xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision ad66b5cb)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2.1 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26  */
27 
28 #include "qemu/osdep.h"
29 #include "hw/irq.h"
30 #include "qapi/error.h"
31 #include "qemu/module.h"
32 #include "qemu/timer.h"
33 #include "hw/usb.h"
34 #include "migration/vmstate.h"
35 #include "hw/sysbus.h"
36 #include "hw/qdev-dma.h"
37 #include "hw/qdev-properties.h"
38 #include "trace.h"
39 #include "hcd-ohci.h"
40 
41 /* This causes frames to occur 1000x slower */
42 /*#define OHCI_TIME_WARP 1*/
43 
44 #define ED_LINK_LIMIT 32
45 
46 static int64_t usb_frame_time;
47 static int64_t usb_bit_time;
48 
49 /* Host Controller Communications Area */
50 struct ohci_hcca {
51     uint32_t intr[32];
52     uint16_t frame, pad;
53     uint32_t done;
54 };
55 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
56 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
57 
58 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
59 #define ED_WBACK_SIZE   4
60 
61 /* Bitfields for the first word of an Endpoint Descriptor. */
62 #define OHCI_ED_FA_SHIFT  0
63 #define OHCI_ED_FA_MASK   (0x7f << OHCI_ED_FA_SHIFT)
64 #define OHCI_ED_EN_SHIFT  7
65 #define OHCI_ED_EN_MASK   (0xf << OHCI_ED_EN_SHIFT)
66 #define OHCI_ED_D_SHIFT   11
67 #define OHCI_ED_D_MASK    (3 << OHCI_ED_D_SHIFT)
68 #define OHCI_ED_S         (1 << 13)
69 #define OHCI_ED_K         (1 << 14)
70 #define OHCI_ED_F         (1 << 15)
71 #define OHCI_ED_MPS_SHIFT 16
72 #define OHCI_ED_MPS_MASK  (0x7ff << OHCI_ED_MPS_SHIFT)
73 
74 /* Flags in the head field of an Endpoint Descriptor. */
75 #define OHCI_ED_H         1
76 #define OHCI_ED_C         2
77 
78 /* Bitfields for the first word of a Transfer Descriptor. */
79 #define OHCI_TD_R         (1 << 18)
80 #define OHCI_TD_DP_SHIFT  19
81 #define OHCI_TD_DP_MASK   (3 << OHCI_TD_DP_SHIFT)
82 #define OHCI_TD_DI_SHIFT  21
83 #define OHCI_TD_DI_MASK   (7 << OHCI_TD_DI_SHIFT)
84 #define OHCI_TD_T0        (1 << 24)
85 #define OHCI_TD_T1        (1 << 25)
86 #define OHCI_TD_EC_SHIFT  26
87 #define OHCI_TD_EC_MASK   (3 << OHCI_TD_EC_SHIFT)
88 #define OHCI_TD_CC_SHIFT  28
89 #define OHCI_TD_CC_MASK   (0xf << OHCI_TD_CC_SHIFT)
90 
91 /* Bitfields for the first word of an Isochronous Transfer Descriptor. */
92 /* CC & DI - same as in the General Transfer Descriptor */
93 #define OHCI_TD_SF_SHIFT  0
94 #define OHCI_TD_SF_MASK   (0xffff << OHCI_TD_SF_SHIFT)
95 #define OHCI_TD_FC_SHIFT  24
96 #define OHCI_TD_FC_MASK   (7 << OHCI_TD_FC_SHIFT)
97 
98 /* Isochronous Transfer Descriptor - Offset / PacketStatusWord */
99 #define OHCI_TD_PSW_CC_SHIFT 12
100 #define OHCI_TD_PSW_CC_MASK  (0xf << OHCI_TD_PSW_CC_SHIFT)
101 #define OHCI_TD_PSW_SIZE_SHIFT 0
102 #define OHCI_TD_PSW_SIZE_MASK  (0xfff << OHCI_TD_PSW_SIZE_SHIFT)
103 
104 #define OHCI_PAGE_MASK    0xfffff000
105 #define OHCI_OFFSET_MASK  0xfff
106 
107 #define OHCI_DPTR_MASK    0xfffffff0
108 
109 #define OHCI_BM(val, field) \
110   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
111 
112 #define OHCI_SET_BM(val, field, newval) do { \
113     val &= ~OHCI_##field##_MASK; \
114     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
115     } while (0)
116 
117 /* endpoint descriptor */
118 struct ohci_ed {
119     uint32_t flags;
120     uint32_t tail;
121     uint32_t head;
122     uint32_t next;
123 };
124 
125 /* General transfer descriptor */
126 struct ohci_td {
127     uint32_t flags;
128     uint32_t cbp;
129     uint32_t next;
130     uint32_t be;
131 };
132 
133 /* Isochronous transfer descriptor */
134 struct ohci_iso_td {
135     uint32_t flags;
136     uint32_t bp;
137     uint32_t next;
138     uint32_t be;
139     uint16_t offset[8];
140 };
141 
142 #define USB_HZ                      12000000
143 
144 /* OHCI Local stuff */
145 #define OHCI_CTL_CBSR         ((1 << 0) | (1 << 1))
146 #define OHCI_CTL_PLE          (1 << 2)
147 #define OHCI_CTL_IE           (1 << 3)
148 #define OHCI_CTL_CLE          (1 << 4)
149 #define OHCI_CTL_BLE          (1 << 5)
150 #define OHCI_CTL_HCFS         ((1 << 6) | (1 << 7))
151 #define  OHCI_USB_RESET       0x00
152 #define  OHCI_USB_RESUME      0x40
153 #define  OHCI_USB_OPERATIONAL 0x80
154 #define  OHCI_USB_SUSPEND     0xc0
155 #define OHCI_CTL_IR           (1 << 8)
156 #define OHCI_CTL_RWC          (1 << 9)
157 #define OHCI_CTL_RWE          (1 << 10)
158 
159 #define OHCI_STATUS_HCR       (1 << 0)
160 #define OHCI_STATUS_CLF       (1 << 1)
161 #define OHCI_STATUS_BLF       (1 << 2)
162 #define OHCI_STATUS_OCR       (1 << 3)
163 #define OHCI_STATUS_SOC       ((1 << 6) | (1 << 7))
164 
165 #define OHCI_INTR_SO          (1U << 0) /* Scheduling overrun */
166 #define OHCI_INTR_WD          (1U << 1) /* HcDoneHead writeback */
167 #define OHCI_INTR_SF          (1U << 2) /* Start of frame */
168 #define OHCI_INTR_RD          (1U << 3) /* Resume detect */
169 #define OHCI_INTR_UE          (1U << 4) /* Unrecoverable error */
170 #define OHCI_INTR_FNO         (1U << 5) /* Frame number overflow */
171 #define OHCI_INTR_RHSC        (1U << 6) /* Root hub status change */
172 #define OHCI_INTR_OC          (1U << 30) /* Ownership change */
173 #define OHCI_INTR_MIE         (1U << 31) /* Master Interrupt Enable */
174 
175 #define OHCI_HCCA_SIZE        0x100
176 #define OHCI_HCCA_MASK        0xffffff00
177 
178 #define OHCI_EDPTR_MASK       0xfffffff0
179 
180 #define OHCI_FMI_FI           0x00003fff
181 #define OHCI_FMI_FSMPS        0xffff0000
182 #define OHCI_FMI_FIT          0x80000000
183 
184 #define OHCI_FR_RT            (1U << 31)
185 
186 #define OHCI_LS_THRESH        0x628
187 
188 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
189 #define OHCI_RHA_PSM          (1 << 8)
190 #define OHCI_RHA_NPS          (1 << 9)
191 #define OHCI_RHA_DT           (1 << 10)
192 #define OHCI_RHA_OCPM         (1 << 11)
193 #define OHCI_RHA_NOCP         (1 << 12)
194 #define OHCI_RHA_POTPGT_MASK  0xff000000
195 
196 #define OHCI_RHS_LPS          (1U << 0)
197 #define OHCI_RHS_OCI          (1U << 1)
198 #define OHCI_RHS_DRWE         (1U << 15)
199 #define OHCI_RHS_LPSC         (1U << 16)
200 #define OHCI_RHS_OCIC         (1U << 17)
201 #define OHCI_RHS_CRWE         (1U << 31)
202 
203 #define OHCI_PORT_CCS         (1 << 0)
204 #define OHCI_PORT_PES         (1 << 1)
205 #define OHCI_PORT_PSS         (1 << 2)
206 #define OHCI_PORT_POCI        (1 << 3)
207 #define OHCI_PORT_PRS         (1 << 4)
208 #define OHCI_PORT_PPS         (1 << 8)
209 #define OHCI_PORT_LSDA        (1 << 9)
210 #define OHCI_PORT_CSC         (1 << 16)
211 #define OHCI_PORT_PESC        (1 << 17)
212 #define OHCI_PORT_PSSC        (1 << 18)
213 #define OHCI_PORT_OCIC        (1 << 19)
214 #define OHCI_PORT_PRSC        (1 << 20)
215 #define OHCI_PORT_WTC         (OHCI_PORT_CSC | OHCI_PORT_PESC | \
216                                OHCI_PORT_PSSC | OHCI_PORT_OCIC | \
217                                OHCI_PORT_PRSC)
218 #define OHCI_TD_DIR_SETUP     0x0
219 #define OHCI_TD_DIR_OUT       0x1
220 #define OHCI_TD_DIR_IN        0x2
221 #define OHCI_TD_DIR_RESERVED  0x3
222 
223 #define OHCI_CC_NOERROR             0x0
224 #define OHCI_CC_CRC                 0x1
225 #define OHCI_CC_BITSTUFFING         0x2
226 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
227 #define OHCI_CC_STALL               0x4
228 #define OHCI_CC_DEVICENOTRESPONDING 0x5
229 #define OHCI_CC_PIDCHECKFAILURE     0x6
230 #define OHCI_CC_UNDEXPETEDPID       0x7
231 #define OHCI_CC_DATAOVERRUN         0x8
232 #define OHCI_CC_DATAUNDERRUN        0x9
233 #define OHCI_CC_BUFFEROVERRUN       0xc
234 #define OHCI_CC_BUFFERUNDERRUN      0xd
235 
236 #define OHCI_HRESET_FSBIR       (1 << 0)
237 
238 static const char *ohci_reg_names[] = {
239     "HcRevision", "HcControl", "HcCommandStatus", "HcInterruptStatus",
240     "HcInterruptEnable", "HcInterruptDisable", "HcHCCA", "HcPeriodCurrentED",
241     "HcControlHeadED", "HcControlCurrentED", "HcBulkHeadED", "HcBulkCurrentED",
242     "HcDoneHead", "HcFmInterval", "HcFmRemaining", "HcFmNumber",
243     "HcPeriodicStart", "HcLSThreshold", "HcRhDescriptorA", "HcRhDescriptorB",
244     "HcRhStatus"
245 };
246 
247 static const char *ohci_reg_name(hwaddr addr)
248 {
249     if (addr >> 2 < ARRAY_SIZE(ohci_reg_names)) {
250         return ohci_reg_names[addr >> 2];
251     } else {
252         return "<unknown>";
253     }
254 }
255 
256 static void ohci_die(OHCIState *ohci)
257 {
258     ohci->ohci_die(ohci);
259 }
260 
261 /* Update IRQ levels */
262 static inline void ohci_intr_update(OHCIState *ohci)
263 {
264     int level = 0;
265 
266     if ((ohci->intr & OHCI_INTR_MIE) &&
267         (ohci->intr_status & ohci->intr))
268         level = 1;
269 
270     qemu_set_irq(ohci->irq, level);
271 }
272 
273 /* Set an interrupt */
274 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
275 {
276     ohci->intr_status |= intr;
277     ohci_intr_update(ohci);
278 }
279 
280 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
281 {
282     USBDevice *dev;
283     int i;
284 
285     for (i = 0; i < ohci->num_ports; i++) {
286         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
287             continue;
288         }
289         dev = usb_find_device(&ohci->rhport[i].port, addr);
290         if (dev != NULL) {
291             return dev;
292         }
293     }
294     return NULL;
295 }
296 
297 void ohci_stop_endpoints(OHCIState *ohci)
298 {
299     USBDevice *dev;
300     int i, j;
301 
302     if (ohci->async_td) {
303         usb_cancel_packet(&ohci->usb_packet);
304         ohci->async_td = 0;
305     }
306     for (i = 0; i < ohci->num_ports; i++) {
307         dev = ohci->rhport[i].port.dev;
308         if (dev && dev->attached) {
309             usb_device_ep_stopped(dev, &dev->ep_ctl);
310             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
311                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
312                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
313             }
314         }
315     }
316 }
317 
318 static void ohci_roothub_reset(OHCIState *ohci)
319 {
320     OHCIPort *port;
321     int i;
322 
323     ohci_bus_stop(ohci);
324     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
325     ohci->rhdesc_b = 0x0; /* Impl. specific */
326     ohci->rhstatus = 0;
327 
328     for (i = 0; i < ohci->num_ports; i++) {
329         port = &ohci->rhport[i];
330         port->ctrl = 0;
331         if (port->port.dev && port->port.dev->attached) {
332             usb_port_reset(&port->port);
333         }
334     }
335     ohci_stop_endpoints(ohci);
336 }
337 
338 /* Reset the controller */
339 static void ohci_soft_reset(OHCIState *ohci)
340 {
341     trace_usb_ohci_reset(ohci->name);
342 
343     ohci_bus_stop(ohci);
344     ohci->ctl = (ohci->ctl & OHCI_CTL_IR) | OHCI_USB_SUSPEND;
345     ohci->old_ctl = 0;
346     ohci->status = 0;
347     ohci->intr_status = 0;
348     ohci->intr = OHCI_INTR_MIE;
349 
350     ohci->hcca = 0;
351     ohci->ctrl_head = ohci->ctrl_cur = 0;
352     ohci->bulk_head = ohci->bulk_cur = 0;
353     ohci->per_cur = 0;
354     ohci->done = 0;
355     ohci->done_count = 7;
356     /*
357      * FSMPS is marked TBD in OCHI 1.0, what gives ffs?
358      * I took the value linux sets ...
359      */
360     ohci->fsmps = 0x2778;
361     ohci->fi = 0x2edf;
362     ohci->fit = 0;
363     ohci->frt = 0;
364     ohci->frame_number = 0;
365     ohci->pstart = 0;
366     ohci->lst = OHCI_LS_THRESH;
367 }
368 
369 void ohci_hard_reset(OHCIState *ohci)
370 {
371     ohci_soft_reset(ohci);
372     ohci->ctl = 0;
373     ohci_roothub_reset(ohci);
374 }
375 
376 /* Get an array of dwords from main memory */
377 static inline int get_dwords(OHCIState *ohci,
378                              dma_addr_t addr, uint32_t *buf, int num)
379 {
380     int i;
381 
382     addr += ohci->localmem_base;
383 
384     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
385         if (dma_memory_read(ohci->as, addr,
386                             buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
387             return -1;
388         }
389         *buf = le32_to_cpu(*buf);
390     }
391 
392     return 0;
393 }
394 
395 /* Put an array of dwords in to main memory */
396 static inline int put_dwords(OHCIState *ohci,
397                              dma_addr_t addr, uint32_t *buf, int num)
398 {
399     int i;
400 
401     addr += ohci->localmem_base;
402 
403     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
404         uint32_t tmp = cpu_to_le32(*buf);
405         if (dma_memory_write(ohci->as, addr,
406                              &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
407             return -1;
408         }
409     }
410 
411     return 0;
412 }
413 
414 /* Get an array of words from main memory */
415 static inline int get_words(OHCIState *ohci,
416                             dma_addr_t addr, uint16_t *buf, int num)
417 {
418     int i;
419 
420     addr += ohci->localmem_base;
421 
422     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
423         if (dma_memory_read(ohci->as, addr,
424                             buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
425             return -1;
426         }
427         *buf = le16_to_cpu(*buf);
428     }
429 
430     return 0;
431 }
432 
433 /* Put an array of words in to main memory */
434 static inline int put_words(OHCIState *ohci,
435                             dma_addr_t addr, uint16_t *buf, int num)
436 {
437     int i;
438 
439     addr += ohci->localmem_base;
440 
441     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
442         uint16_t tmp = cpu_to_le16(*buf);
443         if (dma_memory_write(ohci->as, addr,
444                              &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
445             return -1;
446         }
447     }
448 
449     return 0;
450 }
451 
452 static inline int ohci_read_ed(OHCIState *ohci,
453                                dma_addr_t addr, struct ohci_ed *ed)
454 {
455     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
456 }
457 
458 static inline int ohci_read_td(OHCIState *ohci,
459                                dma_addr_t addr, struct ohci_td *td)
460 {
461     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
462 }
463 
464 static inline int ohci_read_iso_td(OHCIState *ohci,
465                                    dma_addr_t addr, struct ohci_iso_td *td)
466 {
467     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
468            get_words(ohci, addr + 16, td->offset, 8);
469 }
470 
471 static inline int ohci_read_hcca(OHCIState *ohci,
472                                  dma_addr_t addr, struct ohci_hcca *hcca)
473 {
474     return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca,
475                            sizeof(*hcca), MEMTXATTRS_UNSPECIFIED);
476 }
477 
478 static inline int ohci_put_ed(OHCIState *ohci,
479                               dma_addr_t addr, struct ohci_ed *ed)
480 {
481     /*
482      * ed->tail is under control of the HCD.
483      * Since just ed->head is changed by HC, just write back this
484      */
485     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
486                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
487                       ED_WBACK_SIZE >> 2);
488 }
489 
490 static inline int ohci_put_td(OHCIState *ohci,
491                               dma_addr_t addr, struct ohci_td *td)
492 {
493     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
494 }
495 
496 static inline int ohci_put_iso_td(OHCIState *ohci,
497                                   dma_addr_t addr, struct ohci_iso_td *td)
498 {
499     return put_dwords(ohci, addr, (uint32_t *)td, 4) ||
500            put_words(ohci, addr + 16, td->offset, 8);
501 }
502 
503 static inline int ohci_put_hcca(OHCIState *ohci,
504                                 dma_addr_t addr, struct ohci_hcca *hcca)
505 {
506     return dma_memory_write(ohci->as,
507                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
508                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
509                             HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED);
510 }
511 
512 /* Read/Write the contents of a TD from/to main memory.  */
513 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
514                         uint8_t *buf, int len, DMADirection dir)
515 {
516     dma_addr_t ptr, n;
517 
518     ptr = td->cbp;
519     n = 0x1000 - (ptr & 0xfff);
520     if (n > len) {
521         n = len;
522     }
523     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
524                       n, dir, MEMTXATTRS_UNSPECIFIED)) {
525         return -1;
526     }
527     if (n == len) {
528         return 0;
529     }
530     ptr = td->be & ~0xfffu;
531     buf += n;
532     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
533                       len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
534         return -1;
535     }
536     return 0;
537 }
538 
539 /* Read/Write the contents of an ISO TD from/to main memory.  */
540 static int ohci_copy_iso_td(OHCIState *ohci,
541                             uint32_t start_addr, uint32_t end_addr,
542                             uint8_t *buf, int len, DMADirection dir)
543 {
544     dma_addr_t ptr, n;
545 
546     ptr = start_addr;
547     n = 0x1000 - (ptr & 0xfff);
548     if (n > len) {
549         n = len;
550     }
551     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
552                       n, dir, MEMTXATTRS_UNSPECIFIED)) {
553         return -1;
554     }
555     if (n == len) {
556         return 0;
557     }
558     ptr = end_addr & ~0xfffu;
559     buf += n;
560     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
561                       len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
562         return -1;
563     }
564     return 0;
565 }
566 
567 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
568 
569 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
570 {
571     int dir;
572     size_t len = 0;
573     const char *str = NULL;
574     int pid;
575     int ret;
576     int i;
577     USBDevice *dev;
578     USBEndpoint *ep;
579     USBPacket *pkt;
580     uint8_t buf[8192];
581     bool int_req;
582     struct ohci_iso_td iso_td;
583     uint32_t addr;
584     uint16_t starting_frame;
585     int16_t relative_frame_number;
586     int frame_count;
587     uint32_t start_offset, next_offset, end_offset = 0;
588     uint32_t start_addr, end_addr;
589 
590     addr = ed->head & OHCI_DPTR_MASK;
591 
592     if (addr == 0) {
593         ohci_die(ohci);
594         return 1;
595     }
596 
597     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
598         trace_usb_ohci_iso_td_read_failed(addr);
599         ohci_die(ohci);
600         return 1;
601     }
602 
603     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
604     frame_count = OHCI_BM(iso_td.flags, TD_FC);
605     relative_frame_number = USUB(ohci->frame_number, starting_frame);
606 
607     trace_usb_ohci_iso_td_head(
608            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
609            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
610            ohci->frame_number, starting_frame,
611            frame_count, relative_frame_number);
612     trace_usb_ohci_iso_td_head_offset(
613            iso_td.offset[0], iso_td.offset[1],
614            iso_td.offset[2], iso_td.offset[3],
615            iso_td.offset[4], iso_td.offset[5],
616            iso_td.offset[6], iso_td.offset[7]);
617 
618     if (relative_frame_number < 0) {
619         trace_usb_ohci_iso_td_relative_frame_number_neg(relative_frame_number);
620         return 1;
621     } else if (relative_frame_number > frame_count) {
622         /*
623          * ISO TD expired - retire the TD to the Done Queue and continue with
624          * the next ISO TD of the same ED
625          */
626         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
627                                                         frame_count);
628         if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
629             /* avoid infinite loop */
630             return 1;
631         }
632         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
633         ed->head &= ~OHCI_DPTR_MASK;
634         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
635         iso_td.next = ohci->done;
636         ohci->done = addr;
637         i = OHCI_BM(iso_td.flags, TD_DI);
638         if (i < ohci->done_count) {
639             ohci->done_count = i;
640         }
641         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
642             ohci_die(ohci);
643             return 1;
644         }
645         return 0;
646     }
647 
648     dir = OHCI_BM(ed->flags, ED_D);
649     switch (dir) {
650     case OHCI_TD_DIR_IN:
651         str = "in";
652         pid = USB_TOKEN_IN;
653         break;
654     case OHCI_TD_DIR_OUT:
655         str = "out";
656         pid = USB_TOKEN_OUT;
657         break;
658     case OHCI_TD_DIR_SETUP:
659         str = "setup";
660         pid = USB_TOKEN_SETUP;
661         break;
662     default:
663         trace_usb_ohci_iso_td_bad_direction(dir);
664         return 1;
665     }
666 
667     if (!iso_td.bp || !iso_td.be) {
668         trace_usb_ohci_iso_td_bad_bp_be(iso_td.bp, iso_td.be);
669         return 1;
670     }
671 
672     start_offset = iso_td.offset[relative_frame_number];
673     if (relative_frame_number < frame_count) {
674         next_offset = iso_td.offset[relative_frame_number + 1];
675     } else {
676         next_offset = iso_td.be;
677     }
678 
679     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
680         ((relative_frame_number < frame_count) &&
681          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
682         trace_usb_ohci_iso_td_bad_cc_not_accessed(start_offset, next_offset);
683         return 1;
684     }
685 
686     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
687         trace_usb_ohci_iso_td_bad_cc_overrun(start_offset, next_offset);
688         return 1;
689     }
690 
691     if ((start_offset & 0x1000) == 0) {
692         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
693             (start_offset & OHCI_OFFSET_MASK);
694     } else {
695         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
696             (start_offset & OHCI_OFFSET_MASK);
697     }
698 
699     if (relative_frame_number < frame_count) {
700         end_offset = next_offset - 1;
701         if ((end_offset & 0x1000) == 0) {
702             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
703                 (end_offset & OHCI_OFFSET_MASK);
704         } else {
705             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
706                 (end_offset & OHCI_OFFSET_MASK);
707         }
708     } else {
709         /* Last packet in the ISO TD */
710         end_addr = next_offset;
711     }
712 
713     if (start_addr > end_addr) {
714         trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
715         return 1;
716     }
717 
718     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
719         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
720             - (start_addr & OHCI_OFFSET_MASK);
721     } else {
722         len = end_addr - start_addr + 1;
723     }
724     if (len > sizeof(buf)) {
725         len = sizeof(buf);
726     }
727 
728     if (len && dir != OHCI_TD_DIR_IN) {
729         if (ohci_copy_iso_td(ohci, start_addr, end_addr, buf, len,
730                              DMA_DIRECTION_TO_DEVICE)) {
731             ohci_die(ohci);
732             return 1;
733         }
734     }
735 
736     dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
737     if (dev == NULL) {
738         trace_usb_ohci_td_dev_error();
739         return 1;
740     }
741     ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
742     pkt = g_new0(USBPacket, 1);
743     usb_packet_init(pkt);
744     int_req = relative_frame_number == frame_count &&
745               OHCI_BM(iso_td.flags, TD_DI) == 0;
746     usb_packet_setup(pkt, pid, ep, 0, addr, false, int_req);
747     usb_packet_addbuf(pkt, buf, len);
748     usb_handle_packet(dev, pkt);
749     if (pkt->status == USB_RET_ASYNC) {
750         usb_device_flush_ep_queue(dev, ep);
751         g_free(pkt);
752         return 1;
753     }
754     if (pkt->status == USB_RET_SUCCESS) {
755         ret = pkt->actual_length;
756     } else {
757         ret = pkt->status;
758     }
759     g_free(pkt);
760 
761     trace_usb_ohci_iso_td_so(start_offset, end_offset, start_addr, end_addr,
762                              str, len, ret);
763 
764     /* Writeback */
765     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
766         /* IN transfer succeeded */
767         if (ohci_copy_iso_td(ohci, start_addr, end_addr, buf, ret,
768                              DMA_DIRECTION_FROM_DEVICE)) {
769             ohci_die(ohci);
770             return 1;
771         }
772         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
773                     OHCI_CC_NOERROR);
774         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
775     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
776         /* OUT transfer succeeded */
777         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
778                     OHCI_CC_NOERROR);
779         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
780     } else {
781         if (ret > (ssize_t) len) {
782             trace_usb_ohci_iso_td_data_overrun(ret, len);
783             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
784                         OHCI_CC_DATAOVERRUN);
785             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
786                         len);
787         } else if (ret >= 0) {
788             trace_usb_ohci_iso_td_data_underrun(ret);
789             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
790                         OHCI_CC_DATAUNDERRUN);
791         } else {
792             switch (ret) {
793             case USB_RET_IOERROR:
794             case USB_RET_NODEV:
795                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
796                             OHCI_CC_DEVICENOTRESPONDING);
797                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
798                             0);
799                 break;
800             case USB_RET_NAK:
801             case USB_RET_STALL:
802                 trace_usb_ohci_iso_td_nak(ret);
803                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
804                             OHCI_CC_STALL);
805                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
806                             0);
807                 break;
808             default:
809                 trace_usb_ohci_iso_td_bad_response(ret);
810                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
811                             OHCI_CC_UNDEXPETEDPID);
812                 break;
813             }
814         }
815     }
816 
817     if (relative_frame_number == frame_count) {
818         /* Last data packet of ISO TD - retire the TD to the Done Queue */
819         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
820         ed->head &= ~OHCI_DPTR_MASK;
821         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
822         iso_td.next = ohci->done;
823         ohci->done = addr;
824         i = OHCI_BM(iso_td.flags, TD_DI);
825         if (i < ohci->done_count) {
826             ohci->done_count = i;
827         }
828     }
829     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
830         ohci_die(ohci);
831     }
832     return 1;
833 }
834 
835 #define HEX_CHAR_PER_LINE 16
836 
837 static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
838 {
839     bool print16;
840     bool printall;
841     int i;
842     char tmp[3 * HEX_CHAR_PER_LINE + 1];
843     char *p = tmp;
844 
845     print16 = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_SHORT);
846     printall = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_FULL);
847 
848     if (!printall && !print16) {
849         return;
850     }
851 
852     for (i = 0; ; i++) {
853         if (i && (!(i % HEX_CHAR_PER_LINE) || (i == len))) {
854             if (!printall) {
855                 trace_usb_ohci_td_pkt_short(msg, tmp);
856                 break;
857             }
858             trace_usb_ohci_td_pkt_full(msg, tmp);
859             p = tmp;
860             *p = 0;
861         }
862         if (i == len) {
863             break;
864         }
865 
866         p += sprintf(p, " %.2x", buf[i]);
867     }
868 }
869 
870 /*
871  * Service a transport descriptor.
872  * Returns nonzero to terminate processing of this endpoint.
873  */
874 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
875 {
876     int dir;
877     size_t len = 0, pktlen = 0;
878     const char *str = NULL;
879     int pid;
880     int ret;
881     int i;
882     USBDevice *dev;
883     USBEndpoint *ep;
884     struct ohci_td td;
885     uint32_t addr;
886     int flag_r;
887     int completion;
888 
889     addr = ed->head & OHCI_DPTR_MASK;
890     if (addr == 0) {
891         ohci_die(ohci);
892         return 1;
893     }
894 
895     /* See if this TD has already been submitted to the device. */
896     completion = (addr == ohci->async_td);
897     if (completion && !ohci->async_complete) {
898         trace_usb_ohci_td_skip_async();
899         return 1;
900     }
901     if (ohci_read_td(ohci, addr, &td)) {
902         trace_usb_ohci_td_read_error(addr);
903         ohci_die(ohci);
904         return 1;
905     }
906 
907     dir = OHCI_BM(ed->flags, ED_D);
908     switch (dir) {
909     case OHCI_TD_DIR_OUT:
910     case OHCI_TD_DIR_IN:
911         /* Same value. */
912         break;
913     default:
914         dir = OHCI_BM(td.flags, TD_DP);
915         break;
916     }
917 
918     switch (dir) {
919     case OHCI_TD_DIR_IN:
920         str = "in";
921         pid = USB_TOKEN_IN;
922         break;
923     case OHCI_TD_DIR_OUT:
924         str = "out";
925         pid = USB_TOKEN_OUT;
926         break;
927     case OHCI_TD_DIR_SETUP:
928         str = "setup";
929         pid = USB_TOKEN_SETUP;
930         break;
931     default:
932         trace_usb_ohci_td_bad_direction(dir);
933         return 1;
934     }
935     if (td.cbp && td.be) {
936         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
937             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
938         } else {
939             if (td.cbp > td.be) {
940                 trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
941                 ohci_die(ohci);
942                 return 1;
943             }
944             len = (td.be - td.cbp) + 1;
945         }
946         if (len > sizeof(ohci->usb_buf)) {
947             len = sizeof(ohci->usb_buf);
948         }
949 
950         pktlen = len;
951         if (len && dir != OHCI_TD_DIR_IN) {
952             /* The endpoint may not allow us to transfer it all now */
953             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
954             if (pktlen > len) {
955                 pktlen = len;
956             }
957             if (!completion) {
958                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
959                                  DMA_DIRECTION_TO_DEVICE)) {
960                     ohci_die(ohci);
961                 }
962             }
963         }
964     }
965 
966     flag_r = (td.flags & OHCI_TD_R) != 0;
967     trace_usb_ohci_td_pkt_hdr(addr, (int64_t)pktlen, (int64_t)len, str,
968                               flag_r, td.cbp, td.be);
969     ohci_td_pkt("OUT", ohci->usb_buf, pktlen);
970 
971     if (completion) {
972         ohci->async_td = 0;
973         ohci->async_complete = false;
974     } else {
975         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
976         if (dev == NULL) {
977             trace_usb_ohci_td_dev_error();
978             return 1;
979         }
980         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
981         if (ohci->async_td) {
982             /*
983              * ??? The hardware should allow one active packet per
984              * endpoint.  We only allow one active packet per controller.
985              * This should be sufficient as long as devices respond in a
986              * timely manner.
987              */
988             trace_usb_ohci_td_too_many_pending(ep->nr);
989             return 1;
990         }
991         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
992                          OHCI_BM(td.flags, TD_DI) == 0);
993         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
994         usb_handle_packet(dev, &ohci->usb_packet);
995         trace_usb_ohci_td_packet_status(ohci->usb_packet.status);
996 
997         if (ohci->usb_packet.status == USB_RET_ASYNC) {
998             usb_device_flush_ep_queue(dev, ep);
999             ohci->async_td = addr;
1000             return 1;
1001         }
1002     }
1003     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1004         ret = ohci->usb_packet.actual_length;
1005     } else {
1006         ret = ohci->usb_packet.status;
1007     }
1008 
1009     if (ret >= 0) {
1010         if (dir == OHCI_TD_DIR_IN) {
1011             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1012                              DMA_DIRECTION_FROM_DEVICE)) {
1013                 ohci_die(ohci);
1014             }
1015             ohci_td_pkt("IN", ohci->usb_buf, pktlen);
1016         } else {
1017             ret = pktlen;
1018         }
1019     }
1020 
1021     /* Writeback */
1022     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1023         /* Transmission succeeded. */
1024         if (ret == len) {
1025             td.cbp = 0;
1026         } else {
1027             if ((td.cbp & 0xfff) + ret > 0xfff) {
1028                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1029             } else {
1030                 td.cbp += ret;
1031             }
1032         }
1033         td.flags |= OHCI_TD_T1;
1034         td.flags ^= OHCI_TD_T0;
1035         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1036         OHCI_SET_BM(td.flags, TD_EC, 0);
1037 
1038         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1039             /* Partial packet transfer: TD not ready to retire yet */
1040             goto exit_no_retire;
1041         }
1042 
1043         /* Setting ED_C is part of the TD retirement process */
1044         ed->head &= ~OHCI_ED_C;
1045         if (td.flags & OHCI_TD_T0) {
1046             ed->head |= OHCI_ED_C;
1047         }
1048     } else {
1049         if (ret >= 0) {
1050             trace_usb_ohci_td_underrun();
1051             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1052         } else {
1053             switch (ret) {
1054             case USB_RET_IOERROR:
1055             case USB_RET_NODEV:
1056                 trace_usb_ohci_td_dev_error();
1057                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1058                 break;
1059             case USB_RET_NAK:
1060                 trace_usb_ohci_td_nak();
1061                 return 1;
1062             case USB_RET_STALL:
1063                 trace_usb_ohci_td_stall();
1064                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1065                 break;
1066             case USB_RET_BABBLE:
1067                 trace_usb_ohci_td_babble();
1068                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1069                 break;
1070             default:
1071                 trace_usb_ohci_td_bad_device_response(ret);
1072                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1073                 OHCI_SET_BM(td.flags, TD_EC, 3);
1074                 break;
1075             }
1076             /*
1077              * An error occurred so we have to clear the interrupt counter.
1078              * See spec at 6.4.4 on page 104
1079              */
1080             ohci->done_count = 0;
1081         }
1082         ed->head |= OHCI_ED_H;
1083     }
1084 
1085     /* Retire this TD */
1086     ed->head &= ~OHCI_DPTR_MASK;
1087     ed->head |= td.next & OHCI_DPTR_MASK;
1088     td.next = ohci->done;
1089     ohci->done = addr;
1090     i = OHCI_BM(td.flags, TD_DI);
1091     if (i < ohci->done_count) {
1092         ohci->done_count = i;
1093     }
1094 exit_no_retire:
1095     if (ohci_put_td(ohci, addr, &td)) {
1096         ohci_die(ohci);
1097         return 1;
1098     }
1099     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1100 }
1101 
1102 /* Service an endpoint list.  Returns nonzero if active TD were found. */
1103 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head)
1104 {
1105     struct ohci_ed ed;
1106     uint32_t next_ed;
1107     uint32_t cur;
1108     int active;
1109     uint32_t link_cnt = 0;
1110     active = 0;
1111 
1112     if (head == 0) {
1113         return 0;
1114     }
1115     for (cur = head; cur && link_cnt++ < ED_LINK_LIMIT; cur = next_ed) {
1116         if (ohci_read_ed(ohci, cur, &ed)) {
1117             trace_usb_ohci_ed_read_error(cur);
1118             ohci_die(ohci);
1119             return 0;
1120         }
1121 
1122         next_ed = ed.next & OHCI_DPTR_MASK;
1123 
1124         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1125             uint32_t addr;
1126             /* Cancel pending packets for ED that have been paused. */
1127             addr = ed.head & OHCI_DPTR_MASK;
1128             if (ohci->async_td && addr == ohci->async_td) {
1129                 usb_cancel_packet(&ohci->usb_packet);
1130                 ohci->async_td = 0;
1131                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1132                                       ohci->usb_packet.ep);
1133             }
1134             continue;
1135         }
1136 
1137         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1138             trace_usb_ohci_ed_pkt(cur, (ed.head & OHCI_ED_H) != 0,
1139                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1140                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1141             trace_usb_ohci_ed_pkt_flags(
1142                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1143                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S) != 0,
1144                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1145                     OHCI_BM(ed.flags, ED_MPS));
1146 
1147             active = 1;
1148 
1149             if ((ed.flags & OHCI_ED_F) == 0) {
1150                 if (ohci_service_td(ohci, &ed)) {
1151                     break;
1152                 }
1153             } else {
1154                 /* Handle isochronous endpoints */
1155                 if (ohci_service_iso_td(ohci, &ed)) {
1156                     break;
1157                 }
1158             }
1159         }
1160 
1161         if (ohci_put_ed(ohci, cur, &ed)) {
1162             ohci_die(ohci);
1163             return 0;
1164         }
1165     }
1166 
1167     return active;
1168 }
1169 
1170 /* set a timer for EOF */
1171 static void ohci_eof_timer(OHCIState *ohci)
1172 {
1173     timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1174 }
1175 /* Set a timer for EOF and generate a SOF event */
1176 static void ohci_sof(OHCIState *ohci)
1177 {
1178     ohci->sof_time += usb_frame_time;
1179     ohci_eof_timer(ohci);
1180     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1181 }
1182 
1183 /* Process Control and Bulk lists. */
1184 static void ohci_process_lists(OHCIState *ohci)
1185 {
1186     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1187         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1188             trace_usb_ohci_process_lists(ohci->ctrl_head, ohci->ctrl_cur);
1189         }
1190         if (!ohci_service_ed_list(ohci, ohci->ctrl_head)) {
1191             ohci->ctrl_cur = 0;
1192             ohci->status &= ~OHCI_STATUS_CLF;
1193         }
1194     }
1195 
1196     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1197         if (!ohci_service_ed_list(ohci, ohci->bulk_head)) {
1198             ohci->bulk_cur = 0;
1199             ohci->status &= ~OHCI_STATUS_BLF;
1200         }
1201     }
1202 }
1203 
1204 /* Do frame processing on frame boundary */
1205 static void ohci_frame_boundary(void *opaque)
1206 {
1207     OHCIState *ohci = opaque;
1208     struct ohci_hcca hcca;
1209 
1210     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1211         trace_usb_ohci_hcca_read_error(ohci->hcca);
1212         ohci_die(ohci);
1213         return;
1214     }
1215 
1216     /* Process all the lists at the end of the frame */
1217     if (ohci->ctl & OHCI_CTL_PLE) {
1218         int n;
1219 
1220         n = ohci->frame_number & 0x1f;
1221         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]));
1222     }
1223 
1224     /* Cancel all pending packets if either of the lists has been disabled. */
1225     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1226         ohci_stop_endpoints(ohci);
1227     }
1228     ohci->old_ctl = ohci->ctl;
1229     ohci_process_lists(ohci);
1230 
1231     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1232     if (ohci->intr_status & OHCI_INTR_UE) {
1233         return;
1234     }
1235 
1236     /* Frame boundary, so do EOF stuf here */
1237     ohci->frt = ohci->fit;
1238 
1239     /* Increment frame number and take care of endianness. */
1240     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1241     hcca.frame = cpu_to_le16(ohci->frame_number);
1242 
1243     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1244         if (!ohci->done) {
1245             abort();
1246         }
1247         if (ohci->intr & ohci->intr_status) {
1248             ohci->done |= 1;
1249         }
1250         hcca.done = cpu_to_le32(ohci->done);
1251         ohci->done = 0;
1252         ohci->done_count = 7;
1253         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1254     }
1255 
1256     if (ohci->done_count != 7 && ohci->done_count != 0) {
1257         ohci->done_count--;
1258     }
1259     /* Do SOF stuff here */
1260     ohci_sof(ohci);
1261 
1262     /* Writeback HCCA */
1263     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1264         ohci_die(ohci);
1265     }
1266 }
1267 
1268 /*
1269  * Start sending SOF tokens across the USB bus, lists are processed in
1270  * next frame
1271  */
1272 static int ohci_bus_start(OHCIState *ohci)
1273 {
1274     trace_usb_ohci_start(ohci->name);
1275     /*
1276      * Delay the first SOF event by one frame time as linux driver is
1277      * not ready to receive it and can meet some race conditions
1278      */
1279     ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1280     ohci_eof_timer(ohci);
1281 
1282     return 1;
1283 }
1284 
1285 /* Stop sending SOF tokens on the bus */
1286 void ohci_bus_stop(OHCIState *ohci)
1287 {
1288     trace_usb_ohci_stop(ohci->name);
1289     timer_del(ohci->eof_timer);
1290 }
1291 
1292 /* Frame interval toggle is manipulated by the hcd only */
1293 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1294 {
1295     val &= OHCI_FMI_FI;
1296 
1297     if (val != ohci->fi) {
1298         trace_usb_ohci_set_frame_interval(ohci->name, ohci->fi, ohci->fi);
1299     }
1300 
1301     ohci->fi = val;
1302 }
1303 
1304 static void ohci_port_power(OHCIState *ohci, int i, int p)
1305 {
1306     if (p) {
1307         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1308     } else {
1309         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS | OHCI_PORT_CCS |
1310                                   OHCI_PORT_PSS | OHCI_PORT_PRS);
1311     }
1312 }
1313 
1314 /* Set HcControlRegister */
1315 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1316 {
1317     uint32_t old_state;
1318     uint32_t new_state;
1319 
1320     old_state = ohci->ctl & OHCI_CTL_HCFS;
1321     ohci->ctl = val;
1322     new_state = ohci->ctl & OHCI_CTL_HCFS;
1323 
1324     /* no state change */
1325     if (old_state == new_state) {
1326         return;
1327     }
1328     trace_usb_ohci_set_ctl(ohci->name, new_state);
1329     switch (new_state) {
1330     case OHCI_USB_OPERATIONAL:
1331         ohci_bus_start(ohci);
1332         break;
1333     case OHCI_USB_SUSPEND:
1334         ohci_bus_stop(ohci);
1335         /* clear pending SF otherwise linux driver loops in ohci_irq() */
1336         ohci->intr_status &= ~OHCI_INTR_SF;
1337         ohci_intr_update(ohci);
1338         break;
1339     case OHCI_USB_RESUME:
1340         trace_usb_ohci_resume(ohci->name);
1341         break;
1342     case OHCI_USB_RESET:
1343         ohci_roothub_reset(ohci);
1344         break;
1345     }
1346 }
1347 
1348 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1349 {
1350     uint16_t fr;
1351     int64_t tks;
1352 
1353     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL) {
1354         return ohci->frt << 31;
1355     }
1356     /* Being in USB operational state guarnatees sof_time was set already. */
1357     tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1358     if (tks < 0) {
1359         tks = 0;
1360     }
1361 
1362     /* avoid muldiv if possible */
1363     if (tks >= usb_frame_time) {
1364         return ohci->frt << 31;
1365     }
1366     tks = tks / usb_bit_time;
1367     fr = (uint16_t)(ohci->fi - tks);
1368 
1369     return (ohci->frt << 31) | fr;
1370 }
1371 
1372 
1373 /* Set root hub status */
1374 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1375 {
1376     uint32_t old_state;
1377 
1378     old_state = ohci->rhstatus;
1379 
1380     /* write 1 to clear OCIC */
1381     if (val & OHCI_RHS_OCIC) {
1382         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1383     }
1384     if (val & OHCI_RHS_LPS) {
1385         int i;
1386 
1387         for (i = 0; i < ohci->num_ports; i++) {
1388             ohci_port_power(ohci, i, 0);
1389         }
1390         trace_usb_ohci_hub_power_down();
1391     }
1392 
1393     if (val & OHCI_RHS_LPSC) {
1394         int i;
1395 
1396         for (i = 0; i < ohci->num_ports; i++) {
1397             ohci_port_power(ohci, i, 1);
1398         }
1399         trace_usb_ohci_hub_power_up();
1400     }
1401 
1402     if (val & OHCI_RHS_DRWE) {
1403         ohci->rhstatus |= OHCI_RHS_DRWE;
1404     }
1405     if (val & OHCI_RHS_CRWE) {
1406         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1407     }
1408     if (old_state != ohci->rhstatus) {
1409         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1410     }
1411 }
1412 
1413 /*
1414  * Sets a flag in a port status reg but only set it if the port is connected.
1415  * If not set ConnectStatusChange flag. If flag is enabled return 1.
1416  */
1417 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1418 {
1419     int ret = 1;
1420 
1421     /* writing a 0 has no effect */
1422     if (val == 0) {
1423         return 0;
1424     }
1425     /* If CurrentConnectStatus is cleared we set ConnectStatusChange */
1426     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1427         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1428         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1429             /* TODO: CSC is a wakeup event */
1430         }
1431         return 0;
1432     }
1433 
1434     if (ohci->rhport[i].ctrl & val) {
1435         ret = 0;
1436     }
1437     /* set the bit */
1438     ohci->rhport[i].ctrl |= val;
1439 
1440     return ret;
1441 }
1442 
1443 /* Set root hub port status */
1444 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1445 {
1446     uint32_t old_state;
1447     OHCIPort *port;
1448 
1449     port = &ohci->rhport[portnum];
1450     old_state = port->ctrl;
1451 
1452     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1453     if (val & OHCI_PORT_WTC) {
1454         port->ctrl &= ~(val & OHCI_PORT_WTC);
1455     }
1456     if (val & OHCI_PORT_CCS) {
1457         port->ctrl &= ~OHCI_PORT_PES;
1458     }
1459     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1460 
1461     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1462         trace_usb_ohci_port_suspend(portnum);
1463     }
1464 
1465     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1466         trace_usb_ohci_port_reset(portnum);
1467         usb_device_reset(port->port.dev);
1468         port->ctrl &= ~OHCI_PORT_PRS;
1469         /* ??? Should this also set OHCI_PORT_PESC. */
1470         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1471     }
1472 
1473     /* Invert order here to ensure in ambiguous case, device is powered up. */
1474     if (val & OHCI_PORT_LSDA) {
1475         ohci_port_power(ohci, portnum, 0);
1476     }
1477     if (val & OHCI_PORT_PPS) {
1478         ohci_port_power(ohci, portnum, 1);
1479     }
1480     if (old_state != port->ctrl) {
1481         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1482     }
1483 }
1484 
1485 static uint64_t ohci_mem_read(void *opaque,
1486                               hwaddr addr,
1487                               unsigned size)
1488 {
1489     OHCIState *ohci = opaque;
1490     uint32_t retval;
1491 
1492     /* Only aligned reads are allowed on OHCI */
1493     if (addr & 3) {
1494         trace_usb_ohci_mem_read_unaligned(addr);
1495         return 0xffffffff;
1496     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1497         /* HcRhPortStatus */
1498         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1499         trace_usb_ohci_mem_port_read(size, "HcRhPortStatus", (addr - 0x50) >> 2,
1500                                      addr, addr >> 2, retval);
1501     } else {
1502         switch (addr >> 2) {
1503         case 0: /* HcRevision */
1504             retval = 0x10;
1505             break;
1506 
1507         case 1: /* HcControl */
1508             retval = ohci->ctl;
1509             break;
1510 
1511         case 2: /* HcCommandStatus */
1512             retval = ohci->status;
1513             break;
1514 
1515         case 3: /* HcInterruptStatus */
1516             retval = ohci->intr_status;
1517             break;
1518 
1519         case 4: /* HcInterruptEnable */
1520         case 5: /* HcInterruptDisable */
1521             retval = ohci->intr;
1522             break;
1523 
1524         case 6: /* HcHCCA */
1525             retval = ohci->hcca;
1526             break;
1527 
1528         case 7: /* HcPeriodCurrentED */
1529             retval = ohci->per_cur;
1530             break;
1531 
1532         case 8: /* HcControlHeadED */
1533             retval = ohci->ctrl_head;
1534             break;
1535 
1536         case 9: /* HcControlCurrentED */
1537             retval = ohci->ctrl_cur;
1538             break;
1539 
1540         case 10: /* HcBulkHeadED */
1541             retval = ohci->bulk_head;
1542             break;
1543 
1544         case 11: /* HcBulkCurrentED */
1545             retval = ohci->bulk_cur;
1546             break;
1547 
1548         case 12: /* HcDoneHead */
1549             retval = ohci->done;
1550             break;
1551 
1552         case 13: /* HcFmInterretval */
1553             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1554             break;
1555 
1556         case 14: /* HcFmRemaining */
1557             retval = ohci_get_frame_remaining(ohci);
1558             break;
1559 
1560         case 15: /* HcFmNumber */
1561             retval = ohci->frame_number;
1562             break;
1563 
1564         case 16: /* HcPeriodicStart */
1565             retval = ohci->pstart;
1566             break;
1567 
1568         case 17: /* HcLSThreshold */
1569             retval = ohci->lst;
1570             break;
1571 
1572         case 18: /* HcRhDescriptorA */
1573             retval = ohci->rhdesc_a;
1574             break;
1575 
1576         case 19: /* HcRhDescriptorB */
1577             retval = ohci->rhdesc_b;
1578             break;
1579 
1580         case 20: /* HcRhStatus */
1581             retval = ohci->rhstatus;
1582             break;
1583 
1584         /* PXA27x specific registers */
1585         case 24: /* HcStatus */
1586             retval = ohci->hstatus & ohci->hmask;
1587             break;
1588 
1589         case 25: /* HcHReset */
1590             retval = ohci->hreset;
1591             break;
1592 
1593         case 26: /* HcHInterruptEnable */
1594             retval = ohci->hmask;
1595             break;
1596 
1597         case 27: /* HcHInterruptTest */
1598             retval = ohci->htest;
1599             break;
1600 
1601         default:
1602             trace_usb_ohci_mem_read_bad_offset(addr);
1603             retval = 0xffffffff;
1604         }
1605         if (addr != 0xc || retval) {
1606             trace_usb_ohci_mem_read(size, ohci_reg_name(addr), addr, addr >> 2,
1607                                     retval);
1608         }
1609     }
1610 
1611     return retval;
1612 }
1613 
1614 static void ohci_mem_write(void *opaque,
1615                            hwaddr addr,
1616                            uint64_t val,
1617                            unsigned size)
1618 {
1619     OHCIState *ohci = opaque;
1620 
1621     /* Only aligned reads are allowed on OHCI */
1622     if (addr & 3) {
1623         trace_usb_ohci_mem_write_unaligned(addr);
1624         return;
1625     }
1626 
1627     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1628         /* HcRhPortStatus */
1629         trace_usb_ohci_mem_port_write(size, "HcRhPortStatus",
1630                                       (addr - 0x50) >> 2, addr, addr >> 2, val);
1631         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1632         return;
1633     }
1634 
1635     trace_usb_ohci_mem_write(size, ohci_reg_name(addr), addr, addr >> 2, val);
1636     switch (addr >> 2) {
1637     case 1: /* HcControl */
1638         ohci_set_ctl(ohci, val);
1639         break;
1640 
1641     case 2: /* HcCommandStatus */
1642         /* SOC is read-only */
1643         val = (val & ~OHCI_STATUS_SOC);
1644 
1645         /* Bits written as '0' remain unchanged in the register */
1646         ohci->status |= val;
1647 
1648         if (ohci->status & OHCI_STATUS_HCR) {
1649             ohci_soft_reset(ohci);
1650         }
1651         break;
1652 
1653     case 3: /* HcInterruptStatus */
1654         ohci->intr_status &= ~val;
1655         ohci_intr_update(ohci);
1656         break;
1657 
1658     case 4: /* HcInterruptEnable */
1659         ohci->intr |= val;
1660         ohci_intr_update(ohci);
1661         break;
1662 
1663     case 5: /* HcInterruptDisable */
1664         ohci->intr &= ~val;
1665         ohci_intr_update(ohci);
1666         break;
1667 
1668     case 6: /* HcHCCA */
1669         ohci->hcca = val & OHCI_HCCA_MASK;
1670         break;
1671 
1672     case 7: /* HcPeriodCurrentED */
1673         /* Ignore writes to this read-only register, Linux does them */
1674         break;
1675 
1676     case 8: /* HcControlHeadED */
1677         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1678         break;
1679 
1680     case 9: /* HcControlCurrentED */
1681         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1682         break;
1683 
1684     case 10: /* HcBulkHeadED */
1685         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1686         break;
1687 
1688     case 11: /* HcBulkCurrentED */
1689         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1690         break;
1691 
1692     case 13: /* HcFmInterval */
1693         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1694         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1695         ohci_set_frame_interval(ohci, val);
1696         break;
1697 
1698     case 15: /* HcFmNumber */
1699         break;
1700 
1701     case 16: /* HcPeriodicStart */
1702         ohci->pstart = val & 0xffff;
1703         break;
1704 
1705     case 17: /* HcLSThreshold */
1706         ohci->lst = val & 0xffff;
1707         break;
1708 
1709     case 18: /* HcRhDescriptorA */
1710         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1711         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1712         break;
1713 
1714     case 19: /* HcRhDescriptorB */
1715         break;
1716 
1717     case 20: /* HcRhStatus */
1718         ohci_set_hub_status(ohci, val);
1719         break;
1720 
1721     /* PXA27x specific registers */
1722     case 24: /* HcStatus */
1723         ohci->hstatus &= ~(val & ohci->hmask);
1724         break;
1725 
1726     case 25: /* HcHReset */
1727         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1728         if (val & OHCI_HRESET_FSBIR) {
1729             ohci_hard_reset(ohci);
1730         }
1731         break;
1732 
1733     case 26: /* HcHInterruptEnable */
1734         ohci->hmask = val;
1735         break;
1736 
1737     case 27: /* HcHInterruptTest */
1738         ohci->htest = val;
1739         break;
1740 
1741     default:
1742         trace_usb_ohci_mem_write_bad_offset(addr);
1743         break;
1744     }
1745 }
1746 
1747 static const MemoryRegionOps ohci_mem_ops = {
1748     .read = ohci_mem_read,
1749     .write = ohci_mem_write,
1750     .endianness = DEVICE_LITTLE_ENDIAN,
1751 };
1752 
1753 /* USBPortOps */
1754 static void ohci_attach(USBPort *port1)
1755 {
1756     OHCIState *s = port1->opaque;
1757     OHCIPort *port = &s->rhport[port1->index];
1758     uint32_t old_state = port->ctrl;
1759 
1760     /* set connect status */
1761     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
1762 
1763     /* update speed */
1764     if (port->port.dev->speed == USB_SPEED_LOW) {
1765         port->ctrl |= OHCI_PORT_LSDA;
1766     } else {
1767         port->ctrl &= ~OHCI_PORT_LSDA;
1768     }
1769 
1770     /* notify of remote-wakeup */
1771     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
1772         ohci_set_interrupt(s, OHCI_INTR_RD);
1773     }
1774 
1775     trace_usb_ohci_port_attach(port1->index);
1776 
1777     if (old_state != port->ctrl) {
1778         ohci_set_interrupt(s, OHCI_INTR_RHSC);
1779     }
1780 }
1781 
1782 static void ohci_child_detach(USBPort *port1, USBDevice *dev)
1783 {
1784     OHCIState *ohci = port1->opaque;
1785 
1786     if (ohci->async_td &&
1787         usb_packet_is_inflight(&ohci->usb_packet) &&
1788         ohci->usb_packet.ep->dev == dev) {
1789         usb_cancel_packet(&ohci->usb_packet);
1790         ohci->async_td = 0;
1791     }
1792 }
1793 
1794 static void ohci_detach(USBPort *port1)
1795 {
1796     OHCIState *s = port1->opaque;
1797     OHCIPort *port = &s->rhport[port1->index];
1798     uint32_t old_state = port->ctrl;
1799 
1800     ohci_child_detach(port1, port1->dev);
1801 
1802     /* set connect status */
1803     if (port->ctrl & OHCI_PORT_CCS) {
1804         port->ctrl &= ~OHCI_PORT_CCS;
1805         port->ctrl |= OHCI_PORT_CSC;
1806     }
1807     /* disable port */
1808     if (port->ctrl & OHCI_PORT_PES) {
1809         port->ctrl &= ~OHCI_PORT_PES;
1810         port->ctrl |= OHCI_PORT_PESC;
1811     }
1812     trace_usb_ohci_port_detach(port1->index);
1813 
1814     if (old_state != port->ctrl) {
1815         ohci_set_interrupt(s, OHCI_INTR_RHSC);
1816     }
1817 }
1818 
1819 static void ohci_wakeup(USBPort *port1)
1820 {
1821     OHCIState *s = port1->opaque;
1822     OHCIPort *port = &s->rhport[port1->index];
1823     uint32_t intr = 0;
1824     if (port->ctrl & OHCI_PORT_PSS) {
1825         trace_usb_ohci_port_wakeup(port1->index);
1826         port->ctrl |= OHCI_PORT_PSSC;
1827         port->ctrl &= ~OHCI_PORT_PSS;
1828         intr = OHCI_INTR_RHSC;
1829     }
1830     /* Note that the controller can be suspended even if this port is not */
1831     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
1832         trace_usb_ohci_remote_wakeup(s->name);
1833         /* This is the one state transition the controller can do by itself */
1834         s->ctl &= ~OHCI_CTL_HCFS;
1835         s->ctl |= OHCI_USB_RESUME;
1836         /*
1837          * In suspend mode only ResumeDetected is possible, not RHSC:
1838          * see the OHCI spec 5.1.2.3.
1839          */
1840         intr = OHCI_INTR_RD;
1841     }
1842     ohci_set_interrupt(s, intr);
1843 }
1844 
1845 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
1846 {
1847     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
1848 
1849     trace_usb_ohci_async_complete();
1850     ohci->async_complete = true;
1851     ohci_process_lists(ohci);
1852 }
1853 
1854 static USBPortOps ohci_port_ops = {
1855     .attach = ohci_attach,
1856     .detach = ohci_detach,
1857     .child_detach = ohci_child_detach,
1858     .wakeup = ohci_wakeup,
1859     .complete = ohci_async_complete_packet,
1860 };
1861 
1862 static USBBusOps ohci_bus_ops = {
1863 };
1864 
1865 void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
1866                    dma_addr_t localmem_base, char *masterbus,
1867                    uint32_t firstport, AddressSpace *as,
1868                    void (*ohci_die_fn)(OHCIState *), Error **errp)
1869 {
1870     Error *err = NULL;
1871     int i;
1872 
1873     ohci->as = as;
1874     ohci->ohci_die = ohci_die_fn;
1875 
1876     if (num_ports > OHCI_MAX_PORTS) {
1877         error_setg(errp, "OHCI num-ports=%u is too big (limit is %u ports)",
1878                    num_ports, OHCI_MAX_PORTS);
1879         return;
1880     }
1881 
1882     if (usb_frame_time == 0) {
1883 #ifdef OHCI_TIME_WARP
1884         usb_frame_time = NANOSECONDS_PER_SECOND;
1885         usb_bit_time = NANOSECONDS_PER_SECOND / (USB_HZ / 1000);
1886 #else
1887         usb_frame_time = NANOSECONDS_PER_SECOND / 1000;
1888         if (NANOSECONDS_PER_SECOND >= USB_HZ) {
1889             usb_bit_time = NANOSECONDS_PER_SECOND / USB_HZ;
1890         } else {
1891             usb_bit_time = 1;
1892         }
1893 #endif
1894         trace_usb_ohci_init_time(usb_frame_time, usb_bit_time);
1895     }
1896 
1897     ohci->num_ports = num_ports;
1898     if (masterbus) {
1899         USBPort *ports[OHCI_MAX_PORTS];
1900         for (i = 0; i < num_ports; i++) {
1901             ports[i] = &ohci->rhport[i].port;
1902         }
1903         usb_register_companion(masterbus, ports, num_ports,
1904                                firstport, ohci, &ohci_port_ops,
1905                                USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL,
1906                                &err);
1907         if (err) {
1908             error_propagate(errp, err);
1909             return;
1910         }
1911     } else {
1912         usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1913         for (i = 0; i < num_ports; i++) {
1914             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1915                               ohci, i, &ohci_port_ops,
1916                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1917         }
1918     }
1919 
1920     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1921                           ohci, "ohci", 256);
1922     ohci->localmem_base = localmem_base;
1923 
1924     ohci->name = object_get_typename(OBJECT(dev));
1925     usb_packet_init(&ohci->usb_packet);
1926 
1927     ohci->async_td = 0;
1928 
1929     ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1930                                    ohci_frame_boundary, ohci);
1931 }
1932 
1933 /*
1934  * A typical OHCI will stop operating and set itself into error state
1935  * (which can be queried by MMIO) to signal that it got an error.
1936  */
1937 void ohci_sysbus_die(struct OHCIState *ohci)
1938 {
1939     trace_usb_ohci_die();
1940 
1941     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1942     ohci_bus_stop(ohci);
1943 }
1944 
1945 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
1946 {
1947     OHCISysBusState *s = SYSBUS_OHCI(dev);
1948     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1949     Error *err = NULL;
1950 
1951     usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset,
1952                   s->masterbus, s->firstport,
1953                   &address_space_memory, ohci_sysbus_die, &err);
1954     if (err) {
1955         error_propagate(errp, err);
1956         return;
1957     }
1958     sysbus_init_irq(sbd, &s->ohci.irq);
1959     sysbus_init_mmio(sbd, &s->ohci.mem);
1960 }
1961 
1962 static void usb_ohci_reset_sysbus(DeviceState *dev)
1963 {
1964     OHCISysBusState *s = SYSBUS_OHCI(dev);
1965     OHCIState *ohci = &s->ohci;
1966 
1967     ohci_hard_reset(ohci);
1968 }
1969 
1970 static const VMStateDescription vmstate_ohci_state_port = {
1971     .name = "ohci-core/port",
1972     .version_id = 1,
1973     .minimum_version_id = 1,
1974     .fields = (VMStateField[]) {
1975         VMSTATE_UINT32(ctrl, OHCIPort),
1976         VMSTATE_END_OF_LIST()
1977     },
1978 };
1979 
1980 static bool ohci_eof_timer_needed(void *opaque)
1981 {
1982     OHCIState *ohci = opaque;
1983 
1984     return timer_pending(ohci->eof_timer);
1985 }
1986 
1987 static const VMStateDescription vmstate_ohci_eof_timer = {
1988     .name = "ohci-core/eof-timer",
1989     .version_id = 1,
1990     .minimum_version_id = 1,
1991     .needed = ohci_eof_timer_needed,
1992     .fields = (VMStateField[]) {
1993         VMSTATE_TIMER_PTR(eof_timer, OHCIState),
1994         VMSTATE_END_OF_LIST()
1995     },
1996 };
1997 
1998 const VMStateDescription vmstate_ohci_state = {
1999     .name = "ohci-core",
2000     .version_id = 1,
2001     .minimum_version_id = 1,
2002     .fields = (VMStateField[]) {
2003         VMSTATE_INT64(sof_time, OHCIState),
2004         VMSTATE_UINT32(ctl, OHCIState),
2005         VMSTATE_UINT32(status, OHCIState),
2006         VMSTATE_UINT32(intr_status, OHCIState),
2007         VMSTATE_UINT32(intr, OHCIState),
2008         VMSTATE_UINT32(hcca, OHCIState),
2009         VMSTATE_UINT32(ctrl_head, OHCIState),
2010         VMSTATE_UINT32(ctrl_cur, OHCIState),
2011         VMSTATE_UINT32(bulk_head, OHCIState),
2012         VMSTATE_UINT32(bulk_cur, OHCIState),
2013         VMSTATE_UINT32(per_cur, OHCIState),
2014         VMSTATE_UINT32(done, OHCIState),
2015         VMSTATE_INT32(done_count, OHCIState),
2016         VMSTATE_UINT16(fsmps, OHCIState),
2017         VMSTATE_UINT8(fit, OHCIState),
2018         VMSTATE_UINT16(fi, OHCIState),
2019         VMSTATE_UINT8(frt, OHCIState),
2020         VMSTATE_UINT16(frame_number, OHCIState),
2021         VMSTATE_UINT16(padding, OHCIState),
2022         VMSTATE_UINT32(pstart, OHCIState),
2023         VMSTATE_UINT32(lst, OHCIState),
2024         VMSTATE_UINT32(rhdesc_a, OHCIState),
2025         VMSTATE_UINT32(rhdesc_b, OHCIState),
2026         VMSTATE_UINT32(rhstatus, OHCIState),
2027         VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
2028                              vmstate_ohci_state_port, OHCIPort),
2029         VMSTATE_UINT32(hstatus, OHCIState),
2030         VMSTATE_UINT32(hmask, OHCIState),
2031         VMSTATE_UINT32(hreset, OHCIState),
2032         VMSTATE_UINT32(htest, OHCIState),
2033         VMSTATE_UINT32(old_ctl, OHCIState),
2034         VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
2035         VMSTATE_UINT32(async_td, OHCIState),
2036         VMSTATE_BOOL(async_complete, OHCIState),
2037         VMSTATE_END_OF_LIST()
2038     },
2039     .subsections = (const VMStateDescription*[]) {
2040         &vmstate_ohci_eof_timer,
2041         NULL
2042     }
2043 };
2044 
2045 static Property ohci_sysbus_properties[] = {
2046     DEFINE_PROP_STRING("masterbus", OHCISysBusState, masterbus),
2047     DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
2048     DEFINE_PROP_UINT32("firstport", OHCISysBusState, firstport, 0),
2049     DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 0),
2050     DEFINE_PROP_END_OF_LIST(),
2051 };
2052 
2053 static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
2054 {
2055     DeviceClass *dc = DEVICE_CLASS(klass);
2056 
2057     dc->realize = ohci_realize_pxa;
2058     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2059     dc->desc = "OHCI USB Controller";
2060     device_class_set_props(dc, ohci_sysbus_properties);
2061     dc->reset = usb_ohci_reset_sysbus;
2062 }
2063 
2064 static const TypeInfo ohci_sysbus_info = {
2065     .name          = TYPE_SYSBUS_OHCI,
2066     .parent        = TYPE_SYS_BUS_DEVICE,
2067     .instance_size = sizeof(OHCISysBusState),
2068     .class_init    = ohci_sysbus_class_init,
2069 };
2070 
2071 static void ohci_register_types(void)
2072 {
2073     type_register_static(&ohci_sysbus_info);
2074 }
2075 
2076 type_init(ohci_register_types)
2077