xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision 56c4bfb3)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26 */
27 
28 #include "hw/hw.h"
29 #include "qemu/timer.h"
30 #include "hw/usb.h"
31 #include "hw/pci/pci.h"
32 #include "hw/sysbus.h"
33 #include "hw/qdev-dma.h"
34 
35 //#define DEBUG_OHCI
36 /* Dump packet contents.  */
37 //#define DEBUG_PACKET
38 //#define DEBUG_ISOCH
39 /* This causes frames to occur 1000x slower */
40 //#define OHCI_TIME_WARP 1
41 
42 #ifdef DEBUG_OHCI
43 #define DPRINTF printf
44 #else
45 #define DPRINTF(...)
46 #endif
47 
48 /* Number of Downstream Ports on the root hub.  */
49 
50 #define OHCI_MAX_PORTS 15
51 
52 static int64_t usb_frame_time;
53 static int64_t usb_bit_time;
54 
55 typedef struct OHCIPort {
56     USBPort port;
57     uint32_t ctrl;
58 } OHCIPort;
59 
60 typedef struct {
61     USBBus bus;
62     qemu_irq irq;
63     MemoryRegion mem;
64     AddressSpace *as;
65     int num_ports;
66     const char *name;
67 
68     QEMUTimer *eof_timer;
69     int64_t sof_time;
70 
71     /* OHCI state */
72     /* Control partition */
73     uint32_t ctl, status;
74     uint32_t intr_status;
75     uint32_t intr;
76 
77     /* memory pointer partition */
78     uint32_t hcca;
79     uint32_t ctrl_head, ctrl_cur;
80     uint32_t bulk_head, bulk_cur;
81     uint32_t per_cur;
82     uint32_t done;
83     int done_count;
84 
85     /* Frame counter partition */
86     uint32_t fsmps:15;
87     uint32_t fit:1;
88     uint32_t fi:14;
89     uint32_t frt:1;
90     uint16_t frame_number;
91     uint16_t padding;
92     uint32_t pstart;
93     uint32_t lst;
94 
95     /* Root Hub partition */
96     uint32_t rhdesc_a, rhdesc_b;
97     uint32_t rhstatus;
98     OHCIPort rhport[OHCI_MAX_PORTS];
99 
100     /* PXA27x Non-OHCI events */
101     uint32_t hstatus;
102     uint32_t hmask;
103     uint32_t hreset;
104     uint32_t htest;
105 
106     /* SM501 local memory offset */
107     dma_addr_t localmem_base;
108 
109     /* Active packets.  */
110     uint32_t old_ctl;
111     USBPacket usb_packet;
112     uint8_t usb_buf[8192];
113     uint32_t async_td;
114     int async_complete;
115 
116 } OHCIState;
117 
118 /* Host Controller Communications Area */
119 struct ohci_hcca {
120     uint32_t intr[32];
121     uint16_t frame, pad;
122     uint32_t done;
123 };
124 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
125 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
126 
127 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
128 #define ED_WBACK_SIZE   4
129 
130 static void ohci_bus_stop(OHCIState *ohci);
131 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
132 
133 /* Bitfields for the first word of an Endpoint Desciptor.  */
134 #define OHCI_ED_FA_SHIFT  0
135 #define OHCI_ED_FA_MASK   (0x7f<<OHCI_ED_FA_SHIFT)
136 #define OHCI_ED_EN_SHIFT  7
137 #define OHCI_ED_EN_MASK   (0xf<<OHCI_ED_EN_SHIFT)
138 #define OHCI_ED_D_SHIFT   11
139 #define OHCI_ED_D_MASK    (3<<OHCI_ED_D_SHIFT)
140 #define OHCI_ED_S         (1<<13)
141 #define OHCI_ED_K         (1<<14)
142 #define OHCI_ED_F         (1<<15)
143 #define OHCI_ED_MPS_SHIFT 16
144 #define OHCI_ED_MPS_MASK  (0x7ff<<OHCI_ED_MPS_SHIFT)
145 
146 /* Flags in the head field of an Endpoint Desciptor.  */
147 #define OHCI_ED_H         1
148 #define OHCI_ED_C         2
149 
150 /* Bitfields for the first word of a Transfer Desciptor.  */
151 #define OHCI_TD_R         (1<<18)
152 #define OHCI_TD_DP_SHIFT  19
153 #define OHCI_TD_DP_MASK   (3<<OHCI_TD_DP_SHIFT)
154 #define OHCI_TD_DI_SHIFT  21
155 #define OHCI_TD_DI_MASK   (7<<OHCI_TD_DI_SHIFT)
156 #define OHCI_TD_T0        (1<<24)
157 #define OHCI_TD_T1        (1<<25)
158 #define OHCI_TD_EC_SHIFT  26
159 #define OHCI_TD_EC_MASK   (3<<OHCI_TD_EC_SHIFT)
160 #define OHCI_TD_CC_SHIFT  28
161 #define OHCI_TD_CC_MASK   (0xf<<OHCI_TD_CC_SHIFT)
162 
163 /* Bitfields for the first word of an Isochronous Transfer Desciptor.  */
164 /* CC & DI - same as in the General Transfer Desciptor */
165 #define OHCI_TD_SF_SHIFT  0
166 #define OHCI_TD_SF_MASK   (0xffff<<OHCI_TD_SF_SHIFT)
167 #define OHCI_TD_FC_SHIFT  24
168 #define OHCI_TD_FC_MASK   (7<<OHCI_TD_FC_SHIFT)
169 
170 /* Isochronous Transfer Desciptor - Offset / PacketStatusWord */
171 #define OHCI_TD_PSW_CC_SHIFT 12
172 #define OHCI_TD_PSW_CC_MASK  (0xf<<OHCI_TD_PSW_CC_SHIFT)
173 #define OHCI_TD_PSW_SIZE_SHIFT 0
174 #define OHCI_TD_PSW_SIZE_MASK  (0xfff<<OHCI_TD_PSW_SIZE_SHIFT)
175 
176 #define OHCI_PAGE_MASK    0xfffff000
177 #define OHCI_OFFSET_MASK  0xfff
178 
179 #define OHCI_DPTR_MASK    0xfffffff0
180 
181 #define OHCI_BM(val, field) \
182   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
183 
184 #define OHCI_SET_BM(val, field, newval) do { \
185     val &= ~OHCI_##field##_MASK; \
186     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
187     } while(0)
188 
189 /* endpoint descriptor */
190 struct ohci_ed {
191     uint32_t flags;
192     uint32_t tail;
193     uint32_t head;
194     uint32_t next;
195 };
196 
197 /* General transfer descriptor */
198 struct ohci_td {
199     uint32_t flags;
200     uint32_t cbp;
201     uint32_t next;
202     uint32_t be;
203 };
204 
205 /* Isochronous transfer descriptor */
206 struct ohci_iso_td {
207     uint32_t flags;
208     uint32_t bp;
209     uint32_t next;
210     uint32_t be;
211     uint16_t offset[8];
212 };
213 
214 #define USB_HZ                      12000000
215 
216 /* OHCI Local stuff */
217 #define OHCI_CTL_CBSR         ((1<<0)|(1<<1))
218 #define OHCI_CTL_PLE          (1<<2)
219 #define OHCI_CTL_IE           (1<<3)
220 #define OHCI_CTL_CLE          (1<<4)
221 #define OHCI_CTL_BLE          (1<<5)
222 #define OHCI_CTL_HCFS         ((1<<6)|(1<<7))
223 #define  OHCI_USB_RESET       0x00
224 #define  OHCI_USB_RESUME      0x40
225 #define  OHCI_USB_OPERATIONAL 0x80
226 #define  OHCI_USB_SUSPEND     0xc0
227 #define OHCI_CTL_IR           (1<<8)
228 #define OHCI_CTL_RWC          (1<<9)
229 #define OHCI_CTL_RWE          (1<<10)
230 
231 #define OHCI_STATUS_HCR       (1<<0)
232 #define OHCI_STATUS_CLF       (1<<1)
233 #define OHCI_STATUS_BLF       (1<<2)
234 #define OHCI_STATUS_OCR       (1<<3)
235 #define OHCI_STATUS_SOC       ((1<<6)|(1<<7))
236 
237 #define OHCI_INTR_SO          (1<<0) /* Scheduling overrun */
238 #define OHCI_INTR_WD          (1<<1) /* HcDoneHead writeback */
239 #define OHCI_INTR_SF          (1<<2) /* Start of frame */
240 #define OHCI_INTR_RD          (1<<3) /* Resume detect */
241 #define OHCI_INTR_UE          (1<<4) /* Unrecoverable error */
242 #define OHCI_INTR_FNO         (1<<5) /* Frame number overflow */
243 #define OHCI_INTR_RHSC        (1<<6) /* Root hub status change */
244 #define OHCI_INTR_OC          (1<<30) /* Ownership change */
245 #define OHCI_INTR_MIE         (1<<31) /* Master Interrupt Enable */
246 
247 #define OHCI_HCCA_SIZE        0x100
248 #define OHCI_HCCA_MASK        0xffffff00
249 
250 #define OHCI_EDPTR_MASK       0xfffffff0
251 
252 #define OHCI_FMI_FI           0x00003fff
253 #define OHCI_FMI_FSMPS        0xffff0000
254 #define OHCI_FMI_FIT          0x80000000
255 
256 #define OHCI_FR_RT            (1<<31)
257 
258 #define OHCI_LS_THRESH        0x628
259 
260 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
261 #define OHCI_RHA_PSM          (1<<8)
262 #define OHCI_RHA_NPS          (1<<9)
263 #define OHCI_RHA_DT           (1<<10)
264 #define OHCI_RHA_OCPM         (1<<11)
265 #define OHCI_RHA_NOCP         (1<<12)
266 #define OHCI_RHA_POTPGT_MASK  0xff000000
267 
268 #define OHCI_RHS_LPS          (1<<0)
269 #define OHCI_RHS_OCI          (1<<1)
270 #define OHCI_RHS_DRWE         (1<<15)
271 #define OHCI_RHS_LPSC         (1<<16)
272 #define OHCI_RHS_OCIC         (1<<17)
273 #define OHCI_RHS_CRWE         (1<<31)
274 
275 #define OHCI_PORT_CCS         (1<<0)
276 #define OHCI_PORT_PES         (1<<1)
277 #define OHCI_PORT_PSS         (1<<2)
278 #define OHCI_PORT_POCI        (1<<3)
279 #define OHCI_PORT_PRS         (1<<4)
280 #define OHCI_PORT_PPS         (1<<8)
281 #define OHCI_PORT_LSDA        (1<<9)
282 #define OHCI_PORT_CSC         (1<<16)
283 #define OHCI_PORT_PESC        (1<<17)
284 #define OHCI_PORT_PSSC        (1<<18)
285 #define OHCI_PORT_OCIC        (1<<19)
286 #define OHCI_PORT_PRSC        (1<<20)
287 #define OHCI_PORT_WTC         (OHCI_PORT_CSC|OHCI_PORT_PESC|OHCI_PORT_PSSC \
288                                |OHCI_PORT_OCIC|OHCI_PORT_PRSC)
289 
290 #define OHCI_TD_DIR_SETUP     0x0
291 #define OHCI_TD_DIR_OUT       0x1
292 #define OHCI_TD_DIR_IN        0x2
293 #define OHCI_TD_DIR_RESERVED  0x3
294 
295 #define OHCI_CC_NOERROR             0x0
296 #define OHCI_CC_CRC                 0x1
297 #define OHCI_CC_BITSTUFFING         0x2
298 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
299 #define OHCI_CC_STALL               0x4
300 #define OHCI_CC_DEVICENOTRESPONDING 0x5
301 #define OHCI_CC_PIDCHECKFAILURE     0x6
302 #define OHCI_CC_UNDEXPETEDPID       0x7
303 #define OHCI_CC_DATAOVERRUN         0x8
304 #define OHCI_CC_DATAUNDERRUN        0x9
305 #define OHCI_CC_BUFFEROVERRUN       0xc
306 #define OHCI_CC_BUFFERUNDERRUN      0xd
307 
308 #define OHCI_HRESET_FSBIR       (1 << 0)
309 
310 static void ohci_die(OHCIState *ohci);
311 
312 /* Update IRQ levels */
313 static inline void ohci_intr_update(OHCIState *ohci)
314 {
315     int level = 0;
316 
317     if ((ohci->intr & OHCI_INTR_MIE) &&
318         (ohci->intr_status & ohci->intr))
319         level = 1;
320 
321     qemu_set_irq(ohci->irq, level);
322 }
323 
324 /* Set an interrupt */
325 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
326 {
327     ohci->intr_status |= intr;
328     ohci_intr_update(ohci);
329 }
330 
331 /* Attach or detach a device on a root hub port.  */
332 static void ohci_attach(USBPort *port1)
333 {
334     OHCIState *s = port1->opaque;
335     OHCIPort *port = &s->rhport[port1->index];
336     uint32_t old_state = port->ctrl;
337 
338     /* set connect status */
339     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
340 
341     /* update speed */
342     if (port->port.dev->speed == USB_SPEED_LOW) {
343         port->ctrl |= OHCI_PORT_LSDA;
344     } else {
345         port->ctrl &= ~OHCI_PORT_LSDA;
346     }
347 
348     /* notify of remote-wakeup */
349     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
350         ohci_set_interrupt(s, OHCI_INTR_RD);
351     }
352 
353     DPRINTF("usb-ohci: Attached port %d\n", port1->index);
354 
355     if (old_state != port->ctrl) {
356         ohci_set_interrupt(s, OHCI_INTR_RHSC);
357     }
358 }
359 
360 static void ohci_detach(USBPort *port1)
361 {
362     OHCIState *s = port1->opaque;
363     OHCIPort *port = &s->rhport[port1->index];
364     uint32_t old_state = port->ctrl;
365 
366     ohci_async_cancel_device(s, port1->dev);
367 
368     /* set connect status */
369     if (port->ctrl & OHCI_PORT_CCS) {
370         port->ctrl &= ~OHCI_PORT_CCS;
371         port->ctrl |= OHCI_PORT_CSC;
372     }
373     /* disable port */
374     if (port->ctrl & OHCI_PORT_PES) {
375         port->ctrl &= ~OHCI_PORT_PES;
376         port->ctrl |= OHCI_PORT_PESC;
377     }
378     DPRINTF("usb-ohci: Detached port %d\n", port1->index);
379 
380     if (old_state != port->ctrl) {
381         ohci_set_interrupt(s, OHCI_INTR_RHSC);
382     }
383 }
384 
385 static void ohci_wakeup(USBPort *port1)
386 {
387     OHCIState *s = port1->opaque;
388     OHCIPort *port = &s->rhport[port1->index];
389     uint32_t intr = 0;
390     if (port->ctrl & OHCI_PORT_PSS) {
391         DPRINTF("usb-ohci: port %d: wakeup\n", port1->index);
392         port->ctrl |= OHCI_PORT_PSSC;
393         port->ctrl &= ~OHCI_PORT_PSS;
394         intr = OHCI_INTR_RHSC;
395     }
396     /* Note that the controller can be suspended even if this port is not */
397     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
398         DPRINTF("usb-ohci: remote-wakeup: SUSPEND->RESUME\n");
399         /* This is the one state transition the controller can do by itself */
400         s->ctl &= ~OHCI_CTL_HCFS;
401         s->ctl |= OHCI_USB_RESUME;
402         /* In suspend mode only ResumeDetected is possible, not RHSC:
403          * see the OHCI spec 5.1.2.3.
404          */
405         intr = OHCI_INTR_RD;
406     }
407     ohci_set_interrupt(s, intr);
408 }
409 
410 static void ohci_child_detach(USBPort *port1, USBDevice *child)
411 {
412     OHCIState *s = port1->opaque;
413 
414     ohci_async_cancel_device(s, child);
415 }
416 
417 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
418 {
419     USBDevice *dev;
420     int i;
421 
422     for (i = 0; i < ohci->num_ports; i++) {
423         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
424             continue;
425         }
426         dev = usb_find_device(&ohci->rhport[i].port, addr);
427         if (dev != NULL) {
428             return dev;
429         }
430     }
431     return NULL;
432 }
433 
434 static void ohci_stop_endpoints(OHCIState *ohci)
435 {
436     USBDevice *dev;
437     int i, j;
438 
439     for (i = 0; i < ohci->num_ports; i++) {
440         dev = ohci->rhport[i].port.dev;
441         if (dev && dev->attached) {
442             usb_device_ep_stopped(dev, &dev->ep_ctl);
443             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
444                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
445                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
446             }
447         }
448     }
449 }
450 
451 /* Reset the controller */
452 static void ohci_reset(void *opaque)
453 {
454     OHCIState *ohci = opaque;
455     OHCIPort *port;
456     int i;
457 
458     ohci_bus_stop(ohci);
459     ohci->ctl = 0;
460     ohci->old_ctl = 0;
461     ohci->status = 0;
462     ohci->intr_status = 0;
463     ohci->intr = OHCI_INTR_MIE;
464 
465     ohci->hcca = 0;
466     ohci->ctrl_head = ohci->ctrl_cur = 0;
467     ohci->bulk_head = ohci->bulk_cur = 0;
468     ohci->per_cur = 0;
469     ohci->done = 0;
470     ohci->done_count = 7;
471 
472     /* FSMPS is marked TBD in OCHI 1.0, what gives ffs?
473      * I took the value linux sets ...
474      */
475     ohci->fsmps = 0x2778;
476     ohci->fi = 0x2edf;
477     ohci->fit = 0;
478     ohci->frt = 0;
479     ohci->frame_number = 0;
480     ohci->pstart = 0;
481     ohci->lst = OHCI_LS_THRESH;
482 
483     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
484     ohci->rhdesc_b = 0x0; /* Impl. specific */
485     ohci->rhstatus = 0;
486 
487     for (i = 0; i < ohci->num_ports; i++)
488       {
489         port = &ohci->rhport[i];
490         port->ctrl = 0;
491         if (port->port.dev && port->port.dev->attached) {
492             usb_port_reset(&port->port);
493         }
494       }
495     if (ohci->async_td) {
496         usb_cancel_packet(&ohci->usb_packet);
497         ohci->async_td = 0;
498     }
499     ohci_stop_endpoints(ohci);
500     DPRINTF("usb-ohci: Reset %s\n", ohci->name);
501 }
502 
503 /* Get an array of dwords from main memory */
504 static inline int get_dwords(OHCIState *ohci,
505                              dma_addr_t addr, uint32_t *buf, int num)
506 {
507     int i;
508 
509     addr += ohci->localmem_base;
510 
511     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
512         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
513             return -1;
514         }
515         *buf = le32_to_cpu(*buf);
516     }
517 
518     return 0;
519 }
520 
521 /* Put an array of dwords in to main memory */
522 static inline int put_dwords(OHCIState *ohci,
523                              dma_addr_t addr, uint32_t *buf, int num)
524 {
525     int i;
526 
527     addr += ohci->localmem_base;
528 
529     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
530         uint32_t tmp = cpu_to_le32(*buf);
531         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
532             return -1;
533         }
534     }
535 
536     return 0;
537 }
538 
539 /* Get an array of words from main memory */
540 static inline int get_words(OHCIState *ohci,
541                             dma_addr_t addr, uint16_t *buf, int num)
542 {
543     int i;
544 
545     addr += ohci->localmem_base;
546 
547     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
548         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
549             return -1;
550         }
551         *buf = le16_to_cpu(*buf);
552     }
553 
554     return 0;
555 }
556 
557 /* Put an array of words in to main memory */
558 static inline int put_words(OHCIState *ohci,
559                             dma_addr_t addr, uint16_t *buf, int num)
560 {
561     int i;
562 
563     addr += ohci->localmem_base;
564 
565     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
566         uint16_t tmp = cpu_to_le16(*buf);
567         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
568             return -1;
569         }
570     }
571 
572     return 0;
573 }
574 
575 static inline int ohci_read_ed(OHCIState *ohci,
576                                dma_addr_t addr, struct ohci_ed *ed)
577 {
578     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
579 }
580 
581 static inline int ohci_read_td(OHCIState *ohci,
582                                dma_addr_t addr, struct ohci_td *td)
583 {
584     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
585 }
586 
587 static inline int ohci_read_iso_td(OHCIState *ohci,
588                                    dma_addr_t addr, struct ohci_iso_td *td)
589 {
590     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
591            get_words(ohci, addr + 16, td->offset, 8);
592 }
593 
594 static inline int ohci_read_hcca(OHCIState *ohci,
595                                  dma_addr_t addr, struct ohci_hcca *hcca)
596 {
597     return dma_memory_read(ohci->as, addr + ohci->localmem_base,
598                            hcca, sizeof(*hcca));
599 }
600 
601 static inline int ohci_put_ed(OHCIState *ohci,
602                               dma_addr_t addr, struct ohci_ed *ed)
603 {
604     /* ed->tail is under control of the HCD.
605      * Since just ed->head is changed by HC, just write back this
606      */
607 
608     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
609                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
610                       ED_WBACK_SIZE >> 2);
611 }
612 
613 static inline int ohci_put_td(OHCIState *ohci,
614                               dma_addr_t addr, struct ohci_td *td)
615 {
616     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
617 }
618 
619 static inline int ohci_put_iso_td(OHCIState *ohci,
620                                   dma_addr_t addr, struct ohci_iso_td *td)
621 {
622     return put_dwords(ohci, addr, (uint32_t *)td, 4 ||
623            put_words(ohci, addr + 16, td->offset, 8));
624 }
625 
626 static inline int ohci_put_hcca(OHCIState *ohci,
627                                 dma_addr_t addr, struct ohci_hcca *hcca)
628 {
629     return dma_memory_write(ohci->as,
630                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
631                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
632                             HCCA_WRITEBACK_SIZE);
633 }
634 
635 /* Read/Write the contents of a TD from/to main memory.  */
636 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
637                         uint8_t *buf, int len, DMADirection dir)
638 {
639     dma_addr_t ptr, n;
640 
641     ptr = td->cbp;
642     n = 0x1000 - (ptr & 0xfff);
643     if (n > len)
644         n = len;
645 
646     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
647         return -1;
648     }
649     if (n == len) {
650         return 0;
651     }
652     ptr = td->be & ~0xfffu;
653     buf += n;
654     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
655                       len - n, dir)) {
656         return -1;
657     }
658     return 0;
659 }
660 
661 /* Read/Write the contents of an ISO TD from/to main memory.  */
662 static int ohci_copy_iso_td(OHCIState *ohci,
663                             uint32_t start_addr, uint32_t end_addr,
664                             uint8_t *buf, int len, DMADirection dir)
665 {
666     dma_addr_t ptr, n;
667 
668     ptr = start_addr;
669     n = 0x1000 - (ptr & 0xfff);
670     if (n > len)
671         n = len;
672 
673     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
674         return -1;
675     }
676     if (n == len) {
677         return 0;
678     }
679     ptr = end_addr & ~0xfffu;
680     buf += n;
681     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
682                       len - n, dir)) {
683         return -1;
684     }
685     return 0;
686 }
687 
688 static void ohci_process_lists(OHCIState *ohci, int completion);
689 
690 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
691 {
692     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
693 #ifdef DEBUG_PACKET
694     DPRINTF("Async packet complete\n");
695 #endif
696     ohci->async_complete = 1;
697     ohci_process_lists(ohci, 1);
698 }
699 
700 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
701 
702 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
703                                int completion)
704 {
705     int dir;
706     size_t len = 0;
707 #ifdef DEBUG_ISOCH
708     const char *str = NULL;
709 #endif
710     int pid;
711     int ret;
712     int i;
713     USBDevice *dev;
714     USBEndpoint *ep;
715     struct ohci_iso_td iso_td;
716     uint32_t addr;
717     uint16_t starting_frame;
718     int16_t relative_frame_number;
719     int frame_count;
720     uint32_t start_offset, next_offset, end_offset = 0;
721     uint32_t start_addr, end_addr;
722 
723     addr = ed->head & OHCI_DPTR_MASK;
724 
725     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
726         printf("usb-ohci: ISO_TD read error at %x\n", addr);
727         ohci_die(ohci);
728         return 0;
729     }
730 
731     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
732     frame_count = OHCI_BM(iso_td.flags, TD_FC);
733     relative_frame_number = USUB(ohci->frame_number, starting_frame);
734 
735 #ifdef DEBUG_ISOCH
736     printf("--- ISO_TD ED head 0x%.8x tailp 0x%.8x\n"
737            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
738            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
739            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
740            "frame_number 0x%.8x starting_frame 0x%.8x\n"
741            "frame_count  0x%.8x relative %d\n"
742            "di 0x%.8x cc 0x%.8x\n",
743            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
744            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
745            iso_td.offset[0], iso_td.offset[1], iso_td.offset[2], iso_td.offset[3],
746            iso_td.offset[4], iso_td.offset[5], iso_td.offset[6], iso_td.offset[7],
747            ohci->frame_number, starting_frame,
748            frame_count, relative_frame_number,
749            OHCI_BM(iso_td.flags, TD_DI), OHCI_BM(iso_td.flags, TD_CC));
750 #endif
751 
752     if (relative_frame_number < 0) {
753         DPRINTF("usb-ohci: ISO_TD R=%d < 0\n", relative_frame_number);
754         return 1;
755     } else if (relative_frame_number > frame_count) {
756         /* ISO TD expired - retire the TD to the Done Queue and continue with
757            the next ISO TD of the same ED */
758         DPRINTF("usb-ohci: ISO_TD R=%d > FC=%d\n", relative_frame_number,
759                frame_count);
760         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
761         ed->head &= ~OHCI_DPTR_MASK;
762         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
763         iso_td.next = ohci->done;
764         ohci->done = addr;
765         i = OHCI_BM(iso_td.flags, TD_DI);
766         if (i < ohci->done_count)
767             ohci->done_count = i;
768         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
769             ohci_die(ohci);
770             return 1;
771         }
772         return 0;
773     }
774 
775     dir = OHCI_BM(ed->flags, ED_D);
776     switch (dir) {
777     case OHCI_TD_DIR_IN:
778 #ifdef DEBUG_ISOCH
779         str = "in";
780 #endif
781         pid = USB_TOKEN_IN;
782         break;
783     case OHCI_TD_DIR_OUT:
784 #ifdef DEBUG_ISOCH
785         str = "out";
786 #endif
787         pid = USB_TOKEN_OUT;
788         break;
789     case OHCI_TD_DIR_SETUP:
790 #ifdef DEBUG_ISOCH
791         str = "setup";
792 #endif
793         pid = USB_TOKEN_SETUP;
794         break;
795     default:
796         printf("usb-ohci: Bad direction %d\n", dir);
797         return 1;
798     }
799 
800     if (!iso_td.bp || !iso_td.be) {
801         printf("usb-ohci: ISO_TD bp 0x%.8x be 0x%.8x\n", iso_td.bp, iso_td.be);
802         return 1;
803     }
804 
805     start_offset = iso_td.offset[relative_frame_number];
806     next_offset = iso_td.offset[relative_frame_number + 1];
807 
808     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
809         ((relative_frame_number < frame_count) &&
810          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
811         printf("usb-ohci: ISO_TD cc != not accessed 0x%.8x 0x%.8x\n",
812                start_offset, next_offset);
813         return 1;
814     }
815 
816     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
817         printf("usb-ohci: ISO_TD start_offset=0x%.8x > next_offset=0x%.8x\n",
818                 start_offset, next_offset);
819         return 1;
820     }
821 
822     if ((start_offset & 0x1000) == 0) {
823         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
824             (start_offset & OHCI_OFFSET_MASK);
825     } else {
826         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
827             (start_offset & OHCI_OFFSET_MASK);
828     }
829 
830     if (relative_frame_number < frame_count) {
831         end_offset = next_offset - 1;
832         if ((end_offset & 0x1000) == 0) {
833             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
834                 (end_offset & OHCI_OFFSET_MASK);
835         } else {
836             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
837                 (end_offset & OHCI_OFFSET_MASK);
838         }
839     } else {
840         /* Last packet in the ISO TD */
841         end_addr = iso_td.be;
842     }
843 
844     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
845         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
846             - (start_addr & OHCI_OFFSET_MASK);
847     } else {
848         len = end_addr - start_addr + 1;
849     }
850 
851     if (len && dir != OHCI_TD_DIR_IN) {
852         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
853                              DMA_DIRECTION_TO_DEVICE)) {
854             ohci_die(ohci);
855             return 1;
856         }
857     }
858 
859     if (!completion) {
860         bool int_req = relative_frame_number == frame_count &&
861                        OHCI_BM(iso_td.flags, TD_DI) == 0;
862         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
863         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
864         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
865         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
866         usb_handle_packet(dev, &ohci->usb_packet);
867         if (ohci->usb_packet.status == USB_RET_ASYNC) {
868             usb_device_flush_ep_queue(dev, ep);
869             return 1;
870         }
871     }
872     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
873         ret = ohci->usb_packet.actual_length;
874     } else {
875         ret = ohci->usb_packet.status;
876     }
877 
878 #ifdef DEBUG_ISOCH
879     printf("so 0x%.8x eo 0x%.8x\nsa 0x%.8x ea 0x%.8x\ndir %s len %zu ret %d\n",
880            start_offset, end_offset, start_addr, end_addr, str, len, ret);
881 #endif
882 
883     /* Writeback */
884     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
885         /* IN transfer succeeded */
886         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, ret,
887                              DMA_DIRECTION_FROM_DEVICE)) {
888             ohci_die(ohci);
889             return 1;
890         }
891         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
892                     OHCI_CC_NOERROR);
893         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
894     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
895         /* OUT transfer succeeded */
896         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
897                     OHCI_CC_NOERROR);
898         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
899     } else {
900         if (ret > (ssize_t) len) {
901             printf("usb-ohci: DataOverrun %d > %zu\n", ret, len);
902             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
903                         OHCI_CC_DATAOVERRUN);
904             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
905                         len);
906         } else if (ret >= 0) {
907             printf("usb-ohci: DataUnderrun %d\n", ret);
908             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
909                         OHCI_CC_DATAUNDERRUN);
910         } else {
911             switch (ret) {
912             case USB_RET_IOERROR:
913             case USB_RET_NODEV:
914                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
915                             OHCI_CC_DEVICENOTRESPONDING);
916                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
917                             0);
918                 break;
919             case USB_RET_NAK:
920             case USB_RET_STALL:
921                 printf("usb-ohci: got NAK/STALL %d\n", ret);
922                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
923                             OHCI_CC_STALL);
924                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
925                             0);
926                 break;
927             default:
928                 printf("usb-ohci: Bad device response %d\n", ret);
929                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
930                             OHCI_CC_UNDEXPETEDPID);
931                 break;
932             }
933         }
934     }
935 
936     if (relative_frame_number == frame_count) {
937         /* Last data packet of ISO TD - retire the TD to the Done Queue */
938         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
939         ed->head &= ~OHCI_DPTR_MASK;
940         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
941         iso_td.next = ohci->done;
942         ohci->done = addr;
943         i = OHCI_BM(iso_td.flags, TD_DI);
944         if (i < ohci->done_count)
945             ohci->done_count = i;
946     }
947     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
948         ohci_die(ohci);
949     }
950     return 1;
951 }
952 
953 /* Service a transport descriptor.
954    Returns nonzero to terminate processing of this endpoint.  */
955 
956 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
957 {
958     int dir;
959     size_t len = 0, pktlen = 0;
960 #ifdef DEBUG_PACKET
961     const char *str = NULL;
962 #endif
963     int pid;
964     int ret;
965     int i;
966     USBDevice *dev;
967     USBEndpoint *ep;
968     struct ohci_td td;
969     uint32_t addr;
970     int flag_r;
971     int completion;
972 
973     addr = ed->head & OHCI_DPTR_MASK;
974     /* See if this TD has already been submitted to the device.  */
975     completion = (addr == ohci->async_td);
976     if (completion && !ohci->async_complete) {
977 #ifdef DEBUG_PACKET
978         DPRINTF("Skipping async TD\n");
979 #endif
980         return 1;
981     }
982     if (ohci_read_td(ohci, addr, &td)) {
983         fprintf(stderr, "usb-ohci: TD read error at %x\n", addr);
984         ohci_die(ohci);
985         return 0;
986     }
987 
988     dir = OHCI_BM(ed->flags, ED_D);
989     switch (dir) {
990     case OHCI_TD_DIR_OUT:
991     case OHCI_TD_DIR_IN:
992         /* Same value.  */
993         break;
994     default:
995         dir = OHCI_BM(td.flags, TD_DP);
996         break;
997     }
998 
999     switch (dir) {
1000     case OHCI_TD_DIR_IN:
1001 #ifdef DEBUG_PACKET
1002         str = "in";
1003 #endif
1004         pid = USB_TOKEN_IN;
1005         break;
1006     case OHCI_TD_DIR_OUT:
1007 #ifdef DEBUG_PACKET
1008         str = "out";
1009 #endif
1010         pid = USB_TOKEN_OUT;
1011         break;
1012     case OHCI_TD_DIR_SETUP:
1013 #ifdef DEBUG_PACKET
1014         str = "setup";
1015 #endif
1016         pid = USB_TOKEN_SETUP;
1017         break;
1018     default:
1019         fprintf(stderr, "usb-ohci: Bad direction\n");
1020         return 1;
1021     }
1022     if (td.cbp && td.be) {
1023         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
1024             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
1025         } else {
1026             len = (td.be - td.cbp) + 1;
1027         }
1028 
1029         pktlen = len;
1030         if (len && dir != OHCI_TD_DIR_IN) {
1031             /* The endpoint may not allow us to transfer it all now */
1032             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
1033             if (pktlen > len) {
1034                 pktlen = len;
1035             }
1036             if (!completion) {
1037                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
1038                                  DMA_DIRECTION_TO_DEVICE)) {
1039                     ohci_die(ohci);
1040                 }
1041             }
1042         }
1043     }
1044 
1045     flag_r = (td.flags & OHCI_TD_R) != 0;
1046 #ifdef DEBUG_PACKET
1047     DPRINTF(" TD @ 0x%.8x %" PRId64 " of %" PRId64
1048             " bytes %s r=%d cbp=0x%.8x be=0x%.8x\n",
1049             addr, (int64_t)pktlen, (int64_t)len, str, flag_r, td.cbp, td.be);
1050 
1051     if (pktlen > 0 && dir != OHCI_TD_DIR_IN) {
1052         DPRINTF("  data:");
1053         for (i = 0; i < pktlen; i++) {
1054             printf(" %.2x", ohci->usb_buf[i]);
1055         }
1056         DPRINTF("\n");
1057     }
1058 #endif
1059     if (completion) {
1060         ohci->async_td = 0;
1061         ohci->async_complete = 0;
1062     } else {
1063         if (ohci->async_td) {
1064             /* ??? The hardware should allow one active packet per
1065                endpoint.  We only allow one active packet per controller.
1066                This should be sufficient as long as devices respond in a
1067                timely manner.
1068             */
1069 #ifdef DEBUG_PACKET
1070             DPRINTF("Too many pending packets\n");
1071 #endif
1072             return 1;
1073         }
1074         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
1075         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
1076         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
1077                          OHCI_BM(td.flags, TD_DI) == 0);
1078         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
1079         usb_handle_packet(dev, &ohci->usb_packet);
1080 #ifdef DEBUG_PACKET
1081         DPRINTF("status=%d\n", ohci->usb_packet.status);
1082 #endif
1083         if (ohci->usb_packet.status == USB_RET_ASYNC) {
1084             usb_device_flush_ep_queue(dev, ep);
1085             ohci->async_td = addr;
1086             return 1;
1087         }
1088     }
1089     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1090         ret = ohci->usb_packet.actual_length;
1091     } else {
1092         ret = ohci->usb_packet.status;
1093     }
1094 
1095     if (ret >= 0) {
1096         if (dir == OHCI_TD_DIR_IN) {
1097             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1098                              DMA_DIRECTION_FROM_DEVICE)) {
1099                 ohci_die(ohci);
1100             }
1101 #ifdef DEBUG_PACKET
1102             DPRINTF("  data:");
1103             for (i = 0; i < ret; i++)
1104                 printf(" %.2x", ohci->usb_buf[i]);
1105             DPRINTF("\n");
1106 #endif
1107         } else {
1108             ret = pktlen;
1109         }
1110     }
1111 
1112     /* Writeback */
1113     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1114         /* Transmission succeeded.  */
1115         if (ret == len) {
1116             td.cbp = 0;
1117         } else {
1118             if ((td.cbp & 0xfff) + ret > 0xfff) {
1119                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1120             } else {
1121                 td.cbp += ret;
1122             }
1123         }
1124         td.flags |= OHCI_TD_T1;
1125         td.flags ^= OHCI_TD_T0;
1126         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1127         OHCI_SET_BM(td.flags, TD_EC, 0);
1128 
1129         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1130             /* Partial packet transfer: TD not ready to retire yet */
1131             goto exit_no_retire;
1132         }
1133 
1134         /* Setting ED_C is part of the TD retirement process */
1135         ed->head &= ~OHCI_ED_C;
1136         if (td.flags & OHCI_TD_T0)
1137             ed->head |= OHCI_ED_C;
1138     } else {
1139         if (ret >= 0) {
1140             DPRINTF("usb-ohci: Underrun\n");
1141             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1142         } else {
1143             switch (ret) {
1144             case USB_RET_IOERROR:
1145             case USB_RET_NODEV:
1146                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1147             case USB_RET_NAK:
1148                 DPRINTF("usb-ohci: got NAK\n");
1149                 return 1;
1150             case USB_RET_STALL:
1151                 DPRINTF("usb-ohci: got STALL\n");
1152                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1153                 break;
1154             case USB_RET_BABBLE:
1155                 DPRINTF("usb-ohci: got BABBLE\n");
1156                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1157                 break;
1158             default:
1159                 fprintf(stderr, "usb-ohci: Bad device response %d\n", ret);
1160                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1161                 OHCI_SET_BM(td.flags, TD_EC, 3);
1162                 break;
1163             }
1164         }
1165         ed->head |= OHCI_ED_H;
1166     }
1167 
1168     /* Retire this TD */
1169     ed->head &= ~OHCI_DPTR_MASK;
1170     ed->head |= td.next & OHCI_DPTR_MASK;
1171     td.next = ohci->done;
1172     ohci->done = addr;
1173     i = OHCI_BM(td.flags, TD_DI);
1174     if (i < ohci->done_count)
1175         ohci->done_count = i;
1176 exit_no_retire:
1177     if (ohci_put_td(ohci, addr, &td)) {
1178         ohci_die(ohci);
1179         return 1;
1180     }
1181     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1182 }
1183 
1184 /* Service an endpoint list.  Returns nonzero if active TD were found.  */
1185 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
1186 {
1187     struct ohci_ed ed;
1188     uint32_t next_ed;
1189     uint32_t cur;
1190     int active;
1191 
1192     active = 0;
1193 
1194     if (head == 0)
1195         return 0;
1196 
1197     for (cur = head; cur; cur = next_ed) {
1198         if (ohci_read_ed(ohci, cur, &ed)) {
1199             fprintf(stderr, "usb-ohci: ED read error at %x\n", cur);
1200             ohci_die(ohci);
1201             return 0;
1202         }
1203 
1204         next_ed = ed.next & OHCI_DPTR_MASK;
1205 
1206         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1207             uint32_t addr;
1208             /* Cancel pending packets for ED that have been paused.  */
1209             addr = ed.head & OHCI_DPTR_MASK;
1210             if (ohci->async_td && addr == ohci->async_td) {
1211                 usb_cancel_packet(&ohci->usb_packet);
1212                 ohci->async_td = 0;
1213                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1214                                       ohci->usb_packet.ep);
1215             }
1216             continue;
1217         }
1218 
1219         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1220 #ifdef DEBUG_PACKET
1221             DPRINTF("ED @ 0x%.8x fa=%u en=%u d=%u s=%u k=%u f=%u mps=%u "
1222                     "h=%u c=%u\n  head=0x%.8x tailp=0x%.8x next=0x%.8x\n", cur,
1223                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1224                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S)!= 0,
1225                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1226                     OHCI_BM(ed.flags, ED_MPS), (ed.head & OHCI_ED_H) != 0,
1227                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1228                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1229 #endif
1230             active = 1;
1231 
1232             if ((ed.flags & OHCI_ED_F) == 0) {
1233                 if (ohci_service_td(ohci, &ed))
1234                     break;
1235             } else {
1236                 /* Handle isochronous endpoints */
1237                 if (ohci_service_iso_td(ohci, &ed, completion))
1238                     break;
1239             }
1240         }
1241 
1242         if (ohci_put_ed(ohci, cur, &ed)) {
1243             ohci_die(ohci);
1244             return 0;
1245         }
1246     }
1247 
1248     return active;
1249 }
1250 
1251 /* Generate a SOF event, and set a timer for EOF */
1252 static void ohci_sof(OHCIState *ohci)
1253 {
1254     ohci->sof_time = qemu_get_clock_ns(vm_clock);
1255     qemu_mod_timer(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1256     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1257 }
1258 
1259 /* Process Control and Bulk lists.  */
1260 static void ohci_process_lists(OHCIState *ohci, int completion)
1261 {
1262     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1263         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1264             DPRINTF("usb-ohci: head %x, cur %x\n",
1265                     ohci->ctrl_head, ohci->ctrl_cur);
1266         }
1267         if (!ohci_service_ed_list(ohci, ohci->ctrl_head, completion)) {
1268             ohci->ctrl_cur = 0;
1269             ohci->status &= ~OHCI_STATUS_CLF;
1270         }
1271     }
1272 
1273     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1274         if (!ohci_service_ed_list(ohci, ohci->bulk_head, completion)) {
1275             ohci->bulk_cur = 0;
1276             ohci->status &= ~OHCI_STATUS_BLF;
1277         }
1278     }
1279 }
1280 
1281 /* Do frame processing on frame boundary */
1282 static void ohci_frame_boundary(void *opaque)
1283 {
1284     OHCIState *ohci = opaque;
1285     struct ohci_hcca hcca;
1286 
1287     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1288         fprintf(stderr, "usb-ohci: HCCA read error at %x\n", ohci->hcca);
1289         ohci_die(ohci);
1290         return;
1291     }
1292 
1293     /* Process all the lists at the end of the frame */
1294     if (ohci->ctl & OHCI_CTL_PLE) {
1295         int n;
1296 
1297         n = ohci->frame_number & 0x1f;
1298         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]), 0);
1299     }
1300 
1301     /* Cancel all pending packets if either of the lists has been disabled.  */
1302     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1303         if (ohci->async_td) {
1304             usb_cancel_packet(&ohci->usb_packet);
1305             ohci->async_td = 0;
1306         }
1307         ohci_stop_endpoints(ohci);
1308     }
1309     ohci->old_ctl = ohci->ctl;
1310     ohci_process_lists(ohci, 0);
1311 
1312     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1313     if (ohci->intr_status & OHCI_INTR_UE) {
1314         return;
1315     }
1316 
1317     /* Frame boundary, so do EOF stuf here */
1318     ohci->frt = ohci->fit;
1319 
1320     /* Increment frame number and take care of endianness. */
1321     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1322     hcca.frame = cpu_to_le16(ohci->frame_number);
1323 
1324     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1325         if (!ohci->done)
1326             abort();
1327         if (ohci->intr & ohci->intr_status)
1328             ohci->done |= 1;
1329         hcca.done = cpu_to_le32(ohci->done);
1330         ohci->done = 0;
1331         ohci->done_count = 7;
1332         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1333     }
1334 
1335     if (ohci->done_count != 7 && ohci->done_count != 0)
1336         ohci->done_count--;
1337 
1338     /* Do SOF stuff here */
1339     ohci_sof(ohci);
1340 
1341     /* Writeback HCCA */
1342     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1343         ohci_die(ohci);
1344     }
1345 }
1346 
1347 /* Start sending SOF tokens across the USB bus, lists are processed in
1348  * next frame
1349  */
1350 static int ohci_bus_start(OHCIState *ohci)
1351 {
1352     ohci->eof_timer = qemu_new_timer_ns(vm_clock,
1353                     ohci_frame_boundary,
1354                     ohci);
1355 
1356     if (ohci->eof_timer == NULL) {
1357         fprintf(stderr, "usb-ohci: %s: qemu_new_timer_ns failed\n", ohci->name);
1358         ohci_die(ohci);
1359         return 0;
1360     }
1361 
1362     DPRINTF("usb-ohci: %s: USB Operational\n", ohci->name);
1363 
1364     ohci_sof(ohci);
1365 
1366     return 1;
1367 }
1368 
1369 /* Stop sending SOF tokens on the bus */
1370 static void ohci_bus_stop(OHCIState *ohci)
1371 {
1372     if (ohci->eof_timer)
1373         qemu_del_timer(ohci->eof_timer);
1374     ohci->eof_timer = NULL;
1375 }
1376 
1377 /* Sets a flag in a port status register but only set it if the port is
1378  * connected, if not set ConnectStatusChange flag. If flag is enabled
1379  * return 1.
1380  */
1381 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1382 {
1383     int ret = 1;
1384 
1385     /* writing a 0 has no effect */
1386     if (val == 0)
1387         return 0;
1388 
1389     /* If CurrentConnectStatus is cleared we set
1390      * ConnectStatusChange
1391      */
1392     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1393         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1394         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1395             /* TODO: CSC is a wakeup event */
1396         }
1397         return 0;
1398     }
1399 
1400     if (ohci->rhport[i].ctrl & val)
1401         ret = 0;
1402 
1403     /* set the bit */
1404     ohci->rhport[i].ctrl |= val;
1405 
1406     return ret;
1407 }
1408 
1409 /* Set the frame interval - frame interval toggle is manipulated by the hcd only */
1410 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1411 {
1412     val &= OHCI_FMI_FI;
1413 
1414     if (val != ohci->fi) {
1415         DPRINTF("usb-ohci: %s: FrameInterval = 0x%x (%u)\n",
1416             ohci->name, ohci->fi, ohci->fi);
1417     }
1418 
1419     ohci->fi = val;
1420 }
1421 
1422 static void ohci_port_power(OHCIState *ohci, int i, int p)
1423 {
1424     if (p) {
1425         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1426     } else {
1427         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS|
1428                     OHCI_PORT_CCS|
1429                     OHCI_PORT_PSS|
1430                     OHCI_PORT_PRS);
1431     }
1432 }
1433 
1434 /* Set HcControlRegister */
1435 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1436 {
1437     uint32_t old_state;
1438     uint32_t new_state;
1439 
1440     old_state = ohci->ctl & OHCI_CTL_HCFS;
1441     ohci->ctl = val;
1442     new_state = ohci->ctl & OHCI_CTL_HCFS;
1443 
1444     /* no state change */
1445     if (old_state == new_state)
1446         return;
1447 
1448     switch (new_state) {
1449     case OHCI_USB_OPERATIONAL:
1450         ohci_bus_start(ohci);
1451         break;
1452     case OHCI_USB_SUSPEND:
1453         ohci_bus_stop(ohci);
1454         DPRINTF("usb-ohci: %s: USB Suspended\n", ohci->name);
1455         break;
1456     case OHCI_USB_RESUME:
1457         DPRINTF("usb-ohci: %s: USB Resume\n", ohci->name);
1458         break;
1459     case OHCI_USB_RESET:
1460         ohci_reset(ohci);
1461         DPRINTF("usb-ohci: %s: USB Reset\n", ohci->name);
1462         break;
1463     }
1464 }
1465 
1466 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1467 {
1468     uint16_t fr;
1469     int64_t tks;
1470 
1471     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL)
1472         return (ohci->frt << 31);
1473 
1474     /* Being in USB operational state guarnatees sof_time was
1475      * set already.
1476      */
1477     tks = qemu_get_clock_ns(vm_clock) - ohci->sof_time;
1478 
1479     /* avoid muldiv if possible */
1480     if (tks >= usb_frame_time)
1481         return (ohci->frt << 31);
1482 
1483     tks = muldiv64(1, tks, usb_bit_time);
1484     fr = (uint16_t)(ohci->fi - tks);
1485 
1486     return (ohci->frt << 31) | fr;
1487 }
1488 
1489 
1490 /* Set root hub status */
1491 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1492 {
1493     uint32_t old_state;
1494 
1495     old_state = ohci->rhstatus;
1496 
1497     /* write 1 to clear OCIC */
1498     if (val & OHCI_RHS_OCIC)
1499         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1500 
1501     if (val & OHCI_RHS_LPS) {
1502         int i;
1503 
1504         for (i = 0; i < ohci->num_ports; i++)
1505             ohci_port_power(ohci, i, 0);
1506         DPRINTF("usb-ohci: powered down all ports\n");
1507     }
1508 
1509     if (val & OHCI_RHS_LPSC) {
1510         int i;
1511 
1512         for (i = 0; i < ohci->num_ports; i++)
1513             ohci_port_power(ohci, i, 1);
1514         DPRINTF("usb-ohci: powered up all ports\n");
1515     }
1516 
1517     if (val & OHCI_RHS_DRWE)
1518         ohci->rhstatus |= OHCI_RHS_DRWE;
1519 
1520     if (val & OHCI_RHS_CRWE)
1521         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1522 
1523     if (old_state != ohci->rhstatus)
1524         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1525 }
1526 
1527 /* Set root hub port status */
1528 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1529 {
1530     uint32_t old_state;
1531     OHCIPort *port;
1532 
1533     port = &ohci->rhport[portnum];
1534     old_state = port->ctrl;
1535 
1536     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1537     if (val & OHCI_PORT_WTC)
1538         port->ctrl &= ~(val & OHCI_PORT_WTC);
1539 
1540     if (val & OHCI_PORT_CCS)
1541         port->ctrl &= ~OHCI_PORT_PES;
1542 
1543     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1544 
1545     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1546         DPRINTF("usb-ohci: port %d: SUSPEND\n", portnum);
1547     }
1548 
1549     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1550         DPRINTF("usb-ohci: port %d: RESET\n", portnum);
1551         usb_device_reset(port->port.dev);
1552         port->ctrl &= ~OHCI_PORT_PRS;
1553         /* ??? Should this also set OHCI_PORT_PESC.  */
1554         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1555     }
1556 
1557     /* Invert order here to ensure in ambiguous case, device is
1558      * powered up...
1559      */
1560     if (val & OHCI_PORT_LSDA)
1561         ohci_port_power(ohci, portnum, 0);
1562     if (val & OHCI_PORT_PPS)
1563         ohci_port_power(ohci, portnum, 1);
1564 
1565     if (old_state != port->ctrl)
1566         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1567 }
1568 
1569 static uint64_t ohci_mem_read(void *opaque,
1570                               hwaddr addr,
1571                               unsigned size)
1572 {
1573     OHCIState *ohci = opaque;
1574     uint32_t retval;
1575 
1576     /* Only aligned reads are allowed on OHCI */
1577     if (addr & 3) {
1578         fprintf(stderr, "usb-ohci: Mis-aligned read\n");
1579         return 0xffffffff;
1580     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1581         /* HcRhPortStatus */
1582         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1583     } else {
1584         switch (addr >> 2) {
1585         case 0: /* HcRevision */
1586             retval = 0x10;
1587             break;
1588 
1589         case 1: /* HcControl */
1590             retval = ohci->ctl;
1591             break;
1592 
1593         case 2: /* HcCommandStatus */
1594             retval = ohci->status;
1595             break;
1596 
1597         case 3: /* HcInterruptStatus */
1598             retval = ohci->intr_status;
1599             break;
1600 
1601         case 4: /* HcInterruptEnable */
1602         case 5: /* HcInterruptDisable */
1603             retval = ohci->intr;
1604             break;
1605 
1606         case 6: /* HcHCCA */
1607             retval = ohci->hcca;
1608             break;
1609 
1610         case 7: /* HcPeriodCurrentED */
1611             retval = ohci->per_cur;
1612             break;
1613 
1614         case 8: /* HcControlHeadED */
1615             retval = ohci->ctrl_head;
1616             break;
1617 
1618         case 9: /* HcControlCurrentED */
1619             retval = ohci->ctrl_cur;
1620             break;
1621 
1622         case 10: /* HcBulkHeadED */
1623             retval = ohci->bulk_head;
1624             break;
1625 
1626         case 11: /* HcBulkCurrentED */
1627             retval = ohci->bulk_cur;
1628             break;
1629 
1630         case 12: /* HcDoneHead */
1631             retval = ohci->done;
1632             break;
1633 
1634         case 13: /* HcFmInterretval */
1635             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1636             break;
1637 
1638         case 14: /* HcFmRemaining */
1639             retval = ohci_get_frame_remaining(ohci);
1640             break;
1641 
1642         case 15: /* HcFmNumber */
1643             retval = ohci->frame_number;
1644             break;
1645 
1646         case 16: /* HcPeriodicStart */
1647             retval = ohci->pstart;
1648             break;
1649 
1650         case 17: /* HcLSThreshold */
1651             retval = ohci->lst;
1652             break;
1653 
1654         case 18: /* HcRhDescriptorA */
1655             retval = ohci->rhdesc_a;
1656             break;
1657 
1658         case 19: /* HcRhDescriptorB */
1659             retval = ohci->rhdesc_b;
1660             break;
1661 
1662         case 20: /* HcRhStatus */
1663             retval = ohci->rhstatus;
1664             break;
1665 
1666         /* PXA27x specific registers */
1667         case 24: /* HcStatus */
1668             retval = ohci->hstatus & ohci->hmask;
1669             break;
1670 
1671         case 25: /* HcHReset */
1672             retval = ohci->hreset;
1673             break;
1674 
1675         case 26: /* HcHInterruptEnable */
1676             retval = ohci->hmask;
1677             break;
1678 
1679         case 27: /* HcHInterruptTest */
1680             retval = ohci->htest;
1681             break;
1682 
1683         default:
1684             fprintf(stderr, "ohci_read: Bad offset %x\n", (int)addr);
1685             retval = 0xffffffff;
1686         }
1687     }
1688 
1689     return retval;
1690 }
1691 
1692 static void ohci_mem_write(void *opaque,
1693                            hwaddr addr,
1694                            uint64_t val,
1695                            unsigned size)
1696 {
1697     OHCIState *ohci = opaque;
1698 
1699     /* Only aligned reads are allowed on OHCI */
1700     if (addr & 3) {
1701         fprintf(stderr, "usb-ohci: Mis-aligned write\n");
1702         return;
1703     }
1704 
1705     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1706         /* HcRhPortStatus */
1707         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1708         return;
1709     }
1710 
1711     switch (addr >> 2) {
1712     case 1: /* HcControl */
1713         ohci_set_ctl(ohci, val);
1714         break;
1715 
1716     case 2: /* HcCommandStatus */
1717         /* SOC is read-only */
1718         val = (val & ~OHCI_STATUS_SOC);
1719 
1720         /* Bits written as '0' remain unchanged in the register */
1721         ohci->status |= val;
1722 
1723         if (ohci->status & OHCI_STATUS_HCR)
1724             ohci_reset(ohci);
1725         break;
1726 
1727     case 3: /* HcInterruptStatus */
1728         ohci->intr_status &= ~val;
1729         ohci_intr_update(ohci);
1730         break;
1731 
1732     case 4: /* HcInterruptEnable */
1733         ohci->intr |= val;
1734         ohci_intr_update(ohci);
1735         break;
1736 
1737     case 5: /* HcInterruptDisable */
1738         ohci->intr &= ~val;
1739         ohci_intr_update(ohci);
1740         break;
1741 
1742     case 6: /* HcHCCA */
1743         ohci->hcca = val & OHCI_HCCA_MASK;
1744         break;
1745 
1746     case 7: /* HcPeriodCurrentED */
1747         /* Ignore writes to this read-only register, Linux does them */
1748         break;
1749 
1750     case 8: /* HcControlHeadED */
1751         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1752         break;
1753 
1754     case 9: /* HcControlCurrentED */
1755         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1756         break;
1757 
1758     case 10: /* HcBulkHeadED */
1759         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1760         break;
1761 
1762     case 11: /* HcBulkCurrentED */
1763         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1764         break;
1765 
1766     case 13: /* HcFmInterval */
1767         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1768         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1769         ohci_set_frame_interval(ohci, val);
1770         break;
1771 
1772     case 15: /* HcFmNumber */
1773         break;
1774 
1775     case 16: /* HcPeriodicStart */
1776         ohci->pstart = val & 0xffff;
1777         break;
1778 
1779     case 17: /* HcLSThreshold */
1780         ohci->lst = val & 0xffff;
1781         break;
1782 
1783     case 18: /* HcRhDescriptorA */
1784         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1785         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1786         break;
1787 
1788     case 19: /* HcRhDescriptorB */
1789         break;
1790 
1791     case 20: /* HcRhStatus */
1792         ohci_set_hub_status(ohci, val);
1793         break;
1794 
1795     /* PXA27x specific registers */
1796     case 24: /* HcStatus */
1797         ohci->hstatus &= ~(val & ohci->hmask);
1798         break;
1799 
1800     case 25: /* HcHReset */
1801         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1802         if (val & OHCI_HRESET_FSBIR)
1803             ohci_reset(ohci);
1804         break;
1805 
1806     case 26: /* HcHInterruptEnable */
1807         ohci->hmask = val;
1808         break;
1809 
1810     case 27: /* HcHInterruptTest */
1811         ohci->htest = val;
1812         break;
1813 
1814     default:
1815         fprintf(stderr, "ohci_write: Bad offset %x\n", (int)addr);
1816         break;
1817     }
1818 }
1819 
1820 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
1821 {
1822     if (ohci->async_td &&
1823         usb_packet_is_inflight(&ohci->usb_packet) &&
1824         ohci->usb_packet.ep->dev == dev) {
1825         usb_cancel_packet(&ohci->usb_packet);
1826         ohci->async_td = 0;
1827     }
1828 }
1829 
1830 static const MemoryRegionOps ohci_mem_ops = {
1831     .read = ohci_mem_read,
1832     .write = ohci_mem_write,
1833     .endianness = DEVICE_LITTLE_ENDIAN,
1834 };
1835 
1836 static USBPortOps ohci_port_ops = {
1837     .attach = ohci_attach,
1838     .detach = ohci_detach,
1839     .child_detach = ohci_child_detach,
1840     .wakeup = ohci_wakeup,
1841     .complete = ohci_async_complete_packet,
1842 };
1843 
1844 static USBBusOps ohci_bus_ops = {
1845 };
1846 
1847 static int usb_ohci_init(OHCIState *ohci, DeviceState *dev,
1848                          int num_ports, dma_addr_t localmem_base,
1849                          char *masterbus, uint32_t firstport,
1850                          AddressSpace *as)
1851 {
1852     int i;
1853 
1854     ohci->as = as;
1855 
1856     if (usb_frame_time == 0) {
1857 #ifdef OHCI_TIME_WARP
1858         usb_frame_time = get_ticks_per_sec();
1859         usb_bit_time = muldiv64(1, get_ticks_per_sec(), USB_HZ/1000);
1860 #else
1861         usb_frame_time = muldiv64(1, get_ticks_per_sec(), 1000);
1862         if (get_ticks_per_sec() >= USB_HZ) {
1863             usb_bit_time = muldiv64(1, get_ticks_per_sec(), USB_HZ);
1864         } else {
1865             usb_bit_time = 1;
1866         }
1867 #endif
1868         DPRINTF("usb-ohci: usb_bit_time=%" PRId64 " usb_frame_time=%" PRId64 "\n",
1869                 usb_frame_time, usb_bit_time);
1870     }
1871 
1872     ohci->num_ports = num_ports;
1873     if (masterbus) {
1874         USBPort *ports[OHCI_MAX_PORTS];
1875         for(i = 0; i < num_ports; i++) {
1876             ports[i] = &ohci->rhport[i].port;
1877         }
1878         if (usb_register_companion(masterbus, ports, num_ports,
1879                 firstport, ohci, &ohci_port_ops,
1880                 USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL) != 0) {
1881             return -1;
1882         }
1883     } else {
1884         usb_bus_new(&ohci->bus, &ohci_bus_ops, dev);
1885         for (i = 0; i < num_ports; i++) {
1886             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1887                               ohci, i, &ohci_port_ops,
1888                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1889         }
1890     }
1891 
1892     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1893                           ohci, "ohci", 256);
1894     ohci->localmem_base = localmem_base;
1895 
1896     ohci->name = object_get_typename(OBJECT(dev));
1897     usb_packet_init(&ohci->usb_packet);
1898 
1899     ohci->async_td = 0;
1900     qemu_register_reset(ohci_reset, ohci);
1901 
1902     return 0;
1903 }
1904 
1905 #define TYPE_PCI_OHCI "pci-ohci"
1906 #define PCI_OHCI(obj) OBJECT_CHECK(OHCIPCIState, (obj), TYPE_PCI_OHCI)
1907 
1908 typedef struct {
1909     /*< private >*/
1910     PCIDevice parent_obj;
1911     /*< public >*/
1912 
1913     OHCIState state;
1914     char *masterbus;
1915     uint32_t num_ports;
1916     uint32_t firstport;
1917 } OHCIPCIState;
1918 
1919 /** A typical O/EHCI will stop operating, set itself into error state
1920  * (which can be queried by MMIO) and will set PERR in its config
1921  * space to signal that it got an error
1922  */
1923 static void ohci_die(OHCIState *ohci)
1924 {
1925     OHCIPCIState *dev = container_of(ohci, OHCIPCIState, state);
1926 
1927     fprintf(stderr, "%s: DMA error\n", __func__);
1928 
1929     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1930     ohci_bus_stop(ohci);
1931     pci_set_word(dev->parent_obj.config + PCI_STATUS,
1932                  PCI_STATUS_DETECTED_PARITY);
1933 }
1934 
1935 static int usb_ohci_initfn_pci(PCIDevice *dev)
1936 {
1937     OHCIPCIState *ohci = PCI_OHCI(dev);
1938 
1939     dev->config[PCI_CLASS_PROG] = 0x10; /* OHCI */
1940     dev->config[PCI_INTERRUPT_PIN] = 0x01; /* interrupt pin A */
1941 
1942     if (usb_ohci_init(&ohci->state, DEVICE(dev), ohci->num_ports, 0,
1943                       ohci->masterbus, ohci->firstport,
1944                       pci_get_address_space(dev)) != 0) {
1945         return -1;
1946     }
1947     ohci->state.irq = dev->irq[0];
1948 
1949     pci_register_bar(dev, 0, 0, &ohci->state.mem);
1950     return 0;
1951 }
1952 
1953 #define TYPE_SYSBUS_OHCI "sysbus-ohci"
1954 #define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
1955 
1956 typedef struct {
1957     /*< private >*/
1958     SysBusDevice parent_obj;
1959     /*< public >*/
1960 
1961     OHCIState ohci;
1962     uint32_t num_ports;
1963     dma_addr_t dma_offset;
1964 } OHCISysBusState;
1965 
1966 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
1967 {
1968     OHCISysBusState *s = SYSBUS_OHCI(dev);
1969     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1970 
1971     /* Cannot fail as we pass NULL for masterbus */
1972     usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset, NULL, 0,
1973                   &address_space_memory);
1974     sysbus_init_irq(sbd, &s->ohci.irq);
1975     sysbus_init_mmio(sbd, &s->ohci.mem);
1976 }
1977 
1978 static Property ohci_pci_properties[] = {
1979     DEFINE_PROP_STRING("masterbus", OHCIPCIState, masterbus),
1980     DEFINE_PROP_UINT32("num-ports", OHCIPCIState, num_ports, 3),
1981     DEFINE_PROP_UINT32("firstport", OHCIPCIState, firstport, 0),
1982     DEFINE_PROP_END_OF_LIST(),
1983 };
1984 
1985 static void ohci_pci_class_init(ObjectClass *klass, void *data)
1986 {
1987     DeviceClass *dc = DEVICE_CLASS(klass);
1988     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
1989 
1990     k->init = usb_ohci_initfn_pci;
1991     k->vendor_id = PCI_VENDOR_ID_APPLE;
1992     k->device_id = PCI_DEVICE_ID_APPLE_IPID_USB;
1993     k->class_id = PCI_CLASS_SERIAL_USB;
1994     k->no_hotplug = 1;
1995     set_bit(DEVICE_CATEGORY_USB, dc->categories);
1996     dc->desc = "Apple USB Controller";
1997     dc->props = ohci_pci_properties;
1998 }
1999 
2000 static const TypeInfo ohci_pci_info = {
2001     .name          = TYPE_PCI_OHCI,
2002     .parent        = TYPE_PCI_DEVICE,
2003     .instance_size = sizeof(OHCIPCIState),
2004     .class_init    = ohci_pci_class_init,
2005 };
2006 
2007 static Property ohci_sysbus_properties[] = {
2008     DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
2009     DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 3),
2010     DEFINE_PROP_END_OF_LIST(),
2011 };
2012 
2013 static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
2014 {
2015     DeviceClass *dc = DEVICE_CLASS(klass);
2016 
2017     dc->realize = ohci_realize_pxa;
2018     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2019     dc->desc = "OHCI USB Controller";
2020     dc->props = ohci_sysbus_properties;
2021 }
2022 
2023 static const TypeInfo ohci_sysbus_info = {
2024     .name          = TYPE_SYSBUS_OHCI,
2025     .parent        = TYPE_SYS_BUS_DEVICE,
2026     .instance_size = sizeof(OHCISysBusState),
2027     .class_init    = ohci_sysbus_class_init,
2028 };
2029 
2030 static void ohci_register_types(void)
2031 {
2032     type_register_static(&ohci_pci_info);
2033     type_register_static(&ohci_sysbus_info);
2034 }
2035 
2036 type_init(ohci_register_types)
2037