1 /*
2  * MUSB OTG peripheral driver ep0 handling
3  *
4  * Copyright 2005 Mentor Graphics Corporation
5  * Copyright (C) 2005-2006 by Texas Instruments
6  * Copyright (C) 2006-2007 Nokia Corporation
7  * Copyright (C) 2008-2009 MontaVista Software, Inc. <source@mvista.com>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * version 2 as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License
19  * along with this program; if not, write to the Free Software
20  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
21  * 02110-1301 USA
22  *
23  * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
24  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
25  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
26  * NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
27  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
29  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
30  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  *
34  */
35 
36 #define __UBOOT__
37 #ifndef __UBOOT__
38 #include <linux/kernel.h>
39 #include <linux/list.h>
40 #include <linux/timer.h>
41 #include <linux/spinlock.h>
42 #include <linux/device.h>
43 #include <linux/interrupt.h>
44 #else
45 #include <common.h>
46 #include "linux-compat.h"
47 #endif
48 
49 #include "musb_core.h"
50 
51 /* ep0 is always musb->endpoints[0].ep_in */
52 #define	next_ep0_request(musb)	next_in_request(&(musb)->endpoints[0])
53 
54 /*
55  * locking note:  we use only the controller lock, for simpler correctness.
56  * It's always held with IRQs blocked.
57  *
58  * It protects the ep0 request queue as well as ep0_state, not just the
59  * controller and indexed registers.  And that lock stays held unless it
60  * needs to be dropped to allow reentering this driver ... like upcalls to
61  * the gadget driver, or adjusting endpoint halt status.
62  */
63 
64 static char *decode_ep0stage(u8 stage)
65 {
66 	switch (stage) {
67 	case MUSB_EP0_STAGE_IDLE:	return "idle";
68 	case MUSB_EP0_STAGE_SETUP:	return "setup";
69 	case MUSB_EP0_STAGE_TX:		return "in";
70 	case MUSB_EP0_STAGE_RX:		return "out";
71 	case MUSB_EP0_STAGE_ACKWAIT:	return "wait";
72 	case MUSB_EP0_STAGE_STATUSIN:	return "in/status";
73 	case MUSB_EP0_STAGE_STATUSOUT:	return "out/status";
74 	default:			return "?";
75 	}
76 }
77 
78 /* handle a standard GET_STATUS request
79  * Context:  caller holds controller lock
80  */
81 static int service_tx_status_request(
82 	struct musb *musb,
83 	const struct usb_ctrlrequest *ctrlrequest)
84 {
85 	void __iomem	*mbase = musb->mregs;
86 	int handled = 1;
87 	u8 result[2], epnum = 0;
88 	const u8 recip = ctrlrequest->bRequestType & USB_RECIP_MASK;
89 
90 	result[1] = 0;
91 
92 	switch (recip) {
93 	case USB_RECIP_DEVICE:
94 		result[0] = musb->is_self_powered << USB_DEVICE_SELF_POWERED;
95 		result[0] |= musb->may_wakeup << USB_DEVICE_REMOTE_WAKEUP;
96 		if (musb->g.is_otg) {
97 			result[0] |= musb->g.b_hnp_enable
98 				<< USB_DEVICE_B_HNP_ENABLE;
99 			result[0] |= musb->g.a_alt_hnp_support
100 				<< USB_DEVICE_A_ALT_HNP_SUPPORT;
101 			result[0] |= musb->g.a_hnp_support
102 				<< USB_DEVICE_A_HNP_SUPPORT;
103 		}
104 		break;
105 
106 	case USB_RECIP_INTERFACE:
107 		result[0] = 0;
108 		break;
109 
110 	case USB_RECIP_ENDPOINT: {
111 		int		is_in;
112 		struct musb_ep	*ep;
113 		u16		tmp;
114 		void __iomem	*regs;
115 
116 		epnum = (u8) ctrlrequest->wIndex;
117 		if (!epnum) {
118 			result[0] = 0;
119 			break;
120 		}
121 
122 		is_in = epnum & USB_DIR_IN;
123 		if (is_in) {
124 			epnum &= 0x0f;
125 			ep = &musb->endpoints[epnum].ep_in;
126 		} else {
127 			ep = &musb->endpoints[epnum].ep_out;
128 		}
129 		regs = musb->endpoints[epnum].regs;
130 
131 		if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
132 			handled = -EINVAL;
133 			break;
134 		}
135 
136 		musb_ep_select(mbase, epnum);
137 		if (is_in)
138 			tmp = musb_readw(regs, MUSB_TXCSR)
139 						& MUSB_TXCSR_P_SENDSTALL;
140 		else
141 			tmp = musb_readw(regs, MUSB_RXCSR)
142 						& MUSB_RXCSR_P_SENDSTALL;
143 		musb_ep_select(mbase, 0);
144 
145 		result[0] = tmp ? 1 : 0;
146 		} break;
147 
148 	default:
149 		/* class, vendor, etc ... delegate */
150 		handled = 0;
151 		break;
152 	}
153 
154 	/* fill up the fifo; caller updates csr0 */
155 	if (handled > 0) {
156 		u16	len = le16_to_cpu(ctrlrequest->wLength);
157 
158 		if (len > 2)
159 			len = 2;
160 		musb_write_fifo(&musb->endpoints[0], len, result);
161 	}
162 
163 	return handled;
164 }
165 
166 /*
167  * handle a control-IN request, the end0 buffer contains the current request
168  * that is supposed to be a standard control request. Assumes the fifo to
169  * be at least 2 bytes long.
170  *
171  * @return 0 if the request was NOT HANDLED,
172  * < 0 when error
173  * > 0 when the request is processed
174  *
175  * Context:  caller holds controller lock
176  */
177 static int
178 service_in_request(struct musb *musb, const struct usb_ctrlrequest *ctrlrequest)
179 {
180 	int handled = 0;	/* not handled */
181 
182 	if ((ctrlrequest->bRequestType & USB_TYPE_MASK)
183 			== USB_TYPE_STANDARD) {
184 		switch (ctrlrequest->bRequest) {
185 		case USB_REQ_GET_STATUS:
186 			handled = service_tx_status_request(musb,
187 					ctrlrequest);
188 			break;
189 
190 		/* case USB_REQ_SYNC_FRAME: */
191 
192 		default:
193 			break;
194 		}
195 	}
196 	return handled;
197 }
198 
199 /*
200  * Context:  caller holds controller lock
201  */
202 static void musb_g_ep0_giveback(struct musb *musb, struct usb_request *req)
203 {
204 	musb_g_giveback(&musb->endpoints[0].ep_in, req, 0);
205 }
206 
207 /*
208  * Tries to start B-device HNP negotiation if enabled via sysfs
209  */
210 static inline void musb_try_b_hnp_enable(struct musb *musb)
211 {
212 	void __iomem	*mbase = musb->mregs;
213 	u8		devctl;
214 
215 	dev_dbg(musb->controller, "HNP: Setting HR\n");
216 	devctl = musb_readb(mbase, MUSB_DEVCTL);
217 	musb_writeb(mbase, MUSB_DEVCTL, devctl | MUSB_DEVCTL_HR);
218 }
219 
220 /*
221  * Handle all control requests with no DATA stage, including standard
222  * requests such as:
223  * USB_REQ_SET_CONFIGURATION, USB_REQ_SET_INTERFACE, unrecognized
224  *	always delegated to the gadget driver
225  * USB_REQ_SET_ADDRESS, USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE
226  *	always handled here, except for class/vendor/... features
227  *
228  * Context:  caller holds controller lock
229  */
230 static int
231 service_zero_data_request(struct musb *musb,
232 		struct usb_ctrlrequest *ctrlrequest)
233 __releases(musb->lock)
234 __acquires(musb->lock)
235 {
236 	int handled = -EINVAL;
237 	void __iomem *mbase = musb->mregs;
238 	const u8 recip = ctrlrequest->bRequestType & USB_RECIP_MASK;
239 
240 	/* the gadget driver handles everything except what we MUST handle */
241 	if ((ctrlrequest->bRequestType & USB_TYPE_MASK)
242 			== USB_TYPE_STANDARD) {
243 		switch (ctrlrequest->bRequest) {
244 		case USB_REQ_SET_ADDRESS:
245 			/* change it after the status stage */
246 			musb->set_address = true;
247 			musb->address = (u8) (ctrlrequest->wValue & 0x7f);
248 			handled = 1;
249 			break;
250 
251 		case USB_REQ_CLEAR_FEATURE:
252 			switch (recip) {
253 			case USB_RECIP_DEVICE:
254 				if (ctrlrequest->wValue
255 						!= USB_DEVICE_REMOTE_WAKEUP)
256 					break;
257 				musb->may_wakeup = 0;
258 				handled = 1;
259 				break;
260 			case USB_RECIP_INTERFACE:
261 				break;
262 			case USB_RECIP_ENDPOINT:{
263 				const u8		epnum =
264 					ctrlrequest->wIndex & 0x0f;
265 				struct musb_ep		*musb_ep;
266 				struct musb_hw_ep	*ep;
267 				struct musb_request	*request;
268 				void __iomem		*regs;
269 				int			is_in;
270 				u16			csr;
271 
272 				if (epnum == 0 || epnum >= MUSB_C_NUM_EPS ||
273 				    ctrlrequest->wValue != USB_ENDPOINT_HALT)
274 					break;
275 
276 				ep = musb->endpoints + epnum;
277 				regs = ep->regs;
278 				is_in = ctrlrequest->wIndex & USB_DIR_IN;
279 				if (is_in)
280 					musb_ep = &ep->ep_in;
281 				else
282 					musb_ep = &ep->ep_out;
283 				if (!musb_ep->desc)
284 					break;
285 
286 				handled = 1;
287 				/* Ignore request if endpoint is wedged */
288 				if (musb_ep->wedged)
289 					break;
290 
291 				musb_ep_select(mbase, epnum);
292 				if (is_in) {
293 					csr  = musb_readw(regs, MUSB_TXCSR);
294 					csr |= MUSB_TXCSR_CLRDATATOG |
295 					       MUSB_TXCSR_P_WZC_BITS;
296 					csr &= ~(MUSB_TXCSR_P_SENDSTALL |
297 						 MUSB_TXCSR_P_SENTSTALL |
298 						 MUSB_TXCSR_TXPKTRDY);
299 					musb_writew(regs, MUSB_TXCSR, csr);
300 				} else {
301 					csr  = musb_readw(regs, MUSB_RXCSR);
302 					csr |= MUSB_RXCSR_CLRDATATOG |
303 					       MUSB_RXCSR_P_WZC_BITS;
304 					csr &= ~(MUSB_RXCSR_P_SENDSTALL |
305 						 MUSB_RXCSR_P_SENTSTALL);
306 					musb_writew(regs, MUSB_RXCSR, csr);
307 				}
308 
309 				/* Maybe start the first request in the queue */
310 				request = next_request(musb_ep);
311 				if (!musb_ep->busy && request) {
312 					dev_dbg(musb->controller, "restarting the request\n");
313 					musb_ep_restart(musb, request);
314 				}
315 
316 				/* select ep0 again */
317 				musb_ep_select(mbase, 0);
318 				} break;
319 			default:
320 				/* class, vendor, etc ... delegate */
321 				handled = 0;
322 				break;
323 			}
324 			break;
325 
326 		case USB_REQ_SET_FEATURE:
327 			switch (recip) {
328 			case USB_RECIP_DEVICE:
329 				handled = 1;
330 				switch (ctrlrequest->wValue) {
331 				case USB_DEVICE_REMOTE_WAKEUP:
332 					musb->may_wakeup = 1;
333 					break;
334 				case USB_DEVICE_TEST_MODE:
335 					if (musb->g.speed != USB_SPEED_HIGH)
336 						goto stall;
337 					if (ctrlrequest->wIndex & 0xff)
338 						goto stall;
339 
340 					switch (ctrlrequest->wIndex >> 8) {
341 					case 1:
342 						pr_debug("TEST_J\n");
343 						/* TEST_J */
344 						musb->test_mode_nr =
345 							MUSB_TEST_J;
346 						break;
347 					case 2:
348 						/* TEST_K */
349 						pr_debug("TEST_K\n");
350 						musb->test_mode_nr =
351 							MUSB_TEST_K;
352 						break;
353 					case 3:
354 						/* TEST_SE0_NAK */
355 						pr_debug("TEST_SE0_NAK\n");
356 						musb->test_mode_nr =
357 							MUSB_TEST_SE0_NAK;
358 						break;
359 					case 4:
360 						/* TEST_PACKET */
361 						pr_debug("TEST_PACKET\n");
362 						musb->test_mode_nr =
363 							MUSB_TEST_PACKET;
364 						break;
365 
366 					case 0xc0:
367 						/* TEST_FORCE_HS */
368 						pr_debug("TEST_FORCE_HS\n");
369 						musb->test_mode_nr =
370 							MUSB_TEST_FORCE_HS;
371 						break;
372 					case 0xc1:
373 						/* TEST_FORCE_FS */
374 						pr_debug("TEST_FORCE_FS\n");
375 						musb->test_mode_nr =
376 							MUSB_TEST_FORCE_FS;
377 						break;
378 					case 0xc2:
379 						/* TEST_FIFO_ACCESS */
380 						pr_debug("TEST_FIFO_ACCESS\n");
381 						musb->test_mode_nr =
382 							MUSB_TEST_FIFO_ACCESS;
383 						break;
384 					case 0xc3:
385 						/* TEST_FORCE_HOST */
386 						pr_debug("TEST_FORCE_HOST\n");
387 						musb->test_mode_nr =
388 							MUSB_TEST_FORCE_HOST;
389 						break;
390 					default:
391 						goto stall;
392 					}
393 
394 					/* enter test mode after irq */
395 					if (handled > 0)
396 						musb->test_mode = true;
397 					break;
398 				case USB_DEVICE_B_HNP_ENABLE:
399 					if (!musb->g.is_otg)
400 						goto stall;
401 					musb->g.b_hnp_enable = 1;
402 					musb_try_b_hnp_enable(musb);
403 					break;
404 				case USB_DEVICE_A_HNP_SUPPORT:
405 					if (!musb->g.is_otg)
406 						goto stall;
407 					musb->g.a_hnp_support = 1;
408 					break;
409 				case USB_DEVICE_A_ALT_HNP_SUPPORT:
410 					if (!musb->g.is_otg)
411 						goto stall;
412 					musb->g.a_alt_hnp_support = 1;
413 					break;
414 				case USB_DEVICE_DEBUG_MODE:
415 					handled = 0;
416 					break;
417 stall:
418 				default:
419 					handled = -EINVAL;
420 					break;
421 				}
422 				break;
423 
424 			case USB_RECIP_INTERFACE:
425 				break;
426 
427 			case USB_RECIP_ENDPOINT:{
428 				const u8		epnum =
429 					ctrlrequest->wIndex & 0x0f;
430 				struct musb_ep		*musb_ep;
431 				struct musb_hw_ep	*ep;
432 				void __iomem		*regs;
433 				int			is_in;
434 				u16			csr;
435 
436 				if (epnum == 0 || epnum >= MUSB_C_NUM_EPS ||
437 				    ctrlrequest->wValue	!= USB_ENDPOINT_HALT)
438 					break;
439 
440 				ep = musb->endpoints + epnum;
441 				regs = ep->regs;
442 				is_in = ctrlrequest->wIndex & USB_DIR_IN;
443 				if (is_in)
444 					musb_ep = &ep->ep_in;
445 				else
446 					musb_ep = &ep->ep_out;
447 				if (!musb_ep->desc)
448 					break;
449 
450 				musb_ep_select(mbase, epnum);
451 				if (is_in) {
452 					csr = musb_readw(regs, MUSB_TXCSR);
453 					if (csr & MUSB_TXCSR_FIFONOTEMPTY)
454 						csr |= MUSB_TXCSR_FLUSHFIFO;
455 					csr |= MUSB_TXCSR_P_SENDSTALL
456 						| MUSB_TXCSR_CLRDATATOG
457 						| MUSB_TXCSR_P_WZC_BITS;
458 					musb_writew(regs, MUSB_TXCSR, csr);
459 				} else {
460 					csr = musb_readw(regs, MUSB_RXCSR);
461 					csr |= MUSB_RXCSR_P_SENDSTALL
462 						| MUSB_RXCSR_FLUSHFIFO
463 						| MUSB_RXCSR_CLRDATATOG
464 						| MUSB_RXCSR_P_WZC_BITS;
465 					musb_writew(regs, MUSB_RXCSR, csr);
466 				}
467 
468 				/* select ep0 again */
469 				musb_ep_select(mbase, 0);
470 				handled = 1;
471 				} break;
472 
473 			default:
474 				/* class, vendor, etc ... delegate */
475 				handled = 0;
476 				break;
477 			}
478 			break;
479 		default:
480 			/* delegate SET_CONFIGURATION, etc */
481 			handled = 0;
482 		}
483 	} else
484 		handled = 0;
485 	return handled;
486 }
487 
488 /* we have an ep0out data packet
489  * Context:  caller holds controller lock
490  */
491 static void ep0_rxstate(struct musb *musb)
492 {
493 	void __iomem		*regs = musb->control_ep->regs;
494 	struct musb_request	*request;
495 	struct usb_request	*req;
496 	u16			count, csr;
497 
498 	request = next_ep0_request(musb);
499 	req = &request->request;
500 
501 	/* read packet and ack; or stall because of gadget driver bug:
502 	 * should have provided the rx buffer before setup() returned.
503 	 */
504 	if (req) {
505 		void		*buf = req->buf + req->actual;
506 		unsigned	len = req->length - req->actual;
507 
508 		/* read the buffer */
509 		count = musb_readb(regs, MUSB_COUNT0);
510 		if (count > len) {
511 			req->status = -EOVERFLOW;
512 			count = len;
513 		}
514 		musb_read_fifo(&musb->endpoints[0], count, buf);
515 		req->actual += count;
516 		csr = MUSB_CSR0_P_SVDRXPKTRDY;
517 		if (count < 64 || req->actual == req->length) {
518 			musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
519 			csr |= MUSB_CSR0_P_DATAEND;
520 		} else
521 			req = NULL;
522 	} else
523 		csr = MUSB_CSR0_P_SVDRXPKTRDY | MUSB_CSR0_P_SENDSTALL;
524 
525 
526 	/* Completion handler may choose to stall, e.g. because the
527 	 * message just received holds invalid data.
528 	 */
529 	if (req) {
530 		musb->ackpend = csr;
531 		musb_g_ep0_giveback(musb, req);
532 		if (!musb->ackpend)
533 			return;
534 		musb->ackpend = 0;
535 	}
536 	musb_ep_select(musb->mregs, 0);
537 	musb_writew(regs, MUSB_CSR0, csr);
538 }
539 
540 /*
541  * transmitting to the host (IN), this code might be called from IRQ
542  * and from kernel thread.
543  *
544  * Context:  caller holds controller lock
545  */
546 static void ep0_txstate(struct musb *musb)
547 {
548 	void __iomem		*regs = musb->control_ep->regs;
549 	struct musb_request	*req = next_ep0_request(musb);
550 	struct usb_request	*request;
551 	u16			csr = MUSB_CSR0_TXPKTRDY;
552 	u8			*fifo_src;
553 	u8			fifo_count;
554 
555 	if (!req) {
556 		/* WARN_ON(1); */
557 		dev_dbg(musb->controller, "odd; csr0 %04x\n", musb_readw(regs, MUSB_CSR0));
558 		return;
559 	}
560 
561 	request = &req->request;
562 
563 	/* load the data */
564 	fifo_src = (u8 *) request->buf + request->actual;
565 	fifo_count = min((unsigned) MUSB_EP0_FIFOSIZE,
566 		request->length - request->actual);
567 	musb_write_fifo(&musb->endpoints[0], fifo_count, fifo_src);
568 	request->actual += fifo_count;
569 
570 	/* update the flags */
571 	if (fifo_count < MUSB_MAX_END0_PACKET
572 			|| (request->actual == request->length
573 				&& !request->zero)) {
574 		musb->ep0_state = MUSB_EP0_STAGE_STATUSOUT;
575 		csr |= MUSB_CSR0_P_DATAEND;
576 	} else
577 		request = NULL;
578 
579 	/* send it out, triggering a "txpktrdy cleared" irq */
580 	musb_ep_select(musb->mregs, 0);
581 	musb_writew(regs, MUSB_CSR0, csr);
582 
583 	/* report completions as soon as the fifo's loaded; there's no
584 	 * win in waiting till this last packet gets acked.  (other than
585 	 * very precise fault reporting, needed by USB TMC; possible with
586 	 * this hardware, but not usable from portable gadget drivers.)
587 	 */
588 	if (request) {
589 		musb->ackpend = csr;
590 		musb_g_ep0_giveback(musb, request);
591 		if (!musb->ackpend)
592 			return;
593 		musb->ackpend = 0;
594 	}
595 }
596 
597 /*
598  * Read a SETUP packet (struct usb_ctrlrequest) from the hardware.
599  * Fields are left in USB byte-order.
600  *
601  * Context:  caller holds controller lock.
602  */
603 static void
604 musb_read_setup(struct musb *musb, struct usb_ctrlrequest *req)
605 {
606 	struct musb_request	*r;
607 	void __iomem		*regs = musb->control_ep->regs;
608 
609 	musb_read_fifo(&musb->endpoints[0], sizeof *req, (u8 *)req);
610 
611 	/* NOTE:  earlier 2.6 versions changed setup packets to host
612 	 * order, but now USB packets always stay in USB byte order.
613 	 */
614 	dev_dbg(musb->controller, "SETUP req%02x.%02x v%04x i%04x l%d\n",
615 		req->bRequestType,
616 		req->bRequest,
617 		le16_to_cpu(req->wValue),
618 		le16_to_cpu(req->wIndex),
619 		le16_to_cpu(req->wLength));
620 
621 	/* clean up any leftover transfers */
622 	r = next_ep0_request(musb);
623 	if (r)
624 		musb_g_ep0_giveback(musb, &r->request);
625 
626 	/* For zero-data requests we want to delay the STATUS stage to
627 	 * avoid SETUPEND errors.  If we read data (OUT), delay accepting
628 	 * packets until there's a buffer to store them in.
629 	 *
630 	 * If we write data, the controller acts happier if we enable
631 	 * the TX FIFO right away, and give the controller a moment
632 	 * to switch modes...
633 	 */
634 	musb->set_address = false;
635 	musb->ackpend = MUSB_CSR0_P_SVDRXPKTRDY;
636 	if (req->wLength == 0) {
637 		if (req->bRequestType & USB_DIR_IN)
638 			musb->ackpend |= MUSB_CSR0_TXPKTRDY;
639 		musb->ep0_state = MUSB_EP0_STAGE_ACKWAIT;
640 	} else if (req->bRequestType & USB_DIR_IN) {
641 		musb->ep0_state = MUSB_EP0_STAGE_TX;
642 		musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SVDRXPKTRDY);
643 		while ((musb_readw(regs, MUSB_CSR0)
644 				& MUSB_CSR0_RXPKTRDY) != 0)
645 			cpu_relax();
646 		musb->ackpend = 0;
647 	} else
648 		musb->ep0_state = MUSB_EP0_STAGE_RX;
649 }
650 
651 static int
652 forward_to_driver(struct musb *musb, const struct usb_ctrlrequest *ctrlrequest)
653 __releases(musb->lock)
654 __acquires(musb->lock)
655 {
656 	int retval;
657 	if (!musb->gadget_driver)
658 		return -EOPNOTSUPP;
659 	spin_unlock(&musb->lock);
660 	retval = musb->gadget_driver->setup(&musb->g, ctrlrequest);
661 	spin_lock(&musb->lock);
662 	return retval;
663 }
664 
665 /*
666  * Handle peripheral ep0 interrupt
667  *
668  * Context: irq handler; we won't re-enter the driver that way.
669  */
670 irqreturn_t musb_g_ep0_irq(struct musb *musb)
671 {
672 	u16		csr;
673 	u16		len;
674 	void __iomem	*mbase = musb->mregs;
675 	void __iomem	*regs = musb->endpoints[0].regs;
676 	irqreturn_t	retval = IRQ_NONE;
677 
678 	musb_ep_select(mbase, 0);	/* select ep0 */
679 	csr = musb_readw(regs, MUSB_CSR0);
680 	len = musb_readb(regs, MUSB_COUNT0);
681 
682 	dev_dbg(musb->controller, "csr %04x, count %d, myaddr %d, ep0stage %s\n",
683 			csr, len,
684 			musb_readb(mbase, MUSB_FADDR),
685 			decode_ep0stage(musb->ep0_state));
686 
687 	if (csr & MUSB_CSR0_P_DATAEND) {
688 		/*
689 		 * If DATAEND is set we should not call the callback,
690 		 * hence the status stage is not complete.
691 		 */
692 		return IRQ_HANDLED;
693 	}
694 
695 	/* I sent a stall.. need to acknowledge it now.. */
696 	if (csr & MUSB_CSR0_P_SENTSTALL) {
697 		musb_writew(regs, MUSB_CSR0,
698 				csr & ~MUSB_CSR0_P_SENTSTALL);
699 		retval = IRQ_HANDLED;
700 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
701 		csr = musb_readw(regs, MUSB_CSR0);
702 	}
703 
704 	/* request ended "early" */
705 	if (csr & MUSB_CSR0_P_SETUPEND) {
706 		musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SVDSETUPEND);
707 		retval = IRQ_HANDLED;
708 		/* Transition into the early status phase */
709 		switch (musb->ep0_state) {
710 		case MUSB_EP0_STAGE_TX:
711 			musb->ep0_state = MUSB_EP0_STAGE_STATUSOUT;
712 			break;
713 		case MUSB_EP0_STAGE_RX:
714 			musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
715 			break;
716 		default:
717 			ERR("SetupEnd came in a wrong ep0stage %s\n",
718 			    decode_ep0stage(musb->ep0_state));
719 		}
720 		csr = musb_readw(regs, MUSB_CSR0);
721 		/* NOTE:  request may need completion */
722 	}
723 
724 	/* docs from Mentor only describe tx, rx, and idle/setup states.
725 	 * we need to handle nuances around status stages, and also the
726 	 * case where status and setup stages come back-to-back ...
727 	 */
728 	switch (musb->ep0_state) {
729 
730 	case MUSB_EP0_STAGE_TX:
731 		/* irq on clearing txpktrdy */
732 		if ((csr & MUSB_CSR0_TXPKTRDY) == 0) {
733 			ep0_txstate(musb);
734 			retval = IRQ_HANDLED;
735 		}
736 		break;
737 
738 	case MUSB_EP0_STAGE_RX:
739 		/* irq on set rxpktrdy */
740 		if (csr & MUSB_CSR0_RXPKTRDY) {
741 			ep0_rxstate(musb);
742 			retval = IRQ_HANDLED;
743 		}
744 		break;
745 
746 	case MUSB_EP0_STAGE_STATUSIN:
747 		/* end of sequence #2 (OUT/RX state) or #3 (no data) */
748 
749 		/* update address (if needed) only @ the end of the
750 		 * status phase per usb spec, which also guarantees
751 		 * we get 10 msec to receive this irq... until this
752 		 * is done we won't see the next packet.
753 		 */
754 		if (musb->set_address) {
755 			musb->set_address = false;
756 			musb_writeb(mbase, MUSB_FADDR, musb->address);
757 		}
758 
759 		/* enter test mode if needed (exit by reset) */
760 		else if (musb->test_mode) {
761 			dev_dbg(musb->controller, "entering TESTMODE\n");
762 
763 			if (MUSB_TEST_PACKET == musb->test_mode_nr)
764 				musb_load_testpacket(musb);
765 
766 			musb_writeb(mbase, MUSB_TESTMODE,
767 					musb->test_mode_nr);
768 		}
769 		/* FALLTHROUGH */
770 
771 	case MUSB_EP0_STAGE_STATUSOUT:
772 		/* end of sequence #1: write to host (TX state) */
773 		{
774 			struct musb_request	*req;
775 
776 			req = next_ep0_request(musb);
777 			if (req)
778 				musb_g_ep0_giveback(musb, &req->request);
779 		}
780 
781 		/*
782 		 * In case when several interrupts can get coalesced,
783 		 * check to see if we've already received a SETUP packet...
784 		 */
785 		if (csr & MUSB_CSR0_RXPKTRDY)
786 			goto setup;
787 
788 		retval = IRQ_HANDLED;
789 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
790 		break;
791 
792 	case MUSB_EP0_STAGE_IDLE:
793 		/*
794 		 * This state is typically (but not always) indiscernible
795 		 * from the status states since the corresponding interrupts
796 		 * tend to happen within too little period of time (with only
797 		 * a zero-length packet in between) and so get coalesced...
798 		 */
799 		retval = IRQ_HANDLED;
800 		musb->ep0_state = MUSB_EP0_STAGE_SETUP;
801 		/* FALLTHROUGH */
802 
803 	case MUSB_EP0_STAGE_SETUP:
804 setup:
805 		if (csr & MUSB_CSR0_RXPKTRDY) {
806 			struct usb_ctrlrequest	setup;
807 			int			handled = 0;
808 
809 			if (len != 8) {
810 				ERR("SETUP packet len %d != 8 ?\n", len);
811 				break;
812 			}
813 			musb_read_setup(musb, &setup);
814 			retval = IRQ_HANDLED;
815 
816 			/* sometimes the RESET won't be reported */
817 			if (unlikely(musb->g.speed == USB_SPEED_UNKNOWN)) {
818 				u8	power;
819 
820 				printk(KERN_NOTICE "%s: peripheral reset "
821 						"irq lost!\n",
822 						musb_driver_name);
823 				power = musb_readb(mbase, MUSB_POWER);
824 				musb->g.speed = (power & MUSB_POWER_HSMODE)
825 					? USB_SPEED_HIGH : USB_SPEED_FULL;
826 
827 			}
828 
829 			switch (musb->ep0_state) {
830 
831 			/* sequence #3 (no data stage), includes requests
832 			 * we can't forward (notably SET_ADDRESS and the
833 			 * device/endpoint feature set/clear operations)
834 			 * plus SET_CONFIGURATION and others we must
835 			 */
836 			case MUSB_EP0_STAGE_ACKWAIT:
837 				handled = service_zero_data_request(
838 						musb, &setup);
839 
840 				/*
841 				 * We're expecting no data in any case, so
842 				 * always set the DATAEND bit -- doing this
843 				 * here helps avoid SetupEnd interrupt coming
844 				 * in the idle stage when we're stalling...
845 				 */
846 				musb->ackpend |= MUSB_CSR0_P_DATAEND;
847 
848 				/* status stage might be immediate */
849 				if (handled > 0)
850 					musb->ep0_state =
851 						MUSB_EP0_STAGE_STATUSIN;
852 				break;
853 
854 			/* sequence #1 (IN to host), includes GET_STATUS
855 			 * requests that we can't forward, GET_DESCRIPTOR
856 			 * and others that we must
857 			 */
858 			case MUSB_EP0_STAGE_TX:
859 				handled = service_in_request(musb, &setup);
860 				if (handled > 0) {
861 					musb->ackpend = MUSB_CSR0_TXPKTRDY
862 						| MUSB_CSR0_P_DATAEND;
863 					musb->ep0_state =
864 						MUSB_EP0_STAGE_STATUSOUT;
865 				}
866 				break;
867 
868 			/* sequence #2 (OUT from host), always forward */
869 			default:		/* MUSB_EP0_STAGE_RX */
870 				break;
871 			}
872 
873 			dev_dbg(musb->controller, "handled %d, csr %04x, ep0stage %s\n",
874 				handled, csr,
875 				decode_ep0stage(musb->ep0_state));
876 
877 			/* unless we need to delegate this to the gadget
878 			 * driver, we know how to wrap this up:  csr0 has
879 			 * not yet been written.
880 			 */
881 			if (handled < 0)
882 				goto stall;
883 			else if (handled > 0)
884 				goto finish;
885 
886 			handled = forward_to_driver(musb, &setup);
887 			if (handled < 0) {
888 				musb_ep_select(mbase, 0);
889 stall:
890 				dev_dbg(musb->controller, "stall (%d)\n", handled);
891 				musb->ackpend |= MUSB_CSR0_P_SENDSTALL;
892 				musb->ep0_state = MUSB_EP0_STAGE_IDLE;
893 finish:
894 				musb_writew(regs, MUSB_CSR0,
895 						musb->ackpend);
896 				musb->ackpend = 0;
897 			}
898 		}
899 		break;
900 
901 	case MUSB_EP0_STAGE_ACKWAIT:
902 		/* This should not happen. But happens with tusb6010 with
903 		 * g_file_storage and high speed. Do nothing.
904 		 */
905 		retval = IRQ_HANDLED;
906 		break;
907 
908 	default:
909 		/* "can't happen" */
910 		WARN_ON(1);
911 		musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SENDSTALL);
912 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
913 		break;
914 	}
915 
916 	return retval;
917 }
918 
919 
920 static int
921 musb_g_ep0_enable(struct usb_ep *ep, const struct usb_endpoint_descriptor *desc)
922 {
923 	/* always enabled */
924 	return -EINVAL;
925 }
926 
927 static int musb_g_ep0_disable(struct usb_ep *e)
928 {
929 	/* always enabled */
930 	return -EINVAL;
931 }
932 
933 static int
934 musb_g_ep0_queue(struct usb_ep *e, struct usb_request *r, gfp_t gfp_flags)
935 {
936 	struct musb_ep		*ep;
937 	struct musb_request	*req;
938 	struct musb		*musb;
939 	int			status;
940 	unsigned long		lockflags;
941 	void __iomem		*regs;
942 
943 	if (!e || !r)
944 		return -EINVAL;
945 
946 	ep = to_musb_ep(e);
947 	musb = ep->musb;
948 	regs = musb->control_ep->regs;
949 
950 	req = to_musb_request(r);
951 	req->musb = musb;
952 	req->request.actual = 0;
953 	req->request.status = -EINPROGRESS;
954 	req->tx = ep->is_in;
955 
956 	spin_lock_irqsave(&musb->lock, lockflags);
957 
958 	if (!list_empty(&ep->req_list)) {
959 		status = -EBUSY;
960 		goto cleanup;
961 	}
962 
963 	switch (musb->ep0_state) {
964 	case MUSB_EP0_STAGE_RX:		/* control-OUT data */
965 	case MUSB_EP0_STAGE_TX:		/* control-IN data */
966 	case MUSB_EP0_STAGE_ACKWAIT:	/* zero-length data */
967 		status = 0;
968 		break;
969 	default:
970 		dev_dbg(musb->controller, "ep0 request queued in state %d\n",
971 				musb->ep0_state);
972 		status = -EINVAL;
973 		goto cleanup;
974 	}
975 
976 	/* add request to the list */
977 	list_add_tail(&req->list, &ep->req_list);
978 
979 	dev_dbg(musb->controller, "queue to %s (%s), length=%d\n",
980 			ep->name, ep->is_in ? "IN/TX" : "OUT/RX",
981 			req->request.length);
982 
983 	musb_ep_select(musb->mregs, 0);
984 
985 	/* sequence #1, IN ... start writing the data */
986 	if (musb->ep0_state == MUSB_EP0_STAGE_TX)
987 		ep0_txstate(musb);
988 
989 	/* sequence #3, no-data ... issue IN status */
990 	else if (musb->ep0_state == MUSB_EP0_STAGE_ACKWAIT) {
991 		if (req->request.length)
992 			status = -EINVAL;
993 		else {
994 			musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
995 			musb_writew(regs, MUSB_CSR0,
996 					musb->ackpend | MUSB_CSR0_P_DATAEND);
997 			musb->ackpend = 0;
998 			musb_g_ep0_giveback(ep->musb, r);
999 		}
1000 
1001 	/* else for sequence #2 (OUT), caller provides a buffer
1002 	 * before the next packet arrives.  deferred responses
1003 	 * (after SETUP is acked) are racey.
1004 	 */
1005 	} else if (musb->ackpend) {
1006 		musb_writew(regs, MUSB_CSR0, musb->ackpend);
1007 		musb->ackpend = 0;
1008 	}
1009 
1010 cleanup:
1011 	spin_unlock_irqrestore(&musb->lock, lockflags);
1012 	return status;
1013 }
1014 
1015 static int musb_g_ep0_dequeue(struct usb_ep *ep, struct usb_request *req)
1016 {
1017 	/* we just won't support this */
1018 	return -EINVAL;
1019 }
1020 
1021 static int musb_g_ep0_halt(struct usb_ep *e, int value)
1022 {
1023 	struct musb_ep		*ep;
1024 	struct musb		*musb;
1025 	void __iomem		*base, *regs;
1026 	unsigned long		flags;
1027 	int			status;
1028 	u16			csr;
1029 
1030 	if (!e || !value)
1031 		return -EINVAL;
1032 
1033 	ep = to_musb_ep(e);
1034 	musb = ep->musb;
1035 	base = musb->mregs;
1036 	regs = musb->control_ep->regs;
1037 	status = 0;
1038 
1039 	spin_lock_irqsave(&musb->lock, flags);
1040 
1041 	if (!list_empty(&ep->req_list)) {
1042 		status = -EBUSY;
1043 		goto cleanup;
1044 	}
1045 
1046 	musb_ep_select(base, 0);
1047 	csr = musb->ackpend;
1048 
1049 	switch (musb->ep0_state) {
1050 
1051 	/* Stalls are usually issued after parsing SETUP packet, either
1052 	 * directly in irq context from setup() or else later.
1053 	 */
1054 	case MUSB_EP0_STAGE_TX:		/* control-IN data */
1055 	case MUSB_EP0_STAGE_ACKWAIT:	/* STALL for zero-length data */
1056 	case MUSB_EP0_STAGE_RX:		/* control-OUT data */
1057 		csr = musb_readw(regs, MUSB_CSR0);
1058 		/* FALLTHROUGH */
1059 
1060 	/* It's also OK to issue stalls during callbacks when a non-empty
1061 	 * DATA stage buffer has been read (or even written).
1062 	 */
1063 	case MUSB_EP0_STAGE_STATUSIN:	/* control-OUT status */
1064 	case MUSB_EP0_STAGE_STATUSOUT:	/* control-IN status */
1065 
1066 		csr |= MUSB_CSR0_P_SENDSTALL;
1067 		musb_writew(regs, MUSB_CSR0, csr);
1068 		musb->ep0_state = MUSB_EP0_STAGE_IDLE;
1069 		musb->ackpend = 0;
1070 		break;
1071 	default:
1072 		dev_dbg(musb->controller, "ep0 can't halt in state %d\n", musb->ep0_state);
1073 		status = -EINVAL;
1074 	}
1075 
1076 cleanup:
1077 	spin_unlock_irqrestore(&musb->lock, flags);
1078 	return status;
1079 }
1080 
1081 const struct usb_ep_ops musb_g_ep0_ops = {
1082 	.enable		= musb_g_ep0_enable,
1083 	.disable	= musb_g_ep0_disable,
1084 	.alloc_request	= musb_alloc_request,
1085 	.free_request	= musb_free_request,
1086 	.queue		= musb_g_ep0_queue,
1087 	.dequeue	= musb_g_ep0_dequeue,
1088 	.set_halt	= musb_g_ep0_halt,
1089 };
1090