[PATCH v1 00/13] hw/usb/ehci: Add 64-bit descriptor addressing support

[PATCH v1 00/13] hw/usb/ehci: Add 64-bit descriptor addressing support

[Jamin Lin]

EHCI supports 64-bit addressing through the CTRLDSSEGMENT register,
which provides the upper 32 bits of descriptor addresses when the
controller advertises 64-bit capability.

Currently QEMU EHCI model only partially supports this functionality and
descriptor addresses are effectively treated as 32-bit. This becomes
problematic on systems where system memory is located above the 4GB
boundary.

The Linux EHCI driver enables 64-bit addressing if the controller
advertises the capability. During initialization it programs the
segment register to zero:

  https://github.com/torvalds/linux/blob/master/drivers/usb/host/ehci-hcd.c#L600

The driver also notes that descriptor structures allocated from the
DMA pool use segment zero semantics. Descriptor memory is allocated
using the DMA API and platforms may configure a 64-bit DMA mask,
allowing descriptor memory to be placed above 4GB.

On AST2700 platforms, system DRAM is mapped at 0x400000000. As a
result, descriptor addresses constructed directly from the EHCI
registers do not match the actual system addresses used by the
controller when accessing queue heads (QH) and queue element transfer
descriptors (qTD).

This patch series implements full 64-bit descriptor addressing support
in the EHCI emulation. Descriptor address handling is updated to use
64-bit values and the descriptor structures (QH, qTD, iTD and siTD)
are extended to support the upper address bits provided by the segment
register.

In addition, a descriptor-addr-offset property is introduced so
platforms can apply an address translation when descriptor memory
resides above the 4GB boundary.

The AST2700 machine uses this property to account for its DRAM mapping
at 0x400000000 and enables 64-bit EHCI DMA addressing.

Test Result:
1. EHCI 32bits with ast2600-evb machine
Command line:
./build/qemu-system-arm \
  -machine ast2600-evb \
  -m 1G \
  -drive file=image-bmc,if=mtd,format=raw \
  -nographic \
  -device usb-kbd,bus=usb-bus.1,id=mykbd \
  -drive id=usbdisk,if=none,file=image0.ext4,format=raw \
  -device usb-storage,bus=usb-bus.1,id=mystorage,drive=usbdisk
  -snapshot \
  -nographic
Result:
unable to initialize usb specBus 001 Device 001: ID 1d6b:0002 Linux 6.18.3-v00.08.01-g172b7e27a30d ehci_hcd EHCI Host Controller
Bus 001 Device 002: ID 0627:0001 QEMU QEMU USB Keyboard
Bus 001 Device 003: ID 46f4:0001 QEMU QEMU USB HARDDRIVE
Bus 002 Device 001: ID 1d6b:0001 Linux 6.18.3-v00.08.01-g172b7e27a30d uhci_hcd Generic UHCI Host Controller

2. EHCI 64bits with ast2700a2-evb machine
Command line:
./build/qemu-system-aarch64 -M ast2700a2-evb -nographic\
 -bios ast27x0_bootrom.bin \
 -drive file=image-bmc,format=raw,if=mtd \
 -snapshot \
 -device usb-kbd,bus=usb-bus.3,id=mykbd \
 -drive id=usbdisk,if=none,file=image0.ext4,format=raw \
 -device usb-storage,bus=usb-bus.3,id=mystorage,drive=usbdisk
Result:
root@ast2700-default:~# lsusb
unable to initialize usb specBus 001 Device 001: ID 1d6b:0001 Linux 6.18.3-v00.08.01-g172b7e27a30d uhci_hcd Generic UHCI Host Controller
Bus 002 Device 001: ID 1d6b:0002 Linux 6.18.3-v00.08.01-g172b7e27a30d ehci_hcd EHCI Host Controller
Bus 002 Device 002: ID 0627:0001 QEMU QEMU USB Keyboard
Bus 002 Device 003: ID 46f4:0001 QEMU QEMU USB HARDDRIVE
 
v1
 1. Fix checkpatch coding style issues
 2. Implement 64-bit addressing for QH/qTD/iTD/siTD descriptors
 3. Add descriptor address offset property
 4. Enable 64-bit EHCI DMA addressing on AST2700
 5. Configure descriptor address offset for AST2700

Jamin Lin (13):
  hw/usb/hcd-ehci.h: Fix coding style issues reported by checkpatch
  hw/usb/hcd-ehci.c: Fix coding style issues reported by checkpatch
  hw/usb/hcd-ehci: Change descriptor addresses to 64-bit
  hw/usb/trace-events: Print EHCI queue and transfer addresses as 64-bit
  hw/usb/hcd-ehci: Add property to advertise 64-bit addressing
    capability
  hw/usb/hcd-ehci: Reject CTRLDSSEGMENT writes without 64-bit capability
  hw/usb/hcd-ehci: Implement 64-bit QH descriptor addressing
  hw/usb/hcd-ehci: Implement 64-bit qTD descriptor addressing
  hw/usb/hcd-ehci: Implement 64-bit iTD descriptor addressing
  hw/usb/hcd-ehci: Implement 64-bit siTD descriptor addressing
  hw/usb/hcd-ehci: Add descriptor address offset property
  hw/arm/aspeed_ast27x0: Enable 64-bit EHCI DMA addressing
  hw/arm/aspeed_ast27x0: Set EHCI descriptor address offset

 hw/usb/hcd-ehci.h        |  36 +++--
 hw/arm/aspeed_ast27x0.c  |   5 +
 hw/usb/hcd-ehci-pci.c    |   4 +
 hw/usb/hcd-ehci-sysbus.c |   4 +
 hw/usb/hcd-ehci.c        | 293 ++++++++++++++++++++++++---------------
 hw/usb/trace-events      |  16 +--
 6 files changed, 226 insertions(+), 132 deletions(-)

-- 
2.43.0

[PATCH v1 01/13] hw/usb/hcd-ehci.h: Fix coding style issues reported by checkpatch

[Jamin Lin]

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index 0ae8c06331..ed44935302 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -43,7 +43,8 @@ typedef struct EHCIPacket EHCIPacket;
 typedef struct EHCIQueue EHCIQueue;
 typedef struct EHCIState EHCIState;
 
-/*  EHCI spec version 1.0 Section 3.3
+/*
+ * EHCI spec version 1.0 Section 3.3
  */
 typedef struct EHCIitd {
     uint32_t next;
@@ -74,7 +75,8 @@ typedef struct EHCIitd {
 #define ITD_BUFPTR_MULT_SH       0
 } EHCIitd;
 
-/*  EHCI spec version 1.0 Section 3.4
+/*
+ * EHCI spec version 1.0 Section 3.4
  */
 typedef struct EHCIsitd {
     uint32_t next;                  /* Standard next link pointer */
@@ -118,7 +120,8 @@ typedef struct EHCIsitd {
     uint32_t backptr;                 /* Standard next link pointer */
 } EHCIsitd;
 
-/*  EHCI spec version 1.0 Section 3.5
+/*
+ * EHCI spec version 1.0 Section 3.5
  */
 typedef struct EHCIqtd {
     uint32_t next;                    /* Standard next link pointer */
@@ -148,7 +151,8 @@ typedef struct EHCIqtd {
 #define QTD_BUFPTR_SH                 12
 } EHCIqtd;
 
-/*  EHCI spec version 1.0 Section 3.6
+/*
+ * EHCI spec version 1.0 Section 3.6
  */
 typedef struct EHCIqh {
     uint32_t next;                    /* Standard next link pointer */
@@ -202,7 +206,8 @@ typedef struct EHCIqh {
 #define BUFPTR_SBYTES_SH              5
 } EHCIqh;
 
-/*  EHCI spec version 1.0 Section 3.7
+/*
+ * EHCI spec version 1.0 Section 3.7
  */
 typedef struct EHCIfstn {
     uint32_t next;                    /* Standard next link pointer */
@@ -237,7 +242,8 @@ struct EHCIQueue {
     int async;
     int transact_ctr;
 
-    /* cached data from guest - needs to be flushed
+    /*
+     * cached data from guest - needs to be flushed
      * when guest removes an entry (doorbell, handshake sequence)
      */
     EHCIqh qh;             /* copy of current QH (being worked on) */
@@ -275,7 +281,7 @@ struct EHCIState {
      */
     uint8_t caps[CAPA_SIZE];
     union {
-        uint32_t opreg[0x44/sizeof(uint32_t)];
+        uint32_t opreg[0x44 / sizeof(uint32_t)];
         struct {
             uint32_t usbcmd;
             uint32_t usbsts;
-- 
2.43.0

[PATCH v1 02/13] hw/usb/hcd-ehci.c: Fix coding style issues reported by checkpatch

[Jamin Lin]

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.c | 129 +++++++++++++++++++++++++---------------------
 1 file changed, 71 insertions(+), 58 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 57f930b099..e2ff0f5874 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -41,21 +41,23 @@
 #define FRAME_TIMER_NS   (NANOSECONDS_PER_SECOND / FRAME_TIMER_FREQ)
 #define UFRAME_TIMER_NS  (FRAME_TIMER_NS / 8)
 
-#define NB_MAXINTRATE    8        // Max rate at which controller issues ints
-#define BUFF_SIZE        5*4096   // Max bytes to transfer per transaction
-#define MAX_QH           100      // Max allowable queue heads in a chain
+#define NB_MAXINTRATE    8      /* Max rate at which controller issues ints */
+#define BUFF_SIZE        (5 * 4096) /* Max bytes to transfer per transaction */
+#define MAX_QH           100      /* Max allowable queue heads in a chain */
 #define MIN_UFR_PER_TICK 24       /* Min frames to process when catching up */
 #define PERIODIC_ACTIVE  512      /* Micro-frames */
 
-/*  Internal periodic / asynchronous schedule state machine states
+/*
+ * Internal periodic / asynchronous schedule state machine states
  */
 typedef enum {
     EST_INACTIVE = 1000,
     EST_ACTIVE,
     EST_EXECUTING,
     EST_SLEEPING,
-    /*  The following states are internal to the state machine function
-    */
+    /*
+     *The following states are internal to the state machine function
+     */
     EST_WAITLISTHEAD,
     EST_FETCHENTRY,
     EST_FETCHQH,
@@ -71,13 +73,13 @@ typedef enum {
 /* macros for accessing fields within next link pointer entry */
 #define NLPTR_GET(x)             ((x) & 0xffffffe0)
 #define NLPTR_TYPE_GET(x)        (((x) >> 1) & 3)
-#define NLPTR_TBIT(x)            ((x) & 1)  // 1=invalid, 0=valid
+#define NLPTR_TBIT(x)            ((x) & 1)  /* 1=invalid, 0=valid */
 
 /* link pointer types */
-#define NLPTR_TYPE_ITD           0     // isoc xfer descriptor
-#define NLPTR_TYPE_QH            1     // queue head
-#define NLPTR_TYPE_STITD         2     // split xaction, isoc xfer descriptor
-#define NLPTR_TYPE_FSTN          3     // frame span traversal node
+#define NLPTR_TYPE_ITD           0     /* isoc xfer descriptor */
+#define NLPTR_TYPE_QH            1     /* queue head */
+#define NLPTR_TYPE_STITD         2     /* split xaction, isoc xfer descriptor */
+#define NLPTR_TYPE_FSTN          3     /* frame span traversal node */
 
 #define SET_LAST_RUN_CLOCK(s) \
     (s)->last_run_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
@@ -88,10 +90,10 @@ typedef enum {
 
 #define set_field(data, newval, field) do { \
     uint32_t val = *data; \
-    val &= ~ field##_MASK; \
+    val &= ~field##_MASK; \
     val |= ((newval) << field##_SH) & field##_MASK; \
     *data = val; \
-    } while(0)
+    } while (0)
 
 static const char *ehci_state_names[] = {
     [EST_INACTIVE]     = "INACTIVE",
@@ -472,8 +474,10 @@ static bool ehci_verify_pid(EHCIQueue *q, EHCIqtd *qtd)
     }
 }
 
-/* Finish executing and writeback a packet outside of the regular
-   fetchqh -> fetchqtd -> execute -> writeback cycle */
+/*
+ * Finish executing and writeback a packet outside of the regular
+ * fetchqh -> fetchqtd -> execute -> writeback cycle
+ */
 static void ehci_writeback_async_complete_packet(EHCIPacket *p)
 {
     EHCIQueue *q = p->queue;
@@ -733,7 +737,7 @@ static void ehci_detach(USBPort *port)
     ehci_queues_rip_device(s, port->dev, 0);
     ehci_queues_rip_device(s, port->dev, 1);
 
-    *portsc &= ~(PORTSC_CONNECT|PORTSC_PED|PORTSC_SUSPEND);
+    *portsc &= ~(PORTSC_CONNECT | PORTSC_PED | PORTSC_SUSPEND);
     *portsc |= PORTSC_CSC;
 
     ehci_raise_irq(s, USBSTS_PCD);
@@ -858,7 +862,7 @@ void ehci_reset(void *opaque)
      * Do the detach before touching portsc, so that it correctly gets send to
      * us or to our companion based on PORTSC_POWNER before the reset.
      */
-    for(i = 0; i < EHCI_PORTS; i++) {
+    for (i = 0; i < EHCI_PORTS; i++) {
         devs[i] = s->ports[i].dev;
         if (devs[i] && devs[i]->attached) {
             usb_detach(&s->ports[i]);
@@ -877,7 +881,7 @@ void ehci_reset(void *opaque)
     s->astate = EST_INACTIVE;
     s->pstate = EST_INACTIVE;
 
-    for(i = 0; i < EHCI_PORTS; i++) {
+    for (i = 0; i < EHCI_PORTS; i++) {
         if (s->companion_ports[i]) {
             s->portsc[i] = PORTSC_POWNER | PORTSC_PPOWER;
         } else {
@@ -942,8 +946,9 @@ static void handle_port_owner_write(EHCIState *s, int port, uint32_t owner)
     uint32_t *portsc = &s->portsc[port];
     uint32_t orig;
 
-    if (s->companion_ports[port] == NULL)
+    if (s->companion_ports[port] == NULL) {
         return;
+    }
 
     owner = owner & PORTSC_POWNER;
     orig  = *portsc & PORTSC_POWNER;
@@ -988,7 +993,7 @@ static void ehci_port_write(void *ptr, hwaddr addr,
         trace_usb_ehci_port_reset(port, 1);
     }
 
-    if (!(val & PORTSC_PRESET) &&(*portsc & PORTSC_PRESET)) {
+    if (!(val & PORTSC_PRESET) && (*portsc & PORTSC_PRESET)) {
         trace_usb_ehci_port_reset(port, 0);
         if (dev && dev->attached) {
             usb_port_reset(&s->ports[port]);
@@ -1065,8 +1070,10 @@ static void ehci_opreg_write(void *ptr, hwaddr addr,
         break;
 
     case USBSTS:
-        val &= USBSTS_RO_MASK;              // bits 6 through 31 are RO
-        ehci_clear_usbsts(s, val);          // bits 0 through 5 are R/WC
+        /* bits 6 through 31 are RO */
+        val &= USBSTS_RO_MASK;
+        /* bits 0 through 5 are R/WC */
+        ehci_clear_usbsts(s, val);
         val = s->usbsts;
         ehci_update_irq(s);
         break;
@@ -1131,8 +1138,7 @@ static void ehci_flush_qh(EHCIQueue *q)
     put_dwords(q->ehci, addr + 3 * sizeof(uint32_t), qh + 3, dwords - 3);
 }
 
-// 4.10.2
-
+/* 4.10.2 */
 static int ehci_qh_do_overlay(EHCIQueue *q)
 {
     EHCIPacket *p = QTAILQ_FIRST(&q->packets);
@@ -1145,8 +1151,7 @@ static int ehci_qh_do_overlay(EHCIQueue *q)
     assert(p != NULL);
     assert(p->qtdaddr == q->qtdaddr);
 
-    // remember values in fields to preserve in qh after overlay
-
+    /*  remember values in fields to preserve in qh after overlay */
     dtoggle = q->qh.token & QTD_TOKEN_DTOGGLE;
     ping    = q->qh.token & QTD_TOKEN_PING;
 
@@ -1170,7 +1175,7 @@ static int ehci_qh_do_overlay(EHCIQueue *q)
     }
 
     if (!(q->qh.epchar & QH_EPCHAR_DTC)) {
-        // preserve QH DT bit
+        /* preserve QH DT bit */
         q->qh.token &= ~QTD_TOKEN_DTOGGLE;
         q->qh.token |= dtoggle;
     }
@@ -1397,9 +1402,7 @@ static int ehci_execute(EHCIPacket *p, const char *action)
     return 1;
 }
 
-/*  4.7.2
- */
-
+/* 4.7.2 */
 static int ehci_process_itd(EHCIState *ehci,
                             EHCIitd *itd,
                             uint32_t addr)
@@ -1411,13 +1414,13 @@ static int ehci_process_itd(EHCIState *ehci,
 
     ehci->periodic_sched_active = PERIODIC_ACTIVE;
 
-    dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION);
+    dir = (itd->bufptr[1] & ITD_BUFPTR_DIRECTION);
     devaddr = get_field(itd->bufptr[0], ITD_BUFPTR_DEVADDR);
     endp = get_field(itd->bufptr[0], ITD_BUFPTR_EP);
     max = get_field(itd->bufptr[1], ITD_BUFPTR_MAXPKT);
     mult = get_field(itd->bufptr[2], ITD_BUFPTR_MULT);
 
-    for(i = 0; i < 8; i++) {
+    for (i = 0; i < 8; i++) {
         if (itd->transact[i] & ITD_XACT_ACTIVE) {
             pg   = get_field(itd->transact[i], ITD_XACT_PGSEL);
             off  = itd->transact[i] & ITD_XACT_OFFSET_MASK;
@@ -1513,8 +1516,9 @@ static int ehci_process_itd(EHCIState *ehci,
 }
 
 
-/*  This state is the entry point for asynchronous schedule
- *  processing.  Entry here constitutes a EHCI start event state (4.8.5)
+/*
+ * This state is the entry point for asynchronous schedule
+ * processing.  Entry here constitutes a EHCI start event state (4.8.5)
  */
 static int ehci_state_waitlisthead(EHCIState *ehci,  int async)
 {
@@ -1531,7 +1535,7 @@ static int ehci_state_waitlisthead(EHCIState *ehci,  int async)
     ehci_queues_rip_unused(ehci, async);
 
     /*  Find the head of the list (4.9.1.1) */
-    for(i = 0; i < MAX_QH; i++) {
+    for (i = 0; i < MAX_QH; i++) {
         if (get_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &qh,
                        sizeof(EHCIqh) >> 2) < 0) {
             return 0;
@@ -1564,8 +1568,9 @@ out:
 }
 
 
-/*  This state is the entry point for periodic schedule processing as
- *  well as being a continuation state for async processing.
+/*
+ * This state is the entry point for periodic schedule processing as
+ * well as being a continuation state for async processing.
  */
 static int ehci_state_fetchentry(EHCIState *ehci, int async)
 {
@@ -1674,7 +1679,7 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async)
 
 #if EHCI_DEBUG
     if (q->qhaddr != q->qh.next) {
-    DPRINTF("FETCHQH:  QH 0x%08x (h %x halt %x active %x) next 0x%08x\n",
+        DPRINTF("FETCHQH:  QH 0x%08x (h %x halt %x active %x) next 0x%08x\n",
                q->qhaddr,
                q->qh.epchar & QH_EPCHAR_H,
                q->qh.token & QTD_TOKEN_HALT,
@@ -1757,7 +1762,8 @@ static int ehci_state_fetchsitd(EHCIState *ehci, int async)
 static int ehci_state_advqueue(EHCIQueue *q)
 {
 #if 0
-    /* TO-DO: 4.10.2 - paragraph 2
+    /*
+     * TO-DO: 4.10.2 - paragraph 2
      * if I-bit is set to 1 and QH is not active
      * go to horizontal QH
      */
@@ -1935,8 +1941,10 @@ static int ehci_state_execute(EHCIQueue *q)
         return -1;
     }
 
-    // TODO verify enough time remains in the uframe as in 4.4.1.1
-    // TODO write back ptr to async list when done or out of time
+    /*
+     * TODO verify enough time remains in the uframe as in 4.4.1.1
+     * TODO write back ptr to async list when done or out of time
+     */
 
     /* 4.10.3, bottom of page 82, go horizontal on transaction counter == 0 */
     if (!q->async && q->transact_ctr == 0) {
@@ -2047,7 +2055,7 @@ static void ehci_advance_state(EHCIState *ehci, int async)
     int again;
 
     do {
-        switch(ehci_get_state(ehci, async)) {
+        switch (ehci_get_state(ehci, async)) {
         case EST_WAITLISTHEAD:
             again = ehci_state_waitlisthead(ehci, async);
             break;
@@ -2126,21 +2134,20 @@ static void ehci_advance_state(EHCIState *ehci, int async)
             ehci_reset(ehci);
             again = 0;
         }
-    }
-    while (again);
+    } while (again);
 }
 
 static void ehci_advance_async_state(EHCIState *ehci)
 {
     const int async = 1;
 
-    switch(ehci_get_state(ehci, async)) {
+    switch (ehci_get_state(ehci, async)) {
     case EST_INACTIVE:
         if (!ehci_async_enabled(ehci)) {
             break;
         }
         ehci_set_state(ehci, async, EST_ACTIVE);
-        // No break, fall through to ACTIVE
+        /* No break, fall through to ACTIVE */
 
     case EST_ACTIVE:
         if (!ehci_async_enabled(ehci)) {
@@ -2164,7 +2171,8 @@ static void ehci_advance_async_state(EHCIState *ehci)
         ehci_set_state(ehci, async, EST_WAITLISTHEAD);
         ehci_advance_state(ehci, async);
 
-        /* If the doorbell is set, the guest wants to make a change to the
+        /*
+         * If the doorbell is set, the guest wants to make a change to the
          * schedule. The host controller needs to release cached data.
          * (section 4.8.2)
          */
@@ -2191,13 +2199,13 @@ static void ehci_advance_periodic_state(EHCIState *ehci)
     uint32_t list;
     const int async = 0;
 
-    // 4.6
+    /* 4.6 */
 
-    switch(ehci_get_state(ehci, async)) {
+    switch (ehci_get_state(ehci, async)) {
     case EST_INACTIVE:
         if (!(ehci->frindex & 7) && ehci_periodic_enabled(ehci)) {
             ehci_set_state(ehci, async, EST_ACTIVE);
-            // No break, fall through to ACTIVE
+            /* No break, fall through to ACTIVE */
         } else
             break;
 
@@ -2221,7 +2229,7 @@ static void ehci_advance_periodic_state(EHCIState *ehci)
 
         DPRINTF("PERIODIC state adv fr=%d.  [%08X] -> %08X\n",
                 ehci->frindex / 8, list, entry);
-        ehci_set_fetch_addr(ehci, async,entry);
+        ehci_set_fetch_addr(ehci, async, entry);
         ehci_set_state(ehci, async, EST_FETCHENTRY);
         ehci_advance_state(ehci, async);
         ehci_queues_rip_unused(ehci, async);
@@ -2246,7 +2254,8 @@ static void ehci_update_frindex(EHCIState *ehci, int uframes)
         ehci_raise_irq(ehci, USBSTS_FLR);
     }
 
-    /* How many times will frindex roll over 0x4000 with this frame count?
+    /*
+     * How many times will frindex roll over 0x4000 with this frame count?
      * usbsts_frindex is decremented by 0x4000 on rollover until it reaches 0
      */
     int rollovers = (ehci->frindex + uframes) / 0x4000;
@@ -2326,8 +2335,9 @@ static void ehci_work_bh(void *opaque)
         ehci->async_stepdown++;
     }
 
-    /*  Async is not inside loop since it executes everything it can once
-     *  called
+    /*
+     * Async is not inside loop since it executes everything it can once
+     * called
      */
     if (ehci_async_enabled(ehci) || ehci->astate != EST_INACTIVE) {
         need_timer++;
@@ -2345,15 +2355,18 @@ static void ehci_work_bh(void *opaque)
     }
 
     if (need_timer) {
-        /* If we've raised int, we speed up the timer, so that we quickly
-         * notice any new packets queued up in response */
+        /*
+         * If we've raised int, we speed up the timer, so that we quickly
+         * notice any new packets queued up in response
+         */
         if (ehci->int_req_by_async && (ehci->usbsts & USBSTS_INT)) {
             expire_time = t_now +
                 NANOSECONDS_PER_SECOND / (FRAME_TIMER_FREQ * 4);
             ehci->int_req_by_async = false;
         } else {
-            expire_time = t_now + (NANOSECONDS_PER_SECOND
-                               * (ehci->async_stepdown+1) / FRAME_TIMER_FREQ);
+            expire_time = t_now
+                + (NANOSECONDS_PER_SECOND * (ehci->async_stepdown + 1) /
+                   FRAME_TIMER_FREQ);
         }
         timer_mod(ehci->frame_timer, expire_time);
     }
-- 
2.43.0

[PATCH v1 03/13] hw/usb/hcd-ehci: Change descriptor addresses to 64-bit

[Jamin Lin]

Change internal EHCI descriptor addresses from uint32_t to uint64_t.

The following fields are updated:
- EHCIPacket::qtdaddr
- EHCIQueue::{qhaddr, qtdaddr}
- EHCIState::{a_fetch_addr, p_fetch_addr}

Update get_dwords() and put_dwords() to take 64-bit addresses and
propagate the type change through the descriptor traversal paths.

Adjust NLPTR_GET() to operate on 64-bit values:

    #define NLPTR_GET(x) ((x) & ~(uint64_t)0x1f)

so that link pointer masking works correctly when descriptor
addresses exceed 32-bit space. The previous mask (0xffffffe0)
implicitly truncated addresses to 32 bits.

This patch does not change the on-wire descriptor layout yet.
It only removes the internal 32-bit address limit and prepares
for later patches that will add full 64-bit QH/qTD/iTD/siTD support.

Since the type of fetch_addr changes from 32-bit to 64-bit,
bump the VMState version.

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h | 10 +++----
 hw/usb/hcd-ehci.c | 67 +++++++++++++++++++++++++----------------------
 2 files changed, 41 insertions(+), 36 deletions(-)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index ed44935302..df87f8145f 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -226,7 +226,7 @@ struct EHCIPacket {
     QTAILQ_ENTRY(EHCIPacket) next;
 
     EHCIqtd qtd;           /* copy of current QTD (being worked on) */
-    uint32_t qtdaddr;      /* address QTD read from                 */
+    uint64_t qtdaddr;      /* address QTD read from                 */
 
     USBPacket packet;
     QEMUSGList sgl;
@@ -247,8 +247,8 @@ struct EHCIQueue {
      * when guest removes an entry (doorbell, handshake sequence)
      */
     EHCIqh qh;             /* copy of current QH (being worked on) */
-    uint32_t qhaddr;       /* address QH read from                 */
-    uint32_t qtdaddr;      /* address QTD read from                */
+    uint64_t qhaddr;       /* address QH read from                 */
+    uint64_t qtdaddr;      /* address QTD read from                */
     int last_pid;          /* pid of last packet executed          */
     USBDevice *dev;
     QTAILQ_HEAD(, EHCIPacket) packets;
@@ -312,8 +312,8 @@ struct EHCIState {
     EHCIQueueHead pqueues;
 
     /* which address to look at next */
-    uint32_t a_fetch_addr;
-    uint32_t p_fetch_addr;
+    uint64_t a_fetch_addr;
+    uint64_t p_fetch_addr;
 
     USBPacket ipacket;
     QEMUSGList isgl;
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index e2ff0f5874..87c3991313 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -71,7 +71,7 @@ typedef enum {
 } EHCI_STATES;
 
 /* macros for accessing fields within next link pointer entry */
-#define NLPTR_GET(x)             ((x) & 0xffffffe0)
+#define NLPTR_GET(x)             ((x) & ~(uint64_t)0x1f)
 #define NLPTR_TYPE_GET(x)        (((x) >> 1) & 3)
 #define NLPTR_TBIT(x)            ((x) & 1)  /* 1=invalid, 0=valid */
 
@@ -286,7 +286,7 @@ static int ehci_get_state(EHCIState *s, int async)
     return async ? s->astate : s->pstate;
 }
 
-static void ehci_set_fetch_addr(EHCIState *s, int async, uint32_t addr)
+static void ehci_set_fetch_addr(EHCIState *s, int async, uint64_t addr)
 {
     if (async) {
         s->a_fetch_addr = addr;
@@ -295,7 +295,7 @@ static void ehci_set_fetch_addr(EHCIState *s, int async, uint32_t addr)
     }
 }
 
-static int ehci_get_fetch_addr(EHCIState *s, int async)
+static uint64_t ehci_get_fetch_addr(EHCIState *s, int async)
 {
     return async ? s->a_fetch_addr : s->p_fetch_addr;
 }
@@ -372,7 +372,7 @@ static inline bool ehci_periodic_enabled(EHCIState *s)
 }
 
 /* Get an array of dwords from main memory */
-static inline int get_dwords(EHCIState *ehci, uint32_t addr,
+static inline int get_dwords(EHCIState *ehci, uint64_t addr,
                              uint32_t *buf, int num)
 {
     int i;
@@ -394,7 +394,7 @@ static inline int get_dwords(EHCIState *ehci, uint32_t addr,
 }
 
 /* Put an array of dwords in to main memory */
-static inline int put_dwords(EHCIState *ehci, uint32_t addr,
+static inline int put_dwords(EHCIState *ehci, uint64_t addr,
                              uint32_t *buf, int num)
 {
     int i;
@@ -548,7 +548,7 @@ static void ehci_free_packet(EHCIPacket *p)
 
 /* queue management */
 
-static EHCIQueue *ehci_alloc_queue(EHCIState *ehci, uint32_t addr, int async)
+static EHCIQueue *ehci_alloc_queue(EHCIState *ehci, uint64_t addr, int async)
 {
     EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues;
     EHCIQueue *q;
@@ -621,7 +621,7 @@ static void ehci_free_queue(EHCIQueue *q, const char *warn)
     g_free(q);
 }
 
-static EHCIQueue *ehci_find_queue_by_qh(EHCIState *ehci, uint32_t addr,
+static EHCIQueue *ehci_find_queue_by_qh(EHCIState *ehci, uint64_t addr,
                                         int async)
 {
     EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues;
@@ -1133,7 +1133,7 @@ static void ehci_flush_qh(EHCIQueue *q)
 {
     uint32_t *qh = (uint32_t *) &q->qh;
     uint32_t dwords = sizeof(EHCIqh) >> 2;
-    uint32_t addr = NLPTR_GET(q->qhaddr);
+    uint64_t addr = NLPTR_GET(q->qhaddr);
 
     put_dwords(q->ehci, addr + 3 * sizeof(uint32_t), qh + 3, dwords - 3);
 }
@@ -1279,8 +1279,8 @@ static void ehci_execute_complete(EHCIQueue *q)
     assert(p->async == EHCI_ASYNC_INITIALIZED ||
            p->async == EHCI_ASYNC_FINISHED);
 
-    DPRINTF("execute_complete: qhaddr 0x%x, next 0x%x, qtdaddr 0x%x, "
-            "status %d, actual_length %d\n",
+    DPRINTF("execute_complete: qhaddr 0x%" PRIx64 ", next 0x%x, "
+            "qtdaddr 0x%" PRIx64 ", status %d, actual_length %d\n",
             q->qhaddr, q->qh.next, q->qtdaddr,
             p->packet.status, p->packet.actual_length);
 
@@ -1389,9 +1389,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
 
     trace_usb_ehci_packet_action(p->queue, p, action);
     usb_handle_packet(p->queue->dev, &p->packet);
-    DPRINTF("submit: qh 0x%x next 0x%x qtd 0x%x pid 0x%x len %zd endp 0x%x "
-            "status %d actual_length %d\n", p->queue->qhaddr, p->qtd.next,
-            p->qtdaddr, p->pid, p->packet.iov.size, endp, p->packet.status,
+    DPRINTF("submit: qh 0x%" PRIx64 " next 0x%x qtd 0x%" PRIx64
+            " pid 0x%x len %zd endp 0x%x status %d actual_length %d\n",
+            p->queue->qhaddr, p->qtd.next, p->qtdaddr, p->pid,
+            p->packet.iov.size, endp, p->packet.status,
             p->packet.actual_length);
 
     if (p->packet.actual_length > BUFF_SIZE) {
@@ -1405,12 +1406,13 @@ static int ehci_execute(EHCIPacket *p, const char *action)
 /* 4.7.2 */
 static int ehci_process_itd(EHCIState *ehci,
                             EHCIitd *itd,
-                            uint32_t addr)
+                            uint64_t addr)
 {
     USBDevice *dev;
     USBEndpoint *ep;
     uint32_t i, len, pid, dir, devaddr, endp;
-    uint32_t pg, off, ptr1, ptr2, max, mult;
+    uint32_t pg, off, max, mult;
+    uint64_t ptr1, ptr2;
 
     ehci->periodic_sched_active = PERIODIC_ACTIVE;
 
@@ -1525,7 +1527,7 @@ static int ehci_state_waitlisthead(EHCIState *ehci,  int async)
     EHCIqh qh;
     int i = 0;
     int again = 0;
-    uint32_t entry = ehci->asynclistaddr;
+    uint64_t entry = ehci->asynclistaddr;
 
     /* set reclamation flag at start event (4.8.6) */
     if (async) {
@@ -1575,7 +1577,7 @@ out:
 static int ehci_state_fetchentry(EHCIState *ehci, int async)
 {
     int again = 0;
-    uint32_t entry = ehci_get_fetch_addr(ehci, async);
+    uint64_t entry = ehci_get_fetch_addr(ehci, async);
 
     if (NLPTR_TBIT(entry)) {
         ehci_set_state(ehci, async, EST_ACTIVE);
@@ -1606,7 +1608,7 @@ static int ehci_state_fetchentry(EHCIState *ehci, int async)
 
     default:
         /* TODO: handle FSTN type */
-        fprintf(stderr, "FETCHENTRY: entry at %X is of type %u "
+        fprintf(stderr, "FETCHENTRY: entry at %" PRIx64 "is of type %" PRIu64
                 "which is not supported yet\n", entry, NLPTR_TYPE_GET(entry));
         return -1;
     }
@@ -1617,7 +1619,7 @@ out:
 
 static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async)
 {
-    uint32_t entry;
+    uint64_t entry;
     EHCIQueue *q;
     EHCIqh qh;
 
@@ -1669,8 +1671,9 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async)
         if (ehci->usbsts & USBSTS_REC) {
             ehci_clear_usbsts(ehci, USBSTS_REC);
         } else {
-            DPRINTF("FETCHQH:  QH 0x%08x. H-bit set, reclamation status reset"
-                       " - done processing\n", q->qhaddr);
+            DPRINTF("FETCHQH:  QH 0x%" PRIx64
+                    ". H-bit set, reclamation status reset - "
+                    "done processing\n", q->qhaddr);
             ehci_set_state(ehci, async, EST_ACTIVE);
             q = NULL;
             goto out;
@@ -1679,7 +1682,8 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async)
 
 #if EHCI_DEBUG
     if (q->qhaddr != q->qh.next) {
-        DPRINTF("FETCHQH:  QH 0x%08x (h %x halt %x active %x) next 0x%08x\n",
+        DPRINTF("FETCHQH:  QH 0x%" PRIx64
+                " (h %x halt %x active %x) next 0x%08x\n",
                q->qhaddr,
                q->qh.epchar & QH_EPCHAR_H,
                q->qh.token & QTD_TOKEN_HALT,
@@ -1708,7 +1712,7 @@ out:
 
 static int ehci_state_fetchitd(EHCIState *ehci, int async)
 {
-    uint32_t entry;
+    uint64_t entry;
     EHCIitd itd;
 
     assert(!async);
@@ -1734,7 +1738,7 @@ static int ehci_state_fetchitd(EHCIState *ehci, int async)
 
 static int ehci_state_fetchsitd(EHCIState *ehci, int async)
 {
-    uint32_t entry;
+    uint64_t entry;
     EHCIsitd sitd;
 
     assert(!async);
@@ -1804,7 +1808,7 @@ static int ehci_state_fetchqtd(EHCIQueue *q)
     EHCIqtd qtd;
     EHCIPacket *p;
     int again = 1;
-    uint32_t addr;
+    uint64_t addr;
 
     addr = NLPTR_GET(q->qtdaddr);
     if (get_dwords(q->ehci, addr +  8, &qtd.token,   1) < 0) {
@@ -1887,7 +1891,7 @@ static int ehci_fill_queue(EHCIPacket *p)
     USBEndpoint *ep = p->packet.ep;
     EHCIQueue *q = p->queue;
     EHCIqtd qtd = p->qtd;
-    uint32_t qtdaddr;
+    uint64_t qtdaddr;
 
     for (;;) {
         if (NLPTR_TBIT(qtd.next) != 0) {
@@ -2010,7 +2014,8 @@ static int ehci_state_executing(EHCIQueue *q)
 static int ehci_state_writeback(EHCIQueue *q)
 {
     EHCIPacket *p = QTAILQ_FIRST(&q->packets);
-    uint32_t *qtd, addr;
+    uint32_t *qtd;
+    uint64_t addr;
     int again = 0;
 
     /*  Write back the QTD from the QH area */
@@ -2484,8 +2489,8 @@ static void usb_ehci_vm_state_change(void *opaque, bool running, RunState state)
 
 const VMStateDescription vmstate_ehci = {
     .name        = "ehci-core",
-    .version_id  = 2,
-    .minimum_version_id  = 1,
+    .version_id  = 3,
+    .minimum_version_id  = 2,
     .pre_save    = usb_ehci_pre_save,
     .post_load   = usb_ehci_post_load,
     .fields = (const VMStateField[]) {
@@ -2513,8 +2518,8 @@ const VMStateDescription vmstate_ehci = {
         /* schedule state */
         VMSTATE_UINT32(astate, EHCIState),
         VMSTATE_UINT32(pstate, EHCIState),
-        VMSTATE_UINT32(a_fetch_addr, EHCIState),
-        VMSTATE_UINT32(p_fetch_addr, EHCIState),
+        VMSTATE_UINT64(a_fetch_addr, EHCIState),
+        VMSTATE_UINT64(p_fetch_addr, EHCIState),
         VMSTATE_END_OF_LIST()
     }
 };
-- 
2.43.0

[PATCH v1 04/13] hw/usb/trace-events: Print EHCI queue and transfer addresses as 64-bit

[Jamin Lin]

Update the EHCI trace-events prototypes for QH, qTD, iTD, and siTD to
use uint64_t for the address argument and print it with PRIx64. This
ensures full 64-bit addresses are shown in trace output and improves
debugging of queue heads and transfer descriptors.

This change only affects trace formatting and does not modify the EHCI
data structure layout or behavior.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/trace-events | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/hw/usb/trace-events b/hw/usb/trace-events
index dd04f14add..ecd84e54c0 100644
--- a/hw/usb/trace-events
+++ b/hw/usb/trace-events
@@ -86,14 +86,14 @@ usb_ehci_portsc_write(uint32_t addr, uint32_t port, uint32_t val) "wr mmio 0x%04
 usb_ehci_portsc_change(uint32_t addr, uint32_t port, uint32_t new, uint32_t old) "ch mmio 0x%04x [port %d] = 0x%x (old: 0x%x)"
 usb_ehci_usbsts(const char *sts, int state) "usbsts %s %d"
 usb_ehci_state(const char *schedule, const char *state) "%s schedule %s"
-usb_ehci_qh_ptrs(void *q, uint32_t addr, uint32_t nxt, uint32_t c_qtd, uint32_t n_qtd, uint32_t a_qtd) "q %p - QH @ 0x%08x: next 0x%08x qtds 0x%08x,0x%08x,0x%08x"
-usb_ehci_qh_fields(uint32_t addr, int rl, int mplen, int eps, int ep, int devaddr) "QH @ 0x%08x - rl %d, mplen %d, eps %d, ep %d, dev %d"
-usb_ehci_qh_bits(uint32_t addr, int c, int h, int dtc, int i) "QH @ 0x%08x - c %d, h %d, dtc %d, i %d"
-usb_ehci_qtd_ptrs(void *q, uint32_t addr, uint32_t nxt, uint32_t altnext) "q %p - QTD @ 0x%08x: next 0x%08x altnext 0x%08x"
-usb_ehci_qtd_fields(uint32_t addr, int tbytes, int cpage, int cerr, int pid) "QTD @ 0x%08x - tbytes %d, cpage %d, cerr %d, pid %d"
-usb_ehci_qtd_bits(uint32_t addr, int ioc, int active, int halt, int babble, int xacterr) "QTD @ 0x%08x - ioc %d, active %d, halt %d, babble %d, xacterr %d"
-usb_ehci_itd(uint32_t addr, uint32_t nxt, uint32_t mplen, uint32_t mult, uint32_t ep, uint32_t devaddr) "ITD @ 0x%08x: next 0x%08x - mplen %d, mult %d, ep %d, dev %d"
-usb_ehci_sitd(uint32_t addr, uint32_t nxt, uint32_t active) "ITD @ 0x%08x: next 0x%08x - active %d"
+usb_ehci_qh_ptrs(void *q, uint64_t addr, uint32_t nxt, uint32_t c_qtd, uint32_t n_qtd, uint32_t a_qtd) "q %p - QH @ 0x%" PRIx64 ": next 0x%08x qtds 0x%08x,0x%08x,0x%08x"
+usb_ehci_qh_fields(uint64_t addr, int rl, int mplen, int eps, int ep, int devaddr) "QH @ 0x%" PRIx64 " - rl %d, mplen %d, eps %d, ep %d, dev %d"
+usb_ehci_qh_bits(uint64_t addr, int c, int h, int dtc, int i) "QH @ 0x%" PRIx64 " - c %d, h %d, dtc %d, i %d"
+usb_ehci_qtd_ptrs(void *q, uint64_t addr, uint32_t nxt, uint32_t altnext) "q %p - QTD @ 0x%" PRIx64 ": next 0x%08x altnext 0x%08x"
+usb_ehci_qtd_fields(uint64_t addr, int tbytes, int cpage, int cerr, int pid) "QTD @ 0x%" PRIx64 " - tbytes %d, cpage %d, cerr %d, pid %d"
+usb_ehci_qtd_bits(uint64_t addr, int ioc, int active, int halt, int babble, int xacterr) "QTD @ 0x%" PRIx64 " - ioc %d, active %d, halt %d, babble %d, xacterr %d"
+usb_ehci_itd(uint64_t addr, uint32_t nxt, uint32_t mplen, uint32_t mult, uint32_t ep, uint32_t devaddr) "ITD @ 0x%" PRIx64 ": next 0x%08x - mplen %d, mult %d, ep %d, dev %d"
+usb_ehci_sitd(uint64_t addr, uint32_t nxt, uint32_t active) "SITD @ 0x%" PRIx64 ": next 0x%08x - active %d"
 usb_ehci_port_attach(uint32_t port, const char *owner, const char *device) "attach port #%d, owner %s, device %s"
 usb_ehci_port_detach(uint32_t port, const char *owner) "detach port #%d, owner %s"
 usb_ehci_port_reset(uint32_t port, int enable) "reset port #%d - %d"
-- 
2.43.0

[PATCH v1 05/13] hw/usb/hcd-ehci: Add property to advertise 64-bit addressing capability

[Jamin Lin]

Introduce a new boolean property, "caps-64bit-addr", to control
HCCPARAMS[0] (64-bit Addressing Capability).

When enabled, the EHCI controller advertises support for 64-bit
address memory pointers as defined in the EHCI specification
(Table 2-7, HCCPARAMS). This allows software to use the 64-bit
data structure formats described in Appendix B.

When disabled (default), the controller reports 32-bit addressing
capability and uses the standard 32-bit data structures.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h        | 1 +
 hw/usb/hcd-ehci-pci.c    | 2 ++
 hw/usb/hcd-ehci-sysbus.c | 2 ++
 hw/usb/hcd-ehci.c        | 5 ++++-
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index df87f8145f..7dc6d151cc 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -274,6 +274,7 @@ struct EHCIState {
 
     /* properties */
     uint32_t maxframes;
+    bool caps_64bit_addr;
 
     /*
      *  EHCI spec version 1.0 Section 2.3
diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c
index 9febcc1031..2ea8549db9 100644
--- a/hw/usb/hcd-ehci-pci.c
+++ b/hw/usb/hcd-ehci-pci.c
@@ -137,6 +137,8 @@ static void usb_ehci_pci_write_config(PCIDevice *dev, uint32_t addr,
 
 static const Property ehci_pci_properties[] = {
     DEFINE_PROP_UINT32("maxframes", EHCIPCIState, ehci.maxframes, 128),
+    DEFINE_PROP_BOOL("caps-64bit-addr", EHCIPCIState, ehci.caps_64bit_addr,
+                     false),
 };
 
 static const VMStateDescription vmstate_ehci_pci = {
diff --git a/hw/usb/hcd-ehci-sysbus.c b/hw/usb/hcd-ehci-sysbus.c
index b31032bbf3..61215e9f3d 100644
--- a/hw/usb/hcd-ehci-sysbus.c
+++ b/hw/usb/hcd-ehci-sysbus.c
@@ -34,6 +34,8 @@ static const Property ehci_sysbus_properties[] = {
     DEFINE_PROP_UINT32("maxframes", EHCISysBusState, ehci.maxframes, 128),
     DEFINE_PROP_BOOL("companion-enable", EHCISysBusState, ehci.companion_enable,
                      false),
+    DEFINE_PROP_BOOL("caps-64bit-addr", EHCISysBusState, ehci.caps_64bit_addr,
+                     false),
 };
 
 static void usb_ehci_sysbus_realize(DeviceState *dev, Error **errp)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 87c3991313..9e82328116 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2538,6 +2538,9 @@ void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp)
                    s->maxframes);
         return;
     }
+    if (s->caps_64bit_addr) {
+        s->caps[0x08] |= BIT(0);
+    }
 
     memory_region_add_subregion(&s->mem, s->capsbase, &s->mem_caps);
     memory_region_add_subregion(&s->mem, s->opregbase, &s->mem_opreg);
@@ -2597,7 +2600,7 @@ void usb_ehci_init(EHCIState *s, DeviceState *dev)
     s->caps[0x05] = 0x00;        /* No companion ports at present */
     s->caps[0x06] = 0x00;
     s->caps[0x07] = 0x00;
-    s->caps[0x08] = 0x80;        /* We can cache whole frame, no 64-bit */
+    s->caps[0x08] = 0x80;        /* We can cache whole frame */
     s->caps[0x0a] = 0x00;
     s->caps[0x0b] = 0x00;
 
-- 
2.43.0

[PATCH v1 06/13] hw/usb/hcd-ehci: Reject CTRLDSSEGMENT writes without 64-bit capability

[Jamin Lin]

The EHCI CTRLDSSEGMENT register provides the upper 32 bits [63:32] used to
form 64-bit addresses for EHCI control data structures. Per EHCI 1.0
spec section 2.3.5, when the HCCPARAMS 64-bit Addressing Capability bit
is zero, CTRLDSSEGMENT is not used: software cannot write it and reads
must return zero.

Add a capability check in the operational register write handler and
reject guest writes to CTRLDSSEGMENT when 64-bit addressing is
not enabled.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 9e82328116..d7a0917caf 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1106,7 +1106,14 @@ static void ehci_opreg_write(void *ptr, hwaddr addr,
               "      is enabled and HC is enabled\n");
         }
         break;
-
+    case CTRLDSSEGMENT:
+        if (!s->caps_64bit_addr) {
+            fprintf(stderr,
+                    "ehci: write to CTRLDSSEGMENT while "
+                    "64-bit addressing capability is disabled\n");
+            return;
+        }
+        break;
     case ASYNCLISTADDR:
         if (ehci_async_enabled(s)) {
             fprintf(stderr,
-- 
2.43.0

[PATCH v1 07/13] hw/usb/hcd-ehci: Implement 64-bit QH descriptor addressing

[Jamin Lin]

EHCI supports 64-bit control data structure addressing when the
64-bit Addressing Capability bit in HCCPARAMS is set. In that mode,
the CTRLDSSEGMENT register supplies the upper 32 bits which are
concatenated with 32-bit link pointer fields to form full 64-bit
descriptor addresses (EHCI 1.0, section 2.3.5 and Appendix B).

The current implementation assumes 32-bit QH descriptor addresses
and directly uses link pointer values without applying the
CTRLDSSEGMENT upper dword.

Introduce a helper, ehci_get_desc_addr(), to construct full 64-bit
descriptor addresses when 64-bit capability is enabled. Update QH
traversal paths (async list walk, horizontal QH link, and periodic
schedule entry handling) to use the translated 64-bit addresses.

Also add bufptr_hi[5] to EHCIqh to support 64-bit buffer pointer
fields as defined in Appendix B.

When 64-bit capability is disabled, descriptor addresses remain
32-bit and existing behaviour is unchanged.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h |  1 +
 hw/usb/hcd-ehci.c | 45 ++++++++++++++++++++++++++++++++-------------
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index 7dc6d151cc..f18150c352 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -204,6 +204,7 @@ typedef struct EHCIqh {
 #define BUFPTR_FRAMETAG_MASK          0x0000001f
 #define BUFPTR_SBYTES_MASK            0x00000fe0
 #define BUFPTR_SBYTES_SH              5
+    uint32_t bufptr_hi[5];
 } EHCIqh;
 
 /*
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index d7a0917caf..8fd3fd60c4 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -146,6 +146,18 @@ static const char *addr2str(hwaddr addr)
     return nr2str(ehci_mmio_names, ARRAY_SIZE(ehci_mmio_names), addr);
 }
 
+static uint64_t ehci_get_desc_addr(EHCIState *s, uint32_t low)
+{
+    uint64_t addr;
+
+    addr = (uint64_t)low;
+    if (s->caps_64bit_addr) {
+        addr |= (uint64_t)s->ctrldssegment << 32;
+    }
+
+    return addr;
+}
+
 static void ehci_trace_usbsts(uint32_t mask, int state)
 {
     /* interrupts */
@@ -438,8 +450,9 @@ static bool ehci_verify_qh(EHCIQueue *q, EHCIqh *qh)
         (endp    != get_field(q->qh.epchar, QH_EPCHAR_EP)) ||
         (qh->current_qtd != q->qh.current_qtd) ||
         (q->async && qh->next_qtd != q->qh.next_qtd) ||
+        /* 1 altnext_qtd + 1 token + 5 bufptr + 5 bufptr_hi */
         (memcmp(&qh->altnext_qtd, &q->qh.altnext_qtd,
-                                 7 * sizeof(uint32_t)) != 0) ||
+                12 * sizeof(uint32_t)) != 0) ||
         (q->dev != NULL && q->dev->addr != devaddr)) {
         return false;
     } else {
@@ -1534,7 +1547,9 @@ static int ehci_state_waitlisthead(EHCIState *ehci,  int async)
     EHCIqh qh;
     int i = 0;
     int again = 0;
-    uint64_t entry = ehci->asynclistaddr;
+    uint64_t entry = 0;
+
+    entry = ehci_get_desc_addr(ehci, ehci->asynclistaddr);
 
     /* set reclamation flag at start event (4.8.6) */
     if (async) {
@@ -1562,8 +1577,8 @@ static int ehci_state_waitlisthead(EHCIState *ehci,  int async)
             goto out;
         }
 
-        entry = qh.next;
-        if (entry == ehci->asynclistaddr) {
+        entry = ehci_get_desc_addr(ehci, qh.next);
+        if (entry == ehci_get_desc_addr(ehci, ehci->asynclistaddr)) {
             break;
         }
     }
@@ -1688,7 +1703,7 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async)
     }
 
 #if EHCI_DEBUG
-    if (q->qhaddr != q->qh.next) {
+    if (q->qhaddr != ehci_get_desc_addr(ehci, q->qh.next)) {
         DPRINTF("FETCHQH:  QH 0x%" PRIx64
                 " (h %x halt %x active %x) next 0x%08x\n",
                q->qhaddr,
@@ -1879,10 +1894,12 @@ static int ehci_state_fetchqtd(EHCIQueue *q)
 
 static int ehci_state_horizqh(EHCIQueue *q)
 {
+    uint64_t addr;
     int again = 0;
 
-    if (ehci_get_fetch_addr(q->ehci, q->async) != q->qh.next) {
-        ehci_set_fetch_addr(q->ehci, q->async, q->qh.next);
+    addr = ehci_get_desc_addr(q->ehci, q->qh.next);
+    if (ehci_get_fetch_addr(q->ehci, q->async) != addr) {
+        ehci_set_fetch_addr(q->ehci, q->async, addr);
         ehci_set_state(q->ehci, q->async, EST_FETCHENTRY);
         again = 1;
     } else {
@@ -2210,6 +2227,8 @@ static void ehci_advance_periodic_state(EHCIState *ehci)
     uint32_t entry;
     uint32_t list;
     const int async = 0;
+    uint64_t entry64;
+    uint64_t list64;
 
     /* 4.6 */
 
@@ -2234,14 +2253,14 @@ static void ehci_advance_periodic_state(EHCIState *ehci)
             break;
         }
         list |= ((ehci->frindex & 0x1ff8) >> 1);
-
-        if (get_dwords(ehci, list, &entry, 1) < 0) {
+        list64 = ehci_get_desc_addr(ehci, list);
+        if (get_dwords(ehci, list64, &entry, 1) < 0) {
             break;
         }
-
-        DPRINTF("PERIODIC state adv fr=%d.  [%08X] -> %08X\n",
-                ehci->frindex / 8, list, entry);
-        ehci_set_fetch_addr(ehci, async, entry);
+        entry64 = ehci_get_desc_addr(ehci, entry);
+        DPRINTF("PERIODIC state adv fr=%d.  %" PRIx64 " -> %" PRIx64 "\n",
+                ehci->frindex / 8, list64, entry64);
+        ehci_set_fetch_addr(ehci, async, entry64);
         ehci_set_state(ehci, async, EST_FETCHENTRY);
         ehci_advance_state(ehci, async);
         ehci_queues_rip_unused(ehci, async);
-- 
2.43.0

[PATCH v1 08/13] hw/usb/hcd-ehci: Implement 64-bit qTD descriptor addressing

[Jamin Lin]

EHCI supports 64-bit addressing when the 64-bit Addressing Capability
bit in HCCPARAMS is set. In that mode, the CTRLDSSEGMENT register
provides the upper 32 bits that are concatenated with 32-bit link
pointer values to form 64-bit control data structure addresses
(EHCI 1.0, section 2.3.5 and Appendix B).

qTD link pointers (current_qtd/next_qtd/altnext_qtd and qTD.next)
are stored as 32-bit values in the data structures and must be
expanded to full 64-bit descriptor addresses when 64-bit mode is
enabled. Update the qTD traversal paths to use ehci_get_desc_addr()
when following link pointers.

Appendix B also defines high dword fields for qTD buffer pointers.
Add bufptr_hi[5] to EHCIqtd and extend qTD fetch and QH overlay
handling to load and propagate the high buffer pointer fields.

Introduce ehci_get_buf_addr() to construct full 64-bit buffer
addresses from bufptr[] and bufptr_hi[] fields. Use this helper
when calculating transfer buffer addresses so that data buffers
above 4GB are correctly handled.

When 64-bit capability is disabled, descriptor and buffer addresses
remain 32-bit and existing behaviour is unchanged.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h |  1 +
 hw/usb/hcd-ehci.c | 32 +++++++++++++++++++++++++-------
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index f18150c352..df16426f76 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -149,6 +149,7 @@ typedef struct EHCIqtd {
     uint32_t bufptr[5];               /* Standard buffer pointer */
 #define QTD_BUFPTR_MASK               0xfffff000
 #define QTD_BUFPTR_SH                 12
+    uint32_t bufptr_hi[5];
 } EHCIqtd;
 
 /*
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 8fd3fd60c4..5964ede05b 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -158,6 +158,19 @@ static uint64_t ehci_get_desc_addr(EHCIState *s, uint32_t low)
     return addr;
 }
 
+static uint64_t ehci_get_buf_addr(EHCIState *s, uint32_t hi, uint32_t low,
+                                  uint32_t mask)
+{
+    uint64_t addr;
+
+    addr = (uint64_t)(low & mask);
+    if (s->caps_64bit_addr) {
+        addr |= (uint64_t)hi << 32;
+    }
+
+    return addr;
+}
+
 static void ehci_trace_usbsts(uint32_t mask, int state)
 {
     /* interrupts */
@@ -467,7 +480,8 @@ static bool ehci_verify_qtd(EHCIPacket *p, EHCIqtd *qtd)
             (p->qtd.next != qtd->next)) ||
         (!NLPTR_TBIT(p->qtd.altnext) && (p->qtd.altnext != qtd->altnext)) ||
         p->qtd.token != qtd->token ||
-        p->qtd.bufptr[0] != qtd->bufptr[0]) {
+        p->qtd.bufptr[0] != qtd->bufptr[0] ||
+        p->qtd.bufptr_hi[0] != qtd->bufptr_hi[0]) {
         return false;
     } else {
         return true;
@@ -1192,6 +1206,7 @@ static int ehci_qh_do_overlay(EHCIQueue *q)
 
     for (i = 0; i < 5; i++) {
         q->qh.bufptr[i] = p->qtd.bufptr[i];
+        q->qh.bufptr_hi[i] = p->qtd.bufptr_hi[i];
     }
 
     if (!(q->qh.epchar & QH_EPCHAR_DTC)) {
@@ -1225,7 +1240,8 @@ static int ehci_init_transfer(EHCIPacket *p)
             return -1;
         }
 
-        page  = p->qtd.bufptr[cpage] & QTD_BUFPTR_MASK;
+        page = ehci_get_buf_addr(p->queue->ehci, p->qtd.bufptr_hi[cpage],
+                                 p->qtd.bufptr[cpage], QTD_BUFPTR_MASK);
         page += offset;
         plen  = bytes;
         if (plen > 4096 - offset) {
@@ -1720,7 +1736,7 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async)
     } else if ((q->qh.token & QTD_TOKEN_ACTIVE) &&
                (NLPTR_TBIT(q->qh.current_qtd) == 0) &&
                (q->qh.current_qtd != 0)) {
-        q->qtdaddr = q->qh.current_qtd;
+        q->qtdaddr = ehci_get_desc_addr(ehci, q->qh.current_qtd);
         ehci_set_state(ehci, async, EST_FETCHQTD);
 
     } else {
@@ -1804,14 +1820,14 @@ static int ehci_state_advqueue(EHCIQueue *q)
      */
     if (((q->qh.token & QTD_TOKEN_TBYTES_MASK) != 0) &&
         (NLPTR_TBIT(q->qh.altnext_qtd) == 0)) {
-        q->qtdaddr = q->qh.altnext_qtd;
+        q->qtdaddr = ehci_get_desc_addr(q->ehci, q->qh.altnext_qtd);
         ehci_set_state(q->ehci, q->async, EST_FETCHQTD);
 
     /*
      *  next qTD is valid
      */
     } else if (NLPTR_TBIT(q->qh.next_qtd) == 0) {
-        q->qtdaddr = q->qh.next_qtd;
+        q->qtdaddr = ehci_get_desc_addr(q->ehci, q->qh.next_qtd);
         ehci_set_state(q->ehci, q->async, EST_FETCHQTD);
 
     /*
@@ -1840,7 +1856,9 @@ static int ehci_state_fetchqtd(EHCIQueue *q)
     if (get_dwords(q->ehci, addr +  0, &qtd.next,    1) < 0 ||
         get_dwords(q->ehci, addr +  4, &qtd.altnext, 1) < 0 ||
         get_dwords(q->ehci, addr + 12, qtd.bufptr,
-                   ARRAY_SIZE(qtd.bufptr)) < 0) {
+                   ARRAY_SIZE(qtd.bufptr)) < 0 ||
+        get_dwords(q->ehci, addr + 32, qtd.bufptr_hi,
+                   ARRAY_SIZE(qtd.bufptr_hi)) < 0) {
         return 0;
     }
     ehci_trace_qtd(q, NLPTR_GET(q->qtdaddr), &qtd);
@@ -1921,7 +1939,7 @@ static int ehci_fill_queue(EHCIPacket *p)
         if (NLPTR_TBIT(qtd.next) != 0) {
             break;
         }
-        qtdaddr = qtd.next;
+        qtdaddr = ehci_get_desc_addr(q->ehci, qtd.next);
         /*
          * Detect circular td lists, Windows creates these, counting on the
          * active bit going low after execution to make the queue stop.
-- 
2.43.0

[PATCH v1 09/13] hw/usb/hcd-ehci: Implement 64-bit iTD descriptor addressing

[Jamin Lin]

EHCI supports 64-bit control data structure addressing when the
64-bit Addressing Capability bit in HCCPARAMS is set. In that mode,
the CTRLDSSEGMENT register provides the upper 32 bits that are
concatenated with 32-bit link pointer values to form full 64-bit
descriptor addresses (EHCI 1.0, section 2.3.5 and Appendix B).

iTD link pointers are stored as 32-bit values and must be expanded
to full 64-bit descriptor addresses when 64-bit mode is enabled.
Update the iTD traversal path to use ehci_get_desc_addr() when
following link pointers.

Appendix B also defines high dword fields for iTD buffer pointers.
Add bufptr_hi[7] to EHCIitd and use ehci_get_buf_addr() to construct
full 64-bit buffer addresses from bufptr[] and bufptr_hi[] fields
when processing isochronous transfers. This allows buffers above
4GB to be handled correctly.

When 64-bit capability is disabled, descriptor and buffer addresses
remain 32-bit and existing behaviour is unchanged.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h | 1 +
 hw/usb/hcd-ehci.c | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index df16426f76..f0cb50ba45 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -73,6 +73,7 @@ typedef struct EHCIitd {
 #define ITD_BUFPTR_MAXPKT_SH     0
 #define ITD_BUFPTR_MULT_MASK     0x00000003
 #define ITD_BUFPTR_MULT_SH       0
+    uint32_t bufptr_hi[7];
 } EHCIitd;
 
 /*
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 5964ede05b..a4a45c7601 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1471,7 +1471,8 @@ static int ehci_process_itd(EHCIState *ehci,
                 return -1;
             }
 
-            ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
+            ptr1 = ehci_get_buf_addr(ehci, itd->bufptr_hi[pg],
+                                     itd->bufptr[pg], ITD_BUFPTR_MASK);
             qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
             if (off + len > 4096) {
                 /* transfer crosses page border */
@@ -1479,7 +1480,9 @@ static int ehci_process_itd(EHCIState *ehci,
                     qemu_sglist_destroy(&ehci->isgl);
                     return -1;  /* avoid page pg + 1 */
                 }
-                ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
+                ptr2 = ehci_get_buf_addr(ehci, itd->bufptr_hi[pg + 1],
+                                         itd->bufptr[pg + 1],
+                                         ITD_BUFPTR_MASK);
                 uint32_t len2 = off + len - 4096;
                 uint32_t len1 = len - len2;
                 qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
@@ -1768,7 +1771,7 @@ static int ehci_state_fetchitd(EHCIState *ehci, int async)
 
     put_dwords(ehci, NLPTR_GET(entry), (uint32_t *) &itd,
                sizeof(EHCIitd) >> 2);
-    ehci_set_fetch_addr(ehci, async, itd.next);
+    ehci_set_fetch_addr(ehci, async, ehci_get_desc_addr(ehci, itd.next));
     ehci_set_state(ehci, async, EST_FETCHENTRY);
 
     return 1;
-- 
2.43.0

[PATCH v1 10/13] hw/usb/hcd-ehci: Implement 64-bit siTD descriptor addressing

[Jamin Lin]

EHCI supports 64-bit control data structure addressing when the
64-bit Addressing Capability bit in HCCPARAMS is set. In that mode,
the CTRLDSSEGMENT register provides the upper 32 bits that are
concatenated with 32-bit link pointer values to form full 64-bit
descriptor addresses (EHCI 1.0, section 2.3.5 and Appendix B).

siTD link pointers are stored as 32-bit values and must be expanded
to full 64-bit descriptor addresses when 64-bit mode is enabled.
Update the siTD traversal path to use ehci_get_desc_addr() when
following link pointers.

Appendix B also defines high dword fields for siTD buffer pointers.
Add bufptr_hi[] fields to EHCIsitd and use ehci_get_buf_addr() to
construct full 64-bit buffer addresses from bufptr[] and bufptr_hi[]
when processing split isochronous transfers. This allows buffers
above 4GB to be handled correctly.

When 64-bit capability is disabled, descriptor and buffer addresses
remain 32-bit and existing behaviour is unchanged.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h | 1 +
 hw/usb/hcd-ehci.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index f0cb50ba45..a11d4179cd 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -119,6 +119,7 @@ typedef struct EHCIsitd {
 #define SITD_BUFPTR_TCNT_MASK         0x00000007
 
     uint32_t backptr;                 /* Standard next link pointer */
+    uint32_t bufptr_hi[2];
 } EHCIsitd;
 
 /*
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index a4a45c7601..d9d1ac2d28 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1798,7 +1798,7 @@ static int ehci_state_fetchsitd(EHCIState *ehci, int async)
         warn_report("Skipping active siTD");
     }
 
-    ehci_set_fetch_addr(ehci, async, sitd.next);
+    ehci_set_fetch_addr(ehci, async, ehci_get_desc_addr(ehci, sitd.next));
     ehci_set_state(ehci, async, EST_FETCHENTRY);
     return 1;
 }
-- 
2.43.0

[PATCH v1 11/13] hw/usb/hcd-ehci: Add descriptor address offset property

[Jamin Lin]

When 64-bit addressing is supported, the Linux EHCI driver programs the
segment register to zero. See ehci_run function:
https://github.com/torvalds/linux/blob/master/drivers/usb/host/ehci-hcd.c

The driver comment also notes that descriptor structures allocated from
the DMA pool use segment zero semantics.

Descriptor memory is allocated using the DMA API. The platform driver
configures a 64-bit DMA mask so memory can be allocated above 4GB.
See ehci_platform_probe function:
https://github.com/torvalds/linux/blob/master/drivers/usb/host/ehci-platform.c

On AST2700 platforms, system DRAM is mapped above 4GB at 0x400000000.
As a result, descriptor addresses constructed directly from the guest
EHCI registers do not match the actual system address used by the
controller when fetching queue heads (QH) and queue element transfer
descriptors (qTD).

Introduce a descriptor-addr-offset property so platforms can provide an
address offset applied when constructing descriptor addresses. This
allows systems where DRAM resides above 4GB to correctly access EHCI
descriptors while keeping the default behavior unchanged for existing
machines.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/usb/hcd-ehci.h        | 1 +
 hw/usb/hcd-ehci-pci.c    | 2 ++
 hw/usb/hcd-ehci-sysbus.c | 2 ++
 hw/usb/hcd-ehci.c        | 1 +
 4 files changed, 6 insertions(+)

diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index a11d4179cd..6593480028 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -279,6 +279,7 @@ struct EHCIState {
     /* properties */
     uint32_t maxframes;
     bool caps_64bit_addr;
+    uint64_t descriptor_addr_offset;
 
     /*
      *  EHCI spec version 1.0 Section 2.3
diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c
index 2ea8549db9..115d05ede0 100644
--- a/hw/usb/hcd-ehci-pci.c
+++ b/hw/usb/hcd-ehci-pci.c
@@ -139,6 +139,8 @@ static const Property ehci_pci_properties[] = {
     DEFINE_PROP_UINT32("maxframes", EHCIPCIState, ehci.maxframes, 128),
     DEFINE_PROP_BOOL("caps-64bit-addr", EHCIPCIState, ehci.caps_64bit_addr,
                      false),
+    DEFINE_PROP_UINT64("descriptor-addr-offset", EHCIPCIState,
+                       ehci.descriptor_addr_offset, 0),
 };
 
 static const VMStateDescription vmstate_ehci_pci = {
diff --git a/hw/usb/hcd-ehci-sysbus.c b/hw/usb/hcd-ehci-sysbus.c
index 61215e9f3d..df138fb339 100644
--- a/hw/usb/hcd-ehci-sysbus.c
+++ b/hw/usb/hcd-ehci-sysbus.c
@@ -36,6 +36,8 @@ static const Property ehci_sysbus_properties[] = {
                      false),
     DEFINE_PROP_BOOL("caps-64bit-addr", EHCISysBusState, ehci.caps_64bit_addr,
                      false),
+    DEFINE_PROP_UINT64("descriptor-addr-offset", EHCISysBusState,
+                       ehci.descriptor_addr_offset, 0),
 };
 
 static void usb_ehci_sysbus_realize(DeviceState *dev, Error **errp)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index d9d1ac2d28..cdb53be4ae 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -155,6 +155,7 @@ static uint64_t ehci_get_desc_addr(EHCIState *s, uint32_t low)
         addr |= (uint64_t)s->ctrldssegment << 32;
     }
 
+    addr += s->descriptor_addr_offset;
     return addr;
 }
 
-- 
2.43.0

[PATCH v1 12/13] hw/arm/aspeed_ast27x0: Enable 64-bit EHCI DMA addressing

[Jamin Lin]

AST2700 supports a 64-bit DRAM address space. Therefore, DMA
transactions must be capable of accessing 64-bit addresses.

Enable the "caps-64bit-addr" property for the EHCI controllers
on AST2700 so that USB DMA operations can correctly handle
64-bit memory addresses.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/arm/aspeed_ast27x0.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/aspeed_ast27x0.c b/hw/arm/aspeed_ast27x0.c
index 87dcb82e1b..4a1f7cad73 100644
--- a/hw/arm/aspeed_ast27x0.c
+++ b/hw/arm/aspeed_ast27x0.c
@@ -856,6 +856,8 @@ static void aspeed_soc_ast2700_realize(DeviceState *dev, Error **errp)
 
     /* EHCI */
     for (i = 0; i < sc->ehcis_num; i++) {
+        object_property_set_bool(OBJECT(&s->ehci[i]), "caps-64bit-addr", true,
+                                 &error_abort);
         if (!sysbus_realize(SYS_BUS_DEVICE(&s->ehci[i]), errp)) {
             return;
         }
-- 
2.43.0

[PATCH v1 13/13] hw/arm/aspeed_ast27x0: Set EHCI descriptor address offset

[Jamin Lin]

On AST2700 platforms, system DRAM is mapped above 4GB with the
base address at 0x400000000.

The Linux EHCI driver programs the segment register to zero when
64-bit addressing is supported. As a result, descriptor addresses
derived from the EHCI registers do not include the DRAM base
address.

Descriptor memory is allocated through the DMA API with a 64-bit
DMA mask, which allows descriptors to be placed in DRAM above 4GB.
When running on AST2700, this means EHCI queue heads (QH) and queue
element transfer descriptors (qTD) reside at addresses starting
from 0x400000000.

Set the descriptor-addr-offset property to the DRAM base so the
emulated EHCI controller can construct the correct descriptor
addresses when accessing system memory.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 hw/arm/aspeed_ast27x0.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/arm/aspeed_ast27x0.c b/hw/arm/aspeed_ast27x0.c
index 4a1f7cad73..3cdbf78ac1 100644
--- a/hw/arm/aspeed_ast27x0.c
+++ b/hw/arm/aspeed_ast27x0.c
@@ -858,6 +858,9 @@ static void aspeed_soc_ast2700_realize(DeviceState *dev, Error **errp)
     for (i = 0; i < sc->ehcis_num; i++) {
         object_property_set_bool(OBJECT(&s->ehci[i]), "caps-64bit-addr", true,
                                  &error_abort);
+        object_property_set_int(OBJECT(&s->ehci[i]), "descriptor-addr-offset",
+                                sc->memmap[ASPEED_DEV_SDRAM],
+                                &error_abort);
         if (!sysbus_realize(SYS_BUS_DEVICE(&s->ehci[i]), errp)) {
             return;
         }
-- 
2.43.0