xref: /openbmc/qemu/hw/usb/hcd-musb.c (revision 6016b7b4)
1 /*
2  * "Inventra" High-speed Dual-Role Controller (MUSB-HDRC), Mentor Graphics,
3  * USB2.0 OTG compliant core used in various chips.
4  *
5  * Copyright (C) 2008 Nokia Corporation
6  * Written by Andrzej Zaborowski <andrew@openedhand.com>
7  *
8  * This program is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU General Public License as
10  * published by the Free Software Foundation; either version 2 or
11  * (at your option) version 3 of the License.
12  *
13  * This program is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  * GNU General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License along
19  * with this program; if not, see <http://www.gnu.org/licenses/>.
20  *
21  * Only host-mode and non-DMA accesses are currently supported.
22  */
23 #include "qemu/osdep.h"
24 #include "qemu/timer.h"
25 #include "hw/usb.h"
26 #include "hw/usb/hcd-musb.h"
27 #include "hw/irq.h"
28 #include "hw/hw.h"
29 
30 /* Common USB registers */
31 #define MUSB_HDRC_FADDR		0x00	/* 8-bit */
32 #define MUSB_HDRC_POWER		0x01	/* 8-bit */
33 
34 #define MUSB_HDRC_INTRTX	0x02	/* 16-bit */
35 #define MUSB_HDRC_INTRRX	0x04
36 #define MUSB_HDRC_INTRTXE	0x06
37 #define MUSB_HDRC_INTRRXE	0x08
38 #define MUSB_HDRC_INTRUSB	0x0a	/* 8 bit */
39 #define MUSB_HDRC_INTRUSBE	0x0b	/* 8 bit */
40 #define MUSB_HDRC_FRAME		0x0c	/* 16-bit */
41 #define MUSB_HDRC_INDEX		0x0e	/* 8 bit */
42 #define MUSB_HDRC_TESTMODE	0x0f	/* 8 bit */
43 
44 /* Per-EP registers in indexed mode */
45 #define MUSB_HDRC_EP_IDX	0x10	/* 8-bit */
46 
47 /* EP FIFOs */
48 #define MUSB_HDRC_FIFO		0x20
49 
50 /* Additional Control Registers */
51 #define	MUSB_HDRC_DEVCTL	0x60	/* 8 bit */
52 
53 /* These are indexed */
54 #define MUSB_HDRC_TXFIFOSZ	0x62	/* 8 bit (see masks) */
55 #define MUSB_HDRC_RXFIFOSZ	0x63	/* 8 bit (see masks) */
56 #define MUSB_HDRC_TXFIFOADDR	0x64	/* 16 bit offset shifted right 3 */
57 #define MUSB_HDRC_RXFIFOADDR	0x66	/* 16 bit offset shifted right 3 */
58 
59 /* Some more registers */
60 #define MUSB_HDRC_VCTRL		0x68	/* 8 bit */
61 #define MUSB_HDRC_HWVERS	0x6c	/* 8 bit */
62 
63 /* Added in HDRC 1.9(?) & MHDRC 1.4 */
64 /* ULPI pass-through */
65 #define MUSB_HDRC_ULPI_VBUSCTL	0x70
66 #define MUSB_HDRC_ULPI_REGDATA	0x74
67 #define MUSB_HDRC_ULPI_REGADDR	0x75
68 #define MUSB_HDRC_ULPI_REGCTL	0x76
69 
70 /* Extended config & PHY control */
71 #define MUSB_HDRC_ENDCOUNT	0x78	/* 8 bit */
72 #define MUSB_HDRC_DMARAMCFG	0x79	/* 8 bit */
73 #define MUSB_HDRC_PHYWAIT	0x7a	/* 8 bit */
74 #define MUSB_HDRC_PHYVPLEN	0x7b	/* 8 bit */
75 #define MUSB_HDRC_HS_EOF1	0x7c	/* 8 bit, units of 546.1 us */
76 #define MUSB_HDRC_FS_EOF1	0x7d	/* 8 bit, units of 533.3 ns */
77 #define MUSB_HDRC_LS_EOF1	0x7e	/* 8 bit, units of 1.067 us */
78 
79 /* Per-EP BUSCTL registers */
80 #define MUSB_HDRC_BUSCTL	0x80
81 
82 /* Per-EP registers in flat mode */
83 #define MUSB_HDRC_EP		0x100
84 
85 /* offsets to registers in flat model */
86 #define MUSB_HDRC_TXMAXP	0x00	/* 16 bit apparently */
87 #define MUSB_HDRC_TXCSR		0x02	/* 16 bit apparently */
88 #define MUSB_HDRC_CSR0		MUSB_HDRC_TXCSR		/* re-used for EP0 */
89 #define MUSB_HDRC_RXMAXP	0x04	/* 16 bit apparently */
90 #define MUSB_HDRC_RXCSR		0x06	/* 16 bit apparently */
91 #define MUSB_HDRC_RXCOUNT	0x08	/* 16 bit apparently */
92 #define MUSB_HDRC_COUNT0	MUSB_HDRC_RXCOUNT	/* re-used for EP0 */
93 #define MUSB_HDRC_TXTYPE	0x0a	/* 8 bit apparently */
94 #define MUSB_HDRC_TYPE0		MUSB_HDRC_TXTYPE	/* re-used for EP0 */
95 #define MUSB_HDRC_TXINTERVAL	0x0b	/* 8 bit apparently */
96 #define MUSB_HDRC_NAKLIMIT0	MUSB_HDRC_TXINTERVAL	/* re-used for EP0 */
97 #define MUSB_HDRC_RXTYPE	0x0c	/* 8 bit apparently */
98 #define MUSB_HDRC_RXINTERVAL	0x0d	/* 8 bit apparently */
99 #define MUSB_HDRC_FIFOSIZE	0x0f	/* 8 bit apparently */
100 #define MUSB_HDRC_CONFIGDATA	MGC_O_HDRC_FIFOSIZE	/* re-used for EP0 */
101 
102 /* "Bus control" registers */
103 #define MUSB_HDRC_TXFUNCADDR	0x00
104 #define MUSB_HDRC_TXHUBADDR	0x02
105 #define MUSB_HDRC_TXHUBPORT	0x03
106 
107 #define MUSB_HDRC_RXFUNCADDR	0x04
108 #define MUSB_HDRC_RXHUBADDR	0x06
109 #define MUSB_HDRC_RXHUBPORT	0x07
110 
111 /*
112  * MUSBHDRC Register bit masks
113  */
114 
115 /* POWER */
116 #define MGC_M_POWER_ISOUPDATE		0x80
117 #define	MGC_M_POWER_SOFTCONN		0x40
118 #define	MGC_M_POWER_HSENAB		0x20
119 #define	MGC_M_POWER_HSMODE		0x10
120 #define MGC_M_POWER_RESET		0x08
121 #define MGC_M_POWER_RESUME		0x04
122 #define MGC_M_POWER_SUSPENDM		0x02
123 #define MGC_M_POWER_ENSUSPEND		0x01
124 
125 /* INTRUSB */
126 #define MGC_M_INTR_SUSPEND		0x01
127 #define MGC_M_INTR_RESUME		0x02
128 #define MGC_M_INTR_RESET		0x04
129 #define MGC_M_INTR_BABBLE		0x04
130 #define MGC_M_INTR_SOF			0x08
131 #define MGC_M_INTR_CONNECT		0x10
132 #define MGC_M_INTR_DISCONNECT		0x20
133 #define MGC_M_INTR_SESSREQ		0x40
134 #define MGC_M_INTR_VBUSERROR		0x80	/* FOR SESSION END */
135 #define MGC_M_INTR_EP0			0x01	/* FOR EP0 INTERRUPT */
136 
137 /* DEVCTL */
138 #define MGC_M_DEVCTL_BDEVICE		0x80
139 #define MGC_M_DEVCTL_FSDEV		0x40
140 #define MGC_M_DEVCTL_LSDEV		0x20
141 #define MGC_M_DEVCTL_VBUS		0x18
142 #define MGC_S_DEVCTL_VBUS		3
143 #define MGC_M_DEVCTL_HM			0x04
144 #define MGC_M_DEVCTL_HR			0x02
145 #define MGC_M_DEVCTL_SESSION		0x01
146 
147 /* TESTMODE */
148 #define MGC_M_TEST_FORCE_HOST		0x80
149 #define MGC_M_TEST_FIFO_ACCESS		0x40
150 #define MGC_M_TEST_FORCE_FS		0x20
151 #define MGC_M_TEST_FORCE_HS		0x10
152 #define MGC_M_TEST_PACKET		0x08
153 #define MGC_M_TEST_K			0x04
154 #define MGC_M_TEST_J			0x02
155 #define MGC_M_TEST_SE0_NAK		0x01
156 
157 /* CSR0 */
158 #define	MGC_M_CSR0_FLUSHFIFO		0x0100
159 #define MGC_M_CSR0_TXPKTRDY		0x0002
160 #define MGC_M_CSR0_RXPKTRDY		0x0001
161 
162 /* CSR0 in Peripheral mode */
163 #define MGC_M_CSR0_P_SVDSETUPEND	0x0080
164 #define MGC_M_CSR0_P_SVDRXPKTRDY	0x0040
165 #define MGC_M_CSR0_P_SENDSTALL		0x0020
166 #define MGC_M_CSR0_P_SETUPEND		0x0010
167 #define MGC_M_CSR0_P_DATAEND		0x0008
168 #define MGC_M_CSR0_P_SENTSTALL		0x0004
169 
170 /* CSR0 in Host mode */
171 #define MGC_M_CSR0_H_NO_PING		0x0800
172 #define MGC_M_CSR0_H_WR_DATATOGGLE	0x0400	/* set to allow setting: */
173 #define MGC_M_CSR0_H_DATATOGGLE		0x0200	/* data toggle control */
174 #define	MGC_M_CSR0_H_NAKTIMEOUT		0x0080
175 #define MGC_M_CSR0_H_STATUSPKT		0x0040
176 #define MGC_M_CSR0_H_REQPKT		0x0020
177 #define MGC_M_CSR0_H_ERROR		0x0010
178 #define MGC_M_CSR0_H_SETUPPKT		0x0008
179 #define MGC_M_CSR0_H_RXSTALL		0x0004
180 
181 /* CONFIGDATA */
182 #define MGC_M_CONFIGDATA_MPRXE		0x80	/* auto bulk pkt combining */
183 #define MGC_M_CONFIGDATA_MPTXE		0x40	/* auto bulk pkt splitting */
184 #define MGC_M_CONFIGDATA_BIGENDIAN	0x20
185 #define MGC_M_CONFIGDATA_HBRXE		0x10	/* HB-ISO for RX */
186 #define MGC_M_CONFIGDATA_HBTXE		0x08	/* HB-ISO for TX */
187 #define MGC_M_CONFIGDATA_DYNFIFO	0x04	/* dynamic FIFO sizing */
188 #define MGC_M_CONFIGDATA_SOFTCONE	0x02	/* SoftConnect */
189 #define MGC_M_CONFIGDATA_UTMIDW		0x01	/* Width, 0 => 8b, 1 => 16b */
190 
191 /* TXCSR in Peripheral and Host mode */
192 #define MGC_M_TXCSR_AUTOSET		0x8000
193 #define MGC_M_TXCSR_ISO			0x4000
194 #define MGC_M_TXCSR_MODE		0x2000
195 #define MGC_M_TXCSR_DMAENAB		0x1000
196 #define MGC_M_TXCSR_FRCDATATOG		0x0800
197 #define MGC_M_TXCSR_DMAMODE		0x0400
198 #define MGC_M_TXCSR_CLRDATATOG		0x0040
199 #define MGC_M_TXCSR_FLUSHFIFO		0x0008
200 #define MGC_M_TXCSR_FIFONOTEMPTY	0x0002
201 #define MGC_M_TXCSR_TXPKTRDY		0x0001
202 
203 /* TXCSR in Peripheral mode */
204 #define MGC_M_TXCSR_P_INCOMPTX		0x0080
205 #define MGC_M_TXCSR_P_SENTSTALL		0x0020
206 #define MGC_M_TXCSR_P_SENDSTALL		0x0010
207 #define MGC_M_TXCSR_P_UNDERRUN		0x0004
208 
209 /* TXCSR in Host mode */
210 #define MGC_M_TXCSR_H_WR_DATATOGGLE	0x0200
211 #define MGC_M_TXCSR_H_DATATOGGLE	0x0100
212 #define MGC_M_TXCSR_H_NAKTIMEOUT	0x0080
213 #define MGC_M_TXCSR_H_RXSTALL		0x0020
214 #define MGC_M_TXCSR_H_ERROR		0x0004
215 
216 /* RXCSR in Peripheral and Host mode */
217 #define MGC_M_RXCSR_AUTOCLEAR		0x8000
218 #define MGC_M_RXCSR_DMAENAB		0x2000
219 #define MGC_M_RXCSR_DISNYET		0x1000
220 #define MGC_M_RXCSR_DMAMODE		0x0800
221 #define MGC_M_RXCSR_INCOMPRX		0x0100
222 #define MGC_M_RXCSR_CLRDATATOG		0x0080
223 #define MGC_M_RXCSR_FLUSHFIFO		0x0010
224 #define MGC_M_RXCSR_DATAERROR		0x0008
225 #define MGC_M_RXCSR_FIFOFULL		0x0002
226 #define MGC_M_RXCSR_RXPKTRDY		0x0001
227 
228 /* RXCSR in Peripheral mode */
229 #define MGC_M_RXCSR_P_ISO		0x4000
230 #define MGC_M_RXCSR_P_SENTSTALL		0x0040
231 #define MGC_M_RXCSR_P_SENDSTALL		0x0020
232 #define MGC_M_RXCSR_P_OVERRUN		0x0004
233 
234 /* RXCSR in Host mode */
235 #define MGC_M_RXCSR_H_AUTOREQ		0x4000
236 #define MGC_M_RXCSR_H_WR_DATATOGGLE	0x0400
237 #define MGC_M_RXCSR_H_DATATOGGLE	0x0200
238 #define MGC_M_RXCSR_H_RXSTALL		0x0040
239 #define MGC_M_RXCSR_H_REQPKT		0x0020
240 #define MGC_M_RXCSR_H_ERROR		0x0004
241 
242 /* HUBADDR */
243 #define MGC_M_HUBADDR_MULTI_TT		0x80
244 
245 /* ULPI: Added in HDRC 1.9(?) & MHDRC 1.4 */
246 #define MGC_M_ULPI_VBCTL_USEEXTVBUSIND	0x02
247 #define MGC_M_ULPI_VBCTL_USEEXTVBUS	0x01
248 #define MGC_M_ULPI_REGCTL_INT_ENABLE	0x08
249 #define MGC_M_ULPI_REGCTL_READNOTWRITE	0x04
250 #define MGC_M_ULPI_REGCTL_COMPLETE	0x02
251 #define MGC_M_ULPI_REGCTL_REG		0x01
252 
253 /* #define MUSB_DEBUG */
254 
255 #ifdef MUSB_DEBUG
256 #define TRACE(fmt, ...) fprintf(stderr, "%s@%d: " fmt "\n", __func__, \
257                                 __LINE__, ##__VA_ARGS__)
258 #else
259 #define TRACE(...)
260 #endif
261 
262 
263 static void musb_attach(USBPort *port);
264 static void musb_detach(USBPort *port);
265 static void musb_child_detach(USBPort *port, USBDevice *child);
266 static void musb_schedule_cb(USBPort *port, USBPacket *p);
267 static void musb_async_cancel_device(MUSBState *s, USBDevice *dev);
268 
269 static USBPortOps musb_port_ops = {
270     .attach = musb_attach,
271     .detach = musb_detach,
272     .child_detach = musb_child_detach,
273     .complete = musb_schedule_cb,
274 };
275 
276 static USBBusOps musb_bus_ops = {
277 };
278 
279 typedef struct MUSBPacket MUSBPacket;
280 typedef struct MUSBEndPoint MUSBEndPoint;
281 
282 struct MUSBPacket {
283     USBPacket p;
284     MUSBEndPoint *ep;
285     int dir;
286 };
287 
288 struct MUSBEndPoint {
289     uint16_t faddr[2];
290     uint8_t haddr[2];
291     uint8_t hport[2];
292     uint16_t csr[2];
293     uint16_t maxp[2];
294     uint16_t rxcount;
295     uint8_t type[2];
296     uint8_t interval[2];
297     uint8_t config;
298     uint8_t fifosize;
299     int timeout[2];	/* Always in microframes */
300 
301     uint8_t *buf[2];
302     int fifolen[2];
303     int fifostart[2];
304     int fifoaddr[2];
305     MUSBPacket packey[2];
306     int status[2];
307     int ext_size[2];
308 
309     /* For callbacks' use */
310     int epnum;
311     int interrupt[2];
312     MUSBState *musb;
313     USBCallback *delayed_cb[2];
314     QEMUTimer *intv_timer[2];
315 };
316 
317 struct MUSBState {
318     qemu_irq irqs[musb_irq_max];
319     USBBus bus;
320     USBPort port;
321 
322     int idx;
323     uint8_t devctl;
324     uint8_t power;
325     uint8_t faddr;
326 
327     uint8_t intr;
328     uint8_t mask;
329     uint16_t tx_intr;
330     uint16_t tx_mask;
331     uint16_t rx_intr;
332     uint16_t rx_mask;
333 
334     int setup_len;
335     int session;
336 
337     uint8_t buf[0x8000];
338 
339         /* Duplicating the world since 2008!...  probably we should have 32
340          * logical, single endpoints instead.  */
341     MUSBEndPoint ep[16];
342 };
343 
344 void musb_reset(MUSBState *s)
345 {
346     int i;
347 
348     s->faddr = 0x00;
349     s->devctl = 0;
350     s->power = MGC_M_POWER_HSENAB;
351     s->tx_intr = 0x0000;
352     s->rx_intr = 0x0000;
353     s->tx_mask = 0xffff;
354     s->rx_mask = 0xffff;
355     s->intr = 0x00;
356     s->mask = 0x06;
357     s->idx = 0;
358 
359     s->setup_len = 0;
360     s->session = 0;
361     memset(s->buf, 0, sizeof(s->buf));
362 
363     /* TODO: _DW */
364     s->ep[0].config = MGC_M_CONFIGDATA_SOFTCONE | MGC_M_CONFIGDATA_DYNFIFO;
365     for (i = 0; i < 16; i ++) {
366         s->ep[i].fifosize = 64;
367         s->ep[i].maxp[0] = 0x40;
368         s->ep[i].maxp[1] = 0x40;
369         s->ep[i].musb = s;
370         s->ep[i].epnum = i;
371         usb_packet_init(&s->ep[i].packey[0].p);
372         usb_packet_init(&s->ep[i].packey[1].p);
373     }
374 }
375 
376 struct MUSBState *musb_init(DeviceState *parent_device, int gpio_base)
377 {
378     MUSBState *s = g_malloc0(sizeof(*s));
379     int i;
380 
381     for (i = 0; i < musb_irq_max; i++) {
382         s->irqs[i] = qdev_get_gpio_in(parent_device, gpio_base + i);
383     }
384 
385     musb_reset(s);
386 
387     usb_bus_new(&s->bus, sizeof(s->bus), &musb_bus_ops, parent_device);
388     usb_register_port(&s->bus, &s->port, s, 0, &musb_port_ops,
389                       USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
390 
391     return s;
392 }
393 
394 static void musb_vbus_set(MUSBState *s, int level)
395 {
396     if (level)
397         s->devctl |= 3 << MGC_S_DEVCTL_VBUS;
398     else
399         s->devctl &= ~MGC_M_DEVCTL_VBUS;
400 
401     qemu_set_irq(s->irqs[musb_set_vbus], level);
402 }
403 
404 static void musb_intr_set(MUSBState *s, int line, int level)
405 {
406     if (!level) {
407         s->intr &= ~(1 << line);
408         qemu_irq_lower(s->irqs[line]);
409     } else if (s->mask & (1 << line)) {
410         s->intr |= 1 << line;
411         qemu_irq_raise(s->irqs[line]);
412     }
413 }
414 
415 static void musb_tx_intr_set(MUSBState *s, int line, int level)
416 {
417     if (!level) {
418         s->tx_intr &= ~(1 << line);
419         if (!s->tx_intr)
420             qemu_irq_lower(s->irqs[musb_irq_tx]);
421     } else if (s->tx_mask & (1 << line)) {
422         s->tx_intr |= 1 << line;
423         qemu_irq_raise(s->irqs[musb_irq_tx]);
424     }
425 }
426 
427 static void musb_rx_intr_set(MUSBState *s, int line, int level)
428 {
429     if (line) {
430         if (!level) {
431             s->rx_intr &= ~(1 << line);
432             if (!s->rx_intr)
433                 qemu_irq_lower(s->irqs[musb_irq_rx]);
434         } else if (s->rx_mask & (1 << line)) {
435             s->rx_intr |= 1 << line;
436             qemu_irq_raise(s->irqs[musb_irq_rx]);
437         }
438     } else
439         musb_tx_intr_set(s, line, level);
440 }
441 
442 uint32_t musb_core_intr_get(MUSBState *s)
443 {
444     return (s->rx_intr << 15) | s->tx_intr;
445 }
446 
447 void musb_core_intr_clear(MUSBState *s, uint32_t mask)
448 {
449     if (s->rx_intr) {
450         s->rx_intr &= mask >> 15;
451         if (!s->rx_intr)
452             qemu_irq_lower(s->irqs[musb_irq_rx]);
453     }
454 
455     if (s->tx_intr) {
456         s->tx_intr &= mask & 0xffff;
457         if (!s->tx_intr)
458             qemu_irq_lower(s->irqs[musb_irq_tx]);
459     }
460 }
461 
462 void musb_set_size(MUSBState *s, int epnum, int size, int is_tx)
463 {
464     s->ep[epnum].ext_size[!is_tx] = size;
465     s->ep[epnum].fifostart[0] = 0;
466     s->ep[epnum].fifostart[1] = 0;
467     s->ep[epnum].fifolen[0] = 0;
468     s->ep[epnum].fifolen[1] = 0;
469 }
470 
471 static void musb_session_update(MUSBState *s, int prev_dev, int prev_sess)
472 {
473     int detect_prev = prev_dev && prev_sess;
474     int detect = !!s->port.dev && s->session;
475 
476     if (detect && !detect_prev) {
477         /* Let's skip the ID pin sense and VBUS sense formalities and
478          * and signal a successful SRP directly.  This should work at least
479          * for the Linux driver stack.  */
480         musb_intr_set(s, musb_irq_connect, 1);
481 
482         if (s->port.dev->speed == USB_SPEED_LOW) {
483             s->devctl &= ~MGC_M_DEVCTL_FSDEV;
484             s->devctl |= MGC_M_DEVCTL_LSDEV;
485         } else {
486             s->devctl |= MGC_M_DEVCTL_FSDEV;
487             s->devctl &= ~MGC_M_DEVCTL_LSDEV;
488         }
489 
490         /* A-mode?  */
491         s->devctl &= ~MGC_M_DEVCTL_BDEVICE;
492 
493         /* Host-mode bit?  */
494         s->devctl |= MGC_M_DEVCTL_HM;
495 #if 1
496         musb_vbus_set(s, 1);
497 #endif
498     } else if (!detect && detect_prev) {
499 #if 1
500         musb_vbus_set(s, 0);
501 #endif
502     }
503 }
504 
505 /* Attach or detach a device on our only port.  */
506 static void musb_attach(USBPort *port)
507 {
508     MUSBState *s = (MUSBState *) port->opaque;
509 
510     musb_intr_set(s, musb_irq_vbus_request, 1);
511     musb_session_update(s, 0, s->session);
512 }
513 
514 static void musb_detach(USBPort *port)
515 {
516     MUSBState *s = (MUSBState *) port->opaque;
517 
518     musb_async_cancel_device(s, port->dev);
519 
520     musb_intr_set(s, musb_irq_disconnect, 1);
521     musb_session_update(s, 1, s->session);
522 }
523 
524 static void musb_child_detach(USBPort *port, USBDevice *child)
525 {
526     MUSBState *s = (MUSBState *) port->opaque;
527 
528     musb_async_cancel_device(s, child);
529 }
530 
531 static void musb_cb_tick0(void *opaque)
532 {
533     MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
534 
535     ep->delayed_cb[0](&ep->packey[0].p, opaque);
536 }
537 
538 static void musb_cb_tick1(void *opaque)
539 {
540     MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
541 
542     ep->delayed_cb[1](&ep->packey[1].p, opaque);
543 }
544 
545 #define musb_cb_tick	(dir ? musb_cb_tick1 : musb_cb_tick0)
546 
547 static void musb_schedule_cb(USBPort *port, USBPacket *packey)
548 {
549     MUSBPacket *p = container_of(packey, MUSBPacket, p);
550     MUSBEndPoint *ep = p->ep;
551     int dir = p->dir;
552     int timeout = 0;
553 
554     if (ep->status[dir] == USB_RET_NAK)
555         timeout = ep->timeout[dir];
556     else if (ep->interrupt[dir])
557         timeout = 8;
558     else {
559         musb_cb_tick(ep);
560         return;
561     }
562 
563     if (!ep->intv_timer[dir])
564         ep->intv_timer[dir] = timer_new_ns(QEMU_CLOCK_VIRTUAL, musb_cb_tick, ep);
565 
566     timer_mod(ep->intv_timer[dir], qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
567                    muldiv64(timeout, NANOSECONDS_PER_SECOND, 8000));
568 }
569 
570 static int musb_timeout(int ttype, int speed, int val)
571 {
572 #if 1
573     return val << 3;
574 #endif
575 
576     switch (ttype) {
577     case USB_ENDPOINT_XFER_CONTROL:
578         if (val < 2)
579             return 0;
580         else if (speed == USB_SPEED_HIGH)
581             return 1 << (val - 1);
582         else
583             return 8 << (val - 1);
584 
585     case USB_ENDPOINT_XFER_INT:
586         if (speed == USB_SPEED_HIGH)
587             if (val < 2)
588                 return 0;
589             else
590                 return 1 << (val - 1);
591         else
592             return val << 3;
593 
594     case USB_ENDPOINT_XFER_BULK:
595     case USB_ENDPOINT_XFER_ISOC:
596         if (val < 2)
597             return 0;
598         else if (speed == USB_SPEED_HIGH)
599             return 1 << (val - 1);
600         else
601             return 8 << (val - 1);
602         /* TODO: what with low-speed Bulk and Isochronous?  */
603     }
604 
605     hw_error("bad interval\n");
606 }
607 
608 static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
609                 int epnum, int pid, int len, USBCallback cb, int dir)
610 {
611     USBDevice *dev;
612     USBEndpoint *uep;
613     int idx = epnum && dir;
614     int id;
615     int ttype;
616 
617     /* ep->type[0,1] contains:
618      * in bits 7:6 the speed (0 - invalid, 1 - high, 2 - full, 3 - slow)
619      * in bits 5:4 the transfer type (BULK / INT)
620      * in bits 3:0 the EP num
621      */
622     ttype = epnum ? (ep->type[idx] >> 4) & 3 : 0;
623 
624     ep->timeout[dir] = musb_timeout(ttype,
625                     ep->type[idx] >> 6, ep->interval[idx]);
626     ep->interrupt[dir] = ttype == USB_ENDPOINT_XFER_INT;
627     ep->delayed_cb[dir] = cb;
628 
629     /* A wild guess on the FADDR semantics... */
630     dev = usb_find_device(&s->port, ep->faddr[idx]);
631     if (dev == NULL) {
632         return;
633     }
634     uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
635     id = pid | (dev->addr << 16) | (uep->nr << 8);
636     usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
637     usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
638     ep->packey[dir].ep = ep;
639     ep->packey[dir].dir = dir;
640 
641     usb_handle_packet(dev, &ep->packey[dir].p);
642 
643     if (ep->packey[dir].p.status == USB_RET_ASYNC) {
644         usb_device_flush_ep_queue(dev, uep);
645         ep->status[dir] = len;
646         return;
647     }
648 
649     if (ep->packey[dir].p.status == USB_RET_SUCCESS) {
650         ep->status[dir] = ep->packey[dir].p.actual_length;
651     } else {
652         ep->status[dir] = ep->packey[dir].p.status;
653     }
654     musb_schedule_cb(&s->port, &ep->packey[dir].p);
655 }
656 
657 static void musb_tx_packet_complete(USBPacket *packey, void *opaque)
658 {
659     /* Unfortunately we can't use packey->devep because that's the remote
660      * endpoint number and may be different than our local.  */
661     MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
662     int epnum = ep->epnum;
663     MUSBState *s = ep->musb;
664 
665     ep->fifostart[0] = 0;
666     ep->fifolen[0] = 0;
667 #ifdef CLEAR_NAK
668     if (ep->status[0] != USB_RET_NAK) {
669 #endif
670         if (epnum)
671             ep->csr[0] &= ~(MGC_M_TXCSR_FIFONOTEMPTY | MGC_M_TXCSR_TXPKTRDY);
672         else
673             ep->csr[0] &= ~MGC_M_CSR0_TXPKTRDY;
674 #ifdef CLEAR_NAK
675     }
676 #endif
677 
678     /* Clear all of the error bits first */
679     if (epnum)
680         ep->csr[0] &= ~(MGC_M_TXCSR_H_ERROR | MGC_M_TXCSR_H_RXSTALL |
681                         MGC_M_TXCSR_H_NAKTIMEOUT);
682     else
683         ep->csr[0] &= ~(MGC_M_CSR0_H_ERROR | MGC_M_CSR0_H_RXSTALL |
684                         MGC_M_CSR0_H_NAKTIMEOUT | MGC_M_CSR0_H_NO_PING);
685 
686     if (ep->status[0] == USB_RET_STALL) {
687         /* Command not supported by target! */
688         ep->status[0] = 0;
689 
690         if (epnum)
691             ep->csr[0] |= MGC_M_TXCSR_H_RXSTALL;
692         else
693             ep->csr[0] |= MGC_M_CSR0_H_RXSTALL;
694     }
695 
696     if (ep->status[0] == USB_RET_NAK) {
697         ep->status[0] = 0;
698 
699         /* NAK timeouts are only generated in Bulk transfers and
700          * Data-errors in Isochronous.  */
701         if (ep->interrupt[0]) {
702             return;
703         }
704 
705         if (epnum)
706             ep->csr[0] |= MGC_M_TXCSR_H_NAKTIMEOUT;
707         else
708             ep->csr[0] |= MGC_M_CSR0_H_NAKTIMEOUT;
709     }
710 
711     if (ep->status[0] < 0) {
712         if (ep->status[0] == USB_RET_BABBLE)
713             musb_intr_set(s, musb_irq_rst_babble, 1);
714 
715         /* Pretend we've tried three times already and failed (in
716          * case of USB_TOKEN_SETUP).  */
717         if (epnum)
718             ep->csr[0] |= MGC_M_TXCSR_H_ERROR;
719         else
720             ep->csr[0] |= MGC_M_CSR0_H_ERROR;
721 
722         musb_tx_intr_set(s, epnum, 1);
723         return;
724     }
725     /* TODO: check len for over/underruns of an OUT packet?  */
726 
727 #ifdef SETUPLEN_HACK
728     if (!epnum && ep->packey[0].pid == USB_TOKEN_SETUP)
729         s->setup_len = ep->packey[0].data[6];
730 #endif
731 
732     /* In DMA mode: if no error, assert DMA request for this EP,
733      * and skip the interrupt.  */
734     musb_tx_intr_set(s, epnum, 1);
735 }
736 
737 static void musb_rx_packet_complete(USBPacket *packey, void *opaque)
738 {
739     /* Unfortunately we can't use packey->devep because that's the remote
740      * endpoint number and may be different than our local.  */
741     MUSBEndPoint *ep = (MUSBEndPoint *) opaque;
742     int epnum = ep->epnum;
743     MUSBState *s = ep->musb;
744 
745     ep->fifostart[1] = 0;
746     ep->fifolen[1] = 0;
747 
748 #ifdef CLEAR_NAK
749     if (ep->status[1] != USB_RET_NAK) {
750 #endif
751         ep->csr[1] &= ~MGC_M_RXCSR_H_REQPKT;
752         if (!epnum)
753             ep->csr[0] &= ~MGC_M_CSR0_H_REQPKT;
754 #ifdef CLEAR_NAK
755     }
756 #endif
757 
758     /* Clear all of the imaginable error bits first */
759     ep->csr[1] &= ~(MGC_M_RXCSR_H_ERROR | MGC_M_RXCSR_H_RXSTALL |
760                     MGC_M_RXCSR_DATAERROR);
761     if (!epnum)
762         ep->csr[0] &= ~(MGC_M_CSR0_H_ERROR | MGC_M_CSR0_H_RXSTALL |
763                         MGC_M_CSR0_H_NAKTIMEOUT | MGC_M_CSR0_H_NO_PING);
764 
765     if (ep->status[1] == USB_RET_STALL) {
766         ep->status[1] = 0;
767 
768         ep->csr[1] |= MGC_M_RXCSR_H_RXSTALL;
769         if (!epnum)
770             ep->csr[0] |= MGC_M_CSR0_H_RXSTALL;
771     }
772 
773     if (ep->status[1] == USB_RET_NAK) {
774         ep->status[1] = 0;
775 
776         /* NAK timeouts are only generated in Bulk transfers and
777          * Data-errors in Isochronous.  */
778         if (ep->interrupt[1]) {
779             musb_packet(s, ep, epnum, USB_TOKEN_IN,
780                         packey->iov.size, musb_rx_packet_complete, 1);
781             return;
782         }
783 
784         ep->csr[1] |= MGC_M_RXCSR_DATAERROR;
785         if (!epnum)
786             ep->csr[0] |= MGC_M_CSR0_H_NAKTIMEOUT;
787     }
788 
789     if (ep->status[1] < 0) {
790         if (ep->status[1] == USB_RET_BABBLE) {
791             musb_intr_set(s, musb_irq_rst_babble, 1);
792             return;
793         }
794 
795         /* Pretend we've tried three times already and failed (in
796          * case of a control transfer).  */
797         ep->csr[1] |= MGC_M_RXCSR_H_ERROR;
798         if (!epnum)
799             ep->csr[0] |= MGC_M_CSR0_H_ERROR;
800 
801         musb_rx_intr_set(s, epnum, 1);
802         return;
803     }
804     /* TODO: check len for over/underruns of an OUT packet?  */
805     /* TODO: perhaps make use of e->ext_size[1] here.  */
806 
807     if (!(ep->csr[1] & (MGC_M_RXCSR_H_RXSTALL | MGC_M_RXCSR_DATAERROR))) {
808         ep->csr[1] |= MGC_M_RXCSR_FIFOFULL | MGC_M_RXCSR_RXPKTRDY;
809         if (!epnum)
810             ep->csr[0] |= MGC_M_CSR0_RXPKTRDY;
811 
812         ep->rxcount = ep->status[1]; /* XXX: MIN(packey->len, ep->maxp[1]); */
813         /* In DMA mode: assert DMA request for this EP */
814     }
815 
816     /* Only if DMA has not been asserted */
817     musb_rx_intr_set(s, epnum, 1);
818 }
819 
820 static void musb_async_cancel_device(MUSBState *s, USBDevice *dev)
821 {
822     int ep, dir;
823 
824     for (ep = 0; ep < 16; ep++) {
825         for (dir = 0; dir < 2; dir++) {
826             if (!usb_packet_is_inflight(&s->ep[ep].packey[dir].p) ||
827                 s->ep[ep].packey[dir].p.ep->dev != dev) {
828                 continue;
829             }
830             usb_cancel_packet(&s->ep[ep].packey[dir].p);
831             /* status updates needed here? */
832         }
833     }
834 }
835 
836 static void musb_tx_rdy(MUSBState *s, int epnum)
837 {
838     MUSBEndPoint *ep = s->ep + epnum;
839     int pid;
840     int total, valid = 0;
841     TRACE("start %d, len %d",  ep->fifostart[0], ep->fifolen[0] );
842     ep->fifostart[0] += ep->fifolen[0];
843     ep->fifolen[0] = 0;
844 
845     /* XXX: how's the total size of the packet retrieved exactly in
846      * the generic case?  */
847     total = ep->maxp[0] & 0x3ff;
848 
849     if (ep->ext_size[0]) {
850         total = ep->ext_size[0];
851         ep->ext_size[0] = 0;
852         valid = 1;
853     }
854 
855     /* If the packet is not fully ready yet, wait for a next segment.  */
856     if (epnum && (ep->fifostart[0]) < total)
857         return;
858 
859     if (!valid)
860         total = ep->fifostart[0];
861 
862     pid = USB_TOKEN_OUT;
863     if (!epnum && (ep->csr[0] & MGC_M_CSR0_H_SETUPPKT)) {
864         pid = USB_TOKEN_SETUP;
865         if (total != 8) {
866             TRACE("illegal SETUPPKT length of %i bytes", total);
867         }
868         /* Controller should retry SETUP packets three times on errors
869          * but it doesn't make sense for us to do that.  */
870     }
871 
872     musb_packet(s, ep, epnum, pid, total, musb_tx_packet_complete, 0);
873 }
874 
875 static void musb_rx_req(MUSBState *s, int epnum)
876 {
877     MUSBEndPoint *ep = s->ep + epnum;
878     int total;
879 
880     /* If we already have a packet, which didn't fit into the
881      * 64 bytes of the FIFO, only move the FIFO start and return. (Obsolete) */
882     if (ep->packey[1].p.pid == USB_TOKEN_IN && ep->status[1] >= 0 &&
883                     (ep->fifostart[1]) + ep->rxcount <
884                     ep->packey[1].p.iov.size) {
885         TRACE("0x%08x, %d",  ep->fifostart[1], ep->rxcount );
886         ep->fifostart[1] += ep->rxcount;
887         ep->fifolen[1] = 0;
888 
889         ep->rxcount = MIN(ep->packey[0].p.iov.size - (ep->fifostart[1]),
890                         ep->maxp[1]);
891 
892         ep->csr[1] &= ~MGC_M_RXCSR_H_REQPKT;
893         if (!epnum)
894             ep->csr[0] &= ~MGC_M_CSR0_H_REQPKT;
895 
896         /* Clear all of the error bits first */
897         ep->csr[1] &= ~(MGC_M_RXCSR_H_ERROR | MGC_M_RXCSR_H_RXSTALL |
898                         MGC_M_RXCSR_DATAERROR);
899         if (!epnum)
900             ep->csr[0] &= ~(MGC_M_CSR0_H_ERROR | MGC_M_CSR0_H_RXSTALL |
901                             MGC_M_CSR0_H_NAKTIMEOUT | MGC_M_CSR0_H_NO_PING);
902 
903         ep->csr[1] |= MGC_M_RXCSR_FIFOFULL | MGC_M_RXCSR_RXPKTRDY;
904         if (!epnum)
905             ep->csr[0] |= MGC_M_CSR0_RXPKTRDY;
906         musb_rx_intr_set(s, epnum, 1);
907         return;
908     }
909 
910     /* The driver sets maxp[1] to 64 or less because it knows the hardware
911      * FIFO is this deep.  Bigger packets get split in
912      * usb_generic_handle_packet but we can also do the splitting locally
913      * for performance.  It turns out we can also have a bigger FIFO and
914      * ignore the limit set in ep->maxp[1].  The Linux MUSB driver deals
915      * OK with single packets of even 32KB and we avoid splitting, however
916      * usb_msd.c sometimes sends a packet bigger than what Linux expects
917      * (e.g. 8192 bytes instead of 4096) and we get an OVERRUN.  Splitting
918      * hides this overrun from Linux.  Up to 4096 everything is fine
919      * though.  Currently this is disabled.
920      *
921      * XXX: mind ep->fifosize.  */
922     total = MIN(ep->maxp[1] & 0x3ff, sizeof(s->buf));
923 
924 #ifdef SETUPLEN_HACK
925     /* Why should *we* do that instead of Linux?  */
926     if (!epnum) {
927         if (ep->packey[0].p.devaddr == 2) {
928             total = MIN(s->setup_len, 8);
929         } else {
930             total = MIN(s->setup_len, 64);
931         }
932         s->setup_len -= total;
933     }
934 #endif
935 
936     musb_packet(s, ep, epnum, USB_TOKEN_IN, total, musb_rx_packet_complete, 1);
937 }
938 
939 static uint8_t musb_read_fifo(MUSBEndPoint *ep)
940 {
941     uint8_t value;
942     if (ep->fifolen[1] >= 64) {
943         /* We have a FIFO underrun */
944         TRACE("EP%d FIFO is now empty, stop reading", ep->epnum);
945         return 0x00000000;
946     }
947     /* In DMA mode clear RXPKTRDY and set REQPKT automatically
948      * (if AUTOREQ is set) */
949 
950     ep->csr[1] &= ~MGC_M_RXCSR_FIFOFULL;
951     value=ep->buf[1][ep->fifostart[1] + ep->fifolen[1] ++];
952     TRACE("EP%d 0x%02x, %d", ep->epnum, value, ep->fifolen[1] );
953     return value;
954 }
955 
956 static void musb_write_fifo(MUSBEndPoint *ep, uint8_t value)
957 {
958     TRACE("EP%d = %02x", ep->epnum, value);
959     if (ep->fifolen[0] >= 64) {
960         /* We have a FIFO overrun */
961         TRACE("EP%d FIFO exceeded 64 bytes, stop feeding data", ep->epnum);
962         return;
963      }
964 
965      ep->buf[0][ep->fifostart[0] + ep->fifolen[0] ++] = value;
966      ep->csr[0] |= MGC_M_TXCSR_FIFONOTEMPTY;
967 }
968 
969 static void musb_ep_frame_cancel(MUSBEndPoint *ep, int dir)
970 {
971     if (ep->intv_timer[dir])
972         timer_del(ep->intv_timer[dir]);
973 }
974 
975 /* Bus control */
976 static uint8_t musb_busctl_readb(void *opaque, int ep, int addr)
977 {
978     MUSBState *s = (MUSBState *) opaque;
979 
980     switch (addr) {
981     /* For USB2.0 HS hubs only */
982     case MUSB_HDRC_TXHUBADDR:
983         return s->ep[ep].haddr[0];
984     case MUSB_HDRC_TXHUBPORT:
985         return s->ep[ep].hport[0];
986     case MUSB_HDRC_RXHUBADDR:
987         return s->ep[ep].haddr[1];
988     case MUSB_HDRC_RXHUBPORT:
989         return s->ep[ep].hport[1];
990 
991     default:
992         TRACE("unknown register 0x%02x", addr);
993         return 0x00;
994     };
995 }
996 
997 static void musb_busctl_writeb(void *opaque, int ep, int addr, uint8_t value)
998 {
999     MUSBState *s = (MUSBState *) opaque;
1000 
1001     switch (addr) {
1002     case MUSB_HDRC_TXFUNCADDR:
1003         s->ep[ep].faddr[0] = value;
1004         break;
1005     case MUSB_HDRC_RXFUNCADDR:
1006         s->ep[ep].faddr[1] = value;
1007         break;
1008     case MUSB_HDRC_TXHUBADDR:
1009         s->ep[ep].haddr[0] = value;
1010         break;
1011     case MUSB_HDRC_TXHUBPORT:
1012         s->ep[ep].hport[0] = value;
1013         break;
1014     case MUSB_HDRC_RXHUBADDR:
1015         s->ep[ep].haddr[1] = value;
1016         break;
1017     case MUSB_HDRC_RXHUBPORT:
1018         s->ep[ep].hport[1] = value;
1019         break;
1020 
1021     default:
1022         TRACE("unknown register 0x%02x", addr);
1023         break;
1024     };
1025 }
1026 
1027 static uint16_t musb_busctl_readh(void *opaque, int ep, int addr)
1028 {
1029     MUSBState *s = (MUSBState *) opaque;
1030 
1031     switch (addr) {
1032     case MUSB_HDRC_TXFUNCADDR:
1033         return s->ep[ep].faddr[0];
1034     case MUSB_HDRC_RXFUNCADDR:
1035         return s->ep[ep].faddr[1];
1036 
1037     default:
1038         return musb_busctl_readb(s, ep, addr) |
1039                 (musb_busctl_readb(s, ep, addr | 1) << 8);
1040     };
1041 }
1042 
1043 static void musb_busctl_writeh(void *opaque, int ep, int addr, uint16_t value)
1044 {
1045     MUSBState *s = (MUSBState *) opaque;
1046 
1047     switch (addr) {
1048     case MUSB_HDRC_TXFUNCADDR:
1049         s->ep[ep].faddr[0] = value;
1050         break;
1051     case MUSB_HDRC_RXFUNCADDR:
1052         s->ep[ep].faddr[1] = value;
1053         break;
1054 
1055     default:
1056         musb_busctl_writeb(s, ep, addr, value & 0xff);
1057         musb_busctl_writeb(s, ep, addr | 1, value >> 8);
1058     };
1059 }
1060 
1061 /* Endpoint control */
1062 static uint8_t musb_ep_readb(void *opaque, int ep, int addr)
1063 {
1064     MUSBState *s = (MUSBState *) opaque;
1065 
1066     switch (addr) {
1067     case MUSB_HDRC_TXTYPE:
1068         return s->ep[ep].type[0];
1069     case MUSB_HDRC_TXINTERVAL:
1070         return s->ep[ep].interval[0];
1071     case MUSB_HDRC_RXTYPE:
1072         return s->ep[ep].type[1];
1073     case MUSB_HDRC_RXINTERVAL:
1074         return s->ep[ep].interval[1];
1075     case (MUSB_HDRC_FIFOSIZE & ~1):
1076         return 0x00;
1077     case MUSB_HDRC_FIFOSIZE:
1078         return ep ? s->ep[ep].fifosize : s->ep[ep].config;
1079     case MUSB_HDRC_RXCOUNT:
1080         return s->ep[ep].rxcount;
1081 
1082     default:
1083         TRACE("unknown register 0x%02x", addr);
1084         return 0x00;
1085     };
1086 }
1087 
1088 static void musb_ep_writeb(void *opaque, int ep, int addr, uint8_t value)
1089 {
1090     MUSBState *s = (MUSBState *) opaque;
1091 
1092     switch (addr) {
1093     case MUSB_HDRC_TXTYPE:
1094         s->ep[ep].type[0] = value;
1095         break;
1096     case MUSB_HDRC_TXINTERVAL:
1097         s->ep[ep].interval[0] = value;
1098         musb_ep_frame_cancel(&s->ep[ep], 0);
1099         break;
1100     case MUSB_HDRC_RXTYPE:
1101         s->ep[ep].type[1] = value;
1102         break;
1103     case MUSB_HDRC_RXINTERVAL:
1104         s->ep[ep].interval[1] = value;
1105         musb_ep_frame_cancel(&s->ep[ep], 1);
1106         break;
1107     case (MUSB_HDRC_FIFOSIZE & ~1):
1108         break;
1109     case MUSB_HDRC_FIFOSIZE:
1110         TRACE("somebody messes with fifosize (now %i bytes)", value);
1111         s->ep[ep].fifosize = value;
1112         break;
1113     default:
1114         TRACE("unknown register 0x%02x", addr);
1115         break;
1116     };
1117 }
1118 
1119 static uint16_t musb_ep_readh(void *opaque, int ep, int addr)
1120 {
1121     MUSBState *s = (MUSBState *) opaque;
1122     uint16_t ret;
1123 
1124     switch (addr) {
1125     case MUSB_HDRC_TXMAXP:
1126         return s->ep[ep].maxp[0];
1127     case MUSB_HDRC_TXCSR:
1128         return s->ep[ep].csr[0];
1129     case MUSB_HDRC_RXMAXP:
1130         return s->ep[ep].maxp[1];
1131     case MUSB_HDRC_RXCSR:
1132         ret = s->ep[ep].csr[1];
1133 
1134         /* TODO: This and other bits probably depend on
1135          * ep->csr[1] & MGC_M_RXCSR_AUTOCLEAR.  */
1136         if (s->ep[ep].csr[1] & MGC_M_RXCSR_AUTOCLEAR)
1137             s->ep[ep].csr[1] &= ~MGC_M_RXCSR_RXPKTRDY;
1138 
1139         return ret;
1140     case MUSB_HDRC_RXCOUNT:
1141         return s->ep[ep].rxcount;
1142 
1143     default:
1144         return musb_ep_readb(s, ep, addr) |
1145                 (musb_ep_readb(s, ep, addr | 1) << 8);
1146     };
1147 }
1148 
1149 static void musb_ep_writeh(void *opaque, int ep, int addr, uint16_t value)
1150 {
1151     MUSBState *s = (MUSBState *) opaque;
1152 
1153     switch (addr) {
1154     case MUSB_HDRC_TXMAXP:
1155         s->ep[ep].maxp[0] = value;
1156         break;
1157     case MUSB_HDRC_TXCSR:
1158         if (ep) {
1159             s->ep[ep].csr[0] &= value & 0xa6;
1160             s->ep[ep].csr[0] |= value & 0xff59;
1161         } else {
1162             s->ep[ep].csr[0] &= value & 0x85;
1163             s->ep[ep].csr[0] |= value & 0xf7a;
1164         }
1165 
1166         musb_ep_frame_cancel(&s->ep[ep], 0);
1167 
1168         if ((ep && (value & MGC_M_TXCSR_FLUSHFIFO)) ||
1169                         (!ep && (value & MGC_M_CSR0_FLUSHFIFO))) {
1170             s->ep[ep].fifolen[0] = 0;
1171             s->ep[ep].fifostart[0] = 0;
1172             if (ep)
1173                 s->ep[ep].csr[0] &=
1174                         ~(MGC_M_TXCSR_FIFONOTEMPTY | MGC_M_TXCSR_TXPKTRDY);
1175             else
1176                 s->ep[ep].csr[0] &=
1177                         ~(MGC_M_CSR0_TXPKTRDY | MGC_M_CSR0_RXPKTRDY);
1178         }
1179         if (
1180                         (ep &&
1181 #ifdef CLEAR_NAK
1182                          (value & MGC_M_TXCSR_TXPKTRDY) &&
1183                          !(value & MGC_M_TXCSR_H_NAKTIMEOUT)) ||
1184 #else
1185                          (value & MGC_M_TXCSR_TXPKTRDY)) ||
1186 #endif
1187                         (!ep &&
1188 #ifdef CLEAR_NAK
1189                          (value & MGC_M_CSR0_TXPKTRDY) &&
1190                          !(value & MGC_M_CSR0_H_NAKTIMEOUT)))
1191 #else
1192                          (value & MGC_M_CSR0_TXPKTRDY)))
1193 #endif
1194             musb_tx_rdy(s, ep);
1195         if (!ep &&
1196                         (value & MGC_M_CSR0_H_REQPKT) &&
1197 #ifdef CLEAR_NAK
1198                         !(value & (MGC_M_CSR0_H_NAKTIMEOUT |
1199                                         MGC_M_CSR0_RXPKTRDY)))
1200 #else
1201                         !(value & MGC_M_CSR0_RXPKTRDY))
1202 #endif
1203             musb_rx_req(s, ep);
1204         break;
1205 
1206     case MUSB_HDRC_RXMAXP:
1207         s->ep[ep].maxp[1] = value;
1208         break;
1209     case MUSB_HDRC_RXCSR:
1210         /* (DMA mode only) */
1211         if (
1212                 (value & MGC_M_RXCSR_H_AUTOREQ) &&
1213                 !(value & MGC_M_RXCSR_RXPKTRDY) &&
1214                 (s->ep[ep].csr[1] & MGC_M_RXCSR_RXPKTRDY))
1215             value |= MGC_M_RXCSR_H_REQPKT;
1216 
1217         s->ep[ep].csr[1] &= 0x102 | (value & 0x4d);
1218         s->ep[ep].csr[1] |= value & 0xfeb0;
1219 
1220         musb_ep_frame_cancel(&s->ep[ep], 1);
1221 
1222         if (value & MGC_M_RXCSR_FLUSHFIFO) {
1223             s->ep[ep].fifolen[1] = 0;
1224             s->ep[ep].fifostart[1] = 0;
1225             s->ep[ep].csr[1] &= ~(MGC_M_RXCSR_FIFOFULL | MGC_M_RXCSR_RXPKTRDY);
1226             /* If double buffering and we have two packets ready, flush
1227              * only the first one and set up the fifo at the second packet.  */
1228         }
1229 #ifdef CLEAR_NAK
1230         if ((value & MGC_M_RXCSR_H_REQPKT) && !(value & MGC_M_RXCSR_DATAERROR))
1231 #else
1232         if (value & MGC_M_RXCSR_H_REQPKT)
1233 #endif
1234             musb_rx_req(s, ep);
1235         break;
1236     case MUSB_HDRC_RXCOUNT:
1237         s->ep[ep].rxcount = value;
1238         break;
1239 
1240     default:
1241         musb_ep_writeb(s, ep, addr, value & 0xff);
1242         musb_ep_writeb(s, ep, addr | 1, value >> 8);
1243     };
1244 }
1245 
1246 /* Generic control */
1247 static uint32_t musb_readb(void *opaque, hwaddr addr)
1248 {
1249     MUSBState *s = (MUSBState *) opaque;
1250     int ep, i;
1251     uint8_t ret;
1252 
1253     switch (addr) {
1254     case MUSB_HDRC_FADDR:
1255         return s->faddr;
1256     case MUSB_HDRC_POWER:
1257         return s->power;
1258     case MUSB_HDRC_INTRUSB:
1259         ret = s->intr;
1260         for (i = 0; i < sizeof(ret) * 8; i ++)
1261             if (ret & (1 << i))
1262                 musb_intr_set(s, i, 0);
1263         return ret;
1264     case MUSB_HDRC_INTRUSBE:
1265         return s->mask;
1266     case MUSB_HDRC_INDEX:
1267         return s->idx;
1268     case MUSB_HDRC_TESTMODE:
1269         return 0x00;
1270 
1271     case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1272         return musb_ep_readb(s, s->idx, addr & 0xf);
1273 
1274     case MUSB_HDRC_DEVCTL:
1275         return s->devctl;
1276 
1277     case MUSB_HDRC_TXFIFOSZ:
1278     case MUSB_HDRC_RXFIFOSZ:
1279     case MUSB_HDRC_VCTRL:
1280         /* TODO */
1281         return 0x00;
1282 
1283     case MUSB_HDRC_HWVERS:
1284         return (1 << 10) | 400;
1285 
1286     case (MUSB_HDRC_VCTRL | 1):
1287     case (MUSB_HDRC_HWVERS | 1):
1288     case (MUSB_HDRC_DEVCTL | 1):
1289         return 0x00;
1290 
1291     case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1292         ep = (addr >> 3) & 0xf;
1293         return musb_busctl_readb(s, ep, addr & 0x7);
1294 
1295     case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1296         ep = (addr >> 4) & 0xf;
1297         return musb_ep_readb(s, ep, addr & 0xf);
1298 
1299     case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1300         ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1301         return musb_read_fifo(s->ep + ep);
1302 
1303     default:
1304         TRACE("unknown register 0x%02x", (int) addr);
1305         return 0x00;
1306     };
1307 }
1308 
1309 static void musb_writeb(void *opaque, hwaddr addr, uint32_t value)
1310 {
1311     MUSBState *s = (MUSBState *) opaque;
1312     int ep;
1313 
1314     switch (addr) {
1315     case MUSB_HDRC_FADDR:
1316         s->faddr = value & 0x7f;
1317         break;
1318     case MUSB_HDRC_POWER:
1319         s->power = (value & 0xef) | (s->power & 0x10);
1320         /* MGC_M_POWER_RESET is also read-only in Peripheral Mode */
1321         if ((value & MGC_M_POWER_RESET) && s->port.dev) {
1322             usb_device_reset(s->port.dev);
1323             /* Negotiate high-speed operation if MGC_M_POWER_HSENAB is set.  */
1324             if ((value & MGC_M_POWER_HSENAB) &&
1325                             s->port.dev->speed == USB_SPEED_HIGH)
1326                 s->power |= MGC_M_POWER_HSMODE;	/* Success */
1327             /* Restart frame counting.  */
1328         }
1329         if (value & MGC_M_POWER_SUSPENDM) {
1330             /* When all transfers finish, suspend and if MGC_M_POWER_ENSUSPEND
1331              * is set, also go into low power mode.  Frame counting stops.  */
1332             /* XXX: Cleared when the interrupt register is read */
1333         }
1334         if (value & MGC_M_POWER_RESUME) {
1335             /* Wait 20ms and signal resuming on the bus.  Frame counting
1336              * restarts.  */
1337         }
1338         break;
1339     case MUSB_HDRC_INTRUSB:
1340         break;
1341     case MUSB_HDRC_INTRUSBE:
1342         s->mask = value & 0xff;
1343         break;
1344     case MUSB_HDRC_INDEX:
1345         s->idx = value & 0xf;
1346         break;
1347     case MUSB_HDRC_TESTMODE:
1348         break;
1349 
1350     case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1351         musb_ep_writeb(s, s->idx, addr & 0xf, value);
1352         break;
1353 
1354     case MUSB_HDRC_DEVCTL:
1355         s->session = !!(value & MGC_M_DEVCTL_SESSION);
1356         musb_session_update(s,
1357                         !!s->port.dev,
1358                         !!(s->devctl & MGC_M_DEVCTL_SESSION));
1359 
1360         /* It seems this is the only R/W bit in this register?  */
1361         s->devctl &= ~MGC_M_DEVCTL_SESSION;
1362         s->devctl |= value & MGC_M_DEVCTL_SESSION;
1363         break;
1364 
1365     case MUSB_HDRC_TXFIFOSZ:
1366     case MUSB_HDRC_RXFIFOSZ:
1367     case MUSB_HDRC_VCTRL:
1368         /* TODO */
1369         break;
1370 
1371     case (MUSB_HDRC_VCTRL | 1):
1372     case (MUSB_HDRC_DEVCTL | 1):
1373         break;
1374 
1375     case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1376         ep = (addr >> 3) & 0xf;
1377         musb_busctl_writeb(s, ep, addr & 0x7, value);
1378         break;
1379 
1380     case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1381         ep = (addr >> 4) & 0xf;
1382         musb_ep_writeb(s, ep, addr & 0xf, value);
1383         break;
1384 
1385     case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1386         ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1387         musb_write_fifo(s->ep + ep, value & 0xff);
1388         break;
1389 
1390     default:
1391         TRACE("unknown register 0x%02x", (int) addr);
1392         break;
1393     };
1394 }
1395 
1396 static uint32_t musb_readh(void *opaque, hwaddr addr)
1397 {
1398     MUSBState *s = (MUSBState *) opaque;
1399     int ep, i;
1400     uint16_t ret;
1401 
1402     switch (addr) {
1403     case MUSB_HDRC_INTRTX:
1404         ret = s->tx_intr;
1405         /* Auto clear */
1406         for (i = 0; i < sizeof(ret) * 8; i ++)
1407             if (ret & (1 << i))
1408                 musb_tx_intr_set(s, i, 0);
1409         return ret;
1410     case MUSB_HDRC_INTRRX:
1411         ret = s->rx_intr;
1412         /* Auto clear */
1413         for (i = 0; i < sizeof(ret) * 8; i ++)
1414             if (ret & (1 << i))
1415                 musb_rx_intr_set(s, i, 0);
1416         return ret;
1417     case MUSB_HDRC_INTRTXE:
1418         return s->tx_mask;
1419     case MUSB_HDRC_INTRRXE:
1420         return s->rx_mask;
1421 
1422     case MUSB_HDRC_FRAME:
1423         /* TODO */
1424         return 0x0000;
1425     case MUSB_HDRC_TXFIFOADDR:
1426         return s->ep[s->idx].fifoaddr[0];
1427     case MUSB_HDRC_RXFIFOADDR:
1428         return s->ep[s->idx].fifoaddr[1];
1429 
1430     case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1431         return musb_ep_readh(s, s->idx, addr & 0xf);
1432 
1433     case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1434         ep = (addr >> 3) & 0xf;
1435         return musb_busctl_readh(s, ep, addr & 0x7);
1436 
1437     case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1438         ep = (addr >> 4) & 0xf;
1439         return musb_ep_readh(s, ep, addr & 0xf);
1440 
1441     case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1442         ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1443         return (musb_read_fifo(s->ep + ep) | musb_read_fifo(s->ep + ep) << 8);
1444 
1445     default:
1446         return musb_readb(s, addr) | (musb_readb(s, addr | 1) << 8);
1447     };
1448 }
1449 
1450 static void musb_writeh(void *opaque, hwaddr addr, uint32_t value)
1451 {
1452     MUSBState *s = (MUSBState *) opaque;
1453     int ep;
1454 
1455     switch (addr) {
1456     case MUSB_HDRC_INTRTXE:
1457         s->tx_mask = value;
1458         /* XXX: the masks seem to apply on the raising edge like with
1459          * edge-triggered interrupts, thus no need to update.  I may be
1460          * wrong though.  */
1461         break;
1462     case MUSB_HDRC_INTRRXE:
1463         s->rx_mask = value;
1464         break;
1465 
1466     case MUSB_HDRC_FRAME:
1467         /* TODO */
1468         break;
1469     case MUSB_HDRC_TXFIFOADDR:
1470         s->ep[s->idx].fifoaddr[0] = value;
1471         s->ep[s->idx].buf[0] =
1472                 s->buf + ((value << 3) & 0x7ff );
1473         break;
1474     case MUSB_HDRC_RXFIFOADDR:
1475         s->ep[s->idx].fifoaddr[1] = value;
1476         s->ep[s->idx].buf[1] =
1477                 s->buf + ((value << 3) & 0x7ff);
1478         break;
1479 
1480     case MUSB_HDRC_EP_IDX ... (MUSB_HDRC_EP_IDX + 0xf):
1481         musb_ep_writeh(s, s->idx, addr & 0xf, value);
1482         break;
1483 
1484     case MUSB_HDRC_BUSCTL ... (MUSB_HDRC_BUSCTL + 0x7f):
1485         ep = (addr >> 3) & 0xf;
1486         musb_busctl_writeh(s, ep, addr & 0x7, value);
1487         break;
1488 
1489     case MUSB_HDRC_EP ... (MUSB_HDRC_EP + 0xff):
1490         ep = (addr >> 4) & 0xf;
1491         musb_ep_writeh(s, ep, addr & 0xf, value);
1492         break;
1493 
1494     case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1495         ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1496         musb_write_fifo(s->ep + ep, value & 0xff);
1497         musb_write_fifo(s->ep + ep, (value >> 8) & 0xff);
1498         break;
1499 
1500     default:
1501         musb_writeb(s, addr, value & 0xff);
1502         musb_writeb(s, addr | 1, value >> 8);
1503     };
1504 }
1505 
1506 static uint32_t musb_readw(void *opaque, hwaddr addr)
1507 {
1508     MUSBState *s = (MUSBState *) opaque;
1509     int ep;
1510 
1511     switch (addr) {
1512     case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1513         ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1514         return ( musb_read_fifo(s->ep + ep)       |
1515                  musb_read_fifo(s->ep + ep) << 8  |
1516                  musb_read_fifo(s->ep + ep) << 16 |
1517                  musb_read_fifo(s->ep + ep) << 24 );
1518     default:
1519         TRACE("unknown register 0x%02x", (int) addr);
1520         return 0x00000000;
1521     };
1522 }
1523 
1524 static void musb_writew(void *opaque, hwaddr addr, uint32_t value)
1525 {
1526     MUSBState *s = (MUSBState *) opaque;
1527     int ep;
1528 
1529     switch (addr) {
1530     case MUSB_HDRC_FIFO ... (MUSB_HDRC_FIFO + 0x3f):
1531         ep = ((addr - MUSB_HDRC_FIFO) >> 2) & 0xf;
1532         musb_write_fifo(s->ep + ep, value & 0xff);
1533         musb_write_fifo(s->ep + ep, (value >> 8 ) & 0xff);
1534         musb_write_fifo(s->ep + ep, (value >> 16) & 0xff);
1535         musb_write_fifo(s->ep + ep, (value >> 24) & 0xff);
1536             break;
1537     default:
1538         TRACE("unknown register 0x%02x", (int) addr);
1539         break;
1540     };
1541 }
1542 
1543 MUSBReadFunc * const musb_read[] = {
1544     musb_readb,
1545     musb_readh,
1546     musb_readw,
1547 };
1548 
1549 MUSBWriteFunc * const musb_write[] = {
1550     musb_writeb,
1551     musb_writeh,
1552     musb_writew,
1553 };
1554