xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision 709395f8)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26 */
27 
28 #include "qemu/osdep.h"
29 #include "hw/hw.h"
30 #include "qapi/error.h"
31 #include "qemu/timer.h"
32 #include "hw/usb.h"
33 #include "hw/pci/pci.h"
34 #include "hw/sysbus.h"
35 #include "hw/qdev-dma.h"
36 #include "trace.h"
37 
38 /* This causes frames to occur 1000x slower */
39 //#define OHCI_TIME_WARP 1
40 
41 /* Number of Downstream Ports on the root hub.  */
42 
43 #define OHCI_MAX_PORTS 15
44 
45 #define ED_LINK_LIMIT 32
46 
47 static int64_t usb_frame_time;
48 static int64_t usb_bit_time;
49 
50 typedef struct OHCIPort {
51     USBPort port;
52     uint32_t ctrl;
53 } OHCIPort;
54 
55 typedef struct {
56     USBBus bus;
57     qemu_irq irq;
58     MemoryRegion mem;
59     AddressSpace *as;
60     uint32_t num_ports;
61     const char *name;
62 
63     QEMUTimer *eof_timer;
64     int64_t sof_time;
65 
66     /* OHCI state */
67     /* Control partition */
68     uint32_t ctl, status;
69     uint32_t intr_status;
70     uint32_t intr;
71 
72     /* memory pointer partition */
73     uint32_t hcca;
74     uint32_t ctrl_head, ctrl_cur;
75     uint32_t bulk_head, bulk_cur;
76     uint32_t per_cur;
77     uint32_t done;
78     int32_t done_count;
79 
80     /* Frame counter partition */
81     uint16_t fsmps;
82     uint8_t fit;
83     uint16_t fi;
84     uint8_t frt;
85     uint16_t frame_number;
86     uint16_t padding;
87     uint32_t pstart;
88     uint32_t lst;
89 
90     /* Root Hub partition */
91     uint32_t rhdesc_a, rhdesc_b;
92     uint32_t rhstatus;
93     OHCIPort rhport[OHCI_MAX_PORTS];
94 
95     /* PXA27x Non-OHCI events */
96     uint32_t hstatus;
97     uint32_t hmask;
98     uint32_t hreset;
99     uint32_t htest;
100 
101     /* SM501 local memory offset */
102     dma_addr_t localmem_base;
103 
104     /* Active packets.  */
105     uint32_t old_ctl;
106     USBPacket usb_packet;
107     uint8_t usb_buf[8192];
108     uint32_t async_td;
109     bool async_complete;
110 
111 } OHCIState;
112 
113 /* Host Controller Communications Area */
114 struct ohci_hcca {
115     uint32_t intr[32];
116     uint16_t frame, pad;
117     uint32_t done;
118 };
119 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
120 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
121 
122 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
123 #define ED_WBACK_SIZE   4
124 
125 static void ohci_bus_stop(OHCIState *ohci);
126 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
127 
128 /* Bitfields for the first word of an Endpoint Desciptor.  */
129 #define OHCI_ED_FA_SHIFT  0
130 #define OHCI_ED_FA_MASK   (0x7f<<OHCI_ED_FA_SHIFT)
131 #define OHCI_ED_EN_SHIFT  7
132 #define OHCI_ED_EN_MASK   (0xf<<OHCI_ED_EN_SHIFT)
133 #define OHCI_ED_D_SHIFT   11
134 #define OHCI_ED_D_MASK    (3<<OHCI_ED_D_SHIFT)
135 #define OHCI_ED_S         (1<<13)
136 #define OHCI_ED_K         (1<<14)
137 #define OHCI_ED_F         (1<<15)
138 #define OHCI_ED_MPS_SHIFT 16
139 #define OHCI_ED_MPS_MASK  (0x7ff<<OHCI_ED_MPS_SHIFT)
140 
141 /* Flags in the head field of an Endpoint Desciptor.  */
142 #define OHCI_ED_H         1
143 #define OHCI_ED_C         2
144 
145 /* Bitfields for the first word of a Transfer Desciptor.  */
146 #define OHCI_TD_R         (1<<18)
147 #define OHCI_TD_DP_SHIFT  19
148 #define OHCI_TD_DP_MASK   (3<<OHCI_TD_DP_SHIFT)
149 #define OHCI_TD_DI_SHIFT  21
150 #define OHCI_TD_DI_MASK   (7<<OHCI_TD_DI_SHIFT)
151 #define OHCI_TD_T0        (1<<24)
152 #define OHCI_TD_T1        (1<<25)
153 #define OHCI_TD_EC_SHIFT  26
154 #define OHCI_TD_EC_MASK   (3<<OHCI_TD_EC_SHIFT)
155 #define OHCI_TD_CC_SHIFT  28
156 #define OHCI_TD_CC_MASK   (0xf<<OHCI_TD_CC_SHIFT)
157 
158 /* Bitfields for the first word of an Isochronous Transfer Desciptor.  */
159 /* CC & DI - same as in the General Transfer Desciptor */
160 #define OHCI_TD_SF_SHIFT  0
161 #define OHCI_TD_SF_MASK   (0xffff<<OHCI_TD_SF_SHIFT)
162 #define OHCI_TD_FC_SHIFT  24
163 #define OHCI_TD_FC_MASK   (7<<OHCI_TD_FC_SHIFT)
164 
165 /* Isochronous Transfer Desciptor - Offset / PacketStatusWord */
166 #define OHCI_TD_PSW_CC_SHIFT 12
167 #define OHCI_TD_PSW_CC_MASK  (0xf<<OHCI_TD_PSW_CC_SHIFT)
168 #define OHCI_TD_PSW_SIZE_SHIFT 0
169 #define OHCI_TD_PSW_SIZE_MASK  (0xfff<<OHCI_TD_PSW_SIZE_SHIFT)
170 
171 #define OHCI_PAGE_MASK    0xfffff000
172 #define OHCI_OFFSET_MASK  0xfff
173 
174 #define OHCI_DPTR_MASK    0xfffffff0
175 
176 #define OHCI_BM(val, field) \
177   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
178 
179 #define OHCI_SET_BM(val, field, newval) do { \
180     val &= ~OHCI_##field##_MASK; \
181     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
182     } while(0)
183 
184 /* endpoint descriptor */
185 struct ohci_ed {
186     uint32_t flags;
187     uint32_t tail;
188     uint32_t head;
189     uint32_t next;
190 };
191 
192 /* General transfer descriptor */
193 struct ohci_td {
194     uint32_t flags;
195     uint32_t cbp;
196     uint32_t next;
197     uint32_t be;
198 };
199 
200 /* Isochronous transfer descriptor */
201 struct ohci_iso_td {
202     uint32_t flags;
203     uint32_t bp;
204     uint32_t next;
205     uint32_t be;
206     uint16_t offset[8];
207 };
208 
209 #define USB_HZ                      12000000
210 
211 /* OHCI Local stuff */
212 #define OHCI_CTL_CBSR         ((1<<0)|(1<<1))
213 #define OHCI_CTL_PLE          (1<<2)
214 #define OHCI_CTL_IE           (1<<3)
215 #define OHCI_CTL_CLE          (1<<4)
216 #define OHCI_CTL_BLE          (1<<5)
217 #define OHCI_CTL_HCFS         ((1<<6)|(1<<7))
218 #define  OHCI_USB_RESET       0x00
219 #define  OHCI_USB_RESUME      0x40
220 #define  OHCI_USB_OPERATIONAL 0x80
221 #define  OHCI_USB_SUSPEND     0xc0
222 #define OHCI_CTL_IR           (1<<8)
223 #define OHCI_CTL_RWC          (1<<9)
224 #define OHCI_CTL_RWE          (1<<10)
225 
226 #define OHCI_STATUS_HCR       (1<<0)
227 #define OHCI_STATUS_CLF       (1<<1)
228 #define OHCI_STATUS_BLF       (1<<2)
229 #define OHCI_STATUS_OCR       (1<<3)
230 #define OHCI_STATUS_SOC       ((1<<6)|(1<<7))
231 
232 #define OHCI_INTR_SO          (1U<<0) /* Scheduling overrun */
233 #define OHCI_INTR_WD          (1U<<1) /* HcDoneHead writeback */
234 #define OHCI_INTR_SF          (1U<<2) /* Start of frame */
235 #define OHCI_INTR_RD          (1U<<3) /* Resume detect */
236 #define OHCI_INTR_UE          (1U<<4) /* Unrecoverable error */
237 #define OHCI_INTR_FNO         (1U<<5) /* Frame number overflow */
238 #define OHCI_INTR_RHSC        (1U<<6) /* Root hub status change */
239 #define OHCI_INTR_OC          (1U<<30) /* Ownership change */
240 #define OHCI_INTR_MIE         (1U<<31) /* Master Interrupt Enable */
241 
242 #define OHCI_HCCA_SIZE        0x100
243 #define OHCI_HCCA_MASK        0xffffff00
244 
245 #define OHCI_EDPTR_MASK       0xfffffff0
246 
247 #define OHCI_FMI_FI           0x00003fff
248 #define OHCI_FMI_FSMPS        0xffff0000
249 #define OHCI_FMI_FIT          0x80000000
250 
251 #define OHCI_FR_RT            (1U<<31)
252 
253 #define OHCI_LS_THRESH        0x628
254 
255 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
256 #define OHCI_RHA_PSM          (1<<8)
257 #define OHCI_RHA_NPS          (1<<9)
258 #define OHCI_RHA_DT           (1<<10)
259 #define OHCI_RHA_OCPM         (1<<11)
260 #define OHCI_RHA_NOCP         (1<<12)
261 #define OHCI_RHA_POTPGT_MASK  0xff000000
262 
263 #define OHCI_RHS_LPS          (1U<<0)
264 #define OHCI_RHS_OCI          (1U<<1)
265 #define OHCI_RHS_DRWE         (1U<<15)
266 #define OHCI_RHS_LPSC         (1U<<16)
267 #define OHCI_RHS_OCIC         (1U<<17)
268 #define OHCI_RHS_CRWE         (1U<<31)
269 
270 #define OHCI_PORT_CCS         (1<<0)
271 #define OHCI_PORT_PES         (1<<1)
272 #define OHCI_PORT_PSS         (1<<2)
273 #define OHCI_PORT_POCI        (1<<3)
274 #define OHCI_PORT_PRS         (1<<4)
275 #define OHCI_PORT_PPS         (1<<8)
276 #define OHCI_PORT_LSDA        (1<<9)
277 #define OHCI_PORT_CSC         (1<<16)
278 #define OHCI_PORT_PESC        (1<<17)
279 #define OHCI_PORT_PSSC        (1<<18)
280 #define OHCI_PORT_OCIC        (1<<19)
281 #define OHCI_PORT_PRSC        (1<<20)
282 #define OHCI_PORT_WTC         (OHCI_PORT_CSC|OHCI_PORT_PESC|OHCI_PORT_PSSC \
283                                |OHCI_PORT_OCIC|OHCI_PORT_PRSC)
284 
285 #define OHCI_TD_DIR_SETUP     0x0
286 #define OHCI_TD_DIR_OUT       0x1
287 #define OHCI_TD_DIR_IN        0x2
288 #define OHCI_TD_DIR_RESERVED  0x3
289 
290 #define OHCI_CC_NOERROR             0x0
291 #define OHCI_CC_CRC                 0x1
292 #define OHCI_CC_BITSTUFFING         0x2
293 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
294 #define OHCI_CC_STALL               0x4
295 #define OHCI_CC_DEVICENOTRESPONDING 0x5
296 #define OHCI_CC_PIDCHECKFAILURE     0x6
297 #define OHCI_CC_UNDEXPETEDPID       0x7
298 #define OHCI_CC_DATAOVERRUN         0x8
299 #define OHCI_CC_DATAUNDERRUN        0x9
300 #define OHCI_CC_BUFFEROVERRUN       0xc
301 #define OHCI_CC_BUFFERUNDERRUN      0xd
302 
303 #define OHCI_HRESET_FSBIR       (1 << 0)
304 
305 static void ohci_die(OHCIState *ohci);
306 
307 /* Update IRQ levels */
308 static inline void ohci_intr_update(OHCIState *ohci)
309 {
310     int level = 0;
311 
312     if ((ohci->intr & OHCI_INTR_MIE) &&
313         (ohci->intr_status & ohci->intr))
314         level = 1;
315 
316     qemu_set_irq(ohci->irq, level);
317 }
318 
319 /* Set an interrupt */
320 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
321 {
322     ohci->intr_status |= intr;
323     ohci_intr_update(ohci);
324 }
325 
326 /* Attach or detach a device on a root hub port.  */
327 static void ohci_attach(USBPort *port1)
328 {
329     OHCIState *s = port1->opaque;
330     OHCIPort *port = &s->rhport[port1->index];
331     uint32_t old_state = port->ctrl;
332 
333     /* set connect status */
334     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
335 
336     /* update speed */
337     if (port->port.dev->speed == USB_SPEED_LOW) {
338         port->ctrl |= OHCI_PORT_LSDA;
339     } else {
340         port->ctrl &= ~OHCI_PORT_LSDA;
341     }
342 
343     /* notify of remote-wakeup */
344     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
345         ohci_set_interrupt(s, OHCI_INTR_RD);
346     }
347 
348     trace_usb_ohci_port_attach(port1->index);
349 
350     if (old_state != port->ctrl) {
351         ohci_set_interrupt(s, OHCI_INTR_RHSC);
352     }
353 }
354 
355 static void ohci_detach(USBPort *port1)
356 {
357     OHCIState *s = port1->opaque;
358     OHCIPort *port = &s->rhport[port1->index];
359     uint32_t old_state = port->ctrl;
360 
361     ohci_async_cancel_device(s, port1->dev);
362 
363     /* set connect status */
364     if (port->ctrl & OHCI_PORT_CCS) {
365         port->ctrl &= ~OHCI_PORT_CCS;
366         port->ctrl |= OHCI_PORT_CSC;
367     }
368     /* disable port */
369     if (port->ctrl & OHCI_PORT_PES) {
370         port->ctrl &= ~OHCI_PORT_PES;
371         port->ctrl |= OHCI_PORT_PESC;
372     }
373     trace_usb_ohci_port_detach(port1->index);
374 
375     if (old_state != port->ctrl) {
376         ohci_set_interrupt(s, OHCI_INTR_RHSC);
377     }
378 }
379 
380 static void ohci_wakeup(USBPort *port1)
381 {
382     OHCIState *s = port1->opaque;
383     OHCIPort *port = &s->rhport[port1->index];
384     uint32_t intr = 0;
385     if (port->ctrl & OHCI_PORT_PSS) {
386         trace_usb_ohci_port_wakeup(port1->index);
387         port->ctrl |= OHCI_PORT_PSSC;
388         port->ctrl &= ~OHCI_PORT_PSS;
389         intr = OHCI_INTR_RHSC;
390     }
391     /* Note that the controller can be suspended even if this port is not */
392     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
393         trace_usb_ohci_remote_wakeup(s->name);
394         /* This is the one state transition the controller can do by itself */
395         s->ctl &= ~OHCI_CTL_HCFS;
396         s->ctl |= OHCI_USB_RESUME;
397         /* In suspend mode only ResumeDetected is possible, not RHSC:
398          * see the OHCI spec 5.1.2.3.
399          */
400         intr = OHCI_INTR_RD;
401     }
402     ohci_set_interrupt(s, intr);
403 }
404 
405 static void ohci_child_detach(USBPort *port1, USBDevice *child)
406 {
407     OHCIState *s = port1->opaque;
408 
409     ohci_async_cancel_device(s, child);
410 }
411 
412 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
413 {
414     USBDevice *dev;
415     int i;
416 
417     for (i = 0; i < ohci->num_ports; i++) {
418         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
419             continue;
420         }
421         dev = usb_find_device(&ohci->rhport[i].port, addr);
422         if (dev != NULL) {
423             return dev;
424         }
425     }
426     return NULL;
427 }
428 
429 static void ohci_stop_endpoints(OHCIState *ohci)
430 {
431     USBDevice *dev;
432     int i, j;
433 
434     for (i = 0; i < ohci->num_ports; i++) {
435         dev = ohci->rhport[i].port.dev;
436         if (dev && dev->attached) {
437             usb_device_ep_stopped(dev, &dev->ep_ctl);
438             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
439                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
440                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
441             }
442         }
443     }
444 }
445 
446 static void ohci_roothub_reset(OHCIState *ohci)
447 {
448     OHCIPort *port;
449     int i;
450 
451     ohci_bus_stop(ohci);
452     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
453     ohci->rhdesc_b = 0x0; /* Impl. specific */
454     ohci->rhstatus = 0;
455 
456     for (i = 0; i < ohci->num_ports; i++) {
457         port = &ohci->rhport[i];
458         port->ctrl = 0;
459         if (port->port.dev && port->port.dev->attached) {
460             usb_port_reset(&port->port);
461         }
462     }
463     if (ohci->async_td) {
464         usb_cancel_packet(&ohci->usb_packet);
465         ohci->async_td = 0;
466     }
467     ohci_stop_endpoints(ohci);
468 }
469 
470 /* Reset the controller */
471 static void ohci_soft_reset(OHCIState *ohci)
472 {
473     trace_usb_ohci_reset(ohci->name);
474 
475     ohci_bus_stop(ohci);
476     ohci->ctl = (ohci->ctl & OHCI_CTL_IR) | OHCI_USB_SUSPEND;
477     ohci->old_ctl = 0;
478     ohci->status = 0;
479     ohci->intr_status = 0;
480     ohci->intr = OHCI_INTR_MIE;
481 
482     ohci->hcca = 0;
483     ohci->ctrl_head = ohci->ctrl_cur = 0;
484     ohci->bulk_head = ohci->bulk_cur = 0;
485     ohci->per_cur = 0;
486     ohci->done = 0;
487     ohci->done_count = 7;
488 
489     /* FSMPS is marked TBD in OCHI 1.0, what gives ffs?
490      * I took the value linux sets ...
491      */
492     ohci->fsmps = 0x2778;
493     ohci->fi = 0x2edf;
494     ohci->fit = 0;
495     ohci->frt = 0;
496     ohci->frame_number = 0;
497     ohci->pstart = 0;
498     ohci->lst = OHCI_LS_THRESH;
499 }
500 
501 static void ohci_hard_reset(OHCIState *ohci)
502 {
503     ohci_soft_reset(ohci);
504     ohci->ctl = 0;
505     ohci_roothub_reset(ohci);
506 }
507 
508 /* Get an array of dwords from main memory */
509 static inline int get_dwords(OHCIState *ohci,
510                              dma_addr_t addr, uint32_t *buf, int num)
511 {
512     int i;
513 
514     addr += ohci->localmem_base;
515 
516     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
517         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
518             return -1;
519         }
520         *buf = le32_to_cpu(*buf);
521     }
522 
523     return 0;
524 }
525 
526 /* Put an array of dwords in to main memory */
527 static inline int put_dwords(OHCIState *ohci,
528                              dma_addr_t addr, uint32_t *buf, int num)
529 {
530     int i;
531 
532     addr += ohci->localmem_base;
533 
534     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
535         uint32_t tmp = cpu_to_le32(*buf);
536         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
537             return -1;
538         }
539     }
540 
541     return 0;
542 }
543 
544 /* Get an array of words from main memory */
545 static inline int get_words(OHCIState *ohci,
546                             dma_addr_t addr, uint16_t *buf, int num)
547 {
548     int i;
549 
550     addr += ohci->localmem_base;
551 
552     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
553         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
554             return -1;
555         }
556         *buf = le16_to_cpu(*buf);
557     }
558 
559     return 0;
560 }
561 
562 /* Put an array of words in to main memory */
563 static inline int put_words(OHCIState *ohci,
564                             dma_addr_t addr, uint16_t *buf, int num)
565 {
566     int i;
567 
568     addr += ohci->localmem_base;
569 
570     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
571         uint16_t tmp = cpu_to_le16(*buf);
572         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
573             return -1;
574         }
575     }
576 
577     return 0;
578 }
579 
580 static inline int ohci_read_ed(OHCIState *ohci,
581                                dma_addr_t addr, struct ohci_ed *ed)
582 {
583     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
584 }
585 
586 static inline int ohci_read_td(OHCIState *ohci,
587                                dma_addr_t addr, struct ohci_td *td)
588 {
589     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
590 }
591 
592 static inline int ohci_read_iso_td(OHCIState *ohci,
593                                    dma_addr_t addr, struct ohci_iso_td *td)
594 {
595     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
596            get_words(ohci, addr + 16, td->offset, 8);
597 }
598 
599 static inline int ohci_read_hcca(OHCIState *ohci,
600                                  dma_addr_t addr, struct ohci_hcca *hcca)
601 {
602     return dma_memory_read(ohci->as, addr + ohci->localmem_base,
603                            hcca, sizeof(*hcca));
604 }
605 
606 static inline int ohci_put_ed(OHCIState *ohci,
607                               dma_addr_t addr, struct ohci_ed *ed)
608 {
609     /* ed->tail is under control of the HCD.
610      * Since just ed->head is changed by HC, just write back this
611      */
612 
613     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
614                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
615                       ED_WBACK_SIZE >> 2);
616 }
617 
618 static inline int ohci_put_td(OHCIState *ohci,
619                               dma_addr_t addr, struct ohci_td *td)
620 {
621     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
622 }
623 
624 static inline int ohci_put_iso_td(OHCIState *ohci,
625                                   dma_addr_t addr, struct ohci_iso_td *td)
626 {
627     return put_dwords(ohci, addr, (uint32_t *)td, 4) ||
628            put_words(ohci, addr + 16, td->offset, 8);
629 }
630 
631 static inline int ohci_put_hcca(OHCIState *ohci,
632                                 dma_addr_t addr, struct ohci_hcca *hcca)
633 {
634     return dma_memory_write(ohci->as,
635                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
636                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
637                             HCCA_WRITEBACK_SIZE);
638 }
639 
640 /* Read/Write the contents of a TD from/to main memory.  */
641 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
642                         uint8_t *buf, int len, DMADirection dir)
643 {
644     dma_addr_t ptr, n;
645 
646     ptr = td->cbp;
647     n = 0x1000 - (ptr & 0xfff);
648     if (n > len)
649         n = len;
650 
651     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
652         return -1;
653     }
654     if (n == len) {
655         return 0;
656     }
657     ptr = td->be & ~0xfffu;
658     buf += n;
659     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
660                       len - n, dir)) {
661         return -1;
662     }
663     return 0;
664 }
665 
666 /* Read/Write the contents of an ISO TD from/to main memory.  */
667 static int ohci_copy_iso_td(OHCIState *ohci,
668                             uint32_t start_addr, uint32_t end_addr,
669                             uint8_t *buf, int len, DMADirection dir)
670 {
671     dma_addr_t ptr, n;
672 
673     ptr = start_addr;
674     n = 0x1000 - (ptr & 0xfff);
675     if (n > len)
676         n = len;
677 
678     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
679         return -1;
680     }
681     if (n == len) {
682         return 0;
683     }
684     ptr = end_addr & ~0xfffu;
685     buf += n;
686     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
687                       len - n, dir)) {
688         return -1;
689     }
690     return 0;
691 }
692 
693 static void ohci_process_lists(OHCIState *ohci, int completion);
694 
695 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
696 {
697     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
698 
699     trace_usb_ohci_async_complete();
700     ohci->async_complete = true;
701     ohci_process_lists(ohci, 1);
702 }
703 
704 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
705 
706 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
707                                int completion)
708 {
709     int dir;
710     size_t len = 0;
711     const char *str = NULL;
712     int pid;
713     int ret;
714     int i;
715     USBDevice *dev;
716     USBEndpoint *ep;
717     struct ohci_iso_td iso_td;
718     uint32_t addr;
719     uint16_t starting_frame;
720     int16_t relative_frame_number;
721     int frame_count;
722     uint32_t start_offset, next_offset, end_offset = 0;
723     uint32_t start_addr, end_addr;
724 
725     addr = ed->head & OHCI_DPTR_MASK;
726 
727     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
728         trace_usb_ohci_iso_td_read_failed(addr);
729         ohci_die(ohci);
730         return 1;
731     }
732 
733     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
734     frame_count = OHCI_BM(iso_td.flags, TD_FC);
735     relative_frame_number = USUB(ohci->frame_number, starting_frame);
736 
737     trace_usb_ohci_iso_td_head(
738            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
739            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
740            ohci->frame_number, starting_frame,
741            frame_count, relative_frame_number);
742     trace_usb_ohci_iso_td_head_offset(
743            iso_td.offset[0], iso_td.offset[1],
744            iso_td.offset[2], iso_td.offset[3],
745            iso_td.offset[4], iso_td.offset[5],
746            iso_td.offset[6], iso_td.offset[7]);
747 
748     if (relative_frame_number < 0) {
749         trace_usb_ohci_iso_td_relative_frame_number_neg(relative_frame_number);
750         return 1;
751     } else if (relative_frame_number > frame_count) {
752         /* ISO TD expired - retire the TD to the Done Queue and continue with
753            the next ISO TD of the same ED */
754         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
755                                                         frame_count);
756         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
757         ed->head &= ~OHCI_DPTR_MASK;
758         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
759         iso_td.next = ohci->done;
760         ohci->done = addr;
761         i = OHCI_BM(iso_td.flags, TD_DI);
762         if (i < ohci->done_count)
763             ohci->done_count = i;
764         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
765             ohci_die(ohci);
766             return 1;
767         }
768         return 0;
769     }
770 
771     dir = OHCI_BM(ed->flags, ED_D);
772     switch (dir) {
773     case OHCI_TD_DIR_IN:
774         str = "in";
775         pid = USB_TOKEN_IN;
776         break;
777     case OHCI_TD_DIR_OUT:
778         str = "out";
779         pid = USB_TOKEN_OUT;
780         break;
781     case OHCI_TD_DIR_SETUP:
782         str = "setup";
783         pid = USB_TOKEN_SETUP;
784         break;
785     default:
786         trace_usb_ohci_iso_td_bad_direction(dir);
787         return 1;
788     }
789 
790     if (!iso_td.bp || !iso_td.be) {
791         trace_usb_ohci_iso_td_bad_bp_be(iso_td.bp, iso_td.be);
792         return 1;
793     }
794 
795     start_offset = iso_td.offset[relative_frame_number];
796     next_offset = iso_td.offset[relative_frame_number + 1];
797 
798     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
799         ((relative_frame_number < frame_count) &&
800          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
801         trace_usb_ohci_iso_td_bad_cc_not_accessed(start_offset, next_offset);
802         return 1;
803     }
804 
805     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
806         trace_usb_ohci_iso_td_bad_cc_overrun(start_offset, next_offset);
807         return 1;
808     }
809 
810     if ((start_offset & 0x1000) == 0) {
811         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
812             (start_offset & OHCI_OFFSET_MASK);
813     } else {
814         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
815             (start_offset & OHCI_OFFSET_MASK);
816     }
817 
818     if (relative_frame_number < frame_count) {
819         end_offset = next_offset - 1;
820         if ((end_offset & 0x1000) == 0) {
821             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
822                 (end_offset & OHCI_OFFSET_MASK);
823         } else {
824             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
825                 (end_offset & OHCI_OFFSET_MASK);
826         }
827     } else {
828         /* Last packet in the ISO TD */
829         end_addr = iso_td.be;
830     }
831 
832     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
833         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
834             - (start_addr & OHCI_OFFSET_MASK);
835     } else {
836         len = end_addr - start_addr + 1;
837     }
838 
839     if (len && dir != OHCI_TD_DIR_IN) {
840         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
841                              DMA_DIRECTION_TO_DEVICE)) {
842             ohci_die(ohci);
843             return 1;
844         }
845     }
846 
847     if (!completion) {
848         bool int_req = relative_frame_number == frame_count &&
849                        OHCI_BM(iso_td.flags, TD_DI) == 0;
850         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
851         if (dev == NULL) {
852             trace_usb_ohci_td_dev_error();
853             return 1;
854         }
855         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
856         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
857         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
858         usb_handle_packet(dev, &ohci->usb_packet);
859         if (ohci->usb_packet.status == USB_RET_ASYNC) {
860             usb_device_flush_ep_queue(dev, ep);
861             return 1;
862         }
863     }
864     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
865         ret = ohci->usb_packet.actual_length;
866     } else {
867         ret = ohci->usb_packet.status;
868     }
869 
870     trace_usb_ohci_iso_td_so(start_offset, end_offset, start_addr, end_addr,
871                              str, len, ret);
872 
873     /* Writeback */
874     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
875         /* IN transfer succeeded */
876         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, ret,
877                              DMA_DIRECTION_FROM_DEVICE)) {
878             ohci_die(ohci);
879             return 1;
880         }
881         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
882                     OHCI_CC_NOERROR);
883         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
884     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
885         /* OUT transfer succeeded */
886         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
887                     OHCI_CC_NOERROR);
888         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
889     } else {
890         if (ret > (ssize_t) len) {
891             trace_usb_ohci_iso_td_data_overrun(ret, len);
892             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
893                         OHCI_CC_DATAOVERRUN);
894             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
895                         len);
896         } else if (ret >= 0) {
897             trace_usb_ohci_iso_td_data_underrun(ret);
898             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
899                         OHCI_CC_DATAUNDERRUN);
900         } else {
901             switch (ret) {
902             case USB_RET_IOERROR:
903             case USB_RET_NODEV:
904                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
905                             OHCI_CC_DEVICENOTRESPONDING);
906                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
907                             0);
908                 break;
909             case USB_RET_NAK:
910             case USB_RET_STALL:
911                 trace_usb_ohci_iso_td_nak(ret);
912                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
913                             OHCI_CC_STALL);
914                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
915                             0);
916                 break;
917             default:
918                 trace_usb_ohci_iso_td_bad_response(ret);
919                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
920                             OHCI_CC_UNDEXPETEDPID);
921                 break;
922             }
923         }
924     }
925 
926     if (relative_frame_number == frame_count) {
927         /* Last data packet of ISO TD - retire the TD to the Done Queue */
928         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
929         ed->head &= ~OHCI_DPTR_MASK;
930         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
931         iso_td.next = ohci->done;
932         ohci->done = addr;
933         i = OHCI_BM(iso_td.flags, TD_DI);
934         if (i < ohci->done_count)
935             ohci->done_count = i;
936     }
937     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
938         ohci_die(ohci);
939     }
940     return 1;
941 }
942 
943 static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
944 {
945     bool print16;
946     bool printall;
947     const int width = 16;
948     int i;
949     char tmp[3 * width + 1];
950     char *p = tmp;
951 
952     print16 = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_SHORT);
953     printall = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_FULL);
954 
955     if (!printall && !print16) {
956         return;
957     }
958 
959     for (i = 0; ; i++) {
960         if (i && (!(i % width) || (i == len))) {
961             if (!printall) {
962                 trace_usb_ohci_td_pkt_short(msg, tmp);
963                 break;
964             }
965             trace_usb_ohci_td_pkt_full(msg, tmp);
966             p = tmp;
967             *p = 0;
968         }
969         if (i == len) {
970             break;
971         }
972 
973         p += sprintf(p, " %.2x", buf[i]);
974     }
975 }
976 
977 /* Service a transport descriptor.
978    Returns nonzero to terminate processing of this endpoint.  */
979 
980 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
981 {
982     int dir;
983     size_t len = 0, pktlen = 0;
984     const char *str = NULL;
985     int pid;
986     int ret;
987     int i;
988     USBDevice *dev;
989     USBEndpoint *ep;
990     struct ohci_td td;
991     uint32_t addr;
992     int flag_r;
993     int completion;
994 
995     addr = ed->head & OHCI_DPTR_MASK;
996     /* See if this TD has already been submitted to the device.  */
997     completion = (addr == ohci->async_td);
998     if (completion && !ohci->async_complete) {
999         trace_usb_ohci_td_skip_async();
1000         return 1;
1001     }
1002     if (ohci_read_td(ohci, addr, &td)) {
1003         trace_usb_ohci_td_read_error(addr);
1004         ohci_die(ohci);
1005         return 1;
1006     }
1007 
1008     dir = OHCI_BM(ed->flags, ED_D);
1009     switch (dir) {
1010     case OHCI_TD_DIR_OUT:
1011     case OHCI_TD_DIR_IN:
1012         /* Same value.  */
1013         break;
1014     default:
1015         dir = OHCI_BM(td.flags, TD_DP);
1016         break;
1017     }
1018 
1019     switch (dir) {
1020     case OHCI_TD_DIR_IN:
1021         str = "in";
1022         pid = USB_TOKEN_IN;
1023         break;
1024     case OHCI_TD_DIR_OUT:
1025         str = "out";
1026         pid = USB_TOKEN_OUT;
1027         break;
1028     case OHCI_TD_DIR_SETUP:
1029         str = "setup";
1030         pid = USB_TOKEN_SETUP;
1031         break;
1032     default:
1033         trace_usb_ohci_td_bad_direction(dir);
1034         return 1;
1035     }
1036     if (td.cbp && td.be) {
1037         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
1038             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
1039         } else {
1040             len = (td.be - td.cbp) + 1;
1041         }
1042 
1043         pktlen = len;
1044         if (len && dir != OHCI_TD_DIR_IN) {
1045             /* The endpoint may not allow us to transfer it all now */
1046             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
1047             if (pktlen > len) {
1048                 pktlen = len;
1049             }
1050             if (!completion) {
1051                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
1052                                  DMA_DIRECTION_TO_DEVICE)) {
1053                     ohci_die(ohci);
1054                 }
1055             }
1056         }
1057     }
1058 
1059     flag_r = (td.flags & OHCI_TD_R) != 0;
1060     trace_usb_ohci_td_pkt_hdr(addr, (int64_t)pktlen, (int64_t)len, str,
1061                               flag_r, td.cbp, td.be);
1062     ohci_td_pkt("OUT", ohci->usb_buf, pktlen);
1063 
1064     if (completion) {
1065         ohci->async_td = 0;
1066         ohci->async_complete = false;
1067     } else {
1068         if (ohci->async_td) {
1069             /* ??? The hardware should allow one active packet per
1070                endpoint.  We only allow one active packet per controller.
1071                This should be sufficient as long as devices respond in a
1072                timely manner.
1073             */
1074             trace_usb_ohci_td_too_many_pending();
1075             return 1;
1076         }
1077         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
1078         if (dev == NULL) {
1079             trace_usb_ohci_td_dev_error();
1080             return 1;
1081         }
1082         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
1083         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
1084                          OHCI_BM(td.flags, TD_DI) == 0);
1085         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
1086         usb_handle_packet(dev, &ohci->usb_packet);
1087         trace_usb_ohci_td_packet_status(ohci->usb_packet.status);
1088 
1089         if (ohci->usb_packet.status == USB_RET_ASYNC) {
1090             usb_device_flush_ep_queue(dev, ep);
1091             ohci->async_td = addr;
1092             return 1;
1093         }
1094     }
1095     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1096         ret = ohci->usb_packet.actual_length;
1097     } else {
1098         ret = ohci->usb_packet.status;
1099     }
1100 
1101     if (ret >= 0) {
1102         if (dir == OHCI_TD_DIR_IN) {
1103             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1104                              DMA_DIRECTION_FROM_DEVICE)) {
1105                 ohci_die(ohci);
1106             }
1107             ohci_td_pkt("IN", ohci->usb_buf, pktlen);
1108         } else {
1109             ret = pktlen;
1110         }
1111     }
1112 
1113     /* Writeback */
1114     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1115         /* Transmission succeeded.  */
1116         if (ret == len) {
1117             td.cbp = 0;
1118         } else {
1119             if ((td.cbp & 0xfff) + ret > 0xfff) {
1120                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1121             } else {
1122                 td.cbp += ret;
1123             }
1124         }
1125         td.flags |= OHCI_TD_T1;
1126         td.flags ^= OHCI_TD_T0;
1127         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1128         OHCI_SET_BM(td.flags, TD_EC, 0);
1129 
1130         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1131             /* Partial packet transfer: TD not ready to retire yet */
1132             goto exit_no_retire;
1133         }
1134 
1135         /* Setting ED_C is part of the TD retirement process */
1136         ed->head &= ~OHCI_ED_C;
1137         if (td.flags & OHCI_TD_T0)
1138             ed->head |= OHCI_ED_C;
1139     } else {
1140         if (ret >= 0) {
1141             trace_usb_ohci_td_underrun();
1142             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1143         } else {
1144             switch (ret) {
1145             case USB_RET_IOERROR:
1146             case USB_RET_NODEV:
1147                 trace_usb_ohci_td_dev_error();
1148                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1149                 break;
1150             case USB_RET_NAK:
1151                 trace_usb_ohci_td_nak();
1152                 return 1;
1153             case USB_RET_STALL:
1154                 trace_usb_ohci_td_stall();
1155                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1156                 break;
1157             case USB_RET_BABBLE:
1158                 trace_usb_ohci_td_babble();
1159                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1160                 break;
1161             default:
1162                 trace_usb_ohci_td_bad_device_response(ret);
1163                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1164                 OHCI_SET_BM(td.flags, TD_EC, 3);
1165                 break;
1166             }
1167             /* An error occured so we have to clear the interrupt counter. See
1168              * spec at 6.4.4 on page 104 */
1169             ohci->done_count = 0;
1170         }
1171         ed->head |= OHCI_ED_H;
1172     }
1173 
1174     /* Retire this TD */
1175     ed->head &= ~OHCI_DPTR_MASK;
1176     ed->head |= td.next & OHCI_DPTR_MASK;
1177     td.next = ohci->done;
1178     ohci->done = addr;
1179     i = OHCI_BM(td.flags, TD_DI);
1180     if (i < ohci->done_count)
1181         ohci->done_count = i;
1182 exit_no_retire:
1183     if (ohci_put_td(ohci, addr, &td)) {
1184         ohci_die(ohci);
1185         return 1;
1186     }
1187     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1188 }
1189 
1190 /* Service an endpoint list.  Returns nonzero if active TD were found.  */
1191 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
1192 {
1193     struct ohci_ed ed;
1194     uint32_t next_ed;
1195     uint32_t cur;
1196     int active;
1197     uint32_t link_cnt = 0;
1198     active = 0;
1199 
1200     if (head == 0)
1201         return 0;
1202 
1203     for (cur = head; cur; cur = next_ed) {
1204         if (ohci_read_ed(ohci, cur, &ed)) {
1205             trace_usb_ohci_ed_read_error(cur);
1206             ohci_die(ohci);
1207             return 0;
1208         }
1209 
1210         next_ed = ed.next & OHCI_DPTR_MASK;
1211 
1212         if (++link_cnt > ED_LINK_LIMIT) {
1213             ohci_die(ohci);
1214             return 0;
1215         }
1216 
1217         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1218             uint32_t addr;
1219             /* Cancel pending packets for ED that have been paused.  */
1220             addr = ed.head & OHCI_DPTR_MASK;
1221             if (ohci->async_td && addr == ohci->async_td) {
1222                 usb_cancel_packet(&ohci->usb_packet);
1223                 ohci->async_td = 0;
1224                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1225                                       ohci->usb_packet.ep);
1226             }
1227             continue;
1228         }
1229 
1230         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1231             trace_usb_ohci_ed_pkt(cur, (ed.head & OHCI_ED_H) != 0,
1232                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1233                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1234             trace_usb_ohci_ed_pkt_flags(
1235                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1236                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S)!= 0,
1237                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1238                     OHCI_BM(ed.flags, ED_MPS));
1239 
1240             active = 1;
1241 
1242             if ((ed.flags & OHCI_ED_F) == 0) {
1243                 if (ohci_service_td(ohci, &ed))
1244                     break;
1245             } else {
1246                 /* Handle isochronous endpoints */
1247                 if (ohci_service_iso_td(ohci, &ed, completion))
1248                     break;
1249             }
1250         }
1251 
1252         if (ohci_put_ed(ohci, cur, &ed)) {
1253             ohci_die(ohci);
1254             return 0;
1255         }
1256     }
1257 
1258     return active;
1259 }
1260 
1261 /* set a timer for EOF */
1262 static void ohci_eof_timer(OHCIState *ohci)
1263 {
1264     timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1265 }
1266 /* Set a timer for EOF and generate a SOF event */
1267 static void ohci_sof(OHCIState *ohci)
1268 {
1269     ohci->sof_time += usb_frame_time;
1270     ohci_eof_timer(ohci);
1271     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1272 }
1273 
1274 /* Process Control and Bulk lists.  */
1275 static void ohci_process_lists(OHCIState *ohci, int completion)
1276 {
1277     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1278         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1279             trace_usb_ohci_process_lists(ohci->ctrl_head, ohci->ctrl_cur);
1280         }
1281         if (!ohci_service_ed_list(ohci, ohci->ctrl_head, completion)) {
1282             ohci->ctrl_cur = 0;
1283             ohci->status &= ~OHCI_STATUS_CLF;
1284         }
1285     }
1286 
1287     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1288         if (!ohci_service_ed_list(ohci, ohci->bulk_head, completion)) {
1289             ohci->bulk_cur = 0;
1290             ohci->status &= ~OHCI_STATUS_BLF;
1291         }
1292     }
1293 }
1294 
1295 /* Do frame processing on frame boundary */
1296 static void ohci_frame_boundary(void *opaque)
1297 {
1298     OHCIState *ohci = opaque;
1299     struct ohci_hcca hcca;
1300 
1301     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1302         trace_usb_ohci_hcca_read_error(ohci->hcca);
1303         ohci_die(ohci);
1304         return;
1305     }
1306 
1307     /* Process all the lists at the end of the frame */
1308     if (ohci->ctl & OHCI_CTL_PLE) {
1309         int n;
1310 
1311         n = ohci->frame_number & 0x1f;
1312         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]), 0);
1313     }
1314 
1315     /* Cancel all pending packets if either of the lists has been disabled.  */
1316     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1317         if (ohci->async_td) {
1318             usb_cancel_packet(&ohci->usb_packet);
1319             ohci->async_td = 0;
1320         }
1321         ohci_stop_endpoints(ohci);
1322     }
1323     ohci->old_ctl = ohci->ctl;
1324     ohci_process_lists(ohci, 0);
1325 
1326     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1327     if (ohci->intr_status & OHCI_INTR_UE) {
1328         return;
1329     }
1330 
1331     /* Frame boundary, so do EOF stuf here */
1332     ohci->frt = ohci->fit;
1333 
1334     /* Increment frame number and take care of endianness. */
1335     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1336     hcca.frame = cpu_to_le16(ohci->frame_number);
1337 
1338     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1339         if (!ohci->done)
1340             abort();
1341         if (ohci->intr & ohci->intr_status)
1342             ohci->done |= 1;
1343         hcca.done = cpu_to_le32(ohci->done);
1344         ohci->done = 0;
1345         ohci->done_count = 7;
1346         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1347     }
1348 
1349     if (ohci->done_count != 7 && ohci->done_count != 0)
1350         ohci->done_count--;
1351 
1352     /* Do SOF stuff here */
1353     ohci_sof(ohci);
1354 
1355     /* Writeback HCCA */
1356     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1357         ohci_die(ohci);
1358     }
1359 }
1360 
1361 /* Start sending SOF tokens across the USB bus, lists are processed in
1362  * next frame
1363  */
1364 static int ohci_bus_start(OHCIState *ohci)
1365 {
1366     trace_usb_ohci_start(ohci->name);
1367 
1368     /* Delay the first SOF event by one frame time as
1369      * linux driver is not ready to receive it and
1370      * can meet some race conditions
1371      */
1372 
1373     ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1374     ohci_eof_timer(ohci);
1375 
1376     return 1;
1377 }
1378 
1379 /* Stop sending SOF tokens on the bus */
1380 static void ohci_bus_stop(OHCIState *ohci)
1381 {
1382     trace_usb_ohci_stop(ohci->name);
1383     timer_del(ohci->eof_timer);
1384 }
1385 
1386 /* Sets a flag in a port status register but only set it if the port is
1387  * connected, if not set ConnectStatusChange flag. If flag is enabled
1388  * return 1.
1389  */
1390 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1391 {
1392     int ret = 1;
1393 
1394     /* writing a 0 has no effect */
1395     if (val == 0)
1396         return 0;
1397 
1398     /* If CurrentConnectStatus is cleared we set
1399      * ConnectStatusChange
1400      */
1401     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1402         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1403         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1404             /* TODO: CSC is a wakeup event */
1405         }
1406         return 0;
1407     }
1408 
1409     if (ohci->rhport[i].ctrl & val)
1410         ret = 0;
1411 
1412     /* set the bit */
1413     ohci->rhport[i].ctrl |= val;
1414 
1415     return ret;
1416 }
1417 
1418 /* Set the frame interval - frame interval toggle is manipulated by the hcd only */
1419 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1420 {
1421     val &= OHCI_FMI_FI;
1422 
1423     if (val != ohci->fi) {
1424         trace_usb_ohci_set_frame_interval(ohci->name, ohci->fi, ohci->fi);
1425     }
1426 
1427     ohci->fi = val;
1428 }
1429 
1430 static void ohci_port_power(OHCIState *ohci, int i, int p)
1431 {
1432     if (p) {
1433         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1434     } else {
1435         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS|
1436                     OHCI_PORT_CCS|
1437                     OHCI_PORT_PSS|
1438                     OHCI_PORT_PRS);
1439     }
1440 }
1441 
1442 /* Set HcControlRegister */
1443 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1444 {
1445     uint32_t old_state;
1446     uint32_t new_state;
1447 
1448     old_state = ohci->ctl & OHCI_CTL_HCFS;
1449     ohci->ctl = val;
1450     new_state = ohci->ctl & OHCI_CTL_HCFS;
1451 
1452     /* no state change */
1453     if (old_state == new_state)
1454         return;
1455 
1456     trace_usb_ohci_set_ctl(ohci->name, new_state);
1457     switch (new_state) {
1458     case OHCI_USB_OPERATIONAL:
1459         ohci_bus_start(ohci);
1460         break;
1461     case OHCI_USB_SUSPEND:
1462         ohci_bus_stop(ohci);
1463         /* clear pending SF otherwise linux driver loops in ohci_irq() */
1464         ohci->intr_status &= ~OHCI_INTR_SF;
1465         ohci_intr_update(ohci);
1466         break;
1467     case OHCI_USB_RESUME:
1468         trace_usb_ohci_resume(ohci->name);
1469         break;
1470     case OHCI_USB_RESET:
1471         ohci_roothub_reset(ohci);
1472         break;
1473     }
1474 }
1475 
1476 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1477 {
1478     uint16_t fr;
1479     int64_t tks;
1480 
1481     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL)
1482         return (ohci->frt << 31);
1483 
1484     /* Being in USB operational state guarnatees sof_time was
1485      * set already.
1486      */
1487     tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1488     if (tks < 0) {
1489         tks = 0;
1490     }
1491 
1492     /* avoid muldiv if possible */
1493     if (tks >= usb_frame_time)
1494         return (ohci->frt << 31);
1495 
1496     tks = tks / usb_bit_time;
1497     fr = (uint16_t)(ohci->fi - tks);
1498 
1499     return (ohci->frt << 31) | fr;
1500 }
1501 
1502 
1503 /* Set root hub status */
1504 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1505 {
1506     uint32_t old_state;
1507 
1508     old_state = ohci->rhstatus;
1509 
1510     /* write 1 to clear OCIC */
1511     if (val & OHCI_RHS_OCIC)
1512         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1513 
1514     if (val & OHCI_RHS_LPS) {
1515         int i;
1516 
1517         for (i = 0; i < ohci->num_ports; i++)
1518             ohci_port_power(ohci, i, 0);
1519         trace_usb_ohci_hub_power_down();
1520     }
1521 
1522     if (val & OHCI_RHS_LPSC) {
1523         int i;
1524 
1525         for (i = 0; i < ohci->num_ports; i++)
1526             ohci_port_power(ohci, i, 1);
1527         trace_usb_ohci_hub_power_up();
1528     }
1529 
1530     if (val & OHCI_RHS_DRWE)
1531         ohci->rhstatus |= OHCI_RHS_DRWE;
1532 
1533     if (val & OHCI_RHS_CRWE)
1534         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1535 
1536     if (old_state != ohci->rhstatus)
1537         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1538 }
1539 
1540 /* Set root hub port status */
1541 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1542 {
1543     uint32_t old_state;
1544     OHCIPort *port;
1545 
1546     port = &ohci->rhport[portnum];
1547     old_state = port->ctrl;
1548 
1549     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1550     if (val & OHCI_PORT_WTC)
1551         port->ctrl &= ~(val & OHCI_PORT_WTC);
1552 
1553     if (val & OHCI_PORT_CCS)
1554         port->ctrl &= ~OHCI_PORT_PES;
1555 
1556     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1557 
1558     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1559         trace_usb_ohci_port_suspend(portnum);
1560     }
1561 
1562     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1563         trace_usb_ohci_port_reset(portnum);
1564         usb_device_reset(port->port.dev);
1565         port->ctrl &= ~OHCI_PORT_PRS;
1566         /* ??? Should this also set OHCI_PORT_PESC.  */
1567         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1568     }
1569 
1570     /* Invert order here to ensure in ambiguous case, device is
1571      * powered up...
1572      */
1573     if (val & OHCI_PORT_LSDA)
1574         ohci_port_power(ohci, portnum, 0);
1575     if (val & OHCI_PORT_PPS)
1576         ohci_port_power(ohci, portnum, 1);
1577 
1578     if (old_state != port->ctrl)
1579         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1580 }
1581 
1582 static uint64_t ohci_mem_read(void *opaque,
1583                               hwaddr addr,
1584                               unsigned size)
1585 {
1586     OHCIState *ohci = opaque;
1587     uint32_t retval;
1588 
1589     /* Only aligned reads are allowed on OHCI */
1590     if (addr & 3) {
1591         trace_usb_ohci_mem_read_unaligned(addr);
1592         return 0xffffffff;
1593     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1594         /* HcRhPortStatus */
1595         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1596     } else {
1597         switch (addr >> 2) {
1598         case 0: /* HcRevision */
1599             retval = 0x10;
1600             break;
1601 
1602         case 1: /* HcControl */
1603             retval = ohci->ctl;
1604             break;
1605 
1606         case 2: /* HcCommandStatus */
1607             retval = ohci->status;
1608             break;
1609 
1610         case 3: /* HcInterruptStatus */
1611             retval = ohci->intr_status;
1612             break;
1613 
1614         case 4: /* HcInterruptEnable */
1615         case 5: /* HcInterruptDisable */
1616             retval = ohci->intr;
1617             break;
1618 
1619         case 6: /* HcHCCA */
1620             retval = ohci->hcca;
1621             break;
1622 
1623         case 7: /* HcPeriodCurrentED */
1624             retval = ohci->per_cur;
1625             break;
1626 
1627         case 8: /* HcControlHeadED */
1628             retval = ohci->ctrl_head;
1629             break;
1630 
1631         case 9: /* HcControlCurrentED */
1632             retval = ohci->ctrl_cur;
1633             break;
1634 
1635         case 10: /* HcBulkHeadED */
1636             retval = ohci->bulk_head;
1637             break;
1638 
1639         case 11: /* HcBulkCurrentED */
1640             retval = ohci->bulk_cur;
1641             break;
1642 
1643         case 12: /* HcDoneHead */
1644             retval = ohci->done;
1645             break;
1646 
1647         case 13: /* HcFmInterretval */
1648             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1649             break;
1650 
1651         case 14: /* HcFmRemaining */
1652             retval = ohci_get_frame_remaining(ohci);
1653             break;
1654 
1655         case 15: /* HcFmNumber */
1656             retval = ohci->frame_number;
1657             break;
1658 
1659         case 16: /* HcPeriodicStart */
1660             retval = ohci->pstart;
1661             break;
1662 
1663         case 17: /* HcLSThreshold */
1664             retval = ohci->lst;
1665             break;
1666 
1667         case 18: /* HcRhDescriptorA */
1668             retval = ohci->rhdesc_a;
1669             break;
1670 
1671         case 19: /* HcRhDescriptorB */
1672             retval = ohci->rhdesc_b;
1673             break;
1674 
1675         case 20: /* HcRhStatus */
1676             retval = ohci->rhstatus;
1677             break;
1678 
1679         /* PXA27x specific registers */
1680         case 24: /* HcStatus */
1681             retval = ohci->hstatus & ohci->hmask;
1682             break;
1683 
1684         case 25: /* HcHReset */
1685             retval = ohci->hreset;
1686             break;
1687 
1688         case 26: /* HcHInterruptEnable */
1689             retval = ohci->hmask;
1690             break;
1691 
1692         case 27: /* HcHInterruptTest */
1693             retval = ohci->htest;
1694             break;
1695 
1696         default:
1697             trace_usb_ohci_mem_read_bad_offset(addr);
1698             retval = 0xffffffff;
1699         }
1700     }
1701 
1702     return retval;
1703 }
1704 
1705 static void ohci_mem_write(void *opaque,
1706                            hwaddr addr,
1707                            uint64_t val,
1708                            unsigned size)
1709 {
1710     OHCIState *ohci = opaque;
1711 
1712     /* Only aligned reads are allowed on OHCI */
1713     if (addr & 3) {
1714         trace_usb_ohci_mem_write_unaligned(addr);
1715         return;
1716     }
1717 
1718     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1719         /* HcRhPortStatus */
1720         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1721         return;
1722     }
1723 
1724     switch (addr >> 2) {
1725     case 1: /* HcControl */
1726         ohci_set_ctl(ohci, val);
1727         break;
1728 
1729     case 2: /* HcCommandStatus */
1730         /* SOC is read-only */
1731         val = (val & ~OHCI_STATUS_SOC);
1732 
1733         /* Bits written as '0' remain unchanged in the register */
1734         ohci->status |= val;
1735 
1736         if (ohci->status & OHCI_STATUS_HCR)
1737             ohci_soft_reset(ohci);
1738         break;
1739 
1740     case 3: /* HcInterruptStatus */
1741         ohci->intr_status &= ~val;
1742         ohci_intr_update(ohci);
1743         break;
1744 
1745     case 4: /* HcInterruptEnable */
1746         ohci->intr |= val;
1747         ohci_intr_update(ohci);
1748         break;
1749 
1750     case 5: /* HcInterruptDisable */
1751         ohci->intr &= ~val;
1752         ohci_intr_update(ohci);
1753         break;
1754 
1755     case 6: /* HcHCCA */
1756         ohci->hcca = val & OHCI_HCCA_MASK;
1757         break;
1758 
1759     case 7: /* HcPeriodCurrentED */
1760         /* Ignore writes to this read-only register, Linux does them */
1761         break;
1762 
1763     case 8: /* HcControlHeadED */
1764         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1765         break;
1766 
1767     case 9: /* HcControlCurrentED */
1768         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1769         break;
1770 
1771     case 10: /* HcBulkHeadED */
1772         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1773         break;
1774 
1775     case 11: /* HcBulkCurrentED */
1776         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1777         break;
1778 
1779     case 13: /* HcFmInterval */
1780         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1781         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1782         ohci_set_frame_interval(ohci, val);
1783         break;
1784 
1785     case 15: /* HcFmNumber */
1786         break;
1787 
1788     case 16: /* HcPeriodicStart */
1789         ohci->pstart = val & 0xffff;
1790         break;
1791 
1792     case 17: /* HcLSThreshold */
1793         ohci->lst = val & 0xffff;
1794         break;
1795 
1796     case 18: /* HcRhDescriptorA */
1797         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1798         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1799         break;
1800 
1801     case 19: /* HcRhDescriptorB */
1802         break;
1803 
1804     case 20: /* HcRhStatus */
1805         ohci_set_hub_status(ohci, val);
1806         break;
1807 
1808     /* PXA27x specific registers */
1809     case 24: /* HcStatus */
1810         ohci->hstatus &= ~(val & ohci->hmask);
1811         break;
1812 
1813     case 25: /* HcHReset */
1814         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1815         if (val & OHCI_HRESET_FSBIR)
1816             ohci_hard_reset(ohci);
1817         break;
1818 
1819     case 26: /* HcHInterruptEnable */
1820         ohci->hmask = val;
1821         break;
1822 
1823     case 27: /* HcHInterruptTest */
1824         ohci->htest = val;
1825         break;
1826 
1827     default:
1828         trace_usb_ohci_mem_write_bad_offset(addr);
1829         break;
1830     }
1831 }
1832 
1833 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
1834 {
1835     if (ohci->async_td &&
1836         usb_packet_is_inflight(&ohci->usb_packet) &&
1837         ohci->usb_packet.ep->dev == dev) {
1838         usb_cancel_packet(&ohci->usb_packet);
1839         ohci->async_td = 0;
1840     }
1841 }
1842 
1843 static const MemoryRegionOps ohci_mem_ops = {
1844     .read = ohci_mem_read,
1845     .write = ohci_mem_write,
1846     .endianness = DEVICE_LITTLE_ENDIAN,
1847 };
1848 
1849 static USBPortOps ohci_port_ops = {
1850     .attach = ohci_attach,
1851     .detach = ohci_detach,
1852     .child_detach = ohci_child_detach,
1853     .wakeup = ohci_wakeup,
1854     .complete = ohci_async_complete_packet,
1855 };
1856 
1857 static USBBusOps ohci_bus_ops = {
1858 };
1859 
1860 static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
1861                           uint32_t num_ports, dma_addr_t localmem_base,
1862                           char *masterbus, uint32_t firstport,
1863                           AddressSpace *as, Error **errp)
1864 {
1865     Error *err = NULL;
1866     int i;
1867 
1868     ohci->as = as;
1869 
1870     if (num_ports > OHCI_MAX_PORTS) {
1871         error_setg(errp, "OHCI num-ports=%u is too big (limit is %u ports)",
1872                    num_ports, OHCI_MAX_PORTS);
1873         return;
1874     }
1875 
1876     if (usb_frame_time == 0) {
1877 #ifdef OHCI_TIME_WARP
1878         usb_frame_time = NANOSECONDS_PER_SECOND;
1879         usb_bit_time = NANOSECONDS_PER_SECOND / (USB_HZ / 1000);
1880 #else
1881         usb_frame_time = NANOSECONDS_PER_SECOND / 1000;
1882         if (NANOSECONDS_PER_SECOND >= USB_HZ) {
1883             usb_bit_time = NANOSECONDS_PER_SECOND / USB_HZ;
1884         } else {
1885             usb_bit_time = 1;
1886         }
1887 #endif
1888         trace_usb_ohci_init_time(usb_frame_time, usb_bit_time);
1889     }
1890 
1891     ohci->num_ports = num_ports;
1892     if (masterbus) {
1893         USBPort *ports[OHCI_MAX_PORTS];
1894         for(i = 0; i < num_ports; i++) {
1895             ports[i] = &ohci->rhport[i].port;
1896         }
1897         usb_register_companion(masterbus, ports, num_ports,
1898                                firstport, ohci, &ohci_port_ops,
1899                                USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL,
1900                                &err);
1901         if (err) {
1902             error_propagate(errp, err);
1903             return;
1904         }
1905     } else {
1906         usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1907         for (i = 0; i < num_ports; i++) {
1908             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1909                               ohci, i, &ohci_port_ops,
1910                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1911         }
1912     }
1913 
1914     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1915                           ohci, "ohci", 256);
1916     ohci->localmem_base = localmem_base;
1917 
1918     ohci->name = object_get_typename(OBJECT(dev));
1919     usb_packet_init(&ohci->usb_packet);
1920 
1921     ohci->async_td = 0;
1922 
1923     ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1924                                    ohci_frame_boundary, ohci);
1925 }
1926 
1927 #define TYPE_PCI_OHCI "pci-ohci"
1928 #define PCI_OHCI(obj) OBJECT_CHECK(OHCIPCIState, (obj), TYPE_PCI_OHCI)
1929 
1930 typedef struct {
1931     /*< private >*/
1932     PCIDevice parent_obj;
1933     /*< public >*/
1934 
1935     OHCIState state;
1936     char *masterbus;
1937     uint32_t num_ports;
1938     uint32_t firstport;
1939 } OHCIPCIState;
1940 
1941 /** A typical O/EHCI will stop operating, set itself into error state
1942  * (which can be queried by MMIO) and will set PERR in its config
1943  * space to signal that it got an error
1944  */
1945 static void ohci_die(OHCIState *ohci)
1946 {
1947     OHCIPCIState *dev = container_of(ohci, OHCIPCIState, state);
1948 
1949     trace_usb_ohci_die();
1950 
1951     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1952     ohci_bus_stop(ohci);
1953     pci_set_word(dev->parent_obj.config + PCI_STATUS,
1954                  PCI_STATUS_DETECTED_PARITY);
1955 }
1956 
1957 static void usb_ohci_realize_pci(PCIDevice *dev, Error **errp)
1958 {
1959     Error *err = NULL;
1960     OHCIPCIState *ohci = PCI_OHCI(dev);
1961 
1962     dev->config[PCI_CLASS_PROG] = 0x10; /* OHCI */
1963     dev->config[PCI_INTERRUPT_PIN] = 0x01; /* interrupt pin A */
1964 
1965     usb_ohci_init(&ohci->state, DEVICE(dev), ohci->num_ports, 0,
1966                   ohci->masterbus, ohci->firstport,
1967                   pci_get_address_space(dev), &err);
1968     if (err) {
1969         error_propagate(errp, err);
1970         return;
1971     }
1972 
1973     ohci->state.irq = pci_allocate_irq(dev);
1974     pci_register_bar(dev, 0, 0, &ohci->state.mem);
1975 }
1976 
1977 static void usb_ohci_exit(PCIDevice *dev)
1978 {
1979     OHCIPCIState *ohci = PCI_OHCI(dev);
1980     OHCIState *s = &ohci->state;
1981 
1982     trace_usb_ohci_exit(s->name);
1983     ohci_bus_stop(s);
1984 
1985     if (s->async_td) {
1986         usb_cancel_packet(&s->usb_packet);
1987         s->async_td = 0;
1988     }
1989     ohci_stop_endpoints(s);
1990 
1991     if (!ohci->masterbus) {
1992         usb_bus_release(&s->bus);
1993     }
1994 
1995     timer_del(s->eof_timer);
1996     timer_free(s->eof_timer);
1997 }
1998 
1999 static void usb_ohci_reset_pci(DeviceState *d)
2000 {
2001     PCIDevice *dev = PCI_DEVICE(d);
2002     OHCIPCIState *ohci = PCI_OHCI(dev);
2003     OHCIState *s = &ohci->state;
2004 
2005     ohci_hard_reset(s);
2006 }
2007 
2008 #define TYPE_SYSBUS_OHCI "sysbus-ohci"
2009 #define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
2010 
2011 typedef struct {
2012     /*< private >*/
2013     SysBusDevice parent_obj;
2014     /*< public >*/
2015 
2016     OHCIState ohci;
2017     char *masterbus;
2018     uint32_t num_ports;
2019     uint32_t firstport;
2020     dma_addr_t dma_offset;
2021 } OHCISysBusState;
2022 
2023 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
2024 {
2025     OHCISysBusState *s = SYSBUS_OHCI(dev);
2026     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
2027     Error *err = NULL;
2028 
2029     usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset,
2030                   s->masterbus, s->firstport,
2031                   &address_space_memory, &err);
2032     if (err) {
2033         error_propagate(errp, err);
2034         return;
2035     }
2036     sysbus_init_irq(sbd, &s->ohci.irq);
2037     sysbus_init_mmio(sbd, &s->ohci.mem);
2038 }
2039 
2040 static void usb_ohci_reset_sysbus(DeviceState *dev)
2041 {
2042     OHCISysBusState *s = SYSBUS_OHCI(dev);
2043     OHCIState *ohci = &s->ohci;
2044 
2045     ohci_hard_reset(ohci);
2046 }
2047 
2048 static Property ohci_pci_properties[] = {
2049     DEFINE_PROP_STRING("masterbus", OHCIPCIState, masterbus),
2050     DEFINE_PROP_UINT32("num-ports", OHCIPCIState, num_ports, 3),
2051     DEFINE_PROP_UINT32("firstport", OHCIPCIState, firstport, 0),
2052     DEFINE_PROP_END_OF_LIST(),
2053 };
2054 
2055 static const VMStateDescription vmstate_ohci_state_port = {
2056     .name = "ohci-core/port",
2057     .version_id = 1,
2058     .minimum_version_id = 1,
2059     .fields = (VMStateField[]) {
2060         VMSTATE_UINT32(ctrl, OHCIPort),
2061         VMSTATE_END_OF_LIST()
2062     },
2063 };
2064 
2065 static bool ohci_eof_timer_needed(void *opaque)
2066 {
2067     OHCIState *ohci = opaque;
2068 
2069     return timer_pending(ohci->eof_timer);
2070 }
2071 
2072 static const VMStateDescription vmstate_ohci_eof_timer = {
2073     .name = "ohci-core/eof-timer",
2074     .version_id = 1,
2075     .minimum_version_id = 1,
2076     .needed = ohci_eof_timer_needed,
2077     .fields = (VMStateField[]) {
2078         VMSTATE_TIMER_PTR(eof_timer, OHCIState),
2079         VMSTATE_END_OF_LIST()
2080     },
2081 };
2082 
2083 static const VMStateDescription vmstate_ohci_state = {
2084     .name = "ohci-core",
2085     .version_id = 1,
2086     .minimum_version_id = 1,
2087     .fields = (VMStateField[]) {
2088         VMSTATE_INT64(sof_time, OHCIState),
2089         VMSTATE_UINT32(ctl, OHCIState),
2090         VMSTATE_UINT32(status, OHCIState),
2091         VMSTATE_UINT32(intr_status, OHCIState),
2092         VMSTATE_UINT32(intr, OHCIState),
2093         VMSTATE_UINT32(hcca, OHCIState),
2094         VMSTATE_UINT32(ctrl_head, OHCIState),
2095         VMSTATE_UINT32(ctrl_cur, OHCIState),
2096         VMSTATE_UINT32(bulk_head, OHCIState),
2097         VMSTATE_UINT32(bulk_cur, OHCIState),
2098         VMSTATE_UINT32(per_cur, OHCIState),
2099         VMSTATE_UINT32(done, OHCIState),
2100         VMSTATE_INT32(done_count, OHCIState),
2101         VMSTATE_UINT16(fsmps, OHCIState),
2102         VMSTATE_UINT8(fit, OHCIState),
2103         VMSTATE_UINT16(fi, OHCIState),
2104         VMSTATE_UINT8(frt, OHCIState),
2105         VMSTATE_UINT16(frame_number, OHCIState),
2106         VMSTATE_UINT16(padding, OHCIState),
2107         VMSTATE_UINT32(pstart, OHCIState),
2108         VMSTATE_UINT32(lst, OHCIState),
2109         VMSTATE_UINT32(rhdesc_a, OHCIState),
2110         VMSTATE_UINT32(rhdesc_b, OHCIState),
2111         VMSTATE_UINT32(rhstatus, OHCIState),
2112         VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
2113                              vmstate_ohci_state_port, OHCIPort),
2114         VMSTATE_UINT32(hstatus, OHCIState),
2115         VMSTATE_UINT32(hmask, OHCIState),
2116         VMSTATE_UINT32(hreset, OHCIState),
2117         VMSTATE_UINT32(htest, OHCIState),
2118         VMSTATE_UINT32(old_ctl, OHCIState),
2119         VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
2120         VMSTATE_UINT32(async_td, OHCIState),
2121         VMSTATE_BOOL(async_complete, OHCIState),
2122         VMSTATE_END_OF_LIST()
2123     },
2124     .subsections = (const VMStateDescription*[]) {
2125         &vmstate_ohci_eof_timer,
2126         NULL
2127     }
2128 };
2129 
2130 static const VMStateDescription vmstate_ohci = {
2131     .name = "ohci",
2132     .version_id = 1,
2133     .minimum_version_id = 1,
2134     .fields = (VMStateField[]) {
2135         VMSTATE_PCI_DEVICE(parent_obj, OHCIPCIState),
2136         VMSTATE_STRUCT(state, OHCIPCIState, 1, vmstate_ohci_state, OHCIState),
2137         VMSTATE_END_OF_LIST()
2138     }
2139 };
2140 
2141 static void ohci_pci_class_init(ObjectClass *klass, void *data)
2142 {
2143     DeviceClass *dc = DEVICE_CLASS(klass);
2144     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2145 
2146     k->realize = usb_ohci_realize_pci;
2147     k->exit = usb_ohci_exit;
2148     k->vendor_id = PCI_VENDOR_ID_APPLE;
2149     k->device_id = PCI_DEVICE_ID_APPLE_IPID_USB;
2150     k->class_id = PCI_CLASS_SERIAL_USB;
2151     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2152     dc->desc = "Apple USB Controller";
2153     dc->props = ohci_pci_properties;
2154     dc->hotpluggable = false;
2155     dc->vmsd = &vmstate_ohci;
2156     dc->reset = usb_ohci_reset_pci;
2157 }
2158 
2159 static const TypeInfo ohci_pci_info = {
2160     .name          = TYPE_PCI_OHCI,
2161     .parent        = TYPE_PCI_DEVICE,
2162     .instance_size = sizeof(OHCIPCIState),
2163     .class_init    = ohci_pci_class_init,
2164     .interfaces = (InterfaceInfo[]) {
2165         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
2166         { },
2167     },
2168 };
2169 
2170 static Property ohci_sysbus_properties[] = {
2171     DEFINE_PROP_STRING("masterbus", OHCISysBusState, masterbus),
2172     DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
2173     DEFINE_PROP_UINT32("firstport", OHCISysBusState, firstport, 0),
2174     DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 0),
2175     DEFINE_PROP_END_OF_LIST(),
2176 };
2177 
2178 static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
2179 {
2180     DeviceClass *dc = DEVICE_CLASS(klass);
2181 
2182     dc->realize = ohci_realize_pxa;
2183     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2184     dc->desc = "OHCI USB Controller";
2185     dc->props = ohci_sysbus_properties;
2186     dc->reset = usb_ohci_reset_sysbus;
2187 }
2188 
2189 static const TypeInfo ohci_sysbus_info = {
2190     .name          = TYPE_SYSBUS_OHCI,
2191     .parent        = TYPE_SYS_BUS_DEVICE,
2192     .instance_size = sizeof(OHCISysBusState),
2193     .class_init    = ohci_sysbus_class_init,
2194 };
2195 
2196 static void ohci_register_types(void)
2197 {
2198     type_register_static(&ohci_pci_info);
2199     type_register_static(&ohci_sysbus_info);
2200 }
2201 
2202 type_init(ohci_register_types)
2203