summaryrefslogtreecommitdiffstats
path: root/src/VBox/Devices/USB/DevXHCI.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/VBox/Devices/USB/DevXHCI.cpp')
-rw-r--r--src/VBox/Devices/USB/DevXHCI.cpp8295
1 files changed, 8295 insertions, 0 deletions
diff --git a/src/VBox/Devices/USB/DevXHCI.cpp b/src/VBox/Devices/USB/DevXHCI.cpp
new file mode 100644
index 00000000..ede6413c
--- /dev/null
+++ b/src/VBox/Devices/USB/DevXHCI.cpp
@@ -0,0 +1,8295 @@
+/* $Id: DevXHCI.cpp $ */
+/** @file
+ * DevXHCI - eXtensible Host Controller Interface for USB.
+ */
+
+/*
+ * Copyright (C) 2012-2022 Oracle and/or its affiliates.
+ *
+ * This file is part of VirtualBox base platform packages, as
+ * available from https://www.virtualbox.org.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation, in version 3 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <https://www.gnu.org/licenses>.
+ *
+ * SPDX-License-Identifier: GPL-3.0-only
+ */
+
+/** @page pg_dev_xhci xHCI - eXtensible Host Controller Interface Emulation.
+ *
+ * This component implements an xHCI USB controller.
+ *
+ * The xHCI device is significantly different from the EHCI and OHCI
+ * controllers in that it is not timer driven. A worker thread is responsible
+ * for transferring data between xHCI and VUSB.
+ *
+ * Since there can be dozens or even hundreds of USB devices, and because USB
+ * transfers must share the same bus, only one worker thread is created (per
+ * host controller).
+ *
+ *
+ * The xHCI operational model is heavily based around a producer/consumer
+ * model utilizing rings -- Command, Event, and Transfer rings. The Event ring
+ * is only written by the xHC and is read-only for the HCD (Host Controller
+ * Driver). The Command/Transfer rings are only written by the HCD and are
+ * read-only for the xHC.
+ *
+ * The rings contain TRBs (Transfer Request Blocks). The TRBs represent not
+ * only data transfers but also commands and status information. Each type of
+ * ring only produces/consumes specific TRB types.
+ *
+ * When processing a ring, the xHC simply keeps advancing an internal pointer.
+ * For the Command/Transfer rings, the HCD uses Link TRBs to manage the ring
+ * storage in a fairly arbitrary manner. Since the HCD cannot write to the
+ * Event ring, the Event Ring Segment Table (ERST) is used to manage the ring
+ * storage instead.
+ *
+ * The Cycle bit is used to manage the ring buffer full/empty condition. The
+ * Producer and Consumer both have their own Cycle State (PCS/CCS). The Cycle
+ * bit of each TRB determines who owns it. The consumer only processes TRBs
+ * whose Cycle bit matches the CCS. HCD software typically toggles the Cycle
+ * bit on each pass through the ring. The Link TRB can be used to toggle the
+ * CCS accordingly.
+ *
+ * Multiple Transfer TRBs can be chained together (via the Chain bit) into a
+ * single Transfer Descriptor (TD). This provides a convenient capability for
+ * the HCD to turn a URB into a single TD regardless of how the URB is laid
+ * out in physical memory. If a transfer encounters an error or is terminated
+ * by a short packet, the entire TD (i.e. chain of TRBs) is retired.
+ *
+ * Note that the xHC detects and handles short packets on its own. Backends
+ * are always asked not to consider a short packet to be an error condition.
+ *
+ * Command and Event TRBs cannot be chained, thus an ED (Event Descriptor)
+ * or a Command Descriptor (CD) always consists of a single TRB.
+ *
+ * There is one Command ring per xHC, one Event ring per interrupter (one or
+ * more), and a potentially very large number of Transfer rings. There is a
+ * 1:1 mapping between Transfer Rings and USB pipes, hence each USB device
+ * uses 1-31 Transfer rings (at least one for the default control endpoint,
+ * up to 31 if all IN/OUT endpoints are used). USB 3.0 devices may also use
+ * up to 64K streams per endpoint, each with its Transfer ring, massively
+ * increasing the potential number of Transfer rings in use.
+ *
+ * When building a Transfer ring, it's possible to queue up a large number
+ * of TDs and as soon as the oldest ones are retired, queue up new TDs. The
+ * Transfer ring might thus never be empty.
+ *
+ * For tracking ring buffer position, the TRDP and TREP fields in an endpoint
+ * context are used. The TRDP is the 'TR Dequeue Pointer', i.e. the position
+ * of the next TRB to be completed. This field is visible by the HCD when the
+ * endpoint isn't running. It reflects TRBs completely processed by the xHC
+ * and hence no longer owned by the xHC.
+ *
+ * The TREP field is the 'TR Enqueue Pointer' and tracks the position of the
+ * next TRB to start processing (submit). This is purely internal to the
+ * xHC. The TREP can potentially get far ahead of the TRDP, but only in the
+ * part of the ring owned by the xHC (i.e. with matching DCS bit).
+ *
+ * Unlike most other xHCI data structures, transfer TRBs may describe memory
+ * buffers with no alignment restrictions (both starting position and size).
+ * In addition, there is no relationship between TRB boundaries and USB
+ * packet boundaries.
+ *
+ *
+ * Typically an event would be generated via the IOC bit (Interrupt On
+ * Completion) when the last TRB of a TD is completed. However, multiple IOC
+ * bits may be set per TD. This may be required when a TD equal or larger
+ * than 16MB is used, since transfer events utilize a 24-bit length field.
+ *
+ * There is also the option of using Transfer Event TRBs to report TRB
+ * completion. Transfer Event TRBs may be freely intermixed with transfer
+ * TRBs. Note that an event TRB will produce an event reporting the size of
+ * data transferred since the last event TRB or since the beginning of a TD.
+ * The xHC submits URBs such that they either comprise the entire TD or end
+ * at a Transfer Event TRB, thus there is no need to track the EDTLA
+ * separately.
+ *
+ * Transfer errors always generate events, irrespective of IOC settings. The
+ * xHC has always the option to generate events at implementation-specific
+ * points so that the HCD does not fall too far behind.
+ *
+ * Control transfers use special TDs. A Setup Stage TD consists of only a
+ * single Setup Stage TRB (there's no Chain bit). The optional Data Stage
+ * TD consists of a Data Stage TRB chained to zero or more Normal TRBs
+ * and/or Event Data TRBs. The Status Stage TD then consists of a Status
+ * Stage TRB optionally chained to an Event Data TRB. The HCD is responsible
+ * for building the TDs correctly.
+ *
+ * For isochronous transfers, only the first TRB of a TD is actually an
+ * isochronous TRB. If the TD is chained, it will contain Normal TRBs (and
+ * possibly Event Data TRBs).
+ *
+ *
+ * Isochronous transfers require multiple TDs/URBs to be in flight at a
+ * time. This complicates dealing with non-data TRBs (such as link or event
+ * data TRBs). These TRBs cannot be completed while a previous TRB is still
+ * in flight. They are completed either: a) when submitting URBs and there
+ * are no in-flight URBs, or b) just prior to completing an URB.
+ *
+ * This approach works because URBs must be completed strictly in-order. The
+ * TRDP and TREP determine whether there are in-flight TRBs (TREP equals
+ * TRDP if and only if there are no in-flight TRBs).
+ *
+ * When submitting TRBs and there is in-flight traffic, non-data TRBs must
+ * be examined and skipped over. Link TRBs need to be taken into account.
+ *
+ * Unfortunately, certain HCDs (looking at you, Microsoft!) violate the xHCI
+ * specification and make assumptions about how far ahead of the TRDP the
+ * xHC can get. We have to artificially limit the number of in-flight TDs
+ * for this reason.
+ *
+ * Non-isochronous TRBs do not require this treatment for correct function
+ * but are likely to benefit performance-wise from the pipelining.
+ *
+ * With high-speed and faster transfers, there is an added complication for
+ * endpoints with more than one transfer per frame, i.e. short intervals. At
+ * least some host USB stacks require URBs to cover an entire frame, which
+ * means we may have to glue together several TDs into a single URB.
+ *
+ *
+ * A buggy or malicious guest can create a transfer or command ring that
+ * loops in on itself (in the simplest case using a sequence of one or more
+ * link TRBs where the last TRB points to the beginning of the sequence).
+ * Such a loop would effectively hang the processing thread. Since we cannot
+ * easily detect a generic loop, and because even non-looped TRB/command
+ * rings might contain extremely large number of items, we limit the number
+ * of entries that we are willing to process at once. If the limit is
+ * crossed, the xHC reports a host controller error and shuts itself down
+ * until it's reset.
+ *
+ * Note that for TRB lists, both URB submission and completion must protect
+ * against loops because the lists in guest memory are not guaranteed to stay
+ * unchanged between submitting and completing URBs.
+ *
+ * The event ring is not susceptible to loops because the xHC is the producer,
+ * not consumer. The event ring can run out of space but that is not a fatal
+ * problem.
+ *
+ *
+ * The interrupt logic uses an internal IPE (Interrupt Pending Enable) bit
+ * which controls whether the register-visible IP (Interrupt Pending) bit
+ * can be set. The IPE bit is set when a non-blocking event (BEI bit clear)
+ * is enqueued. The IPE bit is cleared when the event ring is initialized or
+ * transitions to empty (i.e. ERDP == EREP). When IPE transtitions to set,
+ * it will set IP unless the EHB (Event Handler Busy) bit is set or IMODC
+ * (Interrupt Moderation Counter) is non-zero. When IMODC counts down to
+ * zero, it sets the IP bit if IPE is set and EHB is not. Setting the IP bit
+ * triggers interrupt delivery. Note that clearing the IPE bit does not
+ * change the IP bit state.
+ *
+ * Interrupt delivery depends on whether MSI/MSI-X is in use or not. With MSI,
+ * an interrupter's IP (Interrupt Pending) bit is cleared as soon as the MSI
+ * message is written; with classic PCI interrupt delivery, the HCD must clear
+ * the IP bit. However, the EHB (Event Handler Busy) bit is always set, which
+ * causes further interrupts to be blocked on the interrupter until the HCD
+ * processes pending events and clears the EHB bit.
+ *
+ * Note that clearing the EHB bit may immediately trigger an interrupt if
+ * additional event TRBs were queued up while the HCD was processing previous
+ * ones.
+ *
+ *
+ * Each enabled USB device has a corresponding slot ID, a doorbell, as well as
+ * a device context which can be accessed through the DCBAA (Device Context
+ * Base Address Array). Valid slot IDs are in the 1-255 range; the first entry
+ * (i.e. index 0) in the DCBAA may optionally point to the Scratchpad Buffer
+ * Array, while doorbell 0 is associated with the Command Ring.
+ *
+ * While 255 valid slot IDs is an xHCI architectural limit, existing xHC
+ * implementations usually set a considerably lower limit, such as 32. See
+ * the XHCI_NDS constant.
+ *
+ * It would be tempting to use the DCBAA to determine which slots are free.
+ * Unfortunately the xHC is not allowed to access DCBAA entries which map to
+ * disabled slots (see section 6.1). A parallel aSlotState array is hence used
+ * to internally track the slot state and find available slots. Once a slot
+ * is enabled, the slot context entry in the DCBAA is used to track the
+ * slot state.
+ *
+ *
+ * Unlike OHCI/UHCI/EHCI, the xHC much more closely tracks USB device state.
+ * HCDs are not allowed to issue SET_ADDRESS requests at all and must use
+ * the Address Device xHCI command instead.
+ *
+ * HCDs can use SET_CONFIGURATION and SET_INTERFACE requests normally, but
+ * must inform the xHC of the changes via Configure Endpoint and Evaluate
+ * Context commands. Similarly there are Reset Endpoint and Stop Endpoint
+ * commands to manage endpoint state.
+ *
+ * A corollary of the above is that unlike OHCI/UHCI/EHCI, with xHCI there
+ * are very clear rules and a straightforward protocol for managing
+ * ownership of structures in physical memory. During normal operation, the
+ * xHC owns all device context memory and the HCD must explicitly ask the xHC
+ * to relinquish the ownership.
+ *
+ * The xHCI architecture offers an interesting feature in that it reserves
+ * opaque fields for xHCI use in certain data structures (slot and endpoint
+ * contexts) and gives the xHC an option to request scratchpad buffers that
+ * a HCD must provide. The xHC may use the opaque storage and/or scratchpad
+ * buffers for saving internal state.
+ *
+ * For implementation reasons, the xHCI device creates two root hubs on the
+ * VUSB level; one for USB2 devices (USB 1.x and 2.0), one for USB3. The
+ * behavior of USB2 vs. USB3 ports is different, and a device can only be
+ * attached to either one or the other hub. However, there is a single array
+ * of ports to avoid overly complicating the code, given that port numbering
+ * is linear and encompasses both USB2 and USB3 ports.
+ *
+ *
+ * The default emulated device is an Intel 7-Series xHC aka Panther Point.
+ * This was Intel's first xHC and is widely supported. It is also possible
+ * to select an Intel 8-Series xHC aka Lynx Point; this is only useful for
+ * debugging and requires the 'other' set of Windows 7 drivers.
+ *
+ * For Windows XP guest support, it is possible to emulate a Renesas
+ * (formerly NEC) uPD720201 xHC. It would be possible to emulate the earlier
+ * NEC chips but those a) only support xHCI 0.96, and b) their drivers
+ * require a reboot during installation. Renesas' drivers also support
+ * Windows Vista and 7.
+ *
+ *
+ * NB: Endpoints are addressed differently in xHCI and USB. In USB,
+ * endpoint addresses are 8-bit values with the low four bits identifying
+ * the endpoint number and the high bit indicating the direction (0=OUT,
+ * 1=IN); see e.g. 9.3.4 in USB 2.0 spec. In xHCI, endpoint addresses are
+ * used as DCIs (Device Context Index) and for that reason, they're
+ * compressed into 5 bits where the lowest bit(!) indicates direction (again
+ * 1=IN) and bits 1-4 designate the endpoint number. Endpoint 0 is somewhat
+ * special and uses DCI 1. See 4.8.1 in xHCI spec.
+ *
+ *
+ * NB: A variable named iPort is a zero-based index into the port array.
+ * On the other hand, a variable named uPort is a one-based port number!
+ * The implementation (obviously) uses zero-based indexing, but USB ports
+ * are numbered starting with 1. The same is true of xHCI slot numbering.
+ * The macros IDX_TO_ID() and ID_TO_IDX(a) should be used to convert between
+ * the two numbering conventions to make the intent clear.
+ *
+ */
+
+
+/*********************************************************************************************************************************
+* Header Files *
+*********************************************************************************************************************************/
+#define LOG_GROUP LOG_GROUP_DEV_XHCI
+#include <VBox/pci.h>
+#include <VBox/msi.h>
+#include <VBox/vmm/pdm.h>
+#include <VBox/err.h>
+#include <VBox/log.h>
+#include <iprt/assert.h>
+#ifdef IN_RING3
+# include <iprt/uuid.h>
+# include <iprt/critsect.h>
+#endif
+#include <VBox/vusb.h>
+#ifdef VBOX_IN_EXTPACK_R3
+# include <VBox/version.h>
+#endif
+#ifndef VBOX_IN_EXTPACK
+# include "VBoxDD.h"
+#endif
+
+
+/*********************************************************************************************************************************
+* (Most of the) Defined Constants, Macros and Structures *
+*********************************************************************************************************************************/
+
+/* Optional error injection support via DBGF. */
+//#define XHCI_ERROR_INJECTION
+
+/** The saved state version. */
+#define XHCI_SAVED_STATE_VERSION 1
+
+
+/** Convert a zero-based index to a 1-based ID. */
+#define IDX_TO_ID(a) (a + 1)
+/** Convert a 1-based ID to a zero-based index. */
+#define ID_TO_IDX(a) (a - 1)
+
+/** PCI device related constants. */
+#define XHCI_PCI_MSI_CAP_OFS 0x80
+
+/** Number of LUNs/root hubs. One each for USB2/USB3. */
+#define XHCI_NUM_LUNS 2
+
+/** @name The following two constants were determined experimentally.
+ * They determine the maximum number of TDs allowed to be in flight.
+ * NB: For isochronous TDs, the number *must* be limited because
+ * Windows 8+ violates the xHCI specification and does not keep
+ * the transfer rings consistent.
+ * @{
+ */
+//#define XHCI_MAX_ISOC_IN_FLIGHT 3 /* Scarlett needs 3; was 12 */
+#define XHCI_MAX_ISOC_IN_FLIGHT 12
+#define XHCI_MAX_BULK_IN_FLIGHT 8
+/** @} */
+
+/** @name Implementation limit on the number of TRBs and commands
+ * the xHC is willing to process at once. A larger number is taken
+ * to indicate a broken or malicious guest, and causes a HC error.
+ * @{
+ */
+#define XHCI_MAX_NUM_CMDS 128
+#define XHCI_MAX_NUM_TRBS 1024
+/** @} */
+
+/** Implementation TD size limit. Prevents EDTLA wrap-around. */
+#define XHCI_MAX_TD_SIZE (16 * _1M - 1)
+
+/** Special value to prevent further queuing. */
+#define XHCI_NO_QUEUING_IN_FLIGHT (XHCI_MAX_BULK_IN_FLIGHT * 2)
+
+/* Structural Parameters #1 (HCSPARAMS1) values. */
+
+/** Maximum allowed Number of Downstream Ports on the root hub. Careful
+ * when changing -- other structures may need adjusting!
+ */
+#define XHCI_NDP_MAX 32
+
+/** Default number of USB 2.0 ports.
+ *
+ * @note AppleUSBXHCI does not handle more than 15 ports. At least OS X
+ * 10.8.2 crashes if we report more than 15 ports! Hence the default
+ * is 8 USB2 + 6 USB3 ports for a total of 14 so that OS X is happy.
+ */
+#define XHCI_NDP_20_DEFAULT 8
+
+/** Default number of USB 3.0 ports. */
+#define XHCI_NDP_30_DEFAULT 6
+
+/** Number of interrupters. */
+#define XHCI_NINTR 8
+
+/** Mask for interrupter indexing. */
+#define XHCI_INTR_MASK (XHCI_NINTR - 1)
+
+/* The following is only true if XHCI_NINTR is a (non-zero) power of two. */
+AssertCompile((XHCI_NINTR & XHCI_INTR_MASK) == 0);
+
+/** Number of Device Slots. Determines the number of doorbell
+ * registers and device slots, among other things. */
+#define XHCI_NDS 32
+
+/* Enforce xHCI architectural limits on HCSPARAMS1. */
+AssertCompile(XHCI_NDP_MAX < 255 && XHCI_NINTR < 1024 && XHCI_NDS < 255);
+AssertCompile(XHCI_NDP_20_DEFAULT + XHCI_NDP_30_DEFAULT <= XHCI_NDP_MAX);
+AssertCompile(XHCI_NDP_MAX <= XHCI_NDS);
+
+/* Structural Parameters #2 (HCSPARAMS2) values. */
+
+/** Isochronous Scheduling Threshold. */
+#define XHCI_IST (RT_BIT(3) | 1) /* One frame. */
+
+/** Max number of Event Ring Segment Table entries as a power of two. */
+#define XHCI_ERSTMAX_LOG2 5
+/** Max number of Event Ring Segment Table entries. */
+#define XHCI_ERSTMAX RT_BIT(XHCI_ERSTMAX_LOG2)
+
+/* Enforce xHCI architectural limits on HCSPARAMS2. */
+AssertCompile(XHCI_ERSTMAX_LOG2 < 16);
+
+
+/** Size of the xHCI memory-mapped I/O region. */
+#define XHCI_MMIO_SIZE _64K
+
+/** Size of the capability part of the MMIO region. */
+#define XHCI_CAPS_REG_SIZE 0x80
+
+/** Offset of the port registers in operational register space. */
+#define XHCI_PORT_REG_OFFSET 0x400
+
+/** Offset of xHCI extended capabilities in MMIO region. */
+#define XHCI_XECP_OFFSET 0x1000
+
+/** Offset of the run-time registers in MMIO region. */
+#define XHCI_RTREG_OFFSET 0x2000
+
+/** Offset of the doorbell registers in MMIO region. */
+#define XHCI_DOORBELL_OFFSET 0x3000
+
+/** Size of the extended capability area. */
+#define XHCI_EXT_CAP_SIZE 1024
+
+/* Make sure we can identify MMIO register accesses properly. */
+AssertCompile(XHCI_DOORBELL_OFFSET > XHCI_RTREG_OFFSET);
+AssertCompile(XHCI_XECP_OFFSET > XHCI_PORT_REG_OFFSET + XHCI_CAPS_REG_SIZE);
+AssertCompile(XHCI_RTREG_OFFSET > XHCI_XECP_OFFSET + XHCI_EXT_CAP_SIZE);
+
+
+/** Maximum size of a single extended capability. */
+#define MAX_XCAP_SIZE 256
+
+/** @name xHCI Extended capability types.
+ * @{ */
+#define XHCI_XCP_USB_LEGACY 1 /**< USB legacy support. */
+#define XHCI_XCP_PROTOCOL 2 /**< Protocols supported by ports. */
+#define XHCI_XCP_EXT_PM 3 /**< Extended power management (non-PCI). */
+#define XHCI_XCP_IOVIRT 4 /**< Hardware xHCI virtualization support. */
+#define XHCI_XCP_MSI 5 /**< Message interrupts (non-PCI). */
+#define XHCI_XCP_LOCAL_MEM 6 /**< Local memory (for debug support). */
+#define XHCI_XCP_USB_DEBUG 10 /**< USB debug capability. */
+#define XHCI_XCP_EXT_MSI 17 /**< MSI-X (non-PCI). */
+/** @} */
+
+
+/* xHCI Register Bits. */
+
+
+/** @name Capability Parameters (HCCPARAMS) bits
+ * @{ */
+#define XHCI_HCC_AC64 RT_BIT(0) /**< RO */
+#define XHCI_HCC_BNC RT_BIT(1) /**< RO */
+#define XHCI_HCC_CSZ RT_BIT(2) /**< RO */
+#define XHCI_HCC_PPC RT_BIT(3) /**< RO */
+#define XHCI_HCC_PIND RT_BIT(4) /**< RO */
+#define XHCI_HCC_LHRC RT_BIT(5) /**< RO */
+#define XHCI_HCC_LTC RT_BIT(6) /**< RO */
+#define XHCI_HCC_NSS RT_BIT(7) /**< RO */
+#define XHCI_HCC_MAXPSA_MASK (RT_BIT(12)|RT_BIT(13)|RT_BIT(14)| RT_BIT(15)) /**< RO */
+#define XHCI_HCC_MAXPSA_SHIFT 12
+#define XHCI_HCC_XECP_MASK 0xFFFF0000 /**< RO */
+#define XHCI_HCC_XECP_SHIFT 16
+/** @} */
+
+
+/** @name Command Register (USBCMD) bits
+ * @{ */
+#define XHCI_CMD_RS RT_BIT(0) /**< RW - Run/Stop */
+#define XHCI_CMD_HCRST RT_BIT(1) /**< RW - Host Controller Reset */
+#define XHCI_CMD_INTE RT_BIT(2) /**< RW - Interrupter Enable */
+#define XHCI_CMD_HSEE RT_BIT(3) /**< RW - Host System Error Enable */
+#define XHCI_CMD_LCRST RT_BIT(7) /**< RW - Light HC Reset */
+#define XHCI_CMD_CSS RT_BIT(8) /**< RW - Controller Save State */
+#define XHCI_CMD_CRS RT_BIT(9) /**< RW - Controller Restore State */
+#define XHCI_CMD_EWE RT_BIT(10) /**< RW - Enable Wrap Event */
+#define XHCI_CMD_EU3S RT_BIT(11) /**< RW - Enable U3 MFINDEX Stop */
+
+#define XHCI_CMD_MASK ( XHCI_CMD_RS | XHCI_CMD_HCRST | XHCI_CMD_INTE | XHCI_CMD_HSEE | XHCI_CMD_LCRST \
+ | XHCI_CMD_CSS | XHCI_CMD_CRS | XHCI_CMD_EWE | XHCI_CMD_EU3S)
+/** @} */
+
+
+/** @name Status Register (USBSTS) bits
+ * @{ */
+#define XHCI_STATUS_HCH RT_BIT(0) /**< RO - HC Halted */
+#define XHCI_STATUS_HSE RT_BIT(2) /**< RW1C - Host System Error */
+#define XHCI_STATUS_EINT RT_BIT(3) /**< RW1C - Event Interrupt */
+#define XHCI_STATUS_PCD RT_BIT(4) /**< RW1C - Port Change Detect */
+#define XHCI_STATUS_SSS RT_BIT(8) /**< RO - Save State Status */
+#define XHCI_STATUS_RSS RT_BIT(9) /**< RO - Resture State Status */
+#define XHCI_STATUS_SRE RT_BIT(10) /**< RW1C - Save/Restore Error */
+#define XHCI_STATUS_CNR RT_BIT(11) /**< RO - Controller Not Ready */
+#define XHCI_STATUS_HCE RT_BIT(12) /**< RO - Host Controller Error */
+
+#define XHCI_STATUS_WRMASK (XHCI_STATUS_HSE | XHCI_STATUS_EINT | XHCI_STATUS_PCD | XHCI_STATUS_SRE)
+/** @} */
+
+
+/** @name Default xHCI speed definitions (7.2.2.1.1)
+ * @{ */
+#define XHCI_SPD_FULL 1
+#define XHCI_SPD_LOW 2
+#define XHCI_SPD_HIGH 3
+#define XHCI_SPD_SUPER 4
+/** @} */
+
+/** @name Port Status and Control Register bits (PORTSCUSB2/PORTSCUSB3)
+ * @{ */
+#define XHCI_PORT_CCS RT_BIT(0) /**< ROS - Current Connection Status */
+#define XHCI_PORT_PED RT_BIT(1) /**< RW1S - Port Enabled/Disabled */
+#define XHCI_PORT_OCA RT_BIT(3) /**< RO - Over-current Active */
+#define XHCI_PORT_PR RT_BIT(4) /**< RW1S - Port Reset */
+#define XHCI_PORT_PLS_MASK (RT_BIT(5) | RT_BIT(6) | RT_BIT(7) | RT_BIT(8)) /**< RWS */
+#define XHCI_PORT_PLS_SHIFT 5
+#define XHCI_PORT_PP RT_BIT(9) /**< RWS - Port Power */
+#define XHCI_PORT_SPD_MASK (RT_BIT(10) | RT_BIT(11) | RT_BIT(12) | RT_BIT(13)) /**< ROS */
+#define XHCI_PORT_SPD_SHIFT 10
+#define XHCI_PORT_LWS RT_BIT(16) /**< RW - Link State Write Strobe */
+#define XHCI_PORT_CSC RT_BIT(17) /**< RW1CS - Connect Status Change */
+#define XHCI_PORT_PEC RT_BIT(18) /**< RW1CS - Port Enabled/Disabled Change */
+#define XHCI_PORT_WRC RT_BIT(19) /**< RW1CS - Warm Port Reset Change */
+#define XHCI_PORT_OCC RT_BIT(20) /**< RW1CS - Over-current Change */
+#define XHCI_PORT_PRC RT_BIT(21) /**< RW1CS - Port Reset Change */
+#define XHCI_PORT_PLC RT_BIT(22) /**< RW1CS - Port Link State Change */
+#define XHCI_PORT_CEC RT_BIT(23) /**< RW1CS - Port Config Error Change */
+#define XHCI_PORT_CAS RT_BIT(24) /**< RO - Cold Attach Status */
+#define XHCI_PORT_WCE RT_BIT(25) /**< RWS - Wake on Connect Enable */
+#define XHCI_PORT_WDE RT_BIT(26) /**< RWS - Wake on Disconnect Enable */
+#define XHCI_PORT_WOE RT_BIT(27) /**< RWS - Wake on Over-current Enable */
+#define XHCI_PORT_DR RT_BIT(30) /**< RO - Device (Not) Removable */
+#define XHCI_PORT_WPR RT_BIT(31) /**< RW1S - Warm Port Reset */
+
+#define XHCI_PORT_RESERVED (RT_BIT(2) | RT_BIT(14) | RT_BIT(15) | RT_BIT(28) | RT_BIT(29))
+
+#define XHCI_PORT_WAKE_MASK (XHCI_PORT_WCE|XHCI_PORT_WDE|XHCI_PORT_WOE)
+#define XHCI_PORT_CHANGE_MASK (XHCI_PORT_CSC|XHCI_PORT_PEC|XHCI_PORT_WRC|XHCI_PORT_OCC|XHCI_PORT_PRC|XHCI_PORT_PLC|XHCI_PORT_CEC)
+#define XHCI_PORT_CTL_RW_MASK (XHCI_PORT_PP|XHCI_PORT_LWS)
+#define XHCI_PORT_CTL_W1_MASK (XHCI_PORT_PED|XHCI_PORT_PR|XHCI_PORT_WPR)
+#define XHCI_PORT_RO_MASK (XHCI_PORT_CCS|XHCI_PORT_OCA|XHCI_PORT_SPD_MASK|XHCI_PORT_CAS|XHCI_PORT_DR)
+/** @} */
+
+/** @name Port Link State values
+ * @{ */
+#define XHCI_PLS_U0 0 /**< U0 State. */
+#define XHCI_PLS_U1 1 /**< U1 State. */
+#define XHCI_PLS_U2 2 /**< U2 State. */
+#define XHCI_PLS_U3 3 /**< U3 State (Suspended). */
+#define XHCI_PLS_DISABLED 4 /**< Disabled. */
+#define XHCI_PLS_RXDETECT 5 /**< RxDetect. */
+#define XHCI_PLS_INACTIVE 6 /**< Inactive. */
+#define XHCI_PLS_POLLING 7 /**< Polling. */
+#define XHCI_PLS_RECOVERY 8 /**< Recovery. */
+#define XHCI_PLS_HOTRST 9 /**< Hot Reset. */
+#define XHCI_PLS_CMPLMODE 10 /**< Compliance Mode. */
+#define XHCI_PLS_TSTMODE 11 /**< Test Mode. */
+/* Values 12-14 are reserved. */
+#define XHCI_PLS_RESUME 15 /**< Resume. */
+/** @} */
+
+
+/** @name Command Ring Control Register (CRCR) bits
+ * @{ */
+#define XHCI_CRCR_RCS RT_BIT(0) /**< RW - Ring Cycle State */
+#define XHCI_CRCR_CS RT_BIT(1) /**< RW1S - Command Stop */
+#define XHCI_CRCR_CA RT_BIT(2) /**< RW1S - Command Abort */
+#define XHCI_CRCR_CRR RT_BIT(3) /**< RO - Command Ring Running */
+
+#define XHCI_CRCR_RD_MASK UINT64_C(0xFFFFFFFFFFFFFFF8) /* Mask off bits always read as zero. */
+#define XHCI_CRCR_ADDR_MASK UINT64_C(0xFFFFFFFFFFFFFFC0)
+#define XHCI_CRCR_UPD_MASK (XHCI_CRCR_ADDR_MASK | XHCI_CRCR_RCS)
+/** @} */
+
+
+/** @name Interrupter Management Register (IMAN) bits
+ * @{ */
+#define XHCI_IMAN_IP RT_BIT(0) /**< RW1C - Interrupt Pending */
+#define XHCI_IMAN_IE RT_BIT(1) /**< RW - Interrupt Enable */
+
+#define XHCI_IMAN_VALID_MASK (XHCI_IMAN_IP | XHCI_IMAN_IE)
+/** @} */
+
+
+/** @name Interrupter Moderation Register (IMOD) bits
+ * @{ */
+#define XHCI_IMOD_IMODC_MASK 0xFFFF0000 /**< RW */
+#define XHCI_IMOD_IMODC_SHIFT 16
+#define XHCI_IMOD_IMODI_MASK 0x0000FFFF /**< RW */
+/** @} */
+
+
+/** @name Event Ring Segment Table Size Register (ERSTSZ) bits
+ * @{ */
+#define XHCI_ERSTSZ_MASK 0x0000FFFF /**< RW */
+/** @} */
+
+/** @name Event Ring Segment Table Base Address Register (ERSTBA) bits
+ * @{ */
+#define XHCI_ERST_ADDR_MASK UINT64_C(0xFFFFFFFFFFFFFFC0)
+/** @} */
+
+/** For reasons that are not obvious, NEC/Renesas xHCs only require 16-bit
+ * alignment for the ERST base. This is not in line with the xHCI spec
+ * (which requires 64-bit alignment) but is clearly documented by NEC.
+ */
+#define NEC_ERST_ADDR_MASK UINT64_C(0xFFFFFFFFFFFFFFF0)
+
+/** Firmware revision reported in NEC/Renesas mode. Value chosen based on
+ * OS X driver check (OS X supports these chips since they're commonly
+ * found in ExpressCards).
+ */
+#define NEC_FW_REV 0x3028
+
+/** @name Event Ring Deqeue Pointer Register (ERDP) bits
+ * @{ */
+#define XHCI_ERDP_DESI_MASK 0x00000007 /**< RW - Dequeue ERST Segment Index */
+#define XHCI_ERDP_EHB RT_BIT(3) /**< RW1C - Event Handler Busy */
+#define XHCI_ERDP_ADDR_MASK UINT64_C(0xFFFFFFFFFFFFFFF0) /**< RW - ERDP address mask */
+/** @} */
+
+/** @name Device Context Base Address Array (DCBAA) definitions
+ * @{ */
+#define XHCI_DCBAA_ADDR_MASK UINT64_C(0xFFFFFFFFFFFFFFC0) /**< Applies to DCBAAP and its entries. */
+/** @} */
+
+/** @name Doorbell Register bits
+ * @{ */
+#define XHCI_DB_TGT_MASK 0x000000FF /**< DB Target mask. */
+#define XHCI_DB_STRMID_SHIFT 16 /**< DB Stream ID shift. */
+#define XHCI_DB_STRMID_MASK 0xFFFF0000 /**< DB Stream ID mask. */
+/** @} */
+
+/** Address mask for device/endpoint/input contexts. */
+#define XHCI_CTX_ADDR_MASK UINT64_C(0xFFFFFFFFFFFFFFF0)
+
+/** @name TRB Completion Codes
+ * @{ */
+#define XHCI_TCC_INVALID 0 /**< CC field not updated. */
+#define XHCI_TCC_SUCCESS 1 /**< Successful TRB completion. */
+#define XHCI_TCC_DATA_BUF_ERR 2 /**< Overrun/underrun. */
+#define XHCI_TCC_BABBLE 3 /**< Babble detected. */
+#define XHCI_TCC_USB_XACT_ERR 4 /**< USB transaction error. */
+#define XHCI_TCC_TRB_ERR 5 /**< TRB error detected. */
+#define XHCI_TCC_STALL 6 /**< USB Stall detected. */
+#define XHCI_TCC_RSRC_ERR 7 /**< Inadequate xHC resources. */
+#define XHCI_TCC_BWIDTH_ERR 8 /**< Unable to allocate bandwidth. */
+#define XHCI_TCC_NO_SLOTS 9 /**< MaxSlots (NDS) exceeded. */
+#define XHCI_TCC_INV_STRM_TYP 10 /**< Invalid stream context type. */
+#define XHCI_TCC_SLOT_NOT_ENB 11 /**< Slot not enabled. */
+#define XHCI_TCC_EP_NOT_ENB 12 /**< Endpoint not enabled. */
+#define XHCI_TCC_SHORT_PKT 13 /**< Short packet detected. */
+#define XHCI_TCC_RING_UNDERRUN 14 /**< Transfer ring underrun. */
+#define XHCI_TCC_RING_OVERRUN 15 /**< Transfer ring overrun. */
+#define XHCI_TCC_VF_RING_FULL 16 /**< VF event ring full. */
+#define XHCI_TCC_PARM_ERR 17 /**< Invalid context parameter. */
+#define XHCI_TCC_BWIDTH_OVER 18 /**< Isoc bandwidth overrun. */
+#define XHCI_TCC_CTX_STATE_ERR 19 /**< Transition from illegal context state. */
+#define XHCI_TCC_NO_PING 20 /**< No ping response in time. */
+#define XHCI_TCC_EVT_RING_FULL 21 /**< Event Ring full. */
+#define XHCI_TCC_DEVICE_COMPAT 22 /**< Incompatible device detected. */
+#define XHCI_TCC_MISS_SVC 23 /**< Missed isoc service. */
+#define XHCI_TCC_CMDR_STOPPED 24 /**< Command ring stopped. */
+#define XHCI_TCC_CMD_ABORTED 25 /**< Command aborted. */
+#define XHCI_TCC_STOPPED 26 /**< Endpoint stopped. */
+#define XHCI_TCC_STP_INV_LEN 27 /**< EP stopped, invalid transfer length. */
+ /* 28 Reserved. */
+#define XHCI_TCC_MAX_EXIT_LAT 29 /**< Max exit latency too large. */
+ /* 30 Reserved. */
+#define XHCI_TCC_ISOC_OVERRUN 31 /**< Isochronous buffer overrun. */
+#define XHCI_TCC_EVT_LOST 32 /**< Event lost due to overrun. */
+#define XHCI_TCC_ERR_OTHER 33 /**< Implementation specific error. */
+#define XHCI_TCC_INV_STRM_ID 34 /**< Invalid stream ID. */
+#define XHCI_TCC_SEC_BWIDTH_ERR 35 /**< Secondary bandwidth error. */
+#define XHCI_TCC_SPLIT_ERR 36 /**< Split transaction error. */
+/** @} */
+
+#if defined(IN_RING3) && defined(LOG_ENABLED)
+/** Human-readable completion code descriptions for debugging. */
+static const char * const g_apszCmplCodes[] = {
+ "CC field not updated", "Successful TRB completion", "Overrun/underrun", "Babble detected", /* 0-3 */
+ "USB transaction error", "TRB error detected", "USB Stall detected", "Inadequate xHC resources", /* 4-7 */
+ "Unable to allocate bandwidth", "MaxSlots (NDS) exceeded", "Invalid stream context type", "Slot not enabled", /* 8-11 */
+ "Endpoint not enabled", "Short packet detected", "Transfer ring underrun", "Transfer ring overrun", /* 12-15 */
+ "VF event ring full", "Invalid context param", "Isoc bandwidth overrun", "Transition from illegal ctx state", /* 16-19 */
+ "No ping response in time", "Event Ring full", "Incompatible device detected", "Missed isoc service", /* 20-23 */
+ "Command ring stopped", "Command aborted", "Endpoint stopped", "EP stopped, invalid transfer length", /* 24-27 */
+ "Reserved", "Max exit latency too large", "Reserved", "Isochronous buffer overrun", /* 28-31 */
+ "Event lost due to overrun", "Implementation specific error", "Invalid stream ID", "Secondary bandwidth error", /* 32-35 */
+ "Split transaction error" /* 36 */
+};
+#endif
+
+
+/* TRBs marked as 'TRB' are only valid in the transfer ring. TRBs marked
+ * as 'Command' are only valid in the command ring. TRBs marked as 'Event'
+ * are the only ones generated in the event ring. The Link TRB is valid
+ * in both the transfer and command rings.
+ */
+
+/** @name TRB Types
+ * @{ */
+#define XHCI_TRB_INVALID 0 /**< Reserved/unused TRB type. */
+#define XHCI_TRB_NORMAL 1 /**< Normal TRB. */
+#define XHCI_TRB_SETUP_STG 2 /**< Setup Stage TRB. */
+#define XHCI_TRB_DATA_STG 3 /**< Data Stage TRB. */
+#define XHCI_TRB_STATUS_STG 4 /**< Status Stage TRB. */
+#define XHCI_TRB_ISOCH 5 /**< Isochronous TRB. */
+#define XHCI_TRB_LINK 6 /**< Link. */
+#define XHCI_TRB_EVT_DATA 7 /**< Event Data TRB. */
+#define XHCI_TRB_NOOP_XFER 8 /**< No-op transfer TRB. */
+#define XHCI_TRB_ENB_SLOT 9 /**< Enable Slot Command. */
+#define XHCI_TRB_DIS_SLOT 10 /**< Disable Slot Command. */
+#define XHCI_TRB_ADDR_DEV 11 /**< Address Device Command. */
+#define XHCI_TRB_CFG_EP 12 /**< Configure Endpoint Command. */
+#define XHCI_TRB_EVAL_CTX 13 /**< Evaluate Context Command. */
+#define XHCI_TRB_RESET_EP 14 /**< Reset Endpoint Command. */
+#define XHCI_TRB_STOP_EP 15 /**< Stop Endpoint Command. */
+#define XHCI_TRB_SET_DEQ_PTR 16 /**< Set TR Dequeue Pointer Command. */
+#define XHCI_TRB_RESET_DEV 17 /**< Reset Device Command. */
+#define XHCI_TRB_FORCE_EVT 18 /**< Force Event Command. */
+#define XHCI_TRB_NEG_BWIDTH 19 /**< Negotiate Bandwidth Command. */
+#define XHCI_TRB_SET_LTV 20 /**< Set Latency Tolerate Value Command. */
+#define XHCI_TRB_GET_PORT_BW 21 /**< Get Port Bandwidth Command. */
+#define XHCI_TRB_FORCE_HDR 22 /**< Force Header Command. */
+#define XHCI_TRB_NOOP_CMD 23 /**< No-op Command. */
+ /* 24-31 Reserved. */
+#define XHCI_TRB_XFER 32 /**< Transfer Event. */
+#define XHCI_TRB_CMD_CMPL 33 /**< Command Completion Event. */
+#define XHCI_TRB_PORT_SC 34 /**< Port Status Change Event. */
+#define XHCI_TRB_BW_REQ 35 /**< Bandwidth Request Event. */
+#define XHCI_TRB_DBELL 36 /**< Doorbell Event. */
+#define XHCI_TRB_HC_EVT 37 /**< Host Controller Event. */
+#define XHCI_TRB_DEV_NOTIFY 38 /**< Device Notification Event. */
+#define XHCI_TRB_MFIDX_WRAP 39 /**< MFINDEX Wrap Event. */
+ /* 40-47 Reserved. */
+#define NEC_TRB_CMD_CMPL 48 /**< Command Completion Event, NEC specific. */
+#define NEC_TRB_GET_FW_VER 49 /**< Get Firmware Version Command, NEC specific. */
+#define NEC_TRB_AUTHENTICATE 50 /**< Authenticate Command, NEC specific. */
+/** @} */
+
+#if defined(IN_RING3) && defined(LOG_ENABLED)
+/** Human-readable TRB names for debugging. */
+static const char * const g_apszTrbNames[] = {
+ "Reserved/unused TRB!!", "Normal TRB", "Setup Stage TRB", "Data Stage TRB", /* 0-3 */
+ "Status Stage TRB", "Isochronous TRB", "Link", "Event Data TRB", /* 4-7 */
+ "No-op transfer TRB", "Enable Slot", "Disable Slot", "Address Device", /* 8-11 */
+ "Configure Endpoint", "Evaluate Context", "Reset Endpoint", "Stop Endpoint", /* 12-15 */
+ "Set TR Dequeue Pointer", "Reset Device", "Force Event", "Negotiate Bandwidth", /* 16-19 */
+ "Set Latency Tolerate Value", "Get Port Bandwidth", "Force Header", "No-op", /* 20-23 */
+ "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", /* 24-31 */
+ "Transfer", "Command Completion", "Port Status Change", "BW Request", /* 32-35 */
+ "Doorbell", "Host Controller", "Device Notification", "MFINDEX Wrap", /* 36-39 */
+ "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", "UNDEF", /* 40-47 */
+ "NEC FW Version Completion", "NEC Get FW Version", "NEC Authenticate" /* 48-50 */
+};
+#endif
+
+/** Generic TRB template. */
+typedef struct sXHCI_TRB_G {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_G;
+AssertCompile(sizeof(XHCI_TRB_G) == 0x10);
+
+/** Generic transfer TRB template. */
+typedef struct sXHCI_TRB_GX {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t xfr_len : 17; /**< Transfer length. */
+ uint32_t resvd2 : 5;
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t ent : 1; /**< Evaluate Next TRB. */
+ uint32_t isp : 1; /**< Interrupt on Short Packet. */
+ uint32_t ns : 1; /**< No Snoop. */
+ uint32_t ch : 1; /**< Chain bit. */
+ uint32_t ioc : 1; /**< Interrupt On Completion. */
+ uint32_t idt : 1; /**< Immediate Data. */
+ uint32_t resvd3 : 3;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_GX;
+AssertCompile(sizeof(XHCI_TRB_GX) == 0x10);
+
+
+/* -= Transfer TRB types =- */
+
+
+/** Normal Transfer TRB. */
+typedef struct sXHCI_TRB_NORM {
+ uint64_t data_ptr; /**< Pointer or data. */
+ uint32_t xfr_len : 17; /**< Transfer length. */
+ uint32_t td_size : 5; /**< Remaining packets. */
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t ent : 1; /**< Evaluate Next TRB. */
+ uint32_t isp : 1; /**< Interrupt on Short Packet. */
+ uint32_t ns : 1; /**< No Snoop. */
+ uint32_t ch : 1; /**< Chain bit. */
+ uint32_t ioc : 1; /**< Interrupt On Completion. */
+ uint32_t idt : 1; /**< Immediate Data. */
+ uint32_t resvd0 : 2;
+ uint32_t bei : 1; /**< Block Event Interrupt. */
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd1 : 16;
+} XHCI_TRB_NORM;
+AssertCompile(sizeof(XHCI_TRB_NORM) == 0x10);
+
+/** Control Transfer - Setup Stage TRB. */
+typedef struct sXHCI_TRB_CTSP {
+ uint8_t bmRequestType; /**< See the USB spec. */
+ uint8_t bRequest;
+ uint16_t wValue;
+ uint16_t wIndex;
+ uint16_t wLength;
+ uint32_t xfr_len : 17; /**< Transfer length (8). */
+ uint32_t resvd0 : 5;
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 4;
+ uint32_t ioc : 1; /**< Interrupt On Completion. */
+ uint32_t idt : 1; /**< Immediate Data. */
+ uint32_t resvd2 : 2;
+ uint32_t bei : 1; /**< Block Event Interrupt. */
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t trt : 2; /**< Transfer Type. */
+ uint32_t resvd3 : 14;
+} XHCI_TRB_CTSP;
+AssertCompile(sizeof(XHCI_TRB_CTSP) == 0x10);
+
+/** Control Transfer - Data Stage TRB. */
+typedef struct sXHCI_TRB_CTDT {
+ uint64_t data_ptr; /**< Pointer or data. */
+ uint32_t xfr_len : 17; /**< Transfer length. */
+ uint32_t td_size : 5; /**< Remaining packets. */
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t ent : 1; /**< Evaluate Next TRB. */
+ uint32_t isp : 1; /**< Interrupt on Short Packet. */
+ uint32_t ns : 1; /**< No Snoop. */
+ uint32_t ch : 1; /**< Chain bit. */
+ uint32_t ioc : 1; /**< Interrupt On Completion. */
+ uint32_t idt : 1; /**< Immediate Data. */
+ uint32_t resvd0 : 3;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t dir : 1; /**< Direction (1=IN). */
+ uint32_t resvd1 : 15;
+} XHCI_TRB_CTDT;
+AssertCompile(sizeof(XHCI_TRB_CTDT) == 0x10);
+
+/** Control Transfer - Status Stage TRB. */
+typedef struct sXHCI_TRB_CTSS {
+ uint64_t resvd0;
+ uint32_t resvd1 : 22;
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t ent : 1; /**< Evaluate Next TRB. */
+ uint32_t resvd2 : 2;
+ uint32_t ch : 1; /**< Chain bit. */
+ uint32_t ioc : 1; /**< Interrupt On Completion. */
+ uint32_t resvd3 : 4;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t dir : 1; /**< Direction (1=IN). */
+ uint32_t resvd4 : 15;
+} XHCI_TRB_CTSS;
+AssertCompile(sizeof(XHCI_TRB_CTSS) == 0x10);
+
+/** Isochronous Transfer TRB. */
+typedef struct sXHCI_TRB_ISOC {
+ uint64_t data_ptr; /**< Pointer or data. */
+ uint32_t xfr_len : 17; /**< Transfer length. */
+ uint32_t td_size : 5; /**< Remaining packets. */
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t ent : 1; /**< Evaluate Next TRB. */
+ uint32_t isp : 1; /**< Interrupt on Short Packet. */
+ uint32_t ns : 1; /**< No Snoop. */
+ uint32_t ch : 1; /**< Chain bit. */
+ uint32_t ioc : 1; /**< Interrupt On Completion. */
+ uint32_t idt : 1; /**< Immediate Data. */
+ uint32_t tbc : 2; /**< Transfer Burst Count. */
+ uint32_t bei : 1; /**< Block Event Interrupt. */
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t tlbpc : 4; /**< Transfer Last Burst Packet Count. */
+ uint32_t frm_id : 11; /**< Frame ID. */
+ uint32_t sia : 1; /**< Start Isoch ASAP. */
+} XHCI_TRB_ISOC;
+AssertCompile(sizeof(XHCI_TRB_ISOC) == 0x10);
+
+/* Number of bits in the frame ID. */
+#define XHCI_FRAME_ID_BITS 11
+
+/** No Op Transfer TRB. */
+typedef struct sXHCI_TRB_NOPT {
+ uint64_t resvd0;
+ uint32_t resvd1 : 22;
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t ent : 1; /**< Evaluate Next TRB. */
+ uint32_t resvd2 : 2;
+ uint32_t ch : 1; /**< Chain bit. */
+ uint32_t ioc : 1; /**< Interrupt On Completion. */
+ uint32_t resvd3 : 4;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_NOPT;
+AssertCompile(sizeof(XHCI_TRB_NOPT) == 0x10);
+
+
+/* -= Event TRB types =- */
+
+
+/** Transfer Event TRB. */
+typedef struct sXHCI_TRB_TE {
+ uint64_t trb_ptr; /**< TRB pointer. */
+ uint32_t xfr_len : 24; /**< Transfer length. */
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd0 : 1;
+ uint32_t ed : 1; /**< Event Data flag. */
+ uint32_t resvd1 : 7;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t ep_id : 5; /**< Endpoint ID. */
+ uint32_t resvd2 : 3;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_TE;
+AssertCompile(sizeof(XHCI_TRB_TE) == 0x10);
+
+/** Command Completion Event TRB. */
+typedef struct sXHCI_TRB_CCE {
+ uint64_t trb_ptr; /**< Command TRB pointer. */
+ uint32_t resvd0 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t vf_id : 8; /**< Virtual Function ID. */
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_CCE;
+AssertCompile(sizeof(XHCI_TRB_CCE) == 0x10);
+
+/** Port Staus Change Event TRB. */
+typedef struct sXHCI_TRB_PSCE {
+ uint32_t resvd0 : 24;
+ uint32_t port_id : 8; /**< Port ID. */
+ uint32_t resvd1;
+ uint32_t resvd2 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_PSCE;
+AssertCompile(sizeof(XHCI_TRB_PSCE) == 0x10);
+
+/** Bandwidth Request Event TRB. */
+typedef struct sXHCI_TRB_BRE {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_BRE;
+AssertCompile(sizeof(XHCI_TRB_BRE) == 0x10);
+
+/** Doorbell Event TRB. */
+typedef struct sXHCI_TRB_DBE {
+ uint32_t reason : 5; /**< DB Reason/target. */
+ uint32_t resvd0 : 27;
+ uint32_t resvd1;
+ uint32_t resvd2 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t vf_id : 8; /**< Virtual Function ID. */
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_DBE;
+AssertCompile(sizeof(XHCI_TRB_DBE) == 0x10);
+
+/** Host Controller Event TRB. */
+typedef struct sXHCI_TRB_HCE {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_HCE;
+AssertCompile(sizeof(XHCI_TRB_HCE) == 0x10);
+
+/** Device Notification Event TRB. */
+typedef struct sXHCI_TRB_DNE {
+ uint32_t resvd0 : 4;
+ uint32_t dn_type : 4; /**< Device Notification Type. */
+ uint32_t dnd_lo : 5; /**< Device Notification Data Lo. */
+ uint32_t dnd_hi; /**< Device Notification Data Hi. */
+ uint32_t resvd1 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd2 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd3 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_DNE;
+AssertCompile(sizeof(XHCI_TRB_DNE) == 0x10);
+
+/** MFINDEX Wrap Event TRB. */
+typedef struct sXHCI_TRB_MWE {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2 : 24;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_MWE;
+AssertCompile(sizeof(XHCI_TRB_MWE) == 0x10);
+
+/** NEC Specific Command Completion Event TRB. */
+typedef struct sXHCI_TRB_NCE {
+ uint64_t trb_ptr; /**< Command TRB pointer. */
+ uint32_t word1 : 16; /**< First result word. */
+ uint32_t resvd0 : 8;
+ uint32_t cc : 8; /**< Completion Code. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t word2 : 16; /**< Second result word. */
+} XHCI_TRB_NCE;
+AssertCompile(sizeof(XHCI_TRB_NCE) == 0x10);
+
+
+
+/* -= Command TRB types =- */
+
+
+/** No Op Command TRB. */
+typedef struct sXHCI_TRB_NOPC {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_NOPC;
+AssertCompile(sizeof(XHCI_TRB_NOPC) == 0x10);
+
+/** Enable Slot Command TRB. */
+typedef struct sXHCI_TRB_ESL {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 16;
+} XHCI_TRB_ESL;
+AssertCompile(sizeof(XHCI_TRB_ESL) == 0x10);
+
+/** Disable Slot Command TRB. */
+typedef struct sXHCI_TRB_DSL {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_DSL;
+AssertCompile(sizeof(XHCI_TRB_DSL) == 0x10);
+
+/** Address Device Command TRB. */
+typedef struct sXHCI_TRB_ADR {
+ uint64_t ctx_ptr; /**< Input Context pointer. */
+ uint32_t resvd0;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 8;
+ uint32_t bsr : 1; /**< Block Set Address Request. */
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd2 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_ADR;
+AssertCompile(sizeof(XHCI_TRB_ADR) == 0x10);
+
+/** Configure Endpoint Command TRB. */
+typedef struct sXHCI_TRB_CFG {
+ uint64_t ctx_ptr; /**< Input Context pointer. */
+ uint32_t resvd0;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 8;
+ uint32_t dc : 1; /**< Deconfigure. */
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd2 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_CFG;
+AssertCompile(sizeof(XHCI_TRB_CFG) == 0x10);
+
+/** Evaluate Context Command TRB. */
+typedef struct sXHCI_TRB_EVC {
+ uint64_t ctx_ptr; /**< Input Context pointer. */
+ uint32_t resvd0;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd2 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_EVC;
+AssertCompile(sizeof(XHCI_TRB_EVC) == 0x10);
+
+/** Reset Endpoint Command TRB. */
+typedef struct sXHCI_TRB_RSE {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 8;
+ uint32_t tsp : 1; /**< Transfer State Preserve. */
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t ep_id : 5; /**< Endpoint ID. */
+ uint32_t resvd4 : 3;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_RSE;
+AssertCompile(sizeof(XHCI_TRB_RSE) == 0x10);
+
+/** Stop Endpoint Command TRB. */
+typedef struct sXHCI_TRB_STP {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t ep_id : 5; /**< Endpoint ID. */
+ uint32_t resvd4 : 2;
+ uint32_t sp : 1; /**< Suspend. */
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_STP;
+AssertCompile(sizeof(XHCI_TRB_STP) == 0x10);
+
+/** Set TR Dequeue Pointer Command TRB. */
+typedef struct sXHCI_TRB_STDP {
+#if 0
+ uint64_t dcs : 1; /**< Dequeue Cycle State. */
+ uint64_t sct : 3; /**< Stream Context Type. */
+ uint64_t tr_dqp : 60; /**< New TR Dequeue Pointer (63:4). */
+#else
+ uint64_t tr_dqp;
+#endif
+ uint16_t resvd0;
+ uint16_t strm_id; /**< Stream ID. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t ep_id : 5; /**< Endpoint ID. */
+ uint32_t resvd2 : 3;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_STDP;
+AssertCompile(sizeof(XHCI_TRB_STDP) == 0x10);
+
+/** Reset Device Command TRB. */
+typedef struct sXHCI_TRB_RSD {
+ uint32_t resvd0;
+ uint32_t resvd1;
+ uint32_t resvd2;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd3 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd4 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_RSD;
+AssertCompile(sizeof(XHCI_TRB_RSD) == 0x10);
+
+/** Get Port Bandwidth Command TRB. */
+typedef struct sXHCI_TRB_GPBW {
+ uint64_t pbctx_ptr; /**< Port Bandwidth Context pointer. */
+ uint32_t resvd0;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t spd : 4; /**< Dev Speed. */
+ uint32_t resvd2 : 4;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_GPBW;
+AssertCompile(sizeof(XHCI_TRB_GPBW) == 0x10);
+
+/** Force Header Command TRB. */
+typedef struct sXHCI_TRB_FHD {
+ uint32_t pkt_typ : 5; /**< Packet Type. */
+ uint32_t hdr_lo : 27; /**< Header Info Lo. */
+ uint32_t hdr_mid; /**< Header Info Mid. */
+ uint32_t hdr_hi; /**< Header Info Hi. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd0 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd1 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_FHD;
+AssertCompile(sizeof(XHCI_TRB_FHD) == 0x10);
+
+/** NEC Specific Authenticate Command TRB. */
+typedef struct sXHCI_TRB_NAC {
+ uint64_t cookie; /**< Cookie to munge. */
+ uint32_t resvd0;
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t resvd1 : 9;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd2 : 8;
+ uint32_t slot_id : 8; /**< Slot ID. */
+} XHCI_TRB_NAC;
+AssertCompile(sizeof(XHCI_TRB_NAC) == 0x10);
+
+
+/* -= Other TRB types =- */
+
+
+/** Link TRB. */
+typedef struct sXHCI_TRB_LNK {
+ uint64_t rseg_ptr; /**< Ring Segment Pointer. */
+ uint32_t resvd0 : 22;
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t toggle : 1; /**< Toggle Cycle flag. */
+ uint32_t resvd1 : 2;
+ uint32_t chain : 1; /**< Chain flag. */
+ uint32_t ioc : 1; /**< Interrupt On Completion flag. */
+ uint32_t resvd2 : 4;
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd3 : 16;
+} XHCI_TRB_LNK;
+AssertCompile(sizeof(XHCI_TRB_LNK) == 0x10);
+
+/** Event Data TRB. */
+typedef struct sXHCI_TRB_EVTD {
+ uint64_t evt_data; /**< Event Data. */
+ uint32_t resvd0 : 22;
+ uint32_t int_tgt : 10; /**< Interrupter target. */
+ uint32_t cycle : 1; /**< Cycle bit. */
+ uint32_t ent : 1; /**< Evaluate Next Target flag. */
+ uint32_t resvd1 : 2;
+ uint32_t chain : 1; /**< Chain flag. */
+ uint32_t ioc : 1; /**< Interrupt On Completion flag. */
+ uint32_t resvd2 : 3;
+ uint32_t bei : 1; /**< Block Event Interrupt flag. */
+ uint32_t type : 6; /**< TRB Type. */
+ uint32_t resvd3 : 16;
+} XHCI_TRB_EVTD;
+AssertCompile(sizeof(XHCI_TRB_EVTD) == 0x10);
+
+
+/* -= Union TRB types for the three rings =- */
+
+
+typedef union sXHCI_XFER_TRB {
+ XHCI_TRB_NORM norm;
+ XHCI_TRB_CTSP setup;
+ XHCI_TRB_CTDT data;
+ XHCI_TRB_CTSS status;
+ XHCI_TRB_ISOC isoc;
+ XHCI_TRB_EVTD evtd;
+ XHCI_TRB_NOPT nop;
+ XHCI_TRB_LNK link;
+ XHCI_TRB_GX gen;
+} XHCI_XFER_TRB;
+AssertCompile(sizeof(XHCI_XFER_TRB) == 0x10);
+
+typedef union sXHCI_COMMAND_TRB {
+ XHCI_TRB_ESL esl;
+ XHCI_TRB_DSL dsl;
+ XHCI_TRB_ADR adr;
+ XHCI_TRB_CFG cfg;
+ XHCI_TRB_EVC evc;
+ XHCI_TRB_RSE rse;
+ XHCI_TRB_STP stp;
+ XHCI_TRB_STDP stdp;
+ XHCI_TRB_RSD rsd;
+ XHCI_TRB_GPBW gpbw;
+ XHCI_TRB_FHD fhd;
+ XHCI_TRB_NAC nac;
+ XHCI_TRB_NOPC nopc;
+ XHCI_TRB_LNK link;
+ XHCI_TRB_G gen;
+} XHCI_COMMAND_TRB;
+AssertCompile(sizeof(XHCI_COMMAND_TRB) == 0x10);
+
+typedef union sXHCI_EVENT_TRB {
+ XHCI_TRB_TE te;
+ XHCI_TRB_CCE cce;
+ XHCI_TRB_PSCE psce;
+ XHCI_TRB_BRE bre;
+ XHCI_TRB_DBE dbe;
+ XHCI_TRB_HCE hce;
+ XHCI_TRB_DNE dne;
+ XHCI_TRB_MWE mwe;
+ XHCI_TRB_NCE nce;
+ XHCI_TRB_G gen;
+} XHCI_EVENT_TRB;
+AssertCompile(sizeof(XHCI_EVENT_TRB) == 0x10);
+
+
+
+/* -=-=-= Contexts =-=-=- */
+
+/** Slot Context. */
+typedef struct sXHCI_SLOT_CTX {
+ uint32_t route_str : 20; /**< Route String. */
+ uint32_t speed : 4; /**< Device speed. */
+ uint32_t resvd0 : 1;
+ uint32_t mtt : 1; /**< Multi-TT flag. */
+ uint32_t hub : 1; /**< Hub flag. */
+ uint32_t ctx_ent : 5; /**< Context entries. */
+ uint32_t max_lat : 16; /**< Max exit latency in usec. */
+ uint32_t rh_port : 8; /**< Root hub port number (1-based). */
+ uint32_t n_ports : 8; /**< No. of ports for hubs. */
+ uint32_t tt_slot : 8; /**< TT hub slot ID. */
+ uint32_t tt_port : 8; /**< TT port number. */
+ uint32_t ttt : 2; /**< TT Think Time. */
+ uint32_t resvd1 : 4;
+ uint32_t intr_tgt : 10; /**< Interrupter Target. */
+ uint32_t dev_addr : 8; /**< Device Address. */
+ uint32_t resvd2 : 19;
+ uint32_t slot_state : 5; /**< Slot State. */
+ uint32_t opaque[4]; /**< For xHC (i.e. our own) use. */
+} XHCI_SLOT_CTX;
+AssertCompile(sizeof(XHCI_SLOT_CTX) == 0x20);
+
+/** @name Slot Context states
+ * @{ */
+#define XHCI_SLTST_ENDIS 0 /**< Enabled/Disabled. */
+#define XHCI_SLTST_DEFAULT 1 /**< Default. */
+#define XHCI_SLTST_ADDRESSED 2 /**< Addressed. */
+#define XHCI_SLTST_CONFIGURED 3 /**< Configured. */
+/** @} */
+
+#ifdef IN_RING3
+/** Human-readable slot state descriptions for debugging. */
+static const char * const g_apszSltStates[] = {
+ "Enabled/Disabled", "Default", "Addressed", "Configured" /* 0-3 */
+};
+#endif
+
+/** Endpoint Context. */
+typedef struct sXHCI_EP_CTX {
+ uint32_t ep_state : 3; /**< Endpoint state. */
+ uint32_t resvd0 : 5;
+ uint32_t mult : 2; /**< SS isoc burst count. */
+ uint32_t maxps : 5; /**< Max Primary Streams. */
+ uint32_t lsa : 1; /**< Linear Stream Array. */
+ uint32_t interval : 8; /**< USB request interval. */
+ uint32_t resvd1 : 8;
+ uint32_t resvd2 : 1;
+ uint32_t c_err : 2; /**< Error count. */
+ uint32_t ep_type : 3; /**< Endpoint type. */
+ uint32_t resvd3 : 1;
+ uint32_t hid : 1; /**< Host Initiate Disable. */
+ uint32_t max_brs_sz : 8; /**< Max Burst Size. */
+ uint32_t max_pkt_sz : 16; /**< Max Packet Size. */
+ uint64_t trdp; /**< TR Dequeue Pointer. */
+ uint32_t avg_trb_len : 16; /**< Average TRB Length. */
+ uint32_t max_esit : 16; /**< Max EP Service Interval Time Payload. */
+ /**< The rest for xHC (i.e. our own) use. */
+ uint32_t last_frm : 16; /**< Last isochronous frame used (opaque). */
+ uint32_t ifc : 8; /**< isoch in-flight TD count (opaque). */
+ uint32_t last_cc : 8; /**< Last TRB completion code (opaque). */
+ uint64_t trep; /**< TR Enqueue Pointer (opaque). */
+} XHCI_EP_CTX;
+AssertCompile(sizeof(XHCI_EP_CTX) == 0x20);
+
+/** @name Endpoint Context states
+ * @{ */
+#define XHCI_EPST_DISABLED 0 /**< Disabled. */
+#define XHCI_EPST_RUNNING 1 /**< Running. */
+#define XHCI_EPST_HALTED 2 /**< Halted. */
+#define XHCI_EPST_STOPPED 3 /**< Not running/stopped. */
+#define XHCI_EPST_ERROR 4 /**< Not running/error. */
+/** @} */
+
+/** @name Endpoint Type values
+ * @{ */
+#define XHCI_EPTYPE_INVALID 0 /**< Not valid. */
+#define XHCI_EPTYPE_ISOCH_OUT 1 /**< Isochronous Out. */
+#define XHCI_EPTYPE_BULK_OUT 2 /**< Bulk Out. */
+#define XHCI_EPTYPE_INTR_OUT 3 /**< Interrupt Out. */
+#define XHCI_EPTYPE_CONTROL 4 /**< Control Bidi. */
+#define XHCI_EPTYPE_ISOCH_IN 5 /**< Isochronous In. */
+#define XHCI_EPTYPE_BULK_IN 6 /**< Bulk In. */
+#define XHCI_EPTYPE_INTR_IN 7 /**< Interrupt In. */
+/** @} */
+
+/* Pick out transfer type from endpoint. */
+#define XHCI_EP_XTYPE(a) (a & 3)
+
+/* Endpoint transfer types. */
+#define XHCI_XFTYPE_CONTROL 0
+#define XHCI_XFTYPE_ISOCH XHCI_EPTYPE_ISOCH_OUT
+#define XHCI_XFTYPE_BULK XHCI_EPTYPE_BULK_OUT
+#define XHCI_XFTYPE_INTR XHCI_EPTYPE_INTR_OUT
+
+/* Transfer Ring Dequeue Pointer address mask. */
+#define XHCI_TRDP_ADDR_MASK UINT64_C(0xFFFFFFFFFFFFFFF0)
+#define XHCI_TRDP_DCS_MASK RT_BIT(0) /* Dequeue Cycle State bit. */
+
+
+#ifdef IN_RING3
+
+/* Human-readable endpoint state descriptions for debugging. */
+static const char * const g_apszEpStates[] = {
+ "Disabled", "Running", "Halted", "Stopped", "Error" /* 0-4 */
+};
+
+/* Human-readable endpoint type descriptions for debugging. */
+static const char * const g_apszEpTypes[] = {
+ "Not Valid", "Isoch Out", "Bulk Out", "Interrupt Out", /* 0-3 */
+ "Control", "Isoch In", "Bulk In", "Interrupt In" /* 4-7 */
+};
+
+#endif /* IN_RING3 */
+
+/* Input Control Context. */
+typedef struct sXHCI_INPC_CTX {
+ uint32_t drop_flags; /* Drop Context flags (2-31). */
+ uint32_t add_flags; /* Add Context flags (0-31). */
+ uint32_t resvd[6];
+} XHCI_INPC_CTX;
+AssertCompile(sizeof(XHCI_INPC_CTX) == 0x20);
+
+/* Make sure all contexts are the same size. */
+AssertCompile(sizeof(XHCI_EP_CTX) == sizeof(XHCI_SLOT_CTX));
+AssertCompile(sizeof(XHCI_EP_CTX) == sizeof(XHCI_INPC_CTX));
+
+/* -= Event Ring Segment Table =- */
+
+/** Event Ring Segment Table Entry. */
+typedef struct sXHCI_ERSTE {
+ uint64_t addr;
+ uint16_t size;
+ uint16_t resvd0;
+ uint32_t resvd1;
+} XHCI_ERSTE;
+AssertCompile(sizeof(XHCI_ERSTE) == 0x10);
+
+
+/* -=-= Internal data structures not defined by xHCI =-=- */
+
+
+/** Device slot entry -- either slot context or endpoint context. */
+typedef union sXHCI_DS_ENTRY {
+ XHCI_SLOT_CTX sc; /**< Slot context. */
+ XHCI_EP_CTX ep; /**< Endpoint context. */
+} XHCI_DS_ENTRY;
+
+/** Full device context (slot context + 31 endpoint contexts). */
+typedef struct sXHCI_DEV_CTX {
+ XHCI_DS_ENTRY entry[32];
+} XHCI_DEV_CTX;
+AssertCompile(sizeof(XHCI_DEV_CTX) == 32 * sizeof(XHCI_EP_CTX));
+AssertCompile(sizeof(XHCI_DEV_CTX) == 32 * sizeof(XHCI_SLOT_CTX));
+
+/** Pointer to the xHCI device state. */
+typedef struct XHCI *PXHCI;
+
+#ifndef VBOX_DEVICE_STRUCT_TESTCASE
+/**
+ * The xHCI controller data associated with each URB.
+ */
+typedef struct VUSBURBHCIINT
+{
+ /** The slot index. */
+ uint8_t uSlotID;
+ /** Number of Tds in the array. */
+ uint32_t cTRB;
+} VUSBURBHCIINT;
+#endif
+
+/**
+ * An xHCI root hub port, shared.
+ */
+typedef struct XHCIHUBPORT
+{
+ /** PORTSC: Port status/control register (R/W). */
+ uint32_t portsc;
+ /** PORTPM: Power management status/control register (R/W). */
+ uint32_t portpm;
+ /** PORTLI: USB3 port link information (R/O). */
+ uint32_t portli;
+} XHCIHUBPORT;
+/** Pointer to a shared xHCI root hub port. */
+typedef XHCIHUBPORT *PXHCIHUBPORT;
+
+/**
+ * An xHCI root hub port, ring-3.
+ */
+typedef struct XHCIHUBPORTR3
+{
+ /** Flag whether there is a device attached to the port. */
+ bool fAttached;
+} XHCIHUBPORTR3;
+/** Pointer to a ring-3 xHCI root hub port. */
+typedef XHCIHUBPORTR3 *PXHCIHUBPORTR3;
+
+/**
+ * The xHCI root hub, ring-3 only.
+ *
+ * @implements PDMIBASE
+ * @implements VUSBIROOTHUBPORT
+ */
+typedef struct XHCIROOTHUBR3
+{
+ /** Pointer to the parent xHC. */
+ R3PTRTYPE(struct XHCIR3 *) pXhciR3;
+ /** Pointer to the base interface of the VUSB RootHub. */
+ R3PTRTYPE(PPDMIBASE) pIBase;
+ /** Pointer to the connector interface of the VUSB RootHub. */
+ R3PTRTYPE(PVUSBIROOTHUBCONNECTOR) pIRhConn;
+ /** The base interface exposed to the roothub driver. */
+ PDMIBASE IBase;
+ /** The roothub port interface exposed to the roothub driver. */
+ VUSBIROOTHUBPORT IRhPort;
+
+ /** The LED for this hub. */
+ PDMLED Led;
+
+ /** Number of actually implemented ports. */
+ uint8_t cPortsImpl;
+ /** Index of first port for this hub. */
+ uint8_t uPortBase;
+
+ uint16_t Alignment0; /**< Force alignment. */
+#if HC_ARCH_BITS == 64
+ uint32_t Alignment1;
+#endif
+} XHCIROOTHUBR3;
+/** Pointer to a xHCI root hub (ring-3 only). */
+typedef XHCIROOTHUBR3 *PXHCIROOTHUBR3;
+
+/**
+ * An xHCI interrupter.
+ */
+typedef struct sXHCIINTRPTR
+{
+ /* Registers defined by xHCI. */
+ /** IMAN: Interrupt Management Register (R/W). */
+ uint32_t iman;
+ /** IMOD: Interrupt Moderation Register (R/W). */
+ uint32_t imod;
+ /** ERSTSZ: Event Ring Segment Table Size (R/W). */
+ uint32_t erstsz;
+ /* Reserved/padding. */
+ uint32_t reserved;
+ /** ERSTBA: Event Ring Segment Table Base Address (R/W). */
+ uint64_t erstba;
+ /** ERDP: Event Ring Dequeue Pointer (R/W). */
+ uint64_t erdp;
+ /* Interrupter lock. */
+ PDMCRITSECT lock;
+ /* Internal xHCI non-register state. */
+ /** Internal Event Ring enqueue pointer. */
+ uint64_t erep;
+ /** Internal ERDP re-write counter. */
+ uint32_t erdp_rewrites;
+ /** This interrupter's index (for logging). */
+ uint32_t index;
+ /** Internal index into Event Ring Segment Table. */
+ uint16_t erst_idx;
+ /** Internal index into Event Ring Segment. */
+ uint16_t trb_count;
+ /** Internal Event Ring Producer Cycle State. */
+ bool evtr_pcs;
+ /** Internal Interrupt Pending Enable flag. */
+ bool ipe;
+} XHCIINTRPTR, *PXHCIINTRPTR;
+
+/**
+ * xHCI device state.
+ * @implements PDMILEDPORTS
+ */
+typedef struct XHCI
+{
+ /** MFINDEX wraparound timer. */
+ TMTIMERHANDLE hWrapTimer;
+
+#ifdef XHCI_ERROR_INJECTION
+ bool fDropIntrHw;
+ bool fDropIntrIpe;
+ bool fDropUrb;
+ uint8_t Alignment00[1];
+#else
+ uint32_t Alignment00; /**< Force alignment. */
+#endif
+
+ /** Flag indicating a sleeping worker thread. */
+ volatile bool fWrkThreadSleeping;
+ volatile bool afPadding[3];
+
+ /** The event semaphore the worker thread waits on. */
+ SUPSEMEVENT hEvtProcess;
+
+ /** Bitmap for finished tasks (R3 -> Guest). */
+ volatile uint32_t u32TasksFinished;
+ /** Bitmap for finished queued tasks (R3 -> Guest). */
+ volatile uint32_t u32QueuedTasksFinished;
+ /** Bitmap for new queued tasks (Guest -> R3). */
+ volatile uint32_t u32TasksNew;
+
+ /** Copy of XHCIR3::RootHub2::cPortsImpl. */
+ uint8_t cUsb2Ports;
+ /** Copy of XHCIR3::RootHub3::cPortsImpl. */
+ uint8_t cUsb3Ports;
+ /** Sum of cUsb2Ports and cUsb3Ports. */
+ uint8_t cTotalPorts;
+ /** Explicit padding. */
+ uint8_t bPadding;
+
+ /** Start of current frame. */
+ uint64_t SofTime;
+ /** State of the individual ports. */
+ XHCIHUBPORT aPorts[XHCI_NDP_MAX];
+ /** Interrupters array. */
+ XHCIINTRPTR aInterrupters[XHCI_NINTR];
+
+ /** @name Host Controller Capability Registers
+ * @{ */
+ /** CAPLENGTH: base + CAPLENGTH = operational register start (R/O). */
+ uint32_t cap_length;
+ /** HCIVERSION: host controller interface version (R/O). */
+ uint32_t hci_version;
+ /** HCSPARAMS: Structural parameters 1 (R/O). */
+ uint32_t hcs_params1;
+ /** HCSPARAMS: Structural parameters 2 (R/O). */
+ uint32_t hcs_params2;
+ /** HCSPARAMS: Structural parameters 3 (R/O). */
+ uint32_t hcs_params3;
+ /** HCCPARAMS: Capability parameters (R/O). */
+ uint32_t hcc_params;
+ /** DBOFF: Doorbell offset (R/O). */
+ uint32_t dbell_off;
+ /** RTSOFF: Run-time register space offset (R/O). */
+ uint32_t rts_off;
+ /** @} */
+
+ /** @name Host Controller Operational Registers
+ * @{ */
+ /** USB command register - USBCMD (R/W). */
+ uint32_t cmd;
+ /** USB status register - USBSTS (R/W).*/
+ uint32_t status;
+ /** Device Control Notification register - DNCTRL (R/W). */
+ uint32_t dnctrl;
+ /** Configure Register (R/W). */
+ uint32_t config;
+ /** Command Ring Control Register - CRCR (R/W). */
+ uint64_t crcr;
+ /** Device Context Base Address Array Pointer (R/W). */
+ uint64_t dcbaap;
+ /** @} */
+
+ /** Extended Capabilities storage. */
+ uint8_t abExtCap[XHCI_EXT_CAP_SIZE];
+ /** Size of valid extended capabilities. */
+ uint32_t cbExtCap;
+
+ uint32_t Alignment1; /**< Align cmdr_dqp. */
+
+ /** @name Internal xHCI non-register state
+ * @{ */
+ /** Internal Command Ring dequeue pointer. */
+ uint64_t cmdr_dqp;
+ /** Internal Command Ring Consumer Cycle State. */
+ bool cmdr_ccs;
+ uint8_t aAlignment2[7]; /**< Force alignment. */
+ /** Internal Device Slot states. */
+ uint8_t aSlotState[XHCI_NDS];
+ /** Internal doorbell states. Each bit corresponds to an endpoint. */
+ uint32_t aBellsRung[XHCI_NDS];
+ /** @} */
+
+ /** @name Model specific configuration
+ * @{ */
+ /** ERST address mask. */
+ uint64_t erst_addr_mask;
+ /** @} */
+
+ /** The MMIO region. */
+ IOMMMIOHANDLE hMmio;
+
+ /** Detected isochronous URBs completed with error. */
+ STAMCOUNTER StatErrorIsocUrbs;
+ /** Detected isochronous packets (not URBs!) with error. */
+ STAMCOUNTER StatErrorIsocPkts;
+
+ /** Event TRBs written to event ring(s). */
+ STAMCOUNTER StatEventsWritten;
+ /** Event TRBs not written to event ring(s) due to HC being stopped. */
+ STAMCOUNTER StatEventsDropped;
+ /** Requests to set the IP bit. */
+ STAMCOUNTER StatIntrsPending;
+ /** Actual interrupt deliveries. */
+ STAMCOUNTER StatIntrsSet;
+ /** Interrupts not raised because they were disabled. */
+ STAMCOUNTER StatIntrsNotSet;
+ /** A pending interrupt was cleared. */
+ STAMCOUNTER StatIntrsCleared;
+ /** Number of TRBs that formed a single control URB. */
+ STAMCOUNTER StatTRBsPerCtlUrb;
+ /** Number of TRBs that formed a single data (bulk/interrupt) URB. */
+ STAMCOUNTER StatTRBsPerDtaUrb;
+ /** Number of TRBs that formed a single isochronous URB. */
+ STAMCOUNTER StatTRBsPerIsoUrb;
+ /** Size of a control URB in bytes. */
+ STAMCOUNTER StatUrbSizeCtrl;
+ /** Size of a data URB in bytes. */
+ STAMCOUNTER StatUrbSizeData;
+ /** Size of an isochronous URB in bytes. */
+ STAMCOUNTER StatUrbSizeIsoc;
+
+#ifdef VBOX_WITH_STATISTICS
+ /** @name Register access counters.
+ * @{ */
+ STAMCOUNTER StatRdCaps;
+ STAMCOUNTER StatRdCmdRingCtlHi;
+ STAMCOUNTER StatRdCmdRingCtlLo;
+ STAMCOUNTER StatRdConfig;
+ STAMCOUNTER StatRdDevCtxBaapHi;
+ STAMCOUNTER StatRdDevCtxBaapLo;
+ STAMCOUNTER StatRdDevNotifyCtrl;
+ STAMCOUNTER StatRdDoorBell;
+ STAMCOUNTER StatRdEvtRingDeqPtrHi;
+ STAMCOUNTER StatRdEvtRingDeqPtrLo;
+ STAMCOUNTER StatRdEvtRsTblBaseHi;
+ STAMCOUNTER StatRdEvtRsTblBaseLo;
+ STAMCOUNTER StatRdEvtRstblSize;
+ STAMCOUNTER StatRdEvtRsvd;
+ STAMCOUNTER StatRdIntrMgmt;
+ STAMCOUNTER StatRdIntrMod;
+ STAMCOUNTER StatRdMfIndex;
+ STAMCOUNTER StatRdPageSize;
+ STAMCOUNTER StatRdPortLinkInfo;
+ STAMCOUNTER StatRdPortPowerMgmt;
+ STAMCOUNTER StatRdPortRsvd;
+ STAMCOUNTER StatRdPortStatusCtrl;
+ STAMCOUNTER StatRdUsbCmd;
+ STAMCOUNTER StatRdUsbSts;
+ STAMCOUNTER StatRdUnknown;
+
+ STAMCOUNTER StatWrCmdRingCtlHi;
+ STAMCOUNTER StatWrCmdRingCtlLo;
+ STAMCOUNTER StatWrConfig;
+ STAMCOUNTER StatWrDevCtxBaapHi;
+ STAMCOUNTER StatWrDevCtxBaapLo;
+ STAMCOUNTER StatWrDevNotifyCtrl;
+ STAMCOUNTER StatWrDoorBell0;
+ STAMCOUNTER StatWrDoorBellN;
+ STAMCOUNTER StatWrEvtRingDeqPtrHi;
+ STAMCOUNTER StatWrEvtRingDeqPtrLo;
+ STAMCOUNTER StatWrEvtRsTblBaseHi;
+ STAMCOUNTER StatWrEvtRsTblBaseLo;
+ STAMCOUNTER StatWrEvtRstblSize;
+ STAMCOUNTER StatWrIntrMgmt;
+ STAMCOUNTER StatWrIntrMod;
+ STAMCOUNTER StatWrPortPowerMgmt;
+ STAMCOUNTER StatWrPortStatusCtrl;
+ STAMCOUNTER StatWrUsbCmd;
+ STAMCOUNTER StatWrUsbSts;
+ STAMCOUNTER StatWrUnknown;
+ /** @} */
+#endif
+} XHCI;
+
+/**
+ * xHCI device state, ring-3 edition.
+ * @implements PDMILEDPORTS
+ */
+typedef struct XHCIR3
+{
+ /** The async worker thread. */
+ R3PTRTYPE(PPDMTHREAD) pWorkerThread;
+ /** The device instance.
+ * @note This is only so interface functions can get their bearings. */
+ PPDMDEVINSR3 pDevIns;
+
+ /** Status LUN: The base interface. */
+ PDMIBASE IBase;
+ /** Status LUN: Leds interface. */
+ PDMILEDPORTS ILeds;
+ /** Status LUN: Partner of ILeds. */
+ R3PTRTYPE(PPDMILEDCONNECTORS) pLedsConnector;
+
+ /** USB 2.0 Root hub device. */
+ XHCIROOTHUBR3 RootHub2;
+ /** USB 3.0 Root hub device. */
+ XHCIROOTHUBR3 RootHub3;
+
+ /** State of the individual ports. */
+ XHCIHUBPORTR3 aPorts[XHCI_NDP_MAX];
+
+ /** Critsect to synchronize worker and I/O completion threads. */
+ RTCRITSECT CritSectThrd;
+} XHCIR3;
+/** Pointer to ring-3 xHCI device state. */
+typedef XHCIR3 *PXHCIR3;
+
+/**
+ * xHCI device data, ring-0 edition.
+ */
+typedef struct XHCIR0
+{
+ uint32_t uUnused;
+} XHCIR0;
+/** Pointer to ring-0 xHCI device data. */
+typedef struct XHCIR0 *PXHCIR0;
+
+
+/**
+ * xHCI device data, raw-mode edition.
+ */
+typedef struct XHCIRC
+{
+ uint32_t uUnused;
+} XHCIRC;
+/** Pointer to raw-mode xHCI device data. */
+typedef struct XHCIRC *PXHCIRC;
+
+
+/** @typedef XHCICC
+ * The xHCI device data for the current context. */
+typedef CTX_SUFF(XHCI) XHCICC;
+/** @typedef PXHCICC
+ * Pointer to the xHCI device for the current context. */
+typedef CTX_SUFF(PXHCI) PXHCICC;
+
+
+/* -=-= Local implementation details =-=- */
+
+typedef enum sXHCI_JOB {
+ XHCI_JOB_PROCESS_CMDRING, /**< Process the command ring. */
+ XHCI_JOB_DOORBELL, /**< A doorbell (other than DB0) was rung. */
+ XHCI_JOB_XFER_DONE, /**< Transfer completed, look for more work. */
+ XHCI_JOB_MAX
+} XHCI_JOB;
+
+/* -=-=- Local xHCI definitions -=-=- */
+
+/** @name USB states.
+ * @{ */
+#define XHCI_USB_RESET 0x00
+#define XHCI_USB_RESUME 0x40
+#define XHCI_USB_OPERATIONAL 0x80
+#define XHCI_USB_SUSPEND 0xc0
+/** @} */
+
+/* Primary interrupter (for readability). */
+#define XHCI_PRIMARY_INTERRUPTER 0
+
+/** @name Device Slot states.
+ * @{ */
+#define XHCI_DEVSLOT_EMPTY 0
+#define XHCI_DEVSLOT_ENABLED 1
+#define XHCI_DEVSLOT_DEFAULT 2
+#define XHCI_DEVSLOT_ADDRESSED 3
+#define XHCI_DEVSLOT_CONFIGURED 4
+/** @} */
+
+/** Get the pointer to a root hub corresponding to given port index. */
+#define GET_PORT_PRH(a_pThisCC, a_uPort) \
+ ((a_uPort) >= (a_pThisCC)->RootHub2.cPortsImpl ? &(a_pThisCC)->RootHub3 : &(a_pThisCC)->RootHub2)
+#define GET_VUSB_PORT_FROM_XHCI_PORT(a_pRh, a_iPort) \
+ (((a_iPort) - (a_pRh)->uPortBase) + 1)
+#define GET_XHCI_PORT_FROM_VUSB_PORT(a_pRh, a_uPort) \
+ ((a_pRh)->uPortBase + (a_uPort) - 1)
+
+/** Check if port corresponding to index is USB3, using shared data. */
+#define IS_USB3_PORT_IDX_SHR(a_pThis, a_uPort) ((a_uPort) >= (a_pThis)->cUsb2Ports)
+
+/** Check if port corresponding to index is USB3, using ring-3 data. */
+#define IS_USB3_PORT_IDX_R3(a_pThisCC, a_uPort) ((a_uPort) >= (a_pThisCC)->RootHub2.cPortsImpl)
+
+/** Query the number of configured USB2 ports. */
+#define XHCI_NDP_USB2(a_pThisCC) ((unsigned)(a_pThisCC)->RootHub2.cPortsImpl)
+
+/** Query the number of configured USB3 ports. */
+#define XHCI_NDP_USB3(a_pThisCC) ((unsigned)(a_pThisCC)->RootHub3.cPortsImpl)
+
+/** Query the total number of configured ports. */
+#define XHCI_NDP_CFG(a_pThis) ((unsigned)RT_MIN((a_pThis)->cTotalPorts, XHCI_NDP_MAX))
+
+
+#ifndef VBOX_DEVICE_STRUCT_TESTCASE
+
+
+/*********************************************************************************************************************************
+* Internal Functions *
+*********************************************************************************************************************************/
+
+#ifdef IN_RING3
+
+/** Build a Protocol extended capability. */
+static uint32_t xhciR3BuildProtocolCaps(uint8_t *pbCap, uint32_t cbMax, int cPorts, int nPortOfs, int ver)
+{
+ uint32_t *pu32Cap = (uint32_t *)pbCap;
+ unsigned cPsi;
+
+ Assert(nPortOfs + cPorts < 255);
+ Assert(ver == 2 || ver == 3);
+
+ cPsi = 0; /* Currently only implied port speed IDs. */
+
+ /* Make sure there's enough room. */
+ if (cPsi * 4 + 16 > cbMax)
+ return 0;
+
+ /* Header - includes (USB) specification version. */
+ *pu32Cap++ = (ver << 24) | (0 << 16) | XHCI_XCP_PROTOCOL;
+ /* Specification - 'USB ' */
+ *pu32Cap++ = 0x20425355;
+ /* Port offsets and counts. 1-based! */
+ *pu32Cap++ = (cPsi << 28) | (cPorts << 8) | (nPortOfs + 1);
+ /* Reserved dword. */
+ *pu32Cap++ = 0;
+
+ return (uint8_t *)pu32Cap - pbCap;
+}
+
+
+/** Add an extended capability and link it into the chain. */
+static int xhciR3AddExtCap(PXHCI pThis, const uint8_t *pCap, uint32_t cbCap, uint32_t *puPrevOfs)
+{
+ Assert(*puPrevOfs <= pThis->cbExtCap);
+ Assert(!(cbCap & 3));
+
+ /* Check that the extended capability is sane. */
+ if (cbCap == 0)
+ return VERR_BUFFER_UNDERFLOW;
+ if (pThis->cbExtCap + cbCap > XHCI_EXT_CAP_SIZE)
+ return VERR_BUFFER_OVERFLOW;
+ if (cbCap > 255 * 4) /* Size must fit into 8-bit dword count. */
+ return VERR_BUFFER_OVERFLOW;
+
+ /* Copy over the capability data and update offsets. */
+ memcpy(pThis->abExtCap + pThis->cbExtCap, pCap, cbCap);
+ pThis->abExtCap[*puPrevOfs + 1] = cbCap >> 2;
+ pThis->abExtCap[pThis->cbExtCap + 1] = 0;
+ *puPrevOfs = pThis->cbExtCap;
+ pThis->cbExtCap += cbCap;
+ return VINF_SUCCESS;
+}
+
+/** Build the xHCI Extended Capabilities region. */
+static int xhciR3BuildExtCaps(PXHCI pThis, PXHCICC pThisCC)
+{
+ int rc;
+ uint8_t abXcp[MAX_XCAP_SIZE];
+ uint32_t cbXcp;
+ uint32_t uPrevOfs = 0;
+
+ Assert(XHCI_NDP_USB2(pThisCC));
+ Assert(XHCI_NDP_USB3(pThisCC));
+
+ /* Most of the extended capabilities are optional or not relevant for PCI
+ * implementations. However, the Supported Protocol caps are required.
+ */
+ cbXcp = xhciR3BuildProtocolCaps(abXcp, sizeof(abXcp), XHCI_NDP_USB2(pThisCC), 0, 2);
+ rc = xhciR3AddExtCap(pThis, abXcp, cbXcp, &uPrevOfs);
+ AssertReturn(RT_SUCCESS(rc), rc);
+
+ cbXcp = xhciR3BuildProtocolCaps(abXcp, sizeof(abXcp), XHCI_NDP_USB3(pThisCC), XHCI_NDP_USB2(pThisCC), 3);
+ rc = xhciR3AddExtCap(pThis, abXcp, cbXcp, &uPrevOfs);
+ AssertReturn(RT_SUCCESS(rc), rc);
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Select an unused device address. Note that this may fail in the unlikely
+ * case where all possible addresses are exhausted.
+ */
+static uint8_t xhciR3SelectNewAddress(PXHCI pThis, uint8_t uSlotID)
+{
+ RT_NOREF(pThis, uSlotID);
+
+ /*
+ * Since there is a 1:1 mapping between USB devices and device slots, we
+ * should be able to assign a USB address which equals slot ID to any USB
+ * device. However, the address selection algorithm could be completely
+ * different (it is not defined by the xHCI spec).
+ */
+ return uSlotID;
+}
+
+
+/**
+ * Read the address of a device context for a slot from the DCBAA.
+ *
+ * @returns Given slot's device context base address.
+ * @param pDevIns The device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param uSlotID Slot ID to get the context address of.
+ */
+static uint64_t xhciR3FetchDevCtxAddr(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID)
+{
+ uint64_t uCtxAddr;
+ RTGCPHYS GCPhysDCBAAE;
+
+ Assert(uSlotID > 0);
+ Assert(uSlotID < XHCI_NDS);
+
+ /* Fetch the address of the output slot context from the DCBAA. */
+ GCPhysDCBAAE = pThis->dcbaap + uSlotID * sizeof(uint64_t);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysDCBAAE, &uCtxAddr, sizeof(uCtxAddr));
+ LogFlowFunc(("Slot ID %u, device context @ %RGp\n", uSlotID, uCtxAddr));
+ Assert(uCtxAddr);
+
+ return uCtxAddr & XHCI_CTX_ADDR_MASK;
+}
+
+
+/**
+ * Fetch a device's slot or endpoint context from memory.
+ *
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state.
+ * @param uSlotID Slot ID to access.
+ * @param uDCI Device Context Index.
+ * @param pCtx Pointer to storage for the context.
+ */
+static int xhciR3FetchDevCtx(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID, uint8_t uDCI, void *pCtx)
+{
+ RTGCPHYS GCPhysCtx;
+
+ GCPhysCtx = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ LogFlowFunc(("Reading device context @ %RGp, DCI %u\n", GCPhysCtx, uDCI));
+ GCPhysCtx += uDCI * sizeof(XHCI_SLOT_CTX);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysCtx, pCtx, sizeof(XHCI_SLOT_CTX));
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Fetch a device's slot and endpoint contexts from guest memory.
+ *
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state.
+ * @param uSlotID Slot ID to access.
+ * @param uDCI Endpoint Device Context Index.
+ * @param pSlot Pointer to storage for the slot context.
+ * @param pEp Pointer to storage for the endpoint context.
+ */
+static int xhciR3FetchCtxAndEp(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID, uint8_t uDCI, XHCI_SLOT_CTX *pSlot, XHCI_EP_CTX *pEp)
+{
+ AssertPtr(pSlot);
+ AssertPtr(pEp);
+ Assert(uDCI); /* Can't be 0 -- that's the device context. */
+
+ /* Load the slot context. */
+ xhciR3FetchDevCtx(pDevIns, pThis, uSlotID, 0, pSlot);
+ /// @todo sanity check the slot context here?
+ Assert(pSlot->ctx_ent >= uDCI);
+
+ /* Load the endpoint context. */
+ xhciR3FetchDevCtx(pDevIns, pThis, uSlotID, uDCI, pEp);
+ /// @todo sanity check the endpoint context here?
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Update an endpoint context in guest memory.
+ *
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state.
+ * @param uSlotID Slot ID to access.
+ * @param uDCI Endpoint Device Context Index.
+ * @param pEp Pointer to storage of the endpoint context.
+ */
+static int xhciR3WriteBackEp(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID, uint8_t uDCI, XHCI_EP_CTX *pEp)
+{
+ RTGCPHYS GCPhysCtx;
+
+ AssertPtr(pEp);
+ Assert(uDCI); /* Can't be 0 -- that's the device context. */
+
+ /// @todo sanity check the endpoint context here?
+ /* Find the physical address. */
+ GCPhysCtx = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ LogFlowFunc(("Writing device context @ %RGp, DCI %u\n", GCPhysCtx, uDCI));
+ GCPhysCtx += uDCI * sizeof(XHCI_SLOT_CTX);
+ /* Write the updated context. */
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysCtx, pEp, sizeof(XHCI_EP_CTX));
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Modify an endpoint context such that it enters the running state.
+ *
+ * @param pEpCtx Pointer to the endpoint context.
+ */
+static void xhciR3EnableEP(XHCI_EP_CTX *pEpCtx)
+{
+ LogFlow(("Enabling EP, TRDP @ %RGp, DCS=%u\n", pEpCtx->trdp & XHCI_TRDP_ADDR_MASK, pEpCtx->trdp & XHCI_TRDP_DCS_MASK));
+ pEpCtx->ep_state = XHCI_EPST_RUNNING;
+ pEpCtx->trep = pEpCtx->trdp;
+}
+
+#endif /* IN_RING3 */
+
+#define MFIND_PERIOD_NS (UINT64_C(2048) * 1000000)
+
+/**
+ * Set up the MFINDEX wrap timer.
+ */
+static void xhciSetWrapTimer(PPDMDEVINS pDevIns, PXHCI pThis)
+{
+ uint64_t u64Now;
+ uint64_t u64LastWrap;
+ uint64_t u64Expire;
+ int rc;
+
+ /* Try to avoid drift. */
+ u64Now = PDMDevHlpTimerGet(pDevIns, pThis->hWrapTimer);
+// u64LastWrap = u64Now - (u64Now % (0x3FFF * 125000));
+ u64LastWrap = u64Now / MFIND_PERIOD_NS * MFIND_PERIOD_NS;
+ /* The MFINDEX counter wraps around every 2048 milliseconds. */
+ u64Expire = u64LastWrap + (uint64_t)2048 * 1000000;
+ rc = PDMDevHlpTimerSet(pDevIns, pThis->hWrapTimer, u64Expire);
+ AssertRC(rc);
+}
+
+/**
+ * Determine whether MSI/MSI-X is enabled for this PCI device.
+ *
+ * This influences interrupt handling in xHCI. NB: There should be a PCIDevXxx
+ * function for this.
+ */
+static bool xhciIsMSIEnabled(PPDMPCIDEV pDevIns)
+{
+ uint16_t uMsgCtl;
+
+ uMsgCtl = PDMPciDevGetWord(pDevIns, XHCI_PCI_MSI_CAP_OFS + VBOX_MSI_CAP_MESSAGE_CONTROL);
+ return !!(uMsgCtl & VBOX_PCI_MSI_FLAGS_ENABLE);
+}
+
+/**
+ * Get the worker thread going -- there's something to do.
+ */
+static void xhciKickWorker(PPDMDEVINS pDevIns, PXHCI pThis, XHCI_JOB enmJob, uint32_t uWorkDesc)
+{
+ RT_NOREF(enmJob, uWorkDesc);
+
+ /* Tell the worker thread there's something to do. */
+ if (ASMAtomicReadBool(&pThis->fWrkThreadSleeping))
+ {
+ LogFlowFunc(("Signal event semaphore\n"));
+ int rc = PDMDevHlpSUPSemEventSignal(pDevIns, pThis->hEvtProcess);
+ AssertRC(rc);
+ }
+}
+
+/**
+ * Fetch the current ERST entry from guest memory.
+ */
+static void xhciFetchErstEntry(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip)
+{
+ RTGCPHYS GCPhysErste;
+ XHCI_ERSTE entry;
+
+ Assert(ip->erst_idx < ip->erstsz);
+ GCPhysErste = ip->erstba + ip->erst_idx * sizeof(XHCI_ERSTE);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysErste, &entry, sizeof(entry));
+
+ /*
+ * 6.5 claims values in 16-4096 range are valid, but does not say what
+ * happens for values outside of that range...
+ */
+ Assert((pThis->status & XHCI_STATUS_HCH) || (entry.size >= 16 && entry.size <= 4096));
+
+ /* Cache the entry data internally. */
+ ip->erep = entry.addr & pThis->erst_addr_mask;
+ ip->trb_count = entry.size;
+ Log(("Fetched ERST Entry at %RGp: %u entries at %RGp\n", GCPhysErste, ip->trb_count, ip->erep));
+}
+
+/**
+ * Set the interrupter's IP and EHB bits and trigger an interrupt if required.
+ *
+ * @param pDevIns The PDM device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param ip Pointer to the interrupter structure.
+ *
+ */
+static void xhciSetIntr(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip)
+{
+ Assert(pThis && ip);
+ LogFlowFunc(("old IP: %u\n", !!(ip->iman & XHCI_IMAN_IP)));
+
+ if (!(ip->iman & XHCI_IMAN_IP))
+ {
+ /// @todo assert that we own the interrupter lock
+ ASMAtomicOrU32(&pThis->status, XHCI_STATUS_EINT);
+ ASMAtomicOrU64(&ip->erdp, XHCI_ERDP_EHB);
+ ASMAtomicOrU32(&ip->iman, XHCI_IMAN_IP);
+ if ((ip->iman & XHCI_IMAN_IE) && (pThis->cmd & XHCI_CMD_INTE))
+ {
+#ifdef XHCI_ERROR_INJECTION
+ if (pThis->fDropIntrHw)
+ {
+ pThis->fDropIntrHw = false;
+ ASMAtomicAndU32(&ip->iman, ~XHCI_IMAN_IP);
+ }
+ else
+#endif
+ {
+ Log2(("Triggering interrupt on interrupter %u\n", ip->index));
+ PDMDevHlpPCISetIrq(pDevIns, 0, PDM_IRQ_LEVEL_HIGH);
+ STAM_COUNTER_INC(&pThis->StatIntrsSet);
+ }
+ }
+ else
+ {
+ Log2(("Not triggering interrupt on interrupter %u (interrupts disabled)\n", ip->index));
+ STAM_COUNTER_INC(&pThis->StatIntrsNotSet);
+ }
+
+ /* If MSI/MSI-X is in use, the IP bit is immediately cleared again. */
+ if (xhciIsMSIEnabled(pDevIns->apPciDevs[0]))
+ ASMAtomicAndU32(&ip->iman, ~XHCI_IMAN_IP);
+ }
+}
+
+#ifdef IN_RING3
+
+/**
+ * Set the interrupter's IPE bit. If this causes a 0->1 transition, an
+ * interrupt may be triggered.
+ *
+ * @param pDevIns The PDM device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param ip Pointer to the interrupter structure.
+ */
+static void xhciR3SetIntrPending(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip)
+{
+ uint16_t imodc = (ip->imod >> XHCI_IMOD_IMODC_SHIFT) & XHCI_IMOD_IMODC_MASK;
+
+ Assert(pThis && ip);
+ LogFlowFunc(("old IPE: %u, IMODC: %u, EREP: %RGp, EHB: %u\n", ip->ipe, imodc, (RTGCPHYS)ip->erep, !!(ip->erdp & XHCI_ERDP_EHB)));
+ STAM_COUNTER_INC(&pThis->StatIntrsPending);
+
+ if (!ip->ipe)
+ {
+#ifdef XHCI_ERROR_INJECTION
+ if (pThis->fDropIntrIpe)
+ {
+ pThis->fDropIntrIpe = false;
+ }
+ else
+#endif
+ {
+ ip->ipe = true;
+ if (!(ip->erdp & XHCI_ERDP_EHB) && (imodc == 0))
+ xhciSetIntr(pDevIns, pThis, ip);
+ }
+ }
+}
+
+
+/**
+ * Check if there is space available for writing at least two events on the
+ * event ring. See 4.9.4 for the state machine (right hand side of diagram).
+ * If there's only room for one event, the Event Ring Full TRB will need to
+ * be written out, hence the ring is considered full.
+ *
+ * @returns True if space is available, false otherwise.
+ * @param pDevIns The PDM device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param pIntr Pointer to the interrupter structure.
+ */
+static bool xhciR3IsEvtRingFull(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR pIntr)
+{
+ uint64_t next_ptr;
+ uint64_t erdp = pIntr->erdp & XHCI_ERDP_ADDR_MASK;
+
+ if (pIntr->trb_count > 1)
+ {
+ /* Check the current segment. */
+ next_ptr = pIntr->erep + sizeof(XHCI_EVENT_TRB);
+ }
+ else
+ {
+ uint16_t erst_idx;
+ XHCI_ERSTE entry;
+ RTGCPHYS GCPhysErste;
+
+ /* Need to check the next segment. */
+ erst_idx = pIntr->erst_idx + 1;
+ if (erst_idx == pIntr->erstsz)
+ erst_idx = 0;
+ GCPhysErste = pIntr->erstba + erst_idx * sizeof(XHCI_ERSTE);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysErste, &entry, sizeof(entry));
+ next_ptr = entry.addr & pThis->erst_addr_mask;
+ }
+
+ /// @todo We'll have to remember somewhere that the ring is full
+ return erdp == next_ptr;
+}
+
+/**
+ * Write an event to the given Event Ring. This implements a good chunk of
+ * the event ring state machine in section 4.9.4 of the xHCI spec.
+ *
+ * @returns VBox status code. Error if event could not be enqueued.
+ * @param pDevIns The PDM device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param pEvent Pointer to the Event TRB to be enqueued.
+ * @param iIntr Index of the interrupter to write to.
+ * @param fBlockInt Set if interrupt should be blocked (BEI bit).
+ */
+static int xhciR3WriteEvent(PPDMDEVINS pDevIns, PXHCI pThis, XHCI_EVENT_TRB *pEvent, unsigned iIntr, bool fBlockInt)
+{
+ PXHCIINTRPTR pIntr;
+ int rc = VINF_SUCCESS;
+
+ LogFlowFunc(("Interrupter: %u\n", iIntr));
+
+ /* If the HC isn't running, events can not be generated. However,
+ * especially port change events can be triggered at any time. We just
+ * drop them here -- it's often not an error condition.
+ */
+ if (pThis->cmd & XHCI_CMD_RS)
+ {
+ STAM_COUNTER_INC(&pThis->StatEventsWritten);
+ Assert(iIntr < XHCI_NINTR); /* Supplied by guest, potentially invalid. */
+ pIntr = &pThis->aInterrupters[iIntr & XHCI_INTR_MASK];
+
+ /*
+ * If the interrupter/event ring isn't in a sane state, just
+ * give up and report Host Controller Error (HCE).
+ */
+ // pIntr->erst_idx
+
+ int const rcLock = PDMDevHlpCritSectEnter(pDevIns, &pIntr->lock, VERR_IGNORED); /* R3 only, no rcBusy. */
+ PDM_CRITSECT_RELEASE_ASSERT_RC_DEV(pDevIns, &pIntr->lock, rcLock); /* eventually, most call chains ignore the status. */
+
+ if (xhciR3IsEvtRingFull(pDevIns, pThis, pIntr))
+ {
+ LogRel(("xHCI: Event ring full!\n"));
+ }
+
+ /* Set the TRB's Cycle bit as appropriate. */
+ pEvent->gen.cycle = pIntr->evtr_pcs;
+
+ /* Write out the TRB and advance the EREP. */
+ /// @todo This either has to be atomic from the guest's POV or the cycle bit needs to be toggled last!!
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, pIntr->erep, pEvent, sizeof(*pEvent));
+ pIntr->erep += sizeof(*pEvent);
+ --pIntr->trb_count;
+
+ /* Advance to the next ERST entry if necessary. */
+ if (pIntr->trb_count == 0)
+ {
+ ++pIntr->erst_idx;
+ /* If necessary, roll over back to the beginning. */
+ if (pIntr->erst_idx == pIntr->erstsz)
+ {
+ pIntr->erst_idx = 0;
+ pIntr->evtr_pcs = !pIntr->evtr_pcs;
+ }
+ xhciFetchErstEntry(pDevIns, pThis, pIntr);
+ }
+
+ /* Set the IPE bit unless interrupts are blocked. */
+ if (!fBlockInt)
+ xhciR3SetIntrPending(pDevIns, pThis, pIntr);
+
+ PDMDevHlpCritSectLeave(pDevIns, &pIntr->lock);
+ }
+ else
+ {
+ STAM_COUNTER_INC(&pThis->StatEventsDropped);
+ Log(("Event dropped because HC is not running.\n"));
+ }
+
+ return rc;
+}
+
+
+/**
+ * Post a port change TRB to an Event Ring.
+ */
+static int xhciR3GenPortChgEvent(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uPort)
+{
+ XHCI_EVENT_TRB ed; /* Event Descriptor */
+ LogFlowFunc(("Port ID: %u\n", uPort));
+
+ /*
+ * Devices can be "physically" attached/detached regardless of whether
+ * the HC is running or not, but the port status change events can only
+ * be generated when R/S is set; xhciR3WriteEvent() takes care of that.
+ */
+ RT_ZERO(ed);
+ ed.psce.cc = XHCI_TCC_SUCCESS;
+ ed.psce.port_id = uPort;
+ ed.psce.type = XHCI_TRB_PORT_SC;
+ return xhciR3WriteEvent(pDevIns, pThis, &ed, XHCI_PRIMARY_INTERRUPTER, false);
+}
+
+
+/**
+ * Post a command completion TRB to an Event Ring.
+ */
+static int xhciR3PostCmdCompletion(PPDMDEVINS pDevIns, PXHCI pThis, unsigned cc, unsigned uSlotID)
+{
+ XHCI_EVENT_TRB ed; /* Event Descriptor */
+ LogFlowFunc(("Cmd @ %RGp, Completion Code: %u (%s), Slot ID: %u\n", (RTGCPHYS)pThis->cmdr_dqp, cc,
+ cc < RT_ELEMENTS(g_apszCmplCodes) ? g_apszCmplCodes[cc] : "WHAT?!!", uSlotID));
+
+ /* The Command Ring dequeue pointer still holds the address of the current
+ * command TRB. It is written to the completion event TRB as the command
+ * TRB pointer.
+ */
+ RT_ZERO(ed);
+ ed.cce.trb_ptr = pThis->cmdr_dqp;
+ ed.cce.cc = cc;
+ ed.cce.type = XHCI_TRB_CMD_CMPL;
+ ed.cce.slot_id = uSlotID;
+ return xhciR3WriteEvent(pDevIns, pThis, &ed, XHCI_PRIMARY_INTERRUPTER, false);
+}
+
+
+/**
+ * Post a transfer event TRB to an Event Ring.
+ */
+static int xhciR3PostXferEvent(PPDMDEVINS pDevIns, PXHCI pThis, unsigned uIntTgt, unsigned uXferLen, unsigned cc,
+ unsigned uSlotID, unsigned uEpDCI, uint64_t uEvtData, bool fBlockInt, bool fEvent)
+{
+ XHCI_EVENT_TRB ed; /* Event Descriptor */
+ LogFlowFunc(("Xfer @ %RGp, Completion Code: %u (%s), Slot ID=%u DCI=%u Target=%u EvtData=%RX64 XfrLen=%u BEI=%u ED=%u\n",
+ (RTGCPHYS)pThis->cmdr_dqp, cc, cc < RT_ELEMENTS(g_apszCmplCodes) ? g_apszCmplCodes[cc] : "WHAT?!!",
+ uSlotID, uEpDCI, uIntTgt, uEvtData, uXferLen, fBlockInt, fEvent));
+
+ /* A transfer event may be either generated by TRB completion (in case
+ * fEvent=false) or by a special transfer event TRB (fEvent=true). In
+ * either case, interrupts may be suppressed.
+ */
+ RT_ZERO(ed);
+ ed.te.trb_ptr = uEvtData;
+ ed.te.xfr_len = uXferLen;
+ ed.te.cc = cc;
+ ed.te.ed = fEvent;
+ ed.te.type = XHCI_TRB_XFER;
+ ed.te.ep_id = uEpDCI;
+ ed.te.slot_id = uSlotID;
+ return xhciR3WriteEvent(pDevIns, pThis, &ed, uIntTgt, fBlockInt); /* Sets the cycle bit, too. */
+}
+
+
+static int xhciR3FindRhDevBySlot(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, uint8_t uSlotID, PXHCIROOTHUBR3 *ppRh, uint32_t *puPort)
+{
+ XHCI_SLOT_CTX slot_ctx;
+ PXHCIROOTHUBR3 pRh;
+ unsigned iPort;
+ int rc;
+
+ /// @todo Do any of these need to be release assertions?
+ Assert(uSlotID <= RT_ELEMENTS(pThis->aSlotState));
+ Assert(pThis->aSlotState[ID_TO_IDX(uSlotID)] > XHCI_DEVSLOT_EMPTY);
+
+ /* Load the slot context. */
+ xhciR3FetchDevCtx(pDevIns, pThis, uSlotID, 0, &slot_ctx);
+
+ /* The port ID is stored in the slot context. */
+ iPort = ID_TO_IDX(slot_ctx.rh_port);
+ if (iPort < XHCI_NDP_CFG(pThis))
+ {
+ /* Find the corresponding root hub. */
+ pRh = GET_PORT_PRH(pThisCC, iPort);
+ Assert(pRh);
+
+ /* And the device; if the device was ripped out fAttached will be false. */
+ if (pThisCC->aPorts[iPort].fAttached)
+ {
+ /* Provide the information the caller asked for. */
+ if (ppRh)
+ *ppRh = pRh;
+ if (puPort)
+ *puPort = GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort);
+ rc = VINF_SUCCESS;
+ }
+ else
+ {
+ LogFunc(("No device attached (port index %u)!\n", iPort));
+ rc = VERR_VUSB_DEVICE_NOT_ATTACHED;
+ }
+ }
+ else
+ {
+ LogFunc(("Port out of range (index %u)!\n", iPort));
+ rc = VERR_INVALID_PARAMETER;
+ }
+ return rc;
+}
+
+
+static void xhciR3EndlessTrbError(PPDMDEVINS pDevIns, PXHCI pThis)
+{
+ /* Clear the R/S bit and indicate controller error. */
+ ASMAtomicAndU32(&pThis->cmd, ~XHCI_CMD_RS);
+ ASMAtomicOrU32(&pThis->status, XHCI_STATUS_HCE);
+
+ /* Ensure that XHCI_STATUS_HCH gets set by the worker thread. */
+ xhciKickWorker(pDevIns, pThis, XHCI_JOB_XFER_DONE, 0);
+
+ LogRelMax(10, ("xHCI: Attempted to process too many TRBs, stopping xHC!\n"));
+}
+
+/**
+ * TRB walker callback prototype.
+ *
+ * @returns true if walking should continue.
+ * @returns false if walking should be terminated.
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state.
+ * @param pXferTRB Pointer to the transfer TRB to handle.
+ * @param GCPhysXfrTRB Physical address of the TRB.
+ * @param pvContext User-defined walk context.
+ * @remarks We don't need to use DECLCALLBACKPTR here, since all users are in
+ * the same source file, but having the functions marked with
+ * DECLCALLBACK helps readability.
+ */
+typedef DECLCALLBACKPTR(bool, PFNTRBWALKCB,(PPDMDEVINS pDevIns, PXHCI pThis, const XHCI_XFER_TRB *pXferTRB,
+ RTGCPHYS GCPhysXfrTRB, void *pvContext));
+
+
+/**
+ * Walk a chain of TRBs which comprise a single TD.
+ *
+ * This is something we need to do potentially more than once when submitting a
+ * URB and then often again when completing the URB. Note that the walker does
+ * not update the endpoint state (TRDP/TREP/DCS) so that it can be re-run
+ * multiple times.
+ *
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state.
+ * @param uTRP Initial TR pointer and DCS.
+ * @param pfnCbk Callback routine.
+ * @param pvContext User-defined walk context.
+ * @param pTREP Pointer to storage for final TR Enqueue Pointer/DCS.
+ */
+static int xhciR3WalkXferTrbChain(PPDMDEVINS pDevIns, PXHCI pThis, uint64_t uTRP,
+ PFNTRBWALKCB pfnCbk, void *pvContext, uint64_t *pTREP)
+{
+ RTGCPHYS GCPhysXfrTRB;
+ uint64_t uTREP;
+ XHCI_XFER_TRB XferTRB;
+ bool fContinue = true;
+ bool dcs;
+ int rc = VINF_SUCCESS;
+ unsigned cTrbs = 0;
+
+ AssertPtr(pvContext);
+ AssertPtr(pTREP);
+ Assert(uTRP);
+
+ /* Find the transfer TRB address and the DCS. */
+ GCPhysXfrTRB = uTRP & XHCI_TRDP_ADDR_MASK;
+ dcs = !!(uTRP & XHCI_TRDP_DCS_MASK); /* MSC upgrades bool to signed something when comparing with a uint8_t:1. */
+ LogFlowFunc(("Walking Transfer Ring, TREP:%RGp DCS=%u\n", GCPhysXfrTRB, dcs));
+
+ do {
+ /* Fetch the transfer TRB. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysXfrTRB, &XferTRB, sizeof(XferTRB));
+
+ if ((bool)XferTRB.gen.cycle == dcs)
+ {
+ Log2(("Walking TRB@%RGp, type %u (%s) %u bytes ENT=%u ISP=%u NS=%u CH=%u IOC=%u IDT=%u\n", GCPhysXfrTRB, XferTRB.gen.type,
+ XferTRB.gen.type < RT_ELEMENTS(g_apszTrbNames) ? g_apszTrbNames[XferTRB.gen.type] : "WHAT?!!",
+ XferTRB.gen.xfr_len, XferTRB.gen.ent, XferTRB.gen.isp, XferTRB.gen.ns, XferTRB.gen.ch, XferTRB.gen.ioc, XferTRB.gen.idt));
+
+ /* DCS matches, the TRB is ours to process. */
+ switch (XferTRB.gen.type) {
+ case XHCI_TRB_LINK:
+ Log2(("Link intra-TD: Ptr=%RGp IOC=%u TC=%u CH=%u\n", XferTRB.link.rseg_ptr, XferTRB.link.ioc, XferTRB.link.toggle, XferTRB.link.chain));
+ Assert(XferTRB.link.chain);
+ /* Do not update the actual TRDP/TREP and DCS yet, just the temporary images. */
+ GCPhysXfrTRB = XferTRB.link.rseg_ptr & XHCI_TRDP_ADDR_MASK;
+ if (XferTRB.link.toggle)
+ dcs = !dcs;
+ Assert(!XferTRB.link.ioc); /// @todo Needs to be reported.
+ break;
+ case XHCI_TRB_NORMAL:
+ case XHCI_TRB_ISOCH:
+ case XHCI_TRB_SETUP_STG:
+ case XHCI_TRB_DATA_STG:
+ case XHCI_TRB_STATUS_STG:
+ case XHCI_TRB_EVT_DATA:
+ fContinue = pfnCbk(pDevIns, pThis, &XferTRB, GCPhysXfrTRB, pvContext);
+ GCPhysXfrTRB += sizeof(XferTRB);
+ break;
+ default:
+ /* NB: No-op TRBs are not allowed within TDs (4.11.7). */
+ Log(("Bad TRB type %u found within TD!!\n", XferTRB.gen.type));
+ fContinue = false;
+ /// @todo Stop EP etc.?
+ }
+ }
+ else
+ {
+ /* We don't have a complete TD. Interesting times. */
+ Log2(("DCS mismatch, no more TRBs available.\n"));
+ fContinue = false;
+ rc = VERR_TRY_AGAIN;
+ }
+
+ /* Kill the xHC if the TRB list has no end in sight. */
+ if (++cTrbs > XHCI_MAX_NUM_TRBS)
+ {
+ /* Stop the xHC with an error. */
+ xhciR3EndlessTrbError(pDevIns, pThis);
+
+ /* Get out of the loop. */
+ fContinue = false;
+ rc = VERR_NOT_SUPPORTED; /* No good error code really... */
+ }
+ } while (fContinue);
+
+ /* Inform caller of the new TR Enqueue Pointer/DCS (not necessarily changed). */
+ Assert(!(GCPhysXfrTRB & ~XHCI_TRDP_ADDR_MASK));
+ uTREP = GCPhysXfrTRB | (unsigned)dcs;
+ Log2(("Final TRP after walk: %RGp\n", uTREP));
+ *pTREP = uTREP;
+
+ return rc;
+}
+
+
+/** Context for probing TD size. */
+typedef struct {
+ uint32_t uXferLen;
+ uint32_t cTRB;
+ uint32_t uXfrLenLastED;
+ uint32_t cTRBLastED;
+} XHCI_CTX_XFER_PROBE;
+
+
+/** Context for submitting 'out' TDs. */
+typedef struct {
+ PVUSBURB pUrb;
+ uint32_t uXferPos;
+ unsigned cTRB;
+} XHCI_CTX_XFER_SUBMIT;
+
+
+/** Context for completing TDs. */
+typedef struct {
+ PVUSBURB pUrb;
+ uint32_t uXferPos;
+ uint32_t uXferLeft;
+ unsigned cTRB;
+ uint32_t uEDTLA : 24;
+ uint32_t uLastCC : 8;
+ uint8_t uSlotID;
+ uint8_t uEpDCI;
+ bool fMaxCount;
+} XHCI_CTX_XFER_COMPLETE;
+
+
+/** Context for building isochronous URBs. */
+typedef struct {
+ PVUSBURB pUrb;
+ unsigned iPkt;
+ uint32_t offCur;
+ uint64_t uInitTREP;
+ bool fSubmitFailed;
+} XHCI_CTX_ISOCH;
+
+
+/**
+ * @callback_method_impl{PFNTRBWALKCB,
+ * Probe a TD and figure out how big it is so that a URB can be allocated to back it.}
+ */
+static DECLCALLBACK(bool)
+xhciR3WalkDataTRBsProbe(PPDMDEVINS pDevIns, PXHCI pThis, const XHCI_XFER_TRB *pXferTRB, RTGCPHYS GCPhysXfrTRB, void *pvContext)
+{
+ RT_NOREF(pDevIns, pThis, GCPhysXfrTRB);
+ XHCI_CTX_XFER_PROBE *pCtx = (XHCI_CTX_XFER_PROBE *)pvContext;
+
+ pCtx->cTRB++;
+
+ /* Only consider TRBs which transfer data. */
+ switch (pXferTRB->gen.type)
+ {
+ case XHCI_TRB_NORMAL:
+ case XHCI_TRB_ISOCH:
+ case XHCI_TRB_SETUP_STG:
+ case XHCI_TRB_DATA_STG:
+ case XHCI_TRB_STATUS_STG:
+ pCtx->uXferLen += pXferTRB->norm.xfr_len;
+ if (RT_UNLIKELY(pCtx->uXferLen > XHCI_MAX_TD_SIZE))
+ {
+ /* NB: We let the TD size get a bit past the max so that we don't lose anything,
+ * but the EDTLA will wrap around.
+ */
+ LogRelMax(10, ("xHCI: TD size (%u) too big, not continuing!\n", pCtx->uXferLen));
+ return false;
+ }
+ break;
+ case XHCI_TRB_EVT_DATA:
+ /* Remember where the last seen Event Data TRB was. */
+ pCtx->cTRBLastED = pCtx->cTRB;
+ pCtx->uXfrLenLastED = pCtx->uXferLen;
+ break;
+ default: /* Could be a link TRB, too. */
+ break;
+ }
+
+ return pXferTRB->gen.ch;
+}
+
+
+/**
+ * @callback_method_impl{PFNTRBWALKCB,
+ * Copy data from a TD (TRB chain) into the corresponding TD. OUT direction only.}
+ */
+static DECLCALLBACK(bool)
+xhciR3WalkDataTRBsSubmit(PPDMDEVINS pDevIns, PXHCI pThis, const XHCI_XFER_TRB *pXferTRB, RTGCPHYS GCPhysXfrTRB, void *pvContext)
+{
+ RT_NOREF(pThis, GCPhysXfrTRB);
+ XHCI_CTX_XFER_SUBMIT *pCtx = (XHCI_CTX_XFER_SUBMIT *)pvContext;
+ uint32_t uXferLen = pXferTRB->norm.xfr_len;
+
+
+ /* Only consider TRBs which transfer data. */
+ switch (pXferTRB->gen.type)
+ {
+ case XHCI_TRB_NORMAL:
+ case XHCI_TRB_ISOCH:
+ case XHCI_TRB_SETUP_STG:
+ case XHCI_TRB_DATA_STG:
+ case XHCI_TRB_STATUS_STG:
+ /* NB: Transfer length may be zero! */
+ /// @todo explain/verify abuse of various TRB types here (data stage mapped to normal etc.).
+ if (uXferLen)
+ {
+ /* Sanity check for broken guests (TRBs may have changed since probing). */
+ if (pCtx->uXferPos + uXferLen <= pCtx->pUrb->cbData)
+ {
+ /* Data might be immediate or elsewhere in memory. */
+ if (pXferTRB->norm.idt)
+ {
+ /* If an immediate data TRB claims there's more than 8 bytes, we have a problem. */
+ if (uXferLen > 8)
+ {
+ LogRelMax(10, ("xHCI: Immediate data TRB length %u bytes, ignoring!\n", uXferLen));
+ return false; /* Stop walking the chain immediately. */
+ }
+
+ Assert(uXferLen >= 1 && uXferLen <= 8);
+ Log2(("Copying %u bytes to URB offset %u (immediate data)\n", uXferLen, pCtx->uXferPos));
+ memcpy(pCtx->pUrb->abData + pCtx->uXferPos, pXferTRB, uXferLen);
+ }
+ else
+ {
+ PDMDevHlpPCIPhysReadUser(pDevIns, pXferTRB->norm.data_ptr, pCtx->pUrb->abData + pCtx->uXferPos, uXferLen);
+ Log2(("Copying %u bytes to URB offset %u (from %RGp)\n", uXferLen, pCtx->uXferPos, pXferTRB->norm.data_ptr));
+ }
+ pCtx->uXferPos += uXferLen;
+ }
+ else
+ {
+ LogRelMax(10, ("xHCI: Attempted to submit too much data, ignoring!\n"));
+ return false; /* Stop walking the chain immediately. */
+ }
+
+ }
+ break;
+ default: /* Could be an event or status stage TRB, too. */
+ break;
+ }
+ pCtx->cTRB++;
+
+ /// @todo Maybe have to make certain that the number of probed TRBs matches? Potentially
+ /// by the time TRBs get submitted, there might be more of them available if the TD was
+ /// initially not fully written by HCD.
+
+ return pXferTRB->gen.ch;
+}
+
+
+/**
+ * Perform URB completion processing.
+ *
+ * Figure out how much data was really transferred, post events if required, and
+ * for IN transfers, copy data from the URB.
+ *
+ * @callback_method_impl{PFNTRBWALKCB}
+ */
+static DECLCALLBACK(bool)
+xhciR3WalkDataTRBsComplete(PPDMDEVINS pDevIns, PXHCI pThis, const XHCI_XFER_TRB *pXferTRB, RTGCPHYS GCPhysXfrTRB, void *pvContext)
+{
+ XHCI_CTX_XFER_COMPLETE *pCtx = (XHCI_CTX_XFER_COMPLETE *)pvContext;
+ int rc;
+ unsigned uXferLen;
+ unsigned uResidue;
+ uint8_t cc;
+ bool fKeepGoing = true;
+
+ switch (pXferTRB->gen.type)
+ {
+ case XHCI_TRB_NORMAL:
+ case XHCI_TRB_ISOCH:
+ case XHCI_TRB_SETUP_STG:
+ case XHCI_TRB_DATA_STG: /// @todo document abuse; esp. check BEI bit
+ case XHCI_TRB_STATUS_STG:
+ /* Assume successful transfer. */
+ uXferLen = pXferTRB->norm.xfr_len;
+ cc = XHCI_TCC_SUCCESS;
+
+ /* If there was a short packet, handle it accordingly. */
+ if (pCtx->uXferLeft < uXferLen)
+ {
+ /* The completion code is set regardless of IOC/ISP. It may be
+ * reported later via an Event Data TRB (4.10.1.1)
+ */
+ uXferLen = pCtx->uXferLeft;
+ cc = XHCI_TCC_SHORT_PKT;
+ }
+
+ if (pCtx->pUrb->enmDir == VUSBDIRECTION_IN)
+ {
+ Assert(!pXferTRB->norm.idt);
+
+ /* NB: Transfer length may be zero! */
+ if (uXferLen)
+ {
+ if (uXferLen <= pCtx->uXferLeft)
+ {
+ Log2(("Writing %u bytes to %RGp from URB offset %u (TRB@%RGp)\n", uXferLen, pXferTRB->norm.data_ptr, pCtx->uXferPos, GCPhysXfrTRB));
+ PDMDevHlpPCIPhysWriteUser(pDevIns, pXferTRB->norm.data_ptr, pCtx->pUrb->abData + pCtx->uXferPos, uXferLen);
+ }
+ else
+ {
+ LogRelMax(10, ("xHCI: Attempted to read too much data, ignoring!\n"));
+ }
+ }
+ }
+
+ /* Update position within TD. */
+ pCtx->uXferLeft -= uXferLen;
+ pCtx->uXferPos += uXferLen;
+ Log2(("Current uXferLeft=%u, uXferPos=%u (length was %u)\n", pCtx->uXferLeft, pCtx->uXferPos, uXferLen));
+
+ /* Keep track of the EDTLA and last completion status. */
+ pCtx->uEDTLA += uXferLen; /* May wrap around! */
+ pCtx->uLastCC = cc;
+
+ /* Report events as required. */
+ uResidue = pXferTRB->norm.xfr_len - uXferLen;
+ if (pXferTRB->norm.ioc || (pXferTRB->norm.isp && uResidue))
+ {
+ rc = xhciR3PostXferEvent(pDevIns, pThis, pXferTRB->norm.int_tgt, uResidue, cc,
+ pCtx->uSlotID, pCtx->uEpDCI, GCPhysXfrTRB, pXferTRB->norm.bei, false);
+ }
+ break;
+ case XHCI_TRB_EVT_DATA:
+ if (pXferTRB->evtd.ioc)
+ {
+ rc = xhciR3PostXferEvent(pDevIns, pThis, pXferTRB->evtd.int_tgt, pCtx->uEDTLA, pCtx->uLastCC,
+ pCtx->uSlotID, pCtx->uEpDCI, pXferTRB->evtd.evt_data, pXferTRB->evtd.bei, true);
+ }
+ /* Clear the EDTLA. */
+ pCtx->uEDTLA = 0;
+ break;
+ default:
+ AssertMsgFailed(("%#x\n", pXferTRB->gen.type));
+ break;
+ }
+
+ pCtx->cTRB--;
+ /* For TD fragments, enforce the maximum count, but only as long as the transfer
+ * is successful. In case of error we have to complete the entire TD! */
+ if (!pCtx->cTRB && pCtx->fMaxCount && pCtx->uLastCC == XHCI_TCC_SUCCESS)
+ {
+ Log2(("Stopping at the end of TD Fragment.\n"));
+ fKeepGoing = false;
+ }
+
+ /* NB: We currently do not enforce that the number of TRBs can't change between
+ * submission and completion. If we do, we'll have to store it somewhere for
+ * isochronous URBs.
+ */
+ return pXferTRB->gen.ch && fKeepGoing;
+}
+
+/**
+ * Process (consume) non-data TRBs on a transfer ring. This function
+ * completes TRBs which do not have any URB associated with them. Only
+ * used with running endpoints. Usable regardless of whether there are
+ * in-flight TRBs or not. Returns the next TRB and its address to the
+ * caller. May modify the endpoint context!
+ *
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state.
+ * @param uSlotID The slot corresponding to this USB device.
+ * @param uEpDCI The DCI of this endpoint.
+ * @param pEpCtx Endpoint context. May be modified.
+ * @param pXfer Storage for returning the next TRB to caller.
+ * @param pGCPhys Storage for returning the physical address of TRB.
+ */
+static int xhciR3ConsumeNonXferTRBs(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID, uint8_t uEpDCI,
+ XHCI_EP_CTX *pEpCtx, XHCI_XFER_TRB *pXfer, RTGCPHYS *pGCPhys)
+{
+ XHCI_XFER_TRB xfer;
+ RTGCPHYS GCPhysXfrTRB = 0;
+ bool dcs;
+ bool fInFlight;
+ bool fContinue = true;
+ int rc;
+ unsigned cTrbs = 0;
+
+ LogFlowFunc(("Slot ID: %u, EP DCI %u\n", uSlotID, uEpDCI));
+ Assert(uSlotID > 0);
+ Assert(uSlotID <= XHCI_NDS);
+
+ Assert(pEpCtx->ep_state == XHCI_EPST_RUNNING);
+ do
+ {
+ /* Find the transfer TRB address. */
+ GCPhysXfrTRB = pEpCtx->trdp & XHCI_TRDP_ADDR_MASK;
+ dcs = !!(pEpCtx->trdp & XHCI_TRDP_DCS_MASK);
+
+ /* Determine whether there are any in-flight TRBs or not. This affects TREP
+ * processing -- when nothing is in flight, we have to move both TREP and TRDP;
+ * otherwise only the TRDP must be updated.
+ */
+ fInFlight = pEpCtx->trep != pEpCtx->trdp;
+ LogFlowFunc(("Skipping non-data TRBs, TREP:%RGp, TRDP:%RGp, in-flight: %RTbool\n", pEpCtx->trep, pEpCtx->trdp, fInFlight));
+
+ /* Fetch the transfer TRB. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysXfrTRB, &xfer, sizeof(xfer));
+
+ /* Make sure the Cycle State matches. */
+ if ((bool)xfer.gen.cycle == dcs)
+ {
+ Log2(("TRB @ %RGp, type %u (%s) %u bytes ENT=%u ISP=%u NS=%u CH=%u IOC=%u IDT=%u\n", GCPhysXfrTRB, xfer.gen.type,
+ xfer.gen.type < RT_ELEMENTS(g_apszTrbNames) ? g_apszTrbNames[xfer.gen.type] : "WHAT?!!",
+ xfer.gen.xfr_len, xfer.gen.ent, xfer.gen.isp, xfer.gen.ns, xfer.gen.ch, xfer.gen.ioc, xfer.gen.idt));
+
+ switch (xfer.gen.type) {
+ case XHCI_TRB_LINK:
+ Log2(("Link extra-TD: Ptr=%RGp IOC=%u TC=%u CH=%u\n", xfer.link.rseg_ptr, xfer.link.ioc, xfer.link.toggle, xfer.link.chain));
+ Assert(!xfer.link.chain);
+ /* Set new TRDP but leave DCS bit alone... */
+ pEpCtx->trdp = (xfer.link.rseg_ptr & XHCI_TRDP_ADDR_MASK) | (pEpCtx->trdp & XHCI_TRDP_DCS_MASK);
+ /* ...and flip the DCS bit if required. Then update the TREP. */
+ if (xfer.link.toggle)
+ pEpCtx->trdp = (pEpCtx->trdp & ~XHCI_TRDP_DCS_MASK) | (pEpCtx->trdp ^ XHCI_TRDP_DCS_MASK);
+ if (!fInFlight)
+ pEpCtx->trep = pEpCtx->trdp;
+ if (xfer.link.ioc)
+ rc = xhciR3PostXferEvent(pDevIns, pThis, xfer.link.int_tgt, 0, XHCI_TCC_SUCCESS, uSlotID, uEpDCI,
+ GCPhysXfrTRB, false, false);
+ break;
+ case XHCI_TRB_NOOP_XFER:
+ Log2(("No op xfer: IOC=%u CH=%u ENT=%u\n", xfer.nop.ioc, xfer.nop.ch, xfer.nop.ent));
+ /* A no-op transfer TRB must not be part of a chain. See 4.11.7. */
+ Assert(!xfer.link.chain);
+ /* Update enqueue/dequeue pointers. */
+ pEpCtx->trdp += sizeof(XHCI_XFER_TRB);
+ if (!fInFlight)
+ pEpCtx->trep += sizeof(XHCI_XFER_TRB);
+ if (xfer.nop.ioc)
+ rc = xhciR3PostXferEvent(pDevIns, pThis, xfer.nop.int_tgt, 0, XHCI_TCC_SUCCESS, uSlotID, uEpDCI,
+ GCPhysXfrTRB, false, false);
+ break;
+ default:
+ fContinue = false;
+ break;
+ }
+ }
+ else
+ {
+ LogFunc(("Transfer Ring empty\n"));
+ fContinue = false;
+ }
+
+ /* Kill the xHC if the TRB list has no end in sight. */
+ /* NB: The limit here could perhaps be much lower because a sequence of Link
+ * and No-op TRBs with no real work to be done would be highly suspect.
+ */
+ if (++cTrbs > XHCI_MAX_NUM_TRBS)
+ {
+ /* Stop the xHC with an error. */
+ xhciR3EndlessTrbError(pDevIns, pThis);
+
+ /* Get out of the loop. */
+ fContinue = false;
+ rc = VERR_NOT_SUPPORTED; /* No good error code really... */
+ }
+ } while (fContinue);
+
+ /* The caller will need the next TRB. Hand it over. */
+ Assert(GCPhysXfrTRB);
+ *pGCPhys = GCPhysXfrTRB;
+ *pXfer = xfer;
+ LogFlowFunc(("Final TREP:%RGp, TRDP:%RGp GCPhysXfrTRB:%RGp\n", pEpCtx->trep, pEpCtx->trdp, GCPhysXfrTRB));
+
+ return VINF_SUCCESS;
+}
+
+/**
+ * Transfer completion callback routine.
+ *
+ * VUSB will call this when a transfer have been completed
+ * in a one or another way.
+ *
+ * @param pInterface Pointer to XHCI::ROOTHUB::IRhPort.
+ * @param pUrb Pointer to the URB in question.
+ */
+static DECLCALLBACK(void) xhciR3RhXferCompletion(PVUSBIROOTHUBPORT pInterface, PVUSBURB pUrb)
+{
+ PXHCIROOTHUBR3 pRh = RT_FROM_MEMBER(pInterface, XHCIROOTHUBR3, IRhPort);
+ PXHCICC pThisCC = pRh->pXhciR3;
+ PPDMDEVINS pDevIns = pThisCC->pDevIns;
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ XHCI_SLOT_CTX slot_ctx;
+ XHCI_EP_CTX ep_ctx;
+ XHCI_XFER_TRB xfer;
+ RTGCPHYS GCPhysXfrTRB;
+ int rc;
+ unsigned uResidue = 0;
+ uint8_t uSlotID = pUrb->pHci->uSlotID;
+ uint8_t cc = XHCI_TCC_SUCCESS;
+ uint8_t uEpDCI;
+
+ /* Check for URBs completed synchronously as part of xHCI command execution.
+ * The URB will have zero cTRB as it's not associated with a TD.
+ */
+ if (!pUrb->pHci->cTRB)
+ {
+ LogFlow(("%s: xhciR3RhXferCompletion: uSlotID=%u EP=%u cTRB=%d cbData=%u status=%u\n",
+ pUrb->pszDesc, uSlotID, pUrb->EndPt, pUrb->pHci->cTRB, pUrb->cbData, pUrb->enmStatus));
+ LogFlow(("%s: xhciR3RhXferCompletion: Completing xHCI-generated request\n", pUrb->pszDesc));
+ return;
+ }
+
+ /* If the xHC isn't running, just drop the URB right here. */
+ if (pThis->status & XHCI_STATUS_HCH)
+ {
+ LogFlow(("%s: xhciR3RhXferCompletion: uSlotID=%u EP=%u cTRB=%d cbData=%u status=%u\n",
+ pUrb->pszDesc, uSlotID, pUrb->EndPt, pUrb->pHci->cTRB, pUrb->cbData, pUrb->enmStatus));
+ LogFlow(("%s: xhciR3RhXferCompletion: xHC halted, skipping URB completion\n", pUrb->pszDesc));
+ return;
+ }
+
+#ifdef XHCI_ERROR_INJECTION
+ if (pThis->fDropUrb)
+ {
+ LogFlow(("%s: xhciR3RhXferCompletion: Error injection, dropping URB!\n", pUrb->pszDesc));
+ pThis->fDropUrb = false;
+ return;
+ }
+#endif
+
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+
+ /* Convert USB endpoint address to xHCI format. */
+ if (pUrb->EndPt)
+ uEpDCI = pUrb->EndPt * 2 + (pUrb->enmDir == VUSBDIRECTION_IN ? 1 : 0);
+ else
+ uEpDCI = 1; /* EP 0 */
+
+ LogFlow(("%s: xhciR3RhXferCompletion: uSlotID=%u EP=%u cTRB=%d\n",
+ pUrb->pszDesc, uSlotID, pUrb->EndPt, pUrb->pHci->cTRB));
+ LogFlow(("%s: xhciR3RhXferCompletion: EP DCI=%u, cbData=%u status=%u\n", pUrb->pszDesc, uEpDCI, pUrb->cbData, pUrb->enmStatus));
+
+ /* Load the slot/endpoint contexts from guest memory. */
+ xhciR3FetchCtxAndEp(pDevIns, pThis, uSlotID, uEpDCI, &slot_ctx, &ep_ctx);
+
+ /* If the EP is disabled, we don't own it so we can't complete the URB.
+ * Leave this EP alone and drop the URB.
+ */
+ if (ep_ctx.ep_state != XHCI_EPST_RUNNING)
+ {
+ Log(("EP DCI %u not running (state %u), skipping URB completion\n", uEpDCI, ep_ctx.ep_state));
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ return;
+ }
+
+ /* Now complete any non-transfer TRBs that might be on the transfer ring before
+ * the TRB(s) corresponding to this URB. Preloads the TRB as a side effect.
+ * Endpoint state now must be written back in case it was modified!
+ */
+ xhciR3ConsumeNonXferTRBs(pDevIns, pThis, uSlotID, uEpDCI, &ep_ctx, &xfer, &GCPhysXfrTRB);
+
+ /* Deal with failures which halt the EP first. */
+ if (RT_UNLIKELY(pUrb->enmStatus != VUSBSTATUS_OK))
+ {
+ switch(pUrb->enmStatus)
+ {
+ case VUSBSTATUS_STALL:
+ /* Halt the endpoint and inform the HCD.
+ * NB: The TRDP is NOT advanced in case of error.
+ */
+ ep_ctx.ep_state = XHCI_EPST_HALTED;
+ cc = XHCI_TCC_STALL;
+ rc = xhciR3PostXferEvent(pDevIns, pThis, xfer.gen.int_tgt, uResidue, cc,
+ uSlotID, uEpDCI, GCPhysXfrTRB, false, false);
+ break;
+ case VUSBSTATUS_DNR:
+ /* Halt the endpoint and inform the HCD.
+ * NB: The TRDP is NOT advanced in case of error.
+ */
+ ep_ctx.ep_state = XHCI_EPST_HALTED;
+ cc = XHCI_TCC_USB_XACT_ERR;
+ rc = xhciR3PostXferEvent(pDevIns, pThis, xfer.gen.int_tgt, uResidue, cc,
+ uSlotID, uEpDCI, GCPhysXfrTRB, false, false);
+ break;
+ case VUSBSTATUS_CRC: /// @todo Separate status for canceling?!
+ ep_ctx.ep_state = XHCI_EPST_HALTED;
+ cc = XHCI_TCC_USB_XACT_ERR;
+ rc = xhciR3PostXferEvent(pDevIns, pThis, xfer.gen.int_tgt, uResidue, cc,
+ uSlotID, uEpDCI, GCPhysXfrTRB, false, false);
+
+ /* NB: The TRDP is *not* advanced and TREP is reset. */
+ ep_ctx.trep = ep_ctx.trdp;
+ break;
+ case VUSBSTATUS_DATA_OVERRUN:
+ case VUSBSTATUS_DATA_UNDERRUN:
+ /* Halt the endpoint and inform the HCD.
+ * NB: The TRDP is NOT advanced in case of error.
+ */
+ ep_ctx.ep_state = XHCI_EPST_HALTED;
+ cc = XHCI_TCC_DATA_BUF_ERR;
+ rc = xhciR3PostXferEvent(pDevIns, pThis, xfer.gen.int_tgt, uResidue, cc,
+ uSlotID, uEpDCI, GCPhysXfrTRB, false, false);
+ break;
+ default:
+ AssertMsgFailed(("Unexpected URB status %u\n", pUrb->enmStatus));
+ }
+
+ if (pUrb->enmType == VUSBXFERTYPE_ISOC)
+ STAM_COUNTER_INC(&pThis->StatErrorIsocUrbs);
+ }
+ else if (xfer.gen.type == XHCI_TRB_NORMAL)
+ {
+ XHCI_CTX_XFER_COMPLETE ctxComplete;
+ uint64_t uTRDP;
+
+ ctxComplete.pUrb = pUrb;
+ ctxComplete.uXferPos = 0;
+ ctxComplete.uXferLeft = pUrb->cbData;
+ ctxComplete.cTRB = pUrb->pHci->cTRB;
+ ctxComplete.uSlotID = uSlotID;
+ ctxComplete.uEpDCI = uEpDCI;
+ ctxComplete.uEDTLA = 0; // Always zero at the beginning of a new TD.
+ ctxComplete.uLastCC = cc;
+ ctxComplete.fMaxCount = ep_ctx.ifc >= XHCI_NO_QUEUING_IN_FLIGHT;
+ xhciR3WalkXferTrbChain(pDevIns, pThis, ep_ctx.trdp, xhciR3WalkDataTRBsComplete, &ctxComplete, &uTRDP);
+ ep_ctx.last_cc = ctxComplete.uLastCC;
+ ep_ctx.trdp = uTRDP;
+
+ if (ep_ctx.ifc >= XHCI_NO_QUEUING_IN_FLIGHT)
+ ep_ctx.ifc -= XHCI_NO_QUEUING_IN_FLIGHT; /* TD fragment done, allow further queuing. */
+ else
+ ep_ctx.ifc--; /* TD done, decrement in-flight counter. */
+ }
+ else if (xfer.gen.type == XHCI_TRB_ISOCH)
+ {
+ XHCI_CTX_XFER_COMPLETE ctxComplete;
+ uint64_t uTRDP;
+ unsigned iPkt;
+
+ ctxComplete.pUrb = pUrb;
+ ctxComplete.uSlotID = uSlotID;
+ ctxComplete.uEpDCI = uEpDCI;
+
+ for (iPkt = 0; iPkt < pUrb->cIsocPkts; ++iPkt) {
+ ctxComplete.uXferPos = pUrb->aIsocPkts[iPkt].off;
+ ctxComplete.uXferLeft = pUrb->aIsocPkts[iPkt].cb;
+ ctxComplete.cTRB = pUrb->pHci->cTRB;
+ ctxComplete.uEDTLA = 0; // Zero at TD start.
+ ctxComplete.uLastCC = cc;
+ ctxComplete.fMaxCount = false;
+ if (pUrb->aIsocPkts[iPkt].enmStatus != VUSBSTATUS_OK)
+ STAM_COUNTER_INC(&pThis->StatErrorIsocPkts);
+ xhciR3WalkXferTrbChain(pDevIns, pThis, ep_ctx.trdp, xhciR3WalkDataTRBsComplete, &ctxComplete, &uTRDP);
+ ep_ctx.last_cc = ctxComplete.uLastCC;
+ ep_ctx.trdp = uTRDP;
+ xhciR3ConsumeNonXferTRBs(pDevIns, pThis, uSlotID, uEpDCI, &ep_ctx, &xfer, &GCPhysXfrTRB);
+ }
+ ep_ctx.ifc--; /* TD done, decrement in-flight counter. */
+ }
+ else if (xfer.gen.type == XHCI_TRB_SETUP_STG || xfer.gen.type == XHCI_TRB_DATA_STG || xfer.gen.type == XHCI_TRB_STATUS_STG)
+ {
+ XHCI_CTX_XFER_COMPLETE ctxComplete;
+ uint64_t uTRDP;
+
+ ctxComplete.pUrb = pUrb;
+ ctxComplete.uXferPos = 0;
+ ctxComplete.uXferLeft = pUrb->cbData;
+ ctxComplete.cTRB = pUrb->pHci->cTRB;
+ ctxComplete.uSlotID = uSlotID;
+ ctxComplete.uEpDCI = uEpDCI;
+ ctxComplete.uEDTLA = 0; // Always zero at the beginning of a new TD.
+ ctxComplete.uLastCC = cc;
+ ctxComplete.fMaxCount = ep_ctx.ifc >= XHCI_NO_QUEUING_IN_FLIGHT;
+ xhciR3WalkXferTrbChain(pDevIns, pThis, ep_ctx.trdp, xhciR3WalkDataTRBsComplete, &ctxComplete, &uTRDP);
+ ep_ctx.last_cc = ctxComplete.uLastCC;
+ ep_ctx.trdp = uTRDP;
+ }
+ else
+ {
+ AssertMsgFailed(("Unexpected TRB type %u\n", xfer.gen.type));
+ Log2(("TRB @ %RGp, type %u unexpected!\n", GCPhysXfrTRB, xfer.gen.type));
+ /* Advance the TRDP anyway so that the endpoint isn't completely stuck. */
+ ep_ctx.trdp += sizeof(XHCI_XFER_TRB);
+ }
+
+ /* Update the endpoint state. */
+ xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uEpDCI, &ep_ctx);
+
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+
+ if (pUrb->enmStatus == VUSBSTATUS_OK)
+ {
+ /* Completion callback usually runs on a separate thread. Let the worker do more. */
+ Log2(("Ring bell for slot %u, DCI %u\n", uSlotID, uEpDCI));
+ ASMAtomicOrU32(&pThis->aBellsRung[ID_TO_IDX(uSlotID)], 1 << uEpDCI);
+ xhciKickWorker(pDevIns, pThis, XHCI_JOB_XFER_DONE, 0);
+ }
+}
+
+
+/**
+ * Handle transfer errors.
+ *
+ * VUSB calls this when a transfer attempt failed. This function will respond
+ * indicating whether to retry or complete the URB with failure.
+ *
+ * @returns true if the URB should be retired.
+ * @returns false if the URB should be re-tried.
+ * @param pInterface Pointer to XHCI::ROOTHUB::IRhPort.
+ * @param pUrb Pointer to the URB in question.
+ */
+static DECLCALLBACK(bool) xhciR3RhXferError(PVUSBIROOTHUBPORT pInterface, PVUSBURB pUrb)
+{
+ PXHCIROOTHUBR3 pRh = RT_FROM_MEMBER(pInterface, XHCIROOTHUBR3, IRhPort);
+ PXHCICC pThisCC = pRh->pXhciR3;
+ PXHCI pThis = PDMDEVINS_2_DATA(pThisCC->pDevIns, PXHCI);
+ bool fRetire = true;
+
+ /* If the xHC isn't running, get out of here immediately. */
+ if (pThis->status & XHCI_STATUS_HCH)
+ {
+ Log(("xHC halted, skipping URB error handling\n"));
+ return fRetire;
+ }
+
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+
+ Assert(pUrb->pHci->cTRB); /* xHCI-generated URBs should not fail! */
+ if (!pUrb->pHci->cTRB)
+ {
+ Log(("%s: Failing xHCI-generated request!\n", pUrb->pszDesc));
+ }
+ else if (pUrb->enmStatus == VUSBSTATUS_STALL)
+ {
+ /* Don't retry on stall. */
+ Log2(("%s: xhciR3RhXferError: STALL, giving up.\n", pUrb->pszDesc));
+ } else if (pUrb->enmStatus == VUSBSTATUS_CRC) {
+ /* Don't retry on CRC errors either. These indicate canceled URBs, among others. */
+ Log2(("%s: xhciR3RhXferError: CRC, giving up.\n", pUrb->pszDesc));
+ } else if (pUrb->enmStatus == VUSBSTATUS_DNR) {
+ /* Don't retry on DNR errors. These indicate the device vanished. */
+ Log2(("%s: xhciR3RhXferError: DNR, giving up.\n", pUrb->pszDesc));
+ } else if (pUrb->enmStatus == VUSBSTATUS_DATA_OVERRUN) {
+ /* Don't retry on OVERRUN errors. These indicate a fatal error. */
+ Log2(("%s: xhciR3RhXferError: OVERRUN, giving up.\n", pUrb->pszDesc));
+ } else if (pUrb->enmStatus == VUSBSTATUS_DATA_UNDERRUN) {
+ /* Don't retry on UNDERRUN errors. These indicate a fatal error. */
+ Log2(("%s: xhciR3RhXferError: UNDERRUN, giving up.\n", pUrb->pszDesc));
+ } else {
+ /// @todo
+ AssertMsgFailed(("%#x\n", pUrb->enmStatus));
+ }
+
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ return fRetire;
+}
+
+
+/**
+ * Queue a TD composed of normal TRBs, event data TRBs, and suchlike.
+ *
+ * @returns VBox status code.
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state, shared edition.
+ * @param pThisCC The xHCI device state, ring-3 edition.
+ * @param pRh Root hub for the device.
+ * @param GCPhysTRB Physical gues address of the TRB.
+ * @param pTrb Pointer to the contents of the first TRB.
+ * @param pEpCtx Pointer to the cached EP context.
+ * @param uSlotID ID of the associated slot context.
+ * @param uAddr The device address.
+ * @param uEpDCI The DCI(!) of the endpoint.
+ */
+static int xhciR3QueueDataTD(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, PXHCIROOTHUBR3 pRh, RTGCPHYS GCPhysTRB,
+ XHCI_XFER_TRB *pTrb, XHCI_EP_CTX *pEpCtx, uint8_t uSlotID, uint8_t uAddr, uint8_t uEpDCI)
+{
+ RT_NOREF(GCPhysTRB);
+ XHCI_CTX_XFER_PROBE ctxProbe;
+ XHCI_CTX_XFER_SUBMIT ctxSubmit;
+ uint64_t uTREP;
+ bool fFragOnly = false;
+ int rc;
+ VUSBXFERTYPE enmType;
+ VUSBDIRECTION enmDir;
+
+ /* Discover how big this TD is. */
+ RT_ZERO(ctxProbe);
+ rc = xhciR3WalkXferTrbChain(pDevIns, pThis, pEpCtx->trep, xhciR3WalkDataTRBsProbe, &ctxProbe, &uTREP);
+ if (RT_SUCCESS(rc))
+ LogFlowFunc(("Probed %u TRBs, %u bytes total, TREP@%RX64\n", ctxProbe.cTRB, ctxProbe.uXferLen, uTREP));
+ else
+ {
+ LogFlowFunc(("Probing failed after %u TRBs, %u bytes total (last ED after %u TRBs and %u bytes), TREP@%RX64\n", ctxProbe.cTRB, ctxProbe.uXferLen, ctxProbe.cTRBLastED, ctxProbe.uXfrLenLastED, uTREP));
+ if (rc == VERR_TRY_AGAIN && pTrb->gen.type == XHCI_TRB_NORMAL && ctxProbe.cTRBLastED)
+ {
+ /* The TD is incomplete, but we have at least one TD fragment. We can create a URB for
+ * what we have but we can't safely queue any more because if any error occurs, the
+ * TD needs to fail as a whole.
+ * OS X Mavericks and Yosemite tend to trigger this case when reading from USB 3.0
+ * MSDs (transfers up to 1MB).
+ */
+ fFragOnly = true;
+
+ /* Because we currently do not maintain the EDTLA across URBs, we have to only submit
+ * TD fragments up to where we last saw an Event Data TRB. If there was no Event Data
+ * TRB, we'll just try waiting a bit longer for the TD to be complete or an Event Data
+ * TRB to show up. The guest is extremely likely to do one or the other, since otherwise
+ * it has no way to tell when the transfer completed.
+ */
+ ctxProbe.cTRB = ctxProbe.cTRBLastED;
+ ctxProbe.uXferLen = ctxProbe.uXfrLenLastED;
+ }
+ else
+ return rc;
+ }
+
+ /* Determine the transfer kind based on endpoint type. */
+ switch (pEpCtx->ep_type)
+ {
+ case XHCI_EPTYPE_BULK_IN:
+ case XHCI_EPTYPE_BULK_OUT:
+ enmType = VUSBXFERTYPE_BULK;
+ break;
+ case XHCI_EPTYPE_INTR_IN:
+ case XHCI_EPTYPE_INTR_OUT:
+ enmType = VUSBXFERTYPE_INTR;
+ break;
+ case XHCI_EPTYPE_CONTROL:
+ enmType = VUSBXFERTYPE_CTRL;
+ break;
+ case XHCI_EPTYPE_ISOCH_IN:
+ case XHCI_EPTYPE_ISOCH_OUT:
+ default:
+ enmType = VUSBXFERTYPE_INVALID;
+ AssertMsgFailed(("%#x\n", pEpCtx->ep_type));
+ }
+
+ /* Determine the direction based on endpoint type. */
+ switch (pEpCtx->ep_type)
+ {
+ case XHCI_EPTYPE_BULK_IN:
+ case XHCI_EPTYPE_INTR_IN:
+ enmDir = VUSBDIRECTION_IN;
+ break;
+ case XHCI_EPTYPE_BULK_OUT:
+ case XHCI_EPTYPE_INTR_OUT:
+ enmDir = VUSBDIRECTION_OUT;
+ break;
+ default:
+ enmDir = VUSBDIRECTION_INVALID;
+ AssertMsgFailed(("%#x\n", pEpCtx->ep_type));
+ }
+
+ /* Allocate and initialize a URB. */
+ PVUSBURB pUrb = VUSBIRhNewUrb(pRh->pIRhConn, uAddr, VUSB_DEVICE_PORT_INVALID, enmType, enmDir, ctxProbe.uXferLen, ctxProbe.cTRB, NULL);
+ if (!pUrb)
+ return VERR_OUT_OF_RESOURCES; /// @todo handle error!
+
+ STAM_COUNTER_ADD(&pThis->StatTRBsPerDtaUrb, ctxProbe.cTRB);
+
+ /* See 4.5.1 about xHCI vs. USB endpoint addressing. */
+ Assert(uEpDCI);
+
+ pUrb->EndPt = uEpDCI / 2; /* DCI = EP * 2 + direction */
+ pUrb->fShortNotOk = false; /* We detect short packets ourselves. */
+ pUrb->enmStatus = VUSBSTATUS_OK;
+
+ /// @todo Cross check that the EP type corresponds to direction. Probably
+ //should check when configuring device?
+ pUrb->pHci->uSlotID = uSlotID;
+
+ /* For OUT transfers, copy the TD data into the URB. */
+ if (pUrb->enmDir == VUSBDIRECTION_OUT)
+ {
+ ctxSubmit.pUrb = pUrb;
+ ctxSubmit.uXferPos = 0;
+ ctxSubmit.cTRB = 0;
+ xhciR3WalkXferTrbChain(pDevIns, pThis, pEpCtx->trep, xhciR3WalkDataTRBsSubmit, &ctxSubmit, &uTREP);
+ Assert(ctxProbe.cTRB == ctxSubmit.cTRB);
+ ctxProbe.cTRB = ctxSubmit.cTRB;
+ }
+
+ /* If only completing a fragment, remember the TRB count and increase
+ * the in-flight count past the limit so we won't queue any more.
+ */
+ pUrb->pHci->cTRB = ctxProbe.cTRB;
+ if (fFragOnly)
+ /* Bit of a hack -- prevent further queuing. */
+ pEpCtx->ifc += XHCI_NO_QUEUING_IN_FLIGHT;
+ else
+ /* Increment the in-flight counter before queuing more. */
+ pEpCtx->ifc++;
+
+ /* Commit the updated TREP; submitting the URB may already invoke completion callbacks. */
+ pEpCtx->trep = uTREP;
+ xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uEpDCI, pEpCtx);
+
+ /*
+ * Submit the URB.
+ */
+ STAM_COUNTER_ADD(&pThis->StatUrbSizeData, pUrb->cbData);
+ Log(("%s: xhciR3QueueDataTD: Addr=%u, EndPt=%u, enmDir=%u cbData=%u\n",
+ pUrb->pszDesc, pUrb->DstAddress, pUrb->EndPt, pUrb->enmDir, pUrb->cbData));
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ rc = VUSBIRhSubmitUrb(pRh->pIRhConn, pUrb, &pRh->Led);
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+ if (RT_SUCCESS(rc))
+ return VINF_SUCCESS;
+
+ /* Failure cleanup. Can happen if we're still resetting the device or out of resources,
+ * or the user just ripped out the device.
+ */
+ /// @todo Mark the EP as halted and inactive and write back the changes.
+
+ return VERR_OUT_OF_RESOURCES;
+}
+
+
+/**
+ * Queue an isochronous TD composed of isochronous and normal TRBs, event
+ * data TRBs, and suchlike. This TD may either correspond to a single URB or
+ * form one packet of an isochronous URB.
+ *
+ * @returns VBox status code.
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state, shared edition.
+ * @param pThisCC The xHCI device state, ring-3 edition.
+ * @param pRh Root hub for the device.
+ * @param GCPhysTRB Physical guest address of the TRB.
+ * @param pTrb Pointer to the contents of the first TRB.
+ * @param pEpCtx Pointer to the cached EP context.
+ * @param uSlotID ID of the associated slot context.
+ * @param uAddr The device address.
+ * @param uEpDCI The DCI(!) of the endpoint.
+ * @param pCtxIso Additional isochronous URB context.
+ */
+static int xhciR3QueueIsochTD(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, PXHCIROOTHUBR3 pRh, RTGCPHYS GCPhysTRB,
+ XHCI_XFER_TRB *pTrb, XHCI_EP_CTX *pEpCtx, uint8_t uSlotID, uint8_t uAddr, uint8_t uEpDCI,
+ XHCI_CTX_ISOCH *pCtxIso)
+{
+ RT_NOREF(GCPhysTRB, pTrb);
+ XHCI_CTX_XFER_PROBE ctxProbe;
+ XHCI_CTX_XFER_SUBMIT ctxSubmit;
+ uint64_t uTREP;
+ PVUSBURB pUrb;
+ unsigned cIsoPackets;
+ uint32_t cbPktMax;
+
+ /* Discover how big this TD is. */
+ RT_ZERO(ctxProbe);
+ xhciR3WalkXferTrbChain(pDevIns, pThis, pEpCtx->trep, xhciR3WalkDataTRBsProbe, &ctxProbe, &uTREP);
+ LogFlowFunc(("Probed %u TRBs, %u bytes total, TREP@%RX64\n", ctxProbe.cTRB, ctxProbe.uXferLen, uTREP));
+
+ /* See 4.5.1 about xHCI vs. USB endpoint addressing. */
+ Assert(uEpDCI);
+
+ /* For isochronous transfers, there's a bit of extra work to do. The interval
+ * is key and determines whether the TD will directly correspond to a URB or
+ * if it will only form part of a larger URB. In any case, one TD equals one
+ * 'packet' of an isochronous URB.
+ */
+ switch (pEpCtx->interval)
+ {
+ case 0: /* Every 2^0 * 125us, i.e. 8 per frame. */
+ cIsoPackets = 8;
+ break;
+ case 1: /* Every 2^1 * 125us, i.e. 4 per frame. */
+ cIsoPackets = 4;
+ break;
+ case 2: /* Every 2^2 * 125us, i.e. 2 per frame. */
+ cIsoPackets = 2;
+ break;
+ case 3: /* Every 2^3 * 125us, i.e. 1 per frame. */
+ default:/* Or any larger interval (every n frames).*/
+ cIsoPackets = 1;
+ break;
+ }
+
+ /* We do not know exactly how much data might be transferred until we
+ * look at all TDs/packets that constitute the URB. However, we do know
+ * the maximum possible size even without probing any TDs at all.
+ * The actual size is expected to be the same or at most slightly smaller,
+ * hence it makes sense to allocate the URB right away and copy data into
+ * it as we go, rather than doing complicated probing first.
+ * The Max Endpoint Service Interval Time (ESIT) Payload defines the
+ * maximum number of bytes that can be transferred per interval (4.14.2).
+ * Unfortunately Apple was lazy and their driver leaves the Max ESIT
+ * Payload as zero, so we have to do the math ourselves.
+ */
+
+ /* Calculate the maximum transfer size per (micro)frame. */
+ /// @todo This ought to be stored within the URB somewhere.
+ cbPktMax = pEpCtx->max_pkt_sz * (pEpCtx->max_brs_sz + 1) * (pEpCtx->mult + 1);
+ if (!pCtxIso->pUrb)
+ {
+ uint32_t cbUrbMax = cIsoPackets * cbPktMax;
+
+ /* Validate endpoint type. */
+ AssertMsg(pEpCtx->ep_type == XHCI_EPTYPE_ISOCH_IN || pEpCtx->ep_type == XHCI_EPTYPE_ISOCH_OUT,
+ ("%#x\n", pEpCtx->ep_type));
+
+ /* Allocate and initialize a new URB. */
+ pUrb = VUSBIRhNewUrb(pRh->pIRhConn, uAddr, VUSB_DEVICE_PORT_INVALID, VUSBXFERTYPE_ISOC,
+ (pEpCtx->ep_type == XHCI_EPTYPE_ISOCH_IN) ? VUSBDIRECTION_IN : VUSBDIRECTION_OUT,
+ cbUrbMax, ctxProbe.cTRB, NULL);
+ if (!pUrb)
+ return VERR_OUT_OF_RESOURCES; /// @todo handle error!
+
+ STAM_COUNTER_ADD(&pThis->StatTRBsPerIsoUrb, ctxProbe.cTRB);
+
+ LogFlowFunc(("Allocated URB with %u packets, %u bytes total (ESIT payload %u)\n", cIsoPackets, cbUrbMax, cbPktMax));
+
+ pUrb->EndPt = uEpDCI / 2; /* DCI = EP * 2 + direction */
+ pUrb->fShortNotOk = false; /* We detect short packets ourselves. */
+ pUrb->enmStatus = VUSBSTATUS_OK;
+ pUrb->cIsocPkts = cIsoPackets;
+ pUrb->pHci->uSlotID = uSlotID;
+ pUrb->pHci->cTRB = ctxProbe.cTRB;
+
+ /* If TRB says so or if there are multiple packets per interval, don't even
+ * bother with frame counting and schedule everything ASAP.
+ */
+ if (pTrb->isoc.sia || cIsoPackets != 1)
+ pUrb->uStartFrameDelta = 0;
+ else
+ {
+ uint16_t uFrameDelta;
+ uint32_t uPort;
+
+ /* Abort the endpoint, i.e. cancel any outstanding URBs. This needs to be done after
+ * writing back the EP state so that the completion callback can operate.
+ */
+ if (RT_SUCCESS(xhciR3FindRhDevBySlot(pDevIns, pThis, pThisCC, uSlotID, NULL, &uPort)))
+ {
+
+ uFrameDelta = pRh->pIRhConn->pfnUpdateIsocFrameDelta(pRh->pIRhConn, uPort, uEpDCI / 2,
+ uEpDCI & 1 ? VUSBDIRECTION_IN : VUSBDIRECTION_OUT,
+ pTrb->isoc.frm_id, XHCI_FRAME_ID_BITS);
+ pUrb->uStartFrameDelta = uFrameDelta;
+ Log(("%s: Isoch frame delta set to %u\n", pUrb->pszDesc, uFrameDelta));
+ }
+ else
+ {
+ Log(("%s: Failed to find device for slot! Setting frame delta to zero.\n", pUrb->pszDesc));
+ pUrb->uStartFrameDelta = 0;
+ }
+ }
+
+ Log(("%s: Addr=%u, EndPt=%u, enmDir=%u cIsocPkts=%u cbData=%u FrmID=%u Isoch URB created\n",
+ pUrb->pszDesc, pUrb->DstAddress, pUrb->EndPt, pUrb->enmDir, pUrb->cIsocPkts, pUrb->cbData, pTrb->isoc.frm_id));
+
+ /* Set up the context for later use. */
+ pCtxIso->pUrb = pUrb;
+ /* Save the current TREP in case we need to rewind. */
+ pCtxIso->uInitTREP = pEpCtx->trep;
+ }
+ else
+ {
+ Assert(cIsoPackets > 1);
+ /* Grab the URB we initialized earlier. */
+ pUrb = pCtxIso->pUrb;
+ }
+
+ /* Set up the packet corresponding to this TD. */
+ pUrb->aIsocPkts[pCtxIso->iPkt].cb = RT_MIN(ctxProbe.uXferLen, cbPktMax);
+ pUrb->aIsocPkts[pCtxIso->iPkt].off = pCtxIso->offCur;
+ pUrb->aIsocPkts[pCtxIso->iPkt].enmStatus = VUSBSTATUS_NOT_ACCESSED;
+
+ /* For OUT transfers, copy the TD data into the URB. */
+ if (pUrb->enmDir == VUSBDIRECTION_OUT)
+ {
+ ctxSubmit.pUrb = pUrb;
+ ctxSubmit.uXferPos = pCtxIso->offCur;
+ ctxSubmit.cTRB = 0;
+ xhciR3WalkXferTrbChain(pDevIns, pThis, pEpCtx->trep, xhciR3WalkDataTRBsSubmit, &ctxSubmit, &uTREP);
+ Assert(ctxProbe.cTRB == ctxSubmit.cTRB);
+ }
+
+ /* Done preparing this packet. */
+ Assert(pCtxIso->iPkt < 8);
+ pCtxIso->iPkt++;
+ pCtxIso->offCur += ctxProbe.uXferLen;
+ Assert(pCtxIso->offCur <= pUrb->cbData);
+
+ /* Increment the in-flight counter before queuing more. */
+ if (pCtxIso->iPkt == pUrb->cIsocPkts)
+ pEpCtx->ifc++;
+
+ /* Commit the updated TREP; submitting the URB may already invoke completion callbacks. */
+ pEpCtx->trep = uTREP;
+ xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uEpDCI, pEpCtx);
+
+ /* If the URB is complete, submit it. */
+ if (pCtxIso->iPkt == pUrb->cIsocPkts)
+ {
+ /* Change cbData to reflect how much data should be transferred. This can differ
+ * from how much data was allocated for the URB.
+ */
+ pUrb->cbData = pCtxIso->offCur;
+ STAM_COUNTER_ADD(&pThis->StatUrbSizeIsoc, pUrb->cbData);
+ Log(("%s: Addr=%u, EndPt=%u, enmDir=%u cIsocPkts=%u cbData=%u Isoch URB being submitted\n",
+ pUrb->pszDesc, pUrb->DstAddress, pUrb->EndPt, pUrb->enmDir, pUrb->cIsocPkts, pUrb->cbData));
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ int rc = VUSBIRhSubmitUrb(pRh->pIRhConn, pUrb, &pRh->Led);
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+ if (RT_FAILURE(rc))
+ {
+ /* Failure cleanup. Can happen if we're still resetting the device or out of resources,
+ * or the user just ripped out the device.
+ */
+ pCtxIso->fSubmitFailed = true;
+ /// @todo Mark the EP as halted and inactive and write back the changes.
+ return VERR_OUT_OF_RESOURCES;
+ }
+ /* Clear the isochronous URB context. */
+ RT_ZERO(*pCtxIso);
+ }
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Queue a control TD composed of setup/data/status stage TRBs, event data
+ * TRBs, and suchlike.
+ *
+ * @returns VBox status code.
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state, shared edition.
+ * @param pThisCC The xHCI device state, ring-3 edition.
+ * @param pRh Root hub for the device.
+ * @param GCPhysTRB Physical guest address of th TRB.
+ * @param pTrb Pointer to the contents of the first TRB.
+ * @param pEpCtx Pointer to the cached EP context.
+ * @param uSlotID ID of the associated slot context.
+ * @param uAddr The device address.
+ * @param uEpDCI The DCI(!) of the endpoint.
+ */
+static int xhciR3QueueControlTD(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, PXHCIROOTHUBR3 pRh, RTGCPHYS GCPhysTRB,
+ XHCI_XFER_TRB *pTrb, XHCI_EP_CTX *pEpCtx, uint8_t uSlotID, uint8_t uAddr, uint8_t uEpDCI)
+{
+ RT_NOREF(GCPhysTRB);
+ XHCI_CTX_XFER_PROBE ctxProbe;
+ XHCI_CTX_XFER_SUBMIT ctxSubmit;
+ uint64_t uTREP;
+ int rc;
+ VUSBDIRECTION enmDir;
+
+ /* Discover how big this TD is. */
+ RT_ZERO(ctxProbe);
+ rc = xhciR3WalkXferTrbChain(pDevIns, pThis, pEpCtx->trep, xhciR3WalkDataTRBsProbe, &ctxProbe, &uTREP);
+ if (RT_SUCCESS(rc))
+ LogFlowFunc(("Probed %u TRBs, %u bytes total, TREP@%RX64\n", ctxProbe.cTRB, ctxProbe.uXferLen, uTREP));
+ else
+ {
+ LogFlowFunc(("Probing failed after %u TRBs, %u bytes total (last ED after %u TRBs and %u bytes), TREP@%RX64\n", ctxProbe.cTRB, ctxProbe.uXferLen, ctxProbe.cTRBLastED, ctxProbe.uXfrLenLastED, uTREP));
+ return rc;
+ }
+
+ /* Determine the transfer direction. */
+ switch (pTrb->gen.type)
+ {
+ case XHCI_TRB_SETUP_STG:
+ enmDir = VUSBDIRECTION_SETUP;
+ /* For setup TRBs, there is always 8 bytes of immediate data. */
+ Assert(sizeof(VUSBSETUP) == 8);
+ Assert(ctxProbe.uXferLen == 8);
+ Log2(("bmRequestType:%02X bRequest:%02X wValue:%04X wIndex:%04X wLength:%04X\n", pTrb->setup.bmRequestType,
+ pTrb->setup.bRequest, pTrb->setup.wValue, pTrb->setup.wIndex, pTrb->setup.wLength));
+ break;
+ case XHCI_TRB_STATUS_STG:
+ enmDir = pTrb->status.dir ? VUSBDIRECTION_IN : VUSBDIRECTION_OUT;
+ break;
+ case XHCI_TRB_DATA_STG:
+ enmDir = pTrb->data.dir ? VUSBDIRECTION_IN : VUSBDIRECTION_OUT;
+ break;
+ default:
+ AssertMsgFailed(("%#x\n", pTrb->gen.type)); /* Can't happen unless caller messed up. */
+ return VERR_INTERNAL_ERROR;
+ }
+
+ /* Allocate and initialize a URB. */
+ PVUSBURB pUrb = VUSBIRhNewUrb(pRh->pIRhConn, uAddr, VUSB_DEVICE_PORT_INVALID, VUSBXFERTYPE_CTRL, enmDir, ctxProbe.uXferLen, ctxProbe.cTRB,
+ NULL);
+ if (!pUrb)
+ return VERR_OUT_OF_RESOURCES; /// @todo handle error!
+
+ STAM_COUNTER_ADD(&pThis->StatTRBsPerCtlUrb, ctxProbe.cTRB);
+
+ /* See 4.5.1 about xHCI vs. USB endpoint addressing. */
+ Assert(uEpDCI);
+
+ /* This had better be a control endpoint. */
+ AssertMsg(pEpCtx->ep_type == XHCI_EPTYPE_CONTROL, ("%#x\n", pEpCtx->ep_type));
+
+ pUrb->EndPt = uEpDCI / 2; /* DCI = EP * 2 + direction */
+ pUrb->fShortNotOk = false; /* We detect short packets ourselves. */
+ pUrb->enmStatus = VUSBSTATUS_OK;
+ pUrb->pHci->uSlotID = uSlotID;
+
+ /* For OUT/SETUP transfers, copy the TD data into the URB. */
+ if (pUrb->enmDir == VUSBDIRECTION_OUT || pUrb->enmDir == VUSBDIRECTION_SETUP)
+ {
+ ctxSubmit.pUrb = pUrb;
+ ctxSubmit.uXferPos = 0;
+ ctxSubmit.cTRB = 0;
+ xhciR3WalkXferTrbChain(pDevIns, pThis, pEpCtx->trep, xhciR3WalkDataTRBsSubmit, &ctxSubmit, &uTREP);
+ Assert(ctxProbe.cTRB == ctxSubmit.cTRB);
+ ctxProbe.cTRB = ctxSubmit.cTRB;
+ }
+
+ pUrb->pHci->cTRB = ctxProbe.cTRB;
+
+ /* Commit the updated TREP; submitting the URB may already invoke completion callbacks. */
+ pEpCtx->trep = uTREP;
+ xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uEpDCI, pEpCtx);
+
+ /*
+ * Submit the URB.
+ */
+ STAM_COUNTER_ADD(&pThis->StatUrbSizeCtrl, pUrb->cbData);
+ Log(("%s: xhciR3QueueControlTD: Addr=%u, EndPt=%u, enmDir=%u cbData=%u\n",
+ pUrb->pszDesc, pUrb->DstAddress, pUrb->EndPt, pUrb->enmDir, pUrb->cbData));
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ rc = VUSBIRhSubmitUrb(pRh->pIRhConn, pUrb, &pRh->Led);
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+ if (RT_SUCCESS(rc))
+ return VINF_SUCCESS;
+
+ /* Failure cleanup. Can happen if we're still resetting the device or out of resources,
+ * or the user just ripped out the device.
+ */
+ /// @todo Mark the EP as halted and inactive and write back the changes.
+
+ return VERR_OUT_OF_RESOURCES;
+}
+
+
+/**
+ * Process a device context (transfer data).
+ *
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state, shared edition.
+ * @param pThisCC The xHCI device state, ring-3 edition.
+ * @param uSlotID Slot/doorbell which had been rung.
+ * @param uDBVal Value written to the doorbell.
+ */
+static int xhciR3ProcessDevCtx(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, uint8_t uSlotID, uint32_t uDBVal)
+{
+ uint8_t uDBTarget = uDBVal & XHCI_DB_TGT_MASK;
+ XHCI_CTX_ISOCH ctxIsoch = {0};
+ XHCI_SLOT_CTX slot_ctx;
+ XHCI_EP_CTX ep_ctx;
+ XHCI_XFER_TRB xfer;
+ RTGCPHYS GCPhysXfrTRB;
+ PXHCIROOTHUBR3 pRh;
+ bool dcs;
+ bool fContinue = true;
+ int rc;
+ unsigned cTrbs = 0;
+
+ LogFlowFunc(("Slot ID: %u, DB target %u, DB stream ID %u\n", uSlotID, uDBTarget, (uDBVal & XHCI_DB_STRMID_MASK) >> XHCI_DB_STRMID_SHIFT));
+ Assert(uSlotID > 0);
+ Assert(uSlotID <= XHCI_NDS);
+ /// @todo report errors for bogus DB targets
+ Assert(uDBTarget > 0);
+ Assert(uDBTarget < 32);
+
+ /// @todo Check for aborts and the like?
+
+ /* Load the slot and endpoint contexts. */
+ xhciR3FetchCtxAndEp(pDevIns, pThis, uSlotID, uDBTarget, &slot_ctx, &ep_ctx);
+ /// @todo sanity check the context in here?
+
+ /* Select the root hub corresponding to the port. */
+ pRh = GET_PORT_PRH(pThisCC, ID_TO_IDX(slot_ctx.rh_port));
+
+ /* Stopped endpoints automatically transition to running state. */
+ if (RT_UNLIKELY(ep_ctx.ep_state == XHCI_EPST_STOPPED))
+ {
+ Log(("EP DCI %u stopped -> running\n", uDBTarget));
+ ep_ctx.ep_state = XHCI_EPST_RUNNING;
+ /* Update EP right here. Theoretically could be postponed, but we
+ * must ensure that the EP does get written back even if there is
+ * no other work to do.
+ */
+ xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uDBTarget, &ep_ctx);
+ }
+
+ /* If the EP isn't running, get outta here. */
+ if (RT_UNLIKELY(ep_ctx.ep_state != XHCI_EPST_RUNNING))
+ {
+ Log2(("EP DCI %u not running (state %u), bail!\n", uDBTarget, ep_ctx.ep_state));
+ return VINF_SUCCESS;
+ }
+
+ /* Get any non-transfer TRBs out of the way. */
+ xhciR3ConsumeNonXferTRBs(pDevIns, pThis, uSlotID, uDBTarget, &ep_ctx, &xfer, &GCPhysXfrTRB);
+ /// @todo This is inefficient.
+ xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uDBTarget, &ep_ctx);
+
+ do
+ {
+ /* Fetch the contexts again and find the TRB address at enqueue point. */
+ xhciR3FetchCtxAndEp(pDevIns, pThis, uSlotID, uDBTarget, &slot_ctx, &ep_ctx);
+ GCPhysXfrTRB = ep_ctx.trep & XHCI_TRDP_ADDR_MASK;
+ dcs = !!(ep_ctx.trep & XHCI_TRDP_DCS_MASK);
+ LogFlowFunc(("Processing Transfer Ring, TREP: %RGp\n", GCPhysXfrTRB));
+
+ /* Fetch the transfer TRB. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysXfrTRB, &xfer, sizeof(xfer));
+
+ /* Make sure the Cycle State matches. */
+ if ((bool)xfer.gen.cycle == dcs)
+ {
+ Log2(("TRB @ %RGp, type %u (%s) %u bytes ENT=%u ISP=%u NS=%u CH=%u IOC=%u IDT=%u\n", GCPhysXfrTRB, xfer.gen.type,
+ xfer.gen.type < RT_ELEMENTS(g_apszTrbNames) ? g_apszTrbNames[xfer.gen.type] : "WHAT?!!",
+ xfer.gen.xfr_len, xfer.gen.ent, xfer.gen.isp, xfer.gen.ns, xfer.gen.ch, xfer.gen.ioc, xfer.gen.idt));
+
+ /* If there is an "in-flight" TRDP, check if we need to wait until the transfer completes. */
+ if ((ep_ctx.trdp & XHCI_TRDP_ADDR_MASK) != GCPhysXfrTRB)
+ {
+ switch (xfer.gen.type) {
+ case XHCI_TRB_ISOCH:
+ if (ep_ctx.ifc >= XHCI_MAX_ISOC_IN_FLIGHT)
+ {
+ Log(("%u isoch URBs in flight, backing off\n", ep_ctx.ifc));
+ fContinue = false;
+ break;
+ }
+ RT_FALL_THRU();
+ case XHCI_TRB_LINK:
+ Log2(("TRB OK, continuing @ %RX64\n", GCPhysXfrTRB));
+ break;
+ case XHCI_TRB_NORMAL:
+ if (XHCI_EP_XTYPE(ep_ctx.ep_type) != XHCI_XFTYPE_BULK)
+ {
+ Log2(("Normal TRB not bulk, not continuing @ %RX64\n", GCPhysXfrTRB));
+ fContinue = false;
+ break;
+ }
+ if (ep_ctx.ifc >= XHCI_MAX_BULK_IN_FLIGHT)
+ {
+ Log(("%u normal URBs in flight, backing off\n", ep_ctx.ifc));
+ fContinue = false;
+ break;
+ }
+ Log2(("Bulk TRB OK, continuing @ %RX64\n", GCPhysXfrTRB));
+ break;
+ case XHCI_TRB_EVT_DATA:
+ case XHCI_TRB_NOOP_XFER:
+ Log2(("TRB not OK, not continuing @ %RX64\n", GCPhysXfrTRB));
+ fContinue = false;
+ break;
+ default:
+ Log2(("Some other TRB (type %u), not continuing @ %RX64\n", xfer.gen.type, GCPhysXfrTRB));
+ fContinue = false;
+ break;
+ }
+ }
+ if (!fContinue)
+ break;
+
+ switch (xfer.gen.type) {
+ case XHCI_TRB_NORMAL:
+ Log(("Normal TRB: Ptr=%RGp IOC=%u CH=%u\n", xfer.norm.data_ptr, xfer.norm.ioc, xfer.norm.ch));
+ rc = xhciR3QueueDataTD(pDevIns, pThis, pThisCC, pRh, GCPhysXfrTRB, &xfer, &ep_ctx, uSlotID,
+ slot_ctx.dev_addr, uDBTarget);
+ break;
+ case XHCI_TRB_SETUP_STG:
+ Log(("Setup stage TRB: IOC=%u IDT=%u\n", xfer.setup.ioc, xfer.setup.idt));
+ rc = xhciR3QueueControlTD(pDevIns, pThis, pThisCC, pRh, GCPhysXfrTRB, &xfer, &ep_ctx, uSlotID,
+ slot_ctx.dev_addr, uDBTarget);
+ break;
+ case XHCI_TRB_DATA_STG:
+ Log(("Data stage TRB: Ptr=%RGp IOC=%u CH=%u DIR=%u\n", xfer.data.data_ptr, xfer.data.ioc, xfer.data.ch, xfer.data.dir));
+ rc = xhciR3QueueControlTD(pDevIns, pThis, pThisCC, pRh, GCPhysXfrTRB, &xfer, &ep_ctx, uSlotID,
+ slot_ctx.dev_addr, uDBTarget);
+ break;
+ case XHCI_TRB_STATUS_STG:
+ Log(("Status stage TRB: IOC=%u CH=%u DIR=%u\n", xfer.status.ioc, xfer.status.ch, xfer.status.dir));
+ rc = xhciR3QueueControlTD(pDevIns, pThis, pThisCC, pRh, GCPhysXfrTRB, &xfer, &ep_ctx, uSlotID,
+ slot_ctx.dev_addr, uDBTarget);
+ break;
+ case XHCI_TRB_ISOCH:
+ Log(("Isoch TRB: Ptr=%RGp IOC=%u CH=%u TLBPC=%u TBC=%u SIA=%u FrmID=%u\n", xfer.isoc.data_ptr, xfer.isoc.ioc, xfer.isoc.ch, xfer.isoc.tlbpc, xfer.isoc.tbc, xfer.isoc.sia, xfer.isoc.frm_id));
+ rc = xhciR3QueueIsochTD(pDevIns, pThis, pThisCC, pRh, GCPhysXfrTRB, &xfer, &ep_ctx, uSlotID,
+ slot_ctx.dev_addr, uDBTarget, &ctxIsoch);
+ break;
+ case XHCI_TRB_LINK:
+ Log2(("Link extra-TD: Ptr=%RGp IOC=%u TC=%u CH=%u\n", xfer.link.rseg_ptr, xfer.link.ioc, xfer.link.toggle, xfer.link.chain));
+ Assert(!xfer.link.chain);
+ /* Set new TREP but leave DCS bit alone... */
+ ep_ctx.trep = (xfer.link.rseg_ptr & XHCI_TRDP_ADDR_MASK) | (ep_ctx.trep & XHCI_TRDP_DCS_MASK);
+ /* ...and flip the DCS bit if required. Then update the TREP. */
+ if (xfer.link.toggle)
+ ep_ctx.trep = (ep_ctx.trep & ~XHCI_TRDP_DCS_MASK) | (ep_ctx.trep ^ XHCI_TRDP_DCS_MASK);
+ rc = xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uDBTarget, &ep_ctx);
+ break;
+ case XHCI_TRB_NOOP_XFER:
+ Log2(("No op xfer: IOC=%u CH=%u ENT=%u\n", xfer.nop.ioc, xfer.nop.ch, xfer.nop.ent));
+ /* A no-op transfer TRB must not be part of a chain. See 4.11.7. */
+ Assert(!xfer.link.chain);
+ /* Update enqueue pointer (TRB was not yet completed). */
+ ep_ctx.trep += sizeof(XHCI_XFER_TRB);
+ rc = xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uDBTarget, &ep_ctx);
+ break;
+ default:
+ Log(("Unsupported TRB!!\n"));
+ rc = VERR_NOT_SUPPORTED;
+ break;
+ }
+ /* If queuing failed, stop right here. */
+ if (RT_FAILURE(rc))
+ fContinue = false;
+ }
+ else
+ {
+ LogFunc(("Transfer Ring empty\n"));
+ fContinue = false;
+
+ /* If an isochronous ring is empty, this is an overrun/underrun. At this point
+ * the ring will no longer be scheduled (until the doorbell is rung again)
+ * but it remains in the Running state. This error is only reported if someone
+ * rang the doorbell and there are no TDs available or in-flight.
+ */
+ if ( (ep_ctx.trep == ep_ctx.trdp) /* Nothing in-flight? */
+ && (ep_ctx.ep_type == XHCI_EPTYPE_ISOCH_IN || ep_ctx.ep_type == XHCI_EPTYPE_ISOCH_OUT))
+ {
+ /* There is no TRB associated with this error; the slot context
+ * determines the interrupter.
+ */
+ Log(("Isochronous ring %s, TRDP:%RGp\n", ep_ctx.ep_type == XHCI_EPTYPE_ISOCH_IN ? "overrun" : "underrun", ep_ctx.trdp & XHCI_TRDP_ADDR_MASK));
+ rc = xhciR3PostXferEvent(pDevIns, pThis, slot_ctx.intr_tgt, 0,
+ ep_ctx.ep_type == XHCI_EPTYPE_ISOCH_IN ? XHCI_TCC_RING_OVERRUN : XHCI_TCC_RING_UNDERRUN,
+ uSlotID, uDBTarget, 0, false, false);
+ }
+
+ }
+
+ /* Kill the xHC if the TRB list has no end in sight. */
+ if (++cTrbs > XHCI_MAX_NUM_TRBS)
+ {
+ /* Stop the xHC with an error. */
+ xhciR3EndlessTrbError(pDevIns, pThis);
+
+ /* Get out of the loop. */
+ fContinue = false;
+ rc = VERR_NOT_SUPPORTED; /* No good error code really... */
+ }
+ } while (fContinue);
+
+ /* It can unfortunately happen that for endpoints with more than one
+ * transfer per USB frame, there won't be a complete multi-packet URB ready
+ * when we go looking for it. If that happens, we'll "rewind" the TREP and
+ * try again later. Since the URB construction is done under a lock, this
+ * is safe as we won't be accessing the endpoint concurrently.
+ */
+ if (ctxIsoch.pUrb)
+ {
+ Log(("Unfinished ISOC URB (%u packets out of %u)!\n", ctxIsoch.iPkt, ctxIsoch.pUrb->cIsocPkts));
+ /* If submitting failed, the URB is already freed. */
+ if (!ctxIsoch.fSubmitFailed)
+ VUSBIRhFreeUrb(pRh->pIRhConn, ctxIsoch.pUrb);
+ ep_ctx.trep = ctxIsoch.uInitTREP;
+ xhciR3WriteBackEp(pDevIns, pThis, uSlotID, uDBTarget, &ep_ctx);
+ }
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * A worker routine for Address Device command. Builds a URB containing
+ * a SET_ADDRESS requests and (synchronously) submits it to VUSB, then
+ * follows up with a status stage URB.
+ *
+ * @returns true on success.
+ * @returns false on failure to submit.
+ * @param pThisCC The xHCI device state, ring-3 edition.
+ * @param uSlotID Slot ID to assign address to.
+ * @param uDevAddr New device address.
+ * @param iPort The xHCI root hub port index.
+ */
+static bool xhciR3IssueSetAddress(PXHCICC pThisCC, uint8_t uSlotID, uint8_t uDevAddr, unsigned iPort)
+{
+ PXHCIROOTHUBR3 pRh = GET_PORT_PRH(pThisCC, iPort);
+
+ Assert(uSlotID);
+ LogFlowFunc(("Slot %u port idx %u: new address is %u\n", uSlotID, iPort, uDevAddr));
+
+ /* For USB3 devices, force the port number. This simulates the fact that USB3 uses directed (unicast) traffic. */
+ if (!IS_USB3_PORT_IDX_R3(pThisCC, iPort))
+ iPort = VUSB_DEVICE_PORT_INVALID;
+ else
+ iPort = GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort);
+
+ /* Allocate and initialize a URB. NB: Zero cTds indicates a URB not submitted by guest. */
+ PVUSBURB pUrb = VUSBIRhNewUrb(pRh->pIRhConn, 0 /* address */, iPort, VUSBXFERTYPE_CTRL, VUSBDIRECTION_SETUP,
+ sizeof(VUSBSETUP), 0 /* cTds */, NULL);
+ if (!pUrb)
+ return false;
+
+ pUrb->EndPt = 0;
+ pUrb->fShortNotOk = true;
+ pUrb->enmStatus = VUSBSTATUS_OK;
+ pUrb->pHci->uSlotID = uSlotID;
+ pUrb->pHci->cTRB = 0;
+
+ /* Build the request. */
+ PVUSBSETUP pSetup = (PVUSBSETUP)pUrb->abData;
+ pSetup->bmRequestType = VUSB_DIR_TO_DEVICE | VUSB_REQ_STANDARD | VUSB_TO_DEVICE;
+ pSetup->bRequest = VUSB_REQ_SET_ADDRESS;
+ pSetup->wValue = uDevAddr;
+ pSetup->wIndex = 0;
+ pSetup->wLength = 0;
+
+ /* NB: We assume the address assignment is a synchronous operation. */
+
+ /* Submit the setup URB. */
+ Log(("%s: xhciSetAddress setup: cbData=%u\n", pUrb->pszDesc, pUrb->cbData));
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ int rc = VUSBIRhSubmitUrb(pRh->pIRhConn, pUrb, &pRh->Led);
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+ if (RT_FAILURE(rc))
+ {
+ Log(("xhciSetAddress: setup stage failed pUrb=%p!!\n", pUrb));
+ return false;
+ }
+
+ /* To complete the SET_ADDRESS request, the status stage must succeed. */
+ pUrb = VUSBIRhNewUrb(pRh->pIRhConn, 0 /* address */, iPort, VUSBXFERTYPE_CTRL, VUSBDIRECTION_IN, 0 /* cbData */, 0 /* cTds */,
+ NULL);
+ if (!pUrb)
+ return false;
+
+ pUrb->EndPt = 0;
+ pUrb->fShortNotOk = true;
+ pUrb->enmStatus = VUSBSTATUS_OK;
+ pUrb->pHci->uSlotID = uSlotID;
+ pUrb->pHci->cTRB = 0;
+
+ /* Submit the setup URB. */
+ Log(("%s: xhciSetAddress status: cbData=%u\n", pUrb->pszDesc, pUrb->cbData));
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ rc = VUSBIRhSubmitUrb(pRh->pIRhConn, pUrb, &pRh->Led);
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+ if (RT_FAILURE(rc))
+ {
+ Log(("xhciSetAddress: status stage failed pUrb=%p!!\n", pUrb));
+ return false;
+ }
+
+ Log(("xhciSetAddress: set address succeeded\n"));
+ return true;
+}
+
+
+/**
+ * Address a device.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state, shared edition.
+ * @param pThisCC The xHCI device state, ring-3 edition.
+ * @param uInpCtxAddr Address of the input context.
+ * @param uSlotID Slot ID to assign address to.
+ * @param fBSR Block Set address Request flag.
+ */
+static unsigned xhciR3AddressDevice(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, uint64_t uInpCtxAddr,
+ uint8_t uSlotID, bool fBSR)
+{
+ RTGCPHYS GCPhysInpCtx = uInpCtxAddr & XHCI_CTX_ADDR_MASK;
+ RTGCPHYS GCPhysInpSlot;
+ RTGCPHYS GCPhysOutSlot;
+ XHCI_INPC_CTX icc; /* Input Control Context (ICI=0). */
+ XHCI_SLOT_CTX inp_slot_ctx; /* Input Slot Context (ICI=1). */
+ XHCI_EP_CTX ep_ctx; /* Endpoint Context (ICI=2+). */
+ XHCI_SLOT_CTX out_slot_ctx; /* Output Slot Context. */
+ uint8_t dev_addr;
+ unsigned cc = XHCI_TCC_SUCCESS;
+
+ Assert(GCPhysInpCtx);
+ Assert(uSlotID);
+ LogFlowFunc(("Slot ID %u, input control context @ %RGp\n", uSlotID, GCPhysInpCtx));
+
+ /* Determine the address of the output slot context. */
+ GCPhysOutSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+
+ /* Fetch the output slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysOutSlot, &out_slot_ctx, sizeof(out_slot_ctx));
+
+ /// @todo Check for valid context (6.2.2.1, 6.2.3.1)
+
+ /* See 4.6.5 */
+ do {
+ /* Parameter validation depends on whether the BSR flag is set or not. */
+ if (fBSR)
+ {
+ /* Check that the output slot context state is in Enabled state. */
+ if (out_slot_ctx.slot_state >= XHCI_SLTST_DEFAULT)
+ {
+ Log(("Output slot context state (%u) wrong (BSR)!\n", out_slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+ dev_addr = 0;
+ }
+ else
+ {
+ /* Check that the output slot context state is in Enabled or Default state. */
+ if (out_slot_ctx.slot_state > XHCI_SLTST_DEFAULT)
+ {
+ Log(("Output slot context state (%u) wrong (no-BSR)!\n", out_slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+ dev_addr = xhciR3SelectNewAddress(pThis, uSlotID);
+ }
+
+ /* Fetch the input control context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysInpCtx, &icc, sizeof(icc));
+ Assert(icc.add_flags == (RT_BIT(0) | RT_BIT(1))); /* Should have been already checked. */
+ Assert(!icc.drop_flags);
+
+ /* Calculate the address of the input slot context (ICI=1/DCI=0). */
+ GCPhysInpSlot = GCPhysInpCtx + sizeof(XHCI_INPC_CTX);
+
+ /* Read the input slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysInpSlot, &inp_slot_ctx, sizeof(inp_slot_ctx));
+
+ /* If BSR isn't set, issue the actual SET_ADDRESS request. */
+ if (!fBSR) {
+ unsigned iPort;
+
+ /* We have to dig out the port number/index to determine which virtual root hub to use. */
+ iPort = ID_TO_IDX(inp_slot_ctx.rh_port);
+ if (iPort >= XHCI_NDP_CFG(pThis))
+ {
+ Log(("Port out of range (index %u)!\n", iPort));
+ cc = XHCI_TCC_USB_XACT_ERR;
+ break;
+ }
+ if (!xhciR3IssueSetAddress(pThisCC, uSlotID, dev_addr, iPort))
+ {
+ Log(("SET_ADDRESS failed!\n"));
+ cc = XHCI_TCC_USB_XACT_ERR;
+ break;
+ }
+ }
+
+ /* Copy the slot context with appropriate modifications. */
+ out_slot_ctx = inp_slot_ctx;
+ if (fBSR)
+ out_slot_ctx.slot_state = XHCI_SLTST_DEFAULT;
+ else
+ out_slot_ctx.slot_state = XHCI_SLTST_ADDRESSED;
+ out_slot_ctx.dev_addr = dev_addr;
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysOutSlot, &out_slot_ctx, sizeof(out_slot_ctx));
+
+ /* Point at the EP0 contexts. */
+ GCPhysInpSlot += sizeof(inp_slot_ctx);
+ GCPhysOutSlot += sizeof(out_slot_ctx);
+
+ /* Copy EP0 context with appropriate modifications. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysInpSlot, &ep_ctx, sizeof(ep_ctx));
+ xhciR3EnableEP(&ep_ctx);
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysOutSlot, &ep_ctx, sizeof(ep_ctx));
+ } while (0);
+
+ return cc;
+}
+
+
+/**
+ * Reset a halted endpoint.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param uSlotID Slot ID to work with.
+ * @param uDCI DCI of the endpoint to reset.
+ * @param fTSP The Transfer State Preserve flag.
+ */
+static unsigned xhciR3ResetEndpoint(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID, uint8_t uDCI, bool fTSP)
+{
+ RT_NOREF(fTSP);
+ RTGCPHYS GCPhysSlot;
+ RTGCPHYS GCPhysEndp;
+ XHCI_SLOT_CTX slot_ctx;
+ XHCI_EP_CTX endp_ctx;
+ unsigned cc = XHCI_TCC_SUCCESS;
+
+ Assert(uSlotID);
+
+ /* Determine the addresses of the contexts. */
+ GCPhysSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ GCPhysEndp = GCPhysSlot + uDCI * sizeof(XHCI_EP_CTX);
+
+ /* Fetch the slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysSlot, &slot_ctx, sizeof(slot_ctx));
+
+ /* See 4.6.8 */
+ do {
+ /* Check that the slot context state is Default, Addressed, or Configured. */
+ if (slot_ctx.slot_state < XHCI_SLTST_DEFAULT)
+ {
+ Log(("Slot context state wrong (%u)!\n", slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Fetch the endpoint context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+
+ /* Check that the endpoint context state is Halted. */
+ if (endp_ctx.ep_state != XHCI_EPST_HALTED)
+ {
+ Log(("Endpoint context state wrong (%u)!\n", endp_ctx.ep_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Transition EP state. */
+ endp_ctx.ep_state = XHCI_EPST_STOPPED;
+
+ /// @todo What can we do with the TSP flag?
+ /// @todo Anything to do WRT enabling the corresponding doorbell register?
+
+ /* Write back the updated endpoint context. */
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+ } while (0);
+
+ return cc;
+}
+
+
+/**
+ * Stop a running endpoint.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis The xHCI device state, shared edition.
+ * @param pThisCC The xHCI device state, ring-3 edition.
+ * @param uSlotID Slot ID to work with.
+ * @param uDCI DCI of the endpoint to stop.
+ * @param fTSP The Suspend flag.
+ */
+static unsigned xhciR3StopEndpoint(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, uint8_t uSlotID, uint8_t uDCI, bool fTSP)
+{
+ RT_NOREF(fTSP);
+ RTGCPHYS GCPhysSlot;
+ RTGCPHYS GCPhysEndp;
+ XHCI_SLOT_CTX slot_ctx;
+ XHCI_EP_CTX endp_ctx;
+ unsigned cc = XHCI_TCC_SUCCESS;
+
+ Assert(uSlotID);
+
+ /* Determine the addresses of the contexts. */
+ GCPhysSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ GCPhysEndp = GCPhysSlot + uDCI * sizeof(XHCI_EP_CTX);
+
+ /* Fetch the slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysSlot, &slot_ctx, sizeof(slot_ctx));
+
+ /* See 4.6.9 */
+ do {
+ /* Check that the slot context state is Default, Addressed, or Configured. */
+ if (slot_ctx.slot_state < XHCI_SLTST_DEFAULT)
+ {
+ Log(("Slot context state wrong (%u)!\n", slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* The doorbell could be ringing; stop it if so. */
+ if (pThis->aBellsRung[ID_TO_IDX(uSlotID)] & (1 << uDCI))
+ {
+ Log(("Unring bell for slot ID %u, DCI %u\n", uSlotID, uDCI));
+ ASMAtomicAndU32(&pThis->aBellsRung[ID_TO_IDX(uSlotID)], ~(1 << uDCI));
+ }
+
+ /* Fetch the endpoint context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+
+ /* Check that the endpoint context state is Running. */
+ if (endp_ctx.ep_state != XHCI_EPST_RUNNING)
+ {
+ Log(("Endpoint context state wrong (%u)!\n", endp_ctx.ep_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Transition EP state. */
+ endp_ctx.ep_state = XHCI_EPST_STOPPED;
+
+ /* Write back the updated endpoint context *now*, before actually canceling anyhing. */
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+
+ /// @todo What can we do with the SP flag?
+
+ PXHCIROOTHUBR3 pRh;
+ uint32_t uPort;
+
+ /* Abort the endpoint, i.e. cancel any outstanding URBs. This needs to be done after
+ * writing back the EP state so that the completion callback can operate.
+ */
+ if (RT_SUCCESS(xhciR3FindRhDevBySlot(pDevIns, pThis, pThisCC, uSlotID, &pRh, &uPort)))
+ {
+ /* Temporarily give up the lock so that the completion callbacks can run. */
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+ Log(("Aborting DCI %u -> ep=%u d=%u\n", uDCI, uDCI / 2, uDCI & 1 ? VUSBDIRECTION_IN : VUSBDIRECTION_OUT));
+ pRh->pIRhConn->pfnAbortEp(pRh->pIRhConn, uPort, uDCI / 2, uDCI & 1 ? VUSBDIRECTION_IN : VUSBDIRECTION_OUT);
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+ }
+
+ /// @todo The completion callbacks should do more work for canceled URBs.
+ /* Once the completion callbacks had a chance to run, we have to adjust
+ * the endpoint state.
+ * NB: The guest may just ring the doorbell to continue and not execute
+ * 'Set TRDP' after stopping the endpoint.
+ */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+
+ bool fXferWasInProgress = endp_ctx.trep != endp_ctx.trdp;
+
+ /* Reset the TREP, but the EDTLA should be left alone. */
+ endp_ctx.trep = endp_ctx.trdp;
+
+ if (fXferWasInProgress)
+ {
+ /* Fetch the transfer TRB to see the length. */
+ RTGCPHYS GCPhysXfrTRB = endp_ctx.trdp & XHCI_TRDP_ADDR_MASK;
+ XHCI_XFER_TRB XferTRB;
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysXfrTRB, &XferTRB, sizeof(XferTRB));
+
+ xhciR3PostXferEvent(pDevIns, pThis, slot_ctx.intr_tgt, XferTRB.gen.xfr_len, XHCI_TCC_STOPPED, uSlotID, uDCI,
+ GCPhysXfrTRB, false, false);
+ }
+ else
+ {
+ /* We need to generate a Force Stopped Event or FSE. Note that FSEs were optional
+ * in xHCI 0.96 but aren't in 1.0.
+ */
+ xhciR3PostXferEvent(pDevIns, pThis, slot_ctx.intr_tgt, 0, XHCI_TCC_STP_INV_LEN, uSlotID, uDCI,
+ endp_ctx.trdp & XHCI_TRDP_ADDR_MASK, false, false);
+ }
+
+ /* Write back the updated endpoint context again. */
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+
+ } while (0);
+
+ return cc;
+}
+
+
+/**
+ * Set a new TR Dequeue Pointer for an endpoint.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param uSlotID Slot ID to work with.
+ * @param uDCI DCI of the endpoint to reset.
+ * @param uTRDP The TRDP including DCS/ flag.
+ */
+static unsigned xhciR3SetTRDP(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID, uint8_t uDCI, uint64_t uTRDP)
+{
+ RTGCPHYS GCPhysSlot;
+ RTGCPHYS GCPhysEndp;
+ XHCI_SLOT_CTX slot_ctx;
+ XHCI_EP_CTX endp_ctx;
+ unsigned cc = XHCI_TCC_SUCCESS;
+
+ Assert(uSlotID);
+
+ /* Determine the addresses of the contexts. */
+ GCPhysSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ GCPhysEndp = GCPhysSlot + uDCI * sizeof(XHCI_EP_CTX);
+
+ /* Fetch the slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysSlot, &slot_ctx, sizeof(slot_ctx));
+
+ /* See 4.6.10 */
+ do {
+ /* Check that the slot context state is Default, Addressed, or Configured. */
+ if (slot_ctx.slot_state < XHCI_SLTST_DEFAULT)
+ {
+ Log(("Slot context state wrong (%u)!\n", slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Fetch the endpoint context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+
+ /* Check that the endpoint context state is Stopped or Error. */
+ if (endp_ctx.ep_state != XHCI_EPST_STOPPED && endp_ctx.ep_state != XHCI_EPST_ERROR)
+ {
+ Log(("Endpoint context state wrong (%u)!\n", endp_ctx.ep_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Update the TRDP/TREP and DCS. */
+ endp_ctx.trdp = uTRDP;
+ endp_ctx.trep = uTRDP;
+
+ /* Also clear the in-flight counter! */
+ endp_ctx.ifc = 0;
+
+ /// @todo Handle streams
+
+ /* Write back the updated endpoint context. */
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysEndp, &endp_ctx, sizeof(endp_ctx));
+ } while (0);
+
+ return cc;
+}
+
+
+/**
+ * Prepare for a device reset.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param uSlotID Slot ID to work with.
+ */
+static unsigned xhciR3ResetDevice(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uSlotID)
+{
+ RTGCPHYS GCPhysSlot;
+ XHCI_SLOT_CTX slot_ctx;
+ XHCI_DEV_CTX dc;
+ unsigned num_ctx;
+ unsigned i;
+ unsigned cc = XHCI_TCC_SUCCESS;
+
+ Assert(uSlotID);
+
+ /* Determine the address of the slot/device context. */
+ GCPhysSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+
+ /* Fetch the slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysSlot, &slot_ctx, sizeof(slot_ctx));
+
+ /* See 4.6.11. */
+ do {
+ /* Check that the slot context state is Addressed or Configured. */
+ if (slot_ctx.slot_state < XHCI_SLTST_ADDRESSED)
+ {
+ Log(("Slot context state wrong (%u)!\n", slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Read the entire Device Context. */
+ num_ctx = slot_ctx.ctx_ent + 1; /* Slot context plus EPs. */
+ Assert(num_ctx);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysSlot, &dc, num_ctx * sizeof(XHCI_SLOT_CTX));
+
+ /// @todo Abort any outstanding transfers!
+
+ /* Set slot state to Default and reset the USB device address. */
+ dc.entry[0].sc.slot_state = XHCI_SLTST_DEFAULT;
+ dc.entry[0].sc.dev_addr = 0;
+
+ /* Disable all endpoints except for EP 0 (aka DCI 1). */
+ for (i = 2; i < num_ctx; ++i)
+ dc.entry[i].ep.ep_state = XHCI_EPST_DISABLED;
+
+ /* Write back the updated device context. */
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysSlot, &dc, num_ctx * sizeof(XHCI_SLOT_CTX));
+ } while (0);
+
+ return cc;
+}
+
+
+/**
+ * Configure a device (even though the relevant command is called 'Configure
+ * Endpoint'. This includes adding/dropping endpoint contexts as directed by
+ * the input control context bits.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param uInpCtxAddr Address of the input context.
+ * @param uSlotID Slot ID associated with the context.
+ * @param fDC Deconfigure flag set (input context unused).
+ */
+static unsigned xhciR3ConfigureDevice(PPDMDEVINS pDevIns, PXHCI pThis, uint64_t uInpCtxAddr, uint8_t uSlotID, bool fDC)
+{
+ RTGCPHYS GCPhysInpCtx = uInpCtxAddr & XHCI_CTX_ADDR_MASK;
+ RTGCPHYS GCPhysInpSlot;
+ RTGCPHYS GCPhysOutSlot;
+ RTGCPHYS GCPhysOutEndp;
+ XHCI_INPC_CTX icc; /* Input Control Context (ICI=0). */
+ XHCI_SLOT_CTX out_slot_ctx; /* Slot context (DCI=0). */
+ XHCI_EP_CTX out_endp_ctx; /* Endpoint Context (DCI=1). */
+ unsigned cc = XHCI_TCC_SUCCESS;
+ uint32_t uAddFlags;
+ uint32_t uDropFlags;
+ unsigned num_inp_ctx;
+ unsigned num_out_ctx;
+ XHCI_DEV_CTX dc_inp;
+ XHCI_DEV_CTX dc_out;
+ unsigned uDCI;
+
+ Assert(uSlotID);
+ LogFlowFunc(("Slot ID %u, input control context @ %RGp\n", uSlotID, GCPhysInpCtx));
+
+ /* Determine the address of the output slot context. */
+ GCPhysOutSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ Assert(GCPhysOutSlot);
+
+ /* Fetch the output slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysOutSlot, &out_slot_ctx, sizeof(out_slot_ctx));
+
+ /* See 4.6.6 */
+ do {
+ /* Check that the output slot context state is Addressed, or Configured. */
+ if (out_slot_ctx.slot_state < XHCI_SLTST_ADDRESSED)
+ {
+ Log(("Output slot context state wrong (%u)!\n", out_slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Check for deconfiguration request. */
+ if (fDC) {
+ if (out_slot_ctx.slot_state == XHCI_SLTST_CONFIGURED) {
+ /* Disable all enabled endpoints. */
+ uDropFlags = 0xFFFFFFFC; /** @todo r=bird: Why do you set uDropFlags and uAddFlags in a code path that doesn't use
+ * them? This is a _very_ difficult function to get the hang of the way it's written.
+ * Stuff like this looks like there's a control flow flaw (as to the do-break-while-false
+ * loop which doesn't do any clean up or logging at the end and seems only sever the very
+ * dubious purpose of making sure ther's only one return statement). The insistance on
+ * C-style variable declarations (top of function), makes checking state harder, which is
+ * why it's discouraged. */
+ uAddFlags = 0;
+
+ /* Start with EP1. */
+ GCPhysOutEndp = GCPhysOutSlot + sizeof(XHCI_SLOT_CTX) + sizeof(XHCI_EP_CTX);
+
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysOutEndp, &out_endp_ctx, sizeof(out_endp_ctx));
+ out_endp_ctx.ep_state = XHCI_EPST_DISABLED;
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysOutEndp, &out_endp_ctx, sizeof(out_endp_ctx));
+ GCPhysOutEndp += sizeof(XHCI_EP_CTX); /* Point to the next EP context. */
+
+ /* Finally update the output slot context. */
+ out_slot_ctx.ctx_ent = 1; /* Only EP0 left. */
+ out_slot_ctx.slot_state = XHCI_SLTST_ADDRESSED;
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysOutSlot, &out_slot_ctx, sizeof(out_slot_ctx));
+ LogFlow(("Setting Output Slot State to Addressed, Context Entries = %u\n", out_slot_ctx.ctx_ent));
+ }
+ else
+ /* NB: Attempts to deconfigure a slot in Addressed state are ignored. */
+ Log(("Ignoring attempt to deconfigure slot in Addressed state!\n"));
+ break;
+ }
+
+ /* Fetch the input control context. */
+ Assert(GCPhysInpCtx);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysInpCtx, &icc, sizeof(icc));
+ Assert(icc.add_flags || icc.drop_flags); /* Make sure there's something to do. */
+
+ uAddFlags = icc.add_flags;
+ uDropFlags = icc.drop_flags;
+ LogFlowFunc(("Add Flags=%08X, Drop Flags=%08X\n", uAddFlags, uDropFlags));
+
+ /* If and only if any 'add context' flag is set, fetch the corresponding
+ * input device context.
+ */
+ if (uAddFlags) {
+ /* Calculate the address of the input slot context (ICI=1/DCI=0). */
+ GCPhysInpSlot = GCPhysInpCtx + sizeof(XHCI_INPC_CTX);
+
+ /* Read the input Slot Context plus all Endpoint Contexts up to and
+ * including the one with the highest 'add' bit set.
+ */
+ num_inp_ctx = ASMBitLastSetU32(uAddFlags);
+ Assert(num_inp_ctx);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysInpSlot, &dc_inp, num_inp_ctx * sizeof(XHCI_DS_ENTRY));
+
+ /// @todo Check that the highest set add flag isn't beyond input slot Context Entries
+
+ /// @todo Check input slot context according to 6.2.2.2
+ /// @todo Check input EP contexts according to 6.2.3.2
+ }
+/** @todo r=bird: Looks like MSC is right that dc_inp can be used uninitalized.
+ *
+ * However, this function is so hard to read I'm leaving the exorcism of it to
+ * the author and just zeroing it in the mean time.
+ *
+ */
+ else
+ RT_ZERO(dc_inp);
+
+ /* Read the output Slot Context plus all Endpoint Contexts up to and
+ * including the one with the highest 'add' or 'drop' bit set.
+ */
+ num_out_ctx = ASMBitLastSetU32(uAddFlags | uDropFlags);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysOutSlot, &dc_out, num_out_ctx * sizeof(XHCI_DS_ENTRY));
+
+ /* Drop contexts as directed by flags. */
+ for (uDCI = 2; uDCI < 32; ++uDCI)
+ {
+ if (!((1 << uDCI) & uDropFlags))
+ continue;
+
+ Log2(("Dropping EP DCI %u\n", uDCI));
+ dc_out.entry[uDCI].ep.ep_state = XHCI_EPST_DISABLED;
+ /// @todo Do we need to bother tracking resources/bandwidth?
+ }
+
+ /* Now add contexts as directed by flags. */
+ for (uDCI = 2; uDCI < 32; ++uDCI)
+ {
+ if (!((1 << uDCI) & uAddFlags))
+ continue;
+
+ Assert(!fDC);
+ /* Copy over EP context, set to running. */
+ Log2(("Adding EP DCI %u\n", uDCI));
+ dc_out.entry[uDCI].ep = dc_inp.entry[uDCI].ep;
+ xhciR3EnableEP(&dc_out.entry[uDCI].ep);
+ /// @todo Do we need to bother tracking resources/bandwidth?
+ }
+
+ /* Finally update the device context. */
+ if (fDC || dc_inp.entry[0].sc.ctx_ent == 1)
+ {
+ dc_out.entry[0].sc.slot_state = XHCI_SLTST_ADDRESSED;
+ dc_out.entry[0].sc.ctx_ent = 1;
+ LogFlow(("Setting Output Slot State to Addressed\n"));
+ }
+ else
+ {
+ uint32_t uKillFlags = uDropFlags & ~uAddFlags; /* Endpoints going away. */
+
+ /* At least one EP enabled. Update Context Entries and state. */
+ Assert(dc_inp.entry[0].sc.ctx_ent);
+ dc_out.entry[0].sc.slot_state = XHCI_SLTST_CONFIGURED;
+ if (ID_TO_IDX(ASMBitLastSetU32(uAddFlags)) > dc_out.entry[0].sc.ctx_ent)
+ {
+ /* Adding new endpoints. */
+ dc_out.entry[0].sc.ctx_ent = ID_TO_IDX(ASMBitLastSetU32(uAddFlags));
+ }
+ else if (ID_TO_IDX(ASMBitLastSetU32(uKillFlags)) == dc_out.entry[0].sc.ctx_ent)
+ {
+ /* Removing the last endpoint, find the last non-disabled one. */
+ unsigned num_ctx_ent;
+
+ Assert(dc_out.entry[0].sc.ctx_ent + 1u == num_out_ctx);
+ for (num_ctx_ent = dc_out.entry[0].sc.ctx_ent; num_ctx_ent > 1; --num_ctx_ent)
+ if (dc_out.entry[num_ctx_ent].ep.ep_state != XHCI_EPST_DISABLED)
+ break;
+ dc_out.entry[0].sc.ctx_ent = num_ctx_ent; /* Last valid index to be precise. */
+ }
+ LogFlow(("Setting Output Slot State to Configured, Context Entries = %u\n", dc_out.entry[0].sc.ctx_ent));
+ }
+
+ /* If there were no errors, write back the updated output context. */
+ LogFlow(("Success, updating Output Context @ %RGp\n", GCPhysOutSlot));
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysOutSlot, &dc_out, num_out_ctx * sizeof(XHCI_DS_ENTRY));
+ } while (0);
+
+ return cc;
+}
+
+
+/**
+ * Evaluate an input context. This involves modifying device and endpoint
+ * contexts as directed by the input control context add bits.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param uInpCtxAddr Address of the input context.
+ * @param uSlotID Slot ID associated with the context.
+ */
+static unsigned xhciR3EvalContext(PPDMDEVINS pDevIns, PXHCI pThis, uint64_t uInpCtxAddr, uint8_t uSlotID)
+{
+ RTGCPHYS GCPhysInpCtx = uInpCtxAddr & XHCI_CTX_ADDR_MASK;
+ RTGCPHYS GCPhysInpSlot;
+ RTGCPHYS GCPhysOutSlot;
+ XHCI_INPC_CTX icc; /* Input Control Context (ICI=0). */
+ XHCI_SLOT_CTX out_slot_ctx; /* Slot context (DCI=0). */
+ unsigned cc = XHCI_TCC_SUCCESS;
+ uint32_t uAddFlags;
+ uint32_t uDropFlags;
+ unsigned num_inp_ctx;
+ unsigned num_out_ctx;
+ XHCI_DEV_CTX dc_inp;
+ XHCI_DEV_CTX dc_out;
+ unsigned uDCI;
+
+ Assert(GCPhysInpCtx);
+ Assert(uSlotID);
+ LogFlowFunc(("Slot ID %u, input control context @ %RGp\n", uSlotID, GCPhysInpCtx));
+
+ /* Determine the address of the output slot context. */
+ GCPhysOutSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ Assert(GCPhysOutSlot);
+
+ /* Fetch the output slot context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysOutSlot, &out_slot_ctx, sizeof(out_slot_ctx));
+
+ /* See 4.6.7 */
+ do {
+ /* Check that the output slot context state is Default, Addressed, or Configured. */
+ if (out_slot_ctx.slot_state < XHCI_SLTST_DEFAULT)
+ {
+ Log(("Output slot context state wrong (%u)!\n", out_slot_ctx.slot_state));
+ cc = XHCI_TCC_CTX_STATE_ERR;
+ break;
+ }
+
+ /* Fetch the input control context. */
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysInpCtx, &icc, sizeof(icc));
+ uAddFlags = icc.add_flags;
+ uDropFlags = icc.drop_flags;
+ LogFlowFunc(("Add Flags=%08X, Drop Flags=%08X\n", uAddFlags, uDropFlags));
+
+ /* Drop flags "shall be cleared to 0" but also "do not apply" (4.6.7). Log & ignore. */
+ if (uDropFlags)
+ Log(("Drop flags set (%X) for evaluating context!\n", uDropFlags));
+
+ /* If no add flags are set, nothing will be done but an error is not reported
+ * according to the logic flow in 4.6.7.
+ */
+ if (!uAddFlags)
+ {
+ Log(("Warning: no add flags set for evaluating context!\n"));
+ break;
+ }
+
+ /* Calculate the address of the input slot context (ICI=1/DCI=0). */
+ GCPhysInpSlot = GCPhysInpCtx + sizeof(XHCI_INPC_CTX);
+
+ /* Read the output Slot Context plus all Endpoint Contexts up to and
+ * including the one with the highest 'add' bit set.
+ */
+ num_inp_ctx = ASMBitLastSetU32(uAddFlags);
+ Assert(num_inp_ctx);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysInpSlot, &dc_inp, num_inp_ctx * sizeof(XHCI_DS_ENTRY));
+
+ /* Read the output Slot Context plus all Endpoint Contexts up to and
+ * including the one with the highest 'add' bit set.
+ */
+ num_out_ctx = ASMBitLastSetU32(uAddFlags);
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysOutSlot, &dc_out, num_out_ctx * sizeof(XHCI_DS_ENTRY));
+
+ /// @todo Check input slot context according to 6.2.2.3
+ /// @todo Check input EP contexts according to 6.2.3.3
+ /// @todo Check that the highest set add flag isn't beyond input slot Context Entries
+
+ /* Evaluate endpoint contexts as directed by add flags. */
+ /// @todo 6.2.3.3 suggests only the A1 bit matters? Anything besides A0/A1 is ignored??
+ for (uDCI = 1; uDCI < 32; ++uDCI)
+ {
+ if (!((1 << uDCI) & uAddFlags))
+ continue;
+
+ /* Evaluate Max Packet Size. */
+ LogFunc(("DCI %u: Max Packet Size: %u -> %u\n", uDCI, dc_out.entry[uDCI].ep.max_pkt_sz, dc_inp.entry[uDCI].ep.max_pkt_sz));
+ dc_out.entry[uDCI].ep.max_pkt_sz = dc_inp.entry[uDCI].ep.max_pkt_sz;
+ }
+
+ /* Finally update the device context if directed to do so (A0 flag set). */
+ if (uAddFlags & RT_BIT(0))
+ {
+ /* 6.2.2.3 - evaluate Interrupter Target and Max Exit Latency. */
+ Log(("Interrupter Target: %u -> %u\n", dc_out.entry[0].sc.intr_tgt, dc_inp.entry[0].sc.intr_tgt));
+ Log(("Max Exit Latency : %u -> %u\n", dc_out.entry[0].sc.max_lat, dc_inp.entry[0].sc.max_lat));
+
+ /// @todo Non-zero Max Exit Latency (see 4.6.7)
+ dc_out.entry[0].sc.intr_tgt = dc_inp.entry[0].sc.intr_tgt;
+ dc_out.entry[0].sc.max_lat = dc_inp.entry[0].sc.max_lat;
+ }
+
+ /* If there were no errors, write back the updated output context. */
+ LogFlow(("Success, updating Output Context @ %RGp\n", GCPhysOutSlot));
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysOutSlot, &dc_out, num_out_ctx * sizeof(XHCI_DS_ENTRY));
+ } while (0);
+
+ return cc;
+}
+
+
+/**
+ * Query available port bandwidth.
+ *
+ * @returns TRB completion code.
+ * @param pDevIns The device instance.
+ * @param pThis Pointer to the xHCI state.
+ * @param uDevSpd Speed of not yet attached devices.
+ * @param uHubSlotID Hub Slot ID to query (unsupported).
+ * @param uBwCtx Bandwidth context physical address.
+ */
+static unsigned xhciR3GetPortBandwidth(PPDMDEVINS pDevIns, PXHCI pThis, uint8_t uDevSpd, uint8_t uHubSlotID, uint64_t uBwCtx)
+{
+ RT_NOREF(uHubSlotID);
+ RTGCPHYS GCPhysBwCtx;
+ unsigned cc = XHCI_TCC_SUCCESS;
+ unsigned ctx_size;
+ unsigned iPort;
+ uint8_t bw_ctx[RT_ALIGN_32(XHCI_NDP_MAX + 1, 4)] = {0};
+ uint8_t dev_spd;
+ uint8_t avail_bw;
+
+ Assert(!uHubSlotID);
+ Assert(uBwCtx);
+
+ /* See 4.6.15. */
+
+ /* Hubs are not supported because guests will never see them. The
+ * reported values are more or less dummy because we have no real
+ * information about the bandwidth available on the host. The reported
+ * values are optimistic, as if each port had its own separate Bus
+ * Instance aka BI.
+ */
+
+ GCPhysBwCtx = uBwCtx & XHCI_CTX_ADDR_MASK;
+
+ /* Number of ports + 1, rounded up to DWORDs. */
+ ctx_size = RT_ALIGN_32(XHCI_NDP_CFG(pThis) + 1, 4);
+ LogFlowFunc(("BW Context at %RGp, size %u\n", GCPhysBwCtx, ctx_size));
+ Assert(ctx_size <= sizeof(bw_ctx));
+
+ /* Go over all the ports. */
+ for (iPort = 0; iPort < XHCI_NDP_CFG(pThis); ++iPort)
+ {
+ /* Get the device speed from the port... */
+ dev_spd = (pThis->aPorts[iPort].portsc & XHCI_PORT_PLS_MASK) >> XHCI_PORT_PLS_SHIFT;
+ /* ...and if nothing is attached, use the provided default. */
+ if (!dev_spd)
+ dev_spd = uDevSpd;
+
+ /* For USB3 ports, report 90% available for SS devices (see 6.2.6). */
+ if (IS_USB3_PORT_IDX_SHR(pThis, iPort))
+ avail_bw = dev_spd == XHCI_SPD_SUPER ? 90 : 0;
+ else
+ /* For USB2 ports, report 80% available for HS and 90% for FS/LS. */
+ switch (dev_spd)
+ {
+ case XHCI_SPD_HIGH:
+ avail_bw = 80;
+ break;
+ case XHCI_SPD_FULL:
+ case XHCI_SPD_LOW:
+ avail_bw = 90;
+ break;
+ default:
+ avail_bw = 0;
+ }
+
+ /* The first entry in the context is reserved. */
+ bw_ctx[iPort + 1] = avail_bw;
+ }
+
+ /* Write back the bandwidth context. */
+ PDMDevHlpPCIPhysWriteMeta(pDevIns, GCPhysBwCtx, &bw_ctx, ctx_size);
+
+ return cc;
+}
+
+#define NEC_MAGIC ('x' | ('H' << 8) | ('C' << 16) | ('I' << 24))
+
+/**
+ * Take a 64-bit input, shake well, produce 32-bit token. This mechanism
+ * prevents NEC/Renesas drivers from running on 3rd party hardware. Mirrors
+ * code found in vendor's drivers.
+ */
+static uint32_t xhciR3NecAuthenticate(uint64_t cookie)
+{
+ uint32_t cookie_lo = RT_LODWORD(cookie);
+ uint32_t cookie_hi = RT_HIDWORD(cookie);
+ uint32_t shift_cnt;
+ uint32_t token;
+
+ shift_cnt = (cookie_hi >> 8) & 31;
+ token = ASMRotateRightU32(cookie_lo - NEC_MAGIC, shift_cnt);
+ shift_cnt = cookie_hi & 31;
+ token += ASMRotateLeftU32(cookie_lo + NEC_MAGIC, shift_cnt);
+ shift_cnt = (cookie_lo >> 16) & 31;
+ token -= ASMRotateLeftU32(cookie_hi ^ NEC_MAGIC, shift_cnt);
+
+ return ~token;
+}
+
+/**
+ * Process a single command TRB and post completion information.
+ */
+static int xhciR3ExecuteCommand(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC, XHCI_COMMAND_TRB *pCmd)
+{
+ XHCI_EVENT_TRB ed;
+ uint32_t token;
+ unsigned slot;
+ unsigned cc;
+ int rc = VINF_SUCCESS;
+ LogFlowFunc(("Executing command %u (%s) @ %RGp\n", pCmd->gen.type,
+ pCmd->gen.type < RT_ELEMENTS(g_apszTrbNames) ? g_apszTrbNames[pCmd->gen.type] : "WHAT?!!",
+ (RTGCPHYS)pThis->cmdr_dqp));
+
+ switch (pCmd->gen.type)
+ {
+ case XHCI_TRB_NOOP_CMD:
+ /* No-op, slot ID is always zero. */
+ rc = xhciR3PostCmdCompletion(pDevIns, pThis, XHCI_TCC_SUCCESS, 0);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_LINK:
+ /* Link; set the dequeue pointer. CH bit is ignored. */
+ Log(("Link: Ptr=%RGp IOC=%u TC=%u\n", pCmd->link.rseg_ptr, pCmd->link.ioc, pCmd->link.toggle));
+ if (pCmd->link.ioc) /* Command completion event is optional! */
+ rc = xhciR3PostCmdCompletion(pDevIns, pThis, XHCI_TCC_SUCCESS, 0);
+ /* Update the dequeue pointer and flip DCS if required. */
+ pThis->cmdr_dqp = pCmd->link.rseg_ptr & XHCI_TRDP_ADDR_MASK;
+ pThis->cmdr_ccs = pThis->cmdr_ccs ^ pCmd->link.toggle;
+ break;
+
+ case XHCI_TRB_ENB_SLOT:
+ /* Look for an empty device slot. */
+ for (slot = 0; slot < RT_ELEMENTS(pThis->aSlotState); ++slot)
+ {
+ if (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY)
+ {
+ /* Found a slot - transition to enabled state. */
+ pThis->aSlotState[slot] = XHCI_DEVSLOT_ENABLED;
+ break;
+ }
+ }
+ Log(("Enable Slot: found slot ID %u\n", IDX_TO_ID(slot)));
+
+ /* Post command completion event. */
+ if (slot == RT_ELEMENTS(pThis->aSlotState))
+ xhciR3PostCmdCompletion(pDevIns, pThis, XHCI_TCC_NO_SLOTS, 0);
+ else
+ xhciR3PostCmdCompletion(pDevIns, pThis, XHCI_TCC_SUCCESS, IDX_TO_ID(slot));
+
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_DIS_SLOT:
+ /* Disable the given device slot. */
+ Log(("Disable Slot: slot ID %u\n", pCmd->dsl.slot_id));
+ cc = XHCI_TCC_SUCCESS;
+ slot = ID_TO_IDX(pCmd->dsl.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ {
+ /// @todo set slot state of assoc. context to disabled
+ pThis->aSlotState[slot] = XHCI_DEVSLOT_EMPTY;
+ }
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->dsl.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_ADDR_DEV:
+ /* Address a device. */
+ Log(("Address Device: slot ID %u, BSR=%u\n", pCmd->adr.slot_id, pCmd->adr.bsr));
+ slot = ID_TO_IDX(pCmd->cfg.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ cc = xhciR3AddressDevice(pDevIns, pThis, pThisCC, pCmd->adr.ctx_ptr, pCmd->adr.slot_id, pCmd->adr.bsr);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->adr.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_CFG_EP:
+ /* Configure endpoint. */
+ Log(("Configure endpoint: slot ID %u, DC=%u, Ctx @ %RGp\n", pCmd->cfg.slot_id, pCmd->cfg.dc, pCmd->cfg.ctx_ptr));
+ slot = ID_TO_IDX(pCmd->cfg.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ cc = xhciR3ConfigureDevice(pDevIns, pThis, pCmd->cfg.ctx_ptr, pCmd->cfg.slot_id, pCmd->cfg.dc);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->cfg.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_EVAL_CTX:
+ /* Evaluate context. */
+ Log(("Evaluate context: slot ID %u, Ctx @ %RGp\n", pCmd->evc.slot_id, pCmd->evc.ctx_ptr));
+ slot = ID_TO_IDX(pCmd->evc.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ cc = xhciR3EvalContext(pDevIns, pThis, pCmd->evc.ctx_ptr, pCmd->evc.slot_id);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->evc.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_RESET_EP:
+ /* Reset the given endpoint. */
+ Log(("Reset Endpoint: slot ID %u, EP ID %u, TSP=%u\n", pCmd->rse.slot_id, pCmd->rse.ep_id, pCmd->rse.tsp));
+ cc = XHCI_TCC_SUCCESS;
+ slot = ID_TO_IDX(pCmd->rse.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ cc = xhciR3ResetEndpoint(pDevIns, pThis, pCmd->rse.slot_id, pCmd->rse.ep_id, pCmd->rse.tsp);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->stp.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_STOP_EP:
+ /* Stop the given endpoint. */
+ Log(("Stop Endpoint: slot ID %u, EP ID %u, SP=%u\n", pCmd->stp.slot_id, pCmd->stp.ep_id, pCmd->stp.sp));
+ cc = XHCI_TCC_SUCCESS;
+ slot = ID_TO_IDX(pCmd->stp.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ cc = xhciR3StopEndpoint(pDevIns, pThis, pThisCC, pCmd->stp.slot_id, pCmd->stp.ep_id, pCmd->stp.sp);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->stp.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_SET_DEQ_PTR:
+ /* Set TR Dequeue Pointer. */
+ Log(("Set TRDP: slot ID %u, EP ID %u, TRDP=%RX64\n", pCmd->stdp.slot_id, pCmd->stdp.ep_id, pCmd->stdp.tr_dqp));
+ cc = XHCI_TCC_SUCCESS;
+ slot = ID_TO_IDX(pCmd->stdp.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ cc = xhciR3SetTRDP(pDevIns, pThis, pCmd->stdp.slot_id, pCmd->stdp.ep_id, pCmd->stdp.tr_dqp);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->stdp.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_RESET_DEV:
+ /* Reset a device. */
+ Log(("Reset Device: slot ID %u\n", pCmd->rsd.slot_id));
+ cc = XHCI_TCC_SUCCESS;
+ slot = ID_TO_IDX(pCmd->rsd.slot_id);
+ if ((slot >= RT_ELEMENTS(pThis->aSlotState)) || (pThis->aSlotState[slot] == XHCI_DEVSLOT_EMPTY))
+ cc = XHCI_TCC_SLOT_NOT_ENB;
+ else
+ cc = xhciR3ResetDevice(pDevIns, pThis, pCmd->rsd.slot_id);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, pCmd->rsd.slot_id);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case XHCI_TRB_GET_PORT_BW:
+ /* Get port bandwidth. */
+ Log(("Get Port Bandwidth: Dev Speed %u, Hub Slot ID %u, Context=%RX64\n", pCmd->gpbw.spd, pCmd->gpbw.slot_id, pCmd->gpbw.pbctx_ptr));
+ cc = XHCI_TCC_SUCCESS;
+ if (pCmd->gpbw.slot_id)
+ cc = XHCI_TCC_PARM_ERR; /* Potential undefined behavior, see 4.6.15. */
+ else
+ cc = xhciR3GetPortBandwidth(pDevIns, pThis, pCmd->gpbw.spd, pCmd->gpbw.slot_id, pCmd->gpbw.pbctx_ptr);
+ xhciR3PostCmdCompletion(pDevIns, pThis, cc, 0);
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case NEC_TRB_GET_FW_VER:
+ /* Get NEC firmware version. */
+ Log(("Get NEC firmware version\n"));
+ cc = XHCI_TCC_SUCCESS;
+
+ RT_ZERO(ed);
+ ed.nce.word1 = NEC_FW_REV;
+ ed.nce.trb_ptr = pThis->cmdr_dqp;
+ ed.nce.cc = cc;
+ ed.nce.type = NEC_TRB_CMD_CMPL;
+
+ xhciR3WriteEvent(pDevIns, pThis, &ed, XHCI_PRIMARY_INTERRUPTER, false);
+
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ case NEC_TRB_AUTHENTICATE:
+ /* NEC authentication. */
+ Log(("NEC authentication, cookie %RX64\n", pCmd->nac.cookie));
+ cc = XHCI_TCC_SUCCESS;
+
+ token = xhciR3NecAuthenticate(pCmd->nac.cookie);
+ RT_ZERO(ed);
+ ed.nce.word1 = RT_LOWORD(token);
+ ed.nce.word2 = RT_HIWORD(token);
+ ed.nce.trb_ptr = pThis->cmdr_dqp;
+ ed.nce.cc = cc;
+ ed.nce.type = NEC_TRB_CMD_CMPL;
+
+ xhciR3WriteEvent(pDevIns, pThis, &ed, XHCI_PRIMARY_INTERRUPTER, false);
+
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+
+ default:
+ Log(("Unsupported command!\n"));
+ pThis->cmdr_dqp += sizeof(XHCI_COMMAND_TRB);
+ break;
+ }
+
+ return rc;
+}
+
+
+/**
+ * Stop the Command Ring.
+ */
+static int xhciR3StopCommandRing(PPDMDEVINS pDevIns, PXHCI pThis)
+{
+ LogFlowFunc(("Command Ring stopping\n"));
+
+ Assert(pThis->crcr & (XHCI_CRCR_CA | XHCI_CRCR_CS));
+ Assert(pThis->crcr & XHCI_CRCR_CRR);
+ ASMAtomicAndU64(&pThis->crcr, ~(XHCI_CRCR_CRR | XHCI_CRCR_CA | XHCI_CRCR_CS));
+ return xhciR3PostCmdCompletion(pDevIns, pThis, XHCI_TCC_CMDR_STOPPED, 0);
+}
+
+
+/**
+ * Process the xHCI command ring.
+ */
+static int xhciR3ProcessCommandRing(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC)
+{
+ RTGCPHYS GCPhysCmdTRB;
+ XHCI_COMMAND_TRB cmd; /* Command Descriptor */
+ unsigned cCmds;
+
+ Assert(pThis->crcr & XHCI_CRCR_CRR);
+ LogFlowFunc(("Processing commands...\n"));
+
+ for (cCmds = 0;; cCmds++)
+ {
+ /* First check if the xHC is running at all. */
+ if (!(pThis->cmd & XHCI_CMD_RS))
+ {
+ /* Note that this will call xhciR3PostCmdCompletion() which will
+ * end up doing nothing because R/S is clear.
+ */
+ xhciR3StopCommandRing(pDevIns, pThis);
+ break;
+ }
+
+ /* Check if Command Ring was stopped in the meantime. */
+ if (pThis->crcr & (XHCI_CRCR_CS | XHCI_CRCR_CA))
+ {
+ /* NB: We currently do not abort commands. If we did, we would
+ * abort the currently running command and complete it with
+ * the XHCI_TCC_CMD_ABORTED status.
+ */
+ xhciR3StopCommandRing(pDevIns, pThis);
+ break;
+ }
+
+ /* Fetch the command TRB. */
+ GCPhysCmdTRB = pThis->cmdr_dqp;
+ PDMDevHlpPCIPhysReadMeta(pDevIns, GCPhysCmdTRB, &cmd, sizeof(cmd));
+
+ /* Make sure the Cycle State matches. */
+ if ((bool)cmd.gen.cycle == pThis->cmdr_ccs)
+ xhciR3ExecuteCommand(pDevIns, pThis, pThisCC, &cmd);
+ else
+ {
+ Log(("Command Ring empty\n"));
+ break;
+ }
+
+ /* Check if we're being fed suspiciously many commands. */
+ if (cCmds > XHCI_MAX_NUM_CMDS)
+ {
+ /* Clear the R/S bit and any command ring running bits.
+ * Note that the caller (xhciR3WorkerLoop) will set XHCI_STATUS_HCH.
+ */
+ ASMAtomicAndU32(&pThis->cmd, ~XHCI_CMD_RS);
+ ASMAtomicAndU64(&pThis->crcr, ~(XHCI_CRCR_CRR | XHCI_CRCR_CA | XHCI_CRCR_CS));
+ ASMAtomicOrU32(&pThis->status, XHCI_STATUS_HCE);
+ LogRelMax(10, ("xHCI: Attempted to execute too many commands, stopping xHC!\n"));
+ break;
+ }
+ }
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * The xHCI asynchronous worker thread.
+ *
+ * @returns VBox status code.
+ * @param pDevIns The xHCI device instance.
+ * @param pThread The worker thread.
+ */
+static DECLCALLBACK(int) xhciR3WorkerLoop(PPDMDEVINS pDevIns, PPDMTHREAD pThread)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PXHCICC pThisCC = PDMDEVINS_2_DATA_CC(pDevIns, PXHCICC);
+ int rc;
+
+ LogFlow(("xHCI entering worker thread loop.\n"));
+ if (pThread->enmState == PDMTHREADSTATE_INITIALIZING)
+ return VINF_SUCCESS;
+
+ while (pThread->enmState == PDMTHREADSTATE_RUNNING)
+ {
+ uint32_t u32Tasks = 0;
+ uint8_t uSlotID;
+
+ ASMAtomicWriteBool(&pThis->fWrkThreadSleeping, true);
+ u32Tasks = ASMAtomicXchgU32(&pThis->u32TasksNew, 0);
+ if (!u32Tasks)
+ {
+ Assert(ASMAtomicReadBool(&pThis->fWrkThreadSleeping));
+ rc = PDMDevHlpSUPSemEventWaitNoResume(pDevIns, pThis->hEvtProcess, RT_INDEFINITE_WAIT);
+ AssertLogRelMsgReturn(RT_SUCCESS(rc) || rc == VERR_INTERRUPTED, ("%Rrc\n", rc), rc);
+ if (RT_UNLIKELY(pThread->enmState != PDMTHREADSTATE_RUNNING))
+ break;
+ LogFlowFunc(("Woken up with rc=%Rrc\n", rc));
+ u32Tasks = ASMAtomicXchgU32(&pThis->u32TasksNew, 0);
+ }
+
+ RTCritSectEnter(&pThisCC->CritSectThrd);
+
+ if (pThis->crcr & XHCI_CRCR_CRR)
+ xhciR3ProcessCommandRing(pDevIns, pThis, pThisCC);
+
+ /* Run down the list of doorbells that are ringing. */
+ for (uSlotID = 1; uSlotID < XHCI_NDS; ++uSlotID)
+ {
+ if (pThis->aSlotState[ID_TO_IDX(uSlotID)] >= XHCI_DEVSLOT_ENABLED)
+ {
+ while (pThis->aBellsRung[ID_TO_IDX(uSlotID)])
+ {
+ uint8_t bit;
+ uint32_t uDBVal = 0;
+
+ for (bit = 0; bit < 32; ++bit)
+ if (pThis->aBellsRung[ID_TO_IDX(uSlotID)] & (1 << bit))
+ {
+ uDBVal = bit;
+ break;
+ }
+
+ Log2(("Stop ringing bell for slot %u, DCI %u\n", uSlotID, uDBVal));
+ ASMAtomicAndU32(&pThis->aBellsRung[ID_TO_IDX(uSlotID)], ~(1 << uDBVal));
+ xhciR3ProcessDevCtx(pDevIns, pThis, pThisCC, uSlotID, uDBVal);
+ }
+ }
+ }
+
+ /* If the R/S bit is no longer set, halt the xHC. */
+ if (!(pThis->cmd & XHCI_CMD_RS))
+ {
+ Log(("R/S clear, halting the xHC.\n"));
+ ASMAtomicOrU32(&pThis->status, XHCI_STATUS_HCH);
+ }
+
+ RTCritSectLeave(&pThisCC->CritSectThrd);
+
+ ASMAtomicWriteBool(&pThis->fWrkThreadSleeping, false);
+ } /* While running */
+
+ LogFlow(("xHCI worker thread exiting.\n"));
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Unblock the worker thread so it can respond to a state change.
+ *
+ * @returns VBox status code.
+ * @param pDevIns The xHCI device instance.
+ * @param pThread The worker thread.
+ */
+static DECLCALLBACK(int) xhciR3WorkerWakeUp(PPDMDEVINS pDevIns, PPDMTHREAD pThread)
+{
+ NOREF(pThread);
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+
+ return PDMDevHlpSUPSemEventSignal(pDevIns, pThis->hEvtProcess);
+}
+
+
+/**
+ * @interface_method_impl{PDMIBASE,pfnQueryInterface}
+ */
+static DECLCALLBACK(void *) xhciR3RhQueryInterface(PPDMIBASE pInterface, const char *pszIID)
+{
+ PXHCIROOTHUBR3 pRh = RT_FROM_MEMBER(pInterface, XHCIROOTHUBR3, IBase);
+ PDMIBASE_RETURN_INTERFACE(pszIID, PDMIBASE, &pRh->IBase);
+ PDMIBASE_RETURN_INTERFACE(pszIID, VUSBIROOTHUBPORT, &pRh->IRhPort);
+ return NULL;
+}
+
+/**
+ * @interface_method_impl{PDMIBASE,pfnQueryInterface}
+ */
+static DECLCALLBACK(void *) xhciR3QueryStatusInterface(PPDMIBASE pInterface, const char *pszIID)
+{
+ PXHCIR3 pThisCC = RT_FROM_MEMBER(pInterface, XHCIR3, IBase);
+ PDMIBASE_RETURN_INTERFACE(pszIID, PDMIBASE, &pThisCC->IBase);
+ PDMIBASE_RETURN_INTERFACE(pszIID, PDMILEDPORTS, &pThisCC->ILeds);
+ return NULL;
+}
+
+/**
+ * Gets the pointer to the status LED of a unit.
+ *
+ * @returns VBox status code.
+ * @param pInterface Pointer to the interface structure containing the called function pointer.
+ * @param iLUN The unit which status LED we desire.
+ * @param ppLed Where to store the LED pointer.
+ */
+static DECLCALLBACK(int) xhciR3QueryStatusLed(PPDMILEDPORTS pInterface, unsigned iLUN, PPDMLED *ppLed)
+{
+ PXHCICC pThisCC = RT_FROM_MEMBER(pInterface, XHCIR3, ILeds);
+
+ if (iLUN < XHCI_NUM_LUNS)
+ {
+ *ppLed = iLUN ? &pThisCC->RootHub3.Led : &pThisCC->RootHub2.Led;
+ Assert((*ppLed)->u32Magic == PDMLED_MAGIC);
+ return VINF_SUCCESS;
+ }
+ return VERR_PDM_LUN_NOT_FOUND;
+}
+
+
+/**
+ * Get the number of ports available in the hub.
+ *
+ * @returns The number of ports available.
+ * @param pInterface Pointer to this structure.
+ * @param pAvailable Bitmap indicating the available ports. Set bit == available port.
+ */
+static DECLCALLBACK(unsigned) xhciR3RhGetAvailablePorts(PVUSBIROOTHUBPORT pInterface, PVUSBPORTBITMAP pAvailable)
+{
+ PXHCIROOTHUBR3 pRh = RT_FROM_MEMBER(pInterface, XHCIROOTHUBR3, IRhPort);
+ PXHCICC pThisCC = pRh->pXhciR3;
+ PPDMDEVINS pDevIns = pThisCC->pDevIns;
+ unsigned iPort;
+ unsigned cPorts = 0;
+ LogFlow(("xhciR3RhGetAvailablePorts\n"));
+
+ memset(pAvailable, 0, sizeof(*pAvailable));
+
+ int const rcLock = PDMDevHlpCritSectEnter(pDevIns, pDevIns->pCritSectRoR3, VERR_IGNORED);
+ PDM_CRITSECT_RELEASE_ASSERT_RC_DEV(pDevIns, pDevIns->pCritSectRoR3, rcLock);
+
+ for (iPort = pRh->uPortBase; iPort < (unsigned)pRh->uPortBase + pRh->cPortsImpl; iPort++)
+ {
+ Assert(iPort < XHCI_NDP_CFG(PDMDEVINS_2_DATA(pDevIns, PXHCI)));
+ if (!pThisCC->aPorts[iPort].fAttached)
+ {
+ cPorts++;
+ ASMBitSet(pAvailable, IDX_TO_ID(iPort - pRh->uPortBase));
+ }
+ }
+
+ PDMDevHlpCritSectLeave(pDevIns, pDevIns->pCritSectRoR3);
+ return cPorts;
+}
+
+
+/**
+ * Get the supported USB versions for USB2 hubs.
+ *
+ * @returns The mask of supported USB versions.
+ * @param pInterface Pointer to this structure.
+ */
+static DECLCALLBACK(uint32_t) xhciR3RhGetUSBVersions2(PVUSBIROOTHUBPORT pInterface)
+{
+ RT_NOREF(pInterface);
+ return VUSB_STDVER_11 | VUSB_STDVER_20;
+}
+
+
+/**
+ * Get the supported USB versions for USB2 hubs.
+ *
+ * @returns The mask of supported USB versions.
+ * @param pInterface Pointer to this structure.
+ */
+static DECLCALLBACK(uint32_t) xhciR3RhGetUSBVersions3(PVUSBIROOTHUBPORT pInterface)
+{
+ RT_NOREF(pInterface);
+ return VUSB_STDVER_30;
+}
+
+
+/**
+ * Start sending SOF tokens across the USB bus, lists are processed in the
+ * next frame.
+ */
+static void xhciR3BusStart(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC)
+{
+ unsigned iPort;
+
+ pThisCC->RootHub2.pIRhConn->pfnPowerOn(pThisCC->RootHub2.pIRhConn);
+ pThisCC->RootHub3.pIRhConn->pfnPowerOn(pThisCC->RootHub3.pIRhConn);
+// xhciR3BumpFrameNumber(pThis);
+
+ Log(("xHCI: Bus started\n"));
+
+ Assert(pThis->status & XHCI_STATUS_HCH);
+ ASMAtomicAndU32(&pThis->status, ~XHCI_STATUS_HCH);
+
+ /* HCH gates PSCEG (4.19.2). When clearing HCH, re-evaluate port changes. */
+ for (iPort = 0; iPort < XHCI_NDP_CFG(pThis); ++iPort)
+ {
+ if (pThis->aPorts[iPort].portsc & XHCI_PORT_CHANGE_MASK)
+ xhciR3GenPortChgEvent(pDevIns, pThis, IDX_TO_ID(iPort));
+ }
+
+ /// @todo record the starting time?
+// pThis->SofTime = TMTimerGet(pThis->CTX_SUFF(pEndOfFrameTimer)) - pThis->cTicksPerFrame;
+}
+
+/**
+ * Stop sending SOF tokens on the bus and processing the data.
+ */
+static void xhciR3BusStop(PPDMDEVINS pDevIns, PXHCI pThis, PXHCICC pThisCC)
+{
+ LogFlow(("xhciR3BusStop\n"));
+
+ /* Stop the controller and Command Ring. */
+ pThis->cmd &= ~XHCI_CMD_RS;
+ pThis->crcr |= XHCI_CRCR_CS;
+
+ /* Power off the root hubs. */
+ pThisCC->RootHub2.pIRhConn->pfnPowerOff(pThisCC->RootHub2.pIRhConn);
+ pThisCC->RootHub3.pIRhConn->pfnPowerOff(pThisCC->RootHub3.pIRhConn);
+
+ /* The worker thread will halt the HC (set HCH) when done. */
+ xhciKickWorker(pDevIns, pThis, XHCI_JOB_PROCESS_CMDRING, 0);
+}
+
+
+/**
+ * Power a port up or down
+ */
+static void xhciR3PortPower(PXHCI pThis, PXHCICC pThisCC, unsigned iPort, bool fPowerUp)
+{
+ PXHCIHUBPORT pPort = &pThis->aPorts[iPort];
+ PXHCIHUBPORTR3 pPortR3 = &pThisCC->aPorts[iPort];
+ PXHCIROOTHUBR3 pRh = GET_PORT_PRH(pThisCC, iPort);
+
+ bool fOldPPS = !!(pPort->portsc & XHCI_PORT_PP);
+ LogFlow(("xhciR3PortPower (port %u) %s\n", IDX_TO_ID(iPort), fPowerUp ? "UP" : "DOWN"));
+
+ if (fPowerUp)
+ {
+ /* Power up a port. */
+ if (pPortR3->fAttached)
+ ASMAtomicOrU32(&pPort->portsc, XHCI_PORT_CCS);
+ if (pPort->portsc & XHCI_PORT_CCS)
+ ASMAtomicOrU32(&pPort->portsc, XHCI_PORT_PP);
+ if (pPortR3->fAttached && !fOldPPS)
+ VUSBIRhDevPowerOn(pRh->pIRhConn, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort));
+ }
+ else
+ {
+ /* Power down. */
+ ASMAtomicAndU32(&pPort->portsc, ~(XHCI_PORT_PP | XHCI_PORT_CCS));
+ if (pPortR3->fAttached && fOldPPS)
+ VUSBIRhDevPowerOff(pRh->pIRhConn, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort));
+ }
+}
+
+
+/**
+ * Port reset done callback.
+ *
+ * @returns nothing.
+ * @param pDevIns The device instance data.
+ * @param iPort The XHCI port index of the port being resetted.
+ */
+static void xhciR3PortResetDone(PPDMDEVINS pDevIns, unsigned iPort)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+
+ Log2(("xhciR3PortResetDone\n"));
+
+ AssertReturnVoid(iPort < XHCI_NDP_CFG(pThis));
+
+ /*
+ * Successful reset.
+ */
+ Log2(("xhciR3PortResetDone: Reset completed.\n"));
+
+ uint32_t fChangeMask = XHCI_PORT_PED | XHCI_PORT_PRC;
+ /* For USB2 ports, transition the link state. */
+ if (!IS_USB3_PORT_IDX_SHR(pThis, iPort))
+ {
+ pThis->aPorts[iPort].portsc &= ~XHCI_PORT_PLS_MASK;
+ pThis->aPorts[iPort].portsc |= XHCI_PLS_U0 << XHCI_PORT_PLS_SHIFT;
+ }
+ else
+ {
+ if (pThis->aPorts[iPort].portsc & XHCI_PORT_WPR)
+ fChangeMask |= XHCI_PORT_WRC;
+ }
+
+ ASMAtomicAndU32(&pThis->aPorts[iPort].portsc, ~(XHCI_PORT_PR | XHCI_PORT_WPR));
+ ASMAtomicOrU32(&pThis->aPorts[iPort].portsc, fChangeMask);
+ /// @todo Set USBSTS.PCD and manage PSCEG correctly!
+ /// @todo just guessing?!
+// ASMAtomicOrU32(&pThis->aPorts[iPort].portsc, XHCI_PORT_CSC | XHCI_PORT_PLC);
+
+ /// @todo Is this the right place?
+ xhciR3GenPortChgEvent(pDevIns, pThis, IDX_TO_ID(iPort));
+}
+
+
+/**
+ * Sets a flag in a port status register, but only if a device is connected;
+ * if not, set ConnectStatusChange flag to force HCD to reevaluate connect status.
+ *
+ * @returns true if device was connected and the flag was cleared.
+ */
+static bool xhciR3RhPortSetIfConnected(PXHCI pThis, int iPort, uint32_t fValue)
+{
+ /*
+ * Writing a 0 has no effect
+ */
+ if (fValue == 0)
+ return false;
+
+ /*
+ * The port might be still/already disconnected.
+ */
+ if (!(pThis->aPorts[iPort].portsc & XHCI_PORT_CCS))
+ return false;
+
+ bool fRc = !(pThis->aPorts[iPort].portsc & fValue);
+
+ /* Set the bit. */
+ ASMAtomicOrU32(&pThis->aPorts[iPort].portsc, fValue);
+
+ return fRc;
+}
+
+
+/** Translate VUSB speed enum to xHCI definition. */
+static unsigned xhciR3UsbSpd2XhciSpd(VUSBSPEED enmSpeed)
+{
+ unsigned uSpd;
+
+ switch (enmSpeed)
+ {
+ default: AssertMsgFailed(("%d\n", enmSpeed));
+ RT_FALL_THRU();
+ case VUSB_SPEED_LOW: uSpd = XHCI_SPD_LOW; break;
+ case VUSB_SPEED_FULL: uSpd = XHCI_SPD_FULL; break;
+ case VUSB_SPEED_HIGH: uSpd = XHCI_SPD_HIGH; break;
+ case VUSB_SPEED_SUPER: uSpd = XHCI_SPD_SUPER; break;
+ }
+ return uSpd;
+}
+
+/** @interface_method_impl{VUSBIROOTHUBPORT,pfnAttach} */
+static DECLCALLBACK(int) xhciR3RhAttach(PVUSBIROOTHUBPORT pInterface, unsigned uPort, VUSBSPEED enmSpeed)
+{
+ PXHCIROOTHUBR3 pRh = RT_FROM_MEMBER(pInterface, XHCIROOTHUBR3, IRhPort);
+ PXHCICC pThisCC = pRh->pXhciR3;
+ PPDMDEVINS pDevIns = pThisCC->pDevIns;
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PXHCIHUBPORT pPort;
+ unsigned iPort;
+ LogFlow(("xhciR3RhAttach: uPort=%u (iPort=%u)\n", uPort, ID_TO_IDX(uPort) + pRh->uPortBase));
+
+ int const rcLock = PDMDevHlpCritSectEnter(pDevIns, pDevIns->pCritSectRoR3, VERR_IGNORED);
+ AssertRCReturn(rcLock, rcLock);
+
+ /*
+ * Validate and adjust input.
+ */
+ Assert(uPort >= 1 && uPort <= pRh->cPortsImpl);
+ iPort = ID_TO_IDX(uPort) + pRh->uPortBase;
+ Assert(iPort < XHCI_NDP_CFG(pThis));
+ pPort = &pThis->aPorts[iPort];
+ Assert(!pThisCC->aPorts[iPort].fAttached);
+ Assert(enmSpeed != VUSB_SPEED_UNKNOWN);
+
+ /*
+ * Attach it.
+ */
+ ASMAtomicOrU32(&pPort->portsc, XHCI_PORT_CCS | XHCI_PORT_CSC);
+ pThisCC->aPorts[iPort].fAttached = true;
+ xhciR3PortPower(pThis, pThisCC, iPort, 1 /* power on */);
+
+ /* USB3 ports automatically transition to Enabled state. */
+ if (IS_USB3_PORT_IDX_R3(pThisCC, iPort))
+ {
+ Assert(enmSpeed == VUSB_SPEED_SUPER);
+ pPort->portsc |= XHCI_PORT_PED;
+ pPort->portsc &= ~XHCI_PORT_PLS_MASK;
+ pPort->portsc |= XHCI_PLS_U0 << XHCI_PORT_PLS_SHIFT;
+ pPort->portsc &= ~XHCI_PORT_SPD_MASK;
+ pPort->portsc |= XHCI_SPD_SUPER << XHCI_PORT_SPD_SHIFT;
+ VUSBIRhDevReset(pRh->pIRhConn, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort),
+ false, NULL /* sync */, NULL, PDMDevHlpGetVM(pDevIns));
+ }
+ else
+ {
+ Assert(enmSpeed == VUSB_SPEED_LOW || enmSpeed == VUSB_SPEED_FULL || enmSpeed == VUSB_SPEED_HIGH);
+ pPort->portsc &= ~XHCI_PORT_SPD_MASK;
+ pPort->portsc |= xhciR3UsbSpd2XhciSpd(enmSpeed) << XHCI_PORT_SPD_SHIFT;
+ }
+
+ xhciR3GenPortChgEvent(pDevIns, pThis, IDX_TO_ID(iPort));
+
+ PDMDevHlpCritSectLeave(pDevIns, pDevIns->pCritSectRoR3);
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * A device is being detached from a port in the root hub.
+ *
+ * @param pInterface Pointer to this structure.
+ * @param uPort The 1-based port number assigned to the device.
+ */
+static DECLCALLBACK(void) xhciR3RhDetach(PVUSBIROOTHUBPORT pInterface, unsigned uPort)
+{
+ PXHCIROOTHUBR3 pRh = RT_FROM_MEMBER(pInterface, XHCIROOTHUBR3, IRhPort);
+ PXHCICC pThisCC = pRh->pXhciR3;
+ PPDMDEVINS pDevIns = pThisCC->pDevIns;
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PXHCIHUBPORT pPort;
+ unsigned iPort;
+ LogFlow(("xhciR3RhDetach: uPort=%u iPort=%u\n", uPort, ID_TO_IDX(uPort) + pRh->uPortBase));
+ int const rcLock = PDMDevHlpCritSectEnter(pDevIns, pDevIns->pCritSectRoR3, VERR_IGNORED);
+ PDM_CRITSECT_RELEASE_ASSERT_RC_DEV(pDevIns, pDevIns->pCritSectRoR3, rcLock);
+
+ /*
+ * Validate and adjust input.
+ */
+ Assert(uPort >= 1 && uPort <= pRh->cPortsImpl);
+ iPort = ID_TO_IDX(uPort) + pRh->uPortBase;
+ Assert(iPort < XHCI_NDP_CFG(pThis));
+ pPort = &pThis->aPorts[iPort];
+ Assert(pThisCC->aPorts[iPort].fAttached);
+
+ /*
+ * Detach it.
+ */
+ pThisCC->aPorts[iPort].fAttached = false;
+ ASMAtomicAndU32(&pPort->portsc, ~(XHCI_PORT_CCS | XHCI_PORT_SPD_MASK | XHCI_PORT_PLS_MASK));
+ ASMAtomicOrU32(&pPort->portsc, XHCI_PORT_CSC);
+ /* Link state goes to RxDetect. */
+ ASMAtomicOrU32(&pPort->portsc, XHCI_PLS_RXDETECT << XHCI_PORT_PLS_SHIFT);
+ /* Disconnect clears the port enable bit. */
+ if (pPort->portsc & XHCI_PORT_PED)
+ ASMAtomicAndU32(&pPort->portsc, ~XHCI_PORT_PED);
+
+ xhciR3GenPortChgEvent(pDevIns, pThis, IDX_TO_ID(iPort));
+
+ PDMDevHlpCritSectLeave(pDevIns, pDevIns->pCritSectRoR3);
+}
+
+
+/**
+ * One of the root hub devices has completed its reset
+ * operation.
+ *
+ * Currently, we don't think anything is required to be done here
+ * so it's just a stub for forcing async resetting of the devices
+ * during a root hub reset.
+ *
+ * @param pDev The root hub device.
+ * @param rc The result of the operation.
+ * @param uPort The port number of the device on the roothub being resetted.
+ * @param pvUser Pointer to the controller.
+ */
+static DECLCALLBACK(void) xhciR3RhResetDoneOneDev(PVUSBIDEVICE pDev, uint32_t uPort, int rc, void *pvUser)
+{
+ LogRel(("xHCI: Root hub-attached device reset completed with %Rrc\n", rc));
+ RT_NOREF(pDev, uPort, rc, pvUser);
+}
+
+
+/**
+ * Does a software or hardware reset of the controller.
+ *
+ * This is called in response to setting HcCommandStatus.HCR, hardware reset,
+ * and device construction.
+ *
+ * @param pThis The shared XHCI instance data
+ * @param pThisCC The ring-3 XHCI instance data
+ * @param fNewMode The new mode of operation. This is UsbSuspend if
+ * it's a software reset, and UsbReset if it's a
+ * hardware reset / cold boot.
+ * @param fTrueReset Set if we can do a real reset of the devices
+ * attached to the root hub. This is really a just a
+ * hack for the non-working linux device reset. Linux
+ * has this feature called 'logical disconnect' if
+ * device reset fails which prevents us from doing
+ * resets when the guest asks for it - the guest will
+ * get confused when the device seems to be
+ * reconnected everytime it tries to reset it. But if
+ * we're at hardware reset time, we can allow a device
+ * to be 'reconnected' without upsetting the guest.
+ *
+ * @remark This has nothing to do with software setting the
+ * mode to UsbReset.
+ */
+static void xhciR3DoReset(PXHCI pThis, PXHCICC pThisCC, uint32_t fNewMode, bool fTrueReset)
+{
+ LogFunc(("%s reset%s\n", fNewMode == XHCI_USB_RESET ? "Hardware" : "Software",
+ fTrueReset ? " (really reset devices)" : ""));
+
+ /*
+ * Cancel all outstanding URBs.
+ *
+ * We can't, and won't, deal with URBs until we're moved out of the
+ * suspend/reset state. Also, a real HC isn't going to send anything
+ * any more when a reset has been signaled.
+ */
+ pThisCC->RootHub2.pIRhConn->pfnCancelAllUrbs(pThisCC->RootHub2.pIRhConn);
+ pThisCC->RootHub3.pIRhConn->pfnCancelAllUrbs(pThisCC->RootHub3.pIRhConn);
+
+ /*
+ * Reset the hardware registers.
+ */
+ /** @todo other differences between hardware reset and VM reset? */
+
+ pThis->cmd = 0;
+ pThis->status = XHCI_STATUS_HCH;
+ pThis->dnctrl = 0;
+ pThis->crcr = 0;
+ pThis->dcbaap = 0;
+ pThis->config = 0;
+
+ /*
+ * Reset the internal state.
+ */
+ pThis->cmdr_dqp = 0;
+ pThis->cmdr_ccs = 0;
+
+ RT_ZERO(pThis->aSlotState);
+ RT_ZERO(pThis->aBellsRung);
+
+ /* Zap everything but the lock. */
+ for (unsigned i = 0; i < RT_ELEMENTS(pThis->aInterrupters); ++i)
+ {
+ pThis->aInterrupters[i].iman = 0;
+ pThis->aInterrupters[i].imod = 0;
+ pThis->aInterrupters[i].erstsz = 0;
+ pThis->aInterrupters[i].erstba = 0;
+ pThis->aInterrupters[i].erdp = 0;
+ pThis->aInterrupters[i].erep = 0;
+ pThis->aInterrupters[i].erst_idx = 0;
+ pThis->aInterrupters[i].trb_count = 0;
+ pThis->aInterrupters[i].evtr_pcs = false;
+ pThis->aInterrupters[i].ipe = false;
+ }
+
+ if (fNewMode == XHCI_USB_RESET)
+ {
+ /* Only a hardware reset reinits the port registers. */
+ for (unsigned i = 0; i < XHCI_NDP_CFG(pThis); i++)
+ {
+ /* Need to preserve the speed of attached devices. */
+ pThis->aPorts[i].portsc &= XHCI_PORT_SPD_MASK;
+ pThis->aPorts[i].portsc |= XHCI_PLS_RXDETECT << XHCI_PORT_PLS_SHIFT;
+ /* If Port Power Control is not supported, ports are always powered on. */
+ if (!(pThis->hcc_params & XHCI_HCC_PPC))
+ pThis->aPorts[i].portsc |= XHCI_PORT_PP;
+ }
+ }
+
+ /*
+ * If this is a hardware reset, we will initialize the root hub too.
+ * Software resets doesn't do this according to the specs.
+ * (It's not possible to have a device connected at the time of the
+ * device construction, so nothing to worry about there.)
+ */
+ if (fNewMode == XHCI_USB_RESET)
+ {
+ pThisCC->RootHub2.pIRhConn->pfnReset(pThisCC->RootHub2.pIRhConn, fTrueReset);
+ pThisCC->RootHub3.pIRhConn->pfnReset(pThisCC->RootHub3.pIRhConn, fTrueReset);
+
+ /*
+ * Reattach the devices.
+ */
+ for (unsigned i = 0; i < XHCI_NDP_CFG(pThis); i++)
+ {
+ bool fAttached = pThisCC->aPorts[i].fAttached;
+ PXHCIROOTHUBR3 pRh = GET_PORT_PRH(pThisCC, i);
+ pThisCC->aPorts[i].fAttached = false;
+
+ if (fAttached)
+ {
+ VUSBSPEED enmSpeed = VUSBIRhDevGetSpeed(pRh->pIRhConn, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, i));
+ xhciR3RhAttach(&pRh->IRhPort, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, i), enmSpeed);
+ }
+ }
+ }
+}
+
+/**
+ * Reset the root hub.
+ *
+ * @returns VBox status code.
+ * @param pInterface Pointer to this structure.
+ * @param fTrueReset This is used to indicate whether we're at VM reset
+ * time and can do real resets or if we're at any other
+ * time where that isn't such a good idea.
+ * @remark Do NOT call VUSBIDevReset on the root hub in an async fashion!
+ * @thread EMT
+ */
+static DECLCALLBACK(int) xhciR3RhReset(PVUSBIROOTHUBPORT pInterface, bool fTrueReset)
+{
+ PXHCIROOTHUBR3 pRh = RT_FROM_MEMBER(pInterface, XHCIROOTHUBR3, IRhPort);
+ PXHCICC pThisCC = pRh->pXhciR3;
+ PPDMDEVINS pDevIns = pThisCC->pDevIns;
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+
+ Log(("xhciR3RhReset fTrueReset=%d\n", fTrueReset));
+ int const rcLock = PDMDevHlpCritSectEnter(pDevIns, pDevIns->pCritSectRoR3, VERR_IGNORED);
+ AssertRCReturn(rcLock, rcLock);
+
+ /* Soft reset first */
+ xhciR3DoReset(pThis, pThisCC, XHCI_USB_SUSPEND, false /* N/A */);
+
+ /*
+ * We're pretending to _reattach_ the devices without resetting them.
+ * Except, during VM reset where we use the opportunity to do a proper
+ * reset before the guest comes along and expects things.
+ *
+ * However, it's very very likely that we're not doing the right thing
+ * here when end up here on request from the guest (USB Reset state).
+ * The docs talk about root hub resetting, however what exact behaviour
+ * in terms of root hub status and changed bits, and HC interrupts aren't
+ * stated clearly. IF we get trouble and see the guest doing "USB Resets"
+ * we will have to look into this. For the time being we stick with simple.
+ */
+ for (unsigned iPort = pRh->uPortBase; iPort < XHCI_NDP_CFG(pThis); iPort++)
+ {
+ if (pThisCC->aPorts[iPort].fAttached)
+ {
+ ASMAtomicOrU32(&pThis->aPorts[iPort].portsc, XHCI_PORT_CCS | XHCI_PORT_CSC);
+ if (fTrueReset)
+ VUSBIRhDevReset(pRh->pIRhConn, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort), fTrueReset,
+ xhciR3RhResetDoneOneDev, pDevIns, PDMDevHlpGetVM(pDevIns));
+ }
+ }
+
+ PDMDevHlpCritSectLeave(pDevIns, pDevIns->pCritSectRoR3);
+ return VINF_SUCCESS;
+}
+
+#endif /* IN_RING3 */
+
+
+
+/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
+/* xHCI Operational Register access routines */
+/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
+
+
+
+/**
+ * Read the USBCMD register of the host controller.
+ */
+static VBOXSTRICTRC HcUsbcmd_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdUsbCmd);
+ *pu32Value = pThis->cmd;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write to the USBCMD register of the host controller.
+ */
+static VBOXSTRICTRC HcUsbcmd_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+#ifdef IN_RING3
+ PXHCICC pThisCC = PDMDEVINS_2_DATA_CC(pDevIns, PXHCICC);
+#endif
+ RT_NOREF(iReg);
+ STAM_COUNTER_INC(&pThis->StatWrUsbCmd);
+#ifdef LOG_ENABLED
+ Log(("HcUsbcmd_w old=%x new=%x\n", pThis->cmd, val));
+ if (val & XHCI_CMD_RS)
+ Log((" XHCI_CMD_RS\n"));
+ if (val & XHCI_CMD_HCRST)
+ Log((" XHCI_CMD_HCRST\n"));
+ if (val & XHCI_CMD_INTE )
+ Log((" XHCI_CMD_INTE\n"));
+ if (val & XHCI_CMD_HSEE)
+ Log((" XHCI_CMD_HSEE\n"));
+ if (val & XHCI_CMD_LCRST)
+ Log((" XHCI_CMD_LCRST\n"));
+ if (val & XHCI_CMD_CSS)
+ Log((" XHCI_CMD_CSS\n"));
+ if (val & XHCI_CMD_CRS)
+ Log((" XHCI_CMD_CRS\n"));
+ if (val & XHCI_CMD_EWE)
+ Log((" XHCI_CMD_EWE\n"));
+ if (val & XHCI_CMD_EU3S)
+ Log((" XHCI_CMD_EU3S\n"));
+#endif
+
+ if (val & ~XHCI_CMD_MASK)
+ Log(("Unknown USBCMD bits %#x are set!\n", val & ~XHCI_CMD_MASK));
+
+ uint32_t old_cmd = pThis->cmd;
+#ifdef IN_RING3
+ pThis->cmd = val;
+#endif
+
+ if (val & XHCI_CMD_HCRST)
+ {
+#ifdef IN_RING3
+ LogRel(("xHCI: Hardware reset\n"));
+ xhciR3DoReset(pThis, pThisCC, XHCI_USB_RESET, true /* reset devices */);
+#else
+ return VINF_IOM_R3_MMIO_WRITE;
+#endif
+ }
+ else if (val & XHCI_CMD_LCRST)
+ {
+#ifdef IN_RING3
+ LogRel(("xHCI: Software reset\n"));
+ xhciR3DoReset(pThis, pThisCC, XHCI_USB_SUSPEND, false /* N/A */);
+#else
+ return VINF_IOM_R3_MMIO_WRITE;
+#endif
+ }
+ else if (pThis->status & XHCI_STATUS_HCE)
+ {
+ /* If HCE is set, don't restart the controller. Only a reset
+ * will clear the HCE bit.
+ */
+ Log(("xHCI: HCE bit set, ignoring USBCMD register changes!\n"));
+ pThis->cmd = old_cmd;
+ return VINF_SUCCESS;
+ }
+ else
+ {
+ /* See what changed and take action on that. First the R/S bit. */
+ uint32_t old_state = old_cmd & XHCI_CMD_RS;
+ uint32_t new_state = val & XHCI_CMD_RS;
+
+ if (old_state != new_state)
+ {
+#ifdef IN_RING3
+ switch (new_state)
+ {
+ case XHCI_CMD_RS:
+ LogRel(("xHCI: USB Operational\n"));
+ xhciR3BusStart(pDevIns, pThis, pThisCC);
+ break;
+ case 0:
+ xhciR3BusStop(pDevIns, pThis, pThisCC);
+ LogRel(("xHCI: USB Suspended\n"));
+ break;
+ }
+#else
+ return VINF_IOM_R3_MMIO_WRITE;
+#endif
+ }
+
+ /* Check EWE (Enable MFINDEX Wraparound Event) changes. */
+ old_state = old_cmd & XHCI_CMD_EWE;
+ new_state = val & XHCI_CMD_EWE;
+
+ if (old_state != new_state)
+ {
+ switch (new_state)
+ {
+ case XHCI_CMD_EWE:
+ Log(("xHCI: MFINDEX Wrap timer started\n"));
+ xhciSetWrapTimer(pDevIns, pThis);
+ break;
+ case 0:
+ PDMDevHlpTimerStop(pDevIns, pThis->hWrapTimer);
+ Log(("xHCI: MFINDEX Wrap timer stopped\n"));
+ break;
+ }
+ }
+
+ /* INTE transitions need to twiddle interrupts. */
+ old_state = old_cmd & XHCI_CMD_INTE;
+ new_state = val & XHCI_CMD_INTE;
+ if (old_state != new_state)
+ {
+ switch (new_state)
+ {
+ case XHCI_CMD_INTE:
+ /* Check whether the event interrupt bit is set and trigger an interrupt. */
+ if (pThis->status & XHCI_STATUS_EINT)
+ PDMDevHlpPCISetIrq(pDevIns, 0, PDM_IRQ_LEVEL_HIGH);
+ break;
+ case 0:
+ PDMDevHlpPCISetIrq(pDevIns, 0, PDM_IRQ_LEVEL_LOW);
+ break;
+ }
+ }
+
+ /* We currently do nothing for state save/restore. If we did, the CSS/CRS command bits
+ * would set the SSS/RSS status bits until the operation is done. The CSS/CRS bits are
+ * never read as one.
+ */
+ /// @todo 4.9.4 describes internal state that needs to be saved/restored:
+ /// ERSTE, ERST Count, EREP, and TRB Count
+ /// Command Ring Dequeue Pointer?
+ if (val & XHCI_CMD_CSS)
+ {
+ Log(("xHCI: Save State requested\n"));
+ val &= ~XHCI_CMD_CSS;
+ }
+
+ if (val & XHCI_CMD_CRS)
+ {
+ Log(("xHCI: Restore State requested\n"));
+ val &= ~XHCI_CMD_CRS;
+ }
+ }
+#ifndef IN_RING3
+ pThis->cmd = val;
+#endif
+ return VINF_SUCCESS;
+}
+
+#ifdef LOG_ENABLED
+static void HcUsbstsLogBits(uint32_t val)
+{
+ if (val & XHCI_STATUS_HCH)
+ Log((" XHCI_STATUS_HCH (HC Halted)\n"));
+ if (val & XHCI_STATUS_HSE)
+ Log((" XHCI_STATUS_HSE (Host System Error)\n"));
+ if (val & XHCI_STATUS_EINT)
+ Log((" XHCI_STATUS_EINT (Event Interrupt)\n"));
+ if (val & XHCI_STATUS_PCD)
+ Log((" XHCI_STATUS_PCD (Port Change Detect)\n"));
+ if (val & XHCI_STATUS_SSS)
+ Log((" XHCI_STATUS_SSS (Save State Status)\n"));
+ if (val & XHCI_STATUS_RSS)
+ Log((" XHCI_STATUS_RSS (Restore State Status)\n"));
+ if (val & XHCI_STATUS_SRE)
+ Log((" XHCI_STATUS_SRE (Save/Restore Error)\n"));
+ if (val & XHCI_STATUS_CNR)
+ Log((" XHCI_STATUS_CNR (Controller Not Ready)\n"));
+ if (val & XHCI_STATUS_HCE)
+ Log((" XHCI_STATUS_HCE (Host Controller Error)\n"));
+}
+#endif
+
+/**
+ * Read the USBSTS register of the host controller.
+ */
+static VBOXSTRICTRC HcUsbsts_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+#ifdef LOG_ENABLED
+ Log(("HcUsbsts_r current value %x\n", pThis->status));
+ HcUsbstsLogBits(pThis->status);
+#endif
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdUsbSts);
+
+ *pu32Value = pThis->status;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write to the USBSTS register of the host controller.
+ */
+static VBOXSTRICTRC HcUsbsts_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+#ifdef LOG_ENABLED
+ Log(("HcUsbsts_w current value %x; new %x\n", pThis->status, val));
+ HcUsbstsLogBits(val);
+#endif
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatWrUsbSts);
+
+ if ( (val & ~XHCI_STATUS_WRMASK)
+ && val != 0xffffffff /* Ignore clear-all-like requests. */)
+ Log(("Unknown USBSTS bits %#x are set!\n", val & ~XHCI_STATUS_WRMASK));
+
+ /* Most bits are read-only. */
+ val &= XHCI_STATUS_WRMASK;
+
+ /* "The Host Controller Driver may clear specific bits in this
+ * register by writing '1' to bit positions to be cleared"
+ */
+ ASMAtomicAndU32(&pThis->status, ~val);
+
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the PAGESIZE register of the host controller.
+ */
+static VBOXSTRICTRC HcPagesize_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdPageSize);
+ *pu32Value = 1; /* 2^(bit n + 12) -> 4K page size only. */
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the DNCTRL (Device Notification Control) register.
+ */
+static VBOXSTRICTRC HcDevNotifyCtrl_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdDevNotifyCtrl);
+ *pu32Value = pThis->dnctrl;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the DNCTRL (Device Notification Control) register.
+ */
+static VBOXSTRICTRC HcDevNotifyCtrl_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatWrDevNotifyCtrl);
+ pThis->dnctrl = val;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the low dword of CRCR (Command Ring Control) register.
+ */
+static VBOXSTRICTRC HcCmdRingCtlLo_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdCmdRingCtlLo);
+ *pu32Value = (uint32_t)(pThis->crcr & XHCI_CRCR_RD_MASK);
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the low dword of CRCR (Command Ring Control) register.
+ */
+static VBOXSTRICTRC HcCmdRingCtlLo_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+ RT_NOREF(iReg);
+ STAM_COUNTER_INC(&pThis->StatWrCmdRingCtlLo);
+ /* NB: A dword write to the low half clears the high half. */
+
+ /* Sticky Abort/Stop bits - update register and kick the worker thread. */
+ if (val & (XHCI_CRCR_CA | XHCI_CRCR_CS))
+ {
+ pThis->crcr |= val & (XHCI_CRCR_CA | XHCI_CRCR_CS);
+ xhciKickWorker(pDevIns, pThis, XHCI_JOB_PROCESS_CMDRING, 0);
+ }
+
+ /*
+ * If the command ring is not running, the internal dequeue pointer
+ * and the cycle state is updated. Otherwise the update is ignored.
+ */
+ if (!(pThis->crcr & XHCI_CRCR_CRR))
+ {
+ pThis->crcr = (pThis->crcr & ~XHCI_CRCR_UPD_MASK) | (val & XHCI_CRCR_UPD_MASK);
+ /// @todo cmdr_dqp: atomic? volatile?
+ pThis->cmdr_dqp = pThis->crcr & XHCI_CRCR_ADDR_MASK;
+ pThis->cmdr_ccs = pThis->crcr & XHCI_CRCR_RCS;
+ }
+
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the high dword of CRCR (Command Ring Control) register.
+ */
+static VBOXSTRICTRC HcCmdRingCtlHi_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdCmdRingCtlHi);
+ *pu32Value = pThis->crcr >> 32;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the high dword of CRCR (Command Ring Control) register.
+ */
+static VBOXSTRICTRC HcCmdRingCtlHi_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatWrCmdRingCtlHi);
+ if (!(pThis->crcr & XHCI_CRCR_CRR))
+ {
+ pThis->crcr = ((uint64_t)val << 32) | (uint32_t)pThis->crcr;
+ pThis->cmdr_dqp = pThis->crcr & XHCI_CRCR_ADDR_MASK;
+ }
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the low dword of the DCBAAP register.
+ */
+static VBOXSTRICTRC HcDevCtxBAAPLo_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdDevCtxBaapLo);
+ *pu32Value = (uint32_t)pThis->dcbaap;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the low dword of the DCBAAP register.
+ */
+static VBOXSTRICTRC HcDevCtxBAAPLo_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatWrDevCtxBaapLo);
+ /* NB: A dword write to the low half clears the high half. */
+ /// @todo Should this mask off the reserved bits?
+ pThis->dcbaap = val;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the high dword of the DCBAAP register.
+ */
+static VBOXSTRICTRC HcDevCtxBAAPHi_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdDevCtxBaapHi);
+ *pu32Value = pThis->dcbaap >> 32;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the high dword of the DCBAAP register.
+ */
+static VBOXSTRICTRC HcDevCtxBAAPHi_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatWrDevCtxBaapHi);
+ pThis->dcbaap = ((uint64_t)val << 32) | (uint32_t)pThis->dcbaap;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the CONFIG register.
+ */
+static VBOXSTRICTRC HcConfig_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatRdConfig);
+ *pu32Value = pThis->config;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the CONFIG register.
+ */
+static VBOXSTRICTRC HcConfig_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t val)
+{
+ RT_NOREF(pDevIns, iReg);
+ STAM_COUNTER_INC(&pThis->StatWrConfig);
+ /// @todo side effects?
+ pThis->config = val;
+ return VINF_SUCCESS;
+}
+
+
+
+/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
+/* xHCI Port Register access routines */
+/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
+
+
+
+/**
+ * Read the PORTSC register.
+ */
+static VBOXSTRICTRC HcPortStatusCtrl_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iPort, uint32_t *pu32Value)
+{
+ PXHCIHUBPORT p = &pThis->aPorts[iPort];
+ RT_NOREF(pDevIns);
+ STAM_COUNTER_INC(&pThis->StatRdPortStatusCtrl);
+
+ Assert(!(pThis->hcc_params & XHCI_HCC_PPC));
+
+ if (p->portsc & XHCI_PORT_PR)
+ {
+/// @todo Probably not needed?
+#ifdef IN_RING3
+ Log2(("HcPortStatusCtrl_r(): port %u: Impatient guest!\n", IDX_TO_ID(iPort)));
+ RTThreadYield();
+#else
+ Log2(("HcPortStatusCtrl_r: yield -> VINF_IOM_R3_MMIO_READ\n"));
+ return VINF_IOM_R3_MMIO_READ;
+#endif
+ }
+
+ /* The WPR bit is always read as zero. */
+ *pu32Value = p->portsc & ~XHCI_PORT_WPR;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the PORTSC register.
+ */
+static VBOXSTRICTRC HcPortStatusCtrl_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iPort, uint32_t val)
+{
+ PXHCIHUBPORT p = &pThis->aPorts[iPort];
+#ifdef IN_RING3
+ PXHCICC pThisCC = PDMDEVINS_2_DATA_CC(pDevIns, PXHCICC);
+#endif
+ STAM_COUNTER_INC(&pThis->StatWrPortStatusCtrl);
+
+ /* If no register change results, we're done. */
+ if ( p->portsc == val
+ && !(val & XHCI_PORT_CHANGE_MASK))
+ return VINF_SUCCESS;
+
+ /* If port state is not changing (status bits are being cleared etc.), we can do it in any context.
+ * This case occurs when the R/W control bits are not changing and the W1C bits are not being set.
+ */
+ if ( (p->portsc & XHCI_PORT_CTL_RW_MASK) == (val & XHCI_PORT_CTL_RW_MASK)
+ && !(val & XHCI_PORT_CTL_W1_MASK))
+ {
+ Log(("HcPortStatusCtrl_w port %u (status only): old=%x new=%x\n", IDX_TO_ID(iPort), p->portsc, val));
+
+ if (val & XHCI_PORT_RESERVED)
+ Log(("Reserved bits set %x!\n", val & XHCI_PORT_RESERVED));
+
+ /* A write to clear any of the change notification bits. */
+ if (val & XHCI_PORT_CHANGE_MASK)
+ p->portsc &= ~(val & XHCI_PORT_CHANGE_MASK);
+
+ /* Update the wake mask. */
+ p->portsc &= ~XHCI_PORT_WAKE_MASK;
+ p->portsc |= val & XHCI_PORT_WAKE_MASK;
+
+ /* There may still be differences between 'portsc' and 'val' in
+ * the R/O bits; that does not count as a register change and is fine.
+ * The RW1x control bits are not considered either since those only matter
+ * if set in 'val'. Since the LWS bit was not set, the PLS bits should not
+ * be compared. The port change bits may differ as well since the guest
+ * could be clearing only some or none of them.
+ */
+ AssertMsg(!(val & XHCI_PORT_CTL_W1_MASK), ("val=%X\n", val));
+ AssertMsg(!(val & XHCI_PORT_LWS), ("val=%X\n", val));
+ AssertMsg((val & ~(XHCI_PORT_RO_MASK|XHCI_PORT_CTL_W1_MASK|XHCI_PORT_PLS_MASK|XHCI_PORT_CHANGE_MASK)) == (p->portsc & ~(XHCI_PORT_RO_MASK|XHCI_PORT_CTL_W1_MASK|XHCI_PORT_PLS_MASK|XHCI_PORT_CHANGE_MASK)), ("val=%X vs. portsc=%X\n", val, p->portsc));
+ return VINF_SUCCESS;
+ }
+
+ /* Actual USB port state changes need to be done in R3. */
+#ifdef IN_RING3
+ Log(("HcPortStatusCtrl_w port %u: old=%x new=%x\n", IDX_TO_ID(iPort), p->portsc, val));
+ Assert(!(pThis->hcc_params & XHCI_HCC_PPC));
+ Assert(p->portsc & XHCI_PORT_PP);
+
+ if (val & XHCI_PORT_RESERVED)
+ Log(("Reserved bits set %x!\n", val & XHCI_PORT_RESERVED));
+
+ /* A write to clear any of the change notification bits. */
+ if (val & XHCI_PORT_CHANGE_MASK)
+ p->portsc &= ~(val & XHCI_PORT_CHANGE_MASK);
+
+ /* Writing the Port Enable/Disable bit as 1 disables a port; it cannot be
+ * enabled that way. Writing the bit as zero does does nothing.
+ */
+ if ((val & XHCI_PORT_PED) && (p->portsc & XHCI_PORT_PED))
+ {
+ p->portsc &= ~XHCI_PORT_PED;
+ Log(("HcPortStatusCtrl_w(): port %u: DISABLE\n", IDX_TO_ID(iPort)));
+ }
+
+ if (!(val & XHCI_PORT_PP) && (p->portsc & XHCI_PORT_PP))
+ {
+ p->portsc &= ~XHCI_PORT_PP;
+ Log(("HcPortStatusCtrl_w(): port %u: POWER OFF\n", IDX_TO_ID(iPort)));
+ }
+
+ /* Warm Port Reset - USB3 only; see 4.19.5.1. */
+ if ((val & XHCI_PORT_WPR) && IS_USB3_PORT_IDX_SHR(pThis, iPort))
+ {
+ Log(("HcPortStatusCtrl_w(): port %u: WARM RESET\n", IDX_TO_ID(iPort)));
+ if (xhciR3RhPortSetIfConnected(pThis, iPort, XHCI_PORT_PR | XHCI_PORT_WPR))
+ {
+ PXHCIROOTHUBR3 pRh = GET_PORT_PRH(pThisCC, iPort);
+
+ VUSBIRhDevReset(pRh->pIRhConn, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort), false /* don't reset on linux */, NULL /* sync */, NULL, PDMDevHlpGetVM(pDevIns));
+ xhciR3PortResetDone(pDevIns, iPort);
+ }
+ }
+
+ if (val & XHCI_PORT_PR)
+ {
+ Log(("HcPortStatusCtrl_w(): port %u: RESET\n", IDX_TO_ID(iPort)));
+ if (xhciR3RhPortSetIfConnected(pThis, iPort, XHCI_PORT_PR))
+ {
+ PXHCIROOTHUBR3 pRh = GET_PORT_PRH(pThisCC, iPort);
+
+ VUSBIRhDevReset(pRh->pIRhConn, GET_VUSB_PORT_FROM_XHCI_PORT(pRh, iPort), false /* don't reset on linux */, NULL /* sync */, NULL, PDMDevHlpGetVM(pDevIns));
+ xhciR3PortResetDone(pDevIns, iPort);
+ }
+ else if (p->portsc & XHCI_PORT_PR)
+ {
+ /* the guest is getting impatient. */
+ Log2(("HcPortStatusCtrl_w(): port %u: Impatient guest!\n", IDX_TO_ID(iPort)));
+ RTThreadYield();
+ }
+ }
+
+ /// @todo Do some sanity checking on the new link state?
+ /* Update the link state if requested. */
+ if (val & XHCI_PORT_LWS)
+ {
+ unsigned old_pls;
+ unsigned new_pls;
+
+ old_pls = (p->portsc & XHCI_PORT_PLS_MASK) >> XHCI_PORT_PLS_SHIFT;
+ new_pls = (val & XHCI_PORT_PLS_MASK) >> XHCI_PORT_PLS_SHIFT;
+
+ p->portsc &= ~XHCI_PORT_PLS_MASK;
+ p->portsc |= new_pls << XHCI_PORT_PLS_SHIFT;
+ Log2(("HcPortStatusCtrl_w(): port %u: Updating link state from %u to %u\n", IDX_TO_ID(iPort), old_pls, new_pls));
+ /* U3->U0 (USB3) and Resume->U0 transitions set the PLC flag. See 4.15.2.2 */
+ if (new_pls == XHCI_PLS_U0)
+ if (old_pls == XHCI_PLS_U3 || old_pls == XHCI_PLS_RESUME)
+ {
+ p->portsc |= XHCI_PORT_PLC;
+ xhciR3GenPortChgEvent(pDevIns, pThis, IDX_TO_ID(iPort));
+ }
+ }
+
+ /// @todo which other bits can we safely ignore?
+
+ /* Update the wake mask. */
+ p->portsc &= ~XHCI_PORT_WAKE_MASK;
+ p->portsc |= val & XHCI_PORT_WAKE_MASK;
+
+ return VINF_SUCCESS;
+#else /* !IN_RING3 */
+ RT_NOREF(pDevIns);
+ return VINF_IOM_R3_MMIO_WRITE;
+#endif /* !IN_RING3 */
+}
+
+
+/**
+ * Read the PORTPMSC register.
+ */
+static VBOXSTRICTRC HcPortPowerMgmt_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iPort, uint32_t *pu32Value)
+{
+ PXHCIHUBPORT p = &pThis->aPorts[iPort];
+ RT_NOREF(pDevIns);
+ STAM_COUNTER_INC(&pThis->StatRdPortPowerMgmt);
+
+ *pu32Value = p->portpm;
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Write the PORTPMSC register.
+ */
+static VBOXSTRICTRC HcPortPowerMgmt_w(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iPort, uint32_t val)
+{
+ PXHCIHUBPORT p = &pThis->aPorts[iPort];
+ RT_NOREF(pDevIns);
+ STAM_COUNTER_INC(&pThis->StatWrPortPowerMgmt);
+
+ /// @todo anything to do here?
+ p->portpm = val;
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Read the PORTLI register.
+ */
+static VBOXSTRICTRC HcPortLinkInfo_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iPort, uint32_t *pu32Value)
+{
+ PXHCIHUBPORT p = &pThis->aPorts[iPort];
+ RT_NOREF(pDevIns);
+ STAM_COUNTER_INC(&pThis->StatRdPortLinkInfo);
+
+ /* The link information is R/O; we probably can't get it at all. If we
+ * do maintain it for USB3 ports, we also have to reset it (5.4.10).
+ */
+ *pu32Value = p->portli;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the reserved register. Linux likes to do this.
+ */
+static VBOXSTRICTRC HcPortRsvd_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iPort, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis, iPort);
+ STAM_COUNTER_INC(&pThis->StatRdPortRsvd);
+ *pu32Value = 0;
+ return VINF_SUCCESS;
+}
+
+
+
+/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
+/* xHCI Interrupter Register access routines */
+/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
+
+
+
+/**
+ * Read the IMAN register.
+ */
+static VBOXSTRICTRC HcIntrMgmt_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatRdIntrMgmt);
+
+ *pu32Value = ip->iman;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the IMAN register.
+ */
+static VBOXSTRICTRC HcIntrMgmt_w(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t val)
+{
+ uint32_t uNew = val & XHCI_IMAN_VALID_MASK;
+ STAM_COUNTER_INC(&pThis->StatWrIntrMgmt);
+
+ if (val & ~XHCI_IMAN_VALID_MASK)
+ Log(("Reserved bits set %x!\n", val & ~XHCI_IMAN_VALID_MASK));
+
+ /* If the Interrupt Pending (IP) bit is set, writing one clears it.
+ * Note that when MSIs are enabled, the bit auto-clears almost immediately.
+ */
+ if (val & ip->iman & XHCI_IMAN_IP)
+ {
+ Log2(("clearing interrupt on interrupter %u\n", ip->index));
+ PDMDevHlpPCISetIrq(pDevIns, 0, PDM_IRQ_LEVEL_LOW);
+ STAM_COUNTER_INC(&pThis->StatIntrsCleared);
+ uNew &= ~XHCI_IMAN_IP;
+ }
+ else
+ {
+ /* Preserve the current IP bit. */
+ uNew = (uNew & ~XHCI_IMAN_IP) | (ip->iman & XHCI_IMAN_IP);
+ }
+
+ /* Trigger an interrupt if the IP bit is set and IE transitions from 0 to 1. */
+ if ( (uNew & XHCI_IMAN_IE)
+ && !(ip->iman & XHCI_IMAN_IE)
+ && (ip->iman & XHCI_IMAN_IP)
+ && (pThis->cmd & XHCI_CMD_INTE))
+ PDMDevHlpPCISetIrq(pDevIns, 0, PDM_IRQ_LEVEL_HIGH);
+
+ ip->iman = uNew;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the IMOD register.
+ */
+static VBOXSTRICTRC HcIntrMod_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatRdIntrMod);
+
+ *pu32Value = ip->imod;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the IMOD register.
+ */
+static VBOXSTRICTRC HcIntrMod_w(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t val)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatWrIntrMod);
+
+ /// @todo Does writing a zero to IMODC/IMODI potentially trigger
+ /// an interrupt?
+ ip->imod = val;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the ERSTSZ register.
+ */
+static VBOXSTRICTRC HcEvtRSTblSize_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatRdEvtRstblSize);
+
+ *pu32Value = ip->erstsz;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the ERSTSZ register.
+ */
+static VBOXSTRICTRC HcEvtRSTblSize_w(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t val)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatWrEvtRstblSize);
+
+ if (val & ~XHCI_ERSTSZ_MASK)
+ Log(("Reserved bits set %x!\n", val & ~XHCI_ERSTSZ_MASK));
+ if (val > XHCI_ERSTMAX)
+ Log(("ERSTSZ (%u) > ERSTMAX (%u)!\n", val, XHCI_ERSTMAX));
+
+ /* Enforce the maximum size. */
+ ip->erstsz = RT_MIN(val, XHCI_ERSTMAX);
+
+ if (!ip->index && !ip->erstsz) /* Windows 8 does this temporarily. Thanks guys... */
+ Log(("ERSTSZ is zero for primary interrupter: undefined behavior!\n"));
+
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the reserved register. Linux likes to do this.
+ */
+static VBOXSTRICTRC HcEvtRsvd_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis, ip);
+ STAM_COUNTER_INC(&pThis->StatRdEvtRsvd);
+ *pu32Value = 0;
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the low dword of the ERSTBA register.
+ */
+static VBOXSTRICTRC HcEvtRSTblBaseLo_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatRdEvtRsTblBaseLo);
+
+ *pu32Value = (uint32_t)ip->erstba;
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Write the low dword of the ERSTBA register.
+ */
+static VBOXSTRICTRC HcEvtRSTblBaseLo_w(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t val)
+{
+ STAM_COUNTER_INC(&pThis->StatWrEvtRsTblBaseLo);
+
+ if (val & ~pThis->erst_addr_mask)
+ Log(("Reserved bits set %x!\n", val & ~pThis->erst_addr_mask));
+
+ /* NB: A dword write to the low half clears the high half. */
+ ip->erstba = val & pThis->erst_addr_mask;
+
+ /* Initialize the internal event ring state. */
+ ip->evtr_pcs = 1;
+ ip->erst_idx = 0;
+ ip->ipe = false;
+
+ /* Fetch the first ERST entry now. Not later! That "sets the Event Ring
+ * State Machine:EREP Advancement to the Start state"
+ */
+ xhciFetchErstEntry(pDevIns, pThis, ip);
+
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the high dword of the ERSTBA register.
+ */
+static VBOXSTRICTRC HcEvtRSTblBaseHi_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatRdEvtRsTblBaseHi);
+
+ *pu32Value = (uint32_t)(ip->erstba >> 32);
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the high dword of the ERSTBA register.
+ */
+static VBOXSTRICTRC HcEvtRSTblBaseHi_w(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t val)
+{
+ STAM_COUNTER_INC(&pThis->StatWrEvtRsTblBaseHi);
+
+ /* Update the high dword while preserving the low one. */
+ ip->erstba = ((uint64_t)val << 32) | (uint32_t)ip->erstba;
+
+ /* We shouldn't be doing this when AC64 is set. But High Sierra
+ * ignores that because it "knows" the xHC handles 64-bit addressing,
+ * so we're going to assume that OSes are not going to write junk into
+ * ERSTBAH when they don't see AC64 set.
+ */
+ xhciFetchErstEntry(pDevIns, pThis, ip);
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Read the low dword of the ERDP register.
+ */
+static VBOXSTRICTRC HcEvtRingDeqPtrLo_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pThis);
+ STAM_COUNTER_INC(&pThis->StatRdEvtRingDeqPtrLo);
+
+ /* Lock to avoid incomplete update being seen. */
+ int rc = PDMDevHlpCritSectEnter(pDevIns, &ip->lock, VINF_IOM_R3_MMIO_READ);
+ if (rc != VINF_SUCCESS)
+ return rc;
+
+ *pu32Value = (uint32_t)ip->erdp;
+
+ PDMDevHlpCritSectLeave(pDevIns, &ip->lock);
+
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the low dword of the ERDP register.
+ */
+static VBOXSTRICTRC HcEvtRingDeqPtrLo_w(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t val)
+{
+ uint64_t old_erdp;
+ uint64_t new_erdp;
+ STAM_COUNTER_INC(&pThis->StatWrEvtRingDeqPtrLo);
+
+ /* NB: A dword write to the low half clears the high half.
+ * The high dword should be ignored when AC64=0, but High Sierra
+ * does not care what we report. Therefore a write to the low dword
+ * handles all the control bits and a write to the high dword still
+ * updates the ERDP address. On a 64-bit host, there must be a
+ * back-to-back low dword + high dword access. We are going to boldly
+ * assume that the guest will not place the event ring across the 4G
+ * boundary (i.e. storing the bottom part in the firmware ROM).
+ */
+ int rc = PDMDevHlpCritSectEnter(pDevIns, &ip->lock, VINF_IOM_R3_MMIO_WRITE);
+ if (rc != VINF_SUCCESS)
+ return rc;
+
+ old_erdp = ip->erdp & XHCI_ERDP_ADDR_MASK; /* Remember old ERDP address. */
+ new_erdp = ip->erdp & XHCI_ERDP_EHB; /* Preserve EHB */
+
+ /* If the Event Handler Busy (EHB) bit is set, writing a one clears it. */
+ if (val & ip->erdp & XHCI_ERDP_EHB)
+ {
+ Log2(("clearing EHB on interrupter %p\n", ip));
+ new_erdp &= ~XHCI_ERDP_EHB;
+ }
+ /// @todo Check if this might inadvertently set EHB!
+
+ new_erdp |= val & ~XHCI_ERDP_EHB;
+ ip->erdp = new_erdp;
+
+ /* Check if the ERDP changed. See workaround below. */
+ if (old_erdp != (new_erdp & XHCI_ERDP_ADDR_MASK))
+ ip->erdp_rewrites = 0;
+ else
+ ++ip->erdp_rewrites;
+
+ LogFlowFunc(("ERDP: %RGp, EREP: %RGp\n", (RTGCPHYS)(ip->erdp & XHCI_ERDP_ADDR_MASK), (RTGCPHYS)ip->erep));
+
+ if ((ip->erdp & XHCI_ERDP_ADDR_MASK) == ip->erep)
+ {
+ Log2(("Event Ring empty, clearing IPE\n"));
+ ip->ipe = false;
+ }
+ else if (ip->ipe && (val & XHCI_ERDP_EHB))
+ {
+ /* EHB is being cleared but the ring isn't empty and IPE is still set. */
+ if (RT_UNLIKELY(old_erdp == (new_erdp & XHCI_ERDP_ADDR_MASK) && ip->erdp_rewrites > 2))
+ {
+ /* If guest does not advance the ERDP, do not trigger an interrupt
+ * again. Workaround for buggy xHCI initialization in Linux 4.6 which
+ * enables interrupts before setting up internal driver state. That
+ * leads to the guest IRQ handler not actually handling events and
+ * infinitely re-triggering interrupts. However, only do this if the
+ * guest has already written the same ERDP value a few times. The Intel
+ * xHCI driver always writes the same ERDP twice and we must still
+ * re-trigger interrupts in that case.
+ * See @bugref{8546}.
+ */
+ Log2(("Event Ring not empty, ERDP not advanced, not re-triggering interrupt!\n"));
+ ip->ipe = false;
+ }
+ else
+ {
+ Log2(("Event Ring not empty, re-triggering interrupt\n"));
+ xhciSetIntr(pDevIns, pThis, ip);
+ }
+ }
+
+ PDMDevHlpCritSectLeave(pDevIns, &ip->lock);
+
+ return VINF_SUCCESS;
+}
+
+/**
+ * Read the high dword of the ERDP register.
+ */
+static VBOXSTRICTRC HcEvtRingDeqPtrHi_r(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t *pu32Value)
+{
+ RT_NOREF(pDevIns, pThis);
+ STAM_COUNTER_INC(&pThis->StatRdEvtRingDeqPtrHi);
+
+ *pu32Value = (uint32_t)(ip->erdp >> 32);
+ return VINF_SUCCESS;
+}
+
+/**
+ * Write the high dword of the ERDP register.
+ */
+static VBOXSTRICTRC HcEvtRingDeqPtrHi_w(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR ip, uint32_t val)
+{
+ RT_NOREF(pThis);
+ STAM_COUNTER_INC(&pThis->StatWrEvtRingDeqPtrHi);
+
+ /* See HcEvtRingDeqPtrLo_w for semantics. */
+ int rc = PDMDevHlpCritSectEnter(pDevIns, &ip->lock, VINF_IOM_R3_MMIO_WRITE);
+ if (rc != VINF_SUCCESS)
+ return rc;
+
+ /* Update the high dword while preserving the low one. */
+ ip->erdp = ((uint64_t)val << 32) | (uint32_t)ip->erdp;
+
+ PDMDevHlpCritSectLeave(pDevIns, &ip->lock);
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * xHCI register access routines.
+ */
+typedef struct
+{
+ const char *pszName;
+ VBOXSTRICTRC (*pfnRead )(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t *pu32Value);
+ VBOXSTRICTRC (*pfnWrite)(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t iReg, uint32_t u32Value);
+} XHCIREGACC;
+
+/**
+ * xHCI interrupter register access routines.
+ */
+typedef struct
+{
+ const char *pszName;
+ VBOXSTRICTRC (*pfnIntrRead )(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR pIntr, uint32_t *pu32Value);
+ VBOXSTRICTRC (*pfnIntrWrite)(PPDMDEVINS pDevIns, PXHCI pThis, PXHCIINTRPTR pIntr, uint32_t u32Value);
+} XHCIINTRREGACC;
+
+/**
+ * Operational registers descriptor table.
+ */
+static const XHCIREGACC g_aOpRegs[] =
+{
+ {"USBCMD" , HcUsbcmd_r, HcUsbcmd_w },
+ {"USBSTS", HcUsbsts_r, HcUsbsts_w },
+ {"PAGESIZE", HcPagesize_r, NULL },
+ {"Unused", NULL, NULL },
+ {"Unused", NULL, NULL },
+ {"DNCTRL", HcDevNotifyCtrl_r, HcDevNotifyCtrl_w },
+ {"CRCRL", HcCmdRingCtlLo_r, HcCmdRingCtlLo_w },
+ {"CRCRH", HcCmdRingCtlHi_r, HcCmdRingCtlHi_w },
+ {"Unused", NULL, NULL },
+ {"Unused", NULL, NULL },
+ {"Unused", NULL, NULL },
+ {"Unused", NULL, NULL },
+ {"DCBAAPL", HcDevCtxBAAPLo_r, HcDevCtxBAAPLo_w },
+ {"DCBAAPH", HcDevCtxBAAPHi_r, HcDevCtxBAAPHi_w },
+ {"CONFIG", HcConfig_r, HcConfig_w }
+};
+
+
+/**
+ * Port registers descriptor table (for a single port). The number of ports
+ * and their associated registers depends on the NDP value.
+ */
+static const XHCIREGACC g_aPortRegs[] =
+{
+ /*
+ */
+ {"PORTSC", HcPortStatusCtrl_r, HcPortStatusCtrl_w },
+ {"PORTPMSC", HcPortPowerMgmt_r, HcPortPowerMgmt_w },
+ {"PORTLI", HcPortLinkInfo_r, NULL },
+ {"Reserved", HcPortRsvd_r, NULL }
+};
+AssertCompile(RT_ELEMENTS(g_aPortRegs) * sizeof(uint32_t) == 0x10);
+
+
+/**
+ * Interrupter runtime registers descriptor table (for a single interrupter).
+ * The number of interrupters depends on the XHCI_NINTR value.
+ */
+static const XHCIINTRREGACC g_aIntrRegs[] =
+{
+ {"IMAN", HcIntrMgmt_r, HcIntrMgmt_w },
+ {"IMOD", HcIntrMod_r, HcIntrMod_w },
+ {"ERSTSZ", HcEvtRSTblSize_r, HcEvtRSTblSize_w },
+ {"Reserved", HcEvtRsvd_r, NULL },
+ {"ERSTBAL", HcEvtRSTblBaseLo_r, HcEvtRSTblBaseLo_w },
+ {"ERSTBAH", HcEvtRSTblBaseHi_r, HcEvtRSTblBaseHi_w },
+ {"ERDPL", HcEvtRingDeqPtrLo_r, HcEvtRingDeqPtrLo_w },
+ {"ERDPH", HcEvtRingDeqPtrHi_r, HcEvtRingDeqPtrHi_w }
+};
+AssertCompile(RT_ELEMENTS(g_aIntrRegs) * sizeof(uint32_t) == 0x20);
+
+
+/**
+ * Read the MFINDEX register.
+ */
+static int HcMfIndex_r(PPDMDEVINS pDevIns, PXHCI pThis, uint32_t *pu32Value)
+{
+ uint64_t uNanoTime;
+ uint64_t uMfTime;
+ STAM_COUNTER_INC(&pThis->StatRdMfIndex);
+
+ /* MFINDEX increments once per micro-frame, i.e. 8 times per millisecond
+ * or every 125us. The resolution is only 14 bits, meaning that MFINDEX
+ * wraps around after it reaches 0x3FFF (16383) or every 2048 milliseconds.
+ */
+ /// @todo MFINDEX should only be running when R/S is set. May not matter.
+ uNanoTime = PDMDevHlpTimerGet(pDevIns, pThis->hWrapTimer);
+ uMfTime = uNanoTime / 125000;
+
+ *pu32Value = uMfTime & 0x3FFF;
+ Log2(("MFINDEX read: %u\n", *pu32Value));
+ return VINF_SUCCESS;
+}
+
+/**
+ * @callback_method_impl{FNIOMMMIONEWREAD, Read a MMIO register.}
+ *
+ * @note We only accept 32-bit writes that are 32-bit aligned.
+ */
+static DECLCALLBACK(VBOXSTRICTRC) xhciMmioRead(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void *pv, unsigned cb)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ const uint32_t offReg = (uint32_t)off;
+ uint32_t * const pu32 = (uint32_t *)pv;
+ uint32_t iReg;
+ RT_NOREF(pvUser);
+
+ Log2(("xhciRead %RGp (offset %04X) size=%d\n", off, offReg, cb));
+
+ if (offReg < XHCI_CAPS_REG_SIZE)
+ {
+ switch (offReg)
+ {
+ case 0x0: /* CAPLENGTH + HCIVERSION */
+ *pu32 = (pThis->hci_version << 16) | pThis->cap_length;
+ break;
+
+ case 0x4: /* HCSPARAMS1 (structural) */
+ Log2(("HCSPARAMS1 read\n"));
+ *pu32 = pThis->hcs_params1;
+ break;
+
+ case 0x8: /* HCSPARAMS2 (structural) */
+ Log2(("HCSPARAMS2 read\n"));
+ *pu32 = pThis->hcs_params2;
+ break;
+
+ case 0xC: /* HCSPARAMS3 (structural) */
+ Log2(("HCSPARAMS3 read\n"));
+ *pu32 = pThis->hcs_params3;
+ break;
+
+ case 0x10: /* HCCPARAMS1 (caps) */
+ Log2(("HCCPARAMS1 read\n"));
+ *pu32 = pThis->hcc_params;
+ break;
+
+ case 0x14: /* DBOFF (doorbell offset) */
+ Log2(("DBOFF read\n"));
+ *pu32 = pThis->dbell_off;
+ break;
+
+ case 0x18: /* RTSOFF (run-time register offset) */
+ Log2(("RTSOFF read\n"));
+ *pu32 = pThis->rts_off;
+ break;
+
+ case 0x1C: /* HCCPARAMS2 (caps) */
+ Log2(("HCCPARAMS2 read\n"));
+ *pu32 = 0; /* xHCI 1.1 only */
+ break;
+
+ default:
+ Log(("xHCI: Trying to read unknown capability register %u!\n", offReg));
+ STAM_COUNTER_INC(&pThis->StatRdUnknown);
+ return VINF_IOM_MMIO_UNUSED_FF;
+ }
+ STAM_COUNTER_INC(&pThis->StatRdCaps);
+ Log2(("xhciRead %RGp size=%d -> val=%x\n", off, cb, *pu32));
+ return VINF_SUCCESS;
+ }
+
+ /*
+ * Validate the access (in case of IOM bugs or incorrect MMIO registration).
+ */
+ AssertMsgReturn(cb == sizeof(uint32_t), ("IOM bug? %RGp LB %d\n", off, cb),
+ VINF_IOM_MMIO_UNUSED_FF /* No idea what really would happen... */);
+ /** r=bird: If you don't have an idea what would happen for non-dword reads,
+ * then the flags passed to IOM when creating the MMIO region are doubtful, right? */
+ AssertMsgReturn(!(off & 0x3), ("IOM bug? %RGp LB %d\n", off, cb), VINF_IOM_MMIO_UNUSED_FF);
+
+ /*
+ * Validate the register and call the read operator.
+ */
+ VBOXSTRICTRC rcStrict = VINF_IOM_MMIO_UNUSED_FF;
+ if (offReg >= XHCI_DOORBELL_OFFSET)
+ {
+ /* The doorbell registers are effectively write-only and return 0 when read. */
+ iReg = (offReg - XHCI_DOORBELL_OFFSET) >> 2;
+ if (iReg < XHCI_NDS)
+ {
+ STAM_COUNTER_INC(&pThis->StatRdDoorBell);
+ *pu32 = 0;
+ rcStrict = VINF_SUCCESS;
+ Log2(("xhciRead: DBellReg (DB %u) %RGp size=%d -> val=%x (rc=%d)\n", iReg, off, cb, *pu32, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ else if (offReg >= XHCI_RTREG_OFFSET)
+ {
+ /* Run-time registers. */
+ Assert(offReg < XHCI_DOORBELL_OFFSET);
+ /* The MFINDEX register would be interrupter -1... */
+ if (offReg < XHCI_RTREG_OFFSET + RT_ELEMENTS(g_aIntrRegs) * sizeof(uint32_t))
+ {
+ if (offReg == XHCI_RTREG_OFFSET)
+ rcStrict = HcMfIndex_r(pDevIns, pThis, pu32);
+ else
+ {
+ /* The silly Linux xHCI driver reads the reserved registers. */
+ STAM_COUNTER_INC(&pThis->StatRdUnknown);
+ *pu32 = 0;
+ rcStrict = VINF_SUCCESS;
+ }
+ }
+ else
+ {
+ Assert((offReg - XHCI_RTREG_OFFSET) / (RT_ELEMENTS(g_aIntrRegs) * sizeof(uint32_t)) > 0);
+ const uint32_t iIntr = (offReg - XHCI_RTREG_OFFSET) / (RT_ELEMENTS(g_aIntrRegs) * sizeof(uint32_t)) - 1;
+
+ if (iIntr < XHCI_NINTR)
+ {
+ iReg = (offReg >> 2) & (RT_ELEMENTS(g_aIntrRegs) - 1);
+ const XHCIINTRREGACC *pReg = &g_aIntrRegs[iReg];
+ if (pReg->pfnIntrRead)
+ {
+ PXHCIINTRPTR pIntr = &pThis->aInterrupters[iIntr];
+ rcStrict = pReg->pfnIntrRead(pDevIns, pThis, pIntr, pu32);
+ Log2(("xhciRead: IntrReg (intr %u): %RGp (%s) size=%d -> val=%x (rc=%d)\n", iIntr, off, pReg->pszName, cb, *pu32, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ }
+ }
+ else if (offReg >= XHCI_XECP_OFFSET)
+ {
+ /* Extended Capability registers. */
+ Assert(offReg < XHCI_RTREG_OFFSET);
+ uint32_t offXcp = offReg - XHCI_XECP_OFFSET;
+
+ if (offXcp + cb <= RT_MIN(pThis->cbExtCap, sizeof(pThis->abExtCap))) /* can't trust cbExtCap in ring-0. */
+ {
+ *pu32 = *(uint32_t *)&pThis->abExtCap[offXcp];
+ rcStrict = VINF_SUCCESS;
+ }
+ Log2(("xhciRead: ExtCapReg %RGp size=%d -> val=%x (rc=%d)\n", off, cb, *pu32, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ else
+ {
+ /* Operational registers (incl. port registers). */
+ Assert(offReg < XHCI_XECP_OFFSET);
+ iReg = (offReg - XHCI_CAPS_REG_SIZE) >> 2;
+ if (iReg < RT_ELEMENTS(g_aOpRegs))
+ {
+ const XHCIREGACC *pReg = &g_aOpRegs[iReg];
+ if (pReg->pfnRead)
+ {
+ rcStrict = pReg->pfnRead(pDevIns, pThis, iReg, pu32);
+ Log2(("xhciRead: OpReg %RGp (%s) size=%d -> val=%x (rc=%d)\n", off, pReg->pszName, cb, *pu32, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ else if (iReg >= (XHCI_PORT_REG_OFFSET >> 2))
+ {
+ iReg -= (XHCI_PORT_REG_OFFSET >> 2);
+ const uint32_t iPort = iReg / RT_ELEMENTS(g_aPortRegs);
+ if (iPort < XHCI_NDP_CFG(pThis))
+ {
+ iReg = (offReg >> 2) & (RT_ELEMENTS(g_aPortRegs) - 1);
+ Assert(iReg < RT_ELEMENTS(g_aPortRegs));
+ const XHCIREGACC *pReg = &g_aPortRegs[iReg];
+ if (pReg->pfnRead)
+ {
+ rcStrict = pReg->pfnRead(pDevIns, pThis, iPort, pu32);
+ Log2(("xhciRead: PortReg (port %u): %RGp (%s) size=%d -> val=%x (rc=%d)\n", IDX_TO_ID(iPort), off, pReg->pszName, cb, *pu32, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ }
+ }
+
+ if (rcStrict != VINF_IOM_MMIO_UNUSED_FF)
+ { /* likely */ }
+ else
+ {
+ STAM_COUNTER_INC(&pThis->StatRdUnknown);
+ Log(("xHCI: Trying to read unimplemented register at offset %04X!\n", offReg));
+ }
+
+ return rcStrict;
+}
+
+
+/**
+ * @callback_method_impl{FNIOMMMIONEWWRITE, Write to a MMIO register.}
+ *
+ * @note We only accept 32-bit writes that are 32-bit aligned.
+ */
+static DECLCALLBACK(VBOXSTRICTRC) xhciMmioWrite(PPDMDEVINS pDevIns, void *pvUser, RTGCPHYS off, void const *pv, unsigned cb)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ const uint32_t offReg = (uint32_t)off;
+ uint32_t * const pu32 = (uint32_t *)pv;
+ uint32_t iReg;
+ RT_NOREF(pvUser);
+
+ Log2(("xhciWrite %RGp (offset %04X) %x size=%d\n", off, offReg, *(uint32_t *)pv, cb));
+
+ if (offReg < XHCI_CAPS_REG_SIZE)
+ {
+ /* These are read-only */
+ Log(("xHCI: Trying to write to register %u!\n", offReg));
+ STAM_COUNTER_INC(&pThis->StatWrUnknown);
+ return VINF_SUCCESS;
+ }
+
+ /*
+ * Validate the access (in case of IOM bug or incorrect MMIO registration).
+ */
+ AssertMsgReturn(cb == sizeof(uint32_t), ("IOM bug? %RGp LB %d\n", off, cb), VINF_SUCCESS);
+ AssertMsgReturn(!(off & 0x3), ("IOM bug? %RGp LB %d\n", off, cb), VINF_SUCCESS);
+
+ /*
+ * Validate the register and call the write operator.
+ */
+ VBOXSTRICTRC rcStrict = VINF_IOM_MMIO_UNUSED_FF;
+ if (offReg >= XHCI_DOORBELL_OFFSET)
+ {
+ /* Let's spring into action... as long as the xHC is running. */
+ iReg = (offReg - XHCI_DOORBELL_OFFSET) >> 2;
+ if ((pThis->cmd & XHCI_CMD_RS) && iReg < XHCI_NDS)
+ {
+ if (iReg == 0)
+ {
+ /* DB0 aka Command Ring. */
+ STAM_COUNTER_INC(&pThis->StatWrDoorBell0);
+ if (*pu32 == 0)
+ {
+ /* Set the Command Ring state to Running if not already set. */
+ if (!(pThis->crcr & XHCI_CRCR_CRR))
+ {
+ Log(("Command ring entered Running state\n"));
+ ASMAtomicOrU64(&pThis->crcr, XHCI_CRCR_CRR);
+ }
+ xhciKickWorker(pDevIns, pThis, XHCI_JOB_PROCESS_CMDRING, 0);
+ }
+ else
+ Log2(("Ignoring DB0 write with value %X!\n", *pu32));
+ }
+ else
+ {
+ /* Device context doorbell. Do basic parameter checking to avoid
+ * waking up the worker thread needlessly.
+ */
+ STAM_COUNTER_INC(&pThis->StatWrDoorBellN);
+ uint8_t uDBTarget = *pu32 & XHCI_DB_TGT_MASK;
+ Assert(uDBTarget < 32); /// @todo Report an error? Or just ignore?
+ if (uDBTarget < 32)
+ {
+ Log2(("Ring bell for slot %u, DCI %u\n", iReg, uDBTarget));
+ ASMAtomicOrU32(&pThis->aBellsRung[ID_TO_IDX(iReg)], 1 << uDBTarget);
+ xhciKickWorker(pDevIns, pThis, XHCI_JOB_DOORBELL, *pu32);
+ }
+ else
+ Log2(("Ignoring DB%u write with bad target %u!\n", iReg, uDBTarget));
+ }
+ rcStrict = VINF_SUCCESS;
+ Log2(("xhciWrite: DBellReg (DB %u) %RGp size=%d <- val=%x (rc=%d)\n", iReg, off, cb, *(uint32_t *)pv, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ else if (offReg >= XHCI_RTREG_OFFSET)
+ {
+ /* Run-time registers. */
+ Assert(offReg < XHCI_DOORBELL_OFFSET);
+ /* NB: The MFINDEX register is R/O. */
+ if (offReg >= XHCI_RTREG_OFFSET + (RT_ELEMENTS(g_aIntrRegs) * sizeof(uint32_t)))
+ {
+ Assert((offReg - XHCI_RTREG_OFFSET) / (RT_ELEMENTS(g_aIntrRegs) * sizeof(uint32_t)) > 0);
+ const uint32_t iIntr = (offReg - XHCI_RTREG_OFFSET) / (RT_ELEMENTS(g_aIntrRegs) * sizeof(uint32_t)) - 1;
+
+ if (iIntr < XHCI_NINTR)
+ {
+ iReg = (offReg >> 2) & (RT_ELEMENTS(g_aIntrRegs) - 1);
+ const XHCIINTRREGACC *pReg = &g_aIntrRegs[iReg];
+ if (pReg->pfnIntrWrite)
+ {
+ PXHCIINTRPTR pIntr = &pThis->aInterrupters[iIntr];
+ rcStrict = pReg->pfnIntrWrite(pDevIns, pThis, pIntr, *pu32);
+ Log2(("xhciWrite: IntrReg (intr %u): %RGp (%s) size=%d <- val=%x (rc=%d)\n", iIntr, off, pReg->pszName, cb, *pu32, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ }
+ }
+ else
+ {
+ /* Operational registers (incl. port registers). */
+ Assert(offReg < XHCI_RTREG_OFFSET);
+ iReg = (offReg - pThis->cap_length) >> 2;
+ if (iReg < RT_ELEMENTS(g_aOpRegs))
+ {
+ const XHCIREGACC *pReg = &g_aOpRegs[iReg];
+ if (pReg->pfnWrite)
+ {
+ rcStrict = pReg->pfnWrite(pDevIns, pThis, iReg, *(uint32_t *)pv);
+ Log2(("xhciWrite: OpReg %RGp (%s) size=%d <- val=%x (rc=%d)\n", off, pReg->pszName, cb, *(uint32_t *)pv, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ else if (iReg >= (XHCI_PORT_REG_OFFSET >> 2))
+ {
+ iReg -= (XHCI_PORT_REG_OFFSET >> 2);
+ const uint32_t iPort = iReg / RT_ELEMENTS(g_aPortRegs);
+ if (iPort < XHCI_NDP_CFG(pThis))
+ {
+ iReg = (offReg >> 2) & (RT_ELEMENTS(g_aPortRegs) - 1);
+ Assert(iReg < RT_ELEMENTS(g_aPortRegs));
+ const XHCIREGACC *pReg = &g_aPortRegs[iReg];
+ if (pReg->pfnWrite)
+ {
+ rcStrict = pReg->pfnWrite(pDevIns, pThis, iPort, *pu32);
+ Log2(("xhciWrite: PortReg (port %u): %RGp (%s) size=%d <- val=%x (rc=%d)\n", IDX_TO_ID(iPort), off, pReg->pszName, cb, *pu32, VBOXSTRICTRC_VAL(rcStrict)));
+ }
+ }
+ }
+ }
+
+ if (rcStrict != VINF_IOM_MMIO_UNUSED_FF)
+ { /* likely */ }
+ else
+ {
+ /* Ignore writes to unimplemented or read-only registers. */
+ STAM_COUNTER_INC(&pThis->StatWrUnknown);
+ Log(("xHCI: Trying to write unimplemented or R/O register at offset %04X!\n", offReg));
+ rcStrict = VINF_SUCCESS;
+ }
+
+ return rcStrict;
+}
+
+
+#ifdef IN_RING3
+
+/**
+ * @callback_method_impl{FNTMTIMERDEV,
+ * Provides periodic MFINDEX wrap events. See 4.14.2.}
+ */
+static DECLCALLBACK(void) xhciR3WrapTimer(PPDMDEVINS pDevIns, TMTIMERHANDLE hTimer, void *pvUser)
+{
+ PXHCI pThis = (PXHCI)pvUser;
+ XHCI_EVENT_TRB ed;
+ LogFlow(("xhciR3WrapTimer:\n"));
+ RT_NOREF(hTimer);
+
+ /*
+ * Post the MFINDEX Wrap event and rearm the timer. Only called
+ * when the EWE bit is set in command register.
+ */
+ RT_ZERO(ed);
+ ed.mwe.cc = XHCI_TCC_SUCCESS;
+ ed.mwe.type = XHCI_TRB_MFIDX_WRAP;
+ xhciR3WriteEvent(pDevIns, pThis, &ed, XHCI_PRIMARY_INTERRUPTER, false);
+
+ xhciSetWrapTimer(pDevIns, pThis);
+}
+
+
+/**
+ * @callback_method_impl{FNSSMDEVSAVEEXEC}
+ */
+static DECLCALLBACK(int) xhciR3SaveExec(PPDMDEVINS pDevIns, PSSMHANDLE pSSM)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PCPDMDEVHLPR3 pHlp = pDevIns->pHlpR3;
+ uint32_t iPort;
+ uint32_t iSlot;
+ uint32_t iIntr;
+
+ LogFlow(("xhciR3SaveExec: \n"));
+
+ /* Save HC operational registers. */
+ pHlp->pfnSSMPutU32(pSSM, pThis->cmd);
+ pHlp->pfnSSMPutU32(pSSM, pThis->status);
+ pHlp->pfnSSMPutU32(pSSM, pThis->dnctrl);
+ pHlp->pfnSSMPutU64(pSSM, pThis->crcr);
+ pHlp->pfnSSMPutU64(pSSM, pThis->dcbaap);
+ pHlp->pfnSSMPutU32(pSSM, pThis->config);
+
+ /* Save HC non-register state. */
+ pHlp->pfnSSMPutU64(pSSM, pThis->cmdr_dqp);
+ pHlp->pfnSSMPutBool(pSSM, pThis->cmdr_ccs);
+
+ /* Save per-slot state. */
+ pHlp->pfnSSMPutU32(pSSM, XHCI_NDS);
+ for (iSlot = 0; iSlot < XHCI_NDS; ++iSlot)
+ {
+ pHlp->pfnSSMPutU8 (pSSM, pThis->aSlotState[iSlot]);
+ pHlp->pfnSSMPutU32(pSSM, pThis->aBellsRung[iSlot]);
+ }
+
+ /* Save root hub (port) state. */
+ pHlp->pfnSSMPutU32(pSSM, XHCI_NDP_CFG(pThis));
+ for (iPort = 0; iPort < XHCI_NDP_CFG(pThis); ++iPort)
+ {
+ pHlp->pfnSSMPutU32(pSSM, pThis->aPorts[iPort].portsc);
+ pHlp->pfnSSMPutU32(pSSM, pThis->aPorts[iPort].portpm);
+ }
+
+ /* Save interrupter state. */
+ pHlp->pfnSSMPutU32(pSSM, XHCI_NINTR);
+ for (iIntr = 0; iIntr < XHCI_NINTR; ++iIntr)
+ {
+ pHlp->pfnSSMPutU32(pSSM, pThis->aInterrupters[iIntr].iman);
+ pHlp->pfnSSMPutU32(pSSM, pThis->aInterrupters[iIntr].imod);
+ pHlp->pfnSSMPutU32(pSSM, pThis->aInterrupters[iIntr].erstsz);
+ pHlp->pfnSSMPutU64(pSSM, pThis->aInterrupters[iIntr].erstba);
+ pHlp->pfnSSMPutU64(pSSM, pThis->aInterrupters[iIntr].erdp);
+ pHlp->pfnSSMPutU64(pSSM, pThis->aInterrupters[iIntr].erep);
+ pHlp->pfnSSMPutU16(pSSM, pThis->aInterrupters[iIntr].erst_idx);
+ pHlp->pfnSSMPutU16(pSSM, pThis->aInterrupters[iIntr].trb_count);
+ pHlp->pfnSSMPutBool(pSSM, pThis->aInterrupters[iIntr].evtr_pcs);
+ pHlp->pfnSSMPutBool(pSSM, pThis->aInterrupters[iIntr].ipe);
+ }
+
+ /* Terminator marker. */
+ pHlp->pfnSSMPutU32(pSSM, UINT32_MAX);
+
+ /* If not continuing after save, force HC into non-running state to avoid trouble later. */
+ if (pHlp->pfnSSMHandleGetAfter(pSSM) != SSMAFTER_CONTINUE)
+ pThis->cmd &= ~XHCI_CMD_RS;
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * @callback_method_impl{FNSSMDEVLOADEXEC}
+ */
+static DECLCALLBACK(int) xhciR3LoadExec(PPDMDEVINS pDevIns, PSSMHANDLE pSSM, uint32_t uVersion, uint32_t uPass)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PCPDMDEVHLPR3 pHlp = pDevIns->pHlpR3;
+ int rc;
+ uint32_t cPorts;
+ uint32_t iPort;
+ uint32_t cSlots;
+ uint32_t iSlot;
+ uint32_t cIntrs;
+ uint32_t iIntr;
+ uint64_t u64Dummy;
+ uint32_t u32Dummy;
+ uint16_t u16Dummy;
+ uint8_t u8Dummy;
+ bool fDummy;
+
+ LogFlow(("xhciR3LoadExec:\n"));
+
+ Assert(uPass == SSM_PASS_FINAL); NOREF(uPass);
+ if (uVersion != XHCI_SAVED_STATE_VERSION)
+ return VERR_SSM_UNSUPPORTED_DATA_UNIT_VERSION;
+
+ /* Load HC operational registers. */
+ pHlp->pfnSSMGetU32(pSSM, &pThis->cmd);
+ pHlp->pfnSSMGetU32(pSSM, &pThis->status);
+ pHlp->pfnSSMGetU32(pSSM, &pThis->dnctrl);
+ pHlp->pfnSSMGetU64(pSSM, &pThis->crcr);
+ pHlp->pfnSSMGetU64(pSSM, &pThis->dcbaap);
+ pHlp->pfnSSMGetU32(pSSM, &pThis->config);
+
+ /* Load HC non-register state. */
+ pHlp->pfnSSMGetU64(pSSM, &pThis->cmdr_dqp);
+ pHlp->pfnSSMGetBool(pSSM, &pThis->cmdr_ccs);
+
+ /* Load per-slot state. */
+ rc = pHlp->pfnSSMGetU32(pSSM, &cSlots);
+ AssertRCReturn(rc, rc);
+ if (cSlots > 256) /* Sanity check. */
+ return VERR_SSM_INVALID_STATE;
+ for (iSlot = 0; iSlot < cSlots; ++iSlot)
+ {
+ /* Load only as many slots as we have; discard any extras. */
+ if (iSlot < XHCI_NDS)
+ {
+ pHlp->pfnSSMGetU8 (pSSM, &pThis->aSlotState[iSlot]);
+ pHlp->pfnSSMGetU32(pSSM, &pThis->aBellsRung[iSlot]);
+ }
+ else
+ {
+ pHlp->pfnSSMGetU8 (pSSM, &u8Dummy);
+ pHlp->pfnSSMGetU32(pSSM, &u32Dummy);
+ }
+ }
+
+ /* Load root hub (port) state. */
+ rc = pHlp->pfnSSMGetU32(pSSM, &cPorts);
+ AssertRCReturn(rc, rc);
+ if (cPorts > 256) /* Sanity check. */
+ return VERR_SSM_INVALID_STATE;
+
+ for (iPort = 0; iPort < cPorts; ++iPort)
+ {
+ /* Load only as many ports as we have; discard any extras. */
+ if (iPort < XHCI_NDP_CFG(pThis))
+ {
+ pHlp->pfnSSMGetU32(pSSM, &pThis->aPorts[iPort].portsc);
+ pHlp->pfnSSMGetU32(pSSM, &pThis->aPorts[iPort].portpm);
+ }
+ else
+ {
+ pHlp->pfnSSMGetU32(pSSM, &u32Dummy);
+ pHlp->pfnSSMGetU32(pSSM, &u32Dummy);
+ }
+ }
+
+ /* Load interrupter state. */
+ rc = pHlp->pfnSSMGetU32(pSSM, &cIntrs);
+ AssertRCReturn(rc, rc);
+ if (cIntrs > 256) /* Sanity check. */
+ return VERR_SSM_INVALID_STATE;
+ for (iIntr = 0; iIntr < cIntrs; ++iIntr)
+ {
+ /* Load only as many interrupters as we have; discard any extras. */
+ if (iIntr < XHCI_NINTR)
+ {
+ pHlp->pfnSSMGetU32(pSSM, &pThis->aInterrupters[iIntr].iman);
+ pHlp->pfnSSMGetU32(pSSM, &pThis->aInterrupters[iIntr].imod);
+ pHlp->pfnSSMGetU32(pSSM, &pThis->aInterrupters[iIntr].erstsz);
+ pHlp->pfnSSMGetU64(pSSM, &pThis->aInterrupters[iIntr].erstba);
+ pHlp->pfnSSMGetU64(pSSM, &pThis->aInterrupters[iIntr].erdp);
+ pHlp->pfnSSMGetU64(pSSM, &pThis->aInterrupters[iIntr].erep);
+ pHlp->pfnSSMGetU16(pSSM, &pThis->aInterrupters[iIntr].erst_idx);
+ pHlp->pfnSSMGetU16(pSSM, &pThis->aInterrupters[iIntr].trb_count);
+ pHlp->pfnSSMGetBool(pSSM, &pThis->aInterrupters[iIntr].evtr_pcs);
+ pHlp->pfnSSMGetBool(pSSM, &pThis->aInterrupters[iIntr].ipe);
+ }
+ else
+ {
+ pHlp->pfnSSMGetU32(pSSM, &u32Dummy);
+ pHlp->pfnSSMGetU32(pSSM, &u32Dummy);
+ pHlp->pfnSSMGetU32(pSSM, &u32Dummy);
+ pHlp->pfnSSMGetU64(pSSM, &u64Dummy);
+ pHlp->pfnSSMGetU64(pSSM, &u64Dummy);
+ pHlp->pfnSSMGetU64(pSSM, &u64Dummy);
+ pHlp->pfnSSMGetU16(pSSM, &u16Dummy);
+ pHlp->pfnSSMGetU16(pSSM, &u16Dummy);
+ pHlp->pfnSSMGetBool(pSSM, &fDummy);
+ pHlp->pfnSSMGetBool(pSSM, &fDummy);
+ }
+ }
+
+ /* Terminator marker. */
+ rc = pHlp->pfnSSMGetU32(pSSM, &u32Dummy);
+ AssertRCReturn(rc, rc);
+ AssertReturn(u32Dummy == UINT32_MAX, VERR_SSM_DATA_UNIT_FORMAT_CHANGED);
+
+ return rc;
+}
+
+
+/* -=-=-=-=- DBGF -=-=-=-=- */
+
+/**
+ * @callback_method_impl{FNDBGFHANDLERDEV, Dumps xHCI state.}
+ */
+static DECLCALLBACK(void) xhciR3Info(PPDMDEVINS pDevIns, PCDBGFINFOHLP pHlp, const char *pszArgs)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ RTGCPHYS GPAddr;
+ bool fVerbose = false;
+ unsigned i, j;
+ uint64_t u64Val;
+
+ /* Parse arguments. */
+ if (pszArgs)
+ fVerbose = strstr(pszArgs, "verbose") != NULL;
+
+#ifdef XHCI_ERROR_INJECTION
+ if (pszArgs && strstr(pszArgs, "dropintrhw"))
+ {
+ pHlp->pfnPrintf(pHlp, "Dropping the next interrupt (external)!\n");
+ pThis->fDropIntrHw = true;
+ return;
+ }
+
+ if (pszArgs && strstr(pszArgs, "dropintrint"))
+ {
+ pHlp->pfnPrintf(pHlp, "Dropping the next interrupt (internal)!\n");
+ pThis->fDropIntrIpe = true;
+ return;
+ }
+
+ if (pszArgs && strstr(pszArgs, "dropurb"))
+ {
+ pHlp->pfnPrintf(pHlp, "Dropping the next URB!\n");
+ pThis->fDropUrb = true;
+ return;
+ }
+#endif
+
+ /* Show basic information. */
+ pHlp->pfnPrintf(pHlp,
+ "%s#%d: PCI MMIO=%RGp IRQ=%u MSI=%s R0=%RTbool RC=%RTbool\n",
+ pDevIns->pReg->szName,
+ pDevIns->iInstance,
+ PDMDevHlpMmioGetMappingAddress(pDevIns, pThis->hMmio),
+ PCIDevGetInterruptLine(pDevIns->apPciDevs[0]),
+#ifdef VBOX_WITH_MSI_DEVICES
+ xhciIsMSIEnabled(pDevIns->apPciDevs[0]) ? "on" : "off",
+#else
+ "none",
+#endif
+ pDevIns->fR0Enabled, pDevIns->fRCEnabled);
+
+ /* Command register. */
+ pHlp->pfnPrintf(pHlp, "USBCMD: %X:", pThis->cmd);
+ if (pThis->cmd & XHCI_CMD_EU3S) pHlp->pfnPrintf(pHlp, " EU3S" );
+ if (pThis->cmd & XHCI_CMD_EWE) pHlp->pfnPrintf(pHlp, " EWE" );
+ if (pThis->cmd & XHCI_CMD_CRS) pHlp->pfnPrintf(pHlp, " CRS" );
+ if (pThis->cmd & XHCI_CMD_CSS) pHlp->pfnPrintf(pHlp, " CSS" );
+ if (pThis->cmd & XHCI_CMD_LCRST) pHlp->pfnPrintf(pHlp, " LCRST" );
+ if (pThis->cmd & XHCI_CMD_HSEE) pHlp->pfnPrintf(pHlp, " HSEE" );
+ if (pThis->cmd & XHCI_CMD_INTE) pHlp->pfnPrintf(pHlp, " INTE" );
+ if (pThis->cmd & XHCI_CMD_HCRST) pHlp->pfnPrintf(pHlp, " HCRST" );
+ if (pThis->cmd & XHCI_CMD_RS) pHlp->pfnPrintf(pHlp, " RS" );
+ pHlp->pfnPrintf(pHlp, "\n");
+
+ /* Status register. */
+ pHlp->pfnPrintf(pHlp, "USBSTS: %X:", pThis->status);
+ if (pThis->status & XHCI_STATUS_HCH) pHlp->pfnPrintf(pHlp, " HCH" );
+ if (pThis->status & XHCI_STATUS_HSE) pHlp->pfnPrintf(pHlp, " HSE" );
+ if (pThis->status & XHCI_STATUS_EINT) pHlp->pfnPrintf(pHlp, " EINT" );
+ if (pThis->status & XHCI_STATUS_PCD) pHlp->pfnPrintf(pHlp, " PCD" );
+ if (pThis->status & XHCI_STATUS_SSS) pHlp->pfnPrintf(pHlp, " SSS" );
+ if (pThis->status & XHCI_STATUS_RSS) pHlp->pfnPrintf(pHlp, " RSS" );
+ if (pThis->status & XHCI_STATUS_SRE) pHlp->pfnPrintf(pHlp, " SRE" );
+ if (pThis->status & XHCI_STATUS_CNR) pHlp->pfnPrintf(pHlp, " CNR" );
+ if (pThis->status & XHCI_STATUS_HCE) pHlp->pfnPrintf(pHlp, " HCE" );
+ pHlp->pfnPrintf(pHlp, "\n");
+
+ /* Device Notification Control and Configure registers. */
+ pHlp->pfnPrintf(pHlp, "DNCTRL: %X CONFIG: %X (%u slots)\n", pThis->dnctrl, pThis->config, pThis->config);
+
+ /* Device Context Base Address Array. */
+ GPAddr = pThis->dcbaap & XHCI_DCBAA_ADDR_MASK;
+ pHlp->pfnPrintf(pHlp, "DCBAA ptr: %RGp\n", GPAddr);
+ /* The DCBAA must be valid in 'run' state. */
+ if (fVerbose && (pThis->cmd & XHCI_CMD_RS))
+ {
+ PDMDevHlpPCIPhysRead(pDevIns, GPAddr, &u64Val, sizeof(u64Val));
+ pHlp->pfnPrintf(pHlp, " Scratchpad buffer: %RX64\n", u64Val);
+ }
+
+ /* Command Ring Control Register. */
+ pHlp->pfnPrintf(pHlp, "CRCR: %X:", pThis->crcr & ~XHCI_CRCR_ADDR_MASK);
+ if (pThis->crcr & XHCI_CRCR_RCS) pHlp->pfnPrintf(pHlp, " RCS");
+ if (pThis->crcr & XHCI_CRCR_CS) pHlp->pfnPrintf(pHlp, " CS" );
+ if (pThis->crcr & XHCI_CRCR_CA) pHlp->pfnPrintf(pHlp, " CA" );
+ if (pThis->crcr & XHCI_CRCR_CRR) pHlp->pfnPrintf(pHlp, " CRR");
+ pHlp->pfnPrintf(pHlp, "\n");
+ GPAddr = pThis->crcr & XHCI_CRCR_ADDR_MASK;
+ pHlp->pfnPrintf(pHlp, "CRCR ptr : %RGp\n", GPAddr);
+
+ /* Interrupters. */
+ if (fVerbose)
+ {
+ for (i = 0; i < RT_ELEMENTS(pThis->aInterrupters); ++i)
+ {
+ if (pThis->aInterrupters[i].erstsz)
+ {
+ XHCIINTRPTR *ir = &pThis->aInterrupters[i];
+
+ pHlp->pfnPrintf(pHlp, "Interrupter %d (IPE=%u)\n", i, ir->ipe);
+
+ /* The Interrupt Management Register. */
+ pHlp->pfnPrintf(pHlp, " IMAN : %X:", ir->iman);
+ if (ir->iman & XHCI_IMAN_IP) pHlp->pfnPrintf(pHlp, " IP");
+ if (ir->iman & XHCI_IMAN_IE) pHlp->pfnPrintf(pHlp, " IE");
+ pHlp->pfnPrintf(pHlp, "\n");
+
+ /* The Interrupt Moderation Register. */
+ pHlp->pfnPrintf(pHlp, " IMOD : %X:", ir->imod);
+ pHlp->pfnPrintf(pHlp, " IMODI=%u", ir->imod & XHCI_IMOD_IMODI_MASK);
+ pHlp->pfnPrintf(pHlp, " IMODC=%u", (ir->imod & XHCI_IMOD_IMODC_MASK) >> XHCI_IMOD_IMODC_SHIFT);
+ pHlp->pfnPrintf(pHlp, "\n");
+
+ pHlp->pfnPrintf(pHlp, " ERSTSZ: %X\n", ir->erstsz);
+ pHlp->pfnPrintf(pHlp, " ERSTBA: %RGp\n", (RTGCPHYS)ir->erstba);
+
+ pHlp->pfnPrintf(pHlp, " ERDP : %RGp:", (RTGCPHYS)ir->erdp);
+ pHlp->pfnPrintf(pHlp, " EHB=%u", !!(ir->erdp & XHCI_ERDP_EHB));
+ pHlp->pfnPrintf(pHlp, " DESI=%u", ir->erdp & XHCI_ERDP_DESI_MASK);
+ pHlp->pfnPrintf(pHlp, " ptr=%RGp", ir->erdp & XHCI_ERDP_ADDR_MASK);
+ pHlp->pfnPrintf(pHlp, "\n");
+
+ pHlp->pfnPrintf(pHlp, " EREP : %RGp", ir->erep);
+ pHlp->pfnPrintf(pHlp, " Free TRBs in seg=%u", ir->trb_count);
+ pHlp->pfnPrintf(pHlp, "\n");
+ }
+ }
+ }
+
+ /* Port control/status. */
+ for (i = 0; i < XHCI_NDP_CFG(pThis); ++i)
+ {
+ PXHCIHUBPORT p = &pThis->aPorts[i];
+
+ pHlp->pfnPrintf(pHlp, "Port %02u (USB%c): ", IDX_TO_ID(i), IS_USB3_PORT_IDX_SHR(pThis, i) ? '3' : '2');
+
+ /* Port Status register. */
+ pHlp->pfnPrintf(pHlp, "PORTSC: %8X:", p->portsc);
+ if (p->portsc & XHCI_PORT_CCS) pHlp->pfnPrintf(pHlp, " CCS" );
+ if (p->portsc & XHCI_PORT_PED) pHlp->pfnPrintf(pHlp, " PED" );
+ if (p->portsc & XHCI_PORT_OCA) pHlp->pfnPrintf(pHlp, " OCA" );
+ if (p->portsc & XHCI_PORT_PR ) pHlp->pfnPrintf(pHlp, " PR" );
+ pHlp->pfnPrintf(pHlp, " PLS=%u", (p->portsc & XHCI_PORT_PLS_MASK) >> XHCI_PORT_PLS_SHIFT);
+ if (p->portsc & XHCI_PORT_PP ) pHlp->pfnPrintf(pHlp, " PP" );
+ pHlp->pfnPrintf(pHlp, " SPD=%u", (p->portsc & XHCI_PORT_SPD_MASK) >> XHCI_PORT_SPD_SHIFT);
+ if (p->portsc & XHCI_PORT_LWS) pHlp->pfnPrintf(pHlp, " LWS" );
+ if (p->portsc & XHCI_PORT_CSC) pHlp->pfnPrintf(pHlp, " CSC" );
+ if (p->portsc & XHCI_PORT_PEC) pHlp->pfnPrintf(pHlp, " PEC" );
+ if (p->portsc & XHCI_PORT_WRC) pHlp->pfnPrintf(pHlp, " WRC" );
+ if (p->portsc & XHCI_PORT_OCC) pHlp->pfnPrintf(pHlp, " OCC" );
+ if (p->portsc & XHCI_PORT_PRC) pHlp->pfnPrintf(pHlp, " PRC" );
+ if (p->portsc & XHCI_PORT_PLC) pHlp->pfnPrintf(pHlp, " PLC" );
+ if (p->portsc & XHCI_PORT_CEC) pHlp->pfnPrintf(pHlp, " CEC" );
+ if (p->portsc & XHCI_PORT_CAS) pHlp->pfnPrintf(pHlp, " CAS" );
+ if (p->portsc & XHCI_PORT_WCE) pHlp->pfnPrintf(pHlp, " WCE" );
+ if (p->portsc & XHCI_PORT_WDE) pHlp->pfnPrintf(pHlp, " WDE" );
+ if (p->portsc & XHCI_PORT_WOE) pHlp->pfnPrintf(pHlp, " WOE" );
+ if (p->portsc & XHCI_PORT_DR ) pHlp->pfnPrintf(pHlp, " DR" );
+ if (p->portsc & XHCI_PORT_WPR) pHlp->pfnPrintf(pHlp, " WPR" );
+ pHlp->pfnPrintf(pHlp, "\n");
+ }
+
+ /* Device contexts. */
+ if (fVerbose && (pThis->cmd & XHCI_CMD_RS))
+ {
+ for (i = 0; i < XHCI_NDS; ++i)
+ {
+ if (pThis->aSlotState[i] > XHCI_DEVSLOT_EMPTY)
+ {
+ RTGCPHYS GCPhysSlot;
+ XHCI_DEV_CTX ctxDevice;
+ XHCI_SLOT_CTX ctxSlot;
+ const char *pcszDesc;
+ uint8_t uSlotID = IDX_TO_ID(i);
+
+ /* Find the slot address/ */
+ GCPhysSlot = xhciR3FetchDevCtxAddr(pDevIns, pThis, uSlotID);
+ pHlp->pfnPrintf(pHlp, "Slot %d (device context @ %RGp)\n", uSlotID, GCPhysSlot);
+ if (!GCPhysSlot)
+ {
+ pHlp->pfnPrintf(pHlp, "Bad context address, skipping!\n");
+ continue;
+ }
+
+ /* Just read in the whole lot and sort in which contexts are valid later. */
+ PDMDevHlpPCIPhysRead(pDevIns, GCPhysSlot, &ctxDevice, sizeof(ctxDevice));
+
+ ctxSlot = ctxDevice.entry[0].sc;
+ pcszDesc = ctxSlot.slot_state < RT_ELEMENTS(g_apszSltStates) ? g_apszSltStates[ctxSlot.slot_state] : "BAD!!!";
+ pHlp->pfnPrintf(pHlp, " Speed:%u Entries:%u RhPort:%u", ctxSlot.speed, ctxSlot.ctx_ent, ctxSlot.rh_port);
+ pHlp->pfnPrintf(pHlp, " Address:%u State:%s \n", ctxSlot.dev_addr, pcszDesc);
+
+ /* Endpoint contexts. */
+ for (j = 1; j <= ctxSlot.ctx_ent; ++j)
+ {
+ XHCI_EP_CTX ctxEP = ctxDevice.entry[j].ep;
+
+ /* Skip disabled endpoints -- they may be unused and do not
+ * contain valid data in any case.
+ */
+ if (ctxEP.ep_state == XHCI_EPST_DISABLED)
+ continue;
+
+ pcszDesc = ctxEP.ep_state < RT_ELEMENTS(g_apszEpStates) ? g_apszEpStates[ctxEP.ep_state] : "BAD!!!";
+ pHlp->pfnPrintf(pHlp, " Endpoint DCI %u State:%s", j, pcszDesc);
+ pcszDesc = ctxEP.ep_type < RT_ELEMENTS(g_apszEpTypes) ? g_apszEpTypes[ctxEP.ep_type] : "BAD!!!";
+ pHlp->pfnPrintf(pHlp, " Type:%s\n",pcszDesc);
+
+ pHlp->pfnPrintf(pHlp, " Mult:%u MaxPStreams:%u LSA:%u Interval:%u\n",
+ ctxEP.mult, ctxEP.maxps, ctxEP.lsa, ctxEP.interval);
+ pHlp->pfnPrintf(pHlp, " CErr:%u HID:%u MaxPS:%u MaxBS:%u",
+ ctxEP.c_err, ctxEP.hid, ctxEP.max_pkt_sz, ctxEP.max_brs_sz);
+ pHlp->pfnPrintf(pHlp, " AvgTRBLen:%u MaxESIT:%u",
+ ctxEP.avg_trb_len, ctxEP.max_esit);
+ pHlp->pfnPrintf(pHlp, " LastFrm:%u IFC:%u LastCC:%u\n",
+ ctxEP.last_frm, ctxEP.ifc, ctxEP.last_cc);
+ pHlp->pfnPrintf(pHlp, " TRDP:%RGp DCS:%u\n", (RTGCPHYS)(ctxEP.trdp & XHCI_TRDP_ADDR_MASK),
+ ctxEP.trdp & XHCI_TRDP_DCS_MASK);
+ pHlp->pfnPrintf(pHlp, " TREP:%RGp DCS:%u\n", (RTGCPHYS)(ctxEP.trep & XHCI_TRDP_ADDR_MASK),
+ ctxEP.trep & XHCI_TRDP_DCS_MASK);
+ }
+ }
+ }
+ }
+}
+
+
+/**
+ * @interface_method_impl{PDMDEVREG,pfnReset}
+ */
+static DECLCALLBACK(void) xhciR3Reset(PPDMDEVINS pDevIns)
+{
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PXHCICC pThisCC = PDMDEVINS_2_DATA_CC(pDevIns, PXHCICC);
+ LogFlow(("xhciR3Reset:\n"));
+
+ /*
+ * There is no distinction between cold boot, warm reboot and software reboots,
+ * all of these are treated as cold boots. We are also doing the initialization
+ * job of a BIOS or SMM driver.
+ *
+ * Important: Don't confuse UsbReset with hardware reset. Hardware reset is
+ * just one way of getting into the UsbReset state.
+ */
+
+ /* Set the HC Halted bit now to prevent completion callbacks from running
+ *(there is really no point when resetting).
+ */
+ ASMAtomicOrU32(&pThis->status, XHCI_STATUS_HCH);
+
+ xhciR3BusStop(pDevIns, pThis, pThisCC);
+ xhciR3DoReset(pThis, pThisCC, XHCI_USB_RESET, true /* reset devices */);
+}
+
+
+/**
+ * @interface_method_impl{PDMDEVREG,pfnDestruct}
+ */
+static DECLCALLBACK(int) xhciR3Destruct(PPDMDEVINS pDevIns)
+{
+ PDMDEV_CHECK_VERSIONS_RETURN_QUIET(pDevIns);
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PXHCICC pThisCC = PDMDEVINS_2_DATA_CC(pDevIns, PXHCICC);
+ LogFlow(("xhciR3Destruct:\n"));
+
+ /*
+ * Destroy interrupter locks.
+ */
+ for (unsigned i = 0; i < RT_ELEMENTS(pThis->aInterrupters); ++i)
+ {
+ if (PDMDevHlpCritSectIsInitialized(pDevIns, &pThis->aInterrupters[i].lock))
+ PDMDevHlpCritSectDelete(pDevIns, &pThis->aInterrupters[i].lock);
+ }
+
+ /*
+ * Clean up the worker thread and associated machinery.
+ */
+ if (pThis->hEvtProcess != NIL_SUPSEMEVENT)
+ {
+ PDMDevHlpSUPSemEventClose(pDevIns, pThis->hEvtProcess);
+ pThis->hEvtProcess = NIL_SUPSEMEVENT;
+ }
+ if (RTCritSectIsInitialized(&pThisCC->CritSectThrd))
+ RTCritSectDelete(&pThisCC->CritSectThrd);
+
+ return VINF_SUCCESS;
+}
+
+
+/**
+ * Worker for xhciR3Construct that registers a LUN (USB root hub).
+ */
+static int xhciR3RegisterHub(PPDMDEVINS pDevIns, PXHCIROOTHUBR3 pRh, int iLun, const char *pszDesc)
+{
+ int rc = PDMDevHlpDriverAttach(pDevIns, iLun, &pRh->IBase, &pRh->pIBase, pszDesc);
+ AssertMsgRCReturn(rc, ("Configuration error: Failed to attach root hub driver to LUN #%d! (%Rrc)\n", iLun, rc), rc);
+
+ pRh->pIRhConn = PDMIBASE_QUERY_INTERFACE(pRh->pIBase, VUSBIROOTHUBCONNECTOR);
+ AssertMsgReturn(pRh->pIRhConn,
+ ("Configuration error: The driver doesn't provide the VUSBIROOTHUBCONNECTOR interface!\n"),
+ VERR_PDM_MISSING_INTERFACE);
+
+ /* Set URB parameters. */
+ rc = VUSBIRhSetUrbParams(pRh->pIRhConn, sizeof(VUSBURBHCIINT), 0);
+ if (RT_FAILURE(rc))
+ return PDMDevHlpVMSetError(pDevIns, rc, RT_SRC_POS, N_("OHCI: Failed to set URB parameters"));
+
+ return rc;
+}
+
+/**
+ * @interface_method_impl{PDMDEVREG,pfnConstruct,XHCI
+ * constructor}
+ */
+static DECLCALLBACK(int) xhciR3Construct(PPDMDEVINS pDevIns, int iInstance, PCFGMNODE pCfg)
+{
+ PDMDEV_CHECK_VERSIONS_RETURN(pDevIns);
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+ PXHCICC pThisCC = PDMDEVINS_2_DATA_CC(pDevIns, PXHCICC);
+ PCPDMDEVHLPR3 pHlp = pDevIns->pHlpR3;
+ uint32_t cUsb2Ports;
+ uint32_t cUsb3Ports;
+ int rc;
+ LogFlow(("xhciR3Construct:\n"));
+ RT_NOREF(iInstance);
+
+ /*
+ * Initialize data so the destructor runs smoothly.
+ */
+ pThis->hEvtProcess = NIL_SUPSEMEVENT;
+
+ /*
+ * Validate and read configuration.
+ */
+ PDMDEV_VALIDATE_CONFIG_RETURN(pDevIns, "USB2Ports|USB3Ports|ChipType", "");
+
+ /* Number of USB2 ports option. */
+ rc = pHlp->pfnCFGMQueryU32Def(pCfg, "USB2Ports", &cUsb2Ports, XHCI_NDP_20_DEFAULT);
+ if (RT_FAILURE(rc))
+ return PDMDEV_SET_ERROR(pDevIns, rc,
+ N_("xHCI configuration error: failed to read USB2Ports as integer"));
+
+ if (cUsb2Ports == 0 || cUsb2Ports > XHCI_NDP_MAX)
+ return PDMDevHlpVMSetError(pDevIns, VERR_INVALID_PARAMETER, RT_SRC_POS,
+ N_("xHCI configuration error: USB2Ports must be in range [%u,%u]"),
+ 1, XHCI_NDP_MAX);
+
+ /* Number of USB3 ports option. */
+ rc = pHlp->pfnCFGMQueryU32Def(pCfg, "USB3Ports", &cUsb3Ports, XHCI_NDP_30_DEFAULT);
+ if (RT_FAILURE(rc))
+ return PDMDEV_SET_ERROR(pDevIns, rc,
+ N_("xHCI configuration error: failed to read USB3Ports as integer"));
+
+ if (cUsb3Ports == 0 || cUsb3Ports > XHCI_NDP_MAX)
+ return PDMDevHlpVMSetError(pDevIns, VERR_INVALID_PARAMETER, RT_SRC_POS,
+ N_("xHCI configuration error: USB3Ports must be in range [%u,%u]"),
+ 1, XHCI_NDP_MAX);
+
+ /* Check that the total number of ports is within limits.*/
+ if (cUsb2Ports + cUsb3Ports > XHCI_NDP_MAX)
+ return PDMDevHlpVMSetError(pDevIns, VERR_INVALID_PARAMETER, RT_SRC_POS,
+ N_("xHCI configuration error: USB2Ports + USB3Ports must be in range [%u,%u]"),
+ 1, XHCI_NDP_MAX);
+
+ /* Determine the model. */
+ char szChipType[16];
+ rc = pHlp->pfnCFGMQueryStringDef(pCfg, "ChipType", &szChipType[0], sizeof(szChipType), "PantherPoint");
+ if (RT_FAILURE(rc))
+ return PDMDEV_SET_ERROR(pDevIns, VERR_PDM_DEVINS_UNKNOWN_CFG_VALUES,
+ N_("xHCI configuration error: Querying \"ChipType\" as string failed"));
+
+ /*
+ * The default model is Panther Point (8086:1E31), Intel's first and most widely
+ * supported xHCI implementation. For debugging, the Lynx Point (8086:8C31) model
+ * can be selected. These two models work with the 7 Series and 8 Series Intel xHCI
+ * drivers for Windows 7, respectively. There is no functional difference.
+ * For Windows XP support, it's also possible to present a Renesas uPD720201 xHC;
+ * this is an evolution of the original NEC xHCI chip.
+ */
+ bool fChipLynxPoint = false;
+ bool fChipRenesas = false;
+ if (!strcmp(szChipType, "PantherPoint"))
+ fChipLynxPoint = false;
+ else if (!strcmp(szChipType, "LynxPoint"))
+ fChipLynxPoint = true;
+ else if (!strcmp(szChipType, "uPD720201"))
+ fChipRenesas = true;
+ else
+ return PDMDevHlpVMSetError(pDevIns, VERR_PDM_DEVINS_UNKNOWN_CFG_VALUES, RT_SRC_POS,
+ N_("xHCI configuration error: The \"ChipType\" value \"%s\" is unsupported"), szChipType);
+
+ LogFunc(("cUsb2Ports=%u cUsb3Ports=%u szChipType=%s (%d,%d) fR0Enabled=%d fRCEnabled=%d\n", cUsb2Ports, cUsb3Ports,
+ szChipType, fChipLynxPoint, fChipRenesas, pDevIns->fR0Enabled, pDevIns->fRCEnabled));
+
+ /* Set up interrupter locks. */
+ for (unsigned i = 0; i < RT_ELEMENTS(pThis->aInterrupters); ++i)
+ {
+ rc = PDMDevHlpCritSectInit(pDevIns, &pThis->aInterrupters[i].lock, RT_SRC_POS, "xHCIIntr#%u", i);
+ if (RT_FAILURE(rc))
+ return PDMDevHlpVMSetError(pDevIns, rc, RT_SRC_POS,
+ N_("xHCI: Failed to create critical section for interrupter %u"), i);
+ pThis->aInterrupters[i].index = i; /* Stash away index, mostly for logging/debugging. */
+ }
+
+
+ /*
+ * Init instance data.
+ */
+ pThisCC->pDevIns = pDevIns;
+
+ PPDMPCIDEV pPciDev = pDevIns->apPciDevs[0];
+ if (fChipRenesas)
+ {
+ pThis->erst_addr_mask = NEC_ERST_ADDR_MASK;
+ PCIDevSetVendorId(pPciDev, 0x1912);
+ PCIDevSetDeviceId(pPciDev, 0x0014);
+ PCIDevSetByte(pPciDev, VBOX_PCI_REVISION_ID, 0x02);
+ }
+ else
+ {
+ pThis->erst_addr_mask = XHCI_ERST_ADDR_MASK;
+ PCIDevSetVendorId(pPciDev, 0x8086);
+ if (fChipLynxPoint)
+ PCIDevSetDeviceId(pPciDev, 0x8C31); /* Lynx Point / 8 Series */
+ else
+ PCIDevSetDeviceId(pPciDev, 0x1E31); /* Panther Point / 7 Series */
+ }
+
+ PCIDevSetClassProg(pPciDev, 0x30); /* xHCI */
+ PCIDevSetClassSub(pPciDev, 0x03); /* USB 3.0 */
+ PCIDevSetClassBase(pPciDev, 0x0C);
+ PCIDevSetInterruptPin(pPciDev, 0x01);
+#ifdef VBOX_WITH_MSI_DEVICES
+ PCIDevSetStatus(pPciDev, VBOX_PCI_STATUS_CAP_LIST);
+ PCIDevSetCapabilityList(pPciDev, 0x80);
+#endif
+ PDMPciDevSetByte(pPciDev, 0x60, 0x20); /* serial bus release number register; 0x20 = USB 2.0 */
+ /** @todo USBLEGSUP & USBLEGCTLSTS? Legacy interface for the BIOS (0xEECP+0 & 0xEECP+4) */
+
+ pThis->cTotalPorts = (uint8_t)(cUsb2Ports + cUsb3Ports);
+
+ /* Set up the USB2 root hub interface. */
+ pThis->cUsb2Ports = (uint8_t)cUsb2Ports;
+ pThisCC->RootHub2.pXhciR3 = pThisCC;
+ pThisCC->RootHub2.cPortsImpl = cUsb2Ports;
+ pThisCC->RootHub2.uPortBase = 0;
+ pThisCC->RootHub2.IBase.pfnQueryInterface = xhciR3RhQueryInterface;
+ pThisCC->RootHub2.IRhPort.pfnGetAvailablePorts = xhciR3RhGetAvailablePorts;
+ pThisCC->RootHub2.IRhPort.pfnGetUSBVersions = xhciR3RhGetUSBVersions2;
+ pThisCC->RootHub2.IRhPort.pfnAttach = xhciR3RhAttach;
+ pThisCC->RootHub2.IRhPort.pfnDetach = xhciR3RhDetach;
+ pThisCC->RootHub2.IRhPort.pfnReset = xhciR3RhReset;
+ pThisCC->RootHub2.IRhPort.pfnXferCompletion = xhciR3RhXferCompletion;
+ pThisCC->RootHub2.IRhPort.pfnXferError = xhciR3RhXferError;
+
+ /* Now the USB3 root hub interface. */
+ pThis->cUsb3Ports = (uint8_t)cUsb3Ports;
+ pThisCC->RootHub3.pXhciR3 = pThisCC;
+ pThisCC->RootHub3.cPortsImpl = cUsb3Ports;
+ pThisCC->RootHub3.uPortBase = XHCI_NDP_USB2(pThisCC);
+ pThisCC->RootHub3.IBase.pfnQueryInterface = xhciR3RhQueryInterface;
+ pThisCC->RootHub3.IRhPort.pfnGetAvailablePorts = xhciR3RhGetAvailablePorts;
+ pThisCC->RootHub3.IRhPort.pfnGetUSBVersions = xhciR3RhGetUSBVersions3;
+ pThisCC->RootHub3.IRhPort.pfnAttach = xhciR3RhAttach;
+ pThisCC->RootHub3.IRhPort.pfnDetach = xhciR3RhDetach;
+ pThisCC->RootHub3.IRhPort.pfnReset = xhciR3RhReset;
+ pThisCC->RootHub3.IRhPort.pfnXferCompletion = xhciR3RhXferCompletion;
+ pThisCC->RootHub3.IRhPort.pfnXferError = xhciR3RhXferError;
+
+ /* USB LED */
+ pThisCC->RootHub2.Led.u32Magic = PDMLED_MAGIC;
+ pThisCC->RootHub3.Led.u32Magic = PDMLED_MAGIC;
+ pThisCC->IBase.pfnQueryInterface = xhciR3QueryStatusInterface;
+ pThisCC->ILeds.pfnQueryStatusLed = xhciR3QueryStatusLed;
+
+ /* Initialize the capability registers */
+ pThis->cap_length = XHCI_CAPS_REG_SIZE;
+ pThis->hci_version = 0x100; /* Version 1.0 */
+ pThis->hcs_params1 = (XHCI_NDP_CFG(pThis) << 24) | (XHCI_NINTR << 8) | XHCI_NDS;
+ pThis->hcs_params2 = (XHCI_ERSTMAX_LOG2 << 4) | XHCI_IST;
+ pThis->hcs_params3 = (4 << 16) | 1; /* Matches Intel 7 Series xHCI. */
+ /* Note: The Intel 7 Series xHCI does not have port power control (XHCI_HCC_PPC). */
+ pThis->hcc_params = ((XHCI_XECP_OFFSET >> 2) << XHCI_HCC_XECP_SHIFT); /// @todo other fields
+ pThis->dbell_off = XHCI_DOORBELL_OFFSET;
+ pThis->rts_off = XHCI_RTREG_OFFSET;
+
+ /*
+ * Set up extended capabilities.
+ */
+ rc = xhciR3BuildExtCaps(pThis, pThisCC);
+ AssertRCReturn(rc, rc);
+
+ /*
+ * Register PCI device and I/O region.
+ */
+ rc = PDMDevHlpPCIRegister(pDevIns, pPciDev);
+ AssertRCReturn(rc, rc);
+
+#ifdef VBOX_WITH_MSI_DEVICES
+ PDMMSIREG MsiReg;
+ RT_ZERO(MsiReg);
+ MsiReg.cMsiVectors = 1;
+ MsiReg.iMsiCapOffset = XHCI_PCI_MSI_CAP_OFS;
+ MsiReg.iMsiNextOffset = 0x00;
+ rc = PDMDevHlpPCIRegisterMsi(pDevIns, &MsiReg);
+ if (RT_FAILURE (rc))
+ {
+ PCIDevSetCapabilityList(pPciDev, 0x0);
+ /* That's OK, we can work without MSI */
+ }
+#endif
+
+ rc = PDMDevHlpPCIIORegionCreateMmio(pDevIns, 0, XHCI_MMIO_SIZE, PCI_ADDRESS_SPACE_MEM,
+ xhciMmioWrite, xhciMmioRead, NULL,
+ IOMMMIO_FLAGS_READ_DWORD | IOMMMIO_FLAGS_WRITE_DWORD_ZEROED
+ /*| IOMMMIO_FLAGS_DBGSTOP_ON_COMPLICATED_WRITE*/,
+ "USB xHCI", &pThis->hMmio);
+ AssertRCReturn(rc, rc);
+
+ /*
+ * Register the saved state data unit.
+ */
+ rc = PDMDevHlpSSMRegisterEx(pDevIns, XHCI_SAVED_STATE_VERSION, sizeof(*pThis), NULL,
+ NULL, NULL, NULL,
+ NULL, xhciR3SaveExec, NULL,
+ NULL, xhciR3LoadExec, NULL);
+ AssertRCReturn(rc, rc);
+
+ /*
+ * Attach to the VBox USB RootHub Driver on LUN #0 (USB3 root hub).
+ * NB: USB3 must come first so that emulated devices which support both USB2
+ * and USB3 are attached to the USB3 hub.
+ */
+ rc = xhciR3RegisterHub(pDevIns, &pThisCC->RootHub3, 0, "RootHubUSB3");
+ AssertRCReturn(rc, rc);
+
+ /*
+ * Attach to the VBox USB RootHub Driver on LUN #1 (USB2 root hub).
+ */
+ rc = xhciR3RegisterHub(pDevIns, &pThisCC->RootHub2, 1, "RootHubUSB2");
+ AssertRCReturn(rc, rc);
+
+ /*
+ * Attach the status LED (optional).
+ */
+ PPDMIBASE pBase;
+ rc = PDMDevHlpDriverAttach(pDevIns, PDM_STATUS_LUN, &pThisCC->IBase, &pBase, "Status Port");
+ if (RT_SUCCESS(rc))
+ pThisCC->pLedsConnector = PDMIBASE_QUERY_INTERFACE(pBase, PDMILEDCONNECTORS);
+ else if (rc != VERR_PDM_NO_ATTACHED_DRIVER)
+ {
+ AssertMsgFailed(("xHCI: Failed to attach to status driver. rc=%Rrc\n", rc));
+ return PDMDEV_SET_ERROR(pDevIns, rc, N_("xHCI cannot attach to status driver"));
+ }
+
+ /*
+ * Create the MFINDEX wrap event timer.
+ */
+ rc = PDMDevHlpTimerCreate(pDevIns, TMCLOCK_VIRTUAL, xhciR3WrapTimer, pThis,
+ TMTIMER_FLAGS_NO_CRIT_SECT | TMTIMER_FLAGS_RING0, "xHCI MFINDEX Wrap", &pThis->hWrapTimer);
+ AssertRCReturn(rc, rc);
+
+ /*
+ * Set up the worker thread.
+ */
+ rc = PDMDevHlpSUPSemEventCreate(pDevIns, &pThis->hEvtProcess);
+ AssertLogRelRCReturn(rc, rc);
+
+ rc = RTCritSectInit(&pThisCC->CritSectThrd);
+ AssertLogRelRCReturn(rc, rc);
+
+ rc = PDMDevHlpThreadCreate(pDevIns, &pThisCC->pWorkerThread, pThis, xhciR3WorkerLoop, xhciR3WorkerWakeUp,
+ 0, RTTHREADTYPE_IO, "xHCI");
+ AssertLogRelRCReturn(rc, rc);
+
+ /*
+ * Do a hardware reset.
+ */
+ xhciR3DoReset(pThis, pThisCC, XHCI_USB_RESET, false /* don't reset devices */);
+
+# ifdef VBOX_WITH_STATISTICS
+ /*
+ * Register statistics.
+ */
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatErrorIsocUrbs, STAMTYPE_COUNTER, "IsocUrbsErr", STAMUNIT_OCCURENCES, "Isoch URBs completed w/error.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatErrorIsocPkts, STAMTYPE_COUNTER, "IsocPktsErr", STAMUNIT_OCCURENCES, "Isoch packets completed w/error.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatEventsWritten, STAMTYPE_COUNTER, "EventsWritten", STAMUNIT_OCCURENCES, "Event TRBs delivered.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatEventsDropped, STAMTYPE_COUNTER, "EventsDropped", STAMUNIT_OCCURENCES, "Event TRBs dropped (HC stopped).");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatIntrsPending, STAMTYPE_COUNTER, "IntrsPending", STAMUNIT_OCCURENCES, "Requests to set the IP bit.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatIntrsSet, STAMTYPE_COUNTER, "IntrsSet", STAMUNIT_OCCURENCES, "Actual interrupts delivered.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatIntrsNotSet, STAMTYPE_COUNTER, "IntrsNotSet", STAMUNIT_OCCURENCES, "Interrupts not delivered/disabled.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatIntrsCleared, STAMTYPE_COUNTER, "IntrsCleared", STAMUNIT_OCCURENCES, "Interrupts cleared by guest.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatTRBsPerCtlUrb, STAMTYPE_COUNTER, "UrbTrbsCtl", STAMUNIT_COUNT, "TRBs per one control URB.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatTRBsPerDtaUrb, STAMTYPE_COUNTER, "UrbTrbsDta", STAMUNIT_COUNT, "TRBs per one data (bulk/intr) URB.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatTRBsPerIsoUrb, STAMTYPE_COUNTER, "UrbTrbsIso", STAMUNIT_COUNT, "TRBs per one isochronous URB.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatUrbSizeCtrl, STAMTYPE_COUNTER, "UrbSizeCtl", STAMUNIT_COUNT, "Size of a control URB in bytes.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatUrbSizeData, STAMTYPE_COUNTER, "UrbSizeDta", STAMUNIT_COUNT, "Size of a data (bulk/intr) URB in bytes.");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatUrbSizeIsoc, STAMTYPE_COUNTER, "UrbSizeIso", STAMUNIT_COUNT, "Size of an isochronous URB in bytes.");
+
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdCaps, STAMTYPE_COUNTER, "Regs/RdCaps", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdCmdRingCtlHi, STAMTYPE_COUNTER, "Regs/RdCmdRingCtlHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdCmdRingCtlLo, STAMTYPE_COUNTER, "Regs/RdCmdRingCtlLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdConfig, STAMTYPE_COUNTER, "Regs/RdConfig", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdDevCtxBaapHi, STAMTYPE_COUNTER, "Regs/RdDevCtxBaapHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdDevCtxBaapLo, STAMTYPE_COUNTER, "Regs/RdDevCtxBaapLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdDevNotifyCtrl, STAMTYPE_COUNTER, "Regs/RdDevNotifyCtrl", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdDoorBell, STAMTYPE_COUNTER, "Regs/RdDoorBell", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdEvtRingDeqPtrHi, STAMTYPE_COUNTER, "Regs/RdEvtRingDeqPtrHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdEvtRingDeqPtrLo, STAMTYPE_COUNTER, "Regs/RdEvtRingDeqPtrLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdEvtRsTblBaseHi, STAMTYPE_COUNTER, "Regs/RdEvtRsTblBaseHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdEvtRsTblBaseLo, STAMTYPE_COUNTER, "Regs/RdEvtRsTblBaseLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdEvtRstblSize, STAMTYPE_COUNTER, "Regs/RdEvtRstblSize", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdEvtRsvd, STAMTYPE_COUNTER, "Regs/RdEvtRsvd", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdIntrMgmt, STAMTYPE_COUNTER, "Regs/RdIntrMgmt", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdIntrMod, STAMTYPE_COUNTER, "Regs/RdIntrMod", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdMfIndex, STAMTYPE_COUNTER, "Regs/RdMfIndex", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdPageSize, STAMTYPE_COUNTER, "Regs/RdPageSize", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdPortLinkInfo, STAMTYPE_COUNTER, "Regs/RdPortLinkInfo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdPortPowerMgmt, STAMTYPE_COUNTER, "Regs/RdPortPowerMgmt", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdPortRsvd, STAMTYPE_COUNTER, "Regs/RdPortRsvd", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdPortStatusCtrl, STAMTYPE_COUNTER, "Regs/RdPortStatusCtrl", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdUsbCmd, STAMTYPE_COUNTER, "Regs/RdUsbCmd", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdUsbSts, STAMTYPE_COUNTER, "Regs/RdUsbSts", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatRdUnknown, STAMTYPE_COUNTER, "Regs/RdUnknown", STAMUNIT_COUNT, "");
+
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrCmdRingCtlHi, STAMTYPE_COUNTER, "Regs/WrCmdRingCtlHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrCmdRingCtlLo, STAMTYPE_COUNTER, "Regs/WrCmdRingCtlLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrConfig, STAMTYPE_COUNTER, "Regs/WrConfig", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrDevCtxBaapHi, STAMTYPE_COUNTER, "Regs/WrDevCtxBaapHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrDevCtxBaapLo, STAMTYPE_COUNTER, "Regs/WrDevCtxBaapLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrDevNotifyCtrl, STAMTYPE_COUNTER, "Regs/WrDevNotifyCtrl", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrDoorBell0, STAMTYPE_COUNTER, "Regs/WrDoorBell0", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrDoorBellN, STAMTYPE_COUNTER, "Regs/WrDoorBellN", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrEvtRingDeqPtrHi, STAMTYPE_COUNTER, "Regs/WrEvtRingDeqPtrHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrEvtRingDeqPtrLo, STAMTYPE_COUNTER, "Regs/WrEvtRingDeqPtrLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrEvtRsTblBaseHi, STAMTYPE_COUNTER, "Regs/WrEvtRsTblBaseHi", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrEvtRsTblBaseLo, STAMTYPE_COUNTER, "Regs/WrEvtRsTblBaseLo", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrEvtRstblSize, STAMTYPE_COUNTER, "Regs/WrEvtRstblSize", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrIntrMgmt, STAMTYPE_COUNTER, "Regs/WrIntrMgmt", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrIntrMod, STAMTYPE_COUNTER, "Regs/WrIntrMod", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrPortPowerMgmt, STAMTYPE_COUNTER, "Regs/WrPortPowerMgmt", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrPortStatusCtrl, STAMTYPE_COUNTER, "Regs/WrPortStatusCtrl", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrUsbCmd, STAMTYPE_COUNTER, "Regs/WrUsbCmd", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrUsbSts, STAMTYPE_COUNTER, "Regs/WrUsbSts", STAMUNIT_COUNT, "");
+ PDMDevHlpSTAMRegister(pDevIns, &pThis->StatWrUnknown, STAMTYPE_COUNTER, "Regs/WrUnknown", STAMUNIT_COUNT, "");
+# endif /* VBOX_WITH_STATISTICS */
+
+ /*
+ * Register debugger info callbacks.
+ */
+ PDMDevHlpDBGFInfoRegister(pDevIns, "xhci", "xHCI registers.", xhciR3Info);
+
+ return VINF_SUCCESS;
+}
+
+#else /* !IN_RING3 */
+
+/**
+ * @callback_method_impl{PDMDEVREGR0,pfnConstruct}
+ */
+static DECLCALLBACK(int) xhciRZConstruct(PPDMDEVINS pDevIns)
+{
+ PDMDEV_CHECK_VERSIONS_RETURN(pDevIns);
+ PXHCI pThis = PDMDEVINS_2_DATA(pDevIns, PXHCI);
+
+ int rc = PDMDevHlpMmioSetUpContext(pDevIns, pThis->hMmio, xhciMmioWrite, xhciMmioRead, NULL /*pvUser*/);
+ AssertRCReturn(rc, rc);
+
+ return VINF_SUCCESS;
+}
+
+#endif /* !IN_RING3 */
+
+/* Without this, g_DeviceXHCI won't be visible outside this module! */
+extern "C" const PDMDEVREG g_DeviceXHCI;
+
+const PDMDEVREG g_DeviceXHCI =
+{
+ /* .u32version = */ PDM_DEVREG_VERSION,
+ /* .uReserved0 = */ 0,
+ /* .szName = */ "usb-xhci",
+ /* .fFlags = */ PDM_DEVREG_FLAGS_DEFAULT_BITS | PDM_DEVREG_FLAGS_RZ | PDM_DEVREG_FLAGS_NEW_STYLE,
+ /* .fClass = */ PDM_DEVREG_CLASS_BUS_USB,
+ /* .cMaxInstances = */ ~0U,
+ /* .uSharedVersion = */ 42,
+ /* .cbInstanceShared = */ sizeof(XHCI),
+ /* .cbInstanceCC = */ sizeof(XHCICC),
+ /* .cbInstanceRC = */ sizeof(XHCIRC),
+ /* .cMaxPciDevices = */ 1,
+ /* .cMaxMsixVectors = */ 0,
+ /* .pszDescription = */ "xHCI USB controller.\n",
+#if defined(IN_RING3)
+# ifdef VBOX_IN_EXTPACK
+ /* .pszRCMod = */ "VBoxEhciRC.rc",
+ /* .pszR0Mod = */ "VBoxEhciR0.r0",
+# else
+ /* .pszRCMod = */ "VBoxDDRC.rc",
+ /* .pszR0Mod = */ "VBoxDDR0.r0",
+# endif
+ /* .pfnConstruct = */ xhciR3Construct,
+ /* .pfnDestruct = */ xhciR3Destruct,
+ /* .pfnRelocate = */ NULL,
+ /* .pfnMemSetup = */ NULL,
+ /* .pfnPowerOn = */ NULL,
+ /* .pfnReset = */ xhciR3Reset,
+ /* .pfnSuspend = */ NULL,
+ /* .pfnResume = */ NULL,
+ /* .pfnAttach = */ NULL,
+ /* .pfnDetach = */ NULL,
+ /* .pfnQueryInterface = */ NULL,
+ /* .pfnInitComplete = */ NULL,
+ /* .pfnPowerOff = */ NULL,
+ /* .pfnSoftReset = */ NULL,
+ /* .pfnReserved0 = */ NULL,
+ /* .pfnReserved1 = */ NULL,
+ /* .pfnReserved2 = */ NULL,
+ /* .pfnReserved3 = */ NULL,
+ /* .pfnReserved4 = */ NULL,
+ /* .pfnReserved5 = */ NULL,
+ /* .pfnReserved6 = */ NULL,
+ /* .pfnReserved7 = */ NULL,
+#elif defined(IN_RING0)
+ /* .pfnEarlyConstruct = */ NULL,
+ /* .pfnConstruct = */ xhciRZConstruct,
+ /* .pfnDestruct = */ NULL,
+ /* .pfnFinalDestruct = */ NULL,
+ /* .pfnRequest = */ NULL,
+ /* .pfnReserved0 = */ NULL,
+ /* .pfnReserved1 = */ NULL,
+ /* .pfnReserved2 = */ NULL,
+ /* .pfnReserved3 = */ NULL,
+ /* .pfnReserved4 = */ NULL,
+ /* .pfnReserved5 = */ NULL,
+ /* .pfnReserved6 = */ NULL,
+ /* .pfnReserved7 = */ NULL,
+#elif defined(IN_RC)
+ /* .pfnConstruct = */ xhciRZConstruct,
+ /* .pfnReserved0 = */ NULL,
+ /* .pfnReserved1 = */ NULL,
+ /* .pfnReserved2 = */ NULL,
+ /* .pfnReserved3 = */ NULL,
+ /* .pfnReserved4 = */ NULL,
+ /* .pfnReserved5 = */ NULL,
+ /* .pfnReserved6 = */ NULL,
+ /* .pfnReserved7 = */ NULL,
+#else
+# error "Not in IN_RING3, IN_RING0 or IN_RC!"
+#endif
+ /* .u32VersionEnd = */ PDM_DEVREG_VERSION
+};
+
+#endif /* !VBOX_DEVICE_STRUCT_TESTCASE */