xref: /openbmc/u-boot/drivers/usb/host/xhci-ring.c (revision ed09a554)
1 /*
2  * USB HOST XHCI Controller stack
3  *
4  * Based on xHCI host controller driver in linux-kernel
5  * by Sarah Sharp.
6  *
7  * Copyright (C) 2008 Intel Corp.
8  * Author: Sarah Sharp
9  *
10  * Copyright (C) 2013 Samsung Electronics Co.Ltd
11  * Authors: Vivek Gautam <gautam.vivek@samsung.com>
12  *	    Vikas Sajjan <vikas.sajjan@samsung.com>
13  *
14  * SPDX-License-Identifier:	GPL-2.0+
15  */
16 
17 #include <common.h>
18 #include <asm/byteorder.h>
19 #include <usb.h>
20 #include <asm/unaligned.h>
21 #include <asm-generic/errno.h>
22 
23 #include "xhci.h"
24 
25 /**
26  * Is this TRB a link TRB or was the last TRB the last TRB in this event ring
27  * segment?  I.e. would the updated event TRB pointer step off the end of the
28  * event seg ?
29  *
30  * @param ctrl	Host controller data structure
31  * @param ring	pointer to the ring
32  * @param seg	poniter to the segment to which TRB belongs
33  * @param trb	poniter to the ring trb
34  * @return 1 if this TRB a link TRB else 0
35  */
36 static int last_trb(struct xhci_ctrl *ctrl, struct xhci_ring *ring,
37 			struct xhci_segment *seg, union xhci_trb *trb)
38 {
39 	if (ring == ctrl->event_ring)
40 		return trb == &seg->trbs[TRBS_PER_SEGMENT];
41 	else
42 		return TRB_TYPE_LINK_LE32(trb->link.control);
43 }
44 
45 /**
46  * Does this link TRB point to the first segment in a ring,
47  * or was the previous TRB the last TRB on the last segment in the ERST?
48  *
49  * @param ctrl	Host controller data structure
50  * @param ring	pointer to the ring
51  * @param seg	poniter to the segment to which TRB belongs
52  * @param trb	poniter to the ring trb
53  * @return 1 if this TRB is the last TRB on the last segment else 0
54  */
55 static bool last_trb_on_last_seg(struct xhci_ctrl *ctrl,
56 				 struct xhci_ring *ring,
57 				 struct xhci_segment *seg,
58 				 union xhci_trb *trb)
59 {
60 	if (ring == ctrl->event_ring)
61 		return ((trb == &seg->trbs[TRBS_PER_SEGMENT]) &&
62 			(seg->next == ring->first_seg));
63 	else
64 		return le32_to_cpu(trb->link.control) & LINK_TOGGLE;
65 }
66 
67 /**
68  * See Cycle bit rules. SW is the consumer for the event ring only.
69  * Don't make a ring full of link TRBs.  That would be dumb and this would loop.
70  *
71  * If we've just enqueued a TRB that is in the middle of a TD (meaning the
72  * chain bit is set), then set the chain bit in all the following link TRBs.
73  * If we've enqueued the last TRB in a TD, make sure the following link TRBs
74  * have their chain bit cleared (so that each Link TRB is a separate TD).
75  *
76  * Section 6.4.4.1 of the 0.95 spec says link TRBs cannot have the chain bit
77  * set, but other sections talk about dealing with the chain bit set.  This was
78  * fixed in the 0.96 specification errata, but we have to assume that all 0.95
79  * xHCI hardware can't handle the chain bit being cleared on a link TRB.
80  *
81  * @param ctrl	Host controller data structure
82  * @param ring	pointer to the ring
83  * @param more_trbs_coming	flag to indicate whether more trbs
84  *				are expected or NOT.
85  *				Will you enqueue more TRBs before calling
86  *				prepare_ring()?
87  * @return none
88  */
89 static void inc_enq(struct xhci_ctrl *ctrl, struct xhci_ring *ring,
90 						bool more_trbs_coming)
91 {
92 	u32 chain;
93 	union xhci_trb *next;
94 
95 	chain = le32_to_cpu(ring->enqueue->generic.field[3]) & TRB_CHAIN;
96 	next = ++(ring->enqueue);
97 
98 	/*
99 	 * Update the dequeue pointer further if that was a link TRB or we're at
100 	 * the end of an event ring segment (which doesn't have link TRBS)
101 	 */
102 	while (last_trb(ctrl, ring, ring->enq_seg, next)) {
103 		if (ring != ctrl->event_ring) {
104 			/*
105 			 * If the caller doesn't plan on enqueueing more
106 			 * TDs before ringing the doorbell, then we
107 			 * don't want to give the link TRB to the
108 			 * hardware just yet.  We'll give the link TRB
109 			 * back in prepare_ring() just before we enqueue
110 			 * the TD at the top of the ring.
111 			 */
112 			if (!chain && !more_trbs_coming)
113 				break;
114 
115 			/*
116 			 * If we're not dealing with 0.95 hardware or
117 			 * isoc rings on AMD 0.96 host,
118 			 * carry over the chain bit of the previous TRB
119 			 * (which may mean the chain bit is cleared).
120 			 */
121 			next->link.control &= cpu_to_le32(~TRB_CHAIN);
122 			next->link.control |= cpu_to_le32(chain);
123 
124 			next->link.control ^= cpu_to_le32(TRB_CYCLE);
125 			xhci_flush_cache((uintptr_t)next,
126 					 sizeof(union xhci_trb));
127 		}
128 		/* Toggle the cycle bit after the last ring segment. */
129 		if (last_trb_on_last_seg(ctrl, ring,
130 					ring->enq_seg, next))
131 			ring->cycle_state = (ring->cycle_state ? 0 : 1);
132 
133 		ring->enq_seg = ring->enq_seg->next;
134 		ring->enqueue = ring->enq_seg->trbs;
135 		next = ring->enqueue;
136 	}
137 }
138 
139 /**
140  * See Cycle bit rules. SW is the consumer for the event ring only.
141  * Don't make a ring full of link TRBs.  That would be dumb and this would loop.
142  *
143  * @param ctrl	Host controller data structure
144  * @param ring	Ring whose Dequeue TRB pointer needs to be incremented.
145  * return none
146  */
147 static void inc_deq(struct xhci_ctrl *ctrl, struct xhci_ring *ring)
148 {
149 	do {
150 		/*
151 		 * Update the dequeue pointer further if that was a link TRB or
152 		 * we're at the end of an event ring segment (which doesn't have
153 		 * link TRBS)
154 		 */
155 		if (last_trb(ctrl, ring, ring->deq_seg, ring->dequeue)) {
156 			if (ring == ctrl->event_ring &&
157 					last_trb_on_last_seg(ctrl, ring,
158 						ring->deq_seg, ring->dequeue)) {
159 				ring->cycle_state = (ring->cycle_state ? 0 : 1);
160 			}
161 			ring->deq_seg = ring->deq_seg->next;
162 			ring->dequeue = ring->deq_seg->trbs;
163 		} else {
164 			ring->dequeue++;
165 		}
166 	} while (last_trb(ctrl, ring, ring->deq_seg, ring->dequeue));
167 }
168 
169 /**
170  * Generic function for queueing a TRB on a ring.
171  * The caller must have checked to make sure there's room on the ring.
172  *
173  * @param	more_trbs_coming:   Will you enqueue more TRBs before calling
174  *				prepare_ring()?
175  * @param ctrl	Host controller data structure
176  * @param ring	pointer to the ring
177  * @param more_trbs_coming	flag to indicate whether more trbs
178  * @param trb_fields	pointer to trb field array containing TRB contents
179  * @return pointer to the enqueued trb
180  */
181 static struct xhci_generic_trb *queue_trb(struct xhci_ctrl *ctrl,
182 					  struct xhci_ring *ring,
183 					  bool more_trbs_coming,
184 					  unsigned int *trb_fields)
185 {
186 	struct xhci_generic_trb *trb;
187 	int i;
188 
189 	trb = &ring->enqueue->generic;
190 
191 	for (i = 0; i < 4; i++)
192 		trb->field[i] = cpu_to_le32(trb_fields[i]);
193 
194 	xhci_flush_cache((uintptr_t)trb, sizeof(struct xhci_generic_trb));
195 
196 	inc_enq(ctrl, ring, more_trbs_coming);
197 
198 	return trb;
199 }
200 
201 /**
202  * Does various checks on the endpoint ring, and makes it ready
203  * to queue num_trbs.
204  *
205  * @param ctrl		Host controller data structure
206  * @param ep_ring	pointer to the EP Transfer Ring
207  * @param ep_state	State of the End Point
208  * @return error code in case of invalid ep_state, 0 on success
209  */
210 static int prepare_ring(struct xhci_ctrl *ctrl, struct xhci_ring *ep_ring,
211 							u32 ep_state)
212 {
213 	union xhci_trb *next = ep_ring->enqueue;
214 
215 	/* Make sure the endpoint has been added to xHC schedule */
216 	switch (ep_state) {
217 	case EP_STATE_DISABLED:
218 		/*
219 		 * USB core changed config/interfaces without notifying us,
220 		 * or hardware is reporting the wrong state.
221 		 */
222 		puts("WARN urb submitted to disabled ep\n");
223 		return -ENOENT;
224 	case EP_STATE_ERROR:
225 		puts("WARN waiting for error on ep to be cleared\n");
226 		return -EINVAL;
227 	case EP_STATE_HALTED:
228 		puts("WARN halted endpoint, queueing URB anyway.\n");
229 	case EP_STATE_STOPPED:
230 	case EP_STATE_RUNNING:
231 		debug("EP STATE RUNNING.\n");
232 		break;
233 	default:
234 		puts("ERROR unknown endpoint state for ep\n");
235 		return -EINVAL;
236 	}
237 
238 	while (last_trb(ctrl, ep_ring, ep_ring->enq_seg, next)) {
239 		/*
240 		 * If we're not dealing with 0.95 hardware or isoc rings
241 		 * on AMD 0.96 host, clear the chain bit.
242 		 */
243 		next->link.control &= cpu_to_le32(~TRB_CHAIN);
244 
245 		next->link.control ^= cpu_to_le32(TRB_CYCLE);
246 
247 		xhci_flush_cache((uintptr_t)next, sizeof(union xhci_trb));
248 
249 		/* Toggle the cycle bit after the last ring segment. */
250 		if (last_trb_on_last_seg(ctrl, ep_ring,
251 					ep_ring->enq_seg, next))
252 			ep_ring->cycle_state = (ep_ring->cycle_state ? 0 : 1);
253 		ep_ring->enq_seg = ep_ring->enq_seg->next;
254 		ep_ring->enqueue = ep_ring->enq_seg->trbs;
255 		next = ep_ring->enqueue;
256 	}
257 
258 	return 0;
259 }
260 
261 /**
262  * Generic function for queueing a command TRB on the command ring.
263  * Check to make sure there's room on the command ring for one command TRB.
264  *
265  * @param ctrl		Host controller data structure
266  * @param ptr		Pointer address to write in the first two fields (opt.)
267  * @param slot_id	Slot ID to encode in the flags field (opt.)
268  * @param ep_index	Endpoint index to encode in the flags field (opt.)
269  * @param cmd		Command type to enqueue
270  * @return none
271  */
272 void xhci_queue_command(struct xhci_ctrl *ctrl, u8 *ptr, u32 slot_id,
273 			u32 ep_index, trb_type cmd)
274 {
275 	u32 fields[4];
276 	u64 val_64 = (uintptr_t)ptr;
277 
278 	BUG_ON(prepare_ring(ctrl, ctrl->cmd_ring, EP_STATE_RUNNING));
279 
280 	fields[0] = lower_32_bits(val_64);
281 	fields[1] = upper_32_bits(val_64);
282 	fields[2] = 0;
283 	fields[3] = TRB_TYPE(cmd) | EP_ID_FOR_TRB(ep_index) |
284 		    SLOT_ID_FOR_TRB(slot_id) | ctrl->cmd_ring->cycle_state;
285 
286 	queue_trb(ctrl, ctrl->cmd_ring, false, fields);
287 
288 	/* Ring the command ring doorbell */
289 	xhci_writel(&ctrl->dba->doorbell[0], DB_VALUE_HOST);
290 }
291 
292 /**
293  * The TD size is the number of bytes remaining in the TD (including this TRB),
294  * right shifted by 10.
295  * It must fit in bits 21:17, so it can't be bigger than 31.
296  *
297  * @param remainder	remaining packets to be sent
298  * @return remainder if remainder is less than max else max
299  */
300 static u32 xhci_td_remainder(unsigned int remainder)
301 {
302 	u32 max = (1 << (21 - 17 + 1)) - 1;
303 
304 	if ((remainder >> 10) >= max)
305 		return max << 17;
306 	else
307 		return (remainder >> 10) << 17;
308 }
309 
310 /**
311  * Finds out the remanining packets to be sent
312  *
313  * @param running_total	total size sent so far
314  * @param trb_buff_len	length of the TRB Buffer
315  * @param total_packet_count	total packet count
316  * @param maxpacketsize		max packet size of current pipe
317  * @param num_trbs_left		number of TRBs left to be processed
318  * @return 0 if running_total or trb_buff_len is 0, else remainder
319  */
320 static u32 xhci_v1_0_td_remainder(int running_total,
321 				int trb_buff_len,
322 				unsigned int total_packet_count,
323 				int maxpacketsize,
324 				unsigned int num_trbs_left)
325 {
326 	int packets_transferred;
327 
328 	/* One TRB with a zero-length data packet. */
329 	if (num_trbs_left == 0 || (running_total == 0 && trb_buff_len == 0))
330 		return 0;
331 
332 	/*
333 	 * All the TRB queueing functions don't count the current TRB in
334 	 * running_total.
335 	 */
336 	packets_transferred = (running_total + trb_buff_len) / maxpacketsize;
337 
338 	if ((total_packet_count - packets_transferred) > 31)
339 		return 31 << 17;
340 	return (total_packet_count - packets_transferred) << 17;
341 }
342 
343 /**
344  * Ring the doorbell of the End Point
345  *
346  * @param udev		pointer to the USB device structure
347  * @param ep_index	index of the endpoint
348  * @param start_cycle	cycle flag of the first TRB
349  * @param start_trb	pionter to the first TRB
350  * @return none
351  */
352 static void giveback_first_trb(struct usb_device *udev, int ep_index,
353 				int start_cycle,
354 				struct xhci_generic_trb *start_trb)
355 {
356 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
357 
358 	/*
359 	 * Pass all the TRBs to the hardware at once and make sure this write
360 	 * isn't reordered.
361 	 */
362 	if (start_cycle)
363 		start_trb->field[3] |= cpu_to_le32(start_cycle);
364 	else
365 		start_trb->field[3] &= cpu_to_le32(~TRB_CYCLE);
366 
367 	xhci_flush_cache((uintptr_t)start_trb, sizeof(struct xhci_generic_trb));
368 
369 	/* Ringing EP doorbell here */
370 	xhci_writel(&ctrl->dba->doorbell[udev->slot_id],
371 				DB_VALUE(ep_index, 0));
372 
373 	return;
374 }
375 
376 /**** POLLING mechanism for XHCI ****/
377 
378 /**
379  * Finalizes a handled event TRB by advancing our dequeue pointer and giving
380  * the TRB back to the hardware for recycling. Must call this exactly once at
381  * the end of each event handler, and not touch the TRB again afterwards.
382  *
383  * @param ctrl	Host controller data structure
384  * @return none
385  */
386 void xhci_acknowledge_event(struct xhci_ctrl *ctrl)
387 {
388 	/* Advance our dequeue pointer to the next event */
389 	inc_deq(ctrl, ctrl->event_ring);
390 
391 	/* Inform the hardware */
392 	xhci_writeq(&ctrl->ir_set->erst_dequeue,
393 		(uintptr_t)ctrl->event_ring->dequeue | ERST_EHB);
394 }
395 
396 /**
397  * Checks if there is a new event to handle on the event ring.
398  *
399  * @param ctrl	Host controller data structure
400  * @return 0 if failure else 1 on success
401  */
402 static int event_ready(struct xhci_ctrl *ctrl)
403 {
404 	union xhci_trb *event;
405 
406 	xhci_inval_cache((uintptr_t)ctrl->event_ring->dequeue,
407 			 sizeof(union xhci_trb));
408 
409 	event = ctrl->event_ring->dequeue;
410 
411 	/* Does the HC or OS own the TRB? */
412 	if ((le32_to_cpu(event->event_cmd.flags) & TRB_CYCLE) !=
413 		ctrl->event_ring->cycle_state)
414 		return 0;
415 
416 	return 1;
417 }
418 
419 /**
420  * Waits for a specific type of event and returns it. Discards unexpected
421  * events. Caller *must* call xhci_acknowledge_event() after it is finished
422  * processing the event, and must not access the returned pointer afterwards.
423  *
424  * @param ctrl		Host controller data structure
425  * @param expected	TRB type expected from Event TRB
426  * @return pointer to event trb
427  */
428 union xhci_trb *xhci_wait_for_event(struct xhci_ctrl *ctrl, trb_type expected)
429 {
430 	trb_type type;
431 	unsigned long ts = get_timer(0);
432 
433 	do {
434 		union xhci_trb *event = ctrl->event_ring->dequeue;
435 
436 		if (!event_ready(ctrl))
437 			continue;
438 
439 		type = TRB_FIELD_TO_TYPE(le32_to_cpu(event->event_cmd.flags));
440 		if (type == expected)
441 			return event;
442 
443 		if (type == TRB_PORT_STATUS)
444 		/* TODO: remove this once enumeration has been reworked */
445 			/*
446 			 * Port status change events always have a
447 			 * successful completion code
448 			 */
449 			BUG_ON(GET_COMP_CODE(
450 				le32_to_cpu(event->generic.field[2])) !=
451 								COMP_SUCCESS);
452 		else
453 			printf("Unexpected XHCI event TRB, skipping... "
454 				"(%08x %08x %08x %08x)\n",
455 				le32_to_cpu(event->generic.field[0]),
456 				le32_to_cpu(event->generic.field[1]),
457 				le32_to_cpu(event->generic.field[2]),
458 				le32_to_cpu(event->generic.field[3]));
459 
460 		xhci_acknowledge_event(ctrl);
461 	} while (get_timer(ts) < XHCI_TIMEOUT);
462 
463 	if (expected == TRB_TRANSFER)
464 		return NULL;
465 
466 	printf("XHCI timeout on event type %d... cannot recover.\n", expected);
467 	BUG();
468 }
469 
470 /*
471  * Stops transfer processing for an endpoint and throws away all unprocessed
472  * TRBs by setting the xHC's dequeue pointer to our enqueue pointer. The next
473  * xhci_bulk_tx/xhci_ctrl_tx on this enpoint will add new transfers there and
474  * ring the doorbell, causing this endpoint to start working again.
475  * (Careful: This will BUG() when there was no transfer in progress. Shouldn't
476  * happen in practice for current uses and is too complicated to fix right now.)
477  */
478 static void abort_td(struct usb_device *udev, int ep_index)
479 {
480 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
481 	struct xhci_ring *ring =  ctrl->devs[udev->slot_id]->eps[ep_index].ring;
482 	union xhci_trb *event;
483 	u32 field;
484 
485 	xhci_queue_command(ctrl, NULL, udev->slot_id, ep_index, TRB_STOP_RING);
486 
487 	event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
488 	field = le32_to_cpu(event->trans_event.flags);
489 	BUG_ON(TRB_TO_SLOT_ID(field) != udev->slot_id);
490 	BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
491 	BUG_ON(GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len
492 		!= COMP_STOP)));
493 	xhci_acknowledge_event(ctrl);
494 
495 	event = xhci_wait_for_event(ctrl, TRB_COMPLETION);
496 	BUG_ON(TRB_TO_SLOT_ID(le32_to_cpu(event->event_cmd.flags))
497 		!= udev->slot_id || GET_COMP_CODE(le32_to_cpu(
498 		event->event_cmd.status)) != COMP_SUCCESS);
499 	xhci_acknowledge_event(ctrl);
500 
501 	xhci_queue_command(ctrl, (void *)((uintptr_t)ring->enqueue |
502 		ring->cycle_state), udev->slot_id, ep_index, TRB_SET_DEQ);
503 	event = xhci_wait_for_event(ctrl, TRB_COMPLETION);
504 	BUG_ON(TRB_TO_SLOT_ID(le32_to_cpu(event->event_cmd.flags))
505 		!= udev->slot_id || GET_COMP_CODE(le32_to_cpu(
506 		event->event_cmd.status)) != COMP_SUCCESS);
507 	xhci_acknowledge_event(ctrl);
508 }
509 
510 static void record_transfer_result(struct usb_device *udev,
511 				   union xhci_trb *event, int length)
512 {
513 	udev->act_len = min(length, length -
514 		(int)EVENT_TRB_LEN(le32_to_cpu(event->trans_event.transfer_len)));
515 
516 	switch (GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len))) {
517 	case COMP_SUCCESS:
518 		BUG_ON(udev->act_len != length);
519 		/* fallthrough */
520 	case COMP_SHORT_TX:
521 		udev->status = 0;
522 		break;
523 	case COMP_STALL:
524 		udev->status = USB_ST_STALLED;
525 		break;
526 	case COMP_DB_ERR:
527 	case COMP_TRB_ERR:
528 		udev->status = USB_ST_BUF_ERR;
529 		break;
530 	case COMP_BABBLE:
531 		udev->status = USB_ST_BABBLE_DET;
532 		break;
533 	default:
534 		udev->status = 0x80;  /* USB_ST_TOO_LAZY_TO_MAKE_A_NEW_MACRO */
535 	}
536 }
537 
538 /**** Bulk and Control transfer methods ****/
539 /**
540  * Queues up the BULK Request
541  *
542  * @param udev		pointer to the USB device structure
543  * @param pipe		contains the DIR_IN or OUT , devnum
544  * @param length	length of the buffer
545  * @param buffer	buffer to be read/written based on the request
546  * @return returns 0 if successful else -1 on failure
547  */
548 int xhci_bulk_tx(struct usb_device *udev, unsigned long pipe,
549 			int length, void *buffer)
550 {
551 	int num_trbs = 0;
552 	struct xhci_generic_trb *start_trb;
553 	bool first_trb = 0;
554 	int start_cycle;
555 	u32 field = 0;
556 	u32 length_field = 0;
557 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
558 	int slot_id = udev->slot_id;
559 	int ep_index;
560 	struct xhci_virt_device *virt_dev;
561 	struct xhci_ep_ctx *ep_ctx;
562 	struct xhci_ring *ring;		/* EP transfer ring */
563 	union xhci_trb *event;
564 
565 	int running_total, trb_buff_len;
566 	unsigned int total_packet_count;
567 	int maxpacketsize;
568 	u64 addr;
569 	int ret;
570 	u32 trb_fields[4];
571 	u64 val_64 = (uintptr_t)buffer;
572 
573 	debug("dev=%p, pipe=%lx, buffer=%p, length=%d\n",
574 		udev, pipe, buffer, length);
575 
576 	ep_index = usb_pipe_ep_index(pipe);
577 	virt_dev = ctrl->devs[slot_id];
578 
579 	xhci_inval_cache((uintptr_t)virt_dev->out_ctx->bytes,
580 			 virt_dev->out_ctx->size);
581 
582 	ep_ctx = xhci_get_ep_ctx(ctrl, virt_dev->out_ctx, ep_index);
583 
584 	ring = virt_dev->eps[ep_index].ring;
585 	/*
586 	 * How much data is (potentially) left before the 64KB boundary?
587 	 * XHCI Spec puts restriction( TABLE 49 and 6.4.1 section of XHCI Spec)
588 	 * that the buffer should not span 64KB boundary. if so
589 	 * we send request in more than 1 TRB by chaining them.
590 	 */
591 	running_total = TRB_MAX_BUFF_SIZE -
592 			(lower_32_bits(val_64) & (TRB_MAX_BUFF_SIZE - 1));
593 	trb_buff_len = running_total;
594 	running_total &= TRB_MAX_BUFF_SIZE - 1;
595 
596 	/*
597 	 * If there's some data on this 64KB chunk, or we have to send a
598 	 * zero-length transfer, we need at least one TRB
599 	 */
600 	if (running_total != 0 || length == 0)
601 		num_trbs++;
602 
603 	/* How many more 64KB chunks to transfer, how many more TRBs? */
604 	while (running_total < length) {
605 		num_trbs++;
606 		running_total += TRB_MAX_BUFF_SIZE;
607 	}
608 
609 	/*
610 	 * XXX: Calling routine prepare_ring() called in place of
611 	 * prepare_trasfer() as there in 'Linux' since we are not
612 	 * maintaining multiple TDs/transfer at the same time.
613 	 */
614 	ret = prepare_ring(ctrl, ring,
615 			   le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK);
616 	if (ret < 0)
617 		return ret;
618 
619 	/*
620 	 * Don't give the first TRB to the hardware (by toggling the cycle bit)
621 	 * until we've finished creating all the other TRBs.  The ring's cycle
622 	 * state may change as we enqueue the other TRBs, so save it too.
623 	 */
624 	start_trb = &ring->enqueue->generic;
625 	start_cycle = ring->cycle_state;
626 
627 	running_total = 0;
628 	maxpacketsize = usb_maxpacket(udev, pipe);
629 
630 	total_packet_count = DIV_ROUND_UP(length, maxpacketsize);
631 
632 	/* How much data is in the first TRB? */
633 	/*
634 	 * How much data is (potentially) left before the 64KB boundary?
635 	 * XHCI Spec puts restriction( TABLE 49 and 6.4.1 section of XHCI Spec)
636 	 * that the buffer should not span 64KB boundary. if so
637 	 * we send request in more than 1 TRB by chaining them.
638 	 */
639 	addr = val_64;
640 
641 	if (trb_buff_len > length)
642 		trb_buff_len = length;
643 
644 	first_trb = true;
645 
646 	/* flush the buffer before use */
647 	xhci_flush_cache((uintptr_t)buffer, length);
648 
649 	/* Queue the first TRB, even if it's zero-length */
650 	do {
651 		u32 remainder = 0;
652 		field = 0;
653 		/* Don't change the cycle bit of the first TRB until later */
654 		if (first_trb) {
655 			first_trb = false;
656 			if (start_cycle == 0)
657 				field |= TRB_CYCLE;
658 		} else {
659 			field |= ring->cycle_state;
660 		}
661 
662 		/*
663 		 * Chain all the TRBs together; clear the chain bit in the last
664 		 * TRB to indicate it's the last TRB in the chain.
665 		 */
666 		if (num_trbs > 1)
667 			field |= TRB_CHAIN;
668 		else
669 			field |= TRB_IOC;
670 
671 		/* Only set interrupt on short packet for IN endpoints */
672 		if (usb_pipein(pipe))
673 			field |= TRB_ISP;
674 
675 		/* Set the TRB length, TD size, and interrupter fields. */
676 		if (HC_VERSION(xhci_readl(&ctrl->hccr->cr_capbase)) < 0x100)
677 			remainder = xhci_td_remainder(length - running_total);
678 		else
679 			remainder = xhci_v1_0_td_remainder(running_total,
680 							   trb_buff_len,
681 							   total_packet_count,
682 							   maxpacketsize,
683 							   num_trbs - 1);
684 
685 		length_field = ((trb_buff_len & TRB_LEN_MASK) |
686 				remainder |
687 				((0 & TRB_INTR_TARGET_MASK) <<
688 				TRB_INTR_TARGET_SHIFT));
689 
690 		trb_fields[0] = lower_32_bits(addr);
691 		trb_fields[1] = upper_32_bits(addr);
692 		trb_fields[2] = length_field;
693 		trb_fields[3] = field | (TRB_NORMAL << TRB_TYPE_SHIFT);
694 
695 		queue_trb(ctrl, ring, (num_trbs > 1), trb_fields);
696 
697 		--num_trbs;
698 
699 		running_total += trb_buff_len;
700 
701 		/* Calculate length for next transfer */
702 		addr += trb_buff_len;
703 		trb_buff_len = min((length - running_total), TRB_MAX_BUFF_SIZE);
704 	} while (running_total < length);
705 
706 	giveback_first_trb(udev, ep_index, start_cycle, start_trb);
707 
708 	event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
709 	if (!event) {
710 		debug("XHCI bulk transfer timed out, aborting...\n");
711 		abort_td(udev, ep_index);
712 		udev->status = USB_ST_NAK_REC;  /* closest thing to a timeout */
713 		udev->act_len = 0;
714 		return -ETIMEDOUT;
715 	}
716 	field = le32_to_cpu(event->trans_event.flags);
717 
718 	BUG_ON(TRB_TO_SLOT_ID(field) != slot_id);
719 	BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
720 	BUG_ON(*(void **)(uintptr_t)le64_to_cpu(event->trans_event.buffer) -
721 		buffer > (size_t)length);
722 
723 	record_transfer_result(udev, event, length);
724 	xhci_acknowledge_event(ctrl);
725 	xhci_inval_cache((uintptr_t)buffer, length);
726 
727 	return (udev->status != USB_ST_NOT_PROC) ? 0 : -1;
728 }
729 
730 /**
731  * Queues up the Control Transfer Request
732  *
733  * @param udev	pointer to the USB device structure
734  * @param pipe		contains the DIR_IN or OUT , devnum
735  * @param req		request type
736  * @param length	length of the buffer
737  * @param buffer	buffer to be read/written based on the request
738  * @return returns 0 if successful else error code on failure
739  */
740 int xhci_ctrl_tx(struct usb_device *udev, unsigned long pipe,
741 			struct devrequest *req,	int length,
742 			void *buffer)
743 {
744 	int ret;
745 	int start_cycle;
746 	int num_trbs;
747 	u32 field;
748 	u32 length_field;
749 	u64 buf_64 = 0;
750 	struct xhci_generic_trb *start_trb;
751 	struct xhci_ctrl *ctrl = xhci_get_ctrl(udev);
752 	int slot_id = udev->slot_id;
753 	int ep_index;
754 	u32 trb_fields[4];
755 	struct xhci_virt_device *virt_dev = ctrl->devs[slot_id];
756 	struct xhci_ring *ep_ring;
757 	union xhci_trb *event;
758 
759 	debug("req=%u (%#x), type=%u (%#x), value=%u (%#x), index=%u\n",
760 		req->request, req->request,
761 		req->requesttype, req->requesttype,
762 		le16_to_cpu(req->value), le16_to_cpu(req->value),
763 		le16_to_cpu(req->index));
764 
765 	ep_index = usb_pipe_ep_index(pipe);
766 
767 	ep_ring = virt_dev->eps[ep_index].ring;
768 
769 	/*
770 	 * Check to see if the max packet size for the default control
771 	 * endpoint changed during FS device enumeration
772 	 */
773 	if (udev->speed == USB_SPEED_FULL) {
774 		ret = xhci_check_maxpacket(udev);
775 		if (ret < 0)
776 			return ret;
777 	}
778 
779 	xhci_inval_cache((uintptr_t)virt_dev->out_ctx->bytes,
780 			 virt_dev->out_ctx->size);
781 
782 	struct xhci_ep_ctx *ep_ctx = NULL;
783 	ep_ctx = xhci_get_ep_ctx(ctrl, virt_dev->out_ctx, ep_index);
784 
785 	/* 1 TRB for setup, 1 for status */
786 	num_trbs = 2;
787 	/*
788 	 * Don't need to check if we need additional event data and normal TRBs,
789 	 * since data in control transfers will never get bigger than 16MB
790 	 * XXX: can we get a buffer that crosses 64KB boundaries?
791 	 */
792 
793 	if (length > 0)
794 		num_trbs++;
795 	/*
796 	 * XXX: Calling routine prepare_ring() called in place of
797 	 * prepare_trasfer() as there in 'Linux' since we are not
798 	 * maintaining multiple TDs/transfer at the same time.
799 	 */
800 	ret = prepare_ring(ctrl, ep_ring,
801 				le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK);
802 
803 	if (ret < 0)
804 		return ret;
805 
806 	/*
807 	 * Don't give the first TRB to the hardware (by toggling the cycle bit)
808 	 * until we've finished creating all the other TRBs.  The ring's cycle
809 	 * state may change as we enqueue the other TRBs, so save it too.
810 	 */
811 	start_trb = &ep_ring->enqueue->generic;
812 	start_cycle = ep_ring->cycle_state;
813 
814 	debug("start_trb %p, start_cycle %d\n", start_trb, start_cycle);
815 
816 	/* Queue setup TRB - see section 6.4.1.2.1 */
817 	/* FIXME better way to translate setup_packet into two u32 fields? */
818 	field = 0;
819 	field |= TRB_IDT | (TRB_SETUP << TRB_TYPE_SHIFT);
820 	if (start_cycle == 0)
821 		field |= 0x1;
822 
823 	/* xHCI 1.0 6.4.1.2.1: Transfer Type field */
824 	if (HC_VERSION(xhci_readl(&ctrl->hccr->cr_capbase)) == 0x100) {
825 		if (length > 0) {
826 			if (req->requesttype & USB_DIR_IN)
827 				field |= (TRB_DATA_IN << TRB_TX_TYPE_SHIFT);
828 			else
829 				field |= (TRB_DATA_OUT << TRB_TX_TYPE_SHIFT);
830 		}
831 	}
832 
833 	debug("req->requesttype = %d, req->request = %d,"
834 		"le16_to_cpu(req->value) = %d,"
835 		"le16_to_cpu(req->index) = %d,"
836 		"le16_to_cpu(req->length) = %d\n",
837 		req->requesttype, req->request, le16_to_cpu(req->value),
838 		le16_to_cpu(req->index), le16_to_cpu(req->length));
839 
840 	trb_fields[0] = req->requesttype | req->request << 8 |
841 				le16_to_cpu(req->value) << 16;
842 	trb_fields[1] = le16_to_cpu(req->index) |
843 			le16_to_cpu(req->length) << 16;
844 	/* TRB_LEN | (TRB_INTR_TARGET) */
845 	trb_fields[2] = (8 | ((0 & TRB_INTR_TARGET_MASK) <<
846 			TRB_INTR_TARGET_SHIFT));
847 	/* Immediate data in pointer */
848 	trb_fields[3] = field;
849 	queue_trb(ctrl, ep_ring, true, trb_fields);
850 
851 	/* Re-initializing field to zero */
852 	field = 0;
853 	/* If there's data, queue data TRBs */
854 	/* Only set interrupt on short packet for IN endpoints */
855 	if (usb_pipein(pipe))
856 		field = TRB_ISP | (TRB_DATA << TRB_TYPE_SHIFT);
857 	else
858 		field = (TRB_DATA << TRB_TYPE_SHIFT);
859 
860 	length_field = (length & TRB_LEN_MASK) | xhci_td_remainder(length) |
861 			((0 & TRB_INTR_TARGET_MASK) << TRB_INTR_TARGET_SHIFT);
862 	debug("length_field = %d, length = %d,"
863 		"xhci_td_remainder(length) = %d , TRB_INTR_TARGET(0) = %d\n",
864 		length_field, (length & TRB_LEN_MASK),
865 		xhci_td_remainder(length), 0);
866 
867 	if (length > 0) {
868 		if (req->requesttype & USB_DIR_IN)
869 			field |= TRB_DIR_IN;
870 		buf_64 = (uintptr_t)buffer;
871 
872 		trb_fields[0] = lower_32_bits(buf_64);
873 		trb_fields[1] = upper_32_bits(buf_64);
874 		trb_fields[2] = length_field;
875 		trb_fields[3] = field | ep_ring->cycle_state;
876 
877 		xhci_flush_cache((uintptr_t)buffer, length);
878 		queue_trb(ctrl, ep_ring, true, trb_fields);
879 	}
880 
881 	/*
882 	 * Queue status TRB -
883 	 * see Table 7 and sections 4.11.2.2 and 6.4.1.2.3
884 	 */
885 
886 	/* If the device sent data, the status stage is an OUT transfer */
887 	field = 0;
888 	if (length > 0 && req->requesttype & USB_DIR_IN)
889 		field = 0;
890 	else
891 		field = TRB_DIR_IN;
892 
893 	trb_fields[0] = 0;
894 	trb_fields[1] = 0;
895 	trb_fields[2] = ((0 & TRB_INTR_TARGET_MASK) << TRB_INTR_TARGET_SHIFT);
896 		/* Event on completion */
897 	trb_fields[3] = field | TRB_IOC |
898 			(TRB_STATUS << TRB_TYPE_SHIFT) |
899 			ep_ring->cycle_state;
900 
901 	queue_trb(ctrl, ep_ring, false, trb_fields);
902 
903 	giveback_first_trb(udev, ep_index, start_cycle, start_trb);
904 
905 	event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
906 	if (!event)
907 		goto abort;
908 	field = le32_to_cpu(event->trans_event.flags);
909 
910 	BUG_ON(TRB_TO_SLOT_ID(field) != slot_id);
911 	BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
912 
913 	record_transfer_result(udev, event, length);
914 	xhci_acknowledge_event(ctrl);
915 
916 	/* Invalidate buffer to make it available to usb-core */
917 	if (length > 0)
918 		xhci_inval_cache((uintptr_t)buffer, length);
919 
920 	if (GET_COMP_CODE(le32_to_cpu(event->trans_event.transfer_len))
921 			== COMP_SHORT_TX) {
922 		/* Short data stage, clear up additional status stage event */
923 		event = xhci_wait_for_event(ctrl, TRB_TRANSFER);
924 		if (!event)
925 			goto abort;
926 		BUG_ON(TRB_TO_SLOT_ID(field) != slot_id);
927 		BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
928 		xhci_acknowledge_event(ctrl);
929 	}
930 
931 	return (udev->status != USB_ST_NOT_PROC) ? 0 : -1;
932 
933 abort:
934 	debug("XHCI control transfer timed out, aborting...\n");
935 	abort_td(udev, ep_index);
936 	udev->status = USB_ST_NAK_REC;
937 	udev->act_len = 0;
938 	return -ETIMEDOUT;
939 }
940