xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision 64552b6b)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26 */
27 
28 #include "qemu/osdep.h"
29 #include "hw/hw.h"
30 #include "hw/irq.h"
31 #include "qapi/error.h"
32 #include "qemu/module.h"
33 #include "qemu/timer.h"
34 #include "hw/usb.h"
35 #include "hw/sysbus.h"
36 #include "hw/qdev-dma.h"
37 #include "trace.h"
38 #include "hcd-ohci.h"
39 
40 /* This causes frames to occur 1000x slower */
41 //#define OHCI_TIME_WARP 1
42 
43 #define ED_LINK_LIMIT 32
44 
45 static int64_t usb_frame_time;
46 static int64_t usb_bit_time;
47 
48 /* Host Controller Communications Area */
49 struct ohci_hcca {
50     uint32_t intr[32];
51     uint16_t frame, pad;
52     uint32_t done;
53 };
54 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
55 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
56 
57 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
58 #define ED_WBACK_SIZE   4
59 
60 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
61 
62 /* Bitfields for the first word of an Endpoint Desciptor.  */
63 #define OHCI_ED_FA_SHIFT  0
64 #define OHCI_ED_FA_MASK   (0x7f<<OHCI_ED_FA_SHIFT)
65 #define OHCI_ED_EN_SHIFT  7
66 #define OHCI_ED_EN_MASK   (0xf<<OHCI_ED_EN_SHIFT)
67 #define OHCI_ED_D_SHIFT   11
68 #define OHCI_ED_D_MASK    (3<<OHCI_ED_D_SHIFT)
69 #define OHCI_ED_S         (1<<13)
70 #define OHCI_ED_K         (1<<14)
71 #define OHCI_ED_F         (1<<15)
72 #define OHCI_ED_MPS_SHIFT 16
73 #define OHCI_ED_MPS_MASK  (0x7ff<<OHCI_ED_MPS_SHIFT)
74 
75 /* Flags in the head field of an Endpoint Desciptor.  */
76 #define OHCI_ED_H         1
77 #define OHCI_ED_C         2
78 
79 /* Bitfields for the first word of a Transfer Desciptor.  */
80 #define OHCI_TD_R         (1<<18)
81 #define OHCI_TD_DP_SHIFT  19
82 #define OHCI_TD_DP_MASK   (3<<OHCI_TD_DP_SHIFT)
83 #define OHCI_TD_DI_SHIFT  21
84 #define OHCI_TD_DI_MASK   (7<<OHCI_TD_DI_SHIFT)
85 #define OHCI_TD_T0        (1<<24)
86 #define OHCI_TD_T1        (1<<25)
87 #define OHCI_TD_EC_SHIFT  26
88 #define OHCI_TD_EC_MASK   (3<<OHCI_TD_EC_SHIFT)
89 #define OHCI_TD_CC_SHIFT  28
90 #define OHCI_TD_CC_MASK   (0xf<<OHCI_TD_CC_SHIFT)
91 
92 /* Bitfields for the first word of an Isochronous Transfer Desciptor.  */
93 /* CC & DI - same as in the General Transfer Desciptor */
94 #define OHCI_TD_SF_SHIFT  0
95 #define OHCI_TD_SF_MASK   (0xffff<<OHCI_TD_SF_SHIFT)
96 #define OHCI_TD_FC_SHIFT  24
97 #define OHCI_TD_FC_MASK   (7<<OHCI_TD_FC_SHIFT)
98 
99 /* Isochronous Transfer Desciptor - Offset / PacketStatusWord */
100 #define OHCI_TD_PSW_CC_SHIFT 12
101 #define OHCI_TD_PSW_CC_MASK  (0xf<<OHCI_TD_PSW_CC_SHIFT)
102 #define OHCI_TD_PSW_SIZE_SHIFT 0
103 #define OHCI_TD_PSW_SIZE_MASK  (0xfff<<OHCI_TD_PSW_SIZE_SHIFT)
104 
105 #define OHCI_PAGE_MASK    0xfffff000
106 #define OHCI_OFFSET_MASK  0xfff
107 
108 #define OHCI_DPTR_MASK    0xfffffff0
109 
110 #define OHCI_BM(val, field) \
111   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
112 
113 #define OHCI_SET_BM(val, field, newval) do { \
114     val &= ~OHCI_##field##_MASK; \
115     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
116     } while(0)
117 
118 /* endpoint descriptor */
119 struct ohci_ed {
120     uint32_t flags;
121     uint32_t tail;
122     uint32_t head;
123     uint32_t next;
124 };
125 
126 /* General transfer descriptor */
127 struct ohci_td {
128     uint32_t flags;
129     uint32_t cbp;
130     uint32_t next;
131     uint32_t be;
132 };
133 
134 /* Isochronous transfer descriptor */
135 struct ohci_iso_td {
136     uint32_t flags;
137     uint32_t bp;
138     uint32_t next;
139     uint32_t be;
140     uint16_t offset[8];
141 };
142 
143 #define USB_HZ                      12000000
144 
145 /* OHCI Local stuff */
146 #define OHCI_CTL_CBSR         ((1<<0)|(1<<1))
147 #define OHCI_CTL_PLE          (1<<2)
148 #define OHCI_CTL_IE           (1<<3)
149 #define OHCI_CTL_CLE          (1<<4)
150 #define OHCI_CTL_BLE          (1<<5)
151 #define OHCI_CTL_HCFS         ((1<<6)|(1<<7))
152 #define  OHCI_USB_RESET       0x00
153 #define  OHCI_USB_RESUME      0x40
154 #define  OHCI_USB_OPERATIONAL 0x80
155 #define  OHCI_USB_SUSPEND     0xc0
156 #define OHCI_CTL_IR           (1<<8)
157 #define OHCI_CTL_RWC          (1<<9)
158 #define OHCI_CTL_RWE          (1<<10)
159 
160 #define OHCI_STATUS_HCR       (1<<0)
161 #define OHCI_STATUS_CLF       (1<<1)
162 #define OHCI_STATUS_BLF       (1<<2)
163 #define OHCI_STATUS_OCR       (1<<3)
164 #define OHCI_STATUS_SOC       ((1<<6)|(1<<7))
165 
166 #define OHCI_INTR_SO          (1U<<0) /* Scheduling overrun */
167 #define OHCI_INTR_WD          (1U<<1) /* HcDoneHead writeback */
168 #define OHCI_INTR_SF          (1U<<2) /* Start of frame */
169 #define OHCI_INTR_RD          (1U<<3) /* Resume detect */
170 #define OHCI_INTR_UE          (1U<<4) /* Unrecoverable error */
171 #define OHCI_INTR_FNO         (1U<<5) /* Frame number overflow */
172 #define OHCI_INTR_RHSC        (1U<<6) /* Root hub status change */
173 #define OHCI_INTR_OC          (1U<<30) /* Ownership change */
174 #define OHCI_INTR_MIE         (1U<<31) /* Master Interrupt Enable */
175 
176 #define OHCI_HCCA_SIZE        0x100
177 #define OHCI_HCCA_MASK        0xffffff00
178 
179 #define OHCI_EDPTR_MASK       0xfffffff0
180 
181 #define OHCI_FMI_FI           0x00003fff
182 #define OHCI_FMI_FSMPS        0xffff0000
183 #define OHCI_FMI_FIT          0x80000000
184 
185 #define OHCI_FR_RT            (1U<<31)
186 
187 #define OHCI_LS_THRESH        0x628
188 
189 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
190 #define OHCI_RHA_PSM          (1<<8)
191 #define OHCI_RHA_NPS          (1<<9)
192 #define OHCI_RHA_DT           (1<<10)
193 #define OHCI_RHA_OCPM         (1<<11)
194 #define OHCI_RHA_NOCP         (1<<12)
195 #define OHCI_RHA_POTPGT_MASK  0xff000000
196 
197 #define OHCI_RHS_LPS          (1U<<0)
198 #define OHCI_RHS_OCI          (1U<<1)
199 #define OHCI_RHS_DRWE         (1U<<15)
200 #define OHCI_RHS_LPSC         (1U<<16)
201 #define OHCI_RHS_OCIC         (1U<<17)
202 #define OHCI_RHS_CRWE         (1U<<31)
203 
204 #define OHCI_PORT_CCS         (1<<0)
205 #define OHCI_PORT_PES         (1<<1)
206 #define OHCI_PORT_PSS         (1<<2)
207 #define OHCI_PORT_POCI        (1<<3)
208 #define OHCI_PORT_PRS         (1<<4)
209 #define OHCI_PORT_PPS         (1<<8)
210 #define OHCI_PORT_LSDA        (1<<9)
211 #define OHCI_PORT_CSC         (1<<16)
212 #define OHCI_PORT_PESC        (1<<17)
213 #define OHCI_PORT_PSSC        (1<<18)
214 #define OHCI_PORT_OCIC        (1<<19)
215 #define OHCI_PORT_PRSC        (1<<20)
216 #define OHCI_PORT_WTC         (OHCI_PORT_CSC|OHCI_PORT_PESC|OHCI_PORT_PSSC \
217                                |OHCI_PORT_OCIC|OHCI_PORT_PRSC)
218 
219 #define OHCI_TD_DIR_SETUP     0x0
220 #define OHCI_TD_DIR_OUT       0x1
221 #define OHCI_TD_DIR_IN        0x2
222 #define OHCI_TD_DIR_RESERVED  0x3
223 
224 #define OHCI_CC_NOERROR             0x0
225 #define OHCI_CC_CRC                 0x1
226 #define OHCI_CC_BITSTUFFING         0x2
227 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
228 #define OHCI_CC_STALL               0x4
229 #define OHCI_CC_DEVICENOTRESPONDING 0x5
230 #define OHCI_CC_PIDCHECKFAILURE     0x6
231 #define OHCI_CC_UNDEXPETEDPID       0x7
232 #define OHCI_CC_DATAOVERRUN         0x8
233 #define OHCI_CC_DATAUNDERRUN        0x9
234 #define OHCI_CC_BUFFEROVERRUN       0xc
235 #define OHCI_CC_BUFFERUNDERRUN      0xd
236 
237 #define OHCI_HRESET_FSBIR       (1 << 0)
238 
239 static void ohci_die(OHCIState *ohci)
240 {
241     ohci->ohci_die(ohci);
242 }
243 
244 /* Update IRQ levels */
245 static inline void ohci_intr_update(OHCIState *ohci)
246 {
247     int level = 0;
248 
249     if ((ohci->intr & OHCI_INTR_MIE) &&
250         (ohci->intr_status & ohci->intr))
251         level = 1;
252 
253     qemu_set_irq(ohci->irq, level);
254 }
255 
256 /* Set an interrupt */
257 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
258 {
259     ohci->intr_status |= intr;
260     ohci_intr_update(ohci);
261 }
262 
263 /* Attach or detach a device on a root hub port.  */
264 static void ohci_attach(USBPort *port1)
265 {
266     OHCIState *s = port1->opaque;
267     OHCIPort *port = &s->rhport[port1->index];
268     uint32_t old_state = port->ctrl;
269 
270     /* set connect status */
271     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
272 
273     /* update speed */
274     if (port->port.dev->speed == USB_SPEED_LOW) {
275         port->ctrl |= OHCI_PORT_LSDA;
276     } else {
277         port->ctrl &= ~OHCI_PORT_LSDA;
278     }
279 
280     /* notify of remote-wakeup */
281     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
282         ohci_set_interrupt(s, OHCI_INTR_RD);
283     }
284 
285     trace_usb_ohci_port_attach(port1->index);
286 
287     if (old_state != port->ctrl) {
288         ohci_set_interrupt(s, OHCI_INTR_RHSC);
289     }
290 }
291 
292 static void ohci_detach(USBPort *port1)
293 {
294     OHCIState *s = port1->opaque;
295     OHCIPort *port = &s->rhport[port1->index];
296     uint32_t old_state = port->ctrl;
297 
298     ohci_async_cancel_device(s, port1->dev);
299 
300     /* set connect status */
301     if (port->ctrl & OHCI_PORT_CCS) {
302         port->ctrl &= ~OHCI_PORT_CCS;
303         port->ctrl |= OHCI_PORT_CSC;
304     }
305     /* disable port */
306     if (port->ctrl & OHCI_PORT_PES) {
307         port->ctrl &= ~OHCI_PORT_PES;
308         port->ctrl |= OHCI_PORT_PESC;
309     }
310     trace_usb_ohci_port_detach(port1->index);
311 
312     if (old_state != port->ctrl) {
313         ohci_set_interrupt(s, OHCI_INTR_RHSC);
314     }
315 }
316 
317 static void ohci_wakeup(USBPort *port1)
318 {
319     OHCIState *s = port1->opaque;
320     OHCIPort *port = &s->rhport[port1->index];
321     uint32_t intr = 0;
322     if (port->ctrl & OHCI_PORT_PSS) {
323         trace_usb_ohci_port_wakeup(port1->index);
324         port->ctrl |= OHCI_PORT_PSSC;
325         port->ctrl &= ~OHCI_PORT_PSS;
326         intr = OHCI_INTR_RHSC;
327     }
328     /* Note that the controller can be suspended even if this port is not */
329     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
330         trace_usb_ohci_remote_wakeup(s->name);
331         /* This is the one state transition the controller can do by itself */
332         s->ctl &= ~OHCI_CTL_HCFS;
333         s->ctl |= OHCI_USB_RESUME;
334         /* In suspend mode only ResumeDetected is possible, not RHSC:
335          * see the OHCI spec 5.1.2.3.
336          */
337         intr = OHCI_INTR_RD;
338     }
339     ohci_set_interrupt(s, intr);
340 }
341 
342 static void ohci_child_detach(USBPort *port1, USBDevice *child)
343 {
344     OHCIState *s = port1->opaque;
345 
346     ohci_async_cancel_device(s, child);
347 }
348 
349 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
350 {
351     USBDevice *dev;
352     int i;
353 
354     for (i = 0; i < ohci->num_ports; i++) {
355         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
356             continue;
357         }
358         dev = usb_find_device(&ohci->rhport[i].port, addr);
359         if (dev != NULL) {
360             return dev;
361         }
362     }
363     return NULL;
364 }
365 
366 void ohci_stop_endpoints(OHCIState *ohci)
367 {
368     USBDevice *dev;
369     int i, j;
370 
371     for (i = 0; i < ohci->num_ports; i++) {
372         dev = ohci->rhport[i].port.dev;
373         if (dev && dev->attached) {
374             usb_device_ep_stopped(dev, &dev->ep_ctl);
375             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
376                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
377                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
378             }
379         }
380     }
381 }
382 
383 static void ohci_roothub_reset(OHCIState *ohci)
384 {
385     OHCIPort *port;
386     int i;
387 
388     ohci_bus_stop(ohci);
389     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
390     ohci->rhdesc_b = 0x0; /* Impl. specific */
391     ohci->rhstatus = 0;
392 
393     for (i = 0; i < ohci->num_ports; i++) {
394         port = &ohci->rhport[i];
395         port->ctrl = 0;
396         if (port->port.dev && port->port.dev->attached) {
397             usb_port_reset(&port->port);
398         }
399     }
400     if (ohci->async_td) {
401         usb_cancel_packet(&ohci->usb_packet);
402         ohci->async_td = 0;
403     }
404     ohci_stop_endpoints(ohci);
405 }
406 
407 /* Reset the controller */
408 static void ohci_soft_reset(OHCIState *ohci)
409 {
410     trace_usb_ohci_reset(ohci->name);
411 
412     ohci_bus_stop(ohci);
413     ohci->ctl = (ohci->ctl & OHCI_CTL_IR) | OHCI_USB_SUSPEND;
414     ohci->old_ctl = 0;
415     ohci->status = 0;
416     ohci->intr_status = 0;
417     ohci->intr = OHCI_INTR_MIE;
418 
419     ohci->hcca = 0;
420     ohci->ctrl_head = ohci->ctrl_cur = 0;
421     ohci->bulk_head = ohci->bulk_cur = 0;
422     ohci->per_cur = 0;
423     ohci->done = 0;
424     ohci->done_count = 7;
425 
426     /* FSMPS is marked TBD in OCHI 1.0, what gives ffs?
427      * I took the value linux sets ...
428      */
429     ohci->fsmps = 0x2778;
430     ohci->fi = 0x2edf;
431     ohci->fit = 0;
432     ohci->frt = 0;
433     ohci->frame_number = 0;
434     ohci->pstart = 0;
435     ohci->lst = OHCI_LS_THRESH;
436 }
437 
438 void ohci_hard_reset(OHCIState *ohci)
439 {
440     ohci_soft_reset(ohci);
441     ohci->ctl = 0;
442     ohci_roothub_reset(ohci);
443 }
444 
445 /* Get an array of dwords from main memory */
446 static inline int get_dwords(OHCIState *ohci,
447                              dma_addr_t addr, uint32_t *buf, int num)
448 {
449     int i;
450 
451     addr += ohci->localmem_base;
452 
453     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
454         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
455             return -1;
456         }
457         *buf = le32_to_cpu(*buf);
458     }
459 
460     return 0;
461 }
462 
463 /* Put an array of dwords in to main memory */
464 static inline int put_dwords(OHCIState *ohci,
465                              dma_addr_t addr, uint32_t *buf, int num)
466 {
467     int i;
468 
469     addr += ohci->localmem_base;
470 
471     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
472         uint32_t tmp = cpu_to_le32(*buf);
473         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
474             return -1;
475         }
476     }
477 
478     return 0;
479 }
480 
481 /* Get an array of words from main memory */
482 static inline int get_words(OHCIState *ohci,
483                             dma_addr_t addr, uint16_t *buf, int num)
484 {
485     int i;
486 
487     addr += ohci->localmem_base;
488 
489     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
490         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
491             return -1;
492         }
493         *buf = le16_to_cpu(*buf);
494     }
495 
496     return 0;
497 }
498 
499 /* Put an array of words in to main memory */
500 static inline int put_words(OHCIState *ohci,
501                             dma_addr_t addr, uint16_t *buf, int num)
502 {
503     int i;
504 
505     addr += ohci->localmem_base;
506 
507     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
508         uint16_t tmp = cpu_to_le16(*buf);
509         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
510             return -1;
511         }
512     }
513 
514     return 0;
515 }
516 
517 static inline int ohci_read_ed(OHCIState *ohci,
518                                dma_addr_t addr, struct ohci_ed *ed)
519 {
520     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
521 }
522 
523 static inline int ohci_read_td(OHCIState *ohci,
524                                dma_addr_t addr, struct ohci_td *td)
525 {
526     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
527 }
528 
529 static inline int ohci_read_iso_td(OHCIState *ohci,
530                                    dma_addr_t addr, struct ohci_iso_td *td)
531 {
532     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
533            get_words(ohci, addr + 16, td->offset, 8);
534 }
535 
536 static inline int ohci_read_hcca(OHCIState *ohci,
537                                  dma_addr_t addr, struct ohci_hcca *hcca)
538 {
539     return dma_memory_read(ohci->as, addr + ohci->localmem_base,
540                            hcca, sizeof(*hcca));
541 }
542 
543 static inline int ohci_put_ed(OHCIState *ohci,
544                               dma_addr_t addr, struct ohci_ed *ed)
545 {
546     /* ed->tail is under control of the HCD.
547      * Since just ed->head is changed by HC, just write back this
548      */
549 
550     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
551                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
552                       ED_WBACK_SIZE >> 2);
553 }
554 
555 static inline int ohci_put_td(OHCIState *ohci,
556                               dma_addr_t addr, struct ohci_td *td)
557 {
558     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
559 }
560 
561 static inline int ohci_put_iso_td(OHCIState *ohci,
562                                   dma_addr_t addr, struct ohci_iso_td *td)
563 {
564     return put_dwords(ohci, addr, (uint32_t *)td, 4) ||
565            put_words(ohci, addr + 16, td->offset, 8);
566 }
567 
568 static inline int ohci_put_hcca(OHCIState *ohci,
569                                 dma_addr_t addr, struct ohci_hcca *hcca)
570 {
571     return dma_memory_write(ohci->as,
572                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
573                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
574                             HCCA_WRITEBACK_SIZE);
575 }
576 
577 /* Read/Write the contents of a TD from/to main memory.  */
578 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
579                         uint8_t *buf, int len, DMADirection dir)
580 {
581     dma_addr_t ptr, n;
582 
583     ptr = td->cbp;
584     n = 0x1000 - (ptr & 0xfff);
585     if (n > len)
586         n = len;
587 
588     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
589         return -1;
590     }
591     if (n == len) {
592         return 0;
593     }
594     ptr = td->be & ~0xfffu;
595     buf += n;
596     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
597                       len - n, dir)) {
598         return -1;
599     }
600     return 0;
601 }
602 
603 /* Read/Write the contents of an ISO TD from/to main memory.  */
604 static int ohci_copy_iso_td(OHCIState *ohci,
605                             uint32_t start_addr, uint32_t end_addr,
606                             uint8_t *buf, int len, DMADirection dir)
607 {
608     dma_addr_t ptr, n;
609 
610     ptr = start_addr;
611     n = 0x1000 - (ptr & 0xfff);
612     if (n > len)
613         n = len;
614 
615     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
616         return -1;
617     }
618     if (n == len) {
619         return 0;
620     }
621     ptr = end_addr & ~0xfffu;
622     buf += n;
623     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
624                       len - n, dir)) {
625         return -1;
626     }
627     return 0;
628 }
629 
630 static void ohci_process_lists(OHCIState *ohci, int completion);
631 
632 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
633 {
634     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
635 
636     trace_usb_ohci_async_complete();
637     ohci->async_complete = true;
638     ohci_process_lists(ohci, 1);
639 }
640 
641 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
642 
643 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
644                                int completion)
645 {
646     int dir;
647     size_t len = 0;
648     const char *str = NULL;
649     int pid;
650     int ret;
651     int i;
652     USBDevice *dev;
653     USBEndpoint *ep;
654     struct ohci_iso_td iso_td;
655     uint32_t addr;
656     uint16_t starting_frame;
657     int16_t relative_frame_number;
658     int frame_count;
659     uint32_t start_offset, next_offset, end_offset = 0;
660     uint32_t start_addr, end_addr;
661 
662     addr = ed->head & OHCI_DPTR_MASK;
663 
664     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
665         trace_usb_ohci_iso_td_read_failed(addr);
666         ohci_die(ohci);
667         return 1;
668     }
669 
670     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
671     frame_count = OHCI_BM(iso_td.flags, TD_FC);
672     relative_frame_number = USUB(ohci->frame_number, starting_frame);
673 
674     trace_usb_ohci_iso_td_head(
675            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
676            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
677            ohci->frame_number, starting_frame,
678            frame_count, relative_frame_number);
679     trace_usb_ohci_iso_td_head_offset(
680            iso_td.offset[0], iso_td.offset[1],
681            iso_td.offset[2], iso_td.offset[3],
682            iso_td.offset[4], iso_td.offset[5],
683            iso_td.offset[6], iso_td.offset[7]);
684 
685     if (relative_frame_number < 0) {
686         trace_usb_ohci_iso_td_relative_frame_number_neg(relative_frame_number);
687         return 1;
688     } else if (relative_frame_number > frame_count) {
689         /* ISO TD expired - retire the TD to the Done Queue and continue with
690            the next ISO TD of the same ED */
691         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
692                                                         frame_count);
693         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
694         ed->head &= ~OHCI_DPTR_MASK;
695         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
696         iso_td.next = ohci->done;
697         ohci->done = addr;
698         i = OHCI_BM(iso_td.flags, TD_DI);
699         if (i < ohci->done_count)
700             ohci->done_count = i;
701         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
702             ohci_die(ohci);
703             return 1;
704         }
705         return 0;
706     }
707 
708     dir = OHCI_BM(ed->flags, ED_D);
709     switch (dir) {
710     case OHCI_TD_DIR_IN:
711         str = "in";
712         pid = USB_TOKEN_IN;
713         break;
714     case OHCI_TD_DIR_OUT:
715         str = "out";
716         pid = USB_TOKEN_OUT;
717         break;
718     case OHCI_TD_DIR_SETUP:
719         str = "setup";
720         pid = USB_TOKEN_SETUP;
721         break;
722     default:
723         trace_usb_ohci_iso_td_bad_direction(dir);
724         return 1;
725     }
726 
727     if (!iso_td.bp || !iso_td.be) {
728         trace_usb_ohci_iso_td_bad_bp_be(iso_td.bp, iso_td.be);
729         return 1;
730     }
731 
732     start_offset = iso_td.offset[relative_frame_number];
733     next_offset = iso_td.offset[relative_frame_number + 1];
734 
735     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
736         ((relative_frame_number < frame_count) &&
737          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
738         trace_usb_ohci_iso_td_bad_cc_not_accessed(start_offset, next_offset);
739         return 1;
740     }
741 
742     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
743         trace_usb_ohci_iso_td_bad_cc_overrun(start_offset, next_offset);
744         return 1;
745     }
746 
747     if ((start_offset & 0x1000) == 0) {
748         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
749             (start_offset & OHCI_OFFSET_MASK);
750     } else {
751         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
752             (start_offset & OHCI_OFFSET_MASK);
753     }
754 
755     if (relative_frame_number < frame_count) {
756         end_offset = next_offset - 1;
757         if ((end_offset & 0x1000) == 0) {
758             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
759                 (end_offset & OHCI_OFFSET_MASK);
760         } else {
761             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
762                 (end_offset & OHCI_OFFSET_MASK);
763         }
764     } else {
765         /* Last packet in the ISO TD */
766         end_addr = iso_td.be;
767     }
768 
769     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
770         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
771             - (start_addr & OHCI_OFFSET_MASK);
772     } else {
773         len = end_addr - start_addr + 1;
774     }
775 
776     if (len && dir != OHCI_TD_DIR_IN) {
777         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
778                              DMA_DIRECTION_TO_DEVICE)) {
779             ohci_die(ohci);
780             return 1;
781         }
782     }
783 
784     if (!completion) {
785         bool int_req = relative_frame_number == frame_count &&
786                        OHCI_BM(iso_td.flags, TD_DI) == 0;
787         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
788         if (dev == NULL) {
789             trace_usb_ohci_td_dev_error();
790             return 1;
791         }
792         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
793         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
794         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
795         usb_handle_packet(dev, &ohci->usb_packet);
796         if (ohci->usb_packet.status == USB_RET_ASYNC) {
797             usb_device_flush_ep_queue(dev, ep);
798             return 1;
799         }
800     }
801     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
802         ret = ohci->usb_packet.actual_length;
803     } else {
804         ret = ohci->usb_packet.status;
805     }
806 
807     trace_usb_ohci_iso_td_so(start_offset, end_offset, start_addr, end_addr,
808                              str, len, ret);
809 
810     /* Writeback */
811     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
812         /* IN transfer succeeded */
813         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, ret,
814                              DMA_DIRECTION_FROM_DEVICE)) {
815             ohci_die(ohci);
816             return 1;
817         }
818         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
819                     OHCI_CC_NOERROR);
820         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
821     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
822         /* OUT transfer succeeded */
823         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
824                     OHCI_CC_NOERROR);
825         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
826     } else {
827         if (ret > (ssize_t) len) {
828             trace_usb_ohci_iso_td_data_overrun(ret, len);
829             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
830                         OHCI_CC_DATAOVERRUN);
831             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
832                         len);
833         } else if (ret >= 0) {
834             trace_usb_ohci_iso_td_data_underrun(ret);
835             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
836                         OHCI_CC_DATAUNDERRUN);
837         } else {
838             switch (ret) {
839             case USB_RET_IOERROR:
840             case USB_RET_NODEV:
841                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
842                             OHCI_CC_DEVICENOTRESPONDING);
843                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
844                             0);
845                 break;
846             case USB_RET_NAK:
847             case USB_RET_STALL:
848                 trace_usb_ohci_iso_td_nak(ret);
849                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
850                             OHCI_CC_STALL);
851                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
852                             0);
853                 break;
854             default:
855                 trace_usb_ohci_iso_td_bad_response(ret);
856                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
857                             OHCI_CC_UNDEXPETEDPID);
858                 break;
859             }
860         }
861     }
862 
863     if (relative_frame_number == frame_count) {
864         /* Last data packet of ISO TD - retire the TD to the Done Queue */
865         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
866         ed->head &= ~OHCI_DPTR_MASK;
867         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
868         iso_td.next = ohci->done;
869         ohci->done = addr;
870         i = OHCI_BM(iso_td.flags, TD_DI);
871         if (i < ohci->done_count)
872             ohci->done_count = i;
873     }
874     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
875         ohci_die(ohci);
876     }
877     return 1;
878 }
879 
880 static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
881 {
882     bool print16;
883     bool printall;
884     const int width = 16;
885     int i;
886     char tmp[3 * width + 1];
887     char *p = tmp;
888 
889     print16 = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_SHORT);
890     printall = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_FULL);
891 
892     if (!printall && !print16) {
893         return;
894     }
895 
896     for (i = 0; ; i++) {
897         if (i && (!(i % width) || (i == len))) {
898             if (!printall) {
899                 trace_usb_ohci_td_pkt_short(msg, tmp);
900                 break;
901             }
902             trace_usb_ohci_td_pkt_full(msg, tmp);
903             p = tmp;
904             *p = 0;
905         }
906         if (i == len) {
907             break;
908         }
909 
910         p += sprintf(p, " %.2x", buf[i]);
911     }
912 }
913 
914 /* Service a transport descriptor.
915    Returns nonzero to terminate processing of this endpoint.  */
916 
917 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
918 {
919     int dir;
920     size_t len = 0, pktlen = 0;
921     const char *str = NULL;
922     int pid;
923     int ret;
924     int i;
925     USBDevice *dev;
926     USBEndpoint *ep;
927     struct ohci_td td;
928     uint32_t addr;
929     int flag_r;
930     int completion;
931 
932     addr = ed->head & OHCI_DPTR_MASK;
933     /* See if this TD has already been submitted to the device.  */
934     completion = (addr == ohci->async_td);
935     if (completion && !ohci->async_complete) {
936         trace_usb_ohci_td_skip_async();
937         return 1;
938     }
939     if (ohci_read_td(ohci, addr, &td)) {
940         trace_usb_ohci_td_read_error(addr);
941         ohci_die(ohci);
942         return 1;
943     }
944 
945     dir = OHCI_BM(ed->flags, ED_D);
946     switch (dir) {
947     case OHCI_TD_DIR_OUT:
948     case OHCI_TD_DIR_IN:
949         /* Same value.  */
950         break;
951     default:
952         dir = OHCI_BM(td.flags, TD_DP);
953         break;
954     }
955 
956     switch (dir) {
957     case OHCI_TD_DIR_IN:
958         str = "in";
959         pid = USB_TOKEN_IN;
960         break;
961     case OHCI_TD_DIR_OUT:
962         str = "out";
963         pid = USB_TOKEN_OUT;
964         break;
965     case OHCI_TD_DIR_SETUP:
966         str = "setup";
967         pid = USB_TOKEN_SETUP;
968         break;
969     default:
970         trace_usb_ohci_td_bad_direction(dir);
971         return 1;
972     }
973     if (td.cbp && td.be) {
974         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
975             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
976         } else {
977             len = (td.be - td.cbp) + 1;
978         }
979 
980         pktlen = len;
981         if (len && dir != OHCI_TD_DIR_IN) {
982             /* The endpoint may not allow us to transfer it all now */
983             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
984             if (pktlen > len) {
985                 pktlen = len;
986             }
987             if (!completion) {
988                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
989                                  DMA_DIRECTION_TO_DEVICE)) {
990                     ohci_die(ohci);
991                 }
992             }
993         }
994     }
995 
996     flag_r = (td.flags & OHCI_TD_R) != 0;
997     trace_usb_ohci_td_pkt_hdr(addr, (int64_t)pktlen, (int64_t)len, str,
998                               flag_r, td.cbp, td.be);
999     ohci_td_pkt("OUT", ohci->usb_buf, pktlen);
1000 
1001     if (completion) {
1002         ohci->async_td = 0;
1003         ohci->async_complete = false;
1004     } else {
1005         if (ohci->async_td) {
1006             /* ??? The hardware should allow one active packet per
1007                endpoint.  We only allow one active packet per controller.
1008                This should be sufficient as long as devices respond in a
1009                timely manner.
1010             */
1011             trace_usb_ohci_td_too_many_pending();
1012             return 1;
1013         }
1014         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
1015         if (dev == NULL) {
1016             trace_usb_ohci_td_dev_error();
1017             return 1;
1018         }
1019         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
1020         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
1021                          OHCI_BM(td.flags, TD_DI) == 0);
1022         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
1023         usb_handle_packet(dev, &ohci->usb_packet);
1024         trace_usb_ohci_td_packet_status(ohci->usb_packet.status);
1025 
1026         if (ohci->usb_packet.status == USB_RET_ASYNC) {
1027             usb_device_flush_ep_queue(dev, ep);
1028             ohci->async_td = addr;
1029             return 1;
1030         }
1031     }
1032     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1033         ret = ohci->usb_packet.actual_length;
1034     } else {
1035         ret = ohci->usb_packet.status;
1036     }
1037 
1038     if (ret >= 0) {
1039         if (dir == OHCI_TD_DIR_IN) {
1040             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1041                              DMA_DIRECTION_FROM_DEVICE)) {
1042                 ohci_die(ohci);
1043             }
1044             ohci_td_pkt("IN", ohci->usb_buf, pktlen);
1045         } else {
1046             ret = pktlen;
1047         }
1048     }
1049 
1050     /* Writeback */
1051     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1052         /* Transmission succeeded.  */
1053         if (ret == len) {
1054             td.cbp = 0;
1055         } else {
1056             if ((td.cbp & 0xfff) + ret > 0xfff) {
1057                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1058             } else {
1059                 td.cbp += ret;
1060             }
1061         }
1062         td.flags |= OHCI_TD_T1;
1063         td.flags ^= OHCI_TD_T0;
1064         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1065         OHCI_SET_BM(td.flags, TD_EC, 0);
1066 
1067         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1068             /* Partial packet transfer: TD not ready to retire yet */
1069             goto exit_no_retire;
1070         }
1071 
1072         /* Setting ED_C is part of the TD retirement process */
1073         ed->head &= ~OHCI_ED_C;
1074         if (td.flags & OHCI_TD_T0)
1075             ed->head |= OHCI_ED_C;
1076     } else {
1077         if (ret >= 0) {
1078             trace_usb_ohci_td_underrun();
1079             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1080         } else {
1081             switch (ret) {
1082             case USB_RET_IOERROR:
1083             case USB_RET_NODEV:
1084                 trace_usb_ohci_td_dev_error();
1085                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1086                 break;
1087             case USB_RET_NAK:
1088                 trace_usb_ohci_td_nak();
1089                 return 1;
1090             case USB_RET_STALL:
1091                 trace_usb_ohci_td_stall();
1092                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1093                 break;
1094             case USB_RET_BABBLE:
1095                 trace_usb_ohci_td_babble();
1096                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1097                 break;
1098             default:
1099                 trace_usb_ohci_td_bad_device_response(ret);
1100                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1101                 OHCI_SET_BM(td.flags, TD_EC, 3);
1102                 break;
1103             }
1104             /* An error occured so we have to clear the interrupt counter. See
1105              * spec at 6.4.4 on page 104 */
1106             ohci->done_count = 0;
1107         }
1108         ed->head |= OHCI_ED_H;
1109     }
1110 
1111     /* Retire this TD */
1112     ed->head &= ~OHCI_DPTR_MASK;
1113     ed->head |= td.next & OHCI_DPTR_MASK;
1114     td.next = ohci->done;
1115     ohci->done = addr;
1116     i = OHCI_BM(td.flags, TD_DI);
1117     if (i < ohci->done_count)
1118         ohci->done_count = i;
1119 exit_no_retire:
1120     if (ohci_put_td(ohci, addr, &td)) {
1121         ohci_die(ohci);
1122         return 1;
1123     }
1124     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1125 }
1126 
1127 /* Service an endpoint list.  Returns nonzero if active TD were found.  */
1128 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
1129 {
1130     struct ohci_ed ed;
1131     uint32_t next_ed;
1132     uint32_t cur;
1133     int active;
1134     uint32_t link_cnt = 0;
1135     active = 0;
1136 
1137     if (head == 0)
1138         return 0;
1139 
1140     for (cur = head; cur && link_cnt++ < ED_LINK_LIMIT; cur = next_ed) {
1141         if (ohci_read_ed(ohci, cur, &ed)) {
1142             trace_usb_ohci_ed_read_error(cur);
1143             ohci_die(ohci);
1144             return 0;
1145         }
1146 
1147         next_ed = ed.next & OHCI_DPTR_MASK;
1148 
1149         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1150             uint32_t addr;
1151             /* Cancel pending packets for ED that have been paused.  */
1152             addr = ed.head & OHCI_DPTR_MASK;
1153             if (ohci->async_td && addr == ohci->async_td) {
1154                 usb_cancel_packet(&ohci->usb_packet);
1155                 ohci->async_td = 0;
1156                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1157                                       ohci->usb_packet.ep);
1158             }
1159             continue;
1160         }
1161 
1162         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1163             trace_usb_ohci_ed_pkt(cur, (ed.head & OHCI_ED_H) != 0,
1164                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1165                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1166             trace_usb_ohci_ed_pkt_flags(
1167                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1168                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S)!= 0,
1169                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1170                     OHCI_BM(ed.flags, ED_MPS));
1171 
1172             active = 1;
1173 
1174             if ((ed.flags & OHCI_ED_F) == 0) {
1175                 if (ohci_service_td(ohci, &ed))
1176                     break;
1177             } else {
1178                 /* Handle isochronous endpoints */
1179                 if (ohci_service_iso_td(ohci, &ed, completion))
1180                     break;
1181             }
1182         }
1183 
1184         if (ohci_put_ed(ohci, cur, &ed)) {
1185             ohci_die(ohci);
1186             return 0;
1187         }
1188     }
1189 
1190     return active;
1191 }
1192 
1193 /* set a timer for EOF */
1194 static void ohci_eof_timer(OHCIState *ohci)
1195 {
1196     timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1197 }
1198 /* Set a timer for EOF and generate a SOF event */
1199 static void ohci_sof(OHCIState *ohci)
1200 {
1201     ohci->sof_time += usb_frame_time;
1202     ohci_eof_timer(ohci);
1203     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1204 }
1205 
1206 /* Process Control and Bulk lists.  */
1207 static void ohci_process_lists(OHCIState *ohci, int completion)
1208 {
1209     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1210         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1211             trace_usb_ohci_process_lists(ohci->ctrl_head, ohci->ctrl_cur);
1212         }
1213         if (!ohci_service_ed_list(ohci, ohci->ctrl_head, completion)) {
1214             ohci->ctrl_cur = 0;
1215             ohci->status &= ~OHCI_STATUS_CLF;
1216         }
1217     }
1218 
1219     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1220         if (!ohci_service_ed_list(ohci, ohci->bulk_head, completion)) {
1221             ohci->bulk_cur = 0;
1222             ohci->status &= ~OHCI_STATUS_BLF;
1223         }
1224     }
1225 }
1226 
1227 /* Do frame processing on frame boundary */
1228 static void ohci_frame_boundary(void *opaque)
1229 {
1230     OHCIState *ohci = opaque;
1231     struct ohci_hcca hcca;
1232 
1233     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1234         trace_usb_ohci_hcca_read_error(ohci->hcca);
1235         ohci_die(ohci);
1236         return;
1237     }
1238 
1239     /* Process all the lists at the end of the frame */
1240     if (ohci->ctl & OHCI_CTL_PLE) {
1241         int n;
1242 
1243         n = ohci->frame_number & 0x1f;
1244         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]), 0);
1245     }
1246 
1247     /* Cancel all pending packets if either of the lists has been disabled.  */
1248     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1249         if (ohci->async_td) {
1250             usb_cancel_packet(&ohci->usb_packet);
1251             ohci->async_td = 0;
1252         }
1253         ohci_stop_endpoints(ohci);
1254     }
1255     ohci->old_ctl = ohci->ctl;
1256     ohci_process_lists(ohci, 0);
1257 
1258     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1259     if (ohci->intr_status & OHCI_INTR_UE) {
1260         return;
1261     }
1262 
1263     /* Frame boundary, so do EOF stuf here */
1264     ohci->frt = ohci->fit;
1265 
1266     /* Increment frame number and take care of endianness. */
1267     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1268     hcca.frame = cpu_to_le16(ohci->frame_number);
1269 
1270     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1271         if (!ohci->done)
1272             abort();
1273         if (ohci->intr & ohci->intr_status)
1274             ohci->done |= 1;
1275         hcca.done = cpu_to_le32(ohci->done);
1276         ohci->done = 0;
1277         ohci->done_count = 7;
1278         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1279     }
1280 
1281     if (ohci->done_count != 7 && ohci->done_count != 0)
1282         ohci->done_count--;
1283 
1284     /* Do SOF stuff here */
1285     ohci_sof(ohci);
1286 
1287     /* Writeback HCCA */
1288     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1289         ohci_die(ohci);
1290     }
1291 }
1292 
1293 /* Start sending SOF tokens across the USB bus, lists are processed in
1294  * next frame
1295  */
1296 static int ohci_bus_start(OHCIState *ohci)
1297 {
1298     trace_usb_ohci_start(ohci->name);
1299 
1300     /* Delay the first SOF event by one frame time as
1301      * linux driver is not ready to receive it and
1302      * can meet some race conditions
1303      */
1304 
1305     ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1306     ohci_eof_timer(ohci);
1307 
1308     return 1;
1309 }
1310 
1311 /* Stop sending SOF tokens on the bus */
1312 void ohci_bus_stop(OHCIState *ohci)
1313 {
1314     trace_usb_ohci_stop(ohci->name);
1315     timer_del(ohci->eof_timer);
1316 }
1317 
1318 /* Sets a flag in a port status register but only set it if the port is
1319  * connected, if not set ConnectStatusChange flag. If flag is enabled
1320  * return 1.
1321  */
1322 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1323 {
1324     int ret = 1;
1325 
1326     /* writing a 0 has no effect */
1327     if (val == 0)
1328         return 0;
1329 
1330     /* If CurrentConnectStatus is cleared we set
1331      * ConnectStatusChange
1332      */
1333     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1334         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1335         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1336             /* TODO: CSC is a wakeup event */
1337         }
1338         return 0;
1339     }
1340 
1341     if (ohci->rhport[i].ctrl & val)
1342         ret = 0;
1343 
1344     /* set the bit */
1345     ohci->rhport[i].ctrl |= val;
1346 
1347     return ret;
1348 }
1349 
1350 /* Set the frame interval - frame interval toggle is manipulated by the hcd only */
1351 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1352 {
1353     val &= OHCI_FMI_FI;
1354 
1355     if (val != ohci->fi) {
1356         trace_usb_ohci_set_frame_interval(ohci->name, ohci->fi, ohci->fi);
1357     }
1358 
1359     ohci->fi = val;
1360 }
1361 
1362 static void ohci_port_power(OHCIState *ohci, int i, int p)
1363 {
1364     if (p) {
1365         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1366     } else {
1367         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS|
1368                     OHCI_PORT_CCS|
1369                     OHCI_PORT_PSS|
1370                     OHCI_PORT_PRS);
1371     }
1372 }
1373 
1374 /* Set HcControlRegister */
1375 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1376 {
1377     uint32_t old_state;
1378     uint32_t new_state;
1379 
1380     old_state = ohci->ctl & OHCI_CTL_HCFS;
1381     ohci->ctl = val;
1382     new_state = ohci->ctl & OHCI_CTL_HCFS;
1383 
1384     /* no state change */
1385     if (old_state == new_state)
1386         return;
1387 
1388     trace_usb_ohci_set_ctl(ohci->name, new_state);
1389     switch (new_state) {
1390     case OHCI_USB_OPERATIONAL:
1391         ohci_bus_start(ohci);
1392         break;
1393     case OHCI_USB_SUSPEND:
1394         ohci_bus_stop(ohci);
1395         /* clear pending SF otherwise linux driver loops in ohci_irq() */
1396         ohci->intr_status &= ~OHCI_INTR_SF;
1397         ohci_intr_update(ohci);
1398         break;
1399     case OHCI_USB_RESUME:
1400         trace_usb_ohci_resume(ohci->name);
1401         break;
1402     case OHCI_USB_RESET:
1403         ohci_roothub_reset(ohci);
1404         break;
1405     }
1406 }
1407 
1408 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1409 {
1410     uint16_t fr;
1411     int64_t tks;
1412 
1413     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL)
1414         return (ohci->frt << 31);
1415 
1416     /* Being in USB operational state guarnatees sof_time was
1417      * set already.
1418      */
1419     tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1420     if (tks < 0) {
1421         tks = 0;
1422     }
1423 
1424     /* avoid muldiv if possible */
1425     if (tks >= usb_frame_time)
1426         return (ohci->frt << 31);
1427 
1428     tks = tks / usb_bit_time;
1429     fr = (uint16_t)(ohci->fi - tks);
1430 
1431     return (ohci->frt << 31) | fr;
1432 }
1433 
1434 
1435 /* Set root hub status */
1436 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1437 {
1438     uint32_t old_state;
1439 
1440     old_state = ohci->rhstatus;
1441 
1442     /* write 1 to clear OCIC */
1443     if (val & OHCI_RHS_OCIC)
1444         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1445 
1446     if (val & OHCI_RHS_LPS) {
1447         int i;
1448 
1449         for (i = 0; i < ohci->num_ports; i++)
1450             ohci_port_power(ohci, i, 0);
1451         trace_usb_ohci_hub_power_down();
1452     }
1453 
1454     if (val & OHCI_RHS_LPSC) {
1455         int i;
1456 
1457         for (i = 0; i < ohci->num_ports; i++)
1458             ohci_port_power(ohci, i, 1);
1459         trace_usb_ohci_hub_power_up();
1460     }
1461 
1462     if (val & OHCI_RHS_DRWE)
1463         ohci->rhstatus |= OHCI_RHS_DRWE;
1464 
1465     if (val & OHCI_RHS_CRWE)
1466         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1467 
1468     if (old_state != ohci->rhstatus)
1469         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1470 }
1471 
1472 /* Set root hub port status */
1473 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1474 {
1475     uint32_t old_state;
1476     OHCIPort *port;
1477 
1478     port = &ohci->rhport[portnum];
1479     old_state = port->ctrl;
1480 
1481     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1482     if (val & OHCI_PORT_WTC)
1483         port->ctrl &= ~(val & OHCI_PORT_WTC);
1484 
1485     if (val & OHCI_PORT_CCS)
1486         port->ctrl &= ~OHCI_PORT_PES;
1487 
1488     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1489 
1490     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1491         trace_usb_ohci_port_suspend(portnum);
1492     }
1493 
1494     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1495         trace_usb_ohci_port_reset(portnum);
1496         usb_device_reset(port->port.dev);
1497         port->ctrl &= ~OHCI_PORT_PRS;
1498         /* ??? Should this also set OHCI_PORT_PESC.  */
1499         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1500     }
1501 
1502     /* Invert order here to ensure in ambiguous case, device is
1503      * powered up...
1504      */
1505     if (val & OHCI_PORT_LSDA)
1506         ohci_port_power(ohci, portnum, 0);
1507     if (val & OHCI_PORT_PPS)
1508         ohci_port_power(ohci, portnum, 1);
1509 
1510     if (old_state != port->ctrl)
1511         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1512 }
1513 
1514 static uint64_t ohci_mem_read(void *opaque,
1515                               hwaddr addr,
1516                               unsigned size)
1517 {
1518     OHCIState *ohci = opaque;
1519     uint32_t retval;
1520 
1521     /* Only aligned reads are allowed on OHCI */
1522     if (addr & 3) {
1523         trace_usb_ohci_mem_read_unaligned(addr);
1524         return 0xffffffff;
1525     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1526         /* HcRhPortStatus */
1527         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1528     } else {
1529         switch (addr >> 2) {
1530         case 0: /* HcRevision */
1531             retval = 0x10;
1532             break;
1533 
1534         case 1: /* HcControl */
1535             retval = ohci->ctl;
1536             break;
1537 
1538         case 2: /* HcCommandStatus */
1539             retval = ohci->status;
1540             break;
1541 
1542         case 3: /* HcInterruptStatus */
1543             retval = ohci->intr_status;
1544             break;
1545 
1546         case 4: /* HcInterruptEnable */
1547         case 5: /* HcInterruptDisable */
1548             retval = ohci->intr;
1549             break;
1550 
1551         case 6: /* HcHCCA */
1552             retval = ohci->hcca;
1553             break;
1554 
1555         case 7: /* HcPeriodCurrentED */
1556             retval = ohci->per_cur;
1557             break;
1558 
1559         case 8: /* HcControlHeadED */
1560             retval = ohci->ctrl_head;
1561             break;
1562 
1563         case 9: /* HcControlCurrentED */
1564             retval = ohci->ctrl_cur;
1565             break;
1566 
1567         case 10: /* HcBulkHeadED */
1568             retval = ohci->bulk_head;
1569             break;
1570 
1571         case 11: /* HcBulkCurrentED */
1572             retval = ohci->bulk_cur;
1573             break;
1574 
1575         case 12: /* HcDoneHead */
1576             retval = ohci->done;
1577             break;
1578 
1579         case 13: /* HcFmInterretval */
1580             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1581             break;
1582 
1583         case 14: /* HcFmRemaining */
1584             retval = ohci_get_frame_remaining(ohci);
1585             break;
1586 
1587         case 15: /* HcFmNumber */
1588             retval = ohci->frame_number;
1589             break;
1590 
1591         case 16: /* HcPeriodicStart */
1592             retval = ohci->pstart;
1593             break;
1594 
1595         case 17: /* HcLSThreshold */
1596             retval = ohci->lst;
1597             break;
1598 
1599         case 18: /* HcRhDescriptorA */
1600             retval = ohci->rhdesc_a;
1601             break;
1602 
1603         case 19: /* HcRhDescriptorB */
1604             retval = ohci->rhdesc_b;
1605             break;
1606 
1607         case 20: /* HcRhStatus */
1608             retval = ohci->rhstatus;
1609             break;
1610 
1611         /* PXA27x specific registers */
1612         case 24: /* HcStatus */
1613             retval = ohci->hstatus & ohci->hmask;
1614             break;
1615 
1616         case 25: /* HcHReset */
1617             retval = ohci->hreset;
1618             break;
1619 
1620         case 26: /* HcHInterruptEnable */
1621             retval = ohci->hmask;
1622             break;
1623 
1624         case 27: /* HcHInterruptTest */
1625             retval = ohci->htest;
1626             break;
1627 
1628         default:
1629             trace_usb_ohci_mem_read_bad_offset(addr);
1630             retval = 0xffffffff;
1631         }
1632     }
1633 
1634     return retval;
1635 }
1636 
1637 static void ohci_mem_write(void *opaque,
1638                            hwaddr addr,
1639                            uint64_t val,
1640                            unsigned size)
1641 {
1642     OHCIState *ohci = opaque;
1643 
1644     /* Only aligned reads are allowed on OHCI */
1645     if (addr & 3) {
1646         trace_usb_ohci_mem_write_unaligned(addr);
1647         return;
1648     }
1649 
1650     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1651         /* HcRhPortStatus */
1652         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1653         return;
1654     }
1655 
1656     switch (addr >> 2) {
1657     case 1: /* HcControl */
1658         ohci_set_ctl(ohci, val);
1659         break;
1660 
1661     case 2: /* HcCommandStatus */
1662         /* SOC is read-only */
1663         val = (val & ~OHCI_STATUS_SOC);
1664 
1665         /* Bits written as '0' remain unchanged in the register */
1666         ohci->status |= val;
1667 
1668         if (ohci->status & OHCI_STATUS_HCR)
1669             ohci_soft_reset(ohci);
1670         break;
1671 
1672     case 3: /* HcInterruptStatus */
1673         ohci->intr_status &= ~val;
1674         ohci_intr_update(ohci);
1675         break;
1676 
1677     case 4: /* HcInterruptEnable */
1678         ohci->intr |= val;
1679         ohci_intr_update(ohci);
1680         break;
1681 
1682     case 5: /* HcInterruptDisable */
1683         ohci->intr &= ~val;
1684         ohci_intr_update(ohci);
1685         break;
1686 
1687     case 6: /* HcHCCA */
1688         ohci->hcca = val & OHCI_HCCA_MASK;
1689         break;
1690 
1691     case 7: /* HcPeriodCurrentED */
1692         /* Ignore writes to this read-only register, Linux does them */
1693         break;
1694 
1695     case 8: /* HcControlHeadED */
1696         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1697         break;
1698 
1699     case 9: /* HcControlCurrentED */
1700         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1701         break;
1702 
1703     case 10: /* HcBulkHeadED */
1704         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1705         break;
1706 
1707     case 11: /* HcBulkCurrentED */
1708         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1709         break;
1710 
1711     case 13: /* HcFmInterval */
1712         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1713         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1714         ohci_set_frame_interval(ohci, val);
1715         break;
1716 
1717     case 15: /* HcFmNumber */
1718         break;
1719 
1720     case 16: /* HcPeriodicStart */
1721         ohci->pstart = val & 0xffff;
1722         break;
1723 
1724     case 17: /* HcLSThreshold */
1725         ohci->lst = val & 0xffff;
1726         break;
1727 
1728     case 18: /* HcRhDescriptorA */
1729         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1730         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1731         break;
1732 
1733     case 19: /* HcRhDescriptorB */
1734         break;
1735 
1736     case 20: /* HcRhStatus */
1737         ohci_set_hub_status(ohci, val);
1738         break;
1739 
1740     /* PXA27x specific registers */
1741     case 24: /* HcStatus */
1742         ohci->hstatus &= ~(val & ohci->hmask);
1743         break;
1744 
1745     case 25: /* HcHReset */
1746         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1747         if (val & OHCI_HRESET_FSBIR)
1748             ohci_hard_reset(ohci);
1749         break;
1750 
1751     case 26: /* HcHInterruptEnable */
1752         ohci->hmask = val;
1753         break;
1754 
1755     case 27: /* HcHInterruptTest */
1756         ohci->htest = val;
1757         break;
1758 
1759     default:
1760         trace_usb_ohci_mem_write_bad_offset(addr);
1761         break;
1762     }
1763 }
1764 
1765 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
1766 {
1767     if (ohci->async_td &&
1768         usb_packet_is_inflight(&ohci->usb_packet) &&
1769         ohci->usb_packet.ep->dev == dev) {
1770         usb_cancel_packet(&ohci->usb_packet);
1771         ohci->async_td = 0;
1772     }
1773 }
1774 
1775 static const MemoryRegionOps ohci_mem_ops = {
1776     .read = ohci_mem_read,
1777     .write = ohci_mem_write,
1778     .endianness = DEVICE_LITTLE_ENDIAN,
1779 };
1780 
1781 static USBPortOps ohci_port_ops = {
1782     .attach = ohci_attach,
1783     .detach = ohci_detach,
1784     .child_detach = ohci_child_detach,
1785     .wakeup = ohci_wakeup,
1786     .complete = ohci_async_complete_packet,
1787 };
1788 
1789 static USBBusOps ohci_bus_ops = {
1790 };
1791 
1792 void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
1793                    dma_addr_t localmem_base, char *masterbus,
1794                    uint32_t firstport, AddressSpace *as,
1795                    void (*ohci_die_fn)(struct OHCIState *), Error **errp)
1796 {
1797     Error *err = NULL;
1798     int i;
1799 
1800     ohci->as = as;
1801     ohci->ohci_die = ohci_die_fn;
1802 
1803     if (num_ports > OHCI_MAX_PORTS) {
1804         error_setg(errp, "OHCI num-ports=%u is too big (limit is %u ports)",
1805                    num_ports, OHCI_MAX_PORTS);
1806         return;
1807     }
1808 
1809     if (usb_frame_time == 0) {
1810 #ifdef OHCI_TIME_WARP
1811         usb_frame_time = NANOSECONDS_PER_SECOND;
1812         usb_bit_time = NANOSECONDS_PER_SECOND / (USB_HZ / 1000);
1813 #else
1814         usb_frame_time = NANOSECONDS_PER_SECOND / 1000;
1815         if (NANOSECONDS_PER_SECOND >= USB_HZ) {
1816             usb_bit_time = NANOSECONDS_PER_SECOND / USB_HZ;
1817         } else {
1818             usb_bit_time = 1;
1819         }
1820 #endif
1821         trace_usb_ohci_init_time(usb_frame_time, usb_bit_time);
1822     }
1823 
1824     ohci->num_ports = num_ports;
1825     if (masterbus) {
1826         USBPort *ports[OHCI_MAX_PORTS];
1827         for(i = 0; i < num_ports; i++) {
1828             ports[i] = &ohci->rhport[i].port;
1829         }
1830         usb_register_companion(masterbus, ports, num_ports,
1831                                firstport, ohci, &ohci_port_ops,
1832                                USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL,
1833                                &err);
1834         if (err) {
1835             error_propagate(errp, err);
1836             return;
1837         }
1838     } else {
1839         usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1840         for (i = 0; i < num_ports; i++) {
1841             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1842                               ohci, i, &ohci_port_ops,
1843                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1844         }
1845     }
1846 
1847     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1848                           ohci, "ohci", 256);
1849     ohci->localmem_base = localmem_base;
1850 
1851     ohci->name = object_get_typename(OBJECT(dev));
1852     usb_packet_init(&ohci->usb_packet);
1853 
1854     ohci->async_td = 0;
1855 
1856     ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1857                                    ohci_frame_boundary, ohci);
1858 }
1859 
1860 /**
1861  * A typical OHCI will stop operating and set itself into error state
1862  * (which can be queried by MMIO) to signal that it got an error.
1863  */
1864 void ohci_sysbus_die(struct OHCIState *ohci)
1865 {
1866     trace_usb_ohci_die();
1867 
1868     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1869     ohci_bus_stop(ohci);
1870 }
1871 
1872 #define TYPE_SYSBUS_OHCI "sysbus-ohci"
1873 #define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
1874 
1875 typedef struct {
1876     /*< private >*/
1877     SysBusDevice parent_obj;
1878     /*< public >*/
1879 
1880     OHCIState ohci;
1881     char *masterbus;
1882     uint32_t num_ports;
1883     uint32_t firstport;
1884     dma_addr_t dma_offset;
1885 } OHCISysBusState;
1886 
1887 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
1888 {
1889     OHCISysBusState *s = SYSBUS_OHCI(dev);
1890     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1891     Error *err = NULL;
1892 
1893     usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset,
1894                   s->masterbus, s->firstport,
1895                   &address_space_memory, ohci_sysbus_die, &err);
1896     if (err) {
1897         error_propagate(errp, err);
1898         return;
1899     }
1900     sysbus_init_irq(sbd, &s->ohci.irq);
1901     sysbus_init_mmio(sbd, &s->ohci.mem);
1902 }
1903 
1904 static void usb_ohci_reset_sysbus(DeviceState *dev)
1905 {
1906     OHCISysBusState *s = SYSBUS_OHCI(dev);
1907     OHCIState *ohci = &s->ohci;
1908 
1909     ohci_hard_reset(ohci);
1910 }
1911 
1912 static const VMStateDescription vmstate_ohci_state_port = {
1913     .name = "ohci-core/port",
1914     .version_id = 1,
1915     .minimum_version_id = 1,
1916     .fields = (VMStateField[]) {
1917         VMSTATE_UINT32(ctrl, OHCIPort),
1918         VMSTATE_END_OF_LIST()
1919     },
1920 };
1921 
1922 static bool ohci_eof_timer_needed(void *opaque)
1923 {
1924     OHCIState *ohci = opaque;
1925 
1926     return timer_pending(ohci->eof_timer);
1927 }
1928 
1929 static const VMStateDescription vmstate_ohci_eof_timer = {
1930     .name = "ohci-core/eof-timer",
1931     .version_id = 1,
1932     .minimum_version_id = 1,
1933     .needed = ohci_eof_timer_needed,
1934     .fields = (VMStateField[]) {
1935         VMSTATE_TIMER_PTR(eof_timer, OHCIState),
1936         VMSTATE_END_OF_LIST()
1937     },
1938 };
1939 
1940 const VMStateDescription vmstate_ohci_state = {
1941     .name = "ohci-core",
1942     .version_id = 1,
1943     .minimum_version_id = 1,
1944     .fields = (VMStateField[]) {
1945         VMSTATE_INT64(sof_time, OHCIState),
1946         VMSTATE_UINT32(ctl, OHCIState),
1947         VMSTATE_UINT32(status, OHCIState),
1948         VMSTATE_UINT32(intr_status, OHCIState),
1949         VMSTATE_UINT32(intr, OHCIState),
1950         VMSTATE_UINT32(hcca, OHCIState),
1951         VMSTATE_UINT32(ctrl_head, OHCIState),
1952         VMSTATE_UINT32(ctrl_cur, OHCIState),
1953         VMSTATE_UINT32(bulk_head, OHCIState),
1954         VMSTATE_UINT32(bulk_cur, OHCIState),
1955         VMSTATE_UINT32(per_cur, OHCIState),
1956         VMSTATE_UINT32(done, OHCIState),
1957         VMSTATE_INT32(done_count, OHCIState),
1958         VMSTATE_UINT16(fsmps, OHCIState),
1959         VMSTATE_UINT8(fit, OHCIState),
1960         VMSTATE_UINT16(fi, OHCIState),
1961         VMSTATE_UINT8(frt, OHCIState),
1962         VMSTATE_UINT16(frame_number, OHCIState),
1963         VMSTATE_UINT16(padding, OHCIState),
1964         VMSTATE_UINT32(pstart, OHCIState),
1965         VMSTATE_UINT32(lst, OHCIState),
1966         VMSTATE_UINT32(rhdesc_a, OHCIState),
1967         VMSTATE_UINT32(rhdesc_b, OHCIState),
1968         VMSTATE_UINT32(rhstatus, OHCIState),
1969         VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
1970                              vmstate_ohci_state_port, OHCIPort),
1971         VMSTATE_UINT32(hstatus, OHCIState),
1972         VMSTATE_UINT32(hmask, OHCIState),
1973         VMSTATE_UINT32(hreset, OHCIState),
1974         VMSTATE_UINT32(htest, OHCIState),
1975         VMSTATE_UINT32(old_ctl, OHCIState),
1976         VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
1977         VMSTATE_UINT32(async_td, OHCIState),
1978         VMSTATE_BOOL(async_complete, OHCIState),
1979         VMSTATE_END_OF_LIST()
1980     },
1981     .subsections = (const VMStateDescription*[]) {
1982         &vmstate_ohci_eof_timer,
1983         NULL
1984     }
1985 };
1986 
1987 static Property ohci_sysbus_properties[] = {
1988     DEFINE_PROP_STRING("masterbus", OHCISysBusState, masterbus),
1989     DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
1990     DEFINE_PROP_UINT32("firstport", OHCISysBusState, firstport, 0),
1991     DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 0),
1992     DEFINE_PROP_END_OF_LIST(),
1993 };
1994 
1995 static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
1996 {
1997     DeviceClass *dc = DEVICE_CLASS(klass);
1998 
1999     dc->realize = ohci_realize_pxa;
2000     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2001     dc->desc = "OHCI USB Controller";
2002     dc->props = ohci_sysbus_properties;
2003     dc->reset = usb_ohci_reset_sysbus;
2004 }
2005 
2006 static const TypeInfo ohci_sysbus_info = {
2007     .name          = TYPE_SYSBUS_OHCI,
2008     .parent        = TYPE_SYS_BUS_DEVICE,
2009     .instance_size = sizeof(OHCISysBusState),
2010     .class_init    = ohci_sysbus_class_init,
2011 };
2012 
2013 static void ohci_register_types(void)
2014 {
2015     type_register_static(&ohci_sysbus_info);
2016 }
2017 
2018 type_init(ohci_register_types)
2019