xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision ae3c12a0)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26 */
27 
28 #include "qemu/osdep.h"
29 #include "hw/hw.h"
30 #include "qapi/error.h"
31 #include "qemu/timer.h"
32 #include "hw/usb.h"
33 #include "hw/sysbus.h"
34 #include "hw/qdev-dma.h"
35 #include "trace.h"
36 #include "hcd-ohci.h"
37 
38 /* This causes frames to occur 1000x slower */
39 //#define OHCI_TIME_WARP 1
40 
41 #define ED_LINK_LIMIT 32
42 
43 static int64_t usb_frame_time;
44 static int64_t usb_bit_time;
45 
46 /* Host Controller Communications Area */
47 struct ohci_hcca {
48     uint32_t intr[32];
49     uint16_t frame, pad;
50     uint32_t done;
51 };
52 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
53 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
54 
55 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
56 #define ED_WBACK_SIZE   4
57 
58 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
59 
60 /* Bitfields for the first word of an Endpoint Desciptor.  */
61 #define OHCI_ED_FA_SHIFT  0
62 #define OHCI_ED_FA_MASK   (0x7f<<OHCI_ED_FA_SHIFT)
63 #define OHCI_ED_EN_SHIFT  7
64 #define OHCI_ED_EN_MASK   (0xf<<OHCI_ED_EN_SHIFT)
65 #define OHCI_ED_D_SHIFT   11
66 #define OHCI_ED_D_MASK    (3<<OHCI_ED_D_SHIFT)
67 #define OHCI_ED_S         (1<<13)
68 #define OHCI_ED_K         (1<<14)
69 #define OHCI_ED_F         (1<<15)
70 #define OHCI_ED_MPS_SHIFT 16
71 #define OHCI_ED_MPS_MASK  (0x7ff<<OHCI_ED_MPS_SHIFT)
72 
73 /* Flags in the head field of an Endpoint Desciptor.  */
74 #define OHCI_ED_H         1
75 #define OHCI_ED_C         2
76 
77 /* Bitfields for the first word of a Transfer Desciptor.  */
78 #define OHCI_TD_R         (1<<18)
79 #define OHCI_TD_DP_SHIFT  19
80 #define OHCI_TD_DP_MASK   (3<<OHCI_TD_DP_SHIFT)
81 #define OHCI_TD_DI_SHIFT  21
82 #define OHCI_TD_DI_MASK   (7<<OHCI_TD_DI_SHIFT)
83 #define OHCI_TD_T0        (1<<24)
84 #define OHCI_TD_T1        (1<<25)
85 #define OHCI_TD_EC_SHIFT  26
86 #define OHCI_TD_EC_MASK   (3<<OHCI_TD_EC_SHIFT)
87 #define OHCI_TD_CC_SHIFT  28
88 #define OHCI_TD_CC_MASK   (0xf<<OHCI_TD_CC_SHIFT)
89 
90 /* Bitfields for the first word of an Isochronous Transfer Desciptor.  */
91 /* CC & DI - same as in the General Transfer Desciptor */
92 #define OHCI_TD_SF_SHIFT  0
93 #define OHCI_TD_SF_MASK   (0xffff<<OHCI_TD_SF_SHIFT)
94 #define OHCI_TD_FC_SHIFT  24
95 #define OHCI_TD_FC_MASK   (7<<OHCI_TD_FC_SHIFT)
96 
97 /* Isochronous Transfer Desciptor - Offset / PacketStatusWord */
98 #define OHCI_TD_PSW_CC_SHIFT 12
99 #define OHCI_TD_PSW_CC_MASK  (0xf<<OHCI_TD_PSW_CC_SHIFT)
100 #define OHCI_TD_PSW_SIZE_SHIFT 0
101 #define OHCI_TD_PSW_SIZE_MASK  (0xfff<<OHCI_TD_PSW_SIZE_SHIFT)
102 
103 #define OHCI_PAGE_MASK    0xfffff000
104 #define OHCI_OFFSET_MASK  0xfff
105 
106 #define OHCI_DPTR_MASK    0xfffffff0
107 
108 #define OHCI_BM(val, field) \
109   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
110 
111 #define OHCI_SET_BM(val, field, newval) do { \
112     val &= ~OHCI_##field##_MASK; \
113     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
114     } while(0)
115 
116 /* endpoint descriptor */
117 struct ohci_ed {
118     uint32_t flags;
119     uint32_t tail;
120     uint32_t head;
121     uint32_t next;
122 };
123 
124 /* General transfer descriptor */
125 struct ohci_td {
126     uint32_t flags;
127     uint32_t cbp;
128     uint32_t next;
129     uint32_t be;
130 };
131 
132 /* Isochronous transfer descriptor */
133 struct ohci_iso_td {
134     uint32_t flags;
135     uint32_t bp;
136     uint32_t next;
137     uint32_t be;
138     uint16_t offset[8];
139 };
140 
141 #define USB_HZ                      12000000
142 
143 /* OHCI Local stuff */
144 #define OHCI_CTL_CBSR         ((1<<0)|(1<<1))
145 #define OHCI_CTL_PLE          (1<<2)
146 #define OHCI_CTL_IE           (1<<3)
147 #define OHCI_CTL_CLE          (1<<4)
148 #define OHCI_CTL_BLE          (1<<5)
149 #define OHCI_CTL_HCFS         ((1<<6)|(1<<7))
150 #define  OHCI_USB_RESET       0x00
151 #define  OHCI_USB_RESUME      0x40
152 #define  OHCI_USB_OPERATIONAL 0x80
153 #define  OHCI_USB_SUSPEND     0xc0
154 #define OHCI_CTL_IR           (1<<8)
155 #define OHCI_CTL_RWC          (1<<9)
156 #define OHCI_CTL_RWE          (1<<10)
157 
158 #define OHCI_STATUS_HCR       (1<<0)
159 #define OHCI_STATUS_CLF       (1<<1)
160 #define OHCI_STATUS_BLF       (1<<2)
161 #define OHCI_STATUS_OCR       (1<<3)
162 #define OHCI_STATUS_SOC       ((1<<6)|(1<<7))
163 
164 #define OHCI_INTR_SO          (1U<<0) /* Scheduling overrun */
165 #define OHCI_INTR_WD          (1U<<1) /* HcDoneHead writeback */
166 #define OHCI_INTR_SF          (1U<<2) /* Start of frame */
167 #define OHCI_INTR_RD          (1U<<3) /* Resume detect */
168 #define OHCI_INTR_UE          (1U<<4) /* Unrecoverable error */
169 #define OHCI_INTR_FNO         (1U<<5) /* Frame number overflow */
170 #define OHCI_INTR_RHSC        (1U<<6) /* Root hub status change */
171 #define OHCI_INTR_OC          (1U<<30) /* Ownership change */
172 #define OHCI_INTR_MIE         (1U<<31) /* Master Interrupt Enable */
173 
174 #define OHCI_HCCA_SIZE        0x100
175 #define OHCI_HCCA_MASK        0xffffff00
176 
177 #define OHCI_EDPTR_MASK       0xfffffff0
178 
179 #define OHCI_FMI_FI           0x00003fff
180 #define OHCI_FMI_FSMPS        0xffff0000
181 #define OHCI_FMI_FIT          0x80000000
182 
183 #define OHCI_FR_RT            (1U<<31)
184 
185 #define OHCI_LS_THRESH        0x628
186 
187 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
188 #define OHCI_RHA_PSM          (1<<8)
189 #define OHCI_RHA_NPS          (1<<9)
190 #define OHCI_RHA_DT           (1<<10)
191 #define OHCI_RHA_OCPM         (1<<11)
192 #define OHCI_RHA_NOCP         (1<<12)
193 #define OHCI_RHA_POTPGT_MASK  0xff000000
194 
195 #define OHCI_RHS_LPS          (1U<<0)
196 #define OHCI_RHS_OCI          (1U<<1)
197 #define OHCI_RHS_DRWE         (1U<<15)
198 #define OHCI_RHS_LPSC         (1U<<16)
199 #define OHCI_RHS_OCIC         (1U<<17)
200 #define OHCI_RHS_CRWE         (1U<<31)
201 
202 #define OHCI_PORT_CCS         (1<<0)
203 #define OHCI_PORT_PES         (1<<1)
204 #define OHCI_PORT_PSS         (1<<2)
205 #define OHCI_PORT_POCI        (1<<3)
206 #define OHCI_PORT_PRS         (1<<4)
207 #define OHCI_PORT_PPS         (1<<8)
208 #define OHCI_PORT_LSDA        (1<<9)
209 #define OHCI_PORT_CSC         (1<<16)
210 #define OHCI_PORT_PESC        (1<<17)
211 #define OHCI_PORT_PSSC        (1<<18)
212 #define OHCI_PORT_OCIC        (1<<19)
213 #define OHCI_PORT_PRSC        (1<<20)
214 #define OHCI_PORT_WTC         (OHCI_PORT_CSC|OHCI_PORT_PESC|OHCI_PORT_PSSC \
215                                |OHCI_PORT_OCIC|OHCI_PORT_PRSC)
216 
217 #define OHCI_TD_DIR_SETUP     0x0
218 #define OHCI_TD_DIR_OUT       0x1
219 #define OHCI_TD_DIR_IN        0x2
220 #define OHCI_TD_DIR_RESERVED  0x3
221 
222 #define OHCI_CC_NOERROR             0x0
223 #define OHCI_CC_CRC                 0x1
224 #define OHCI_CC_BITSTUFFING         0x2
225 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
226 #define OHCI_CC_STALL               0x4
227 #define OHCI_CC_DEVICENOTRESPONDING 0x5
228 #define OHCI_CC_PIDCHECKFAILURE     0x6
229 #define OHCI_CC_UNDEXPETEDPID       0x7
230 #define OHCI_CC_DATAOVERRUN         0x8
231 #define OHCI_CC_DATAUNDERRUN        0x9
232 #define OHCI_CC_BUFFEROVERRUN       0xc
233 #define OHCI_CC_BUFFERUNDERRUN      0xd
234 
235 #define OHCI_HRESET_FSBIR       (1 << 0)
236 
237 static void ohci_die(OHCIState *ohci)
238 {
239     ohci->ohci_die(ohci);
240 }
241 
242 /* Update IRQ levels */
243 static inline void ohci_intr_update(OHCIState *ohci)
244 {
245     int level = 0;
246 
247     if ((ohci->intr & OHCI_INTR_MIE) &&
248         (ohci->intr_status & ohci->intr))
249         level = 1;
250 
251     qemu_set_irq(ohci->irq, level);
252 }
253 
254 /* Set an interrupt */
255 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
256 {
257     ohci->intr_status |= intr;
258     ohci_intr_update(ohci);
259 }
260 
261 /* Attach or detach a device on a root hub port.  */
262 static void ohci_attach(USBPort *port1)
263 {
264     OHCIState *s = port1->opaque;
265     OHCIPort *port = &s->rhport[port1->index];
266     uint32_t old_state = port->ctrl;
267 
268     /* set connect status */
269     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
270 
271     /* update speed */
272     if (port->port.dev->speed == USB_SPEED_LOW) {
273         port->ctrl |= OHCI_PORT_LSDA;
274     } else {
275         port->ctrl &= ~OHCI_PORT_LSDA;
276     }
277 
278     /* notify of remote-wakeup */
279     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
280         ohci_set_interrupt(s, OHCI_INTR_RD);
281     }
282 
283     trace_usb_ohci_port_attach(port1->index);
284 
285     if (old_state != port->ctrl) {
286         ohci_set_interrupt(s, OHCI_INTR_RHSC);
287     }
288 }
289 
290 static void ohci_detach(USBPort *port1)
291 {
292     OHCIState *s = port1->opaque;
293     OHCIPort *port = &s->rhport[port1->index];
294     uint32_t old_state = port->ctrl;
295 
296     ohci_async_cancel_device(s, port1->dev);
297 
298     /* set connect status */
299     if (port->ctrl & OHCI_PORT_CCS) {
300         port->ctrl &= ~OHCI_PORT_CCS;
301         port->ctrl |= OHCI_PORT_CSC;
302     }
303     /* disable port */
304     if (port->ctrl & OHCI_PORT_PES) {
305         port->ctrl &= ~OHCI_PORT_PES;
306         port->ctrl |= OHCI_PORT_PESC;
307     }
308     trace_usb_ohci_port_detach(port1->index);
309 
310     if (old_state != port->ctrl) {
311         ohci_set_interrupt(s, OHCI_INTR_RHSC);
312     }
313 }
314 
315 static void ohci_wakeup(USBPort *port1)
316 {
317     OHCIState *s = port1->opaque;
318     OHCIPort *port = &s->rhport[port1->index];
319     uint32_t intr = 0;
320     if (port->ctrl & OHCI_PORT_PSS) {
321         trace_usb_ohci_port_wakeup(port1->index);
322         port->ctrl |= OHCI_PORT_PSSC;
323         port->ctrl &= ~OHCI_PORT_PSS;
324         intr = OHCI_INTR_RHSC;
325     }
326     /* Note that the controller can be suspended even if this port is not */
327     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
328         trace_usb_ohci_remote_wakeup(s->name);
329         /* This is the one state transition the controller can do by itself */
330         s->ctl &= ~OHCI_CTL_HCFS;
331         s->ctl |= OHCI_USB_RESUME;
332         /* In suspend mode only ResumeDetected is possible, not RHSC:
333          * see the OHCI spec 5.1.2.3.
334          */
335         intr = OHCI_INTR_RD;
336     }
337     ohci_set_interrupt(s, intr);
338 }
339 
340 static void ohci_child_detach(USBPort *port1, USBDevice *child)
341 {
342     OHCIState *s = port1->opaque;
343 
344     ohci_async_cancel_device(s, child);
345 }
346 
347 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
348 {
349     USBDevice *dev;
350     int i;
351 
352     for (i = 0; i < ohci->num_ports; i++) {
353         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
354             continue;
355         }
356         dev = usb_find_device(&ohci->rhport[i].port, addr);
357         if (dev != NULL) {
358             return dev;
359         }
360     }
361     return NULL;
362 }
363 
364 void ohci_stop_endpoints(OHCIState *ohci)
365 {
366     USBDevice *dev;
367     int i, j;
368 
369     for (i = 0; i < ohci->num_ports; i++) {
370         dev = ohci->rhport[i].port.dev;
371         if (dev && dev->attached) {
372             usb_device_ep_stopped(dev, &dev->ep_ctl);
373             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
374                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
375                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
376             }
377         }
378     }
379 }
380 
381 static void ohci_roothub_reset(OHCIState *ohci)
382 {
383     OHCIPort *port;
384     int i;
385 
386     ohci_bus_stop(ohci);
387     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
388     ohci->rhdesc_b = 0x0; /* Impl. specific */
389     ohci->rhstatus = 0;
390 
391     for (i = 0; i < ohci->num_ports; i++) {
392         port = &ohci->rhport[i];
393         port->ctrl = 0;
394         if (port->port.dev && port->port.dev->attached) {
395             usb_port_reset(&port->port);
396         }
397     }
398     if (ohci->async_td) {
399         usb_cancel_packet(&ohci->usb_packet);
400         ohci->async_td = 0;
401     }
402     ohci_stop_endpoints(ohci);
403 }
404 
405 /* Reset the controller */
406 static void ohci_soft_reset(OHCIState *ohci)
407 {
408     trace_usb_ohci_reset(ohci->name);
409 
410     ohci_bus_stop(ohci);
411     ohci->ctl = (ohci->ctl & OHCI_CTL_IR) | OHCI_USB_SUSPEND;
412     ohci->old_ctl = 0;
413     ohci->status = 0;
414     ohci->intr_status = 0;
415     ohci->intr = OHCI_INTR_MIE;
416 
417     ohci->hcca = 0;
418     ohci->ctrl_head = ohci->ctrl_cur = 0;
419     ohci->bulk_head = ohci->bulk_cur = 0;
420     ohci->per_cur = 0;
421     ohci->done = 0;
422     ohci->done_count = 7;
423 
424     /* FSMPS is marked TBD in OCHI 1.0, what gives ffs?
425      * I took the value linux sets ...
426      */
427     ohci->fsmps = 0x2778;
428     ohci->fi = 0x2edf;
429     ohci->fit = 0;
430     ohci->frt = 0;
431     ohci->frame_number = 0;
432     ohci->pstart = 0;
433     ohci->lst = OHCI_LS_THRESH;
434 }
435 
436 void ohci_hard_reset(OHCIState *ohci)
437 {
438     ohci_soft_reset(ohci);
439     ohci->ctl = 0;
440     ohci_roothub_reset(ohci);
441 }
442 
443 /* Get an array of dwords from main memory */
444 static inline int get_dwords(OHCIState *ohci,
445                              dma_addr_t addr, uint32_t *buf, int num)
446 {
447     int i;
448 
449     addr += ohci->localmem_base;
450 
451     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
452         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
453             return -1;
454         }
455         *buf = le32_to_cpu(*buf);
456     }
457 
458     return 0;
459 }
460 
461 /* Put an array of dwords in to main memory */
462 static inline int put_dwords(OHCIState *ohci,
463                              dma_addr_t addr, uint32_t *buf, int num)
464 {
465     int i;
466 
467     addr += ohci->localmem_base;
468 
469     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
470         uint32_t tmp = cpu_to_le32(*buf);
471         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
472             return -1;
473         }
474     }
475 
476     return 0;
477 }
478 
479 /* Get an array of words from main memory */
480 static inline int get_words(OHCIState *ohci,
481                             dma_addr_t addr, uint16_t *buf, int num)
482 {
483     int i;
484 
485     addr += ohci->localmem_base;
486 
487     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
488         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
489             return -1;
490         }
491         *buf = le16_to_cpu(*buf);
492     }
493 
494     return 0;
495 }
496 
497 /* Put an array of words in to main memory */
498 static inline int put_words(OHCIState *ohci,
499                             dma_addr_t addr, uint16_t *buf, int num)
500 {
501     int i;
502 
503     addr += ohci->localmem_base;
504 
505     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
506         uint16_t tmp = cpu_to_le16(*buf);
507         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
508             return -1;
509         }
510     }
511 
512     return 0;
513 }
514 
515 static inline int ohci_read_ed(OHCIState *ohci,
516                                dma_addr_t addr, struct ohci_ed *ed)
517 {
518     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
519 }
520 
521 static inline int ohci_read_td(OHCIState *ohci,
522                                dma_addr_t addr, struct ohci_td *td)
523 {
524     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
525 }
526 
527 static inline int ohci_read_iso_td(OHCIState *ohci,
528                                    dma_addr_t addr, struct ohci_iso_td *td)
529 {
530     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
531            get_words(ohci, addr + 16, td->offset, 8);
532 }
533 
534 static inline int ohci_read_hcca(OHCIState *ohci,
535                                  dma_addr_t addr, struct ohci_hcca *hcca)
536 {
537     return dma_memory_read(ohci->as, addr + ohci->localmem_base,
538                            hcca, sizeof(*hcca));
539 }
540 
541 static inline int ohci_put_ed(OHCIState *ohci,
542                               dma_addr_t addr, struct ohci_ed *ed)
543 {
544     /* ed->tail is under control of the HCD.
545      * Since just ed->head is changed by HC, just write back this
546      */
547 
548     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
549                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
550                       ED_WBACK_SIZE >> 2);
551 }
552 
553 static inline int ohci_put_td(OHCIState *ohci,
554                               dma_addr_t addr, struct ohci_td *td)
555 {
556     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
557 }
558 
559 static inline int ohci_put_iso_td(OHCIState *ohci,
560                                   dma_addr_t addr, struct ohci_iso_td *td)
561 {
562     return put_dwords(ohci, addr, (uint32_t *)td, 4) ||
563            put_words(ohci, addr + 16, td->offset, 8);
564 }
565 
566 static inline int ohci_put_hcca(OHCIState *ohci,
567                                 dma_addr_t addr, struct ohci_hcca *hcca)
568 {
569     return dma_memory_write(ohci->as,
570                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
571                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
572                             HCCA_WRITEBACK_SIZE);
573 }
574 
575 /* Read/Write the contents of a TD from/to main memory.  */
576 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
577                         uint8_t *buf, int len, DMADirection dir)
578 {
579     dma_addr_t ptr, n;
580 
581     ptr = td->cbp;
582     n = 0x1000 - (ptr & 0xfff);
583     if (n > len)
584         n = len;
585 
586     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
587         return -1;
588     }
589     if (n == len) {
590         return 0;
591     }
592     ptr = td->be & ~0xfffu;
593     buf += n;
594     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
595                       len - n, dir)) {
596         return -1;
597     }
598     return 0;
599 }
600 
601 /* Read/Write the contents of an ISO TD from/to main memory.  */
602 static int ohci_copy_iso_td(OHCIState *ohci,
603                             uint32_t start_addr, uint32_t end_addr,
604                             uint8_t *buf, int len, DMADirection dir)
605 {
606     dma_addr_t ptr, n;
607 
608     ptr = start_addr;
609     n = 0x1000 - (ptr & 0xfff);
610     if (n > len)
611         n = len;
612 
613     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
614         return -1;
615     }
616     if (n == len) {
617         return 0;
618     }
619     ptr = end_addr & ~0xfffu;
620     buf += n;
621     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
622                       len - n, dir)) {
623         return -1;
624     }
625     return 0;
626 }
627 
628 static void ohci_process_lists(OHCIState *ohci, int completion);
629 
630 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
631 {
632     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
633 
634     trace_usb_ohci_async_complete();
635     ohci->async_complete = true;
636     ohci_process_lists(ohci, 1);
637 }
638 
639 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
640 
641 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
642                                int completion)
643 {
644     int dir;
645     size_t len = 0;
646     const char *str = NULL;
647     int pid;
648     int ret;
649     int i;
650     USBDevice *dev;
651     USBEndpoint *ep;
652     struct ohci_iso_td iso_td;
653     uint32_t addr;
654     uint16_t starting_frame;
655     int16_t relative_frame_number;
656     int frame_count;
657     uint32_t start_offset, next_offset, end_offset = 0;
658     uint32_t start_addr, end_addr;
659 
660     addr = ed->head & OHCI_DPTR_MASK;
661 
662     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
663         trace_usb_ohci_iso_td_read_failed(addr);
664         ohci_die(ohci);
665         return 1;
666     }
667 
668     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
669     frame_count = OHCI_BM(iso_td.flags, TD_FC);
670     relative_frame_number = USUB(ohci->frame_number, starting_frame);
671 
672     trace_usb_ohci_iso_td_head(
673            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
674            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
675            ohci->frame_number, starting_frame,
676            frame_count, relative_frame_number);
677     trace_usb_ohci_iso_td_head_offset(
678            iso_td.offset[0], iso_td.offset[1],
679            iso_td.offset[2], iso_td.offset[3],
680            iso_td.offset[4], iso_td.offset[5],
681            iso_td.offset[6], iso_td.offset[7]);
682 
683     if (relative_frame_number < 0) {
684         trace_usb_ohci_iso_td_relative_frame_number_neg(relative_frame_number);
685         return 1;
686     } else if (relative_frame_number > frame_count) {
687         /* ISO TD expired - retire the TD to the Done Queue and continue with
688            the next ISO TD of the same ED */
689         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
690                                                         frame_count);
691         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
692         ed->head &= ~OHCI_DPTR_MASK;
693         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
694         iso_td.next = ohci->done;
695         ohci->done = addr;
696         i = OHCI_BM(iso_td.flags, TD_DI);
697         if (i < ohci->done_count)
698             ohci->done_count = i;
699         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
700             ohci_die(ohci);
701             return 1;
702         }
703         return 0;
704     }
705 
706     dir = OHCI_BM(ed->flags, ED_D);
707     switch (dir) {
708     case OHCI_TD_DIR_IN:
709         str = "in";
710         pid = USB_TOKEN_IN;
711         break;
712     case OHCI_TD_DIR_OUT:
713         str = "out";
714         pid = USB_TOKEN_OUT;
715         break;
716     case OHCI_TD_DIR_SETUP:
717         str = "setup";
718         pid = USB_TOKEN_SETUP;
719         break;
720     default:
721         trace_usb_ohci_iso_td_bad_direction(dir);
722         return 1;
723     }
724 
725     if (!iso_td.bp || !iso_td.be) {
726         trace_usb_ohci_iso_td_bad_bp_be(iso_td.bp, iso_td.be);
727         return 1;
728     }
729 
730     start_offset = iso_td.offset[relative_frame_number];
731     next_offset = iso_td.offset[relative_frame_number + 1];
732 
733     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
734         ((relative_frame_number < frame_count) &&
735          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
736         trace_usb_ohci_iso_td_bad_cc_not_accessed(start_offset, next_offset);
737         return 1;
738     }
739 
740     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
741         trace_usb_ohci_iso_td_bad_cc_overrun(start_offset, next_offset);
742         return 1;
743     }
744 
745     if ((start_offset & 0x1000) == 0) {
746         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
747             (start_offset & OHCI_OFFSET_MASK);
748     } else {
749         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
750             (start_offset & OHCI_OFFSET_MASK);
751     }
752 
753     if (relative_frame_number < frame_count) {
754         end_offset = next_offset - 1;
755         if ((end_offset & 0x1000) == 0) {
756             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
757                 (end_offset & OHCI_OFFSET_MASK);
758         } else {
759             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
760                 (end_offset & OHCI_OFFSET_MASK);
761         }
762     } else {
763         /* Last packet in the ISO TD */
764         end_addr = iso_td.be;
765     }
766 
767     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
768         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
769             - (start_addr & OHCI_OFFSET_MASK);
770     } else {
771         len = end_addr - start_addr + 1;
772     }
773 
774     if (len && dir != OHCI_TD_DIR_IN) {
775         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
776                              DMA_DIRECTION_TO_DEVICE)) {
777             ohci_die(ohci);
778             return 1;
779         }
780     }
781 
782     if (!completion) {
783         bool int_req = relative_frame_number == frame_count &&
784                        OHCI_BM(iso_td.flags, TD_DI) == 0;
785         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
786         if (dev == NULL) {
787             trace_usb_ohci_td_dev_error();
788             return 1;
789         }
790         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
791         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
792         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
793         usb_handle_packet(dev, &ohci->usb_packet);
794         if (ohci->usb_packet.status == USB_RET_ASYNC) {
795             usb_device_flush_ep_queue(dev, ep);
796             return 1;
797         }
798     }
799     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
800         ret = ohci->usb_packet.actual_length;
801     } else {
802         ret = ohci->usb_packet.status;
803     }
804 
805     trace_usb_ohci_iso_td_so(start_offset, end_offset, start_addr, end_addr,
806                              str, len, ret);
807 
808     /* Writeback */
809     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
810         /* IN transfer succeeded */
811         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, ret,
812                              DMA_DIRECTION_FROM_DEVICE)) {
813             ohci_die(ohci);
814             return 1;
815         }
816         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
817                     OHCI_CC_NOERROR);
818         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
819     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
820         /* OUT transfer succeeded */
821         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
822                     OHCI_CC_NOERROR);
823         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
824     } else {
825         if (ret > (ssize_t) len) {
826             trace_usb_ohci_iso_td_data_overrun(ret, len);
827             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
828                         OHCI_CC_DATAOVERRUN);
829             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
830                         len);
831         } else if (ret >= 0) {
832             trace_usb_ohci_iso_td_data_underrun(ret);
833             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
834                         OHCI_CC_DATAUNDERRUN);
835         } else {
836             switch (ret) {
837             case USB_RET_IOERROR:
838             case USB_RET_NODEV:
839                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
840                             OHCI_CC_DEVICENOTRESPONDING);
841                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
842                             0);
843                 break;
844             case USB_RET_NAK:
845             case USB_RET_STALL:
846                 trace_usb_ohci_iso_td_nak(ret);
847                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
848                             OHCI_CC_STALL);
849                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
850                             0);
851                 break;
852             default:
853                 trace_usb_ohci_iso_td_bad_response(ret);
854                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
855                             OHCI_CC_UNDEXPETEDPID);
856                 break;
857             }
858         }
859     }
860 
861     if (relative_frame_number == frame_count) {
862         /* Last data packet of ISO TD - retire the TD to the Done Queue */
863         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
864         ed->head &= ~OHCI_DPTR_MASK;
865         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
866         iso_td.next = ohci->done;
867         ohci->done = addr;
868         i = OHCI_BM(iso_td.flags, TD_DI);
869         if (i < ohci->done_count)
870             ohci->done_count = i;
871     }
872     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
873         ohci_die(ohci);
874     }
875     return 1;
876 }
877 
878 static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
879 {
880     bool print16;
881     bool printall;
882     const int width = 16;
883     int i;
884     char tmp[3 * width + 1];
885     char *p = tmp;
886 
887     print16 = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_SHORT);
888     printall = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_FULL);
889 
890     if (!printall && !print16) {
891         return;
892     }
893 
894     for (i = 0; ; i++) {
895         if (i && (!(i % width) || (i == len))) {
896             if (!printall) {
897                 trace_usb_ohci_td_pkt_short(msg, tmp);
898                 break;
899             }
900             trace_usb_ohci_td_pkt_full(msg, tmp);
901             p = tmp;
902             *p = 0;
903         }
904         if (i == len) {
905             break;
906         }
907 
908         p += sprintf(p, " %.2x", buf[i]);
909     }
910 }
911 
912 /* Service a transport descriptor.
913    Returns nonzero to terminate processing of this endpoint.  */
914 
915 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
916 {
917     int dir;
918     size_t len = 0, pktlen = 0;
919     const char *str = NULL;
920     int pid;
921     int ret;
922     int i;
923     USBDevice *dev;
924     USBEndpoint *ep;
925     struct ohci_td td;
926     uint32_t addr;
927     int flag_r;
928     int completion;
929 
930     addr = ed->head & OHCI_DPTR_MASK;
931     /* See if this TD has already been submitted to the device.  */
932     completion = (addr == ohci->async_td);
933     if (completion && !ohci->async_complete) {
934         trace_usb_ohci_td_skip_async();
935         return 1;
936     }
937     if (ohci_read_td(ohci, addr, &td)) {
938         trace_usb_ohci_td_read_error(addr);
939         ohci_die(ohci);
940         return 1;
941     }
942 
943     dir = OHCI_BM(ed->flags, ED_D);
944     switch (dir) {
945     case OHCI_TD_DIR_OUT:
946     case OHCI_TD_DIR_IN:
947         /* Same value.  */
948         break;
949     default:
950         dir = OHCI_BM(td.flags, TD_DP);
951         break;
952     }
953 
954     switch (dir) {
955     case OHCI_TD_DIR_IN:
956         str = "in";
957         pid = USB_TOKEN_IN;
958         break;
959     case OHCI_TD_DIR_OUT:
960         str = "out";
961         pid = USB_TOKEN_OUT;
962         break;
963     case OHCI_TD_DIR_SETUP:
964         str = "setup";
965         pid = USB_TOKEN_SETUP;
966         break;
967     default:
968         trace_usb_ohci_td_bad_direction(dir);
969         return 1;
970     }
971     if (td.cbp && td.be) {
972         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
973             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
974         } else {
975             len = (td.be - td.cbp) + 1;
976         }
977 
978         pktlen = len;
979         if (len && dir != OHCI_TD_DIR_IN) {
980             /* The endpoint may not allow us to transfer it all now */
981             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
982             if (pktlen > len) {
983                 pktlen = len;
984             }
985             if (!completion) {
986                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
987                                  DMA_DIRECTION_TO_DEVICE)) {
988                     ohci_die(ohci);
989                 }
990             }
991         }
992     }
993 
994     flag_r = (td.flags & OHCI_TD_R) != 0;
995     trace_usb_ohci_td_pkt_hdr(addr, (int64_t)pktlen, (int64_t)len, str,
996                               flag_r, td.cbp, td.be);
997     ohci_td_pkt("OUT", ohci->usb_buf, pktlen);
998 
999     if (completion) {
1000         ohci->async_td = 0;
1001         ohci->async_complete = false;
1002     } else {
1003         if (ohci->async_td) {
1004             /* ??? The hardware should allow one active packet per
1005                endpoint.  We only allow one active packet per controller.
1006                This should be sufficient as long as devices respond in a
1007                timely manner.
1008             */
1009             trace_usb_ohci_td_too_many_pending();
1010             return 1;
1011         }
1012         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
1013         if (dev == NULL) {
1014             trace_usb_ohci_td_dev_error();
1015             return 1;
1016         }
1017         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
1018         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
1019                          OHCI_BM(td.flags, TD_DI) == 0);
1020         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
1021         usb_handle_packet(dev, &ohci->usb_packet);
1022         trace_usb_ohci_td_packet_status(ohci->usb_packet.status);
1023 
1024         if (ohci->usb_packet.status == USB_RET_ASYNC) {
1025             usb_device_flush_ep_queue(dev, ep);
1026             ohci->async_td = addr;
1027             return 1;
1028         }
1029     }
1030     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1031         ret = ohci->usb_packet.actual_length;
1032     } else {
1033         ret = ohci->usb_packet.status;
1034     }
1035 
1036     if (ret >= 0) {
1037         if (dir == OHCI_TD_DIR_IN) {
1038             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1039                              DMA_DIRECTION_FROM_DEVICE)) {
1040                 ohci_die(ohci);
1041             }
1042             ohci_td_pkt("IN", ohci->usb_buf, pktlen);
1043         } else {
1044             ret = pktlen;
1045         }
1046     }
1047 
1048     /* Writeback */
1049     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1050         /* Transmission succeeded.  */
1051         if (ret == len) {
1052             td.cbp = 0;
1053         } else {
1054             if ((td.cbp & 0xfff) + ret > 0xfff) {
1055                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1056             } else {
1057                 td.cbp += ret;
1058             }
1059         }
1060         td.flags |= OHCI_TD_T1;
1061         td.flags ^= OHCI_TD_T0;
1062         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1063         OHCI_SET_BM(td.flags, TD_EC, 0);
1064 
1065         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1066             /* Partial packet transfer: TD not ready to retire yet */
1067             goto exit_no_retire;
1068         }
1069 
1070         /* Setting ED_C is part of the TD retirement process */
1071         ed->head &= ~OHCI_ED_C;
1072         if (td.flags & OHCI_TD_T0)
1073             ed->head |= OHCI_ED_C;
1074     } else {
1075         if (ret >= 0) {
1076             trace_usb_ohci_td_underrun();
1077             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1078         } else {
1079             switch (ret) {
1080             case USB_RET_IOERROR:
1081             case USB_RET_NODEV:
1082                 trace_usb_ohci_td_dev_error();
1083                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1084                 break;
1085             case USB_RET_NAK:
1086                 trace_usb_ohci_td_nak();
1087                 return 1;
1088             case USB_RET_STALL:
1089                 trace_usb_ohci_td_stall();
1090                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1091                 break;
1092             case USB_RET_BABBLE:
1093                 trace_usb_ohci_td_babble();
1094                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1095                 break;
1096             default:
1097                 trace_usb_ohci_td_bad_device_response(ret);
1098                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1099                 OHCI_SET_BM(td.flags, TD_EC, 3);
1100                 break;
1101             }
1102             /* An error occured so we have to clear the interrupt counter. See
1103              * spec at 6.4.4 on page 104 */
1104             ohci->done_count = 0;
1105         }
1106         ed->head |= OHCI_ED_H;
1107     }
1108 
1109     /* Retire this TD */
1110     ed->head &= ~OHCI_DPTR_MASK;
1111     ed->head |= td.next & OHCI_DPTR_MASK;
1112     td.next = ohci->done;
1113     ohci->done = addr;
1114     i = OHCI_BM(td.flags, TD_DI);
1115     if (i < ohci->done_count)
1116         ohci->done_count = i;
1117 exit_no_retire:
1118     if (ohci_put_td(ohci, addr, &td)) {
1119         ohci_die(ohci);
1120         return 1;
1121     }
1122     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1123 }
1124 
1125 /* Service an endpoint list.  Returns nonzero if active TD were found.  */
1126 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
1127 {
1128     struct ohci_ed ed;
1129     uint32_t next_ed;
1130     uint32_t cur;
1131     int active;
1132     uint32_t link_cnt = 0;
1133     active = 0;
1134 
1135     if (head == 0)
1136         return 0;
1137 
1138     for (cur = head; cur && link_cnt++ < ED_LINK_LIMIT; cur = next_ed) {
1139         if (ohci_read_ed(ohci, cur, &ed)) {
1140             trace_usb_ohci_ed_read_error(cur);
1141             ohci_die(ohci);
1142             return 0;
1143         }
1144 
1145         next_ed = ed.next & OHCI_DPTR_MASK;
1146 
1147         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1148             uint32_t addr;
1149             /* Cancel pending packets for ED that have been paused.  */
1150             addr = ed.head & OHCI_DPTR_MASK;
1151             if (ohci->async_td && addr == ohci->async_td) {
1152                 usb_cancel_packet(&ohci->usb_packet);
1153                 ohci->async_td = 0;
1154                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1155                                       ohci->usb_packet.ep);
1156             }
1157             continue;
1158         }
1159 
1160         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1161             trace_usb_ohci_ed_pkt(cur, (ed.head & OHCI_ED_H) != 0,
1162                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1163                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1164             trace_usb_ohci_ed_pkt_flags(
1165                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1166                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S)!= 0,
1167                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1168                     OHCI_BM(ed.flags, ED_MPS));
1169 
1170             active = 1;
1171 
1172             if ((ed.flags & OHCI_ED_F) == 0) {
1173                 if (ohci_service_td(ohci, &ed))
1174                     break;
1175             } else {
1176                 /* Handle isochronous endpoints */
1177                 if (ohci_service_iso_td(ohci, &ed, completion))
1178                     break;
1179             }
1180         }
1181 
1182         if (ohci_put_ed(ohci, cur, &ed)) {
1183             ohci_die(ohci);
1184             return 0;
1185         }
1186     }
1187 
1188     return active;
1189 }
1190 
1191 /* set a timer for EOF */
1192 static void ohci_eof_timer(OHCIState *ohci)
1193 {
1194     timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1195 }
1196 /* Set a timer for EOF and generate a SOF event */
1197 static void ohci_sof(OHCIState *ohci)
1198 {
1199     ohci->sof_time += usb_frame_time;
1200     ohci_eof_timer(ohci);
1201     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1202 }
1203 
1204 /* Process Control and Bulk lists.  */
1205 static void ohci_process_lists(OHCIState *ohci, int completion)
1206 {
1207     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1208         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1209             trace_usb_ohci_process_lists(ohci->ctrl_head, ohci->ctrl_cur);
1210         }
1211         if (!ohci_service_ed_list(ohci, ohci->ctrl_head, completion)) {
1212             ohci->ctrl_cur = 0;
1213             ohci->status &= ~OHCI_STATUS_CLF;
1214         }
1215     }
1216 
1217     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1218         if (!ohci_service_ed_list(ohci, ohci->bulk_head, completion)) {
1219             ohci->bulk_cur = 0;
1220             ohci->status &= ~OHCI_STATUS_BLF;
1221         }
1222     }
1223 }
1224 
1225 /* Do frame processing on frame boundary */
1226 static void ohci_frame_boundary(void *opaque)
1227 {
1228     OHCIState *ohci = opaque;
1229     struct ohci_hcca hcca;
1230 
1231     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1232         trace_usb_ohci_hcca_read_error(ohci->hcca);
1233         ohci_die(ohci);
1234         return;
1235     }
1236 
1237     /* Process all the lists at the end of the frame */
1238     if (ohci->ctl & OHCI_CTL_PLE) {
1239         int n;
1240 
1241         n = ohci->frame_number & 0x1f;
1242         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]), 0);
1243     }
1244 
1245     /* Cancel all pending packets if either of the lists has been disabled.  */
1246     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1247         if (ohci->async_td) {
1248             usb_cancel_packet(&ohci->usb_packet);
1249             ohci->async_td = 0;
1250         }
1251         ohci_stop_endpoints(ohci);
1252     }
1253     ohci->old_ctl = ohci->ctl;
1254     ohci_process_lists(ohci, 0);
1255 
1256     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1257     if (ohci->intr_status & OHCI_INTR_UE) {
1258         return;
1259     }
1260 
1261     /* Frame boundary, so do EOF stuf here */
1262     ohci->frt = ohci->fit;
1263 
1264     /* Increment frame number and take care of endianness. */
1265     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1266     hcca.frame = cpu_to_le16(ohci->frame_number);
1267 
1268     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1269         if (!ohci->done)
1270             abort();
1271         if (ohci->intr & ohci->intr_status)
1272             ohci->done |= 1;
1273         hcca.done = cpu_to_le32(ohci->done);
1274         ohci->done = 0;
1275         ohci->done_count = 7;
1276         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1277     }
1278 
1279     if (ohci->done_count != 7 && ohci->done_count != 0)
1280         ohci->done_count--;
1281 
1282     /* Do SOF stuff here */
1283     ohci_sof(ohci);
1284 
1285     /* Writeback HCCA */
1286     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1287         ohci_die(ohci);
1288     }
1289 }
1290 
1291 /* Start sending SOF tokens across the USB bus, lists are processed in
1292  * next frame
1293  */
1294 static int ohci_bus_start(OHCIState *ohci)
1295 {
1296     trace_usb_ohci_start(ohci->name);
1297 
1298     /* Delay the first SOF event by one frame time as
1299      * linux driver is not ready to receive it and
1300      * can meet some race conditions
1301      */
1302 
1303     ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1304     ohci_eof_timer(ohci);
1305 
1306     return 1;
1307 }
1308 
1309 /* Stop sending SOF tokens on the bus */
1310 void ohci_bus_stop(OHCIState *ohci)
1311 {
1312     trace_usb_ohci_stop(ohci->name);
1313     timer_del(ohci->eof_timer);
1314 }
1315 
1316 /* Sets a flag in a port status register but only set it if the port is
1317  * connected, if not set ConnectStatusChange flag. If flag is enabled
1318  * return 1.
1319  */
1320 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1321 {
1322     int ret = 1;
1323 
1324     /* writing a 0 has no effect */
1325     if (val == 0)
1326         return 0;
1327 
1328     /* If CurrentConnectStatus is cleared we set
1329      * ConnectStatusChange
1330      */
1331     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1332         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1333         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1334             /* TODO: CSC is a wakeup event */
1335         }
1336         return 0;
1337     }
1338 
1339     if (ohci->rhport[i].ctrl & val)
1340         ret = 0;
1341 
1342     /* set the bit */
1343     ohci->rhport[i].ctrl |= val;
1344 
1345     return ret;
1346 }
1347 
1348 /* Set the frame interval - frame interval toggle is manipulated by the hcd only */
1349 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1350 {
1351     val &= OHCI_FMI_FI;
1352 
1353     if (val != ohci->fi) {
1354         trace_usb_ohci_set_frame_interval(ohci->name, ohci->fi, ohci->fi);
1355     }
1356 
1357     ohci->fi = val;
1358 }
1359 
1360 static void ohci_port_power(OHCIState *ohci, int i, int p)
1361 {
1362     if (p) {
1363         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1364     } else {
1365         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS|
1366                     OHCI_PORT_CCS|
1367                     OHCI_PORT_PSS|
1368                     OHCI_PORT_PRS);
1369     }
1370 }
1371 
1372 /* Set HcControlRegister */
1373 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1374 {
1375     uint32_t old_state;
1376     uint32_t new_state;
1377 
1378     old_state = ohci->ctl & OHCI_CTL_HCFS;
1379     ohci->ctl = val;
1380     new_state = ohci->ctl & OHCI_CTL_HCFS;
1381 
1382     /* no state change */
1383     if (old_state == new_state)
1384         return;
1385 
1386     trace_usb_ohci_set_ctl(ohci->name, new_state);
1387     switch (new_state) {
1388     case OHCI_USB_OPERATIONAL:
1389         ohci_bus_start(ohci);
1390         break;
1391     case OHCI_USB_SUSPEND:
1392         ohci_bus_stop(ohci);
1393         /* clear pending SF otherwise linux driver loops in ohci_irq() */
1394         ohci->intr_status &= ~OHCI_INTR_SF;
1395         ohci_intr_update(ohci);
1396         break;
1397     case OHCI_USB_RESUME:
1398         trace_usb_ohci_resume(ohci->name);
1399         break;
1400     case OHCI_USB_RESET:
1401         ohci_roothub_reset(ohci);
1402         break;
1403     }
1404 }
1405 
1406 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1407 {
1408     uint16_t fr;
1409     int64_t tks;
1410 
1411     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL)
1412         return (ohci->frt << 31);
1413 
1414     /* Being in USB operational state guarnatees sof_time was
1415      * set already.
1416      */
1417     tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1418     if (tks < 0) {
1419         tks = 0;
1420     }
1421 
1422     /* avoid muldiv if possible */
1423     if (tks >= usb_frame_time)
1424         return (ohci->frt << 31);
1425 
1426     tks = tks / usb_bit_time;
1427     fr = (uint16_t)(ohci->fi - tks);
1428 
1429     return (ohci->frt << 31) | fr;
1430 }
1431 
1432 
1433 /* Set root hub status */
1434 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1435 {
1436     uint32_t old_state;
1437 
1438     old_state = ohci->rhstatus;
1439 
1440     /* write 1 to clear OCIC */
1441     if (val & OHCI_RHS_OCIC)
1442         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1443 
1444     if (val & OHCI_RHS_LPS) {
1445         int i;
1446 
1447         for (i = 0; i < ohci->num_ports; i++)
1448             ohci_port_power(ohci, i, 0);
1449         trace_usb_ohci_hub_power_down();
1450     }
1451 
1452     if (val & OHCI_RHS_LPSC) {
1453         int i;
1454 
1455         for (i = 0; i < ohci->num_ports; i++)
1456             ohci_port_power(ohci, i, 1);
1457         trace_usb_ohci_hub_power_up();
1458     }
1459 
1460     if (val & OHCI_RHS_DRWE)
1461         ohci->rhstatus |= OHCI_RHS_DRWE;
1462 
1463     if (val & OHCI_RHS_CRWE)
1464         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1465 
1466     if (old_state != ohci->rhstatus)
1467         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1468 }
1469 
1470 /* Set root hub port status */
1471 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1472 {
1473     uint32_t old_state;
1474     OHCIPort *port;
1475 
1476     port = &ohci->rhport[portnum];
1477     old_state = port->ctrl;
1478 
1479     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1480     if (val & OHCI_PORT_WTC)
1481         port->ctrl &= ~(val & OHCI_PORT_WTC);
1482 
1483     if (val & OHCI_PORT_CCS)
1484         port->ctrl &= ~OHCI_PORT_PES;
1485 
1486     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1487 
1488     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1489         trace_usb_ohci_port_suspend(portnum);
1490     }
1491 
1492     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1493         trace_usb_ohci_port_reset(portnum);
1494         usb_device_reset(port->port.dev);
1495         port->ctrl &= ~OHCI_PORT_PRS;
1496         /* ??? Should this also set OHCI_PORT_PESC.  */
1497         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1498     }
1499 
1500     /* Invert order here to ensure in ambiguous case, device is
1501      * powered up...
1502      */
1503     if (val & OHCI_PORT_LSDA)
1504         ohci_port_power(ohci, portnum, 0);
1505     if (val & OHCI_PORT_PPS)
1506         ohci_port_power(ohci, portnum, 1);
1507 
1508     if (old_state != port->ctrl)
1509         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1510 }
1511 
1512 static uint64_t ohci_mem_read(void *opaque,
1513                               hwaddr addr,
1514                               unsigned size)
1515 {
1516     OHCIState *ohci = opaque;
1517     uint32_t retval;
1518 
1519     /* Only aligned reads are allowed on OHCI */
1520     if (addr & 3) {
1521         trace_usb_ohci_mem_read_unaligned(addr);
1522         return 0xffffffff;
1523     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1524         /* HcRhPortStatus */
1525         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1526     } else {
1527         switch (addr >> 2) {
1528         case 0: /* HcRevision */
1529             retval = 0x10;
1530             break;
1531 
1532         case 1: /* HcControl */
1533             retval = ohci->ctl;
1534             break;
1535 
1536         case 2: /* HcCommandStatus */
1537             retval = ohci->status;
1538             break;
1539 
1540         case 3: /* HcInterruptStatus */
1541             retval = ohci->intr_status;
1542             break;
1543 
1544         case 4: /* HcInterruptEnable */
1545         case 5: /* HcInterruptDisable */
1546             retval = ohci->intr;
1547             break;
1548 
1549         case 6: /* HcHCCA */
1550             retval = ohci->hcca;
1551             break;
1552 
1553         case 7: /* HcPeriodCurrentED */
1554             retval = ohci->per_cur;
1555             break;
1556 
1557         case 8: /* HcControlHeadED */
1558             retval = ohci->ctrl_head;
1559             break;
1560 
1561         case 9: /* HcControlCurrentED */
1562             retval = ohci->ctrl_cur;
1563             break;
1564 
1565         case 10: /* HcBulkHeadED */
1566             retval = ohci->bulk_head;
1567             break;
1568 
1569         case 11: /* HcBulkCurrentED */
1570             retval = ohci->bulk_cur;
1571             break;
1572 
1573         case 12: /* HcDoneHead */
1574             retval = ohci->done;
1575             break;
1576 
1577         case 13: /* HcFmInterretval */
1578             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1579             break;
1580 
1581         case 14: /* HcFmRemaining */
1582             retval = ohci_get_frame_remaining(ohci);
1583             break;
1584 
1585         case 15: /* HcFmNumber */
1586             retval = ohci->frame_number;
1587             break;
1588 
1589         case 16: /* HcPeriodicStart */
1590             retval = ohci->pstart;
1591             break;
1592 
1593         case 17: /* HcLSThreshold */
1594             retval = ohci->lst;
1595             break;
1596 
1597         case 18: /* HcRhDescriptorA */
1598             retval = ohci->rhdesc_a;
1599             break;
1600 
1601         case 19: /* HcRhDescriptorB */
1602             retval = ohci->rhdesc_b;
1603             break;
1604 
1605         case 20: /* HcRhStatus */
1606             retval = ohci->rhstatus;
1607             break;
1608 
1609         /* PXA27x specific registers */
1610         case 24: /* HcStatus */
1611             retval = ohci->hstatus & ohci->hmask;
1612             break;
1613 
1614         case 25: /* HcHReset */
1615             retval = ohci->hreset;
1616             break;
1617 
1618         case 26: /* HcHInterruptEnable */
1619             retval = ohci->hmask;
1620             break;
1621 
1622         case 27: /* HcHInterruptTest */
1623             retval = ohci->htest;
1624             break;
1625 
1626         default:
1627             trace_usb_ohci_mem_read_bad_offset(addr);
1628             retval = 0xffffffff;
1629         }
1630     }
1631 
1632     return retval;
1633 }
1634 
1635 static void ohci_mem_write(void *opaque,
1636                            hwaddr addr,
1637                            uint64_t val,
1638                            unsigned size)
1639 {
1640     OHCIState *ohci = opaque;
1641 
1642     /* Only aligned reads are allowed on OHCI */
1643     if (addr & 3) {
1644         trace_usb_ohci_mem_write_unaligned(addr);
1645         return;
1646     }
1647 
1648     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1649         /* HcRhPortStatus */
1650         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1651         return;
1652     }
1653 
1654     switch (addr >> 2) {
1655     case 1: /* HcControl */
1656         ohci_set_ctl(ohci, val);
1657         break;
1658 
1659     case 2: /* HcCommandStatus */
1660         /* SOC is read-only */
1661         val = (val & ~OHCI_STATUS_SOC);
1662 
1663         /* Bits written as '0' remain unchanged in the register */
1664         ohci->status |= val;
1665 
1666         if (ohci->status & OHCI_STATUS_HCR)
1667             ohci_soft_reset(ohci);
1668         break;
1669 
1670     case 3: /* HcInterruptStatus */
1671         ohci->intr_status &= ~val;
1672         ohci_intr_update(ohci);
1673         break;
1674 
1675     case 4: /* HcInterruptEnable */
1676         ohci->intr |= val;
1677         ohci_intr_update(ohci);
1678         break;
1679 
1680     case 5: /* HcInterruptDisable */
1681         ohci->intr &= ~val;
1682         ohci_intr_update(ohci);
1683         break;
1684 
1685     case 6: /* HcHCCA */
1686         ohci->hcca = val & OHCI_HCCA_MASK;
1687         break;
1688 
1689     case 7: /* HcPeriodCurrentED */
1690         /* Ignore writes to this read-only register, Linux does them */
1691         break;
1692 
1693     case 8: /* HcControlHeadED */
1694         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1695         break;
1696 
1697     case 9: /* HcControlCurrentED */
1698         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1699         break;
1700 
1701     case 10: /* HcBulkHeadED */
1702         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1703         break;
1704 
1705     case 11: /* HcBulkCurrentED */
1706         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1707         break;
1708 
1709     case 13: /* HcFmInterval */
1710         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1711         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1712         ohci_set_frame_interval(ohci, val);
1713         break;
1714 
1715     case 15: /* HcFmNumber */
1716         break;
1717 
1718     case 16: /* HcPeriodicStart */
1719         ohci->pstart = val & 0xffff;
1720         break;
1721 
1722     case 17: /* HcLSThreshold */
1723         ohci->lst = val & 0xffff;
1724         break;
1725 
1726     case 18: /* HcRhDescriptorA */
1727         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1728         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1729         break;
1730 
1731     case 19: /* HcRhDescriptorB */
1732         break;
1733 
1734     case 20: /* HcRhStatus */
1735         ohci_set_hub_status(ohci, val);
1736         break;
1737 
1738     /* PXA27x specific registers */
1739     case 24: /* HcStatus */
1740         ohci->hstatus &= ~(val & ohci->hmask);
1741         break;
1742 
1743     case 25: /* HcHReset */
1744         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1745         if (val & OHCI_HRESET_FSBIR)
1746             ohci_hard_reset(ohci);
1747         break;
1748 
1749     case 26: /* HcHInterruptEnable */
1750         ohci->hmask = val;
1751         break;
1752 
1753     case 27: /* HcHInterruptTest */
1754         ohci->htest = val;
1755         break;
1756 
1757     default:
1758         trace_usb_ohci_mem_write_bad_offset(addr);
1759         break;
1760     }
1761 }
1762 
1763 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
1764 {
1765     if (ohci->async_td &&
1766         usb_packet_is_inflight(&ohci->usb_packet) &&
1767         ohci->usb_packet.ep->dev == dev) {
1768         usb_cancel_packet(&ohci->usb_packet);
1769         ohci->async_td = 0;
1770     }
1771 }
1772 
1773 static const MemoryRegionOps ohci_mem_ops = {
1774     .read = ohci_mem_read,
1775     .write = ohci_mem_write,
1776     .endianness = DEVICE_LITTLE_ENDIAN,
1777 };
1778 
1779 static USBPortOps ohci_port_ops = {
1780     .attach = ohci_attach,
1781     .detach = ohci_detach,
1782     .child_detach = ohci_child_detach,
1783     .wakeup = ohci_wakeup,
1784     .complete = ohci_async_complete_packet,
1785 };
1786 
1787 static USBBusOps ohci_bus_ops = {
1788 };
1789 
1790 void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
1791                    dma_addr_t localmem_base, char *masterbus,
1792                    uint32_t firstport, AddressSpace *as,
1793                    void (*ohci_die_fn)(struct OHCIState *), Error **errp)
1794 {
1795     Error *err = NULL;
1796     int i;
1797 
1798     ohci->as = as;
1799     ohci->ohci_die = ohci_die_fn;
1800 
1801     if (num_ports > OHCI_MAX_PORTS) {
1802         error_setg(errp, "OHCI num-ports=%u is too big (limit is %u ports)",
1803                    num_ports, OHCI_MAX_PORTS);
1804         return;
1805     }
1806 
1807     if (usb_frame_time == 0) {
1808 #ifdef OHCI_TIME_WARP
1809         usb_frame_time = NANOSECONDS_PER_SECOND;
1810         usb_bit_time = NANOSECONDS_PER_SECOND / (USB_HZ / 1000);
1811 #else
1812         usb_frame_time = NANOSECONDS_PER_SECOND / 1000;
1813         if (NANOSECONDS_PER_SECOND >= USB_HZ) {
1814             usb_bit_time = NANOSECONDS_PER_SECOND / USB_HZ;
1815         } else {
1816             usb_bit_time = 1;
1817         }
1818 #endif
1819         trace_usb_ohci_init_time(usb_frame_time, usb_bit_time);
1820     }
1821 
1822     ohci->num_ports = num_ports;
1823     if (masterbus) {
1824         USBPort *ports[OHCI_MAX_PORTS];
1825         for(i = 0; i < num_ports; i++) {
1826             ports[i] = &ohci->rhport[i].port;
1827         }
1828         usb_register_companion(masterbus, ports, num_ports,
1829                                firstport, ohci, &ohci_port_ops,
1830                                USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL,
1831                                &err);
1832         if (err) {
1833             error_propagate(errp, err);
1834             return;
1835         }
1836     } else {
1837         usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1838         for (i = 0; i < num_ports; i++) {
1839             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1840                               ohci, i, &ohci_port_ops,
1841                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1842         }
1843     }
1844 
1845     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1846                           ohci, "ohci", 256);
1847     ohci->localmem_base = localmem_base;
1848 
1849     ohci->name = object_get_typename(OBJECT(dev));
1850     usb_packet_init(&ohci->usb_packet);
1851 
1852     ohci->async_td = 0;
1853 
1854     ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1855                                    ohci_frame_boundary, ohci);
1856 }
1857 
1858 /**
1859  * A typical OHCI will stop operating and set itself into error state
1860  * (which can be queried by MMIO) to signal that it got an error.
1861  */
1862 void ohci_sysbus_die(struct OHCIState *ohci)
1863 {
1864     trace_usb_ohci_die();
1865 
1866     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1867     ohci_bus_stop(ohci);
1868 }
1869 
1870 #define TYPE_SYSBUS_OHCI "sysbus-ohci"
1871 #define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
1872 
1873 typedef struct {
1874     /*< private >*/
1875     SysBusDevice parent_obj;
1876     /*< public >*/
1877 
1878     OHCIState ohci;
1879     char *masterbus;
1880     uint32_t num_ports;
1881     uint32_t firstport;
1882     dma_addr_t dma_offset;
1883 } OHCISysBusState;
1884 
1885 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
1886 {
1887     OHCISysBusState *s = SYSBUS_OHCI(dev);
1888     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1889     Error *err = NULL;
1890 
1891     usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset,
1892                   s->masterbus, s->firstport,
1893                   &address_space_memory, ohci_sysbus_die, &err);
1894     if (err) {
1895         error_propagate(errp, err);
1896         return;
1897     }
1898     sysbus_init_irq(sbd, &s->ohci.irq);
1899     sysbus_init_mmio(sbd, &s->ohci.mem);
1900 }
1901 
1902 static void usb_ohci_reset_sysbus(DeviceState *dev)
1903 {
1904     OHCISysBusState *s = SYSBUS_OHCI(dev);
1905     OHCIState *ohci = &s->ohci;
1906 
1907     ohci_hard_reset(ohci);
1908 }
1909 
1910 static const VMStateDescription vmstate_ohci_state_port = {
1911     .name = "ohci-core/port",
1912     .version_id = 1,
1913     .minimum_version_id = 1,
1914     .fields = (VMStateField[]) {
1915         VMSTATE_UINT32(ctrl, OHCIPort),
1916         VMSTATE_END_OF_LIST()
1917     },
1918 };
1919 
1920 static bool ohci_eof_timer_needed(void *opaque)
1921 {
1922     OHCIState *ohci = opaque;
1923 
1924     return timer_pending(ohci->eof_timer);
1925 }
1926 
1927 static const VMStateDescription vmstate_ohci_eof_timer = {
1928     .name = "ohci-core/eof-timer",
1929     .version_id = 1,
1930     .minimum_version_id = 1,
1931     .needed = ohci_eof_timer_needed,
1932     .fields = (VMStateField[]) {
1933         VMSTATE_TIMER_PTR(eof_timer, OHCIState),
1934         VMSTATE_END_OF_LIST()
1935     },
1936 };
1937 
1938 const VMStateDescription vmstate_ohci_state = {
1939     .name = "ohci-core",
1940     .version_id = 1,
1941     .minimum_version_id = 1,
1942     .fields = (VMStateField[]) {
1943         VMSTATE_INT64(sof_time, OHCIState),
1944         VMSTATE_UINT32(ctl, OHCIState),
1945         VMSTATE_UINT32(status, OHCIState),
1946         VMSTATE_UINT32(intr_status, OHCIState),
1947         VMSTATE_UINT32(intr, OHCIState),
1948         VMSTATE_UINT32(hcca, OHCIState),
1949         VMSTATE_UINT32(ctrl_head, OHCIState),
1950         VMSTATE_UINT32(ctrl_cur, OHCIState),
1951         VMSTATE_UINT32(bulk_head, OHCIState),
1952         VMSTATE_UINT32(bulk_cur, OHCIState),
1953         VMSTATE_UINT32(per_cur, OHCIState),
1954         VMSTATE_UINT32(done, OHCIState),
1955         VMSTATE_INT32(done_count, OHCIState),
1956         VMSTATE_UINT16(fsmps, OHCIState),
1957         VMSTATE_UINT8(fit, OHCIState),
1958         VMSTATE_UINT16(fi, OHCIState),
1959         VMSTATE_UINT8(frt, OHCIState),
1960         VMSTATE_UINT16(frame_number, OHCIState),
1961         VMSTATE_UINT16(padding, OHCIState),
1962         VMSTATE_UINT32(pstart, OHCIState),
1963         VMSTATE_UINT32(lst, OHCIState),
1964         VMSTATE_UINT32(rhdesc_a, OHCIState),
1965         VMSTATE_UINT32(rhdesc_b, OHCIState),
1966         VMSTATE_UINT32(rhstatus, OHCIState),
1967         VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
1968                              vmstate_ohci_state_port, OHCIPort),
1969         VMSTATE_UINT32(hstatus, OHCIState),
1970         VMSTATE_UINT32(hmask, OHCIState),
1971         VMSTATE_UINT32(hreset, OHCIState),
1972         VMSTATE_UINT32(htest, OHCIState),
1973         VMSTATE_UINT32(old_ctl, OHCIState),
1974         VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
1975         VMSTATE_UINT32(async_td, OHCIState),
1976         VMSTATE_BOOL(async_complete, OHCIState),
1977         VMSTATE_END_OF_LIST()
1978     },
1979     .subsections = (const VMStateDescription*[]) {
1980         &vmstate_ohci_eof_timer,
1981         NULL
1982     }
1983 };
1984 
1985 static Property ohci_sysbus_properties[] = {
1986     DEFINE_PROP_STRING("masterbus", OHCISysBusState, masterbus),
1987     DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
1988     DEFINE_PROP_UINT32("firstport", OHCISysBusState, firstport, 0),
1989     DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 0),
1990     DEFINE_PROP_END_OF_LIST(),
1991 };
1992 
1993 static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
1994 {
1995     DeviceClass *dc = DEVICE_CLASS(klass);
1996 
1997     dc->realize = ohci_realize_pxa;
1998     set_bit(DEVICE_CATEGORY_USB, dc->categories);
1999     dc->desc = "OHCI USB Controller";
2000     dc->props = ohci_sysbus_properties;
2001     dc->reset = usb_ohci_reset_sysbus;
2002 }
2003 
2004 static const TypeInfo ohci_sysbus_info = {
2005     .name          = TYPE_SYSBUS_OHCI,
2006     .parent        = TYPE_SYS_BUS_DEVICE,
2007     .instance_size = sizeof(OHCISysBusState),
2008     .class_init    = ohci_sysbus_class_init,
2009 };
2010 
2011 static void ohci_register_types(void)
2012 {
2013     type_register_static(&ohci_sysbus_info);
2014 }
2015 
2016 type_init(ohci_register_types)
2017