hcd-ehci.c (75115B)
1/* 2 * QEMU USB EHCI Emulation 3 * 4 * Copyright(c) 2008 Emutex Ltd. (address@hidden) 5 * Copyright(c) 2011-2012 Red Hat, Inc. 6 * 7 * Red Hat Authors: 8 * Gerd Hoffmann <kraxel@redhat.com> 9 * Hans de Goede <hdegoede@redhat.com> 10 * 11 * EHCI project was started by Mark Burkley, with contributions by 12 * Niels de Vos. David S. Ahern continued working on it. Kevin Wolf, 13 * Jan Kiszka and Vincent Palatin contributed bugfixes. 14 * 15 * This library is free software; you can redistribute it and/or 16 * modify it under the terms of the GNU Lesser General Public 17 * License as published by the Free Software Foundation; either 18 * version 2.1 of the License, or (at your option) any later version. 19 * 20 * This library is distributed in the hope that it will be useful, 21 * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 23 * Lesser General Public License for more details. 24 * 25 * You should have received a copy of the GNU Lesser General Public License 26 * along with this program; if not, see <http://www.gnu.org/licenses/>. 27 */ 28 29#include "qemu/osdep.h" 30#include "qapi/error.h" 31#include "hw/irq.h" 32#include "hw/usb/ehci-regs.h" 33#include "hw/usb/hcd-ehci.h" 34#include "migration/vmstate.h" 35#include "trace.h" 36#include "qemu/error-report.h" 37#include "qemu/main-loop.h" 38#include "sysemu/runstate.h" 39 40#define FRAME_TIMER_FREQ 1000 41#define FRAME_TIMER_NS (NANOSECONDS_PER_SECOND / FRAME_TIMER_FREQ) 42#define UFRAME_TIMER_NS (FRAME_TIMER_NS / 8) 43 44#define NB_MAXINTRATE 8 // Max rate at which controller issues ints 45#define BUFF_SIZE 5*4096 // Max bytes to transfer per transaction 46#define MAX_QH 100 // Max allowable queue heads in a chain 47#define MIN_UFR_PER_TICK 24 /* Min frames to process when catching up */ 48#define PERIODIC_ACTIVE 512 /* Micro-frames */ 49 50/* Internal periodic / asynchronous schedule state machine states 51 */ 52typedef enum { 53 EST_INACTIVE = 1000, 54 EST_ACTIVE, 55 EST_EXECUTING, 56 EST_SLEEPING, 57 /* The following states are internal to the state machine function 58 */ 59 EST_WAITLISTHEAD, 60 EST_FETCHENTRY, 61 EST_FETCHQH, 62 EST_FETCHITD, 63 EST_FETCHSITD, 64 EST_ADVANCEQUEUE, 65 EST_FETCHQTD, 66 EST_EXECUTE, 67 EST_WRITEBACK, 68 EST_HORIZONTALQH 69} EHCI_STATES; 70 71/* macros for accessing fields within next link pointer entry */ 72#define NLPTR_GET(x) ((x) & 0xffffffe0) 73#define NLPTR_TYPE_GET(x) (((x) >> 1) & 3) 74#define NLPTR_TBIT(x) ((x) & 1) // 1=invalid, 0=valid 75 76/* link pointer types */ 77#define NLPTR_TYPE_ITD 0 // isoc xfer descriptor 78#define NLPTR_TYPE_QH 1 // queue head 79#define NLPTR_TYPE_STITD 2 // split xaction, isoc xfer descriptor 80#define NLPTR_TYPE_FSTN 3 // frame span traversal node 81 82#define SET_LAST_RUN_CLOCK(s) \ 83 (s)->last_run_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 84 85/* nifty macros from Arnon's EHCI version */ 86#define get_field(data, field) \ 87 (((data) & field##_MASK) >> field##_SH) 88 89#define set_field(data, newval, field) do { \ 90 uint32_t val = *data; \ 91 val &= ~ field##_MASK; \ 92 val |= ((newval) << field##_SH) & field##_MASK; \ 93 *data = val; \ 94 } while(0) 95 96static const char *ehci_state_names[] = { 97 [EST_INACTIVE] = "INACTIVE", 98 [EST_ACTIVE] = "ACTIVE", 99 [EST_EXECUTING] = "EXECUTING", 100 [EST_SLEEPING] = "SLEEPING", 101 [EST_WAITLISTHEAD] = "WAITLISTHEAD", 102 [EST_FETCHENTRY] = "FETCH ENTRY", 103 [EST_FETCHQH] = "FETCH QH", 104 [EST_FETCHITD] = "FETCH ITD", 105 [EST_ADVANCEQUEUE] = "ADVANCEQUEUE", 106 [EST_FETCHQTD] = "FETCH QTD", 107 [EST_EXECUTE] = "EXECUTE", 108 [EST_WRITEBACK] = "WRITEBACK", 109 [EST_HORIZONTALQH] = "HORIZONTALQH", 110}; 111 112static const char *ehci_mmio_names[] = { 113 [USBCMD] = "USBCMD", 114 [USBSTS] = "USBSTS", 115 [USBINTR] = "USBINTR", 116 [FRINDEX] = "FRINDEX", 117 [PERIODICLISTBASE] = "P-LIST BASE", 118 [ASYNCLISTADDR] = "A-LIST ADDR", 119 [CONFIGFLAG] = "CONFIGFLAG", 120}; 121 122static int ehci_state_executing(EHCIQueue *q); 123static int ehci_state_writeback(EHCIQueue *q); 124static int ehci_state_advqueue(EHCIQueue *q); 125static int ehci_fill_queue(EHCIPacket *p); 126static void ehci_free_packet(EHCIPacket *p); 127 128static const char *nr2str(const char **n, size_t len, uint32_t nr) 129{ 130 if (nr < len && n[nr] != NULL) { 131 return n[nr]; 132 } else { 133 return "unknown"; 134 } 135} 136 137static const char *state2str(uint32_t state) 138{ 139 return nr2str(ehci_state_names, ARRAY_SIZE(ehci_state_names), state); 140} 141 142static const char *addr2str(hwaddr addr) 143{ 144 return nr2str(ehci_mmio_names, ARRAY_SIZE(ehci_mmio_names), addr); 145} 146 147static void ehci_trace_usbsts(uint32_t mask, int state) 148{ 149 /* interrupts */ 150 if (mask & USBSTS_INT) { 151 trace_usb_ehci_usbsts("INT", state); 152 } 153 if (mask & USBSTS_ERRINT) { 154 trace_usb_ehci_usbsts("ERRINT", state); 155 } 156 if (mask & USBSTS_PCD) { 157 trace_usb_ehci_usbsts("PCD", state); 158 } 159 if (mask & USBSTS_FLR) { 160 trace_usb_ehci_usbsts("FLR", state); 161 } 162 if (mask & USBSTS_HSE) { 163 trace_usb_ehci_usbsts("HSE", state); 164 } 165 if (mask & USBSTS_IAA) { 166 trace_usb_ehci_usbsts("IAA", state); 167 } 168 169 /* status */ 170 if (mask & USBSTS_HALT) { 171 trace_usb_ehci_usbsts("HALT", state); 172 } 173 if (mask & USBSTS_REC) { 174 trace_usb_ehci_usbsts("REC", state); 175 } 176 if (mask & USBSTS_PSS) { 177 trace_usb_ehci_usbsts("PSS", state); 178 } 179 if (mask & USBSTS_ASS) { 180 trace_usb_ehci_usbsts("ASS", state); 181 } 182} 183 184static inline void ehci_set_usbsts(EHCIState *s, int mask) 185{ 186 if ((s->usbsts & mask) == mask) { 187 return; 188 } 189 ehci_trace_usbsts(mask, 1); 190 s->usbsts |= mask; 191} 192 193static inline void ehci_clear_usbsts(EHCIState *s, int mask) 194{ 195 if ((s->usbsts & mask) == 0) { 196 return; 197 } 198 ehci_trace_usbsts(mask, 0); 199 s->usbsts &= ~mask; 200} 201 202/* update irq line */ 203static inline void ehci_update_irq(EHCIState *s) 204{ 205 int level = 0; 206 207 if ((s->usbsts & USBINTR_MASK) & s->usbintr) { 208 level = 1; 209 } 210 211 trace_usb_ehci_irq(level, s->frindex, s->usbsts, s->usbintr); 212 qemu_set_irq(s->irq, level); 213} 214 215/* flag interrupt condition */ 216static inline void ehci_raise_irq(EHCIState *s, int intr) 217{ 218 if (intr & (USBSTS_PCD | USBSTS_FLR | USBSTS_HSE)) { 219 s->usbsts |= intr; 220 ehci_update_irq(s); 221 } else { 222 s->usbsts_pending |= intr; 223 } 224} 225 226/* 227 * Commit pending interrupts (added via ehci_raise_irq), 228 * at the rate allowed by "Interrupt Threshold Control". 229 */ 230static inline void ehci_commit_irq(EHCIState *s) 231{ 232 uint32_t itc; 233 234 if (!s->usbsts_pending) { 235 return; 236 } 237 if (s->usbsts_frindex > s->frindex) { 238 return; 239 } 240 241 itc = (s->usbcmd >> 16) & 0xff; 242 s->usbsts |= s->usbsts_pending; 243 s->usbsts_pending = 0; 244 s->usbsts_frindex = s->frindex + itc; 245 ehci_update_irq(s); 246} 247 248static void ehci_update_halt(EHCIState *s) 249{ 250 if (s->usbcmd & USBCMD_RUNSTOP) { 251 ehci_clear_usbsts(s, USBSTS_HALT); 252 } else { 253 if (s->astate == EST_INACTIVE && s->pstate == EST_INACTIVE) { 254 ehci_set_usbsts(s, USBSTS_HALT); 255 } 256 } 257} 258 259static void ehci_set_state(EHCIState *s, int async, int state) 260{ 261 if (async) { 262 trace_usb_ehci_state("async", state2str(state)); 263 s->astate = state; 264 if (s->astate == EST_INACTIVE) { 265 ehci_clear_usbsts(s, USBSTS_ASS); 266 ehci_update_halt(s); 267 } else { 268 ehci_set_usbsts(s, USBSTS_ASS); 269 } 270 } else { 271 trace_usb_ehci_state("periodic", state2str(state)); 272 s->pstate = state; 273 if (s->pstate == EST_INACTIVE) { 274 ehci_clear_usbsts(s, USBSTS_PSS); 275 ehci_update_halt(s); 276 } else { 277 ehci_set_usbsts(s, USBSTS_PSS); 278 } 279 } 280} 281 282static int ehci_get_state(EHCIState *s, int async) 283{ 284 return async ? s->astate : s->pstate; 285} 286 287static void ehci_set_fetch_addr(EHCIState *s, int async, uint32_t addr) 288{ 289 if (async) { 290 s->a_fetch_addr = addr; 291 } else { 292 s->p_fetch_addr = addr; 293 } 294} 295 296static int ehci_get_fetch_addr(EHCIState *s, int async) 297{ 298 return async ? s->a_fetch_addr : s->p_fetch_addr; 299} 300 301static void ehci_trace_qh(EHCIQueue *q, hwaddr addr, EHCIqh *qh) 302{ 303 /* need three here due to argument count limits */ 304 trace_usb_ehci_qh_ptrs(q, addr, qh->next, 305 qh->current_qtd, qh->next_qtd, qh->altnext_qtd); 306 trace_usb_ehci_qh_fields(addr, 307 get_field(qh->epchar, QH_EPCHAR_RL), 308 get_field(qh->epchar, QH_EPCHAR_MPLEN), 309 get_field(qh->epchar, QH_EPCHAR_EPS), 310 get_field(qh->epchar, QH_EPCHAR_EP), 311 get_field(qh->epchar, QH_EPCHAR_DEVADDR)); 312 trace_usb_ehci_qh_bits(addr, 313 (bool)(qh->epchar & QH_EPCHAR_C), 314 (bool)(qh->epchar & QH_EPCHAR_H), 315 (bool)(qh->epchar & QH_EPCHAR_DTC), 316 (bool)(qh->epchar & QH_EPCHAR_I)); 317} 318 319static void ehci_trace_qtd(EHCIQueue *q, hwaddr addr, EHCIqtd *qtd) 320{ 321 /* need three here due to argument count limits */ 322 trace_usb_ehci_qtd_ptrs(q, addr, qtd->next, qtd->altnext); 323 trace_usb_ehci_qtd_fields(addr, 324 get_field(qtd->token, QTD_TOKEN_TBYTES), 325 get_field(qtd->token, QTD_TOKEN_CPAGE), 326 get_field(qtd->token, QTD_TOKEN_CERR), 327 get_field(qtd->token, QTD_TOKEN_PID)); 328 trace_usb_ehci_qtd_bits(addr, 329 (bool)(qtd->token & QTD_TOKEN_IOC), 330 (bool)(qtd->token & QTD_TOKEN_ACTIVE), 331 (bool)(qtd->token & QTD_TOKEN_HALT), 332 (bool)(qtd->token & QTD_TOKEN_BABBLE), 333 (bool)(qtd->token & QTD_TOKEN_XACTERR)); 334} 335 336static void ehci_trace_itd(EHCIState *s, hwaddr addr, EHCIitd *itd) 337{ 338 trace_usb_ehci_itd(addr, itd->next, 339 get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT), 340 get_field(itd->bufptr[2], ITD_BUFPTR_MULT), 341 get_field(itd->bufptr[0], ITD_BUFPTR_EP), 342 get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR)); 343} 344 345static void ehci_trace_sitd(EHCIState *s, hwaddr addr, 346 EHCIsitd *sitd) 347{ 348 trace_usb_ehci_sitd(addr, sitd->next, 349 (bool)(sitd->results & SITD_RESULTS_ACTIVE)); 350} 351 352static void ehci_trace_guest_bug(EHCIState *s, const char *message) 353{ 354 trace_usb_ehci_guest_bug(message); 355} 356 357static inline bool ehci_enabled(EHCIState *s) 358{ 359 return s->usbcmd & USBCMD_RUNSTOP; 360} 361 362static inline bool ehci_async_enabled(EHCIState *s) 363{ 364 return ehci_enabled(s) && (s->usbcmd & USBCMD_ASE); 365} 366 367static inline bool ehci_periodic_enabled(EHCIState *s) 368{ 369 return ehci_enabled(s) && (s->usbcmd & USBCMD_PSE); 370} 371 372/* Get an array of dwords from main memory */ 373static inline int get_dwords(EHCIState *ehci, uint32_t addr, 374 uint32_t *buf, int num) 375{ 376 int i; 377 378 if (!ehci->as) { 379 ehci_raise_irq(ehci, USBSTS_HSE); 380 ehci->usbcmd &= ~USBCMD_RUNSTOP; 381 trace_usb_ehci_dma_error(); 382 return -1; 383 } 384 385 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { 386 dma_memory_read(ehci->as, addr, buf, sizeof(*buf)); 387 *buf = le32_to_cpu(*buf); 388 } 389 390 return num; 391} 392 393/* Put an array of dwords in to main memory */ 394static inline int put_dwords(EHCIState *ehci, uint32_t addr, 395 uint32_t *buf, int num) 396{ 397 int i; 398 399 if (!ehci->as) { 400 ehci_raise_irq(ehci, USBSTS_HSE); 401 ehci->usbcmd &= ~USBCMD_RUNSTOP; 402 trace_usb_ehci_dma_error(); 403 return -1; 404 } 405 406 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { 407 uint32_t tmp = cpu_to_le32(*buf); 408 dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp)); 409 } 410 411 return num; 412} 413 414static int ehci_get_pid(EHCIqtd *qtd) 415{ 416 switch (get_field(qtd->token, QTD_TOKEN_PID)) { 417 case 0: 418 return USB_TOKEN_OUT; 419 case 1: 420 return USB_TOKEN_IN; 421 case 2: 422 return USB_TOKEN_SETUP; 423 default: 424 fprintf(stderr, "bad token\n"); 425 return 0; 426 } 427} 428 429static bool ehci_verify_qh(EHCIQueue *q, EHCIqh *qh) 430{ 431 uint32_t devaddr = get_field(qh->epchar, QH_EPCHAR_DEVADDR); 432 uint32_t endp = get_field(qh->epchar, QH_EPCHAR_EP); 433 if ((devaddr != get_field(q->qh.epchar, QH_EPCHAR_DEVADDR)) || 434 (endp != get_field(q->qh.epchar, QH_EPCHAR_EP)) || 435 (qh->current_qtd != q->qh.current_qtd) || 436 (q->async && qh->next_qtd != q->qh.next_qtd) || 437 (memcmp(&qh->altnext_qtd, &q->qh.altnext_qtd, 438 7 * sizeof(uint32_t)) != 0) || 439 (q->dev != NULL && q->dev->addr != devaddr)) { 440 return false; 441 } else { 442 return true; 443 } 444} 445 446static bool ehci_verify_qtd(EHCIPacket *p, EHCIqtd *qtd) 447{ 448 if (p->qtdaddr != p->queue->qtdaddr || 449 (p->queue->async && !NLPTR_TBIT(p->qtd.next) && 450 (p->qtd.next != qtd->next)) || 451 (!NLPTR_TBIT(p->qtd.altnext) && (p->qtd.altnext != qtd->altnext)) || 452 p->qtd.token != qtd->token || 453 p->qtd.bufptr[0] != qtd->bufptr[0]) { 454 return false; 455 } else { 456 return true; 457 } 458} 459 460static bool ehci_verify_pid(EHCIQueue *q, EHCIqtd *qtd) 461{ 462 int ep = get_field(q->qh.epchar, QH_EPCHAR_EP); 463 int pid = ehci_get_pid(qtd); 464 465 /* Note the pid changing is normal for ep 0 (the control ep) */ 466 if (q->last_pid && ep != 0 && pid != q->last_pid) { 467 return false; 468 } else { 469 return true; 470 } 471} 472 473/* Finish executing and writeback a packet outside of the regular 474 fetchqh -> fetchqtd -> execute -> writeback cycle */ 475static void ehci_writeback_async_complete_packet(EHCIPacket *p) 476{ 477 EHCIQueue *q = p->queue; 478 EHCIqtd qtd; 479 EHCIqh qh; 480 int state; 481 482 /* Verify the qh + qtd, like we do when going through fetchqh & fetchqtd */ 483 get_dwords(q->ehci, NLPTR_GET(q->qhaddr), 484 (uint32_t *) &qh, sizeof(EHCIqh) >> 2); 485 get_dwords(q->ehci, NLPTR_GET(q->qtdaddr), 486 (uint32_t *) &qtd, sizeof(EHCIqtd) >> 2); 487 if (!ehci_verify_qh(q, &qh) || !ehci_verify_qtd(p, &qtd)) { 488 p->async = EHCI_ASYNC_INITIALIZED; 489 ehci_free_packet(p); 490 return; 491 } 492 493 state = ehci_get_state(q->ehci, q->async); 494 ehci_state_executing(q); 495 ehci_state_writeback(q); /* Frees the packet! */ 496 if (!(q->qh.token & QTD_TOKEN_HALT)) { 497 ehci_state_advqueue(q); 498 } 499 ehci_set_state(q->ehci, q->async, state); 500} 501 502/* packet management */ 503 504static EHCIPacket *ehci_alloc_packet(EHCIQueue *q) 505{ 506 EHCIPacket *p; 507 508 p = g_new0(EHCIPacket, 1); 509 p->queue = q; 510 usb_packet_init(&p->packet); 511 QTAILQ_INSERT_TAIL(&q->packets, p, next); 512 trace_usb_ehci_packet_action(p->queue, p, "alloc"); 513 return p; 514} 515 516static void ehci_free_packet(EHCIPacket *p) 517{ 518 if (p->async == EHCI_ASYNC_FINISHED && 519 !(p->queue->qh.token & QTD_TOKEN_HALT)) { 520 ehci_writeback_async_complete_packet(p); 521 return; 522 } 523 trace_usb_ehci_packet_action(p->queue, p, "free"); 524 if (p->async == EHCI_ASYNC_INFLIGHT) { 525 usb_cancel_packet(&p->packet); 526 } 527 if (p->async == EHCI_ASYNC_FINISHED && 528 p->packet.status == USB_RET_SUCCESS) { 529 fprintf(stderr, 530 "EHCI: Dropping completed packet from halted %s ep %02X\n", 531 (p->pid == USB_TOKEN_IN) ? "in" : "out", 532 get_field(p->queue->qh.epchar, QH_EPCHAR_EP)); 533 } 534 if (p->async != EHCI_ASYNC_NONE) { 535 usb_packet_unmap(&p->packet, &p->sgl); 536 qemu_sglist_destroy(&p->sgl); 537 } 538 QTAILQ_REMOVE(&p->queue->packets, p, next); 539 usb_packet_cleanup(&p->packet); 540 g_free(p); 541} 542 543/* queue management */ 544 545static EHCIQueue *ehci_alloc_queue(EHCIState *ehci, uint32_t addr, int async) 546{ 547 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 548 EHCIQueue *q; 549 550 q = g_malloc0(sizeof(*q)); 551 q->ehci = ehci; 552 q->qhaddr = addr; 553 q->async = async; 554 QTAILQ_INIT(&q->packets); 555 QTAILQ_INSERT_HEAD(head, q, next); 556 trace_usb_ehci_queue_action(q, "alloc"); 557 return q; 558} 559 560static void ehci_queue_stopped(EHCIQueue *q) 561{ 562 int endp = get_field(q->qh.epchar, QH_EPCHAR_EP); 563 564 if (!q->last_pid || !q->dev) { 565 return; 566 } 567 568 usb_device_ep_stopped(q->dev, usb_ep_get(q->dev, q->last_pid, endp)); 569} 570 571static int ehci_cancel_queue(EHCIQueue *q) 572{ 573 EHCIPacket *p; 574 int packets = 0; 575 576 p = QTAILQ_FIRST(&q->packets); 577 if (p == NULL) { 578 goto leave; 579 } 580 581 trace_usb_ehci_queue_action(q, "cancel"); 582 do { 583 ehci_free_packet(p); 584 packets++; 585 } while ((p = QTAILQ_FIRST(&q->packets)) != NULL); 586 587leave: 588 ehci_queue_stopped(q); 589 return packets; 590} 591 592static int ehci_reset_queue(EHCIQueue *q) 593{ 594 int packets; 595 596 trace_usb_ehci_queue_action(q, "reset"); 597 packets = ehci_cancel_queue(q); 598 q->dev = NULL; 599 q->qtdaddr = 0; 600 q->last_pid = 0; 601 return packets; 602} 603 604static void ehci_free_queue(EHCIQueue *q, const char *warn) 605{ 606 EHCIQueueHead *head = q->async ? &q->ehci->aqueues : &q->ehci->pqueues; 607 int cancelled; 608 609 trace_usb_ehci_queue_action(q, "free"); 610 cancelled = ehci_cancel_queue(q); 611 if (warn && cancelled > 0) { 612 ehci_trace_guest_bug(q->ehci, warn); 613 } 614 QTAILQ_REMOVE(head, q, next); 615 g_free(q); 616} 617 618static EHCIQueue *ehci_find_queue_by_qh(EHCIState *ehci, uint32_t addr, 619 int async) 620{ 621 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 622 EHCIQueue *q; 623 624 QTAILQ_FOREACH(q, head, next) { 625 if (addr == q->qhaddr) { 626 return q; 627 } 628 } 629 return NULL; 630} 631 632static void ehci_queues_rip_unused(EHCIState *ehci, int async) 633{ 634 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 635 const char *warn = async ? "guest unlinked busy QH" : NULL; 636 uint64_t maxage = FRAME_TIMER_NS * ehci->maxframes * 4; 637 EHCIQueue *q, *tmp; 638 639 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 640 if (q->seen) { 641 q->seen = 0; 642 q->ts = ehci->last_run_ns; 643 continue; 644 } 645 if (ehci->last_run_ns < q->ts + maxage) { 646 continue; 647 } 648 ehci_free_queue(q, warn); 649 } 650} 651 652static void ehci_queues_rip_unseen(EHCIState *ehci, int async) 653{ 654 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 655 EHCIQueue *q, *tmp; 656 657 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 658 if (!q->seen) { 659 ehci_free_queue(q, NULL); 660 } 661 } 662} 663 664static void ehci_queues_rip_device(EHCIState *ehci, USBDevice *dev, int async) 665{ 666 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 667 EHCIQueue *q, *tmp; 668 669 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 670 if (q->dev != dev) { 671 continue; 672 } 673 ehci_free_queue(q, NULL); 674 } 675} 676 677static void ehci_queues_rip_all(EHCIState *ehci, int async) 678{ 679 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues; 680 const char *warn = async ? "guest stopped busy async schedule" : NULL; 681 EHCIQueue *q, *tmp; 682 683 QTAILQ_FOREACH_SAFE(q, head, next, tmp) { 684 ehci_free_queue(q, warn); 685 } 686} 687 688/* Attach or detach a device on root hub */ 689 690static void ehci_attach(USBPort *port) 691{ 692 EHCIState *s = port->opaque; 693 uint32_t *portsc = &s->portsc[port->index]; 694 const char *owner = (*portsc & PORTSC_POWNER) ? "comp" : "ehci"; 695 696 trace_usb_ehci_port_attach(port->index, owner, port->dev->product_desc); 697 698 if (*portsc & PORTSC_POWNER) { 699 USBPort *companion = s->companion_ports[port->index]; 700 companion->dev = port->dev; 701 companion->ops->attach(companion); 702 return; 703 } 704 705 *portsc |= PORTSC_CONNECT; 706 *portsc |= PORTSC_CSC; 707 708 ehci_raise_irq(s, USBSTS_PCD); 709} 710 711static void ehci_detach(USBPort *port) 712{ 713 EHCIState *s = port->opaque; 714 uint32_t *portsc = &s->portsc[port->index]; 715 const char *owner = (*portsc & PORTSC_POWNER) ? "comp" : "ehci"; 716 717 trace_usb_ehci_port_detach(port->index, owner); 718 719 if (*portsc & PORTSC_POWNER) { 720 USBPort *companion = s->companion_ports[port->index]; 721 companion->ops->detach(companion); 722 companion->dev = NULL; 723 /* 724 * EHCI spec 4.2.2: "When a disconnect occurs... On the event, 725 * the port ownership is returned immediately to the EHCI controller." 726 */ 727 *portsc &= ~PORTSC_POWNER; 728 return; 729 } 730 731 ehci_queues_rip_device(s, port->dev, 0); 732 ehci_queues_rip_device(s, port->dev, 1); 733 734 *portsc &= ~(PORTSC_CONNECT|PORTSC_PED|PORTSC_SUSPEND); 735 *portsc |= PORTSC_CSC; 736 737 ehci_raise_irq(s, USBSTS_PCD); 738} 739 740static void ehci_child_detach(USBPort *port, USBDevice *child) 741{ 742 EHCIState *s = port->opaque; 743 uint32_t portsc = s->portsc[port->index]; 744 745 if (portsc & PORTSC_POWNER) { 746 USBPort *companion = s->companion_ports[port->index]; 747 companion->ops->child_detach(companion, child); 748 return; 749 } 750 751 ehci_queues_rip_device(s, child, 0); 752 ehci_queues_rip_device(s, child, 1); 753} 754 755static void ehci_wakeup(USBPort *port) 756{ 757 EHCIState *s = port->opaque; 758 uint32_t *portsc = &s->portsc[port->index]; 759 760 if (*portsc & PORTSC_POWNER) { 761 USBPort *companion = s->companion_ports[port->index]; 762 if (companion->ops->wakeup) { 763 companion->ops->wakeup(companion); 764 } 765 return; 766 } 767 768 if (*portsc & PORTSC_SUSPEND) { 769 trace_usb_ehci_port_wakeup(port->index); 770 *portsc |= PORTSC_FPRES; 771 ehci_raise_irq(s, USBSTS_PCD); 772 } 773 774 qemu_bh_schedule(s->async_bh); 775} 776 777static void ehci_register_companion(USBBus *bus, USBPort *ports[], 778 uint32_t portcount, uint32_t firstport, 779 Error **errp) 780{ 781 EHCIState *s = container_of(bus, EHCIState, bus); 782 uint32_t i; 783 784 if (firstport + portcount > NB_PORTS) { 785 error_setg(errp, "firstport must be between 0 and %u", 786 NB_PORTS - portcount); 787 return; 788 } 789 790 for (i = 0; i < portcount; i++) { 791 if (s->companion_ports[firstport + i]) { 792 error_setg(errp, "firstport %u asks for ports %u-%u," 793 " but port %u has a companion assigned already", 794 firstport, firstport, firstport + portcount - 1, 795 firstport + i); 796 return; 797 } 798 } 799 800 for (i = 0; i < portcount; i++) { 801 s->companion_ports[firstport + i] = ports[i]; 802 s->ports[firstport + i].speedmask |= 803 USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL; 804 /* Ensure devs attached before the initial reset go to the companion */ 805 s->portsc[firstport + i] = PORTSC_POWNER; 806 } 807 808 s->companion_count++; 809 s->caps[0x05] = (s->companion_count << 4) | portcount; 810} 811 812static void ehci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep, 813 unsigned int stream) 814{ 815 EHCIState *s = container_of(bus, EHCIState, bus); 816 uint32_t portsc = s->portsc[ep->dev->port->index]; 817 818 if (portsc & PORTSC_POWNER) { 819 return; 820 } 821 822 s->periodic_sched_active = PERIODIC_ACTIVE; 823 qemu_bh_schedule(s->async_bh); 824} 825 826static USBDevice *ehci_find_device(EHCIState *ehci, uint8_t addr) 827{ 828 USBDevice *dev; 829 USBPort *port; 830 int i; 831 832 for (i = 0; i < NB_PORTS; i++) { 833 port = &ehci->ports[i]; 834 if (!(ehci->portsc[i] & PORTSC_PED)) { 835 DPRINTF("Port %d not enabled\n", i); 836 continue; 837 } 838 dev = usb_find_device(port, addr); 839 if (dev != NULL) { 840 return dev; 841 } 842 } 843 return NULL; 844} 845 846/* 4.1 host controller initialization */ 847void ehci_reset(void *opaque) 848{ 849 EHCIState *s = opaque; 850 int i; 851 USBDevice *devs[NB_PORTS]; 852 853 trace_usb_ehci_reset(); 854 855 /* 856 * Do the detach before touching portsc, so that it correctly gets send to 857 * us or to our companion based on PORTSC_POWNER before the reset. 858 */ 859 for(i = 0; i < NB_PORTS; i++) { 860 devs[i] = s->ports[i].dev; 861 if (devs[i] && devs[i]->attached) { 862 usb_detach(&s->ports[i]); 863 } 864 } 865 866 memset(&s->opreg, 0x00, sizeof(s->opreg)); 867 memset(&s->portsc, 0x00, sizeof(s->portsc)); 868 869 s->usbcmd = NB_MAXINTRATE << USBCMD_ITC_SH; 870 s->usbsts = USBSTS_HALT; 871 s->usbsts_pending = 0; 872 s->usbsts_frindex = 0; 873 ehci_update_irq(s); 874 875 s->astate = EST_INACTIVE; 876 s->pstate = EST_INACTIVE; 877 878 for(i = 0; i < NB_PORTS; i++) { 879 if (s->companion_ports[i]) { 880 s->portsc[i] = PORTSC_POWNER | PORTSC_PPOWER; 881 } else { 882 s->portsc[i] = PORTSC_PPOWER; 883 } 884 if (devs[i] && devs[i]->attached) { 885 usb_attach(&s->ports[i]); 886 usb_device_reset(devs[i]); 887 } 888 } 889 ehci_queues_rip_all(s, 0); 890 ehci_queues_rip_all(s, 1); 891 timer_del(s->frame_timer); 892 qemu_bh_cancel(s->async_bh); 893} 894 895static uint64_t ehci_caps_read(void *ptr, hwaddr addr, 896 unsigned size) 897{ 898 EHCIState *s = ptr; 899 return s->caps[addr]; 900} 901 902static void ehci_caps_write(void *ptr, hwaddr addr, 903 uint64_t val, unsigned size) 904{ 905} 906 907static uint64_t ehci_opreg_read(void *ptr, hwaddr addr, 908 unsigned size) 909{ 910 EHCIState *s = ptr; 911 uint32_t val; 912 913 switch (addr) { 914 case FRINDEX: 915 /* Round down to mult of 8, else it can go backwards on migration */ 916 val = s->frindex & ~7; 917 break; 918 default: 919 val = s->opreg[addr >> 2]; 920 } 921 922 trace_usb_ehci_opreg_read(addr + s->opregbase, addr2str(addr), val); 923 return val; 924} 925 926static uint64_t ehci_port_read(void *ptr, hwaddr addr, 927 unsigned size) 928{ 929 EHCIState *s = ptr; 930 uint32_t val; 931 932 val = s->portsc[addr >> 2]; 933 trace_usb_ehci_portsc_read(addr + s->portscbase, addr >> 2, val); 934 return val; 935} 936 937static void handle_port_owner_write(EHCIState *s, int port, uint32_t owner) 938{ 939 USBDevice *dev = s->ports[port].dev; 940 uint32_t *portsc = &s->portsc[port]; 941 uint32_t orig; 942 943 if (s->companion_ports[port] == NULL) 944 return; 945 946 owner = owner & PORTSC_POWNER; 947 orig = *portsc & PORTSC_POWNER; 948 949 if (!(owner ^ orig)) { 950 return; 951 } 952 953 if (dev && dev->attached) { 954 usb_detach(&s->ports[port]); 955 } 956 957 *portsc &= ~PORTSC_POWNER; 958 *portsc |= owner; 959 960 if (dev && dev->attached) { 961 usb_attach(&s->ports[port]); 962 } 963} 964 965static void ehci_port_write(void *ptr, hwaddr addr, 966 uint64_t val, unsigned size) 967{ 968 EHCIState *s = ptr; 969 int port = addr >> 2; 970 uint32_t *portsc = &s->portsc[port]; 971 uint32_t old = *portsc; 972 USBDevice *dev = s->ports[port].dev; 973 974 trace_usb_ehci_portsc_write(addr + s->portscbase, addr >> 2, val); 975 976 /* Clear rwc bits */ 977 *portsc &= ~(val & PORTSC_RWC_MASK); 978 /* The guest may clear, but not set the PED bit */ 979 *portsc &= val | ~PORTSC_PED; 980 /* POWNER is masked out by RO_MASK as it is RO when we've no companion */ 981 handle_port_owner_write(s, port, val); 982 /* And finally apply RO_MASK */ 983 val &= PORTSC_RO_MASK; 984 985 if ((val & PORTSC_PRESET) && !(*portsc & PORTSC_PRESET)) { 986 trace_usb_ehci_port_reset(port, 1); 987 } 988 989 if (!(val & PORTSC_PRESET) &&(*portsc & PORTSC_PRESET)) { 990 trace_usb_ehci_port_reset(port, 0); 991 if (dev && dev->attached) { 992 usb_port_reset(&s->ports[port]); 993 *portsc &= ~PORTSC_CSC; 994 } 995 996 /* 997 * Table 2.16 Set the enable bit(and enable bit change) to indicate 998 * to SW that this port has a high speed device attached 999 */ 1000 if (dev && dev->attached && (dev->speedmask & USB_SPEED_MASK_HIGH)) { 1001 val |= PORTSC_PED; 1002 } 1003 } 1004 1005 if ((val & PORTSC_SUSPEND) && !(*portsc & PORTSC_SUSPEND)) { 1006 trace_usb_ehci_port_suspend(port); 1007 } 1008 if (!(val & PORTSC_FPRES) && (*portsc & PORTSC_FPRES)) { 1009 trace_usb_ehci_port_resume(port); 1010 val &= ~PORTSC_SUSPEND; 1011 } 1012 1013 *portsc &= ~PORTSC_RO_MASK; 1014 *portsc |= val; 1015 trace_usb_ehci_portsc_change(addr + s->portscbase, addr >> 2, *portsc, old); 1016} 1017 1018static void ehci_opreg_write(void *ptr, hwaddr addr, 1019 uint64_t val, unsigned size) 1020{ 1021 EHCIState *s = ptr; 1022 uint32_t *mmio = s->opreg + (addr >> 2); 1023 uint32_t old = *mmio; 1024 int i; 1025 1026 trace_usb_ehci_opreg_write(addr + s->opregbase, addr2str(addr), val); 1027 1028 switch (addr) { 1029 case USBCMD: 1030 if (val & USBCMD_HCRESET) { 1031 ehci_reset(s); 1032 val = s->usbcmd; 1033 break; 1034 } 1035 1036 /* not supporting dynamic frame list size at the moment */ 1037 if ((val & USBCMD_FLS) && !(s->usbcmd & USBCMD_FLS)) { 1038 fprintf(stderr, "attempt to set frame list size -- value %d\n", 1039 (int)val & USBCMD_FLS); 1040 val &= ~USBCMD_FLS; 1041 } 1042 1043 if (val & USBCMD_IAAD) { 1044 /* 1045 * Process IAAD immediately, otherwise the Linux IAAD watchdog may 1046 * trigger and re-use a qh without us seeing the unlink. 1047 */ 1048 s->async_stepdown = 0; 1049 qemu_bh_schedule(s->async_bh); 1050 trace_usb_ehci_doorbell_ring(); 1051 } 1052 1053 if (((USBCMD_RUNSTOP | USBCMD_PSE | USBCMD_ASE) & val) != 1054 ((USBCMD_RUNSTOP | USBCMD_PSE | USBCMD_ASE) & s->usbcmd)) { 1055 if (s->pstate == EST_INACTIVE) { 1056 SET_LAST_RUN_CLOCK(s); 1057 } 1058 s->usbcmd = val; /* Set usbcmd for ehci_update_halt() */ 1059 ehci_update_halt(s); 1060 s->async_stepdown = 0; 1061 qemu_bh_schedule(s->async_bh); 1062 } 1063 break; 1064 1065 case USBSTS: 1066 val &= USBSTS_RO_MASK; // bits 6 through 31 are RO 1067 ehci_clear_usbsts(s, val); // bits 0 through 5 are R/WC 1068 val = s->usbsts; 1069 ehci_update_irq(s); 1070 break; 1071 1072 case USBINTR: 1073 val &= USBINTR_MASK; 1074 if (ehci_enabled(s) && (USBSTS_FLR & val)) { 1075 qemu_bh_schedule(s->async_bh); 1076 } 1077 break; 1078 1079 case FRINDEX: 1080 val &= 0x00003fff; /* frindex is 14bits */ 1081 s->usbsts_frindex = val; 1082 break; 1083 1084 case CONFIGFLAG: 1085 val &= 0x1; 1086 if (val) { 1087 for(i = 0; i < NB_PORTS; i++) 1088 handle_port_owner_write(s, i, 0); 1089 } 1090 break; 1091 1092 case PERIODICLISTBASE: 1093 if (ehci_periodic_enabled(s)) { 1094 fprintf(stderr, 1095 "ehci: PERIODIC list base register set while periodic schedule\n" 1096 " is enabled and HC is enabled\n"); 1097 } 1098 break; 1099 1100 case ASYNCLISTADDR: 1101 if (ehci_async_enabled(s)) { 1102 fprintf(stderr, 1103 "ehci: ASYNC list address register set while async schedule\n" 1104 " is enabled and HC is enabled\n"); 1105 } 1106 break; 1107 } 1108 1109 *mmio = val; 1110 trace_usb_ehci_opreg_change(addr + s->opregbase, addr2str(addr), 1111 *mmio, old); 1112} 1113 1114/* 1115 * Write the qh back to guest physical memory. This step isn't 1116 * in the EHCI spec but we need to do it since we don't share 1117 * physical memory with our guest VM. 1118 * 1119 * The first three dwords are read-only for the EHCI, so skip them 1120 * when writing back the qh. 1121 */ 1122static void ehci_flush_qh(EHCIQueue *q) 1123{ 1124 uint32_t *qh = (uint32_t *) &q->qh; 1125 uint32_t dwords = sizeof(EHCIqh) >> 2; 1126 uint32_t addr = NLPTR_GET(q->qhaddr); 1127 1128 put_dwords(q->ehci, addr + 3 * sizeof(uint32_t), qh + 3, dwords - 3); 1129} 1130 1131// 4.10.2 1132 1133static int ehci_qh_do_overlay(EHCIQueue *q) 1134{ 1135 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1136 int i; 1137 int dtoggle; 1138 int ping; 1139 int eps; 1140 int reload; 1141 1142 assert(p != NULL); 1143 assert(p->qtdaddr == q->qtdaddr); 1144 1145 // remember values in fields to preserve in qh after overlay 1146 1147 dtoggle = q->qh.token & QTD_TOKEN_DTOGGLE; 1148 ping = q->qh.token & QTD_TOKEN_PING; 1149 1150 q->qh.current_qtd = p->qtdaddr; 1151 q->qh.next_qtd = p->qtd.next; 1152 q->qh.altnext_qtd = p->qtd.altnext; 1153 q->qh.token = p->qtd.token; 1154 1155 1156 eps = get_field(q->qh.epchar, QH_EPCHAR_EPS); 1157 if (eps == EHCI_QH_EPS_HIGH) { 1158 q->qh.token &= ~QTD_TOKEN_PING; 1159 q->qh.token |= ping; 1160 } 1161 1162 reload = get_field(q->qh.epchar, QH_EPCHAR_RL); 1163 set_field(&q->qh.altnext_qtd, reload, QH_ALTNEXT_NAKCNT); 1164 1165 for (i = 0; i < 5; i++) { 1166 q->qh.bufptr[i] = p->qtd.bufptr[i]; 1167 } 1168 1169 if (!(q->qh.epchar & QH_EPCHAR_DTC)) { 1170 // preserve QH DT bit 1171 q->qh.token &= ~QTD_TOKEN_DTOGGLE; 1172 q->qh.token |= dtoggle; 1173 } 1174 1175 q->qh.bufptr[1] &= ~BUFPTR_CPROGMASK_MASK; 1176 q->qh.bufptr[2] &= ~BUFPTR_FRAMETAG_MASK; 1177 1178 ehci_flush_qh(q); 1179 1180 return 0; 1181} 1182 1183static int ehci_init_transfer(EHCIPacket *p) 1184{ 1185 uint32_t cpage, offset, bytes, plen; 1186 dma_addr_t page; 1187 1188 cpage = get_field(p->qtd.token, QTD_TOKEN_CPAGE); 1189 bytes = get_field(p->qtd.token, QTD_TOKEN_TBYTES); 1190 offset = p->qtd.bufptr[0] & ~QTD_BUFPTR_MASK; 1191 qemu_sglist_init(&p->sgl, p->queue->ehci->device, 5, p->queue->ehci->as); 1192 1193 while (bytes > 0) { 1194 if (cpage > 4) { 1195 fprintf(stderr, "cpage out of range (%u)\n", cpage); 1196 qemu_sglist_destroy(&p->sgl); 1197 return -1; 1198 } 1199 1200 page = p->qtd.bufptr[cpage] & QTD_BUFPTR_MASK; 1201 page += offset; 1202 plen = bytes; 1203 if (plen > 4096 - offset) { 1204 plen = 4096 - offset; 1205 offset = 0; 1206 cpage++; 1207 } 1208 1209 qemu_sglist_add(&p->sgl, page, plen); 1210 bytes -= plen; 1211 } 1212 return 0; 1213} 1214 1215static void ehci_finish_transfer(EHCIQueue *q, int len) 1216{ 1217 uint32_t cpage, offset; 1218 1219 if (len > 0) { 1220 /* update cpage & offset */ 1221 cpage = get_field(q->qh.token, QTD_TOKEN_CPAGE); 1222 offset = q->qh.bufptr[0] & ~QTD_BUFPTR_MASK; 1223 1224 offset += len; 1225 cpage += offset >> QTD_BUFPTR_SH; 1226 offset &= ~QTD_BUFPTR_MASK; 1227 1228 set_field(&q->qh.token, cpage, QTD_TOKEN_CPAGE); 1229 q->qh.bufptr[0] &= QTD_BUFPTR_MASK; 1230 q->qh.bufptr[0] |= offset; 1231 } 1232} 1233 1234static void ehci_async_complete_packet(USBPort *port, USBPacket *packet) 1235{ 1236 EHCIPacket *p; 1237 EHCIState *s = port->opaque; 1238 uint32_t portsc = s->portsc[port->index]; 1239 1240 if (portsc & PORTSC_POWNER) { 1241 USBPort *companion = s->companion_ports[port->index]; 1242 companion->ops->complete(companion, packet); 1243 return; 1244 } 1245 1246 p = container_of(packet, EHCIPacket, packet); 1247 assert(p->async == EHCI_ASYNC_INFLIGHT); 1248 1249 if (packet->status == USB_RET_REMOVE_FROM_QUEUE) { 1250 trace_usb_ehci_packet_action(p->queue, p, "remove"); 1251 ehci_free_packet(p); 1252 return; 1253 } 1254 1255 trace_usb_ehci_packet_action(p->queue, p, "wakeup"); 1256 p->async = EHCI_ASYNC_FINISHED; 1257 1258 if (!p->queue->async) { 1259 s->periodic_sched_active = PERIODIC_ACTIVE; 1260 } 1261 qemu_bh_schedule(s->async_bh); 1262} 1263 1264static void ehci_execute_complete(EHCIQueue *q) 1265{ 1266 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1267 uint32_t tbytes; 1268 1269 assert(p != NULL); 1270 assert(p->qtdaddr == q->qtdaddr); 1271 assert(p->async == EHCI_ASYNC_INITIALIZED || 1272 p->async == EHCI_ASYNC_FINISHED); 1273 1274 DPRINTF("execute_complete: qhaddr 0x%x, next 0x%x, qtdaddr 0x%x, " 1275 "status %d, actual_length %d\n", 1276 q->qhaddr, q->qh.next, q->qtdaddr, 1277 p->packet.status, p->packet.actual_length); 1278 1279 switch (p->packet.status) { 1280 case USB_RET_SUCCESS: 1281 break; 1282 case USB_RET_IOERROR: 1283 case USB_RET_NODEV: 1284 q->qh.token |= (QTD_TOKEN_HALT | QTD_TOKEN_XACTERR); 1285 set_field(&q->qh.token, 0, QTD_TOKEN_CERR); 1286 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1287 break; 1288 case USB_RET_STALL: 1289 q->qh.token |= QTD_TOKEN_HALT; 1290 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1291 break; 1292 case USB_RET_NAK: 1293 set_field(&q->qh.altnext_qtd, 0, QH_ALTNEXT_NAKCNT); 1294 return; /* We're not done yet with this transaction */ 1295 case USB_RET_BABBLE: 1296 q->qh.token |= (QTD_TOKEN_HALT | QTD_TOKEN_BABBLE); 1297 ehci_raise_irq(q->ehci, USBSTS_ERRINT); 1298 break; 1299 default: 1300 /* should not be triggerable */ 1301 fprintf(stderr, "USB invalid response %d\n", p->packet.status); 1302 g_assert_not_reached(); 1303 } 1304 1305 /* TODO check 4.12 for splits */ 1306 tbytes = get_field(q->qh.token, QTD_TOKEN_TBYTES); 1307 if (tbytes && p->pid == USB_TOKEN_IN) { 1308 tbytes -= p->packet.actual_length; 1309 if (tbytes) { 1310 /* 4.15.1.2 must raise int on a short input packet */ 1311 ehci_raise_irq(q->ehci, USBSTS_INT); 1312 if (q->async) { 1313 q->ehci->int_req_by_async = true; 1314 } 1315 } 1316 } else { 1317 tbytes = 0; 1318 } 1319 DPRINTF("updating tbytes to %d\n", tbytes); 1320 set_field(&q->qh.token, tbytes, QTD_TOKEN_TBYTES); 1321 1322 ehci_finish_transfer(q, p->packet.actual_length); 1323 usb_packet_unmap(&p->packet, &p->sgl); 1324 qemu_sglist_destroy(&p->sgl); 1325 p->async = EHCI_ASYNC_NONE; 1326 1327 q->qh.token ^= QTD_TOKEN_DTOGGLE; 1328 q->qh.token &= ~QTD_TOKEN_ACTIVE; 1329 1330 if (q->qh.token & QTD_TOKEN_IOC) { 1331 ehci_raise_irq(q->ehci, USBSTS_INT); 1332 if (q->async) { 1333 q->ehci->int_req_by_async = true; 1334 } 1335 } 1336} 1337 1338/* 4.10.3 returns "again" */ 1339static int ehci_execute(EHCIPacket *p, const char *action) 1340{ 1341 USBEndpoint *ep; 1342 int endp; 1343 bool spd; 1344 1345 assert(p->async == EHCI_ASYNC_NONE || 1346 p->async == EHCI_ASYNC_INITIALIZED); 1347 1348 if (!(p->qtd.token & QTD_TOKEN_ACTIVE)) { 1349 fprintf(stderr, "Attempting to execute inactive qtd\n"); 1350 return -1; 1351 } 1352 1353 if (get_field(p->qtd.token, QTD_TOKEN_TBYTES) > BUFF_SIZE) { 1354 ehci_trace_guest_bug(p->queue->ehci, 1355 "guest requested more bytes than allowed"); 1356 return -1; 1357 } 1358 1359 if (!ehci_verify_pid(p->queue, &p->qtd)) { 1360 ehci_queue_stopped(p->queue); /* Mark the ep in the prev dir stopped */ 1361 } 1362 p->pid = ehci_get_pid(&p->qtd); 1363 p->queue->last_pid = p->pid; 1364 endp = get_field(p->queue->qh.epchar, QH_EPCHAR_EP); 1365 ep = usb_ep_get(p->queue->dev, p->pid, endp); 1366 1367 if (p->async == EHCI_ASYNC_NONE) { 1368 if (ehci_init_transfer(p) != 0) { 1369 return -1; 1370 } 1371 1372 spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0); 1373 usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd, 1374 (p->qtd.token & QTD_TOKEN_IOC) != 0); 1375 if (usb_packet_map(&p->packet, &p->sgl)) { 1376 qemu_sglist_destroy(&p->sgl); 1377 return -1; 1378 } 1379 p->async = EHCI_ASYNC_INITIALIZED; 1380 } 1381 1382 trace_usb_ehci_packet_action(p->queue, p, action); 1383 usb_handle_packet(p->queue->dev, &p->packet); 1384 DPRINTF("submit: qh 0x%x next 0x%x qtd 0x%x pid 0x%x len %zd endp 0x%x " 1385 "status %d actual_length %d\n", p->queue->qhaddr, p->qtd.next, 1386 p->qtdaddr, p->pid, p->packet.iov.size, endp, p->packet.status, 1387 p->packet.actual_length); 1388 1389 if (p->packet.actual_length > BUFF_SIZE) { 1390 fprintf(stderr, "ret from usb_handle_packet > BUFF_SIZE\n"); 1391 return -1; 1392 } 1393 1394 return 1; 1395} 1396 1397/* 4.7.2 1398 */ 1399 1400static int ehci_process_itd(EHCIState *ehci, 1401 EHCIitd *itd, 1402 uint32_t addr) 1403{ 1404 USBDevice *dev; 1405 USBEndpoint *ep; 1406 uint32_t i, len, pid, dir, devaddr, endp; 1407 uint32_t pg, off, ptr1, ptr2, max, mult; 1408 1409 ehci->periodic_sched_active = PERIODIC_ACTIVE; 1410 1411 dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION); 1412 devaddr = get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR); 1413 endp = get_field(itd->bufptr[0], ITD_BUFPTR_EP); 1414 max = get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT); 1415 mult = get_field(itd->bufptr[2], ITD_BUFPTR_MULT); 1416 1417 for(i = 0; i < 8; i++) { 1418 if (itd->transact[i] & ITD_XACT_ACTIVE) { 1419 pg = get_field(itd->transact[i], ITD_XACT_PGSEL); 1420 off = itd->transact[i] & ITD_XACT_OFFSET_MASK; 1421 len = get_field(itd->transact[i], ITD_XACT_LENGTH); 1422 1423 if (len > max * mult) { 1424 len = max * mult; 1425 } 1426 if (len > BUFF_SIZE || pg > 6) { 1427 return -1; 1428 } 1429 1430 ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); 1431 qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); 1432 if (off + len > 4096) { 1433 /* transfer crosses page border */ 1434 if (pg == 6) { 1435 qemu_sglist_destroy(&ehci->isgl); 1436 return -1; /* avoid page pg + 1 */ 1437 } 1438 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); 1439 uint32_t len2 = off + len - 4096; 1440 uint32_t len1 = len - len2; 1441 qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); 1442 qemu_sglist_add(&ehci->isgl, ptr2, len2); 1443 } else { 1444 qemu_sglist_add(&ehci->isgl, ptr1 + off, len); 1445 } 1446 1447 dev = ehci_find_device(ehci, devaddr); 1448 if (dev == NULL) { 1449 ehci_trace_guest_bug(ehci, "no device found"); 1450 ehci->ipacket.status = USB_RET_NODEV; 1451 ehci->ipacket.actual_length = 0; 1452 } else { 1453 pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT; 1454 ep = usb_ep_get(dev, pid, endp); 1455 if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { 1456 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, 1457 (itd->transact[i] & ITD_XACT_IOC) != 0); 1458 if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) { 1459 qemu_sglist_destroy(&ehci->isgl); 1460 return -1; 1461 } 1462 usb_handle_packet(dev, &ehci->ipacket); 1463 usb_packet_unmap(&ehci->ipacket, &ehci->isgl); 1464 } else { 1465 DPRINTF("ISOCH: attempt to addess non-iso endpoint\n"); 1466 ehci->ipacket.status = USB_RET_NAK; 1467 ehci->ipacket.actual_length = 0; 1468 } 1469 } 1470 qemu_sglist_destroy(&ehci->isgl); 1471 1472 switch (ehci->ipacket.status) { 1473 case USB_RET_SUCCESS: 1474 break; 1475 default: 1476 fprintf(stderr, "Unexpected iso usb result: %d\n", 1477 ehci->ipacket.status); 1478 /* Fall through */ 1479 case USB_RET_IOERROR: 1480 case USB_RET_NODEV: 1481 /* 3.3.2: XACTERR is only allowed on IN transactions */ 1482 if (dir) { 1483 itd->transact[i] |= ITD_XACT_XACTERR; 1484 ehci_raise_irq(ehci, USBSTS_ERRINT); 1485 } 1486 break; 1487 case USB_RET_BABBLE: 1488 itd->transact[i] |= ITD_XACT_BABBLE; 1489 ehci_raise_irq(ehci, USBSTS_ERRINT); 1490 break; 1491 case USB_RET_NAK: 1492 /* no data for us, so do a zero-length transfer */ 1493 ehci->ipacket.actual_length = 0; 1494 break; 1495 } 1496 if (!dir) { 1497 set_field(&itd->transact[i], len - ehci->ipacket.actual_length, 1498 ITD_XACT_LENGTH); /* OUT */ 1499 } else { 1500 set_field(&itd->transact[i], ehci->ipacket.actual_length, 1501 ITD_XACT_LENGTH); /* IN */ 1502 } 1503 if (itd->transact[i] & ITD_XACT_IOC) { 1504 ehci_raise_irq(ehci, USBSTS_INT); 1505 } 1506 itd->transact[i] &= ~ITD_XACT_ACTIVE; 1507 } 1508 } 1509 return 0; 1510} 1511 1512 1513/* This state is the entry point for asynchronous schedule 1514 * processing. Entry here consitutes a EHCI start event state (4.8.5) 1515 */ 1516static int ehci_state_waitlisthead(EHCIState *ehci, int async) 1517{ 1518 EHCIqh qh; 1519 int i = 0; 1520 int again = 0; 1521 uint32_t entry = ehci->asynclistaddr; 1522 1523 /* set reclamation flag at start event (4.8.6) */ 1524 if (async) { 1525 ehci_set_usbsts(ehci, USBSTS_REC); 1526 } 1527 1528 ehci_queues_rip_unused(ehci, async); 1529 1530 /* Find the head of the list (4.9.1.1) */ 1531 for(i = 0; i < MAX_QH; i++) { 1532 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &qh, 1533 sizeof(EHCIqh) >> 2) < 0) { 1534 return 0; 1535 } 1536 ehci_trace_qh(NULL, NLPTR_GET(entry), &qh); 1537 1538 if (qh.epchar & QH_EPCHAR_H) { 1539 if (async) { 1540 entry |= (NLPTR_TYPE_QH << 1); 1541 } 1542 1543 ehci_set_fetch_addr(ehci, async, entry); 1544 ehci_set_state(ehci, async, EST_FETCHENTRY); 1545 again = 1; 1546 goto out; 1547 } 1548 1549 entry = qh.next; 1550 if (entry == ehci->asynclistaddr) { 1551 break; 1552 } 1553 } 1554 1555 /* no head found for list. */ 1556 1557 ehci_set_state(ehci, async, EST_ACTIVE); 1558 1559out: 1560 return again; 1561} 1562 1563 1564/* This state is the entry point for periodic schedule processing as 1565 * well as being a continuation state for async processing. 1566 */ 1567static int ehci_state_fetchentry(EHCIState *ehci, int async) 1568{ 1569 int again = 0; 1570 uint32_t entry = ehci_get_fetch_addr(ehci, async); 1571 1572 if (NLPTR_TBIT(entry)) { 1573 ehci_set_state(ehci, async, EST_ACTIVE); 1574 goto out; 1575 } 1576 1577 /* section 4.8, only QH in async schedule */ 1578 if (async && (NLPTR_TYPE_GET(entry) != NLPTR_TYPE_QH)) { 1579 fprintf(stderr, "non queue head request in async schedule\n"); 1580 return -1; 1581 } 1582 1583 switch (NLPTR_TYPE_GET(entry)) { 1584 case NLPTR_TYPE_QH: 1585 ehci_set_state(ehci, async, EST_FETCHQH); 1586 again = 1; 1587 break; 1588 1589 case NLPTR_TYPE_ITD: 1590 ehci_set_state(ehci, async, EST_FETCHITD); 1591 again = 1; 1592 break; 1593 1594 case NLPTR_TYPE_STITD: 1595 ehci_set_state(ehci, async, EST_FETCHSITD); 1596 again = 1; 1597 break; 1598 1599 default: 1600 /* TODO: handle FSTN type */ 1601 fprintf(stderr, "FETCHENTRY: entry at %X is of type %u " 1602 "which is not supported yet\n", entry, NLPTR_TYPE_GET(entry)); 1603 return -1; 1604 } 1605 1606out: 1607 return again; 1608} 1609 1610static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async) 1611{ 1612 uint32_t entry; 1613 EHCIQueue *q; 1614 EHCIqh qh; 1615 1616 entry = ehci_get_fetch_addr(ehci, async); 1617 q = ehci_find_queue_by_qh(ehci, entry, async); 1618 if (q == NULL) { 1619 q = ehci_alloc_queue(ehci, entry, async); 1620 } 1621 1622 q->seen++; 1623 if (q->seen > 1) { 1624 /* we are going in circles -- stop processing */ 1625 ehci_set_state(ehci, async, EST_ACTIVE); 1626 q = NULL; 1627 goto out; 1628 } 1629 1630 if (get_dwords(ehci, NLPTR_GET(q->qhaddr), 1631 (uint32_t *) &qh, sizeof(EHCIqh) >> 2) < 0) { 1632 q = NULL; 1633 goto out; 1634 } 1635 ehci_trace_qh(q, NLPTR_GET(q->qhaddr), &qh); 1636 1637 /* 1638 * The overlay area of the qh should never be changed by the guest, 1639 * except when idle, in which case the reset is a nop. 1640 */ 1641 if (!ehci_verify_qh(q, &qh)) { 1642 if (ehci_reset_queue(q) > 0) { 1643 ehci_trace_guest_bug(ehci, "guest updated active QH"); 1644 } 1645 } 1646 q->qh = qh; 1647 1648 q->transact_ctr = get_field(q->qh.epcap, QH_EPCAP_MULT); 1649 if (q->transact_ctr == 0) { /* Guest bug in some versions of windows */ 1650 q->transact_ctr = 4; 1651 } 1652 1653 if (q->dev == NULL) { 1654 q->dev = ehci_find_device(q->ehci, 1655 get_field(q->qh.epchar, QH_EPCHAR_DEVADDR)); 1656 } 1657 1658 if (async && (q->qh.epchar & QH_EPCHAR_H)) { 1659 1660 /* EHCI spec version 1.0 Section 4.8.3 & 4.10.1 */ 1661 if (ehci->usbsts & USBSTS_REC) { 1662 ehci_clear_usbsts(ehci, USBSTS_REC); 1663 } else { 1664 DPRINTF("FETCHQH: QH 0x%08x. H-bit set, reclamation status reset" 1665 " - done processing\n", q->qhaddr); 1666 ehci_set_state(ehci, async, EST_ACTIVE); 1667 q = NULL; 1668 goto out; 1669 } 1670 } 1671 1672#if EHCI_DEBUG 1673 if (q->qhaddr != q->qh.next) { 1674 DPRINTF("FETCHQH: QH 0x%08x (h %x halt %x active %x) next 0x%08x\n", 1675 q->qhaddr, 1676 q->qh.epchar & QH_EPCHAR_H, 1677 q->qh.token & QTD_TOKEN_HALT, 1678 q->qh.token & QTD_TOKEN_ACTIVE, 1679 q->qh.next); 1680 } 1681#endif 1682 1683 if (q->qh.token & QTD_TOKEN_HALT) { 1684 ehci_set_state(ehci, async, EST_HORIZONTALQH); 1685 1686 } else if ((q->qh.token & QTD_TOKEN_ACTIVE) && 1687 (NLPTR_TBIT(q->qh.current_qtd) == 0) && 1688 (q->qh.current_qtd != 0)) { 1689 q->qtdaddr = q->qh.current_qtd; 1690 ehci_set_state(ehci, async, EST_FETCHQTD); 1691 1692 } else { 1693 /* EHCI spec version 1.0 Section 4.10.2 */ 1694 ehci_set_state(ehci, async, EST_ADVANCEQUEUE); 1695 } 1696 1697out: 1698 return q; 1699} 1700 1701static int ehci_state_fetchitd(EHCIState *ehci, int async) 1702{ 1703 uint32_t entry; 1704 EHCIitd itd; 1705 1706 assert(!async); 1707 entry = ehci_get_fetch_addr(ehci, async); 1708 1709 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &itd, 1710 sizeof(EHCIitd) >> 2) < 0) { 1711 return -1; 1712 } 1713 ehci_trace_itd(ehci, entry, &itd); 1714 1715 if (ehci_process_itd(ehci, &itd, entry) != 0) { 1716 return -1; 1717 } 1718 1719 put_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &itd, 1720 sizeof(EHCIitd) >> 2); 1721 ehci_set_fetch_addr(ehci, async, itd.next); 1722 ehci_set_state(ehci, async, EST_FETCHENTRY); 1723 1724 return 1; 1725} 1726 1727static int ehci_state_fetchsitd(EHCIState *ehci, int async) 1728{ 1729 uint32_t entry; 1730 EHCIsitd sitd; 1731 1732 assert(!async); 1733 entry = ehci_get_fetch_addr(ehci, async); 1734 1735 if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *)&sitd, 1736 sizeof(EHCIsitd) >> 2) < 0) { 1737 return 0; 1738 } 1739 ehci_trace_sitd(ehci, entry, &sitd); 1740 1741 if (!(sitd.results & SITD_RESULTS_ACTIVE)) { 1742 /* siTD is not active, nothing to do */; 1743 } else { 1744 /* TODO: split transfers are not implemented */ 1745 warn_report("Skipping active siTD"); 1746 } 1747 1748 ehci_set_fetch_addr(ehci, async, sitd.next); 1749 ehci_set_state(ehci, async, EST_FETCHENTRY); 1750 return 1; 1751} 1752 1753/* Section 4.10.2 - paragraph 3 */ 1754static int ehci_state_advqueue(EHCIQueue *q) 1755{ 1756#if 0 1757 /* TO-DO: 4.10.2 - paragraph 2 1758 * if I-bit is set to 1 and QH is not active 1759 * go to horizontal QH 1760 */ 1761 if (I-bit set) { 1762 ehci_set_state(ehci, async, EST_HORIZONTALQH); 1763 goto out; 1764 } 1765#endif 1766 1767 /* 1768 * want data and alt-next qTD is valid 1769 */ 1770 if (((q->qh.token & QTD_TOKEN_TBYTES_MASK) != 0) && 1771 (NLPTR_TBIT(q->qh.altnext_qtd) == 0)) { 1772 q->qtdaddr = q->qh.altnext_qtd; 1773 ehci_set_state(q->ehci, q->async, EST_FETCHQTD); 1774 1775 /* 1776 * next qTD is valid 1777 */ 1778 } else if (NLPTR_TBIT(q->qh.next_qtd) == 0) { 1779 q->qtdaddr = q->qh.next_qtd; 1780 ehci_set_state(q->ehci, q->async, EST_FETCHQTD); 1781 1782 /* 1783 * no valid qTD, try next QH 1784 */ 1785 } else { 1786 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1787 } 1788 1789 return 1; 1790} 1791 1792/* Section 4.10.2 - paragraph 4 */ 1793static int ehci_state_fetchqtd(EHCIQueue *q) 1794{ 1795 EHCIqtd qtd; 1796 EHCIPacket *p; 1797 int again = 1; 1798 uint32_t addr; 1799 1800 addr = NLPTR_GET(q->qtdaddr); 1801 if (get_dwords(q->ehci, addr + 8, &qtd.token, 1) < 0) { 1802 return 0; 1803 } 1804 barrier(); 1805 if (get_dwords(q->ehci, addr + 0, &qtd.next, 1) < 0 || 1806 get_dwords(q->ehci, addr + 4, &qtd.altnext, 1) < 0 || 1807 get_dwords(q->ehci, addr + 12, qtd.bufptr, 1808 ARRAY_SIZE(qtd.bufptr)) < 0) { 1809 return 0; 1810 } 1811 ehci_trace_qtd(q, NLPTR_GET(q->qtdaddr), &qtd); 1812 1813 p = QTAILQ_FIRST(&q->packets); 1814 if (p != NULL) { 1815 if (!ehci_verify_qtd(p, &qtd)) { 1816 ehci_cancel_queue(q); 1817 if (qtd.token & QTD_TOKEN_ACTIVE) { 1818 ehci_trace_guest_bug(q->ehci, "guest updated active qTD"); 1819 } 1820 p = NULL; 1821 } else { 1822 p->qtd = qtd; 1823 ehci_qh_do_overlay(q); 1824 } 1825 } 1826 1827 if (!(qtd.token & QTD_TOKEN_ACTIVE)) { 1828 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1829 } else if (p != NULL) { 1830 switch (p->async) { 1831 case EHCI_ASYNC_NONE: 1832 case EHCI_ASYNC_INITIALIZED: 1833 /* Not yet executed (MULT), or previously nacked (int) packet */ 1834 ehci_set_state(q->ehci, q->async, EST_EXECUTE); 1835 break; 1836 case EHCI_ASYNC_INFLIGHT: 1837 /* Check if the guest has added new tds to the queue */ 1838 again = ehci_fill_queue(QTAILQ_LAST(&q->packets)); 1839 /* Unfinished async handled packet, go horizontal */ 1840 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1841 break; 1842 case EHCI_ASYNC_FINISHED: 1843 /* Complete executing of the packet */ 1844 ehci_set_state(q->ehci, q->async, EST_EXECUTING); 1845 break; 1846 } 1847 } else if (q->dev == NULL) { 1848 ehci_trace_guest_bug(q->ehci, "no device attached to queue"); 1849 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1850 } else { 1851 p = ehci_alloc_packet(q); 1852 p->qtdaddr = q->qtdaddr; 1853 p->qtd = qtd; 1854 ehci_set_state(q->ehci, q->async, EST_EXECUTE); 1855 } 1856 1857 return again; 1858} 1859 1860static int ehci_state_horizqh(EHCIQueue *q) 1861{ 1862 int again = 0; 1863 1864 if (ehci_get_fetch_addr(q->ehci, q->async) != q->qh.next) { 1865 ehci_set_fetch_addr(q->ehci, q->async, q->qh.next); 1866 ehci_set_state(q->ehci, q->async, EST_FETCHENTRY); 1867 again = 1; 1868 } else { 1869 ehci_set_state(q->ehci, q->async, EST_ACTIVE); 1870 } 1871 1872 return again; 1873} 1874 1875/* Returns "again" */ 1876static int ehci_fill_queue(EHCIPacket *p) 1877{ 1878 USBEndpoint *ep = p->packet.ep; 1879 EHCIQueue *q = p->queue; 1880 EHCIqtd qtd = p->qtd; 1881 uint32_t qtdaddr; 1882 1883 for (;;) { 1884 if (NLPTR_TBIT(qtd.next) != 0) { 1885 break; 1886 } 1887 qtdaddr = qtd.next; 1888 /* 1889 * Detect circular td lists, Windows creates these, counting on the 1890 * active bit going low after execution to make the queue stop. 1891 */ 1892 QTAILQ_FOREACH(p, &q->packets, next) { 1893 if (p->qtdaddr == qtdaddr) { 1894 goto leave; 1895 } 1896 } 1897 if (get_dwords(q->ehci, NLPTR_GET(qtdaddr), 1898 (uint32_t *) &qtd, sizeof(EHCIqtd) >> 2) < 0) { 1899 return -1; 1900 } 1901 ehci_trace_qtd(q, NLPTR_GET(qtdaddr), &qtd); 1902 if (!(qtd.token & QTD_TOKEN_ACTIVE)) { 1903 break; 1904 } 1905 if (!ehci_verify_pid(q, &qtd)) { 1906 ehci_trace_guest_bug(q->ehci, "guest queued token with wrong pid"); 1907 break; 1908 } 1909 p = ehci_alloc_packet(q); 1910 p->qtdaddr = qtdaddr; 1911 p->qtd = qtd; 1912 if (ehci_execute(p, "queue") == -1) { 1913 return -1; 1914 } 1915 assert(p->packet.status == USB_RET_ASYNC); 1916 p->async = EHCI_ASYNC_INFLIGHT; 1917 } 1918leave: 1919 usb_device_flush_ep_queue(ep->dev, ep); 1920 return 1; 1921} 1922 1923static int ehci_state_execute(EHCIQueue *q) 1924{ 1925 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1926 int again = 0; 1927 1928 assert(p != NULL); 1929 assert(p->qtdaddr == q->qtdaddr); 1930 1931 if (ehci_qh_do_overlay(q) != 0) { 1932 return -1; 1933 } 1934 1935 // TODO verify enough time remains in the uframe as in 4.4.1.1 1936 // TODO write back ptr to async list when done or out of time 1937 1938 /* 4.10.3, bottom of page 82, go horizontal on transaction counter == 0 */ 1939 if (!q->async && q->transact_ctr == 0) { 1940 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1941 again = 1; 1942 goto out; 1943 } 1944 1945 if (q->async) { 1946 ehci_set_usbsts(q->ehci, USBSTS_REC); 1947 } 1948 1949 again = ehci_execute(p, "process"); 1950 if (again == -1) { 1951 goto out; 1952 } 1953 if (p->packet.status == USB_RET_ASYNC) { 1954 ehci_flush_qh(q); 1955 trace_usb_ehci_packet_action(p->queue, p, "async"); 1956 p->async = EHCI_ASYNC_INFLIGHT; 1957 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1958 if (q->async) { 1959 again = ehci_fill_queue(p); 1960 } else { 1961 again = 1; 1962 } 1963 goto out; 1964 } 1965 1966 ehci_set_state(q->ehci, q->async, EST_EXECUTING); 1967 again = 1; 1968 1969out: 1970 return again; 1971} 1972 1973static int ehci_state_executing(EHCIQueue *q) 1974{ 1975 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 1976 1977 assert(p != NULL); 1978 assert(p->qtdaddr == q->qtdaddr); 1979 1980 ehci_execute_complete(q); 1981 1982 /* 4.10.3 */ 1983 if (!q->async && q->transact_ctr > 0) { 1984 q->transact_ctr--; 1985 } 1986 1987 /* 4.10.5 */ 1988 if (p->packet.status == USB_RET_NAK) { 1989 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 1990 } else { 1991 ehci_set_state(q->ehci, q->async, EST_WRITEBACK); 1992 } 1993 1994 ehci_flush_qh(q); 1995 return 1; 1996} 1997 1998 1999static int ehci_state_writeback(EHCIQueue *q) 2000{ 2001 EHCIPacket *p = QTAILQ_FIRST(&q->packets); 2002 uint32_t *qtd, addr; 2003 int again = 0; 2004 2005 /* Write back the QTD from the QH area */ 2006 assert(p != NULL); 2007 assert(p->qtdaddr == q->qtdaddr); 2008 2009 ehci_trace_qtd(q, NLPTR_GET(p->qtdaddr), (EHCIqtd *) &q->qh.next_qtd); 2010 qtd = (uint32_t *) &q->qh.next_qtd; 2011 addr = NLPTR_GET(p->qtdaddr); 2012 put_dwords(q->ehci, addr + 2 * sizeof(uint32_t), qtd + 2, 2); 2013 ehci_free_packet(p); 2014 2015 /* 2016 * EHCI specs say go horizontal here. 2017 * 2018 * We can also advance the queue here for performance reasons. We 2019 * need to take care to only take that shortcut in case we've 2020 * processed the qtd just written back without errors, i.e. halt 2021 * bit is clear. 2022 */ 2023 if (q->qh.token & QTD_TOKEN_HALT) { 2024 ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH); 2025 again = 1; 2026 } else { 2027 ehci_set_state(q->ehci, q->async, EST_ADVANCEQUEUE); 2028 again = 1; 2029 } 2030 return again; 2031} 2032 2033/* 2034 * This is the state machine that is common to both async and periodic 2035 */ 2036 2037static void ehci_advance_state(EHCIState *ehci, int async) 2038{ 2039 EHCIQueue *q = NULL; 2040 int itd_count = 0; 2041 int again; 2042 2043 do { 2044 switch(ehci_get_state(ehci, async)) { 2045 case EST_WAITLISTHEAD: 2046 again = ehci_state_waitlisthead(ehci, async); 2047 break; 2048 2049 case EST_FETCHENTRY: 2050 again = ehci_state_fetchentry(ehci, async); 2051 break; 2052 2053 case EST_FETCHQH: 2054 q = ehci_state_fetchqh(ehci, async); 2055 if (q != NULL) { 2056 assert(q->async == async); 2057 again = 1; 2058 } else { 2059 again = 0; 2060 } 2061 break; 2062 2063 case EST_FETCHITD: 2064 again = ehci_state_fetchitd(ehci, async); 2065 itd_count++; 2066 break; 2067 2068 case EST_FETCHSITD: 2069 again = ehci_state_fetchsitd(ehci, async); 2070 itd_count++; 2071 break; 2072 2073 case EST_ADVANCEQUEUE: 2074 assert(q != NULL); 2075 again = ehci_state_advqueue(q); 2076 break; 2077 2078 case EST_FETCHQTD: 2079 assert(q != NULL); 2080 again = ehci_state_fetchqtd(q); 2081 break; 2082 2083 case EST_HORIZONTALQH: 2084 assert(q != NULL); 2085 again = ehci_state_horizqh(q); 2086 break; 2087 2088 case EST_EXECUTE: 2089 assert(q != NULL); 2090 again = ehci_state_execute(q); 2091 if (async) { 2092 ehci->async_stepdown = 0; 2093 } 2094 break; 2095 2096 case EST_EXECUTING: 2097 assert(q != NULL); 2098 if (async) { 2099 ehci->async_stepdown = 0; 2100 } 2101 again = ehci_state_executing(q); 2102 break; 2103 2104 case EST_WRITEBACK: 2105 assert(q != NULL); 2106 again = ehci_state_writeback(q); 2107 if (!async) { 2108 ehci->periodic_sched_active = PERIODIC_ACTIVE; 2109 } 2110 break; 2111 2112 default: 2113 fprintf(stderr, "Bad state!\n"); 2114 g_assert_not_reached(); 2115 } 2116 2117 if (again < 0 || itd_count > 16) { 2118 /* TODO: notify guest (raise HSE irq?) */ 2119 fprintf(stderr, "processing error - resetting ehci HC\n"); 2120 ehci_reset(ehci); 2121 again = 0; 2122 } 2123 } 2124 while (again); 2125} 2126 2127static void ehci_advance_async_state(EHCIState *ehci) 2128{ 2129 const int async = 1; 2130 2131 switch(ehci_get_state(ehci, async)) { 2132 case EST_INACTIVE: 2133 if (!ehci_async_enabled(ehci)) { 2134 break; 2135 } 2136 ehci_set_state(ehci, async, EST_ACTIVE); 2137 // No break, fall through to ACTIVE 2138 2139 case EST_ACTIVE: 2140 if (!ehci_async_enabled(ehci)) { 2141 ehci_queues_rip_all(ehci, async); 2142 ehci_set_state(ehci, async, EST_INACTIVE); 2143 break; 2144 } 2145 2146 /* make sure guest has acknowledged the doorbell interrupt */ 2147 /* TO-DO: is this really needed? */ 2148 if (ehci->usbsts & USBSTS_IAA) { 2149 DPRINTF("IAA status bit still set.\n"); 2150 break; 2151 } 2152 2153 /* check that address register has been set */ 2154 if (ehci->asynclistaddr == 0) { 2155 break; 2156 } 2157 2158 ehci_set_state(ehci, async, EST_WAITLISTHEAD); 2159 ehci_advance_state(ehci, async); 2160 2161 /* If the doorbell is set, the guest wants to make a change to the 2162 * schedule. The host controller needs to release cached data. 2163 * (section 4.8.2) 2164 */ 2165 if (ehci->usbcmd & USBCMD_IAAD) { 2166 /* Remove all unseen qhs from the async qhs queue */ 2167 ehci_queues_rip_unseen(ehci, async); 2168 trace_usb_ehci_doorbell_ack(); 2169 ehci->usbcmd &= ~USBCMD_IAAD; 2170 ehci_raise_irq(ehci, USBSTS_IAA); 2171 } 2172 break; 2173 2174 default: 2175 /* this should only be due to a developer mistake */ 2176 fprintf(stderr, "ehci: Bad asynchronous state %d. " 2177 "Resetting to active\n", ehci->astate); 2178 g_assert_not_reached(); 2179 } 2180} 2181 2182static void ehci_advance_periodic_state(EHCIState *ehci) 2183{ 2184 uint32_t entry; 2185 uint32_t list; 2186 const int async = 0; 2187 2188 // 4.6 2189 2190 switch(ehci_get_state(ehci, async)) { 2191 case EST_INACTIVE: 2192 if (!(ehci->frindex & 7) && ehci_periodic_enabled(ehci)) { 2193 ehci_set_state(ehci, async, EST_ACTIVE); 2194 // No break, fall through to ACTIVE 2195 } else 2196 break; 2197 2198 case EST_ACTIVE: 2199 if (!(ehci->frindex & 7) && !ehci_periodic_enabled(ehci)) { 2200 ehci_queues_rip_all(ehci, async); 2201 ehci_set_state(ehci, async, EST_INACTIVE); 2202 break; 2203 } 2204 2205 list = ehci->periodiclistbase & 0xfffff000; 2206 /* check that register has been set */ 2207 if (list == 0) { 2208 break; 2209 } 2210 list |= ((ehci->frindex & 0x1ff8) >> 1); 2211 2212 if (get_dwords(ehci, list, &entry, 1) < 0) { 2213 break; 2214 } 2215 2216 DPRINTF("PERIODIC state adv fr=%d. [%08X] -> %08X\n", 2217 ehci->frindex / 8, list, entry); 2218 ehci_set_fetch_addr(ehci, async,entry); 2219 ehci_set_state(ehci, async, EST_FETCHENTRY); 2220 ehci_advance_state(ehci, async); 2221 ehci_queues_rip_unused(ehci, async); 2222 break; 2223 2224 default: 2225 /* this should only be due to a developer mistake */ 2226 fprintf(stderr, "ehci: Bad periodic state %d. " 2227 "Resetting to active\n", ehci->pstate); 2228 g_assert_not_reached(); 2229 } 2230} 2231 2232static void ehci_update_frindex(EHCIState *ehci, int uframes) 2233{ 2234 if (!ehci_enabled(ehci) && ehci->pstate == EST_INACTIVE) { 2235 return; 2236 } 2237 2238 /* Generate FLR interrupt if frame index rolls over 0x2000 */ 2239 if ((ehci->frindex % 0x2000) + uframes >= 0x2000) { 2240 ehci_raise_irq(ehci, USBSTS_FLR); 2241 } 2242 2243 /* How many times will frindex roll over 0x4000 with this frame count? 2244 * usbsts_frindex is decremented by 0x4000 on rollover until it reaches 0 2245 */ 2246 int rollovers = (ehci->frindex + uframes) / 0x4000; 2247 if (rollovers > 0) { 2248 if (ehci->usbsts_frindex >= (rollovers * 0x4000)) { 2249 ehci->usbsts_frindex -= 0x4000 * rollovers; 2250 } else { 2251 ehci->usbsts_frindex = 0; 2252 } 2253 } 2254 2255 ehci->frindex = (ehci->frindex + uframes) % 0x4000; 2256} 2257 2258static void ehci_work_bh(void *opaque) 2259{ 2260 EHCIState *ehci = opaque; 2261 int need_timer = 0; 2262 int64_t expire_time, t_now; 2263 uint64_t ns_elapsed; 2264 uint64_t uframes, skipped_uframes; 2265 int i; 2266 2267 if (ehci->working) { 2268 return; 2269 } 2270 ehci->working = true; 2271 2272 t_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL); 2273 ns_elapsed = t_now - ehci->last_run_ns; 2274 uframes = ns_elapsed / UFRAME_TIMER_NS; 2275 2276 if (ehci_periodic_enabled(ehci) || ehci->pstate != EST_INACTIVE) { 2277 need_timer++; 2278 2279 if (uframes > (ehci->maxframes * 8)) { 2280 skipped_uframes = uframes - (ehci->maxframes * 8); 2281 ehci_update_frindex(ehci, skipped_uframes); 2282 ehci->last_run_ns += UFRAME_TIMER_NS * skipped_uframes; 2283 uframes -= skipped_uframes; 2284 DPRINTF("WARNING - EHCI skipped %d uframes\n", skipped_uframes); 2285 } 2286 2287 for (i = 0; i < uframes; i++) { 2288 /* 2289 * If we're running behind schedule, we should not catch up 2290 * too fast, as that will make some guests unhappy: 2291 * 1) We must process a minimum of MIN_UFR_PER_TICK frames, 2292 * otherwise we will never catch up 2293 * 2) Process frames until the guest has requested an irq (IOC) 2294 */ 2295 if (i >= MIN_UFR_PER_TICK) { 2296 ehci_commit_irq(ehci); 2297 if ((ehci->usbsts & USBINTR_MASK) & ehci->usbintr) { 2298 break; 2299 } 2300 } 2301 if (ehci->periodic_sched_active) { 2302 ehci->periodic_sched_active--; 2303 } 2304 ehci_update_frindex(ehci, 1); 2305 if ((ehci->frindex & 7) == 0) { 2306 ehci_advance_periodic_state(ehci); 2307 } 2308 ehci->last_run_ns += UFRAME_TIMER_NS; 2309 } 2310 } else { 2311 ehci->periodic_sched_active = 0; 2312 ehci_update_frindex(ehci, uframes); 2313 ehci->last_run_ns += UFRAME_TIMER_NS * uframes; 2314 } 2315 2316 if (ehci->periodic_sched_active) { 2317 ehci->async_stepdown = 0; 2318 } else if (ehci->async_stepdown < ehci->maxframes / 2) { 2319 ehci->async_stepdown++; 2320 } 2321 2322 /* Async is not inside loop since it executes everything it can once 2323 * called 2324 */ 2325 if (ehci_async_enabled(ehci) || ehci->astate != EST_INACTIVE) { 2326 need_timer++; 2327 ehci_advance_async_state(ehci); 2328 } 2329 2330 ehci_commit_irq(ehci); 2331 if (ehci->usbsts_pending) { 2332 need_timer++; 2333 ehci->async_stepdown = 0; 2334 } 2335 2336 if (ehci_enabled(ehci) && (ehci->usbintr & USBSTS_FLR)) { 2337 need_timer++; 2338 } 2339 2340 if (need_timer) { 2341 /* If we've raised int, we speed up the timer, so that we quickly 2342 * notice any new packets queued up in response */ 2343 if (ehci->int_req_by_async && (ehci->usbsts & USBSTS_INT)) { 2344 expire_time = t_now + 2345 NANOSECONDS_PER_SECOND / (FRAME_TIMER_FREQ * 4); 2346 ehci->int_req_by_async = false; 2347 } else { 2348 expire_time = t_now + (NANOSECONDS_PER_SECOND 2349 * (ehci->async_stepdown+1) / FRAME_TIMER_FREQ); 2350 } 2351 timer_mod(ehci->frame_timer, expire_time); 2352 } 2353 2354 ehci->working = false; 2355} 2356 2357static void ehci_work_timer(void *opaque) 2358{ 2359 EHCIState *ehci = opaque; 2360 2361 qemu_bh_schedule(ehci->async_bh); 2362} 2363 2364static const MemoryRegionOps ehci_mmio_caps_ops = { 2365 .read = ehci_caps_read, 2366 .write = ehci_caps_write, 2367 .valid.min_access_size = 1, 2368 .valid.max_access_size = 4, 2369 .impl.min_access_size = 1, 2370 .impl.max_access_size = 1, 2371 .endianness = DEVICE_LITTLE_ENDIAN, 2372}; 2373 2374static const MemoryRegionOps ehci_mmio_opreg_ops = { 2375 .read = ehci_opreg_read, 2376 .write = ehci_opreg_write, 2377 .valid.min_access_size = 4, 2378 .valid.max_access_size = 4, 2379 .endianness = DEVICE_LITTLE_ENDIAN, 2380}; 2381 2382static const MemoryRegionOps ehci_mmio_port_ops = { 2383 .read = ehci_port_read, 2384 .write = ehci_port_write, 2385 .valid.min_access_size = 4, 2386 .valid.max_access_size = 4, 2387 .endianness = DEVICE_LITTLE_ENDIAN, 2388}; 2389 2390static USBPortOps ehci_port_ops = { 2391 .attach = ehci_attach, 2392 .detach = ehci_detach, 2393 .child_detach = ehci_child_detach, 2394 .wakeup = ehci_wakeup, 2395 .complete = ehci_async_complete_packet, 2396}; 2397 2398static USBBusOps ehci_bus_ops_companion = { 2399 .register_companion = ehci_register_companion, 2400 .wakeup_endpoint = ehci_wakeup_endpoint, 2401}; 2402static USBBusOps ehci_bus_ops_standalone = { 2403 .wakeup_endpoint = ehci_wakeup_endpoint, 2404}; 2405 2406static int usb_ehci_pre_save(void *opaque) 2407{ 2408 EHCIState *ehci = opaque; 2409 uint32_t new_frindex; 2410 2411 /* Round down frindex to a multiple of 8 for migration compatibility */ 2412 new_frindex = ehci->frindex & ~7; 2413 ehci->last_run_ns -= (ehci->frindex - new_frindex) * UFRAME_TIMER_NS; 2414 ehci->frindex = new_frindex; 2415 2416 return 0; 2417} 2418 2419static int usb_ehci_post_load(void *opaque, int version_id) 2420{ 2421 EHCIState *s = opaque; 2422 int i; 2423 2424 for (i = 0; i < NB_PORTS; i++) { 2425 USBPort *companion = s->companion_ports[i]; 2426 if (companion == NULL) { 2427 continue; 2428 } 2429 if (s->portsc[i] & PORTSC_POWNER) { 2430 companion->dev = s->ports[i].dev; 2431 } else { 2432 companion->dev = NULL; 2433 } 2434 } 2435 2436 return 0; 2437} 2438 2439static void usb_ehci_vm_state_change(void *opaque, bool running, RunState state) 2440{ 2441 EHCIState *ehci = opaque; 2442 2443 /* 2444 * We don't migrate the EHCIQueue-s, instead we rebuild them for the 2445 * schedule in guest memory. We must do the rebuilt ASAP, so that 2446 * USB-devices which have async handled packages have a packet in the 2447 * ep queue to match the completion with. 2448 */ 2449 if (state == RUN_STATE_RUNNING) { 2450 ehci_advance_async_state(ehci); 2451 } 2452 2453 /* 2454 * The schedule rebuilt from guest memory could cause the migration dest 2455 * to miss a QH unlink, and fail to cancel packets, since the unlinked QH 2456 * will never have existed on the destination. Therefor we must flush the 2457 * async schedule on savevm to catch any not yet noticed unlinks. 2458 */ 2459 if (state == RUN_STATE_SAVE_VM) { 2460 ehci_advance_async_state(ehci); 2461 ehci_queues_rip_unseen(ehci, 1); 2462 } 2463} 2464 2465const VMStateDescription vmstate_ehci = { 2466 .name = "ehci-core", 2467 .version_id = 2, 2468 .minimum_version_id = 1, 2469 .pre_save = usb_ehci_pre_save, 2470 .post_load = usb_ehci_post_load, 2471 .fields = (VMStateField[]) { 2472 /* mmio registers */ 2473 VMSTATE_UINT32(usbcmd, EHCIState), 2474 VMSTATE_UINT32(usbsts, EHCIState), 2475 VMSTATE_UINT32_V(usbsts_pending, EHCIState, 2), 2476 VMSTATE_UINT32_V(usbsts_frindex, EHCIState, 2), 2477 VMSTATE_UINT32(usbintr, EHCIState), 2478 VMSTATE_UINT32(frindex, EHCIState), 2479 VMSTATE_UINT32(ctrldssegment, EHCIState), 2480 VMSTATE_UINT32(periodiclistbase, EHCIState), 2481 VMSTATE_UINT32(asynclistaddr, EHCIState), 2482 VMSTATE_UINT32(configflag, EHCIState), 2483 VMSTATE_UINT32(portsc[0], EHCIState), 2484 VMSTATE_UINT32(portsc[1], EHCIState), 2485 VMSTATE_UINT32(portsc[2], EHCIState), 2486 VMSTATE_UINT32(portsc[3], EHCIState), 2487 VMSTATE_UINT32(portsc[4], EHCIState), 2488 VMSTATE_UINT32(portsc[5], EHCIState), 2489 /* frame timer */ 2490 VMSTATE_TIMER_PTR(frame_timer, EHCIState), 2491 VMSTATE_UINT64(last_run_ns, EHCIState), 2492 VMSTATE_UINT32(async_stepdown, EHCIState), 2493 /* schedule state */ 2494 VMSTATE_UINT32(astate, EHCIState), 2495 VMSTATE_UINT32(pstate, EHCIState), 2496 VMSTATE_UINT32(a_fetch_addr, EHCIState), 2497 VMSTATE_UINT32(p_fetch_addr, EHCIState), 2498 VMSTATE_END_OF_LIST() 2499 } 2500}; 2501 2502void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp) 2503{ 2504 int i; 2505 2506 if (s->portnr > NB_PORTS) { 2507 error_setg(errp, "Too many ports! Max. port number is %d.", 2508 NB_PORTS); 2509 return; 2510 } 2511 if (s->maxframes < 8 || s->maxframes > 512) { 2512 error_setg(errp, "maxframes %d out if range (8 .. 512)", 2513 s->maxframes); 2514 return; 2515 } 2516 2517 memory_region_add_subregion(&s->mem, s->capsbase, &s->mem_caps); 2518 memory_region_add_subregion(&s->mem, s->opregbase, &s->mem_opreg); 2519 memory_region_add_subregion(&s->mem, s->opregbase + s->portscbase, 2520 &s->mem_ports); 2521 2522 usb_bus_new(&s->bus, sizeof(s->bus), s->companion_enable ? 2523 &ehci_bus_ops_companion : &ehci_bus_ops_standalone, dev); 2524 for (i = 0; i < s->portnr; i++) { 2525 usb_register_port(&s->bus, &s->ports[i], s, i, &ehci_port_ops, 2526 USB_SPEED_MASK_HIGH); 2527 s->ports[i].dev = 0; 2528 } 2529 2530 s->frame_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ehci_work_timer, s); 2531 s->async_bh = qemu_bh_new(ehci_work_bh, s); 2532 s->device = dev; 2533 2534 s->vmstate = qemu_add_vm_change_state_handler(usb_ehci_vm_state_change, s); 2535} 2536 2537void usb_ehci_unrealize(EHCIState *s, DeviceState *dev) 2538{ 2539 trace_usb_ehci_unrealize(); 2540 2541 if (s->frame_timer) { 2542 timer_free(s->frame_timer); 2543 s->frame_timer = NULL; 2544 } 2545 if (s->async_bh) { 2546 qemu_bh_delete(s->async_bh); 2547 } 2548 2549 ehci_queues_rip_all(s, 0); 2550 ehci_queues_rip_all(s, 1); 2551 2552 memory_region_del_subregion(&s->mem, &s->mem_caps); 2553 memory_region_del_subregion(&s->mem, &s->mem_opreg); 2554 memory_region_del_subregion(&s->mem, &s->mem_ports); 2555 2556 usb_bus_release(&s->bus); 2557 2558 if (s->vmstate) { 2559 qemu_del_vm_change_state_handler(s->vmstate); 2560 } 2561} 2562 2563void usb_ehci_init(EHCIState *s, DeviceState *dev) 2564{ 2565 /* 2.2 host controller interface version */ 2566 s->caps[0x00] = (uint8_t)(s->opregbase - s->capsbase); 2567 s->caps[0x01] = 0x00; 2568 s->caps[0x02] = 0x00; 2569 s->caps[0x03] = 0x01; /* HC version */ 2570 s->caps[0x04] = s->portnr; /* Number of downstream ports */ 2571 s->caps[0x05] = 0x00; /* No companion ports at present */ 2572 s->caps[0x06] = 0x00; 2573 s->caps[0x07] = 0x00; 2574 s->caps[0x08] = 0x80; /* We can cache whole frame, no 64-bit */ 2575 s->caps[0x0a] = 0x00; 2576 s->caps[0x0b] = 0x00; 2577 2578 QTAILQ_INIT(&s->aqueues); 2579 QTAILQ_INIT(&s->pqueues); 2580 usb_packet_init(&s->ipacket); 2581 2582 memory_region_init(&s->mem, OBJECT(dev), "ehci", MMIO_SIZE); 2583 memory_region_init_io(&s->mem_caps, OBJECT(dev), &ehci_mmio_caps_ops, s, 2584 "capabilities", CAPA_SIZE); 2585 memory_region_init_io(&s->mem_opreg, OBJECT(dev), &ehci_mmio_opreg_ops, s, 2586 "operational", s->portscbase); 2587 memory_region_init_io(&s->mem_ports, OBJECT(dev), &ehci_mmio_port_ops, s, 2588 "ports", 4 * s->portnr); 2589} 2590 2591void usb_ehci_finalize(EHCIState *s) 2592{ 2593 usb_packet_cleanup(&s->ipacket); 2594} 2595 2596/* 2597 * vim: expandtab ts=4 2598 */