 533.3 ns */
  77#define MUSB_HDRC_LS_EOF1       0x7e    /* 8 bit, units of 1.067 us */
  78
  79/* Per-EP BUSCTL registers */
  80#define MUSB_HDRC_BUSCTL        0x80
  81
  82/* Per-EP registers in flat mode */
  83#define MUSB_HDRC_EP            0x100
  84
  85/* offsets to registers in flat model */
  86#define MUSB_HDRC_TXMAXP        0x00    /* 16 bit apparently */
  87#define MUSB_HDRC_TXCSR         0x02    /* 16 bit apparently */
  88#define MUSB_HDRC_CSR0          MUSB_HDRC_TXCSR         /* re-used for EP0 */
  89#define MUSB_HDRC_RXMAXP        0x04    /* 16 bit apparently */
  90#define MUSB_HDRC_RXCSR         0x06    /* 16 bit apparently */
  91#define MUSB_HDRC_RXCOUNT       0x08    /* 16 bit apparently */
  92#define MUSB_HDRC_COUNT0        MUSB_HDRC_RXCOUNT       /* re-used for EP0 */
  93#define MUSB_HDRC_TXTYPE        0x0a    /* 8 bit apparently */
  94#define MUSB_HDRC_TYPE0         MUSB_HDRC_TXTYPE        /* re-used for EP0 */
  95#define MUSB_HDRC_TXINTERVAL    0x0b    /* 8 bit apparently */
  96#define MUSB_HDRC_NAKLIMIT0     MUSB_HDRC_TXINTERVAL    /* re-used for EP0 */
  97#define MUSB_HDRC_RXTYPE        0x0c    /* 8 bit apparently */
  98#define MUSB_HDRC_RXINTERVAL    0x0d    /* 8 bit apparently */
  99#define MUSB_HDRC_FIFOSIZE      0x0f    /* 8 bit apparently */
 100#define MUSB_HDRC_CONFIGDATA    MGC_O_HDRC_FIFOSIZE     /* re-used for EP0 */
 101
 102/* "Bus control" registers */
 103#define MUSB_HDRC_TXFUNCADDR    0x00
 104#define MUSB_HDRC_TXHUBADDR     0x02
 105#define MUSB_HDRC_TXHUBPORT     0x03
 106
 107#define MUSB_HDRC_RXFUNCADDR    0x04
 108#define MUSB_HDRC_RXHUBADDR     0x06
 109#define MUSB_HDRC_RXHUBPORT     0x07
 110
 111/*
 112 * MUSBHDRC Register bit masks
 113 */
 114
 115/* POWER */
 116#define MGC_M_POWER_ISOUPDATE           0x80 
 117#define MGC_M_POWER_SOFTCONN            0x40
 118#define MGC_M_POWER_HSENAB              0x20
 119#define MGC_M_POWER_HSMODE              0x10
 120#define MGC_M_POWER_RESET               0x08
 121#define MGC_M_POWER_RESUME              0x04
 122#define MGC_M_POWER_SUSPENDM            0x02
 123#define MGC_M_POWER_ENSUSPEND           0x01
 124
 125/* INTRUSB */
 126#define MGC_M_INTR_SUSPEND              0x01
 127#define MGC_M_INTR_RESUME               0x02
 128#define MGC_M_INTR_RESET                0x04
 129#define MGC_M_INTR_BABBLE               0x04
 130#define MGC_M_INTR_SOF                  0x08 
 131#define MGC_M_INTR_CONNECT              0x10
 132#define MGC_M_INTR_DISCONNECT           0x20
 133#define MGC_M_INTR_SESSREQ              0x40
 134#define MGC_M_INTR_VBUSERROR            0x80    /* FOR SESSION END */
 135#define MGC_M_INTR_EP0                  0x01    /* FOR EP0 INTERRUPT */
 136
 137/* DEVCTL */
 138#define MGC_M_DEVCTL_BDEVICE            0x80   
 139#define MGC_M_DEVCTL_FSDEV              0x40
 140#define MGC_M_DEVCTL_LSDEV              0x20
 141#define MGC_M_DEVCTL_VBUS               0x18
 142#define MGC_S_DEVCTL_VBUS               3
 143#define MGC_M_DEVCTL_HM                 0x04
 144#define MGC_M_DEVCTL_HR                 0x02
 145#define MGC_M_DEVCTL_SESSION            0x01
 146
 147/* TESTMODE */
 148#define MGC_M_TEST_FORCE_HOST           0x80
 149#define MGC_M_TEST_FIFO_ACCESS          0x40
 150#define MGC_M_TEST_FORCE_FS             0x20
 151#define MGC_M_TEST_FORCE_HS             0x10
 152#define MGC_M_TEST_PACKET               0x08
 153#define MGC_M_TEST_K                    0x04
 154#define MGC_M_TEST_J                    0x02
 155#define MGC_M_TEST_SE0_NAK              0x01
 156
 157/* CSR0 */
 158#define MGC_M_CSR0_FLUSHFIFO            0x0100
 159#define MGC_M_CSR0_TXPKTRDY             0x0002
 160#define MGC_M_CSR0_RXPKTRDY             0x0001
 161
 162/* CSR0 in Peripheral mode */
 163#define MGC_M_CSR0_P_SVDSETUPEND        0x0080
 164#define MGC_M_CSR0_P_SVDRXPKTRDY        0x0040
 165#define MGC_M_CSR0_P_SENDSTALL          0x0020
 166#define MGC_M_CSR0_P_SETUPEND           0x0010
 167#define MGC_M_CSR0_P_DATAEND            0x0008
 168#define MGC_M_CSR0_P_SENTSTALL          0x0004
 169
 170/* CSR0 in Host mode */
 171#define MGC_M_CSR0_H_NO_PING            0x0800
 172#define MGC_M_CSR0_H_WR_DATATOGGLE      0x0400  /* set to allow setting: */
 173#define MGC_M_CSR0_H_DATATOGGLE         0x0200  /* data toggle control */
 174#define MGC_M_CSR0_H_NAKTIMEOUT         0x0080
 175#define MGC_M_CSR0_H_STATUSPKT          0x0040
 176#define MGC_M_CSR0_H_REQPKT             0x0020
 177#define MGC_M_CSR0_H_ERROR              0x0010
 178#define MGC_M_CSR0_H_SETUPPKT           0x0008
 179#define MGC_M_CSR0_H_RXSTALL            0x0004
 180
 181/* CONFIGDATA */
 182#define MGC_M_CONFIGDATA_MPRXE          0x80    /* auto bulk pkt combining */
 183#define MGC_M_CONFIGDATA_MPTXE          0x40    /* auto bulk pkt splitting */
 184#define MGC_M_CONFIGDATA_BIGENDIAN      0x20
 185#define MGC_M_CONFIGDATA_HBRXE          0x10    /* HB-ISO for RX */
 186#define MGC_M_CONFIGDATA_HBTXE          0x08    /* HB-ISO for TX */
 187#define MGC_M_CONFIGDATA_DYNFIFO        0x04    /* dynamic FIFO sizing */
 188#define MGC_M_CONFIGDATA_SOFTCONE       0x02    /* SoftConnect */
 189#define MGC_M_CONFIGDATA_UTMIDW         0x01    /* Width, 0 => 8b, 1 => 16b */
 190
 191/* TXCSR in Peripheral and Host mode */
 192#define MGC_M_TXCSR_AUTOSET             0x8000
 193#define MGC_M_TXCSR_ISO                 0x4000
 194#define MGC_M_TXCSR_MODE                0x2000
 195#define MGC_M_TXCSR_DMAENAB             0x1000
 196#define MGC_M_TXCSR_FRCDATATOG          0x0800
 197#define MGC_M_TXCSR_DMAMODE             0x0400
 198#define MGC_M_TXCSR_CLRDATATOG          0x0040
 199#define MGC_M_TXCSR_FLUSHFIFO           0x0008
 200#define MGC_M_TXCSR_FIFONOTEMPTY        0x0002
 201#define MGC_M_TXCSR_TXPKTRDY            0x0001
 202
 203/* TXCSR in Peripheral mode */
 204#define MGC_M_TXCSR_P_INCOMPTX          0x0080
 205#define MGC_M_TXCSR_P_SENTSTALL         0x0020
 206#define MGC_M_TXCSR_P_SENDSTALL         0x0010
 207#define MGC_M_TXCSR_P_UNDERRUN          0x0004
 208
 209/* TXCSR in Host mode */
 210#define MGC_M_TXCSR_H_WR_DATATOGGLE     0x0200
 211#define MGC_M_TXCSR_H_DATATOGGLE        0x0100
 212#define MGC_M_TXCSR_H_NAKTIMEOUT        0x0080
 213#define MGC_M_TXCSR_H_RXSTALL           0x0020
 214#define MGC_M_TXCSR_H_ERROR             0x0004
 215
 216/* RXCSR in Peripheral and Host mode */
 217#define MGC_M_RXCSR_AUTOCLEAR           0x8000
 218#define MGC_M_RXCSR_DMAENAB             0x2000
 219#define MGC_M_RXCSR_DISNYET             0x1000
 220#define MGC_M_RXCSR_DMAMODE             0x0800
 221#define MGC_M_RXCSR_INCOMPRX            0x0100
 222#define MGC_M_RXCSR_CLRDATATOG          0x0080
 223#define MGC_M_RXCSR_FLUSHFIFO           0x0010
 224#define MGC_M_RXCSR_DATAERROR           0x0008
 225#define MGC_M_RXCSR_FIFOFULL            0x0002
 226#define MGC_M_RXCSR_RXPKTRDY            0x0001
 227
 228/* RXCSR in Peripheral mode */
 229#define MGC_M_RXCSR_P_ISO               0x4000
 230#define MGC_M_RXCSR_P_SENTSTALL         0x0040
 231#define MGC_M_RXCSR_P_SENDSTALL         0x0020
 232#define MGC_M_RXCSR_P_OVERRUN           0x0004
 233
 234/* RXCSR in Host mode */
 235#define MGC_M_RXCSR_H_AUTOREQ           0x4000
 236#define MGC_M_RXCSR_H_WR_DATATOGGLE     0x0400
 237#define MGC_M_RXCSR_H_DATATOGGLE        0x0200
 238#define MGC_M_RXCSR_H_RXSTALL           0x0040
 239#define MGC_M_RXCSR_H_REQPKT            0x0020
 240#define MGC_M_RXCSR_H_ERROR             0x0004
 241
 242/* HUBADDR */
 243#define MGC_M_HUBADDR_MULTI_TT          0x80
 244
 245/* ULPI: Added in HDRC 1.9(?) & MHDRC 1.4 */
 246#define MGC_M_ULPI_VBCTL_USEEXTVBUSIND  0x02
 247#define MGC_M_ULPI_VBCTL_USEEXTVBUS     0x01
 248#define MGC_M_ULPI_REGCTL_INT_ENABLE    0x08
 249#define MGC_M_ULPI_REGCTL_READNOTWRITE  0x04
 250#define MGC_M_ULPI_REGCTL_COMPLETE      0x02
 251#define MGC_M_ULPI_REGCTL_REG           0x01
 252
 253/* #define MUSB_DEBUG */
 254
 255#ifdef MUSB_DEBUG
 256#define TRACE(fmt, ...) fprintf(stderr, "%s@%d: " fmt "\n", __func__, \
 257                                __LINE__, ##__VA_ARGS__)
 258#else
 259#define TRACE(...)
 260#endif
 261
 262
 263static void musb_attach(USBPort *port);
 264static void musb_detach(USBPort *port);
 265static void musb_child_detach(USBPort *port, USBDevice *child);
 266static void musb_schedule_cb(USBPort *port, USBPacket *p);
 267static void musb_async_cancel_device(MUSBState *s, USBDevice *dev);
 268
 269static USBPortOps musb_port_ops = {
 270    .attach = musb_attach,
 271    .detach = musb_detach,
 272    .child_detach = musb_child_detach,
 273    .complete = musb_schedule_cb,
 274};
 275
 276static USBBusOps musb_bus_ops = {
 277};
 278
 279typedef struct MUSBPacket MUSBPacket;
 280typedef struct MUSBEndPoint MUSBEndPoint;
 281
 282struct MUSBPacket {
 283    USBPacket p;
 284    MUSBEndPoint *ep;
 285    int dir;
 286};
 287
 288struct MUSBEndPoint {
 289    uint16_t faddr[2];
 290    uint8_t haddr[2];
 291    uint8_t hport[2];
 292    uint16_t csr[2];
 293    uint16_t maxp[2];
 294    uint16_t rxcount;
 295    uint8_t type[2];
 296    uint8_t interval[2];
 297    uint8_t config;
 298    uint8_t fifosize;
 299    int timeout[2];     /* Always in microframes */
 300
 301    uint8_t *buf[2];
 302    int fifolen[2];
 303    int fifostart[2];
 304    int fifoaddr[2];
 305    MUSBPacket packey[2];
 306    int status[2];
 307    int ext_size[2];
 308
 309    /* For callbacks' use */
 310    int epnum;
 311    int interrupt[2];
 312    MUSBState *musb;
 313    USBCallback *delayed_cb[2];
 314    QEMUTimer *intv_timer[2];
 315};
 316
 317struct MUSBState {
 318    qemu_irq irqs[musb_irq_max];
 319    USBBus bus;
 320    USBPort port;
 321
 322    int idx;
 323    uint8_t devctl;
 324    uint8_t power;
 325    uint8_t faddr;
 326
 327    uint8_t intr;
 328    uint8_t mask;
 329    uint16_t tx_intr;
 330    uint16_t tx_mask;
 331    uint16_t rx_intr;
 332    uint16_t rx_mask;
 333
 334    int setup_len;
 335    int session;
 336
 337    uint8_t buf[0x8000];
 338
 339        /* Duplicating the world since 2008!...  probably we should have 32
 340         * logical, single endpoints instead.  */
 341    MUSBEndPoint ep[16];
 342};
 343
 344void musb_reset(MUSBState *s)
 345{
 346    int i;
 347
 348    s->faddr = 0x00;
 349    s->devctl = 0;
 350    s->power = MGC_M_POWER_HSENAB;
 351    s->tx_intr = 0x0000;
 352    s->rx_intr = 0x0000;
 353    s->tx_mask = 0xffff;
 354    s->rx_mask = 0xffff;
 355    s->intr = 0x00;
 356    s->mask = 0x06;
 357    s->idx = 0;
 358
 359    s->setup_len = 0;
 360    s->session = 0;
 361    memset(s->buf, 0, sizeof(s->buf));
 362
 363    /* TODO: _DW */
 364    s->ep[0].config = MGC_M_CONFIGDATA_SOFTCONE | MGC_M_CONFIGDATA_DYNFIFO;
 365    for (i = 0; i < 16; i ++) {
 366        s->ep[i].fifosize = 64;
 367        s->ep[i].maxp[0] = 0x40;
 368        s->ep[i].maxp[1] = 0x40;
 369        s->ep[i].musb = s;
 370        s->ep[i].epnum = i;
 371        usb_packet_init(&s->ep[i].packey[0].p);
 372        usb_packet_init(&s->ep[i].packey[1].p);
 373    }
 374}
 375
 376struct MUSBState *musb_init(DeviceState *parent_device, int gpio_base)
 377{
 378    MUSBState *s = g_malloc0(sizeof(*s));
 379    int i;
 380
 381    for (i = 0; i < musb_irq_max; i++) {
 382        s->irqs[i] = qdev_get_gpio_in(parent_device, gpio_base + i);
 383    }
 384
 385    musb_reset(s);
 386
 387    usb_bus_new(&s->bus, sizeof(s->bus), &musb_bus_ops, parent_device);
 388    usb_register_port(&s->bus, &s->port, s, 0, &musb_port_ops,
 389                      USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
 390
 391    return s;
 392}
 393
 394static void musb_vbus_set(MUSBState *s, int level)
 395{
 396    if (level)
 397        s->devctl |= 3 << MGC_S_DEVCTL_VBUS;
 398    else
 399        s->devctl &= ~MGC_M_DEVCTL_VBUS;
 400
 401    qemu_set_irq(s->irqs[musb_set_vbus], level);
 402}
 403
 404static void musb_intr_set(MUSBState *s, int line, int level)
 405{
 406    if (!level) {
 407        s->intr &= ~(1 << line);
 408        qemu_irq_lower(s->irqs[line]);
 409    } else if (s->mask & (1 << line)) {
 410        s->intr |= 1 << line;
 411        qemu_irq_raise(s->irqs[line]);
 412    }
 413}
 414
 415static void musb_tx_intr_set(MUSBState *s, int line, int level)
 416{
 417    if (!level) {
 418        s->tx_intr &= ~(1 << line);
 419        if (!s->tx_intr)
 420            qemu_irq_lower(s->irqs[musb_irq_tx]);
 421    } else if (s->tx_mask & (1 << line)) {
 422        s->tx_intr |= 1 << line;
 423        qemu_irq_raise(s->irqs[musb_irq_tx]);
 424    }
 425}
 426
 427static void musb_rx_intr_set(MUSBState *s, int line, int level)
 428{
 429    if (line) {
 430        if (!level) {
 431            s->rx_intr &= ~(1 << line);
 432            if (!s->rx_intr)
 433                qemu_irq_lower(s->irqs[musb_irq_rx]);
 434        } else if (s->rx_mask & (1 << line)) {
 435            s->rx_intr |= 1 << line;
 436            qemu_irq_raise(s->irqs[musb_irq_rx]);
 437        }
 438    } else
 439        musb_tx_intr_set(s, line, level);
 440}
 441
 442uint32_t musb_core_intr_get(MUSBState *s)
 443{
 444    return (s->rx_intr << 15) | s->tx_intr;
 445}
 446
 447void musb_core_intr_clear(MUSBState *s, uint32_t mask)
 448{
 449    if (s->rx_intr) {
 450        s->rx_intr &= mask >> 15;
 451        if (!s->rx_intr)
 452            qemu_irq_lower(s->irqs[musb_irq_rx]);
 453    }
 454
 455    if (s->tx_intr) {
 456        s->tx_intr &= mask & 0xffff;
 457        if (!s->tx_intr)
 458            qemu_irq_lower(s->irqs[musb_irq_tx]);
 459    }
 460}
 461
 462void musb_set_size(MUSBState *s, int epnum, int size, int is_tx)
 463{
 464    s->ep[epnum].ext_size[!is_tx] = size;
 465    s->ep[epnum].fifostart[0] = 0;
 466    s->ep[epnum].fifostart[1] = 0;
 467    s->ep[epnum].fifolen[0] = 0;
 468    s->ep[epnum].fifolen[1] = 0;
 469}
 470
 471static void musb_session_update(MUSBState *s, int prev_dev, int prev_sess)
 472{
 473    int detect_prev = prev_dev && prev_sess;
 474    int detect = !!s->port.dev && s->session;
 475
 476    if (detect && !detect_prev) {
 477        /* Let's skip the ID pin sense and VBUS sense formalities and
 478         * and signal a successful SRP directly.  This should work at least
 479         * for the Linux driver stack.  */
 480        musb_intr_set(s, musb_irq_connect, 1);
 481
 482        if (s->port.dev->speed == USB_SPEED_LOW) {
 483            s->devctl &= ~MGC_M_DEVCTL_FSDEV;
 484            s->devctl |= MGC_M_DEVCTL_LSDEV;
 485        } else {
 486            s->devctl |= MGC_M_DEVCTL_FSDEV;
 487            s->devctl &= ~MGC_M_DEVCTL_LSDEV;
 488        }
 489
 490        /* A-mode?  */
 491        s->devctl &= ~MGC_M_DEVCTL_BDEVICE;
 492
 493        /* Host-mode bit?  */
 494        s->devctl |= MGC_M_DEVCTL_HM;
 495#if 1
 496        musb_vbus_set(s, 1);
 497#endif
 498    } else if (!detect && detect_prev) {
 499#if 1
 500        musb_vbus_set(s, 0);
 501#endif
 502    }
 503}
 504
 505/* Attach or detach a device on our only port.  */
 506static void musb_attach(USBPort *port)
 507{
 508    MUSBState *s = (MUSBState *) port->opaque;
 509
 510    musb_intr_set(s, musb_irq_vbus_request, 1);
 511    musb_session_update(s, 0, s->session);
 512}
 513
 514static void musb_detach(USBPort *port)
 515{
 516    MUSBState *s = (MUSBState *) port->opaque;
 517
 518    musb_async_cancel_device(s, port->dev);
 519
 520    musb_intr_set(s, musb_irq_disconnect, 1);
 521    musb_session_update(s, 1, s->session);
 522}
 523
 524static void musb_child_detach(USBPort *port, USBDevice *child)
 525{
 526    MUSBState *s = (MUSBState *) port->opaque;
 527
 528    musb_async_cancel_device(s, child);
 529}
 530
 531static void musb_cb_tick0(void *opaque)
 532{
 533    MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
 534
 535    ep->delayed_cb[0](&ep->packey[0].p, opaque);
 536}
 537
 538static void musb_cb_tick1(void *opaque)
 539{
 540    MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
 541
 542    ep->delayed_cb[1](&ep->packey[1].p, opaque);
 543}
 544
 545#define musb_cb_tick    (dir ? musb_cb_tick1 : musb_cb_tick0)
 546
 547static void musb_schedule_cb(USBPort *port, USBPacket *packey)
 548{
 549    MUSBPacket *p = container_of(packey, MUSBPacket, p);
 550    MUSBEndPoint *ep = p->ep;
 551    int dir = p->dir;
 552    int timeout = 0;
 553
 554    if (ep->status[dir] == USB_RET_NAK)
 555        timeout = ep->timeout[dir];
 556    else if (ep->interrupt[dir])
 557        timeout = 8;
 558    else {
 559        musb_cb_tick(ep);
 560        return;
 561    }
 562
 563    if (!ep->intv_timer[dir])
 564        ep->intv_timer[dir] = timer_new_ns(QEMU_CLOCK_VIRTUAL, musb_cb_tick, ep);
 565
 566    timer_mod(ep->intv_timer[dir], qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
 567                   muldiv64(timeout, NANOSECONDS_PER_SECOND, 8000));
 568}
 569
 570static int musb_timeout(int ttype, int speed, int val)
 571{
 572#if 1
 573    return val << 3;
 574#endif
 575
 576    switch (ttype) {
 577    case USB_ENDPOINT_XFER_CONTROL:
 578        if (val < 2)
 579            return 0;
 580        else if (speed == USB_SPEED_HIGH)
 581            return 1 << (val - 1);
 582        else
 583            return 8 << (val - 1);
 584
 585    case USB_ENDPOINT_XFER_INT:
 586        if (speed == USB_SPEED_HIGH)
 587            if (val < 2)
 588                return 0;
 589            else
 590                return 1 << (val - 1);
 591        else
 592            return val << 3;
 593
 594    case USB_ENDPOINT_XFER_BULK:
 595    case USB_ENDPOINT_XFER_ISOC:
 596        if (val < 2)
 597            return 0;
 598        else if (speed == USB_SPEED_HIGH)
 599            return 1 << (val - 1);
 600        else
 601            return 8 << (val - 1);
 602        /* TODO: what with low-speed Bulk and Isochronous?  */
 603    }
 604
 605    hw_error("bad interval\n");
 606}
 607
 608static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
 609                int epnum, int pid, int len, USBCallback cb, int dir)
 610{
 611    USBDevice *dev;
 612    USBEndpoint *uep;
 613    int idx = epnum && dir;
 614    int id;
 615    int ttype;
 616
 617    /* ep->type[0,1] contains:
 618     * in bits 7:6 the speed (0 - invalid, 1 - high, 2 - full, 3 - slow)
 619     * in bits 5:4 the transfer type (BULK / INT)
 620     * in bits 3:0 the EP num
 621     */
 622    ttype = epnum ? (ep->type[idx] >> 4) & 3 : 0;
 623
 624    ep->timeout[dir] = musb_timeout(ttype,
 625                    ep->type[idx] >> 6, ep->interval[idx]);
 626    ep->interrupt[dir] = ttype == USB_ENDPOINT_XFER_INT;
 627    ep->delayed_cb[dir] = cb;
 628
 629    /* A wild guess on the FADDR semantics... */
 630    dev = usb_find_device(&s->port, ep->faddr[idx]);
 631    if (dev == NULL) {
 632        return;
 633    }
 634    uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
 635    id = pid | (dev->addr << 16) | (uep->nr << 8);
 636    usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
 637    usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
 638    ep->packey[dir].ep = ep;
 639    ep->packey[dir].dir = dir;
 640
 641    usb_handle_packet(dev, &ep->packey[dir].p);
 642
 643    if (ep->packey[dir].p.status == USB_RET_ASYNC) {
 644        usb_device_flush_ep_queue(dev, uep);
 645        ep->status[dir] = len;
 646        return;
 647    }
 648
 649    if (ep->packey[dir].p.status == USB_RET_SUCCESS) {
 650        ep->status[dir] = ep->packey[dir].p.actual_length;
 651    } else {
 652        ep->status[dir] = ep->packey[dir].p.status;
 653    }
 654    musb_schedule_cb(&s->port, &ep->packey[dir].p);
 655}
 656
 657static void musb_tx_packet_complete(USBPacket *packey, void *opaque)
 658{
 659    /* Unfortunately we can't use packey->devep because that's the remote
 660     * endpoint number and may be different than our local.  */
 661    MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
 662    int epnum = ep->epnum;
 663    MUSBState *s = ep->musb;
 664
 665    ep->fifostart[0] = 0;
 666    ep->fifolen[0] = 0;
 667#ifdef CLEAR_NAK
 668    if (ep->status[0] != USB_RET_NAK) {
 669#endif
 670        if (epnum)
 671            ep->csr[0] &= ~(MGC_M_TXCSR_FIFONOTEMPTY | MGC_M_TXCSR_TXPKTRDY);
 672        else
 673            ep->csr[0] &= ~MGC_M_CSR0_TXPKTRDY;
 674#ifdef CLEAR_NAK
 675    }
 676#endif
 677
 678    /* Clear all of the error bits first */
 679    if (epnum)
 680        ep->csr[0] &= ~(MGC_M_TXCSR_H_ERROR | MGC_M_TXCSR_H_RXSTALL |
 681                        MGC_M_TXCSR_H_NAKTIMEOUT);
 682    else
 683        ep->csr[0] &= ~(MGC_M_CSR0_H_ERROR | MGC_M_CSR0_H_RXSTALL |
 684                        MGC_M_CSR0_H_NAKTIMEOUT | MGC_M_CSR0_H_NO_PING);
 685
 686    if (ep->status[0] == USB_RET_STALL) {
 687        /* Command not supported by target! */
 688        ep->status[0] = 0;
 689
 690        if (epnum)
 691            ep->csr[0] |= MGC_M_TXCSR_H_RXSTALL;
 692        else
 693            ep->csr[0] |= MGC_M_CSR0_H_RXSTALL;
 694    }
 695
 696    if (ep->status[0] == USB_RET_NAK) {
 697        ep->status[0] = 0;
 698
 699        /* NAK timeouts are only generated in Bulk transfers and
 700         * Data-errors in Isochronous.  */
 701        if (ep->interrupt[0]) {
 702            return;
 703        }
 704
 705        if (epnum)
 706            ep->csr[0] |= MGC_M_TXCSR_H_NAKTIMEOUT;
 707        else
 708            ep->csr[0] |= MGC_M_CSR0_H_NAKTIMEOUT;
 709    }
 710
 711    if (ep->status[0] < 0) {
 712        if (ep->status[0] == USB_RET_BABBLE)
 713            musb_intr_set(s, musb_irq_rst_babble, 1);
 714
 715        /* Pretend we've tried three times already and failed (in
 716         * case of USB_TOKEN_SETUP).  */
 717        if (epnum)
 718            ep->csr[0] |= MGC_M_TXCSR_H_ERROR;
 719        else
 720            ep->csr[0] |= MGC_M_CSR0_H_ERROR;
 721
 722        musb_tx_intr_set(s, epnum, 1);
 723        return;
 724    }
 725    /* TODO: check len for over/underruns of an OUT packet?  */
 726
 727#ifdef SETUPLEN_HACK
 728    if (!epnum && ep->packey[0].pid == USB_TOKEN_SETUP)
 729        s->setup_len = ep->packey[0].data[6];
 730#endif
 731
 732    /* In DMA mode: if no error, assert DMA request for this EP,
 733     * and skip the interrupt.  */
 734    musb_tx_intr_set(s, epnum, 1);
 735}
 736
 737static void musb_rx_packet_complete(USBPacket *packey, void *opaque)
 738{
 739    /* Unfortunately we can't use packey->devep because that's the remote
 740     * endpoint number and may be different than our local.  */
 741    MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
 742    int epnum = ep->epnum;
 743    MUSBState *s = ep->musb;
 744
 745    ep->fifostart[1] = 0;
 746    ep->fifolen[1] = 0;
 747
 748#ifdef CLEAR_NAK
 749    if (ep->status[1] != USB_RET_NAK) {
 750#endif
 751        ep->csr[1] &= ~MGC_M_RXCSR_H_REQPKT;
 752        if (!epnum)
 753            ep->csr[0] &= ~MGC_M_CSR0_H_REQPKT;
 754#ifdef CLEAR_NAK
 755    }
 756#endif
 757
 758    /* Clear all of the imaginable error bits first */
 759    ep->csr[1] &= ~(MGC_M_RXCSR_H_ERROR | MGC_M_RXCSR_H_RXSTALL |
 760                    MGC_M_RXCSR_DATAERROR);
 761    if (!epnum)
 762        ep->csr[0] &= ~(MGC_M_CSR0_H_ERROR | MGC_M_CSR0_H_RXSTALL |
 763                        MGC_M_CSR0_H_NAKTIMEOUT | MGC_M_CSR0_H_NO_PING);
 764
 765    if (ep->status[1] == USB_RET_STALL) {
 766        ep->status[1] = 0;
 767
 768        ep->csr[1] |= MGC_M_RXCSR_H_RXSTALL;
 769        if (!epnum)
 770            ep->csr[0] |= MGC_M_CSR0_H_RXSTALL;
 771    }
 772
 773    if (ep->status[1] == USB_RET_NAK) {
 774        ep->status[1] = 0;
 775
 776        /* NAK timeouts are only generated in Bulk transfers and
 777         * Data-errors in Isochronous.  */
 778        if (ep->interrupt[1]) {
 779            musb_packet(s, ep, epnum, USB_TOKEN_IN,
 780                        packey->iov.size, musb_rx_packet_complete, 1);
 781            return;
 782        }
 783
 784        ep->csr[1] |= MGC_M_RXCSR_DATAERROR;
 785        if (!epnum)
 786            ep->csr[0] |= MGC_M_CSR0_H_NAKTIMEOUT;
 787    }
 788
 789    if (ep->status[1] < 0) {
 790        if (ep->status[1] == USB_RET_BABBLE) {
 791            musb_intr_set(s, musb_irq_rst_babble, 1);
 792            return;
 793        }
 794
 795        /* Pretend we've tried three times already and failed (in
 796         * case of a control transfer).  */
 797        ep->csr[1] |= MGC_M_RXCSR_H_ERROR;
 798        if (!epnum)
 799            ep->csr[0] |= MGC_M_CSR0_H_ERROR;
 800
 801        musb_rx_intr_set(s, epnum, 1);
 802        return;
 803    }
 804    /* TODO: check len for over/underruns of an OUT packet?  */
 805    /* TODO: perhaps make use of e->ext_size[1] here.  */
 806
 807    if (!(ep->csr[1] & (MGC_M_RXCSR_H_RXSTALL | MGC_M_RXCSR_DATAERROR))) {
 808        ep->csr[1] |= MGC_M_RXCSR_FIFOFULL | MGC_M_RXCSR_RXPKTRDY;
 809        if (!epnum)
 810            ep->csr[0] |= MGC_M_CSR0_RXPKTRDY;
 811
 812        ep->rxcount = ep->status[1]; /* XXX: MIN(packey->len, ep->maxp[1]); */
 813        /* In DMA mode: assert DMA request for this EP */
 814    }
 815
 816    /* Only if DMA has not been asserted */
 817    musb_rx_intr_set(s, epnum, 1);
 818}
 819
 820static void musb_async_cancel_device(MUSBState *s, USBDevice *dev)
 821{
 822    int ep, dir;
 823
 824    for (ep = 0; ep < 16; ep++) {
 825        for (dir = 0; dir < 2; dir++) {
 826            if (!usb_packet_is_inflight(&s->ep[ep].packey[dir].p) ||
 827                s->ep[ep].packey[dir].p.ep->dev != dev) {
 828                continue;
 829            }
 830            usb_cancel_packet(&s->ep[ep].packey[dir].p);
 831            /* status updates needed here? */
 832        }
 833    }
 834}
 835
 836static void musb_tx_rdy(MUSBState *s, int epnum)
 837{
 838    MUSBEndPoint *ep = s->ep + epnum;
 839    int pid;
 840    int total, valid = 0;
 841    TRACE("start %d, len %d",  ep->fifostart[0], ep->fifolen[0] );
 842    ep->fifostart[0] += ep->fifolen[0];
 843    ep->fifolen[0] = 0;
 844
 845    /* XXX: how's the total size of the packet retrieved exactly in
 846     * the generic case?  */
 847    total = ep->maxp[0] & 0x3ff;
 848
 849    if (ep->ext_size[0]) {
 850        total = ep->ext_size[0];
 851        ep->ext_size[0] = 0;
 852        valid = 1;
 853    }
 854
 855    /* If the packet is not fully ready yet, wait for a next segment.  */
 856    if (epnum && (ep->fifostart[0]) < total)
 857        return;
 858
 859    if (!valid)
 860        total = ep->fifostart[0];
 861
 862    pid = USB_TOKEN_OUT;
 863    if (!epnum && (ep->csr[0] & MGC_M_CSR0_H_SETUPPKT)) {
 864        pid = USB_TOKEN_SETUP;
 865        if (total != 8) {
 866            TRACE("illegal SETUPPKT length of %i bytes", total);
 867        }
 868        /* Controller should retry SETUP packets three times on errors
 869         * but it doesn't make sense for us to do that.  */
 870    }
 871
 872    musb_packet(s, ep, epnum, pid, total, musb_tx_packet_complete, 0);
 873}
 874
 875static void musb_rx_req(MUSBState *s, int epnum)
 876{
 877    MUSBEndPoint *ep = s->ep + epnum;
 878    int total;
 879
 880    /* If we already have a packet, which didn't fit into the
 881     * 64 bytes of the FIFO, only move the FIFO start and return. (Obsolete) */
 882    if (ep->packey[1].p.pid == USB_TOKEN_IN && ep->status[1] >= 0 &&
 883                    (ep->fifostart[1]) + ep->rxcount <
 884                    ep->packey[1].p.iov.size) {
 885        TRACE("0x%08x, %d",  ep->fifostart[1], ep->rxcount );
 886        ep->fifostart[1] += ep->rxcount;
 887        ep->fifolen[1] = 0;
 888
 889        ep->rxcount = MIN(ep->packey[0].p.iov.size - (ep->fifostart[1]),
 890                        ep->maxp[1]);
 891
 892        ep->csr[1] &= ~MGC_M_RXCSR_H_REQPKT;
 893        if (!epnum)
 894            ep->csr[0] &= ~MGC_M_CSR0_H_REQPKT;
 895
 896        /* Clear all of the error bits first */
 897        ep->csr[1] &= ~(MGC_M_RXCSR_H_ERROR | MGC_M_RXCSR_H_RXSTALL |
 898                        MGC_M_RXCSR_DATAERROR);
 899        if (!epnum)
 900            ep->csr[0] &= ~(MGC_M_CSR0_H_ERROR | MGC_M_CSR0_H_RXSTALL |
 901                            MGC_M_CSR0_H_NAKTIMEOUT | MGC_M_CSR0_H_NO_PING);
 902
 903        ep->csr[1] |= MGC_M_RXCSR_FIFOFULL | MGC_M_RXCSR_RXPKTRDY;
 904        if (!epnum)
 905            ep->csr[0] |= MGC_M_CSR0_RXPKTRDY;
 906        musb_rx_intr_set(s, epnum, 1);
 907        return;
 908    }
 909
 910    /* The driver sets maxp[1] to 64 or less because it knows the hardware
 911     * FIFO is this deep.  Bigger packets get split in
 912     * usb_generic_handle_packet but we can also do the splitting locally
 913     * for performance.  It turns out we can also have a bigger FIFO and
 914     * ignore the limit set in ep->maxp[1].  The Linux MUSB driver deals
 915     * OK with single packets of even 32KB and we avoid splitting, however
 916     * usb_msd.c sometimes sends a packet bigger than what Linux expects
 917     * (e.g. 8192 bytes instead of 4096) and we get an OVERRUN.  Splitting
 918     * hides this overrun from Linux.  Up to 4096 everything is fine
 919     * though.  Currently this is disabled.
 920     *
 921     * XXX: mind ep->fifosize.  */
 922    total = MIN(ep->maxp[1] & 0x3ff, sizeof(s->buf));
 923
 924#ifdef SETUPLEN_HACK
 925    /* Why should *we* do that instead of Linux?  */
 926    if (!epnum) {
 927        if (ep->packey[0].p.devaddr == 2) {
 928            total = MIN(s->setup_len, 8);
 929        } else {
 930            total = MIN(s->setup_len, 64);
 931        }
 932        s->setup_len -= total;
 933    }
 934#endif
 935
 936    musb_packet(s, ep, epnum, USB_TOKEN_IN, total, musb_rx_packet_complete, 1);
 937}
 938
 939static uint8_t musb_read_fifo(MUSBEndPoint *ep)
 940{
 941    uint8_t value;
 942    if (ep->fifolen[1] >= 64) {
 943        /* We have a FIFO underrun */
 944        TRACE("EP%d FIFO is now empty, stop reading", ep->epnum);
 945        return 0x00000000;
 946    }
 947    /* In DMA mode clear RXPKTRDY and set REQPKT automatically
 948     * (if AUTOREQ is set) */
 949
 950    ep->csr[1] &= ~MGC_M_RXCSR_FIFOFULL;
 951    value=ep->buf[1][ep->fifostart[1] + ep->fifolen[1] ++];
 952    TRACE("EP%d 0x%02x, %d", ep->epnum, value, ep->fifolen[1] );
 953    return value;
 954}
 955
 956static void musb_write_fifo(MUSBEndPoint *ep, uint8_t value)
 957{
 958    TRACE("EP%d = %02x", ep->epnum, value);
 959    if (ep->fifolen[0] >= 64) {
 960        /* We have a FIFO overrun */
 961        TRACE("EP%d FIFO exceeded 64 bytes, stop feeding data", ep->epnum);
 962        return;
 963     }
 964
 965     ep->buf[0][ep->fifostart[0] + ep->fifolen[0] ++] = value;
 966     ep->csr[0] |= MGC_M_TXCSR_FIFONOTEMPTY;
 967}
 968
 969static void musb_ep_frame_cancel(MUSBEndPoint *ep, int dir)
 970{
 971    if (ep->intv_timer[dir])
 972        timer_del(ep->intv_timer[dir]);
 973}
 974
 975/* Bus control */
 976static uint8_t musb_busctl_readb(void *opaque, int ep, int addr)
 977{
 978    MUSBState *s = (MUSBState *) opaque;
 979
 980    switch (addr) {
 981    /* For USB2.0 HS hubs only */
 982    case MUSB_HDRC_TXHUBADDR:
 983        return s->ep[ep].haddr[0];
 984    case MUSB_HDRC_TXHUBPORT:
 985        return s->ep[ep].hport[0];
 986    case MUSB_HDRC_RXHUBADDR:
 987        return s->ep[ep].haddr[1];
 988    case MUSB_HDRC_RXHUBPORT:
 989        return s->ep[ep].hport[1];
 990
 991    default:
 992        TRACE("unknown register 0x%02x", addr);
 993        return 0x00;
 994    };
 995}
 996
 997static void musb_busctl_writeb(void *opaque, int ep, int addr, uint8_t value)
 998{
 999    MUSBState *s = (MUSBState *) opaque;
1000
1001    switch (addr) {
1002    case MUSB_HDRC_TXFUNCADDR:
1003        s->ep[ep].faddr[0] = value;
1004        break;
1005    case MUSB_HDRC_RXFUNCADDR:
1006        s->ep[ep].faddr[1] = value;
1007        break;
1008    case MUSB_HDRC_TXHUBADDR:
1009        s->ep[ep].haddr[0] = value;
1010        break;
1011    case MUSB_HDRC_TXHUBPORT:
1012        s->ep[ep].hport[0] = value;
1013        break;
1014    case MUSB_HDRC_RXHUBADDR:
1015        s->ep[ep].haddr[1] = value;
1016        break;
1017    case MUSB_HDRC_RXHUBPORT:
1018        s->ep[ep].hport[1] = value;
1019        break;
1020
1021    default:
1022        TRACE("unknown register 0x%02x", addr);
1023        break;
1024    };
1025}
1026
1027static uint16_t musb_busctl_readh(void *opaque, int ep, int addr)
1028{
1029    MUSBState *s = (MUSBState *) opaque;
1030
1031    switch (addr) {
1032    case MUSB_HDRC_TXFUNCADDR:
1033        return s->ep[ep].faddr[0];
1034    case MUSB_HDRC_RXFUNCADDR:
1035        return s->ep[ep].faddr[1];
1036
1037    default:
1038        return musb_busctl_readb(s, ep, addr) |
1039                (musb_busctl_readb(s, ep, addr | 1) << 8);
1040    };
1041}
1042
1043static void musb_busctl_writeh(void *opaque, int ep, int addr, uint16_t value)
1044{
1045    MUSBState *s = (MUSBState *) opaque;
1046
1047    switch (addr) {
1048    case MUSB_HDRC_TXFUNCADDR:
1049        s->ep[ep].faddr[0] = value;
1050        break;
1051    case MUSB_HDRC_RXFUNCADDR:
1052        s->ep[ep].faddr[1] = value;
1053        break;
1054
1055    default:
1056        musb_busctl_writeb(s, ep, addr, value & 0xff);
1057        musb_busctl_writeb(s, ep, addr | 1, value >> 8);
1058    };
1059}
1060
1061/* Endpoint control */
1062static uint8_t musb_ep_readb(void *opaque, int ep, int addr)
1063{
1064    MUSBState *s = (MUSBState *) opaque;
1065
1066    switch (addr) {
1067    case MUSB_HDRC_TXTYPE:
1068        return s->ep[ep].type[0];
1069    case MUSB_HDRC_TXINTERVAL:
1070        return s->ep[ep].interval[0];
1071    case MUSB_HDRC_RXTYPE:
1072        return s->ep[ep].type[1];
1073    case MUSB_HDRC_RXINTERVAL:
1074        return s->ep[ep].interval[1];
1075    case (MUSB_HDRC_FIFOSIZE & ~1):
1076        return 0x00;
1077    case MUSB_HDRC_FIFOSIZE:
1078        return ep ? s->ep[ep].fifosize : s->ep[ep].config;
1079    case MUSB_HDRC_RXCOUNT:
1080        return s->ep[ep].rxcount;
1081
1082    default:
1083        TRACE("unknown register 0x%02x", addr);
1084        return 0x00;
1085    };
1086}
1087
1088static void musb_ep_writeb(void *opaque, int ep, int addr, uint8_t value)
1089{
1090    MUSBState *s = (MUSBState *) opaque;
1091
1092    switch (addr) {
1093    case MUSB_HDRC_TXTYPE:
1094        s->ep[ep].type[0] = value;
1095        break;
1096    case MUSB_HDRC_TXINTERVAL:
1097        s->ep[ep].interval[0] = value;
1098        musb_ep_frame_cancel(&s->ep[ep], 0);
1099        break;
1100    case MUSB_HDRC_RXTYPE:
1101        s->ep[ep].type[1] = value;
1102        break;
1103    case MUSB_HDRC_RXINTERVAL:
1104        s->ep[ep].interval[1] = value;
1105        musb_ep_frame_cancel(&s->ep[ep], 1);
1106        break;
1107    case (MUSB_HDRC_FIFOSIZE & ~1):
1108        break;
1109    case MUSB_HDRC_FIFOSIZE:
1110        TRACE("somebody messes with fifosize (now %i bytes)", value);
1111        s->ep[ep].fifosize = value;
1112        break;
1113    default:
1114        TRACE("unknown register 0x%02x", addr);
1115        break;
1116    };
1117}
1118
1119static uint16_t musb_ep_readh(void *opaque, int ep, int addr)
1120{
1121    MUSBState *s = (MUSBState *) opaque;
1122    uint16_t ret;
1123
1124    switch (addr) {
1125    case MUSB_HDRC_TXMAXP:
1126        return s->ep[ep].maxp[0];
1127    case MUSB_HDRC_TXCSR:
1128        return s->ep[ep].csr[0];
1129    case MUSB_HDRC_RXMAXP:
1130        return s->ep[ep].maxp[1];
1131    case MUSB_HDRC_RXCSR:
1132        ret = s->ep[ep].csr[1];
1133
1134        /* TODO: This and other bits probably depend on
1135         * ep->csr[1] & MGC_M_RXCSR_AUTOCLEAR.  */
1136        if (s->ep[ep].csr[1] & MGC_M_RXCSR_AUTOCLEAR)
1137            s->ep[ep].csr[1] &= ~MGC_M_RXCSR_RXPKTRDY;
1138
1139        return ret;
1140    case MUSB_HDRC_RXCOUNT:
1141        return s->ep[ep].rxcount;
1142
1143    default:
1144        return musb_ep_readb(s, ep, addr) |
1145                (musb_ep_readb(s, ep, addr | 1) << 8);
1146    };
1147}
1148
1149static void musb_ep_writeh(void *opaque, int ep, int addr, uint16_t value)
1150{
1151    MUSBState *s = (MUSBState *) opaque;
1152
1153    switch (addr) {
1154    case MUSB_HDRC_TXMAXP:
1155        s->ep[ep].maxp[0] = value;
1156        break;
1157    case MUSB_HDRC_TXCSR:
1158        if (ep) {
1159            s->ep[ep].csr[0] &= value & 0xa6;
1160            s->ep[ep].csr[0] |= value & 0xff59;
1161        } else {
1162            s->ep[ep].csr[0] &= value & 0x85;
1163            s->ep[ep].csr[0] |= value & 0xf7a;
1164        }
1165
1166        musb_ep_frame_cancel(&s->ep[ep], 0);
1167
1168        if ((ep && (value & MGC_M_TXCSR_FLUSHFIFO)) ||
1169                        (!ep && (value & MGC_M_CSR0_FLUSHFIFO))) {
1170            s->ep[ep].fifolen[0] = 0;
1171            s->ep[ep].fifostart[0] = 0;
1172            if (ep)
1173                s->ep[ep].csr[0] &=
1174                        ~(MGC_M_TXCSR_FIFONOTEMPTY | MGC_M_TXCSR_TXPKTRDY);
1175            else
1176                s->ep[ep].csr[0] &=
1177                        ~(MGC_M_CSR0_TXPKTRDY | MGC_M_CSR0_RXPKTRDY);
1178        }
1179        if (
1180                        (ep &&
1181#ifdef CLEAR_NAK
1182                         (value & MGC_M_TXCSR_TXPKTRDY) &&
1183                         !(value & MGC_M_TXCSR_H_NAKTIMEOUT)) ||
1184#else
1185                         (value & MGC_M_TXCSR_TXPKTRDY)) ||
1186#endif
1187                        (!ep &&
1188#ifdef CLEAR_NAK
1189                         (value & MGC_M_CSR0_TXPKTRDY) &&
1190                         !(value & MGC_M_CSR0_H_NAKTIMEOUT)))
1191#else
1192                         (value & MGC_M_CSR0_TXPKTRDY)))
1193#endif
1194            musb_tx_rdy(s, ep);
1195        if (!ep &&
1196                        (value & MGC_M_CSR0_H_REQPKT) &&
1197#ifdef CLEAR_NAK
1198                        !(value & (MGC_M_CSR0_H_NAKTIMEOUT |
1199                                        MGC_M_CSR0_RXPKTRDY)))
1200#else
1201                        !(value & MGC_M_CSR0_RXPKTRDY))
1202#endif
1203            musb_rx_req(s, ep);
1204        break;
1205
1206    case MUSB_HDRC_RXMAXP:
1207        s->ep[ep].maxp[1] = value;
1208        break;
1209    case MUSB_HDRC_RXCSR:
1210        /* (DMA mode only) */
1211        if (
1212                (value & MGC_M_RXCSR_H_AUTOREQ) &&
1213                !(value & MGC_M_RXCSR_RXPKTRDY) &&
1214                (s->ep[ep].csr[1] & MGC_M_RXCSR_RXPKTRDY))
1215            value |= MGC_M_RXCSR_H_REQPKT;
1216
1217        s->ep[ep].csr[1] &= 0x102 | (value & 0x4d);
1218        s->ep[ep].csr[1] |= value & 0xfeb0;
1219
1220        musb_ep_frame_cancel(&s->ep[ep], 1);
1221
1222        if (value & MGC_M_RXCSR_FLUSHFIFO) {
1223            s->ep[ep].fifolen[1] = 0;
1224            s->ep[ep].fifostart[1] = 0;
1225            s->ep[ep].csr[1] &= ~(MGC_M_RXCSR_FIFOFULL | MGC_M_RXCSR_RXPKTRDY);
1226            /* If double buffering and we have two packets ready, flush
1227             * only the first one and set up the fifo at the second packet.  */
1228        }
1229#ifdef CLEAR_NAK
1230        if ((value & MGC_M_RXCSR_H_REQPKT) && !(value & MGC_M_RXCSR_DATAERROR))
1231#else
1232        if (value & MGC_M_RXCSR_H_REQPKT)
1233#endif
1234            musb_rx_req(s, ep);
1235        break;
1236    case MUSB_HDRC_RXCOUNT:
1237        s->ep[ep].rxcount = value;
1238        break;
1239
1240    default:
1241        musb_ep_writeb(s, ep, addr, value & 0xff);
1242        musb_ep_writeb(s, ep, addr | 1, value >> 8);
1243    };
1244}
1245
1246/* Generic control */
1247static uint32_t musb_readb(void *opaque, hwaddr addr)
1248{
1249    MUSBState *s = (MUSBState *) opaque;
1250    int ep, i;
1251    uint8_t ret;
1252
1253    switch (addr) {
1254    case MUSB_HDRC_FADDR:
1255        return s->faddr;
1256    case MUSB_HDRC_POWER:
1257        return s->power;
1258    case MUSB_HDRC_INTRUSB:
1259        ret = s->intr;
1260        for (i = 0; i < sizeof(ret) * 8; i ++)
1261            if (ret & (1 << i))
1262                musb_intr_set(s, i, 0);
1263        return ret;
1264    case MUSB_HDRC_INTRUSBE:
1265        return s->mask;
1266    case MUSB_HDRC_INDEX:
1267        return s->idx;
1268    case MUSB_HDRC_TESTMODE:
1269        return 0x00;
1270
1271    case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1272        return musb_ep_readb(s, s->idx, addr & 0xf);
1273
1274    case MUSB_HDRC_DEVCTL:
1275        return s->devctl;
1276
1277    case MUSB_HDRC_TXFIFOSZ:
1278    case MUSB_HDRC_RXFIFOSZ:
1279    case MUSB_HDRC_VCTRL:
1280        /* TODO */
1281        return 0x00;
1282
1283    case MUSB_HDRC_HWVERS:
1284        return (1 << 10) | 400;
1285
1286    case (MUSB_HDRC_VCTRL | 1):
1287    case (MUSB_HDRC_HWVERS | 1):
1288    case (MUSB_HDRC_DEVCTL | 1):
1289        return 0x00;
1290
1291    case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1292        ep = (addr >> 3) & 0xf;
1293        return musb_busctl_readb(s, ep, addr & 0x7);
1294
1295    case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1296        ep = (addr >> 4) & 0xf;
1297        return musb_ep_readb(s, ep, addr & 0xf);
1298
1299    case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1300        ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1301        return musb_read_fifo(s->ep + ep);
1302
1303    default:
1304        TRACE("unknown register 0x%02x", (int) addr);
1305        return 0x00;
1306    };
1307}
1308
1309static void musb_writeb(void *opaque, hwaddr addr, uint32_t value)
1310{
1311    MUSBState *s = (MUSBState *) opaque;
1312    int ep;
1313
1314    switch (addr) {
1315    case MUSB_HDRC_FADDR:
1316        s->faddr = value & 0x7f;
1317        break;
1318    case MUSB_HDRC_POWER:
1319        s->power = (value & 0xef) | (s->power & 0x10);
1320        /* MGC_M_POWER_RESET is also read-only in Peripheral Mode */
1321        if ((value & MGC_M_POWER_RESET) && s->port.dev) {
1322            usb_device_reset(s->port.dev);
1323            /* Negotiate high-speed operation if MGC_M_POWER_HSENAB is set.  */
1324            if ((value & MGC_M_POWER_HSENAB) &&
1325                            s->port.dev->speed == USB_SPEED_HIGH)
1326                s->power |= MGC_M_POWER_HSMODE; /* Success */
1327            /* Restart frame counting.  */
1328        }
1329        if (value & MGC_M_POWER_SUSPENDM) {
1330            /* When all transfers finish, suspend and if MGC_M_POWER_ENSUSPEND
1331             * is set, also go into low power mode.  Frame counting stops.  */
1332            /* XXX: Cleared when the interrupt register is read */
1333        }
1334        if (value & MGC_M_POWER_RESUME) {
1335            /* Wait 20ms and signal resuming on the bus.  Frame counting
1336             * restarts.  */
1337        }
1338        break;
1339    case MUSB_HDRC_INTRUSB:
1340        break;
1341    case MUSB_HDRC_INTRUSBE:
1342        s->mask = value & 0xff;
1343        break;
1344    case MUSB_HDRC_INDEX:
1345        s->idx = value & 0xf;
1346        break;
1347    case MUSB_HDRC_TESTMODE:
1348        break;
1349
1350    case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1351        musb_ep_writeb(s, s->idx, addr & 0xf, value);
1352        break;
1353
1354    case MUSB_HDRC_DEVCTL:
1355        s->session = !!(value & MGC_M_DEVCTL_SESSION);
1356        musb_session_update(s,
1357                        !!s->port.dev,
1358                        !!(s->devctl & MGC_M_DEVCTL_SESSION));
1359
1360        /* It seems this is the only R/W bit in this register?  */
1361        s->devctl &= ~MGC_M_DEVCTL_SESSION;
1362        s->devctl |= value & MGC_M_DEVCTL_SESSION;
1363        break;
1364
1365    case MUSB_HDRC_TXFIFOSZ:
1366    case MUSB_HDRC_RXFIFOSZ:
1367    case MUSB_HDRC_VCTRL:
1368        /* TODO */
1369        break;
1370
1371    case (MUSB_HDRC_VCTRL | 1):
1372    case (MUSB_HDRC_DEVCTL | 1):
1373        break;
1374
1375    case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1376        ep = (addr >> 3) & 0xf;
1377        musb_busctl_writeb(s, ep, addr & 0x7, value);
1378        break;
1379
1380    case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1381        ep = (addr >> 4) & 0xf;
1382        musb_ep_writeb(s, ep, addr & 0xf, value);
1383        break;
1384
1385    case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1386        ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1387        musb_write_fifo(s->ep + ep, value & 0xff);
1388        break;
1389
1390    default:
1391        TRACE("unknown register 0x%02x", (int) addr);
1392        break;
1393    };
1394}
1395
1396static uint32_t musb_readh(void *opaque, hwaddr addr)
1397{
1398    MUSBState *s = (MUSBState *) opaque;
1399    int ep, i;
1400    uint16_t ret;
1401
1402    switch (addr) {
1403    case MUSB_HDRC_INTRTX:
1404        ret = s->tx_intr;
1405        /* Auto clear */
1406        for (i = 0; i < sizeof(ret) * 8; i ++)
1407            if (ret & (1 << i))
1408                musb_tx_intr_set(s, i, 0);
1409        return ret;
1410    case MUSB_HDRC_INTRRX:
1411        ret = s->rx_intr;
1412        /* Auto clear */
1413        for (i = 0; i < sizeof(ret) * 8; i ++)
1414            if (ret & (1 << i))
1415                musb_rx_intr_set(s, i, 0);
1416        return ret;
1417    case MUSB_HDRC_INTRTXE:
1418        return s->tx_mask;
1419    case MUSB_HDRC_INTRRXE:
1420        return s->rx_mask;
1421
1422    case MUSB_HDRC_FRAME:
1423        /* TODO */
1424        return 0x0000;
1425    case MUSB_HDRC_TXFIFOADDR:
1426        return s->ep[s->idx].fifoaddr[0];
1427    case MUSB_HDRC_RXFIFOADDR:
1428        return s->ep[s->idx].fifoaddr[1];
1429
1430    case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1431        return musb_ep_readh(s, s->idx, addr & 0xf);
1432
1433    case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1434        ep = (addr >> 3) & 0xf;
1435        return musb_busctl_readh(s, ep, addr & 0x7);
1436
1437    case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1438        ep = (addr >> 4) & 0xf;
1439        return musb_ep_readh(s, ep, addr & 0xf);
1440
1441    case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1442        ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1443        return (musb_read_fifo(s->ep + ep) | musb_read_fifo(s->ep + ep) << 8);
1444
1445    default:
1446        return musb_readb(s, addr) | (musb_readb(s, addr | 1) << 8);
1447    };
1448}
1449
1450static void musb_writeh(void *opaque, hwaddr addr, uint32_t value)
1451{
1452    MUSBState *s = (MUSBState *) opaque;
1453    int ep;
1454
1455    switch (addr) {
1456    case MUSB_HDRC_INTRTXE:
1457        s->tx_mask = value;
1458        /* XXX: the masks seem to apply on the raising edge like with
1459         * edge-triggered interrupts, thus no need to update.  I may be
1460         * wrong though.  */
1461        break;
1462    case MUSB_HDRC_INTRRXE:
1463        s->rx_mask = value;
1464        break;
1465
1466    case MUSB_HDRC_FRAME:
1467        /* TODO */
1468        break;
1469    case MUSB_HDRC_TXFIFOADDR:
1470        s->ep[s->idx].fifoaddr[0] = value;
1471        s->ep[s->idx].buf[0] =
1472                s->buf + ((value << 3) & 0x7ff );
1473        break;
1474    case MUSB_HDRC_RXFIFOADDR:
1475        s->ep[s->idx].fifoaddr[1] = value;
1476        s->ep[s->idx].buf[1] =
1477                s->buf + ((value << 3) & 0x7ff);
1478        break;
1479
1480    case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1481        musb_ep_writeh(s, s->idx, addr & 0xf, value);
1482        break;
1483
1484    case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1485        ep = (addr >> 3) & 0xf;
1486        musb_busctl_writeh(s, ep, addr & 0x7, value);
1487        break;
1488
1489    case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1490        ep = (addr >> 4) & 0xf;
1491        musb_ep_writeh(s, ep, addr & 0xf, value);
1492        break;
1493
1494    case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1495        ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1496        musb_write_fifo(s->ep + ep, value & 0xff);
1497        musb_write_fifo(s->ep + ep, (value >> 8) & 0xff);
1498        break;
1499
1500    default:
1501        musb_writeb(s, addr, value & 0xff);
1502        musb_writeb(s, addr | 1, value >> 8);
1503    };
1504}
1505
1506static uint32_t musb_readw(void *opaque, hwaddr addr)
1507{
1508    MUSBState *s = (MUSBState *) opaque;
1509    int ep;
1510
1511    switch (addr) {
1512    case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1513        ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1514        return ( musb_read_fifo(s->ep + ep)       |
1515                 musb_read_fifo(s->ep + ep) << 8  |
1516                 musb_read_fifo(s->ep + ep) << 16 |
1517                 musb_read_fifo(s->ep + ep) << 24 );
1518    default:
1519        TRACE("unknown register 0x%02x", (int) addr);
1520        return 0x00000000;
1521    };
1522}
1523
1524static void musb_writew(void *opaque, hwaddr addr, uint32_t value)
1525{
1526    MUSBState *s = (MUSBState *) opaque;
1527    int ep;
1528
1529    switch (addr) {
1530    case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1531        ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1532        musb_write_fifo(s->ep + ep, value & 0xff);
1533        musb_write_fifo(s->ep + ep, (value >> 8 ) & 0xff);
1534        musb_write_fifo(s->ep + ep, (value >> 16) & 0xff);
1535        musb_write_fifo(s->ep + ep, (value >> 24) & 0xff);
1536            break;
1537    default:
1538        TRACE("unknown register 0x%02x", (int) addr);
1539        break;
1540    };
1541}
1542
1543CPUReadMemoryFunc * const musb_read[] = {
1544    musb_readb,
1545    musb_readh,
1546    musb_readw,
1547};
1548
1549CPUWriteMemoryFunc * const musb_write[] = {
1550    musb_writeb,
1551    musb_writeh,
1552    musb_writew,
1553};
1554