1 /* 2 * QEMU USB EHCI Emulation 3 * 4 * Copyright(c) 2008 Emutex Ltd. (address@hidden) 5 * Copyright(c) 2011-2012 Red Hat, Inc. 6 * 7 * Red Hat Authors: 8 * Gerd Hoffmann <kraxel@redhat.com> 9 * Hans de Goede <hdegoede@redhat.com> 10 * 11 * EHCI project was started by Mark Burkley, with contributions by 12 * Niels de Vos. David S. Ahern continued working on it. Kevin Wolf, 13 * Jan Kiszka and Vincent Palatin contributed bugfixes. 14 * 15 * 16 * This library is free software; you can redistribute it and/or 17 * modify it under the terms of the GNU Lesser General Public 18 * License as published by the Free Software Foundation; either 19 * version 2 of the License, or(at your option) any later version. 20 * 21 * This library is distributed in the hope that it will be useful, 22 * but WITHOUT ANY WARRANTY; without even the implied warranty of 23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 24 * Lesser General Public License for more details. 25 * 26 * You should have received a copy of the GNU General Public License 27 * along with this program; if not, see <http://www.gnu.org/licenses/>. 28 */ 29 30 #include "qemu/osdep.h" 31 #include "hw/usb/ehci-regs.h" 32 #include "hw/usb/hcd-ehci.h" 33 #include "trace.h" 34 35 #define FRAME_TIMER_FREQ 1000 36 #define FRAME_TIMER_NS (NANOSECONDS_PER_SECOND / FRAME_TIMER_FREQ) 37 #define UFRAME_TIMER_NS (FRAME_TIMER_NS / 8) 38 39 #define NB_MAXINTRATE 8 // Max rate at which controller issues ints 40 #define BUFF_SIZE 5*4096 // Max bytes to transfer per transaction 41 #define MAX_QH 100 // Max allowable queue heads in a chain 42 #define MIN_UFR_PER_TICK 24 /* Min frames to process when catching up */ 43 #define PERIODIC_ACTIVE 512 /* Micro-frames */ 44 45 /* Internal periodic / asynchronous schedule state machine states 46 */ 47 typedef enum { 48 EST_INACTIVE = 1000, 49 EST_ACTIVE, 50 EST_EXECUTING, 51 EST_SLEEPING, 52 /* The following states are internal to the state machine function 53 */ 54 EST_WAITLISTHEAD, 55 EST_FETCHENTRY, 56 EST_FETCHQH, 57 EST_FETCHITD, 58 EST_FETCHSITD, 59 EST_ADVANCEQUEUE, 60 EST_FETCHQTD, 61 EST_EXECUTE, 62 EST_WRITEBACK, 63 EST_HORIZONTALQH 64 } EHCI_STATES; 65 66 /* macros for accessing fields within next link pointer entry */ 67 #define NLPTR_GET(x) ((x) & 0xffffffe0) 68 #define NLPTR_TYPE_GET(x) (((x) >> 1) & 3) 69 #define NLPTR_TBIT(x) ((x) & 1) // 1=invalid, 0=valid 70 71 /* link pointer types */ 72 #define NLPTR_TYPE_ITD 0 // isoc xfer descriptor 73 #define NLPTR_TYPE_QH 1 // queue head 74 #define NLPTR_TYPE_STITD 2 // split xaction, isoc xfer descriptor 75 #define NLPTR_TYPE_FSTN 3 // frame span traversal node 76 77 #define SET_LAST_RUN_CLOCK(s) \ 78 (s)->last_run_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 79 80 /* nifty macros from Arnon's EHCI version */ 81 #define get_field(data, field) \ 82 (((data) & field##_MASK) >> field##_SH) 83 84 #define set_field(data, newval, field) do { \ 85 uint32_t val = *data; \ 86 val &= ~ field##_MASK; \ 87 val |= ((newval) << field##_SH) & field##_MASK; \ 88 *data = val; \ 89 } while(0) 90 91 static const char *ehci_state_names[] = { 92 [EST_INACTIVE] = "INACTIVE", 93 [EST_ACTIVE] = "ACTIVE", 94 [EST_EXECUTING] = "EXECUTING", 95 [EST_SLEEPING] = "SLEEPING", 96 [EST_WAITLISTHEAD] = "WAITLISTHEAD", 97 [EST_FETCHENTRY] = "FETCH ENTRY", 98 [EST_FETCHQH] = "FETCH QH", 99 [EST_FETCHITD] = "FETCH ITD", 100 [EST_ADVANCEQUEUE] = "ADVANCEQUEUE", 101 [EST_FETCHQTD] = "FETCH QTD", 102 [EST_EXECUTE] = "EXECUTE", 103 [EST_WRITEBACK] = "WRITEBACK", 104 [EST_HORIZONTALQH] = "HORIZONTALQH", 105 }; 106 107 static const char *ehci_mmio_names[] = { 108 [USBCMD] = "USBCMD", 109 [USBSTS] = "USBSTS", 110 [USBINTR] = "USBINTR", 111 [FRINDEX] = "FRINDEX", 112 [PERIODICLISTBASE] = "P-LIST BASE", 113 [ASYNCLISTADDR] = "A-LIST ADDR", 114 [CONFIGFLAG] = "CONFIGFLAG", 115 }; 116 117 static int ehci_state_executing(EHCIQueue *q); 118 static int ehci_state_writeback(EHCIQueue *q); 119 static int ehci_state_advqueue(EHCIQueue *q); 120 static int ehci_fill_queue(EHCIPacket *p); 121 static void ehci_free_packet(EHCIPacket *p); 122 123 static const char *nr2str(const char **n, size_t len, uint32_t nr) 124 { 125 if (nr < len && n[nr] != NULL) { 126 return n[nr]; 127 } else { 128 return "unknown"; 129 } 130 } 131 132 static const char *state2str(uint32_t state) 133 { 134 return nr2str(ehci_state_names, ARRAY_SIZE(ehci_state_names), state); 135 } 136 137 static const char *addr2str(hwaddr addr) 138 { 139 return nr2str(ehci_mmio_names, ARRAY_SIZE(ehci_mmio_names), addr); 140 } 141 142 static void ehci_trace_usbsts(uint32_t mask, int state) 143 { 144 /* interrupts */ 145 if (mask & USBSTS_INT) { 146 trace_usb_ehci_usbsts("INT", state); 147 } 148 if (mask & USBSTS_ERRINT) { 149 trace_usb_ehci_usbsts("ERRINT", state); 150 } 151 if (mask & USBSTS_PCD) { 152 trace_usb_ehci_usbsts("PCD", state); 153 } 154 if (mask & USBSTS_FLR) { 155 trace_usb_ehci_usbsts("FLR", state); 156 } 157 if (mask & USBSTS_HSE) { 158 trace_usb_ehci_usbsts("HSE", state); 159 } 160 if (mask & USBSTS_IAA) { 161 trace_usb_ehci_usbsts("IAA", state); 162 } 163 164 /* status */ 165 if (mask & USBSTS_HALT) { 166 trace_usb_ehci_usbsts("HALT", state); 167 } 168 if (mask & USBSTS_REC) { 169 trace_usb_ehci_usbsts("REC", state); 170 } 171 if (mask & USBSTS_PSS) { 172 trace_usb_ehci_usbsts("PSS", state); 173 } 174 if (mask & USBSTS_ASS) { 175 trace_usb_ehci_usbsts("ASS", state); 176 } 177 } 178 179 static inline void ehci_set_usbsts(EHCIState *s, int mask) 180 { 181 if ((s->usbsts & mask) == mask) { 182 return; 183 } 184 ehci_trace_usbsts(mask, 1); 185 s->usbsts |= mask; 186 } 187 188 static inline void ehci_clear_usbsts(EHCIState *s, int mask) 189 { 190 if ((s->usbsts & mask) == 0) { 191 return; 192 } 193 ehci_trace_usbsts(mask, 0); 194 s->usbsts &= ~mask; 195 } 196 197 /* update irq line */ 198 static inline void ehci_update_irq(EHCIState *s) 199 { 200 int level = 0; 201 202 if ((s->usbsts & USBINTR_MASK) & s->usbintr) { 203 level = 1; 204 } 205 206 trace_usb_ehci_irq(level, s->frindex, s->usbsts, s->usbintr); 207 qemu_set_irq(s->irq, level); 208 } 209 210 /* flag interrupt condition */ 211 static inline void ehci_raise_irq(EHCIState *s, int intr) 212 { 213 if (intr & (USBSTS_PCD | USBSTS_FLR | USBSTS_HSE)) { 214 s->usbsts |= intr; 215 ehci_update_irq(s); 216 } else { 217 s->usbsts_pending |= intr; 218 } 219 } 220 221 /* 222 * Commit pending interrupts (added via ehci_raise_irq), 223 * at the rate allowed by "Interrupt Threshold Control". 224 */ 225 static inline void ehci_commit_irq(EHCIState *s) 226 { 227 uint32_t itc; 228 229 if (!s->usbsts_pending) { 230 return; 231 } 232 if (s->usbsts_frindex > s->frindex) { 233 return; 234 } 235 236 itc = (s->usbcmd >> 16) & 0xff; 237 s->usbsts |= s->usbsts_pending; 238 s->usbsts_pending = 0; 239 s->usbsts_frindex = s->frindex + itc; 240 ehci_update_irq(s); 241 } 242 243 static void ehci_update_halt(EHCIState *s) 244 { 245 if (s->usbcmd & USBCMD_RUNSTOP) { 246 ehci_clear_usbsts(s, USBSTS_HALT); 247 } else { 248 if (s->astate == EST_INACTIVE && s->pstate == EST_INACTIVE) { 249 ehci_set_usbsts(s, USBSTS_HALT); 250 } 251 } 252 } 253 254 static void ehci_set_state(EHCIState *s, int async, int state) 255 { 256 if (async) { 257 trace_usb_ehci_state("async", state2str(state)); 258 s->astate = state; 259 if (s->astate == EST_INACTIVE) { 260 ehci_clear_usbsts(s, USBSTS_ASS); 261 ehci_update_halt(s); 262 } else { 263 ehci_set_usbsts(s, USBSTS_ASS); 264 } 265 } else { 266 trace_usb_ehci_state("periodic", state2str(state)); 267 s->pstate = state; 268 if (s->pstate == EST_INACTIVE) { 269 ehci_clear_usbsts(s, USBSTS_PSS); 270 ehci_update_halt(s); 271 } else { 272 ehci_set_usbsts(s, USBSTS_PSS); 273 } 274 } 275 } 276 277 static int ehci_get_state(EHCIState *s, int async) 278 { 279 return async ? s->astate : s->pstate; 280 } 281 282 static void ehci_set_fetch_addr(EHCIState *s, int async, uint32_t addr) 283 { 284 if (async) { 285 s->a_fetch_addr = addr; 286 } else { 287 s->p_fetch_addr = addr; 288 } 289 } 290 291 static int ehci_get_fetch_addr(EHCIState *s, int async) 292 { 293 return async ? s->a_fetch_addr : s->p_fetch_addr; 294 } 295 296 static void ehci_trace_qh(EHCIQueue *q, hwaddr addr, EHCIqh *qh) 297 { 298 /* need three here due to argument count limits */ 299 trace_usb_ehci_qh_ptrs(q, addr, qh->next, 300 qh->current_qtd, qh->next_qtd, qh->altnext_qtd); 301 trace_usb_ehci_qh_fields(addr, 302 get_field(qh->epchar, QH_EPCHAR_RL), 303 get_field(qh->epchar, QH_EPCHAR_MPLEN), 304 get_field(qh->epchar, QH_EPCHAR_EPS), 305 get_field(qh->epchar, QH_EPCHAR_EP), 306 get_field(qh->epchar, QH_EPCHAR_DEVADDR)); 307 trace_usb_ehci_qh_bits(addr, 308 (bool)(qh->epchar & QH_EPCHAR_C), 309 (bool)(qh->epchar & QH_EPCHAR_H), 310 (bool)(qh->epchar & QH_EPCHAR_DTC), 311 (bool)(qh->epchar & QH_EPCHAR_I)); 312 } 313 314 static void ehci_trace_qtd(EHCIQueue *q, hwaddr addr, EHCIqtd *qtd) 315 { 316 /* need three here due to argument count limits */ 317 trace_usb_ehci_qtd_ptrs(q, addr, qtd->next, qtd->altnext); 318 trace_usb_ehci_qtd_fields(addr, 319 get_field(qtd->token, QTD_TOKEN_TBYTES), 320 get_field(qtd->token, QTD_TOKEN_CPAGE), 321 get_field(qtd->token, QTD_TOKEN_CERR), 322 get_field(qtd->token, QTD_TOKEN_PID)); 323 trace_usb_ehci_qtd_bits(addr, 324 (bool)(qtd->token & QTD_TOKEN_IOC), 325 (bool)(qtd->token & QTD_TOKEN_ACTIVE), 326 (bool)(qtd->token & QTD_TOKEN_HALT), 327 (bool)(qtd->token & QTD_TOKEN_BABBLE), 328 (bool)(qtd->token & QTD_TOKEN_XACTERR)); 329 } 330 331 static void ehci_trace_itd(EHCIState *s, hwaddr addr, EHCIitd *itd) 332 { 333 trace_usb_ehci_itd(addr, itd->next, 334 get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT), 335 get_field(itd->bufptr[2], ITD_BUFPTR_MULT), 336 get_field(itd->bufptr[0], ITD_BUFPTR_EP), 337 get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR)); 338 } 339 340 static void ehci_trace_sitd(EHCIState *s, hwaddr addr, 341 EHCIsitd *sitd) 342 { 343 trace_usb_ehci_sitd(addr, sitd->next, 344 (bool)(sitd->results & SITD_RESULTS_ACTIVE)); 345 } 346 347 static void ehci_trace_guest_bug(EHCIState *s, const char *message) 348 { 349 trace_usb_ehci_guest_bug(message); 350 fprintf(stderr, "ehci warning: %s\n", message); 351 } 352 353 static inline bool ehci_enabled(EHCIState *s) 354 { 355 return s->usbcmd & USBCMD_RUNSTOP; 356 } 357 358 static inline bool ehci_async_enabled(EHCIState *s) 359 { 360 return ehci_enabled(s) && (s->usbcmd & USBCMD_ASE); 361 } 362 363 static inline bool ehci_periodic_enabled(EHCIState *s) 364 { 365 return ehci_enabled(s) && (s->usbcmd & USBCMD_PSE); 366 } 367 368 /* Get an array of dwords from main memory */ 369 static inline int get_dwords(EHCIState *ehci, uint32_t addr, 370 uint32_t *buf, int num) 371 { 372 int i; 373 374 if (!ehci->as) { 375 ehci_raise_irq(ehci, USBSTS_HSE); 376 ehci->usbcmd &= ~USBCMD_RUNSTOP; 377 trace_usb_ehci_dma_error(); 378 return -1; 379 } 380 381 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { 382 dma_memory_read(ehci->as, addr, buf, sizeof(*buf)); 383 *buf = le32_to_cpu(*buf); 384 } 385 386 return num; 387 } 388 389 /* Put an array of dwords in to main memory */ 390 static inline int put_dwords(EHCIState *ehci, uint32_t addr, 391 uint32_t *buf, int num) 392 { 393 int i; 394 395 if (!ehci->as) { 396 ehci_raise_irq(ehci, USBSTS_HSE); 397 ehci->usbcmd &= ~USBCMD_RUNSTOP; 398 trace_usb_ehci_dma_error(); 399 return -1; 400 } 401 402 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { 403 uint32_t tmp = cpu_to_le32(*buf); 404 dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp)); 405 } 406 407 return num; 408 } 409 410 static int ehci_get_pid(EHCIqtd *qtd) 411 { 412 switch (get_field(qtd->token, QTD_TOKEN_PID)) { 413 case 0: 414 return USB_TOKEN_OUT; 415 case 1: 416 return USB_TOKEN_IN; 417 case 2: 418 return USB_TOKEN_SETUP; 419 default: 420 fprintf(stderr, "bad token\n"); 421 return 0; 422 } 423 } 424 425 static bool ehci_verify_qh(EHCIQueue *q, EHCIqh *qh) 426 { 427 uint32_t devaddr = get_field(qh->epchar, QH_EPCHAR_DEVADDR); 428 uint32_t endp = get_field(qh->epchar, QH_EPCHAR_EP); 429 if ((devaddr != get_field(q->qh.epchar, QH_EPCHAR_DEVADDR)) || 430 (endp != get_field(q->qh.epchar, QH_EPCHAR_EP)) || 431 (qh->current_qtd != q->qh.current_qtd) || 432 (q->async && qh->next_qtd != q->qh.next_qtd) || 433 (memcmp(&qh->altnext_qtd, &q->qh.altnext_qtd, 434 7 * sizeof(uint32_t)) != 0) || 435 (q->dev != NULL && q->dev->addr != devaddr)) { 436 return false; 437 } else { 438 return true; 439 } 440 } 441 442 static bool ehci_verify_qtd(EHCIPacket *p, EHCIqtd *qtd) 443 { 444 if (p->qtdaddr != p->queue->qtdaddr || 445 (p->queue->async && !NLPTR_TBIT(p->qtd.next) && 446 (p->qtd.next != qtd->next)) || 447 (!NLPTR_TBIT(p->qtd.altnext) && (p->qtd.altnext != qtd->altnext)) || 448 p->qtd.token != qtd->token || 449 p->qtd.bufptr[0] != qtd->bufptr[0]) { 450 return false; 451 } else { 452 return true; 453 } 454 } 455 456 static bool ehci_verify_pid(EHCIQueue *q, EHCIqtd *qtd) 457 { 458 int ep = get_field(q->qh.epchar, QH_EPCHAR_EP); 459 int pid = ehci_get_pid(qtd); 460 461 /* Note the pid changing is normal for ep 0 (the control ep) */ 462 if (q->last_pid && ep != 0 && pid != q->last_pid) { 463 return false; 464 } else { 465 return true; 466 } 467 } 468 469 /* Finish executing and writeback a packet outside of the regular 470 fetchqh -> fetchqtd -> execute -> writeback cycle */ 471 static void ehci_writeback_async_complete_packet(EHCIPacket *p) 472 { 473 EHCIQueue *q = p->queue; 474 EHCIqtd qtd; 475 EHCIqh qh; 476 int state; 477 478 /* Verify the qh + qtd, like we do when going through fetchqh & fetchqtd */ 479 get_dwords(q->ehci, NLPTR_GET(q->qhaddr), 480 (uint32_t *) &qh, sizeof(EHCIqh) >> 2); 481 get_dwords(q->ehci, NLPTR_GET(q->qtdaddr), 482 (uint32_t *) &qtd, sizeof(EHCIqtd) >> 2); 483 if (!ehci_verify_qh(q, &qh) || !ehci_verify_qtd(p, &qtd)) { 484 p->async = EHCI_ASYNC_INITIALIZED; 485 ehci_free_packet(p); 486 return; 487 } 488 489 state = ehci_get_state(q->ehci, q->async); 490 ehci_state_executing(q); 491 ehci_state_writeback(q); /* Frees the packet! */ 492 if (!(q->qh.token & QTD_TOKEN_HALT)) { 493 ehci_state_advqueue(q); 494 } 495 ehci_set_state(q->ehci, q->async, state); 496 } 497 498 /* packet management */ 499 500 static EHCIPacket *ehci_alloc_packet(EHCIQueue *q) 501 { 502 EHCIPacket *p; 503 504 p = g_new0(EHCIPacket, 1); 505 p->queue = q; 506 usb_packet_init(&p->packet); 507 QTAILQ_INSERT_TAIL(&q->packets, p, next); 508 trace_usb_ehci_packet_action(p->queue, p, "alloc"); 509 return p; 510 } 511 512 static void ehci_free_packet(EHCIPacket *p) 513 { 514 if (p->async == EHCI_ASYNC_FINISHED && 515 !(p->queue->qh.token & QTD_TOKEN_HALT)) { 516 ehci_writeback_async_complete_packet(p); 517 return; 518 } 519 trace_usb_ehci_packet_action(p->queue, p, "free"); 520 if (p->async == EHCI_ASYNC_INFLIGHT) { 521 usb_cancel_packet(&p->packet); 522 } 523 if (p->async == EHCI_ASYNC_FINISHED && 524 p->packet.status == USB_RET_SUCCESS) { 525 fprintf(stderr, 526 "EHCI: Dropping completed packet from halted %s ep %02X\n", 527 (p->pid == USB_TOKEN_IN) ? "in" : "out", 528 get_field(p->queue->qh.epchar, QH_EPCHAR_EP)); 529 } 530 if (p->async != EHCI_ASYNC_NONE) { 531 usb_packet_unmap(&p->packet, &p->sgl); 532 qemu_sglist_destroy(&p->sgl); 533 } 534 QTAILQ_REMOVE(&p->queue->packets, p, next); 535 usb_packet_cleanup(&p->packet); 536 g_free(p); 537 } 538 539 /* queue management */ 540 541 static EHCIQueue *ehci_alloc_queue(EHCIState *ehci, uint32_t addr, int async) 542 { 543 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 544 EHCIQueue *q; 545 546 q = g_malloc0(sizeof(*q)); 547 q->ehci = ehci; 548 q->qhaddr = addr; 549 q->async = async; 550 QTAILQ_INIT(&q->packets); 551 QTAILQ_INSERT_HEAD(head, q, next); 552 trace_usb_ehci_queue_action(q, "alloc"); 553 return q; 554 } 555 556 static void ehci_queue_stopped(EHCIQueue *q) 557 { 558 int endp = get_field(q->qh.epchar, QH_EPCHAR_EP); 559 560 if (!q->last_pid || !q->dev) { 561 return; 562 } 563 564 usb_device_ep_stopped(q->dev, usb_ep_get(q->dev, q->last_pid, endp)); 565 } 566 567 static int ehci_cancel_queue(EHCIQueue *q) 568 { 569 EHCIPacket *p; 570 int packets = 0; 571 572 p = QTAILQ_FIRST(&q->packets); 573 if (p == NULL) { 574 goto leave; 575 } 576 577 trace_usb_ehci_queue_action(q, "cancel"); 578 do { 579 ehci_free_packet(p); 580 packets++; 581 } while ((p = QTAILQ_FIRST(&q->packets)) != NULL); 582 583 leave: 584 ehci_queue_stopped(q); 585 return packets; 586 } 587 588 static int ehci_reset_queue(EHCIQueue *q) 589 { 590 int packets; 591 592 trace_usb_ehci_queue_action(q, "reset"); 593 packets = ehci_cancel_queue(q); 594 q->dev = NULL; 595 q->qtdaddr = 0; 596 q->last_pid = 0; 597 return packets; 598 } 599 600 static void ehci_free_queue(EHCIQueue *q, const char *warn) 601 { 602 EHCIQueueHead *head = q->async ? &q->ehci->aqueues : &q->ehci->pqueues; 603 int cancelled; 604 605 trace_usb_ehci_queue_action(q, "free"); 606 cancelled = ehci_cancel_queue(q); 607 if (warn && cancelled > 0) { 608 ehci_trace_guest_bug(q->ehci, warn); 609 } 610 QTAILQ_REMOVE(head, q, next); 611 g_free(q); 612 } 613 614 static EHCIQueue *ehci_find_queue_by_qh(EHCIState *ehci, uint32_t addr, 615 int async) 616 { 617 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 618 EHCIQueue *q; 619 620 QTAILQ_FOREACH(q, head, next) { 621 if (addr == q->qhaddr) { 622 return q; 623 } 624 } 625 return NULL; 626 } 627 628 static void ehci_queues_rip_unused(EHCIState *ehci, int async) 629 { 630 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 631 const char *warn = async ? "guest unlinked busy QH" : NULL; 632 uint64_t maxage = FRAME_TIMER_NS * ehci->maxframes * 4; 633 EHCIQueue *q, *tmp; 634 635 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 636 if (q->seen) { 637 q->seen = 0; 638 q->ts = ehci->last_run_ns; 639 continue; 640 } 641 if (ehci->last_run_ns < q->ts + maxage) { 642 continue; 643 } 644 ehci_free_queue(q, warn); 645 } 646 } 647 648 static void ehci_queues_rip_unseen(EHCIState *ehci, int async) 649 { 650 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 651 EHCIQueue *q, *tmp; 652 653 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 654 if (!q->seen) { 655 ehci_free_queue(q, NULL); 656 } 657 } 658 } 659 660 static void ehci_queues_rip_device(EHCIState *ehci, USBDevice *dev, int async) 661 { 662 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 663 EHCIQueue *q, *tmp; 664 665 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 666 if (q->dev != dev) { 667 continue; 668 } 669 ehci_free_queue(q, NULL); 670 } 671 } 672 673 static void ehci_queues_rip_all(EHCIState *ehci, int async) 674 { 675 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 676 const char *warn = async ? "guest stopped busy async schedule" : NULL; 677 EHCIQueue *q, *tmp; 678 679 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 680 ehci_free_queue(q, warn); 681 } 682 } 683 684 /* Attach or detach a device on root hub */ 685 686 static void ehci_attach(USBPort *port) 687 { 688 EHCIState *s = port->opaque; 689 uint32_t *portsc = &s->portsc[port->index]; 690 const char *owner = (*portsc & PORTSC_POWNER) ? "comp" : "ehci"; 691 692 trace_usb_ehci_port_attach(port->index, owner, port->dev->product_desc); 693 694 if (*portsc & PORTSC_POWNER) { 695 USBPort *companion = s->companion_ports[port->index]; 696 companion->dev = port->dev; 697 companion->ops->attach(companion); 698 return; 699 } 700 701 *portsc |= PORTSC_CONNECT; 702 *portsc |= PORTSC_CSC; 703 704 ehci_raise_irq(s, USBSTS_PCD); 705 } 706 707 static void ehci_detach(USBPort *port) 708 { 709 EHCIState *s = port->opaque; 710 uint32_t *portsc = &s->portsc[port->index]; 711 const char *owner = (*portsc & PORTSC_POWNER) ? "comp" : "ehci"; 712 713 trace_usb_ehci_port_detach(port->index, owner); 714 715 if (*portsc & PORTSC_POWNER) { 716 USBPort *companion = s->companion_ports[port->index]; 717 companion->ops->detach(companion); 718 companion->dev = NULL; 719 /* 720 * EHCI spec 4.2.2: "When a disconnect occurs... On the event, 721 * the port ownership is returned immediately to the EHCI controller." 722 */ 723 *portsc &= ~PORTSC_POWNER; 724 return; 725 } 726 727 ehci_queues_rip_device(s, port->dev, 0); 728 ehci_queues_rip_device(s, port->dev, 1); 729 730 *portsc &= ~(PORTSC_CONNECT|PORTSC_PED|PORTSC_SUSPEND); 731 *portsc |= PORTSC_CSC; 732 733 ehci_raise_irq(s, USBSTS_PCD); 734 } 735 736 static void ehci_child_detach(USBPort *port, USBDevice *child) 737 { 738 EHCIState *s = port->opaque; 739 uint32_t portsc = s->portsc[port->index]; 740 741 if (portsc & PORTSC_POWNER) { 742 USBPort *companion = s->companion_ports[port->index]; 743 companion->ops->child_detach(companion, child); 744 return; 745 } 746 747 ehci_queues_rip_device(s, child, 0); 748 ehci_queues_rip_device(s, child, 1); 749 } 750 751 static void ehci_wakeup(USBPort *port) 752 { 753 EHCIState *s = port->opaque; 754 uint32_t *portsc = &s->portsc[port->index]; 755 756 if (*portsc & PORTSC_POWNER) { 757 USBPort *companion = s->companion_ports[port->index]; 758 if (companion->ops->wakeup) { 759 companion->ops->wakeup(companion); 760 } 761 return; 762 } 763 764 if (*portsc & PORTSC_SUSPEND) { 765 trace_usb_ehci_port_wakeup(port->index); 766 *portsc |= PORTSC_FPRES; 767 ehci_raise_irq(s, USBSTS_PCD); 768 } 769 770 qemu_bh_schedule(s->async_bh); 771 } 772 773 static void ehci_register_companion(USBBus *bus, USBPort *ports[], 774 uint32_t portcount, uint32_t firstport, 775 Error **errp) 776 { 777 EHCIState *s = container_of(bus, EHCIState, bus); 778 uint32_t i; 779 780 if (firstport + portcount > NB_PORTS) { 781 error_setg(errp, "firstport must be between 0 and %u", 782 NB_PORTS - portcount); 783 return; 784 } 785 786 for (i = 0; i < portcount; i++) { 787 if (s->companion_ports[firstport + i]) { 788 error_setg(errp, "firstport %u asks for ports %u-%u," 789 " but port %u has a companion assigned already", 790 firstport, firstport, firstport + portcount - 1, 791 firstport + i); 792 return; 793 } 794 } 795 796 for (i = 0; i < portcount; i++) { 797 s->companion_ports[firstport + i] = ports[i]; 798 s->ports[firstport + i].speedmask |= 799 USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL; 800 /* Ensure devs attached before the initial reset go to the companion */ 801 s->portsc[firstport + i] = PORTSC_POWNER; 802 } 803 804 s->companion_count++; 805 s->caps[0x05] = (s->companion_count << 4) | portcount; 806 } 807 808 static void ehci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep, 809 unsigned int stream) 810 { 811 EHCIState *s = container_of(bus, EHCIState, bus); 812 uint32_t portsc = s->portsc[ep->dev->port->index]; 813 814 if (portsc & PORTSC_POWNER) { 815 return; 816 } 817 818 s->periodic_sched_active = PERIODIC_ACTIVE; 819 qemu_bh_schedule(s->async_bh); 820 } 821 822 static USBDevice *ehci_find_device(EHCIState *ehci, uint8_t addr) 823 { 824 USBDevice *dev; 825 USBPort *port; 826 int i; 827 828 for (i = 0; i < NB_PORTS; i++) { 829 port = &ehci->ports[i]; 830 if (!(ehci->portsc[i] & PORTSC_PED)) { 831 DPRINTF("Port %d not enabled\n", i); 832 continue; 833 } 834 dev = usb_find_device(port, addr); 835 if (dev != NULL) { 836 return dev; 837 } 838 } 839 return NULL; 840 } 841 842 /* 4.1 host controller initialization */ 843 void ehci_reset(void *opaque) 844 { 845 EHCIState *s = opaque; 846 int i; 847 USBDevice *devs[NB_PORTS]; 848 849 trace_usb_ehci_reset(); 850 851 /* 852 * Do the detach before touching portsc, so that it correctly gets send to 853 * us or to our companion based on PORTSC_POWNER before the reset. 854 */ 855 for(i = 0; i < NB_PORTS; i++) { 856 devs[i] = s->ports[i].dev; 857 if (devs[i] && devs[i]->attached) { 858 usb_detach(&s->ports[i]); 859 } 860 } 861 862 memset(&s->opreg, 0x00, sizeof(s->opreg)); 863 memset(&s->portsc, 0x00, sizeof(s->portsc)); 864 865 s->usbcmd = NB_MAXINTRATE << USBCMD_ITC_SH; 866 s->usbsts = USBSTS_HALT; 867 s->usbsts_pending = 0; 868 s->usbsts_frindex = 0; 869 ehci_update_irq(s); 870 871 s->astate = EST_INACTIVE; 872 s->pstate = EST_INACTIVE; 873 874 for(i = 0; i < NB_PORTS; i++) { 875 if (s->companion_ports[i]) { 876 s->portsc[i] = PORTSC_POWNER | PORTSC_PPOWER; 877 } else { 878 s->portsc[i] = PORTSC_PPOWER; 879 } 880 if (devs[i] && devs[i]->attached) { 881 usb_attach(&s->ports[i]); 882 usb_device_reset(devs[i]); 883 } 884 } 885 ehci_queues_rip_all(s, 0); 886 ehci_queues_rip_all(s, 1); 887 timer_del(s->frame_timer); 888 qemu_bh_cancel(s->async_bh); 889 } 890 891 static uint64_t ehci_caps_read(void *ptr, hwaddr addr, 892 unsigned size) 893 { 894 EHCIState *s = ptr; 895 return s->caps[addr]; 896 } 897 898 static uint64_t ehci_opreg_read(void *ptr, hwaddr addr, 899 unsigned size) 900 { 901 EHCIState *s = ptr; 902 uint32_t val; 903 904 switch (addr) { 905 case FRINDEX: 906 /* Round down to mult of 8, else it can go backwards on migration */ 907 val = s->frindex & ~7; 908 break; 909 default: 910 val = s->opreg[addr >> 2]; 911 } 912 913 trace_usb_ehci_opreg_read(addr + s->opregbase, addr2str(addr), val); 914 return val; 915 } 916 917 static uint64_t ehci_port_read(void *ptr, hwaddr addr, 918 unsigned size) 919 { 920 EHCIState *s = ptr; 921 uint32_t val; 922 923 val = s->portsc[addr >> 2]; 924 trace_usb_ehci_portsc_read(addr + s->portscbase, addr >> 2, val); 925 return val; 926 } 927 928 static void handle_port_owner_write(EHCIState *s, int port, uint32_t owner) 929 { 930 USBDevice *dev = s->ports[port].dev; 931 uint32_t *portsc = &s->portsc[port]; 932 uint32_t orig; 933 934 if (s->companion_ports[port] == NULL) 935 return; 936 937 owner = owner & PORTSC_POWNER; 938 orig = *portsc & PORTSC_POWNER; 939 940 if (!(owner ^ orig)) { 941 return; 942 } 943 944 if (dev && dev->attached) { 945 usb_detach(&s->ports[port]); 946 } 947 948 *portsc &= ~PORTSC_POWNER; 949 *portsc |= owner; 950 951 if (dev && dev->attached) { 952 usb_attach(&s->ports[port]); 953 } 954 } 955 956 static void ehci_port_write(void *ptr, hwaddr addr, 957 uint64_t val, unsigned size) 958 { 959 EHCIState *s = ptr; 960 int port = addr >> 2; 961 uint32_t *portsc = &s->portsc[port]; 962 uint32_t old = *portsc; 963 USBDevice *dev = s->ports[port].dev; 964 965 trace_usb_ehci_portsc_write(addr + s->portscbase, addr >> 2, val); 966 967 /* Clear rwc bits */ 968 *portsc &= ~(val & PORTSC_RWC_MASK); 969 /* The guest may clear, but not set the PED bit */ 970 *portsc &= val | ~PORTSC_PED; 971 /* POWNER is masked out by RO_MASK as it is RO when we've no companion */ 972 handle_port_owner_write(s, port, val); 973 /* And finally apply RO_MASK */ 974 val &= PORTSC_RO_MASK; 975 976 if ((val & PORTSC_PRESET) && !(*portsc & PORTSC_PRESET)) { 977 trace_usb_ehci_port_reset(port, 1); 978 } 979 980 if (!(val & PORTSC_PRESET) &&(*portsc & PORTSC_PRESET)) { 981 trace_usb_ehci_port_reset(port, 0); 982 if (dev && dev->attached) { 983 usb_port_reset(&s->ports[port]); 984 *portsc &= ~PORTSC_CSC; 985 } 986 987 /* 988 * Table 2.16 Set the enable bit(and enable bit change) to indicate 989 * to SW that this port has a high speed device attached 990 */ 991 if (dev && dev->attached && (dev->speedmask & USB_SPEED_MASK_HIGH)) { 992 val |= PORTSC_PED; 993 } 994 } 995 996 if ((val & PORTSC_SUSPEND) && !(*portsc & PORTSC_SUSPEND)) { 997 trace_usb_ehci_port_suspend(port); 998 } 999 if (!(val & PORTSC_FPRES) && (*portsc & PORTSC_FPRES)) { 1000 trace_usb_ehci_port_resume(port); 1001 val &= ~PORTSC_SUSPEND; 1002 } 1003 1004 *portsc &= ~PORTSC_RO_MASK; 1005 *portsc |= val; 1006 trace_usb_ehci_portsc_change(addr + s->portscbase, addr >> 2, *portsc, old); 1007 } 1008 1009 static void ehci_opreg_write(void *ptr, hwaddr addr, 1010 uint64_t val, unsigned size) 1011 { 1012 EHCIState *s = ptr; 1013 uint32_t *mmio = s->opreg + (addr >> 2); 1014 uint32_t old = *mmio; 1015 int i; 1016 1017 trace_usb_ehci_opreg_write(addr + s->opregbase, addr2str(addr), val); 1018 1019 switch (addr) { 1020 case USBCMD: 1021 if (val & USBCMD_HCRESET) { 1022 ehci_reset(s); 1023 val = s->usbcmd; 1024 break; 1025 } 1026 1027 /* not supporting dynamic frame list size at the moment */ 1028 if ((val & USBCMD_FLS) && !(s->usbcmd & USBCMD_FLS)) { 1029 fprintf(stderr, "attempt to set frame list size -- value %d\n", 1030 (int)val & USBCMD_FLS); 1031 val &= ~USBCMD_FLS; 1032 } 1033 1034 if (val & USBCMD_IAAD) { 1035 /* 1036 * Process IAAD immediately, otherwise the Linux IAAD watchdog may 1037 * trigger and re-use a qh without us seeing the unlink. 1038 */ 1039 s->async_stepdown = 0; 1040 qemu_bh_schedule(s->async_bh); 1041 trace_usb_ehci_doorbell_ring(); 1042 } 1043 1044 if (((USBCMD_RUNSTOP | USBCMD_PSE | USBCMD_ASE) & val) != 1045 ((USBCMD_RUNSTOP | USBCMD_PSE | USBCMD_ASE) & s->usbcmd)) { 1046 if (s->pstate == EST_INACTIVE) { 1047 SET_LAST_RUN_CLOCK(s); 1048 } 1049 s->usbcmd = val; /* Set usbcmd for ehci_update_halt() */ 1050 ehci_update_halt(s); 1051 s->async_stepdown = 0; 1052 qemu_bh_schedule(s->async_bh); 1053 } 1054 break; 1055 1056 case USBSTS: 1057 val &= USBSTS_RO_MASK; // bits 6 through 31 are RO 1058 ehci_clear_usbsts(s, val); // bits 0 through 5 are R/WC 1059 val = s->usbsts; 1060 ehci_update_irq(s); 1061 break; 1062 1063 case USBINTR: 1064 val &= USBINTR_MASK; 1065 if (ehci_enabled(s) && (USBSTS_FLR & val)) { 1066 qemu_bh_schedule(s->async_bh); 1067 } 1068 break; 1069 1070 case FRINDEX: 1071 val &= 0x00003fff; /* frindex is 14bits */ 1072 s->usbsts_frindex = val; 1073 break; 1074 1075 case CONFIGFLAG: 1076 val &= 0x1; 1077 if (val) { 1078 for(i = 0; i < NB_PORTS; i++) 1079 handle_port_owner_write(s, i, 0); 1080 } 1081 break; 1082 1083 case PERIODICLISTBASE: 1084 if (ehci_periodic_enabled(s)) { 1085 fprintf(stderr, 1086 "ehci: PERIODIC list base register set while periodic schedule\n" 1087 " is enabled and HC is enabled\n"); 1088 } 1089 break; 1090 1091 case ASYNCLISTADDR: 1092 if (ehci_async_enabled(s)) { 1093 fprintf(stderr, 1094 "ehci: ASYNC list address register set while async schedule\n" 1095 " is enabled and HC is enabled\n"); 1096 } 1097 break; 1098 } 1099 1100 *mmio = val; 1101 trace_usb_ehci_opreg_change(addr + s->opregbase, addr2str(addr), 1102 *mmio, old); 1103 } 1104 1105 /* 1106 * Write the qh back to guest physical memory. This step isn't 1107 * in the EHCI spec but we need to do it since we don't share 1108 * physical memory with our guest VM. 1109 * 1110 * The first three dwords are read-only for the EHCI, so skip them 1111 * when writing back the qh. 1112 */ 1113 static void ehci_flush_qh(EHCIQueue *q) 1114 { 1115 uint32_t *qh = (uint32_t *) &q->qh; 1116 uint32_t dwords = sizeof(EHCIqh) >> 2; 1117 uint32_t addr = NLPTR_GET(q->qhaddr); 1118 1119 put_dwords(q->ehci, addr + 3 * sizeof(uint32_t), qh + 3, dwords - 3); 1120 } 1121 1122 // 4.10.2 1123 1124 static int ehci_qh_do_overlay(EHCIQueue *q) 1125 { 1126 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1127 int i; 1128 int dtoggle; 1129 int ping; 1130 int eps; 1131 int reload; 1132 1133 assert(p != NULL); 1134 assert(p->qtdaddr == q->qtdaddr); 1135 1136 // remember values in fields to preserve in qh after overlay 1137 1138 dtoggle = q->qh.token & QTD_TOKEN_DTOGGLE; 1139 ping = q->qh.token & QTD_TOKEN_PING; 1140 1141 q->qh.current_qtd = p->qtdaddr; 1142 q->qh.next_qtd = p->qtd.next; 1143 q->qh.altnext_qtd = p->qtd.altnext; 1144 q->qh.token = p->qtd.token; 1145 1146 1147 eps = get_field(q->qh.epchar, QH_EPCHAR_EPS); 1148 if (eps == EHCI_QH_EPS_HIGH) { 1149 q->qh.token &= ~QTD_TOKEN_PING; 1150 q->qh.token |= ping; 1151 } 1152 1153 reload = get_field(q->qh.epchar, QH_EPCHAR_RL); 1154 set_field(&q->qh.altnext_qtd, reload, QH_ALTNEXT_NAKCNT); 1155 1156 for (i = 0; i < 5; i++) { 1157 q->qh.bufptr[i] = p->qtd.bufptr[i]; 1158 } 1159 1160 if (!(q->qh.epchar & QH_EPCHAR_DTC)) { 1161 // preserve QH DT bit 1162 q->qh.token &= ~QTD_TOKEN_DTOGGLE; 1163 q->qh.token |= dtoggle; 1164 } 1165 1166 q->qh.bufptr[1] &= ~BUFPTR_CPROGMASK_MASK; 1167 q->qh.bufptr[2] &= ~BUFPTR_FRAMETAG_MASK; 1168 1169 ehci_flush_qh(q); 1170 1171 return 0; 1172 } 1173 1174 static int ehci_init_transfer(EHCIPacket *p) 1175 { 1176 uint32_t cpage, offset, bytes, plen; 1177 dma_addr_t page; 1178 1179 cpage = get_field(p->qtd.token, QTD_TOKEN_CPAGE); 1180 bytes = get_field(p->qtd.token, QTD_TOKEN_TBYTES); 1181 offset = p->qtd.bufptr[0] & ~QTD_BUFPTR_MASK; 1182 qemu_sglist_init(&p->sgl, p->queue->ehci->device, 5, p->queue->ehci->as); 1183 1184 while (bytes > 0) { 1185 if (cpage > 4) { 1186 fprintf(stderr, "cpage out of range (%d)\n", cpage); 1187 return -1; 1188 } 1189 1190 page = p->qtd.bufptr[cpage] & QTD_BUFPTR_MASK; 1191 page += offset; 1192 plen = bytes; 1193 if (plen > 4096 - offset) { 1194 plen = 4096 - offset; 1195 offset = 0; 1196 cpage++; 1197 } 1198 1199 qemu_sglist_add(&p->sgl, page, plen); 1200 bytes -= plen; 1201 } 1202 return 0; 1203 } 1204 1205 static void ehci_finish_transfer(EHCIQueue *q, int len) 1206 { 1207 uint32_t cpage, offset; 1208 1209 if (len > 0) { 1210 /* update cpage & offset */ 1211 cpage = get_field(q->qh.token, QTD_TOKEN_CPAGE); 1212 offset = q->qh.bufptr[0] & ~QTD_BUFPTR_MASK; 1213 1214 offset += len; 1215 cpage += offset >> QTD_BUFPTR_SH; 1216 offset &= ~QTD_BUFPTR_MASK; 1217 1218 set_field(&q->qh.token, cpage, QTD_TOKEN_CPAGE); 1219 q->qh.bufptr[0] &= QTD_BUFPTR_MASK; 1220 q->qh.bufptr[0] |= offset; 1221 } 1222 } 1223 1224 static void ehci_async_complete_packet(USBPort *port, USBPacket *packet) 1225 { 1226 EHCIPacket *p; 1227 EHCIState *s = port->opaque; 1228 uint32_t portsc = s->portsc[port->index]; 1229 1230 if (portsc & PORTSC_POWNER) { 1231 USBPort *companion = s->companion_ports[port->index]; 1232 companion->ops->complete(companion, packet); 1233 return; 1234 } 1235 1236 p = container_of(packet, EHCIPacket, packet); 1237 assert(p->async == EHCI_ASYNC_INFLIGHT); 1238 1239 if (packet->status == USB_RET_REMOVE_FROM_QUEUE) { 1240 trace_usb_ehci_packet_action(p->queue, p, "remove"); 1241 ehci_free_packet(p); 1242 return; 1243 } 1244 1245 trace_usb_ehci_packet_action(p->queue, p, "wakeup"); 1246 p->async = EHCI_ASYNC_FINISHED; 1247 1248 if (!p->queue->async) { 1249 s->periodic_sched_active = PERIODIC_ACTIVE; 1250 } 1251 qemu_bh_schedule(s->async_bh); 1252 } 1253 1254 static void ehci_execute_complete(EHCIQueue *q) 1255 { 1256 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1257 uint32_t tbytes; 1258 1259 assert(p != NULL); 1260 assert(p->qtdaddr == q->qtdaddr); 1261 assert(p->async == EHCI_ASYNC_INITIALIZED || 1262 p->async == EHCI_ASYNC_FINISHED); 1263 1264 DPRINTF("execute_complete: qhaddr 0x%x, next 0x%x, qtdaddr 0x%x, " 1265 "status %d, actual_length %d\n", 1266 q->qhaddr, q->qh.next, q->qtdaddr, 1267 p->packet.status, p->packet.actual_length); 1268 1269 switch (p->packet.status) { 1270 case USB_RET_SUCCESS: 1271 break; 1272 case USB_RET_IOERROR: 1273 case USB_RET_NODEV: 1274 q->qh.token |= (QTD_TOKEN_HALT | QTD_TOKEN_XACTERR); 1275 set_field(&q->qh.token, 0, QTD_TOKEN_CERR); 1276 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1277 break; 1278 case USB_RET_STALL: 1279 q->qh.token |= QTD_TOKEN_HALT; 1280 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1281 break; 1282 case USB_RET_NAK: 1283 set_field(&q->qh.altnext_qtd, 0, QH_ALTNEXT_NAKCNT); 1284 return; /* We're not done yet with this transaction */ 1285 case USB_RET_BABBLE: 1286 q->qh.token |= (QTD_TOKEN_HALT | QTD_TOKEN_BABBLE); 1287 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1288 break; 1289 default: 1290 /* should not be triggerable */ 1291 fprintf(stderr, "USB invalid response %d\n", p->packet.status); 1292 g_assert_not_reached(); 1293 break; 1294 } 1295 1296 /* TODO check 4.12 for splits */ 1297 tbytes = get_field(q->qh.token, QTD_TOKEN_TBYTES); 1298 if (tbytes && p->pid == USB_TOKEN_IN) { 1299 tbytes -= p->packet.actual_length; 1300 if (tbytes) { 1301 /* 4.15.1.2 must raise int on a short input packet */ 1302 ehci_raise_irq(q->ehci, USBSTS_INT); 1303 if (q->async) { 1304 q->ehci->int_req_by_async = true; 1305 } 1306 } 1307 } else { 1308 tbytes = 0; 1309 } 1310 DPRINTF("updating tbytes to %d\n", tbytes); 1311 set_field(&q->qh.token, tbytes, QTD_TOKEN_TBYTES); 1312 1313 ehci_finish_transfer(q, p->packet.actual_length); 1314 usb_packet_unmap(&p->packet, &p->sgl); 1315 qemu_sglist_destroy(&p->sgl); 1316 p->async = EHCI_ASYNC_NONE; 1317 1318 q->qh.token ^= QTD_TOKEN_DTOGGLE; 1319 q->qh.token &= ~QTD_TOKEN_ACTIVE; 1320 1321 if (q->qh.token & QTD_TOKEN_IOC) { 1322 ehci_raise_irq(q->ehci, USBSTS_INT); 1323 if (q->async) { 1324 q->ehci->int_req_by_async = true; 1325 } 1326 } 1327 } 1328 1329 /* 4.10.3 returns "again" */ 1330 static int ehci_execute(EHCIPacket *p, const char *action) 1331 { 1332 USBEndpoint *ep; 1333 int endp; 1334 bool spd; 1335 1336 assert(p->async == EHCI_ASYNC_NONE || 1337 p->async == EHCI_ASYNC_INITIALIZED); 1338 1339 if (!(p->qtd.token & QTD_TOKEN_ACTIVE)) { 1340 fprintf(stderr, "Attempting to execute inactive qtd\n"); 1341 return -1; 1342 } 1343 1344 if (get_field(p->qtd.token, QTD_TOKEN_TBYTES) > BUFF_SIZE) { 1345 ehci_trace_guest_bug(p->queue->ehci, 1346 "guest requested more bytes than allowed"); 1347 return -1; 1348 } 1349 1350 if (!ehci_verify_pid(p->queue, &p->qtd)) { 1351 ehci_queue_stopped(p->queue); /* Mark the ep in the prev dir stopped */ 1352 } 1353 p->pid = ehci_get_pid(&p->qtd); 1354 p->queue->last_pid = p->pid; 1355 endp = get_field(p->queue->qh.epchar, QH_EPCHAR_EP); 1356 ep = usb_ep_get(p->queue->dev, p->pid, endp); 1357 1358 if (p->async == EHCI_ASYNC_NONE) { 1359 if (ehci_init_transfer(p) != 0) { 1360 return -1; 1361 } 1362 1363 spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0); 1364 usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd, 1365 (p->qtd.token & QTD_TOKEN_IOC) != 0); 1366 usb_packet_map(&p->packet, &p->sgl); 1367 p->async = EHCI_ASYNC_INITIALIZED; 1368 } 1369 1370 trace_usb_ehci_packet_action(p->queue, p, action); 1371 usb_handle_packet(p->queue->dev, &p->packet); 1372 DPRINTF("submit: qh 0x%x next 0x%x qtd 0x%x pid 0x%x len %zd endp 0x%x " 1373 "status %d actual_length %d\n", p->queue->qhaddr, p->qtd.next, 1374 p->qtdaddr, p->pid, p->packet.iov.size, endp, p->packet.status, 1375 p->packet.actual_length); 1376 1377 if (p->packet.actual_length > BUFF_SIZE) { 1378 fprintf(stderr, "ret from usb_handle_packet > BUFF_SIZE\n"); 1379 return -1; 1380 } 1381 1382 return 1; 1383 } 1384 1385 /* 4.7.2 1386 */ 1387 1388 static int ehci_process_itd(EHCIState *ehci, 1389 EHCIitd *itd, 1390 uint32_t addr) 1391 { 1392 USBDevice *dev; 1393 USBEndpoint *ep; 1394 uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; 1395 uint32_t pg, off, ptr1, ptr2, max, mult; 1396 1397 ehci->periodic_sched_active = PERIODIC_ACTIVE; 1398 1399 dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION); 1400 devaddr = get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR); 1401 endp = get_field(itd->bufptr[0], ITD_BUFPTR_EP); 1402 max = get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT); 1403 mult = get_field(itd->bufptr[2], ITD_BUFPTR_MULT); 1404 1405 for(i = 0; i < 8; i++) { 1406 if (itd->transact[i] & ITD_XACT_ACTIVE) { 1407 pg = get_field(itd->transact[i], ITD_XACT_PGSEL); 1408 off = itd->transact[i] & ITD_XACT_OFFSET_MASK; 1409 len = get_field(itd->transact[i], ITD_XACT_LENGTH); 1410 1411 if (len > max * mult) { 1412 len = max * mult; 1413 } 1414 if (len > BUFF_SIZE || pg > 6) { 1415 return -1; 1416 } 1417 1418 ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); 1419 qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); 1420 if (off + len > 4096) { 1421 /* transfer crosses page border */ 1422 if (pg == 6) { 1423 return -1; /* avoid page pg + 1 */ 1424 } 1425 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); 1426 uint32_t len2 = off + len - 4096; 1427 uint32_t len1 = len - len2; 1428 qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); 1429 qemu_sglist_add(&ehci->isgl, ptr2, len2); 1430 } else { 1431 qemu_sglist_add(&ehci->isgl, ptr1 + off, len); 1432 } 1433 1434 pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT; 1435 1436 dev = ehci_find_device(ehci, devaddr); 1437 ep = usb_ep_get(dev, pid, endp); 1438 if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { 1439 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, 1440 (itd->transact[i] & ITD_XACT_IOC) != 0); 1441 usb_packet_map(&ehci->ipacket, &ehci->isgl); 1442 usb_handle_packet(dev, &ehci->ipacket); 1443 usb_packet_unmap(&ehci->ipacket, &ehci->isgl); 1444 } else { 1445 DPRINTF("ISOCH: attempt to addess non-iso endpoint\n"); 1446 ehci->ipacket.status = USB_RET_NAK; 1447 ehci->ipacket.actual_length = 0; 1448 } 1449 qemu_sglist_destroy(&ehci->isgl); 1450 1451 switch (ehci->ipacket.status) { 1452 case USB_RET_SUCCESS: 1453 break; 1454 default: 1455 fprintf(stderr, "Unexpected iso usb result: %d\n", 1456 ehci->ipacket.status); 1457 /* Fall through */ 1458 case USB_RET_IOERROR: 1459 case USB_RET_NODEV: 1460 /* 3.3.2: XACTERR is only allowed on IN transactions */ 1461 if (dir) { 1462 itd->transact[i] |= ITD_XACT_XACTERR; 1463 ehci_raise_irq(ehci, USBSTS_ERRINT); 1464 } 1465 break; 1466 case USB_RET_BABBLE: 1467 itd->transact[i] |= ITD_XACT_BABBLE; 1468 ehci_raise_irq(ehci, USBSTS_ERRINT); 1469 break; 1470 case USB_RET_NAK: 1471 /* no data for us, so do a zero-length transfer */ 1472 ehci->ipacket.actual_length = 0; 1473 break; 1474 } 1475 if (!dir) { 1476 set_field(&itd->transact[i], len - ehci->ipacket.actual_length, 1477 ITD_XACT_LENGTH); /* OUT */ 1478 } else { 1479 set_field(&itd->transact[i], ehci->ipacket.actual_length, 1480 ITD_XACT_LENGTH); /* IN */ 1481 } 1482 if (itd->transact[i] & ITD_XACT_IOC) { 1483 ehci_raise_irq(ehci, USBSTS_INT); 1484 } 1485 itd->transact[i] &= ~ITD_XACT_ACTIVE; 1486 xfers++; 1487 } 1488 } 1489 return xfers ? 0 : -1; 1490 } 1491 1492 1493 /* This state is the entry point for asynchronous schedule 1494 * processing. Entry here consitutes a EHCI start event state (4.8.5) 1495 */ 1496 static int ehci_state_waitlisthead(EHCIState *ehci, int async) 1497 { 1498 EHCIqh qh; 1499 int i = 0; 1500 int again = 0; 1501 uint32_t entry = ehci->asynclistaddr; 1502 1503 /* set reclamation flag at start event (4.8.6) */ 1504 if (async) { 1505 ehci_set_usbsts(ehci, USBSTS_REC); 1506 } 1507 1508 ehci_queues_rip_unused(ehci, async); 1509 1510 /* Find the head of the list (4.9.1.1) */ 1511 for(i = 0; i < MAX_QH; i++) { 1512 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &qh, 1513 sizeof(EHCIqh) >> 2) < 0) { 1514 return 0; 1515 } 1516 ehci_trace_qh(NULL, NLPTR_GET(entry), &qh); 1517 1518 if (qh.epchar & QH_EPCHAR_H) { 1519 if (async) { 1520 entry |= (NLPTR_TYPE_QH << 1); 1521 } 1522 1523 ehci_set_fetch_addr(ehci, async, entry); 1524 ehci_set_state(ehci, async, EST_FETCHENTRY); 1525 again = 1; 1526 goto out; 1527 } 1528 1529 entry = qh.next; 1530 if (entry == ehci->asynclistaddr) { 1531 break; 1532 } 1533 } 1534 1535 /* no head found for list. */ 1536 1537 ehci_set_state(ehci, async, EST_ACTIVE); 1538 1539 out: 1540 return again; 1541 } 1542 1543 1544 /* This state is the entry point for periodic schedule processing as 1545 * well as being a continuation state for async processing. 1546 */ 1547 static int ehci_state_fetchentry(EHCIState *ehci, int async) 1548 { 1549 int again = 0; 1550 uint32_t entry = ehci_get_fetch_addr(ehci, async); 1551 1552 if (NLPTR_TBIT(entry)) { 1553 ehci_set_state(ehci, async, EST_ACTIVE); 1554 goto out; 1555 } 1556 1557 /* section 4.8, only QH in async schedule */ 1558 if (async && (NLPTR_TYPE_GET(entry) != NLPTR_TYPE_QH)) { 1559 fprintf(stderr, "non queue head request in async schedule\n"); 1560 return -1; 1561 } 1562 1563 switch (NLPTR_TYPE_GET(entry)) { 1564 case NLPTR_TYPE_QH: 1565 ehci_set_state(ehci, async, EST_FETCHQH); 1566 again = 1; 1567 break; 1568 1569 case NLPTR_TYPE_ITD: 1570 ehci_set_state(ehci, async, EST_FETCHITD); 1571 again = 1; 1572 break; 1573 1574 case NLPTR_TYPE_STITD: 1575 ehci_set_state(ehci, async, EST_FETCHSITD); 1576 again = 1; 1577 break; 1578 1579 default: 1580 /* TODO: handle FSTN type */ 1581 fprintf(stderr, "FETCHENTRY: entry at %X is of type %d " 1582 "which is not supported yet\n", entry, NLPTR_TYPE_GET(entry)); 1583 return -1; 1584 } 1585 1586 out: 1587 return again; 1588 } 1589 1590 static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async) 1591 { 1592 uint32_t entry; 1593 EHCIQueue *q; 1594 EHCIqh qh; 1595 1596 entry = ehci_get_fetch_addr(ehci, async); 1597 q = ehci_find_queue_by_qh(ehci, entry, async); 1598 if (q == NULL) { 1599 q = ehci_alloc_queue(ehci, entry, async); 1600 } 1601 1602 q->seen++; 1603 if (q->seen > 1) { 1604 /* we are going in circles -- stop processing */ 1605 ehci_set_state(ehci, async, EST_ACTIVE); 1606 q = NULL; 1607 goto out; 1608 } 1609 1610 if (get_dwords(ehci, NLPTR_GET(q->qhaddr), 1611 (uint32_t *) &qh, sizeof(EHCIqh) >> 2) < 0) { 1612 q = NULL; 1613 goto out; 1614 } 1615 ehci_trace_qh(q, NLPTR_GET(q->qhaddr), &qh); 1616 1617 /* 1618 * The overlay area of the qh should never be changed by the guest, 1619 * except when idle, in which case the reset is a nop. 1620 */ 1621 if (!ehci_verify_qh(q, &qh)) { 1622 if (ehci_reset_queue(q) > 0) { 1623 ehci_trace_guest_bug(ehci, "guest updated active QH"); 1624 } 1625 } 1626 q->qh = qh; 1627 1628 q->transact_ctr = get_field(q->qh.epcap, QH_EPCAP_MULT); 1629 if (q->transact_ctr == 0) { /* Guest bug in some versions of windows */ 1630 q->transact_ctr = 4; 1631 } 1632 1633 if (q->dev == NULL) { 1634 q->dev = ehci_find_device(q->ehci, 1635 get_field(q->qh.epchar, QH_EPCHAR_DEVADDR)); 1636 } 1637 1638 if (async && (q->qh.epchar & QH_EPCHAR_H)) { 1639 1640 /* EHCI spec version 1.0 Section 4.8.3 & 4.10.1 */ 1641 if (ehci->usbsts & USBSTS_REC) { 1642 ehci_clear_usbsts(ehci, USBSTS_REC); 1643 } else { 1644 DPRINTF("FETCHQH: QH 0x%08x. H-bit set, reclamation status reset" 1645 " - done processing\n", q->qhaddr); 1646 ehci_set_state(ehci, async, EST_ACTIVE); 1647 q = NULL; 1648 goto out; 1649 } 1650 } 1651 1652 #if EHCI_DEBUG 1653 if (q->qhaddr != q->qh.next) { 1654 DPRINTF("FETCHQH: QH 0x%08x (h %x halt %x active %x) next 0x%08x\n", 1655 q->qhaddr, 1656 q->qh.epchar & QH_EPCHAR_H, 1657 q->qh.token & QTD_TOKEN_HALT, 1658 q->qh.token & QTD_TOKEN_ACTIVE, 1659 q->qh.next); 1660 } 1661 #endif 1662 1663 if (q->qh.token & QTD_TOKEN_HALT) { 1664 ehci_set_state(ehci, async, EST_HORIZONTALQH); 1665 1666 } else if ((q->qh.token & QTD_TOKEN_ACTIVE) && 1667 (NLPTR_TBIT(q->qh.current_qtd) == 0)) { 1668 q->qtdaddr = q->qh.current_qtd; 1669 ehci_set_state(ehci, async, EST_FETCHQTD); 1670 1671 } else { 1672 /* EHCI spec version 1.0 Section 4.10.2 */ 1673 ehci_set_state(ehci, async, EST_ADVANCEQUEUE); 1674 } 1675 1676 out: 1677 return q; 1678 } 1679 1680 static int ehci_state_fetchitd(EHCIState *ehci, int async) 1681 { 1682 uint32_t entry; 1683 EHCIitd itd; 1684 1685 assert(!async); 1686 entry = ehci_get_fetch_addr(ehci, async); 1687 1688 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &itd, 1689 sizeof(EHCIitd) >> 2) < 0) { 1690 return -1; 1691 } 1692 ehci_trace_itd(ehci, entry, &itd); 1693 1694 if (ehci_process_itd(ehci, &itd, entry) != 0) { 1695 return -1; 1696 } 1697 1698 put_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &itd, 1699 sizeof(EHCIitd) >> 2); 1700 ehci_set_fetch_addr(ehci, async, itd.next); 1701 ehci_set_state(ehci, async, EST_FETCHENTRY); 1702 1703 return 1; 1704 } 1705 1706 static int ehci_state_fetchsitd(EHCIState *ehci, int async) 1707 { 1708 uint32_t entry; 1709 EHCIsitd sitd; 1710 1711 assert(!async); 1712 entry = ehci_get_fetch_addr(ehci, async); 1713 1714 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *)&sitd, 1715 sizeof(EHCIsitd) >> 2) < 0) { 1716 return 0; 1717 } 1718 ehci_trace_sitd(ehci, entry, &sitd); 1719 1720 if (!(sitd.results & SITD_RESULTS_ACTIVE)) { 1721 /* siTD is not active, nothing to do */; 1722 } else { 1723 /* TODO: split transfers are not implemented */ 1724 fprintf(stderr, "WARNING: Skipping active siTD\n"); 1725 } 1726 1727 ehci_set_fetch_addr(ehci, async, sitd.next); 1728 ehci_set_state(ehci, async, EST_FETCHENTRY); 1729 return 1; 1730 } 1731 1732 /* Section 4.10.2 - paragraph 3 */ 1733 static int ehci_state_advqueue(EHCIQueue *q) 1734 { 1735 #if 0 1736 /* TO-DO: 4.10.2 - paragraph 2 1737 * if I-bit is set to 1 and QH is not active 1738 * go to horizontal QH 1739 */ 1740 if (I-bit set) { 1741 ehci_set_state(ehci, async, EST_HORIZONTALQH); 1742 goto out; 1743 } 1744 #endif 1745 1746 /* 1747 * want data and alt-next qTD is valid 1748 */ 1749 if (((q->qh.token & QTD_TOKEN_TBYTES_MASK) != 0) && 1750 (NLPTR_TBIT(q->qh.altnext_qtd) == 0)) { 1751 q->qtdaddr = q->qh.altnext_qtd; 1752 ehci_set_state(q->ehci, q->async, EST_FETCHQTD); 1753 1754 /* 1755 * next qTD is valid 1756 */ 1757 } else if (NLPTR_TBIT(q->qh.next_qtd) == 0) { 1758 q->qtdaddr = q->qh.next_qtd; 1759 ehci_set_state(q->ehci, q->async, EST_FETCHQTD); 1760 1761 /* 1762 * no valid qTD, try next QH 1763 */ 1764 } else { 1765 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1766 } 1767 1768 return 1; 1769 } 1770 1771 /* Section 4.10.2 - paragraph 4 */ 1772 static int ehci_state_fetchqtd(EHCIQueue *q) 1773 { 1774 EHCIqtd qtd; 1775 EHCIPacket *p; 1776 int again = 1; 1777 1778 if (get_dwords(q->ehci, NLPTR_GET(q->qtdaddr), (uint32_t *) &qtd, 1779 sizeof(EHCIqtd) >> 2) < 0) { 1780 return 0; 1781 } 1782 ehci_trace_qtd(q, NLPTR_GET(q->qtdaddr), &qtd); 1783 1784 p = QTAILQ_FIRST(&q->packets); 1785 if (p != NULL) { 1786 if (!ehci_verify_qtd(p, &qtd)) { 1787 ehci_cancel_queue(q); 1788 if (qtd.token & QTD_TOKEN_ACTIVE) { 1789 ehci_trace_guest_bug(q->ehci, "guest updated active qTD"); 1790 } 1791 p = NULL; 1792 } else { 1793 p->qtd = qtd; 1794 ehci_qh_do_overlay(q); 1795 } 1796 } 1797 1798 if (!(qtd.token & QTD_TOKEN_ACTIVE)) { 1799 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1800 } else if (p != NULL) { 1801 switch (p->async) { 1802 case EHCI_ASYNC_NONE: 1803 case EHCI_ASYNC_INITIALIZED: 1804 /* Not yet executed (MULT), or previously nacked (int) packet */ 1805 ehci_set_state(q->ehci, q->async, EST_EXECUTE); 1806 break; 1807 case EHCI_ASYNC_INFLIGHT: 1808 /* Check if the guest has added new tds to the queue */ 1809 again = ehci_fill_queue(QTAILQ_LAST(&q->packets, pkts_head)); 1810 /* Unfinished async handled packet, go horizontal */ 1811 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1812 break; 1813 case EHCI_ASYNC_FINISHED: 1814 /* Complete executing of the packet */ 1815 ehci_set_state(q->ehci, q->async, EST_EXECUTING); 1816 break; 1817 } 1818 } else { 1819 p = ehci_alloc_packet(q); 1820 p->qtdaddr = q->qtdaddr; 1821 p->qtd = qtd; 1822 ehci_set_state(q->ehci, q->async, EST_EXECUTE); 1823 } 1824 1825 return again; 1826 } 1827 1828 static int ehci_state_horizqh(EHCIQueue *q) 1829 { 1830 int again = 0; 1831 1832 if (ehci_get_fetch_addr(q->ehci, q->async) != q->qh.next) { 1833 ehci_set_fetch_addr(q->ehci, q->async, q->qh.next); 1834 ehci_set_state(q->ehci, q->async, EST_FETCHENTRY); 1835 again = 1; 1836 } else { 1837 ehci_set_state(q->ehci, q->async, EST_ACTIVE); 1838 } 1839 1840 return again; 1841 } 1842 1843 /* Returns "again" */ 1844 static int ehci_fill_queue(EHCIPacket *p) 1845 { 1846 USBEndpoint *ep = p->packet.ep; 1847 EHCIQueue *q = p->queue; 1848 EHCIqtd qtd = p->qtd; 1849 uint32_t qtdaddr; 1850 1851 for (;;) { 1852 if (NLPTR_TBIT(qtd.next) != 0) { 1853 break; 1854 } 1855 qtdaddr = qtd.next; 1856 /* 1857 * Detect circular td lists, Windows creates these, counting on the 1858 * active bit going low after execution to make the queue stop. 1859 */ 1860 QTAILQ_FOREACH(p, &q->packets, next) { 1861 if (p->qtdaddr == qtdaddr) { 1862 goto leave; 1863 } 1864 } 1865 if (get_dwords(q->ehci, NLPTR_GET(qtdaddr), 1866 (uint32_t *) &qtd, sizeof(EHCIqtd) >> 2) < 0) { 1867 return -1; 1868 } 1869 ehci_trace_qtd(q, NLPTR_GET(qtdaddr), &qtd); 1870 if (!(qtd.token & QTD_TOKEN_ACTIVE)) { 1871 break; 1872 } 1873 if (!ehci_verify_pid(q, &qtd)) { 1874 ehci_trace_guest_bug(q->ehci, "guest queued token with wrong pid"); 1875 break; 1876 } 1877 p = ehci_alloc_packet(q); 1878 p->qtdaddr = qtdaddr; 1879 p->qtd = qtd; 1880 if (ehci_execute(p, "queue") == -1) { 1881 return -1; 1882 } 1883 assert(p->packet.status == USB_RET_ASYNC); 1884 p->async = EHCI_ASYNC_INFLIGHT; 1885 } 1886 leave: 1887 usb_device_flush_ep_queue(ep->dev, ep); 1888 return 1; 1889 } 1890 1891 static int ehci_state_execute(EHCIQueue *q) 1892 { 1893 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1894 int again = 0; 1895 1896 assert(p != NULL); 1897 assert(p->qtdaddr == q->qtdaddr); 1898 1899 if (ehci_qh_do_overlay(q) != 0) { 1900 return -1; 1901 } 1902 1903 // TODO verify enough time remains in the uframe as in 4.4.1.1 1904 // TODO write back ptr to async list when done or out of time 1905 1906 /* 4.10.3, bottom of page 82, go horizontal on transaction counter == 0 */ 1907 if (!q->async && q->transact_ctr == 0) { 1908 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1909 again = 1; 1910 goto out; 1911 } 1912 1913 if (q->async) { 1914 ehci_set_usbsts(q->ehci, USBSTS_REC); 1915 } 1916 1917 again = ehci_execute(p, "process"); 1918 if (again == -1) { 1919 goto out; 1920 } 1921 if (p->packet.status == USB_RET_ASYNC) { 1922 ehci_flush_qh(q); 1923 trace_usb_ehci_packet_action(p->queue, p, "async"); 1924 p->async = EHCI_ASYNC_INFLIGHT; 1925 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1926 if (q->async) { 1927 again = ehci_fill_queue(p); 1928 } else { 1929 again = 1; 1930 } 1931 goto out; 1932 } 1933 1934 ehci_set_state(q->ehci, q->async, EST_EXECUTING); 1935 again = 1; 1936 1937 out: 1938 return again; 1939 } 1940 1941 static int ehci_state_executing(EHCIQueue *q) 1942 { 1943 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1944 1945 assert(p != NULL); 1946 assert(p->qtdaddr == q->qtdaddr); 1947 1948 ehci_execute_complete(q); 1949 1950 /* 4.10.3 */ 1951 if (!q->async && q->transact_ctr > 0) { 1952 q->transact_ctr--; 1953 } 1954 1955 /* 4.10.5 */ 1956 if (p->packet.status == USB_RET_NAK) { 1957 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1958 } else { 1959 ehci_set_state(q->ehci, q->async, EST_WRITEBACK); 1960 } 1961 1962 ehci_flush_qh(q); 1963 return 1; 1964 } 1965 1966 1967 static int ehci_state_writeback(EHCIQueue *q) 1968 { 1969 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1970 uint32_t *qtd, addr; 1971 int again = 0; 1972 1973 /* Write back the QTD from the QH area */ 1974 assert(p != NULL); 1975 assert(p->qtdaddr == q->qtdaddr); 1976 1977 ehci_trace_qtd(q, NLPTR_GET(p->qtdaddr), (EHCIqtd *) &q->qh.next_qtd); 1978 qtd = (uint32_t *) &q->qh.next_qtd; 1979 addr = NLPTR_GET(p->qtdaddr); 1980 put_dwords(q->ehci, addr + 2 * sizeof(uint32_t), qtd + 2, 2); 1981 ehci_free_packet(p); 1982 1983 /* 1984 * EHCI specs say go horizontal here. 1985 * 1986 * We can also advance the queue here for performance reasons. We 1987 * need to take care to only take that shortcut in case we've 1988 * processed the qtd just written back without errors, i.e. halt 1989 * bit is clear. 1990 */ 1991 if (q->qh.token & QTD_TOKEN_HALT) { 1992 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1993 again = 1; 1994 } else { 1995 ehci_set_state(q->ehci, q->async, EST_ADVANCEQUEUE); 1996 again = 1; 1997 } 1998 return again; 1999 } 2000 2001 /* 2002 * This is the state machine that is common to both async and periodic 2003 */ 2004 2005 static void ehci_advance_state(EHCIState *ehci, int async) 2006 { 2007 EHCIQueue *q = NULL; 2008 int again; 2009 2010 do { 2011 switch(ehci_get_state(ehci, async)) { 2012 case EST_WAITLISTHEAD: 2013 again = ehci_state_waitlisthead(ehci, async); 2014 break; 2015 2016 case EST_FETCHENTRY: 2017 again = ehci_state_fetchentry(ehci, async); 2018 break; 2019 2020 case EST_FETCHQH: 2021 q = ehci_state_fetchqh(ehci, async); 2022 if (q != NULL) { 2023 assert(q->async == async); 2024 again = 1; 2025 } else { 2026 again = 0; 2027 } 2028 break; 2029 2030 case EST_FETCHITD: 2031 again = ehci_state_fetchitd(ehci, async); 2032 break; 2033 2034 case EST_FETCHSITD: 2035 again = ehci_state_fetchsitd(ehci, async); 2036 break; 2037 2038 case EST_ADVANCEQUEUE: 2039 assert(q != NULL); 2040 again = ehci_state_advqueue(q); 2041 break; 2042 2043 case EST_FETCHQTD: 2044 assert(q != NULL); 2045 again = ehci_state_fetchqtd(q); 2046 break; 2047 2048 case EST_HORIZONTALQH: 2049 assert(q != NULL); 2050 again = ehci_state_horizqh(q); 2051 break; 2052 2053 case EST_EXECUTE: 2054 assert(q != NULL); 2055 again = ehci_state_execute(q); 2056 if (async) { 2057 ehci->async_stepdown = 0; 2058 } 2059 break; 2060 2061 case EST_EXECUTING: 2062 assert(q != NULL); 2063 if (async) { 2064 ehci->async_stepdown = 0; 2065 } 2066 again = ehci_state_executing(q); 2067 break; 2068 2069 case EST_WRITEBACK: 2070 assert(q != NULL); 2071 again = ehci_state_writeback(q); 2072 if (!async) { 2073 ehci->periodic_sched_active = PERIODIC_ACTIVE; 2074 } 2075 break; 2076 2077 default: 2078 fprintf(stderr, "Bad state!\n"); 2079 again = -1; 2080 g_assert_not_reached(); 2081 break; 2082 } 2083 2084 if (again < 0) { 2085 fprintf(stderr, "processing error - resetting ehci HC\n"); 2086 ehci_reset(ehci); 2087 again = 0; 2088 } 2089 } 2090 while (again); 2091 } 2092 2093 static void ehci_advance_async_state(EHCIState *ehci) 2094 { 2095 const int async = 1; 2096 2097 switch(ehci_get_state(ehci, async)) { 2098 case EST_INACTIVE: 2099 if (!ehci_async_enabled(ehci)) { 2100 break; 2101 } 2102 ehci_set_state(ehci, async, EST_ACTIVE); 2103 // No break, fall through to ACTIVE 2104 2105 case EST_ACTIVE: 2106 if (!ehci_async_enabled(ehci)) { 2107 ehci_queues_rip_all(ehci, async); 2108 ehci_set_state(ehci, async, EST_INACTIVE); 2109 break; 2110 } 2111 2112 /* make sure guest has acknowledged the doorbell interrupt */ 2113 /* TO-DO: is this really needed? */ 2114 if (ehci->usbsts & USBSTS_IAA) { 2115 DPRINTF("IAA status bit still set.\n"); 2116 break; 2117 } 2118 2119 /* check that address register has been set */ 2120 if (ehci->asynclistaddr == 0) { 2121 break; 2122 } 2123 2124 ehci_set_state(ehci, async, EST_WAITLISTHEAD); 2125 ehci_advance_state(ehci, async); 2126 2127 /* If the doorbell is set, the guest wants to make a change to the 2128 * schedule. The host controller needs to release cached data. 2129 * (section 4.8.2) 2130 */ 2131 if (ehci->usbcmd & USBCMD_IAAD) { 2132 /* Remove all unseen qhs from the async qhs queue */ 2133 ehci_queues_rip_unseen(ehci, async); 2134 trace_usb_ehci_doorbell_ack(); 2135 ehci->usbcmd &= ~USBCMD_IAAD; 2136 ehci_raise_irq(ehci, USBSTS_IAA); 2137 } 2138 break; 2139 2140 default: 2141 /* this should only be due to a developer mistake */ 2142 fprintf(stderr, "ehci: Bad asynchronous state %d. " 2143 "Resetting to active\n", ehci->astate); 2144 g_assert_not_reached(); 2145 } 2146 } 2147 2148 static void ehci_advance_periodic_state(EHCIState *ehci) 2149 { 2150 uint32_t entry; 2151 uint32_t list; 2152 const int async = 0; 2153 2154 // 4.6 2155 2156 switch(ehci_get_state(ehci, async)) { 2157 case EST_INACTIVE: 2158 if (!(ehci->frindex & 7) && ehci_periodic_enabled(ehci)) { 2159 ehci_set_state(ehci, async, EST_ACTIVE); 2160 // No break, fall through to ACTIVE 2161 } else 2162 break; 2163 2164 case EST_ACTIVE: 2165 if (!(ehci->frindex & 7) && !ehci_periodic_enabled(ehci)) { 2166 ehci_queues_rip_all(ehci, async); 2167 ehci_set_state(ehci, async, EST_INACTIVE); 2168 break; 2169 } 2170 2171 list = ehci->periodiclistbase & 0xfffff000; 2172 /* check that register has been set */ 2173 if (list == 0) { 2174 break; 2175 } 2176 list |= ((ehci->frindex & 0x1ff8) >> 1); 2177 2178 if (get_dwords(ehci, list, &entry, 1) < 0) { 2179 break; 2180 } 2181 2182 DPRINTF("PERIODIC state adv fr=%d. [%08X] -> %08X\n", 2183 ehci->frindex / 8, list, entry); 2184 ehci_set_fetch_addr(ehci, async,entry); 2185 ehci_set_state(ehci, async, EST_FETCHENTRY); 2186 ehci_advance_state(ehci, async); 2187 ehci_queues_rip_unused(ehci, async); 2188 break; 2189 2190 default: 2191 /* this should only be due to a developer mistake */ 2192 fprintf(stderr, "ehci: Bad periodic state %d. " 2193 "Resetting to active\n", ehci->pstate); 2194 g_assert_not_reached(); 2195 } 2196 } 2197 2198 static void ehci_update_frindex(EHCIState *ehci, int uframes) 2199 { 2200 int i; 2201 2202 if (!ehci_enabled(ehci) && ehci->pstate == EST_INACTIVE) { 2203 return; 2204 } 2205 2206 for (i = 0; i < uframes; i++) { 2207 ehci->frindex++; 2208 2209 if (ehci->frindex == 0x00002000) { 2210 ehci_raise_irq(ehci, USBSTS_FLR); 2211 } 2212 2213 if (ehci->frindex == 0x00004000) { 2214 ehci_raise_irq(ehci, USBSTS_FLR); 2215 ehci->frindex = 0; 2216 if (ehci->usbsts_frindex >= 0x00004000) { 2217 ehci->usbsts_frindex -= 0x00004000; 2218 } else { 2219 ehci->usbsts_frindex = 0; 2220 } 2221 } 2222 } 2223 } 2224 2225 static void ehci_frame_timer(void *opaque) 2226 { 2227 EHCIState *ehci = opaque; 2228 int need_timer = 0; 2229 int64_t expire_time, t_now; 2230 uint64_t ns_elapsed; 2231 int uframes, skipped_uframes; 2232 int i; 2233 2234 t_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 2235 ns_elapsed = t_now - ehci->last_run_ns; 2236 uframes = ns_elapsed / UFRAME_TIMER_NS; 2237 2238 if (ehci_periodic_enabled(ehci) || ehci->pstate != EST_INACTIVE) { 2239 need_timer++; 2240 2241 if (uframes > (ehci->maxframes * 8)) { 2242 skipped_uframes = uframes - (ehci->maxframes * 8); 2243 ehci_update_frindex(ehci, skipped_uframes); 2244 ehci->last_run_ns += UFRAME_TIMER_NS * skipped_uframes; 2245 uframes -= skipped_uframes; 2246 DPRINTF("WARNING - EHCI skipped %d uframes\n", skipped_uframes); 2247 } 2248 2249 for (i = 0; i < uframes; i++) { 2250 /* 2251 * If we're running behind schedule, we should not catch up 2252 * too fast, as that will make some guests unhappy: 2253 * 1) We must process a minimum of MIN_UFR_PER_TICK frames, 2254 * otherwise we will never catch up 2255 * 2) Process frames until the guest has requested an irq (IOC) 2256 */ 2257 if (i >= MIN_UFR_PER_TICK) { 2258 ehci_commit_irq(ehci); 2259 if ((ehci->usbsts & USBINTR_MASK) & ehci->usbintr) { 2260 break; 2261 } 2262 } 2263 if (ehci->periodic_sched_active) { 2264 ehci->periodic_sched_active--; 2265 } 2266 ehci_update_frindex(ehci, 1); 2267 if ((ehci->frindex & 7) == 0) { 2268 ehci_advance_periodic_state(ehci); 2269 } 2270 ehci->last_run_ns += UFRAME_TIMER_NS; 2271 } 2272 } else { 2273 ehci->periodic_sched_active = 0; 2274 ehci_update_frindex(ehci, uframes); 2275 ehci->last_run_ns += UFRAME_TIMER_NS * uframes; 2276 } 2277 2278 if (ehci->periodic_sched_active) { 2279 ehci->async_stepdown = 0; 2280 } else if (ehci->async_stepdown < ehci->maxframes / 2) { 2281 ehci->async_stepdown++; 2282 } 2283 2284 /* Async is not inside loop since it executes everything it can once 2285 * called 2286 */ 2287 if (ehci_async_enabled(ehci) || ehci->astate != EST_INACTIVE) { 2288 need_timer++; 2289 ehci_advance_async_state(ehci); 2290 } 2291 2292 ehci_commit_irq(ehci); 2293 if (ehci->usbsts_pending) { 2294 need_timer++; 2295 ehci->async_stepdown = 0; 2296 } 2297 2298 if (ehci_enabled(ehci) && (ehci->usbintr & USBSTS_FLR)) { 2299 need_timer++; 2300 } 2301 2302 if (need_timer) { 2303 /* If we've raised int, we speed up the timer, so that we quickly 2304 * notice any new packets queued up in response */ 2305 if (ehci->int_req_by_async && (ehci->usbsts & USBSTS_INT)) { 2306 expire_time = t_now + get_ticks_per_sec() / (FRAME_TIMER_FREQ * 4); 2307 ehci->int_req_by_async = false; 2308 } else { 2309 expire_time = t_now + (get_ticks_per_sec() 2310 * (ehci->async_stepdown+1) / FRAME_TIMER_FREQ); 2311 } 2312 timer_mod(ehci->frame_timer, expire_time); 2313 } 2314 } 2315 2316 static const MemoryRegionOps ehci_mmio_caps_ops = { 2317 .read = ehci_caps_read, 2318 .valid.min_access_size = 1, 2319 .valid.max_access_size = 4, 2320 .impl.min_access_size = 1, 2321 .impl.max_access_size = 1, 2322 .endianness = DEVICE_LITTLE_ENDIAN, 2323 }; 2324 2325 static const MemoryRegionOps ehci_mmio_opreg_ops = { 2326 .read = ehci_opreg_read, 2327 .write = ehci_opreg_write, 2328 .valid.min_access_size = 4, 2329 .valid.max_access_size = 4, 2330 .endianness = DEVICE_LITTLE_ENDIAN, 2331 }; 2332 2333 static const MemoryRegionOps ehci_mmio_port_ops = { 2334 .read = ehci_port_read, 2335 .write = ehci_port_write, 2336 .valid.min_access_size = 4, 2337 .valid.max_access_size = 4, 2338 .endianness = DEVICE_LITTLE_ENDIAN, 2339 }; 2340 2341 static USBPortOps ehci_port_ops = { 2342 .attach = ehci_attach, 2343 .detach = ehci_detach, 2344 .child_detach = ehci_child_detach, 2345 .wakeup = ehci_wakeup, 2346 .complete = ehci_async_complete_packet, 2347 }; 2348 2349 static USBBusOps ehci_bus_ops_companion = { 2350 .register_companion = ehci_register_companion, 2351 .wakeup_endpoint = ehci_wakeup_endpoint, 2352 }; 2353 static USBBusOps ehci_bus_ops_standalone = { 2354 .wakeup_endpoint = ehci_wakeup_endpoint, 2355 }; 2356 2357 static void usb_ehci_pre_save(void *opaque) 2358 { 2359 EHCIState *ehci = opaque; 2360 uint32_t new_frindex; 2361 2362 /* Round down frindex to a multiple of 8 for migration compatibility */ 2363 new_frindex = ehci->frindex & ~7; 2364 ehci->last_run_ns -= (ehci->frindex - new_frindex) * UFRAME_TIMER_NS; 2365 ehci->frindex = new_frindex; 2366 } 2367 2368 static int usb_ehci_post_load(void *opaque, int version_id) 2369 { 2370 EHCIState *s = opaque; 2371 int i; 2372 2373 for (i = 0; i < NB_PORTS; i++) { 2374 USBPort *companion = s->companion_ports[i]; 2375 if (companion == NULL) { 2376 continue; 2377 } 2378 if (s->portsc[i] & PORTSC_POWNER) { 2379 companion->dev = s->ports[i].dev; 2380 } else { 2381 companion->dev = NULL; 2382 } 2383 } 2384 2385 return 0; 2386 } 2387 2388 static void usb_ehci_vm_state_change(void *opaque, int running, RunState state) 2389 { 2390 EHCIState *ehci = opaque; 2391 2392 /* 2393 * We don't migrate the EHCIQueue-s, instead we rebuild them for the 2394 * schedule in guest memory. We must do the rebuilt ASAP, so that 2395 * USB-devices which have async handled packages have a packet in the 2396 * ep queue to match the completion with. 2397 */ 2398 if (state == RUN_STATE_RUNNING) { 2399 ehci_advance_async_state(ehci); 2400 } 2401 2402 /* 2403 * The schedule rebuilt from guest memory could cause the migration dest 2404 * to miss a QH unlink, and fail to cancel packets, since the unlinked QH 2405 * will never have existed on the destination. Therefor we must flush the 2406 * async schedule on savevm to catch any not yet noticed unlinks. 2407 */ 2408 if (state == RUN_STATE_SAVE_VM) { 2409 ehci_advance_async_state(ehci); 2410 ehci_queues_rip_unseen(ehci, 1); 2411 } 2412 } 2413 2414 const VMStateDescription vmstate_ehci = { 2415 .name = "ehci-core", 2416 .version_id = 2, 2417 .minimum_version_id = 1, 2418 .pre_save = usb_ehci_pre_save, 2419 .post_load = usb_ehci_post_load, 2420 .fields = (VMStateField[]) { 2421 /* mmio registers */ 2422 VMSTATE_UINT32(usbcmd, EHCIState), 2423 VMSTATE_UINT32(usbsts, EHCIState), 2424 VMSTATE_UINT32_V(usbsts_pending, EHCIState, 2), 2425 VMSTATE_UINT32_V(usbsts_frindex, EHCIState, 2), 2426 VMSTATE_UINT32(usbintr, EHCIState), 2427 VMSTATE_UINT32(frindex, EHCIState), 2428 VMSTATE_UINT32(ctrldssegment, EHCIState), 2429 VMSTATE_UINT32(periodiclistbase, EHCIState), 2430 VMSTATE_UINT32(asynclistaddr, EHCIState), 2431 VMSTATE_UINT32(configflag, EHCIState), 2432 VMSTATE_UINT32(portsc[0], EHCIState), 2433 VMSTATE_UINT32(portsc[1], EHCIState), 2434 VMSTATE_UINT32(portsc[2], EHCIState), 2435 VMSTATE_UINT32(portsc[3], EHCIState), 2436 VMSTATE_UINT32(portsc[4], EHCIState), 2437 VMSTATE_UINT32(portsc[5], EHCIState), 2438 /* frame timer */ 2439 VMSTATE_TIMER_PTR(frame_timer, EHCIState), 2440 VMSTATE_UINT64(last_run_ns, EHCIState), 2441 VMSTATE_UINT32(async_stepdown, EHCIState), 2442 /* schedule state */ 2443 VMSTATE_UINT32(astate, EHCIState), 2444 VMSTATE_UINT32(pstate, EHCIState), 2445 VMSTATE_UINT32(a_fetch_addr, EHCIState), 2446 VMSTATE_UINT32(p_fetch_addr, EHCIState), 2447 VMSTATE_END_OF_LIST() 2448 } 2449 }; 2450 2451 void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp) 2452 { 2453 int i; 2454 2455 if (s->portnr > NB_PORTS) { 2456 error_setg(errp, "Too many ports! Max. port number is %d.", 2457 NB_PORTS); 2458 return; 2459 } 2460 2461 usb_bus_new(&s->bus, sizeof(s->bus), s->companion_enable ? 2462 &ehci_bus_ops_companion : &ehci_bus_ops_standalone, dev); 2463 for (i = 0; i < s->portnr; i++) { 2464 usb_register_port(&s->bus, &s->ports[i], s, i, &ehci_port_ops, 2465 USB_SPEED_MASK_HIGH); 2466 s->ports[i].dev = 0; 2467 } 2468 2469 s->frame_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ehci_frame_timer, s); 2470 s->async_bh = qemu_bh_new(ehci_frame_timer, s); 2471 s->device = dev; 2472 2473 s->vmstate = qemu_add_vm_change_state_handler(usb_ehci_vm_state_change, s); 2474 } 2475 2476 void usb_ehci_unrealize(EHCIState *s, DeviceState *dev, Error **errp) 2477 { 2478 trace_usb_ehci_unrealize(); 2479 2480 if (s->frame_timer) { 2481 timer_del(s->frame_timer); 2482 timer_free(s->frame_timer); 2483 s->frame_timer = NULL; 2484 } 2485 if (s->async_bh) { 2486 qemu_bh_delete(s->async_bh); 2487 } 2488 2489 ehci_queues_rip_all(s, 0); 2490 ehci_queues_rip_all(s, 1); 2491 2492 memory_region_del_subregion(&s->mem, &s->mem_caps); 2493 memory_region_del_subregion(&s->mem, &s->mem_opreg); 2494 memory_region_del_subregion(&s->mem, &s->mem_ports); 2495 2496 usb_bus_release(&s->bus); 2497 2498 if (s->vmstate) { 2499 qemu_del_vm_change_state_handler(s->vmstate); 2500 } 2501 } 2502 2503 void usb_ehci_init(EHCIState *s, DeviceState *dev) 2504 { 2505 /* 2.2 host controller interface version */ 2506 s->caps[0x00] = (uint8_t)(s->opregbase - s->capsbase); 2507 s->caps[0x01] = 0x00; 2508 s->caps[0x02] = 0x00; 2509 s->caps[0x03] = 0x01; /* HC version */ 2510 s->caps[0x04] = s->portnr; /* Number of downstream ports */ 2511 s->caps[0x05] = 0x00; /* No companion ports at present */ 2512 s->caps[0x06] = 0x00; 2513 s->caps[0x07] = 0x00; 2514 s->caps[0x08] = 0x80; /* We can cache whole frame, no 64-bit */ 2515 s->caps[0x0a] = 0x00; 2516 s->caps[0x0b] = 0x00; 2517 2518 QTAILQ_INIT(&s->aqueues); 2519 QTAILQ_INIT(&s->pqueues); 2520 usb_packet_init(&s->ipacket); 2521 2522 memory_region_init(&s->mem, OBJECT(dev), "ehci", MMIO_SIZE); 2523 memory_region_init_io(&s->mem_caps, OBJECT(dev), &ehci_mmio_caps_ops, s, 2524 "capabilities", CAPA_SIZE); 2525 memory_region_init_io(&s->mem_opreg, OBJECT(dev), &ehci_mmio_opreg_ops, s, 2526 "operational", s->portscbase); 2527 memory_region_init_io(&s->mem_ports, OBJECT(dev), &ehci_mmio_port_ops, s, 2528 "ports", 4 * s->portnr); 2529 2530 memory_region_add_subregion(&s->mem, s->capsbase, &s->mem_caps); 2531 memory_region_add_subregion(&s->mem, s->opregbase, &s->mem_opreg); 2532 memory_region_add_subregion(&s->mem, s->opregbase + s->portscbase, 2533 &s->mem_ports); 2534 } 2535 2536 /* 2537 * vim: expandtab ts=4 2538 */ 2539