1 /* 2 * QEMU USB EHCI Emulation 3 * 4 * Copyright(c) 2008 Emutex Ltd. (address@hidden) 5 * Copyright(c) 2011-2012 Red Hat, Inc. 6 * 7 * Red Hat Authors: 8 * Gerd Hoffmann <kraxel@redhat.com> 9 * Hans de Goede <hdegoede@redhat.com> 10 * 11 * EHCI project was started by Mark Burkley, with contributions by 12 * Niels de Vos. David S. Ahern continued working on it. Kevin Wolf, 13 * Jan Kiszka and Vincent Palatin contributed bugfixes. 14 * 15 * 16 * This library is free software; you can redistribute it and/or 17 * modify it under the terms of the GNU Lesser General Public 18 * License as published by the Free Software Foundation; either 19 * version 2 of the License, or(at your option) any later version. 20 * 21 * This library is distributed in the hope that it will be useful, 22 * but WITHOUT ANY WARRANTY; without even the implied warranty of 23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 24 * Lesser General Public License for more details. 25 * 26 * You should have received a copy of the GNU General Public License 27 * along with this program; if not, see <http://www.gnu.org/licenses/>. 28 */ 29 30 #include "qemu/osdep.h" 31 #include "hw/usb/ehci-regs.h" 32 #include "hw/usb/hcd-ehci.h" 33 #include "trace.h" 34 35 #define FRAME_TIMER_FREQ 1000 36 #define FRAME_TIMER_NS (NANOSECONDS_PER_SECOND / FRAME_TIMER_FREQ) 37 #define UFRAME_TIMER_NS (FRAME_TIMER_NS / 8) 38 39 #define NB_MAXINTRATE 8 // Max rate at which controller issues ints 40 #define BUFF_SIZE 5*4096 // Max bytes to transfer per transaction 41 #define MAX_QH 100 // Max allowable queue heads in a chain 42 #define MIN_UFR_PER_TICK 24 /* Min frames to process when catching up */ 43 #define PERIODIC_ACTIVE 512 /* Micro-frames */ 44 45 /* Internal periodic / asynchronous schedule state machine states 46 */ 47 typedef enum { 48 EST_INACTIVE = 1000, 49 EST_ACTIVE, 50 EST_EXECUTING, 51 EST_SLEEPING, 52 /* The following states are internal to the state machine function 53 */ 54 EST_WAITLISTHEAD, 55 EST_FETCHENTRY, 56 EST_FETCHQH, 57 EST_FETCHITD, 58 EST_FETCHSITD, 59 EST_ADVANCEQUEUE, 60 EST_FETCHQTD, 61 EST_EXECUTE, 62 EST_WRITEBACK, 63 EST_HORIZONTALQH 64 } EHCI_STATES; 65 66 /* macros for accessing fields within next link pointer entry */ 67 #define NLPTR_GET(x) ((x) & 0xffffffe0) 68 #define NLPTR_TYPE_GET(x) (((x) >> 1) & 3) 69 #define NLPTR_TBIT(x) ((x) & 1) // 1=invalid, 0=valid 70 71 /* link pointer types */ 72 #define NLPTR_TYPE_ITD 0 // isoc xfer descriptor 73 #define NLPTR_TYPE_QH 1 // queue head 74 #define NLPTR_TYPE_STITD 2 // split xaction, isoc xfer descriptor 75 #define NLPTR_TYPE_FSTN 3 // frame span traversal node 76 77 #define SET_LAST_RUN_CLOCK(s) \ 78 (s)->last_run_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 79 80 /* nifty macros from Arnon's EHCI version */ 81 #define get_field(data, field) \ 82 (((data) & field##_MASK) >> field##_SH) 83 84 #define set_field(data, newval, field) do { \ 85 uint32_t val = *data; \ 86 val &= ~ field##_MASK; \ 87 val |= ((newval) << field##_SH) & field##_MASK; \ 88 *data = val; \ 89 } while(0) 90 91 static const char *ehci_state_names[] = { 92 [EST_INACTIVE] = "INACTIVE", 93 [EST_ACTIVE] = "ACTIVE", 94 [EST_EXECUTING] = "EXECUTING", 95 [EST_SLEEPING] = "SLEEPING", 96 [EST_WAITLISTHEAD] = "WAITLISTHEAD", 97 [EST_FETCHENTRY] = "FETCH ENTRY", 98 [EST_FETCHQH] = "FETCH QH", 99 [EST_FETCHITD] = "FETCH ITD", 100 [EST_ADVANCEQUEUE] = "ADVANCEQUEUE", 101 [EST_FETCHQTD] = "FETCH QTD", 102 [EST_EXECUTE] = "EXECUTE", 103 [EST_WRITEBACK] = "WRITEBACK", 104 [EST_HORIZONTALQH] = "HORIZONTALQH", 105 }; 106 107 static const char *ehci_mmio_names[] = { 108 [USBCMD] = "USBCMD", 109 [USBSTS] = "USBSTS", 110 [USBINTR] = "USBINTR", 111 [FRINDEX] = "FRINDEX", 112 [PERIODICLISTBASE] = "P-LIST BASE", 113 [ASYNCLISTADDR] = "A-LIST ADDR", 114 [CONFIGFLAG] = "CONFIGFLAG", 115 }; 116 117 static int ehci_state_executing(EHCIQueue *q); 118 static int ehci_state_writeback(EHCIQueue *q); 119 static int ehci_state_advqueue(EHCIQueue *q); 120 static int ehci_fill_queue(EHCIPacket *p); 121 static void ehci_free_packet(EHCIPacket *p); 122 123 static const char *nr2str(const char **n, size_t len, uint32_t nr) 124 { 125 if (nr < len && n[nr] != NULL) { 126 return n[nr]; 127 } else { 128 return "unknown"; 129 } 130 } 131 132 static const char *state2str(uint32_t state) 133 { 134 return nr2str(ehci_state_names, ARRAY_SIZE(ehci_state_names), state); 135 } 136 137 static const char *addr2str(hwaddr addr) 138 { 139 return nr2str(ehci_mmio_names, ARRAY_SIZE(ehci_mmio_names), addr); 140 } 141 142 static void ehci_trace_usbsts(uint32_t mask, int state) 143 { 144 /* interrupts */ 145 if (mask & USBSTS_INT) { 146 trace_usb_ehci_usbsts("INT", state); 147 } 148 if (mask & USBSTS_ERRINT) { 149 trace_usb_ehci_usbsts("ERRINT", state); 150 } 151 if (mask & USBSTS_PCD) { 152 trace_usb_ehci_usbsts("PCD", state); 153 } 154 if (mask & USBSTS_FLR) { 155 trace_usb_ehci_usbsts("FLR", state); 156 } 157 if (mask & USBSTS_HSE) { 158 trace_usb_ehci_usbsts("HSE", state); 159 } 160 if (mask & USBSTS_IAA) { 161 trace_usb_ehci_usbsts("IAA", state); 162 } 163 164 /* status */ 165 if (mask & USBSTS_HALT) { 166 trace_usb_ehci_usbsts("HALT", state); 167 } 168 if (mask & USBSTS_REC) { 169 trace_usb_ehci_usbsts("REC", state); 170 } 171 if (mask & USBSTS_PSS) { 172 trace_usb_ehci_usbsts("PSS", state); 173 } 174 if (mask & USBSTS_ASS) { 175 trace_usb_ehci_usbsts("ASS", state); 176 } 177 } 178 179 static inline void ehci_set_usbsts(EHCIState *s, int mask) 180 { 181 if ((s->usbsts & mask) == mask) { 182 return; 183 } 184 ehci_trace_usbsts(mask, 1); 185 s->usbsts |= mask; 186 } 187 188 static inline void ehci_clear_usbsts(EHCIState *s, int mask) 189 { 190 if ((s->usbsts & mask) == 0) { 191 return; 192 } 193 ehci_trace_usbsts(mask, 0); 194 s->usbsts &= ~mask; 195 } 196 197 /* update irq line */ 198 static inline void ehci_update_irq(EHCIState *s) 199 { 200 int level = 0; 201 202 if ((s->usbsts & USBINTR_MASK) & s->usbintr) { 203 level = 1; 204 } 205 206 trace_usb_ehci_irq(level, s->frindex, s->usbsts, s->usbintr); 207 qemu_set_irq(s->irq, level); 208 } 209 210 /* flag interrupt condition */ 211 static inline void ehci_raise_irq(EHCIState *s, int intr) 212 { 213 if (intr & (USBSTS_PCD | USBSTS_FLR | USBSTS_HSE)) { 214 s->usbsts |= intr; 215 ehci_update_irq(s); 216 } else { 217 s->usbsts_pending |= intr; 218 } 219 } 220 221 /* 222 * Commit pending interrupts (added via ehci_raise_irq), 223 * at the rate allowed by "Interrupt Threshold Control". 224 */ 225 static inline void ehci_commit_irq(EHCIState *s) 226 { 227 uint32_t itc; 228 229 if (!s->usbsts_pending) { 230 return; 231 } 232 if (s->usbsts_frindex > s->frindex) { 233 return; 234 } 235 236 itc = (s->usbcmd >> 16) & 0xff; 237 s->usbsts |= s->usbsts_pending; 238 s->usbsts_pending = 0; 239 s->usbsts_frindex = s->frindex + itc; 240 ehci_update_irq(s); 241 } 242 243 static void ehci_update_halt(EHCIState *s) 244 { 245 if (s->usbcmd & USBCMD_RUNSTOP) { 246 ehci_clear_usbsts(s, USBSTS_HALT); 247 } else { 248 if (s->astate == EST_INACTIVE && s->pstate == EST_INACTIVE) { 249 ehci_set_usbsts(s, USBSTS_HALT); 250 } 251 } 252 } 253 254 static void ehci_set_state(EHCIState *s, int async, int state) 255 { 256 if (async) { 257 trace_usb_ehci_state("async", state2str(state)); 258 s->astate = state; 259 if (s->astate == EST_INACTIVE) { 260 ehci_clear_usbsts(s, USBSTS_ASS); 261 ehci_update_halt(s); 262 } else { 263 ehci_set_usbsts(s, USBSTS_ASS); 264 } 265 } else { 266 trace_usb_ehci_state("periodic", state2str(state)); 267 s->pstate = state; 268 if (s->pstate == EST_INACTIVE) { 269 ehci_clear_usbsts(s, USBSTS_PSS); 270 ehci_update_halt(s); 271 } else { 272 ehci_set_usbsts(s, USBSTS_PSS); 273 } 274 } 275 } 276 277 static int ehci_get_state(EHCIState *s, int async) 278 { 279 return async ? s->astate : s->pstate; 280 } 281 282 static void ehci_set_fetch_addr(EHCIState *s, int async, uint32_t addr) 283 { 284 if (async) { 285 s->a_fetch_addr = addr; 286 } else { 287 s->p_fetch_addr = addr; 288 } 289 } 290 291 static int ehci_get_fetch_addr(EHCIState *s, int async) 292 { 293 return async ? s->a_fetch_addr : s->p_fetch_addr; 294 } 295 296 static void ehci_trace_qh(EHCIQueue *q, hwaddr addr, EHCIqh *qh) 297 { 298 /* need three here due to argument count limits */ 299 trace_usb_ehci_qh_ptrs(q, addr, qh->next, 300 qh->current_qtd, qh->next_qtd, qh->altnext_qtd); 301 trace_usb_ehci_qh_fields(addr, 302 get_field(qh->epchar, QH_EPCHAR_RL), 303 get_field(qh->epchar, QH_EPCHAR_MPLEN), 304 get_field(qh->epchar, QH_EPCHAR_EPS), 305 get_field(qh->epchar, QH_EPCHAR_EP), 306 get_field(qh->epchar, QH_EPCHAR_DEVADDR)); 307 trace_usb_ehci_qh_bits(addr, 308 (bool)(qh->epchar & QH_EPCHAR_C), 309 (bool)(qh->epchar & QH_EPCHAR_H), 310 (bool)(qh->epchar & QH_EPCHAR_DTC), 311 (bool)(qh->epchar & QH_EPCHAR_I)); 312 } 313 314 static void ehci_trace_qtd(EHCIQueue *q, hwaddr addr, EHCIqtd *qtd) 315 { 316 /* need three here due to argument count limits */ 317 trace_usb_ehci_qtd_ptrs(q, addr, qtd->next, qtd->altnext); 318 trace_usb_ehci_qtd_fields(addr, 319 get_field(qtd->token, QTD_TOKEN_TBYTES), 320 get_field(qtd->token, QTD_TOKEN_CPAGE), 321 get_field(qtd->token, QTD_TOKEN_CERR), 322 get_field(qtd->token, QTD_TOKEN_PID)); 323 trace_usb_ehci_qtd_bits(addr, 324 (bool)(qtd->token & QTD_TOKEN_IOC), 325 (bool)(qtd->token & QTD_TOKEN_ACTIVE), 326 (bool)(qtd->token & QTD_TOKEN_HALT), 327 (bool)(qtd->token & QTD_TOKEN_BABBLE), 328 (bool)(qtd->token & QTD_TOKEN_XACTERR)); 329 } 330 331 static void ehci_trace_itd(EHCIState *s, hwaddr addr, EHCIitd *itd) 332 { 333 trace_usb_ehci_itd(addr, itd->next, 334 get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT), 335 get_field(itd->bufptr[2], ITD_BUFPTR_MULT), 336 get_field(itd->bufptr[0], ITD_BUFPTR_EP), 337 get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR)); 338 } 339 340 static void ehci_trace_sitd(EHCIState *s, hwaddr addr, 341 EHCIsitd *sitd) 342 { 343 trace_usb_ehci_sitd(addr, sitd->next, 344 (bool)(sitd->results & SITD_RESULTS_ACTIVE)); 345 } 346 347 static void ehci_trace_guest_bug(EHCIState *s, const char *message) 348 { 349 trace_usb_ehci_guest_bug(message); 350 fprintf(stderr, "ehci warning: %s\n", message); 351 } 352 353 static inline bool ehci_enabled(EHCIState *s) 354 { 355 return s->usbcmd & USBCMD_RUNSTOP; 356 } 357 358 static inline bool ehci_async_enabled(EHCIState *s) 359 { 360 return ehci_enabled(s) && (s->usbcmd & USBCMD_ASE); 361 } 362 363 static inline bool ehci_periodic_enabled(EHCIState *s) 364 { 365 return ehci_enabled(s) && (s->usbcmd & USBCMD_PSE); 366 } 367 368 /* Get an array of dwords from main memory */ 369 static inline int get_dwords(EHCIState *ehci, uint32_t addr, 370 uint32_t *buf, int num) 371 { 372 int i; 373 374 if (!ehci->as) { 375 ehci_raise_irq(ehci, USBSTS_HSE); 376 ehci->usbcmd &= ~USBCMD_RUNSTOP; 377 trace_usb_ehci_dma_error(); 378 return -1; 379 } 380 381 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { 382 dma_memory_read(ehci->as, addr, buf, sizeof(*buf)); 383 *buf = le32_to_cpu(*buf); 384 } 385 386 return num; 387 } 388 389 /* Put an array of dwords in to main memory */ 390 static inline int put_dwords(EHCIState *ehci, uint32_t addr, 391 uint32_t *buf, int num) 392 { 393 int i; 394 395 if (!ehci->as) { 396 ehci_raise_irq(ehci, USBSTS_HSE); 397 ehci->usbcmd &= ~USBCMD_RUNSTOP; 398 trace_usb_ehci_dma_error(); 399 return -1; 400 } 401 402 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { 403 uint32_t tmp = cpu_to_le32(*buf); 404 dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp)); 405 } 406 407 return num; 408 } 409 410 static int ehci_get_pid(EHCIqtd *qtd) 411 { 412 switch (get_field(qtd->token, QTD_TOKEN_PID)) { 413 case 0: 414 return USB_TOKEN_OUT; 415 case 1: 416 return USB_TOKEN_IN; 417 case 2: 418 return USB_TOKEN_SETUP; 419 default: 420 fprintf(stderr, "bad token\n"); 421 return 0; 422 } 423 } 424 425 static bool ehci_verify_qh(EHCIQueue *q, EHCIqh *qh) 426 { 427 uint32_t devaddr = get_field(qh->epchar, QH_EPCHAR_DEVADDR); 428 uint32_t endp = get_field(qh->epchar, QH_EPCHAR_EP); 429 if ((devaddr != get_field(q->qh.epchar, QH_EPCHAR_DEVADDR)) || 430 (endp != get_field(q->qh.epchar, QH_EPCHAR_EP)) || 431 (qh->current_qtd != q->qh.current_qtd) || 432 (q->async && qh->next_qtd != q->qh.next_qtd) || 433 (memcmp(&qh->altnext_qtd, &q->qh.altnext_qtd, 434 7 * sizeof(uint32_t)) != 0) || 435 (q->dev != NULL && q->dev->addr != devaddr)) { 436 return false; 437 } else { 438 return true; 439 } 440 } 441 442 static bool ehci_verify_qtd(EHCIPacket *p, EHCIqtd *qtd) 443 { 444 if (p->qtdaddr != p->queue->qtdaddr || 445 (p->queue->async && !NLPTR_TBIT(p->qtd.next) && 446 (p->qtd.next != qtd->next)) || 447 (!NLPTR_TBIT(p->qtd.altnext) && (p->qtd.altnext != qtd->altnext)) || 448 p->qtd.token != qtd->token || 449 p->qtd.bufptr[0] != qtd->bufptr[0]) { 450 return false; 451 } else { 452 return true; 453 } 454 } 455 456 static bool ehci_verify_pid(EHCIQueue *q, EHCIqtd *qtd) 457 { 458 int ep = get_field(q->qh.epchar, QH_EPCHAR_EP); 459 int pid = ehci_get_pid(qtd); 460 461 /* Note the pid changing is normal for ep 0 (the control ep) */ 462 if (q->last_pid && ep != 0 && pid != q->last_pid) { 463 return false; 464 } else { 465 return true; 466 } 467 } 468 469 /* Finish executing and writeback a packet outside of the regular 470 fetchqh -> fetchqtd -> execute -> writeback cycle */ 471 static void ehci_writeback_async_complete_packet(EHCIPacket *p) 472 { 473 EHCIQueue *q = p->queue; 474 EHCIqtd qtd; 475 EHCIqh qh; 476 int state; 477 478 /* Verify the qh + qtd, like we do when going through fetchqh & fetchqtd */ 479 get_dwords(q->ehci, NLPTR_GET(q->qhaddr), 480 (uint32_t *) &qh, sizeof(EHCIqh) >> 2); 481 get_dwords(q->ehci, NLPTR_GET(q->qtdaddr), 482 (uint32_t *) &qtd, sizeof(EHCIqtd) >> 2); 483 if (!ehci_verify_qh(q, &qh) || !ehci_verify_qtd(p, &qtd)) { 484 p->async = EHCI_ASYNC_INITIALIZED; 485 ehci_free_packet(p); 486 return; 487 } 488 489 state = ehci_get_state(q->ehci, q->async); 490 ehci_state_executing(q); 491 ehci_state_writeback(q); /* Frees the packet! */ 492 if (!(q->qh.token & QTD_TOKEN_HALT)) { 493 ehci_state_advqueue(q); 494 } 495 ehci_set_state(q->ehci, q->async, state); 496 } 497 498 /* packet management */ 499 500 static EHCIPacket *ehci_alloc_packet(EHCIQueue *q) 501 { 502 EHCIPacket *p; 503 504 p = g_new0(EHCIPacket, 1); 505 p->queue = q; 506 usb_packet_init(&p->packet); 507 QTAILQ_INSERT_TAIL(&q->packets, p, next); 508 trace_usb_ehci_packet_action(p->queue, p, "alloc"); 509 return p; 510 } 511 512 static void ehci_free_packet(EHCIPacket *p) 513 { 514 if (p->async == EHCI_ASYNC_FINISHED && 515 !(p->queue->qh.token & QTD_TOKEN_HALT)) { 516 ehci_writeback_async_complete_packet(p); 517 return; 518 } 519 trace_usb_ehci_packet_action(p->queue, p, "free"); 520 if (p->async == EHCI_ASYNC_INFLIGHT) { 521 usb_cancel_packet(&p->packet); 522 } 523 if (p->async == EHCI_ASYNC_FINISHED && 524 p->packet.status == USB_RET_SUCCESS) { 525 fprintf(stderr, 526 "EHCI: Dropping completed packet from halted %s ep %02X\n", 527 (p->pid == USB_TOKEN_IN) ? "in" : "out", 528 get_field(p->queue->qh.epchar, QH_EPCHAR_EP)); 529 } 530 if (p->async != EHCI_ASYNC_NONE) { 531 usb_packet_unmap(&p->packet, &p->sgl); 532 qemu_sglist_destroy(&p->sgl); 533 } 534 QTAILQ_REMOVE(&p->queue->packets, p, next); 535 usb_packet_cleanup(&p->packet); 536 g_free(p); 537 } 538 539 /* queue management */ 540 541 static EHCIQueue *ehci_alloc_queue(EHCIState *ehci, uint32_t addr, int async) 542 { 543 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 544 EHCIQueue *q; 545 546 q = g_malloc0(sizeof(*q)); 547 q->ehci = ehci; 548 q->qhaddr = addr; 549 q->async = async; 550 QTAILQ_INIT(&q->packets); 551 QTAILQ_INSERT_HEAD(head, q, next); 552 trace_usb_ehci_queue_action(q, "alloc"); 553 return q; 554 } 555 556 static void ehci_queue_stopped(EHCIQueue *q) 557 { 558 int endp = get_field(q->qh.epchar, QH_EPCHAR_EP); 559 560 if (!q->last_pid || !q->dev) { 561 return; 562 } 563 564 usb_device_ep_stopped(q->dev, usb_ep_get(q->dev, q->last_pid, endp)); 565 } 566 567 static int ehci_cancel_queue(EHCIQueue *q) 568 { 569 EHCIPacket *p; 570 int packets = 0; 571 572 p = QTAILQ_FIRST(&q->packets); 573 if (p == NULL) { 574 goto leave; 575 } 576 577 trace_usb_ehci_queue_action(q, "cancel"); 578 do { 579 ehci_free_packet(p); 580 packets++; 581 } while ((p = QTAILQ_FIRST(&q->packets)) != NULL); 582 583 leave: 584 ehci_queue_stopped(q); 585 return packets; 586 } 587 588 static int ehci_reset_queue(EHCIQueue *q) 589 { 590 int packets; 591 592 trace_usb_ehci_queue_action(q, "reset"); 593 packets = ehci_cancel_queue(q); 594 q->dev = NULL; 595 q->qtdaddr = 0; 596 q->last_pid = 0; 597 return packets; 598 } 599 600 static void ehci_free_queue(EHCIQueue *q, const char *warn) 601 { 602 EHCIQueueHead *head = q->async ? &q->ehci->aqueues : &q->ehci->pqueues; 603 int cancelled; 604 605 trace_usb_ehci_queue_action(q, "free"); 606 cancelled = ehci_cancel_queue(q); 607 if (warn && cancelled > 0) { 608 ehci_trace_guest_bug(q->ehci, warn); 609 } 610 QTAILQ_REMOVE(head, q, next); 611 g_free(q); 612 } 613 614 static EHCIQueue *ehci_find_queue_by_qh(EHCIState *ehci, uint32_t addr, 615 int async) 616 { 617 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 618 EHCIQueue *q; 619 620 QTAILQ_FOREACH(q, head, next) { 621 if (addr == q->qhaddr) { 622 return q; 623 } 624 } 625 return NULL; 626 } 627 628 static void ehci_queues_rip_unused(EHCIState *ehci, int async) 629 { 630 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 631 const char *warn = async ? "guest unlinked busy QH" : NULL; 632 uint64_t maxage = FRAME_TIMER_NS * ehci->maxframes * 4; 633 EHCIQueue *q, *tmp; 634 635 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 636 if (q->seen) { 637 q->seen = 0; 638 q->ts = ehci->last_run_ns; 639 continue; 640 } 641 if (ehci->last_run_ns < q->ts + maxage) { 642 continue; 643 } 644 ehci_free_queue(q, warn); 645 } 646 } 647 648 static void ehci_queues_rip_unseen(EHCIState *ehci, int async) 649 { 650 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 651 EHCIQueue *q, *tmp; 652 653 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 654 if (!q->seen) { 655 ehci_free_queue(q, NULL); 656 } 657 } 658 } 659 660 static void ehci_queues_rip_device(EHCIState *ehci, USBDevice *dev, int async) 661 { 662 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 663 EHCIQueue *q, *tmp; 664 665 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 666 if (q->dev != dev) { 667 continue; 668 } 669 ehci_free_queue(q, NULL); 670 } 671 } 672 673 static void ehci_queues_rip_all(EHCIState *ehci, int async) 674 { 675 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 676 const char *warn = async ? "guest stopped busy async schedule" : NULL; 677 EHCIQueue *q, *tmp; 678 679 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 680 ehci_free_queue(q, warn); 681 } 682 } 683 684 /* Attach or detach a device on root hub */ 685 686 static void ehci_attach(USBPort *port) 687 { 688 EHCIState *s = port->opaque; 689 uint32_t *portsc = &s->portsc[port->index]; 690 const char *owner = (*portsc & PORTSC_POWNER) ? "comp" : "ehci"; 691 692 trace_usb_ehci_port_attach(port->index, owner, port->dev->product_desc); 693 694 if (*portsc & PORTSC_POWNER) { 695 USBPort *companion = s->companion_ports[port->index]; 696 companion->dev = port->dev; 697 companion->ops->attach(companion); 698 return; 699 } 700 701 *portsc |= PORTSC_CONNECT; 702 *portsc |= PORTSC_CSC; 703 704 ehci_raise_irq(s, USBSTS_PCD); 705 } 706 707 static void ehci_detach(USBPort *port) 708 { 709 EHCIState *s = port->opaque; 710 uint32_t *portsc = &s->portsc[port->index]; 711 const char *owner = (*portsc & PORTSC_POWNER) ? "comp" : "ehci"; 712 713 trace_usb_ehci_port_detach(port->index, owner); 714 715 if (*portsc & PORTSC_POWNER) { 716 USBPort *companion = s->companion_ports[port->index]; 717 companion->ops->detach(companion); 718 companion->dev = NULL; 719 /* 720 * EHCI spec 4.2.2: "When a disconnect occurs... On the event, 721 * the port ownership is returned immediately to the EHCI controller." 722 */ 723 *portsc &= ~PORTSC_POWNER; 724 return; 725 } 726 727 ehci_queues_rip_device(s, port->dev, 0); 728 ehci_queues_rip_device(s, port->dev, 1); 729 730 *portsc &= ~(PORTSC_CONNECT|PORTSC_PED|PORTSC_SUSPEND); 731 *portsc |= PORTSC_CSC; 732 733 ehci_raise_irq(s, USBSTS_PCD); 734 } 735 736 static void ehci_child_detach(USBPort *port, USBDevice *child) 737 { 738 EHCIState *s = port->opaque; 739 uint32_t portsc = s->portsc[port->index]; 740 741 if (portsc & PORTSC_POWNER) { 742 USBPort *companion = s->companion_ports[port->index]; 743 companion->ops->child_detach(companion, child); 744 return; 745 } 746 747 ehci_queues_rip_device(s, child, 0); 748 ehci_queues_rip_device(s, child, 1); 749 } 750 751 static void ehci_wakeup(USBPort *port) 752 { 753 EHCIState *s = port->opaque; 754 uint32_t *portsc = &s->portsc[port->index]; 755 756 if (*portsc & PORTSC_POWNER) { 757 USBPort *companion = s->companion_ports[port->index]; 758 if (companion->ops->wakeup) { 759 companion->ops->wakeup(companion); 760 } 761 return; 762 } 763 764 if (*portsc & PORTSC_SUSPEND) { 765 trace_usb_ehci_port_wakeup(port->index); 766 *portsc |= PORTSC_FPRES; 767 ehci_raise_irq(s, USBSTS_PCD); 768 } 769 770 qemu_bh_schedule(s->async_bh); 771 } 772 773 static void ehci_register_companion(USBBus *bus, USBPort *ports[], 774 uint32_t portcount, uint32_t firstport, 775 Error **errp) 776 { 777 EHCIState *s = container_of(bus, EHCIState, bus); 778 uint32_t i; 779 780 if (firstport + portcount > NB_PORTS) { 781 error_setg(errp, "firstport must be between 0 and %u", 782 NB_PORTS - portcount); 783 return; 784 } 785 786 for (i = 0; i < portcount; i++) { 787 if (s->companion_ports[firstport + i]) { 788 error_setg(errp, "firstport %u asks for ports %u-%u," 789 " but port %u has a companion assigned already", 790 firstport, firstport, firstport + portcount - 1, 791 firstport + i); 792 return; 793 } 794 } 795 796 for (i = 0; i < portcount; i++) { 797 s->companion_ports[firstport + i] = ports[i]; 798 s->ports[firstport + i].speedmask |= 799 USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL; 800 /* Ensure devs attached before the initial reset go to the companion */ 801 s->portsc[firstport + i] = PORTSC_POWNER; 802 } 803 804 s->companion_count++; 805 s->caps[0x05] = (s->companion_count << 4) | portcount; 806 } 807 808 static void ehci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep, 809 unsigned int stream) 810 { 811 EHCIState *s = container_of(bus, EHCIState, bus); 812 uint32_t portsc = s->portsc[ep->dev->port->index]; 813 814 if (portsc & PORTSC_POWNER) { 815 return; 816 } 817 818 s->periodic_sched_active = PERIODIC_ACTIVE; 819 qemu_bh_schedule(s->async_bh); 820 } 821 822 static USBDevice *ehci_find_device(EHCIState *ehci, uint8_t addr) 823 { 824 USBDevice *dev; 825 USBPort *port; 826 int i; 827 828 for (i = 0; i < NB_PORTS; i++) { 829 port = &ehci->ports[i]; 830 if (!(ehci->portsc[i] & PORTSC_PED)) { 831 DPRINTF("Port %d not enabled\n", i); 832 continue; 833 } 834 dev = usb_find_device(port, addr); 835 if (dev != NULL) { 836 return dev; 837 } 838 } 839 return NULL; 840 } 841 842 /* 4.1 host controller initialization */ 843 void ehci_reset(void *opaque) 844 { 845 EHCIState *s = opaque; 846 int i; 847 USBDevice *devs[NB_PORTS]; 848 849 trace_usb_ehci_reset(); 850 851 /* 852 * Do the detach before touching portsc, so that it correctly gets send to 853 * us or to our companion based on PORTSC_POWNER before the reset. 854 */ 855 for(i = 0; i < NB_PORTS; i++) { 856 devs[i] = s->ports[i].dev; 857 if (devs[i] && devs[i]->attached) { 858 usb_detach(&s->ports[i]); 859 } 860 } 861 862 memset(&s->opreg, 0x00, sizeof(s->opreg)); 863 memset(&s->portsc, 0x00, sizeof(s->portsc)); 864 865 s->usbcmd = NB_MAXINTRATE << USBCMD_ITC_SH; 866 s->usbsts = USBSTS_HALT; 867 s->usbsts_pending = 0; 868 s->usbsts_frindex = 0; 869 870 s->astate = EST_INACTIVE; 871 s->pstate = EST_INACTIVE; 872 873 for(i = 0; i < NB_PORTS; i++) { 874 if (s->companion_ports[i]) { 875 s->portsc[i] = PORTSC_POWNER | PORTSC_PPOWER; 876 } else { 877 s->portsc[i] = PORTSC_PPOWER; 878 } 879 if (devs[i] && devs[i]->attached) { 880 usb_attach(&s->ports[i]); 881 usb_device_reset(devs[i]); 882 } 883 } 884 ehci_queues_rip_all(s, 0); 885 ehci_queues_rip_all(s, 1); 886 timer_del(s->frame_timer); 887 qemu_bh_cancel(s->async_bh); 888 } 889 890 static uint64_t ehci_caps_read(void *ptr, hwaddr addr, 891 unsigned size) 892 { 893 EHCIState *s = ptr; 894 return s->caps[addr]; 895 } 896 897 static uint64_t ehci_opreg_read(void *ptr, hwaddr addr, 898 unsigned size) 899 { 900 EHCIState *s = ptr; 901 uint32_t val; 902 903 switch (addr) { 904 case FRINDEX: 905 /* Round down to mult of 8, else it can go backwards on migration */ 906 val = s->frindex & ~7; 907 break; 908 default: 909 val = s->opreg[addr >> 2]; 910 } 911 912 trace_usb_ehci_opreg_read(addr + s->opregbase, addr2str(addr), val); 913 return val; 914 } 915 916 static uint64_t ehci_port_read(void *ptr, hwaddr addr, 917 unsigned size) 918 { 919 EHCIState *s = ptr; 920 uint32_t val; 921 922 val = s->portsc[addr >> 2]; 923 trace_usb_ehci_portsc_read(addr + s->portscbase, addr >> 2, val); 924 return val; 925 } 926 927 static void handle_port_owner_write(EHCIState *s, int port, uint32_t owner) 928 { 929 USBDevice *dev = s->ports[port].dev; 930 uint32_t *portsc = &s->portsc[port]; 931 uint32_t orig; 932 933 if (s->companion_ports[port] == NULL) 934 return; 935 936 owner = owner & PORTSC_POWNER; 937 orig = *portsc & PORTSC_POWNER; 938 939 if (!(owner ^ orig)) { 940 return; 941 } 942 943 if (dev && dev->attached) { 944 usb_detach(&s->ports[port]); 945 } 946 947 *portsc &= ~PORTSC_POWNER; 948 *portsc |= owner; 949 950 if (dev && dev->attached) { 951 usb_attach(&s->ports[port]); 952 } 953 } 954 955 static void ehci_port_write(void *ptr, hwaddr addr, 956 uint64_t val, unsigned size) 957 { 958 EHCIState *s = ptr; 959 int port = addr >> 2; 960 uint32_t *portsc = &s->portsc[port]; 961 uint32_t old = *portsc; 962 USBDevice *dev = s->ports[port].dev; 963 964 trace_usb_ehci_portsc_write(addr + s->portscbase, addr >> 2, val); 965 966 /* Clear rwc bits */ 967 *portsc &= ~(val & PORTSC_RWC_MASK); 968 /* The guest may clear, but not set the PED bit */ 969 *portsc &= val | ~PORTSC_PED; 970 /* POWNER is masked out by RO_MASK as it is RO when we've no companion */ 971 handle_port_owner_write(s, port, val); 972 /* And finally apply RO_MASK */ 973 val &= PORTSC_RO_MASK; 974 975 if ((val & PORTSC_PRESET) && !(*portsc & PORTSC_PRESET)) { 976 trace_usb_ehci_port_reset(port, 1); 977 } 978 979 if (!(val & PORTSC_PRESET) &&(*portsc & PORTSC_PRESET)) { 980 trace_usb_ehci_port_reset(port, 0); 981 if (dev && dev->attached) { 982 usb_port_reset(&s->ports[port]); 983 *portsc &= ~PORTSC_CSC; 984 } 985 986 /* 987 * Table 2.16 Set the enable bit(and enable bit change) to indicate 988 * to SW that this port has a high speed device attached 989 */ 990 if (dev && dev->attached && (dev->speedmask & USB_SPEED_MASK_HIGH)) { 991 val |= PORTSC_PED; 992 } 993 } 994 995 if ((val & PORTSC_SUSPEND) && !(*portsc & PORTSC_SUSPEND)) { 996 trace_usb_ehci_port_suspend(port); 997 } 998 if (!(val & PORTSC_FPRES) && (*portsc & PORTSC_FPRES)) { 999 trace_usb_ehci_port_resume(port); 1000 val &= ~PORTSC_SUSPEND; 1001 } 1002 1003 *portsc &= ~PORTSC_RO_MASK; 1004 *portsc |= val; 1005 trace_usb_ehci_portsc_change(addr + s->portscbase, addr >> 2, *portsc, old); 1006 } 1007 1008 static void ehci_opreg_write(void *ptr, hwaddr addr, 1009 uint64_t val, unsigned size) 1010 { 1011 EHCIState *s = ptr; 1012 uint32_t *mmio = s->opreg + (addr >> 2); 1013 uint32_t old = *mmio; 1014 int i; 1015 1016 trace_usb_ehci_opreg_write(addr + s->opregbase, addr2str(addr), val); 1017 1018 switch (addr) { 1019 case USBCMD: 1020 if (val & USBCMD_HCRESET) { 1021 ehci_reset(s); 1022 val = s->usbcmd; 1023 break; 1024 } 1025 1026 /* not supporting dynamic frame list size at the moment */ 1027 if ((val & USBCMD_FLS) && !(s->usbcmd & USBCMD_FLS)) { 1028 fprintf(stderr, "attempt to set frame list size -- value %d\n", 1029 (int)val & USBCMD_FLS); 1030 val &= ~USBCMD_FLS; 1031 } 1032 1033 if (val & USBCMD_IAAD) { 1034 /* 1035 * Process IAAD immediately, otherwise the Linux IAAD watchdog may 1036 * trigger and re-use a qh without us seeing the unlink. 1037 */ 1038 s->async_stepdown = 0; 1039 qemu_bh_schedule(s->async_bh); 1040 trace_usb_ehci_doorbell_ring(); 1041 } 1042 1043 if (((USBCMD_RUNSTOP | USBCMD_PSE | USBCMD_ASE) & val) != 1044 ((USBCMD_RUNSTOP | USBCMD_PSE | USBCMD_ASE) & s->usbcmd)) { 1045 if (s->pstate == EST_INACTIVE) { 1046 SET_LAST_RUN_CLOCK(s); 1047 } 1048 s->usbcmd = val; /* Set usbcmd for ehci_update_halt() */ 1049 ehci_update_halt(s); 1050 s->async_stepdown = 0; 1051 qemu_bh_schedule(s->async_bh); 1052 } 1053 break; 1054 1055 case USBSTS: 1056 val &= USBSTS_RO_MASK; // bits 6 through 31 are RO 1057 ehci_clear_usbsts(s, val); // bits 0 through 5 are R/WC 1058 val = s->usbsts; 1059 ehci_update_irq(s); 1060 break; 1061 1062 case USBINTR: 1063 val &= USBINTR_MASK; 1064 if (ehci_enabled(s) && (USBSTS_FLR & val)) { 1065 qemu_bh_schedule(s->async_bh); 1066 } 1067 break; 1068 1069 case FRINDEX: 1070 val &= 0x00003fff; /* frindex is 14bits */ 1071 s->usbsts_frindex = val; 1072 break; 1073 1074 case CONFIGFLAG: 1075 val &= 0x1; 1076 if (val) { 1077 for(i = 0; i < NB_PORTS; i++) 1078 handle_port_owner_write(s, i, 0); 1079 } 1080 break; 1081 1082 case PERIODICLISTBASE: 1083 if (ehci_periodic_enabled(s)) { 1084 fprintf(stderr, 1085 "ehci: PERIODIC list base register set while periodic schedule\n" 1086 " is enabled and HC is enabled\n"); 1087 } 1088 break; 1089 1090 case ASYNCLISTADDR: 1091 if (ehci_async_enabled(s)) { 1092 fprintf(stderr, 1093 "ehci: ASYNC list address register set while async schedule\n" 1094 " is enabled and HC is enabled\n"); 1095 } 1096 break; 1097 } 1098 1099 *mmio = val; 1100 trace_usb_ehci_opreg_change(addr + s->opregbase, addr2str(addr), 1101 *mmio, old); 1102 } 1103 1104 /* 1105 * Write the qh back to guest physical memory. This step isn't 1106 * in the EHCI spec but we need to do it since we don't share 1107 * physical memory with our guest VM. 1108 * 1109 * The first three dwords are read-only for the EHCI, so skip them 1110 * when writing back the qh. 1111 */ 1112 static void ehci_flush_qh(EHCIQueue *q) 1113 { 1114 uint32_t *qh = (uint32_t *) &q->qh; 1115 uint32_t dwords = sizeof(EHCIqh) >> 2; 1116 uint32_t addr = NLPTR_GET(q->qhaddr); 1117 1118 put_dwords(q->ehci, addr + 3 * sizeof(uint32_t), qh + 3, dwords - 3); 1119 } 1120 1121 // 4.10.2 1122 1123 static int ehci_qh_do_overlay(EHCIQueue *q) 1124 { 1125 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1126 int i; 1127 int dtoggle; 1128 int ping; 1129 int eps; 1130 int reload; 1131 1132 assert(p != NULL); 1133 assert(p->qtdaddr == q->qtdaddr); 1134 1135 // remember values in fields to preserve in qh after overlay 1136 1137 dtoggle = q->qh.token & QTD_TOKEN_DTOGGLE; 1138 ping = q->qh.token & QTD_TOKEN_PING; 1139 1140 q->qh.current_qtd = p->qtdaddr; 1141 q->qh.next_qtd = p->qtd.next; 1142 q->qh.altnext_qtd = p->qtd.altnext; 1143 q->qh.token = p->qtd.token; 1144 1145 1146 eps = get_field(q->qh.epchar, QH_EPCHAR_EPS); 1147 if (eps == EHCI_QH_EPS_HIGH) { 1148 q->qh.token &= ~QTD_TOKEN_PING; 1149 q->qh.token |= ping; 1150 } 1151 1152 reload = get_field(q->qh.epchar, QH_EPCHAR_RL); 1153 set_field(&q->qh.altnext_qtd, reload, QH_ALTNEXT_NAKCNT); 1154 1155 for (i = 0; i < 5; i++) { 1156 q->qh.bufptr[i] = p->qtd.bufptr[i]; 1157 } 1158 1159 if (!(q->qh.epchar & QH_EPCHAR_DTC)) { 1160 // preserve QH DT bit 1161 q->qh.token &= ~QTD_TOKEN_DTOGGLE; 1162 q->qh.token |= dtoggle; 1163 } 1164 1165 q->qh.bufptr[1] &= ~BUFPTR_CPROGMASK_MASK; 1166 q->qh.bufptr[2] &= ~BUFPTR_FRAMETAG_MASK; 1167 1168 ehci_flush_qh(q); 1169 1170 return 0; 1171 } 1172 1173 static int ehci_init_transfer(EHCIPacket *p) 1174 { 1175 uint32_t cpage, offset, bytes, plen; 1176 dma_addr_t page; 1177 1178 cpage = get_field(p->qtd.token, QTD_TOKEN_CPAGE); 1179 bytes = get_field(p->qtd.token, QTD_TOKEN_TBYTES); 1180 offset = p->qtd.bufptr[0] & ~QTD_BUFPTR_MASK; 1181 qemu_sglist_init(&p->sgl, p->queue->ehci->device, 5, p->queue->ehci->as); 1182 1183 while (bytes > 0) { 1184 if (cpage > 4) { 1185 fprintf(stderr, "cpage out of range (%d)\n", cpage); 1186 return -1; 1187 } 1188 1189 page = p->qtd.bufptr[cpage] & QTD_BUFPTR_MASK; 1190 page += offset; 1191 plen = bytes; 1192 if (plen > 4096 - offset) { 1193 plen = 4096 - offset; 1194 offset = 0; 1195 cpage++; 1196 } 1197 1198 qemu_sglist_add(&p->sgl, page, plen); 1199 bytes -= plen; 1200 } 1201 return 0; 1202 } 1203 1204 static void ehci_finish_transfer(EHCIQueue *q, int len) 1205 { 1206 uint32_t cpage, offset; 1207 1208 if (len > 0) { 1209 /* update cpage & offset */ 1210 cpage = get_field(q->qh.token, QTD_TOKEN_CPAGE); 1211 offset = q->qh.bufptr[0] & ~QTD_BUFPTR_MASK; 1212 1213 offset += len; 1214 cpage += offset >> QTD_BUFPTR_SH; 1215 offset &= ~QTD_BUFPTR_MASK; 1216 1217 set_field(&q->qh.token, cpage, QTD_TOKEN_CPAGE); 1218 q->qh.bufptr[0] &= QTD_BUFPTR_MASK; 1219 q->qh.bufptr[0] |= offset; 1220 } 1221 } 1222 1223 static void ehci_async_complete_packet(USBPort *port, USBPacket *packet) 1224 { 1225 EHCIPacket *p; 1226 EHCIState *s = port->opaque; 1227 uint32_t portsc = s->portsc[port->index]; 1228 1229 if (portsc & PORTSC_POWNER) { 1230 USBPort *companion = s->companion_ports[port->index]; 1231 companion->ops->complete(companion, packet); 1232 return; 1233 } 1234 1235 p = container_of(packet, EHCIPacket, packet); 1236 assert(p->async == EHCI_ASYNC_INFLIGHT); 1237 1238 if (packet->status == USB_RET_REMOVE_FROM_QUEUE) { 1239 trace_usb_ehci_packet_action(p->queue, p, "remove"); 1240 ehci_free_packet(p); 1241 return; 1242 } 1243 1244 trace_usb_ehci_packet_action(p->queue, p, "wakeup"); 1245 p->async = EHCI_ASYNC_FINISHED; 1246 1247 if (!p->queue->async) { 1248 s->periodic_sched_active = PERIODIC_ACTIVE; 1249 } 1250 qemu_bh_schedule(s->async_bh); 1251 } 1252 1253 static void ehci_execute_complete(EHCIQueue *q) 1254 { 1255 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1256 uint32_t tbytes; 1257 1258 assert(p != NULL); 1259 assert(p->qtdaddr == q->qtdaddr); 1260 assert(p->async == EHCI_ASYNC_INITIALIZED || 1261 p->async == EHCI_ASYNC_FINISHED); 1262 1263 DPRINTF("execute_complete: qhaddr 0x%x, next 0x%x, qtdaddr 0x%x, " 1264 "status %d, actual_length %d\n", 1265 q->qhaddr, q->qh.next, q->qtdaddr, 1266 p->packet.status, p->packet.actual_length); 1267 1268 switch (p->packet.status) { 1269 case USB_RET_SUCCESS: 1270 break; 1271 case USB_RET_IOERROR: 1272 case USB_RET_NODEV: 1273 q->qh.token |= (QTD_TOKEN_HALT | QTD_TOKEN_XACTERR); 1274 set_field(&q->qh.token, 0, QTD_TOKEN_CERR); 1275 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1276 break; 1277 case USB_RET_STALL: 1278 q->qh.token |= QTD_TOKEN_HALT; 1279 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1280 break; 1281 case USB_RET_NAK: 1282 set_field(&q->qh.altnext_qtd, 0, QH_ALTNEXT_NAKCNT); 1283 return; /* We're not done yet with this transaction */ 1284 case USB_RET_BABBLE: 1285 q->qh.token |= (QTD_TOKEN_HALT | QTD_TOKEN_BABBLE); 1286 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1287 break; 1288 default: 1289 /* should not be triggerable */ 1290 fprintf(stderr, "USB invalid response %d\n", p->packet.status); 1291 g_assert_not_reached(); 1292 break; 1293 } 1294 1295 /* TODO check 4.12 for splits */ 1296 tbytes = get_field(q->qh.token, QTD_TOKEN_TBYTES); 1297 if (tbytes && p->pid == USB_TOKEN_IN) { 1298 tbytes -= p->packet.actual_length; 1299 if (tbytes) { 1300 /* 4.15.1.2 must raise int on a short input packet */ 1301 ehci_raise_irq(q->ehci, USBSTS_INT); 1302 if (q->async) { 1303 q->ehci->int_req_by_async = true; 1304 } 1305 } 1306 } else { 1307 tbytes = 0; 1308 } 1309 DPRINTF("updating tbytes to %d\n", tbytes); 1310 set_field(&q->qh.token, tbytes, QTD_TOKEN_TBYTES); 1311 1312 ehci_finish_transfer(q, p->packet.actual_length); 1313 usb_packet_unmap(&p->packet, &p->sgl); 1314 qemu_sglist_destroy(&p->sgl); 1315 p->async = EHCI_ASYNC_NONE; 1316 1317 q->qh.token ^= QTD_TOKEN_DTOGGLE; 1318 q->qh.token &= ~QTD_TOKEN_ACTIVE; 1319 1320 if (q->qh.token & QTD_TOKEN_IOC) { 1321 ehci_raise_irq(q->ehci, USBSTS_INT); 1322 if (q->async) { 1323 q->ehci->int_req_by_async = true; 1324 } 1325 } 1326 } 1327 1328 /* 4.10.3 returns "again" */ 1329 static int ehci_execute(EHCIPacket *p, const char *action) 1330 { 1331 USBEndpoint *ep; 1332 int endp; 1333 bool spd; 1334 1335 assert(p->async == EHCI_ASYNC_NONE || 1336 p->async == EHCI_ASYNC_INITIALIZED); 1337 1338 if (!(p->qtd.token & QTD_TOKEN_ACTIVE)) { 1339 fprintf(stderr, "Attempting to execute inactive qtd\n"); 1340 return -1; 1341 } 1342 1343 if (get_field(p->qtd.token, QTD_TOKEN_TBYTES) > BUFF_SIZE) { 1344 ehci_trace_guest_bug(p->queue->ehci, 1345 "guest requested more bytes than allowed"); 1346 return -1; 1347 } 1348 1349 if (!ehci_verify_pid(p->queue, &p->qtd)) { 1350 ehci_queue_stopped(p->queue); /* Mark the ep in the prev dir stopped */ 1351 } 1352 p->pid = ehci_get_pid(&p->qtd); 1353 p->queue->last_pid = p->pid; 1354 endp = get_field(p->queue->qh.epchar, QH_EPCHAR_EP); 1355 ep = usb_ep_get(p->queue->dev, p->pid, endp); 1356 1357 if (p->async == EHCI_ASYNC_NONE) { 1358 if (ehci_init_transfer(p) != 0) { 1359 return -1; 1360 } 1361 1362 spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0); 1363 usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd, 1364 (p->qtd.token & QTD_TOKEN_IOC) != 0); 1365 usb_packet_map(&p->packet, &p->sgl); 1366 p->async = EHCI_ASYNC_INITIALIZED; 1367 } 1368 1369 trace_usb_ehci_packet_action(p->queue, p, action); 1370 usb_handle_packet(p->queue->dev, &p->packet); 1371 DPRINTF("submit: qh 0x%x next 0x%x qtd 0x%x pid 0x%x len %zd endp 0x%x " 1372 "status %d actual_length %d\n", p->queue->qhaddr, p->qtd.next, 1373 p->qtdaddr, p->pid, p->packet.iov.size, endp, p->packet.status, 1374 p->packet.actual_length); 1375 1376 if (p->packet.actual_length > BUFF_SIZE) { 1377 fprintf(stderr, "ret from usb_handle_packet > BUFF_SIZE\n"); 1378 return -1; 1379 } 1380 1381 return 1; 1382 } 1383 1384 /* 4.7.2 1385 */ 1386 1387 static int ehci_process_itd(EHCIState *ehci, 1388 EHCIitd *itd, 1389 uint32_t addr) 1390 { 1391 USBDevice *dev; 1392 USBEndpoint *ep; 1393 uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; 1394 uint32_t pg, off, ptr1, ptr2, max, mult; 1395 1396 ehci->periodic_sched_active = PERIODIC_ACTIVE; 1397 1398 dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION); 1399 devaddr = get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR); 1400 endp = get_field(itd->bufptr[0], ITD_BUFPTR_EP); 1401 max = get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT); 1402 mult = get_field(itd->bufptr[2], ITD_BUFPTR_MULT); 1403 1404 for(i = 0; i < 8; i++) { 1405 if (itd->transact[i] & ITD_XACT_ACTIVE) { 1406 pg = get_field(itd->transact[i], ITD_XACT_PGSEL); 1407 off = itd->transact[i] & ITD_XACT_OFFSET_MASK; 1408 ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); 1409 ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK); 1410 len = get_field(itd->transact[i], ITD_XACT_LENGTH); 1411 1412 if (len > max * mult) { 1413 len = max * mult; 1414 } 1415 1416 if (len > BUFF_SIZE) { 1417 return -1; 1418 } 1419 1420 qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); 1421 if (off + len > 4096) { 1422 /* transfer crosses page border */ 1423 uint32_t len2 = off + len - 4096; 1424 uint32_t len1 = len - len2; 1425 qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); 1426 qemu_sglist_add(&ehci->isgl, ptr2, len2); 1427 } else { 1428 qemu_sglist_add(&ehci->isgl, ptr1 + off, len); 1429 } 1430 1431 pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT; 1432 1433 dev = ehci_find_device(ehci, devaddr); 1434 ep = usb_ep_get(dev, pid, endp); 1435 if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { 1436 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, 1437 (itd->transact[i] & ITD_XACT_IOC) != 0); 1438 usb_packet_map(&ehci->ipacket, &ehci->isgl); 1439 usb_handle_packet(dev, &ehci->ipacket); 1440 usb_packet_unmap(&ehci->ipacket, &ehci->isgl); 1441 } else { 1442 DPRINTF("ISOCH: attempt to addess non-iso endpoint\n"); 1443 ehci->ipacket.status = USB_RET_NAK; 1444 ehci->ipacket.actual_length = 0; 1445 } 1446 qemu_sglist_destroy(&ehci->isgl); 1447 1448 switch (ehci->ipacket.status) { 1449 case USB_RET_SUCCESS: 1450 break; 1451 default: 1452 fprintf(stderr, "Unexpected iso usb result: %d\n", 1453 ehci->ipacket.status); 1454 /* Fall through */ 1455 case USB_RET_IOERROR: 1456 case USB_RET_NODEV: 1457 /* 3.3.2: XACTERR is only allowed on IN transactions */ 1458 if (dir) { 1459 itd->transact[i] |= ITD_XACT_XACTERR; 1460 ehci_raise_irq(ehci, USBSTS_ERRINT); 1461 } 1462 break; 1463 case USB_RET_BABBLE: 1464 itd->transact[i] |= ITD_XACT_BABBLE; 1465 ehci_raise_irq(ehci, USBSTS_ERRINT); 1466 break; 1467 case USB_RET_NAK: 1468 /* no data for us, so do a zero-length transfer */ 1469 ehci->ipacket.actual_length = 0; 1470 break; 1471 } 1472 if (!dir) { 1473 set_field(&itd->transact[i], len - ehci->ipacket.actual_length, 1474 ITD_XACT_LENGTH); /* OUT */ 1475 } else { 1476 set_field(&itd->transact[i], ehci->ipacket.actual_length, 1477 ITD_XACT_LENGTH); /* IN */ 1478 } 1479 if (itd->transact[i] & ITD_XACT_IOC) { 1480 ehci_raise_irq(ehci, USBSTS_INT); 1481 } 1482 itd->transact[i] &= ~ITD_XACT_ACTIVE; 1483 xfers++; 1484 } 1485 } 1486 return xfers ? 0 : -1; 1487 } 1488 1489 1490 /* This state is the entry point for asynchronous schedule 1491 * processing. Entry here consitutes a EHCI start event state (4.8.5) 1492 */ 1493 static int ehci_state_waitlisthead(EHCIState *ehci, int async) 1494 { 1495 EHCIqh qh; 1496 int i = 0; 1497 int again = 0; 1498 uint32_t entry = ehci->asynclistaddr; 1499 1500 /* set reclamation flag at start event (4.8.6) */ 1501 if (async) { 1502 ehci_set_usbsts(ehci, USBSTS_REC); 1503 } 1504 1505 ehci_queues_rip_unused(ehci, async); 1506 1507 /* Find the head of the list (4.9.1.1) */ 1508 for(i = 0; i < MAX_QH; i++) { 1509 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &qh, 1510 sizeof(EHCIqh) >> 2) < 0) { 1511 return 0; 1512 } 1513 ehci_trace_qh(NULL, NLPTR_GET(entry), &qh); 1514 1515 if (qh.epchar & QH_EPCHAR_H) { 1516 if (async) { 1517 entry |= (NLPTR_TYPE_QH << 1); 1518 } 1519 1520 ehci_set_fetch_addr(ehci, async, entry); 1521 ehci_set_state(ehci, async, EST_FETCHENTRY); 1522 again = 1; 1523 goto out; 1524 } 1525 1526 entry = qh.next; 1527 if (entry == ehci->asynclistaddr) { 1528 break; 1529 } 1530 } 1531 1532 /* no head found for list. */ 1533 1534 ehci_set_state(ehci, async, EST_ACTIVE); 1535 1536 out: 1537 return again; 1538 } 1539 1540 1541 /* This state is the entry point for periodic schedule processing as 1542 * well as being a continuation state for async processing. 1543 */ 1544 static int ehci_state_fetchentry(EHCIState *ehci, int async) 1545 { 1546 int again = 0; 1547 uint32_t entry = ehci_get_fetch_addr(ehci, async); 1548 1549 if (NLPTR_TBIT(entry)) { 1550 ehci_set_state(ehci, async, EST_ACTIVE); 1551 goto out; 1552 } 1553 1554 /* section 4.8, only QH in async schedule */ 1555 if (async && (NLPTR_TYPE_GET(entry) != NLPTR_TYPE_QH)) { 1556 fprintf(stderr, "non queue head request in async schedule\n"); 1557 return -1; 1558 } 1559 1560 switch (NLPTR_TYPE_GET(entry)) { 1561 case NLPTR_TYPE_QH: 1562 ehci_set_state(ehci, async, EST_FETCHQH); 1563 again = 1; 1564 break; 1565 1566 case NLPTR_TYPE_ITD: 1567 ehci_set_state(ehci, async, EST_FETCHITD); 1568 again = 1; 1569 break; 1570 1571 case NLPTR_TYPE_STITD: 1572 ehci_set_state(ehci, async, EST_FETCHSITD); 1573 again = 1; 1574 break; 1575 1576 default: 1577 /* TODO: handle FSTN type */ 1578 fprintf(stderr, "FETCHENTRY: entry at %X is of type %d " 1579 "which is not supported yet\n", entry, NLPTR_TYPE_GET(entry)); 1580 return -1; 1581 } 1582 1583 out: 1584 return again; 1585 } 1586 1587 static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async) 1588 { 1589 uint32_t entry; 1590 EHCIQueue *q; 1591 EHCIqh qh; 1592 1593 entry = ehci_get_fetch_addr(ehci, async); 1594 q = ehci_find_queue_by_qh(ehci, entry, async); 1595 if (q == NULL) { 1596 q = ehci_alloc_queue(ehci, entry, async); 1597 } 1598 1599 q->seen++; 1600 if (q->seen > 1) { 1601 /* we are going in circles -- stop processing */ 1602 ehci_set_state(ehci, async, EST_ACTIVE); 1603 q = NULL; 1604 goto out; 1605 } 1606 1607 if (get_dwords(ehci, NLPTR_GET(q->qhaddr), 1608 (uint32_t *) &qh, sizeof(EHCIqh) >> 2) < 0) { 1609 q = NULL; 1610 goto out; 1611 } 1612 ehci_trace_qh(q, NLPTR_GET(q->qhaddr), &qh); 1613 1614 /* 1615 * The overlay area of the qh should never be changed by the guest, 1616 * except when idle, in which case the reset is a nop. 1617 */ 1618 if (!ehci_verify_qh(q, &qh)) { 1619 if (ehci_reset_queue(q) > 0) { 1620 ehci_trace_guest_bug(ehci, "guest updated active QH"); 1621 } 1622 } 1623 q->qh = qh; 1624 1625 q->transact_ctr = get_field(q->qh.epcap, QH_EPCAP_MULT); 1626 if (q->transact_ctr == 0) { /* Guest bug in some versions of windows */ 1627 q->transact_ctr = 4; 1628 } 1629 1630 if (q->dev == NULL) { 1631 q->dev = ehci_find_device(q->ehci, 1632 get_field(q->qh.epchar, QH_EPCHAR_DEVADDR)); 1633 } 1634 1635 if (async && (q->qh.epchar & QH_EPCHAR_H)) { 1636 1637 /* EHCI spec version 1.0 Section 4.8.3 & 4.10.1 */ 1638 if (ehci->usbsts & USBSTS_REC) { 1639 ehci_clear_usbsts(ehci, USBSTS_REC); 1640 } else { 1641 DPRINTF("FETCHQH: QH 0x%08x. H-bit set, reclamation status reset" 1642 " - done processing\n", q->qhaddr); 1643 ehci_set_state(ehci, async, EST_ACTIVE); 1644 q = NULL; 1645 goto out; 1646 } 1647 } 1648 1649 #if EHCI_DEBUG 1650 if (q->qhaddr != q->qh.next) { 1651 DPRINTF("FETCHQH: QH 0x%08x (h %x halt %x active %x) next 0x%08x\n", 1652 q->qhaddr, 1653 q->qh.epchar & QH_EPCHAR_H, 1654 q->qh.token & QTD_TOKEN_HALT, 1655 q->qh.token & QTD_TOKEN_ACTIVE, 1656 q->qh.next); 1657 } 1658 #endif 1659 1660 if (q->qh.token & QTD_TOKEN_HALT) { 1661 ehci_set_state(ehci, async, EST_HORIZONTALQH); 1662 1663 } else if ((q->qh.token & QTD_TOKEN_ACTIVE) && 1664 (NLPTR_TBIT(q->qh.current_qtd) == 0)) { 1665 q->qtdaddr = q->qh.current_qtd; 1666 ehci_set_state(ehci, async, EST_FETCHQTD); 1667 1668 } else { 1669 /* EHCI spec version 1.0 Section 4.10.2 */ 1670 ehci_set_state(ehci, async, EST_ADVANCEQUEUE); 1671 } 1672 1673 out: 1674 return q; 1675 } 1676 1677 static int ehci_state_fetchitd(EHCIState *ehci, int async) 1678 { 1679 uint32_t entry; 1680 EHCIitd itd; 1681 1682 assert(!async); 1683 entry = ehci_get_fetch_addr(ehci, async); 1684 1685 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &itd, 1686 sizeof(EHCIitd) >> 2) < 0) { 1687 return -1; 1688 } 1689 ehci_trace_itd(ehci, entry, &itd); 1690 1691 if (ehci_process_itd(ehci, &itd, entry) != 0) { 1692 return -1; 1693 } 1694 1695 put_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &itd, 1696 sizeof(EHCIitd) >> 2); 1697 ehci_set_fetch_addr(ehci, async, itd.next); 1698 ehci_set_state(ehci, async, EST_FETCHENTRY); 1699 1700 return 1; 1701 } 1702 1703 static int ehci_state_fetchsitd(EHCIState *ehci, int async) 1704 { 1705 uint32_t entry; 1706 EHCIsitd sitd; 1707 1708 assert(!async); 1709 entry = ehci_get_fetch_addr(ehci, async); 1710 1711 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *)&sitd, 1712 sizeof(EHCIsitd) >> 2) < 0) { 1713 return 0; 1714 } 1715 ehci_trace_sitd(ehci, entry, &sitd); 1716 1717 if (!(sitd.results & SITD_RESULTS_ACTIVE)) { 1718 /* siTD is not active, nothing to do */; 1719 } else { 1720 /* TODO: split transfers are not implemented */ 1721 fprintf(stderr, "WARNING: Skipping active siTD\n"); 1722 } 1723 1724 ehci_set_fetch_addr(ehci, async, sitd.next); 1725 ehci_set_state(ehci, async, EST_FETCHENTRY); 1726 return 1; 1727 } 1728 1729 /* Section 4.10.2 - paragraph 3 */ 1730 static int ehci_state_advqueue(EHCIQueue *q) 1731 { 1732 #if 0 1733 /* TO-DO: 4.10.2 - paragraph 2 1734 * if I-bit is set to 1 and QH is not active 1735 * go to horizontal QH 1736 */ 1737 if (I-bit set) { 1738 ehci_set_state(ehci, async, EST_HORIZONTALQH); 1739 goto out; 1740 } 1741 #endif 1742 1743 /* 1744 * want data and alt-next qTD is valid 1745 */ 1746 if (((q->qh.token & QTD_TOKEN_TBYTES_MASK) != 0) && 1747 (NLPTR_TBIT(q->qh.altnext_qtd) == 0)) { 1748 q->qtdaddr = q->qh.altnext_qtd; 1749 ehci_set_state(q->ehci, q->async, EST_FETCHQTD); 1750 1751 /* 1752 * next qTD is valid 1753 */ 1754 } else if (NLPTR_TBIT(q->qh.next_qtd) == 0) { 1755 q->qtdaddr = q->qh.next_qtd; 1756 ehci_set_state(q->ehci, q->async, EST_FETCHQTD); 1757 1758 /* 1759 * no valid qTD, try next QH 1760 */ 1761 } else { 1762 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1763 } 1764 1765 return 1; 1766 } 1767 1768 /* Section 4.10.2 - paragraph 4 */ 1769 static int ehci_state_fetchqtd(EHCIQueue *q) 1770 { 1771 EHCIqtd qtd; 1772 EHCIPacket *p; 1773 int again = 1; 1774 1775 if (get_dwords(q->ehci, NLPTR_GET(q->qtdaddr), (uint32_t *) &qtd, 1776 sizeof(EHCIqtd) >> 2) < 0) { 1777 return 0; 1778 } 1779 ehci_trace_qtd(q, NLPTR_GET(q->qtdaddr), &qtd); 1780 1781 p = QTAILQ_FIRST(&q->packets); 1782 if (p != NULL) { 1783 if (!ehci_verify_qtd(p, &qtd)) { 1784 ehci_cancel_queue(q); 1785 if (qtd.token & QTD_TOKEN_ACTIVE) { 1786 ehci_trace_guest_bug(q->ehci, "guest updated active qTD"); 1787 } 1788 p = NULL; 1789 } else { 1790 p->qtd = qtd; 1791 ehci_qh_do_overlay(q); 1792 } 1793 } 1794 1795 if (!(qtd.token & QTD_TOKEN_ACTIVE)) { 1796 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1797 } else if (p != NULL) { 1798 switch (p->async) { 1799 case EHCI_ASYNC_NONE: 1800 case EHCI_ASYNC_INITIALIZED: 1801 /* Not yet executed (MULT), or previously nacked (int) packet */ 1802 ehci_set_state(q->ehci, q->async, EST_EXECUTE); 1803 break; 1804 case EHCI_ASYNC_INFLIGHT: 1805 /* Check if the guest has added new tds to the queue */ 1806 again = ehci_fill_queue(QTAILQ_LAST(&q->packets, pkts_head)); 1807 /* Unfinished async handled packet, go horizontal */ 1808 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1809 break; 1810 case EHCI_ASYNC_FINISHED: 1811 /* Complete executing of the packet */ 1812 ehci_set_state(q->ehci, q->async, EST_EXECUTING); 1813 break; 1814 } 1815 } else { 1816 p = ehci_alloc_packet(q); 1817 p->qtdaddr = q->qtdaddr; 1818 p->qtd = qtd; 1819 ehci_set_state(q->ehci, q->async, EST_EXECUTE); 1820 } 1821 1822 return again; 1823 } 1824 1825 static int ehci_state_horizqh(EHCIQueue *q) 1826 { 1827 int again = 0; 1828 1829 if (ehci_get_fetch_addr(q->ehci, q->async) != q->qh.next) { 1830 ehci_set_fetch_addr(q->ehci, q->async, q->qh.next); 1831 ehci_set_state(q->ehci, q->async, EST_FETCHENTRY); 1832 again = 1; 1833 } else { 1834 ehci_set_state(q->ehci, q->async, EST_ACTIVE); 1835 } 1836 1837 return again; 1838 } 1839 1840 /* Returns "again" */ 1841 static int ehci_fill_queue(EHCIPacket *p) 1842 { 1843 USBEndpoint *ep = p->packet.ep; 1844 EHCIQueue *q = p->queue; 1845 EHCIqtd qtd = p->qtd; 1846 uint32_t qtdaddr; 1847 1848 for (;;) { 1849 if (NLPTR_TBIT(qtd.next) != 0) { 1850 break; 1851 } 1852 qtdaddr = qtd.next; 1853 /* 1854 * Detect circular td lists, Windows creates these, counting on the 1855 * active bit going low after execution to make the queue stop. 1856 */ 1857 QTAILQ_FOREACH(p, &q->packets, next) { 1858 if (p->qtdaddr == qtdaddr) { 1859 goto leave; 1860 } 1861 } 1862 if (get_dwords(q->ehci, NLPTR_GET(qtdaddr), 1863 (uint32_t *) &qtd, sizeof(EHCIqtd) >> 2) < 0) { 1864 return -1; 1865 } 1866 ehci_trace_qtd(q, NLPTR_GET(qtdaddr), &qtd); 1867 if (!(qtd.token & QTD_TOKEN_ACTIVE)) { 1868 break; 1869 } 1870 if (!ehci_verify_pid(q, &qtd)) { 1871 ehci_trace_guest_bug(q->ehci, "guest queued token with wrong pid"); 1872 break; 1873 } 1874 p = ehci_alloc_packet(q); 1875 p->qtdaddr = qtdaddr; 1876 p->qtd = qtd; 1877 if (ehci_execute(p, "queue") == -1) { 1878 return -1; 1879 } 1880 assert(p->packet.status == USB_RET_ASYNC); 1881 p->async = EHCI_ASYNC_INFLIGHT; 1882 } 1883 leave: 1884 usb_device_flush_ep_queue(ep->dev, ep); 1885 return 1; 1886 } 1887 1888 static int ehci_state_execute(EHCIQueue *q) 1889 { 1890 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1891 int again = 0; 1892 1893 assert(p != NULL); 1894 assert(p->qtdaddr == q->qtdaddr); 1895 1896 if (ehci_qh_do_overlay(q) != 0) { 1897 return -1; 1898 } 1899 1900 // TODO verify enough time remains in the uframe as in 4.4.1.1 1901 // TODO write back ptr to async list when done or out of time 1902 1903 /* 4.10.3, bottom of page 82, go horizontal on transaction counter == 0 */ 1904 if (!q->async && q->transact_ctr == 0) { 1905 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1906 again = 1; 1907 goto out; 1908 } 1909 1910 if (q->async) { 1911 ehci_set_usbsts(q->ehci, USBSTS_REC); 1912 } 1913 1914 again = ehci_execute(p, "process"); 1915 if (again == -1) { 1916 goto out; 1917 } 1918 if (p->packet.status == USB_RET_ASYNC) { 1919 ehci_flush_qh(q); 1920 trace_usb_ehci_packet_action(p->queue, p, "async"); 1921 p->async = EHCI_ASYNC_INFLIGHT; 1922 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1923 if (q->async) { 1924 again = ehci_fill_queue(p); 1925 } else { 1926 again = 1; 1927 } 1928 goto out; 1929 } 1930 1931 ehci_set_state(q->ehci, q->async, EST_EXECUTING); 1932 again = 1; 1933 1934 out: 1935 return again; 1936 } 1937 1938 static int ehci_state_executing(EHCIQueue *q) 1939 { 1940 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1941 1942 assert(p != NULL); 1943 assert(p->qtdaddr == q->qtdaddr); 1944 1945 ehci_execute_complete(q); 1946 1947 /* 4.10.3 */ 1948 if (!q->async && q->transact_ctr > 0) { 1949 q->transact_ctr--; 1950 } 1951 1952 /* 4.10.5 */ 1953 if (p->packet.status == USB_RET_NAK) { 1954 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1955 } else { 1956 ehci_set_state(q->ehci, q->async, EST_WRITEBACK); 1957 } 1958 1959 ehci_flush_qh(q); 1960 return 1; 1961 } 1962 1963 1964 static int ehci_state_writeback(EHCIQueue *q) 1965 { 1966 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1967 uint32_t *qtd, addr; 1968 int again = 0; 1969 1970 /* Write back the QTD from the QH area */ 1971 assert(p != NULL); 1972 assert(p->qtdaddr == q->qtdaddr); 1973 1974 ehci_trace_qtd(q, NLPTR_GET(p->qtdaddr), (EHCIqtd *) &q->qh.next_qtd); 1975 qtd = (uint32_t *) &q->qh.next_qtd; 1976 addr = NLPTR_GET(p->qtdaddr); 1977 put_dwords(q->ehci, addr + 2 * sizeof(uint32_t), qtd + 2, 2); 1978 ehci_free_packet(p); 1979 1980 /* 1981 * EHCI specs say go horizontal here. 1982 * 1983 * We can also advance the queue here for performance reasons. We 1984 * need to take care to only take that shortcut in case we've 1985 * processed the qtd just written back without errors, i.e. halt 1986 * bit is clear. 1987 */ 1988 if (q->qh.token & QTD_TOKEN_HALT) { 1989 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1990 again = 1; 1991 } else { 1992 ehci_set_state(q->ehci, q->async, EST_ADVANCEQUEUE); 1993 again = 1; 1994 } 1995 return again; 1996 } 1997 1998 /* 1999 * This is the state machine that is common to both async and periodic 2000 */ 2001 2002 static void ehci_advance_state(EHCIState *ehci, int async) 2003 { 2004 EHCIQueue *q = NULL; 2005 int again; 2006 2007 do { 2008 switch(ehci_get_state(ehci, async)) { 2009 case EST_WAITLISTHEAD: 2010 again = ehci_state_waitlisthead(ehci, async); 2011 break; 2012 2013 case EST_FETCHENTRY: 2014 again = ehci_state_fetchentry(ehci, async); 2015 break; 2016 2017 case EST_FETCHQH: 2018 q = ehci_state_fetchqh(ehci, async); 2019 if (q != NULL) { 2020 assert(q->async == async); 2021 again = 1; 2022 } else { 2023 again = 0; 2024 } 2025 break; 2026 2027 case EST_FETCHITD: 2028 again = ehci_state_fetchitd(ehci, async); 2029 break; 2030 2031 case EST_FETCHSITD: 2032 again = ehci_state_fetchsitd(ehci, async); 2033 break; 2034 2035 case EST_ADVANCEQUEUE: 2036 assert(q != NULL); 2037 again = ehci_state_advqueue(q); 2038 break; 2039 2040 case EST_FETCHQTD: 2041 assert(q != NULL); 2042 again = ehci_state_fetchqtd(q); 2043 break; 2044 2045 case EST_HORIZONTALQH: 2046 assert(q != NULL); 2047 again = ehci_state_horizqh(q); 2048 break; 2049 2050 case EST_EXECUTE: 2051 assert(q != NULL); 2052 again = ehci_state_execute(q); 2053 if (async) { 2054 ehci->async_stepdown = 0; 2055 } 2056 break; 2057 2058 case EST_EXECUTING: 2059 assert(q != NULL); 2060 if (async) { 2061 ehci->async_stepdown = 0; 2062 } 2063 again = ehci_state_executing(q); 2064 break; 2065 2066 case EST_WRITEBACK: 2067 assert(q != NULL); 2068 again = ehci_state_writeback(q); 2069 if (!async) { 2070 ehci->periodic_sched_active = PERIODIC_ACTIVE; 2071 } 2072 break; 2073 2074 default: 2075 fprintf(stderr, "Bad state!\n"); 2076 again = -1; 2077 g_assert_not_reached(); 2078 break; 2079 } 2080 2081 if (again < 0) { 2082 fprintf(stderr, "processing error - resetting ehci HC\n"); 2083 ehci_reset(ehci); 2084 again = 0; 2085 } 2086 } 2087 while (again); 2088 } 2089 2090 static void ehci_advance_async_state(EHCIState *ehci) 2091 { 2092 const int async = 1; 2093 2094 switch(ehci_get_state(ehci, async)) { 2095 case EST_INACTIVE: 2096 if (!ehci_async_enabled(ehci)) { 2097 break; 2098 } 2099 ehci_set_state(ehci, async, EST_ACTIVE); 2100 // No break, fall through to ACTIVE 2101 2102 case EST_ACTIVE: 2103 if (!ehci_async_enabled(ehci)) { 2104 ehci_queues_rip_all(ehci, async); 2105 ehci_set_state(ehci, async, EST_INACTIVE); 2106 break; 2107 } 2108 2109 /* make sure guest has acknowledged the doorbell interrupt */ 2110 /* TO-DO: is this really needed? */ 2111 if (ehci->usbsts & USBSTS_IAA) { 2112 DPRINTF("IAA status bit still set.\n"); 2113 break; 2114 } 2115 2116 /* check that address register has been set */ 2117 if (ehci->asynclistaddr == 0) { 2118 break; 2119 } 2120 2121 ehci_set_state(ehci, async, EST_WAITLISTHEAD); 2122 ehci_advance_state(ehci, async); 2123 2124 /* If the doorbell is set, the guest wants to make a change to the 2125 * schedule. The host controller needs to release cached data. 2126 * (section 4.8.2) 2127 */ 2128 if (ehci->usbcmd & USBCMD_IAAD) { 2129 /* Remove all unseen qhs from the async qhs queue */ 2130 ehci_queues_rip_unseen(ehci, async); 2131 trace_usb_ehci_doorbell_ack(); 2132 ehci->usbcmd &= ~USBCMD_IAAD; 2133 ehci_raise_irq(ehci, USBSTS_IAA); 2134 } 2135 break; 2136 2137 default: 2138 /* this should only be due to a developer mistake */ 2139 fprintf(stderr, "ehci: Bad asynchronous state %d. " 2140 "Resetting to active\n", ehci->astate); 2141 g_assert_not_reached(); 2142 } 2143 } 2144 2145 static void ehci_advance_periodic_state(EHCIState *ehci) 2146 { 2147 uint32_t entry; 2148 uint32_t list; 2149 const int async = 0; 2150 2151 // 4.6 2152 2153 switch(ehci_get_state(ehci, async)) { 2154 case EST_INACTIVE: 2155 if (!(ehci->frindex & 7) && ehci_periodic_enabled(ehci)) { 2156 ehci_set_state(ehci, async, EST_ACTIVE); 2157 // No break, fall through to ACTIVE 2158 } else 2159 break; 2160 2161 case EST_ACTIVE: 2162 if (!(ehci->frindex & 7) && !ehci_periodic_enabled(ehci)) { 2163 ehci_queues_rip_all(ehci, async); 2164 ehci_set_state(ehci, async, EST_INACTIVE); 2165 break; 2166 } 2167 2168 list = ehci->periodiclistbase & 0xfffff000; 2169 /* check that register has been set */ 2170 if (list == 0) { 2171 break; 2172 } 2173 list |= ((ehci->frindex & 0x1ff8) >> 1); 2174 2175 if (get_dwords(ehci, list, &entry, 1) < 0) { 2176 break; 2177 } 2178 2179 DPRINTF("PERIODIC state adv fr=%d. [%08X] -> %08X\n", 2180 ehci->frindex / 8, list, entry); 2181 ehci_set_fetch_addr(ehci, async,entry); 2182 ehci_set_state(ehci, async, EST_FETCHENTRY); 2183 ehci_advance_state(ehci, async); 2184 ehci_queues_rip_unused(ehci, async); 2185 break; 2186 2187 default: 2188 /* this should only be due to a developer mistake */ 2189 fprintf(stderr, "ehci: Bad periodic state %d. " 2190 "Resetting to active\n", ehci->pstate); 2191 g_assert_not_reached(); 2192 } 2193 } 2194 2195 static void ehci_update_frindex(EHCIState *ehci, int uframes) 2196 { 2197 int i; 2198 2199 if (!ehci_enabled(ehci) && ehci->pstate == EST_INACTIVE) { 2200 return; 2201 } 2202 2203 for (i = 0; i < uframes; i++) { 2204 ehci->frindex++; 2205 2206 if (ehci->frindex == 0x00002000) { 2207 ehci_raise_irq(ehci, USBSTS_FLR); 2208 } 2209 2210 if (ehci->frindex == 0x00004000) { 2211 ehci_raise_irq(ehci, USBSTS_FLR); 2212 ehci->frindex = 0; 2213 if (ehci->usbsts_frindex >= 0x00004000) { 2214 ehci->usbsts_frindex -= 0x00004000; 2215 } else { 2216 ehci->usbsts_frindex = 0; 2217 } 2218 } 2219 } 2220 } 2221 2222 static void ehci_frame_timer(void *opaque) 2223 { 2224 EHCIState *ehci = opaque; 2225 int need_timer = 0; 2226 int64_t expire_time, t_now; 2227 uint64_t ns_elapsed; 2228 int uframes, skipped_uframes; 2229 int i; 2230 2231 t_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 2232 ns_elapsed = t_now - ehci->last_run_ns; 2233 uframes = ns_elapsed / UFRAME_TIMER_NS; 2234 2235 if (ehci_periodic_enabled(ehci) || ehci->pstate != EST_INACTIVE) { 2236 need_timer++; 2237 2238 if (uframes > (ehci->maxframes * 8)) { 2239 skipped_uframes = uframes - (ehci->maxframes * 8); 2240 ehci_update_frindex(ehci, skipped_uframes); 2241 ehci->last_run_ns += UFRAME_TIMER_NS * skipped_uframes; 2242 uframes -= skipped_uframes; 2243 DPRINTF("WARNING - EHCI skipped %d uframes\n", skipped_uframes); 2244 } 2245 2246 for (i = 0; i < uframes; i++) { 2247 /* 2248 * If we're running behind schedule, we should not catch up 2249 * too fast, as that will make some guests unhappy: 2250 * 1) We must process a minimum of MIN_UFR_PER_TICK frames, 2251 * otherwise we will never catch up 2252 * 2) Process frames until the guest has requested an irq (IOC) 2253 */ 2254 if (i >= MIN_UFR_PER_TICK) { 2255 ehci_commit_irq(ehci); 2256 if ((ehci->usbsts & USBINTR_MASK) & ehci->usbintr) { 2257 break; 2258 } 2259 } 2260 if (ehci->periodic_sched_active) { 2261 ehci->periodic_sched_active--; 2262 } 2263 ehci_update_frindex(ehci, 1); 2264 if ((ehci->frindex & 7) == 0) { 2265 ehci_advance_periodic_state(ehci); 2266 } 2267 ehci->last_run_ns += UFRAME_TIMER_NS; 2268 } 2269 } else { 2270 ehci->periodic_sched_active = 0; 2271 ehci_update_frindex(ehci, uframes); 2272 ehci->last_run_ns += UFRAME_TIMER_NS * uframes; 2273 } 2274 2275 if (ehci->periodic_sched_active) { 2276 ehci->async_stepdown = 0; 2277 } else if (ehci->async_stepdown < ehci->maxframes / 2) { 2278 ehci->async_stepdown++; 2279 } 2280 2281 /* Async is not inside loop since it executes everything it can once 2282 * called 2283 */ 2284 if (ehci_async_enabled(ehci) || ehci->astate != EST_INACTIVE) { 2285 need_timer++; 2286 ehci_advance_async_state(ehci); 2287 } 2288 2289 ehci_commit_irq(ehci); 2290 if (ehci->usbsts_pending) { 2291 need_timer++; 2292 ehci->async_stepdown = 0; 2293 } 2294 2295 if (ehci_enabled(ehci) && (ehci->usbintr & USBSTS_FLR)) { 2296 need_timer++; 2297 } 2298 2299 if (need_timer) { 2300 /* If we've raised int, we speed up the timer, so that we quickly 2301 * notice any new packets queued up in response */ 2302 if (ehci->int_req_by_async && (ehci->usbsts & USBSTS_INT)) { 2303 expire_time = t_now + get_ticks_per_sec() / (FRAME_TIMER_FREQ * 4); 2304 ehci->int_req_by_async = false; 2305 } else { 2306 expire_time = t_now + (get_ticks_per_sec() 2307 * (ehci->async_stepdown+1) / FRAME_TIMER_FREQ); 2308 } 2309 timer_mod(ehci->frame_timer, expire_time); 2310 } 2311 } 2312 2313 static const MemoryRegionOps ehci_mmio_caps_ops = { 2314 .read = ehci_caps_read, 2315 .valid.min_access_size = 1, 2316 .valid.max_access_size = 4, 2317 .impl.min_access_size = 1, 2318 .impl.max_access_size = 1, 2319 .endianness = DEVICE_LITTLE_ENDIAN, 2320 }; 2321 2322 static const MemoryRegionOps ehci_mmio_opreg_ops = { 2323 .read = ehci_opreg_read, 2324 .write = ehci_opreg_write, 2325 .valid.min_access_size = 4, 2326 .valid.max_access_size = 4, 2327 .endianness = DEVICE_LITTLE_ENDIAN, 2328 }; 2329 2330 static const MemoryRegionOps ehci_mmio_port_ops = { 2331 .read = ehci_port_read, 2332 .write = ehci_port_write, 2333 .valid.min_access_size = 4, 2334 .valid.max_access_size = 4, 2335 .endianness = DEVICE_LITTLE_ENDIAN, 2336 }; 2337 2338 static USBPortOps ehci_port_ops = { 2339 .attach = ehci_attach, 2340 .detach = ehci_detach, 2341 .child_detach = ehci_child_detach, 2342 .wakeup = ehci_wakeup, 2343 .complete = ehci_async_complete_packet, 2344 }; 2345 2346 static USBBusOps ehci_bus_ops_companion = { 2347 .register_companion = ehci_register_companion, 2348 .wakeup_endpoint = ehci_wakeup_endpoint, 2349 }; 2350 static USBBusOps ehci_bus_ops_standalone = { 2351 .wakeup_endpoint = ehci_wakeup_endpoint, 2352 }; 2353 2354 static void usb_ehci_pre_save(void *opaque) 2355 { 2356 EHCIState *ehci = opaque; 2357 uint32_t new_frindex; 2358 2359 /* Round down frindex to a multiple of 8 for migration compatibility */ 2360 new_frindex = ehci->frindex & ~7; 2361 ehci->last_run_ns -= (ehci->frindex - new_frindex) * UFRAME_TIMER_NS; 2362 ehci->frindex = new_frindex; 2363 } 2364 2365 static int usb_ehci_post_load(void *opaque, int version_id) 2366 { 2367 EHCIState *s = opaque; 2368 int i; 2369 2370 for (i = 0; i < NB_PORTS; i++) { 2371 USBPort *companion = s->companion_ports[i]; 2372 if (companion == NULL) { 2373 continue; 2374 } 2375 if (s->portsc[i] & PORTSC_POWNER) { 2376 companion->dev = s->ports[i].dev; 2377 } else { 2378 companion->dev = NULL; 2379 } 2380 } 2381 2382 return 0; 2383 } 2384 2385 static void usb_ehci_vm_state_change(void *opaque, int running, RunState state) 2386 { 2387 EHCIState *ehci = opaque; 2388 2389 /* 2390 * We don't migrate the EHCIQueue-s, instead we rebuild them for the 2391 * schedule in guest memory. We must do the rebuilt ASAP, so that 2392 * USB-devices which have async handled packages have a packet in the 2393 * ep queue to match the completion with. 2394 */ 2395 if (state == RUN_STATE_RUNNING) { 2396 ehci_advance_async_state(ehci); 2397 } 2398 2399 /* 2400 * The schedule rebuilt from guest memory could cause the migration dest 2401 * to miss a QH unlink, and fail to cancel packets, since the unlinked QH 2402 * will never have existed on the destination. Therefor we must flush the 2403 * async schedule on savevm to catch any not yet noticed unlinks. 2404 */ 2405 if (state == RUN_STATE_SAVE_VM) { 2406 ehci_advance_async_state(ehci); 2407 ehci_queues_rip_unseen(ehci, 1); 2408 } 2409 } 2410 2411 const VMStateDescription vmstate_ehci = { 2412 .name = "ehci-core", 2413 .version_id = 2, 2414 .minimum_version_id = 1, 2415 .pre_save = usb_ehci_pre_save, 2416 .post_load = usb_ehci_post_load, 2417 .fields = (VMStateField[]) { 2418 /* mmio registers */ 2419 VMSTATE_UINT32(usbcmd, EHCIState), 2420 VMSTATE_UINT32(usbsts, EHCIState), 2421 VMSTATE_UINT32_V(usbsts_pending, EHCIState, 2), 2422 VMSTATE_UINT32_V(usbsts_frindex, EHCIState, 2), 2423 VMSTATE_UINT32(usbintr, EHCIState), 2424 VMSTATE_UINT32(frindex, EHCIState), 2425 VMSTATE_UINT32(ctrldssegment, EHCIState), 2426 VMSTATE_UINT32(periodiclistbase, EHCIState), 2427 VMSTATE_UINT32(asynclistaddr, EHCIState), 2428 VMSTATE_UINT32(configflag, EHCIState), 2429 VMSTATE_UINT32(portsc[0], EHCIState), 2430 VMSTATE_UINT32(portsc[1], EHCIState), 2431 VMSTATE_UINT32(portsc[2], EHCIState), 2432 VMSTATE_UINT32(portsc[3], EHCIState), 2433 VMSTATE_UINT32(portsc[4], EHCIState), 2434 VMSTATE_UINT32(portsc[5], EHCIState), 2435 /* frame timer */ 2436 VMSTATE_TIMER_PTR(frame_timer, EHCIState), 2437 VMSTATE_UINT64(last_run_ns, EHCIState), 2438 VMSTATE_UINT32(async_stepdown, EHCIState), 2439 /* schedule state */ 2440 VMSTATE_UINT32(astate, EHCIState), 2441 VMSTATE_UINT32(pstate, EHCIState), 2442 VMSTATE_UINT32(a_fetch_addr, EHCIState), 2443 VMSTATE_UINT32(p_fetch_addr, EHCIState), 2444 VMSTATE_END_OF_LIST() 2445 } 2446 }; 2447 2448 void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp) 2449 { 2450 int i; 2451 2452 if (s->portnr > NB_PORTS) { 2453 error_setg(errp, "Too many ports! Max. port number is %d.", 2454 NB_PORTS); 2455 return; 2456 } 2457 2458 usb_bus_new(&s->bus, sizeof(s->bus), s->companion_enable ? 2459 &ehci_bus_ops_companion : &ehci_bus_ops_standalone, dev); 2460 for (i = 0; i < s->portnr; i++) { 2461 usb_register_port(&s->bus, &s->ports[i], s, i, &ehci_port_ops, 2462 USB_SPEED_MASK_HIGH); 2463 s->ports[i].dev = 0; 2464 } 2465 2466 s->frame_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ehci_frame_timer, s); 2467 s->async_bh = qemu_bh_new(ehci_frame_timer, s); 2468 s->device = dev; 2469 2470 s->vmstate = qemu_add_vm_change_state_handler(usb_ehci_vm_state_change, s); 2471 } 2472 2473 void usb_ehci_unrealize(EHCIState *s, DeviceState *dev, Error **errp) 2474 { 2475 trace_usb_ehci_unrealize(); 2476 2477 if (s->frame_timer) { 2478 timer_del(s->frame_timer); 2479 timer_free(s->frame_timer); 2480 s->frame_timer = NULL; 2481 } 2482 if (s->async_bh) { 2483 qemu_bh_delete(s->async_bh); 2484 } 2485 2486 ehci_queues_rip_all(s, 0); 2487 ehci_queues_rip_all(s, 1); 2488 2489 memory_region_del_subregion(&s->mem, &s->mem_caps); 2490 memory_region_del_subregion(&s->mem, &s->mem_opreg); 2491 memory_region_del_subregion(&s->mem, &s->mem_ports); 2492 2493 usb_bus_release(&s->bus); 2494 2495 if (s->vmstate) { 2496 qemu_del_vm_change_state_handler(s->vmstate); 2497 } 2498 } 2499 2500 void usb_ehci_init(EHCIState *s, DeviceState *dev) 2501 { 2502 /* 2.2 host controller interface version */ 2503 s->caps[0x00] = (uint8_t)(s->opregbase - s->capsbase); 2504 s->caps[0x01] = 0x00; 2505 s->caps[0x02] = 0x00; 2506 s->caps[0x03] = 0x01; /* HC version */ 2507 s->caps[0x04] = s->portnr; /* Number of downstream ports */ 2508 s->caps[0x05] = 0x00; /* No companion ports at present */ 2509 s->caps[0x06] = 0x00; 2510 s->caps[0x07] = 0x00; 2511 s->caps[0x08] = 0x80; /* We can cache whole frame, no 64-bit */ 2512 s->caps[0x0a] = 0x00; 2513 s->caps[0x0b] = 0x00; 2514 2515 QTAILQ_INIT(&s->aqueues); 2516 QTAILQ_INIT(&s->pqueues); 2517 usb_packet_init(&s->ipacket); 2518 2519 memory_region_init(&s->mem, OBJECT(dev), "ehci", MMIO_SIZE); 2520 memory_region_init_io(&s->mem_caps, OBJECT(dev), &ehci_mmio_caps_ops, s, 2521 "capabilities", CAPA_SIZE); 2522 memory_region_init_io(&s->mem_opreg, OBJECT(dev), &ehci_mmio_opreg_ops, s, 2523 "operational", s->portscbase); 2524 memory_region_init_io(&s->mem_ports, OBJECT(dev), &ehci_mmio_port_ops, s, 2525 "ports", 4 * s->portnr); 2526 2527 memory_region_add_subregion(&s->mem, s->capsbase, &s->mem_caps); 2528 memory_region_add_subregion(&s->mem, s->opregbase, &s->mem_opreg); 2529 memory_region_add_subregion(&s->mem, s->opregbase + s->portscbase, 2530 &s->mem_ports); 2531 } 2532 2533 /* 2534 * vim: expandtab ts=4 2535 */ 2536