1 /* 2 * xHCI host controller driver 3 * 4 * Copyright (C) 2008 Intel Corp. 5 * 6 * Author: Sarah Sharp 7 * Some code borrowed from the Linux EHCI driver. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License version 2 as 11 * published by the Free Software Foundation. 12 * 13 * This program is distributed in the hope that it will be useful, but 14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 16 * for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software Foundation, 20 * Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 21 */ 22 23 /* 24 * Ring initialization rules: 25 * 1. Each segment is initialized to zero, except for link TRBs. 26 * 2. Ring cycle state = 0. This represents Producer Cycle State (PCS) or 27 * Consumer Cycle State (CCS), depending on ring function. 28 * 3. Enqueue pointer = dequeue pointer = address of first TRB in the segment. 29 * 30 * Ring behavior rules: 31 * 1. A ring is empty if enqueue == dequeue. This means there will always be at 32 * least one free TRB in the ring. This is useful if you want to turn that 33 * into a link TRB and expand the ring. 34 * 2. When incrementing an enqueue or dequeue pointer, if the next TRB is a 35 * link TRB, then load the pointer with the address in the link TRB. If the 36 * link TRB had its toggle bit set, you may need to update the ring cycle 37 * state (see cycle bit rules). You may have to do this multiple times 38 * until you reach a non-link TRB. 39 * 3. A ring is full if enqueue++ (for the definition of increment above) 40 * equals the dequeue pointer. 41 * 42 * Cycle bit rules: 43 * 1. When a consumer increments a dequeue pointer and encounters a toggle bit 44 * in a link TRB, it must toggle the ring cycle state. 45 * 2. When a producer increments an enqueue pointer and encounters a toggle bit 46 * in a link TRB, it must toggle the ring cycle state. 47 * 48 * Producer rules: 49 * 1. Check if ring is full before you enqueue. 50 * 2. Write the ring cycle state to the cycle bit in the TRB you're enqueuing. 51 * Update enqueue pointer between each write (which may update the ring 52 * cycle state). 53 * 3. Notify consumer. If SW is producer, it rings the doorbell for command 54 * and endpoint rings. If HC is the producer for the event ring, 55 * and it generates an interrupt according to interrupt modulation rules. 56 * 57 * Consumer rules: 58 * 1. Check if TRB belongs to you. If the cycle bit == your ring cycle state, 59 * the TRB is owned by the consumer. 60 * 2. Update dequeue pointer (which may update the ring cycle state) and 61 * continue processing TRBs until you reach a TRB which is not owned by you. 62 * 3. Notify the producer. SW is the consumer for the event ring, and it 63 * updates event ring dequeue pointer. HC is the consumer for the command and 64 * endpoint rings; it generates events on the event ring for these. 65 */ 66 67 #include <linux/scatterlist.h> 68 #include <linux/slab.h> 69 #include "xhci.h" 70 #include "xhci-trace.h" 71 #include "xhci-mtk.h" 72 73 /* 74 * Returns zero if the TRB isn't in this segment, otherwise it returns the DMA 75 * address of the TRB. 76 */ 77 dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg, 78 union xhci_trb *trb) 79 { 80 unsigned long segment_offset; 81 82 if (!seg || !trb || trb < seg->trbs) 83 return 0; 84 /* offset in TRBs */ 85 segment_offset = trb - seg->trbs; 86 if (segment_offset >= TRBS_PER_SEGMENT) 87 return 0; 88 return seg->dma + (segment_offset * sizeof(*trb)); 89 } 90 91 /* Does this link TRB point to the first segment in a ring, 92 * or was the previous TRB the last TRB on the last segment in the ERST? 93 */ 94 static bool last_trb_on_last_seg(struct xhci_hcd *xhci, struct xhci_ring *ring, 95 struct xhci_segment *seg, union xhci_trb *trb) 96 { 97 if (ring == xhci->event_ring) 98 return (trb == &seg->trbs[TRBS_PER_SEGMENT]) && 99 (seg->next == xhci->event_ring->first_seg); 100 else 101 return le32_to_cpu(trb->link.control) & LINK_TOGGLE; 102 } 103 104 /* Is this TRB a link TRB or was the last TRB the last TRB in this event ring 105 * segment? I.e. would the updated event TRB pointer step off the end of the 106 * event seg? 107 */ 108 static int last_trb(struct xhci_hcd *xhci, struct xhci_ring *ring, 109 struct xhci_segment *seg, union xhci_trb *trb) 110 { 111 if (ring == xhci->event_ring) 112 return trb == &seg->trbs[TRBS_PER_SEGMENT]; 113 else 114 return TRB_TYPE_LINK_LE32(trb->link.control); 115 } 116 117 static int enqueue_is_link_trb(struct xhci_ring *ring) 118 { 119 struct xhci_link_trb *link = &ring->enqueue->link; 120 return TRB_TYPE_LINK_LE32(link->control); 121 } 122 123 /* Updates trb to point to the next TRB in the ring, and updates seg if the next 124 * TRB is in a new segment. This does not skip over link TRBs, and it does not 125 * effect the ring dequeue or enqueue pointers. 126 */ 127 static void next_trb(struct xhci_hcd *xhci, 128 struct xhci_ring *ring, 129 struct xhci_segment **seg, 130 union xhci_trb **trb) 131 { 132 if (last_trb(xhci, ring, *seg, *trb)) { 133 *seg = (*seg)->next; 134 *trb = ((*seg)->trbs); 135 } else { 136 (*trb)++; 137 } 138 } 139 140 /* 141 * See Cycle bit rules. SW is the consumer for the event ring only. 142 * Don't make a ring full of link TRBs. That would be dumb and this would loop. 143 */ 144 static void inc_deq(struct xhci_hcd *xhci, struct xhci_ring *ring) 145 { 146 ring->deq_updates++; 147 148 /* 149 * If this is not event ring, and the dequeue pointer 150 * is not on a link TRB, there is one more usable TRB 151 */ 152 if (ring->type != TYPE_EVENT && 153 !last_trb(xhci, ring, ring->deq_seg, ring->dequeue)) 154 ring->num_trbs_free++; 155 156 do { 157 /* 158 * Update the dequeue pointer further if that was a link TRB or 159 * we're at the end of an event ring segment (which doesn't have 160 * link TRBS) 161 */ 162 if (last_trb(xhci, ring, ring->deq_seg, ring->dequeue)) { 163 if (ring->type == TYPE_EVENT && 164 last_trb_on_last_seg(xhci, ring, 165 ring->deq_seg, ring->dequeue)) { 166 ring->cycle_state ^= 1; 167 } 168 ring->deq_seg = ring->deq_seg->next; 169 ring->dequeue = ring->deq_seg->trbs; 170 } else { 171 ring->dequeue++; 172 } 173 } while (last_trb(xhci, ring, ring->deq_seg, ring->dequeue)); 174 } 175 176 /* 177 * See Cycle bit rules. SW is the consumer for the event ring only. 178 * Don't make a ring full of link TRBs. That would be dumb and this would loop. 179 * 180 * If we've just enqueued a TRB that is in the middle of a TD (meaning the 181 * chain bit is set), then set the chain bit in all the following link TRBs. 182 * If we've enqueued the last TRB in a TD, make sure the following link TRBs 183 * have their chain bit cleared (so that each Link TRB is a separate TD). 184 * 185 * Section 6.4.4.1 of the 0.95 spec says link TRBs cannot have the chain bit 186 * set, but other sections talk about dealing with the chain bit set. This was 187 * fixed in the 0.96 specification errata, but we have to assume that all 0.95 188 * xHCI hardware can't handle the chain bit being cleared on a link TRB. 189 * 190 * @more_trbs_coming: Will you enqueue more TRBs before calling 191 * prepare_transfer()? 192 */ 193 static void inc_enq(struct xhci_hcd *xhci, struct xhci_ring *ring, 194 bool more_trbs_coming) 195 { 196 u32 chain; 197 union xhci_trb *next; 198 199 chain = le32_to_cpu(ring->enqueue->generic.field[3]) & TRB_CHAIN; 200 /* If this is not event ring, there is one less usable TRB */ 201 if (ring->type != TYPE_EVENT && 202 !last_trb(xhci, ring, ring->enq_seg, ring->enqueue)) 203 ring->num_trbs_free--; 204 next = ++(ring->enqueue); 205 206 ring->enq_updates++; 207 /* Update the dequeue pointer further if that was a link TRB or we're at 208 * the end of an event ring segment (which doesn't have link TRBS) 209 */ 210 while (last_trb(xhci, ring, ring->enq_seg, next)) { 211 if (ring->type != TYPE_EVENT) { 212 /* 213 * If the caller doesn't plan on enqueueing more 214 * TDs before ringing the doorbell, then we 215 * don't want to give the link TRB to the 216 * hardware just yet. We'll give the link TRB 217 * back in prepare_ring() just before we enqueue 218 * the TD at the top of the ring. 219 */ 220 if (!chain && !more_trbs_coming) 221 break; 222 223 /* If we're not dealing with 0.95 hardware or 224 * isoc rings on AMD 0.96 host, 225 * carry over the chain bit of the previous TRB 226 * (which may mean the chain bit is cleared). 227 */ 228 if (!(ring->type == TYPE_ISOC && 229 (xhci->quirks & XHCI_AMD_0x96_HOST)) 230 && !xhci_link_trb_quirk(xhci)) { 231 next->link.control &= 232 cpu_to_le32(~TRB_CHAIN); 233 next->link.control |= 234 cpu_to_le32(chain); 235 } 236 /* Give this link TRB to the hardware */ 237 wmb(); 238 next->link.control ^= cpu_to_le32(TRB_CYCLE); 239 240 /* Toggle the cycle bit after the last ring segment. */ 241 if (last_trb_on_last_seg(xhci, ring, ring->enq_seg, next)) { 242 ring->cycle_state ^= 1; 243 } 244 } 245 ring->enq_seg = ring->enq_seg->next; 246 ring->enqueue = ring->enq_seg->trbs; 247 next = ring->enqueue; 248 } 249 } 250 251 /* 252 * Check to see if there's room to enqueue num_trbs on the ring and make sure 253 * enqueue pointer will not advance into dequeue segment. See rules above. 254 */ 255 static inline int room_on_ring(struct xhci_hcd *xhci, struct xhci_ring *ring, 256 unsigned int num_trbs) 257 { 258 int num_trbs_in_deq_seg; 259 260 if (ring->num_trbs_free < num_trbs) 261 return 0; 262 263 if (ring->type != TYPE_COMMAND && ring->type != TYPE_EVENT) { 264 num_trbs_in_deq_seg = ring->dequeue - ring->deq_seg->trbs; 265 if (ring->num_trbs_free < num_trbs + num_trbs_in_deq_seg) 266 return 0; 267 } 268 269 return 1; 270 } 271 272 /* Ring the host controller doorbell after placing a command on the ring */ 273 void xhci_ring_cmd_db(struct xhci_hcd *xhci) 274 { 275 if (!(xhci->cmd_ring_state & CMD_RING_STATE_RUNNING)) 276 return; 277 278 xhci_dbg(xhci, "// Ding dong!\n"); 279 writel(DB_VALUE_HOST, &xhci->dba->doorbell[0]); 280 /* Flush PCI posted writes */ 281 readl(&xhci->dba->doorbell[0]); 282 } 283 284 static int xhci_abort_cmd_ring(struct xhci_hcd *xhci) 285 { 286 u64 temp_64; 287 int ret; 288 289 xhci_dbg(xhci, "Abort command ring\n"); 290 291 temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); 292 xhci->cmd_ring_state = CMD_RING_STATE_ABORTED; 293 294 /* 295 * Writing the CMD_RING_ABORT bit should cause a cmd completion event, 296 * however on some host hw the CMD_RING_RUNNING bit is correctly cleared 297 * but the completion event in never sent. Use the cmd timeout timer to 298 * handle those cases. Use twice the time to cover the bit polling retry 299 */ 300 mod_timer(&xhci->cmd_timer, jiffies + (2 * XHCI_CMD_DEFAULT_TIMEOUT)); 301 xhci_write_64(xhci, temp_64 | CMD_RING_ABORT, 302 &xhci->op_regs->cmd_ring); 303 304 /* Section 4.6.1.2 of xHCI 1.0 spec says software should 305 * time the completion od all xHCI commands, including 306 * the Command Abort operation. If software doesn't see 307 * CRR negated in a timely manner (e.g. longer than 5 308 * seconds), then it should assume that the there are 309 * larger problems with the xHC and assert HCRST. 310 */ 311 ret = xhci_handshake(&xhci->op_regs->cmd_ring, 312 CMD_RING_RUNNING, 0, 5 * 1000 * 1000); 313 if (ret < 0) { 314 /* we are about to kill xhci, give it one more chance */ 315 xhci_write_64(xhci, temp_64 | CMD_RING_ABORT, 316 &xhci->op_regs->cmd_ring); 317 udelay(1000); 318 ret = xhci_handshake(&xhci->op_regs->cmd_ring, 319 CMD_RING_RUNNING, 0, 3 * 1000 * 1000); 320 if (ret == 0) 321 return 0; 322 323 xhci_err(xhci, "Stopped the command ring failed, " 324 "maybe the host is dead\n"); 325 del_timer(&xhci->cmd_timer); 326 xhci->xhc_state |= XHCI_STATE_DYING; 327 xhci_quiesce(xhci); 328 xhci_halt(xhci); 329 return -ESHUTDOWN; 330 } 331 332 return 0; 333 } 334 335 void xhci_ring_ep_doorbell(struct xhci_hcd *xhci, 336 unsigned int slot_id, 337 unsigned int ep_index, 338 unsigned int stream_id) 339 { 340 __le32 __iomem *db_addr = &xhci->dba->doorbell[slot_id]; 341 struct xhci_virt_ep *ep = &xhci->devs[slot_id]->eps[ep_index]; 342 unsigned int ep_state = ep->ep_state; 343 344 /* Don't ring the doorbell for this endpoint if there are pending 345 * cancellations because we don't want to interrupt processing. 346 * We don't want to restart any stream rings if there's a set dequeue 347 * pointer command pending because the device can choose to start any 348 * stream once the endpoint is on the HW schedule. 349 */ 350 if ((ep_state & EP_HALT_PENDING) || (ep_state & SET_DEQ_PENDING) || 351 (ep_state & EP_HALTED)) 352 return; 353 writel(DB_VALUE(ep_index, stream_id), db_addr); 354 /* The CPU has better things to do at this point than wait for a 355 * write-posting flush. It'll get there soon enough. 356 */ 357 } 358 359 /* Ring the doorbell for any rings with pending URBs */ 360 static void ring_doorbell_for_active_rings(struct xhci_hcd *xhci, 361 unsigned int slot_id, 362 unsigned int ep_index) 363 { 364 unsigned int stream_id; 365 struct xhci_virt_ep *ep; 366 367 ep = &xhci->devs[slot_id]->eps[ep_index]; 368 369 /* A ring has pending URBs if its TD list is not empty */ 370 if (!(ep->ep_state & EP_HAS_STREAMS)) { 371 if (ep->ring && !(list_empty(&ep->ring->td_list))) 372 xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 0); 373 return; 374 } 375 376 for (stream_id = 1; stream_id < ep->stream_info->num_streams; 377 stream_id++) { 378 struct xhci_stream_info *stream_info = ep->stream_info; 379 if (!list_empty(&stream_info->stream_rings[stream_id]->td_list)) 380 xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 381 stream_id); 382 } 383 } 384 385 /* Get the right ring for the given slot_id, ep_index and stream_id. 386 * If the endpoint supports streams, boundary check the URB's stream ID. 387 * If the endpoint doesn't support streams, return the singular endpoint ring. 388 */ 389 struct xhci_ring *xhci_triad_to_transfer_ring(struct xhci_hcd *xhci, 390 unsigned int slot_id, unsigned int ep_index, 391 unsigned int stream_id) 392 { 393 struct xhci_virt_ep *ep; 394 395 ep = &xhci->devs[slot_id]->eps[ep_index]; 396 /* Common case: no streams */ 397 if (!(ep->ep_state & EP_HAS_STREAMS)) 398 return ep->ring; 399 400 if (stream_id == 0) { 401 xhci_warn(xhci, 402 "WARN: Slot ID %u, ep index %u has streams, " 403 "but URB has no stream ID.\n", 404 slot_id, ep_index); 405 return NULL; 406 } 407 408 if (stream_id < ep->stream_info->num_streams) 409 return ep->stream_info->stream_rings[stream_id]; 410 411 xhci_warn(xhci, 412 "WARN: Slot ID %u, ep index %u has " 413 "stream IDs 1 to %u allocated, " 414 "but stream ID %u is requested.\n", 415 slot_id, ep_index, 416 ep->stream_info->num_streams - 1, 417 stream_id); 418 return NULL; 419 } 420 421 /* 422 * Move the xHC's endpoint ring dequeue pointer past cur_td. 423 * Record the new state of the xHC's endpoint ring dequeue segment, 424 * dequeue pointer, and new consumer cycle state in state. 425 * Update our internal representation of the ring's dequeue pointer. 426 * 427 * We do this in three jumps: 428 * - First we update our new ring state to be the same as when the xHC stopped. 429 * - Then we traverse the ring to find the segment that contains 430 * the last TRB in the TD. We toggle the xHC's new cycle state when we pass 431 * any link TRBs with the toggle cycle bit set. 432 * - Finally we move the dequeue state one TRB further, toggling the cycle bit 433 * if we've moved it past a link TRB with the toggle cycle bit set. 434 * 435 * Some of the uses of xhci_generic_trb are grotty, but if they're done 436 * with correct __le32 accesses they should work fine. Only users of this are 437 * in here. 438 */ 439 void xhci_find_new_dequeue_state(struct xhci_hcd *xhci, 440 unsigned int slot_id, unsigned int ep_index, 441 unsigned int stream_id, struct xhci_td *cur_td, 442 struct xhci_dequeue_state *state) 443 { 444 struct xhci_virt_device *dev = xhci->devs[slot_id]; 445 struct xhci_virt_ep *ep = &dev->eps[ep_index]; 446 struct xhci_ring *ep_ring; 447 struct xhci_segment *new_seg; 448 union xhci_trb *new_deq; 449 dma_addr_t addr; 450 u64 hw_dequeue; 451 bool cycle_found = false; 452 bool td_last_trb_found = false; 453 454 ep_ring = xhci_triad_to_transfer_ring(xhci, slot_id, 455 ep_index, stream_id); 456 if (!ep_ring) { 457 xhci_warn(xhci, "WARN can't find new dequeue state " 458 "for invalid stream ID %u.\n", 459 stream_id); 460 return; 461 } 462 463 /* Dig out the cycle state saved by the xHC during the stop ep cmd */ 464 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 465 "Finding endpoint context"); 466 /* 4.6.9 the css flag is written to the stream context for streams */ 467 if (ep->ep_state & EP_HAS_STREAMS) { 468 struct xhci_stream_ctx *ctx = 469 &ep->stream_info->stream_ctx_array[stream_id]; 470 hw_dequeue = le64_to_cpu(ctx->stream_ring); 471 } else { 472 struct xhci_ep_ctx *ep_ctx 473 = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index); 474 hw_dequeue = le64_to_cpu(ep_ctx->deq); 475 } 476 477 new_seg = ep_ring->deq_seg; 478 new_deq = ep_ring->dequeue; 479 state->new_cycle_state = hw_dequeue & 0x1; 480 481 /* 482 * We want to find the pointer, segment and cycle state of the new trb 483 * (the one after current TD's last_trb). We know the cycle state at 484 * hw_dequeue, so walk the ring until both hw_dequeue and last_trb are 485 * found. 486 */ 487 do { 488 if (!cycle_found && xhci_trb_virt_to_dma(new_seg, new_deq) 489 == (dma_addr_t)(hw_dequeue & ~0xf)) { 490 cycle_found = true; 491 if (td_last_trb_found) 492 break; 493 } 494 if (new_deq == cur_td->last_trb) 495 td_last_trb_found = true; 496 497 if (cycle_found && 498 TRB_TYPE_LINK_LE32(new_deq->generic.field[3]) && 499 new_deq->generic.field[3] & cpu_to_le32(LINK_TOGGLE)) 500 state->new_cycle_state ^= 0x1; 501 502 next_trb(xhci, ep_ring, &new_seg, &new_deq); 503 504 /* Search wrapped around, bail out */ 505 if (new_deq == ep->ring->dequeue) { 506 xhci_err(xhci, "Error: Failed finding new dequeue state\n"); 507 state->new_deq_seg = NULL; 508 state->new_deq_ptr = NULL; 509 return; 510 } 511 512 } while (!cycle_found || !td_last_trb_found); 513 514 state->new_deq_seg = new_seg; 515 state->new_deq_ptr = new_deq; 516 517 /* Don't update the ring cycle state for the producer (us). */ 518 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 519 "Cycle state = 0x%x", state->new_cycle_state); 520 521 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 522 "New dequeue segment = %p (virtual)", 523 state->new_deq_seg); 524 addr = xhci_trb_virt_to_dma(state->new_deq_seg, state->new_deq_ptr); 525 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 526 "New dequeue pointer = 0x%llx (DMA)", 527 (unsigned long long) addr); 528 } 529 530 /* flip_cycle means flip the cycle bit of all but the first and last TRB. 531 * (The last TRB actually points to the ring enqueue pointer, which is not part 532 * of this TD.) This is used to remove partially enqueued isoc TDs from a ring. 533 */ 534 static void td_to_noop(struct xhci_hcd *xhci, struct xhci_ring *ep_ring, 535 struct xhci_td *cur_td, bool flip_cycle) 536 { 537 struct xhci_segment *cur_seg; 538 union xhci_trb *cur_trb; 539 540 for (cur_seg = cur_td->start_seg, cur_trb = cur_td->first_trb; 541 true; 542 next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) { 543 if (TRB_TYPE_LINK_LE32(cur_trb->generic.field[3])) { 544 /* Unchain any chained Link TRBs, but 545 * leave the pointers intact. 546 */ 547 cur_trb->generic.field[3] &= cpu_to_le32(~TRB_CHAIN); 548 /* Flip the cycle bit (link TRBs can't be the first 549 * or last TRB). 550 */ 551 if (flip_cycle) 552 cur_trb->generic.field[3] ^= 553 cpu_to_le32(TRB_CYCLE); 554 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 555 "Cancel (unchain) link TRB"); 556 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 557 "Address = %p (0x%llx dma); " 558 "in seg %p (0x%llx dma)", 559 cur_trb, 560 (unsigned long long)xhci_trb_virt_to_dma(cur_seg, cur_trb), 561 cur_seg, 562 (unsigned long long)cur_seg->dma); 563 } else { 564 cur_trb->generic.field[0] = 0; 565 cur_trb->generic.field[1] = 0; 566 cur_trb->generic.field[2] = 0; 567 /* Preserve only the cycle bit of this TRB */ 568 cur_trb->generic.field[3] &= cpu_to_le32(TRB_CYCLE); 569 /* Flip the cycle bit except on the first or last TRB */ 570 if (flip_cycle && cur_trb != cur_td->first_trb && 571 cur_trb != cur_td->last_trb) 572 cur_trb->generic.field[3] ^= 573 cpu_to_le32(TRB_CYCLE); 574 cur_trb->generic.field[3] |= cpu_to_le32( 575 TRB_TYPE(TRB_TR_NOOP)); 576 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 577 "TRB to noop at offset 0x%llx", 578 (unsigned long long) 579 xhci_trb_virt_to_dma(cur_seg, cur_trb)); 580 } 581 if (cur_trb == cur_td->last_trb) 582 break; 583 } 584 } 585 586 static void xhci_stop_watchdog_timer_in_irq(struct xhci_hcd *xhci, 587 struct xhci_virt_ep *ep) 588 { 589 ep->ep_state &= ~EP_HALT_PENDING; 590 /* Can't del_timer_sync in interrupt, so we attempt to cancel. If the 591 * timer is running on another CPU, we don't decrement stop_cmds_pending 592 * (since we didn't successfully stop the watchdog timer). 593 */ 594 if (del_timer(&ep->stop_cmd_timer)) 595 ep->stop_cmds_pending--; 596 } 597 598 /* Must be called with xhci->lock held in interrupt context */ 599 static void xhci_giveback_urb_in_irq(struct xhci_hcd *xhci, 600 struct xhci_td *cur_td, int status) 601 { 602 struct usb_hcd *hcd; 603 struct urb *urb; 604 struct urb_priv *urb_priv; 605 606 urb = cur_td->urb; 607 urb_priv = urb->hcpriv; 608 urb_priv->td_cnt++; 609 hcd = bus_to_hcd(urb->dev->bus); 610 611 /* Only giveback urb when this is the last td in urb */ 612 if (urb_priv->td_cnt == urb_priv->length) { 613 if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) { 614 xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs--; 615 if (xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs == 0) { 616 if (xhci->quirks & XHCI_AMD_PLL_FIX) 617 usb_amd_quirk_pll_enable(); 618 } 619 } 620 usb_hcd_unlink_urb_from_ep(hcd, urb); 621 622 spin_unlock(&xhci->lock); 623 usb_hcd_giveback_urb(hcd, urb, status); 624 xhci_urb_free_priv(urb_priv); 625 spin_lock(&xhci->lock); 626 } 627 } 628 629 /* 630 * When we get a command completion for a Stop Endpoint Command, we need to 631 * unlink any cancelled TDs from the ring. There are two ways to do that: 632 * 633 * 1. If the HW was in the middle of processing the TD that needs to be 634 * cancelled, then we must move the ring's dequeue pointer past the last TRB 635 * in the TD with a Set Dequeue Pointer Command. 636 * 2. Otherwise, we turn all the TRBs in the TD into No-op TRBs (with the chain 637 * bit cleared) so that the HW will skip over them. 638 */ 639 static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, 640 union xhci_trb *trb, struct xhci_event_cmd *event) 641 { 642 unsigned int ep_index; 643 struct xhci_ring *ep_ring; 644 struct xhci_virt_ep *ep; 645 struct list_head *entry; 646 struct xhci_td *cur_td = NULL; 647 struct xhci_td *last_unlinked_td; 648 649 struct xhci_dequeue_state deq_state; 650 651 if (unlikely(TRB_TO_SUSPEND_PORT(le32_to_cpu(trb->generic.field[3])))) { 652 if (!xhci->devs[slot_id]) 653 xhci_warn(xhci, "Stop endpoint command " 654 "completion for disabled slot %u\n", 655 slot_id); 656 return; 657 } 658 659 memset(&deq_state, 0, sizeof(deq_state)); 660 ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3])); 661 ep = &xhci->devs[slot_id]->eps[ep_index]; 662 663 if (list_empty(&ep->cancelled_td_list)) { 664 xhci_stop_watchdog_timer_in_irq(xhci, ep); 665 ep->stopped_td = NULL; 666 ring_doorbell_for_active_rings(xhci, slot_id, ep_index); 667 return; 668 } 669 670 /* Fix up the ep ring first, so HW stops executing cancelled TDs. 671 * We have the xHCI lock, so nothing can modify this list until we drop 672 * it. We're also in the event handler, so we can't get re-interrupted 673 * if another Stop Endpoint command completes 674 */ 675 list_for_each(entry, &ep->cancelled_td_list) { 676 cur_td = list_entry(entry, struct xhci_td, cancelled_td_list); 677 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 678 "Removing canceled TD starting at 0x%llx (dma).", 679 (unsigned long long)xhci_trb_virt_to_dma( 680 cur_td->start_seg, cur_td->first_trb)); 681 ep_ring = xhci_urb_to_transfer_ring(xhci, cur_td->urb); 682 if (!ep_ring) { 683 /* This shouldn't happen unless a driver is mucking 684 * with the stream ID after submission. This will 685 * leave the TD on the hardware ring, and the hardware 686 * will try to execute it, and may access a buffer 687 * that has already been freed. In the best case, the 688 * hardware will execute it, and the event handler will 689 * ignore the completion event for that TD, since it was 690 * removed from the td_list for that endpoint. In 691 * short, don't muck with the stream ID after 692 * submission. 693 */ 694 xhci_warn(xhci, "WARN Cancelled URB %p " 695 "has invalid stream ID %u.\n", 696 cur_td->urb, 697 cur_td->urb->stream_id); 698 goto remove_finished_td; 699 } 700 /* 701 * If we stopped on the TD we need to cancel, then we have to 702 * move the xHC endpoint ring dequeue pointer past this TD. 703 */ 704 if (cur_td == ep->stopped_td) 705 xhci_find_new_dequeue_state(xhci, slot_id, ep_index, 706 cur_td->urb->stream_id, 707 cur_td, &deq_state); 708 else 709 td_to_noop(xhci, ep_ring, cur_td, false); 710 remove_finished_td: 711 /* 712 * The event handler won't see a completion for this TD anymore, 713 * so remove it from the endpoint ring's TD list. Keep it in 714 * the cancelled TD list for URB completion later. 715 */ 716 list_del_init(&cur_td->td_list); 717 } 718 last_unlinked_td = cur_td; 719 xhci_stop_watchdog_timer_in_irq(xhci, ep); 720 721 /* If necessary, queue a Set Transfer Ring Dequeue Pointer command */ 722 if (deq_state.new_deq_ptr && deq_state.new_deq_seg) { 723 xhci_queue_new_dequeue_state(xhci, slot_id, ep_index, 724 ep->stopped_td->urb->stream_id, &deq_state); 725 xhci_ring_cmd_db(xhci); 726 } else { 727 /* Otherwise ring the doorbell(s) to restart queued transfers */ 728 ring_doorbell_for_active_rings(xhci, slot_id, ep_index); 729 } 730 731 ep->stopped_td = NULL; 732 733 /* 734 * Drop the lock and complete the URBs in the cancelled TD list. 735 * New TDs to be cancelled might be added to the end of the list before 736 * we can complete all the URBs for the TDs we already unlinked. 737 * So stop when we've completed the URB for the last TD we unlinked. 738 */ 739 do { 740 cur_td = list_entry(ep->cancelled_td_list.next, 741 struct xhci_td, cancelled_td_list); 742 list_del_init(&cur_td->cancelled_td_list); 743 744 /* Clean up the cancelled URB */ 745 /* Doesn't matter what we pass for status, since the core will 746 * just overwrite it (because the URB has been unlinked). 747 */ 748 xhci_giveback_urb_in_irq(xhci, cur_td, 0); 749 750 /* Stop processing the cancelled list if the watchdog timer is 751 * running. 752 */ 753 if (xhci->xhc_state & XHCI_STATE_DYING) 754 return; 755 } while (cur_td != last_unlinked_td); 756 757 /* Return to the event handler with xhci->lock re-acquired */ 758 } 759 760 static void xhci_kill_ring_urbs(struct xhci_hcd *xhci, struct xhci_ring *ring) 761 { 762 struct xhci_td *cur_td; 763 764 while (!list_empty(&ring->td_list)) { 765 cur_td = list_first_entry(&ring->td_list, 766 struct xhci_td, td_list); 767 list_del_init(&cur_td->td_list); 768 if (!list_empty(&cur_td->cancelled_td_list)) 769 list_del_init(&cur_td->cancelled_td_list); 770 xhci_giveback_urb_in_irq(xhci, cur_td, -ESHUTDOWN); 771 } 772 } 773 774 static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci, 775 int slot_id, int ep_index) 776 { 777 struct xhci_td *cur_td; 778 struct xhci_virt_ep *ep; 779 struct xhci_ring *ring; 780 781 ep = &xhci->devs[slot_id]->eps[ep_index]; 782 if ((ep->ep_state & EP_HAS_STREAMS) || 783 (ep->ep_state & EP_GETTING_NO_STREAMS)) { 784 int stream_id; 785 786 for (stream_id = 0; stream_id < ep->stream_info->num_streams; 787 stream_id++) { 788 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 789 "Killing URBs for slot ID %u, ep index %u, stream %u", 790 slot_id, ep_index, stream_id + 1); 791 xhci_kill_ring_urbs(xhci, 792 ep->stream_info->stream_rings[stream_id]); 793 } 794 } else { 795 ring = ep->ring; 796 if (!ring) 797 return; 798 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 799 "Killing URBs for slot ID %u, ep index %u", 800 slot_id, ep_index); 801 xhci_kill_ring_urbs(xhci, ring); 802 } 803 while (!list_empty(&ep->cancelled_td_list)) { 804 cur_td = list_first_entry(&ep->cancelled_td_list, 805 struct xhci_td, cancelled_td_list); 806 list_del_init(&cur_td->cancelled_td_list); 807 xhci_giveback_urb_in_irq(xhci, cur_td, -ESHUTDOWN); 808 } 809 } 810 811 /* Watchdog timer function for when a stop endpoint command fails to complete. 812 * In this case, we assume the host controller is broken or dying or dead. The 813 * host may still be completing some other events, so we have to be careful to 814 * let the event ring handler and the URB dequeueing/enqueueing functions know 815 * through xhci->state. 816 * 817 * The timer may also fire if the host takes a very long time to respond to the 818 * command, and the stop endpoint command completion handler cannot delete the 819 * timer before the timer function is called. Another endpoint cancellation may 820 * sneak in before the timer function can grab the lock, and that may queue 821 * another stop endpoint command and add the timer back. So we cannot use a 822 * simple flag to say whether there is a pending stop endpoint command for a 823 * particular endpoint. 824 * 825 * Instead we use a combination of that flag and a counter for the number of 826 * pending stop endpoint commands. If the timer is the tail end of the last 827 * stop endpoint command, and the endpoint's command is still pending, we assume 828 * the host is dying. 829 */ 830 void xhci_stop_endpoint_command_watchdog(unsigned long arg) 831 { 832 struct xhci_hcd *xhci; 833 struct xhci_virt_ep *ep; 834 int ret, i, j; 835 unsigned long flags; 836 837 ep = (struct xhci_virt_ep *) arg; 838 xhci = ep->xhci; 839 840 spin_lock_irqsave(&xhci->lock, flags); 841 842 ep->stop_cmds_pending--; 843 if (xhci->xhc_state & XHCI_STATE_DYING) { 844 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 845 "Stop EP timer ran, but another timer marked " 846 "xHCI as DYING, exiting."); 847 spin_unlock_irqrestore(&xhci->lock, flags); 848 return; 849 } 850 if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) { 851 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 852 "Stop EP timer ran, but no command pending, " 853 "exiting."); 854 spin_unlock_irqrestore(&xhci->lock, flags); 855 return; 856 } 857 858 xhci_warn(xhci, "xHCI host not responding to stop endpoint command.\n"); 859 xhci_warn(xhci, "Assuming host is dying, halting host.\n"); 860 /* Oops, HC is dead or dying or at least not responding to the stop 861 * endpoint command. 862 */ 863 xhci->xhc_state |= XHCI_STATE_DYING; 864 /* Disable interrupts from the host controller and start halting it */ 865 xhci_quiesce(xhci); 866 spin_unlock_irqrestore(&xhci->lock, flags); 867 868 ret = xhci_halt(xhci); 869 870 spin_lock_irqsave(&xhci->lock, flags); 871 if (ret < 0) { 872 /* This is bad; the host is not responding to commands and it's 873 * not allowing itself to be halted. At least interrupts are 874 * disabled. If we call usb_hc_died(), it will attempt to 875 * disconnect all device drivers under this host. Those 876 * disconnect() methods will wait for all URBs to be unlinked, 877 * so we must complete them. 878 */ 879 xhci_warn(xhci, "Non-responsive xHCI host is not halting.\n"); 880 xhci_warn(xhci, "Completing active URBs anyway.\n"); 881 /* We could turn all TDs on the rings to no-ops. This won't 882 * help if the host has cached part of the ring, and is slow if 883 * we want to preserve the cycle bit. Skip it and hope the host 884 * doesn't touch the memory. 885 */ 886 } 887 for (i = 0; i < MAX_HC_SLOTS; i++) { 888 if (!xhci->devs[i]) 889 continue; 890 for (j = 0; j < 31; j++) 891 xhci_kill_endpoint_urbs(xhci, i, j); 892 } 893 spin_unlock_irqrestore(&xhci->lock, flags); 894 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 895 "Calling usb_hc_died()"); 896 usb_hc_died(xhci_to_hcd(xhci)->primary_hcd); 897 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 898 "xHCI host controller is dead."); 899 } 900 901 902 static void update_ring_for_set_deq_completion(struct xhci_hcd *xhci, 903 struct xhci_virt_device *dev, 904 struct xhci_ring *ep_ring, 905 unsigned int ep_index) 906 { 907 union xhci_trb *dequeue_temp; 908 int num_trbs_free_temp; 909 bool revert = false; 910 911 num_trbs_free_temp = ep_ring->num_trbs_free; 912 dequeue_temp = ep_ring->dequeue; 913 914 /* If we get two back-to-back stalls, and the first stalled transfer 915 * ends just before a link TRB, the dequeue pointer will be left on 916 * the link TRB by the code in the while loop. So we have to update 917 * the dequeue pointer one segment further, or we'll jump off 918 * the segment into la-la-land. 919 */ 920 if (last_trb(xhci, ep_ring, ep_ring->deq_seg, ep_ring->dequeue)) { 921 ep_ring->deq_seg = ep_ring->deq_seg->next; 922 ep_ring->dequeue = ep_ring->deq_seg->trbs; 923 } 924 925 while (ep_ring->dequeue != dev->eps[ep_index].queued_deq_ptr) { 926 /* We have more usable TRBs */ 927 ep_ring->num_trbs_free++; 928 ep_ring->dequeue++; 929 if (last_trb(xhci, ep_ring, ep_ring->deq_seg, 930 ep_ring->dequeue)) { 931 if (ep_ring->dequeue == 932 dev->eps[ep_index].queued_deq_ptr) 933 break; 934 ep_ring->deq_seg = ep_ring->deq_seg->next; 935 ep_ring->dequeue = ep_ring->deq_seg->trbs; 936 } 937 if (ep_ring->dequeue == dequeue_temp) { 938 revert = true; 939 break; 940 } 941 } 942 943 if (revert) { 944 xhci_dbg(xhci, "Unable to find new dequeue pointer\n"); 945 ep_ring->num_trbs_free = num_trbs_free_temp; 946 } 947 } 948 949 /* 950 * When we get a completion for a Set Transfer Ring Dequeue Pointer command, 951 * we need to clear the set deq pending flag in the endpoint ring state, so that 952 * the TD queueing code can ring the doorbell again. We also need to ring the 953 * endpoint doorbell to restart the ring, but only if there aren't more 954 * cancellations pending. 955 */ 956 static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, 957 union xhci_trb *trb, u32 cmd_comp_code) 958 { 959 unsigned int ep_index; 960 unsigned int stream_id; 961 struct xhci_ring *ep_ring; 962 struct xhci_virt_device *dev; 963 struct xhci_virt_ep *ep; 964 struct xhci_ep_ctx *ep_ctx; 965 struct xhci_slot_ctx *slot_ctx; 966 967 ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3])); 968 stream_id = TRB_TO_STREAM_ID(le32_to_cpu(trb->generic.field[2])); 969 dev = xhci->devs[slot_id]; 970 ep = &dev->eps[ep_index]; 971 972 ep_ring = xhci_stream_id_to_ring(dev, ep_index, stream_id); 973 if (!ep_ring) { 974 xhci_warn(xhci, "WARN Set TR deq ptr command for freed stream ID %u\n", 975 stream_id); 976 /* XXX: Harmless??? */ 977 goto cleanup; 978 } 979 980 ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index); 981 slot_ctx = xhci_get_slot_ctx(xhci, dev->out_ctx); 982 983 if (cmd_comp_code != COMP_SUCCESS) { 984 unsigned int ep_state; 985 unsigned int slot_state; 986 987 switch (cmd_comp_code) { 988 case COMP_TRB_ERR: 989 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd invalid because of stream ID configuration\n"); 990 break; 991 case COMP_CTX_STATE: 992 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd failed due to incorrect slot or ep state.\n"); 993 ep_state = le32_to_cpu(ep_ctx->ep_info); 994 ep_state &= EP_STATE_MASK; 995 slot_state = le32_to_cpu(slot_ctx->dev_state); 996 slot_state = GET_SLOT_STATE(slot_state); 997 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 998 "Slot state = %u, EP state = %u", 999 slot_state, ep_state); 1000 break; 1001 case COMP_EBADSLT: 1002 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd failed because slot %u was not enabled.\n", 1003 slot_id); 1004 break; 1005 default: 1006 xhci_warn(xhci, "WARN Set TR Deq Ptr cmd with unknown completion code of %u.\n", 1007 cmd_comp_code); 1008 break; 1009 } 1010 /* OK what do we do now? The endpoint state is hosed, and we 1011 * should never get to this point if the synchronization between 1012 * queueing, and endpoint state are correct. This might happen 1013 * if the device gets disconnected after we've finished 1014 * cancelling URBs, which might not be an error... 1015 */ 1016 } else { 1017 u64 deq; 1018 /* 4.6.10 deq ptr is written to the stream ctx for streams */ 1019 if (ep->ep_state & EP_HAS_STREAMS) { 1020 struct xhci_stream_ctx *ctx = 1021 &ep->stream_info->stream_ctx_array[stream_id]; 1022 deq = le64_to_cpu(ctx->stream_ring) & SCTX_DEQ_MASK; 1023 } else { 1024 deq = le64_to_cpu(ep_ctx->deq) & ~EP_CTX_CYCLE_MASK; 1025 } 1026 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 1027 "Successful Set TR Deq Ptr cmd, deq = @%08llx", deq); 1028 if (xhci_trb_virt_to_dma(ep->queued_deq_seg, 1029 ep->queued_deq_ptr) == deq) { 1030 /* Update the ring's dequeue segment and dequeue pointer 1031 * to reflect the new position. 1032 */ 1033 update_ring_for_set_deq_completion(xhci, dev, 1034 ep_ring, ep_index); 1035 } else { 1036 xhci_warn(xhci, "Mismatch between completed Set TR Deq Ptr command & xHCI internal state.\n"); 1037 xhci_warn(xhci, "ep deq seg = %p, deq ptr = %p\n", 1038 ep->queued_deq_seg, ep->queued_deq_ptr); 1039 } 1040 } 1041 1042 cleanup: 1043 dev->eps[ep_index].ep_state &= ~SET_DEQ_PENDING; 1044 dev->eps[ep_index].queued_deq_seg = NULL; 1045 dev->eps[ep_index].queued_deq_ptr = NULL; 1046 /* Restart any rings with pending URBs */ 1047 ring_doorbell_for_active_rings(xhci, slot_id, ep_index); 1048 } 1049 1050 static void xhci_handle_cmd_reset_ep(struct xhci_hcd *xhci, int slot_id, 1051 union xhci_trb *trb, u32 cmd_comp_code) 1052 { 1053 unsigned int ep_index; 1054 1055 ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3])); 1056 /* This command will only fail if the endpoint wasn't halted, 1057 * but we don't care. 1058 */ 1059 xhci_dbg_trace(xhci, trace_xhci_dbg_reset_ep, 1060 "Ignoring reset ep completion code of %u", cmd_comp_code); 1061 1062 /* HW with the reset endpoint quirk needs to have a configure endpoint 1063 * command complete before the endpoint can be used. Queue that here 1064 * because the HW can't handle two commands being queued in a row. 1065 */ 1066 if (xhci->quirks & XHCI_RESET_EP_QUIRK) { 1067 struct xhci_command *command; 1068 command = xhci_alloc_command(xhci, false, false, GFP_ATOMIC); 1069 if (!command) { 1070 xhci_warn(xhci, "WARN Cannot submit cfg ep: ENOMEM\n"); 1071 return; 1072 } 1073 xhci_dbg_trace(xhci, trace_xhci_dbg_quirks, 1074 "Queueing configure endpoint command"); 1075 xhci_queue_configure_endpoint(xhci, command, 1076 xhci->devs[slot_id]->in_ctx->dma, slot_id, 1077 false); 1078 xhci_ring_cmd_db(xhci); 1079 } else { 1080 /* Clear our internal halted state */ 1081 xhci->devs[slot_id]->eps[ep_index].ep_state &= ~EP_HALTED; 1082 } 1083 } 1084 1085 static void xhci_handle_cmd_enable_slot(struct xhci_hcd *xhci, int slot_id, 1086 u32 cmd_comp_code) 1087 { 1088 if (cmd_comp_code == COMP_SUCCESS) 1089 xhci->slot_id = slot_id; 1090 else 1091 xhci->slot_id = 0; 1092 } 1093 1094 static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id) 1095 { 1096 struct xhci_virt_device *virt_dev; 1097 1098 virt_dev = xhci->devs[slot_id]; 1099 if (!virt_dev) 1100 return; 1101 if (xhci->quirks & XHCI_EP_LIMIT_QUIRK) 1102 /* Delete default control endpoint resources */ 1103 xhci_free_device_endpoint_resources(xhci, virt_dev, true); 1104 xhci_free_virt_device(xhci, slot_id); 1105 } 1106 1107 static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id, 1108 struct xhci_event_cmd *event, u32 cmd_comp_code) 1109 { 1110 struct xhci_virt_device *virt_dev; 1111 struct xhci_input_control_ctx *ctrl_ctx; 1112 unsigned int ep_index; 1113 unsigned int ep_state; 1114 u32 add_flags, drop_flags; 1115 1116 /* 1117 * Configure endpoint commands can come from the USB core 1118 * configuration or alt setting changes, or because the HW 1119 * needed an extra configure endpoint command after a reset 1120 * endpoint command or streams were being configured. 1121 * If the command was for a halted endpoint, the xHCI driver 1122 * is not waiting on the configure endpoint command. 1123 */ 1124 virt_dev = xhci->devs[slot_id]; 1125 ctrl_ctx = xhci_get_input_control_ctx(virt_dev->in_ctx); 1126 if (!ctrl_ctx) { 1127 xhci_warn(xhci, "Could not get input context, bad type.\n"); 1128 return; 1129 } 1130 1131 add_flags = le32_to_cpu(ctrl_ctx->add_flags); 1132 drop_flags = le32_to_cpu(ctrl_ctx->drop_flags); 1133 /* Input ctx add_flags are the endpoint index plus one */ 1134 ep_index = xhci_last_valid_endpoint(add_flags) - 1; 1135 1136 /* A usb_set_interface() call directly after clearing a halted 1137 * condition may race on this quirky hardware. Not worth 1138 * worrying about, since this is prototype hardware. Not sure 1139 * if this will work for streams, but streams support was 1140 * untested on this prototype. 1141 */ 1142 if (xhci->quirks & XHCI_RESET_EP_QUIRK && 1143 ep_index != (unsigned int) -1 && 1144 add_flags - SLOT_FLAG == drop_flags) { 1145 ep_state = virt_dev->eps[ep_index].ep_state; 1146 if (!(ep_state & EP_HALTED)) 1147 return; 1148 xhci_dbg_trace(xhci, trace_xhci_dbg_quirks, 1149 "Completed config ep cmd - " 1150 "last ep index = %d, state = %d", 1151 ep_index, ep_state); 1152 /* Clear internal halted state and restart ring(s) */ 1153 virt_dev->eps[ep_index].ep_state &= ~EP_HALTED; 1154 ring_doorbell_for_active_rings(xhci, slot_id, ep_index); 1155 return; 1156 } 1157 return; 1158 } 1159 1160 static void xhci_handle_cmd_reset_dev(struct xhci_hcd *xhci, int slot_id, 1161 struct xhci_event_cmd *event) 1162 { 1163 xhci_dbg(xhci, "Completed reset device command.\n"); 1164 if (!xhci->devs[slot_id]) 1165 xhci_warn(xhci, "Reset device command completion " 1166 "for disabled slot %u\n", slot_id); 1167 } 1168 1169 static void xhci_handle_cmd_nec_get_fw(struct xhci_hcd *xhci, 1170 struct xhci_event_cmd *event) 1171 { 1172 if (!(xhci->quirks & XHCI_NEC_HOST)) { 1173 xhci->error_bitmask |= 1 << 6; 1174 return; 1175 } 1176 xhci_dbg_trace(xhci, trace_xhci_dbg_quirks, 1177 "NEC firmware version %2x.%02x", 1178 NEC_FW_MAJOR(le32_to_cpu(event->status)), 1179 NEC_FW_MINOR(le32_to_cpu(event->status))); 1180 } 1181 1182 static void xhci_complete_del_and_free_cmd(struct xhci_command *cmd, u32 status) 1183 { 1184 list_del(&cmd->cmd_list); 1185 1186 if (cmd->completion) { 1187 cmd->status = status; 1188 complete(cmd->completion); 1189 } else { 1190 kfree(cmd); 1191 } 1192 } 1193 1194 void xhci_cleanup_command_queue(struct xhci_hcd *xhci) 1195 { 1196 struct xhci_command *cur_cmd, *tmp_cmd; 1197 list_for_each_entry_safe(cur_cmd, tmp_cmd, &xhci->cmd_list, cmd_list) 1198 xhci_complete_del_and_free_cmd(cur_cmd, COMP_CMD_ABORT); 1199 } 1200 1201 /* 1202 * Turn all commands on command ring with status set to "aborted" to no-op trbs. 1203 * If there are other commands waiting then restart the ring and kick the timer. 1204 * This must be called with command ring stopped and xhci->lock held. 1205 */ 1206 static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, 1207 struct xhci_command *cur_cmd) 1208 { 1209 struct xhci_command *i_cmd, *tmp_cmd; 1210 u32 cycle_state; 1211 1212 /* Turn all aborted commands in list to no-ops, then restart */ 1213 list_for_each_entry_safe(i_cmd, tmp_cmd, &xhci->cmd_list, 1214 cmd_list) { 1215 1216 if (i_cmd->status != COMP_CMD_ABORT) 1217 continue; 1218 1219 i_cmd->status = COMP_CMD_STOP; 1220 1221 xhci_dbg(xhci, "Turn aborted command %p to no-op\n", 1222 i_cmd->command_trb); 1223 /* get cycle state from the original cmd trb */ 1224 cycle_state = le32_to_cpu( 1225 i_cmd->command_trb->generic.field[3]) & TRB_CYCLE; 1226 /* modify the command trb to no-op command */ 1227 i_cmd->command_trb->generic.field[0] = 0; 1228 i_cmd->command_trb->generic.field[1] = 0; 1229 i_cmd->command_trb->generic.field[2] = 0; 1230 i_cmd->command_trb->generic.field[3] = cpu_to_le32( 1231 TRB_TYPE(TRB_CMD_NOOP) | cycle_state); 1232 1233 /* 1234 * caller waiting for completion is called when command 1235 * completion event is received for these no-op commands 1236 */ 1237 } 1238 1239 xhci->cmd_ring_state = CMD_RING_STATE_RUNNING; 1240 1241 /* ring command ring doorbell to restart the command ring */ 1242 if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) && 1243 !(xhci->xhc_state & XHCI_STATE_DYING)) { 1244 xhci->current_cmd = cur_cmd; 1245 mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT); 1246 xhci_ring_cmd_db(xhci); 1247 } 1248 return; 1249 } 1250 1251 1252 void xhci_handle_command_timeout(unsigned long data) 1253 { 1254 struct xhci_hcd *xhci; 1255 int ret; 1256 unsigned long flags; 1257 u64 hw_ring_state; 1258 bool second_timeout = false; 1259 xhci = (struct xhci_hcd *) data; 1260 1261 /* mark this command to be cancelled */ 1262 spin_lock_irqsave(&xhci->lock, flags); 1263 if (xhci->current_cmd) { 1264 if (xhci->current_cmd->status == COMP_CMD_ABORT) 1265 second_timeout = true; 1266 xhci->current_cmd->status = COMP_CMD_ABORT; 1267 } 1268 1269 /* Make sure command ring is running before aborting it */ 1270 hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); 1271 if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) && 1272 (hw_ring_state & CMD_RING_RUNNING)) { 1273 spin_unlock_irqrestore(&xhci->lock, flags); 1274 xhci_dbg(xhci, "Command timeout\n"); 1275 ret = xhci_abort_cmd_ring(xhci); 1276 if (unlikely(ret == -ESHUTDOWN)) { 1277 xhci_err(xhci, "Abort command ring failed\n"); 1278 xhci_cleanup_command_queue(xhci); 1279 usb_hc_died(xhci_to_hcd(xhci)->primary_hcd); 1280 xhci_dbg(xhci, "xHCI host controller is dead.\n"); 1281 } 1282 return; 1283 } 1284 1285 /* command ring failed to restart, or host removed. Bail out */ 1286 if (second_timeout || xhci->xhc_state & XHCI_STATE_REMOVING) { 1287 spin_unlock_irqrestore(&xhci->lock, flags); 1288 xhci_dbg(xhci, "command timed out twice, ring start fail?\n"); 1289 xhci_cleanup_command_queue(xhci); 1290 return; 1291 } 1292 1293 /* command timeout on stopped ring, ring can't be aborted */ 1294 xhci_dbg(xhci, "Command timeout on stopped ring\n"); 1295 xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd); 1296 spin_unlock_irqrestore(&xhci->lock, flags); 1297 return; 1298 } 1299 1300 static void handle_cmd_completion(struct xhci_hcd *xhci, 1301 struct xhci_event_cmd *event) 1302 { 1303 int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); 1304 u64 cmd_dma; 1305 dma_addr_t cmd_dequeue_dma; 1306 u32 cmd_comp_code; 1307 union xhci_trb *cmd_trb; 1308 struct xhci_command *cmd; 1309 u32 cmd_type; 1310 1311 cmd_dma = le64_to_cpu(event->cmd_trb); 1312 cmd_trb = xhci->cmd_ring->dequeue; 1313 cmd_dequeue_dma = xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg, 1314 cmd_trb); 1315 /* Is the command ring deq ptr out of sync with the deq seg ptr? */ 1316 if (cmd_dequeue_dma == 0) { 1317 xhci->error_bitmask |= 1 << 4; 1318 return; 1319 } 1320 /* Does the DMA address match our internal dequeue pointer address? */ 1321 if (cmd_dma != (u64) cmd_dequeue_dma) { 1322 xhci->error_bitmask |= 1 << 5; 1323 return; 1324 } 1325 1326 cmd = list_entry(xhci->cmd_list.next, struct xhci_command, cmd_list); 1327 1328 if (cmd->command_trb != xhci->cmd_ring->dequeue) { 1329 xhci_err(xhci, 1330 "Command completion event does not match command\n"); 1331 return; 1332 } 1333 1334 del_timer(&xhci->cmd_timer); 1335 1336 trace_xhci_cmd_completion(cmd_trb, (struct xhci_generic_trb *) event); 1337 1338 cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status)); 1339 1340 /* If CMD ring stopped we own the trbs between enqueue and dequeue */ 1341 if (cmd_comp_code == COMP_CMD_STOP) { 1342 xhci_handle_stopped_cmd_ring(xhci, cmd); 1343 return; 1344 } 1345 /* 1346 * Host aborted the command ring, check if the current command was 1347 * supposed to be aborted, otherwise continue normally. 1348 * The command ring is stopped now, but the xHC will issue a Command 1349 * Ring Stopped event which will cause us to restart it. 1350 */ 1351 if (cmd_comp_code == COMP_CMD_ABORT) { 1352 xhci->cmd_ring_state = CMD_RING_STATE_STOPPED; 1353 if (cmd->status == COMP_CMD_ABORT) 1354 goto event_handled; 1355 } 1356 1357 cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3])); 1358 switch (cmd_type) { 1359 case TRB_ENABLE_SLOT: 1360 xhci_handle_cmd_enable_slot(xhci, slot_id, cmd_comp_code); 1361 break; 1362 case TRB_DISABLE_SLOT: 1363 xhci_handle_cmd_disable_slot(xhci, slot_id); 1364 break; 1365 case TRB_CONFIG_EP: 1366 if (!cmd->completion) 1367 xhci_handle_cmd_config_ep(xhci, slot_id, event, 1368 cmd_comp_code); 1369 break; 1370 case TRB_EVAL_CONTEXT: 1371 break; 1372 case TRB_ADDR_DEV: 1373 break; 1374 case TRB_STOP_RING: 1375 WARN_ON(slot_id != TRB_TO_SLOT_ID( 1376 le32_to_cpu(cmd_trb->generic.field[3]))); 1377 xhci_handle_cmd_stop_ep(xhci, slot_id, cmd_trb, event); 1378 break; 1379 case TRB_SET_DEQ: 1380 WARN_ON(slot_id != TRB_TO_SLOT_ID( 1381 le32_to_cpu(cmd_trb->generic.field[3]))); 1382 xhci_handle_cmd_set_deq(xhci, slot_id, cmd_trb, cmd_comp_code); 1383 break; 1384 case TRB_CMD_NOOP: 1385 /* Is this an aborted command turned to NO-OP? */ 1386 if (cmd->status == COMP_CMD_STOP) 1387 cmd_comp_code = COMP_CMD_STOP; 1388 break; 1389 case TRB_RESET_EP: 1390 WARN_ON(slot_id != TRB_TO_SLOT_ID( 1391 le32_to_cpu(cmd_trb->generic.field[3]))); 1392 xhci_handle_cmd_reset_ep(xhci, slot_id, cmd_trb, cmd_comp_code); 1393 break; 1394 case TRB_RESET_DEV: 1395 /* SLOT_ID field in reset device cmd completion event TRB is 0. 1396 * Use the SLOT_ID from the command TRB instead (xhci 4.6.11) 1397 */ 1398 slot_id = TRB_TO_SLOT_ID( 1399 le32_to_cpu(cmd_trb->generic.field[3])); 1400 xhci_handle_cmd_reset_dev(xhci, slot_id, event); 1401 break; 1402 case TRB_NEC_GET_FW: 1403 xhci_handle_cmd_nec_get_fw(xhci, event); 1404 break; 1405 default: 1406 /* Skip over unknown commands on the event ring */ 1407 xhci->error_bitmask |= 1 << 6; 1408 break; 1409 } 1410 1411 /* restart timer if this wasn't the last command */ 1412 if (cmd->cmd_list.next != &xhci->cmd_list) { 1413 xhci->current_cmd = list_entry(cmd->cmd_list.next, 1414 struct xhci_command, cmd_list); 1415 mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT); 1416 } 1417 1418 event_handled: 1419 xhci_complete_del_and_free_cmd(cmd, cmd_comp_code); 1420 1421 inc_deq(xhci, xhci->cmd_ring); 1422 } 1423 1424 static void handle_vendor_event(struct xhci_hcd *xhci, 1425 union xhci_trb *event) 1426 { 1427 u32 trb_type; 1428 1429 trb_type = TRB_FIELD_TO_TYPE(le32_to_cpu(event->generic.field[3])); 1430 xhci_dbg(xhci, "Vendor specific event TRB type = %u\n", trb_type); 1431 if (trb_type == TRB_NEC_CMD_COMP && (xhci->quirks & XHCI_NEC_HOST)) 1432 handle_cmd_completion(xhci, &event->event_cmd); 1433 } 1434 1435 /* @port_id: the one-based port ID from the hardware (indexed from array of all 1436 * port registers -- USB 3.0 and USB 2.0). 1437 * 1438 * Returns a zero-based port number, which is suitable for indexing into each of 1439 * the split roothubs' port arrays and bus state arrays. 1440 * Add one to it in order to call xhci_find_slot_id_by_port. 1441 */ 1442 static unsigned int find_faked_portnum_from_hw_portnum(struct usb_hcd *hcd, 1443 struct xhci_hcd *xhci, u32 port_id) 1444 { 1445 unsigned int i; 1446 unsigned int num_similar_speed_ports = 0; 1447 1448 /* port_id from the hardware is 1-based, but port_array[], usb3_ports[], 1449 * and usb2_ports are 0-based indexes. Count the number of similar 1450 * speed ports, up to 1 port before this port. 1451 */ 1452 for (i = 0; i < (port_id - 1); i++) { 1453 u8 port_speed = xhci->port_array[i]; 1454 1455 /* 1456 * Skip ports that don't have known speeds, or have duplicate 1457 * Extended Capabilities port speed entries. 1458 */ 1459 if (port_speed == 0 || port_speed == DUPLICATE_ENTRY) 1460 continue; 1461 1462 /* 1463 * USB 3.0 ports are always under a USB 3.0 hub. USB 2.0 and 1464 * 1.1 ports are under the USB 2.0 hub. If the port speed 1465 * matches the device speed, it's a similar speed port. 1466 */ 1467 if ((port_speed == 0x03) == (hcd->speed >= HCD_USB3)) 1468 num_similar_speed_ports++; 1469 } 1470 return num_similar_speed_ports; 1471 } 1472 1473 static void handle_device_notification(struct xhci_hcd *xhci, 1474 union xhci_trb *event) 1475 { 1476 u32 slot_id; 1477 struct usb_device *udev; 1478 1479 slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->generic.field[3])); 1480 if (!xhci->devs[slot_id]) { 1481 xhci_warn(xhci, "Device Notification event for " 1482 "unused slot %u\n", slot_id); 1483 return; 1484 } 1485 1486 xhci_dbg(xhci, "Device Wake Notification event for slot ID %u\n", 1487 slot_id); 1488 udev = xhci->devs[slot_id]->udev; 1489 if (udev && udev->parent) 1490 usb_wakeup_notification(udev->parent, udev->portnum); 1491 } 1492 1493 static void handle_port_status(struct xhci_hcd *xhci, 1494 union xhci_trb *event) 1495 { 1496 struct usb_hcd *hcd; 1497 u32 port_id; 1498 u32 temp, temp1; 1499 int max_ports; 1500 int slot_id; 1501 unsigned int faked_port_index; 1502 u8 major_revision; 1503 struct xhci_bus_state *bus_state; 1504 __le32 __iomem **port_array; 1505 bool bogus_port_status = false; 1506 1507 /* Port status change events always have a successful completion code */ 1508 if (GET_COMP_CODE(le32_to_cpu(event->generic.field[2])) != COMP_SUCCESS) { 1509 xhci_warn(xhci, "WARN: xHC returned failed port status event\n"); 1510 xhci->error_bitmask |= 1 << 8; 1511 } 1512 port_id = GET_PORT_ID(le32_to_cpu(event->generic.field[0])); 1513 xhci_dbg(xhci, "Port Status Change Event for port %d\n", port_id); 1514 1515 max_ports = HCS_MAX_PORTS(xhci->hcs_params1); 1516 if ((port_id <= 0) || (port_id > max_ports)) { 1517 xhci_warn(xhci, "Invalid port id %d\n", port_id); 1518 inc_deq(xhci, xhci->event_ring); 1519 return; 1520 } 1521 1522 /* Figure out which usb_hcd this port is attached to: 1523 * is it a USB 3.0 port or a USB 2.0/1.1 port? 1524 */ 1525 major_revision = xhci->port_array[port_id - 1]; 1526 1527 /* Find the right roothub. */ 1528 hcd = xhci_to_hcd(xhci); 1529 if ((major_revision == 0x03) != (hcd->speed >= HCD_USB3)) 1530 hcd = xhci->shared_hcd; 1531 1532 if (major_revision == 0) { 1533 xhci_warn(xhci, "Event for port %u not in " 1534 "Extended Capabilities, ignoring.\n", 1535 port_id); 1536 bogus_port_status = true; 1537 goto cleanup; 1538 } 1539 if (major_revision == DUPLICATE_ENTRY) { 1540 xhci_warn(xhci, "Event for port %u duplicated in" 1541 "Extended Capabilities, ignoring.\n", 1542 port_id); 1543 bogus_port_status = true; 1544 goto cleanup; 1545 } 1546 1547 /* 1548 * Hardware port IDs reported by a Port Status Change Event include USB 1549 * 3.0 and USB 2.0 ports. We want to check if the port has reported a 1550 * resume event, but we first need to translate the hardware port ID 1551 * into the index into the ports on the correct split roothub, and the 1552 * correct bus_state structure. 1553 */ 1554 bus_state = &xhci->bus_state[hcd_index(hcd)]; 1555 if (hcd->speed >= HCD_USB3) 1556 port_array = xhci->usb3_ports; 1557 else 1558 port_array = xhci->usb2_ports; 1559 /* Find the faked port hub number */ 1560 faked_port_index = find_faked_portnum_from_hw_portnum(hcd, xhci, 1561 port_id); 1562 1563 temp = readl(port_array[faked_port_index]); 1564 if (hcd->state == HC_STATE_SUSPENDED) { 1565 xhci_dbg(xhci, "resume root hub\n"); 1566 usb_hcd_resume_root_hub(hcd); 1567 } 1568 1569 if (hcd->speed >= HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE) 1570 bus_state->port_remote_wakeup &= ~(1 << faked_port_index); 1571 1572 if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) { 1573 xhci_dbg(xhci, "port resume event for port %d\n", port_id); 1574 1575 temp1 = readl(&xhci->op_regs->command); 1576 if (!(temp1 & CMD_RUN)) { 1577 xhci_warn(xhci, "xHC is not running.\n"); 1578 goto cleanup; 1579 } 1580 1581 if (DEV_SUPERSPEED_ANY(temp)) { 1582 xhci_dbg(xhci, "remote wake SS port %d\n", port_id); 1583 /* Set a flag to say the port signaled remote wakeup, 1584 * so we can tell the difference between the end of 1585 * device and host initiated resume. 1586 */ 1587 bus_state->port_remote_wakeup |= 1 << faked_port_index; 1588 xhci_test_and_clear_bit(xhci, port_array, 1589 faked_port_index, PORT_PLC); 1590 xhci_set_link_state(xhci, port_array, faked_port_index, 1591 XDEV_U0); 1592 /* Need to wait until the next link state change 1593 * indicates the device is actually in U0. 1594 */ 1595 bogus_port_status = true; 1596 goto cleanup; 1597 } else if (!test_bit(faked_port_index, 1598 &bus_state->resuming_ports)) { 1599 xhci_dbg(xhci, "resume HS port %d\n", port_id); 1600 bus_state->resume_done[faked_port_index] = jiffies + 1601 msecs_to_jiffies(USB_RESUME_TIMEOUT); 1602 set_bit(faked_port_index, &bus_state->resuming_ports); 1603 mod_timer(&hcd->rh_timer, 1604 bus_state->resume_done[faked_port_index]); 1605 /* Do the rest in GetPortStatus */ 1606 } 1607 } 1608 1609 if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_U0 && 1610 DEV_SUPERSPEED_ANY(temp)) { 1611 xhci_dbg(xhci, "resume SS port %d finished\n", port_id); 1612 /* We've just brought the device into U0 through either the 1613 * Resume state after a device remote wakeup, or through the 1614 * U3Exit state after a host-initiated resume. If it's a device 1615 * initiated remote wake, don't pass up the link state change, 1616 * so the roothub behavior is consistent with external 1617 * USB 3.0 hub behavior. 1618 */ 1619 slot_id = xhci_find_slot_id_by_port(hcd, xhci, 1620 faked_port_index + 1); 1621 if (slot_id && xhci->devs[slot_id]) 1622 xhci_ring_device(xhci, slot_id); 1623 if (bus_state->port_remote_wakeup & (1 << faked_port_index)) { 1624 bus_state->port_remote_wakeup &= 1625 ~(1 << faked_port_index); 1626 xhci_test_and_clear_bit(xhci, port_array, 1627 faked_port_index, PORT_PLC); 1628 usb_wakeup_notification(hcd->self.root_hub, 1629 faked_port_index + 1); 1630 bogus_port_status = true; 1631 goto cleanup; 1632 } 1633 } 1634 1635 /* 1636 * Check to see if xhci-hub.c is waiting on RExit to U0 transition (or 1637 * RExit to a disconnect state). If so, let the the driver know it's 1638 * out of the RExit state. 1639 */ 1640 if (!DEV_SUPERSPEED_ANY(temp) && 1641 test_and_clear_bit(faked_port_index, 1642 &bus_state->rexit_ports)) { 1643 complete(&bus_state->rexit_done[faked_port_index]); 1644 bogus_port_status = true; 1645 goto cleanup; 1646 } 1647 1648 if (hcd->speed < HCD_USB3) 1649 xhci_test_and_clear_bit(xhci, port_array, faked_port_index, 1650 PORT_PLC); 1651 1652 cleanup: 1653 /* Update event ring dequeue pointer before dropping the lock */ 1654 inc_deq(xhci, xhci->event_ring); 1655 1656 /* Don't make the USB core poll the roothub if we got a bad port status 1657 * change event. Besides, at that point we can't tell which roothub 1658 * (USB 2.0 or USB 3.0) to kick. 1659 */ 1660 if (bogus_port_status) 1661 return; 1662 1663 /* 1664 * xHCI port-status-change events occur when the "or" of all the 1665 * status-change bits in the portsc register changes from 0 to 1. 1666 * New status changes won't cause an event if any other change 1667 * bits are still set. When an event occurs, switch over to 1668 * polling to avoid losing status changes. 1669 */ 1670 xhci_dbg(xhci, "%s: starting port polling.\n", __func__); 1671 set_bit(HCD_FLAG_POLL_RH, &hcd->flags); 1672 spin_unlock(&xhci->lock); 1673 /* Pass this up to the core */ 1674 usb_hcd_poll_rh_status(hcd); 1675 spin_lock(&xhci->lock); 1676 } 1677 1678 /* 1679 * This TD is defined by the TRBs starting at start_trb in start_seg and ending 1680 * at end_trb, which may be in another segment. If the suspect DMA address is a 1681 * TRB in this TD, this function returns that TRB's segment. Otherwise it 1682 * returns 0. 1683 */ 1684 struct xhci_segment *trb_in_td(struct xhci_hcd *xhci, 1685 struct xhci_segment *start_seg, 1686 union xhci_trb *start_trb, 1687 union xhci_trb *end_trb, 1688 dma_addr_t suspect_dma, 1689 bool debug) 1690 { 1691 dma_addr_t start_dma; 1692 dma_addr_t end_seg_dma; 1693 dma_addr_t end_trb_dma; 1694 struct xhci_segment *cur_seg; 1695 1696 start_dma = xhci_trb_virt_to_dma(start_seg, start_trb); 1697 cur_seg = start_seg; 1698 1699 do { 1700 if (start_dma == 0) 1701 return NULL; 1702 /* We may get an event for a Link TRB in the middle of a TD */ 1703 end_seg_dma = xhci_trb_virt_to_dma(cur_seg, 1704 &cur_seg->trbs[TRBS_PER_SEGMENT - 1]); 1705 /* If the end TRB isn't in this segment, this is set to 0 */ 1706 end_trb_dma = xhci_trb_virt_to_dma(cur_seg, end_trb); 1707 1708 if (debug) 1709 xhci_warn(xhci, 1710 "Looking for event-dma %016llx trb-start %016llx trb-end %016llx seg-start %016llx seg-end %016llx\n", 1711 (unsigned long long)suspect_dma, 1712 (unsigned long long)start_dma, 1713 (unsigned long long)end_trb_dma, 1714 (unsigned long long)cur_seg->dma, 1715 (unsigned long long)end_seg_dma); 1716 1717 if (end_trb_dma > 0) { 1718 /* The end TRB is in this segment, so suspect should be here */ 1719 if (start_dma <= end_trb_dma) { 1720 if (suspect_dma >= start_dma && suspect_dma <= end_trb_dma) 1721 return cur_seg; 1722 } else { 1723 /* Case for one segment with 1724 * a TD wrapped around to the top 1725 */ 1726 if ((suspect_dma >= start_dma && 1727 suspect_dma <= end_seg_dma) || 1728 (suspect_dma >= cur_seg->dma && 1729 suspect_dma <= end_trb_dma)) 1730 return cur_seg; 1731 } 1732 return NULL; 1733 } else { 1734 /* Might still be somewhere in this segment */ 1735 if (suspect_dma >= start_dma && suspect_dma <= end_seg_dma) 1736 return cur_seg; 1737 } 1738 cur_seg = cur_seg->next; 1739 start_dma = xhci_trb_virt_to_dma(cur_seg, &cur_seg->trbs[0]); 1740 } while (cur_seg != start_seg); 1741 1742 return NULL; 1743 } 1744 1745 static void xhci_cleanup_halted_endpoint(struct xhci_hcd *xhci, 1746 unsigned int slot_id, unsigned int ep_index, 1747 unsigned int stream_id, 1748 struct xhci_td *td, union xhci_trb *event_trb) 1749 { 1750 struct xhci_virt_ep *ep = &xhci->devs[slot_id]->eps[ep_index]; 1751 struct xhci_command *command; 1752 command = xhci_alloc_command(xhci, false, false, GFP_ATOMIC); 1753 if (!command) 1754 return; 1755 1756 ep->ep_state |= EP_HALTED; 1757 ep->stopped_stream = stream_id; 1758 1759 xhci_queue_reset_ep(xhci, command, slot_id, ep_index); 1760 xhci_cleanup_stalled_ring(xhci, ep_index, td); 1761 1762 ep->stopped_stream = 0; 1763 1764 xhci_ring_cmd_db(xhci); 1765 } 1766 1767 /* Check if an error has halted the endpoint ring. The class driver will 1768 * cleanup the halt for a non-default control endpoint if we indicate a stall. 1769 * However, a babble and other errors also halt the endpoint ring, and the class 1770 * driver won't clear the halt in that case, so we need to issue a Set Transfer 1771 * Ring Dequeue Pointer command manually. 1772 */ 1773 static int xhci_requires_manual_halt_cleanup(struct xhci_hcd *xhci, 1774 struct xhci_ep_ctx *ep_ctx, 1775 unsigned int trb_comp_code) 1776 { 1777 /* TRB completion codes that may require a manual halt cleanup */ 1778 if (trb_comp_code == COMP_TX_ERR || 1779 trb_comp_code == COMP_BABBLE || 1780 trb_comp_code == COMP_SPLIT_ERR) 1781 /* The 0.95 spec says a babbling control endpoint 1782 * is not halted. The 0.96 spec says it is. Some HW 1783 * claims to be 0.95 compliant, but it halts the control 1784 * endpoint anyway. Check if a babble halted the 1785 * endpoint. 1786 */ 1787 if ((ep_ctx->ep_info & cpu_to_le32(EP_STATE_MASK)) == 1788 cpu_to_le32(EP_STATE_HALTED)) 1789 return 1; 1790 1791 return 0; 1792 } 1793 1794 int xhci_is_vendor_info_code(struct xhci_hcd *xhci, unsigned int trb_comp_code) 1795 { 1796 if (trb_comp_code >= 224 && trb_comp_code <= 255) { 1797 /* Vendor defined "informational" completion code, 1798 * treat as not-an-error. 1799 */ 1800 xhci_dbg(xhci, "Vendor defined info completion code %u\n", 1801 trb_comp_code); 1802 xhci_dbg(xhci, "Treating code as success.\n"); 1803 return 1; 1804 } 1805 return 0; 1806 } 1807 1808 /* 1809 * Finish the td processing, remove the td from td list; 1810 * Return 1 if the urb can be given back. 1811 */ 1812 static int finish_td(struct xhci_hcd *xhci, struct xhci_td *td, 1813 union xhci_trb *event_trb, struct xhci_transfer_event *event, 1814 struct xhci_virt_ep *ep, int *status, bool skip) 1815 { 1816 struct xhci_virt_device *xdev; 1817 struct xhci_ring *ep_ring; 1818 unsigned int slot_id; 1819 int ep_index; 1820 struct urb *urb = NULL; 1821 struct xhci_ep_ctx *ep_ctx; 1822 int ret = 0; 1823 struct urb_priv *urb_priv; 1824 u32 trb_comp_code; 1825 1826 slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); 1827 xdev = xhci->devs[slot_id]; 1828 ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1; 1829 ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer)); 1830 ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index); 1831 trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len)); 1832 1833 if (skip) 1834 goto td_cleanup; 1835 1836 if (trb_comp_code == COMP_STOP_INVAL || 1837 trb_comp_code == COMP_STOP || 1838 trb_comp_code == COMP_STOP_SHORT) { 1839 /* The Endpoint Stop Command completion will take care of any 1840 * stopped TDs. A stopped TD may be restarted, so don't update 1841 * the ring dequeue pointer or take this TD off any lists yet. 1842 */ 1843 ep->stopped_td = td; 1844 return 0; 1845 } 1846 if (trb_comp_code == COMP_STALL || 1847 xhci_requires_manual_halt_cleanup(xhci, ep_ctx, 1848 trb_comp_code)) { 1849 /* Issue a reset endpoint command to clear the host side 1850 * halt, followed by a set dequeue command to move the 1851 * dequeue pointer past the TD. 1852 * The class driver clears the device side halt later. 1853 */ 1854 xhci_cleanup_halted_endpoint(xhci, slot_id, ep_index, 1855 ep_ring->stream_id, td, event_trb); 1856 } else { 1857 /* Update ring dequeue pointer */ 1858 while (ep_ring->dequeue != td->last_trb) 1859 inc_deq(xhci, ep_ring); 1860 inc_deq(xhci, ep_ring); 1861 } 1862 1863 td_cleanup: 1864 /* Clean up the endpoint's TD list */ 1865 urb = td->urb; 1866 urb_priv = urb->hcpriv; 1867 1868 /* Do one last check of the actual transfer length. 1869 * If the host controller said we transferred more data than the buffer 1870 * length, urb->actual_length will be a very big number (since it's 1871 * unsigned). Play it safe and say we didn't transfer anything. 1872 */ 1873 if (urb->actual_length > urb->transfer_buffer_length) { 1874 xhci_warn(xhci, "URB transfer length is wrong, xHC issue? req. len = %u, act. len = %u\n", 1875 urb->transfer_buffer_length, 1876 urb->actual_length); 1877 urb->actual_length = 0; 1878 if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 1879 *status = -EREMOTEIO; 1880 else 1881 *status = 0; 1882 } 1883 list_del_init(&td->td_list); 1884 /* Was this TD slated to be cancelled but completed anyway? */ 1885 if (!list_empty(&td->cancelled_td_list)) 1886 list_del_init(&td->cancelled_td_list); 1887 1888 urb_priv->td_cnt++; 1889 /* Giveback the urb when all the tds are completed */ 1890 if (urb_priv->td_cnt == urb_priv->length) { 1891 ret = 1; 1892 if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) { 1893 xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs--; 1894 if (xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs == 0) { 1895 if (xhci->quirks & XHCI_AMD_PLL_FIX) 1896 usb_amd_quirk_pll_enable(); 1897 } 1898 } 1899 } 1900 1901 return ret; 1902 } 1903 1904 /* 1905 * Process control tds, update urb status and actual_length. 1906 */ 1907 static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td, 1908 union xhci_trb *event_trb, struct xhci_transfer_event *event, 1909 struct xhci_virt_ep *ep, int *status) 1910 { 1911 struct xhci_virt_device *xdev; 1912 struct xhci_ring *ep_ring; 1913 unsigned int slot_id; 1914 int ep_index; 1915 struct xhci_ep_ctx *ep_ctx; 1916 u32 trb_comp_code; 1917 1918 slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); 1919 xdev = xhci->devs[slot_id]; 1920 ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1; 1921 ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer)); 1922 ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index); 1923 trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len)); 1924 1925 switch (trb_comp_code) { 1926 case COMP_SUCCESS: 1927 if (event_trb == ep_ring->dequeue) { 1928 xhci_warn(xhci, "WARN: Success on ctrl setup TRB " 1929 "without IOC set??\n"); 1930 *status = -ESHUTDOWN; 1931 } else if (event_trb != td->last_trb) { 1932 xhci_warn(xhci, "WARN: Success on ctrl data TRB " 1933 "without IOC set??\n"); 1934 *status = -ESHUTDOWN; 1935 } else { 1936 *status = 0; 1937 } 1938 break; 1939 case COMP_SHORT_TX: 1940 if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 1941 *status = -EREMOTEIO; 1942 else 1943 *status = 0; 1944 break; 1945 case COMP_STOP_SHORT: 1946 if (event_trb == ep_ring->dequeue || event_trb == td->last_trb) 1947 xhci_warn(xhci, "WARN: Stopped Short Packet on ctrl setup or status TRB\n"); 1948 else 1949 td->urb->actual_length = 1950 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 1951 1952 return finish_td(xhci, td, event_trb, event, ep, status, false); 1953 case COMP_STOP: 1954 /* Did we stop at data stage? */ 1955 if (event_trb != ep_ring->dequeue && event_trb != td->last_trb) 1956 td->urb->actual_length = 1957 td->urb->transfer_buffer_length - 1958 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 1959 /* fall through */ 1960 case COMP_STOP_INVAL: 1961 return finish_td(xhci, td, event_trb, event, ep, status, false); 1962 default: 1963 if (!xhci_requires_manual_halt_cleanup(xhci, 1964 ep_ctx, trb_comp_code)) 1965 break; 1966 xhci_dbg(xhci, "TRB error code %u, " 1967 "halted endpoint index = %u\n", 1968 trb_comp_code, ep_index); 1969 /* else fall through */ 1970 case COMP_STALL: 1971 /* Did we transfer part of the data (middle) phase? */ 1972 if (event_trb != ep_ring->dequeue && 1973 event_trb != td->last_trb) 1974 td->urb->actual_length = 1975 td->urb->transfer_buffer_length - 1976 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 1977 else if (!td->urb_length_set) 1978 td->urb->actual_length = 0; 1979 1980 return finish_td(xhci, td, event_trb, event, ep, status, false); 1981 } 1982 /* 1983 * Did we transfer any data, despite the errors that might have 1984 * happened? I.e. did we get past the setup stage? 1985 */ 1986 if (event_trb != ep_ring->dequeue) { 1987 /* The event was for the status stage */ 1988 if (event_trb == td->last_trb) { 1989 if (td->urb_length_set) { 1990 /* Don't overwrite a previously set error code 1991 */ 1992 if ((*status == -EINPROGRESS || *status == 0) && 1993 (td->urb->transfer_flags 1994 & URB_SHORT_NOT_OK)) 1995 /* Did we already see a short data 1996 * stage? */ 1997 *status = -EREMOTEIO; 1998 } else { 1999 td->urb->actual_length = 2000 td->urb->transfer_buffer_length; 2001 } 2002 } else { 2003 /* 2004 * Maybe the event was for the data stage? If so, update 2005 * already the actual_length of the URB and flag it as 2006 * set, so that it is not overwritten in the event for 2007 * the last TRB. 2008 */ 2009 td->urb_length_set = true; 2010 td->urb->actual_length = 2011 td->urb->transfer_buffer_length - 2012 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 2013 xhci_dbg(xhci, "Waiting for status " 2014 "stage event\n"); 2015 return 0; 2016 } 2017 } 2018 2019 return finish_td(xhci, td, event_trb, event, ep, status, false); 2020 } 2021 2022 /* 2023 * Process isochronous tds, update urb packet status and actual_length. 2024 */ 2025 static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_td *td, 2026 union xhci_trb *event_trb, struct xhci_transfer_event *event, 2027 struct xhci_virt_ep *ep, int *status) 2028 { 2029 struct xhci_ring *ep_ring; 2030 struct urb_priv *urb_priv; 2031 int idx; 2032 int len = 0; 2033 union xhci_trb *cur_trb; 2034 struct xhci_segment *cur_seg; 2035 struct usb_iso_packet_descriptor *frame; 2036 u32 trb_comp_code; 2037 bool skip_td = false; 2038 2039 ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer)); 2040 trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len)); 2041 urb_priv = td->urb->hcpriv; 2042 idx = urb_priv->td_cnt; 2043 frame = &td->urb->iso_frame_desc[idx]; 2044 2045 /* handle completion code */ 2046 switch (trb_comp_code) { 2047 case COMP_SUCCESS: 2048 if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) { 2049 frame->status = 0; 2050 break; 2051 } 2052 if ((xhci->quirks & XHCI_TRUST_TX_LENGTH)) 2053 trb_comp_code = COMP_SHORT_TX; 2054 /* fallthrough */ 2055 case COMP_STOP_SHORT: 2056 case COMP_SHORT_TX: 2057 frame->status = td->urb->transfer_flags & URB_SHORT_NOT_OK ? 2058 -EREMOTEIO : 0; 2059 break; 2060 case COMP_BW_OVER: 2061 frame->status = -ECOMM; 2062 skip_td = true; 2063 break; 2064 case COMP_BUFF_OVER: 2065 case COMP_BABBLE: 2066 frame->status = -EOVERFLOW; 2067 skip_td = true; 2068 break; 2069 case COMP_DEV_ERR: 2070 case COMP_STALL: 2071 frame->status = -EPROTO; 2072 skip_td = true; 2073 break; 2074 case COMP_TX_ERR: 2075 frame->status = -EPROTO; 2076 if (event_trb != td->last_trb) 2077 return 0; 2078 skip_td = true; 2079 break; 2080 case COMP_STOP: 2081 case COMP_STOP_INVAL: 2082 break; 2083 default: 2084 frame->status = -1; 2085 break; 2086 } 2087 2088 if (trb_comp_code == COMP_SUCCESS || skip_td) { 2089 frame->actual_length = frame->length; 2090 td->urb->actual_length += frame->length; 2091 } else if (trb_comp_code == COMP_STOP_SHORT) { 2092 frame->actual_length = 2093 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 2094 td->urb->actual_length += frame->actual_length; 2095 } else { 2096 for (cur_trb = ep_ring->dequeue, 2097 cur_seg = ep_ring->deq_seg; cur_trb != event_trb; 2098 next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) { 2099 if (!TRB_TYPE_NOOP_LE32(cur_trb->generic.field[3]) && 2100 !TRB_TYPE_LINK_LE32(cur_trb->generic.field[3])) 2101 len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])); 2102 } 2103 len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) - 2104 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 2105 2106 if (trb_comp_code != COMP_STOP_INVAL) { 2107 frame->actual_length = len; 2108 td->urb->actual_length += len; 2109 } 2110 } 2111 2112 return finish_td(xhci, td, event_trb, event, ep, status, false); 2113 } 2114 2115 static int skip_isoc_td(struct xhci_hcd *xhci, struct xhci_td *td, 2116 struct xhci_transfer_event *event, 2117 struct xhci_virt_ep *ep, int *status) 2118 { 2119 struct xhci_ring *ep_ring; 2120 struct urb_priv *urb_priv; 2121 struct usb_iso_packet_descriptor *frame; 2122 int idx; 2123 2124 ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer)); 2125 urb_priv = td->urb->hcpriv; 2126 idx = urb_priv->td_cnt; 2127 frame = &td->urb->iso_frame_desc[idx]; 2128 2129 /* The transfer is partly done. */ 2130 frame->status = -EXDEV; 2131 2132 /* calc actual length */ 2133 frame->actual_length = 0; 2134 2135 /* Update ring dequeue pointer */ 2136 while (ep_ring->dequeue != td->last_trb) 2137 inc_deq(xhci, ep_ring); 2138 inc_deq(xhci, ep_ring); 2139 2140 return finish_td(xhci, td, NULL, event, ep, status, true); 2141 } 2142 2143 /* 2144 * Process bulk and interrupt tds, update urb status and actual_length. 2145 */ 2146 static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_td *td, 2147 union xhci_trb *event_trb, struct xhci_transfer_event *event, 2148 struct xhci_virt_ep *ep, int *status) 2149 { 2150 struct xhci_ring *ep_ring; 2151 union xhci_trb *cur_trb; 2152 struct xhci_segment *cur_seg; 2153 u32 trb_comp_code; 2154 2155 ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer)); 2156 trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len)); 2157 2158 switch (trb_comp_code) { 2159 case COMP_SUCCESS: 2160 /* Double check that the HW transferred everything. */ 2161 if (event_trb != td->last_trb || 2162 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) { 2163 xhci_warn(xhci, "WARN Successful completion " 2164 "on short TX\n"); 2165 if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 2166 *status = -EREMOTEIO; 2167 else 2168 *status = 0; 2169 if ((xhci->quirks & XHCI_TRUST_TX_LENGTH)) 2170 trb_comp_code = COMP_SHORT_TX; 2171 } else { 2172 *status = 0; 2173 } 2174 break; 2175 case COMP_STOP_SHORT: 2176 case COMP_SHORT_TX: 2177 if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 2178 *status = -EREMOTEIO; 2179 else 2180 *status = 0; 2181 break; 2182 default: 2183 /* Others already handled above */ 2184 break; 2185 } 2186 if (trb_comp_code == COMP_SHORT_TX) 2187 xhci_dbg(xhci, "ep %#x - asked for %d bytes, " 2188 "%d bytes untransferred\n", 2189 td->urb->ep->desc.bEndpointAddress, 2190 td->urb->transfer_buffer_length, 2191 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len))); 2192 /* Stopped - short packet completion */ 2193 if (trb_comp_code == COMP_STOP_SHORT) { 2194 td->urb->actual_length = 2195 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 2196 2197 if (td->urb->transfer_buffer_length < 2198 td->urb->actual_length) { 2199 xhci_warn(xhci, "HC gave bad length of %d bytes txed\n", 2200 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len))); 2201 td->urb->actual_length = 0; 2202 /* status will be set by usb core for canceled urbs */ 2203 } 2204 /* Fast path - was this the last TRB in the TD for this URB? */ 2205 } else if (event_trb == td->last_trb) { 2206 if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) { 2207 td->urb->actual_length = 2208 td->urb->transfer_buffer_length - 2209 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 2210 if (td->urb->transfer_buffer_length < 2211 td->urb->actual_length) { 2212 xhci_warn(xhci, "HC gave bad length " 2213 "of %d bytes left\n", 2214 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len))); 2215 td->urb->actual_length = 0; 2216 if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 2217 *status = -EREMOTEIO; 2218 else 2219 *status = 0; 2220 } 2221 /* Don't overwrite a previously set error code */ 2222 if (*status == -EINPROGRESS) { 2223 if (td->urb->transfer_flags & URB_SHORT_NOT_OK) 2224 *status = -EREMOTEIO; 2225 else 2226 *status = 0; 2227 } 2228 } else { 2229 td->urb->actual_length = 2230 td->urb->transfer_buffer_length; 2231 /* Ignore a short packet completion if the 2232 * untransferred length was zero. 2233 */ 2234 if (*status == -EREMOTEIO) 2235 *status = 0; 2236 } 2237 } else { 2238 /* Slow path - walk the list, starting from the dequeue 2239 * pointer, to get the actual length transferred. 2240 */ 2241 td->urb->actual_length = 0; 2242 for (cur_trb = ep_ring->dequeue, cur_seg = ep_ring->deq_seg; 2243 cur_trb != event_trb; 2244 next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) { 2245 if (!TRB_TYPE_NOOP_LE32(cur_trb->generic.field[3]) && 2246 !TRB_TYPE_LINK_LE32(cur_trb->generic.field[3])) 2247 td->urb->actual_length += 2248 TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])); 2249 } 2250 /* If the ring didn't stop on a Link or No-op TRB, add 2251 * in the actual bytes transferred from the Normal TRB 2252 */ 2253 if (trb_comp_code != COMP_STOP_INVAL) 2254 td->urb->actual_length += 2255 TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) - 2256 EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); 2257 } 2258 2259 return finish_td(xhci, td, event_trb, event, ep, status, false); 2260 } 2261 2262 /* 2263 * If this function returns an error condition, it means it got a Transfer 2264 * event with a corrupted Slot ID, Endpoint ID, or TRB DMA address. 2265 * At this point, the host controller is probably hosed and should be reset. 2266 */ 2267 static int handle_tx_event(struct xhci_hcd *xhci, 2268 struct xhci_transfer_event *event) 2269 __releases(&xhci->lock) 2270 __acquires(&xhci->lock) 2271 { 2272 struct xhci_virt_device *xdev; 2273 struct xhci_virt_ep *ep; 2274 struct xhci_ring *ep_ring; 2275 unsigned int slot_id; 2276 int ep_index; 2277 struct xhci_td *td = NULL; 2278 dma_addr_t event_dma; 2279 struct xhci_segment *event_seg; 2280 union xhci_trb *event_trb; 2281 struct urb *urb = NULL; 2282 int status = -EINPROGRESS; 2283 struct urb_priv *urb_priv; 2284 struct xhci_ep_ctx *ep_ctx; 2285 struct list_head *tmp; 2286 u32 trb_comp_code; 2287 int ret = 0; 2288 int td_num = 0; 2289 bool handling_skipped_tds = false; 2290 2291 slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); 2292 xdev = xhci->devs[slot_id]; 2293 if (!xdev) { 2294 xhci_err(xhci, "ERROR Transfer event pointed to bad slot\n"); 2295 xhci_err(xhci, "@%016llx %08x %08x %08x %08x\n", 2296 (unsigned long long) xhci_trb_virt_to_dma( 2297 xhci->event_ring->deq_seg, 2298 xhci->event_ring->dequeue), 2299 lower_32_bits(le64_to_cpu(event->buffer)), 2300 upper_32_bits(le64_to_cpu(event->buffer)), 2301 le32_to_cpu(event->transfer_len), 2302 le32_to_cpu(event->flags)); 2303 xhci_dbg(xhci, "Event ring:\n"); 2304 xhci_debug_segment(xhci, xhci->event_ring->deq_seg); 2305 return -ENODEV; 2306 } 2307 2308 /* Endpoint ID is 1 based, our index is zero based */ 2309 ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1; 2310 ep = &xdev->eps[ep_index]; 2311 ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer)); 2312 ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index); 2313 if (!ep_ring || 2314 (le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK) == 2315 EP_STATE_DISABLED) { 2316 xhci_err(xhci, "ERROR Transfer event for disabled endpoint " 2317 "or incorrect stream ring\n"); 2318 xhci_err(xhci, "@%016llx %08x %08x %08x %08x\n", 2319 (unsigned long long) xhci_trb_virt_to_dma( 2320 xhci->event_ring->deq_seg, 2321 xhci->event_ring->dequeue), 2322 lower_32_bits(le64_to_cpu(event->buffer)), 2323 upper_32_bits(le64_to_cpu(event->buffer)), 2324 le32_to_cpu(event->transfer_len), 2325 le32_to_cpu(event->flags)); 2326 xhci_dbg(xhci, "Event ring:\n"); 2327 xhci_debug_segment(xhci, xhci->event_ring->deq_seg); 2328 return -ENODEV; 2329 } 2330 2331 /* Count current td numbers if ep->skip is set */ 2332 if (ep->skip) { 2333 list_for_each(tmp, &ep_ring->td_list) 2334 td_num++; 2335 } 2336 2337 event_dma = le64_to_cpu(event->buffer); 2338 trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len)); 2339 /* Look for common error cases */ 2340 switch (trb_comp_code) { 2341 /* Skip codes that require special handling depending on 2342 * transfer type 2343 */ 2344 case COMP_SUCCESS: 2345 if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) 2346 break; 2347 if (xhci->quirks & XHCI_TRUST_TX_LENGTH) 2348 trb_comp_code = COMP_SHORT_TX; 2349 else 2350 xhci_warn_ratelimited(xhci, 2351 "WARN Successful completion on short TX: needs XHCI_TRUST_TX_LENGTH quirk?\n"); 2352 case COMP_SHORT_TX: 2353 break; 2354 case COMP_STOP: 2355 xhci_dbg(xhci, "Stopped on Transfer TRB\n"); 2356 break; 2357 case COMP_STOP_INVAL: 2358 xhci_dbg(xhci, "Stopped on No-op or Link TRB\n"); 2359 break; 2360 case COMP_STOP_SHORT: 2361 xhci_dbg(xhci, "Stopped with short packet transfer detected\n"); 2362 break; 2363 case COMP_STALL: 2364 xhci_dbg(xhci, "Stalled endpoint\n"); 2365 ep->ep_state |= EP_HALTED; 2366 status = -EPIPE; 2367 break; 2368 case COMP_TRB_ERR: 2369 xhci_warn(xhci, "WARN: TRB error on endpoint\n"); 2370 status = -EILSEQ; 2371 break; 2372 case COMP_SPLIT_ERR: 2373 case COMP_TX_ERR: 2374 xhci_dbg(xhci, "Transfer error on endpoint\n"); 2375 status = -EPROTO; 2376 break; 2377 case COMP_BABBLE: 2378 xhci_dbg(xhci, "Babble error on endpoint\n"); 2379 status = -EOVERFLOW; 2380 break; 2381 case COMP_DB_ERR: 2382 xhci_warn(xhci, "WARN: HC couldn't access mem fast enough\n"); 2383 status = -ENOSR; 2384 break; 2385 case COMP_BW_OVER: 2386 xhci_warn(xhci, "WARN: bandwidth overrun event on endpoint\n"); 2387 break; 2388 case COMP_BUFF_OVER: 2389 xhci_warn(xhci, "WARN: buffer overrun event on endpoint\n"); 2390 break; 2391 case COMP_UNDERRUN: 2392 /* 2393 * When the Isoch ring is empty, the xHC will generate 2394 * a Ring Overrun Event for IN Isoch endpoint or Ring 2395 * Underrun Event for OUT Isoch endpoint. 2396 */ 2397 xhci_dbg(xhci, "underrun event on endpoint\n"); 2398 if (!list_empty(&ep_ring->td_list)) 2399 xhci_dbg(xhci, "Underrun Event for slot %d ep %d " 2400 "still with TDs queued?\n", 2401 TRB_TO_SLOT_ID(le32_to_cpu(event->flags)), 2402 ep_index); 2403 goto cleanup; 2404 case COMP_OVERRUN: 2405 xhci_dbg(xhci, "overrun event on endpoint\n"); 2406 if (!list_empty(&ep_ring->td_list)) 2407 xhci_dbg(xhci, "Overrun Event for slot %d ep %d " 2408 "still with TDs queued?\n", 2409 TRB_TO_SLOT_ID(le32_to_cpu(event->flags)), 2410 ep_index); 2411 goto cleanup; 2412 case COMP_DEV_ERR: 2413 xhci_warn(xhci, "WARN: detect an incompatible device"); 2414 status = -EPROTO; 2415 break; 2416 case COMP_MISSED_INT: 2417 /* 2418 * When encounter missed service error, one or more isoc tds 2419 * may be missed by xHC. 2420 * Set skip flag of the ep_ring; Complete the missed tds as 2421 * short transfer when process the ep_ring next time. 2422 */ 2423 ep->skip = true; 2424 xhci_dbg(xhci, "Miss service interval error, set skip flag\n"); 2425 goto cleanup; 2426 case COMP_PING_ERR: 2427 ep->skip = true; 2428 xhci_dbg(xhci, "No Ping response error, Skip one Isoc TD\n"); 2429 goto cleanup; 2430 default: 2431 if (xhci_is_vendor_info_code(xhci, trb_comp_code)) { 2432 status = 0; 2433 break; 2434 } 2435 xhci_warn(xhci, "ERROR Unknown event condition %u, HC probably busted\n", 2436 trb_comp_code); 2437 goto cleanup; 2438 } 2439 2440 do { 2441 /* This TRB should be in the TD at the head of this ring's 2442 * TD list. 2443 */ 2444 if (list_empty(&ep_ring->td_list)) { 2445 /* 2446 * A stopped endpoint may generate an extra completion 2447 * event if the device was suspended. Don't print 2448 * warnings. 2449 */ 2450 if (!(trb_comp_code == COMP_STOP || 2451 trb_comp_code == COMP_STOP_INVAL)) { 2452 xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n", 2453 TRB_TO_SLOT_ID(le32_to_cpu(event->flags)), 2454 ep_index); 2455 xhci_dbg(xhci, "Event TRB with TRB type ID %u\n", 2456 (le32_to_cpu(event->flags) & 2457 TRB_TYPE_BITMASK)>>10); 2458 xhci_print_trb_offsets(xhci, (union xhci_trb *) event); 2459 } 2460 if (ep->skip) { 2461 ep->skip = false; 2462 xhci_dbg(xhci, "td_list is empty while skip " 2463 "flag set. Clear skip flag.\n"); 2464 } 2465 ret = 0; 2466 goto cleanup; 2467 } 2468 2469 /* We've skipped all the TDs on the ep ring when ep->skip set */ 2470 if (ep->skip && td_num == 0) { 2471 ep->skip = false; 2472 xhci_dbg(xhci, "All tds on the ep_ring skipped. " 2473 "Clear skip flag.\n"); 2474 ret = 0; 2475 goto cleanup; 2476 } 2477 2478 td = list_entry(ep_ring->td_list.next, struct xhci_td, td_list); 2479 if (ep->skip) 2480 td_num--; 2481 2482 /* Is this a TRB in the currently executing TD? */ 2483 event_seg = trb_in_td(xhci, ep_ring->deq_seg, ep_ring->dequeue, 2484 td->last_trb, event_dma, false); 2485 2486 /* 2487 * Skip the Force Stopped Event. The event_trb(event_dma) of FSE 2488 * is not in the current TD pointed by ep_ring->dequeue because 2489 * that the hardware dequeue pointer still at the previous TRB 2490 * of the current TD. The previous TRB maybe a Link TD or the 2491 * last TRB of the previous TD. The command completion handle 2492 * will take care the rest. 2493 */ 2494 if (!event_seg && (trb_comp_code == COMP_STOP || 2495 trb_comp_code == COMP_STOP_INVAL)) { 2496 ret = 0; 2497 goto cleanup; 2498 } 2499 2500 if (!event_seg) { 2501 if (!ep->skip || 2502 !usb_endpoint_xfer_isoc(&td->urb->ep->desc)) { 2503 /* Some host controllers give a spurious 2504 * successful event after a short transfer. 2505 * Ignore it. 2506 */ 2507 if ((xhci->quirks & XHCI_SPURIOUS_SUCCESS) && 2508 ep_ring->last_td_was_short) { 2509 ep_ring->last_td_was_short = false; 2510 ret = 0; 2511 goto cleanup; 2512 } 2513 /* HC is busted, give up! */ 2514 xhci_err(xhci, 2515 "ERROR Transfer event TRB DMA ptr not " 2516 "part of current TD ep_index %d " 2517 "comp_code %u\n", ep_index, 2518 trb_comp_code); 2519 trb_in_td(xhci, ep_ring->deq_seg, 2520 ep_ring->dequeue, td->last_trb, 2521 event_dma, true); 2522 return -ESHUTDOWN; 2523 } 2524 2525 ret = skip_isoc_td(xhci, td, event, ep, &status); 2526 goto cleanup; 2527 } 2528 if (trb_comp_code == COMP_SHORT_TX) 2529 ep_ring->last_td_was_short = true; 2530 else 2531 ep_ring->last_td_was_short = false; 2532 2533 if (ep->skip) { 2534 xhci_dbg(xhci, "Found td. Clear skip flag.\n"); 2535 ep->skip = false; 2536 } 2537 2538 event_trb = &event_seg->trbs[(event_dma - event_seg->dma) / 2539 sizeof(*event_trb)]; 2540 /* 2541 * No-op TRB should not trigger interrupts. 2542 * If event_trb is a no-op TRB, it means the 2543 * corresponding TD has been cancelled. Just ignore 2544 * the TD. 2545 */ 2546 if (TRB_TYPE_NOOP_LE32(event_trb->generic.field[3])) { 2547 xhci_dbg(xhci, 2548 "event_trb is a no-op TRB. Skip it\n"); 2549 goto cleanup; 2550 } 2551 2552 /* Now update the urb's actual_length and give back to 2553 * the core 2554 */ 2555 if (usb_endpoint_xfer_control(&td->urb->ep->desc)) 2556 ret = process_ctrl_td(xhci, td, event_trb, event, ep, 2557 &status); 2558 else if (usb_endpoint_xfer_isoc(&td->urb->ep->desc)) 2559 ret = process_isoc_td(xhci, td, event_trb, event, ep, 2560 &status); 2561 else 2562 ret = process_bulk_intr_td(xhci, td, event_trb, event, 2563 ep, &status); 2564 2565 cleanup: 2566 2567 2568 handling_skipped_tds = ep->skip && 2569 trb_comp_code != COMP_MISSED_INT && 2570 trb_comp_code != COMP_PING_ERR; 2571 2572 /* 2573 * Do not update event ring dequeue pointer if we're in a loop 2574 * processing missed tds. 2575 */ 2576 if (!handling_skipped_tds) 2577 inc_deq(xhci, xhci->event_ring); 2578 2579 if (ret) { 2580 urb = td->urb; 2581 urb_priv = urb->hcpriv; 2582 2583 xhci_urb_free_priv(urb_priv); 2584 2585 usb_hcd_unlink_urb_from_ep(bus_to_hcd(urb->dev->bus), urb); 2586 if ((urb->actual_length != urb->transfer_buffer_length && 2587 (urb->transfer_flags & 2588 URB_SHORT_NOT_OK)) || 2589 (status != 0 && 2590 !usb_endpoint_xfer_isoc(&urb->ep->desc))) 2591 xhci_dbg(xhci, "Giveback URB %p, len = %d, " 2592 "expected = %d, status = %d\n", 2593 urb, urb->actual_length, 2594 urb->transfer_buffer_length, 2595 status); 2596 spin_unlock(&xhci->lock); 2597 /* EHCI, UHCI, and OHCI always unconditionally set the 2598 * urb->status of an isochronous endpoint to 0. 2599 */ 2600 if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) 2601 status = 0; 2602 usb_hcd_giveback_urb(bus_to_hcd(urb->dev->bus), urb, status); 2603 spin_lock(&xhci->lock); 2604 } 2605 2606 /* 2607 * If ep->skip is set, it means there are missed tds on the 2608 * endpoint ring need to take care of. 2609 * Process them as short transfer until reach the td pointed by 2610 * the event. 2611 */ 2612 } while (handling_skipped_tds); 2613 2614 return 0; 2615 } 2616 2617 /* 2618 * This function handles all OS-owned events on the event ring. It may drop 2619 * xhci->lock between event processing (e.g. to pass up port status changes). 2620 * Returns >0 for "possibly more events to process" (caller should call again), 2621 * otherwise 0 if done. In future, <0 returns should indicate error code. 2622 */ 2623 static int xhci_handle_event(struct xhci_hcd *xhci) 2624 { 2625 union xhci_trb *event; 2626 int update_ptrs = 1; 2627 int ret; 2628 2629 if (!xhci->event_ring || !xhci->event_ring->dequeue) { 2630 xhci->error_bitmask |= 1 << 1; 2631 return 0; 2632 } 2633 2634 event = xhci->event_ring->dequeue; 2635 /* Does the HC or OS own the TRB? */ 2636 if ((le32_to_cpu(event->event_cmd.flags) & TRB_CYCLE) != 2637 xhci->event_ring->cycle_state) { 2638 xhci->error_bitmask |= 1 << 2; 2639 return 0; 2640 } 2641 2642 /* 2643 * Barrier between reading the TRB_CYCLE (valid) flag above and any 2644 * speculative reads of the event's flags/data below. 2645 */ 2646 rmb(); 2647 /* FIXME: Handle more event types. */ 2648 switch ((le32_to_cpu(event->event_cmd.flags) & TRB_TYPE_BITMASK)) { 2649 case TRB_TYPE(TRB_COMPLETION): 2650 handle_cmd_completion(xhci, &event->event_cmd); 2651 break; 2652 case TRB_TYPE(TRB_PORT_STATUS): 2653 handle_port_status(xhci, event); 2654 update_ptrs = 0; 2655 break; 2656 case TRB_TYPE(TRB_TRANSFER): 2657 ret = handle_tx_event(xhci, &event->trans_event); 2658 if (ret < 0) 2659 xhci->error_bitmask |= 1 << 9; 2660 else 2661 update_ptrs = 0; 2662 break; 2663 case TRB_TYPE(TRB_DEV_NOTE): 2664 handle_device_notification(xhci, event); 2665 break; 2666 default: 2667 if ((le32_to_cpu(event->event_cmd.flags) & TRB_TYPE_BITMASK) >= 2668 TRB_TYPE(48)) 2669 handle_vendor_event(xhci, event); 2670 else 2671 xhci->error_bitmask |= 1 << 3; 2672 } 2673 /* Any of the above functions may drop and re-acquire the lock, so check 2674 * to make sure a watchdog timer didn't mark the host as non-responsive. 2675 */ 2676 if (xhci->xhc_state & XHCI_STATE_DYING) { 2677 xhci_dbg(xhci, "xHCI host dying, returning from " 2678 "event handler.\n"); 2679 return 0; 2680 } 2681 2682 if (update_ptrs) 2683 /* Update SW event ring dequeue pointer */ 2684 inc_deq(xhci, xhci->event_ring); 2685 2686 /* Are there more items on the event ring? Caller will call us again to 2687 * check. 2688 */ 2689 return 1; 2690 } 2691 2692 /* 2693 * xHCI spec says we can get an interrupt, and if the HC has an error condition, 2694 * we might get bad data out of the event ring. Section 4.10.2.7 has a list of 2695 * indicators of an event TRB error, but we check the status *first* to be safe. 2696 */ 2697 irqreturn_t xhci_irq(struct usb_hcd *hcd) 2698 { 2699 struct xhci_hcd *xhci = hcd_to_xhci(hcd); 2700 u32 status; 2701 u64 temp_64; 2702 union xhci_trb *event_ring_deq; 2703 dma_addr_t deq; 2704 2705 spin_lock(&xhci->lock); 2706 /* Check if the xHC generated the interrupt, or the irq is shared */ 2707 status = readl(&xhci->op_regs->status); 2708 if (status == 0xffffffff) 2709 goto hw_died; 2710 2711 if (!(status & STS_EINT)) { 2712 spin_unlock(&xhci->lock); 2713 return IRQ_NONE; 2714 } 2715 if (status & STS_FATAL) { 2716 xhci_warn(xhci, "WARNING: Host System Error\n"); 2717 xhci_halt(xhci); 2718 hw_died: 2719 spin_unlock(&xhci->lock); 2720 return IRQ_HANDLED; 2721 } 2722 2723 /* 2724 * Clear the op reg interrupt status first, 2725 * so we can receive interrupts from other MSI-X interrupters. 2726 * Write 1 to clear the interrupt status. 2727 */ 2728 status |= STS_EINT; 2729 writel(status, &xhci->op_regs->status); 2730 /* FIXME when MSI-X is supported and there are multiple vectors */ 2731 /* Clear the MSI-X event interrupt status */ 2732 2733 if (hcd->irq) { 2734 u32 irq_pending; 2735 /* Acknowledge the PCI interrupt */ 2736 irq_pending = readl(&xhci->ir_set->irq_pending); 2737 irq_pending |= IMAN_IP; 2738 writel(irq_pending, &xhci->ir_set->irq_pending); 2739 } 2740 2741 if (xhci->xhc_state & XHCI_STATE_DYING || 2742 xhci->xhc_state & XHCI_STATE_HALTED) { 2743 xhci_dbg(xhci, "xHCI dying, ignoring interrupt. " 2744 "Shouldn't IRQs be disabled?\n"); 2745 /* Clear the event handler busy flag (RW1C); 2746 * the event ring should be empty. 2747 */ 2748 temp_64 = xhci_read_64(xhci, &xhci->ir_set->erst_dequeue); 2749 xhci_write_64(xhci, temp_64 | ERST_EHB, 2750 &xhci->ir_set->erst_dequeue); 2751 spin_unlock(&xhci->lock); 2752 2753 return IRQ_HANDLED; 2754 } 2755 2756 event_ring_deq = xhci->event_ring->dequeue; 2757 /* FIXME this should be a delayed service routine 2758 * that clears the EHB. 2759 */ 2760 while (xhci_handle_event(xhci) > 0) {} 2761 2762 temp_64 = xhci_read_64(xhci, &xhci->ir_set->erst_dequeue); 2763 /* If necessary, update the HW's version of the event ring deq ptr. */ 2764 if (event_ring_deq != xhci->event_ring->dequeue) { 2765 deq = xhci_trb_virt_to_dma(xhci->event_ring->deq_seg, 2766 xhci->event_ring->dequeue); 2767 if (deq == 0) 2768 xhci_warn(xhci, "WARN something wrong with SW event " 2769 "ring dequeue ptr.\n"); 2770 /* Update HC event ring dequeue pointer */ 2771 temp_64 &= ERST_PTR_MASK; 2772 temp_64 |= ((u64) deq & (u64) ~ERST_PTR_MASK); 2773 } 2774 2775 /* Clear the event handler busy flag (RW1C); event ring is empty. */ 2776 temp_64 |= ERST_EHB; 2777 xhci_write_64(xhci, temp_64, &xhci->ir_set->erst_dequeue); 2778 2779 spin_unlock(&xhci->lock); 2780 2781 return IRQ_HANDLED; 2782 } 2783 2784 irqreturn_t xhci_msi_irq(int irq, void *hcd) 2785 { 2786 return xhci_irq(hcd); 2787 } 2788 2789 /**** Endpoint Ring Operations ****/ 2790 2791 /* 2792 * Generic function for queueing a TRB on a ring. 2793 * The caller must have checked to make sure there's room on the ring. 2794 * 2795 * @more_trbs_coming: Will you enqueue more TRBs before calling 2796 * prepare_transfer()? 2797 */ 2798 static void queue_trb(struct xhci_hcd *xhci, struct xhci_ring *ring, 2799 bool more_trbs_coming, 2800 u32 field1, u32 field2, u32 field3, u32 field4) 2801 { 2802 struct xhci_generic_trb *trb; 2803 2804 trb = &ring->enqueue->generic; 2805 trb->field[0] = cpu_to_le32(field1); 2806 trb->field[1] = cpu_to_le32(field2); 2807 trb->field[2] = cpu_to_le32(field3); 2808 trb->field[3] = cpu_to_le32(field4); 2809 inc_enq(xhci, ring, more_trbs_coming); 2810 } 2811 2812 /* 2813 * Does various checks on the endpoint ring, and makes it ready to queue num_trbs. 2814 * FIXME allocate segments if the ring is full. 2815 */ 2816 static int prepare_ring(struct xhci_hcd *xhci, struct xhci_ring *ep_ring, 2817 u32 ep_state, unsigned int num_trbs, gfp_t mem_flags) 2818 { 2819 unsigned int num_trbs_needed; 2820 2821 /* Make sure the endpoint has been added to xHC schedule */ 2822 switch (ep_state) { 2823 case EP_STATE_DISABLED: 2824 /* 2825 * USB core changed config/interfaces without notifying us, 2826 * or hardware is reporting the wrong state. 2827 */ 2828 xhci_warn(xhci, "WARN urb submitted to disabled ep\n"); 2829 return -ENOENT; 2830 case EP_STATE_ERROR: 2831 xhci_warn(xhci, "WARN waiting for error on ep to be cleared\n"); 2832 /* FIXME event handling code for error needs to clear it */ 2833 /* XXX not sure if this should be -ENOENT or not */ 2834 return -EINVAL; 2835 case EP_STATE_HALTED: 2836 xhci_dbg(xhci, "WARN halted endpoint, queueing URB anyway.\n"); 2837 case EP_STATE_STOPPED: 2838 case EP_STATE_RUNNING: 2839 break; 2840 default: 2841 xhci_err(xhci, "ERROR unknown endpoint state for ep\n"); 2842 /* 2843 * FIXME issue Configure Endpoint command to try to get the HC 2844 * back into a known state. 2845 */ 2846 return -EINVAL; 2847 } 2848 2849 while (1) { 2850 if (room_on_ring(xhci, ep_ring, num_trbs)) 2851 break; 2852 2853 if (ep_ring == xhci->cmd_ring) { 2854 xhci_err(xhci, "Do not support expand command ring\n"); 2855 return -ENOMEM; 2856 } 2857 2858 xhci_dbg_trace(xhci, trace_xhci_dbg_ring_expansion, 2859 "ERROR no room on ep ring, try ring expansion"); 2860 num_trbs_needed = num_trbs - ep_ring->num_trbs_free; 2861 if (xhci_ring_expansion(xhci, ep_ring, num_trbs_needed, 2862 mem_flags)) { 2863 xhci_err(xhci, "Ring expansion failed\n"); 2864 return -ENOMEM; 2865 } 2866 } 2867 2868 if (enqueue_is_link_trb(ep_ring)) { 2869 struct xhci_ring *ring = ep_ring; 2870 union xhci_trb *next; 2871 2872 next = ring->enqueue; 2873 2874 while (last_trb(xhci, ring, ring->enq_seg, next)) { 2875 /* If we're not dealing with 0.95 hardware or isoc rings 2876 * on AMD 0.96 host, clear the chain bit. 2877 */ 2878 if (!xhci_link_trb_quirk(xhci) && 2879 !(ring->type == TYPE_ISOC && 2880 (xhci->quirks & XHCI_AMD_0x96_HOST))) 2881 next->link.control &= cpu_to_le32(~TRB_CHAIN); 2882 else 2883 next->link.control |= cpu_to_le32(TRB_CHAIN); 2884 2885 wmb(); 2886 next->link.control ^= cpu_to_le32(TRB_CYCLE); 2887 2888 /* Toggle the cycle bit after the last ring segment. */ 2889 if (last_trb_on_last_seg(xhci, ring, ring->enq_seg, next)) { 2890 ring->cycle_state ^= 1; 2891 } 2892 ring->enq_seg = ring->enq_seg->next; 2893 ring->enqueue = ring->enq_seg->trbs; 2894 next = ring->enqueue; 2895 } 2896 } 2897 2898 return 0; 2899 } 2900 2901 static int prepare_transfer(struct xhci_hcd *xhci, 2902 struct xhci_virt_device *xdev, 2903 unsigned int ep_index, 2904 unsigned int stream_id, 2905 unsigned int num_trbs, 2906 struct urb *urb, 2907 unsigned int td_index, 2908 gfp_t mem_flags) 2909 { 2910 int ret; 2911 struct urb_priv *urb_priv; 2912 struct xhci_td *td; 2913 struct xhci_ring *ep_ring; 2914 struct xhci_ep_ctx *ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index); 2915 2916 ep_ring = xhci_stream_id_to_ring(xdev, ep_index, stream_id); 2917 if (!ep_ring) { 2918 xhci_dbg(xhci, "Can't prepare ring for bad stream ID %u\n", 2919 stream_id); 2920 return -EINVAL; 2921 } 2922 2923 ret = prepare_ring(xhci, ep_ring, 2924 le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK, 2925 num_trbs, mem_flags); 2926 if (ret) 2927 return ret; 2928 2929 urb_priv = urb->hcpriv; 2930 td = urb_priv->td[td_index]; 2931 2932 INIT_LIST_HEAD(&td->td_list); 2933 INIT_LIST_HEAD(&td->cancelled_td_list); 2934 2935 if (td_index == 0) { 2936 ret = usb_hcd_link_urb_to_ep(bus_to_hcd(urb->dev->bus), urb); 2937 if (unlikely(ret)) 2938 return ret; 2939 } 2940 2941 td->urb = urb; 2942 /* Add this TD to the tail of the endpoint ring's TD list */ 2943 list_add_tail(&td->td_list, &ep_ring->td_list); 2944 td->start_seg = ep_ring->enq_seg; 2945 td->first_trb = ep_ring->enqueue; 2946 2947 urb_priv->td[td_index] = td; 2948 2949 return 0; 2950 } 2951 2952 static unsigned int count_trbs(u64 addr, u64 len) 2953 { 2954 unsigned int num_trbs; 2955 2956 num_trbs = DIV_ROUND_UP(len + (addr & (TRB_MAX_BUFF_SIZE - 1)), 2957 TRB_MAX_BUFF_SIZE); 2958 if (num_trbs == 0) 2959 num_trbs++; 2960 2961 return num_trbs; 2962 } 2963 2964 static inline unsigned int count_trbs_needed(struct urb *urb) 2965 { 2966 return count_trbs(urb->transfer_dma, urb->transfer_buffer_length); 2967 } 2968 2969 static unsigned int count_sg_trbs_needed(struct urb *urb) 2970 { 2971 struct scatterlist *sg; 2972 unsigned int i, len, full_len, num_trbs = 0; 2973 2974 full_len = urb->transfer_buffer_length; 2975 2976 for_each_sg(urb->sg, sg, urb->num_mapped_sgs, i) { 2977 len = sg_dma_len(sg); 2978 num_trbs += count_trbs(sg_dma_address(sg), len); 2979 len = min_t(unsigned int, len, full_len); 2980 full_len -= len; 2981 if (full_len == 0) 2982 break; 2983 } 2984 2985 return num_trbs; 2986 } 2987 2988 static unsigned int count_isoc_trbs_needed(struct urb *urb, int i) 2989 { 2990 u64 addr, len; 2991 2992 addr = (u64) (urb->transfer_dma + urb->iso_frame_desc[i].offset); 2993 len = urb->iso_frame_desc[i].length; 2994 2995 return count_trbs(addr, len); 2996 } 2997 2998 static void check_trb_math(struct urb *urb, int running_total) 2999 { 3000 if (unlikely(running_total != urb->transfer_buffer_length)) 3001 dev_err(&urb->dev->dev, "%s - ep %#x - Miscalculated tx length, " 3002 "queued %#x (%d), asked for %#x (%d)\n", 3003 __func__, 3004 urb->ep->desc.bEndpointAddress, 3005 running_total, running_total, 3006 urb->transfer_buffer_length, 3007 urb->transfer_buffer_length); 3008 } 3009 3010 static void giveback_first_trb(struct xhci_hcd *xhci, int slot_id, 3011 unsigned int ep_index, unsigned int stream_id, int start_cycle, 3012 struct xhci_generic_trb *start_trb) 3013 { 3014 /* 3015 * Pass all the TRBs to the hardware at once and make sure this write 3016 * isn't reordered. 3017 */ 3018 wmb(); 3019 if (start_cycle) 3020 start_trb->field[3] |= cpu_to_le32(start_cycle); 3021 else 3022 start_trb->field[3] &= cpu_to_le32(~TRB_CYCLE); 3023 xhci_ring_ep_doorbell(xhci, slot_id, ep_index, stream_id); 3024 } 3025 3026 static void check_interval(struct xhci_hcd *xhci, struct urb *urb, 3027 struct xhci_ep_ctx *ep_ctx) 3028 { 3029 int xhci_interval; 3030 int ep_interval; 3031 3032 xhci_interval = EP_INTERVAL_TO_UFRAMES(le32_to_cpu(ep_ctx->ep_info)); 3033 ep_interval = urb->interval; 3034 3035 /* Convert to microframes */ 3036 if (urb->dev->speed == USB_SPEED_LOW || 3037 urb->dev->speed == USB_SPEED_FULL) 3038 ep_interval *= 8; 3039 3040 /* FIXME change this to a warning and a suggestion to use the new API 3041 * to set the polling interval (once the API is added). 3042 */ 3043 if (xhci_interval != ep_interval) { 3044 dev_dbg_ratelimited(&urb->dev->dev, 3045 "Driver uses different interval (%d microframe%s) than xHCI (%d microframe%s)\n", 3046 ep_interval, ep_interval == 1 ? "" : "s", 3047 xhci_interval, xhci_interval == 1 ? "" : "s"); 3048 urb->interval = xhci_interval; 3049 /* Convert back to frames for LS/FS devices */ 3050 if (urb->dev->speed == USB_SPEED_LOW || 3051 urb->dev->speed == USB_SPEED_FULL) 3052 urb->interval /= 8; 3053 } 3054 } 3055 3056 /* 3057 * xHCI uses normal TRBs for both bulk and interrupt. When the interrupt 3058 * endpoint is to be serviced, the xHC will consume (at most) one TD. A TD 3059 * (comprised of sg list entries) can take several service intervals to 3060 * transmit. 3061 */ 3062 int xhci_queue_intr_tx(struct xhci_hcd *xhci, gfp_t mem_flags, 3063 struct urb *urb, int slot_id, unsigned int ep_index) 3064 { 3065 struct xhci_ep_ctx *ep_ctx; 3066 3067 ep_ctx = xhci_get_ep_ctx(xhci, xhci->devs[slot_id]->out_ctx, ep_index); 3068 check_interval(xhci, urb, ep_ctx); 3069 3070 return xhci_queue_bulk_tx(xhci, mem_flags, urb, slot_id, ep_index); 3071 } 3072 3073 /* 3074 * For xHCI 1.0 host controllers, TD size is the number of max packet sized 3075 * packets remaining in the TD (*not* including this TRB). 3076 * 3077 * Total TD packet count = total_packet_count = 3078 * DIV_ROUND_UP(TD size in bytes / wMaxPacketSize) 3079 * 3080 * Packets transferred up to and including this TRB = packets_transferred = 3081 * rounddown(total bytes transferred including this TRB / wMaxPacketSize) 3082 * 3083 * TD size = total_packet_count - packets_transferred 3084 * 3085 * For xHCI 0.96 and older, TD size field should be the remaining bytes 3086 * including this TRB, right shifted by 10 3087 * 3088 * For all hosts it must fit in bits 21:17, so it can't be bigger than 31. 3089 * This is taken care of in the TRB_TD_SIZE() macro 3090 * 3091 * The last TRB in a TD must have the TD size set to zero. 3092 */ 3093 static u32 xhci_td_remainder(struct xhci_hcd *xhci, int transferred, 3094 int trb_buff_len, unsigned int td_total_len, 3095 struct urb *urb, unsigned int num_trbs_left) 3096 { 3097 u32 maxp, total_packet_count; 3098 3099 /* MTK xHCI is mostly 0.97 but contains some features from 1.0 */ 3100 if (xhci->hci_version < 0x100 && !(xhci->quirks & XHCI_MTK_HOST)) 3101 return ((td_total_len - transferred) >> 10); 3102 3103 /* One TRB with a zero-length data packet. */ 3104 if (num_trbs_left == 0 || (transferred == 0 && trb_buff_len == 0) || 3105 trb_buff_len == td_total_len) 3106 return 0; 3107 3108 /* for MTK xHCI, TD size doesn't include this TRB */ 3109 if (xhci->quirks & XHCI_MTK_HOST) 3110 trb_buff_len = 0; 3111 3112 maxp = GET_MAX_PACKET(usb_endpoint_maxp(&urb->ep->desc)); 3113 total_packet_count = DIV_ROUND_UP(td_total_len, maxp); 3114 3115 /* Queueing functions don't count the current TRB into transferred */ 3116 return (total_packet_count - ((transferred + trb_buff_len) / maxp)); 3117 } 3118 3119 /* This is very similar to what ehci-q.c qtd_fill() does */ 3120 int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags, 3121 struct urb *urb, int slot_id, unsigned int ep_index) 3122 { 3123 struct xhci_ring *ep_ring; 3124 struct urb_priv *urb_priv; 3125 struct xhci_td *td; 3126 struct xhci_generic_trb *start_trb; 3127 struct scatterlist *sg = NULL; 3128 bool more_trbs_coming; 3129 bool zero_length_needed; 3130 unsigned int num_trbs, last_trb_num, i; 3131 unsigned int start_cycle, num_sgs = 0; 3132 unsigned int running_total, block_len, trb_buff_len; 3133 unsigned int full_len; 3134 int ret; 3135 u32 field, length_field, remainder; 3136 u64 addr; 3137 3138 ep_ring = xhci_urb_to_transfer_ring(xhci, urb); 3139 if (!ep_ring) 3140 return -EINVAL; 3141 3142 /* If we have scatter/gather list, we use it. */ 3143 if (urb->num_sgs) { 3144 num_sgs = urb->num_mapped_sgs; 3145 sg = urb->sg; 3146 num_trbs = count_sg_trbs_needed(urb); 3147 } else 3148 num_trbs = count_trbs_needed(urb); 3149 3150 ret = prepare_transfer(xhci, xhci->devs[slot_id], 3151 ep_index, urb->stream_id, 3152 num_trbs, urb, 0, mem_flags); 3153 if (unlikely(ret < 0)) 3154 return ret; 3155 3156 urb_priv = urb->hcpriv; 3157 3158 last_trb_num = num_trbs - 1; 3159 3160 /* Deal with URB_ZERO_PACKET - need one more td/trb */ 3161 zero_length_needed = urb->transfer_flags & URB_ZERO_PACKET && 3162 urb_priv->length == 2; 3163 if (zero_length_needed) { 3164 num_trbs++; 3165 xhci_dbg(xhci, "Creating zero length td.\n"); 3166 ret = prepare_transfer(xhci, xhci->devs[slot_id], 3167 ep_index, urb->stream_id, 3168 1, urb, 1, mem_flags); 3169 if (unlikely(ret < 0)) 3170 return ret; 3171 } 3172 3173 td = urb_priv->td[0]; 3174 3175 /* 3176 * Don't give the first TRB to the hardware (by toggling the cycle bit) 3177 * until we've finished creating all the other TRBs. The ring's cycle 3178 * state may change as we enqueue the other TRBs, so save it too. 3179 */ 3180 start_trb = &ep_ring->enqueue->generic; 3181 start_cycle = ep_ring->cycle_state; 3182 3183 full_len = urb->transfer_buffer_length; 3184 running_total = 0; 3185 block_len = 0; 3186 3187 /* Queue the TRBs, even if they are zero-length */ 3188 for (i = 0; i < num_trbs; i++) { 3189 field = TRB_TYPE(TRB_NORMAL); 3190 3191 if (block_len == 0) { 3192 /* A new contiguous block. */ 3193 if (sg) { 3194 addr = (u64) sg_dma_address(sg); 3195 block_len = sg_dma_len(sg); 3196 } else { 3197 addr = (u64) urb->transfer_dma; 3198 block_len = full_len; 3199 } 3200 /* TRB buffer should not cross 64KB boundaries */ 3201 trb_buff_len = TRB_BUFF_LEN_UP_TO_BOUNDARY(addr); 3202 trb_buff_len = min_t(unsigned int, 3203 trb_buff_len, 3204 block_len); 3205 } else { 3206 /* Further through the contiguous block. */ 3207 trb_buff_len = block_len; 3208 if (trb_buff_len > TRB_MAX_BUFF_SIZE) 3209 trb_buff_len = TRB_MAX_BUFF_SIZE; 3210 } 3211 3212 if (running_total + trb_buff_len > full_len) 3213 trb_buff_len = full_len - running_total; 3214 3215 /* Don't change the cycle bit of the first TRB until later */ 3216 if (i == 0) { 3217 if (start_cycle == 0) 3218 field |= TRB_CYCLE; 3219 } else 3220 field |= ep_ring->cycle_state; 3221 3222 /* Chain all the TRBs together; clear the chain bit in the last 3223 * TRB to indicate it's the last TRB in the chain. 3224 */ 3225 if (i < last_trb_num) { 3226 field |= TRB_CHAIN; 3227 } else { 3228 field |= TRB_IOC; 3229 if (i == last_trb_num) 3230 td->last_trb = ep_ring->enqueue; 3231 else if (zero_length_needed) { 3232 trb_buff_len = 0; 3233 urb_priv->td[1]->last_trb = ep_ring->enqueue; 3234 } 3235 } 3236 3237 /* Only set interrupt on short packet for IN endpoints */ 3238 if (usb_urb_dir_in(urb)) 3239 field |= TRB_ISP; 3240 3241 /* Set the TRB length, TD size, and interrupter fields. */ 3242 remainder = xhci_td_remainder(xhci, running_total, 3243 trb_buff_len, full_len, 3244 urb, num_trbs - i - 1); 3245 3246 length_field = TRB_LEN(trb_buff_len) | 3247 TRB_TD_SIZE(remainder) | 3248 TRB_INTR_TARGET(0); 3249 3250 if (i < num_trbs - 1) 3251 more_trbs_coming = true; 3252 else 3253 more_trbs_coming = false; 3254 queue_trb(xhci, ep_ring, more_trbs_coming, 3255 lower_32_bits(addr), 3256 upper_32_bits(addr), 3257 length_field, 3258 field); 3259 3260 running_total += trb_buff_len; 3261 addr += trb_buff_len; 3262 block_len -= trb_buff_len; 3263 3264 if (sg) { 3265 if (block_len == 0) { 3266 /* New sg entry */ 3267 --num_sgs; 3268 if (num_sgs == 0) 3269 break; 3270 sg = sg_next(sg); 3271 } 3272 } 3273 } 3274 3275 check_trb_math(urb, running_total); 3276 giveback_first_trb(xhci, slot_id, ep_index, urb->stream_id, 3277 start_cycle, start_trb); 3278 return 0; 3279 } 3280 3281 /* Caller must have locked xhci->lock */ 3282 int xhci_queue_ctrl_tx(struct xhci_hcd *xhci, gfp_t mem_flags, 3283 struct urb *urb, int slot_id, unsigned int ep_index) 3284 { 3285 struct xhci_ring *ep_ring; 3286 int num_trbs; 3287 int ret; 3288 struct usb_ctrlrequest *setup; 3289 struct xhci_generic_trb *start_trb; 3290 int start_cycle; 3291 u32 field, length_field, remainder; 3292 struct urb_priv *urb_priv; 3293 struct xhci_td *td; 3294 3295 ep_ring = xhci_urb_to_transfer_ring(xhci, urb); 3296 if (!ep_ring) 3297 return -EINVAL; 3298 3299 /* 3300 * Need to copy setup packet into setup TRB, so we can't use the setup 3301 * DMA address. 3302 */ 3303 if (!urb->setup_packet) 3304 return -EINVAL; 3305 3306 /* 1 TRB for setup, 1 for status */ 3307 num_trbs = 2; 3308 /* 3309 * Don't need to check if we need additional event data and normal TRBs, 3310 * since data in control transfers will never get bigger than 16MB 3311 * XXX: can we get a buffer that crosses 64KB boundaries? 3312 */ 3313 if (urb->transfer_buffer_length > 0) 3314 num_trbs++; 3315 ret = prepare_transfer(xhci, xhci->devs[slot_id], 3316 ep_index, urb->stream_id, 3317 num_trbs, urb, 0, mem_flags); 3318 if (ret < 0) 3319 return ret; 3320 3321 urb_priv = urb->hcpriv; 3322 td = urb_priv->td[0]; 3323 3324 /* 3325 * Don't give the first TRB to the hardware (by toggling the cycle bit) 3326 * until we've finished creating all the other TRBs. The ring's cycle 3327 * state may change as we enqueue the other TRBs, so save it too. 3328 */ 3329 start_trb = &ep_ring->enqueue->generic; 3330 start_cycle = ep_ring->cycle_state; 3331 3332 /* Queue setup TRB - see section 6.4.1.2.1 */ 3333 /* FIXME better way to translate setup_packet into two u32 fields? */ 3334 setup = (struct usb_ctrlrequest *) urb->setup_packet; 3335 field = 0; 3336 field |= TRB_IDT | TRB_TYPE(TRB_SETUP); 3337 if (start_cycle == 0) 3338 field |= 0x1; 3339 3340 /* xHCI 1.0/1.1 6.4.1.2.1: Transfer Type field */ 3341 if ((xhci->hci_version >= 0x100) || (xhci->quirks & XHCI_MTK_HOST)) { 3342 if (urb->transfer_buffer_length > 0) { 3343 if (setup->bRequestType & USB_DIR_IN) 3344 field |= TRB_TX_TYPE(TRB_DATA_IN); 3345 else 3346 field |= TRB_TX_TYPE(TRB_DATA_OUT); 3347 } 3348 } 3349 3350 queue_trb(xhci, ep_ring, true, 3351 setup->bRequestType | setup->bRequest << 8 | le16_to_cpu(setup->wValue) << 16, 3352 le16_to_cpu(setup->wIndex) | le16_to_cpu(setup->wLength) << 16, 3353 TRB_LEN(8) | TRB_INTR_TARGET(0), 3354 /* Immediate data in pointer */ 3355 field); 3356 3357 /* If there's data, queue data TRBs */ 3358 /* Only set interrupt on short packet for IN endpoints */ 3359 if (usb_urb_dir_in(urb)) 3360 field = TRB_ISP | TRB_TYPE(TRB_DATA); 3361 else 3362 field = TRB_TYPE(TRB_DATA); 3363 3364 remainder = xhci_td_remainder(xhci, 0, 3365 urb->transfer_buffer_length, 3366 urb->transfer_buffer_length, 3367 urb, 1); 3368 3369 length_field = TRB_LEN(urb->transfer_buffer_length) | 3370 TRB_TD_SIZE(remainder) | 3371 TRB_INTR_TARGET(0); 3372 3373 if (urb->transfer_buffer_length > 0) { 3374 if (setup->bRequestType & USB_DIR_IN) 3375 field |= TRB_DIR_IN; 3376 queue_trb(xhci, ep_ring, true, 3377 lower_32_bits(urb->transfer_dma), 3378 upper_32_bits(urb->transfer_dma), 3379 length_field, 3380 field | ep_ring->cycle_state); 3381 } 3382 3383 /* Save the DMA address of the last TRB in the TD */ 3384 td->last_trb = ep_ring->enqueue; 3385 3386 /* Queue status TRB - see Table 7 and sections 4.11.2.2 and 6.4.1.2.3 */ 3387 /* If the device sent data, the status stage is an OUT transfer */ 3388 if (urb->transfer_buffer_length > 0 && setup->bRequestType & USB_DIR_IN) 3389 field = 0; 3390 else 3391 field = TRB_DIR_IN; 3392 queue_trb(xhci, ep_ring, false, 3393 0, 3394 0, 3395 TRB_INTR_TARGET(0), 3396 /* Event on completion */ 3397 field | TRB_IOC | TRB_TYPE(TRB_STATUS) | ep_ring->cycle_state); 3398 3399 giveback_first_trb(xhci, slot_id, ep_index, 0, 3400 start_cycle, start_trb); 3401 return 0; 3402 } 3403 3404 /* 3405 * The transfer burst count field of the isochronous TRB defines the number of 3406 * bursts that are required to move all packets in this TD. Only SuperSpeed 3407 * devices can burst up to bMaxBurst number of packets per service interval. 3408 * This field is zero based, meaning a value of zero in the field means one 3409 * burst. Basically, for everything but SuperSpeed devices, this field will be 3410 * zero. Only xHCI 1.0 host controllers support this field. 3411 */ 3412 static unsigned int xhci_get_burst_count(struct xhci_hcd *xhci, 3413 struct urb *urb, unsigned int total_packet_count) 3414 { 3415 unsigned int max_burst; 3416 3417 if (xhci->hci_version < 0x100 || urb->dev->speed < USB_SPEED_SUPER) 3418 return 0; 3419 3420 max_burst = urb->ep->ss_ep_comp.bMaxBurst; 3421 return DIV_ROUND_UP(total_packet_count, max_burst + 1) - 1; 3422 } 3423 3424 /* 3425 * Returns the number of packets in the last "burst" of packets. This field is 3426 * valid for all speeds of devices. USB 2.0 devices can only do one "burst", so 3427 * the last burst packet count is equal to the total number of packets in the 3428 * TD. SuperSpeed endpoints can have up to 3 bursts. All but the last burst 3429 * must contain (bMaxBurst + 1) number of packets, but the last burst can 3430 * contain 1 to (bMaxBurst + 1) packets. 3431 */ 3432 static unsigned int xhci_get_last_burst_packet_count(struct xhci_hcd *xhci, 3433 struct urb *urb, unsigned int total_packet_count) 3434 { 3435 unsigned int max_burst; 3436 unsigned int residue; 3437 3438 if (xhci->hci_version < 0x100) 3439 return 0; 3440 3441 if (urb->dev->speed >= USB_SPEED_SUPER) { 3442 /* bMaxBurst is zero based: 0 means 1 packet per burst */ 3443 max_burst = urb->ep->ss_ep_comp.bMaxBurst; 3444 residue = total_packet_count % (max_burst + 1); 3445 /* If residue is zero, the last burst contains (max_burst + 1) 3446 * number of packets, but the TLBPC field is zero-based. 3447 */ 3448 if (residue == 0) 3449 return max_burst; 3450 return residue - 1; 3451 } 3452 if (total_packet_count == 0) 3453 return 0; 3454 return total_packet_count - 1; 3455 } 3456 3457 /* 3458 * Calculates Frame ID field of the isochronous TRB identifies the 3459 * target frame that the Interval associated with this Isochronous 3460 * Transfer Descriptor will start on. Refer to 4.11.2.5 in 1.1 spec. 3461 * 3462 * Returns actual frame id on success, negative value on error. 3463 */ 3464 static int xhci_get_isoc_frame_id(struct xhci_hcd *xhci, 3465 struct urb *urb, int index) 3466 { 3467 int start_frame, ist, ret = 0; 3468 int start_frame_id, end_frame_id, current_frame_id; 3469 3470 if (urb->dev->speed == USB_SPEED_LOW || 3471 urb->dev->speed == USB_SPEED_FULL) 3472 start_frame = urb->start_frame + index * urb->interval; 3473 else 3474 start_frame = (urb->start_frame + index * urb->interval) >> 3; 3475 3476 /* Isochronous Scheduling Threshold (IST, bits 0~3 in HCSPARAMS2): 3477 * 3478 * If bit [3] of IST is cleared to '0', software can add a TRB no 3479 * later than IST[2:0] Microframes before that TRB is scheduled to 3480 * be executed. 3481 * If bit [3] of IST is set to '1', software can add a TRB no later 3482 * than IST[2:0] Frames before that TRB is scheduled to be executed. 3483 */ 3484 ist = HCS_IST(xhci->hcs_params2) & 0x7; 3485 if (HCS_IST(xhci->hcs_params2) & (1 << 3)) 3486 ist <<= 3; 3487 3488 /* Software shall not schedule an Isoch TD with a Frame ID value that 3489 * is less than the Start Frame ID or greater than the End Frame ID, 3490 * where: 3491 * 3492 * End Frame ID = (Current MFINDEX register value + 895 ms.) MOD 2048 3493 * Start Frame ID = (Current MFINDEX register value + IST + 1) MOD 2048 3494 * 3495 * Both the End Frame ID and Start Frame ID values are calculated 3496 * in microframes. When software determines the valid Frame ID value; 3497 * The End Frame ID value should be rounded down to the nearest Frame 3498 * boundary, and the Start Frame ID value should be rounded up to the 3499 * nearest Frame boundary. 3500 */ 3501 current_frame_id = readl(&xhci->run_regs->microframe_index); 3502 start_frame_id = roundup(current_frame_id + ist + 1, 8); 3503 end_frame_id = rounddown(current_frame_id + 895 * 8, 8); 3504 3505 start_frame &= 0x7ff; 3506 start_frame_id = (start_frame_id >> 3) & 0x7ff; 3507 end_frame_id = (end_frame_id >> 3) & 0x7ff; 3508 3509 xhci_dbg(xhci, "%s: index %d, reg 0x%x start_frame_id 0x%x, end_frame_id 0x%x, start_frame 0x%x\n", 3510 __func__, index, readl(&xhci->run_regs->microframe_index), 3511 start_frame_id, end_frame_id, start_frame); 3512 3513 if (start_frame_id < end_frame_id) { 3514 if (start_frame > end_frame_id || 3515 start_frame < start_frame_id) 3516 ret = -EINVAL; 3517 } else if (start_frame_id > end_frame_id) { 3518 if ((start_frame > end_frame_id && 3519 start_frame < start_frame_id)) 3520 ret = -EINVAL; 3521 } else { 3522 ret = -EINVAL; 3523 } 3524 3525 if (index == 0) { 3526 if (ret == -EINVAL || start_frame == start_frame_id) { 3527 start_frame = start_frame_id + 1; 3528 if (urb->dev->speed == USB_SPEED_LOW || 3529 urb->dev->speed == USB_SPEED_FULL) 3530 urb->start_frame = start_frame; 3531 else 3532 urb->start_frame = start_frame << 3; 3533 ret = 0; 3534 } 3535 } 3536 3537 if (ret) { 3538 xhci_warn(xhci, "Frame ID %d (reg %d, index %d) beyond range (%d, %d)\n", 3539 start_frame, current_frame_id, index, 3540 start_frame_id, end_frame_id); 3541 xhci_warn(xhci, "Ignore frame ID field, use SIA bit instead\n"); 3542 return ret; 3543 } 3544 3545 return start_frame; 3546 } 3547 3548 /* This is for isoc transfer */ 3549 static int xhci_queue_isoc_tx(struct xhci_hcd *xhci, gfp_t mem_flags, 3550 struct urb *urb, int slot_id, unsigned int ep_index) 3551 { 3552 struct xhci_ring *ep_ring; 3553 struct urb_priv *urb_priv; 3554 struct xhci_td *td; 3555 int num_tds, trbs_per_td; 3556 struct xhci_generic_trb *start_trb; 3557 bool first_trb; 3558 int start_cycle; 3559 u32 field, length_field; 3560 int running_total, trb_buff_len, td_len, td_remain_len, ret; 3561 u64 start_addr, addr; 3562 int i, j; 3563 bool more_trbs_coming; 3564 struct xhci_virt_ep *xep; 3565 int frame_id; 3566 3567 xep = &xhci->devs[slot_id]->eps[ep_index]; 3568 ep_ring = xhci->devs[slot_id]->eps[ep_index].ring; 3569 3570 num_tds = urb->number_of_packets; 3571 if (num_tds < 1) { 3572 xhci_dbg(xhci, "Isoc URB with zero packets?\n"); 3573 return -EINVAL; 3574 } 3575 start_addr = (u64) urb->transfer_dma; 3576 start_trb = &ep_ring->enqueue->generic; 3577 start_cycle = ep_ring->cycle_state; 3578 3579 urb_priv = urb->hcpriv; 3580 /* Queue the TRBs for each TD, even if they are zero-length */ 3581 for (i = 0; i < num_tds; i++) { 3582 unsigned int total_pkt_count, max_pkt; 3583 unsigned int burst_count, last_burst_pkt_count; 3584 u32 sia_frame_id; 3585 3586 first_trb = true; 3587 running_total = 0; 3588 addr = start_addr + urb->iso_frame_desc[i].offset; 3589 td_len = urb->iso_frame_desc[i].length; 3590 td_remain_len = td_len; 3591 max_pkt = GET_MAX_PACKET(usb_endpoint_maxp(&urb->ep->desc)); 3592 total_pkt_count = DIV_ROUND_UP(td_len, max_pkt); 3593 3594 /* A zero-length transfer still involves at least one packet. */ 3595 if (total_pkt_count == 0) 3596 total_pkt_count++; 3597 burst_count = xhci_get_burst_count(xhci, urb, total_pkt_count); 3598 last_burst_pkt_count = xhci_get_last_burst_packet_count(xhci, 3599 urb, total_pkt_count); 3600 3601 trbs_per_td = count_isoc_trbs_needed(urb, i); 3602 3603 ret = prepare_transfer(xhci, xhci->devs[slot_id], ep_index, 3604 urb->stream_id, trbs_per_td, urb, i, mem_flags); 3605 if (ret < 0) { 3606 if (i == 0) 3607 return ret; 3608 goto cleanup; 3609 } 3610 td = urb_priv->td[i]; 3611 3612 /* use SIA as default, if frame id is used overwrite it */ 3613 sia_frame_id = TRB_SIA; 3614 if (!(urb->transfer_flags & URB_ISO_ASAP) && 3615 HCC_CFC(xhci->hcc_params)) { 3616 frame_id = xhci_get_isoc_frame_id(xhci, urb, i); 3617 if (frame_id >= 0) 3618 sia_frame_id = TRB_FRAME_ID(frame_id); 3619 } 3620 /* 3621 * Set isoc specific data for the first TRB in a TD. 3622 * Prevent HW from getting the TRBs by keeping the cycle state 3623 * inverted in the first TDs isoc TRB. 3624 */ 3625 field = TRB_TYPE(TRB_ISOC) | 3626 TRB_TLBPC(last_burst_pkt_count) | 3627 sia_frame_id | 3628 (i ? ep_ring->cycle_state : !start_cycle); 3629 3630 /* xhci 1.1 with ETE uses TD_Size field for TBC, old is Rsvdz */ 3631 if (!xep->use_extended_tbc) 3632 field |= TRB_TBC(burst_count); 3633 3634 /* fill the rest of the TRB fields, and remaining normal TRBs */ 3635 for (j = 0; j < trbs_per_td; j++) { 3636 u32 remainder = 0; 3637 3638 /* only first TRB is isoc, overwrite otherwise */ 3639 if (!first_trb) 3640 field = TRB_TYPE(TRB_NORMAL) | 3641 ep_ring->cycle_state; 3642 3643 /* Only set interrupt on short packet for IN EPs */ 3644 if (usb_urb_dir_in(urb)) 3645 field |= TRB_ISP; 3646 3647 /* Set the chain bit for all except the last TRB */ 3648 if (j < trbs_per_td - 1) { 3649 more_trbs_coming = true; 3650 field |= TRB_CHAIN; 3651 } else { 3652 more_trbs_coming = false; 3653 td->last_trb = ep_ring->enqueue; 3654 field |= TRB_IOC; 3655 /* set BEI, except for the last TD */ 3656 if (xhci->hci_version >= 0x100 && 3657 !(xhci->quirks & XHCI_AVOID_BEI) && 3658 i < num_tds - 1) 3659 field |= TRB_BEI; 3660 } 3661 /* Calculate TRB length */ 3662 trb_buff_len = TRB_BUFF_LEN_UP_TO_BOUNDARY(addr); 3663 if (trb_buff_len > td_remain_len) 3664 trb_buff_len = td_remain_len; 3665 3666 /* Set the TRB length, TD size, & interrupter fields. */ 3667 remainder = xhci_td_remainder(xhci, running_total, 3668 trb_buff_len, td_len, 3669 urb, trbs_per_td - j - 1); 3670 3671 length_field = TRB_LEN(trb_buff_len) | 3672 TRB_INTR_TARGET(0); 3673 3674 /* xhci 1.1 with ETE uses TD Size field for TBC */ 3675 if (first_trb && xep->use_extended_tbc) 3676 length_field |= TRB_TD_SIZE_TBC(burst_count); 3677 else 3678 length_field |= TRB_TD_SIZE(remainder); 3679 first_trb = false; 3680 3681 queue_trb(xhci, ep_ring, more_trbs_coming, 3682 lower_32_bits(addr), 3683 upper_32_bits(addr), 3684 length_field, 3685 field); 3686 running_total += trb_buff_len; 3687 3688 addr += trb_buff_len; 3689 td_remain_len -= trb_buff_len; 3690 } 3691 3692 /* Check TD length */ 3693 if (running_total != td_len) { 3694 xhci_err(xhci, "ISOC TD length unmatch\n"); 3695 ret = -EINVAL; 3696 goto cleanup; 3697 } 3698 } 3699 3700 /* store the next frame id */ 3701 if (HCC_CFC(xhci->hcc_params)) 3702 xep->next_frame_id = urb->start_frame + num_tds * urb->interval; 3703 3704 if (xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs == 0) { 3705 if (xhci->quirks & XHCI_AMD_PLL_FIX) 3706 usb_amd_quirk_pll_disable(); 3707 } 3708 xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs++; 3709 3710 giveback_first_trb(xhci, slot_id, ep_index, urb->stream_id, 3711 start_cycle, start_trb); 3712 return 0; 3713 cleanup: 3714 /* Clean up a partially enqueued isoc transfer. */ 3715 3716 for (i--; i >= 0; i--) 3717 list_del_init(&urb_priv->td[i]->td_list); 3718 3719 /* Use the first TD as a temporary variable to turn the TDs we've queued 3720 * into No-ops with a software-owned cycle bit. That way the hardware 3721 * won't accidentally start executing bogus TDs when we partially 3722 * overwrite them. td->first_trb and td->start_seg are already set. 3723 */ 3724 urb_priv->td[0]->last_trb = ep_ring->enqueue; 3725 /* Every TRB except the first & last will have its cycle bit flipped. */ 3726 td_to_noop(xhci, ep_ring, urb_priv->td[0], true); 3727 3728 /* Reset the ring enqueue back to the first TRB and its cycle bit. */ 3729 ep_ring->enqueue = urb_priv->td[0]->first_trb; 3730 ep_ring->enq_seg = urb_priv->td[0]->start_seg; 3731 ep_ring->cycle_state = start_cycle; 3732 ep_ring->num_trbs_free = ep_ring->num_trbs_free_temp; 3733 usb_hcd_unlink_urb_from_ep(bus_to_hcd(urb->dev->bus), urb); 3734 return ret; 3735 } 3736 3737 /* 3738 * Check transfer ring to guarantee there is enough room for the urb. 3739 * Update ISO URB start_frame and interval. 3740 * Update interval as xhci_queue_intr_tx does. Use xhci frame_index to 3741 * update urb->start_frame if URB_ISO_ASAP is set in transfer_flags or 3742 * Contiguous Frame ID is not supported by HC. 3743 */ 3744 int xhci_queue_isoc_tx_prepare(struct xhci_hcd *xhci, gfp_t mem_flags, 3745 struct urb *urb, int slot_id, unsigned int ep_index) 3746 { 3747 struct xhci_virt_device *xdev; 3748 struct xhci_ring *ep_ring; 3749 struct xhci_ep_ctx *ep_ctx; 3750 int start_frame; 3751 int num_tds, num_trbs, i; 3752 int ret; 3753 struct xhci_virt_ep *xep; 3754 int ist; 3755 3756 xdev = xhci->devs[slot_id]; 3757 xep = &xhci->devs[slot_id]->eps[ep_index]; 3758 ep_ring = xdev->eps[ep_index].ring; 3759 ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index); 3760 3761 num_trbs = 0; 3762 num_tds = urb->number_of_packets; 3763 for (i = 0; i < num_tds; i++) 3764 num_trbs += count_isoc_trbs_needed(urb, i); 3765 3766 /* Check the ring to guarantee there is enough room for the whole urb. 3767 * Do not insert any td of the urb to the ring if the check failed. 3768 */ 3769 ret = prepare_ring(xhci, ep_ring, le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK, 3770 num_trbs, mem_flags); 3771 if (ret) 3772 return ret; 3773 3774 /* 3775 * Check interval value. This should be done before we start to 3776 * calculate the start frame value. 3777 */ 3778 check_interval(xhci, urb, ep_ctx); 3779 3780 /* Calculate the start frame and put it in urb->start_frame. */ 3781 if (HCC_CFC(xhci->hcc_params) && !list_empty(&ep_ring->td_list)) { 3782 if ((le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK) == 3783 EP_STATE_RUNNING) { 3784 urb->start_frame = xep->next_frame_id; 3785 goto skip_start_over; 3786 } 3787 } 3788 3789 start_frame = readl(&xhci->run_regs->microframe_index); 3790 start_frame &= 0x3fff; 3791 /* 3792 * Round up to the next frame and consider the time before trb really 3793 * gets scheduled by hardare. 3794 */ 3795 ist = HCS_IST(xhci->hcs_params2) & 0x7; 3796 if (HCS_IST(xhci->hcs_params2) & (1 << 3)) 3797 ist <<= 3; 3798 start_frame += ist + XHCI_CFC_DELAY; 3799 start_frame = roundup(start_frame, 8); 3800 3801 /* 3802 * Round up to the next ESIT (Endpoint Service Interval Time) if ESIT 3803 * is greate than 8 microframes. 3804 */ 3805 if (urb->dev->speed == USB_SPEED_LOW || 3806 urb->dev->speed == USB_SPEED_FULL) { 3807 start_frame = roundup(start_frame, urb->interval << 3); 3808 urb->start_frame = start_frame >> 3; 3809 } else { 3810 start_frame = roundup(start_frame, urb->interval); 3811 urb->start_frame = start_frame; 3812 } 3813 3814 skip_start_over: 3815 ep_ring->num_trbs_free_temp = ep_ring->num_trbs_free; 3816 3817 return xhci_queue_isoc_tx(xhci, mem_flags, urb, slot_id, ep_index); 3818 } 3819 3820 /**** Command Ring Operations ****/ 3821 3822 /* Generic function for queueing a command TRB on the command ring. 3823 * Check to make sure there's room on the command ring for one command TRB. 3824 * Also check that there's room reserved for commands that must not fail. 3825 * If this is a command that must not fail, meaning command_must_succeed = TRUE, 3826 * then only check for the number of reserved spots. 3827 * Don't decrement xhci->cmd_ring_reserved_trbs after we've queued the TRB 3828 * because the command event handler may want to resubmit a failed command. 3829 */ 3830 static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, 3831 u32 field1, u32 field2, 3832 u32 field3, u32 field4, bool command_must_succeed) 3833 { 3834 int reserved_trbs = xhci->cmd_ring_reserved_trbs; 3835 int ret; 3836 3837 if ((xhci->xhc_state & XHCI_STATE_DYING) || 3838 (xhci->xhc_state & XHCI_STATE_HALTED)) { 3839 xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n"); 3840 return -ESHUTDOWN; 3841 } 3842 3843 if (!command_must_succeed) 3844 reserved_trbs++; 3845 3846 ret = prepare_ring(xhci, xhci->cmd_ring, EP_STATE_RUNNING, 3847 reserved_trbs, GFP_ATOMIC); 3848 if (ret < 0) { 3849 xhci_err(xhci, "ERR: No room for command on command ring\n"); 3850 if (command_must_succeed) 3851 xhci_err(xhci, "ERR: Reserved TRB counting for " 3852 "unfailable commands failed.\n"); 3853 return ret; 3854 } 3855 3856 cmd->command_trb = xhci->cmd_ring->enqueue; 3857 list_add_tail(&cmd->cmd_list, &xhci->cmd_list); 3858 3859 /* if there are no other commands queued we start the timeout timer */ 3860 if (xhci->cmd_list.next == &cmd->cmd_list && 3861 !timer_pending(&xhci->cmd_timer)) { 3862 xhci->current_cmd = cmd; 3863 mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT); 3864 } 3865 3866 queue_trb(xhci, xhci->cmd_ring, false, field1, field2, field3, 3867 field4 | xhci->cmd_ring->cycle_state); 3868 return 0; 3869 } 3870 3871 /* Queue a slot enable or disable request on the command ring */ 3872 int xhci_queue_slot_control(struct xhci_hcd *xhci, struct xhci_command *cmd, 3873 u32 trb_type, u32 slot_id) 3874 { 3875 return queue_command(xhci, cmd, 0, 0, 0, 3876 TRB_TYPE(trb_type) | SLOT_ID_FOR_TRB(slot_id), false); 3877 } 3878 3879 /* Queue an address device command TRB */ 3880 int xhci_queue_address_device(struct xhci_hcd *xhci, struct xhci_command *cmd, 3881 dma_addr_t in_ctx_ptr, u32 slot_id, enum xhci_setup_dev setup) 3882 { 3883 return queue_command(xhci, cmd, lower_32_bits(in_ctx_ptr), 3884 upper_32_bits(in_ctx_ptr), 0, 3885 TRB_TYPE(TRB_ADDR_DEV) | SLOT_ID_FOR_TRB(slot_id) 3886 | (setup == SETUP_CONTEXT_ONLY ? TRB_BSR : 0), false); 3887 } 3888 3889 int xhci_queue_vendor_command(struct xhci_hcd *xhci, struct xhci_command *cmd, 3890 u32 field1, u32 field2, u32 field3, u32 field4) 3891 { 3892 return queue_command(xhci, cmd, field1, field2, field3, field4, false); 3893 } 3894 3895 /* Queue a reset device command TRB */ 3896 int xhci_queue_reset_device(struct xhci_hcd *xhci, struct xhci_command *cmd, 3897 u32 slot_id) 3898 { 3899 return queue_command(xhci, cmd, 0, 0, 0, 3900 TRB_TYPE(TRB_RESET_DEV) | SLOT_ID_FOR_TRB(slot_id), 3901 false); 3902 } 3903 3904 /* Queue a configure endpoint command TRB */ 3905 int xhci_queue_configure_endpoint(struct xhci_hcd *xhci, 3906 struct xhci_command *cmd, dma_addr_t in_ctx_ptr, 3907 u32 slot_id, bool command_must_succeed) 3908 { 3909 return queue_command(xhci, cmd, lower_32_bits(in_ctx_ptr), 3910 upper_32_bits(in_ctx_ptr), 0, 3911 TRB_TYPE(TRB_CONFIG_EP) | SLOT_ID_FOR_TRB(slot_id), 3912 command_must_succeed); 3913 } 3914 3915 /* Queue an evaluate context command TRB */ 3916 int xhci_queue_evaluate_context(struct xhci_hcd *xhci, struct xhci_command *cmd, 3917 dma_addr_t in_ctx_ptr, u32 slot_id, bool command_must_succeed) 3918 { 3919 return queue_command(xhci, cmd, lower_32_bits(in_ctx_ptr), 3920 upper_32_bits(in_ctx_ptr), 0, 3921 TRB_TYPE(TRB_EVAL_CONTEXT) | SLOT_ID_FOR_TRB(slot_id), 3922 command_must_succeed); 3923 } 3924 3925 /* 3926 * Suspend is set to indicate "Stop Endpoint Command" is being issued to stop 3927 * activity on an endpoint that is about to be suspended. 3928 */ 3929 int xhci_queue_stop_endpoint(struct xhci_hcd *xhci, struct xhci_command *cmd, 3930 int slot_id, unsigned int ep_index, int suspend) 3931 { 3932 u32 trb_slot_id = SLOT_ID_FOR_TRB(slot_id); 3933 u32 trb_ep_index = EP_ID_FOR_TRB(ep_index); 3934 u32 type = TRB_TYPE(TRB_STOP_RING); 3935 u32 trb_suspend = SUSPEND_PORT_FOR_TRB(suspend); 3936 3937 return queue_command(xhci, cmd, 0, 0, 0, 3938 trb_slot_id | trb_ep_index | type | trb_suspend, false); 3939 } 3940 3941 /* Set Transfer Ring Dequeue Pointer command */ 3942 void xhci_queue_new_dequeue_state(struct xhci_hcd *xhci, 3943 unsigned int slot_id, unsigned int ep_index, 3944 unsigned int stream_id, 3945 struct xhci_dequeue_state *deq_state) 3946 { 3947 dma_addr_t addr; 3948 u32 trb_slot_id = SLOT_ID_FOR_TRB(slot_id); 3949 u32 trb_ep_index = EP_ID_FOR_TRB(ep_index); 3950 u32 trb_stream_id = STREAM_ID_FOR_TRB(stream_id); 3951 u32 trb_sct = 0; 3952 u32 type = TRB_TYPE(TRB_SET_DEQ); 3953 struct xhci_virt_ep *ep; 3954 struct xhci_command *cmd; 3955 int ret; 3956 3957 xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, 3958 "Set TR Deq Ptr cmd, new deq seg = %p (0x%llx dma), new deq ptr = %p (0x%llx dma), new cycle = %u", 3959 deq_state->new_deq_seg, 3960 (unsigned long long)deq_state->new_deq_seg->dma, 3961 deq_state->new_deq_ptr, 3962 (unsigned long long)xhci_trb_virt_to_dma( 3963 deq_state->new_deq_seg, deq_state->new_deq_ptr), 3964 deq_state->new_cycle_state); 3965 3966 addr = xhci_trb_virt_to_dma(deq_state->new_deq_seg, 3967 deq_state->new_deq_ptr); 3968 if (addr == 0) { 3969 xhci_warn(xhci, "WARN Cannot submit Set TR Deq Ptr\n"); 3970 xhci_warn(xhci, "WARN deq seg = %p, deq pt = %p\n", 3971 deq_state->new_deq_seg, deq_state->new_deq_ptr); 3972 return; 3973 } 3974 ep = &xhci->devs[slot_id]->eps[ep_index]; 3975 if ((ep->ep_state & SET_DEQ_PENDING)) { 3976 xhci_warn(xhci, "WARN Cannot submit Set TR Deq Ptr\n"); 3977 xhci_warn(xhci, "A Set TR Deq Ptr command is pending.\n"); 3978 return; 3979 } 3980 3981 /* This function gets called from contexts where it cannot sleep */ 3982 cmd = xhci_alloc_command(xhci, false, false, GFP_ATOMIC); 3983 if (!cmd) { 3984 xhci_warn(xhci, "WARN Cannot submit Set TR Deq Ptr: ENOMEM\n"); 3985 return; 3986 } 3987 3988 ep->queued_deq_seg = deq_state->new_deq_seg; 3989 ep->queued_deq_ptr = deq_state->new_deq_ptr; 3990 if (stream_id) 3991 trb_sct = SCT_FOR_TRB(SCT_PRI_TR); 3992 ret = queue_command(xhci, cmd, 3993 lower_32_bits(addr) | trb_sct | deq_state->new_cycle_state, 3994 upper_32_bits(addr), trb_stream_id, 3995 trb_slot_id | trb_ep_index | type, false); 3996 if (ret < 0) { 3997 xhci_free_command(xhci, cmd); 3998 return; 3999 } 4000 4001 /* Stop the TD queueing code from ringing the doorbell until 4002 * this command completes. The HC won't set the dequeue pointer 4003 * if the ring is running, and ringing the doorbell starts the 4004 * ring running. 4005 */ 4006 ep->ep_state |= SET_DEQ_PENDING; 4007 } 4008 4009 int xhci_queue_reset_ep(struct xhci_hcd *xhci, struct xhci_command *cmd, 4010 int slot_id, unsigned int ep_index) 4011 { 4012 u32 trb_slot_id = SLOT_ID_FOR_TRB(slot_id); 4013 u32 trb_ep_index = EP_ID_FOR_TRB(ep_index); 4014 u32 type = TRB_TYPE(TRB_RESET_EP); 4015 4016 return queue_command(xhci, cmd, 0, 0, 0, 4017 trb_slot_id | trb_ep_index | type, false); 4018 } 4019