xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision fe721c1948ef459caab106190276717bec252c88)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26  */
27 
28 #include "qemu/osdep.h"
29 #include "hw/irq.h"
30 #include "qapi/error.h"
31 #include "qemu/module.h"
32 #include "qemu/timer.h"
33 #include "hw/usb.h"
34 #include "migration/vmstate.h"
35 #include "hw/sysbus.h"
36 #include "hw/qdev-dma.h"
37 #include "hw/qdev-properties.h"
38 #include "trace.h"
39 #include "hcd-ohci.h"
40 
41 /* This causes frames to occur 1000x slower */
42 /*#define OHCI_TIME_WARP 1*/
43 
44 #define ED_LINK_LIMIT 32
45 
46 static int64_t usb_frame_time;
47 static int64_t usb_bit_time;
48 
49 /* Host Controller Communications Area */
50 struct ohci_hcca {
51     uint32_t intr[32];
52     uint16_t frame, pad;
53     uint32_t done;
54 };
55 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
56 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
57 
58 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
59 #define ED_WBACK_SIZE   4
60 
61 /* Bitfields for the first word of an Endpoint Descriptor. */
62 #define OHCI_ED_FA_SHIFT  0
63 #define OHCI_ED_FA_MASK   (0x7f << OHCI_ED_FA_SHIFT)
64 #define OHCI_ED_EN_SHIFT  7
65 #define OHCI_ED_EN_MASK   (0xf << OHCI_ED_EN_SHIFT)
66 #define OHCI_ED_D_SHIFT   11
67 #define OHCI_ED_D_MASK    (3 << OHCI_ED_D_SHIFT)
68 #define OHCI_ED_S         (1 << 13)
69 #define OHCI_ED_K         (1 << 14)
70 #define OHCI_ED_F         (1 << 15)
71 #define OHCI_ED_MPS_SHIFT 16
72 #define OHCI_ED_MPS_MASK  (0x7ff << OHCI_ED_MPS_SHIFT)
73 
74 /* Flags in the head field of an Endpoint Descriptor. */
75 #define OHCI_ED_H         1
76 #define OHCI_ED_C         2
77 
78 /* Bitfields for the first word of a Transfer Descriptor. */
79 #define OHCI_TD_R         (1 << 18)
80 #define OHCI_TD_DP_SHIFT  19
81 #define OHCI_TD_DP_MASK   (3 << OHCI_TD_DP_SHIFT)
82 #define OHCI_TD_DI_SHIFT  21
83 #define OHCI_TD_DI_MASK   (7 << OHCI_TD_DI_SHIFT)
84 #define OHCI_TD_T0        (1 << 24)
85 #define OHCI_TD_T1        (1 << 25)
86 #define OHCI_TD_EC_SHIFT  26
87 #define OHCI_TD_EC_MASK   (3 << OHCI_TD_EC_SHIFT)
88 #define OHCI_TD_CC_SHIFT  28
89 #define OHCI_TD_CC_MASK   (0xf << OHCI_TD_CC_SHIFT)
90 
91 /* Bitfields for the first word of an Isochronous Transfer Descriptor. */
92 /* CC & DI - same as in the General Transfer Descriptor */
93 #define OHCI_TD_SF_SHIFT  0
94 #define OHCI_TD_SF_MASK   (0xffff << OHCI_TD_SF_SHIFT)
95 #define OHCI_TD_FC_SHIFT  24
96 #define OHCI_TD_FC_MASK   (7 << OHCI_TD_FC_SHIFT)
97 
98 /* Isochronous Transfer Descriptor - Offset / PacketStatusWord */
99 #define OHCI_TD_PSW_CC_SHIFT 12
100 #define OHCI_TD_PSW_CC_MASK  (0xf << OHCI_TD_PSW_CC_SHIFT)
101 #define OHCI_TD_PSW_SIZE_SHIFT 0
102 #define OHCI_TD_PSW_SIZE_MASK  (0xfff << OHCI_TD_PSW_SIZE_SHIFT)
103 
104 #define OHCI_PAGE_MASK    0xfffff000
105 #define OHCI_OFFSET_MASK  0xfff
106 
107 #define OHCI_DPTR_MASK    0xfffffff0
108 
109 #define OHCI_BM(val, field) \
110   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
111 
112 #define OHCI_SET_BM(val, field, newval) do { \
113     val &= ~OHCI_##field##_MASK; \
114     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
115     } while (0)
116 
117 /* endpoint descriptor */
118 struct ohci_ed {
119     uint32_t flags;
120     uint32_t tail;
121     uint32_t head;
122     uint32_t next;
123 };
124 
125 /* General transfer descriptor */
126 struct ohci_td {
127     uint32_t flags;
128     uint32_t cbp;
129     uint32_t next;
130     uint32_t be;
131 };
132 
133 /* Isochronous transfer descriptor */
134 struct ohci_iso_td {
135     uint32_t flags;
136     uint32_t bp;
137     uint32_t next;
138     uint32_t be;
139     uint16_t offset[8];
140 };
141 
142 #define USB_HZ                      12000000
143 
144 /* OHCI Local stuff */
145 #define OHCI_CTL_CBSR         ((1 << 0) | (1 << 1))
146 #define OHCI_CTL_PLE          (1 << 2)
147 #define OHCI_CTL_IE           (1 << 3)
148 #define OHCI_CTL_CLE          (1 << 4)
149 #define OHCI_CTL_BLE          (1 << 5)
150 #define OHCI_CTL_HCFS         ((1 << 6) | (1 << 7))
151 #define  OHCI_USB_RESET       0x00
152 #define  OHCI_USB_RESUME      0x40
153 #define  OHCI_USB_OPERATIONAL 0x80
154 #define  OHCI_USB_SUSPEND     0xc0
155 #define OHCI_CTL_IR           (1 << 8)
156 #define OHCI_CTL_RWC          (1 << 9)
157 #define OHCI_CTL_RWE          (1 << 10)
158 
159 #define OHCI_STATUS_HCR       (1 << 0)
160 #define OHCI_STATUS_CLF       (1 << 1)
161 #define OHCI_STATUS_BLF       (1 << 2)
162 #define OHCI_STATUS_OCR       (1 << 3)
163 #define OHCI_STATUS_SOC       ((1 << 6) | (1 << 7))
164 
165 #define OHCI_INTR_SO          (1U << 0) /* Scheduling overrun */
166 #define OHCI_INTR_WD          (1U << 1) /* HcDoneHead writeback */
167 #define OHCI_INTR_SF          (1U << 2) /* Start of frame */
168 #define OHCI_INTR_RD          (1U << 3) /* Resume detect */
169 #define OHCI_INTR_UE          (1U << 4) /* Unrecoverable error */
170 #define OHCI_INTR_FNO         (1U << 5) /* Frame number overflow */
171 #define OHCI_INTR_RHSC        (1U << 6) /* Root hub status change */
172 #define OHCI_INTR_OC          (1U << 30) /* Ownership change */
173 #define OHCI_INTR_MIE         (1U << 31) /* Master Interrupt Enable */
174 
175 #define OHCI_HCCA_SIZE        0x100
176 #define OHCI_HCCA_MASK        0xffffff00
177 
178 #define OHCI_EDPTR_MASK       0xfffffff0
179 
180 #define OHCI_FMI_FI           0x00003fff
181 #define OHCI_FMI_FSMPS        0xffff0000
182 #define OHCI_FMI_FIT          0x80000000
183 
184 #define OHCI_FR_RT            (1U << 31)
185 
186 #define OHCI_LS_THRESH        0x628
187 
188 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
189 #define OHCI_RHA_PSM          (1 << 8)
190 #define OHCI_RHA_NPS          (1 << 9)
191 #define OHCI_RHA_DT           (1 << 10)
192 #define OHCI_RHA_OCPM         (1 << 11)
193 #define OHCI_RHA_NOCP         (1 << 12)
194 #define OHCI_RHA_POTPGT_MASK  0xff000000
195 
196 #define OHCI_RHS_LPS          (1U << 0)
197 #define OHCI_RHS_OCI          (1U << 1)
198 #define OHCI_RHS_DRWE         (1U << 15)
199 #define OHCI_RHS_LPSC         (1U << 16)
200 #define OHCI_RHS_OCIC         (1U << 17)
201 #define OHCI_RHS_CRWE         (1U << 31)
202 
203 #define OHCI_PORT_CCS         (1 << 0)
204 #define OHCI_PORT_PES         (1 << 1)
205 #define OHCI_PORT_PSS         (1 << 2)
206 #define OHCI_PORT_POCI        (1 << 3)
207 #define OHCI_PORT_PRS         (1 << 4)
208 #define OHCI_PORT_PPS         (1 << 8)
209 #define OHCI_PORT_LSDA        (1 << 9)
210 #define OHCI_PORT_CSC         (1 << 16)
211 #define OHCI_PORT_PESC        (1 << 17)
212 #define OHCI_PORT_PSSC        (1 << 18)
213 #define OHCI_PORT_OCIC        (1 << 19)
214 #define OHCI_PORT_PRSC        (1 << 20)
215 #define OHCI_PORT_WTC         (OHCI_PORT_CSC | OHCI_PORT_PESC | \
216                                OHCI_PORT_PSSC | OHCI_PORT_OCIC | \
217                                OHCI_PORT_PRSC)
218 #define OHCI_TD_DIR_SETUP     0x0
219 #define OHCI_TD_DIR_OUT       0x1
220 #define OHCI_TD_DIR_IN        0x2
221 #define OHCI_TD_DIR_RESERVED  0x3
222 
223 #define OHCI_CC_NOERROR             0x0
224 #define OHCI_CC_CRC                 0x1
225 #define OHCI_CC_BITSTUFFING         0x2
226 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
227 #define OHCI_CC_STALL               0x4
228 #define OHCI_CC_DEVICENOTRESPONDING 0x5
229 #define OHCI_CC_PIDCHECKFAILURE     0x6
230 #define OHCI_CC_UNDEXPETEDPID       0x7
231 #define OHCI_CC_DATAOVERRUN         0x8
232 #define OHCI_CC_DATAUNDERRUN        0x9
233 #define OHCI_CC_BUFFEROVERRUN       0xc
234 #define OHCI_CC_BUFFERUNDERRUN      0xd
235 
236 #define OHCI_HRESET_FSBIR       (1 << 0)
237 
238 static const char *ohci_reg_names[] = {
239     "HcRevision", "HcControl", "HcCommandStatus", "HcInterruptStatus",
240     "HcInterruptEnable", "HcInterruptDisable", "HcHCCA", "HcPeriodCurrentED",
241     "HcControlHeadED", "HcControlCurrentED", "HcBulkHeadED", "HcBulkCurrentED",
242     "HcDoneHead", "HcFmInterval", "HcFmRemaining", "HcFmNumber",
243     "HcPeriodicStart", "HcLSThreshold", "HcRhDescriptorA", "HcRhDescriptorB",
244     "HcRhStatus"
245 };
246 
247 static const char *ohci_reg_name(hwaddr addr)
248 {
249     if (addr >> 2 < ARRAY_SIZE(ohci_reg_names)) {
250         return ohci_reg_names[addr >> 2];
251     } else {
252         return "<unknown>";
253     }
254 }
255 
256 static void ohci_die(OHCIState *ohci)
257 {
258     ohci->ohci_die(ohci);
259 }
260 
261 /* Update IRQ levels */
262 static inline void ohci_intr_update(OHCIState *ohci)
263 {
264     int level = 0;
265 
266     if ((ohci->intr & OHCI_INTR_MIE) &&
267         (ohci->intr_status & ohci->intr))
268         level = 1;
269 
270     qemu_set_irq(ohci->irq, level);
271 }
272 
273 /* Set an interrupt */
274 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
275 {
276     ohci->intr_status |= intr;
277     ohci_intr_update(ohci);
278 }
279 
280 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
281 {
282     USBDevice *dev;
283     int i;
284 
285     for (i = 0; i < ohci->num_ports; i++) {
286         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
287             continue;
288         }
289         dev = usb_find_device(&ohci->rhport[i].port, addr);
290         if (dev != NULL) {
291             return dev;
292         }
293     }
294     return NULL;
295 }
296 
297 void ohci_stop_endpoints(OHCIState *ohci)
298 {
299     USBDevice *dev;
300     int i, j;
301 
302     if (ohci->async_td) {
303         usb_cancel_packet(&ohci->usb_packet);
304         ohci->async_td = 0;
305     }
306     for (i = 0; i < ohci->num_ports; i++) {
307         dev = ohci->rhport[i].port.dev;
308         if (dev && dev->attached) {
309             usb_device_ep_stopped(dev, &dev->ep_ctl);
310             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
311                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
312                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
313             }
314         }
315     }
316 }
317 
318 static void ohci_roothub_reset(OHCIState *ohci)
319 {
320     OHCIPort *port;
321     int i;
322 
323     ohci_bus_stop(ohci);
324     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
325     ohci->rhdesc_b = 0x0; /* Impl. specific */
326     ohci->rhstatus = 0;
327 
328     for (i = 0; i < ohci->num_ports; i++) {
329         port = &ohci->rhport[i];
330         port->ctrl = 0;
331         if (port->port.dev && port->port.dev->attached) {
332             usb_port_reset(&port->port);
333         }
334     }
335     ohci_stop_endpoints(ohci);
336 }
337 
338 /* Reset the controller */
339 static void ohci_soft_reset(OHCIState *ohci)
340 {
341     trace_usb_ohci_reset(ohci->name);
342 
343     ohci_bus_stop(ohci);
344     ohci->ctl = (ohci->ctl & OHCI_CTL_IR) | OHCI_USB_SUSPEND;
345     ohci->old_ctl = 0;
346     ohci->status = 0;
347     ohci->intr_status = 0;
348     ohci->intr = OHCI_INTR_MIE;
349 
350     ohci->hcca = 0;
351     ohci->ctrl_head = ohci->ctrl_cur = 0;
352     ohci->bulk_head = ohci->bulk_cur = 0;
353     ohci->per_cur = 0;
354     ohci->done = 0;
355     ohci->done_count = 7;
356     /*
357      * FSMPS is marked TBD in OCHI 1.0, what gives ffs?
358      * I took the value linux sets ...
359      */
360     ohci->fsmps = 0x2778;
361     ohci->fi = 0x2edf;
362     ohci->fit = 0;
363     ohci->frt = 0;
364     ohci->frame_number = 0;
365     ohci->pstart = 0;
366     ohci->lst = OHCI_LS_THRESH;
367 }
368 
369 void ohci_hard_reset(OHCIState *ohci)
370 {
371     ohci_soft_reset(ohci);
372     ohci->ctl = 0;
373     ohci_roothub_reset(ohci);
374 }
375 
376 /* Get an array of dwords from main memory */
377 static inline int get_dwords(OHCIState *ohci,
378                              dma_addr_t addr, uint32_t *buf, int num)
379 {
380     int i;
381 
382     addr += ohci->localmem_base;
383 
384     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
385         if (dma_memory_read(ohci->as, addr,
386                             buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
387             return -1;
388         }
389         *buf = le32_to_cpu(*buf);
390     }
391 
392     return 0;
393 }
394 
395 /* Put an array of dwords in to main memory */
396 static inline int put_dwords(OHCIState *ohci,
397                              dma_addr_t addr, uint32_t *buf, int num)
398 {
399     int i;
400 
401     addr += ohci->localmem_base;
402 
403     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
404         uint32_t tmp = cpu_to_le32(*buf);
405         if (dma_memory_write(ohci->as, addr,
406                              &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
407             return -1;
408         }
409     }
410 
411     return 0;
412 }
413 
414 /* Get an array of words from main memory */
415 static inline int get_words(OHCIState *ohci,
416                             dma_addr_t addr, uint16_t *buf, int num)
417 {
418     int i;
419 
420     addr += ohci->localmem_base;
421 
422     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
423         if (dma_memory_read(ohci->as, addr,
424                             buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
425             return -1;
426         }
427         *buf = le16_to_cpu(*buf);
428     }
429 
430     return 0;
431 }
432 
433 /* Put an array of words in to main memory */
434 static inline int put_words(OHCIState *ohci,
435                             dma_addr_t addr, uint16_t *buf, int num)
436 {
437     int i;
438 
439     addr += ohci->localmem_base;
440 
441     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
442         uint16_t tmp = cpu_to_le16(*buf);
443         if (dma_memory_write(ohci->as, addr,
444                              &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
445             return -1;
446         }
447     }
448 
449     return 0;
450 }
451 
452 static inline int ohci_read_ed(OHCIState *ohci,
453                                dma_addr_t addr, struct ohci_ed *ed)
454 {
455     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
456 }
457 
458 static inline int ohci_read_td(OHCIState *ohci,
459                                dma_addr_t addr, struct ohci_td *td)
460 {
461     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
462 }
463 
464 static inline int ohci_read_iso_td(OHCIState *ohci,
465                                    dma_addr_t addr, struct ohci_iso_td *td)
466 {
467     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
468            get_words(ohci, addr + 16, td->offset, 8);
469 }
470 
471 static inline int ohci_read_hcca(OHCIState *ohci,
472                                  dma_addr_t addr, struct ohci_hcca *hcca)
473 {
474     return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca,
475                            sizeof(*hcca), MEMTXATTRS_UNSPECIFIED);
476 }
477 
478 static inline int ohci_put_ed(OHCIState *ohci,
479                               dma_addr_t addr, struct ohci_ed *ed)
480 {
481     /*
482      * ed->tail is under control of the HCD.
483      * Since just ed->head is changed by HC, just write back this
484      */
485     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
486                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
487                       ED_WBACK_SIZE >> 2);
488 }
489 
490 static inline int ohci_put_td(OHCIState *ohci,
491                               dma_addr_t addr, struct ohci_td *td)
492 {
493     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
494 }
495 
496 static inline int ohci_put_iso_td(OHCIState *ohci,
497                                   dma_addr_t addr, struct ohci_iso_td *td)
498 {
499     return put_dwords(ohci, addr, (uint32_t *)td, 4) ||
500            put_words(ohci, addr + 16, td->offset, 8);
501 }
502 
503 static inline int ohci_put_hcca(OHCIState *ohci,
504                                 dma_addr_t addr, struct ohci_hcca *hcca)
505 {
506     return dma_memory_write(ohci->as,
507                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
508                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
509                             HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED);
510 }
511 
512 /* Read/Write the contents of a TD from/to main memory.  */
513 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
514                         uint8_t *buf, int len, DMADirection dir)
515 {
516     dma_addr_t ptr, n;
517 
518     ptr = td->cbp;
519     n = 0x1000 - (ptr & 0xfff);
520     if (n > len) {
521         n = len;
522     }
523     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
524                       n, dir, MEMTXATTRS_UNSPECIFIED)) {
525         return -1;
526     }
527     if (n == len) {
528         return 0;
529     }
530     ptr = td->be & ~0xfffu;
531     buf += n;
532     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
533                       len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
534         return -1;
535     }
536     return 0;
537 }
538 
539 /* Read/Write the contents of an ISO TD from/to main memory.  */
540 static int ohci_copy_iso_td(OHCIState *ohci,
541                             uint32_t start_addr, uint32_t end_addr,
542                             uint8_t *buf, int len, DMADirection dir)
543 {
544     dma_addr_t ptr, n;
545 
546     ptr = start_addr;
547     n = 0x1000 - (ptr & 0xfff);
548     if (n > len) {
549         n = len;
550     }
551     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
552                       n, dir, MEMTXATTRS_UNSPECIFIED)) {
553         return -1;
554     }
555     if (n == len) {
556         return 0;
557     }
558     ptr = end_addr & ~0xfffu;
559     buf += n;
560     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
561                       len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
562         return -1;
563     }
564     return 0;
565 }
566 
567 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
568 
569 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
570 {
571     int dir;
572     size_t len = 0;
573     const char *str = NULL;
574     int pid;
575     int ret;
576     int i;
577     USBDevice *dev;
578     USBEndpoint *ep;
579     USBPacket *pkt;
580     uint8_t buf[8192];
581     bool int_req;
582     struct ohci_iso_td iso_td;
583     uint32_t addr;
584     uint16_t starting_frame;
585     int16_t relative_frame_number;
586     int frame_count;
587     uint32_t start_offset, next_offset, end_offset = 0;
588     uint32_t start_addr, end_addr;
589 
590     addr = ed->head & OHCI_DPTR_MASK;
591 
592     if (addr == 0) {
593         ohci_die(ohci);
594         return 1;
595     }
596 
597     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
598         trace_usb_ohci_iso_td_read_failed(addr);
599         ohci_die(ohci);
600         return 1;
601     }
602 
603     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
604     frame_count = OHCI_BM(iso_td.flags, TD_FC);
605     relative_frame_number = USUB(ohci->frame_number, starting_frame);
606 
607     trace_usb_ohci_iso_td_head(
608            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
609            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
610            ohci->frame_number, starting_frame,
611            frame_count, relative_frame_number);
612     trace_usb_ohci_iso_td_head_offset(
613            iso_td.offset[0], iso_td.offset[1],
614            iso_td.offset[2], iso_td.offset[3],
615            iso_td.offset[4], iso_td.offset[5],
616            iso_td.offset[6], iso_td.offset[7]);
617 
618     if (relative_frame_number < 0) {
619         trace_usb_ohci_iso_td_relative_frame_number_neg(relative_frame_number);
620         return 1;
621     } else if (relative_frame_number > frame_count) {
622         /*
623          * ISO TD expired - retire the TD to the Done Queue and continue with
624          * the next ISO TD of the same ED
625          */
626         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
627                                                         frame_count);
628         if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
629             /* avoid infinite loop */
630             return 1;
631         }
632         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
633         ed->head &= ~OHCI_DPTR_MASK;
634         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
635         iso_td.next = ohci->done;
636         ohci->done = addr;
637         i = OHCI_BM(iso_td.flags, TD_DI);
638         if (i < ohci->done_count) {
639             ohci->done_count = i;
640         }
641         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
642             ohci_die(ohci);
643             return 1;
644         }
645         return 0;
646     }
647 
648     dir = OHCI_BM(ed->flags, ED_D);
649     switch (dir) {
650     case OHCI_TD_DIR_IN:
651         str = "in";
652         pid = USB_TOKEN_IN;
653         break;
654     case OHCI_TD_DIR_OUT:
655         str = "out";
656         pid = USB_TOKEN_OUT;
657         break;
658     case OHCI_TD_DIR_SETUP:
659         str = "setup";
660         pid = USB_TOKEN_SETUP;
661         break;
662     default:
663         trace_usb_ohci_iso_td_bad_direction(dir);
664         return 1;
665     }
666 
667     if (!iso_td.bp || !iso_td.be) {
668         trace_usb_ohci_iso_td_bad_bp_be(iso_td.bp, iso_td.be);
669         return 1;
670     }
671 
672     start_offset = iso_td.offset[relative_frame_number];
673     if (relative_frame_number < frame_count) {
674         next_offset = iso_td.offset[relative_frame_number + 1];
675     } else {
676         next_offset = iso_td.be;
677     }
678 
679     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
680         ((relative_frame_number < frame_count) &&
681          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
682         trace_usb_ohci_iso_td_bad_cc_not_accessed(start_offset, next_offset);
683         return 1;
684     }
685 
686     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
687         trace_usb_ohci_iso_td_bad_cc_overrun(start_offset, next_offset);
688         return 1;
689     }
690 
691     if ((start_offset & 0x1000) == 0) {
692         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
693             (start_offset & OHCI_OFFSET_MASK);
694     } else {
695         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
696             (start_offset & OHCI_OFFSET_MASK);
697     }
698 
699     if (relative_frame_number < frame_count) {
700         end_offset = next_offset - 1;
701         if ((end_offset & 0x1000) == 0) {
702             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
703                 (end_offset & OHCI_OFFSET_MASK);
704         } else {
705             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
706                 (end_offset & OHCI_OFFSET_MASK);
707         }
708     } else {
709         /* Last packet in the ISO TD */
710         end_addr = next_offset;
711     }
712 
713     if (start_addr > end_addr) {
714         trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
715         return 1;
716     }
717 
718     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
719         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
720             - (start_addr & OHCI_OFFSET_MASK);
721     } else {
722         len = end_addr - start_addr + 1;
723     }
724     if (len > sizeof(buf)) {
725         len = sizeof(buf);
726     }
727 
728     if (len && dir != OHCI_TD_DIR_IN) {
729         if (ohci_copy_iso_td(ohci, start_addr, end_addr, buf, len,
730                              DMA_DIRECTION_TO_DEVICE)) {
731             ohci_die(ohci);
732             return 1;
733         }
734     }
735 
736     dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
737     if (dev == NULL) {
738         trace_usb_ohci_td_dev_error();
739         return 1;
740     }
741     ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
742     pkt = g_new0(USBPacket, 1);
743     usb_packet_init(pkt);
744     int_req = relative_frame_number == frame_count &&
745               OHCI_BM(iso_td.flags, TD_DI) == 0;
746     usb_packet_setup(pkt, pid, ep, 0, addr, false, int_req);
747     usb_packet_addbuf(pkt, buf, len);
748     usb_handle_packet(dev, pkt);
749     if (pkt->status == USB_RET_ASYNC) {
750         usb_device_flush_ep_queue(dev, ep);
751         g_free(pkt);
752         return 1;
753     }
754     if (pkt->status == USB_RET_SUCCESS) {
755         ret = pkt->actual_length;
756     } else {
757         ret = pkt->status;
758     }
759     g_free(pkt);
760 
761     trace_usb_ohci_iso_td_so(start_offset, end_offset, start_addr, end_addr,
762                              str, len, ret);
763 
764     /* Writeback */
765     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
766         /* IN transfer succeeded */
767         if (ohci_copy_iso_td(ohci, start_addr, end_addr, buf, ret,
768                              DMA_DIRECTION_FROM_DEVICE)) {
769             ohci_die(ohci);
770             return 1;
771         }
772         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
773                     OHCI_CC_NOERROR);
774         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
775     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
776         /* OUT transfer succeeded */
777         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
778                     OHCI_CC_NOERROR);
779         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
780     } else {
781         if (ret > (ssize_t) len) {
782             trace_usb_ohci_iso_td_data_overrun(ret, len);
783             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
784                         OHCI_CC_DATAOVERRUN);
785             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
786                         len);
787         } else if (ret >= 0) {
788             trace_usb_ohci_iso_td_data_underrun(ret);
789             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
790                         OHCI_CC_DATAUNDERRUN);
791         } else {
792             switch (ret) {
793             case USB_RET_IOERROR:
794             case USB_RET_NODEV:
795                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
796                             OHCI_CC_DEVICENOTRESPONDING);
797                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
798                             0);
799                 break;
800             case USB_RET_NAK:
801             case USB_RET_STALL:
802                 trace_usb_ohci_iso_td_nak(ret);
803                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
804                             OHCI_CC_STALL);
805                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
806                             0);
807                 break;
808             default:
809                 trace_usb_ohci_iso_td_bad_response(ret);
810                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
811                             OHCI_CC_UNDEXPETEDPID);
812                 break;
813             }
814         }
815     }
816 
817     if (relative_frame_number == frame_count) {
818         /* Last data packet of ISO TD - retire the TD to the Done Queue */
819         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
820         ed->head &= ~OHCI_DPTR_MASK;
821         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
822         iso_td.next = ohci->done;
823         ohci->done = addr;
824         i = OHCI_BM(iso_td.flags, TD_DI);
825         if (i < ohci->done_count) {
826             ohci->done_count = i;
827         }
828     }
829     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
830         ohci_die(ohci);
831     }
832     return 1;
833 }
834 
835 #define HEX_CHAR_PER_LINE 16
836 
837 static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
838 {
839     bool print16;
840     bool printall;
841     int i;
842     char tmp[3 * HEX_CHAR_PER_LINE + 1];
843     char *p = tmp;
844 
845     print16 = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_SHORT);
846     printall = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_FULL);
847 
848     if (!printall && !print16) {
849         return;
850     }
851 
852     for (i = 0; ; i++) {
853         if (i && (!(i % HEX_CHAR_PER_LINE) || (i == len))) {
854             if (!printall) {
855                 trace_usb_ohci_td_pkt_short(msg, tmp);
856                 break;
857             }
858             trace_usb_ohci_td_pkt_full(msg, tmp);
859             p = tmp;
860             *p = 0;
861         }
862         if (i == len) {
863             break;
864         }
865 
866         p += sprintf(p, " %.2x", buf[i]);
867     }
868 }
869 
870 /*
871  * Service a transport descriptor.
872  * Returns nonzero to terminate processing of this endpoint.
873  */
874 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
875 {
876     int dir;
877     size_t len = 0, pktlen = 0;
878     const char *str = NULL;
879     int pid;
880     int ret;
881     int i;
882     USBDevice *dev;
883     USBEndpoint *ep;
884     struct ohci_td td;
885     uint32_t addr;
886     int flag_r;
887     int completion;
888 
889     addr = ed->head & OHCI_DPTR_MASK;
890     if (addr == 0) {
891         ohci_die(ohci);
892         return 1;
893     }
894 
895     /* See if this TD has already been submitted to the device. */
896     completion = (addr == ohci->async_td);
897     if (completion && !ohci->async_complete) {
898         trace_usb_ohci_td_skip_async();
899         return 1;
900     }
901     if (ohci_read_td(ohci, addr, &td)) {
902         trace_usb_ohci_td_read_error(addr);
903         ohci_die(ohci);
904         return 1;
905     }
906 
907     dir = OHCI_BM(ed->flags, ED_D);
908     switch (dir) {
909     case OHCI_TD_DIR_OUT:
910     case OHCI_TD_DIR_IN:
911         /* Same value. */
912         break;
913     default:
914         dir = OHCI_BM(td.flags, TD_DP);
915         break;
916     }
917 
918     switch (dir) {
919     case OHCI_TD_DIR_IN:
920         str = "in";
921         pid = USB_TOKEN_IN;
922         break;
923     case OHCI_TD_DIR_OUT:
924         str = "out";
925         pid = USB_TOKEN_OUT;
926         break;
927     case OHCI_TD_DIR_SETUP:
928         str = "setup";
929         pid = USB_TOKEN_SETUP;
930         if (OHCI_BM(ed->flags, ED_EN) > 0) {  /* setup only allowed to ep 0 */
931             trace_usb_ohci_td_bad_pid(str, ed->flags, td.flags);
932             ohci_die(ohci);
933             return 1;
934         }
935         break;
936     default:
937         trace_usb_ohci_td_bad_direction(dir);
938         return 1;
939     }
940     if (td.cbp && td.be) {
941         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
942             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
943         } else {
944             if (td.cbp - 1 > td.be) {  /* rely on td.cbp != 0 */
945                 trace_usb_ohci_td_bad_buf(td.cbp, td.be);
946                 ohci_die(ohci);
947                 return 1;
948             }
949             len = (td.be - td.cbp) + 1;
950         }
951         if (len > sizeof(ohci->usb_buf)) {
952             len = sizeof(ohci->usb_buf);
953         }
954 
955         pktlen = len;
956         if (len && dir != OHCI_TD_DIR_IN) {
957             /* The endpoint may not allow us to transfer it all now */
958             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
959             if (pktlen > len) {
960                 pktlen = len;
961             }
962             if (!completion) {
963                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
964                                  DMA_DIRECTION_TO_DEVICE)) {
965                     ohci_die(ohci);
966                 }
967             }
968         }
969     }
970 
971     flag_r = (td.flags & OHCI_TD_R) != 0;
972     trace_usb_ohci_td_pkt_hdr(addr, (int64_t)pktlen, (int64_t)len, str,
973                               flag_r, td.cbp, td.be);
974     ohci_td_pkt("OUT", ohci->usb_buf, pktlen);
975 
976     if (completion) {
977         ohci->async_td = 0;
978         ohci->async_complete = false;
979     } else {
980         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
981         if (dev == NULL) {
982             trace_usb_ohci_td_dev_error();
983             return 1;
984         }
985         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
986         if (ohci->async_td) {
987             /*
988              * ??? The hardware should allow one active packet per
989              * endpoint.  We only allow one active packet per controller.
990              * This should be sufficient as long as devices respond in a
991              * timely manner.
992              */
993             trace_usb_ohci_td_too_many_pending(ep->nr);
994             return 1;
995         }
996         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
997                          OHCI_BM(td.flags, TD_DI) == 0);
998         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
999         usb_handle_packet(dev, &ohci->usb_packet);
1000         trace_usb_ohci_td_packet_status(ohci->usb_packet.status);
1001 
1002         if (ohci->usb_packet.status == USB_RET_ASYNC) {
1003             usb_device_flush_ep_queue(dev, ep);
1004             ohci->async_td = addr;
1005             return 1;
1006         }
1007     }
1008     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1009         ret = ohci->usb_packet.actual_length;
1010     } else {
1011         ret = ohci->usb_packet.status;
1012     }
1013 
1014     if (ret >= 0) {
1015         if (dir == OHCI_TD_DIR_IN) {
1016             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1017                              DMA_DIRECTION_FROM_DEVICE)) {
1018                 ohci_die(ohci);
1019             }
1020             ohci_td_pkt("IN", ohci->usb_buf, pktlen);
1021         } else {
1022             ret = pktlen;
1023         }
1024     }
1025 
1026     /* Writeback */
1027     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1028         /* Transmission succeeded. */
1029         if (ret == len) {
1030             td.cbp = 0;
1031         } else {
1032             if ((td.cbp & 0xfff) + ret > 0xfff) {
1033                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1034             } else {
1035                 td.cbp += ret;
1036             }
1037         }
1038         td.flags |= OHCI_TD_T1;
1039         td.flags ^= OHCI_TD_T0;
1040         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1041         OHCI_SET_BM(td.flags, TD_EC, 0);
1042 
1043         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1044             /* Partial packet transfer: TD not ready to retire yet */
1045             goto exit_no_retire;
1046         }
1047 
1048         /* Setting ED_C is part of the TD retirement process */
1049         ed->head &= ~OHCI_ED_C;
1050         if (td.flags & OHCI_TD_T0) {
1051             ed->head |= OHCI_ED_C;
1052         }
1053     } else {
1054         if (ret >= 0) {
1055             trace_usb_ohci_td_underrun();
1056             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1057         } else {
1058             switch (ret) {
1059             case USB_RET_IOERROR:
1060             case USB_RET_NODEV:
1061                 trace_usb_ohci_td_dev_error();
1062                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1063                 break;
1064             case USB_RET_NAK:
1065                 trace_usb_ohci_td_nak();
1066                 return 1;
1067             case USB_RET_STALL:
1068                 trace_usb_ohci_td_stall();
1069                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1070                 break;
1071             case USB_RET_BABBLE:
1072                 trace_usb_ohci_td_babble();
1073                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1074                 break;
1075             default:
1076                 trace_usb_ohci_td_bad_device_response(ret);
1077                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1078                 OHCI_SET_BM(td.flags, TD_EC, 3);
1079                 break;
1080             }
1081             /*
1082              * An error occurred so we have to clear the interrupt counter.
1083              * See spec at 6.4.4 on page 104
1084              */
1085             ohci->done_count = 0;
1086         }
1087         ed->head |= OHCI_ED_H;
1088     }
1089 
1090     /* Retire this TD */
1091     ed->head &= ~OHCI_DPTR_MASK;
1092     ed->head |= td.next & OHCI_DPTR_MASK;
1093     td.next = ohci->done;
1094     ohci->done = addr;
1095     i = OHCI_BM(td.flags, TD_DI);
1096     if (i < ohci->done_count) {
1097         ohci->done_count = i;
1098     }
1099 exit_no_retire:
1100     if (ohci_put_td(ohci, addr, &td)) {
1101         ohci_die(ohci);
1102         return 1;
1103     }
1104     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1105 }
1106 
1107 /* Service an endpoint list.  Returns nonzero if active TD were found. */
1108 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head)
1109 {
1110     struct ohci_ed ed;
1111     uint32_t next_ed;
1112     uint32_t cur;
1113     int active;
1114     uint32_t link_cnt = 0;
1115     active = 0;
1116 
1117     if (head == 0) {
1118         return 0;
1119     }
1120     for (cur = head; cur && link_cnt++ < ED_LINK_LIMIT; cur = next_ed) {
1121         if (ohci_read_ed(ohci, cur, &ed)) {
1122             trace_usb_ohci_ed_read_error(cur);
1123             ohci_die(ohci);
1124             return 0;
1125         }
1126 
1127         next_ed = ed.next & OHCI_DPTR_MASK;
1128 
1129         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1130             uint32_t addr;
1131             /* Cancel pending packets for ED that have been paused. */
1132             addr = ed.head & OHCI_DPTR_MASK;
1133             if (ohci->async_td && addr == ohci->async_td) {
1134                 usb_cancel_packet(&ohci->usb_packet);
1135                 ohci->async_td = 0;
1136                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1137                                       ohci->usb_packet.ep);
1138             }
1139             continue;
1140         }
1141 
1142         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1143             trace_usb_ohci_ed_pkt(cur, (ed.head & OHCI_ED_H) != 0,
1144                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1145                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1146             trace_usb_ohci_ed_pkt_flags(
1147                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1148                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S) != 0,
1149                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1150                     OHCI_BM(ed.flags, ED_MPS));
1151 
1152             active = 1;
1153 
1154             if ((ed.flags & OHCI_ED_F) == 0) {
1155                 if (ohci_service_td(ohci, &ed)) {
1156                     break;
1157                 }
1158             } else {
1159                 /* Handle isochronous endpoints */
1160                 if (ohci_service_iso_td(ohci, &ed)) {
1161                     break;
1162                 }
1163             }
1164         }
1165 
1166         if (ohci_put_ed(ohci, cur, &ed)) {
1167             ohci_die(ohci);
1168             return 0;
1169         }
1170     }
1171 
1172     return active;
1173 }
1174 
1175 /* set a timer for EOF */
1176 static void ohci_eof_timer(OHCIState *ohci)
1177 {
1178     timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1179 }
1180 /* Set a timer for EOF and generate a SOF event */
1181 static void ohci_sof(OHCIState *ohci)
1182 {
1183     ohci->sof_time += usb_frame_time;
1184     ohci_eof_timer(ohci);
1185     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1186 }
1187 
1188 /* Process Control and Bulk lists. */
1189 static void ohci_process_lists(OHCIState *ohci)
1190 {
1191     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1192         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1193             trace_usb_ohci_process_lists(ohci->ctrl_head, ohci->ctrl_cur);
1194         }
1195         if (!ohci_service_ed_list(ohci, ohci->ctrl_head)) {
1196             ohci->ctrl_cur = 0;
1197             ohci->status &= ~OHCI_STATUS_CLF;
1198         }
1199     }
1200 
1201     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1202         if (!ohci_service_ed_list(ohci, ohci->bulk_head)) {
1203             ohci->bulk_cur = 0;
1204             ohci->status &= ~OHCI_STATUS_BLF;
1205         }
1206     }
1207 }
1208 
1209 /* Do frame processing on frame boundary */
1210 static void ohci_frame_boundary(void *opaque)
1211 {
1212     OHCIState *ohci = opaque;
1213     struct ohci_hcca hcca;
1214 
1215     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1216         trace_usb_ohci_hcca_read_error(ohci->hcca);
1217         ohci_die(ohci);
1218         return;
1219     }
1220 
1221     /* Process all the lists at the end of the frame */
1222     if (ohci->ctl & OHCI_CTL_PLE) {
1223         int n;
1224 
1225         n = ohci->frame_number & 0x1f;
1226         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]));
1227     }
1228 
1229     /* Cancel all pending packets if either of the lists has been disabled. */
1230     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1231         ohci_stop_endpoints(ohci);
1232     }
1233     ohci->old_ctl = ohci->ctl;
1234     ohci_process_lists(ohci);
1235 
1236     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1237     if (ohci->intr_status & OHCI_INTR_UE) {
1238         return;
1239     }
1240 
1241     /* Frame boundary, so do EOF stuf here */
1242     ohci->frt = ohci->fit;
1243 
1244     /* Increment frame number and take care of endianness. */
1245     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1246     hcca.frame = cpu_to_le16(ohci->frame_number);
1247     /* When the HC updates frame number, set pad to 0. Ref OHCI Spec 4.4.1*/
1248     hcca.pad = 0;
1249 
1250     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1251         if (!ohci->done) {
1252             abort();
1253         }
1254         if (ohci->intr & ohci->intr_status) {
1255             ohci->done |= 1;
1256         }
1257         hcca.done = cpu_to_le32(ohci->done);
1258         ohci->done = 0;
1259         ohci->done_count = 7;
1260         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1261     }
1262 
1263     if (ohci->done_count != 7 && ohci->done_count != 0) {
1264         ohci->done_count--;
1265     }
1266     /* Do SOF stuff here */
1267     ohci_sof(ohci);
1268 
1269     /* Writeback HCCA */
1270     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1271         ohci_die(ohci);
1272     }
1273 }
1274 
1275 /*
1276  * Start sending SOF tokens across the USB bus, lists are processed in
1277  * next frame
1278  */
1279 static int ohci_bus_start(OHCIState *ohci)
1280 {
1281     trace_usb_ohci_start(ohci->name);
1282     /*
1283      * Delay the first SOF event by one frame time as linux driver is
1284      * not ready to receive it and can meet some race conditions
1285      */
1286     ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1287     ohci_eof_timer(ohci);
1288 
1289     return 1;
1290 }
1291 
1292 /* Stop sending SOF tokens on the bus */
1293 void ohci_bus_stop(OHCIState *ohci)
1294 {
1295     trace_usb_ohci_stop(ohci->name);
1296     timer_del(ohci->eof_timer);
1297 }
1298 
1299 /* Frame interval toggle is manipulated by the hcd only */
1300 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1301 {
1302     val &= OHCI_FMI_FI;
1303 
1304     if (val != ohci->fi) {
1305         trace_usb_ohci_set_frame_interval(ohci->name, ohci->fi, ohci->fi);
1306     }
1307 
1308     ohci->fi = val;
1309 }
1310 
1311 static void ohci_port_power(OHCIState *ohci, int i, int p)
1312 {
1313     if (p) {
1314         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1315     } else {
1316         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS | OHCI_PORT_CCS |
1317                                   OHCI_PORT_PSS | OHCI_PORT_PRS);
1318     }
1319 }
1320 
1321 /* Set HcControlRegister */
1322 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1323 {
1324     uint32_t old_state;
1325     uint32_t new_state;
1326 
1327     old_state = ohci->ctl & OHCI_CTL_HCFS;
1328     ohci->ctl = val;
1329     new_state = ohci->ctl & OHCI_CTL_HCFS;
1330 
1331     /* no state change */
1332     if (old_state == new_state) {
1333         return;
1334     }
1335     trace_usb_ohci_set_ctl(ohci->name, new_state);
1336     switch (new_state) {
1337     case OHCI_USB_OPERATIONAL:
1338         ohci_bus_start(ohci);
1339         break;
1340     case OHCI_USB_SUSPEND:
1341         ohci_bus_stop(ohci);
1342         /* clear pending SF otherwise linux driver loops in ohci_irq() */
1343         ohci->intr_status &= ~OHCI_INTR_SF;
1344         ohci_intr_update(ohci);
1345         break;
1346     case OHCI_USB_RESUME:
1347         trace_usb_ohci_resume(ohci->name);
1348         break;
1349     case OHCI_USB_RESET:
1350         ohci_roothub_reset(ohci);
1351         break;
1352     }
1353 }
1354 
1355 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1356 {
1357     uint16_t fr;
1358     int64_t tks;
1359 
1360     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL) {
1361         return ohci->frt << 31;
1362     }
1363     /* Being in USB operational state guarantees sof_time was set already. */
1364     tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1365     if (tks < 0) {
1366         tks = 0;
1367     }
1368 
1369     /* avoid muldiv if possible */
1370     if (tks >= usb_frame_time) {
1371         return ohci->frt << 31;
1372     }
1373     tks = tks / usb_bit_time;
1374     fr = (uint16_t)(ohci->fi - tks);
1375 
1376     return (ohci->frt << 31) | fr;
1377 }
1378 
1379 
1380 /* Set root hub status */
1381 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1382 {
1383     uint32_t old_state;
1384 
1385     old_state = ohci->rhstatus;
1386 
1387     /* write 1 to clear OCIC */
1388     if (val & OHCI_RHS_OCIC) {
1389         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1390     }
1391     if (val & OHCI_RHS_LPS) {
1392         int i;
1393 
1394         for (i = 0; i < ohci->num_ports; i++) {
1395             ohci_port_power(ohci, i, 0);
1396         }
1397         trace_usb_ohci_hub_power_down();
1398     }
1399 
1400     if (val & OHCI_RHS_LPSC) {
1401         int i;
1402 
1403         for (i = 0; i < ohci->num_ports; i++) {
1404             ohci_port_power(ohci, i, 1);
1405         }
1406         trace_usb_ohci_hub_power_up();
1407     }
1408 
1409     if (val & OHCI_RHS_DRWE) {
1410         ohci->rhstatus |= OHCI_RHS_DRWE;
1411     }
1412     if (val & OHCI_RHS_CRWE) {
1413         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1414     }
1415     if (old_state != ohci->rhstatus) {
1416         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1417     }
1418 }
1419 
1420 /* This is the one state transition the controller can do by itself */
1421 static bool ohci_resume(OHCIState *s)
1422 {
1423     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
1424         trace_usb_ohci_remote_wakeup(s->name);
1425         s->ctl &= ~OHCI_CTL_HCFS;
1426         s->ctl |= OHCI_USB_RESUME;
1427         return true;
1428     }
1429     return false;
1430 }
1431 
1432 /*
1433  * Sets a flag in a port status reg but only set it if the port is connected.
1434  * If not set ConnectStatusChange flag. If flag is enabled return 1.
1435  */
1436 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1437 {
1438     int ret = 1;
1439 
1440     /* writing a 0 has no effect */
1441     if (val == 0) {
1442         return 0;
1443     }
1444     /* If CurrentConnectStatus is cleared we set ConnectStatusChange */
1445     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1446         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1447         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1448             /* CSC is a wakeup event */
1449             if (ohci_resume(ohci)) {
1450                 ohci_set_interrupt(ohci, OHCI_INTR_RD);
1451             }
1452         }
1453         return 0;
1454     }
1455 
1456     if (ohci->rhport[i].ctrl & val) {
1457         ret = 0;
1458     }
1459     /* set the bit */
1460     ohci->rhport[i].ctrl |= val;
1461 
1462     return ret;
1463 }
1464 
1465 /* Set root hub port status */
1466 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1467 {
1468     uint32_t old_state;
1469     OHCIPort *port;
1470 
1471     port = &ohci->rhport[portnum];
1472     old_state = port->ctrl;
1473 
1474     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1475     if (val & OHCI_PORT_WTC) {
1476         port->ctrl &= ~(val & OHCI_PORT_WTC);
1477     }
1478     if (val & OHCI_PORT_CCS) {
1479         port->ctrl &= ~OHCI_PORT_PES;
1480     }
1481     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1482 
1483     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1484         trace_usb_ohci_port_suspend(portnum);
1485     }
1486 
1487     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1488         trace_usb_ohci_port_reset(portnum);
1489         usb_device_reset(port->port.dev);
1490         port->ctrl &= ~OHCI_PORT_PRS;
1491         /* ??? Should this also set OHCI_PORT_PESC. */
1492         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1493     }
1494 
1495     /* Invert order here to ensure in ambiguous case, device is powered up. */
1496     if (val & OHCI_PORT_LSDA) {
1497         ohci_port_power(ohci, portnum, 0);
1498     }
1499     if (val & OHCI_PORT_PPS) {
1500         ohci_port_power(ohci, portnum, 1);
1501     }
1502     if (old_state != port->ctrl) {
1503         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1504     }
1505 }
1506 
1507 static uint64_t ohci_mem_read(void *opaque,
1508                               hwaddr addr,
1509                               unsigned size)
1510 {
1511     OHCIState *ohci = opaque;
1512     uint32_t retval;
1513 
1514     /* Only aligned reads are allowed on OHCI */
1515     if (addr & 3) {
1516         trace_usb_ohci_mem_read_unaligned(addr);
1517         return 0xffffffff;
1518     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1519         /* HcRhPortStatus */
1520         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1521         trace_usb_ohci_mem_port_read(size, "HcRhPortStatus", (addr - 0x50) >> 2,
1522                                      addr, addr >> 2, retval);
1523     } else {
1524         switch (addr >> 2) {
1525         case 0: /* HcRevision */
1526             retval = 0x10;
1527             break;
1528 
1529         case 1: /* HcControl */
1530             retval = ohci->ctl;
1531             break;
1532 
1533         case 2: /* HcCommandStatus */
1534             retval = ohci->status;
1535             break;
1536 
1537         case 3: /* HcInterruptStatus */
1538             retval = ohci->intr_status;
1539             break;
1540 
1541         case 4: /* HcInterruptEnable */
1542         case 5: /* HcInterruptDisable */
1543             retval = ohci->intr;
1544             break;
1545 
1546         case 6: /* HcHCCA */
1547             retval = ohci->hcca;
1548             break;
1549 
1550         case 7: /* HcPeriodCurrentED */
1551             retval = ohci->per_cur;
1552             break;
1553 
1554         case 8: /* HcControlHeadED */
1555             retval = ohci->ctrl_head;
1556             break;
1557 
1558         case 9: /* HcControlCurrentED */
1559             retval = ohci->ctrl_cur;
1560             break;
1561 
1562         case 10: /* HcBulkHeadED */
1563             retval = ohci->bulk_head;
1564             break;
1565 
1566         case 11: /* HcBulkCurrentED */
1567             retval = ohci->bulk_cur;
1568             break;
1569 
1570         case 12: /* HcDoneHead */
1571             retval = ohci->done;
1572             break;
1573 
1574         case 13: /* HcFmInterretval */
1575             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1576             break;
1577 
1578         case 14: /* HcFmRemaining */
1579             retval = ohci_get_frame_remaining(ohci);
1580             break;
1581 
1582         case 15: /* HcFmNumber */
1583             retval = ohci->frame_number;
1584             break;
1585 
1586         case 16: /* HcPeriodicStart */
1587             retval = ohci->pstart;
1588             break;
1589 
1590         case 17: /* HcLSThreshold */
1591             retval = ohci->lst;
1592             break;
1593 
1594         case 18: /* HcRhDescriptorA */
1595             retval = ohci->rhdesc_a;
1596             break;
1597 
1598         case 19: /* HcRhDescriptorB */
1599             retval = ohci->rhdesc_b;
1600             break;
1601 
1602         case 20: /* HcRhStatus */
1603             retval = ohci->rhstatus;
1604             break;
1605 
1606         /* PXA27x specific registers */
1607         case 24: /* HcStatus */
1608             retval = ohci->hstatus & ohci->hmask;
1609             break;
1610 
1611         case 25: /* HcHReset */
1612             retval = ohci->hreset;
1613             break;
1614 
1615         case 26: /* HcHInterruptEnable */
1616             retval = ohci->hmask;
1617             break;
1618 
1619         case 27: /* HcHInterruptTest */
1620             retval = ohci->htest;
1621             break;
1622 
1623         default:
1624             trace_usb_ohci_mem_read_bad_offset(addr);
1625             retval = 0xffffffff;
1626         }
1627         if (addr != 0xc || retval) {
1628             trace_usb_ohci_mem_read(size, ohci_reg_name(addr), addr, addr >> 2,
1629                                     retval);
1630         }
1631     }
1632 
1633     return retval;
1634 }
1635 
1636 static void ohci_mem_write(void *opaque,
1637                            hwaddr addr,
1638                            uint64_t val,
1639                            unsigned size)
1640 {
1641     OHCIState *ohci = opaque;
1642 
1643     /* Only aligned reads are allowed on OHCI */
1644     if (addr & 3) {
1645         trace_usb_ohci_mem_write_unaligned(addr);
1646         return;
1647     }
1648 
1649     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1650         /* HcRhPortStatus */
1651         trace_usb_ohci_mem_port_write(size, "HcRhPortStatus",
1652                                       (addr - 0x50) >> 2, addr, addr >> 2, val);
1653         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1654         return;
1655     }
1656 
1657     trace_usb_ohci_mem_write(size, ohci_reg_name(addr), addr, addr >> 2, val);
1658     switch (addr >> 2) {
1659     case 1: /* HcControl */
1660         ohci_set_ctl(ohci, val);
1661         break;
1662 
1663     case 2: /* HcCommandStatus */
1664         /* SOC is read-only */
1665         val = (val & ~OHCI_STATUS_SOC);
1666 
1667         /* Bits written as '0' remain unchanged in the register */
1668         ohci->status |= val;
1669 
1670         if (ohci->status & OHCI_STATUS_HCR) {
1671             ohci_soft_reset(ohci);
1672         }
1673         break;
1674 
1675     case 3: /* HcInterruptStatus */
1676         ohci->intr_status &= ~val;
1677         ohci_intr_update(ohci);
1678         break;
1679 
1680     case 4: /* HcInterruptEnable */
1681         ohci->intr |= val;
1682         ohci_intr_update(ohci);
1683         break;
1684 
1685     case 5: /* HcInterruptDisable */
1686         ohci->intr &= ~val;
1687         ohci_intr_update(ohci);
1688         break;
1689 
1690     case 6: /* HcHCCA */
1691         ohci->hcca = val & OHCI_HCCA_MASK;
1692         break;
1693 
1694     case 7: /* HcPeriodCurrentED */
1695         /* Ignore writes to this read-only register, Linux does them */
1696         break;
1697 
1698     case 8: /* HcControlHeadED */
1699         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1700         break;
1701 
1702     case 9: /* HcControlCurrentED */
1703         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1704         break;
1705 
1706     case 10: /* HcBulkHeadED */
1707         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1708         break;
1709 
1710     case 11: /* HcBulkCurrentED */
1711         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1712         break;
1713 
1714     case 13: /* HcFmInterval */
1715         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1716         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1717         ohci_set_frame_interval(ohci, val);
1718         break;
1719 
1720     case 15: /* HcFmNumber */
1721         break;
1722 
1723     case 16: /* HcPeriodicStart */
1724         ohci->pstart = val & 0xffff;
1725         break;
1726 
1727     case 17: /* HcLSThreshold */
1728         ohci->lst = val & 0xffff;
1729         break;
1730 
1731     case 18: /* HcRhDescriptorA */
1732         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1733         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1734         break;
1735 
1736     case 19: /* HcRhDescriptorB */
1737         break;
1738 
1739     case 20: /* HcRhStatus */
1740         ohci_set_hub_status(ohci, val);
1741         break;
1742 
1743     /* PXA27x specific registers */
1744     case 24: /* HcStatus */
1745         ohci->hstatus &= ~(val & ohci->hmask);
1746         break;
1747 
1748     case 25: /* HcHReset */
1749         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1750         if (val & OHCI_HRESET_FSBIR) {
1751             ohci_hard_reset(ohci);
1752         }
1753         break;
1754 
1755     case 26: /* HcHInterruptEnable */
1756         ohci->hmask = val;
1757         break;
1758 
1759     case 27: /* HcHInterruptTest */
1760         ohci->htest = val;
1761         break;
1762 
1763     default:
1764         trace_usb_ohci_mem_write_bad_offset(addr);
1765         break;
1766     }
1767 }
1768 
1769 static const MemoryRegionOps ohci_mem_ops = {
1770     .read = ohci_mem_read,
1771     .write = ohci_mem_write,
1772     .endianness = DEVICE_LITTLE_ENDIAN,
1773 };
1774 
1775 /* USBPortOps */
1776 static void ohci_attach(USBPort *port1)
1777 {
1778     OHCIState *s = port1->opaque;
1779     OHCIPort *port = &s->rhport[port1->index];
1780     uint32_t old_state = port->ctrl;
1781 
1782     /* set connect status */
1783     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
1784 
1785     /* update speed */
1786     if (port->port.dev->speed == USB_SPEED_LOW) {
1787         port->ctrl |= OHCI_PORT_LSDA;
1788     } else {
1789         port->ctrl &= ~OHCI_PORT_LSDA;
1790     }
1791 
1792     /* notify of remote-wakeup */
1793     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
1794         ohci_set_interrupt(s, OHCI_INTR_RD);
1795     }
1796 
1797     trace_usb_ohci_port_attach(port1->index);
1798 
1799     if (old_state != port->ctrl) {
1800         ohci_set_interrupt(s, OHCI_INTR_RHSC);
1801     }
1802 }
1803 
1804 static void ohci_child_detach(USBPort *port1, USBDevice *dev)
1805 {
1806     OHCIState *ohci = port1->opaque;
1807 
1808     if (ohci->async_td &&
1809         usb_packet_is_inflight(&ohci->usb_packet) &&
1810         ohci->usb_packet.ep->dev == dev) {
1811         usb_cancel_packet(&ohci->usb_packet);
1812         ohci->async_td = 0;
1813     }
1814 }
1815 
1816 static void ohci_detach(USBPort *port1)
1817 {
1818     OHCIState *s = port1->opaque;
1819     OHCIPort *port = &s->rhport[port1->index];
1820     uint32_t old_state = port->ctrl;
1821 
1822     ohci_child_detach(port1, port1->dev);
1823 
1824     /* set connect status */
1825     if (port->ctrl & OHCI_PORT_CCS) {
1826         port->ctrl &= ~OHCI_PORT_CCS;
1827         port->ctrl |= OHCI_PORT_CSC;
1828     }
1829     /* disable port */
1830     if (port->ctrl & OHCI_PORT_PES) {
1831         port->ctrl &= ~OHCI_PORT_PES;
1832         port->ctrl |= OHCI_PORT_PESC;
1833     }
1834     trace_usb_ohci_port_detach(port1->index);
1835 
1836     if (old_state != port->ctrl) {
1837         ohci_set_interrupt(s, OHCI_INTR_RHSC);
1838     }
1839 }
1840 
1841 static void ohci_wakeup(USBPort *port1)
1842 {
1843     OHCIState *s = port1->opaque;
1844     OHCIPort *port = &s->rhport[port1->index];
1845     uint32_t intr = 0;
1846     if (port->ctrl & OHCI_PORT_PSS) {
1847         trace_usb_ohci_port_wakeup(port1->index);
1848         port->ctrl |= OHCI_PORT_PSSC;
1849         port->ctrl &= ~OHCI_PORT_PSS;
1850         intr = OHCI_INTR_RHSC;
1851     }
1852     /* Note that the controller can be suspended even if this port is not */
1853     if (ohci_resume(s)) {
1854         /*
1855          * In suspend mode only ResumeDetected is possible, not RHSC:
1856          * see the OHCI spec 5.1.2.3.
1857          */
1858         intr = OHCI_INTR_RD;
1859     }
1860     ohci_set_interrupt(s, intr);
1861 }
1862 
1863 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
1864 {
1865     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
1866 
1867     trace_usb_ohci_async_complete();
1868     ohci->async_complete = true;
1869     ohci_process_lists(ohci);
1870 }
1871 
1872 static USBPortOps ohci_port_ops = {
1873     .attach = ohci_attach,
1874     .detach = ohci_detach,
1875     .child_detach = ohci_child_detach,
1876     .wakeup = ohci_wakeup,
1877     .complete = ohci_async_complete_packet,
1878 };
1879 
1880 static USBBusOps ohci_bus_ops = {
1881 };
1882 
1883 void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
1884                    dma_addr_t localmem_base, char *masterbus,
1885                    uint32_t firstport, AddressSpace *as,
1886                    void (*ohci_die_fn)(OHCIState *), Error **errp)
1887 {
1888     Error *err = NULL;
1889     int i;
1890 
1891     ohci->as = as;
1892     ohci->ohci_die = ohci_die_fn;
1893 
1894     if (num_ports > OHCI_MAX_PORTS) {
1895         error_setg(errp, "OHCI num-ports=%u is too big (limit is %u ports)",
1896                    num_ports, OHCI_MAX_PORTS);
1897         return;
1898     }
1899 
1900     if (usb_frame_time == 0) {
1901 #ifdef OHCI_TIME_WARP
1902         usb_frame_time = NANOSECONDS_PER_SECOND;
1903         usb_bit_time = NANOSECONDS_PER_SECOND / (USB_HZ / 1000);
1904 #else
1905         usb_frame_time = NANOSECONDS_PER_SECOND / 1000;
1906         if (NANOSECONDS_PER_SECOND >= USB_HZ) {
1907             usb_bit_time = NANOSECONDS_PER_SECOND / USB_HZ;
1908         } else {
1909             usb_bit_time = 1;
1910         }
1911 #endif
1912         trace_usb_ohci_init_time(usb_frame_time, usb_bit_time);
1913     }
1914 
1915     ohci->num_ports = num_ports;
1916     if (masterbus) {
1917         USBPort *ports[OHCI_MAX_PORTS];
1918         for (i = 0; i < num_ports; i++) {
1919             ports[i] = &ohci->rhport[i].port;
1920         }
1921         usb_register_companion(masterbus, ports, num_ports,
1922                                firstport, ohci, &ohci_port_ops,
1923                                USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL,
1924                                &err);
1925         if (err) {
1926             error_propagate(errp, err);
1927             return;
1928         }
1929     } else {
1930         usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1931         for (i = 0; i < num_ports; i++) {
1932             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1933                               ohci, i, &ohci_port_ops,
1934                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1935         }
1936     }
1937 
1938     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1939                           ohci, "ohci", 256);
1940     ohci->localmem_base = localmem_base;
1941 
1942     ohci->name = object_get_typename(OBJECT(dev));
1943     usb_packet_init(&ohci->usb_packet);
1944 
1945     ohci->async_td = 0;
1946 
1947     ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1948                                    ohci_frame_boundary, ohci);
1949 }
1950 
1951 /*
1952  * A typical OHCI will stop operating and set itself into error state
1953  * (which can be queried by MMIO) to signal that it got an error.
1954  */
1955 void ohci_sysbus_die(struct OHCIState *ohci)
1956 {
1957     trace_usb_ohci_die();
1958 
1959     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1960     ohci_bus_stop(ohci);
1961 }
1962 
1963 static const VMStateDescription vmstate_ohci_state_port = {
1964     .name = "ohci-core/port",
1965     .version_id = 1,
1966     .minimum_version_id = 1,
1967     .fields = (const VMStateField[]) {
1968         VMSTATE_UINT32(ctrl, OHCIPort),
1969         VMSTATE_END_OF_LIST()
1970     },
1971 };
1972 
1973 static bool ohci_eof_timer_needed(void *opaque)
1974 {
1975     OHCIState *ohci = opaque;
1976 
1977     return timer_pending(ohci->eof_timer);
1978 }
1979 
1980 static const VMStateDescription vmstate_ohci_eof_timer = {
1981     .name = "ohci-core/eof-timer",
1982     .version_id = 1,
1983     .minimum_version_id = 1,
1984     .needed = ohci_eof_timer_needed,
1985     .fields = (const VMStateField[]) {
1986         VMSTATE_TIMER_PTR(eof_timer, OHCIState),
1987         VMSTATE_END_OF_LIST()
1988     },
1989 };
1990 
1991 const VMStateDescription vmstate_ohci_state = {
1992     .name = "ohci-core",
1993     .version_id = 1,
1994     .minimum_version_id = 1,
1995     .fields = (const VMStateField[]) {
1996         VMSTATE_INT64(sof_time, OHCIState),
1997         VMSTATE_UINT32(ctl, OHCIState),
1998         VMSTATE_UINT32(status, OHCIState),
1999         VMSTATE_UINT32(intr_status, OHCIState),
2000         VMSTATE_UINT32(intr, OHCIState),
2001         VMSTATE_UINT32(hcca, OHCIState),
2002         VMSTATE_UINT32(ctrl_head, OHCIState),
2003         VMSTATE_UINT32(ctrl_cur, OHCIState),
2004         VMSTATE_UINT32(bulk_head, OHCIState),
2005         VMSTATE_UINT32(bulk_cur, OHCIState),
2006         VMSTATE_UINT32(per_cur, OHCIState),
2007         VMSTATE_UINT32(done, OHCIState),
2008         VMSTATE_INT32(done_count, OHCIState),
2009         VMSTATE_UINT16(fsmps, OHCIState),
2010         VMSTATE_UINT8(fit, OHCIState),
2011         VMSTATE_UINT16(fi, OHCIState),
2012         VMSTATE_UINT8(frt, OHCIState),
2013         VMSTATE_UINT16(frame_number, OHCIState),
2014         VMSTATE_UINT16(padding, OHCIState),
2015         VMSTATE_UINT32(pstart, OHCIState),
2016         VMSTATE_UINT32(lst, OHCIState),
2017         VMSTATE_UINT32(rhdesc_a, OHCIState),
2018         VMSTATE_UINT32(rhdesc_b, OHCIState),
2019         VMSTATE_UINT32(rhstatus, OHCIState),
2020         VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
2021                              vmstate_ohci_state_port, OHCIPort),
2022         VMSTATE_UINT32(hstatus, OHCIState),
2023         VMSTATE_UINT32(hmask, OHCIState),
2024         VMSTATE_UINT32(hreset, OHCIState),
2025         VMSTATE_UINT32(htest, OHCIState),
2026         VMSTATE_UINT32(old_ctl, OHCIState),
2027         VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
2028         VMSTATE_UINT32(async_td, OHCIState),
2029         VMSTATE_BOOL(async_complete, OHCIState),
2030         VMSTATE_END_OF_LIST()
2031     },
2032     .subsections = (const VMStateDescription * const []) {
2033         &vmstate_ohci_eof_timer,
2034         NULL
2035     }
2036 };
2037