xref: /openbmc/qemu/hw/usb/hcd-ohci.c (revision bfb27e60)
1 /*
2  * QEMU USB OHCI Emulation
3  * Copyright (c) 2004 Gianni Tedesco
4  * Copyright (c) 2006 CodeSourcery
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * This library is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU Lesser General Public
9  * License as published by the Free Software Foundation; either
10  * version 2 of the License, or (at your option) any later version.
11  *
12  * This library is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * TODO:
21  *  o Isochronous transfers
22  *  o Allocate bandwidth in frames properly
23  *  o Disable timers when nothing needs to be done, or remove timer usage
24  *    all together.
25  *  o BIOS work to boot from USB storage
26 */
27 
28 #include "hw/hw.h"
29 #include "qemu/timer.h"
30 #include "hw/usb.h"
31 #include "hw/pci/pci.h"
32 #include "hw/sysbus.h"
33 #include "hw/qdev-dma.h"
34 
35 //#define DEBUG_OHCI
36 /* Dump packet contents.  */
37 //#define DEBUG_PACKET
38 //#define DEBUG_ISOCH
39 /* This causes frames to occur 1000x slower */
40 //#define OHCI_TIME_WARP 1
41 
42 #ifdef DEBUG_OHCI
43 #define DPRINTF printf
44 #else
45 #define DPRINTF(...)
46 #endif
47 
48 /* Number of Downstream Ports on the root hub.  */
49 
50 #define OHCI_MAX_PORTS 15
51 
52 static int64_t usb_frame_time;
53 static int64_t usb_bit_time;
54 
55 typedef struct OHCIPort {
56     USBPort port;
57     uint32_t ctrl;
58 } OHCIPort;
59 
60 typedef struct {
61     USBBus bus;
62     qemu_irq irq;
63     MemoryRegion mem;
64     AddressSpace *as;
65     int num_ports;
66     const char *name;
67 
68     QEMUTimer *eof_timer;
69     int64_t sof_time;
70 
71     /* OHCI state */
72     /* Control partition */
73     uint32_t ctl, status;
74     uint32_t intr_status;
75     uint32_t intr;
76 
77     /* memory pointer partition */
78     uint32_t hcca;
79     uint32_t ctrl_head, ctrl_cur;
80     uint32_t bulk_head, bulk_cur;
81     uint32_t per_cur;
82     uint32_t done;
83     int32_t done_count;
84 
85     /* Frame counter partition */
86     uint16_t fsmps;
87     uint8_t fit;
88     uint16_t fi;
89     uint8_t frt;
90     uint16_t frame_number;
91     uint16_t padding;
92     uint32_t pstart;
93     uint32_t lst;
94 
95     /* Root Hub partition */
96     uint32_t rhdesc_a, rhdesc_b;
97     uint32_t rhstatus;
98     OHCIPort rhport[OHCI_MAX_PORTS];
99 
100     /* PXA27x Non-OHCI events */
101     uint32_t hstatus;
102     uint32_t hmask;
103     uint32_t hreset;
104     uint32_t htest;
105 
106     /* SM501 local memory offset */
107     dma_addr_t localmem_base;
108 
109     /* Active packets.  */
110     uint32_t old_ctl;
111     USBPacket usb_packet;
112     uint8_t usb_buf[8192];
113     uint32_t async_td;
114     bool async_complete;
115 
116 } OHCIState;
117 
118 /* Host Controller Communications Area */
119 struct ohci_hcca {
120     uint32_t intr[32];
121     uint16_t frame, pad;
122     uint32_t done;
123 };
124 #define HCCA_WRITEBACK_OFFSET   offsetof(struct ohci_hcca, frame)
125 #define HCCA_WRITEBACK_SIZE     8 /* frame, pad, done */
126 
127 #define ED_WBACK_OFFSET offsetof(struct ohci_ed, head)
128 #define ED_WBACK_SIZE   4
129 
130 static void ohci_bus_stop(OHCIState *ohci);
131 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev);
132 
133 /* Bitfields for the first word of an Endpoint Desciptor.  */
134 #define OHCI_ED_FA_SHIFT  0
135 #define OHCI_ED_FA_MASK   (0x7f<<OHCI_ED_FA_SHIFT)
136 #define OHCI_ED_EN_SHIFT  7
137 #define OHCI_ED_EN_MASK   (0xf<<OHCI_ED_EN_SHIFT)
138 #define OHCI_ED_D_SHIFT   11
139 #define OHCI_ED_D_MASK    (3<<OHCI_ED_D_SHIFT)
140 #define OHCI_ED_S         (1<<13)
141 #define OHCI_ED_K         (1<<14)
142 #define OHCI_ED_F         (1<<15)
143 #define OHCI_ED_MPS_SHIFT 16
144 #define OHCI_ED_MPS_MASK  (0x7ff<<OHCI_ED_MPS_SHIFT)
145 
146 /* Flags in the head field of an Endpoint Desciptor.  */
147 #define OHCI_ED_H         1
148 #define OHCI_ED_C         2
149 
150 /* Bitfields for the first word of a Transfer Desciptor.  */
151 #define OHCI_TD_R         (1<<18)
152 #define OHCI_TD_DP_SHIFT  19
153 #define OHCI_TD_DP_MASK   (3<<OHCI_TD_DP_SHIFT)
154 #define OHCI_TD_DI_SHIFT  21
155 #define OHCI_TD_DI_MASK   (7<<OHCI_TD_DI_SHIFT)
156 #define OHCI_TD_T0        (1<<24)
157 #define OHCI_TD_T1        (1<<25)
158 #define OHCI_TD_EC_SHIFT  26
159 #define OHCI_TD_EC_MASK   (3<<OHCI_TD_EC_SHIFT)
160 #define OHCI_TD_CC_SHIFT  28
161 #define OHCI_TD_CC_MASK   (0xf<<OHCI_TD_CC_SHIFT)
162 
163 /* Bitfields for the first word of an Isochronous Transfer Desciptor.  */
164 /* CC & DI - same as in the General Transfer Desciptor */
165 #define OHCI_TD_SF_SHIFT  0
166 #define OHCI_TD_SF_MASK   (0xffff<<OHCI_TD_SF_SHIFT)
167 #define OHCI_TD_FC_SHIFT  24
168 #define OHCI_TD_FC_MASK   (7<<OHCI_TD_FC_SHIFT)
169 
170 /* Isochronous Transfer Desciptor - Offset / PacketStatusWord */
171 #define OHCI_TD_PSW_CC_SHIFT 12
172 #define OHCI_TD_PSW_CC_MASK  (0xf<<OHCI_TD_PSW_CC_SHIFT)
173 #define OHCI_TD_PSW_SIZE_SHIFT 0
174 #define OHCI_TD_PSW_SIZE_MASK  (0xfff<<OHCI_TD_PSW_SIZE_SHIFT)
175 
176 #define OHCI_PAGE_MASK    0xfffff000
177 #define OHCI_OFFSET_MASK  0xfff
178 
179 #define OHCI_DPTR_MASK    0xfffffff0
180 
181 #define OHCI_BM(val, field) \
182   (((val) & OHCI_##field##_MASK) >> OHCI_##field##_SHIFT)
183 
184 #define OHCI_SET_BM(val, field, newval) do { \
185     val &= ~OHCI_##field##_MASK; \
186     val |= ((newval) << OHCI_##field##_SHIFT) & OHCI_##field##_MASK; \
187     } while(0)
188 
189 /* endpoint descriptor */
190 struct ohci_ed {
191     uint32_t flags;
192     uint32_t tail;
193     uint32_t head;
194     uint32_t next;
195 };
196 
197 /* General transfer descriptor */
198 struct ohci_td {
199     uint32_t flags;
200     uint32_t cbp;
201     uint32_t next;
202     uint32_t be;
203 };
204 
205 /* Isochronous transfer descriptor */
206 struct ohci_iso_td {
207     uint32_t flags;
208     uint32_t bp;
209     uint32_t next;
210     uint32_t be;
211     uint16_t offset[8];
212 };
213 
214 #define USB_HZ                      12000000
215 
216 /* OHCI Local stuff */
217 #define OHCI_CTL_CBSR         ((1<<0)|(1<<1))
218 #define OHCI_CTL_PLE          (1<<2)
219 #define OHCI_CTL_IE           (1<<3)
220 #define OHCI_CTL_CLE          (1<<4)
221 #define OHCI_CTL_BLE          (1<<5)
222 #define OHCI_CTL_HCFS         ((1<<6)|(1<<7))
223 #define  OHCI_USB_RESET       0x00
224 #define  OHCI_USB_RESUME      0x40
225 #define  OHCI_USB_OPERATIONAL 0x80
226 #define  OHCI_USB_SUSPEND     0xc0
227 #define OHCI_CTL_IR           (1<<8)
228 #define OHCI_CTL_RWC          (1<<9)
229 #define OHCI_CTL_RWE          (1<<10)
230 
231 #define OHCI_STATUS_HCR       (1<<0)
232 #define OHCI_STATUS_CLF       (1<<1)
233 #define OHCI_STATUS_BLF       (1<<2)
234 #define OHCI_STATUS_OCR       (1<<3)
235 #define OHCI_STATUS_SOC       ((1<<6)|(1<<7))
236 
237 #define OHCI_INTR_SO          (1U<<0) /* Scheduling overrun */
238 #define OHCI_INTR_WD          (1U<<1) /* HcDoneHead writeback */
239 #define OHCI_INTR_SF          (1U<<2) /* Start of frame */
240 #define OHCI_INTR_RD          (1U<<3) /* Resume detect */
241 #define OHCI_INTR_UE          (1U<<4) /* Unrecoverable error */
242 #define OHCI_INTR_FNO         (1U<<5) /* Frame number overflow */
243 #define OHCI_INTR_RHSC        (1U<<6) /* Root hub status change */
244 #define OHCI_INTR_OC          (1U<<30) /* Ownership change */
245 #define OHCI_INTR_MIE         (1U<<31) /* Master Interrupt Enable */
246 
247 #define OHCI_HCCA_SIZE        0x100
248 #define OHCI_HCCA_MASK        0xffffff00
249 
250 #define OHCI_EDPTR_MASK       0xfffffff0
251 
252 #define OHCI_FMI_FI           0x00003fff
253 #define OHCI_FMI_FSMPS        0xffff0000
254 #define OHCI_FMI_FIT          0x80000000
255 
256 #define OHCI_FR_RT            (1U<<31)
257 
258 #define OHCI_LS_THRESH        0x628
259 
260 #define OHCI_RHA_RW_MASK      0x00000000 /* Mask of supported features.  */
261 #define OHCI_RHA_PSM          (1<<8)
262 #define OHCI_RHA_NPS          (1<<9)
263 #define OHCI_RHA_DT           (1<<10)
264 #define OHCI_RHA_OCPM         (1<<11)
265 #define OHCI_RHA_NOCP         (1<<12)
266 #define OHCI_RHA_POTPGT_MASK  0xff000000
267 
268 #define OHCI_RHS_LPS          (1U<<0)
269 #define OHCI_RHS_OCI          (1U<<1)
270 #define OHCI_RHS_DRWE         (1U<<15)
271 #define OHCI_RHS_LPSC         (1U<<16)
272 #define OHCI_RHS_OCIC         (1U<<17)
273 #define OHCI_RHS_CRWE         (1U<<31)
274 
275 #define OHCI_PORT_CCS         (1<<0)
276 #define OHCI_PORT_PES         (1<<1)
277 #define OHCI_PORT_PSS         (1<<2)
278 #define OHCI_PORT_POCI        (1<<3)
279 #define OHCI_PORT_PRS         (1<<4)
280 #define OHCI_PORT_PPS         (1<<8)
281 #define OHCI_PORT_LSDA        (1<<9)
282 #define OHCI_PORT_CSC         (1<<16)
283 #define OHCI_PORT_PESC        (1<<17)
284 #define OHCI_PORT_PSSC        (1<<18)
285 #define OHCI_PORT_OCIC        (1<<19)
286 #define OHCI_PORT_PRSC        (1<<20)
287 #define OHCI_PORT_WTC         (OHCI_PORT_CSC|OHCI_PORT_PESC|OHCI_PORT_PSSC \
288                                |OHCI_PORT_OCIC|OHCI_PORT_PRSC)
289 
290 #define OHCI_TD_DIR_SETUP     0x0
291 #define OHCI_TD_DIR_OUT       0x1
292 #define OHCI_TD_DIR_IN        0x2
293 #define OHCI_TD_DIR_RESERVED  0x3
294 
295 #define OHCI_CC_NOERROR             0x0
296 #define OHCI_CC_CRC                 0x1
297 #define OHCI_CC_BITSTUFFING         0x2
298 #define OHCI_CC_DATATOGGLEMISMATCH  0x3
299 #define OHCI_CC_STALL               0x4
300 #define OHCI_CC_DEVICENOTRESPONDING 0x5
301 #define OHCI_CC_PIDCHECKFAILURE     0x6
302 #define OHCI_CC_UNDEXPETEDPID       0x7
303 #define OHCI_CC_DATAOVERRUN         0x8
304 #define OHCI_CC_DATAUNDERRUN        0x9
305 #define OHCI_CC_BUFFEROVERRUN       0xc
306 #define OHCI_CC_BUFFERUNDERRUN      0xd
307 
308 #define OHCI_HRESET_FSBIR       (1 << 0)
309 
310 static void ohci_die(OHCIState *ohci);
311 
312 /* Update IRQ levels */
313 static inline void ohci_intr_update(OHCIState *ohci)
314 {
315     int level = 0;
316 
317     if ((ohci->intr & OHCI_INTR_MIE) &&
318         (ohci->intr_status & ohci->intr))
319         level = 1;
320 
321     qemu_set_irq(ohci->irq, level);
322 }
323 
324 /* Set an interrupt */
325 static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
326 {
327     ohci->intr_status |= intr;
328     ohci_intr_update(ohci);
329 }
330 
331 /* Attach or detach a device on a root hub port.  */
332 static void ohci_attach(USBPort *port1)
333 {
334     OHCIState *s = port1->opaque;
335     OHCIPort *port = &s->rhport[port1->index];
336     uint32_t old_state = port->ctrl;
337 
338     /* set connect status */
339     port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
340 
341     /* update speed */
342     if (port->port.dev->speed == USB_SPEED_LOW) {
343         port->ctrl |= OHCI_PORT_LSDA;
344     } else {
345         port->ctrl &= ~OHCI_PORT_LSDA;
346     }
347 
348     /* notify of remote-wakeup */
349     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
350         ohci_set_interrupt(s, OHCI_INTR_RD);
351     }
352 
353     DPRINTF("usb-ohci: Attached port %d\n", port1->index);
354 
355     if (old_state != port->ctrl) {
356         ohci_set_interrupt(s, OHCI_INTR_RHSC);
357     }
358 }
359 
360 static void ohci_detach(USBPort *port1)
361 {
362     OHCIState *s = port1->opaque;
363     OHCIPort *port = &s->rhport[port1->index];
364     uint32_t old_state = port->ctrl;
365 
366     ohci_async_cancel_device(s, port1->dev);
367 
368     /* set connect status */
369     if (port->ctrl & OHCI_PORT_CCS) {
370         port->ctrl &= ~OHCI_PORT_CCS;
371         port->ctrl |= OHCI_PORT_CSC;
372     }
373     /* disable port */
374     if (port->ctrl & OHCI_PORT_PES) {
375         port->ctrl &= ~OHCI_PORT_PES;
376         port->ctrl |= OHCI_PORT_PESC;
377     }
378     DPRINTF("usb-ohci: Detached port %d\n", port1->index);
379 
380     if (old_state != port->ctrl) {
381         ohci_set_interrupt(s, OHCI_INTR_RHSC);
382     }
383 }
384 
385 static void ohci_wakeup(USBPort *port1)
386 {
387     OHCIState *s = port1->opaque;
388     OHCIPort *port = &s->rhport[port1->index];
389     uint32_t intr = 0;
390     if (port->ctrl & OHCI_PORT_PSS) {
391         DPRINTF("usb-ohci: port %d: wakeup\n", port1->index);
392         port->ctrl |= OHCI_PORT_PSSC;
393         port->ctrl &= ~OHCI_PORT_PSS;
394         intr = OHCI_INTR_RHSC;
395     }
396     /* Note that the controller can be suspended even if this port is not */
397     if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
398         DPRINTF("usb-ohci: remote-wakeup: SUSPEND->RESUME\n");
399         /* This is the one state transition the controller can do by itself */
400         s->ctl &= ~OHCI_CTL_HCFS;
401         s->ctl |= OHCI_USB_RESUME;
402         /* In suspend mode only ResumeDetected is possible, not RHSC:
403          * see the OHCI spec 5.1.2.3.
404          */
405         intr = OHCI_INTR_RD;
406     }
407     ohci_set_interrupt(s, intr);
408 }
409 
410 static void ohci_child_detach(USBPort *port1, USBDevice *child)
411 {
412     OHCIState *s = port1->opaque;
413 
414     ohci_async_cancel_device(s, child);
415 }
416 
417 static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
418 {
419     USBDevice *dev;
420     int i;
421 
422     for (i = 0; i < ohci->num_ports; i++) {
423         if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
424             continue;
425         }
426         dev = usb_find_device(&ohci->rhport[i].port, addr);
427         if (dev != NULL) {
428             return dev;
429         }
430     }
431     return NULL;
432 }
433 
434 static void ohci_stop_endpoints(OHCIState *ohci)
435 {
436     USBDevice *dev;
437     int i, j;
438 
439     for (i = 0; i < ohci->num_ports; i++) {
440         dev = ohci->rhport[i].port.dev;
441         if (dev && dev->attached) {
442             usb_device_ep_stopped(dev, &dev->ep_ctl);
443             for (j = 0; j < USB_MAX_ENDPOINTS; j++) {
444                 usb_device_ep_stopped(dev, &dev->ep_in[j]);
445                 usb_device_ep_stopped(dev, &dev->ep_out[j]);
446             }
447         }
448     }
449 }
450 
451 /* Reset the controller */
452 static void ohci_reset(void *opaque)
453 {
454     OHCIState *ohci = opaque;
455     OHCIPort *port;
456     int i;
457 
458     ohci_bus_stop(ohci);
459     ohci->ctl = 0;
460     ohci->old_ctl = 0;
461     ohci->status = 0;
462     ohci->intr_status = 0;
463     ohci->intr = OHCI_INTR_MIE;
464 
465     ohci->hcca = 0;
466     ohci->ctrl_head = ohci->ctrl_cur = 0;
467     ohci->bulk_head = ohci->bulk_cur = 0;
468     ohci->per_cur = 0;
469     ohci->done = 0;
470     ohci->done_count = 7;
471 
472     /* FSMPS is marked TBD in OCHI 1.0, what gives ffs?
473      * I took the value linux sets ...
474      */
475     ohci->fsmps = 0x2778;
476     ohci->fi = 0x2edf;
477     ohci->fit = 0;
478     ohci->frt = 0;
479     ohci->frame_number = 0;
480     ohci->pstart = 0;
481     ohci->lst = OHCI_LS_THRESH;
482 
483     ohci->rhdesc_a = OHCI_RHA_NPS | ohci->num_ports;
484     ohci->rhdesc_b = 0x0; /* Impl. specific */
485     ohci->rhstatus = 0;
486 
487     for (i = 0; i < ohci->num_ports; i++)
488       {
489         port = &ohci->rhport[i];
490         port->ctrl = 0;
491         if (port->port.dev && port->port.dev->attached) {
492             usb_port_reset(&port->port);
493         }
494       }
495     if (ohci->async_td) {
496         usb_cancel_packet(&ohci->usb_packet);
497         ohci->async_td = 0;
498     }
499     ohci_stop_endpoints(ohci);
500     DPRINTF("usb-ohci: Reset %s\n", ohci->name);
501 }
502 
503 /* Get an array of dwords from main memory */
504 static inline int get_dwords(OHCIState *ohci,
505                              dma_addr_t addr, uint32_t *buf, int num)
506 {
507     int i;
508 
509     addr += ohci->localmem_base;
510 
511     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
512         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
513             return -1;
514         }
515         *buf = le32_to_cpu(*buf);
516     }
517 
518     return 0;
519 }
520 
521 /* Put an array of dwords in to main memory */
522 static inline int put_dwords(OHCIState *ohci,
523                              dma_addr_t addr, uint32_t *buf, int num)
524 {
525     int i;
526 
527     addr += ohci->localmem_base;
528 
529     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
530         uint32_t tmp = cpu_to_le32(*buf);
531         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
532             return -1;
533         }
534     }
535 
536     return 0;
537 }
538 
539 /* Get an array of words from main memory */
540 static inline int get_words(OHCIState *ohci,
541                             dma_addr_t addr, uint16_t *buf, int num)
542 {
543     int i;
544 
545     addr += ohci->localmem_base;
546 
547     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
548         if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
549             return -1;
550         }
551         *buf = le16_to_cpu(*buf);
552     }
553 
554     return 0;
555 }
556 
557 /* Put an array of words in to main memory */
558 static inline int put_words(OHCIState *ohci,
559                             dma_addr_t addr, uint16_t *buf, int num)
560 {
561     int i;
562 
563     addr += ohci->localmem_base;
564 
565     for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
566         uint16_t tmp = cpu_to_le16(*buf);
567         if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
568             return -1;
569         }
570     }
571 
572     return 0;
573 }
574 
575 static inline int ohci_read_ed(OHCIState *ohci,
576                                dma_addr_t addr, struct ohci_ed *ed)
577 {
578     return get_dwords(ohci, addr, (uint32_t *)ed, sizeof(*ed) >> 2);
579 }
580 
581 static inline int ohci_read_td(OHCIState *ohci,
582                                dma_addr_t addr, struct ohci_td *td)
583 {
584     return get_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
585 }
586 
587 static inline int ohci_read_iso_td(OHCIState *ohci,
588                                    dma_addr_t addr, struct ohci_iso_td *td)
589 {
590     return get_dwords(ohci, addr, (uint32_t *)td, 4) ||
591            get_words(ohci, addr + 16, td->offset, 8);
592 }
593 
594 static inline int ohci_read_hcca(OHCIState *ohci,
595                                  dma_addr_t addr, struct ohci_hcca *hcca)
596 {
597     return dma_memory_read(ohci->as, addr + ohci->localmem_base,
598                            hcca, sizeof(*hcca));
599 }
600 
601 static inline int ohci_put_ed(OHCIState *ohci,
602                               dma_addr_t addr, struct ohci_ed *ed)
603 {
604     /* ed->tail is under control of the HCD.
605      * Since just ed->head is changed by HC, just write back this
606      */
607 
608     return put_dwords(ohci, addr + ED_WBACK_OFFSET,
609                       (uint32_t *)((char *)ed + ED_WBACK_OFFSET),
610                       ED_WBACK_SIZE >> 2);
611 }
612 
613 static inline int ohci_put_td(OHCIState *ohci,
614                               dma_addr_t addr, struct ohci_td *td)
615 {
616     return put_dwords(ohci, addr, (uint32_t *)td, sizeof(*td) >> 2);
617 }
618 
619 static inline int ohci_put_iso_td(OHCIState *ohci,
620                                   dma_addr_t addr, struct ohci_iso_td *td)
621 {
622     return put_dwords(ohci, addr, (uint32_t *)td, 4) ||
623            put_words(ohci, addr + 16, td->offset, 8);
624 }
625 
626 static inline int ohci_put_hcca(OHCIState *ohci,
627                                 dma_addr_t addr, struct ohci_hcca *hcca)
628 {
629     return dma_memory_write(ohci->as,
630                             addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
631                             (char *)hcca + HCCA_WRITEBACK_OFFSET,
632                             HCCA_WRITEBACK_SIZE);
633 }
634 
635 /* Read/Write the contents of a TD from/to main memory.  */
636 static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
637                         uint8_t *buf, int len, DMADirection dir)
638 {
639     dma_addr_t ptr, n;
640 
641     ptr = td->cbp;
642     n = 0x1000 - (ptr & 0xfff);
643     if (n > len)
644         n = len;
645 
646     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
647         return -1;
648     }
649     if (n == len) {
650         return 0;
651     }
652     ptr = td->be & ~0xfffu;
653     buf += n;
654     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
655                       len - n, dir)) {
656         return -1;
657     }
658     return 0;
659 }
660 
661 /* Read/Write the contents of an ISO TD from/to main memory.  */
662 static int ohci_copy_iso_td(OHCIState *ohci,
663                             uint32_t start_addr, uint32_t end_addr,
664                             uint8_t *buf, int len, DMADirection dir)
665 {
666     dma_addr_t ptr, n;
667 
668     ptr = start_addr;
669     n = 0x1000 - (ptr & 0xfff);
670     if (n > len)
671         n = len;
672 
673     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
674         return -1;
675     }
676     if (n == len) {
677         return 0;
678     }
679     ptr = end_addr & ~0xfffu;
680     buf += n;
681     if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
682                       len - n, dir)) {
683         return -1;
684     }
685     return 0;
686 }
687 
688 static void ohci_process_lists(OHCIState *ohci, int completion);
689 
690 static void ohci_async_complete_packet(USBPort *port, USBPacket *packet)
691 {
692     OHCIState *ohci = container_of(packet, OHCIState, usb_packet);
693 #ifdef DEBUG_PACKET
694     DPRINTF("Async packet complete\n");
695 #endif
696     ohci->async_complete = true;
697     ohci_process_lists(ohci, 1);
698 }
699 
700 #define USUB(a, b) ((int16_t)((uint16_t)(a) - (uint16_t)(b)))
701 
702 static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
703                                int completion)
704 {
705     int dir;
706     size_t len = 0;
707 #ifdef DEBUG_ISOCH
708     const char *str = NULL;
709 #endif
710     int pid;
711     int ret;
712     int i;
713     USBDevice *dev;
714     USBEndpoint *ep;
715     struct ohci_iso_td iso_td;
716     uint32_t addr;
717     uint16_t starting_frame;
718     int16_t relative_frame_number;
719     int frame_count;
720     uint32_t start_offset, next_offset, end_offset = 0;
721     uint32_t start_addr, end_addr;
722 
723     addr = ed->head & OHCI_DPTR_MASK;
724 
725     if (ohci_read_iso_td(ohci, addr, &iso_td)) {
726         printf("usb-ohci: ISO_TD read error at %x\n", addr);
727         ohci_die(ohci);
728         return 0;
729     }
730 
731     starting_frame = OHCI_BM(iso_td.flags, TD_SF);
732     frame_count = OHCI_BM(iso_td.flags, TD_FC);
733     relative_frame_number = USUB(ohci->frame_number, starting_frame);
734 
735 #ifdef DEBUG_ISOCH
736     printf("--- ISO_TD ED head 0x%.8x tailp 0x%.8x\n"
737            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
738            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
739            "0x%.8x 0x%.8x 0x%.8x 0x%.8x\n"
740            "frame_number 0x%.8x starting_frame 0x%.8x\n"
741            "frame_count  0x%.8x relative %d\n"
742            "di 0x%.8x cc 0x%.8x\n",
743            ed->head & OHCI_DPTR_MASK, ed->tail & OHCI_DPTR_MASK,
744            iso_td.flags, iso_td.bp, iso_td.next, iso_td.be,
745            iso_td.offset[0], iso_td.offset[1], iso_td.offset[2], iso_td.offset[3],
746            iso_td.offset[4], iso_td.offset[5], iso_td.offset[6], iso_td.offset[7],
747            ohci->frame_number, starting_frame,
748            frame_count, relative_frame_number,
749            OHCI_BM(iso_td.flags, TD_DI), OHCI_BM(iso_td.flags, TD_CC));
750 #endif
751 
752     if (relative_frame_number < 0) {
753         DPRINTF("usb-ohci: ISO_TD R=%d < 0\n", relative_frame_number);
754         return 1;
755     } else if (relative_frame_number > frame_count) {
756         /* ISO TD expired - retire the TD to the Done Queue and continue with
757            the next ISO TD of the same ED */
758         DPRINTF("usb-ohci: ISO_TD R=%d > FC=%d\n", relative_frame_number,
759                frame_count);
760         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
761         ed->head &= ~OHCI_DPTR_MASK;
762         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
763         iso_td.next = ohci->done;
764         ohci->done = addr;
765         i = OHCI_BM(iso_td.flags, TD_DI);
766         if (i < ohci->done_count)
767             ohci->done_count = i;
768         if (ohci_put_iso_td(ohci, addr, &iso_td)) {
769             ohci_die(ohci);
770             return 1;
771         }
772         return 0;
773     }
774 
775     dir = OHCI_BM(ed->flags, ED_D);
776     switch (dir) {
777     case OHCI_TD_DIR_IN:
778 #ifdef DEBUG_ISOCH
779         str = "in";
780 #endif
781         pid = USB_TOKEN_IN;
782         break;
783     case OHCI_TD_DIR_OUT:
784 #ifdef DEBUG_ISOCH
785         str = "out";
786 #endif
787         pid = USB_TOKEN_OUT;
788         break;
789     case OHCI_TD_DIR_SETUP:
790 #ifdef DEBUG_ISOCH
791         str = "setup";
792 #endif
793         pid = USB_TOKEN_SETUP;
794         break;
795     default:
796         printf("usb-ohci: Bad direction %d\n", dir);
797         return 1;
798     }
799 
800     if (!iso_td.bp || !iso_td.be) {
801         printf("usb-ohci: ISO_TD bp 0x%.8x be 0x%.8x\n", iso_td.bp, iso_td.be);
802         return 1;
803     }
804 
805     start_offset = iso_td.offset[relative_frame_number];
806     next_offset = iso_td.offset[relative_frame_number + 1];
807 
808     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
809         ((relative_frame_number < frame_count) &&
810          !(OHCI_BM(next_offset, TD_PSW_CC) & 0xe))) {
811         printf("usb-ohci: ISO_TD cc != not accessed 0x%.8x 0x%.8x\n",
812                start_offset, next_offset);
813         return 1;
814     }
815 
816     if ((relative_frame_number < frame_count) && (start_offset > next_offset)) {
817         printf("usb-ohci: ISO_TD start_offset=0x%.8x > next_offset=0x%.8x\n",
818                 start_offset, next_offset);
819         return 1;
820     }
821 
822     if ((start_offset & 0x1000) == 0) {
823         start_addr = (iso_td.bp & OHCI_PAGE_MASK) |
824             (start_offset & OHCI_OFFSET_MASK);
825     } else {
826         start_addr = (iso_td.be & OHCI_PAGE_MASK) |
827             (start_offset & OHCI_OFFSET_MASK);
828     }
829 
830     if (relative_frame_number < frame_count) {
831         end_offset = next_offset - 1;
832         if ((end_offset & 0x1000) == 0) {
833             end_addr = (iso_td.bp & OHCI_PAGE_MASK) |
834                 (end_offset & OHCI_OFFSET_MASK);
835         } else {
836             end_addr = (iso_td.be & OHCI_PAGE_MASK) |
837                 (end_offset & OHCI_OFFSET_MASK);
838         }
839     } else {
840         /* Last packet in the ISO TD */
841         end_addr = iso_td.be;
842     }
843 
844     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
845         len = (end_addr & OHCI_OFFSET_MASK) + 0x1001
846             - (start_addr & OHCI_OFFSET_MASK);
847     } else {
848         len = end_addr - start_addr + 1;
849     }
850 
851     if (len && dir != OHCI_TD_DIR_IN) {
852         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
853                              DMA_DIRECTION_TO_DEVICE)) {
854             ohci_die(ohci);
855             return 1;
856         }
857     }
858 
859     if (!completion) {
860         bool int_req = relative_frame_number == frame_count &&
861                        OHCI_BM(iso_td.flags, TD_DI) == 0;
862         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
863         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
864         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, false, int_req);
865         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
866         usb_handle_packet(dev, &ohci->usb_packet);
867         if (ohci->usb_packet.status == USB_RET_ASYNC) {
868             usb_device_flush_ep_queue(dev, ep);
869             return 1;
870         }
871     }
872     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
873         ret = ohci->usb_packet.actual_length;
874     } else {
875         ret = ohci->usb_packet.status;
876     }
877 
878 #ifdef DEBUG_ISOCH
879     printf("so 0x%.8x eo 0x%.8x\nsa 0x%.8x ea 0x%.8x\ndir %s len %zu ret %d\n",
880            start_offset, end_offset, start_addr, end_addr, str, len, ret);
881 #endif
882 
883     /* Writeback */
884     if (dir == OHCI_TD_DIR_IN && ret >= 0 && ret <= len) {
885         /* IN transfer succeeded */
886         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, ret,
887                              DMA_DIRECTION_FROM_DEVICE)) {
888             ohci_die(ohci);
889             return 1;
890         }
891         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
892                     OHCI_CC_NOERROR);
893         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, ret);
894     } else if (dir == OHCI_TD_DIR_OUT && ret == len) {
895         /* OUT transfer succeeded */
896         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
897                     OHCI_CC_NOERROR);
898         OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE, 0);
899     } else {
900         if (ret > (ssize_t) len) {
901             printf("usb-ohci: DataOverrun %d > %zu\n", ret, len);
902             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
903                         OHCI_CC_DATAOVERRUN);
904             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
905                         len);
906         } else if (ret >= 0) {
907             printf("usb-ohci: DataUnderrun %d\n", ret);
908             OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
909                         OHCI_CC_DATAUNDERRUN);
910         } else {
911             switch (ret) {
912             case USB_RET_IOERROR:
913             case USB_RET_NODEV:
914                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
915                             OHCI_CC_DEVICENOTRESPONDING);
916                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
917                             0);
918                 break;
919             case USB_RET_NAK:
920             case USB_RET_STALL:
921                 printf("usb-ohci: got NAK/STALL %d\n", ret);
922                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
923                             OHCI_CC_STALL);
924                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_SIZE,
925                             0);
926                 break;
927             default:
928                 printf("usb-ohci: Bad device response %d\n", ret);
929                 OHCI_SET_BM(iso_td.offset[relative_frame_number], TD_PSW_CC,
930                             OHCI_CC_UNDEXPETEDPID);
931                 break;
932             }
933         }
934     }
935 
936     if (relative_frame_number == frame_count) {
937         /* Last data packet of ISO TD - retire the TD to the Done Queue */
938         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_NOERROR);
939         ed->head &= ~OHCI_DPTR_MASK;
940         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
941         iso_td.next = ohci->done;
942         ohci->done = addr;
943         i = OHCI_BM(iso_td.flags, TD_DI);
944         if (i < ohci->done_count)
945             ohci->done_count = i;
946     }
947     if (ohci_put_iso_td(ohci, addr, &iso_td)) {
948         ohci_die(ohci);
949     }
950     return 1;
951 }
952 
953 /* Service a transport descriptor.
954    Returns nonzero to terminate processing of this endpoint.  */
955 
956 static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
957 {
958     int dir;
959     size_t len = 0, pktlen = 0;
960 #ifdef DEBUG_PACKET
961     const char *str = NULL;
962 #endif
963     int pid;
964     int ret;
965     int i;
966     USBDevice *dev;
967     USBEndpoint *ep;
968     struct ohci_td td;
969     uint32_t addr;
970     int flag_r;
971     int completion;
972 
973     addr = ed->head & OHCI_DPTR_MASK;
974     /* See if this TD has already been submitted to the device.  */
975     completion = (addr == ohci->async_td);
976     if (completion && !ohci->async_complete) {
977 #ifdef DEBUG_PACKET
978         DPRINTF("Skipping async TD\n");
979 #endif
980         return 1;
981     }
982     if (ohci_read_td(ohci, addr, &td)) {
983         fprintf(stderr, "usb-ohci: TD read error at %x\n", addr);
984         ohci_die(ohci);
985         return 0;
986     }
987 
988     dir = OHCI_BM(ed->flags, ED_D);
989     switch (dir) {
990     case OHCI_TD_DIR_OUT:
991     case OHCI_TD_DIR_IN:
992         /* Same value.  */
993         break;
994     default:
995         dir = OHCI_BM(td.flags, TD_DP);
996         break;
997     }
998 
999     switch (dir) {
1000     case OHCI_TD_DIR_IN:
1001 #ifdef DEBUG_PACKET
1002         str = "in";
1003 #endif
1004         pid = USB_TOKEN_IN;
1005         break;
1006     case OHCI_TD_DIR_OUT:
1007 #ifdef DEBUG_PACKET
1008         str = "out";
1009 #endif
1010         pid = USB_TOKEN_OUT;
1011         break;
1012     case OHCI_TD_DIR_SETUP:
1013 #ifdef DEBUG_PACKET
1014         str = "setup";
1015 #endif
1016         pid = USB_TOKEN_SETUP;
1017         break;
1018     default:
1019         fprintf(stderr, "usb-ohci: Bad direction\n");
1020         return 1;
1021     }
1022     if (td.cbp && td.be) {
1023         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
1024             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
1025         } else {
1026             len = (td.be - td.cbp) + 1;
1027         }
1028 
1029         pktlen = len;
1030         if (len && dir != OHCI_TD_DIR_IN) {
1031             /* The endpoint may not allow us to transfer it all now */
1032             pktlen = (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT;
1033             if (pktlen > len) {
1034                 pktlen = len;
1035             }
1036             if (!completion) {
1037                 if (ohci_copy_td(ohci, &td, ohci->usb_buf, pktlen,
1038                                  DMA_DIRECTION_TO_DEVICE)) {
1039                     ohci_die(ohci);
1040                 }
1041             }
1042         }
1043     }
1044 
1045     flag_r = (td.flags & OHCI_TD_R) != 0;
1046 #ifdef DEBUG_PACKET
1047     DPRINTF(" TD @ 0x%.8x %" PRId64 " of %" PRId64
1048             " bytes %s r=%d cbp=0x%.8x be=0x%.8x\n",
1049             addr, (int64_t)pktlen, (int64_t)len, str, flag_r, td.cbp, td.be);
1050 
1051     if (pktlen > 0 && dir != OHCI_TD_DIR_IN) {
1052         DPRINTF("  data:");
1053         for (i = 0; i < pktlen; i++) {
1054             printf(" %.2x", ohci->usb_buf[i]);
1055         }
1056         DPRINTF("\n");
1057     }
1058 #endif
1059     if (completion) {
1060         ohci->async_td = 0;
1061         ohci->async_complete = false;
1062     } else {
1063         if (ohci->async_td) {
1064             /* ??? The hardware should allow one active packet per
1065                endpoint.  We only allow one active packet per controller.
1066                This should be sufficient as long as devices respond in a
1067                timely manner.
1068             */
1069 #ifdef DEBUG_PACKET
1070             DPRINTF("Too many pending packets\n");
1071 #endif
1072             return 1;
1073         }
1074         dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
1075         ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
1076         usb_packet_setup(&ohci->usb_packet, pid, ep, 0, addr, !flag_r,
1077                          OHCI_BM(td.flags, TD_DI) == 0);
1078         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
1079         usb_handle_packet(dev, &ohci->usb_packet);
1080 #ifdef DEBUG_PACKET
1081         DPRINTF("status=%d\n", ohci->usb_packet.status);
1082 #endif
1083         if (ohci->usb_packet.status == USB_RET_ASYNC) {
1084             usb_device_flush_ep_queue(dev, ep);
1085             ohci->async_td = addr;
1086             return 1;
1087         }
1088     }
1089     if (ohci->usb_packet.status == USB_RET_SUCCESS) {
1090         ret = ohci->usb_packet.actual_length;
1091     } else {
1092         ret = ohci->usb_packet.status;
1093     }
1094 
1095     if (ret >= 0) {
1096         if (dir == OHCI_TD_DIR_IN) {
1097             if (ohci_copy_td(ohci, &td, ohci->usb_buf, ret,
1098                              DMA_DIRECTION_FROM_DEVICE)) {
1099                 ohci_die(ohci);
1100             }
1101 #ifdef DEBUG_PACKET
1102             DPRINTF("  data:");
1103             for (i = 0; i < ret; i++)
1104                 printf(" %.2x", ohci->usb_buf[i]);
1105             DPRINTF("\n");
1106 #endif
1107         } else {
1108             ret = pktlen;
1109         }
1110     }
1111 
1112     /* Writeback */
1113     if (ret == pktlen || (dir == OHCI_TD_DIR_IN && ret >= 0 && flag_r)) {
1114         /* Transmission succeeded.  */
1115         if (ret == len) {
1116             td.cbp = 0;
1117         } else {
1118             if ((td.cbp & 0xfff) + ret > 0xfff) {
1119                 td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
1120             } else {
1121                 td.cbp += ret;
1122             }
1123         }
1124         td.flags |= OHCI_TD_T1;
1125         td.flags ^= OHCI_TD_T0;
1126         OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_NOERROR);
1127         OHCI_SET_BM(td.flags, TD_EC, 0);
1128 
1129         if ((dir != OHCI_TD_DIR_IN) && (ret != len)) {
1130             /* Partial packet transfer: TD not ready to retire yet */
1131             goto exit_no_retire;
1132         }
1133 
1134         /* Setting ED_C is part of the TD retirement process */
1135         ed->head &= ~OHCI_ED_C;
1136         if (td.flags & OHCI_TD_T0)
1137             ed->head |= OHCI_ED_C;
1138     } else {
1139         if (ret >= 0) {
1140             DPRINTF("usb-ohci: Underrun\n");
1141             OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAUNDERRUN);
1142         } else {
1143             switch (ret) {
1144             case USB_RET_IOERROR:
1145             case USB_RET_NODEV:
1146                 DPRINTF("usb-ohci: got DEV ERROR\n");
1147                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DEVICENOTRESPONDING);
1148                 break;
1149             case USB_RET_NAK:
1150                 DPRINTF("usb-ohci: got NAK\n");
1151                 return 1;
1152             case USB_RET_STALL:
1153                 DPRINTF("usb-ohci: got STALL\n");
1154                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_STALL);
1155                 break;
1156             case USB_RET_BABBLE:
1157                 DPRINTF("usb-ohci: got BABBLE\n");
1158                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
1159                 break;
1160             default:
1161                 fprintf(stderr, "usb-ohci: Bad device response %d\n", ret);
1162                 OHCI_SET_BM(td.flags, TD_CC, OHCI_CC_UNDEXPETEDPID);
1163                 OHCI_SET_BM(td.flags, TD_EC, 3);
1164                 break;
1165             }
1166         }
1167         ed->head |= OHCI_ED_H;
1168     }
1169 
1170     /* Retire this TD */
1171     ed->head &= ~OHCI_DPTR_MASK;
1172     ed->head |= td.next & OHCI_DPTR_MASK;
1173     td.next = ohci->done;
1174     ohci->done = addr;
1175     i = OHCI_BM(td.flags, TD_DI);
1176     if (i < ohci->done_count)
1177         ohci->done_count = i;
1178 exit_no_retire:
1179     if (ohci_put_td(ohci, addr, &td)) {
1180         ohci_die(ohci);
1181         return 1;
1182     }
1183     return OHCI_BM(td.flags, TD_CC) != OHCI_CC_NOERROR;
1184 }
1185 
1186 /* Service an endpoint list.  Returns nonzero if active TD were found.  */
1187 static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
1188 {
1189     struct ohci_ed ed;
1190     uint32_t next_ed;
1191     uint32_t cur;
1192     int active;
1193 
1194     active = 0;
1195 
1196     if (head == 0)
1197         return 0;
1198 
1199     for (cur = head; cur; cur = next_ed) {
1200         if (ohci_read_ed(ohci, cur, &ed)) {
1201             fprintf(stderr, "usb-ohci: ED read error at %x\n", cur);
1202             ohci_die(ohci);
1203             return 0;
1204         }
1205 
1206         next_ed = ed.next & OHCI_DPTR_MASK;
1207 
1208         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
1209             uint32_t addr;
1210             /* Cancel pending packets for ED that have been paused.  */
1211             addr = ed.head & OHCI_DPTR_MASK;
1212             if (ohci->async_td && addr == ohci->async_td) {
1213                 usb_cancel_packet(&ohci->usb_packet);
1214                 ohci->async_td = 0;
1215                 usb_device_ep_stopped(ohci->usb_packet.ep->dev,
1216                                       ohci->usb_packet.ep);
1217             }
1218             continue;
1219         }
1220 
1221         while ((ed.head & OHCI_DPTR_MASK) != ed.tail) {
1222 #ifdef DEBUG_PACKET
1223             DPRINTF("ED @ 0x%.8x fa=%u en=%u d=%u s=%u k=%u f=%u mps=%u "
1224                     "h=%u c=%u\n  head=0x%.8x tailp=0x%.8x next=0x%.8x\n", cur,
1225                     OHCI_BM(ed.flags, ED_FA), OHCI_BM(ed.flags, ED_EN),
1226                     OHCI_BM(ed.flags, ED_D), (ed.flags & OHCI_ED_S)!= 0,
1227                     (ed.flags & OHCI_ED_K) != 0, (ed.flags & OHCI_ED_F) != 0,
1228                     OHCI_BM(ed.flags, ED_MPS), (ed.head & OHCI_ED_H) != 0,
1229                     (ed.head & OHCI_ED_C) != 0, ed.head & OHCI_DPTR_MASK,
1230                     ed.tail & OHCI_DPTR_MASK, ed.next & OHCI_DPTR_MASK);
1231 #endif
1232             active = 1;
1233 
1234             if ((ed.flags & OHCI_ED_F) == 0) {
1235                 if (ohci_service_td(ohci, &ed))
1236                     break;
1237             } else {
1238                 /* Handle isochronous endpoints */
1239                 if (ohci_service_iso_td(ohci, &ed, completion))
1240                     break;
1241             }
1242         }
1243 
1244         if (ohci_put_ed(ohci, cur, &ed)) {
1245             ohci_die(ohci);
1246             return 0;
1247         }
1248     }
1249 
1250     return active;
1251 }
1252 
1253 /* Generate a SOF event, and set a timer for EOF */
1254 static void ohci_sof(OHCIState *ohci)
1255 {
1256     ohci->sof_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
1257     timer_mod(ohci->eof_timer, ohci->sof_time + usb_frame_time);
1258     ohci_set_interrupt(ohci, OHCI_INTR_SF);
1259 }
1260 
1261 /* Process Control and Bulk lists.  */
1262 static void ohci_process_lists(OHCIState *ohci, int completion)
1263 {
1264     if ((ohci->ctl & OHCI_CTL_CLE) && (ohci->status & OHCI_STATUS_CLF)) {
1265         if (ohci->ctrl_cur && ohci->ctrl_cur != ohci->ctrl_head) {
1266             DPRINTF("usb-ohci: head %x, cur %x\n",
1267                     ohci->ctrl_head, ohci->ctrl_cur);
1268         }
1269         if (!ohci_service_ed_list(ohci, ohci->ctrl_head, completion)) {
1270             ohci->ctrl_cur = 0;
1271             ohci->status &= ~OHCI_STATUS_CLF;
1272         }
1273     }
1274 
1275     if ((ohci->ctl & OHCI_CTL_BLE) && (ohci->status & OHCI_STATUS_BLF)) {
1276         if (!ohci_service_ed_list(ohci, ohci->bulk_head, completion)) {
1277             ohci->bulk_cur = 0;
1278             ohci->status &= ~OHCI_STATUS_BLF;
1279         }
1280     }
1281 }
1282 
1283 /* Do frame processing on frame boundary */
1284 static void ohci_frame_boundary(void *opaque)
1285 {
1286     OHCIState *ohci = opaque;
1287     struct ohci_hcca hcca;
1288 
1289     if (ohci_read_hcca(ohci, ohci->hcca, &hcca)) {
1290         fprintf(stderr, "usb-ohci: HCCA read error at %x\n", ohci->hcca);
1291         ohci_die(ohci);
1292         return;
1293     }
1294 
1295     /* Process all the lists at the end of the frame */
1296     if (ohci->ctl & OHCI_CTL_PLE) {
1297         int n;
1298 
1299         n = ohci->frame_number & 0x1f;
1300         ohci_service_ed_list(ohci, le32_to_cpu(hcca.intr[n]), 0);
1301     }
1302 
1303     /* Cancel all pending packets if either of the lists has been disabled.  */
1304     if (ohci->old_ctl & (~ohci->ctl) & (OHCI_CTL_BLE | OHCI_CTL_CLE)) {
1305         if (ohci->async_td) {
1306             usb_cancel_packet(&ohci->usb_packet);
1307             ohci->async_td = 0;
1308         }
1309         ohci_stop_endpoints(ohci);
1310     }
1311     ohci->old_ctl = ohci->ctl;
1312     ohci_process_lists(ohci, 0);
1313 
1314     /* Stop if UnrecoverableError happened or ohci_sof will crash */
1315     if (ohci->intr_status & OHCI_INTR_UE) {
1316         return;
1317     }
1318 
1319     /* Frame boundary, so do EOF stuf here */
1320     ohci->frt = ohci->fit;
1321 
1322     /* Increment frame number and take care of endianness. */
1323     ohci->frame_number = (ohci->frame_number + 1) & 0xffff;
1324     hcca.frame = cpu_to_le16(ohci->frame_number);
1325 
1326     if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
1327         if (!ohci->done)
1328             abort();
1329         if (ohci->intr & ohci->intr_status)
1330             ohci->done |= 1;
1331         hcca.done = cpu_to_le32(ohci->done);
1332         ohci->done = 0;
1333         ohci->done_count = 7;
1334         ohci_set_interrupt(ohci, OHCI_INTR_WD);
1335     }
1336 
1337     if (ohci->done_count != 7 && ohci->done_count != 0)
1338         ohci->done_count--;
1339 
1340     /* Do SOF stuff here */
1341     ohci_sof(ohci);
1342 
1343     /* Writeback HCCA */
1344     if (ohci_put_hcca(ohci, ohci->hcca, &hcca)) {
1345         ohci_die(ohci);
1346     }
1347 }
1348 
1349 /* Start sending SOF tokens across the USB bus, lists are processed in
1350  * next frame
1351  */
1352 static int ohci_bus_start(OHCIState *ohci)
1353 {
1354     ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
1355                     ohci_frame_boundary,
1356                     ohci);
1357 
1358     if (ohci->eof_timer == NULL) {
1359         fprintf(stderr, "usb-ohci: %s: timer_new_ns failed\n", ohci->name);
1360         ohci_die(ohci);
1361         return 0;
1362     }
1363 
1364     DPRINTF("usb-ohci: %s: USB Operational\n", ohci->name);
1365 
1366     ohci_sof(ohci);
1367 
1368     return 1;
1369 }
1370 
1371 /* Stop sending SOF tokens on the bus */
1372 static void ohci_bus_stop(OHCIState *ohci)
1373 {
1374     if (ohci->eof_timer) {
1375         timer_del(ohci->eof_timer);
1376         timer_free(ohci->eof_timer);
1377     }
1378     ohci->eof_timer = NULL;
1379 }
1380 
1381 /* Sets a flag in a port status register but only set it if the port is
1382  * connected, if not set ConnectStatusChange flag. If flag is enabled
1383  * return 1.
1384  */
1385 static int ohci_port_set_if_connected(OHCIState *ohci, int i, uint32_t val)
1386 {
1387     int ret = 1;
1388 
1389     /* writing a 0 has no effect */
1390     if (val == 0)
1391         return 0;
1392 
1393     /* If CurrentConnectStatus is cleared we set
1394      * ConnectStatusChange
1395      */
1396     if (!(ohci->rhport[i].ctrl & OHCI_PORT_CCS)) {
1397         ohci->rhport[i].ctrl |= OHCI_PORT_CSC;
1398         if (ohci->rhstatus & OHCI_RHS_DRWE) {
1399             /* TODO: CSC is a wakeup event */
1400         }
1401         return 0;
1402     }
1403 
1404     if (ohci->rhport[i].ctrl & val)
1405         ret = 0;
1406 
1407     /* set the bit */
1408     ohci->rhport[i].ctrl |= val;
1409 
1410     return ret;
1411 }
1412 
1413 /* Set the frame interval - frame interval toggle is manipulated by the hcd only */
1414 static void ohci_set_frame_interval(OHCIState *ohci, uint16_t val)
1415 {
1416     val &= OHCI_FMI_FI;
1417 
1418     if (val != ohci->fi) {
1419         DPRINTF("usb-ohci: %s: FrameInterval = 0x%x (%u)\n",
1420             ohci->name, ohci->fi, ohci->fi);
1421     }
1422 
1423     ohci->fi = val;
1424 }
1425 
1426 static void ohci_port_power(OHCIState *ohci, int i, int p)
1427 {
1428     if (p) {
1429         ohci->rhport[i].ctrl |= OHCI_PORT_PPS;
1430     } else {
1431         ohci->rhport[i].ctrl &= ~(OHCI_PORT_PPS|
1432                     OHCI_PORT_CCS|
1433                     OHCI_PORT_PSS|
1434                     OHCI_PORT_PRS);
1435     }
1436 }
1437 
1438 /* Set HcControlRegister */
1439 static void ohci_set_ctl(OHCIState *ohci, uint32_t val)
1440 {
1441     uint32_t old_state;
1442     uint32_t new_state;
1443 
1444     old_state = ohci->ctl & OHCI_CTL_HCFS;
1445     ohci->ctl = val;
1446     new_state = ohci->ctl & OHCI_CTL_HCFS;
1447 
1448     /* no state change */
1449     if (old_state == new_state)
1450         return;
1451 
1452     switch (new_state) {
1453     case OHCI_USB_OPERATIONAL:
1454         ohci_bus_start(ohci);
1455         break;
1456     case OHCI_USB_SUSPEND:
1457         ohci_bus_stop(ohci);
1458         DPRINTF("usb-ohci: %s: USB Suspended\n", ohci->name);
1459         break;
1460     case OHCI_USB_RESUME:
1461         DPRINTF("usb-ohci: %s: USB Resume\n", ohci->name);
1462         break;
1463     case OHCI_USB_RESET:
1464         ohci_reset(ohci);
1465         DPRINTF("usb-ohci: %s: USB Reset\n", ohci->name);
1466         break;
1467     }
1468 }
1469 
1470 static uint32_t ohci_get_frame_remaining(OHCIState *ohci)
1471 {
1472     uint16_t fr;
1473     int64_t tks;
1474 
1475     if ((ohci->ctl & OHCI_CTL_HCFS) != OHCI_USB_OPERATIONAL)
1476         return (ohci->frt << 31);
1477 
1478     /* Being in USB operational state guarnatees sof_time was
1479      * set already.
1480      */
1481     tks = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - ohci->sof_time;
1482 
1483     /* avoid muldiv if possible */
1484     if (tks >= usb_frame_time)
1485         return (ohci->frt << 31);
1486 
1487     tks = muldiv64(1, tks, usb_bit_time);
1488     fr = (uint16_t)(ohci->fi - tks);
1489 
1490     return (ohci->frt << 31) | fr;
1491 }
1492 
1493 
1494 /* Set root hub status */
1495 static void ohci_set_hub_status(OHCIState *ohci, uint32_t val)
1496 {
1497     uint32_t old_state;
1498 
1499     old_state = ohci->rhstatus;
1500 
1501     /* write 1 to clear OCIC */
1502     if (val & OHCI_RHS_OCIC)
1503         ohci->rhstatus &= ~OHCI_RHS_OCIC;
1504 
1505     if (val & OHCI_RHS_LPS) {
1506         int i;
1507 
1508         for (i = 0; i < ohci->num_ports; i++)
1509             ohci_port_power(ohci, i, 0);
1510         DPRINTF("usb-ohci: powered down all ports\n");
1511     }
1512 
1513     if (val & OHCI_RHS_LPSC) {
1514         int i;
1515 
1516         for (i = 0; i < ohci->num_ports; i++)
1517             ohci_port_power(ohci, i, 1);
1518         DPRINTF("usb-ohci: powered up all ports\n");
1519     }
1520 
1521     if (val & OHCI_RHS_DRWE)
1522         ohci->rhstatus |= OHCI_RHS_DRWE;
1523 
1524     if (val & OHCI_RHS_CRWE)
1525         ohci->rhstatus &= ~OHCI_RHS_DRWE;
1526 
1527     if (old_state != ohci->rhstatus)
1528         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1529 }
1530 
1531 /* Set root hub port status */
1532 static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
1533 {
1534     uint32_t old_state;
1535     OHCIPort *port;
1536 
1537     port = &ohci->rhport[portnum];
1538     old_state = port->ctrl;
1539 
1540     /* Write to clear CSC, PESC, PSSC, OCIC, PRSC */
1541     if (val & OHCI_PORT_WTC)
1542         port->ctrl &= ~(val & OHCI_PORT_WTC);
1543 
1544     if (val & OHCI_PORT_CCS)
1545         port->ctrl &= ~OHCI_PORT_PES;
1546 
1547     ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PES);
1548 
1549     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PSS)) {
1550         DPRINTF("usb-ohci: port %d: SUSPEND\n", portnum);
1551     }
1552 
1553     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
1554         DPRINTF("usb-ohci: port %d: RESET\n", portnum);
1555         usb_device_reset(port->port.dev);
1556         port->ctrl &= ~OHCI_PORT_PRS;
1557         /* ??? Should this also set OHCI_PORT_PESC.  */
1558         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
1559     }
1560 
1561     /* Invert order here to ensure in ambiguous case, device is
1562      * powered up...
1563      */
1564     if (val & OHCI_PORT_LSDA)
1565         ohci_port_power(ohci, portnum, 0);
1566     if (val & OHCI_PORT_PPS)
1567         ohci_port_power(ohci, portnum, 1);
1568 
1569     if (old_state != port->ctrl)
1570         ohci_set_interrupt(ohci, OHCI_INTR_RHSC);
1571 }
1572 
1573 static uint64_t ohci_mem_read(void *opaque,
1574                               hwaddr addr,
1575                               unsigned size)
1576 {
1577     OHCIState *ohci = opaque;
1578     uint32_t retval;
1579 
1580     /* Only aligned reads are allowed on OHCI */
1581     if (addr & 3) {
1582         fprintf(stderr, "usb-ohci: Mis-aligned read\n");
1583         return 0xffffffff;
1584     } else if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1585         /* HcRhPortStatus */
1586         retval = ohci->rhport[(addr - 0x54) >> 2].ctrl | OHCI_PORT_PPS;
1587     } else {
1588         switch (addr >> 2) {
1589         case 0: /* HcRevision */
1590             retval = 0x10;
1591             break;
1592 
1593         case 1: /* HcControl */
1594             retval = ohci->ctl;
1595             break;
1596 
1597         case 2: /* HcCommandStatus */
1598             retval = ohci->status;
1599             break;
1600 
1601         case 3: /* HcInterruptStatus */
1602             retval = ohci->intr_status;
1603             break;
1604 
1605         case 4: /* HcInterruptEnable */
1606         case 5: /* HcInterruptDisable */
1607             retval = ohci->intr;
1608             break;
1609 
1610         case 6: /* HcHCCA */
1611             retval = ohci->hcca;
1612             break;
1613 
1614         case 7: /* HcPeriodCurrentED */
1615             retval = ohci->per_cur;
1616             break;
1617 
1618         case 8: /* HcControlHeadED */
1619             retval = ohci->ctrl_head;
1620             break;
1621 
1622         case 9: /* HcControlCurrentED */
1623             retval = ohci->ctrl_cur;
1624             break;
1625 
1626         case 10: /* HcBulkHeadED */
1627             retval = ohci->bulk_head;
1628             break;
1629 
1630         case 11: /* HcBulkCurrentED */
1631             retval = ohci->bulk_cur;
1632             break;
1633 
1634         case 12: /* HcDoneHead */
1635             retval = ohci->done;
1636             break;
1637 
1638         case 13: /* HcFmInterretval */
1639             retval = (ohci->fit << 31) | (ohci->fsmps << 16) | (ohci->fi);
1640             break;
1641 
1642         case 14: /* HcFmRemaining */
1643             retval = ohci_get_frame_remaining(ohci);
1644             break;
1645 
1646         case 15: /* HcFmNumber */
1647             retval = ohci->frame_number;
1648             break;
1649 
1650         case 16: /* HcPeriodicStart */
1651             retval = ohci->pstart;
1652             break;
1653 
1654         case 17: /* HcLSThreshold */
1655             retval = ohci->lst;
1656             break;
1657 
1658         case 18: /* HcRhDescriptorA */
1659             retval = ohci->rhdesc_a;
1660             break;
1661 
1662         case 19: /* HcRhDescriptorB */
1663             retval = ohci->rhdesc_b;
1664             break;
1665 
1666         case 20: /* HcRhStatus */
1667             retval = ohci->rhstatus;
1668             break;
1669 
1670         /* PXA27x specific registers */
1671         case 24: /* HcStatus */
1672             retval = ohci->hstatus & ohci->hmask;
1673             break;
1674 
1675         case 25: /* HcHReset */
1676             retval = ohci->hreset;
1677             break;
1678 
1679         case 26: /* HcHInterruptEnable */
1680             retval = ohci->hmask;
1681             break;
1682 
1683         case 27: /* HcHInterruptTest */
1684             retval = ohci->htest;
1685             break;
1686 
1687         default:
1688             fprintf(stderr, "ohci_read: Bad offset %x\n", (int)addr);
1689             retval = 0xffffffff;
1690         }
1691     }
1692 
1693     return retval;
1694 }
1695 
1696 static void ohci_mem_write(void *opaque,
1697                            hwaddr addr,
1698                            uint64_t val,
1699                            unsigned size)
1700 {
1701     OHCIState *ohci = opaque;
1702 
1703     /* Only aligned reads are allowed on OHCI */
1704     if (addr & 3) {
1705         fprintf(stderr, "usb-ohci: Mis-aligned write\n");
1706         return;
1707     }
1708 
1709     if (addr >= 0x54 && addr < 0x54 + ohci->num_ports * 4) {
1710         /* HcRhPortStatus */
1711         ohci_port_set_status(ohci, (addr - 0x54) >> 2, val);
1712         return;
1713     }
1714 
1715     switch (addr >> 2) {
1716     case 1: /* HcControl */
1717         ohci_set_ctl(ohci, val);
1718         break;
1719 
1720     case 2: /* HcCommandStatus */
1721         /* SOC is read-only */
1722         val = (val & ~OHCI_STATUS_SOC);
1723 
1724         /* Bits written as '0' remain unchanged in the register */
1725         ohci->status |= val;
1726 
1727         if (ohci->status & OHCI_STATUS_HCR)
1728             ohci_reset(ohci);
1729         break;
1730 
1731     case 3: /* HcInterruptStatus */
1732         ohci->intr_status &= ~val;
1733         ohci_intr_update(ohci);
1734         break;
1735 
1736     case 4: /* HcInterruptEnable */
1737         ohci->intr |= val;
1738         ohci_intr_update(ohci);
1739         break;
1740 
1741     case 5: /* HcInterruptDisable */
1742         ohci->intr &= ~val;
1743         ohci_intr_update(ohci);
1744         break;
1745 
1746     case 6: /* HcHCCA */
1747         ohci->hcca = val & OHCI_HCCA_MASK;
1748         break;
1749 
1750     case 7: /* HcPeriodCurrentED */
1751         /* Ignore writes to this read-only register, Linux does them */
1752         break;
1753 
1754     case 8: /* HcControlHeadED */
1755         ohci->ctrl_head = val & OHCI_EDPTR_MASK;
1756         break;
1757 
1758     case 9: /* HcControlCurrentED */
1759         ohci->ctrl_cur = val & OHCI_EDPTR_MASK;
1760         break;
1761 
1762     case 10: /* HcBulkHeadED */
1763         ohci->bulk_head = val & OHCI_EDPTR_MASK;
1764         break;
1765 
1766     case 11: /* HcBulkCurrentED */
1767         ohci->bulk_cur = val & OHCI_EDPTR_MASK;
1768         break;
1769 
1770     case 13: /* HcFmInterval */
1771         ohci->fsmps = (val & OHCI_FMI_FSMPS) >> 16;
1772         ohci->fit = (val & OHCI_FMI_FIT) >> 31;
1773         ohci_set_frame_interval(ohci, val);
1774         break;
1775 
1776     case 15: /* HcFmNumber */
1777         break;
1778 
1779     case 16: /* HcPeriodicStart */
1780         ohci->pstart = val & 0xffff;
1781         break;
1782 
1783     case 17: /* HcLSThreshold */
1784         ohci->lst = val & 0xffff;
1785         break;
1786 
1787     case 18: /* HcRhDescriptorA */
1788         ohci->rhdesc_a &= ~OHCI_RHA_RW_MASK;
1789         ohci->rhdesc_a |= val & OHCI_RHA_RW_MASK;
1790         break;
1791 
1792     case 19: /* HcRhDescriptorB */
1793         break;
1794 
1795     case 20: /* HcRhStatus */
1796         ohci_set_hub_status(ohci, val);
1797         break;
1798 
1799     /* PXA27x specific registers */
1800     case 24: /* HcStatus */
1801         ohci->hstatus &= ~(val & ohci->hmask);
1802         break;
1803 
1804     case 25: /* HcHReset */
1805         ohci->hreset = val & ~OHCI_HRESET_FSBIR;
1806         if (val & OHCI_HRESET_FSBIR)
1807             ohci_reset(ohci);
1808         break;
1809 
1810     case 26: /* HcHInterruptEnable */
1811         ohci->hmask = val;
1812         break;
1813 
1814     case 27: /* HcHInterruptTest */
1815         ohci->htest = val;
1816         break;
1817 
1818     default:
1819         fprintf(stderr, "ohci_write: Bad offset %x\n", (int)addr);
1820         break;
1821     }
1822 }
1823 
1824 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
1825 {
1826     if (ohci->async_td &&
1827         usb_packet_is_inflight(&ohci->usb_packet) &&
1828         ohci->usb_packet.ep->dev == dev) {
1829         usb_cancel_packet(&ohci->usb_packet);
1830         ohci->async_td = 0;
1831     }
1832 }
1833 
1834 static const MemoryRegionOps ohci_mem_ops = {
1835     .read = ohci_mem_read,
1836     .write = ohci_mem_write,
1837     .endianness = DEVICE_LITTLE_ENDIAN,
1838 };
1839 
1840 static USBPortOps ohci_port_ops = {
1841     .attach = ohci_attach,
1842     .detach = ohci_detach,
1843     .child_detach = ohci_child_detach,
1844     .wakeup = ohci_wakeup,
1845     .complete = ohci_async_complete_packet,
1846 };
1847 
1848 static USBBusOps ohci_bus_ops = {
1849 };
1850 
1851 static int usb_ohci_init(OHCIState *ohci, DeviceState *dev,
1852                          int num_ports, dma_addr_t localmem_base,
1853                          char *masterbus, uint32_t firstport,
1854                          AddressSpace *as)
1855 {
1856     int i;
1857 
1858     ohci->as = as;
1859 
1860     if (usb_frame_time == 0) {
1861 #ifdef OHCI_TIME_WARP
1862         usb_frame_time = get_ticks_per_sec();
1863         usb_bit_time = muldiv64(1, get_ticks_per_sec(), USB_HZ/1000);
1864 #else
1865         usb_frame_time = muldiv64(1, get_ticks_per_sec(), 1000);
1866         if (get_ticks_per_sec() >= USB_HZ) {
1867             usb_bit_time = muldiv64(1, get_ticks_per_sec(), USB_HZ);
1868         } else {
1869             usb_bit_time = 1;
1870         }
1871 #endif
1872         DPRINTF("usb-ohci: usb_bit_time=%" PRId64 " usb_frame_time=%" PRId64 "\n",
1873                 usb_frame_time, usb_bit_time);
1874     }
1875 
1876     ohci->num_ports = num_ports;
1877     if (masterbus) {
1878         USBPort *ports[OHCI_MAX_PORTS];
1879         for(i = 0; i < num_ports; i++) {
1880             ports[i] = &ohci->rhport[i].port;
1881         }
1882         if (usb_register_companion(masterbus, ports, num_ports,
1883                 firstport, ohci, &ohci_port_ops,
1884                 USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL) != 0) {
1885             return -1;
1886         }
1887     } else {
1888         usb_bus_new(&ohci->bus, sizeof(ohci->bus), &ohci_bus_ops, dev);
1889         for (i = 0; i < num_ports; i++) {
1890             usb_register_port(&ohci->bus, &ohci->rhport[i].port,
1891                               ohci, i, &ohci_port_ops,
1892                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
1893         }
1894     }
1895 
1896     memory_region_init_io(&ohci->mem, OBJECT(dev), &ohci_mem_ops,
1897                           ohci, "ohci", 256);
1898     ohci->localmem_base = localmem_base;
1899 
1900     ohci->name = object_get_typename(OBJECT(dev));
1901     usb_packet_init(&ohci->usb_packet);
1902 
1903     ohci->async_td = 0;
1904     qemu_register_reset(ohci_reset, ohci);
1905 
1906     return 0;
1907 }
1908 
1909 #define TYPE_PCI_OHCI "pci-ohci"
1910 #define PCI_OHCI(obj) OBJECT_CHECK(OHCIPCIState, (obj), TYPE_PCI_OHCI)
1911 
1912 typedef struct {
1913     /*< private >*/
1914     PCIDevice parent_obj;
1915     /*< public >*/
1916 
1917     OHCIState state;
1918     char *masterbus;
1919     uint32_t num_ports;
1920     uint32_t firstport;
1921 } OHCIPCIState;
1922 
1923 /** A typical O/EHCI will stop operating, set itself into error state
1924  * (which can be queried by MMIO) and will set PERR in its config
1925  * space to signal that it got an error
1926  */
1927 static void ohci_die(OHCIState *ohci)
1928 {
1929     OHCIPCIState *dev = container_of(ohci, OHCIPCIState, state);
1930 
1931     fprintf(stderr, "%s: DMA error\n", __func__);
1932 
1933     ohci_set_interrupt(ohci, OHCI_INTR_UE);
1934     ohci_bus_stop(ohci);
1935     pci_set_word(dev->parent_obj.config + PCI_STATUS,
1936                  PCI_STATUS_DETECTED_PARITY);
1937 }
1938 
1939 static int usb_ohci_initfn_pci(PCIDevice *dev)
1940 {
1941     OHCIPCIState *ohci = PCI_OHCI(dev);
1942 
1943     dev->config[PCI_CLASS_PROG] = 0x10; /* OHCI */
1944     dev->config[PCI_INTERRUPT_PIN] = 0x01; /* interrupt pin A */
1945 
1946     if (usb_ohci_init(&ohci->state, DEVICE(dev), ohci->num_ports, 0,
1947                       ohci->masterbus, ohci->firstport,
1948                       pci_get_address_space(dev)) != 0) {
1949         return -1;
1950     }
1951     ohci->state.irq = pci_allocate_irq(dev);
1952 
1953     pci_register_bar(dev, 0, 0, &ohci->state.mem);
1954     return 0;
1955 }
1956 
1957 static void usb_ohci_exit(PCIDevice *dev)
1958 {
1959     OHCIPCIState *ohci = PCI_OHCI(dev);
1960     OHCIState *s = &ohci->state;
1961 
1962     ohci_bus_stop(s);
1963 
1964     if (s->async_td) {
1965         usb_cancel_packet(&s->usb_packet);
1966         s->async_td = 0;
1967     }
1968     ohci_stop_endpoints(s);
1969 
1970     if (!ohci->masterbus) {
1971         usb_bus_release(&s->bus);
1972     }
1973 }
1974 
1975 #define TYPE_SYSBUS_OHCI "sysbus-ohci"
1976 #define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
1977 
1978 typedef struct {
1979     /*< private >*/
1980     SysBusDevice parent_obj;
1981     /*< public >*/
1982 
1983     OHCIState ohci;
1984     uint32_t num_ports;
1985     dma_addr_t dma_offset;
1986 } OHCISysBusState;
1987 
1988 static void ohci_realize_pxa(DeviceState *dev, Error **errp)
1989 {
1990     OHCISysBusState *s = SYSBUS_OHCI(dev);
1991     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
1992 
1993     /* Cannot fail as we pass NULL for masterbus */
1994     usb_ohci_init(&s->ohci, dev, s->num_ports, s->dma_offset, NULL, 0,
1995                   &address_space_memory);
1996     sysbus_init_irq(sbd, &s->ohci.irq);
1997     sysbus_init_mmio(sbd, &s->ohci.mem);
1998 }
1999 
2000 static Property ohci_pci_properties[] = {
2001     DEFINE_PROP_STRING("masterbus", OHCIPCIState, masterbus),
2002     DEFINE_PROP_UINT32("num-ports", OHCIPCIState, num_ports, 3),
2003     DEFINE_PROP_UINT32("firstport", OHCIPCIState, firstport, 0),
2004     DEFINE_PROP_END_OF_LIST(),
2005 };
2006 
2007 static const VMStateDescription vmstate_ohci_state_port = {
2008     .name = "ohci-core/port",
2009     .version_id = 1,
2010     .minimum_version_id = 1,
2011     .fields = (VMStateField[]) {
2012         VMSTATE_UINT32(ctrl, OHCIPort),
2013         VMSTATE_END_OF_LIST()
2014     },
2015 };
2016 
2017 static bool ohci_eof_timer_needed(void *opaque)
2018 {
2019     OHCIState *ohci = opaque;
2020 
2021     return ohci->eof_timer != NULL;
2022 }
2023 
2024 static int ohci_eof_timer_pre_load(void *opaque)
2025 {
2026     OHCIState *ohci = opaque;
2027 
2028     ohci_bus_start(ohci);
2029 
2030     return 0;
2031 }
2032 
2033 static const VMStateDescription vmstate_ohci_eof_timer = {
2034     .name = "ohci-core/eof-timer",
2035     .version_id = 1,
2036     .minimum_version_id = 1,
2037     .pre_load = ohci_eof_timer_pre_load,
2038     .fields = (VMStateField[]) {
2039         VMSTATE_TIMER(eof_timer, OHCIState),
2040         VMSTATE_END_OF_LIST()
2041     },
2042 };
2043 
2044 static const VMStateDescription vmstate_ohci_state = {
2045     .name = "ohci-core",
2046     .version_id = 1,
2047     .minimum_version_id = 1,
2048     .fields = (VMStateField[]) {
2049         VMSTATE_INT64(sof_time, OHCIState),
2050         VMSTATE_UINT32(ctl, OHCIState),
2051         VMSTATE_UINT32(status, OHCIState),
2052         VMSTATE_UINT32(intr_status, OHCIState),
2053         VMSTATE_UINT32(intr, OHCIState),
2054         VMSTATE_UINT32(hcca, OHCIState),
2055         VMSTATE_UINT32(ctrl_head, OHCIState),
2056         VMSTATE_UINT32(ctrl_cur, OHCIState),
2057         VMSTATE_UINT32(bulk_head, OHCIState),
2058         VMSTATE_UINT32(bulk_cur, OHCIState),
2059         VMSTATE_UINT32(per_cur, OHCIState),
2060         VMSTATE_UINT32(done, OHCIState),
2061         VMSTATE_INT32(done_count, OHCIState),
2062         VMSTATE_UINT16(fsmps, OHCIState),
2063         VMSTATE_UINT8(fit, OHCIState),
2064         VMSTATE_UINT16(fi, OHCIState),
2065         VMSTATE_UINT8(frt, OHCIState),
2066         VMSTATE_UINT16(frame_number, OHCIState),
2067         VMSTATE_UINT16(padding, OHCIState),
2068         VMSTATE_UINT32(pstart, OHCIState),
2069         VMSTATE_UINT32(lst, OHCIState),
2070         VMSTATE_UINT32(rhdesc_a, OHCIState),
2071         VMSTATE_UINT32(rhdesc_b, OHCIState),
2072         VMSTATE_UINT32(rhstatus, OHCIState),
2073         VMSTATE_STRUCT_ARRAY(rhport, OHCIState, OHCI_MAX_PORTS, 0,
2074                              vmstate_ohci_state_port, OHCIPort),
2075         VMSTATE_UINT32(hstatus, OHCIState),
2076         VMSTATE_UINT32(hmask, OHCIState),
2077         VMSTATE_UINT32(hreset, OHCIState),
2078         VMSTATE_UINT32(htest, OHCIState),
2079         VMSTATE_UINT32(old_ctl, OHCIState),
2080         VMSTATE_UINT8_ARRAY(usb_buf, OHCIState, 8192),
2081         VMSTATE_UINT32(async_td, OHCIState),
2082         VMSTATE_BOOL(async_complete, OHCIState),
2083         VMSTATE_END_OF_LIST()
2084     },
2085     .subsections = (VMStateSubsection []) {
2086         {
2087             .vmsd = &vmstate_ohci_eof_timer,
2088             .needed = ohci_eof_timer_needed,
2089         } , {
2090             /* empty */
2091         }
2092     }
2093 };
2094 
2095 static const VMStateDescription vmstate_ohci = {
2096     .name = "ohci",
2097     .version_id = 1,
2098     .minimum_version_id = 1,
2099     .fields = (VMStateField[]) {
2100         VMSTATE_PCI_DEVICE(parent_obj, OHCIPCIState),
2101         VMSTATE_STRUCT(state, OHCIPCIState, 1, vmstate_ohci_state, OHCIState),
2102         VMSTATE_END_OF_LIST()
2103     }
2104 };
2105 
2106 static void ohci_pci_class_init(ObjectClass *klass, void *data)
2107 {
2108     DeviceClass *dc = DEVICE_CLASS(klass);
2109     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2110 
2111     k->init = usb_ohci_initfn_pci;
2112     k->exit = usb_ohci_exit;
2113     k->vendor_id = PCI_VENDOR_ID_APPLE;
2114     k->device_id = PCI_DEVICE_ID_APPLE_IPID_USB;
2115     k->class_id = PCI_CLASS_SERIAL_USB;
2116     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2117     dc->desc = "Apple USB Controller";
2118     dc->props = ohci_pci_properties;
2119     dc->hotpluggable = false;
2120     dc->vmsd = &vmstate_ohci;
2121 }
2122 
2123 static const TypeInfo ohci_pci_info = {
2124     .name          = TYPE_PCI_OHCI,
2125     .parent        = TYPE_PCI_DEVICE,
2126     .instance_size = sizeof(OHCIPCIState),
2127     .class_init    = ohci_pci_class_init,
2128 };
2129 
2130 static Property ohci_sysbus_properties[] = {
2131     DEFINE_PROP_UINT32("num-ports", OHCISysBusState, num_ports, 3),
2132     DEFINE_PROP_DMAADDR("dma-offset", OHCISysBusState, dma_offset, 3),
2133     DEFINE_PROP_END_OF_LIST(),
2134 };
2135 
2136 static void ohci_sysbus_class_init(ObjectClass *klass, void *data)
2137 {
2138     DeviceClass *dc = DEVICE_CLASS(klass);
2139 
2140     dc->realize = ohci_realize_pxa;
2141     set_bit(DEVICE_CATEGORY_USB, dc->categories);
2142     dc->desc = "OHCI USB Controller";
2143     dc->props = ohci_sysbus_properties;
2144 }
2145 
2146 static const TypeInfo ohci_sysbus_info = {
2147     .name          = TYPE_SYSBUS_OHCI,
2148     .parent        = TYPE_SYS_BUS_DEVICE,
2149     .instance_size = sizeof(OHCISysBusState),
2150     .class_init    = ohci_sysbus_class_init,
2151 };
2152 
2153 static void ohci_register_types(void)
2154 {
2155     type_register_static(&ohci_pci_info);
2156     type_register_static(&ohci_sysbus_info);
2157 }
2158 
2159 type_init(ohci_register_types)
2160