/*
 * USB UHCI controller emulation
 *
 * Copyright (c) 2005 Fabrice Bellard
 *
 * Copyright (c) 2008 Max Krasnyansky
 *     Major rewrite of the UHCI data structures parser and frame processor
 *     Support for fully async operation and multiple outstanding transactions
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

/*
 * Trust boundary (review summary): every TD, QH and frame-list entry
 * processed in this file is fetched from guest memory through
 * uhci_dma_read(), and every register value arrives through
 * uhci_port_write().  Both are guest-controlled.  The bounds that keep the
 * schedule walk finite are FRAME_MAX_LOOPS, the QhDb loop detector and the
 * per-frame bandwidth check in uhci_process_frame().
 */

#include "qemu/osdep.h"
#include "hw/usb.h"
#include "hw/usb/uhci-regs.h"
#include "migration/vmstate.h"
#include "hw/irq.h"
#include "hw/qdev-properties.h"
#include "qapi/error.h"
#include "qemu/timer.h"
#include "qemu/iov.h"
#include "sysemu/dma.h"
#include "trace.h"
#include "qemu/main-loop.h"
#include "qemu/module.h"
#include "qom/object.h"
#include "hcd-uhci.h"

/* Frames per second; the frame period is NANOSECONDS_PER_SECOND / this. */
#define FRAME_TIMER_FREQ 1000

/*
 * Upper bound on the number of link pointers uhci_process_frame() follows
 * in one call.  The links come from guest memory, so this is what keeps a
 * malformed or cyclic schedule from spinning the emulator.
 */
#define FRAME_MAX_LOOPS 256

/* Must be large enough to handle 10 frame delay for initial isoc requests */
#define QH_VALID 32

/* Cap on the frames processed by a single uhci_frame_timer() invocation. */
#define MAX_FRAMES_PER_TICK (QH_VALID / 2)

/* Result codes returned by the TD handling functions below. */
enum {
    TD_RESULT_STOP_FRAME = 10,  /* abort processing of the current frame */
    TD_RESULT_COMPLETE,         /* TD finished, advance along td.link */
    TD_RESULT_NEXT_QH,          /* leave this queue, continue with next QH */
    TD_RESULT_ASYNC_START,      /* packet was submitted and is now pending */
    TD_RESULT_ASYNC_CONT,       /* packet is still pending, nothing to do */
};

typedef struct UHCIAsync UHCIAsync;

/*
 * Pending async transaction.
 * 'packet' must be the first field because completion
 * handler does "(UHCIAsync *) pkt" cast.
 *
 * NOTE(review): uhci_async_complete() in this file recovers the UHCIAsync
 * with container_of() rather than a cast, so the ordering requirement may
 * be stale -- confirm before relying on it.
 */

struct UHCIAsync {
    USBPacket packet;
    uint8_t static_buf[64]; /* 64 bytes is enough, except for isoc packets */
    uint8_t *buf;           /* static_buf or a g_malloc()ed buffer */
    UHCIQueue *queue;       /* owning queue */
    QTAILQ_ENTRY(UHCIAsync) next;
    uint32_t td_addr;       /* guest link value of the TD this packet serves */
    uint8_t done;           /* set by uhci_async_complete() */
};

/* Per-endpoint queue of pending async packets, keyed by 'token'. */
struct UHCIQueue {
    uint32_t qh_addr;       /* QH link value the queue was created under */
    uint32_t token;         /* see uhci_queue_token() */
    UHCIState *uhci;
    USBEndpoint *ep;
    QTAILQ_ENTRY(UHCIQueue) next;
    QTAILQ_HEAD(, UHCIAsync) asyncs;
    int8_t valid;           /* aging counter, reloaded with QH_VALID on use */
};

/* Transfer descriptor as read from guest memory (four 32-bit LE words). */
typedef struct UHCI_TD {
    uint32_t link;
    uint32_t ctrl; /* see TD_CTRL_xxx */
    uint32_t token;
    uint32_t buffer;
} UHCI_TD;

/* Queue head as read from guest memory (two 32-bit LE words). */
typedef struct UHCI_QH {
    uint32_t link;
    uint32_t el_link;
} UHCI_QH;

static void uhci_async_cancel(UHCIAsync *async);
static void uhci_queue_fill(UHCIQueue *q, UHCI_TD *td);
static void uhci_resume(void *opaque);

/*
 * Derive the key used to match a TD to a UHCIQueue.
 *
 * Elsewhere in this file the token is decoded as: bits 0-7 pid,
 * bits 8-14 device address, bits 15-18 endpoint number.  For endpoint 0
 * the pid bits are masked out, so TDs with different PIDs on a control
 * endpoint map to the same queue.
 */
static inline int32_t uhci_queue_token(UHCI_TD *td)
{
    if ((td->token & (0xf << 15)) == 0) {
        /* ctrl ep, cover ep and dev, not pid! */
        return td->token & 0x7ff00;
    } else {
        /* covers ep, dev, pid -> identifies the endpoint */
        return td->token & 0x7ffff;
    }
}

/*
 * Allocate a zeroed queue for (qh_addr, td's token, ep), insert it at the
 * head of s->queues and mark it fully valid.  Ownership stays with the
 * s->queues list; release with uhci_queue_free().
 */
static UHCIQueue *uhci_queue_new(UHCIState *s, uint32_t qh_addr, UHCI_TD *td,
                                 USBEndpoint *ep)
{
    UHCIQueue *queue;

    queue = g_new0(UHCIQueue, 1);
    queue->uhci = s;
    queue->qh_addr = qh_addr;
    queue->token = uhci_queue_token(td);
    queue->ep = ep;
    QTAILQ_INIT(&queue->asyncs);
    QTAILQ_INSERT_HEAD(&s->queues, queue, next);
    queue->valid = QH_VALID;
    trace_usb_uhci_queue_add(queue->token);
    return queue;
}

/*
 * Cancel every pending packet on 'queue', notify the device that the
 * endpoint stopped, unlink the queue and free it.  'reason' is only used
 * for tracing.  The queue and all of its UHCIAsync objects are freed, so
 * callers must drop any pointer they still hold to either.
 */
static void uhci_queue_free(UHCIQueue *queue, const char *reason)
{
    UHCIState *s = queue->uhci;
    UHCIAsync *async;

    /* uhci_async_cancel() unlinks the entry, so the list shrinks each turn */
    while (!QTAILQ_EMPTY(&queue->asyncs)) {
        async = QTAILQ_FIRST(&queue->asyncs);
        uhci_async_cancel(async);
    }
    usb_device_ep_stopped(queue->ep->dev, queue->ep);

    trace_usb_uhci_queue_del(queue->token, reason);
    QTAILQ_REMOVE(&s->queues, queue, next);
    g_free(queue);
}

/* Linear search of s->queues for the queue matching td's token, or NULL. */
static UHCIQueue *uhci_queue_find(UHCIState *s, UHCI_TD *td)
{
    uint32_t token = uhci_queue_token(td);
    UHCIQueue *queue;

    QTAILQ_FOREACH(queue, &s->queues, next) {
        if (queue->token == token) {
            return queue;
        }
    }
    return NULL;
}

/*
 * Check that a cached queue still describes what the guest schedule shows.
 *
 * Returns true only if the QH address and token are unchanged, the device
 * address encoded in the token equals the endpoint device's current
 * address, and -- unless we are queuing, the TD is inactive, or nothing is
 * pending -- the first pending packet belongs to this td_addr.  Callers
 * free the queue when this returns false.
 */
static bool uhci_queue_verify(UHCIQueue *queue, uint32_t qh_addr, UHCI_TD *td,
                              uint32_t td_addr, bool queuing)
{
    UHCIAsync *first = QTAILQ_FIRST(&queue->asyncs);
    uint32_t queue_token_addr = (queue->token >> 8) & 0x7f;

    return queue->qh_addr == qh_addr &&
           queue->token == uhci_queue_token(td) &&
           queue_token_addr == queue->ep->dev->addr &&
           (queuing || !(td->ctrl & TD_CTRL_ACTIVE) || first == NULL ||
            first->td_addr == td_addr);
}

/*
 * Allocate a zeroed UHCIAsync bound to 'queue' and 'td_addr' and initialise
 * its USBPacket.  'buf' is left NULL here; uhci_handle_td() assigns it.
 * The packet is not linked into the queue until uhci_async_link().
 */
static UHCIAsync *uhci_async_alloc(UHCIQueue *queue, uint32_t td_addr)
{
    UHCIAsync *async = g_new0(UHCIAsync, 1);

    async->queue = queue;
    async->td_addr = td_addr;
    usb_packet_init(&async->packet);
    trace_usb_uhci_packet_add(async->queue->token, async->td_addr);

    return async;
}

/*
 * Release an unlinked UHCIAsync: clean up the packet, free the data buffer
 * when it is not the embedded static_buf, then free the object.
 */
static void uhci_async_free(UHCIAsync *async)
{
    trace_usb_uhci_packet_del(async->queue->token, async->td_addr);
    usb_packet_cleanup(&async->packet);
    if (async->buf != async->static_buf) {
        g_free(async->buf);
    }
    g_free(async);
}

/* Append 'async' to the tail of its queue's pending list. */
static void uhci_async_link(UHCIAsync *async)
{
    UHCIQueue *queue = async->queue;
    QTAILQ_INSERT_TAIL(&queue->asyncs, async, next);
    trace_usb_uhci_packet_link_async(async->queue->token, async->td_addr);
}

/* Remove 'async' from its queue's pending list without freeing it. */
static void uhci_async_unlink(UHCIAsync *async)
{
    UHCIQueue *queue = async->queue;
    QTAILQ_REMOVE(&queue->asyncs, async, next);
    trace_usb_uhci_packet_unlink_async(async->queue->token, async->td_addr);
}

/*
 * Unlink and free 'async'.  A packet that has not completed yet is first
 * cancelled in the USB core so the device stops referencing it.
 */
static void uhci_async_cancel(UHCIAsync *async)
{
    uhci_async_unlink(async);
    trace_usb_uhci_packet_cancel(async->queue->token, async->td_addr,
                                 async->done);
    if (!async->done) {
        usb_cancel_packet(&async->packet);
    }
    uhci_async_free(async);
}

/*
 * Mark all outstanding async packets as invalid.
 * This is used for canceling them when TDs are removed by the HCD.
 *
 * Concretely: age every queue by one.  uhci_handle_td() reloads the
 * counter with QH_VALID whenever it sees the queue in the schedule.
 */
static void uhci_async_validate_begin(UHCIState *s)
{
    UHCIQueue *queue;

    QTAILQ_FOREACH(queue, &s->queues, next) {
        queue->valid--;
    }
}

/*
 * Cancel async packets that are no longer valid
 *
 * A queue is dropped once its aging counter has reached exactly zero.
 */
static void uhci_async_validate_end(UHCIState *s)
{
    UHCIQueue *queue, *n;

    /* _SAFE variant: uhci_queue_free() removes the current element */
    QTAILQ_FOREACH_SAFE(queue, &s->queues, next, n) {
        if (!queue->valid) {
            uhci_queue_free(queue, "validate-end");
        }
    }
}

/* Free every queue whose endpoint belongs to 'dev'. */
static void uhci_async_cancel_device(UHCIState *s, USBDevice *dev)
{
    UHCIQueue *queue, *n;

    QTAILQ_FOREACH_SAFE(queue, &s->queues, next, n) {
        if (queue->ep->dev == dev) {
            uhci_queue_free(queue, "cancel-device");
        }
    }
}

/* Free every queue, cancelling all pending packets. */
static void uhci_async_cancel_all(UHCIState *s)
{
    UHCIQueue *queue, *nq;

    QTAILQ_FOREACH_SAFE(queue, &s->queues, next, nq) {
        uhci_queue_free(queue, "cancel-all");
    }
}

/*
 * Find the pending packet created for 'td_addr' by scanning every queue.
 * Returns NULL when no packet is pending for that TD.
 */
static UHCIAsync *uhci_async_find_td(UHCIState *s, uint32_t td_addr)
{
    UHCIQueue *queue;
    UHCIAsync *async;

    QTAILQ_FOREACH(queue, &s->queues, next) {
        QTAILQ_FOREACH(async, &queue->asyncs, next) {
            if (async->td_addr == td_addr) {
                return async;
            }
        }
    }
    return NULL;
}

/*
 * Recompute the interrupt line from the status registers and the guest's
 * interrupt-enable mask.
 *
 * status2 bit 0 / bit 1 are the hidden IOC / short-packet flags (they are
 * fed from int_mask 0x01 / 0x02 below) and are gated by intr bits 2 / 3.
 * USBERR and RD are gated by intr bits 0 / 1.  HSERR and HCPERR raise the
 * line regardless of the enable mask.
 */
static void uhci_update_irq(UHCIState *s)
{
    int level = 0;
    if (((s->status2 & 1) && (s->intr & (1 << 2))) ||
        ((s->status2 & 2) && (s->intr & (1 << 3))) ||
        ((s->status & UHCI_STS_USBERR) && (s->intr & (1 << 0))) ||
        ((s->status & UHCI_STS_RD) && (s->intr & (1 << 1))) ||
        (s->status & UHCI_STS_HSERR) ||
        (s->status & UHCI_STS_HCPERR)) {
        level = 1;
    }
    qemu_set_irq(s->irq, level);
}

/*
 * Put the controller into its reset state: registers cleared, controller
 * halted, attached devices reset, all pending packets cancelled and the
 * bottom half descheduled.
 */
void uhci_state_reset(UHCIState *s)
{
    int i;
    UHCIPort *port;

    trace_usb_uhci_reset();

    s->cmd = 0;
    s->status = UHCI_STS_HCHALTED;
    s->status2 = 0;
    s->intr = 0;
    s->fl_base_addr = 0;
    s->sof_timing = 64;

    for (i = 0; i < UHCI_PORTS; i++) {
        port = &s->ports[i];
        port->ctrl = 0x0080;
        if (port->port.dev && port->port.dev->attached) {
            usb_port_reset(&port->port);
        }
    }

    /* drop queues before anything can complete into stale state */
    uhci_async_cancel_all(s);
    qemu_bh_cancel(s->bh);
    uhci_update_irq(s);
}

/* Reset through the hook stored in the state (s->uhci_reset). */
static void uhci_reset(UHCIState *s)
{
    s->uhci_reset(s);
}

/* Migration description of one root port: only the PORTSC value. */
static const VMStateDescription vmstate_uhci_port = {
    .name = "uhci port",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (const VMStateField[]) {
        VMSTATE_UINT16(ctrl, UHCIPort),
        VMSTATE_END_OF_LIST()
    }
};

/*
 * Post-load fixup.  Streams older than version 2 carry no expire_time
 * (see VMSTATE_INT64_V below), so one frame period from now is used.
 */
static int uhci_post_load(void *opaque, int version_id)
{
    UHCIState *s = opaque;

    if (version_id < 2) {
        s->expire_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
            (NANOSECONDS_PER_SECOND / FRAME_TIMER_FREQ);
    }
    return 0;
}

/*
 * Migration description of the controller.
 *
 * The register values are loaded from the incoming stream without range
 * checks in this file; the code that consumes them masks at the point of
 * use (for example frnum & 0x3ff in uhci_process_frame()).  Only the port
 * count is required to match (VMSTATE_UINT8_EQUAL).
 */
const VMStateDescription vmstate_uhci_state = {
    .name = "uhci",
    .version_id = 4,
    .minimum_version_id = 1,
    .post_load = uhci_post_load,
    .fields = (const VMStateField[]) {
        VMSTATE_UINT8_EQUAL(num_ports_vmstate, UHCIState, NULL),
        VMSTATE_STRUCT_ARRAY(ports, UHCIState, UHCI_PORTS, 1,
                             vmstate_uhci_port, UHCIPort),
        VMSTATE_UINT16(cmd, UHCIState),
        VMSTATE_UINT16(status, UHCIState),
        VMSTATE_UINT16(intr, UHCIState),
        VMSTATE_UINT16(frnum, UHCIState),
        VMSTATE_UINT32(fl_base_addr, UHCIState),
        VMSTATE_UINT8(sof_timing, UHCIState),
        VMSTATE_UINT8(status2, UHCIState),
        VMSTATE_TIMER_PTR(frame_timer, UHCIState),
        VMSTATE_INT64_V(expire_time, UHCIState, 2),
        VMSTATE_UINT32_V(pending_int_mask, UHCIState, 3),
        VMSTATE_END_OF_LIST()
    }
};

/*
 * Register write handler (guest -> device).
 *
 * 'opaque' is the UHCIState, 'addr' the register offset and 'val' the
 * guest-supplied value; both addr and val are untrusted.  'size' is not
 * used: uhci_ioport_ops fixes the implemented access size at 2 bytes.
 * Offsets not listed in the switch are ignored.
 */
static void uhci_port_write(void *opaque, hwaddr addr,
                            uint64_t val, unsigned size)
{
    UHCIState *s = opaque;

    trace_usb_uhci_mmio_writew(addr, val);

    switch (addr) {
    case UHCI_USBCMD:
        if ((val & UHCI_CMD_RS) && !(s->cmd & UHCI_CMD_RS)) {
            /* start frame processing */
            trace_usb_uhci_schedule_start();
            s->expire_time = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
                (NANOSECONDS_PER_SECOND / FRAME_TIMER_FREQ);
            timer_mod(s->frame_timer, s->expire_time);
            s->status &= ~UHCI_STS_HCHALTED;
        } else if (!(val & UHCI_CMD_RS)) {
            s->status |= UHCI_STS_HCHALTED;
        }
        if (val & UHCI_CMD_GRESET) {
            UHCIPort *port;
            int i;

            /* send reset on the USB bus */
            /*
             * NOTE(review): unlike the PORTSC path below, port.dev is not
             * checked for NULL/attached here; presumably
             * usb_device_reset() tolerates both -- confirm.
             */
            for (i = 0; i < UHCI_PORTS; i++) {
                port = &s->ports[i];
                usb_device_reset(port->port.dev);
            }
            uhci_reset(s);
            return;
        }
        if (val & UHCI_CMD_HCRESET) {
            uhci_reset(s);
            return;
        }
        s->cmd = val;
        if (val & UHCI_CMD_EGSM) {
            /* only ports 0 and 1 are inspected, independent of UHCI_PORTS */
            if ((s->ports[0].ctrl & UHCI_PORT_RD) ||
                (s->ports[1].ctrl & UHCI_PORT_RD)) {
                uhci_resume(s);
            }
        }
        break;
    case UHCI_USBSTS:
        /* write-one-to-clear */
        s->status &= ~val;
        /*
         * XXX: the chip spec is not coherent, so we add a hidden
         * register to distinguish between IOC and SPD
         */
        if (val & UHCI_STS_USBINT) {
            s->status2 = 0;
        }
        uhci_update_irq(s);
        break;
    case UHCI_USBINTR:
        s->intr = val;
        uhci_update_irq(s);
        break;
    case UHCI_USBFRNUM:
        /* the frame number is only writable while the controller is halted */
        if (s->status & UHCI_STS_HCHALTED) {
            s->frnum = val & 0x7ff;
        }
        break;
    case UHCI_USBFLBASEADD:
        /* low half of the frame list base; low 12 bits are forced to zero */
        s->fl_base_addr &= 0xffff0000;
        s->fl_base_addr |= val & ~0xfff;
        break;
    case UHCI_USBFLBASEADD + 2:
        /* high half of the frame list base */
        s->fl_base_addr &= 0x0000ffff;
        s->fl_base_addr |= (val << 16);
        break;
    case UHCI_USBSOF:
        s->sof_timing = val & 0xff;
        break;
    case UHCI_USBPORTSC1 ... UHCI_USBPORTSC4:
        {
            UHCIPort *port;
            USBDevice *dev;
            int n;

            /*
             * The case range covers more register slots than there may be
             * ports, so the derived index is bounds-checked before it is
             * used on s->ports[].
             */
            n = (addr >> 1) & 7;
            if (n >= UHCI_PORTS) {
                return;
            }
            port = &s->ports[n];
            dev = port->port.dev;
            if (dev && dev->attached) {
                /* port reset */
                if ((val & UHCI_PORT_RESET) &&
                    !(port->ctrl & UHCI_PORT_RESET)) {
                    usb_device_reset(dev);
                }
            }
            /* keep only the read-only bits, then merge the writable ones */
            port->ctrl &= UHCI_PORT_READ_ONLY;
            /* enabled may only be set if a device is connected */
            if (!(port->ctrl & UHCI_PORT_CCS)) {
                val &= ~UHCI_PORT_EN;
            }
            port->ctrl |= (val & ~UHCI_PORT_READ_ONLY);
            /* some bits are reset when a '1' is written to them */
            port->ctrl &= ~(val & UHCI_PORT_WRITE_CLEAR);
        }
        break;
    }
}

/*
 * Register read handler (device -> guest).
 *
 * Returns the 16-bit register at offset 'addr'.  Unknown offsets and port
 * slots beyond UHCI_PORTS read as 0xff7f.  'size' is not used.
 */
static uint64_t uhci_port_read(void *opaque, hwaddr addr, unsigned size)
{
    UHCIState *s = opaque;
    uint32_t val;

    switch (addr) {
    case UHCI_USBCMD:
        val = s->cmd;
        break;
    case UHCI_USBSTS:
        val = s->status;
        break;
    case UHCI_USBINTR:
        val = s->intr;
        break;
    case UHCI_USBFRNUM:
        val = s->frnum;
        break;
    case UHCI_USBFLBASEADD:
        val = s->fl_base_addr & 0xffff;
        break;
    case UHCI_USBFLBASEADD + 2:
        val = (s->fl_base_addr >> 16) & 0xffff;
        break;
    case UHCI_USBSOF:
        val = s->sof_timing;
        break;
    case UHCI_USBPORTSC1 ... UHCI_USBPORTSC4:
        {
            UHCIPort *port;
            int n;
            /* same index derivation and bounds check as the write path */
            n = (addr >> 1) & 7;
            if (n >= UHCI_PORTS) {
                goto read_default;
            }
            port = &s->ports[n];
            val = port->ctrl;
        }
        break;
    default:
    read_default:
        val = 0xff7f; /* disabled port */
        break;
    }

    trace_usb_uhci_mmio_readw(addr, val);

    return val;
}

/* signal resume if controller suspended */
/*
 * With EGSM set in the command register this sets FGR, flags resume-detect
 * in the status register and re-evaluates the IRQ.  A NULL 'opaque' is
 * ignored.
 */
static void uhci_resume(void *opaque)
{
    UHCIState *s = (UHCIState *)opaque;

    if (!s) {
        return;
    }

    if (s->cmd & UHCI_CMD_EGSM) {
        s->cmd |= UHCI_CMD_FGR;
        s->status |= UHCI_STS_RD;
        uhci_update_irq(s);
    }
}

/*
 * USBPortOps.attach: record the connect and connect-change bits, mirror
 * the device speed into the low-speed bit and signal resume.
 */
static void uhci_attach(USBPort *port1)
{
    UHCIState *s = port1->opaque;
    UHCIPort *port = &s->ports[port1->index];

    /* set connect status */
    port->ctrl |= UHCI_PORT_CCS | UHCI_PORT_CSC;

    /* update speed */
    if (port->port.dev->speed == USB_SPEED_LOW) {
        port->ctrl |= UHCI_PORT_LSDA;
    } else {
        port->ctrl &= ~UHCI_PORT_LSDA;
    }

    uhci_resume(s);
}

/*
 * USBPortOps.detach: cancel everything pending for the departing device
 * first, then update the connect/enable bits and signal resume.
 */
static void uhci_detach(USBPort *port1)
{
    UHCIState *s = port1->opaque;
    UHCIPort *port = &s->ports[port1->index];

    /* must happen before the device goes away: queues reference its ep */
    uhci_async_cancel_device(s, port1->dev);

    /* set connect status */
    if (port->ctrl & UHCI_PORT_CCS) {
        port->ctrl &= ~UHCI_PORT_CCS;
        port->ctrl |= UHCI_PORT_CSC;
    }
    /* disable port */
    if (port->ctrl & UHCI_PORT_EN) {
        port->ctrl &= ~UHCI_PORT_EN;
        port->ctrl |= UHCI_PORT_ENC;
    }

    uhci_resume(s);
}

/* USBPortOps.child_detach: cancel everything pending for 'child'. */
static void uhci_child_detach(USBPort *port1, USBDevice *child)
{
    UHCIState *s = port1->opaque;

    uhci_async_cancel_device(s, child);
}

/*
 * USBPortOps.wakeup: on a suspended port without resume-detect already
 * set, set resume-detect and signal resume to the controller.
 */
static void uhci_wakeup(USBPort *port1)
{
    UHCIState *s = port1->opaque;
    UHCIPort *port = &s->ports[port1->index];

    if (port->ctrl & UHCI_PORT_SUSPEND && !(port->ctrl & UHCI_PORT_RD)) {
        port->ctrl |= UHCI_PORT_RD;
        uhci_resume(s);
    }
}

/*
 * Look up the device with USB address 'addr' behind any enabled root port.
 * Ports the guest has not enabled are skipped.  Returns NULL if not found.
 */
static USBDevice *uhci_find_device(UHCIState *s, uint8_t addr)
{
    USBDevice *dev;
    int i;

    for (i = 0; i < UHCI_PORTS; i++) {
        UHCIPort *port = &s->ports[i];
        if (!(port->ctrl & UHCI_PORT_EN)) {
            continue;
        }
        dev = usb_find_device(&port->port, addr);
        if (dev != NULL) {
            return dev;
        }
    }
    return NULL;
}

/*
 * Copy 'len' bytes from guest address 'addr' (in address space s->as)
 * into 'buf'.
 *
 * NOTE(review): the result of dma_memory_read() is discarded, so callers
 * cannot tell a failed transfer from a successful one; what 'buf' holds
 * after a failure is not visible from this file -- confirm.
 */
static void uhci_dma_read(UHCIState *s, dma_addr_t addr, void *buf,
                          dma_addr_t len)
{
    dma_memory_read(s->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
}

/*
 * Copy 'len' bytes from 'buf' to guest address 'addr' (in s->as).  The
 * result of dma_memory_write() is discarded as well.
 */
static void uhci_dma_write(UHCIState *s, dma_addr_t addr, void *buf,
                           dma_addr_t len)
{
    dma_memory_write(s->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
}

/*
 * Fetch the TD that 'link' points at (low four bits masked off) from
 * guest memory and convert its fields from little endian to host order.
 * Every field of the result is guest-controlled.
 */
static void uhci_read_td(UHCIState *s, UHCI_TD *td, uint32_t link)
{
    uhci_dma_read(s, link & ~0xf, td, sizeof(*td));
    le32_to_cpus(&td->link);
    le32_to_cpus(&td->ctrl);
    le32_to_cpus(&td->token);
    le32_to_cpus(&td->buffer);
}

/*
 * Translate a failed packet status into TD status bits and a TD_RESULT_*.
 *
 * NAK only sets the NAK bit and returns early: the TD stays active and no
 * error is reported.  Every other status clears ACTIVE, sets USBERR in the
 * status register, requests the IOC interrupt (int_mask bit 0) when the
 * TD asks for one, and re-evaluates the IRQ.  Babble stops the frame; the
 * other errors move on to the next QH.  The caller writes td->ctrl back to
 * guest memory.
 */
static int uhci_handle_td_error(UHCIState *s, UHCI_TD *td, uint32_t td_addr,
                                int status, uint32_t *int_mask)
{
    uint32_t queue_token = uhci_queue_token(td);
    int ret;

    switch (status) {
    case USB_RET_NAK:
        td->ctrl |= TD_CTRL_NAK;
        return TD_RESULT_NEXT_QH;

    case USB_RET_STALL:
        td->ctrl |= TD_CTRL_STALL;
        trace_usb_uhci_packet_complete_stall(queue_token, td_addr);
        ret = TD_RESULT_NEXT_QH;
        break;

    case USB_RET_BABBLE:
        td->ctrl |= TD_CTRL_BABBLE | TD_CTRL_STALL;
        /* frame interrupted */
        trace_usb_uhci_packet_complete_babble(queue_token, td_addr);
        ret = TD_RESULT_STOP_FRAME;
        break;

    case USB_RET_IOERROR:
    case USB_RET_NODEV:
    default:
        td->ctrl |= TD_CTRL_TIMEOUT;
        /* clear the two-bit field at TD_CTRL_ERROR_SHIFT */
        td->ctrl &= ~(3 << TD_CTRL_ERROR_SHIFT);
        trace_usb_uhci_packet_complete_error(queue_token, td_addr);
        ret = TD_RESULT_NEXT_QH;
        break;
    }

    td->ctrl &= ~TD_CTRL_ACTIVE;
    s->status |= UHCI_STS_USBERR;
    if (td->ctrl & TD_CTRL_IOC) {
        *int_mask |= 0x01;
    }
    uhci_update_irq(s);
    return ret;
}

/*
 * Finish a TD whose packet has completed: update the TD status word,
 * copy IN data to the guest buffer and report how to continue.
 *
 * int_mask bit 0 is set for IOC, bit 1 for a short IN packet with SPD.
 * The caller owns 'async' and frees it afterwards.
 */
static int uhci_complete_td(UHCIState *s, UHCI_TD *td, UHCIAsync *async,
                            uint32_t *int_mask)
{
    int len = 0, max_len;
    uint8_t pid;

    /* token bits 21+ hold (max length - 1), 11 bits wide */
    max_len = ((td->token >> 21) + 1) & 0x7ff;
    pid = td->token & 0xff;

    if (td->ctrl & TD_CTRL_IOS) {
        td->ctrl &= ~TD_CTRL_ACTIVE;
    }

    if (async->packet.status != USB_RET_SUCCESS) {
        return uhci_handle_td_error(s, td, async->td_addr,
                                    async->packet.status, int_mask);
    }

    len = async->packet.actual_length;
    /* actual length is stored as (len - 1) in the low 11 bits of ctrl */
    td->ctrl = (td->ctrl & ~0x7ff) | ((len - 1) & 0x7ff);

    /*
     * The NAK bit may have been set by a previous frame, so clear it
     * here.  The docs are somewhat unclear, but win2k relies on this
     * behavior.
     */
    td->ctrl &= ~(TD_CTRL_ACTIVE | TD_CTRL_NAK);
    if (td->ctrl & TD_CTRL_IOC) {
        *int_mask |= 0x01;
    }

    if (pid == USB_TOKEN_IN) {
        /*
         * Destination address and length both derive from guest/device
         * data.  async->buf was sized from max_len in uhci_handle_td();
         * NOTE(review): that actual_length never exceeds the size given
         * to usb_packet_addbuf() is assumed from the USB core -- confirm.
         */
        uhci_dma_write(s, td->buffer, async->buf, len);
        if ((td->ctrl & TD_CTRL_SPD) && len < max_len) {
            *int_mask |= 0x02;
            /* short packet: do not update QH */
            trace_usb_uhci_packet_complete_shortxfer(async->queue->token,
                                                     async->td_addr);
            return TD_RESULT_NEXT_QH;
        }
    }

    /* success */
    trace_usb_uhci_packet_complete_success(async->queue->token,
                                           async->td_addr);
    return TD_RESULT_COMPLETE;
}

/*
 * Process one TD read from guest memory.
 *
 * s        controller state
 * q        queue being filled (uhci_queue_fill()), or NULL when called
 *          from the frame walk; non-NULL selects "queuing" mode
 * qh_addr  link value of the QH the TD hangs off (0 if none)
 * td       host-order copy of the TD; td->ctrl is updated in place and
 *          written back to the guest by the caller
 * td_addr  link value the TD was fetched through
 * int_mask accumulates interrupt causes (bit 0 IOC, bit 1 short packet)
 *
 * Returns a TD_RESULT_* code.  Any queue found stale against the current
 * guest schedule is freed before a new one is looked up or created, so
 * pointers into a freed queue are never carried past the verify steps.
 */
static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
                          UHCI_TD *td, uint32_t td_addr, uint32_t *int_mask)
{
    int ret, max_len;
    bool spd;
    bool queuing = (q != NULL);
    uint8_t pid = td->token & 0xff;
    UHCIAsync *async;

    /* is a packet already pending for this TD address? */
    async = uhci_async_find_td(s, td_addr);
    if (async) {
        if (uhci_queue_verify(async->queue, qh_addr, td, td_addr, queuing)) {
            assert(q == NULL || q == async->queue);
            q = async->queue;
        } else {
            /* frees 'async' too, hence the pointer is dropped */
            uhci_queue_free(async->queue, "guest re-used pending td");
            async = NULL;
        }
    }

    if (q == NULL) {
        q = uhci_queue_find(s, td);
        if (q && !uhci_queue_verify(q, qh_addr, td, td_addr, queuing)) {
            uhci_queue_free(q, "guest re-used qh");
            q = NULL;
        }
    }

    if (q) {
        /* seen in the schedule: reload the aging counter */
        q->valid = QH_VALID;
    }

    /* Is active ? */
    if (!(td->ctrl & TD_CTRL_ACTIVE)) {
        if (async) {
            /* Guest marked a pending td non-active, cancel the queue */
            uhci_queue_free(async->queue, "pending td non-active");
        }
        /*
         * ehci11d spec page 22: "Even if the Active bit in the TD is already
         * cleared when the TD is fetched ... an IOC interrupt is generated"
         */
        if (td->ctrl & TD_CTRL_IOC) {
            *int_mask |= 0x01;
        }
        return TD_RESULT_NEXT_QH;
    }

    /* the PID is guest data: accept only the three known token types */
    switch (pid) {
    case USB_TOKEN_OUT:
    case USB_TOKEN_SETUP:
    case USB_TOKEN_IN:
        break;
    default:
        /* invalid pid : frame interrupted */
        s->status |= UHCI_STS_HCPERR;
        s->cmd &= ~UHCI_CMD_RS;
        uhci_update_irq(s);
        return TD_RESULT_STOP_FRAME;
    }

    if (async) {
        if (queuing) {
            /*
             * we are busy filling the queue, we are not prepared
             * to consume completed packets then, just leave them
             * in async state
             */
            return TD_RESULT_ASYNC_CONT;
        }
        if (!async->done) {
            UHCI_TD last_td;
            UHCIAsync *last = QTAILQ_LAST(&async->queue->asyncs);
            /*
             * While we are waiting for the current td to complete, the guest
             * may have added more tds to the queue. Note we re-read the td
             * rather than caching it, as we want to see guest made changes!
             */
            uhci_read_td(s, &last_td, last->td_addr);
            uhci_queue_fill(async->queue, &last_td);

            return TD_RESULT_ASYNC_CONT;
        }
        /* completed packet: take it off the queue and finish the TD */
        uhci_async_unlink(async);
        goto done;
    }

    if (s->completions_only) {
        /* this pass only collects completions, no new submissions */
        return TD_RESULT_ASYNC_CONT;
    }

    /* Allocate new packet */
    if (q == NULL) {
        USBDevice *dev;
        USBEndpoint *ep;

        dev = uhci_find_device(s, (td->token >> 8) & 0x7f);
        if (dev == NULL) {
            return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV,
                                        int_mask);
        }
        ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
        q = uhci_queue_new(s, qh_addr, td, ep);
    }
    async = uhci_async_alloc(q, td_addr);

    /* guest-chosen transfer size, at most 0x7ff after masking */
    max_len = ((td->token >> 21) + 1) & 0x7ff;
    spd = (pid == USB_TOKEN_IN && (td->ctrl & TD_CTRL_SPD) != 0);
    usb_packet_setup(&async->packet, pid, q->ep, 0, td_addr, spd,
                     (td->ctrl & TD_CTRL_IOC) != 0);
    /* the buffer is always at least max_len bytes, embedded or allocated */
    if (max_len <= sizeof(async->static_buf)) {
        async->buf = async->static_buf;
    } else {
        async->buf = g_malloc(max_len);
    }
    usb_packet_addbuf(&async->packet, async->buf, max_len);

    switch (pid) {
    case USB_TOKEN_OUT:
    case USB_TOKEN_SETUP:
        /* payload is pulled from the guest buffer before submission */
        uhci_dma_read(s, td->buffer, async->buf, max_len);
        usb_handle_packet(q->ep->dev, &async->packet);
        if (async->packet.status == USB_RET_SUCCESS) {
            async->packet.actual_length = max_len;
        }
        break;

    case USB_TOKEN_IN:
        usb_handle_packet(q->ep->dev, &async->packet);
        break;

    default:
        abort(); /* Never to execute */
    }

    if (async->packet.status == USB_RET_ASYNC) {
        uhci_async_link(async);
        if (!queuing) {
            /* submit the TDs that follow on the same endpoint as well */
            uhci_queue_fill(q, td);
        }
        return TD_RESULT_ASYNC_START;
    }

done:
    ret = uhci_complete_td(s, td, async, int_mask);
    uhci_async_free(async);
    return ret;
}

/*
 * USBPortOps.complete: called when a pending packet finishes.
 *
 * A packet removed from its queue is cancelled outright.  Otherwise the
 * packet is marked done and the bottom half is scheduled in
 * completions-only mode so the TD is written back promptly.
 */
static void uhci_async_complete(USBPort *port, USBPacket *packet)
{
    UHCIAsync *async = container_of(packet, UHCIAsync, packet);
    UHCIState *s = async->queue->uhci;

    if (packet->status == USB_RET_REMOVE_FROM_QUEUE) {
        uhci_async_cancel(async);
        return;
    }

    async->done = 1;
    /* Force processing of this packet *now*, needed for migration */
    s->completions_only = true;
    qemu_bh_schedule(s->bh);
}

/* A link pointer is usable when its bit 0 is clear. */
static int is_valid(uint32_t link)
{
    return (link & 1) == 0;
}

/* Bit 1 set: the link points at a QH rather than a TD. */
static int is_qh(uint32_t link)
{
    return (link & 2) != 0;
}

/* Bit 2 set: continue depth first after this element. */
static int depth_first(uint32_t link)
{
    return (link & 4) != 0;
}

/* QH DB used for detecting QH loops */
#define UHCI_MAX_QUEUES 128
typedef struct {
    uint32_t addr[UHCI_MAX_QUEUES];
    int count;
} QhDb;

/* Forget all recorded QH links. */
static void qhdb_reset(QhDb *db)
{
    db->count = 0;
}

/* Add QH to DB. Returns 1 if already present or DB is full. */
/*
 * A full table is reported like a repeat, so the caller's loop handling
 * also bounds schedules with more than UHCI_MAX_QUEUES distinct QHs.
 */
static int qhdb_insert(QhDb *db, uint32_t addr)
{
    int i;
    for (i = 0; i < db->count; i++) {
        if (db->addr[i] == addr) {
            return 1;
        }
    }

    /* capacity check precedes the store below */
    if (db->count >= UHCI_MAX_QUEUES) {
        return 1;
    }

    db->addr[db->count++] = addr;
    return 0;
}

/*
 * Submit the TDs that follow 'td' on queue 'q' ahead of time.
 *
 * Follows td->link through guest memory while each TD is active and maps
 * to the same queue token.  The walk ends when uhci_handle_td() reports
 * TD_RESULT_ASYNC_CONT, which it does for a TD that already has a pending
 * packet.  Finally the endpoint queue is flushed.
 *
 * NOTE(review): the asserts assume uhci_handle_td() can only return
 * ASYNC_CONT or ASYNC_START when called with a non-NULL queue.  That
 * function has other return paths (error, stop-frame and complete
 * results) and the TD contents are guest data -- note that for endpoint 0
 * the token compared here does not cover the PID.  Confirm none of those
 * paths is reachable from here, since a failed assert aborts the emulator.
 */
static void uhci_queue_fill(UHCIQueue *q, UHCI_TD *td)
{
    uint32_t int_mask = 0;
    uint32_t plink = td->link;
    UHCI_TD ptd;
    int ret;

    while (is_valid(plink)) {
        uhci_read_td(q->uhci, &ptd, plink);
        if (!(ptd.ctrl & TD_CTRL_ACTIVE)) {
            break;
        }
        if (uhci_queue_token(&ptd) != q->token) {
            break;
        }
        trace_usb_uhci_td_queue(plink & ~0xf, ptd.ctrl, ptd.token);
        ret = uhci_handle_td(q->uhci, q, q->qh_addr, &ptd, plink, &int_mask);
        if (ret == TD_RESULT_ASYNC_CONT) {
            break;
        }
        assert(ret == TD_RESULT_ASYNC_START);
        assert(int_mask == 0);
        plink = ptd.link;
    }
    usb_device_flush_ep_queue(q->ep->dev, q->ep);
}

/*
 * Walk the schedule for the current frame.
 *
 * Reads the frame-list entry selected by frnum from guest memory and
 * follows QH/TD links, handing each TD to uhci_handle_td() and writing
 * changed TD status and QH element links back to the guest.
 *
 * Termination does not depend on the guest: the loop runs at most
 * FRAME_MAX_LOOPS iterations, stops once the per-frame byte budget is
 * used (outside completions-only mode), and stops on a QH loop in which
 * no TD completed.  Interrupt causes are accumulated into
 * s->pending_int_mask for uhci_frame_timer() to raise.
 */
static void uhci_process_frame(UHCIState *s)
{
    uint32_t frame_addr, link, old_td_ctrl, val, int_mask;
    uint32_t curr_qh, td_count = 0;
    int cnt, ret;
    UHCI_TD td;
    UHCI_QH qh;
    QhDb qhdb;

    /* 1024 four-byte entries; frnum is masked so the index stays in range */
    frame_addr = s->fl_base_addr + ((s->frnum & 0x3ff) << 2);

    uhci_dma_read(s, frame_addr, &link, 4);
    le32_to_cpus(&link);

    int_mask = 0;
    curr_qh  = 0;

    qhdb_reset(&qhdb);

    for (cnt = FRAME_MAX_LOOPS; is_valid(link) && cnt; cnt--) {
        if (!s->completions_only && s->frame_bytes >= s->frame_bandwidth) {
            /*
             * We've reached the usb 1.1 bandwidth, which is
             * 1280 bytes/frame, stop processing
             */
            trace_usb_uhci_frame_stop_bandwidth();
            break;
        }
        if (is_qh(link)) {
            /* QH */
            trace_usb_uhci_qh_load(link & ~0xf);

            if (qhdb_insert(&qhdb, link)) {
                /*
                 * We're going in circles. Which is not a bug because
                 * HCD is allowed to do that as part of the BW management.
                 *
                 * Stop processing here if no transaction has been done
                 * since we've been here last time.
                 */
                if (td_count == 0) {
                    trace_usb_uhci_frame_loop_stop_idle();
                    break;
                } else {
                    trace_usb_uhci_frame_loop_continue();
                    td_count = 0;
                    qhdb_reset(&qhdb);
                    qhdb_insert(&qhdb, link);
                }
            }

            uhci_dma_read(s, link & ~0xf, &qh, sizeof(qh));
            le32_to_cpus(&qh.link);
            le32_to_cpus(&qh.el_link);

            if (!is_valid(qh.el_link)) {
                /* QH w/o elements */
                curr_qh = 0;
                link = qh.link;
            } else {
                /* QH with elements */
                curr_qh = link;
                link = qh.el_link;
            }
            continue;
        }

        /* TD */
        uhci_read_td(s, &td, link);
        trace_usb_uhci_td_load(curr_qh & ~0xf, link & ~0xf, td.ctrl, td.token);

        old_td_ctrl = td.ctrl;
        ret = uhci_handle_td(s, NULL, curr_qh, &td, link, &int_mask);
        if (old_td_ctrl != td.ctrl) {
            /* update the status bits of the TD */
            /* offset 4 is the ctrl word, the second field of UHCI_TD */
            val = cpu_to_le32(td.ctrl);
            uhci_dma_write(s, (link & ~0xf) + 4, &val, sizeof(val));
        }

        switch (ret) {
        case TD_RESULT_STOP_FRAME: /* interrupted frame */
            goto out;

        case TD_RESULT_NEXT_QH:
        case TD_RESULT_ASYNC_CONT:
            trace_usb_uhci_td_nextqh(curr_qh & ~0xf, link & ~0xf);
            link = curr_qh ? qh.link : td.link;
            continue;

        case TD_RESULT_ASYNC_START:
            trace_usb_uhci_td_async(curr_qh & ~0xf, link & ~0xf);
            link = curr_qh ? qh.link : td.link;
            continue;

        case TD_RESULT_COMPLETE:
            trace_usb_uhci_td_complete(curr_qh & ~0xf, link & ~0xf);
            link = td.link;
            td_count++;
            /* ctrl low bits hold (actual length - 1), see uhci_complete_td */
            s->frame_bytes += (td.ctrl & 0x7ff) + 1;

            if (curr_qh) {
                /* update QH element link */
                /* offset 4 is el_link, the second field of UHCI_QH */
                qh.el_link = link;
                val = cpu_to_le32(qh.el_link);
                uhci_dma_write(s, (curr_qh & ~0xf) + 4, &val, sizeof(val));

                if (!depth_first(link)) {
                    /* done with this QH */
                    curr_qh = 0;
                    link = qh.link;
                }
            }
            break;

        default:
            assert(!"unknown return code");
        }

        /* go to the next entry */
    }

out:
    s->pending_int_mask |= int_mask;
}

/* Bottom half: run one schedule pass (scheduled by uhci_async_complete). */
static void uhci_bh(void *opaque)
{
    UHCIState *s = opaque;
    uhci_process_frame(s);
}

/*
 * Frame timer callback.
 *
 * When the guest has cleared Run/Stop the controller is halted: timer
 * deleted, all pending packets cancelled, HCHALTED set.  Otherwise the
 * number of elapsed frames is computed from the virtual clock, frames in
 * excess of s->maxframes are skipped, at most MAX_FRAMES_PER_TICK frames
 * are processed, pending interrupts are raised and the timer is re-armed
 * one frame period from now.
 */
static void uhci_frame_timer(void *opaque)
{
    UHCIState *s = opaque;
    uint64_t t_now, t_last_run;
    int i, frames;
    const uint64_t frame_t = NANOSECONDS_PER_SECOND / FRAME_TIMER_FREQ;

    /* a regular tick supersedes any scheduled completions-only pass */
    s->completions_only = false;
    qemu_bh_cancel(s->bh);

    if (!(s->cmd & UHCI_CMD_RS)) {
        /* Full stop */
        trace_usb_uhci_schedule_stop();
        timer_del(s->frame_timer);
        uhci_async_cancel_all(s);
        /* set hchalted bit in status - UHCI11D 2.1.2 */
        s->status |= UHCI_STS_HCHALTED;
        return;
    }

    /* We still store expire_time in our state, for migration */
    t_last_run = s->expire_time - frame_t;
    t_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);

    /* Process up to MAX_FRAMES_PER_TICK frames */
    /*
     * NOTE(review): the 64-bit quotient is narrowed to int, and
     * expire_time is part of the migrated state; confirm the value is
     * always small enough for the narrowing to be harmless.
     */
    frames = (t_now - t_last_run) / frame_t;
    if (frames > s->maxframes) {
        int skipped = frames - s->maxframes;
        s->expire_time += skipped * frame_t;
        s->frnum = (s->frnum + skipped) & 0x7ff;
        frames -= skipped;
    }
    if (frames > MAX_FRAMES_PER_TICK) {
        frames = MAX_FRAMES_PER_TICK;
    }

    for (i = 0; i < frames; i++) {
        s->frame_bytes = 0;
        trace_usb_uhci_frame_start(s->frnum);
        /* age queues, walk the schedule, drop queues no longer seen */
        uhci_async_validate_begin(s);
        uhci_process_frame(s);
        uhci_async_validate_end(s);
        /*
         * The spec says frnum is the frame currently being processed, and
         * the guest must look at frnum - 1 on interrupt, so inc frnum now
         */
        s->frnum = (s->frnum + 1) & 0x7ff;
        s->expire_time += frame_t;
    }

    /* Complete the previous frame(s) */
    if (s->pending_int_mask) {
        s->status2 |= s->pending_int_mask;
        s->status  |= UHCI_STS_USBINT;
        uhci_update_irq(s);
    }
    s->pending_int_mask = 0;

    timer_mod(s->frame_timer, t_now + frame_t);
}

/*
 * Register region callbacks.  Guest accesses of 1 to 4 bytes are accepted
 * (.valid), while the handlers are declared as implementing 2-byte
 * accesses only (.impl), which is why they ignore their 'size' argument.
 */
static const MemoryRegionOps uhci_ioport_ops = {
    .read  = uhci_port_read,
    .write = uhci_port_write,
    .valid.min_access_size = 1,
    .valid.max_access_size = 4,
    .impl.min_access_size = 2,
    .impl.max_access_size = 2,
    .endianness = DEVICE_LITTLE_ENDIAN,
};

/* Root-port callbacks handed to the USB core. */
static USBPortOps uhci_port_ops = {
    .attach = uhci_attach,
    .detach = uhci_detach,
    .child_detach = uhci_child_detach,
    .wakeup = uhci_wakeup,
    .complete = uhci_async_complete,
};

/* No bus-level callbacks are provided. */
static USBBusOps uhci_bus_ops = {
};

/*
 * Set up the controller: register the root ports (as companion ports of
 * s->masterbus when set, otherwise on a new bus), create the bottom half
 * and the frame timer, and initialise the 0x100-byte register region.
 * On companion registration failure the error is propagated through
 * 'errp' and the function returns before the bottom half, timer and
 * region are created.
 */
void usb_uhci_init(UHCIState *s, DeviceState *dev, Error **errp)
{
    Error *err = NULL;
    int i;

    if (s->masterbus) {
        USBPort *ports[UHCI_PORTS];
        for (i = 0; i < UHCI_PORTS; i++) {
            ports[i] = &s->ports[i].port;
        }
        usb_register_companion(s->masterbus, ports, UHCI_PORTS,
                               s->firstport, s, &uhci_port_ops,
                               USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL,
                               &err);
        if (err) {
            error_propagate(errp, err);
            return;
        }
    } else {
        usb_bus_new(&s->bus, sizeof(s->bus), &uhci_bus_ops, DEVICE(dev));
        for (i = 0; i < UHCI_PORTS; i++) {
            usb_register_port(&s->bus, &s->ports[i].port, s, i, &uhci_port_ops,
                              USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
        }
    }
    /*
     * The bottom half is created with the device's mem_reentrancy_guard;
     * presumably so that DMA issued while uhci_bh() runs cannot re-enter
     * this device's own register handlers -- keep the guarded variant.
     */
    s->bh = qemu_bh_new_guarded(uhci_bh, s, &dev->mem_reentrancy_guard);
    s->frame_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, uhci_frame_timer, s);
    s->num_ports_vmstate = UHCI_PORTS;
    QTAILQ_INIT(&s->queues);

    memory_region_init_io(&s->mem, OBJECT(s), &uhci_ioport_ops, s,
                          "uhci", 0x100);
}

/*
 * Tear down what usb_uhci_init() created: free the frame timer, delete
 * the bottom half, cancel all pending packets and, when the controller
 * owns its bus, release it.
 */
void usb_uhci_exit(UHCIState *s)
{
    trace_usb_uhci_exit();

    if (s->frame_timer) {
        timer_free(s->frame_timer);
        s->frame_timer = NULL;
    }

    /* unlike frame_timer, s->bh is not reset to NULL after deletion */
    if (s->bh) {
        qemu_bh_delete(s->bh);
    }

    uhci_async_cancel_all(s);

    if (!s->masterbus) {
        usb_bus_release(&s->bus);
    }
}