xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision a1857ad1)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26 */
27 
28 #include "hw/hw.h"
29 #include "qemu/timer.h"
30 #include "hw/usb.h"
31 #include "hw/pci/pci.h"
32 #include "hw/sysbus.h"
33 #include "hw/qdev-dma.h"
34 
35 //#define DEBUG_OHCI
36 /* Dump packet contents.  */
37 //#define DEBUG_PACKET
38 //#define DEBUG_ISOCH
39 /* This causes frames to occur 1000x slower */
40 //#define OHCI_TIME_WARP 1
41 
42 #ifdef DEBUG_OHCI
43 #define DPRINTF printf
44 #else
45 #define DPRINTF(...)
46 #endif
47 
48 /* Number of Downstream Ports on the root hub.  */
49 
50 #define OHCI_MAX_PORTS 15
51 
52 static int64_t usb_frame_time;
53 static int64_t usb_bit_time;
54 
55 typedef struct OHCIPort {
56     USBPort port;
57     uint32_t ctrl;
58 } OHCIPort;
59 
60 typedef struct {
61     USBBus bus;
62     qemu_irq irq;
63     MemoryRegion mem;
64     AddressSpace *as;
65     int num_ports;
66     const char *name;
67 
68     QEMUTimer *eof_timer;
69     int64_t sof_time;
70 
71     /* OHCI state */
72     /* Control partition */
73     uint32_t ctl, status;
74     uint32_t intr_status;
75     uint32_t intr;
76 
77     /* memory pointer partition */
78     uint32_t hcca;
79     uint32_t ctrl_head, ctrl_cur;
80     uint32_t bulk_head, bulk_cur;
81     uint32_t per_cur;
82     uint32_t done;
83     int32_t done_count;
84 
85     /* Frame counter partition */
86     uint16_t fsmps;
87     uint8_t fit;
88     uint16_t fi;
89     uint8_t frt;
90     uint16_t frame_number;
91     uint16_t padding;
92     uint32_t pstart;
93     uint32_t lst;
94 
95     /* Root Hub partition */
96     uint32_t rhdesc_a, rhdesc_b;
97     uint32_t rhstatus;
98     OHCIPort rhport[OHCI_MAX_PORTS];
99 
100     /* PXA27x Non-OHCI events */
101     uint32_t hstatus;
102     uint32_t hmask;
103     uint32_t hreset;
104     uint32_t htest;
105 
106     /* SM501 local memory offset */
107     dma_addr_t localmem_base;
108 
109     /* Active packets.  */
110     uint32_t old_ctl;
111     USBPacket usb_packet;
112     uint8_t usb_buf[8192];
113     uint32_t async_td;
114     bool async_complete;
115 
116 } OHCIState;
117 
118 /* Host Controller Communications Area */
119 struct ohci_hcca {
120     uint32_t intr[32];
121     uint16_t frame, pad;
122     uint32_t done;
123 };
124 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
125 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
126 
127 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
128 #define ED_WBACK_SIZE   4
129 
130 static void ohci_bus_stop(OHCIState *ohci);
131 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
132 
133 /* Bitfields for the first word of an Endpoint Desciptor.  */
134 #define OHCI_ED_FA_SHIFT  0
135 #define OHCI_ED_FA_MASK   (0x7f<<OHCI_ED_FA_SHIFT)
136 #define OHCI_ED_EN_SHIFT  7
137 #define OHCI_ED_EN_MASK   (0xf<<OHCI_ED_EN_SHIFT)
138 #define OHCI_ED_D_SHIFT   11
139 #define OHCI_ED_D_MASK    (3<<OHCI_ED_D_SHIFT)
140 #define OHCI_ED_S         (1<<13)
141 #define OHCI_ED_K         (1<<14)
142 #define OHCI_ED_F         (1<<15)
143 #define OHCI_ED_MPS_SHIFT 16
144 #define OHCI_ED_MPS_MASK  (0x7ff<<OHCI_ED_MPS_SHIFT)
145 
146 /* Flags in the head field of an Endpoint Desciptor.  */
147 #define OHCI_ED_H         1
148 #define OHCI_ED_C         2
149 
150 /* Bitfields for the first word of a Transfer Desciptor.  */
151 #define OHCI_TD_R         (1<<18)
152 #define OHCI_TD_DP_SHIFT  19
153 #define OHCI_TD_DP_MASK   (3<<OHCI_TD_DP_SHIFT)
154 #define OHCI_TD_DI_SHIFT  21
155 #define OHCI_TD_DI_MASK   (7<<OHCI_TD_DI_SHIFT)
156 #define OHCI_TD_T0        (1<<24)
157 #define OHCI_TD_T1        (1<<25)
158 #define OHCI_TD_EC_SHIFT  26
159 #define OHCI_TD_EC_MASK   (3<<OHCI_TD_EC_SHIFT)
160 #define OHCI_TD_CC_SHIFT  28
161 #define OHCI_TD_CC_MASK   (0xf<<OHCI_TD_CC_SHIFT)
162 
163 /* Bitfields for the first word of an Isochronous Transfer Desciptor.  */
164 /* CC & DI - same as in the General Transfer Desciptor */
165 #define OHCI_TD_SF_SHIFT  0
166 #define OHCI_TD_SF_MASK   (0xffff<<OHCI_TD_SF_SHIFT)
167 #define OHCI_TD_FC_SHIFT  24
168 #define OHCI_TD_FC_MASK   (7<<OHCI_TD_FC_SHIFT)
169 
170 /* Isochronous Transfer Desciptor - Offset / PacketStatusWord */
171 #define OHCI_TD_PSW_CC_SHIFT 12
172 #define OHCI_TD_PSW_CC_MASK  (0xf<<OHCI_TD_PSW_CC_SHIFT)
173 #define OHCI_TD_PSW_SIZE_SHIFT 0
174 #define OHCI_TD_PSW_SIZE_MASK  (0xfff<<OHCI_TD_PSW_SIZE_SHIFT)
175 
176 #define OHCI_PAGE_MASK    0xfffff000
177 #define OHCI_OFFSET_MASK  0xfff
178 
179 #define OHCI_DPTR_MASK    0xfffffff0
180 
181 #define OHCI_BM(val, field) \
182   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
183 
184 #define OHCI_SET_BM(val, field, newval) do { \
185     val &= ~OHCI_##field##_MASK; \
186     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
187     } while(0)
188 
189 /* endpoint descriptor */
190 struct ohci_ed {
191     uint32_t flags;
192     uint32_t tail;
193     uint32_t head;
194     uint32_t next;
195 };
196 
197 /* General transfer descriptor */
198 struct ohci_td {
199     uint32_t flags;
200     uint32_t cbp;
201     uint32_t next;
202     uint32_t be;
203 };
204 
205 /* Isochronous transfer descriptor */
206 struct ohci_iso_td {
207     uint32_t flags;
208     uint32_t bp;
209     uint32_t next;
210     uint32_t be;
211     uint16_t offset[8];
212 };
213 
214 #define USB_HZ                      12000000
215 
216 /* OHCI Local stuff */
217 #define OHCI_CTL_CBSR         ((1<<0)|(1<<1))
218 #define OHCI_CTL_PLE          (1<<2)
219 #define OHCI_CTL_IE           (1<<3)
220 #define OHCI_CTL_CLE          (1<<4)
221 #define OHCI_CTL_BLE          (1<<5)
222 #define OHCI_CTL_HCFS         ((1<<6)|(1<<7))
223 #define  OHCI_USB_RESET       0x00
224 #define  OHCI_USB_RESUME      0x40
225 #define  OHCI_USB_OPERATIONAL 0x80
226 #define  OHCI_USB_SUSPEND     0xc0
227 #define OHCI_CTL_IR           (1<<8)
228 #define OHCI_CTL_RWC          (1<<9)
229 #define OHCI_CTL_RWE          (1<<10)
230 
231 #define OHCI_STATUS_HCR       (1<<0)
232 #define OHCI_STATUS_CLF       (1<<1)
233 #define OHCI_STATUS_BLF       (1<<2)
234 #define OHCI_STATUS_OCR       (1<<3)
235 #define OHCI_STATUS_SOC       ((1<<6)|(1<<7))
236 
237 #define OHCI_INTR_SO          (1U<<0) /* Scheduling overrun */
238 #define OHCI_INTR_WD          (1U<<1) /* HcDoneHead writeback */
239 #define OHCI_INTR_SF          (1U<<2) /* Start of frame */
240 #define OHCI_INTR_RD          (1U<<3) /* Resume detect */
241 #define OHCI_INTR_UE          (1U<<4) /* Unrecoverable error */
242 #define OHCI_INTR_FNO         (1U<<5) /* Frame number overflow */
243 #define OHCI_INTR_RHSC        (1U<<6) /* Root hub status change */
244 #define OHCI_INTR_OC          (1U<<30) /* Ownership change */
245 #define OHCI_INTR_MIE         (1U<<31) /* Master Interrupt Enable */
246 
247 #define OHCI_HCCA_SIZE        0x100
248 #define OHCI_HCCA_MASK        0xffffff00
249 
250 #define OHCI_EDPTR_MASK       0xfffffff0
251 
252 #define OHCI_FMI_FI           0x00003fff
253 #define OHCI_FMI_FSMPS        0xffff0000
254 #define OHCI_FMI_FIT          0x80000000
255 
256 #define OHCI_FR_RT            (1U<<31)
257 
258 #define OHCI_LS_THRESH        0x628
259 
260 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
261 #define OHCI_RHA_PSM          (1<<8)
262 #define OHCI_RHA_NPS          (1<<9)
263 #define OHCI_RHA_DT           (1<<10)
264 #define OHCI_RHA_OCPM         (1<<11)
265 #define OHCI_RHA_NOCP         (1<<12)
266 #define OHCI_RHA_POTPGT_MASK  0xff000000
267 
268 #define OHCI_RHS_LPS          (1U<<0)
269 #define OHCI_RHS_OCI          (1U<<1)
270 #define OHCI_RHS_DRWE         (1U<<15)
271 #define OHCI_RHS_LPSC         (1U<<16)
272 #define OHCI_RHS_OCIC         (1U<<17)
273 #define OHCI_RHS_CRWE         (1U<<31)
274 
275 #define OHCI_PORT_CCS         (1<<0)
276 #define OHCI_PORT_PES         (1<<1)
277 #define OHCI_PORT_PSS         (1<<2)
278 #define OHCI_PORT_POCI        (1<<3)
279 #define OHCI_PORT_PRS         (1<<4)
280 #define OHCI_PORT_PPS         (1<<8)
281 #define OHCI_PORT_LSDA        (1<<9)
282 #define OHCI_PORT_CSC         (1<<16)
283 #define OHCI_PORT_PESC        (1<<17)
284 #define OHCI_PORT_PSSC        (1<<18)
285 #define OHCI_PORT_OCIC        (1<<19)
286 #define OHCI_PORT_PRSC        (1<<20)
287 #define OHCI_PORT_WTC         (OHCI_PORT_CSC|OHCI_PORT_PESC|OHCI_PORT_PSSC \
288                                |OHCI_PORT_OCIC|OHCI_PORT_PRSC)
289 
290 #define OHCI_TD_DIR_SETUP     0x0
291 #define OHCI_TD_DIR_OUT       0x1
292 #define OHCI_TD_DIR_IN        0x2
293 #define OHCI_TD_DIR_RESERVED  0x3
294 
295 #define OHCI_CC_NOERROR             0x0
296 #define OHCI_CC_CRC                 0x1
297 #define OHCI_CC_BITSTUFFING         0x2
298 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
299 #define OHCI_CC_STALL               0x4
300 #define OHCI_CC_DEVICENOTRESPONDING 0x5
301 #define OHCI_CC_PIDCHECKFAILURE     0x6
302 #define OHCI_CC_UNDEXPETEDPID       0x7
303 #define OHCI_CC_DATAOVERRUN         0x8
304 #define OHCI_CC_DATAUNDERRUN        0x9
305 #define OHCI_CC_BUFFEROVERRUN       0xc
306 #define OHCI_CC_BUFFERUNDERRUN      0xd
307 
308 #define OHCI_HRESET_FSBIR       (1 << 0)
309 
310 static void ohci_die(OHCIState *ohci);
311 
312 /* Update IRQ levels */
313 static inline void ohci_intr_update(OHCIState *ohci)
314 {
315     int level = 0;
316 
317     if ((ohci->intr & OHCI_INTR_MIE) &&
318         (ohci->intr_status & ohci->intr))
319         level = 1;
320 
321     qemu_set_irq(ohci->irq, level);
322 }
323 
324 /* Set an interrupt */
325 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
326 {
327     ohci->intr_status |= intr;
328     ohci_intr_update(ohci);
329 }
330 
331 /* Attach or detach a device on a root hub port.  */
332 static void ohci_attach(USBPort *port1)
333 {
334     OHCIState *s = port1->opaque;
335     OHCIPort *port = &s->rhport[port1->index];
336     uint32_t old_state = port->ctrl;
337 
338     /* set connect status */
339     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
340 
341     /* update speed */
342     if (port->port.dev->speed == USB_SPEED_LOW) {
343         port->ctrl |= OHCI_PORT_LSDA;
344     } else {
345         port->ctrl &= ~OHCI_PORT_LSDA;
346     }
347 
348     /* notify of remote-wakeup */
349     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
350         ohci_set_interrupt(s, OHCI_INTR_RD);
351     }
352 
353     DPRINTF("usb-ohci: Attached port %d\n", port1->index);
354 
355     if (old_state != port->ctrl) {
356         ohci_set_interrupt(s, OHCI_INTR_RHSC);
357     }
358 }
359 
360 static void ohci_detach(USBPort *port1)
361 {
362     OHCIState *s = port1->opaque;
363     OHCIPort *port = &s->rhport[port1->index];
364     uint32_t old_state = port->ctrl;
365 
366     ohci_async_cancel_device(s, port1->dev);
367 
368     /* set connect status */
369     if (port->ctrl & OHCI_PORT_CCS) {
370         port->ctrl &= ~OHCI_PORT_CCS;
371         port->ctrl |= OHCI_PORT_CSC;
372     }
373     /* disable port */
374     if (port->ctrl & OHCI_PORT_PES) {
375         port->ctrl &= ~OHCI_PORT_PES;
376         port->ctrl |= OHCI_PORT_PESC;
377     }
378     DPRINTF("usb-ohci: Detached port %d\n", port1->index);
379 
380     if (old_state != port->ctrl) {
381         ohci_set_interrupt(s, OHCI_INTR_RHSC);
382     }
383 }
384 
385 static void ohci_wakeup(USBPort *port1)
386 {
387     OHCIState *s = port1->opaque;
388     OHCIPort *port = &s->rhport[port1->index];
389     uint32_t intr = 0;
390     if (port->ctrl & OHCI_PORT_PSS) {
391         DPRINTF("usb-ohci: port %d: wakeup\n", port1->index);
392         port->ctrl |= OHCI_PORT_PSSC;
393         port->ctrl &= ~OHCI_PORT_PSS;
394         intr = OHCI_INTR_RHSC;
395     }
396     /* Note that the controller can be suspended even if this port is not */
397     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
398         DPRINTF("usb-ohci: remote-wakeup: SUSPEND->RESUME\n");
399         /* This is the one state transition the controller can do by itself */
400         s->ctl &= ~OHCI_CTL_HCFS;
401         s->ctl |= OHCI_USB_RESUME;
402         /* In suspend mode only ResumeDetected is possible, not RHSC:
403          * see the OHCI spec 5.1.2.3.
404          */
405         intr = OHCI_INTR_RD;
406     }
407     ohci_set_interrupt(s, intr);
408 }
409 
410 static void ohci_child_detach(USBPort *port1, USBDevice *child)
411 {
412     OHCIState *s = port1->opaque;
413 
414     ohci_async_cancel_device(s, child);
415 }
416 
417 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
418 {
419     USBDevice *dev;
420     int i;
421 
422     for (i = 0; i < ohci->num_ports; i++) {
423         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
424             continue;
425         }
426         dev = usb_find_device(&ohci->rhport[i].port, addr);
427         if (dev != NULL) {
428             return dev;
429         }
430     }
431     return NULL;
432 }
433 
434 static void ohci_stop_endpoints(OHCIState *ohci)
435 {
436     USBDevice *dev;
437     int i, j;
438 
439     for (i = 0; i < ohci->num_ports; i++) {
440         dev = ohci->rhport[i].port.dev;
441         if (dev && dev->attached) {
442             usb_device_ep_stopped(dev, &dev->ep_ctl);
443             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
444                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
445                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
446             }
447         }
448     }
449 }
450 
451 /* Reset the controller */
452 static void ohci_reset(void *opaque)
453 {
454     OHCIState *ohci = opaque;
455     OHCIPort *port;
456     int i;
457 
458     ohci_bus_stop(ohci);
459     ohci->ctl = 0;
460     ohci->old_ctl = 0;
461     ohci->status = 0;
462     ohci->intr_status = 0;
463     ohci->intr = OHCI_INTR_MIE;
464 
465     ohci->hcca = 0;
466     ohci->ctrl_head = ohci->ctrl_cur = 0;
467     ohci->bulk_head = ohci->bulk_cur = 0;
468     ohci->per_cur = 0;
469     ohci->done = 0;
470     ohci->done_count = 7;
471 
472     /* FSMPS is marked TBD in OCHI 1.0, what gives ffs?
473      * I took the value linux sets ...
474      */
475     ohci->fsmps = 0x2778;
476     ohci->fi = 0x2edf;
477     ohci->fit = 0;
478     ohci->frt = 0;
479     ohci->frame_number = 0;
480     ohci->pstart = 0;
481     ohci->lst = OHCI_LS_THRESH;
482 
483     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
484     ohci->rhdesc_b = 0x0; /* Impl. specific */
485     ohci->rhstatus = 0;
486 
487     for (i = 0; i < ohci->num_ports; i++)
488       {
489         port = &ohci->rhport[i];
490         port->ctrl = 0;
491         if (port->port.dev && port->port.dev->attached) {
492             usb_port_reset(&port->port);
493         }
494       }
495     if (ohci->async_td) {
496         usb_cancel_packet(&ohci->usb_packet);
497         ohci->async_td = 0;
498     }
499     ohci_stop_endpoints(ohci);
500     DPRINTF("usb-ohci: Reset %s\n", ohci->name);
501 }
502 
503 /* Get an array of dwords from main memory */
504 static inline int get_dwords(OHCIState *ohci,
505                              dma_addr_t addr, uint32_t *buf, int num)
506 {
507     int i;
508 
509     addr += ohci->localmem_base;
510 
511     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
512         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
513             return -1;
514         }
515         *buf = le32_to_cpu(*buf);
516     }
517 
518     return 0;
519 }
520 
521 /* Put an array of dwords in to main memory */
522 static inline int put_dwords(OHCIState *ohci,
523                              dma_addr_t addr, uint32_t *buf, int num)
524 {
525     int i;
526 
527     addr += ohci->localmem_base;
528 
529     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
530         uint32_t tmp = cpu_to_le32(*buf);
531         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
532             return -1;
533         }
534     }
535 
536     return 0;
537 }
538 
539 /* Get an array of words from main memory */
540 static inline int get_words(OHCIState *ohci,
541                             dma_addr_t addr, uint16_t *buf, int num)
542 {
543     int i;
544 
545     addr += ohci->localmem_base;
546 
547     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
548         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
549             return -1;
550         }
551         *buf = le16_to_cpu(*buf);
552     }
553 
554     return 0;
555 }
556 
557 /* Put an array of words in to main memory */
558 static inline int put_words(OHCIState *ohci,
559                             dma_addr_t addr, uint16_t *buf, int num)
560 {
561     int i;
562 
563     addr += ohci->localmem_base;
564 
565     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
566         uint16_t tmp = cpu_to_le16(*buf);
567         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
568             return -1;
569         }
570     }
571 
572     return 0;
573 }
574 
575 static inline int ohci_read_ed(OHCIState *ohci,
576                                dma_addr_t addr, struct ohci_ed *ed)
577 {
578     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
579 }
580 
581 static inline int ohci_read_td(OHCIState *ohci,
582                                dma_addr_t addr, struct ohci_td *td)
583 {
584     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
585 }
586 
587 static inline int ohci_read_iso_td(OHCIState *ohci,
588                                    dma_addr_t addr, struct ohci_iso_td *td)
589 {
590     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
591            get_words(ohci, addr + 16, td->offset, 8);
592 }
593 
594 static inline int ohci_read_hcca(OHCIState *ohci,
595                                  dma_addr_t addr, struct ohci_hcca *hcca)
596 {
597     return dma_memory_read(ohci->as, addr + ohci->localmem_base,
598                            hcca, sizeof(*hcca));
599 }
600 
601 static inline int ohci_put_ed(OHCIState *ohci,
602                               dma_addr_t addr, struct ohci_ed *ed)
603 {
604     /* ed->tail is under control of the HCD.
605      * Since just ed->head is changed by HC, just write back this
606      */
607 
608     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
609                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
610                       ED_WBACK_SIZE >> 2);
611 }
612 
613 static inline int ohci_put_td(OHCIState *ohci,
614                               dma_addr_t addr, struct ohci_td *td)
615 {
616     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
617 }
618 
619 static inline int ohci_put_iso_td(OHCIState *ohci,
620                                   dma_addr_t addr, struct ohci_iso_td *td)
621 {
622     return put_dwords(ohci, addr, (uint32_t *)td, 4 ||
623            put_words(ohci, addr + 16, td->offset, 8));
624 }
625 
626 static inline int ohci_put_hcca(OHCIState *ohci,
627                                 dma_addr_t addr, struct ohci_hcca *hcca)
628 {
629     return dma_memory_write(ohci->as,
630                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
631                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
632                             HCCA_WRITEBACK_SIZE);
633 }
634 
635 /* Read/Write the contents of a TD from/to main memory.  */
636 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
637                         uint8_t *buf, int len, DMADirection dir)
638 {
639     dma_addr_t ptr, n;
640 
641     ptr = td->cbp;
642     n = 0x1000 - (ptr & 0xfff);
643     if (n > len)
644         n = len;
645 
646     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
647         return -1;
648     }
649     if (n == len) {
650         return 0;
651     }
652     ptr = td->be & ~0xfffu;
653     buf += n;
654     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
655                       len - n, dir)) {
656         return -1;
657     }
658     return 0;
659 }
660 
661 /* Read/Write the contents of an ISO TD from/to main memory.  */
662 static int ohci_copy_iso_td(OHCIState *ohci,
663                             uint32_t start_addr, uint32_t end_addr,
664                             uint8_t *buf, int len, DMADirection dir)
665 {
666     dma_addr_t ptr, n;
667 
668     ptr = start_addr;
669     n = 0x1000 - (ptr & 0xfff);
670     if (n > len)
671         n = len;
672 
673     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
674         return -1;
675     }
676     if (n == len) {
677         return 0;
678     }
679     ptr = end_addr & ~0xfffu;
680     buf += n;
681     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
682                       len - n, dir)) {
683         return -1;
684     }
685     return 0;
686 }
687 
688 static void ohci_process_lists(OHCIState *ohci, int completion);
689 
690 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
691 {
692     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
693 #ifdef DEBUG_PACKET
694     DPRINTF("Async packet complete\n");
695 #endif
696     ohci->async_complete = true;
697     ohci_process_lists(ohci, 1);
698 }
699 
700 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
701 
702 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
703                                int completion)
704 {
705     int dir;
706     size_t len = 0;
707 #ifdef DEBUG_ISOCH
708     const char *str = NULL;
709 #endif
710     int pid;
711     int ret;
712     int i;
713     USBDevice *dev;
714     USBEndpoint *ep;
715     struct ohci_iso_td iso_td;
716     uint32_t addr;
717     uint16_t starting_frame;
718     int16_t relative_frame_number;
719     int frame_count;
720     uint32_t start_offset, next_offset, end_offset = 0;
721     uint32_t start_addr, end_addr;
722 
723     addr = ed->head & OHCI_DPTR_MASK;
724 
725     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
726         printf("usb-ohci: ISO_TD read error at %x\n", addr);
727         ohci_die(ohci);
728         return 0;
729     }
730 
731     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
732     frame_count = OHCI_BM(iso_td.flags, TD_FC);
733     relative_frame_number = USUB(ohci->frame_number, starting_frame);
734 
735 #ifdef DEBUG_ISOCH
736     printf("--- ISO_TD ED head 0x%.8x tailp 0x%.8x\n"
737            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
738            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
739            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
740            "frame_number 0x%.8x starting_frame 0x%.8x\n"
741            "frame_count  0x%.8x relative %d\n"
742            "di 0x%.8x cc 0x%.8x\n",
743            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
744            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
745            iso_td.offset[0], iso_td.offset[1], iso_td.offset[2], iso_td.offset[3],
746            iso_td.offset[4], iso_td.offset[5], iso_td.offset[6], iso_td.offset[7],
747            ohci->frame_number, starting_frame,
748            frame_count, relative_frame_number,
749            OHCI_BM(iso_td.flags, TD_DI), OHCI_BM(iso_td.flags, TD_CC));
750 #endif
751 
752     if (relative_frame_number < 0) {
753         DPRINTF("usb-ohci: ISO_TD R=%d < 0\n", relative_frame_number);
754         return 1;
755     } else if (relative_frame_number > frame_count) {
756         /* ISO TD expired - retire the TD to the Done Queue and continue with
757            the next ISO TD of the same ED */
758         DPRINTF("usb-ohci: ISO_TD R=%d > FC=%d\n", relative_frame_number,
759                frame_count);
760         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
761         ed->head &= ~OHCI_DPTR_MASK;
762         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
763         iso_td.next = ohci->done;
764         ohci->done = addr;
765         i = OHCI_BM(iso_td.flags, TD_DI);
766         if (i < ohci->done_count)
767             ohci->done_count = i;
768         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
769             ohci_die(ohci);
770             return 1;
771         }
772         return 0;
773     }
774 
775     dir = OHCI_BM(ed->flags, ED_D);
776     switch (dir) {
777     case OHCI_TD_DIR_IN:
778 #ifdef DEBUG_ISOCH
779         str = "in";
780 #endif
781         pid = USB_TOKEN_IN;
782         break;
783     case OHCI_TD_DIR_OUT:
784 #ifdef DEBUG_ISOCH
785         str = "out";
786 #endif
787         pid = USB_TOKEN_OUT;
788         break;
789     case OHCI_TD_DIR_SETUP:
790 #ifdef DEBUG_ISOCH
791         str = "setup";
792 #endif
793         pid = USB_TOKEN_SETUP;
794         break;
795     default:
796         printf("usb-ohci: Bad direction %d\n", dir);
797         return 1;
798     }
799 
800     if (!iso_td.bp || !iso_td.be) {
801         printf("usb-ohci: ISO_TD bp 0x%.8x be 0x%.8x\n", iso_td.bp, iso_td.be);
802         return 1;
803     }
804 
805     start_offset = iso_td.offset[relative_frame_number];
806     next_offset = iso_td.offset[relative_frame_number + 1];
807 
808     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
809         ((relative_frame_number < frame_count) &&
810          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
811         printf("usb-ohci: ISO_TD cc != not accessed 0x%.8x 0x%.8x\n",
812                start_offset, next_offset);
813         return 1;
814     }
815 
816     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
817         printf("usb-ohci: ISO_TD start_offset=0x%.8x > next_offset=0x%.8x\n",
818                 start_offset, next_offset);
819         return 1;
820     }
821 
822     if ((start_offset & 0x1000) == 0) {
823         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
824             (start_offset & OHCI_OFFSET_MASK);
825     } else {
826         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
827             (start_offset & OHCI_OFFSET_MASK);
828     }
829 
830     if (relative_frame_number < frame_count) {
831         end_offset = next_offset - 1;
832         if ((end_offset & 0x1000) == 0) {
833             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
834                 (end_offset & OHCI_OFFSET_MASK);
835         } else {
836             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
837                 (end_offset & OHCI_OFFSET_MASK);
838         }
839     } else {
840         /* Last packet in the ISO TD */
841         end_addr = iso_td.be;
842     }
843 
844     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
845         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
846             - (start_addr & OHCI_OFFSET_MASK);
847     } else {
848         len = end_addr - start_addr + 1;
849     }
850 
851     if (len && dir != OHCI_TD_DIR_IN) {
852         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
853                              DMA_DIRECTION_TO_DEVICE)) {
854             ohci_die(ohci);
855             return 1;
856         }
857     }
858 
859     if (!completion) {
860         bool int_req = relative_frame_number == frame_count &&
861                        OHCI_BM(iso_td.flags, TD_DI) == 0;
862         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
863         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
864         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
865         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
866         usb_handle_packet(dev, &ohci->usb_packet);
867         if (ohci->usb_packet.status == USB_RET_ASYNC) {
868             usb_device_flush_ep_queue(dev, ep);
869             return 1;
870         }
871     }
872     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
873         ret = ohci->usb_packet.actual_length;
874     } else {
875         ret = ohci->usb_packet.status;
876     }
877 
878 #ifdef DEBUG_ISOCH
879     printf("so 0x%.8x eo 0x%.8x\nsa 0x%.8x ea 0x%.8x\ndir %s len %zu ret %d\n",
880            start_offset, end_offset, start_addr, end_addr, str, len, ret);
881 #endif
882 
883     /* Writeback */
884     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
885         /* IN transfer succeeded */
886         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, ret,
887                              DMA_DIRECTION_FROM_DEVICE)) {
888             ohci_die(ohci);
889             return 1;
890         }
891         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
892                     OHCI_CC_NOERROR);
893         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
894     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
895         /* OUT transfer succeeded */
896         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
897                     OHCI_CC_NOERROR);
898         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
899     } else {
900         if (ret > (ssize_t) len) {
901             printf("usb-ohci: DataOverrun %d > %zu\n", ret, len);
902             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
903                         OHCI_CC_DATAOVERRUN);
904             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
905                         len);
906         } else if (ret >= 0) {
907             printf("usb-ohci: DataUnderrun %d\n", ret);
908             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
909                         OHCI_CC_DATAUNDERRUN);
910         } else {
911             switch (ret) {
912             case USB_RET_IOERROR:
913             case USB_RET_NODEV:
914                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
915                             OHCI_CC_DEVICENOTRESPONDING);
916                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
917                             0);
918                 break;
919             case USB_RET_NAK:
920             case USB_RET_STALL:
921                 printf("usb-ohci: got NAK/STALL %d\n", ret);
922                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
923                             OHCI_CC_STALL);
924                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
925                             0);
926                 break;
927             default:
928                 printf("usb-ohci: Bad device response %d\n", ret);
929                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
930                             OHCI_CC_UNDEXPETEDPID);
931                 break;
932             }
933         }
934     }
935 
936     if (relative_frame_number == frame_count) {
937         /* Last data packet of ISO TD - retire the TD to the Done Queue */
938         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
939         ed->head &= ~OHCI_DPTR_MASK;
940         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
941         iso_td.next = ohci->done;
942         ohci->done = addr;
943         i = OHCI_BM(iso_td.flags, TD_DI);
944         if (i < ohci->done_count)
945             ohci->done_count = i;
946     }
947     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
948         ohci_die(ohci);
949     }
950     return 1;
951 }
952 
953 /* Service a transport descriptor.
954    Returns nonzero to terminate processing of this endpoint.  */
955 
956 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
957 {
958     int dir;
959     size_t len = 0, pktlen = 0;
960 #ifdef DEBUG_PACKET
961     const char *str = NULL;
962 #endif
963     int pid;
964     int ret;
965     int i;
966     USBDevice *dev;
967     USBEndpoint *ep;
968     struct ohci_td td;
969     uint32_t addr;
970     int flag_r;
971     int completion;
972 
973     addr = ed->head & OHCI_DPTR_MASK;
974     /* See if this TD has already been submitted to the device.  */
975     completion = (addr == ohci->async_td);
976     if (completion && !ohci->async_complete) {
977 #ifdef DEBUG_PACKET
978         DPRINTF("Skipping async TD\n");
979 #endif
980         return 1;
981     }
982     if (ohci_read_td(ohci, addr, &td)) {
983         fprintf(stderr, "usb-ohci: TD read error at %x\n", addr);
984         ohci_die(ohci);
985         return 0;
986     }
987 
988     dir = OHCI_BM(ed->flags, ED_D);
989     switch (dir) {
990     case OHCI_TD_DIR_OUT:
991     case OHCI_TD_DIR_IN:
992         /* Same value.  */
993         break;
994     default:
995         dir = OHCI_BM(td.flags, TD_DP);
996         break;
997     }
998 
999     switch (dir) {
1000     case OHCI_TD_DIR_IN:
1001 #ifdef DEBUG_PACKET
1002         str = "in";
1003 #endif
1004         pid = USB_TOKEN_IN;
1005         break;
1006     case OHCI_TD_DIR_OUT:
1007 #ifdef DEBUG_PACKET
1008         str = "out";
1009 #endif
1010         pid = USB_TOKEN_OUT;
1011         break;
1012     case OHCI_TD_DIR_SETUP:
1013 #ifdef DEBUG_PACKET
1014         str = "setup";
1015 #endif
1016         pid = USB_TOKEN_SETUP;
1017         break;
1018     default:
1019         fprintf(stderr, "usb-ohci: Bad direction\n");
1020         return 1;
1021     }
1022     if (td.cbp && td.be) {
1023         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
1024             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
1025         } else {
1026             len = (td.be - td.cbp) + 1;
1027         }
1028 
1029         pktlen = len;
1030         if (len && dir != OHCI_TD_DIR_IN) {
1031             /* The endpoint may not allow us to transfer it all now */
1032             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
1033             if (pktlen > len) {
1034                 pktlen = len;
1035             }
1036             if (!completion) {
1037                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
1038                                  DMA_DIRECTION_TO_DEVICE)) {
1039                     ohci_die(ohci);
1040                 }
1041             }
1042         }
1043     }
1044 
1045     flag_r = (td.flags & OHCI_TD_R) != 0;
1046 #ifdef DEBUG_PACKET
1047     DPRINTF(" TD @ 0x%.8x %" PRId64 " of %" PRId64
1048             " bytes %s r=%d cbp=0x%.8x be=0x%.8x\n",
1049             addr, (int64_t)pktlen, (int64_t)len, str, flag_r, td.cbp, td.be);
1050 
1051     if (pktlen > 0 && dir != OHCI_TD_DIR_IN) {
1052         DPRINTF("  data:");
1053         for (i = 0; i < pktlen; i++) {
1054             printf(" %.2x", ohci->usb_buf[i]);
1055         }
1056         DPRINTF("\n");
1057     }
1058 #endif
1059     if (completion) {
1060         ohci->async_td = 0;
1061         ohci->async_complete = false;
1062     } else {
1063         if (ohci->async_td) {
1064             /* ??? The hardware should allow one active packet per
1065                endpoint.  We only allow one active packet per controller.
1066                This should be sufficient as long as devices respond in a
1067                timely manner.
1068             */
1069 #ifdef DEBUG_PACKET
1070             DPRINTF("Too many pending packets\n");
1071 #endif
1072             return 1;
1073         }
1074         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
1075         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
1076         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
1077                          OHCI_BM(td.flags, TD_DI) == 0);
1078         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
1079         usb_handle_packet(dev, &ohci->usb_packet);
1080 #ifdef DEBUG_PACKET
1081         DPRINTF("status=%d\n", ohci->usb_packet.status);
1082 #endif
1083         if (ohci->usb_packet.status == USB_RET_ASYNC) {
1084             usb_device_flush_ep_queue(dev, ep);
1085             ohci->async_td = addr;
1086             return 1;
1087         }
1088     }
1089     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1090         ret = ohci->usb_packet.actual_length;
1091     } else {
1092         ret = ohci->usb_packet.status;
1093     }
1094 
1095     if (ret >= 0) {
1096         if (dir == OHCI_TD_DIR_IN) {
1097             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1098                              DMA_DIRECTION_FROM_DEVICE)) {
1099                 ohci_die(ohci);
1100             }
1101 #ifdef DEBUG_PACKET
1102             DPRINTF("  data:");
1103             for (i = 0; i < ret; i++)
1104                 printf(" %.2x", ohci->usb_buf[i]);
1105             DPRINTF("\n");
1106 #endif
1107         } else {
1108             ret = pktlen;
1109         }
1110     }
1111 
1112     /* Writeback */
1113     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1114         /* Transmission succeeded.  */
1115         if (ret == len) {
1116             td.cbp = 0;
1117         } else {
1118             if ((td.cbp & 0xfff) + ret > 0xfff) {
1119                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1120             } else {
1121                 td.cbp += ret;
1122             }
1123         }
1124         td.flags |= OHCI_TD_T1;
1125         td.flags ^= OHCI_TD_T0;
1126         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1127         OHCI_SET_BM(td.flags, TD_EC, 0);
1128 
1129         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1130             /* Partial packet transfer: TD not ready to retire yet */
1131             goto exit_no_retire;
1132         }
1133 
1134         /* Setting ED_C is part of the TD retirement process */
1135         ed->head &= ~OHCI_ED_C;
1136         if (td.flags & OHCI_TD_T0)
1137             ed->head |= OHCI_ED_C;
1138     } else {
1139         if (ret >= 0) {
1140             DPRINTF("usb-ohci: Underrun\n");
1141             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1142         } else {
1143             switch (ret) {
1144             case USB_RET_IOERROR:
1145             case USB_RET_NODEV:
1146                 DPRINTF("usb-ohci: got DEV ERROR\n");
1147                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1148                 break;
1149             case USB_RET_NAK:
1150                 DPRINTF("usb-ohci: got NAK\n");
1151                 return 1;
1152             case USB_RET_STALL:
1153                 DPRINTF("usb-ohci: got STALL\n");
1154                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1155                 break;
1156             case USB_RET_BABBLE:
1157                 DPRINTF("usb-ohci: got BABBLE\n");
1158                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1159                 break;
1160             default:
1161                 fprintf(stderr, "usb-ohci: Bad device response %d\n", ret);
1162                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1163                 OHCI_SET_BM(td.flags, TD_EC, 3);
1164                 break;
1165             }
1166         }
1167         ed->head |= OHCI_ED_H;
1168     }
1169 
1170     /* Retire this TD */
1171     ed->head &= ~OHCI_DPTR_MASK;
1172     ed->head |= td.next & OHCI_DPTR_MASK;
1173     td.next = ohci->done;
1174     ohci->done = addr;
1175     i = OHCI_BM(td.flags, TD_DI);
1176     if (i < ohci->done_count)
1177         ohci->done_count = i;
1178 exit_no_retire:
1179     if (ohci_put_td(ohci, addr, &td)) {
1180         ohci_die(ohci);
1181         return 1;
1182     }
1183     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1184 }
1185 
1186 /* Service an endpoint list.  Returns nonzero if active TD were found.  */
1187 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
1188 {
1189     struct ohci_ed ed;
1190     uint32_t next_ed;
1191     uint32_t cur;
1192     int active;
1193 
1194     active = 0;
1195 
1196     if (head == 0)
1197         return 0;
1198 
1199     for (cur = head; cur; cur = next_ed) {
1200         if (ohci_read_ed(ohci, cur, &ed)) {
1201             fprintf(stderr, "usb-ohci: ED read error at %x\n", cur);
1202             ohci_die(ohci);
1203             return 0;
1204         }
1205 
1206         next_ed = ed.next & OHCI_DPTR_MASK;
1207 
1208         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1209             uint32_t addr;
1210             /* Cancel pending packets for ED that have been paused.  */
1211             addr = ed.head & OHCI_DPTR_MASK;
1212             if (ohci->async_td && addr == ohci->async_td) {
1213                 usb_cancel_packet(&ohci->usb_packet);
1214                 ohci->async_td = 0;
1215                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1216                                       ohci->usb_packet.ep);
1217             }
1218             continue;
1219         }
1220 
1221         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1222 #ifdef DEBUG_PACKET
1223             DPRINTF("ED @ 0x%.8x fa=%u en=%u d=%u s=%u k=%u f=%u mps=%u "
1224                     "h=%u c=%u\n  head=0x%.8x tailp=0x%.8x next=0x%.8x\n", cur,
1225                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1226                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S)!= 0,
1227                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1228                     OHCI_BM(ed.flags, ED_MPS), (ed.head & OHCI_ED_H) != 0,
1229                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1230                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1231 #endif
1232             active = 1;
1233 
1234             if ((ed.flags & OHCI_ED_F) == 0) {
1235                 if (ohci_service_td(ohci, &ed))
1236                     break;
1237             } else {
1238                 /* Handle isochronous endpoints */
1239                 if (ohci_service_iso_td(ohci, &ed, completion))
1240                     break;
1241             }
1242         }
1243 
1244         if (ohci_put_ed(ohci, cur, &ed)) {
1245             ohci_die(ohci);
1246             return 0;
1247         }
1248     }
1249 
1250     return active;
1251 }
1252 
1253 /* Generate a SOF event, and set a timer for EOF */
1254 static void ohci_sof(OHCIState *ohci)
1255 {
1256     ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1257     timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1258     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1259 }
1260 
1261 /* Process Control and Bulk lists.  */
1262 static void ohci_process_lists(OHCIState *ohci, int completion)
1263 {
1264     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1265         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1266             DPRINTF("usb-ohci: head %x, cur %x\n",
1267                     ohci->ctrl_head, ohci->ctrl_cur);
1268         }
1269         if (!ohci_service_ed_list(ohci, ohci->ctrl_head, completion)) {
1270             ohci->ctrl_cur = 0;
1271             ohci->status &= ~OHCI_STATUS_CLF;
1272         }
1273     }
1274 
1275     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1276         if (!ohci_service_ed_list(ohci, ohci->bulk_head, completion)) {
1277             ohci->bulk_cur = 0;
1278             ohci->status &= ~OHCI_STATUS_BLF;
1279         }
1280     }
1281 }
1282 
1283 /* Do frame processing on frame boundary */
1284 static void ohci_frame_boundary(void *opaque)
1285 {
1286     OHCIState *ohci = opaque;
1287     struct ohci_hcca hcca;
1288 
1289     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1290         fprintf(stderr, "usb-ohci: HCCA read error at %x\n", ohci->hcca);
1291         ohci_die(ohci);
1292         return;
1293     }
1294 
1295     /* Process all the lists at the end of the frame */
1296     if (ohci->ctl & OHCI_CTL_PLE) {
1297         int n;
1298 
1299         n = ohci->frame_number & 0x1f;
1300         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]), 0);
1301     }
1302 
1303     /* Cancel all pending packets if either of the lists has been disabled.  */
1304     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1305         if (ohci->async_td) {
1306             usb_cancel_packet(&ohci->usb_packet);
1307             ohci->async_td = 0;
1308         }
1309         ohci_stop_endpoints(ohci);
1310     }
1311     ohci->old_ctl = ohci->ctl;
1312     ohci_process_lists(ohci, 0);
1313 
1314     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1315     if (ohci->intr_status & OHCI_INTR_UE) {
1316         return;
1317     }
1318 
1319     /* Frame boundary, so do EOF stuf here */
1320     ohci->frt = ohci->fit;
1321 
1322     /* Increment frame number and take care of endianness. */
1323     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1324     hcca.frame = cpu_to_le16(ohci->frame_number);
1325 
1326     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1327         if (!ohci->done)
1328             abort();
1329         if (ohci->intr & ohci->intr_status)
1330             ohci->done |= 1;
1331         hcca.done = cpu_to_le32(ohci->done);
1332         ohci->done = 0;
1333         ohci->done_count = 7;
1334         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1335     }
1336 
1337     if (ohci->done_count != 7 && ohci->done_count != 0)
1338         ohci->done_count--;
1339 
1340     /* Do SOF stuff here */
1341     ohci_sof(ohci);
1342 
1343     /* Writeback HCCA */
1344     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1345         ohci_die(ohci);
1346     }
1347 }
1348 
1349 /* Start sending SOF tokens across the USB bus, lists are processed in
1350  * next frame
1351  */
1352 static int ohci_bus_start(OHCIState *ohci)
1353 {
1354     ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1355                     ohci_frame_boundary,
1356                     ohci);
1357 
1358     if (ohci->eof_timer == NULL) {
1359         fprintf(stderr, "usb-ohci: %s: timer_new_ns failed\n", ohci->name);
1360         ohci_die(ohci);
1361         return 0;
1362     }
1363 
1364     DPRINTF("usb-ohci: %s: USB Operational\n", ohci->name);
1365 
1366     ohci_sof(ohci);
1367 
1368     return 1;
1369 }
1370 
1371 /* Stop sending SOF tokens on the bus */
1372 static void ohci_bus_stop(OHCIState *ohci)
1373 {
1374     if (ohci->eof_timer)
1375         timer_del(ohci->eof_timer);
1376     ohci->eof_timer = NULL;
1377 }
1378 
1379 /* Sets a flag in a port status register but only set it if the port is
1380  * connected, if not set ConnectStatusChange flag. If flag is enabled
1381  * return 1.
1382  */
1383 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1384 {
1385     int ret = 1;
1386 
1387     /* writing a 0 has no effect */
1388     if (val == 0)
1389         return 0;
1390 
1391     /* If CurrentConnectStatus is cleared we set
1392      * ConnectStatusChange
1393      */
1394     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1395         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1396         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1397             /* TODO: CSC is a wakeup event */
1398         }
1399         return 0;
1400     }
1401 
1402     if (ohci->rhport[i].ctrl & val)
1403         ret = 0;
1404 
1405     /* set the bit */
1406     ohci->rhport[i].ctrl |= val;
1407 
1408     return ret;
1409 }
1410 
1411 /* Set the frame interval - frame interval toggle is manipulated by the hcd only */
1412 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1413 {
1414     val &= OHCI_FMI_FI;
1415 
1416     if (val != ohci->fi) {
1417         DPRINTF("usb-ohci: %s: FrameInterval = 0x%x (%u)\n",
1418             ohci->name, ohci->fi, ohci->fi);
1419     }
1420 
1421     ohci->fi = val;
1422 }
1423 
1424 static void ohci_port_power(OHCIState *ohci, int i, int p)
1425 {
1426     if (p) {
1427         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1428     } else {
1429         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS|
1430                     OHCI_PORT_CCS|
1431                     OHCI_PORT_PSS|
1432                     OHCI_PORT_PRS);
1433     }
1434 }
1435 
1436 /* Set HcControlRegister */
1437 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1438 {
1439     uint32_t old_state;
1440     uint32_t new_state;
1441 
1442     old_state = ohci->ctl & OHCI_CTL_HCFS;
1443     ohci->ctl = val;
1444     new_state = ohci->ctl & OHCI_CTL_HCFS;
1445 
1446     /* no state change */
1447     if (old_state == new_state)
1448         return;
1449 
1450     switch (new_state) {
1451     case OHCI_USB_OPERATIONAL:
1452         ohci_bus_start(ohci);
1453         break;
1454     case OHCI_USB_SUSPEND:
1455         ohci_bus_stop(ohci);
1456         DPRINTF("usb-ohci: %s: USB Suspended\n", ohci->name);
1457         break;
1458     case OHCI_USB_RESUME:
1459         DPRINTF("usb-ohci: %s: USB Resume\n", ohci->name);
1460         break;
1461     case OHCI_USB_RESET:
1462         ohci_reset(ohci);
1463         DPRINTF("usb-ohci: %s: USB Reset\n", ohci->name);
1464         break;
1465     }
1466 }
1467 
1468 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1469 {
1470     uint16_t fr;
1471     int64_t tks;
1472 
1473     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL)
1474         return (ohci->frt << 31);
1475 
1476     /* Being in USB operational state guarnatees sof_time was
1477      * set already.
1478      */
1479     tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1480 
1481     /* avoid muldiv if possible */
1482     if (tks >= usb_frame_time)
1483         return (ohci->frt << 31);
1484 
1485     tks = muldiv64(1, tks, usb_bit_time);
1486     fr = (uint16_t)(ohci->fi - tks);
1487 
1488     return (ohci->frt << 31) | fr;
1489 }
1490 
1491 
1492 /* Set root hub status */
1493 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1494 {
1495     uint32_t old_state;
1496 
1497     old_state = ohci->rhstatus;
1498 
1499     /* write 1 to clear OCIC */
1500     if (val & OHCI_RHS_OCIC)
1501         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1502 
1503     if (val & OHCI_RHS_LPS) {
1504         int i;
1505 
1506         for (i = 0; i < ohci->num_ports; i++)
1507             ohci_port_power(ohci, i, 0);
1508         DPRINTF("usb-ohci: powered down all ports\n");
1509     }
1510 
1511     if (val & OHCI_RHS_LPSC) {
1512         int i;
1513 
1514         for (i = 0; i < ohci->num_ports; i++)
1515             ohci_port_power(ohci, i, 1);
1516         DPRINTF("usb-ohci: powered up all ports\n");
1517     }
1518 
1519     if (val & OHCI_RHS_DRWE)
1520         ohci->rhstatus |= OHCI_RHS_DRWE;
1521 
1522     if (val & OHCI_RHS_CRWE)
1523         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1524 
1525     if (old_state != ohci->rhstatus)
1526         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1527 }
1528 
1529 /* Set root hub port status */
1530 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1531 {
1532     uint32_t old_state;
1533     OHCIPort *port;
1534 
1535     port = &ohci->rhport[portnum];
1536     old_state = port->ctrl;
1537 
1538     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1539     if (val & OHCI_PORT_WTC)
1540         port->ctrl &= ~(val & OHCI_PORT_WTC);
1541 
1542     if (val & OHCI_PORT_CCS)
1543         port->ctrl &= ~OHCI_PORT_PES;
1544 
1545     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1546 
1547     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1548         DPRINTF("usb-ohci: port %d: SUSPEND\n", portnum);
1549     }
1550 
1551     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1552         DPRINTF("usb-ohci: port %d: RESET\n", portnum);
1553         usb_device_reset(port->port.dev);
1554         port->ctrl &= ~OHCI_PORT_PRS;
1555         /* ??? Should this also set OHCI_PORT_PESC.  */
1556         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1557     }
1558 
1559     /* Invert order here to ensure in ambiguous case, device is
1560      * powered up...
1561      */
1562     if (val & OHCI_PORT_LSDA)
1563         ohci_port_power(ohci, portnum, 0);
1564     if (val & OHCI_PORT_PPS)
1565         ohci_port_power(ohci, portnum, 1);
1566 
1567     if (old_state != port->ctrl)
1568         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1569 }
1570 
1571 static uint64_t ohci_mem_read(void *opaque,
1572                               hwaddr addr,
1573                               unsigned size)
1574 {
1575     OHCIState *ohci = opaque;
1576     uint32_t retval;
1577 
1578     /* Only aligned reads are allowed on OHCI */
1579     if (addr & 3) {
1580         fprintf(stderr, "usb-ohci: Mis-aligned read\n");
1581         return 0xffffffff;
1582     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1583         /* HcRhPortStatus */
1584         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1585     } else {
1586         switch (addr >> 2) {
1587         case 0: /* HcRevision */
1588             retval = 0x10;
1589             break;
1590 
1591         case 1: /* HcControl */
1592             retval = ohci->ctl;
1593             break;
1594 
1595         case 2: /* HcCommandStatus */
1596             retval = ohci->status;
1597             break;
1598 
1599         case 3: /* HcInterruptStatus */
1600             retval = ohci->intr_status;
1601             break;
1602 
1603         case 4: /* HcInterruptEnable */
1604         case 5: /* HcInterruptDisable */
1605             retval = ohci->intr;
1606             break;
1607 
1608         case 6: /* HcHCCA */
1609             retval = ohci->hcca;
1610             break;
1611 
1612         case 7: /* HcPeriodCurrentED */
1613             retval = ohci->per_cur;
1614             break;
1615 
1616         case 8: /* HcControlHeadED */
1617             retval = ohci->ctrl_head;
1618             break;
1619 
1620         case 9: /* HcControlCurrentED */
1621             retval = ohci->ctrl_cur;
1622             break;
1623 
1624         case 10: /* HcBulkHeadED */
1625             retval = ohci->bulk_head;
1626             break;
1627 
1628         case 11: /* HcBulkCurrentED */
1629             retval = ohci->bulk_cur;
1630             break;
1631 
1632         case 12: /* HcDoneHead */
1633             retval = ohci->done;
1634             break;
1635 
1636         case 13: /* HcFmInterretval */
1637             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1638             break;
1639 
1640         case 14: /* HcFmRemaining */
1641             retval = ohci_get_frame_remaining(ohci);
1642             break;
1643 
1644         case 15: /* HcFmNumber */
1645             retval = ohci->frame_number;
1646             break;
1647 
1648         case 16: /* HcPeriodicStart */
1649             retval = ohci->pstart;
1650             break;
1651 
1652         case 17: /* HcLSThreshold */
1653             retval = ohci->lst;
1654             break;
1655 
1656         case 18: /* HcRhDescriptorA */
1657             retval = ohci->rhdesc_a;
1658             break;
1659 
1660         case 19: /* HcRhDescriptorB */
1661             retval = ohci->rhdesc_b;
1662             break;
1663 
1664         case 20: /* HcRhStatus */
1665             retval = ohci->rhstatus;
1666             break;
1667 
1668         /* PXA27x specific registers */
1669         case 24: /* HcStatus */
1670             retval = ohci->hstatus & ohci->hmask;
1671             break;
1672 
1673         case 25: /* HcHReset */
1674             retval = ohci->hreset;
1675             break;
1676 
1677         case 26: /* HcHInterruptEnable */
1678             retval = ohci->hmask;
1679             break;
1680 
1681         case 27: /* HcHInterruptTest */
1682             retval = ohci->htest;
1683             break;
1684 
1685         default:
1686             fprintf(stderr, "ohci_read: Bad offset %x\n", (int)addr);
1687             retval = 0xffffffff;
1688         }
1689     }
1690 
1691     return retval;
1692 }
1693 
1694 static void ohci_mem_write(void *opaque,
1695                            hwaddr addr,
1696                            uint64_t val,
1697                            unsigned size)
1698 {
1699     OHCIState *ohci = opaque;
1700 
1701     /* Only aligned reads are allowed on OHCI */
1702     if (addr & 3) {
1703         fprintf(stderr, "usb-ohci: Mis-aligned write\n");
1704         return;
1705     }
1706 
1707     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1708         /* HcRhPortStatus */
1709         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1710         return;
1711     }
1712 
1713     switch (addr >> 2) {
1714     case 1: /* HcControl */
1715         ohci_set_ctl(ohci, val);
1716         break;
1717 
1718     case 2: /* HcCommandStatus */
1719         /* SOC is read-only */
1720         val = (val & ~OHCI_STATUS_SOC);
1721 
1722         /* Bits written as '0' remain unchanged in the register */
1723         ohci->status |= val;
1724 
1725         if (ohci->status & OHCI_STATUS_HCR)
1726             ohci_reset(ohci);
1727         break;
1728 
1729     case 3: /* HcInterruptStatus */
1730         ohci->intr_status &= ~val;
1731         ohci_intr_update(ohci);
1732         break;
1733 
1734     case 4: /* HcInterruptEnable */
1735         ohci->intr |= val;
1736         ohci_intr_update(ohci);
1737         break;
1738 
1739     case 5: /* HcInterruptDisable */
1740         ohci->intr &= ~val;
1741         ohci_intr_update(ohci);
1742         break;
1743 
1744     case 6: /* HcHCCA */
1745         ohci->hcca = val & OHCI_HCCA_MASK;
1746         break;
1747 
1748     case 7: /* HcPeriodCurrentED */
1749         /* Ignore writes to this read-only register, Linux does them */
1750         break;
1751 
1752     case 8: /* HcControlHeadED */
1753         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1754         break;
1755 
1756     case 9: /* HcControlCurrentED */
1757         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1758         break;
1759 
1760     case 10: /* HcBulkHeadED */
1761         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1762         break;
1763 
1764     case 11: /* HcBulkCurrentED */
1765         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1766         break;
1767 
1768     case 13: /* HcFmInterval */
1769         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1770         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1771         ohci_set_frame_interval(ohci, val);
1772         break;
1773 
1774     case 15: /* HcFmNumber */
1775         break;
1776 
1777     case 16: /* HcPeriodicStart */
1778         ohci->pstart = val & 0xffff;
1779         break;
1780 
1781     case 17: /* HcLSThreshold */
1782         ohci->lst = val & 0xffff;
1783         break;
1784 
1785     case 18: /* HcRhDescriptorA */
1786         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1787         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1788         break;
1789 
1790     case 19: /* HcRhDescriptorB */
1791         break;
1792 
1793     case 20: /* HcRhStatus */
1794         ohci_set_hub_status(ohci, val);
1795         break;
1796 
1797     /* PXA27x specific registers */
1798     case 24: /* HcStatus */
1799         ohci->hstatus &= ~(val & ohci->hmask);
1800         break;
1801 
1802     case 25: /* HcHReset */
1803         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1804         if (val & OHCI_HRESET_FSBIR)
1805             ohci_reset(ohci);
1806         break;
1807 
1808     case 26: /* HcHInterruptEnable */
1809         ohci->hmask = val;
1810         break;
1811 
1812     case 27: /* HcHInterruptTest */
1813         ohci->htest = val;
1814         break;
1815 
1816     default:
1817         fprintf(stderr, "ohci_write: Bad offset %x\n", (int)addr);
1818         break;
1819     }
1820 }
1821 
1822 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
1823 {
1824     if (ohci->async_td &&
1825         usb_packet_is_inflight(&ohci->usb_packet) &&
1826         ohci->usb_packet.ep->dev == dev) {
1827         usb_cancel_packet(&ohci->usb_packet);
1828         ohci->async_td = 0;
1829     }
1830 }
1831 
1832 static const MemoryRegionOps ohci_mem_ops = {
1833     .read = ohci_mem_read,
1834     .write = ohci_mem_write,
1835     .endianness = DEVICE_LITTLE_ENDIAN,
1836 };
1837 
1838 static USBPortOps ohci_port_ops = {
1839     .attach = ohci_attach,
1840     .detach = ohci_detach,
1841     .child_detach = ohci_child_detach,
1842     .wakeup = ohci_wakeup,
1843     .complete = ohci_async_complete_packet,
1844 };
1845 
1846 static USBBusOps ohci_bus_ops = {
1847 };
1848 
1849 static int usb_ohci_init(OHCIState *ohci, DeviceState *dev,
1850                          int num_ports, dma_addr_t localmem_base,
1851                          char *masterbus, uint32_t firstport,
1852                          AddressSpace *as)
1853 {
1854     int i;
1855 
1856     ohci->as = as;
1857 
1858     if (usb_frame_time == 0) {
1859 #ifdef OHCI_TIME_WARP
1860         usb_frame_time = get_ticks_per_sec();
1861         usb_bit_time = muldiv64(1, get_ticks_per_sec(), USB_HZ/1000);
1862 #else
1863         usb_frame_time = muldiv64(1, get_ticks_per_sec(), 1000);
1864         if (get_ticks_per_sec() >= USB_HZ) {
1865             usb_bit_time = muldiv64(1, get_ticks_per_sec(), USB_HZ);
1866         } else {
1867             usb_bit_time = 1;
1868         }
1869 #endif
1870         DPRINTF("usb-ohci: usb_bit_time=%" PRId64 " usb_frame_time=%" PRId64 "\n",
1871                 usb_frame_time, usb_bit_time);
1872     }
1873 
1874     ohci->num_ports = num_ports;
1875     if (masterbus) {
1876         USBPort *ports[OHCI_MAX_PORTS];
1877         for(i = 0; i < num_ports; i++) {
1878             ports[i] = &ohci->rhport[i].port;
1879         }
1880         if (usb_register_companion(masterbus, ports, num_ports,
1881                 firstport, ohci, &ohci_port_ops,
1882                 USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL) != 0) {
1883             return -1;
1884         }
1885     } else {
1886         usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1887         for (i = 0; i < num_ports; i++) {
1888             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1889                               ohci, i, &ohci_port_ops,
1890                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1891         }
1892     }
1893 
1894     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1895                           ohci, "ohci", 256);
1896     ohci->localmem_base = localmem_base;
1897 
1898     ohci->name = object_get_typename(OBJECT(dev));
1899     usb_packet_init(&ohci->usb_packet);
1900 
1901     ohci->async_td = 0;
1902     qemu_register_reset(ohci_reset, ohci);
1903 
1904     return 0;
1905 }
1906 
1907 #define TYPE_PCI_OHCI "pci-ohci"
1908 #define PCI_OHCI(obj) OBJECT_CHECK(OHCIPCIState, (obj), TYPE_PCI_OHCI)
1909 
1910 typedef struct {
1911     /*< private >*/
1912     PCIDevice parent_obj;
1913     /*< public >*/
1914 
1915     OHCIState state;
1916     char *masterbus;
1917     uint32_t num_ports;
1918     uint32_t firstport;
1919 } OHCIPCIState;
1920 
1921 /** A typical O/EHCI will stop operating, set itself into error state
1922  * (which can be queried by MMIO) and will set PERR in its config
1923  * space to signal that it got an error
1924  */
1925 static void ohci_die(OHCIState *ohci)
1926 {
1927     OHCIPCIState *dev = container_of(ohci, OHCIPCIState, state);
1928 
1929     fprintf(stderr, "%s: DMA error\n", __func__);
1930 
1931     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1932     ohci_bus_stop(ohci);
1933     pci_set_word(dev->parent_obj.config + PCI_STATUS,
1934                  PCI_STATUS_DETECTED_PARITY);
1935 }
1936 
1937 static int usb_ohci_initfn_pci(PCIDevice *dev)
1938 {
1939     OHCIPCIState *ohci = PCI_OHCI(dev);
1940 
1941     dev->config[PCI_CLASS_PROG] = 0x10; /* OHCI */
1942     dev->config[PCI_INTERRUPT_PIN] = 0x01; /* interrupt pin A */
1943 
1944     if (usb_ohci_init(&ohci->state, DEVICE(dev), ohci->num_ports, 0,
1945                       ohci->masterbus, ohci->firstport,
1946                       pci_get_address_space(dev)) != 0) {
1947         return -1;
1948     }
1949     ohci->state.irq = pci_allocate_irq(dev);
1950 
1951     pci_register_bar(dev, 0, 0, &ohci->state.mem);
1952     return 0;
1953 }
1954 
1955 #define TYPE_SYSBUS_OHCI "sysbus-ohci"
1956 #define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
1957 
1958 typedef struct {
1959     /*< private >*/
1960     SysBusDevice parent_obj;
1961     /*< public >*/
1962 
1963     OHCIState ohci;
1964     uint32_t num_ports;
1965     dma_addr_t dma_offset;
1966 } OHCISysBusState;
1967 
1968 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
1969 {
1970     OHCISysBusState *s = SYSBUS_OHCI(dev);
1971     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1972 
1973     /* Cannot fail as we pass NULL for masterbus */
1974     usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset, NULL, 0,
1975                   &address_space_memory);
1976     sysbus_init_irq(sbd, &s->ohci.irq);
1977     sysbus_init_mmio(sbd, &s->ohci.mem);
1978 }
1979 
1980 static Property ohci_pci_properties[] = {
1981     DEFINE_PROP_STRING("masterbus", OHCIPCIState, masterbus),
1982     DEFINE_PROP_UINT32("num-ports", OHCIPCIState, num_ports, 3),
1983     DEFINE_PROP_UINT32("firstport", OHCIPCIState, firstport, 0),
1984     DEFINE_PROP_END_OF_LIST(),
1985 };
1986 
1987 static const VMStateDescription vmstate_ohci_state_port = {
1988     .name = "ohci-core/port",
1989     .version_id = 1,
1990     .minimum_version_id = 1,
1991     .fields = (VMStateField[]) {
1992         VMSTATE_UINT32(ctrl, OHCIPort),
1993         VMSTATE_END_OF_LIST()
1994     },
1995 };
1996 
1997 static bool ohci_eof_timer_needed(void *opaque)
1998 {
1999     OHCIState *ohci = opaque;
2000 
2001     return ohci->eof_timer != NULL;
2002 }
2003 
2004 static int ohci_eof_timer_pre_load(void *opaque)
2005 {
2006     OHCIState *ohci = opaque;
2007 
2008     ohci_bus_start(ohci);
2009 
2010     return 0;
2011 }
2012 
2013 static const VMStateDescription vmstate_ohci_eof_timer = {
2014     .name = "ohci-core/eof-timer",
2015     .version_id = 1,
2016     .minimum_version_id = 1,
2017     .pre_load = ohci_eof_timer_pre_load,
2018     .fields = (VMStateField[]) {
2019         VMSTATE_TIMER(eof_timer, OHCIState),
2020         VMSTATE_END_OF_LIST()
2021     },
2022 };
2023 
2024 static const VMStateDescription vmstate_ohci_state = {
2025     .name = "ohci-core",
2026     .version_id = 1,
2027     .minimum_version_id = 1,
2028     .fields = (VMStateField[]) {
2029         VMSTATE_INT64(sof_time, OHCIState),
2030         VMSTATE_UINT32(ctl, OHCIState),
2031         VMSTATE_UINT32(status, OHCIState),
2032         VMSTATE_UINT32(intr_status, OHCIState),
2033         VMSTATE_UINT32(intr, OHCIState),
2034         VMSTATE_UINT32(hcca, OHCIState),
2035         VMSTATE_UINT32(ctrl_head, OHCIState),
2036         VMSTATE_UINT32(ctrl_cur, OHCIState),
2037         VMSTATE_UINT32(bulk_head, OHCIState),
2038         VMSTATE_UINT32(bulk_cur, OHCIState),
2039         VMSTATE_UINT32(per_cur, OHCIState),
2040         VMSTATE_UINT32(done, OHCIState),
2041         VMSTATE_INT32(done_count, OHCIState),
2042         VMSTATE_UINT16(fsmps, OHCIState),
2043         VMSTATE_UINT8(fit, OHCIState),
2044         VMSTATE_UINT16(fi, OHCIState),
2045         VMSTATE_UINT8(frt, OHCIState),
2046         VMSTATE_UINT16(frame_number, OHCIState),
2047         VMSTATE_UINT16(padding, OHCIState),
2048         VMSTATE_UINT32(pstart, OHCIState),
2049         VMSTATE_UINT32(lst, OHCIState),
2050         VMSTATE_UINT32(rhdesc_a, OHCIState),
2051         VMSTATE_UINT32(rhdesc_b, OHCIState),
2052         VMSTATE_UINT32(rhstatus, OHCIState),
2053         VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
2054                              vmstate_ohci_state_port, OHCIPort),
2055         VMSTATE_UINT32(hstatus, OHCIState),
2056         VMSTATE_UINT32(hmask, OHCIState),
2057         VMSTATE_UINT32(hreset, OHCIState),
2058         VMSTATE_UINT32(htest, OHCIState),
2059         VMSTATE_UINT32(old_ctl, OHCIState),
2060         VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
2061         VMSTATE_UINT32(async_td, OHCIState),
2062         VMSTATE_BOOL(async_complete, OHCIState),
2063         VMSTATE_END_OF_LIST()
2064     },
2065     .subsections = (VMStateSubsection []) {
2066         {
2067             .vmsd = &vmstate_ohci_eof_timer,
2068             .needed = ohci_eof_timer_needed,
2069         } , {
2070             /* empty */
2071         }
2072     }
2073 };
2074 
2075 static const VMStateDescription vmstate_ohci = {
2076     .name = "ohci",
2077     .version_id = 1,
2078     .minimum_version_id = 1,
2079     .fields = (VMStateField[]) {
2080         VMSTATE_PCI_DEVICE(parent_obj, OHCIPCIState),
2081         VMSTATE_STRUCT(state, OHCIPCIState, 1, vmstate_ohci_state, OHCIState),
2082         VMSTATE_END_OF_LIST()
2083     }
2084 };
2085 
2086 static void ohci_pci_class_init(ObjectClass *klass, void *data)
2087 {
2088     DeviceClass *dc = DEVICE_CLASS(klass);
2089     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2090 
2091     k->init = usb_ohci_initfn_pci;
2092     k->vendor_id = PCI_VENDOR_ID_APPLE;
2093     k->device_id = PCI_DEVICE_ID_APPLE_IPID_USB;
2094     k->class_id = PCI_CLASS_SERIAL_USB;
2095     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2096     dc->desc = "Apple USB Controller";
2097     dc->props = ohci_pci_properties;
2098     dc->hotpluggable = false;
2099     dc->vmsd = &vmstate_ohci;
2100 }
2101 
2102 static const TypeInfo ohci_pci_info = {
2103     .name          = TYPE_PCI_OHCI,
2104     .parent        = TYPE_PCI_DEVICE,
2105     .instance_size = sizeof(OHCIPCIState),
2106     .class_init    = ohci_pci_class_init,
2107 };
2108 
2109 static Property ohci_sysbus_properties[] = {
2110     DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
2111     DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 3),
2112     DEFINE_PROP_END_OF_LIST(),
2113 };
2114 
2115 static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
2116 {
2117     DeviceClass *dc = DEVICE_CLASS(klass);
2118 
2119     dc->realize = ohci_realize_pxa;
2120     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2121     dc->desc = "OHCI USB Controller";
2122     dc->props = ohci_sysbus_properties;
2123 }
2124 
2125 static const TypeInfo ohci_sysbus_info = {
2126     .name          = TYPE_SYSBUS_OHCI,
2127     .parent        = TYPE_SYS_BUS_DEVICE,
2128     .instance_size = sizeof(OHCISysBusState),
2129     .class_init    = ohci_sysbus_class_init,
2130 };
2131 
2132 static void ohci_register_types(void)
2133 {
2134     type_register_static(&ohci_pci_info);
2135     type_register_static(&ohci_sysbus_info);
2136 }
2137 
2138 type_init(ohci_register_types)
2139