1 /*
2  * MUSB OTG peripheral driver ep0 handling
3  *
4  * Copyright 2005 Mentor Graphics Corporation
5  * Copyright (C) 2005-2006 by Texas Instruments
6  * Copyright (C) 2006-2007 Nokia Corporation
7  * Copyright (C) 2008-2009 MontaVista Software, Inc. <source@mvista.com>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * version 2 as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License
19  * along with this program; if not, write to the Free Software
20  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
21  * 02110-1301 USA
22  *
23  * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
24  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
25  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
26  * NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
27  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
29  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
30  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  *
34  */
35 
36 #include <linux/kernel.h>
37 #include <linux/list.h>
38 #include <linux/timer.h>
39 #include <linux/spinlock.h>
40 #include <linux/init.h>
41 #include <linux/device.h>
42 #include <linux/interrupt.h>
43 
44 #include "musb_core.h"
45 
46 /* ep0 is always musb->endpoints[0].ep_in */
47 #define	next_ep0_request(musb)	next_in_request(&(musb)->endpoints[0])
48 
49 /*
50  * locking note:  we use only the controller lock, for simpler correctness.
51  * It's always held with IRQs blocked.
52  *
53  * It protects the ep0 request queue as well as ep0_state, not just the
54  * controller and indexed registers.  And that lock stays held unless it
55  * needs to be dropped to allow reentering this driver ... like upcalls to
56  * the gadget driver, or adjusting endpoint halt status.
57  */
58 
59 static char *decode_ep0stage(u8 stage)
60 {
61 	switch (stage) {
62 	case MUSB_EP0_STAGE_IDLE:	return "idle";
63 	case MUSB_EP0_STAGE_SETUP:	return "setup";
64 	case MUSB_EP0_STAGE_TX:		return "in";
65 	case MUSB_EP0_STAGE_RX:		return "out";
66 	case MUSB_EP0_STAGE_ACKWAIT:	return "wait";
67 	case MUSB_EP0_STAGE_STATUSIN:	return "in/status";
68 	case MUSB_EP0_STAGE_STATUSOUT:	return "out/status";
69 	default:			return "?";
70 	}
71 }
72 
73 /* handle a standard GET_STATUS request
74  * Context:  caller holds controller lock
75  */
76 static int service_tx_status_request(
77 	struct musb *musb,
78 	const struct usb_ctrlrequest *ctrlrequest)
79 {
80 	void __iomem	*mbase = musb->mregs;
81 	int handled = 1;
82 	u8 result[2], epnum = 0;
83 	const u8 recip = ctrlrequest->bRequestType & USB_RECIP_MASK;
84 
85 	result[1] = 0;
86 
87 	switch (recip) {
88 	case USB_RECIP_DEVICE:
89 		result[0] = musb->is_self_powered << USB_DEVICE_SELF_POWERED;
90 		result[0] |= musb->may_wakeup << USB_DEVICE_REMOTE_WAKEUP;
91 #ifdef CONFIG_USB_MUSB_OTG
92 		if (musb->g.is_otg) {
93 			result[0] |= musb->g.b_hnp_enable
94 				<< USB_DEVICE_B_HNP_ENABLE;
95 			result[0] |= musb->g.a_alt_hnp_support
96 				<< USB_DEVICE_A_ALT_HNP_SUPPORT;
97 			result[0] |= musb->g.a_hnp_support
98 				<< USB_DEVICE_A_HNP_SUPPORT;
99 		}
100 #endif
101 		break;
102 
103 	case USB_RECIP_INTERFACE:
104 		result[0] = 0;
105 		break;
106 
107 	case USB_RECIP_ENDPOINT: {
108 		int		is_in;
109 		struct musb_ep	*ep;
110 		u16		tmp;
111 		void __iomem	*regs;
112 
113 		epnum = (u8) ctrlrequest->wIndex;
114 		if (!epnum) {
115 			result[0] = 0;
116 			break;
117 		}
118 
119 		is_in = epnum & USB_DIR_IN;
120 		if (is_in) {
121 			epnum &= 0x0f;
122 			ep = &musb->endpoints[epnum].ep_in;
123 		} else {
124 			ep = &musb->endpoints[epnum].ep_out;
125 		}
126 		regs = musb->endpoints[epnum].regs;
127 
128 		if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
129 			handled = -EINVAL;
130 			break;
131 		}
132 
133 		musb_ep_select(mbase, epnum);
134 		if (is_in)
135 			tmp = musb_readw(regs, MUSB_TXCSR)
136 						& MUSB_TXCSR_P_SENDSTALL;
137 		else
138 			tmp = musb_readw(regs, MUSB_RXCSR)
139 						& MUSB_RXCSR_P_SENDSTALL;
140 		musb_ep_select(mbase, 0);
141 
142 		result[0] = tmp ? 1 : 0;
143 		} break;
144 
145 	default:
146 		/* class, vendor, etc ... delegate */
147 		handled = 0;
148 		break;
149 	}
150 
151 	/* fill up the fifo; caller updates csr0 */
152 	if (handled > 0) {
153 		u16	len = le16_to_cpu(ctrlrequest->wLength);
154 
155 		if (len > 2)
156 			len = 2;
157 		musb_write_fifo(&musb->endpoints[0], len, result);
158 	}
159 
160 	return handled;
161 }
162 
163 /*
164  * handle a control-IN request, the end0 buffer contains the current request
165  * that is supposed to be a standard control request. Assumes the fifo to
166  * be at least 2 bytes long.
167  *
168  * @return 0 if the request was NOT HANDLED,
169  * < 0 when error
170  * > 0 when the request is processed
171  *
172  * Context:  caller holds controller lock
173  */
174 static int
175 service_in_request(struct musb *musb, const struct usb_ctrlrequest *ctrlrequest)
176 {
177 	int handled = 0;	/* not handled */
178 
179 	if ((ctrlrequest->bRequestType & USB_TYPE_MASK)
180 			== USB_TYPE_STANDARD) {
181 		switch (ctrlrequest->bRequest) {
182 		case USB_REQ_GET_STATUS:
183 			handled = service_tx_status_request(musb,
184 					ctrlrequest);
185 			break;
186 
187 		/* case USB_REQ_SYNC_FRAME: */
188 
189 		default:
190 			break;
191 		}
192 	}
193 	return handled;
194 }
195 
196 /*
197  * Context:  caller holds controller lock
198  */
199 static void musb_g_ep0_giveback(struct musb *musb, struct usb_request *req)
200 {
201 	musb_g_giveback(&musb->endpoints[0].ep_in, req, 0);
202 }
203 
204 /*
205  * Tries to start B-device HNP negotiation if enabled via sysfs
206  */
207 static inline void musb_try_b_hnp_enable(struct musb *musb)
208 {
209 	void __iomem	*mbase = musb->mregs;
210 	u8		devctl;
211 
212 	DBG(1, "HNP: Setting HR\n");
213 	devctl = musb_readb(mbase, MUSB_DEVCTL);
214 	musb_writeb(mbase, MUSB_DEVCTL, devctl | MUSB_DEVCTL_HR);
215 }
216 
217 /*
218  * Handle all control requests with no DATA stage, including standard
219  * requests such as:
220  * USB_REQ_SET_CONFIGURATION, USB_REQ_SET_INTERFACE, unrecognized
221  *	always delegated to the gadget driver
222  * USB_REQ_SET_ADDRESS, USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE
223  *	always handled here, except for class/vendor/... features
224  *
225  * Context:  caller holds controller lock
226  */
227 static int
228 service_zero_data_request(struct musb *musb,
229 		struct usb_ctrlrequest *ctrlrequest)
230 __releases(musb->lock)
231 __acquires(musb->lock)
232 {
233 	int handled = -EINVAL;
234 	void __iomem *mbase = musb->mregs;
235 	const u8 recip = ctrlrequest->bRequestType & USB_RECIP_MASK;
236 
237 	/* the gadget driver handles everything except what we MUST handle */
238 	if ((ctrlrequest->bRequestType & USB_TYPE_MASK)
239 			== USB_TYPE_STANDARD) {
240 		switch (ctrlrequest->bRequest) {
241 		case USB_REQ_SET_ADDRESS:
242 			/* change it after the status stage */
243 			musb->set_address = true;
244 			musb->address = (u8) (ctrlrequest->wValue & 0x7f);
245 			handled = 1;
246 			break;
247 
248 		case USB_REQ_CLEAR_FEATURE:
249 			switch (recip) {
250 			case USB_RECIP_DEVICE:
251 				if (ctrlrequest->wValue
252 						!= USB_DEVICE_REMOTE_WAKEUP)
253 					break;
254 				musb->may_wakeup = 0;
255 				handled = 1;
256 				break;
257 			case USB_RECIP_INTERFACE:
258 				break;
259 			case USB_RECIP_ENDPOINT:{
260 				const u8		epnum =
261 					ctrlrequest->wIndex & 0x0f;
262 				struct musb_ep		*musb_ep;
263 				struct musb_hw_ep	*ep;
264 				void __iomem		*regs;
265 				int			is_in;
266 				u16			csr;
267 
268 				if (epnum == 0 || epnum >= MUSB_C_NUM_EPS ||
269 				    ctrlrequest->wValue != USB_ENDPOINT_HALT)
270 					break;
271 
272 				ep = musb->endpoints + epnum;
273 				regs = ep->regs;
274 				is_in = ctrlrequest->wIndex & USB_DIR_IN;
275 				if (is_in)
276 					musb_ep = &ep->ep_in;
277 				else
278 					musb_ep = &ep->ep_out;
279 				if (!musb_ep->desc)
280 					break;
281 
282 				handled = 1;
283 				/* Ignore request if endpoint is wedged */
284 				if (musb_ep->wedged)
285 					break;
286 
287 				musb_ep_select(mbase, epnum);
288 				if (is_in) {
289 					csr  = musb_readw(regs, MUSB_TXCSR);
290 					csr |= MUSB_TXCSR_CLRDATATOG |
291 					       MUSB_TXCSR_P_WZC_BITS;
292 					csr &= ~(MUSB_TXCSR_P_SENDSTALL |
293 						 MUSB_TXCSR_P_SENTSTALL |
294 						 MUSB_TXCSR_TXPKTRDY);
295 					musb_writew(regs, MUSB_TXCSR, csr);
296 				} else {
297 					csr  = musb_readw(regs, MUSB_RXCSR);
298 					csr |= MUSB_RXCSR_CLRDATATOG |
299 					       MUSB_RXCSR_P_WZC_BITS;
300 					csr &= ~(MUSB_RXCSR_P_SENDSTALL |
301 						 MUSB_RXCSR_P_SENTSTALL);
302 					musb_writew(regs, MUSB_RXCSR, csr);
303 				}
304 
305 				/* select ep0 again */
306 				musb_ep_select(mbase, 0);
307 				} break;
308 			default:
309 				/* class, vendor, etc ... delegate */
310 				handled = 0;
311 				break;
312 			}
313 			break;
314 
315 		case USB_REQ_SET_FEATURE:
316 			switch (recip) {
317 			case USB_RECIP_DEVICE:
318 				handled = 1;
319 				switch (ctrlrequest->wValue) {
320 				case USB_DEVICE_REMOTE_WAKEUP:
321 					musb->may_wakeup = 1;
322 					break;
323 				case USB_DEVICE_TEST_MODE:
324 					if (musb->g.speed != USB_SPEED_HIGH)
325 						goto stall;
326 					if (ctrlrequest->wIndex & 0xff)
327 						goto stall;
328 
329 					switch (ctrlrequest->wIndex >> 8) {
330 					case 1:
331 						pr_debug("TEST_J\n");
332 						/* TEST_J */
333 						musb->test_mode_nr =
334 							MUSB_TEST_J;
335 						break;
336 					case 2:
337 						/* TEST_K */
338 						pr_debug("TEST_K\n");
339 						musb->test_mode_nr =
340 							MUSB_TEST_K;
341 						break;
342 					case 3:
343 						/* TEST_SE0_NAK */
344 						pr_debug("TEST_SE0_NAK\n");
345 						musb->test_mode_nr =
346 							MUSB_TEST_SE0_NAK;
347 						break;
348 					case 4:
349 						/* TEST_PACKET */
350 						pr_debug("TEST_PACKET\n");
351 						musb->test_mode_nr =
352 							MUSB_TEST_PACKET;
353 						break;
354 					default:
355 						goto stall;
356 					}
357 
358 					/* enter test mode after irq */
359 					if (handled > 0)
360 						musb->test_mode = true;
361 					break;
362 #ifdef CONFIG_USB_MUSB_OTG
363 				case USB_DEVICE_B_HNP_ENABLE:
364 					if (!musb->g.is_otg)
365 						goto stall;
366 					musb->g.b_hnp_enable = 1;
367 					musb_try_b_hnp_enable(musb);
368 					break;
369 				case USB_DEVICE_A_HNP_SUPPORT:
370 					if (!musb->g.is_otg)
371 						goto stall;
372 					musb->g.a_hnp_support = 1;
373 					break;
374 				case USB_DEVICE_A_ALT_HNP_SUPPORT:
375 					if (!musb->g.is_otg)
376 						goto stall;
377 					musb->g.a_alt_hnp_support = 1;
378 					break;
379 #endif
380 stall:
381 				default:
382 					handled = -EINVAL;
383 					break;
384 				}
385 				break;
386 
387 			case USB_RECIP_INTERFACE:
388 				break;
389 
390 			case USB_RECIP_ENDPOINT:{
391 				const u8		epnum =
392 					ctrlrequest->wIndex & 0x0f;
393 				struct musb_ep		*musb_ep;
394 				struct musb_hw_ep	*ep;
395 				void __iomem		*regs;
396 				int			is_in;
397 				u16			csr;
398 
399 				if (epnum == 0 || epnum >= MUSB_C_NUM_EPS ||
400 				    ctrlrequest->wValue	!= USB_ENDPOINT_HALT)
401 					break;
402 
403 				ep = musb->endpoints + epnum;
404 				regs = ep->regs;
405 				is_in = ctrlrequest->wIndex & USB_DIR_IN;
406 				if (is_in)
407 					musb_ep = &ep->ep_in;
408 				else
409 					musb_ep = &ep->ep_out;
410 				if (!musb_ep->desc)
411 					break;
412 
413 				musb_ep_select(mbase, epnum);
414 				if (is_in) {
415 					csr = musb_readw(regs, MUSB_TXCSR);
416 					if (csr & MUSB_TXCSR_FIFONOTEMPTY)
417 						csr |= MUSB_TXCSR_FLUSHFIFO;
418 					csr |= MUSB_TXCSR_P_SENDSTALL
419 						| MUSB_TXCSR_CLRDATATOG
420 						| MUSB_TXCSR_P_WZC_BITS;
421 					musb_writew(regs, MUSB_TXCSR, csr);
422 				} else {
423 					csr = musb_readw(regs, MUSB_RXCSR);
424 					csr |= MUSB_RXCSR_P_SENDSTALL
425 						| MUSB_RXCSR_FLUSHFIFO
426 						| MUSB_RXCSR_CLRDATATOG
427 						| MUSB_RXCSR_P_WZC_BITS;
428 					musb_writew(regs, MUSB_RXCSR, csr);
429 				}
430 
431 				/* select ep0 again */
432 				musb_ep_select(mbase, 0);
433 				handled = 1;
434 				} break;
435 
436 			default:
437 				/* class, vendor, etc ... delegate */
438 				handled = 0;
439 				break;
440 			}
441 			break;
442 		default:
443 			/* delegate SET_CONFIGURATION, etc */
444 			handled = 0;
445 		}
446 	} else
447 		handled = 0;
448 	return handled;
449 }
450 
451 /* we have an ep0out data packet
452  * Context:  caller holds controller lock
453  */
454 static void ep0_rxstate(struct musb *musb)
455 {
456 	void __iomem		*regs = musb->control_ep->regs;
457 	struct usb_request	*req;
458 	u16			count, csr;
459 
460 	req = next_ep0_request(musb);
461 
462 	/* read packet and ack; or stall because of gadget driver bug:
463 	 * should have provided the rx buffer before setup() returned.
464 	 */
465 	if (req) {
466 		void		*buf = req->buf + req->actual;
467 		unsigned	len = req->length - req->actual;
468 
469 		/* read the buffer */
470 		count = musb_readb(regs, MUSB_COUNT0);
471 		if (count > len) {
472 			req->status = -EOVERFLOW;
473 			count = len;
474 		}
475 		musb_read_fifo(&musb->endpoints[0], count, buf);
476 		req->actual += count;
477 		csr = MUSB_CSR0_P_SVDRXPKTRDY;
478 		if (count < 64 || req->actual == req->length) {
479 			musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
480 			csr |= MUSB_CSR0_P_DATAEND;
481 		} else
482 			req = NULL;
483 	} else
484 		csr = MUSB_CSR0_P_SVDRXPKTRDY | MUSB_CSR0_P_SENDSTALL;
485 
486 
487 	/* Completion handler may choose to stall, e.g. because the
488 	 * message just received holds invalid data.
489 	 */
490 	if (req) {
491 		musb->ackpend = csr;
492 		musb_g_ep0_giveback(musb, req);
493 		if (!musb->ackpend)
494 			return;
495 		musb->ackpend = 0;
496 	}
497 	musb_ep_select(musb->mregs, 0);
498 	musb_writew(regs, MUSB_CSR0, csr);
499 }
500 
501 /*
502  * transmitting to the host (IN), this code might be called from IRQ
503  * and from kernel thread.
504  *
505  * Context:  caller holds controller lock
506  */
507 static void ep0_txstate(struct musb *musb)
508 {
509 	void __iomem		*regs = musb->control_ep->regs;
510 	struct usb_request	*request = next_ep0_request(musb);
511 	u16			csr = MUSB_CSR0_TXPKTRDY;
512 	u8			*fifo_src;
513 	u8			fifo_count;
514 
515 	if (!request) {
516 		/* WARN_ON(1); */
517 		DBG(2, "odd; csr0 %04x\n", musb_readw(regs, MUSB_CSR0));
518 		return;
519 	}
520 
521 	/* load the data */
522 	fifo_src = (u8 *) request->buf + request->actual;
523 	fifo_count = min((unsigned) MUSB_EP0_FIFOSIZE,
524 		request->length - request->actual);
525 	musb_write_fifo(&musb->endpoints[0], fifo_count, fifo_src);
526 	request->actual += fifo_count;
527 
528 	/* update the flags */
529 	if (fifo_count < MUSB_MAX_END0_PACKET
530 			|| (request->actual == request->length
531 				&& !request->zero)) {
532 		musb->ep0_state = MUSB_EP0_STAGE_STATUSOUT;
533 		csr |= MUSB_CSR0_P_DATAEND;
534 	} else
535 		request = NULL;
536 
537 	/* report completions as soon as the fifo's loaded; there's no
538 	 * win in waiting till this last packet gets acked.  (other than
539 	 * very precise fault reporting, needed by USB TMC; possible with
540 	 * this hardware, but not usable from portable gadget drivers.)
541 	 */
542 	if (request) {
543 		musb->ackpend = csr;
544 		musb_g_ep0_giveback(musb, request);
545 		if (!musb->ackpend)
546 			return;
547 		musb->ackpend = 0;
548 	}
549 
550 	/* send it out, triggering a "txpktrdy cleared" irq */
551 	musb_ep_select(musb->mregs, 0);
552 	musb_writew(regs, MUSB_CSR0, csr);
553 }
554 
555 /*
556  * Read a SETUP packet (struct usb_ctrlrequest) from the hardware.
557  * Fields are left in USB byte-order.
558  *
559  * Context:  caller holds controller lock.
560  */
561 static void
562 musb_read_setup(struct musb *musb, struct usb_ctrlrequest *req)
563 {
564 	struct usb_request	*r;
565 	void __iomem		*regs = musb->control_ep->regs;
566 
567 	musb_read_fifo(&musb->endpoints[0], sizeof *req, (u8 *)req);
568 
569 	/* NOTE:  earlier 2.6 versions changed setup packets to host
570 	 * order, but now USB packets always stay in USB byte order.
571 	 */
572 	DBG(3, "SETUP req%02x.%02x v%04x i%04x l%d\n",
573 		req->bRequestType,
574 		req->bRequest,
575 		le16_to_cpu(req->wValue),
576 		le16_to_cpu(req->wIndex),
577 		le16_to_cpu(req->wLength));
578 
579 	/* clean up any leftover transfers */
580 	r = next_ep0_request(musb);
581 	if (r)
582 		musb_g_ep0_giveback(musb, r);
583 
584 	/* For zero-data requests we want to delay the STATUS stage to
585 	 * avoid SETUPEND errors.  If we read data (OUT), delay accepting
586 	 * packets until there's a buffer to store them in.
587 	 *
588 	 * If we write data, the controller acts happier if we enable
589 	 * the TX FIFO right away, and give the controller a moment
590 	 * to switch modes...
591 	 */
592 	musb->set_address = false;
593 	musb->ackpend = MUSB_CSR0_P_SVDRXPKTRDY;
594 	if (req->wLength == 0) {
595 		if (req->bRequestType & USB_DIR_IN)
596 			musb->ackpend |= MUSB_CSR0_TXPKTRDY;
597 		musb->ep0_state = MUSB_EP0_STAGE_ACKWAIT;
598 	} else if (req->bRequestType & USB_DIR_IN) {
599 		musb->ep0_state = MUSB_EP0_STAGE_TX;
600 		musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SVDRXPKTRDY);
601 		while ((musb_readw(regs, MUSB_CSR0)
602 				& MUSB_CSR0_RXPKTRDY) != 0)
603 			cpu_relax();
604 		musb->ackpend = 0;
605 	} else
606 		musb->ep0_state = MUSB_EP0_STAGE_RX;
607 }
608 
609 static int
610 forward_to_driver(struct musb *musb, const struct usb_ctrlrequest *ctrlrequest)
611 __releases(musb->lock)
612 __acquires(musb->lock)
613 {
614 	int retval;
615 	if (!musb->gadget_driver)
616 		return -EOPNOTSUPP;
617 	spin_unlock(&musb->lock);
618 	retval = musb->gadget_driver->setup(&musb->g, ctrlrequest);
619 	spin_lock(&musb->lock);
620 	return retval;
621 }
622 
623 /*
624  * Handle peripheral ep0 interrupt
625  *
626  * Context: irq handler; we won't re-enter the driver that way.
627  */
628 irqreturn_t musb_g_ep0_irq(struct musb *musb)
629 {
630 	u16		csr;
631 	u16		len;
632 	void __iomem	*mbase = musb->mregs;
633 	void __iomem	*regs = musb->endpoints[0].regs;
634 	irqreturn_t	retval = IRQ_NONE;
635 
636 	musb_ep_select(mbase, 0);	/* select ep0 */
637 	csr = musb_readw(regs, MUSB_CSR0);
638 	len = musb_readb(regs, MUSB_COUNT0);
639 
640 	DBG(4, "csr %04x, count %d, myaddr %d, ep0stage %s\n",
641 			csr, len,
642 			musb_readb(mbase, MUSB_FADDR),
643 			decode_ep0stage(musb->ep0_state));
644 
645 	/* I sent a stall.. need to acknowledge it now.. */
646 	if (csr & MUSB_CSR0_P_SENTSTALL) {
647 		musb_writew(regs, MUSB_CSR0,
648 				csr & ~MUSB_CSR0_P_SENTSTALL);
649 		retval = IRQ_HANDLED;
650 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
651 		csr = musb_readw(regs, MUSB_CSR0);
652 	}
653 
654 	/* request ended "early" */
655 	if (csr & MUSB_CSR0_P_SETUPEND) {
656 		musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SVDSETUPEND);
657 		retval = IRQ_HANDLED;
658 		/* Transition into the early status phase */
659 		switch (musb->ep0_state) {
660 		case MUSB_EP0_STAGE_TX:
661 			musb->ep0_state = MUSB_EP0_STAGE_STATUSOUT;
662 			break;
663 		case MUSB_EP0_STAGE_RX:
664 			musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
665 			break;
666 		default:
667 			ERR("SetupEnd came in a wrong ep0stage %s\n",
668 			    decode_ep0stage(musb->ep0_state));
669 		}
670 		csr = musb_readw(regs, MUSB_CSR0);
671 		/* NOTE:  request may need completion */
672 	}
673 
674 	/* docs from Mentor only describe tx, rx, and idle/setup states.
675 	 * we need to handle nuances around status stages, and also the
676 	 * case where status and setup stages come back-to-back ...
677 	 */
678 	switch (musb->ep0_state) {
679 
680 	case MUSB_EP0_STAGE_TX:
681 		/* irq on clearing txpktrdy */
682 		if ((csr & MUSB_CSR0_TXPKTRDY) == 0) {
683 			ep0_txstate(musb);
684 			retval = IRQ_HANDLED;
685 		}
686 		break;
687 
688 	case MUSB_EP0_STAGE_RX:
689 		/* irq on set rxpktrdy */
690 		if (csr & MUSB_CSR0_RXPKTRDY) {
691 			ep0_rxstate(musb);
692 			retval = IRQ_HANDLED;
693 		}
694 		break;
695 
696 	case MUSB_EP0_STAGE_STATUSIN:
697 		/* end of sequence #2 (OUT/RX state) or #3 (no data) */
698 
699 		/* update address (if needed) only @ the end of the
700 		 * status phase per usb spec, which also guarantees
701 		 * we get 10 msec to receive this irq... until this
702 		 * is done we won't see the next packet.
703 		 */
704 		if (musb->set_address) {
705 			musb->set_address = false;
706 			musb_writeb(mbase, MUSB_FADDR, musb->address);
707 		}
708 
709 		/* enter test mode if needed (exit by reset) */
710 		else if (musb->test_mode) {
711 			DBG(1, "entering TESTMODE\n");
712 
713 			if (MUSB_TEST_PACKET == musb->test_mode_nr)
714 				musb_load_testpacket(musb);
715 
716 			musb_writeb(mbase, MUSB_TESTMODE,
717 					musb->test_mode_nr);
718 		}
719 		/* FALLTHROUGH */
720 
721 	case MUSB_EP0_STAGE_STATUSOUT:
722 		/* end of sequence #1: write to host (TX state) */
723 		{
724 			struct usb_request	*req;
725 
726 			req = next_ep0_request(musb);
727 			if (req)
728 				musb_g_ep0_giveback(musb, req);
729 		}
730 
731 		/*
732 		 * In case when several interrupts can get coalesced,
733 		 * check to see if we've already received a SETUP packet...
734 		 */
735 		if (csr & MUSB_CSR0_RXPKTRDY)
736 			goto setup;
737 
738 		retval = IRQ_HANDLED;
739 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
740 		break;
741 
742 	case MUSB_EP0_STAGE_IDLE:
743 		/*
744 		 * This state is typically (but not always) indiscernible
745 		 * from the status states since the corresponding interrupts
746 		 * tend to happen within too little period of time (with only
747 		 * a zero-length packet in between) and so get coalesced...
748 		 */
749 		retval = IRQ_HANDLED;
750 		musb->ep0_state = MUSB_EP0_STAGE_SETUP;
751 		/* FALLTHROUGH */
752 
753 	case MUSB_EP0_STAGE_SETUP:
754 setup:
755 		if (csr & MUSB_CSR0_RXPKTRDY) {
756 			struct usb_ctrlrequest	setup;
757 			int			handled = 0;
758 
759 			if (len != 8) {
760 				ERR("SETUP packet len %d != 8 ?\n", len);
761 				break;
762 			}
763 			musb_read_setup(musb, &setup);
764 			retval = IRQ_HANDLED;
765 
766 			/* sometimes the RESET won't be reported */
767 			if (unlikely(musb->g.speed == USB_SPEED_UNKNOWN)) {
768 				u8	power;
769 
770 				printk(KERN_NOTICE "%s: peripheral reset "
771 						"irq lost!\n",
772 						musb_driver_name);
773 				power = musb_readb(mbase, MUSB_POWER);
774 				musb->g.speed = (power & MUSB_POWER_HSMODE)
775 					? USB_SPEED_HIGH : USB_SPEED_FULL;
776 
777 			}
778 
779 			switch (musb->ep0_state) {
780 
781 			/* sequence #3 (no data stage), includes requests
782 			 * we can't forward (notably SET_ADDRESS and the
783 			 * device/endpoint feature set/clear operations)
784 			 * plus SET_CONFIGURATION and others we must
785 			 */
786 			case MUSB_EP0_STAGE_ACKWAIT:
787 				handled = service_zero_data_request(
788 						musb, &setup);
789 
790 				/*
791 				 * We're expecting no data in any case, so
792 				 * always set the DATAEND bit -- doing this
793 				 * here helps avoid SetupEnd interrupt coming
794 				 * in the idle stage when we're stalling...
795 				 */
796 				musb->ackpend |= MUSB_CSR0_P_DATAEND;
797 
798 				/* status stage might be immediate */
799 				if (handled > 0)
800 					musb->ep0_state =
801 						MUSB_EP0_STAGE_STATUSIN;
802 				break;
803 
804 			/* sequence #1 (IN to host), includes GET_STATUS
805 			 * requests that we can't forward, GET_DESCRIPTOR
806 			 * and others that we must
807 			 */
808 			case MUSB_EP0_STAGE_TX:
809 				handled = service_in_request(musb, &setup);
810 				if (handled > 0) {
811 					musb->ackpend = MUSB_CSR0_TXPKTRDY
812 						| MUSB_CSR0_P_DATAEND;
813 					musb->ep0_state =
814 						MUSB_EP0_STAGE_STATUSOUT;
815 				}
816 				break;
817 
818 			/* sequence #2 (OUT from host), always forward */
819 			default:		/* MUSB_EP0_STAGE_RX */
820 				break;
821 			}
822 
823 			DBG(3, "handled %d, csr %04x, ep0stage %s\n",
824 				handled, csr,
825 				decode_ep0stage(musb->ep0_state));
826 
827 			/* unless we need to delegate this to the gadget
828 			 * driver, we know how to wrap this up:  csr0 has
829 			 * not yet been written.
830 			 */
831 			if (handled < 0)
832 				goto stall;
833 			else if (handled > 0)
834 				goto finish;
835 
836 			handled = forward_to_driver(musb, &setup);
837 			if (handled < 0) {
838 				musb_ep_select(mbase, 0);
839 stall:
840 				DBG(3, "stall (%d)\n", handled);
841 				musb->ackpend |= MUSB_CSR0_P_SENDSTALL;
842 				musb->ep0_state = MUSB_EP0_STAGE_IDLE;
843 finish:
844 				musb_writew(regs, MUSB_CSR0,
845 						musb->ackpend);
846 				musb->ackpend = 0;
847 			}
848 		}
849 		break;
850 
851 	case MUSB_EP0_STAGE_ACKWAIT:
852 		/* This should not happen. But happens with tusb6010 with
853 		 * g_file_storage and high speed. Do nothing.
854 		 */
855 		retval = IRQ_HANDLED;
856 		break;
857 
858 	default:
859 		/* "can't happen" */
860 		WARN_ON(1);
861 		musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SENDSTALL);
862 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
863 		break;
864 	}
865 
866 	return retval;
867 }
868 
869 
870 static int
871 musb_g_ep0_enable(struct usb_ep *ep, const struct usb_endpoint_descriptor *desc)
872 {
873 	/* always enabled */
874 	return -EINVAL;
875 }
876 
877 static int musb_g_ep0_disable(struct usb_ep *e)
878 {
879 	/* always enabled */
880 	return -EINVAL;
881 }
882 
883 static int
884 musb_g_ep0_queue(struct usb_ep *e, struct usb_request *r, gfp_t gfp_flags)
885 {
886 	struct musb_ep		*ep;
887 	struct musb_request	*req;
888 	struct musb		*musb;
889 	int			status;
890 	unsigned long		lockflags;
891 	void __iomem		*regs;
892 
893 	if (!e || !r)
894 		return -EINVAL;
895 
896 	ep = to_musb_ep(e);
897 	musb = ep->musb;
898 	regs = musb->control_ep->regs;
899 
900 	req = to_musb_request(r);
901 	req->musb = musb;
902 	req->request.actual = 0;
903 	req->request.status = -EINPROGRESS;
904 	req->tx = ep->is_in;
905 
906 	spin_lock_irqsave(&musb->lock, lockflags);
907 
908 	if (!list_empty(&ep->req_list)) {
909 		status = -EBUSY;
910 		goto cleanup;
911 	}
912 
913 	switch (musb->ep0_state) {
914 	case MUSB_EP0_STAGE_RX:		/* control-OUT data */
915 	case MUSB_EP0_STAGE_TX:		/* control-IN data */
916 	case MUSB_EP0_STAGE_ACKWAIT:	/* zero-length data */
917 		status = 0;
918 		break;
919 	default:
920 		DBG(1, "ep0 request queued in state %d\n",
921 				musb->ep0_state);
922 		status = -EINVAL;
923 		goto cleanup;
924 	}
925 
926 	/* add request to the list */
927 	list_add_tail(&(req->request.list), &(ep->req_list));
928 
929 	DBG(3, "queue to %s (%s), length=%d\n",
930 			ep->name, ep->is_in ? "IN/TX" : "OUT/RX",
931 			req->request.length);
932 
933 	musb_ep_select(musb->mregs, 0);
934 
935 	/* sequence #1, IN ... start writing the data */
936 	if (musb->ep0_state == MUSB_EP0_STAGE_TX)
937 		ep0_txstate(musb);
938 
939 	/* sequence #3, no-data ... issue IN status */
940 	else if (musb->ep0_state == MUSB_EP0_STAGE_ACKWAIT) {
941 		if (req->request.length)
942 			status = -EINVAL;
943 		else {
944 			musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
945 			musb_writew(regs, MUSB_CSR0,
946 					musb->ackpend | MUSB_CSR0_P_DATAEND);
947 			musb->ackpend = 0;
948 			musb_g_ep0_giveback(ep->musb, r);
949 		}
950 
951 	/* else for sequence #2 (OUT), caller provides a buffer
952 	 * before the next packet arrives.  deferred responses
953 	 * (after SETUP is acked) are racey.
954 	 */
955 	} else if (musb->ackpend) {
956 		musb_writew(regs, MUSB_CSR0, musb->ackpend);
957 		musb->ackpend = 0;
958 	}
959 
960 cleanup:
961 	spin_unlock_irqrestore(&musb->lock, lockflags);
962 	return status;
963 }
964 
965 static int musb_g_ep0_dequeue(struct usb_ep *ep, struct usb_request *req)
966 {
967 	/* we just won't support this */
968 	return -EINVAL;
969 }
970 
971 static int musb_g_ep0_halt(struct usb_ep *e, int value)
972 {
973 	struct musb_ep		*ep;
974 	struct musb		*musb;
975 	void __iomem		*base, *regs;
976 	unsigned long		flags;
977 	int			status;
978 	u16			csr;
979 
980 	if (!e || !value)
981 		return -EINVAL;
982 
983 	ep = to_musb_ep(e);
984 	musb = ep->musb;
985 	base = musb->mregs;
986 	regs = musb->control_ep->regs;
987 	status = 0;
988 
989 	spin_lock_irqsave(&musb->lock, flags);
990 
991 	if (!list_empty(&ep->req_list)) {
992 		status = -EBUSY;
993 		goto cleanup;
994 	}
995 
996 	musb_ep_select(base, 0);
997 	csr = musb->ackpend;
998 
999 	switch (musb->ep0_state) {
1000 
1001 	/* Stalls are usually issued after parsing SETUP packet, either
1002 	 * directly in irq context from setup() or else later.
1003 	 */
1004 	case MUSB_EP0_STAGE_TX:		/* control-IN data */
1005 	case MUSB_EP0_STAGE_ACKWAIT:	/* STALL for zero-length data */
1006 	case MUSB_EP0_STAGE_RX:		/* control-OUT data */
1007 		csr = musb_readw(regs, MUSB_CSR0);
1008 		/* FALLTHROUGH */
1009 
1010 	/* It's also OK to issue stalls during callbacks when a non-empty
1011 	 * DATA stage buffer has been read (or even written).
1012 	 */
1013 	case MUSB_EP0_STAGE_STATUSIN:	/* control-OUT status */
1014 	case MUSB_EP0_STAGE_STATUSOUT:	/* control-IN status */
1015 
1016 		csr |= MUSB_CSR0_P_SENDSTALL;
1017 		musb_writew(regs, MUSB_CSR0, csr);
1018 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
1019 		musb->ackpend = 0;
1020 		break;
1021 	default:
1022 		DBG(1, "ep0 can't halt in state %d\n", musb->ep0_state);
1023 		status = -EINVAL;
1024 	}
1025 
1026 cleanup:
1027 	spin_unlock_irqrestore(&musb->lock, flags);
1028 	return status;
1029 }
1030 
1031 const struct usb_ep_ops musb_g_ep0_ops = {
1032 	.enable		= musb_g_ep0_enable,
1033 	.disable	= musb_g_ep0_disable,
1034 	.alloc_request	= musb_alloc_request,
1035 	.free_request	= musb_free_request,
1036 	.queue		= musb_g_ep0_queue,
1037 	.dequeue	= musb_g_ep0_dequeue,
1038 	.set_halt	= musb_g_ep0_halt,
1039 };
1040