• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * USB HOST XHCI Controller stack
4  *
5  * Based on xHCI host controller driver in linux-kernel
6  * by Sarah Sharp.
7  *
8  * Copyright (C) 2008 Intel Corp.
9  * Author: Sarah Sharp
10  *
11  * Copyright (C) 2013 Samsung Electronics Co.Ltd
12  * Authors: Vivek Gautam <gautam.vivek@samsung.com>
13  *	    Vikas Sajjan <vikas.sajjan@samsung.com>
14  */
15 
16 #include <common.h>
17 #include <cpu_func.h>
18 #include <asm/byteorder.h>
19 #include <usb.h>
20 #include <asm/unaligned.h>
21 #include <linux/errno.h>
22 
23 #include <usb/xhci.h>
24 
25 /**
26  * Is this TRB a link TRB or was the last TRB the last TRB in this event ring
27  * segment?  I.e. would the updated event TRB pointer step off the end of the
28  * event seg ?
29  *
30  * @param ctrl	Host controller data structure
31  * @param ring	pointer to the ring
32  * @param seg	poniter to the segment to which TRB belongs
33  * @param trb	poniter to the ring trb
34  * @return 1 if this TRB a link TRB else 0
35  */
last_trb(struct xhci_ctrl * ctrl,struct xhci_ring * ring,struct xhci_segment * seg,union xhci_trb * trb)36 static int last_trb(struct xhci_ctrl *ctrl, struct xhci_ring *ring,
37 			struct xhci_segment *seg, union xhci_trb *trb)
38 {
39 	if (ring == ctrl->event_ring)
40 		return trb == &seg->trbs[TRBS_PER_SEGMENT];
41 	else
42 		return TRB_TYPE_LINK_LE32(trb->link.control);
43 }
44 
45 /**
46  * Does this link TRB point to the first segment in a ring,
47  * or was the previous TRB the last TRB on the last segment in the ERST?
48  *
49  * @param ctrl	Host controller data structure
50  * @param ring	pointer to the ring
51  * @param seg	poniter to the segment to which TRB belongs
52  * @param trb	poniter to the ring trb
53  * @return 1 if this TRB is the last TRB on the last segment else 0
54  */
last_trb_on_last_seg(struct xhci_ctrl * ctrl,struct xhci_ring * ring,struct xhci_segment * seg,union xhci_trb * trb)55 static bool last_trb_on_last_seg(struct xhci_ctrl *ctrl,
56 				 struct xhci_ring *ring,
57 				 struct xhci_segment *seg,
58 				 union xhci_trb *trb)
59 {
60 	if (ring == ctrl->event_ring)
61 		return ((trb == &seg->trbs[TRBS_PER_SEGMENT]) &&
62 			(seg->next == ring->first_seg));
63 	else
64 		return le32_to_cpu(trb->link.control) & LINK_TOGGLE;
65 }
66 
67 /**
68  * See Cycle bit rules. SW is the consumer for the event ring only.
69  * Don't make a ring full of link TRBs.  That would be dumb and this would loop.
70  *
71  * If we've just enqueued a TRB that is in the middle of a TD (meaning the
72  * chain bit is set), then set the chain bit in all the following link TRBs.
73  * If we've enqueued the last TRB in a TD, make sure the following link TRBs
74  * have their chain bit cleared (so that each Link TRB is a separate TD).
75  *
76  * Section 6.4.4.1 of the 0.95 spec says link TRBs cannot have the chain bit
77  * set, but other sections talk about dealing with the chain bit set.  This was
78  * fixed in the 0.96 specification errata, but we have to assume that all 0.95
79  * xHCI hardware can't handle the chain bit being cleared on a link TRB.
80  *
81  * @param ctrl	Host controller data structure
82  * @param ring	pointer to the ring
83  * @param more_trbs_coming	flag to indicate whether more trbs
84  *				are expected or NOT.
85  *				Will you enqueue more TRBs before calling
86  *				prepare_ring()?
87  * @return none
88  */
inc_enq(struct xhci_ctrl * ctrl,struct xhci_ring * ring,bool more_trbs_coming)89 static void inc_enq(struct xhci_ctrl *ctrl, struct xhci_ring *ring,
90 						bool more_trbs_coming)
91 {
92 	u32 chain;
93 	union xhci_trb *next;
94 
95 	chain = le32_to_cpu(ring->enqueue->generic.field[3]) & TRB_CHAIN;
96 	next = ++(ring->enqueue);
97 
98 	/*
99 	 * Update the dequeue pointer further if that was a link TRB or we're at
100 	 * the end of an event ring segment (which doesn't have link TRBS)
101 	 */
102 	while (last_trb(ctrl, ring, ring->enq_seg, next)) {
103 		if (ring != ctrl->event_ring) {
104 			/*
105 			 * If the caller doesn't plan on enqueueing more
106 			 * TDs before ringing the doorbell, then we
107 			 * don't want to give the link TRB to the
108 			 * hardware just yet.  We'll give the link TRB
109 			 * back in prepare_ring() just before we enqueue
110 			 * the TD at the top of the ring.
111 			 */
112 			if (!chain && !more_trbs_coming)
113 				break;
114 
115 			/*
116 			 * If we're not dealing with 0.95 hardware or
117 			 * isoc rings on AMD 0.96 host,
118 			 * carry over the chain bit of the previous TRB
119 			 * (which may mean the chain bit is cleared).
120 			 */
121 			next->link.control &= cpu_to_le32(~TRB_CHAIN);
122 			next->link.control |= cpu_to_le32(chain);
123 
124 			next->link.control ^= cpu_to_le32(TRB_CYCLE);
125 			xhci_flush_cache((uintptr_t)next,
126 					 sizeof(union xhci_trb));
127 		}
128 		/* Toggle the cycle bit after the last ring segment. */
129 		if (last_trb_on_last_seg(ctrl, ring,
130 					ring->enq_seg, next))
131 			ring->cycle_state = (ring->cycle_state ? 0 : 1);
132 
133 		ring->enq_seg = ring->enq_seg->next;
134 		ring->enqueue = ring->enq_seg->trbs;
135 		next = ring->enqueue;
136 	}
137 }
138 
139 /**
140  * See Cycle bit rules. SW is the consumer for the event ring only.
141  * Don't make a ring full of link TRBs.  That would be dumb and this would loop.
142  *
143  * @param ctrl	Host controller data structure
144  * @param ring	Ring whose Dequeue TRB pointer needs to be incremented.
145  * return none
146  */
inc_deq(struct xhci_ctrl * ctrl,struct xhci_ring * ring)147 static void inc_deq(struct xhci_ctrl *ctrl, struct xhci_ring *ring)
148 {
149 	do {
150 		/*
151 		 * Update the dequeue pointer further if that was a link TRB or
152 		 * we're at the end of an event ring segment (which doesn't have
153 		 * link TRBS)
154 		 */
155 		if (last_trb(ctrl, ring, ring->deq_seg, ring->dequeue)) {
156 			if (ring == ctrl->event_ring &&
157 					last_trb_on_last_seg(ctrl, ring,
158 						ring->deq_seg, ring->dequeue)) {
159 				ring->cycle_state = (ring->cycle_state ? 0 : 1);
160 			}
161 			ring->deq_seg = ring->deq_seg->next;
162 			ring->dequeue = ring->deq_seg->trbs;
163 		} else {
164 			ring->dequeue++;
165 		}
166 	} while (last_trb(ctrl, ring, ring->deq_seg, ring->dequeue));
167 }
168 
169 /**
170  * Generic function for queueing a TRB on a ring.
171  * The caller must have checked to make sure there's room on the ring.
172  *
173  * @param	more_trbs_coming:   Will you enqueue more TRBs before calling
174  *				prepare_ring()?
175  * @param ctrl	Host controller data structure
176  * @param ring	pointer to the ring
177  * @param more_trbs_coming	flag to indicate whether more trbs
178  * @param trb_fields	pointer to trb field array containing TRB contents
179  * @return pointer to the enqueued trb
180  */
queue_trb(struct xhci_ctrl * ctrl,struct xhci_ring * ring,bool more_trbs_coming,unsigned int * trb_fields)181 static struct xhci_generic_trb *queue_trb(struct xhci_ctrl *ctrl,
182 					  struct xhci_ring *ring,
183 					  bool more_trbs_coming,
184 					  unsigned int *trb_fields)
185 {
186 	struct xhci_generic_trb *trb;
187 	int i;
188 
189 	trb = &ring->enqueue->generic;
190 
191 	for (i = 0; i < 4; i++)
192 		trb->field[i] = cpu_to_le32(trb_fields[i]);
193 
194 	xhci_flush_cache((uintptr_t)trb, sizeof(struct xhci_generic_trb));
195 
196 	inc_enq(ctrl, ring, more_trbs_coming);
197 
198 	return trb;
199 }
200 
201 /**
202  * Does various checks on the endpoint ring, and makes it ready
203  * to queue num_trbs.
204  *
205  * @param ctrl		Host controller data structure
206  * @param ep_ring	pointer to the EP Transfer Ring
207  * @param ep_state	State of the End Point
208  * @return error code in case of invalid ep_state, 0 on success
209  */
prepare_ring(struct xhci_ctrl * ctrl,struct xhci_ring * ep_ring,u32 ep_state)210 static int prepare_ring(struct xhci_ctrl *ctrl, struct xhci_ring *ep_ring,
211 							u32 ep_state)
212 {
213 	union xhci_trb *next = ep_ring->enqueue;
214 
215 	/* Make sure the endpoint has been added to xHC schedule */
216 	switch (ep_state) {
217 	case EP_STATE_DISABLED:
218 		/*
219 		 * USB core changed config/interfaces without notifying us,
220 		 * or hardware is reporting the wrong state.
221 		 */
222 		puts("WARN urb submitted to disabled ep\n");
223 		return -ENOENT;
224 	case EP_STATE_ERROR:
225 		puts("WARN waiting for error on ep to be cleared\n");
226 		return -EINVAL;
227 	case EP_STATE_HALTED:
228 		puts("WARN halted endpoint, queueing URB anyway.\n");
229 	case EP_STATE_STOPPED:
230 	case EP_STATE_RUNNING:
231 		debug("EP STATE RUNNING.\n");
232 		break;
233 	default:
234 		puts("ERROR unknown endpoint state for ep\n");
235 		return -EINVAL;
236 	}
237 
238 	while (last_trb(ctrl, ep_ring, ep_ring->enq_seg, next)) {
239 		/*
240 		 * If we're not dealing with 0.95 hardware or isoc rings
241 		 * on AMD 0.96 host, clear the chain bit.
242 		 */
243 		next->link.control &= cpu_to_le32(~TRB_CHAIN);
244 
245 		next->link.control ^= cpu_to_le32(TRB_CYCLE);
246 
247 		xhci_flush_cache((uintptr_t)next, sizeof(union xhci_trb));
248 
249 		/* Toggle the cycle bit after the last ring segment. */
250 		if (last_trb_on_last_seg(ctrl, ep_ring,
251 					ep_ring->enq_seg, next))
252 			ep_ring->cycle_state = (ep_ring->cycle_state ? 0 : 1);
253 		ep_ring->enq_seg = ep_ring->enq_seg->next;
254 		ep_ring->enqueue = ep_ring->enq_seg->trbs;
255 		next = ep_ring->enqueue;
256 	}
257 
258 	return 0;
259 }
260 
261 /**
262  * Generic function for queueing a command TRB on the command ring.
263  * Check to make sure there's room on the command ring for one command TRB.
264  *
265  * @param ctrl		Host controller data structure
266  * @param ptr		Pointer address to write in the first two fields (opt.)
267  * @param slot_id	Slot ID to encode in the flags field (opt.)
268  * @param ep_index	Endpoint index to encode in the flags field (opt.)
269  * @param cmd		Command type to enqueue
270  * @return none
271  */
xhci_queue_command(struct xhci_ctrl * ctrl,u8 * ptr,u32 slot_id,u32 ep_index,trb_type cmd)272 void xhci_queue_command(struct xhci_ctrl *ctrl, u8 *ptr, u32 slot_id,
273 			u32 ep_index, trb_type cmd)
274 {
275 	u32 fields[4];
276 	u64 val_64 = (uintptr_t)ptr;
277 
278 	BUG_ON(prepare_ring(ctrl, ctrl->cmd_ring, EP_STATE_RUNNING));
279 
280 	fields[0] = lower_32_bits(val_64);
281 	fields[1] = upper_32_bits(val_64);
282 	fields[2] = 0;
283 	fields[3] = TRB_TYPE(cmd) | SLOT_ID_FOR_TRB(slot_id) |
284 		    ctrl->cmd_ring->cycle_state;
285 
286 	/*
287 	 * Only 'reset endpoint', 'stop endpoint' and 'set TR dequeue pointer'
288 	 * commands need endpoint id encoded.
289 	 */
290 	if (cmd >= TRB_RESET_EP && cmd <= TRB_SET_DEQ)
291 		fields[3] |= EP_ID_FOR_TRB(ep_index);
292 
293 	queue_trb(ctrl, ctrl->cmd_ring, false, fields);
294 
295 	/* Ring the command ring doorbell */
296 	xhci_writel(&ctrl->dba->doorbell[0], DB_VALUE_HOST);
297 }
298 
299 /**
300  * The TD size is the number of bytes remaining in the TD (including this TRB),
301  * right shifted by 10.
302  * It must fit in bits 21:17, so it can't be bigger than 31.
303  *
304  * @param remainder	remaining packets to be sent
305  * @return remainder if remainder is less than max else max
306  */
xhci_td_remainder(unsigned int remainder)307 static u32 xhci_td_remainder(unsigned int remainder)
308 {
309 	u32 max = (1 << (21 - 17 + 1)) - 1;
310 
311 	if ((remainder >> 10) >= max)
312 		return max << 17;
313 	else
314 		return (remainder >> 10) << 17;
315 }
316 
317 /**
318  * Finds out the remanining packets to be sent
319  *
320  * @param running_total	total size sent so far
321  * @param trb_buff_len	length of the TRB Buffer
322  * @param total_packet_count	total packet count
323  * @param maxpacketsize		max packet size of current pipe
324  * @param num_trbs_left		number of TRBs left to be processed
325  * @return 0 if running_total or trb_buff_len is 0, else remainder
326  */
xhci_v1_0_td_remainder(int running_total,int trb_buff_len,unsigned int total_packet_count,int maxpacketsize,unsigned int num_trbs_left)327 static u32 xhci_v1_0_td_remainder(int running_total,
328 				int trb_buff_len,
329 				unsigned int total_packet_count,
330 				int maxpacketsize,
331 				unsigned int num_trbs_left)
332 {
333 	int packets_transferred;
334 
335 	/* One TRB with a zero-length data packet. */
336 	if (num_trbs_left == 0 || (running_total == 0 && trb_buff_len == 0))
337 		return 0;
338 
339 	/*
340 	 * All the TRB queueing functions don't count the current TRB in
341 	 * running_total.
342 	 */
343 	packets_transferred = (running_total + trb_buff_len) / maxpacketsize;
344 
345 	if ((total_packet_count - packets_transferred) > 31)
346 		return 31 << 17;
347 	return (total_packet_count - packets_transferred) << 17;
348 }
349 
350 /**
351  * Ring the doorbell of the End Point
352  *
353  * @param udev		pointer to the USB device structure
354  * @param ep_index	index of the endpoint
355  * @param start_cycle	cycle flag of the first TRB
356  * @param start_trb	pionter to the first TRB
357  * @return none
358  */
giveback_first_trb(struct usb_device * udev,int ep_index,int start_cycle,struct xhci_generic_trb * start_trb)359 static void giveback_first_trb(struct usb_device *udev, int ep_index,
360 				int start_cycle,
361 				struct xhci_generic_trb *start_trb)
362 {
363 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
364 
365 	/*
366 	 * Pass all the TRBs to the hardware at once and make sure this write
367 	 * isn't reordered.
368 	 */
369 	if (start_cycle)
370 		start_trb->field[3] |= cpu_to_le32(start_cycle);
371 	else
372 		start_trb->field[3] &= cpu_to_le32(~TRB_CYCLE);
373 
374 	xhci_flush_cache((uintptr_t)start_trb, sizeof(struct xhci_generic_trb));
375 
376 	/* Ringing EP doorbell here */
377 	xhci_writel(&ctrl->dba->doorbell[udev->slot_id],
378 				DB_VALUE(ep_index, 0));
379 
380 	return;
381 }
382 
383 /**** POLLING mechanism for XHCI ****/
384 
385 /**
386  * Finalizes a handled event TRB by advancing our dequeue pointer and giving
387  * the TRB back to the hardware for recycling. Must call this exactly once at
388  * the end of each event handler, and not touch the TRB again afterwards.
389  *
390  * @param ctrl	Host controller data structure
391  * @return none
392  */
xhci_acknowledge_event(struct xhci_ctrl * ctrl)393 void xhci_acknowledge_event(struct xhci_ctrl *ctrl)
394 {
395 	/* Advance our dequeue pointer to the next event */
396 	inc_deq(ctrl, ctrl->event_ring);
397 
398 	/* Inform the hardware */
399 	xhci_writeq(&ctrl->ir_set->erst_dequeue,
400 		(uintptr_t)ctrl->event_ring->dequeue | ERST_EHB);
401 }
402 
403 /**
404  * Checks if there is a new event to handle on the event ring.
405  *
406  * @param ctrl	Host controller data structure
407  * @return 0 if failure else 1 on success
408  */
event_ready(struct xhci_ctrl * ctrl)409 static int event_ready(struct xhci_ctrl *ctrl)
410 {
411 	union xhci_trb *event;
412 
413 	xhci_inval_cache((uintptr_t)ctrl->event_ring->dequeue,
414 			 sizeof(union xhci_trb));
415 
416 	event = ctrl->event_ring->dequeue;
417 
418 	/* Does the HC or OS own the TRB? */
419 	if ((le32_to_cpu(event->event_cmd.flags) & TRB_CYCLE) !=
420 		ctrl->event_ring->cycle_state)
421 		return 0;
422 
423 	return 1;
424 }
425 
426 /**
427  * Waits for a specific type of event and returns it. Discards unexpected
428  * events. Caller *must* call xhci_acknowledge_event() after it is finished
429  * processing the event, and must not access the returned pointer afterwards.
430  *
431  * @param ctrl		Host controller data structure
432  * @param expected	TRB type expected from Event TRB
433  * @return pointer to event trb
434  */
xhci_wait_for_event(struct xhci_ctrl * ctrl,trb_type expected)435 union xhci_trb *xhci_wait_for_event(struct xhci_ctrl *ctrl, trb_type expected)
436 {
437 	trb_type type;
438 	unsigned long ts = get_timer(0);
439 
440 	do {
441 		union xhci_trb *event = ctrl->event_ring->dequeue;
442 
443 		if (!event_ready(ctrl))
444 			continue;
445 
446 		type = TRB_FIELD_TO_TYPE(le32_to_cpu(event->event_cmd.flags));
447 		if (type == expected)
448 			return event;
449 
450 		if (type == TRB_PORT_STATUS)
451 		/* TODO: remove this once enumeration has been reworked */
452 			/*
453 			 * Port status change events always have a
454 			 * successful completion code
455 			 */
456 			BUG_ON(GET_COMP_CODE(
457 				le32_to_cpu(event->generic.field[2])) !=
458 								COMP_SUCCESS);
459 		else
460 			printf("Unexpected XHCI event TRB, skipping... "
461 				"(%08x %08x %08x %08x)\n",
462 				le32_to_cpu(event->generic.field[0]),
463 				le32_to_cpu(event->generic.field[1]),
464 				le32_to_cpu(event->generic.field[2]),
465 				le32_to_cpu(event->generic.field[3]));
466 
467 		xhci_acknowledge_event(ctrl);
468 	} while (get_timer(ts) < XHCI_TIMEOUT);
469 
470 	if (expected == TRB_TRANSFER)
471 		return NULL;
472 
473 	printf("XHCI timeout on event type %d... cannot recover.\n", expected);
474 	BUG();
475 }
476 
477 /*
478  * Stops transfer processing for an endpoint and throws away all unprocessed
479  * TRBs by setting the xHC's dequeue pointer to our enqueue pointer. The next
480  * xhci_bulk_tx/xhci_ctrl_tx on this enpoint will add new transfers there and
481  * ring the doorbell, causing this endpoint to start working again.
482  * (Careful: This will BUG() when there was no transfer in progress. Shouldn't
483  * happen in practice for current uses and is too complicated to fix right now.)
484  */
abort_td(struct usb_device * udev,int ep_index)485 static void abort_td(struct usb_device *udev, int ep_index)
486 {
487 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
488 	struct xhci_ring *ring =  ctrl->devs[udev->slot_id]->eps[ep_index].ring;
489 	union xhci_trb *event;
490 	u32 field;
491 
492 	xhci_queue_command(ctrl, NULL, udev->slot_id, ep_index, TRB_STOP_RING);
493 
494 	event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
495 	field = le32_to_cpu(event->trans_event.flags);
496 	BUG_ON(TRB_TO_SLOT_ID(field) != udev->slot_id);
497 	BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
498 	BUG_ON(GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len
499 		!= COMP_STOP)));
500 	xhci_acknowledge_event(ctrl);
501 
502 	event = xhci_wait_for_event(ctrl, TRB_COMPLETION);
503 	BUG_ON(TRB_TO_SLOT_ID(le32_to_cpu(event->event_cmd.flags))
504 		!= udev->slot_id || GET_COMP_CODE(le32_to_cpu(
505 		event->event_cmd.status)) != COMP_SUCCESS);
506 	xhci_acknowledge_event(ctrl);
507 
508 	xhci_queue_command(ctrl, (void *)((uintptr_t)ring->enqueue |
509 		ring->cycle_state), udev->slot_id, ep_index, TRB_SET_DEQ);
510 	event = xhci_wait_for_event(ctrl, TRB_COMPLETION);
511 	BUG_ON(TRB_TO_SLOT_ID(le32_to_cpu(event->event_cmd.flags))
512 		!= udev->slot_id || GET_COMP_CODE(le32_to_cpu(
513 		event->event_cmd.status)) != COMP_SUCCESS);
514 	xhci_acknowledge_event(ctrl);
515 }
516 
record_transfer_result(struct usb_device * udev,union xhci_trb * event,int length)517 static void record_transfer_result(struct usb_device *udev,
518 				   union xhci_trb *event, int length)
519 {
520 	udev->act_len = min(length, length -
521 		(int)EVENT_TRB_LEN(le32_to_cpu(event->trans_event.transfer_len)));
522 
523 	switch (GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len))) {
524 	case COMP_SUCCESS:
525 		BUG_ON(udev->act_len != length);
526 		/* fallthrough */
527 	case COMP_SHORT_TX:
528 		udev->status = 0;
529 		break;
530 	case COMP_STALL:
531 		udev->status = USB_ST_STALLED;
532 		break;
533 	case COMP_DB_ERR:
534 	case COMP_TRB_ERR:
535 		udev->status = USB_ST_BUF_ERR;
536 		break;
537 	case COMP_BABBLE:
538 		udev->status = USB_ST_BABBLE_DET;
539 		break;
540 	default:
541 		udev->status = 0x80;  /* USB_ST_TOO_LAZY_TO_MAKE_A_NEW_MACRO */
542 	}
543 }
544 
545 /**** Bulk and Control transfer methods ****/
546 /**
547  * Queues up the BULK Request
548  *
549  * @param udev		pointer to the USB device structure
550  * @param pipe		contains the DIR_IN or OUT , devnum
551  * @param length	length of the buffer
552  * @param buffer	buffer to be read/written based on the request
553  * @return returns 0 if successful else -1 on failure
554  */
xhci_bulk_tx(struct usb_device * udev,unsigned long pipe,int length,void * buffer)555 int xhci_bulk_tx(struct usb_device *udev, unsigned long pipe,
556 			int length, void *buffer)
557 {
558 	int num_trbs = 0;
559 	struct xhci_generic_trb *start_trb;
560 	bool first_trb = false;
561 	int start_cycle;
562 	u32 field = 0;
563 	u32 length_field = 0;
564 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
565 	int slot_id = udev->slot_id;
566 	int ep_index;
567 	struct xhci_virt_device *virt_dev;
568 	struct xhci_ep_ctx *ep_ctx;
569 	struct xhci_ring *ring;		/* EP transfer ring */
570 	union xhci_trb *event;
571 
572 	int running_total, trb_buff_len;
573 	unsigned int total_packet_count;
574 	int maxpacketsize;
575 	u64 addr;
576 	int ret;
577 	u32 trb_fields[4];
578 	u64 val_64 = (uintptr_t)buffer;
579 
580 	debug("dev=%p, pipe=%lx, buffer=%p, length=%d\n",
581 		udev, pipe, buffer, length);
582 
583 	ep_index = usb_pipe_ep_index(pipe);
584 	virt_dev = ctrl->devs[slot_id];
585 
586 	xhci_inval_cache((uintptr_t)virt_dev->out_ctx->bytes,
587 			 virt_dev->out_ctx->size);
588 
589 	ep_ctx = xhci_get_ep_ctx(ctrl, virt_dev->out_ctx, ep_index);
590 
591 	ring = virt_dev->eps[ep_index].ring;
592 	/*
593 	 * How much data is (potentially) left before the 64KB boundary?
594 	 * XHCI Spec puts restriction( TABLE 49 and 6.4.1 section of XHCI Spec)
595 	 * that the buffer should not span 64KB boundary. if so
596 	 * we send request in more than 1 TRB by chaining them.
597 	 */
598 	running_total = TRB_MAX_BUFF_SIZE -
599 			(lower_32_bits(val_64) & (TRB_MAX_BUFF_SIZE - 1));
600 	trb_buff_len = running_total;
601 	running_total &= TRB_MAX_BUFF_SIZE - 1;
602 
603 	/*
604 	 * If there's some data on this 64KB chunk, or we have to send a
605 	 * zero-length transfer, we need at least one TRB
606 	 */
607 	if (running_total != 0 || length == 0)
608 		num_trbs++;
609 
610 	/* How many more 64KB chunks to transfer, how many more TRBs? */
611 	while (running_total < length) {
612 		num_trbs++;
613 		running_total += TRB_MAX_BUFF_SIZE;
614 	}
615 
616 	/*
617 	 * XXX: Calling routine prepare_ring() called in place of
618 	 * prepare_trasfer() as there in 'Linux' since we are not
619 	 * maintaining multiple TDs/transfer at the same time.
620 	 */
621 	ret = prepare_ring(ctrl, ring,
622 			   le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK);
623 	if (ret < 0)
624 		return ret;
625 
626 	/*
627 	 * Don't give the first TRB to the hardware (by toggling the cycle bit)
628 	 * until we've finished creating all the other TRBs.  The ring's cycle
629 	 * state may change as we enqueue the other TRBs, so save it too.
630 	 */
631 	start_trb = &ring->enqueue->generic;
632 	start_cycle = ring->cycle_state;
633 
634 	running_total = 0;
635 	maxpacketsize = usb_maxpacket(udev, pipe);
636 
637 	total_packet_count = DIV_ROUND_UP(length, maxpacketsize);
638 
639 	/* How much data is in the first TRB? */
640 	/*
641 	 * How much data is (potentially) left before the 64KB boundary?
642 	 * XHCI Spec puts restriction( TABLE 49 and 6.4.1 section of XHCI Spec)
643 	 * that the buffer should not span 64KB boundary. if so
644 	 * we send request in more than 1 TRB by chaining them.
645 	 */
646 	addr = val_64;
647 
648 	if (trb_buff_len > length)
649 		trb_buff_len = length;
650 
651 	first_trb = true;
652 
653 	/* flush the buffer before use */
654 	xhci_flush_cache((uintptr_t)buffer, length);
655 
656 	/* Queue the first TRB, even if it's zero-length */
657 	do {
658 		u32 remainder = 0;
659 		field = 0;
660 		/* Don't change the cycle bit of the first TRB until later */
661 		if (first_trb) {
662 			first_trb = false;
663 			if (start_cycle == 0)
664 				field |= TRB_CYCLE;
665 		} else {
666 			field |= ring->cycle_state;
667 		}
668 
669 		/*
670 		 * Chain all the TRBs together; clear the chain bit in the last
671 		 * TRB to indicate it's the last TRB in the chain.
672 		 */
673 		if (num_trbs > 1)
674 			field |= TRB_CHAIN;
675 		else
676 			field |= TRB_IOC;
677 
678 		/* Only set interrupt on short packet for IN endpoints */
679 		if (usb_pipein(pipe))
680 			field |= TRB_ISP;
681 
682 		/* Set the TRB length, TD size, and interrupter fields. */
683 		if (HC_VERSION(xhci_readl(&ctrl->hccr->cr_capbase)) < 0x100)
684 			remainder = xhci_td_remainder(length - running_total);
685 		else
686 			remainder = xhci_v1_0_td_remainder(running_total,
687 							   trb_buff_len,
688 							   total_packet_count,
689 							   maxpacketsize,
690 							   num_trbs - 1);
691 
692 		length_field = ((trb_buff_len & TRB_LEN_MASK) |
693 				remainder |
694 				((0 & TRB_INTR_TARGET_MASK) <<
695 				TRB_INTR_TARGET_SHIFT));
696 
697 		trb_fields[0] = lower_32_bits(addr);
698 		trb_fields[1] = upper_32_bits(addr);
699 		trb_fields[2] = length_field;
700 		trb_fields[3] = field | (TRB_NORMAL << TRB_TYPE_SHIFT);
701 
702 		queue_trb(ctrl, ring, (num_trbs > 1), trb_fields);
703 
704 		--num_trbs;
705 
706 		running_total += trb_buff_len;
707 
708 		/* Calculate length for next transfer */
709 		addr += trb_buff_len;
710 		trb_buff_len = min((length - running_total), TRB_MAX_BUFF_SIZE);
711 	} while (running_total < length);
712 
713 	giveback_first_trb(udev, ep_index, start_cycle, start_trb);
714 
715 	event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
716 	if (!event) {
717 		debug("XHCI bulk transfer timed out, aborting...\n");
718 		abort_td(udev, ep_index);
719 		udev->status = USB_ST_NAK_REC;  /* closest thing to a timeout */
720 		udev->act_len = 0;
721 		return -ETIMEDOUT;
722 	}
723 	field = le32_to_cpu(event->trans_event.flags);
724 
725 	BUG_ON(TRB_TO_SLOT_ID(field) != slot_id);
726 	BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
727 	BUG_ON(*(void **)(uintptr_t)le64_to_cpu(event->trans_event.buffer) -
728 		buffer > (size_t)length);
729 
730 	record_transfer_result(udev, event, length);
731 	xhci_acknowledge_event(ctrl);
732 	xhci_inval_cache((uintptr_t)buffer, length);
733 
734 	return (udev->status != USB_ST_NOT_PROC) ? 0 : -1;
735 }
736 
737 /**
738  * Queues up the Control Transfer Request
739  *
740  * @param udev	pointer to the USB device structure
741  * @param pipe		contains the DIR_IN or OUT , devnum
742  * @param req		request type
743  * @param length	length of the buffer
744  * @param buffer	buffer to be read/written based on the request
745  * @return returns 0 if successful else error code on failure
746  */
xhci_ctrl_tx(struct usb_device * udev,unsigned long pipe,struct devrequest * req,int length,void * buffer)747 int xhci_ctrl_tx(struct usb_device *udev, unsigned long pipe,
748 			struct devrequest *req,	int length,
749 			void *buffer)
750 {
751 	int ret;
752 	int start_cycle;
753 	int num_trbs;
754 	u32 field;
755 	u32 length_field;
756 	u64 buf_64 = 0;
757 	struct xhci_generic_trb *start_trb;
758 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
759 	int slot_id = udev->slot_id;
760 	int ep_index;
761 	u32 trb_fields[4];
762 	struct xhci_virt_device *virt_dev = ctrl->devs[slot_id];
763 	struct xhci_ring *ep_ring;
764 	union xhci_trb *event;
765 
766 	debug("req=%u (%#x), type=%u (%#x), value=%u (%#x), index=%u\n",
767 		req->request, req->request,
768 		req->requesttype, req->requesttype,
769 		le16_to_cpu(req->value), le16_to_cpu(req->value),
770 		le16_to_cpu(req->index));
771 
772 	ep_index = usb_pipe_ep_index(pipe);
773 
774 	ep_ring = virt_dev->eps[ep_index].ring;
775 
776 	/*
777 	 * Check to see if the max packet size for the default control
778 	 * endpoint changed during FS device enumeration
779 	 */
780 	if (udev->speed == USB_SPEED_FULL) {
781 		ret = xhci_check_maxpacket(udev);
782 		if (ret < 0)
783 			return ret;
784 	}
785 
786 	xhci_inval_cache((uintptr_t)virt_dev->out_ctx->bytes,
787 			 virt_dev->out_ctx->size);
788 
789 	struct xhci_ep_ctx *ep_ctx = NULL;
790 	ep_ctx = xhci_get_ep_ctx(ctrl, virt_dev->out_ctx, ep_index);
791 
792 	/* 1 TRB for setup, 1 for status */
793 	num_trbs = 2;
794 	/*
795 	 * Don't need to check if we need additional event data and normal TRBs,
796 	 * since data in control transfers will never get bigger than 16MB
797 	 * XXX: can we get a buffer that crosses 64KB boundaries?
798 	 */
799 
800 	if (length > 0)
801 		num_trbs++;
802 	/*
803 	 * XXX: Calling routine prepare_ring() called in place of
804 	 * prepare_trasfer() as there in 'Linux' since we are not
805 	 * maintaining multiple TDs/transfer at the same time.
806 	 */
807 	ret = prepare_ring(ctrl, ep_ring,
808 				le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK);
809 
810 	if (ret < 0)
811 		return ret;
812 
813 	/*
814 	 * Don't give the first TRB to the hardware (by toggling the cycle bit)
815 	 * until we've finished creating all the other TRBs.  The ring's cycle
816 	 * state may change as we enqueue the other TRBs, so save it too.
817 	 */
818 	start_trb = &ep_ring->enqueue->generic;
819 	start_cycle = ep_ring->cycle_state;
820 
821 	debug("start_trb %p, start_cycle %d\n", start_trb, start_cycle);
822 
823 	/* Queue setup TRB - see section 6.4.1.2.1 */
824 	/* FIXME better way to translate setup_packet into two u32 fields? */
825 	field = 0;
826 	field |= TRB_IDT | (TRB_SETUP << TRB_TYPE_SHIFT);
827 	if (start_cycle == 0)
828 		field |= 0x1;
829 
830 	/* xHCI 1.0 6.4.1.2.1: Transfer Type field */
831 	if (HC_VERSION(xhci_readl(&ctrl->hccr->cr_capbase)) >= 0x100) {
832 		if (length > 0) {
833 			if (req->requesttype & USB_DIR_IN)
834 				field |= (TRB_DATA_IN << TRB_TX_TYPE_SHIFT);
835 			else
836 				field |= (TRB_DATA_OUT << TRB_TX_TYPE_SHIFT);
837 		}
838 	}
839 
840 	debug("req->requesttype = %d, req->request = %d,"
841 		"le16_to_cpu(req->value) = %d,"
842 		"le16_to_cpu(req->index) = %d,"
843 		"le16_to_cpu(req->length) = %d\n",
844 		req->requesttype, req->request, le16_to_cpu(req->value),
845 		le16_to_cpu(req->index), le16_to_cpu(req->length));
846 
847 	trb_fields[0] = req->requesttype | req->request << 8 |
848 				le16_to_cpu(req->value) << 16;
849 	trb_fields[1] = le16_to_cpu(req->index) |
850 			le16_to_cpu(req->length) << 16;
851 	/* TRB_LEN | (TRB_INTR_TARGET) */
852 	trb_fields[2] = (8 | ((0 & TRB_INTR_TARGET_MASK) <<
853 			TRB_INTR_TARGET_SHIFT));
854 	/* Immediate data in pointer */
855 	trb_fields[3] = field;
856 	queue_trb(ctrl, ep_ring, true, trb_fields);
857 
858 	/* Re-initializing field to zero */
859 	field = 0;
860 	/* If there's data, queue data TRBs */
861 	/* Only set interrupt on short packet for IN endpoints */
862 	if (usb_pipein(pipe))
863 		field = TRB_ISP | (TRB_DATA << TRB_TYPE_SHIFT);
864 	else
865 		field = (TRB_DATA << TRB_TYPE_SHIFT);
866 
867 	length_field = (length & TRB_LEN_MASK) | xhci_td_remainder(length) |
868 			((0 & TRB_INTR_TARGET_MASK) << TRB_INTR_TARGET_SHIFT);
869 	debug("length_field = %d, length = %d,"
870 		"xhci_td_remainder(length) = %d , TRB_INTR_TARGET(0) = %d\n",
871 		length_field, (length & TRB_LEN_MASK),
872 		xhci_td_remainder(length), 0);
873 
874 	if (length > 0) {
875 		if (req->requesttype & USB_DIR_IN)
876 			field |= TRB_DIR_IN;
877 		buf_64 = (uintptr_t)buffer;
878 
879 		trb_fields[0] = lower_32_bits(buf_64);
880 		trb_fields[1] = upper_32_bits(buf_64);
881 		trb_fields[2] = length_field;
882 		trb_fields[3] = field | ep_ring->cycle_state;
883 
884 		xhci_flush_cache((uintptr_t)buffer, length);
885 		queue_trb(ctrl, ep_ring, true, trb_fields);
886 	}
887 
888 	/*
889 	 * Queue status TRB -
890 	 * see Table 7 and sections 4.11.2.2 and 6.4.1.2.3
891 	 */
892 
893 	/* If the device sent data, the status stage is an OUT transfer */
894 	field = 0;
895 	if (length > 0 && req->requesttype & USB_DIR_IN)
896 		field = 0;
897 	else
898 		field = TRB_DIR_IN;
899 
900 	trb_fields[0] = 0;
901 	trb_fields[1] = 0;
902 	trb_fields[2] = ((0 & TRB_INTR_TARGET_MASK) << TRB_INTR_TARGET_SHIFT);
903 		/* Event on completion */
904 	trb_fields[3] = field | TRB_IOC |
905 			(TRB_STATUS << TRB_TYPE_SHIFT) |
906 			ep_ring->cycle_state;
907 
908 	queue_trb(ctrl, ep_ring, false, trb_fields);
909 
910 	giveback_first_trb(udev, ep_index, start_cycle, start_trb);
911 
912 	event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
913 	if (!event)
914 		goto abort;
915 	field = le32_to_cpu(event->trans_event.flags);
916 
917 	BUG_ON(TRB_TO_SLOT_ID(field) != slot_id);
918 	BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
919 
920 	record_transfer_result(udev, event, length);
921 	xhci_acknowledge_event(ctrl);
922 
923 	/* Invalidate buffer to make it available to usb-core */
924 	if (length > 0)
925 		xhci_inval_cache((uintptr_t)buffer, length);
926 
927 	if (GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len))
928 			== COMP_SHORT_TX) {
929 		/* Short data stage, clear up additional status stage event */
930 		event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
931 		if (!event)
932 			goto abort;
933 		BUG_ON(TRB_TO_SLOT_ID(field) != slot_id);
934 		BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
935 		xhci_acknowledge_event(ctrl);
936 	}
937 
938 	return (udev->status != USB_ST_NOT_PROC) ? 0 : -1;
939 
940 abort:
941 	debug("XHCI control transfer timed out, aborting...\n");
942 	abort_td(udev, ep_index);
943 	udev->status = USB_ST_NAK_REC;
944 	udev->act_len = 0;
945 	return -ETIMEDOUT;
946 }
947