search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
USB: xhci: Handle short control packets correctly.
[linux-2.6/btrfs-unstable.git] / drivers / usb / host / xhci-ring.c
blob5dd3b1fd71c01673d8776f6e97b8d46dd660ac28
1 /*
2 * xHCI host controller driver
3 *
4 * Copyright (C) 2008 Intel Corp.
5 *
6 * Author: Sarah Sharp
7 * Some code borrowed from the Linux EHCI driver.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software Foundation,
20 * Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 /*
24 * Ring initialization rules:
25 * 1. Each segment is initialized to zero, except for link TRBs.
26 * 2. Ring cycle state = 0. This represents Producer Cycle State (PCS) or
27 * Consumer Cycle State (CCS), depending on ring function.
28 * 3. Enqueue pointer = dequeue pointer = address of first TRB in the segment.
29 *
30 * Ring behavior rules:
31 * 1. A ring is empty if enqueue == dequeue. This means there will always be at
32 * least one free TRB in the ring. This is useful if you want to turn that
33 * into a link TRB and expand the ring.
34 * 2. When incrementing an enqueue or dequeue pointer, if the next TRB is a
35 * link TRB, then load the pointer with the address in the link TRB. If the
36 * link TRB had its toggle bit set, you may need to update the ring cycle
37 * state (see cycle bit rules). You may have to do this multiple times
38 * until you reach a non-link TRB.
39 * 3. A ring is full if enqueue++ (for the definition of increment above)
40 * equals the dequeue pointer.
41 *
42 * Cycle bit rules:
43 * 1. When a consumer increments a dequeue pointer and encounters a toggle bit
44 * in a link TRB, it must toggle the ring cycle state.
45 * 2. When a producer increments an enqueue pointer and encounters a toggle bit
46 * in a link TRB, it must toggle the ring cycle state.
47 *
48 * Producer rules:
49 * 1. Check if ring is full before you enqueue.
50 * 2. Write the ring cycle state to the cycle bit in the TRB you're enqueuing.
51 * Update enqueue pointer between each write (which may update the ring
52 * cycle state).
53 * 3. Notify consumer. If SW is producer, it rings the doorbell for command
54 * and endpoint rings. If HC is the producer for the event ring,
55 * and it generates an interrupt according to interrupt modulation rules.
56 *
57 * Consumer rules:
58 * 1. Check if TRB belongs to you. If the cycle bit == your ring cycle state,
59 * the TRB is owned by the consumer.
60 * 2. Update dequeue pointer (which may update the ring cycle state) and
61 * continue processing TRBs until you reach a TRB which is not owned by you.
62 * 3. Notify the producer. SW is the consumer for the event ring, and it
63 * updates event ring dequeue pointer. HC is the consumer for the command and
64 * endpoint rings; it generates events on the event ring for these.
65 */
66
67 #include <linux/scatterlist.h>
68 #include "xhci.h"
69
70 /*
71 * Returns zero if the TRB isn't in this segment, otherwise it returns the DMA
72 * address of the TRB.
73 */
74 dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg,
75 union xhci_trb *trb)
76 {
77 unsigned long segment_offset;
78
79 if (!seg || !trb || trb < seg->trbs)
80 return 0;
81 /* offset in TRBs */
82 segment_offset = trb - seg->trbs;
83 if (segment_offset > TRBS_PER_SEGMENT)
84 return 0;
85 return seg->dma + (segment_offset * sizeof(*trb));
86 }
87
88 /* Does this link TRB point to the first segment in a ring,
89 * or was the previous TRB the last TRB on the last segment in the ERST?
90 */
91 static inline bool last_trb_on_last_seg(struct xhci_hcd *xhci, struct xhci_ring *ring,
92 struct xhci_segment *seg, union xhci_trb *trb)
93 {
94 if (ring == xhci->event_ring)
95 return (trb == &seg->trbs[TRBS_PER_SEGMENT]) &&
96 (seg->next == xhci->event_ring->first_seg);
97 else
98 return trb->link.control & LINK_TOGGLE;
99 }
100
101 /* Is this TRB a link TRB or was the last TRB the last TRB in this event ring
102 * segment? I.e. would the updated event TRB pointer step off the end of the
103 * event seg?
104 */
105 static inline int last_trb(struct xhci_hcd *xhci, struct xhci_ring *ring,
106 struct xhci_segment *seg, union xhci_trb *trb)
107 {
108 if (ring == xhci->event_ring)
109 return trb == &seg->trbs[TRBS_PER_SEGMENT];
110 else
111 return (trb->link.control & TRB_TYPE_BITMASK) == TRB_TYPE(TRB_LINK);
112 }
113
114 /* Updates trb to point to the next TRB in the ring, and updates seg if the next
115 * TRB is in a new segment. This does not skip over link TRBs, and it does not
116 * effect the ring dequeue or enqueue pointers.
117 */
118 static void next_trb(struct xhci_hcd *xhci,
119 struct xhci_ring *ring,
120 struct xhci_segment **seg,
121 union xhci_trb **trb)
122 {
123 if (last_trb(xhci, ring, *seg, *trb)) {
124 *seg = (*seg)->next;
125 *trb = ((*seg)->trbs);
126 } else {
127 *trb = (*trb)++;
128 }
129 }
130
131 /*
132 * See Cycle bit rules. SW is the consumer for the event ring only.
133 * Don't make a ring full of link TRBs. That would be dumb and this would loop.
134 */
135 static void inc_deq(struct xhci_hcd *xhci, struct xhci_ring *ring, bool consumer)
136 {
137 union xhci_trb *next = ++(ring->dequeue);
138
139 ring->deq_updates++;
140 /* Update the dequeue pointer further if that was a link TRB or we're at
141 * the end of an event ring segment (which doesn't have link TRBS)
142 */
143 while (last_trb(xhci, ring, ring->deq_seg, next)) {
144 if (consumer && last_trb_on_last_seg(xhci, ring, ring->deq_seg, next)) {
145 ring->cycle_state = (ring->cycle_state ? 0 : 1);
146 if (!in_interrupt())
147 xhci_dbg(xhci, "Toggle cycle state for ring %p = %i\n",
148 ring,
149 (unsigned int) ring->cycle_state);
150 }
151 ring->deq_seg = ring->deq_seg->next;
152 ring->dequeue = ring->deq_seg->trbs;
153 next = ring->dequeue;
154 }
155 }
156
157 /*
158 * See Cycle bit rules. SW is the consumer for the event ring only.
159 * Don't make a ring full of link TRBs. That would be dumb and this would loop.
160 *
161 * If we've just enqueued a TRB that is in the middle of a TD (meaning the
162 * chain bit is set), then set the chain bit in all the following link TRBs.
163 * If we've enqueued the last TRB in a TD, make sure the following link TRBs
164 * have their chain bit cleared (so that each Link TRB is a separate TD).
165 *
166 * Section 6.4.4.1 of the 0.95 spec says link TRBs cannot have the chain bit
167 * set, but other sections talk about dealing with the chain bit set.
168 * Assume section 6.4.4.1 is wrong, and the chain bit can be set in a Link TRB.
169 */
170 static void inc_enq(struct xhci_hcd *xhci, struct xhci_ring *ring, bool consumer)
171 {
172 u32 chain;
173 union xhci_trb *next;
174
175 chain = ring->enqueue->generic.field[3] & TRB_CHAIN;
176 next = ++(ring->enqueue);
177
178 ring->enq_updates++;
179 /* Update the dequeue pointer further if that was a link TRB or we're at
180 * the end of an event ring segment (which doesn't have link TRBS)
181 */
182 while (last_trb(xhci, ring, ring->enq_seg, next)) {
183 if (!consumer) {
184 if (ring != xhci->event_ring) {
185 next->link.control &= ~TRB_CHAIN;
186 next->link.control |= chain;
187 /* Give this link TRB to the hardware */
188 wmb();
189 if (next->link.control & TRB_CYCLE)
190 next->link.control &= (u32) ~TRB_CYCLE;
191 else
192 next->link.control |= (u32) TRB_CYCLE;
193 }
194 /* Toggle the cycle bit after the last ring segment. */
195 if (last_trb_on_last_seg(xhci, ring, ring->enq_seg, next)) {
196 ring->cycle_state = (ring->cycle_state ? 0 : 1);
197 if (!in_interrupt())
198 xhci_dbg(xhci, "Toggle cycle state for ring %p = %i\n",
199 ring,
200 (unsigned int) ring->cycle_state);
201 }
202 }
203 ring->enq_seg = ring->enq_seg->next;
204 ring->enqueue = ring->enq_seg->trbs;
205 next = ring->enqueue;
206 }
207 }
208
209 /*
210 * Check to see if there's room to enqueue num_trbs on the ring. See rules
211 * above.
212 * FIXME: this would be simpler and faster if we just kept track of the number
213 * of free TRBs in a ring.
214 */
215 static int room_on_ring(struct xhci_hcd *xhci, struct xhci_ring *ring,
216 unsigned int num_trbs)
217 {
218 int i;
219 union xhci_trb *enq = ring->enqueue;
220 struct xhci_segment *enq_seg = ring->enq_seg;
221
222 /* Check if ring is empty */
223 if (enq == ring->dequeue)
224 return 1;
225 /* Make sure there's an extra empty TRB available */
226 for (i = 0; i <= num_trbs; ++i) {
227 if (enq == ring->dequeue)
228 return 0;
229 enq++;
230 while (last_trb(xhci, ring, enq_seg, enq)) {
231 enq_seg = enq_seg->next;
232 enq = enq_seg->trbs;
233 }
234 }
235 return 1;
236 }
237
238 void xhci_set_hc_event_deq(struct xhci_hcd *xhci)
239 {
240 u64 temp;
241 dma_addr_t deq;
242
243 deq = xhci_trb_virt_to_dma(xhci->event_ring->deq_seg,
244 xhci->event_ring->dequeue);
245 if (deq == 0 && !in_interrupt())
246 xhci_warn(xhci, "WARN something wrong with SW event ring "
247 "dequeue ptr.\n");
248 /* Update HC event ring dequeue pointer */
249 temp = xhci_read_64(xhci, &xhci->ir_set->erst_dequeue);
250 temp &= ERST_PTR_MASK;
251 if (!in_interrupt())
252 xhci_dbg(xhci, "// Write event ring dequeue pointer\n");
253 xhci_write_64(xhci, ((u64) deq & (u64) ~ERST_PTR_MASK) | temp,
254 &xhci->ir_set->erst_dequeue);
255 }
256
257 /* Ring the host controller doorbell after placing a command on the ring */
258 void xhci_ring_cmd_db(struct xhci_hcd *xhci)
259 {
260 u32 temp;
261
262 xhci_dbg(xhci, "// Ding dong!\n");
263 temp = xhci_readl(xhci, &xhci->dba->doorbell[0]) & DB_MASK;
264 xhci_writel(xhci, temp | DB_TARGET_HOST, &xhci->dba->doorbell[0]);
265 /* Flush PCI posted writes */
266 xhci_readl(xhci, &xhci->dba->doorbell[0]);
267 }
268
269 static void ring_ep_doorbell(struct xhci_hcd *xhci,
270 unsigned int slot_id,
271 unsigned int ep_index)
272 {
273 struct xhci_ring *ep_ring;
274 u32 field;
275 __u32 __iomem *db_addr = &xhci->dba->doorbell[slot_id];
276
277 ep_ring = xhci->devs[slot_id]->ep_rings[ep_index];
278 /* Don't ring the doorbell for this endpoint if there are pending
279 * cancellations because the we don't want to interrupt processing.
280 */
281 if (!ep_ring->cancels_pending && !(ep_ring->state & SET_DEQ_PENDING)
282 && !(ep_ring->state & EP_HALTED)) {
283 field = xhci_readl(xhci, db_addr) & DB_MASK;
284 xhci_writel(xhci, field | EPI_TO_DB(ep_index), db_addr);
285 /* Flush PCI posted writes - FIXME Matthew Wilcox says this
286 * isn't time-critical and we shouldn't make the CPU wait for
287 * the flush.
288 */
289 xhci_readl(xhci, db_addr);
290 }
291 }
292
293 /*
294 * Find the segment that trb is in. Start searching in start_seg.
295 * If we must move past a segment that has a link TRB with a toggle cycle state
296 * bit set, then we will toggle the value pointed at by cycle_state.
297 */
298 static struct xhci_segment *find_trb_seg(
299 struct xhci_segment *start_seg,
300 union xhci_trb *trb, int *cycle_state)
301 {
302 struct xhci_segment *cur_seg = start_seg;
303 struct xhci_generic_trb *generic_trb;
304
305 while (cur_seg->trbs > trb ||
306 &cur_seg->trbs[TRBS_PER_SEGMENT - 1] < trb) {
307 generic_trb = &cur_seg->trbs[TRBS_PER_SEGMENT - 1].generic;
308 if (TRB_TYPE(generic_trb->field[3]) == TRB_LINK &&
309 (generic_trb->field[3] & LINK_TOGGLE))
310 *cycle_state = ~(*cycle_state) & 0x1;
311 cur_seg = cur_seg->next;
312 if (cur_seg == start_seg)
313 /* Looped over the entire list. Oops! */
314 return 0;
315 }
316 return cur_seg;
317 }
318
319 struct dequeue_state {
320 struct xhci_segment *new_deq_seg;
321 union xhci_trb *new_deq_ptr;
322 int new_cycle_state;
323 };
324
325 /*
326 * Move the xHC's endpoint ring dequeue pointer past cur_td.
327 * Record the new state of the xHC's endpoint ring dequeue segment,
328 * dequeue pointer, and new consumer cycle state in state.
329 * Update our internal representation of the ring's dequeue pointer.
330 *
331 * We do this in three jumps:
332 * - First we update our new ring state to be the same as when the xHC stopped.
333 * - Then we traverse the ring to find the segment that contains
334 * the last TRB in the TD. We toggle the xHC's new cycle state when we pass
335 * any link TRBs with the toggle cycle bit set.
336 * - Finally we move the dequeue state one TRB further, toggling the cycle bit
337 * if we've moved it past a link TRB with the toggle cycle bit set.
338 */
339 static void find_new_dequeue_state(struct xhci_hcd *xhci,
340 unsigned int slot_id, unsigned int ep_index,
341 struct xhci_td *cur_td, struct dequeue_state *state)
342 {
343 struct xhci_virt_device *dev = xhci->devs[slot_id];
344 struct xhci_ring *ep_ring = dev->ep_rings[ep_index];
345 struct xhci_generic_trb *trb;
346
347 state->new_cycle_state = 0;
348 state->new_deq_seg = find_trb_seg(cur_td->start_seg,
349 ep_ring->stopped_trb,
350 &state->new_cycle_state);
351 if (!state->new_deq_seg)
352 BUG();
353 /* Dig out the cycle state saved by the xHC during the stop ep cmd */
354 state->new_cycle_state = 0x1 & dev->out_ctx->ep[ep_index].deq;
355
356 state->new_deq_ptr = cur_td->last_trb;
357 state->new_deq_seg = find_trb_seg(state->new_deq_seg,
358 state->new_deq_ptr,
359 &state->new_cycle_state);
360 if (!state->new_deq_seg)
361 BUG();
362
363 trb = &state->new_deq_ptr->generic;
364 if (TRB_TYPE(trb->field[3]) == TRB_LINK &&
365 (trb->field[3] & LINK_TOGGLE))
366 state->new_cycle_state = ~(state->new_cycle_state) & 0x1;
367 next_trb(xhci, ep_ring, &state->new_deq_seg, &state->new_deq_ptr);
368
369 /* Don't update the ring cycle state for the producer (us). */
370 ep_ring->dequeue = state->new_deq_ptr;
371 ep_ring->deq_seg = state->new_deq_seg;
372 }
373
374 static void td_to_noop(struct xhci_hcd *xhci, struct xhci_ring *ep_ring,
375 struct xhci_td *cur_td)
376 {
377 struct xhci_segment *cur_seg;
378 union xhci_trb *cur_trb;
379
380 for (cur_seg = cur_td->start_seg, cur_trb = cur_td->first_trb;
381 true;
382 next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) {
383 if ((cur_trb->generic.field[3] & TRB_TYPE_BITMASK) ==
384 TRB_TYPE(TRB_LINK)) {
385 /* Unchain any chained Link TRBs, but
386 * leave the pointers intact.
387 */
388 cur_trb->generic.field[3] &= ~TRB_CHAIN;
389 xhci_dbg(xhci, "Cancel (unchain) link TRB\n");
390 xhci_dbg(xhci, "Address = %p (0x%llx dma); "
391 "in seg %p (0x%llx dma)\n",
392 cur_trb,
393 (unsigned long long)xhci_trb_virt_to_dma(cur_seg, cur_trb),
394 cur_seg,
395 (unsigned long long)cur_seg->dma);
396 } else {
397 cur_trb->generic.field[0] = 0;
398 cur_trb->generic.field[1] = 0;
399 cur_trb->generic.field[2] = 0;
400 /* Preserve only the cycle bit of this TRB */
401 cur_trb->generic.field[3] &= TRB_CYCLE;
402 cur_trb->generic.field[3] |= TRB_TYPE(TRB_TR_NOOP);
403 xhci_dbg(xhci, "Cancel TRB %p (0x%llx dma) "
404 "in seg %p (0x%llx dma)\n",
405 cur_trb,
406 (unsigned long long)xhci_trb_virt_to_dma(cur_seg, cur_trb),
407 cur_seg,
408 (unsigned long long)cur_seg->dma);
409 }
410 if (cur_trb == cur_td->last_trb)
411 break;
412 }
413 }
414
415 static int queue_set_tr_deq(struct xhci_hcd *xhci, int slot_id,
416 unsigned int ep_index, struct xhci_segment *deq_seg,
417 union xhci_trb *deq_ptr, u32 cycle_state);
418
419 /*
420 * When we get a command completion for a Stop Endpoint Command, we need to
421 * unlink any cancelled TDs from the ring. There are two ways to do that:
422 *
423 * 1. If the HW was in the middle of processing the TD that needs to be
424 * cancelled, then we must move the ring's dequeue pointer past the last TRB
425 * in the TD with a Set Dequeue Pointer Command.
426 * 2. Otherwise, we turn all the TRBs in the TD into No-op TRBs (with the chain
427 * bit cleared) so that the HW will skip over them.
428 */
429 static void handle_stopped_endpoint(struct xhci_hcd *xhci,
430 union xhci_trb *trb)
431 {
432 unsigned int slot_id;
433 unsigned int ep_index;
434 struct xhci_ring *ep_ring;
435 struct list_head *entry;
436 struct xhci_td *cur_td = 0;
437 struct xhci_td *last_unlinked_td;
438
439 struct dequeue_state deq_state;
440 #ifdef CONFIG_USB_HCD_STAT
441 ktime_t stop_time = ktime_get();
442 #endif
443
444 memset(&deq_state, 0, sizeof(deq_state));
445 slot_id = TRB_TO_SLOT_ID(trb->generic.field[3]);
446 ep_index = TRB_TO_EP_INDEX(trb->generic.field[3]);
447 ep_ring = xhci->devs[slot_id]->ep_rings[ep_index];
448
449 if (list_empty(&ep_ring->cancelled_td_list))
450 return;
451
452 /* Fix up the ep ring first, so HW stops executing cancelled TDs.
453 * We have the xHCI lock, so nothing can modify this list until we drop
454 * it. We're also in the event handler, so we can't get re-interrupted
455 * if another Stop Endpoint command completes
456 */
457 list_for_each(entry, &ep_ring->cancelled_td_list) {
458 cur_td = list_entry(entry, struct xhci_td, cancelled_td_list);
459 xhci_dbg(xhci, "Cancelling TD starting at %p, 0x%llx (dma).\n",
460 cur_td->first_trb,
461 (unsigned long long)xhci_trb_virt_to_dma(cur_td->start_seg, cur_td->first_trb));
462 /*
463 * If we stopped on the TD we need to cancel, then we have to
464 * move the xHC endpoint ring dequeue pointer past this TD.
465 */
466 if (cur_td == ep_ring->stopped_td)
467 find_new_dequeue_state(xhci, slot_id, ep_index, cur_td,
468 &deq_state);
469 else
470 td_to_noop(xhci, ep_ring, cur_td);
471 /*
472 * The event handler won't see a completion for this TD anymore,
473 * so remove it from the endpoint ring's TD list. Keep it in
474 * the cancelled TD list for URB completion later.
475 */
476 list_del(&cur_td->td_list);
477 ep_ring->cancels_pending--;
478 }
479 last_unlinked_td = cur_td;
480
481 /* If necessary, queue a Set Transfer Ring Dequeue Pointer command */
482 if (deq_state.new_deq_ptr && deq_state.new_deq_seg) {
483 xhci_dbg(xhci, "Set TR Deq Ptr cmd, new deq seg = %p (0x%llx dma), "
484 "new deq ptr = %p (0x%llx dma), new cycle = %u\n",
485 deq_state.new_deq_seg,
486 (unsigned long long)deq_state.new_deq_seg->dma,
487 deq_state.new_deq_ptr,
488 (unsigned long long)xhci_trb_virt_to_dma(deq_state.new_deq_seg, deq_state.new_deq_ptr),
489 deq_state.new_cycle_state);
490 queue_set_tr_deq(xhci, slot_id, ep_index,
491 deq_state.new_deq_seg,
492 deq_state.new_deq_ptr,
493 (u32) deq_state.new_cycle_state);
494 /* Stop the TD queueing code from ringing the doorbell until
495 * this command completes. The HC won't set the dequeue pointer
496 * if the ring is running, and ringing the doorbell starts the
497 * ring running.
498 */
499 ep_ring->state |= SET_DEQ_PENDING;
500 xhci_ring_cmd_db(xhci);
501 } else {
502 /* Otherwise just ring the doorbell to restart the ring */
503 ring_ep_doorbell(xhci, slot_id, ep_index);
504 }
505
506 /*
507 * Drop the lock and complete the URBs in the cancelled TD list.
508 * New TDs to be cancelled might be added to the end of the list before
509 * we can complete all the URBs for the TDs we already unlinked.
510 * So stop when we've completed the URB for the last TD we unlinked.
511 */
512 do {
513 cur_td = list_entry(ep_ring->cancelled_td_list.next,
514 struct xhci_td, cancelled_td_list);
515 list_del(&cur_td->cancelled_td_list);
516
517 /* Clean up the cancelled URB */
518 #ifdef CONFIG_USB_HCD_STAT
519 hcd_stat_update(xhci->tp_stat, cur_td->urb->actual_length,
520 ktime_sub(stop_time, cur_td->start_time));
521 #endif
522 cur_td->urb->hcpriv = NULL;
523 usb_hcd_unlink_urb_from_ep(xhci_to_hcd(xhci), cur_td->urb);
524
525 xhci_dbg(xhci, "Giveback cancelled URB %p\n", cur_td->urb);
526 spin_unlock(&xhci->lock);
527 /* Doesn't matter what we pass for status, since the core will
528 * just overwrite it (because the URB has been unlinked).
529 */
530 usb_hcd_giveback_urb(xhci_to_hcd(xhci), cur_td->urb, 0);
531 kfree(cur_td);
532
533 spin_lock(&xhci->lock);
534 } while (cur_td != last_unlinked_td);
535
536 /* Return to the event handler with xhci->lock re-acquired */
537 }
538
539 /*
540 * When we get a completion for a Set Transfer Ring Dequeue Pointer command,
541 * we need to clear the set deq pending flag in the endpoint ring state, so that
542 * the TD queueing code can ring the doorbell again. We also need to ring the
543 * endpoint doorbell to restart the ring, but only if there aren't more
544 * cancellations pending.
545 */
546 static void handle_set_deq_completion(struct xhci_hcd *xhci,
547 struct xhci_event_cmd *event,
548 union xhci_trb *trb)
549 {
550 unsigned int slot_id;
551 unsigned int ep_index;
552 struct xhci_ring *ep_ring;
553 struct xhci_virt_device *dev;
554
555 slot_id = TRB_TO_SLOT_ID(trb->generic.field[3]);
556 ep_index = TRB_TO_EP_INDEX(trb->generic.field[3]);
557 dev = xhci->devs[slot_id];
558 ep_ring = dev->ep_rings[ep_index];
559
560 if (GET_COMP_CODE(event->status) != COMP_SUCCESS) {
561 unsigned int ep_state;
562 unsigned int slot_state;
563
564 switch (GET_COMP_CODE(event->status)) {
565 case COMP_TRB_ERR:
566 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd invalid because "
567 "of stream ID configuration\n");
568 break;
569 case COMP_CTX_STATE:
570 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd failed due "
571 "to incorrect slot or ep state.\n");
572 ep_state = dev->out_ctx->ep[ep_index].ep_info;
573 ep_state &= EP_STATE_MASK;
574 slot_state = dev->out_ctx->slot.dev_state;
575 slot_state = GET_SLOT_STATE(slot_state);
576 xhci_dbg(xhci, "Slot state = %u, EP state = %u\n",
577 slot_state, ep_state);
578 break;
579 case COMP_EBADSLT:
580 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd failed because "
581 "slot %u was not enabled.\n", slot_id);
582 break;
583 default:
584 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd with unknown "
585 "completion code of %u.\n",
586 GET_COMP_CODE(event->status));
587 break;
588 }
589 /* OK what do we do now? The endpoint state is hosed, and we
590 * should never get to this point if the synchronization between
591 * queueing, and endpoint state are correct. This might happen
592 * if the device gets disconnected after we've finished
593 * cancelling URBs, which might not be an error...
594 */
595 } else {
596 xhci_dbg(xhci, "Successful Set TR Deq Ptr cmd, deq = @%08llx\n",
597 dev->out_ctx->ep[ep_index].deq);
598 }
599
600 ep_ring->state &= ~SET_DEQ_PENDING;
601 ring_ep_doorbell(xhci, slot_id, ep_index);
602 }
603
604 static void handle_reset_ep_completion(struct xhci_hcd *xhci,
605 struct xhci_event_cmd *event,
606 union xhci_trb *trb)
607 {
608 int slot_id;
609 unsigned int ep_index;
610
611 slot_id = TRB_TO_SLOT_ID(trb->generic.field[3]);
612 ep_index = TRB_TO_EP_INDEX(trb->generic.field[3]);
613 /* This command will only fail if the endpoint wasn't halted,
614 * but we don't care.
615 */
616 xhci_dbg(xhci, "Ignoring reset ep completion code of %u\n",
617 (unsigned int) GET_COMP_CODE(event->status));
618
619 /* Clear our internal halted state and restart the ring */
620 xhci->devs[slot_id]->ep_rings[ep_index]->state &= ~EP_HALTED;
621 ring_ep_doorbell(xhci, slot_id, ep_index);
622 }
623
624 static void handle_cmd_completion(struct xhci_hcd *xhci,
625 struct xhci_event_cmd *event)
626 {
627 int slot_id = TRB_TO_SLOT_ID(event->flags);
628 u64 cmd_dma;
629 dma_addr_t cmd_dequeue_dma;
630
631 cmd_dma = event->cmd_trb;
632 cmd_dequeue_dma = xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
633 xhci->cmd_ring->dequeue);
634 /* Is the command ring deq ptr out of sync with the deq seg ptr? */
635 if (cmd_dequeue_dma == 0) {
636 xhci->error_bitmask |= 1 << 4;
637 return;
638 }
639 /* Does the DMA address match our internal dequeue pointer address? */
640 if (cmd_dma != (u64) cmd_dequeue_dma) {
641 xhci->error_bitmask |= 1 << 5;
642 return;
643 }
644 switch (xhci->cmd_ring->dequeue->generic.field[3] & TRB_TYPE_BITMASK) {
645 case TRB_TYPE(TRB_ENABLE_SLOT):
646 if (GET_COMP_CODE(event->status) == COMP_SUCCESS)
647 xhci->slot_id = slot_id;
648 else
649 xhci->slot_id = 0;
650 complete(&xhci->addr_dev);
651 break;
652 case TRB_TYPE(TRB_DISABLE_SLOT):
653 if (xhci->devs[slot_id])
654 xhci_free_virt_device(xhci, slot_id);
655 break;
656 case TRB_TYPE(TRB_CONFIG_EP):
657 xhci->devs[slot_id]->cmd_status = GET_COMP_CODE(event->status);
658 complete(&xhci->devs[slot_id]->cmd_completion);
659 break;
660 case TRB_TYPE(TRB_ADDR_DEV):
661 xhci->devs[slot_id]->cmd_status = GET_COMP_CODE(event->status);
662 complete(&xhci->addr_dev);
663 break;
664 case TRB_TYPE(TRB_STOP_RING):
665 handle_stopped_endpoint(xhci, xhci->cmd_ring->dequeue);
666 break;
667 case TRB_TYPE(TRB_SET_DEQ):
668 handle_set_deq_completion(xhci, event, xhci->cmd_ring->dequeue);
669 break;
670 case TRB_TYPE(TRB_CMD_NOOP):
671 ++xhci->noops_handled;
672 break;
673 case TRB_TYPE(TRB_RESET_EP):
674 handle_reset_ep_completion(xhci, event, xhci->cmd_ring->dequeue);
675 break;
676 default:
677 /* Skip over unknown commands on the event ring */
678 xhci->error_bitmask |= 1 << 6;
679 break;
680 }
681 inc_deq(xhci, xhci->cmd_ring, false);
682 }
683
684 static void handle_port_status(struct xhci_hcd *xhci,
685 union xhci_trb *event)
686 {
687 u32 port_id;
688
689 /* Port status change events always have a successful completion code */
690 if (GET_COMP_CODE(event->generic.field[2]) != COMP_SUCCESS) {
691 xhci_warn(xhci, "WARN: xHC returned failed port status event\n");
692 xhci->error_bitmask |= 1 << 8;
693 }
694 /* FIXME: core doesn't care about all port link state changes yet */
695 port_id = GET_PORT_ID(event->generic.field[0]);
696 xhci_dbg(xhci, "Port Status Change Event for port %d\n", port_id);
697
698 /* Update event ring dequeue pointer before dropping the lock */
699 inc_deq(xhci, xhci->event_ring, true);
700 xhci_set_hc_event_deq(xhci);
701
702 spin_unlock(&xhci->lock);
703 /* Pass this up to the core */
704 usb_hcd_poll_rh_status(xhci_to_hcd(xhci));
705 spin_lock(&xhci->lock);
706 }
707
708 /*
709 * This TD is defined by the TRBs starting at start_trb in start_seg and ending
710 * at end_trb, which may be in another segment. If the suspect DMA address is a
711 * TRB in this TD, this function returns that TRB's segment. Otherwise it
712 * returns 0.
713 */
714 static struct xhci_segment *trb_in_td(
715 struct xhci_segment *start_seg,
716 union xhci_trb *start_trb,
717 union xhci_trb *end_trb,
718 dma_addr_t suspect_dma)
719 {
720 dma_addr_t start_dma;
721 dma_addr_t end_seg_dma;
722 dma_addr_t end_trb_dma;
723 struct xhci_segment *cur_seg;
724
725 start_dma = xhci_trb_virt_to_dma(start_seg, start_trb);
726 cur_seg = start_seg;
727
728 do {
729 /* We may get an event for a Link TRB in the middle of a TD */
730 end_seg_dma = xhci_trb_virt_to_dma(cur_seg,
731 &start_seg->trbs[TRBS_PER_SEGMENT - 1]);
732 /* If the end TRB isn't in this segment, this is set to 0 */
733 end_trb_dma = xhci_trb_virt_to_dma(cur_seg, end_trb);
734
735 if (end_trb_dma > 0) {
736 /* The end TRB is in this segment, so suspect should be here */
737 if (start_dma <= end_trb_dma) {
738 if (suspect_dma >= start_dma && suspect_dma <= end_trb_dma)
739 return cur_seg;
740 } else {
741 /* Case for one segment with
742 * a TD wrapped around to the top
743 */
744 if ((suspect_dma >= start_dma &&
745 suspect_dma <= end_seg_dma) ||
746 (suspect_dma >= cur_seg->dma &&
747 suspect_dma <= end_trb_dma))
748 return cur_seg;
749 }
750 return 0;
751 } else {
752 /* Might still be somewhere in this segment */
753 if (suspect_dma >= start_dma && suspect_dma <= end_seg_dma)
754 return cur_seg;
755 }
756 cur_seg = cur_seg->next;
757 start_dma = xhci_trb_virt_to_dma(cur_seg, &cur_seg->trbs[0]);
758 } while (1);
759
760 }
761
762 /*
763 * If this function returns an error condition, it means it got a Transfer
764 * event with a corrupted Slot ID, Endpoint ID, or TRB DMA address.
765 * At this point, the host controller is probably hosed and should be reset.
766 */
767 static int handle_tx_event(struct xhci_hcd *xhci,
768 struct xhci_transfer_event *event)
769 {
770 struct xhci_virt_device *xdev;
771 struct xhci_ring *ep_ring;
772 int ep_index;
773 struct xhci_td *td = 0;
774 dma_addr_t event_dma;
775 struct xhci_segment *event_seg;
776 union xhci_trb *event_trb;
777 struct urb *urb = 0;
778 int status = -EINPROGRESS;
779
780 xdev = xhci->devs[TRB_TO_SLOT_ID(event->flags)];
781 if (!xdev) {
782 xhci_err(xhci, "ERROR Transfer event pointed to bad slot\n");
783 return -ENODEV;
784 }
785
786 /* Endpoint ID is 1 based, our index is zero based */
787 ep_index = TRB_TO_EP_ID(event->flags) - 1;
788 ep_ring = xdev->ep_rings[ep_index];
789 if (!ep_ring || (xdev->out_ctx->ep[ep_index].ep_info & EP_STATE_MASK) == EP_STATE_DISABLED) {
790 xhci_err(xhci, "ERROR Transfer event pointed to disabled endpoint\n");
791 return -ENODEV;
792 }
793
794 event_dma = event->buffer;
795 /* This TRB should be in the TD at the head of this ring's TD list */
796 if (list_empty(&ep_ring->td_list)) {
797 xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
798 TRB_TO_SLOT_ID(event->flags), ep_index);
799 xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
800 (unsigned int) (event->flags & TRB_TYPE_BITMASK)>>10);
801 xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
802 urb = NULL;
803 goto cleanup;
804 }
805 td = list_entry(ep_ring->td_list.next, struct xhci_td, td_list);
806
807 /* Is this a TRB in the currently executing TD? */
808 event_seg = trb_in_td(ep_ring->deq_seg, ep_ring->dequeue,
809 td->last_trb, event_dma);
810 if (!event_seg) {
811 /* HC is busted, give up! */
812 xhci_err(xhci, "ERROR Transfer event TRB DMA ptr not part of current TD\n");
813 return -ESHUTDOWN;
814 }
815 event_trb = &event_seg->trbs[(event_dma - event_seg->dma) / sizeof(*event_trb)];
816 xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
817 (unsigned int) (event->flags & TRB_TYPE_BITMASK)>>10);
818 xhci_dbg(xhci, "Offset 0x00 (buffer lo) = 0x%x\n",
819 lower_32_bits(event->buffer));
820 xhci_dbg(xhci, "Offset 0x04 (buffer hi) = 0x%x\n",
821 upper_32_bits(event->buffer));
822 xhci_dbg(xhci, "Offset 0x08 (transfer length) = 0x%x\n",
823 (unsigned int) event->transfer_len);
824 xhci_dbg(xhci, "Offset 0x0C (flags) = 0x%x\n",
825 (unsigned int) event->flags);
826
827 /* Look for common error cases */
828 switch (GET_COMP_CODE(event->transfer_len)) {
829 /* Skip codes that require special handling depending on
830 * transfer type
831 */
832 case COMP_SUCCESS:
833 case COMP_SHORT_TX:
834 break;
835 case COMP_STOP:
836 xhci_dbg(xhci, "Stopped on Transfer TRB\n");
837 break;
838 case COMP_STOP_INVAL:
839 xhci_dbg(xhci, "Stopped on No-op or Link TRB\n");
840 break;
841 case COMP_STALL:
842 xhci_warn(xhci, "WARN: Stalled endpoint\n");
843 ep_ring->state |= EP_HALTED;
844 status = -EPIPE;
845 break;
846 case COMP_TRB_ERR:
847 xhci_warn(xhci, "WARN: TRB error on endpoint\n");
848 status = -EILSEQ;
849 break;
850 case COMP_TX_ERR:
851 xhci_warn(xhci, "WARN: transfer error on endpoint\n");
852 status = -EPROTO;
853 break;
854 case COMP_DB_ERR:
855 xhci_warn(xhci, "WARN: HC couldn't access mem fast enough\n");
856 status = -ENOSR;
857 break;
858 default:
859 xhci_warn(xhci, "ERROR Unknown event condition, HC probably busted\n");
860 urb = NULL;
861 goto cleanup;
862 }
863 /* Now update the urb's actual_length and give back to the core */
864 /* Was this a control transfer? */
865 if (usb_endpoint_xfer_control(&td->urb->ep->desc)) {
866 xhci_debug_trb(xhci, xhci->event_ring->dequeue);
867 switch (GET_COMP_CODE(event->transfer_len)) {
868 case COMP_SUCCESS:
869 if (event_trb == ep_ring->dequeue) {
870 xhci_warn(xhci, "WARN: Success on ctrl setup TRB without IOC set??\n");
871 status = -ESHUTDOWN;
872 } else if (event_trb != td->last_trb) {
873 xhci_warn(xhci, "WARN: Success on ctrl data TRB without IOC set??\n");
874 status = -ESHUTDOWN;
875 } else {
876 xhci_dbg(xhci, "Successful control transfer!\n");
877 status = 0;
878 }
879 break;
880 case COMP_SHORT_TX:
881 xhci_warn(xhci, "WARN: short transfer on control ep\n");
882 status = -EREMOTEIO;
883 break;
884 default:
885 /* Others already handled above */
886 break;
887 }
888 /*
889 * Did we transfer any data, despite the errors that might have
890 * happened? I.e. did we get past the setup stage?
891 */
892 if (event_trb != ep_ring->dequeue) {
893 /* The event was for the status stage */
894 if (event_trb == td->last_trb) {
895 /* Did we already see a short data stage? */
896 if (td->urb->actual_length != 0)
897 status = -EREMOTEIO;
898 else
899 td->urb->actual_length =
900 td->urb->transfer_buffer_length;
901 } else {
902 /* Maybe the event was for the data stage? */
903 if (GET_COMP_CODE(event->transfer_len) != COMP_STOP_INVAL) {
904 /* We didn't stop on a link TRB in the middle */
905 td->urb->actual_length =
906 td->urb->transfer_buffer_length -
907 TRB_LEN(event->transfer_len);
908 xhci_dbg(xhci, "Waiting for status stage event\n");
909 urb = NULL;
910 goto cleanup;
911 }
912 }
913 }
914 } else {
915 switch (GET_COMP_CODE(event->transfer_len)) {
916 case COMP_SUCCESS:
917 /* Double check that the HW transferred everything. */
918 if (event_trb != td->last_trb) {
919 xhci_warn(xhci, "WARN Successful completion "
920 "on short TX\n");
921 if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
922 status = -EREMOTEIO;
923 else
924 status = 0;
925 } else {
926 xhci_dbg(xhci, "Successful bulk transfer!\n");
927 status = 0;
928 }
929 break;
930 case COMP_SHORT_TX:
931 if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
932 status = -EREMOTEIO;
933 else
934 status = 0;
935 break;
936 default:
937 /* Others already handled above */
938 break;
939 }
940 dev_dbg(&td->urb->dev->dev,
941 "ep %#x - asked for %d bytes, "
942 "%d bytes untransferred\n",
943 td->urb->ep->desc.bEndpointAddress,
944 td->urb->transfer_buffer_length,
945 TRB_LEN(event->transfer_len));
946 /* Fast path - was this the last TRB in the TD for this URB? */
947 if (event_trb == td->last_trb) {
948 if (TRB_LEN(event->transfer_len) != 0) {
949 td->urb->actual_length =
950 td->urb->transfer_buffer_length -
951 TRB_LEN(event->transfer_len);
952 if (td->urb->actual_length < 0) {
953 xhci_warn(xhci, "HC gave bad length "
954 "of %d bytes left\n",
955 TRB_LEN(event->transfer_len));
956 td->urb->actual_length = 0;
957 }
958 if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
959 status = -EREMOTEIO;
960 else
961 status = 0;
962 } else {
963 td->urb->actual_length = td->urb->transfer_buffer_length;
964 /* Ignore a short packet completion if the
965 * untransferred length was zero.
966 */
967 status = 0;
968 }
969 } else {
970 /* Slow path - walk the list, starting from the dequeue
971 * pointer, to get the actual length transferred.
972 */
973 union xhci_trb *cur_trb;
974 struct xhci_segment *cur_seg;
975
976 td->urb->actual_length = 0;
977 for (cur_trb = ep_ring->dequeue, cur_seg = ep_ring->deq_seg;
978 cur_trb != event_trb;
979 next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) {
980 if (TRB_TYPE(cur_trb->generic.field[3]) != TRB_TR_NOOP &&
981 TRB_TYPE(cur_trb->generic.field[3]) != TRB_LINK)
982 td->urb->actual_length +=
983 TRB_LEN(cur_trb->generic.field[2]);
984 }
985 /* If the ring didn't stop on a Link or No-op TRB, add
986 * in the actual bytes transferred from the Normal TRB
987 */
988 if (GET_COMP_CODE(event->transfer_len) != COMP_STOP_INVAL)
989 td->urb->actual_length +=
990 TRB_LEN(cur_trb->generic.field[2]) -
991 TRB_LEN(event->transfer_len);
992 }
993 }
994 /* The Endpoint Stop Command completion will take care of
995 * any stopped TDs. A stopped TD may be restarted, so don't update the
996 * ring dequeue pointer or take this TD off any lists yet.
997 */
998 if (GET_COMP_CODE(event->transfer_len) == COMP_STOP_INVAL ||
999 GET_COMP_CODE(event->transfer_len) == COMP_STOP) {
1000 ep_ring->stopped_td = td;
1001 ep_ring->stopped_trb = event_trb;
1002 } else {
1003 /* Update ring dequeue pointer */
1004 while (ep_ring->dequeue != td->last_trb)
1005 inc_deq(xhci, ep_ring, false);
1006 inc_deq(xhci, ep_ring, false);
1007
1008 /* Clean up the endpoint's TD list */
1009 urb = td->urb;
1010 list_del(&td->td_list);
1011 /* Was this TD slated to be cancelled but completed anyway? */
1012 if (!list_empty(&td->cancelled_td_list)) {
1013 list_del(&td->cancelled_td_list);
1014 ep_ring->cancels_pending--;
1015 }
1016 kfree(td);
1017 urb->hcpriv = NULL;
1018 }
1019 cleanup:
1020 inc_deq(xhci, xhci->event_ring, true);
1021 xhci_set_hc_event_deq(xhci);
1022
1023 /* FIXME for multi-TD URBs (who have buffers bigger than 64MB) */
1024 if (urb) {
1025 usb_hcd_unlink_urb_from_ep(xhci_to_hcd(xhci), urb);
1026 spin_unlock(&xhci->lock);
1027 usb_hcd_giveback_urb(xhci_to_hcd(xhci), urb, status);
1028 spin_lock(&xhci->lock);
1029 }
1030 return 0;
1031 }
1032
1033 /*
1034 * This function handles all OS-owned events on the event ring. It may drop
1035 * xhci->lock between event processing (e.g. to pass up port status changes).
1036 */
1037 void xhci_handle_event(struct xhci_hcd *xhci)
1038 {
1039 union xhci_trb *event;
1040 int update_ptrs = 1;
1041 int ret;
1042
1043 if (!xhci->event_ring || !xhci->event_ring->dequeue) {
1044 xhci->error_bitmask |= 1 << 1;
1045 return;
1046 }
1047
1048 event = xhci->event_ring->dequeue;
1049 /* Does the HC or OS own the TRB? */
1050 if ((event->event_cmd.flags & TRB_CYCLE) !=
1051 xhci->event_ring->cycle_state) {
1052 xhci->error_bitmask |= 1 << 2;
1053 return;
1054 }
1055
1056 /* FIXME: Handle more event types. */
1057 switch ((event->event_cmd.flags & TRB_TYPE_BITMASK)) {
1058 case TRB_TYPE(TRB_COMPLETION):
1059 handle_cmd_completion(xhci, &event->event_cmd);
1060 break;
1061 case TRB_TYPE(TRB_PORT_STATUS):
1062 handle_port_status(xhci, event);
1063 update_ptrs = 0;
1064 break;
1065 case TRB_TYPE(TRB_TRANSFER):
1066 ret = handle_tx_event(xhci, &event->trans_event);
1067 if (ret < 0)
1068 xhci->error_bitmask |= 1 << 9;
1069 else
1070 update_ptrs = 0;
1071 break;
1072 default:
1073 xhci->error_bitmask |= 1 << 3;
1074 }
1075
1076 if (update_ptrs) {
1077 /* Update SW and HC event ring dequeue pointer */
1078 inc_deq(xhci, xhci->event_ring, true);
1079 xhci_set_hc_event_deq(xhci);
1080 }
1081 /* Are there more items on the event ring? */
1082 xhci_handle_event(xhci);
1083 }
1084
1085 /**** Endpoint Ring Operations ****/
1086
1087 /*
1088 * Generic function for queueing a TRB on a ring.
1089 * The caller must have checked to make sure there's room on the ring.
1090 */
1091 static void queue_trb(struct xhci_hcd *xhci, struct xhci_ring *ring,
1092 bool consumer,
1093 u32 field1, u32 field2, u32 field3, u32 field4)
1094 {
1095 struct xhci_generic_trb *trb;
1096
1097 trb = &ring->enqueue->generic;
1098 trb->field[0] = field1;
1099 trb->field[1] = field2;
1100 trb->field[2] = field3;
1101 trb->field[3] = field4;
1102 inc_enq(xhci, ring, consumer);
1103 }
1104
1105 /*
1106 * Does various checks on the endpoint ring, and makes it ready to queue num_trbs.
1107 * FIXME allocate segments if the ring is full.
1108 */
1109 static int prepare_ring(struct xhci_hcd *xhci, struct xhci_ring *ep_ring,
1110 u32 ep_state, unsigned int num_trbs, gfp_t mem_flags)
1111 {
1112 /* Make sure the endpoint has been added to xHC schedule */
1113 xhci_dbg(xhci, "Endpoint state = 0x%x\n", ep_state);
1114 switch (ep_state) {
1115 case EP_STATE_DISABLED:
1116 /*
1117 * USB core changed config/interfaces without notifying us,
1118 * or hardware is reporting the wrong state.
1119 */
1120 xhci_warn(xhci, "WARN urb submitted to disabled ep\n");
1121 return -ENOENT;
1122 case EP_STATE_HALTED:
1123 case EP_STATE_ERROR:
1124 xhci_warn(xhci, "WARN waiting for halt or error on ep "
1125 "to be cleared\n");
1126 /* FIXME event handling code for error needs to clear it */
1127 /* XXX not sure if this should be -ENOENT or not */
1128 return -EINVAL;
1129 case EP_STATE_STOPPED:
1130 case EP_STATE_RUNNING:
1131 break;
1132 default:
1133 xhci_err(xhci, "ERROR unknown endpoint state for ep\n");
1134 /*
1135 * FIXME issue Configure Endpoint command to try to get the HC
1136 * back into a known state.
1137 */
1138 return -EINVAL;
1139 }
1140 if (!room_on_ring(xhci, ep_ring, num_trbs)) {
1141 /* FIXME allocate more room */
1142 xhci_err(xhci, "ERROR no room on ep ring\n");
1143 return -ENOMEM;
1144 }
1145 return 0;
1146 }
1147
1148 static int prepare_transfer(struct xhci_hcd *xhci,
1149 struct xhci_virt_device *xdev,
1150 unsigned int ep_index,
1151 unsigned int num_trbs,
1152 struct urb *urb,
1153 struct xhci_td **td,
1154 gfp_t mem_flags)
1155 {
1156 int ret;
1157
1158 ret = prepare_ring(xhci, xdev->ep_rings[ep_index],
1159 xdev->out_ctx->ep[ep_index].ep_info & EP_STATE_MASK,
1160 num_trbs, mem_flags);
1161 if (ret)
1162 return ret;
1163 *td = kzalloc(sizeof(struct xhci_td), mem_flags);
1164 if (!*td)
1165 return -ENOMEM;
1166 INIT_LIST_HEAD(&(*td)->td_list);
1167 INIT_LIST_HEAD(&(*td)->cancelled_td_list);
1168
1169 ret = usb_hcd_link_urb_to_ep(xhci_to_hcd(xhci), urb);
1170 if (unlikely(ret)) {
1171 kfree(*td);
1172 return ret;
1173 }
1174
1175 (*td)->urb = urb;
1176 urb->hcpriv = (void *) (*td);
1177 /* Add this TD to the tail of the endpoint ring's TD list */
1178 list_add_tail(&(*td)->td_list, &xdev->ep_rings[ep_index]->td_list);
1179 (*td)->start_seg = xdev->ep_rings[ep_index]->enq_seg;
1180 (*td)->first_trb = xdev->ep_rings[ep_index]->enqueue;
1181
1182 return 0;
1183 }
1184
1185 static unsigned int count_sg_trbs_needed(struct xhci_hcd *xhci, struct urb *urb)
1186 {
1187 int num_sgs, num_trbs, running_total, temp, i;
1188 struct scatterlist *sg;
1189
1190 sg = NULL;
1191 num_sgs = urb->num_sgs;
1192 temp = urb->transfer_buffer_length;
1193
1194 xhci_dbg(xhci, "count sg list trbs: \n");
1195 num_trbs = 0;
1196 for_each_sg(urb->sg->sg, sg, num_sgs, i) {
1197 unsigned int previous_total_trbs = num_trbs;
1198 unsigned int len = sg_dma_len(sg);
1199
1200 /* Scatter gather list entries may cross 64KB boundaries */
1201 running_total = TRB_MAX_BUFF_SIZE -
1202 (sg_dma_address(sg) & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1203 if (running_total != 0)
1204 num_trbs++;
1205
1206 /* How many more 64KB chunks to transfer, how many more TRBs? */
1207 while (running_total < sg_dma_len(sg)) {
1208 num_trbs++;
1209 running_total += TRB_MAX_BUFF_SIZE;
1210 }
1211 xhci_dbg(xhci, " sg #%d: dma = %#llx, len = %#x (%d), num_trbs = %d\n",
1212 i, (unsigned long long)sg_dma_address(sg),
1213 len, len, num_trbs - previous_total_trbs);
1214
1215 len = min_t(int, len, temp);
1216 temp -= len;
1217 if (temp == 0)
1218 break;
1219 }
1220 xhci_dbg(xhci, "\n");
1221 if (!in_interrupt())
1222 dev_dbg(&urb->dev->dev, "ep %#x - urb len = %d, sglist used, num_trbs = %d\n",
1223 urb->ep->desc.bEndpointAddress,
1224 urb->transfer_buffer_length,
1225 num_trbs);
1226 return num_trbs;
1227 }
1228
1229 static void check_trb_math(struct urb *urb, int num_trbs, int running_total)
1230 {
1231 if (num_trbs != 0)
1232 dev_dbg(&urb->dev->dev, "%s - ep %#x - Miscalculated number of "
1233 "TRBs, %d left\n", __func__,
1234 urb->ep->desc.bEndpointAddress, num_trbs);
1235 if (running_total != urb->transfer_buffer_length)
1236 dev_dbg(&urb->dev->dev, "%s - ep %#x - Miscalculated tx length, "
1237 "queued %#x (%d), asked for %#x (%d)\n",
1238 __func__,
1239 urb->ep->desc.bEndpointAddress,
1240 running_total, running_total,
1241 urb->transfer_buffer_length,
1242 urb->transfer_buffer_length);
1243 }
1244
1245 static void giveback_first_trb(struct xhci_hcd *xhci, int slot_id,
1246 unsigned int ep_index, int start_cycle,
1247 struct xhci_generic_trb *start_trb, struct xhci_td *td)
1248 {
1249 /*
1250 * Pass all the TRBs to the hardware at once and make sure this write
1251 * isn't reordered.
1252 */
1253 wmb();
1254 start_trb->field[3] |= start_cycle;
1255 ring_ep_doorbell(xhci, slot_id, ep_index);
1256 }
1257
1258 static int queue_bulk_sg_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1259 struct urb *urb, int slot_id, unsigned int ep_index)
1260 {
1261 struct xhci_ring *ep_ring;
1262 unsigned int num_trbs;
1263 struct xhci_td *td;
1264 struct scatterlist *sg;
1265 int num_sgs;
1266 int trb_buff_len, this_sg_len, running_total;
1267 bool first_trb;
1268 u64 addr;
1269
1270 struct xhci_generic_trb *start_trb;
1271 int start_cycle;
1272
1273 ep_ring = xhci->devs[slot_id]->ep_rings[ep_index];
1274 num_trbs = count_sg_trbs_needed(xhci, urb);
1275 num_sgs = urb->num_sgs;
1276
1277 trb_buff_len = prepare_transfer(xhci, xhci->devs[slot_id],
1278 ep_index, num_trbs, urb, &td, mem_flags);
1279 if (trb_buff_len < 0)
1280 return trb_buff_len;
1281 /*
1282 * Don't give the first TRB to the hardware (by toggling the cycle bit)
1283 * until we've finished creating all the other TRBs. The ring's cycle
1284 * state may change as we enqueue the other TRBs, so save it too.
1285 */
1286 start_trb = &ep_ring->enqueue->generic;
1287 start_cycle = ep_ring->cycle_state;
1288
1289 running_total = 0;
1290 /*
1291 * How much data is in the first TRB?
1292 *
1293 * There are three forces at work for TRB buffer pointers and lengths:
1294 * 1. We don't want to walk off the end of this sg-list entry buffer.
1295 * 2. The transfer length that the driver requested may be smaller than
1296 * the amount of memory allocated for this scatter-gather list.
1297 * 3. TRBs buffers can't cross 64KB boundaries.
1298 */
1299 sg = urb->sg->sg;
1300 addr = (u64) sg_dma_address(sg);
1301 this_sg_len = sg_dma_len(sg);
1302 trb_buff_len = TRB_MAX_BUFF_SIZE -
1303 (addr & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1304 trb_buff_len = min_t(int, trb_buff_len, this_sg_len);
1305 if (trb_buff_len > urb->transfer_buffer_length)
1306 trb_buff_len = urb->transfer_buffer_length;
1307 xhci_dbg(xhci, "First length to xfer from 1st sglist entry = %u\n",
1308 trb_buff_len);
1309
1310 first_trb = true;
1311 /* Queue the first TRB, even if it's zero-length */
1312 do {
1313 u32 field = 0;
1314 u32 length_field = 0;
1315
1316 /* Don't change the cycle bit of the first TRB until later */
1317 if (first_trb)
1318 first_trb = false;
1319 else
1320 field |= ep_ring->cycle_state;
1321
1322 /* Chain all the TRBs together; clear the chain bit in the last
1323 * TRB to indicate it's the last TRB in the chain.
1324 */
1325 if (num_trbs > 1) {
1326 field |= TRB_CHAIN;
1327 } else {
1328 /* FIXME - add check for ZERO_PACKET flag before this */
1329 td->last_trb = ep_ring->enqueue;
1330 field |= TRB_IOC;
1331 }
1332 xhci_dbg(xhci, " sg entry: dma = %#x, len = %#x (%d), "
1333 "64KB boundary at %#x, end dma = %#x\n",
1334 (unsigned int) addr, trb_buff_len, trb_buff_len,
1335 (unsigned int) (addr + TRB_MAX_BUFF_SIZE) & ~(TRB_MAX_BUFF_SIZE - 1),
1336 (unsigned int) addr + trb_buff_len);
1337 if (TRB_MAX_BUFF_SIZE -
1338 (addr & ((1 << TRB_MAX_BUFF_SHIFT) - 1)) < trb_buff_len) {
1339 xhci_warn(xhci, "WARN: sg dma xfer crosses 64KB boundaries!\n");
1340 xhci_dbg(xhci, "Next boundary at %#x, end dma = %#x\n",
1341 (unsigned int) (addr + TRB_MAX_BUFF_SIZE) & ~(TRB_MAX_BUFF_SIZE - 1),
1342 (unsigned int) addr + trb_buff_len);
1343 }
1344 length_field = TRB_LEN(trb_buff_len) |
1345 TD_REMAINDER(urb->transfer_buffer_length - running_total) |
1346 TRB_INTR_TARGET(0);
1347 queue_trb(xhci, ep_ring, false,
1348 lower_32_bits(addr),
1349 upper_32_bits(addr),
1350 length_field,
1351 /* We always want to know if the TRB was short,
1352 * or we won't get an event when it completes.
1353 * (Unless we use event data TRBs, which are a
1354 * waste of space and HC resources.)
1355 */
1356 field | TRB_ISP | TRB_TYPE(TRB_NORMAL));
1357 --num_trbs;
1358 running_total += trb_buff_len;
1359
1360 /* Calculate length for next transfer --
1361 * Are we done queueing all the TRBs for this sg entry?
1362 */
1363 this_sg_len -= trb_buff_len;
1364 if (this_sg_len == 0) {
1365 --num_sgs;
1366 if (num_sgs == 0)
1367 break;
1368 sg = sg_next(sg);
1369 addr = (u64) sg_dma_address(sg);
1370 this_sg_len = sg_dma_len(sg);
1371 } else {
1372 addr += trb_buff_len;
1373 }
1374
1375 trb_buff_len = TRB_MAX_BUFF_SIZE -
1376 (addr & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1377 trb_buff_len = min_t(int, trb_buff_len, this_sg_len);
1378 if (running_total + trb_buff_len > urb->transfer_buffer_length)
1379 trb_buff_len =
1380 urb->transfer_buffer_length - running_total;
1381 } while (running_total < urb->transfer_buffer_length);
1382
1383 check_trb_math(urb, num_trbs, running_total);
1384 giveback_first_trb(xhci, slot_id, ep_index, start_cycle, start_trb, td);
1385 return 0;
1386 }
1387
1388 /* This is very similar to what ehci-q.c qtd_fill() does */
1389 int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1390 struct urb *urb, int slot_id, unsigned int ep_index)
1391 {
1392 struct xhci_ring *ep_ring;
1393 struct xhci_td *td;
1394 int num_trbs;
1395 struct xhci_generic_trb *start_trb;
1396 bool first_trb;
1397 int start_cycle;
1398 u32 field, length_field;
1399
1400 int running_total, trb_buff_len, ret;
1401 u64 addr;
1402
1403 if (urb->sg)
1404 return queue_bulk_sg_tx(xhci, mem_flags, urb, slot_id, ep_index);
1405
1406 ep_ring = xhci->devs[slot_id]->ep_rings[ep_index];
1407
1408 num_trbs = 0;
1409 /* How much data is (potentially) left before the 64KB boundary? */
1410 running_total = TRB_MAX_BUFF_SIZE -
1411 (urb->transfer_dma & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1412
1413 /* If there's some data on this 64KB chunk, or we have to send a
1414 * zero-length transfer, we need at least one TRB
1415 */
1416 if (running_total != 0 || urb->transfer_buffer_length == 0)
1417 num_trbs++;
1418 /* How many more 64KB chunks to transfer, how many more TRBs? */
1419 while (running_total < urb->transfer_buffer_length) {
1420 num_trbs++;
1421 running_total += TRB_MAX_BUFF_SIZE;
1422 }
1423 /* FIXME: this doesn't deal with URB_ZERO_PACKET - need one more */
1424
1425 if (!in_interrupt())
1426 dev_dbg(&urb->dev->dev, "ep %#x - urb len = %#x (%d), addr = %#llx, num_trbs = %d\n",
1427 urb->ep->desc.bEndpointAddress,
1428 urb->transfer_buffer_length,
1429 urb->transfer_buffer_length,
1430 (unsigned long long)urb->transfer_dma,
1431 num_trbs);
1432
1433 ret = prepare_transfer(xhci, xhci->devs[slot_id], ep_index,
1434 num_trbs, urb, &td, mem_flags);
1435 if (ret < 0)
1436 return ret;
1437
1438 /*
1439 * Don't give the first TRB to the hardware (by toggling the cycle bit)
1440 * until we've finished creating all the other TRBs. The ring's cycle
1441 * state may change as we enqueue the other TRBs, so save it too.
1442 */
1443 start_trb = &ep_ring->enqueue->generic;
1444 start_cycle = ep_ring->cycle_state;
1445
1446 running_total = 0;
1447 /* How much data is in the first TRB? */
1448 addr = (u64) urb->transfer_dma;
1449 trb_buff_len = TRB_MAX_BUFF_SIZE -
1450 (urb->transfer_dma & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1451 if (urb->transfer_buffer_length < trb_buff_len)
1452 trb_buff_len = urb->transfer_buffer_length;
1453
1454 first_trb = true;
1455
1456 /* Queue the first TRB, even if it's zero-length */
1457 do {
1458 field = 0;
1459
1460 /* Don't change the cycle bit of the first TRB until later */
1461 if (first_trb)
1462 first_trb = false;
1463 else
1464 field |= ep_ring->cycle_state;
1465
1466 /* Chain all the TRBs together; clear the chain bit in the last
1467 * TRB to indicate it's the last TRB in the chain.
1468 */
1469 if (num_trbs > 1) {
1470 field |= TRB_CHAIN;
1471 } else {
1472 /* FIXME - add check for ZERO_PACKET flag before this */
1473 td->last_trb = ep_ring->enqueue;
1474 field |= TRB_IOC;
1475 }
1476 length_field = TRB_LEN(trb_buff_len) |
1477 TD_REMAINDER(urb->transfer_buffer_length - running_total) |
1478 TRB_INTR_TARGET(0);
1479 queue_trb(xhci, ep_ring, false,
1480 lower_32_bits(addr),
1481 upper_32_bits(addr),
1482 length_field,
1483 /* We always want to know if the TRB was short,
1484 * or we won't get an event when it completes.
1485 * (Unless we use event data TRBs, which are a
1486 * waste of space and HC resources.)
1487 */
1488 field | TRB_ISP | TRB_TYPE(TRB_NORMAL));
1489 --num_trbs;
1490 running_total += trb_buff_len;
1491
1492 /* Calculate length for next transfer */
1493 addr += trb_buff_len;
1494 trb_buff_len = urb->transfer_buffer_length - running_total;
1495 if (trb_buff_len > TRB_MAX_BUFF_SIZE)
1496 trb_buff_len = TRB_MAX_BUFF_SIZE;
1497 } while (running_total < urb->transfer_buffer_length);
1498
1499 check_trb_math(urb, num_trbs, running_total);
1500 giveback_first_trb(xhci, slot_id, ep_index, start_cycle, start_trb, td);
1501 return 0;
1502 }
1503
1504 /* Caller must have locked xhci->lock */
1505 int xhci_queue_ctrl_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1506 struct urb *urb, int slot_id, unsigned int ep_index)
1507 {
1508 struct xhci_ring *ep_ring;
1509 int num_trbs;
1510 int ret;
1511 struct usb_ctrlrequest *setup;
1512 struct xhci_generic_trb *start_trb;
1513 int start_cycle;
1514 u32 field, length_field;
1515 struct xhci_td *td;
1516
1517 ep_ring = xhci->devs[slot_id]->ep_rings[ep_index];
1518
1519 /*
1520 * Need to copy setup packet into setup TRB, so we can't use the setup
1521 * DMA address.
1522 */
1523 if (!urb->setup_packet)
1524 return -EINVAL;
1525
1526 if (!in_interrupt())
1527 xhci_dbg(xhci, "Queueing ctrl tx for slot id %d, ep %d\n",
1528 slot_id, ep_index);
1529 /* 1 TRB for setup, 1 for status */
1530 num_trbs = 2;
1531 /*
1532 * Don't need to check if we need additional event data and normal TRBs,
1533 * since data in control transfers will never get bigger than 16MB
1534 * XXX: can we get a buffer that crosses 64KB boundaries?
1535 */
1536 if (urb->transfer_buffer_length > 0)
1537 num_trbs++;
1538 ret = prepare_transfer(xhci, xhci->devs[slot_id], ep_index, num_trbs,
1539 urb, &td, mem_flags);
1540 if (ret < 0)
1541 return ret;
1542
1543 /*
1544 * Don't give the first TRB to the hardware (by toggling the cycle bit)
1545 * until we've finished creating all the other TRBs. The ring's cycle
1546 * state may change as we enqueue the other TRBs, so save it too.
1547 */
1548 start_trb = &ep_ring->enqueue->generic;
1549 start_cycle = ep_ring->cycle_state;
1550
1551 /* Queue setup TRB - see section 6.4.1.2.1 */
1552 /* FIXME better way to translate setup_packet into two u32 fields? */
1553 setup = (struct usb_ctrlrequest *) urb->setup_packet;
1554 queue_trb(xhci, ep_ring, false,
1555 /* FIXME endianness is probably going to bite my ass here. */
1556 setup->bRequestType | setup->bRequest << 8 | setup->wValue << 16,
1557 setup->wIndex | setup->wLength << 16,
1558 TRB_LEN(8) | TRB_INTR_TARGET(0),
1559 /* Immediate data in pointer */
1560 TRB_IDT | TRB_TYPE(TRB_SETUP));
1561
1562 /* If there's data, queue data TRBs */
1563 field = 0;
1564 length_field = TRB_LEN(urb->transfer_buffer_length) |
1565 TD_REMAINDER(urb->transfer_buffer_length) |
1566 TRB_INTR_TARGET(0);
1567 if (urb->transfer_buffer_length > 0) {
1568 if (setup->bRequestType & USB_DIR_IN)
1569 field |= TRB_DIR_IN;
1570 queue_trb(xhci, ep_ring, false,
1571 lower_32_bits(urb->transfer_dma),
1572 upper_32_bits(urb->transfer_dma),
1573 length_field,
1574 /* Event on short tx */
1575 field | TRB_ISP | TRB_TYPE(TRB_DATA) | ep_ring->cycle_state);
1576 }
1577
1578 /* Save the DMA address of the last TRB in the TD */
1579 td->last_trb = ep_ring->enqueue;
1580
1581 /* Queue status TRB - see Table 7 and sections 4.11.2.2 and 6.4.1.2.3 */
1582 /* If the device sent data, the status stage is an OUT transfer */
1583 if (urb->transfer_buffer_length > 0 && setup->bRequestType & USB_DIR_IN)
1584 field = 0;
1585 else
1586 field = TRB_DIR_IN;
1587 queue_trb(xhci, ep_ring, false,
1588 0,
1589 0,
1590 TRB_INTR_TARGET(0),
1591 /* Event on completion */
1592 field | TRB_IOC | TRB_TYPE(TRB_STATUS) | ep_ring->cycle_state);
1593
1594 giveback_first_trb(xhci, slot_id, ep_index, start_cycle, start_trb, td);
1595 return 0;
1596 }
1597
1598 /**** Command Ring Operations ****/
1599
1600 /* Generic function for queueing a command TRB on the command ring */
1601 static int queue_command(struct xhci_hcd *xhci, u32 field1, u32 field2, u32 field3, u32 field4)
1602 {
1603 if (!room_on_ring(xhci, xhci->cmd_ring, 1)) {
1604 if (!in_interrupt())
1605 xhci_err(xhci, "ERR: No room for command on command ring\n");
1606 return -ENOMEM;
1607 }
1608 queue_trb(xhci, xhci->cmd_ring, false, field1, field2, field3,
1609 field4 | xhci->cmd_ring->cycle_state);
1610 return 0;
1611 }
1612
1613 /* Queue a no-op command on the command ring */
1614 static int queue_cmd_noop(struct xhci_hcd *xhci)
1615 {
1616 return queue_command(xhci, 0, 0, 0, TRB_TYPE(TRB_CMD_NOOP));
1617 }
1618
1619 /*
1620 * Place a no-op command on the command ring to test the command and
1621 * event ring.
1622 */
1623 void *xhci_setup_one_noop(struct xhci_hcd *xhci)
1624 {
1625 if (queue_cmd_noop(xhci) < 0)
1626 return NULL;
1627 xhci->noops_submitted++;
1628 return xhci_ring_cmd_db;
1629 }
1630
1631 /* Queue a slot enable or disable request on the command ring */
1632 int xhci_queue_slot_control(struct xhci_hcd *xhci, u32 trb_type, u32 slot_id)
1633 {
1634 return queue_command(xhci, 0, 0, 0,
1635 TRB_TYPE(trb_type) | SLOT_ID_FOR_TRB(slot_id));
1636 }
1637
1638 /* Queue an address device command TRB */
1639 int xhci_queue_address_device(struct xhci_hcd *xhci, dma_addr_t in_ctx_ptr,
1640 u32 slot_id)
1641 {
1642 return queue_command(xhci, lower_32_bits(in_ctx_ptr),
1643 upper_32_bits(in_ctx_ptr), 0,
1644 TRB_TYPE(TRB_ADDR_DEV) | SLOT_ID_FOR_TRB(slot_id));
1645 }
1646
1647 /* Queue a configure endpoint command TRB */
1648 int xhci_queue_configure_endpoint(struct xhci_hcd *xhci, dma_addr_t in_ctx_ptr,
1649 u32 slot_id)
1650 {
1651 return queue_command(xhci, lower_32_bits(in_ctx_ptr),
1652 upper_32_bits(in_ctx_ptr), 0,
1653 TRB_TYPE(TRB_CONFIG_EP) | SLOT_ID_FOR_TRB(slot_id));
1654 }
1655
1656 int xhci_queue_stop_endpoint(struct xhci_hcd *xhci, int slot_id,
1657 unsigned int ep_index)
1658 {
1659 u32 trb_slot_id = SLOT_ID_FOR_TRB(slot_id);
1660 u32 trb_ep_index = EP_ID_FOR_TRB(ep_index);
1661 u32 type = TRB_TYPE(TRB_STOP_RING);
1662
1663 return queue_command(xhci, 0, 0, 0,
1664 trb_slot_id | trb_ep_index | type);
1665 }
1666
1667 /* Set Transfer Ring Dequeue Pointer command.
1668 * This should not be used for endpoints that have streams enabled.
1669 */
1670 static int queue_set_tr_deq(struct xhci_hcd *xhci, int slot_id,
1671 unsigned int ep_index, struct xhci_segment *deq_seg,
1672 union xhci_trb *deq_ptr, u32 cycle_state)
1673 {
1674 dma_addr_t addr;
1675 u32 trb_slot_id = SLOT_ID_FOR_TRB(slot_id);
1676 u32 trb_ep_index = EP_ID_FOR_TRB(ep_index);
1677 u32 type = TRB_TYPE(TRB_SET_DEQ);
1678
1679 addr = xhci_trb_virt_to_dma(deq_seg, deq_ptr);
1680 if (addr == 0)
1681 xhci_warn(xhci, "WARN Cannot submit Set TR Deq Ptr\n");
1682 xhci_warn(xhci, "WARN deq seg = %p, deq pt = %p\n",
1683 deq_seg, deq_ptr);
1684 return queue_command(xhci, lower_32_bits(addr) | cycle_state,
1685 upper_32_bits(addr), 0,
1686 trb_slot_id | trb_ep_index | type);
1687 }
1688
1689 int xhci_queue_reset_ep(struct xhci_hcd *xhci, int slot_id,
1690 unsigned int ep_index)
1691 {
1692 u32 trb_slot_id = SLOT_ID_FOR_TRB(slot_id);
1693 u32 trb_ep_index = EP_ID_FOR_TRB(ep_index);
1694 u32 type = TRB_TYPE(TRB_RESET_EP);
1695
1696 return queue_command(xhci, 0, 0, 0, trb_slot_id | trb_ep_index | type);
1697 }
(deprecated) Btrfs devel tree