bpf: Prevent memory disambiguation attack
[linux/fpc-iii.git] / drivers / usb / musb / musb_gadget_ep0.c
blob91a5027b5c1f97d522c7beed568f2ac39e74ea86
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * MUSB OTG peripheral driver ep0 handling
5 * Copyright 2005 Mentor Graphics Corporation
6 * Copyright (C) 2005-2006 by Texas Instruments
7 * Copyright (C) 2006-2007 Nokia Corporation
8 * Copyright (C) 2008-2009 MontaVista Software, Inc. <source@mvista.com>
9 */
11 #include <linux/kernel.h>
12 #include <linux/list.h>
13 #include <linux/timer.h>
14 #include <linux/spinlock.h>
15 #include <linux/device.h>
16 #include <linux/interrupt.h>
18 #include "musb_core.h"
20 /* ep0 is always musb->endpoints[0].ep_in */
21 #define next_ep0_request(musb) next_in_request(&(musb)->endpoints[0])
24 * locking note: we use only the controller lock, for simpler correctness.
25 * It's always held with IRQs blocked.
27 * It protects the ep0 request queue as well as ep0_state, not just the
28 * controller and indexed registers. And that lock stays held unless it
29 * needs to be dropped to allow reentering this driver ... like upcalls to
30 * the gadget driver, or adjusting endpoint halt status.
33 static char *decode_ep0stage(u8 stage)
35 switch (stage) {
36 case MUSB_EP0_STAGE_IDLE: return "idle";
37 case MUSB_EP0_STAGE_SETUP: return "setup";
38 case MUSB_EP0_STAGE_TX: return "in";
39 case MUSB_EP0_STAGE_RX: return "out";
40 case MUSB_EP0_STAGE_ACKWAIT: return "wait";
41 case MUSB_EP0_STAGE_STATUSIN: return "in/status";
42 case MUSB_EP0_STAGE_STATUSOUT: return "out/status";
43 default: return "?";
47 /* handle a standard GET_STATUS request
48 * Context: caller holds controller lock
50 static int service_tx_status_request(
51 struct musb *musb,
52 const struct usb_ctrlrequest *ctrlrequest)
54 void __iomem *mbase = musb->mregs;
55 int handled = 1;
56 u8 result[2], epnum = 0;
57 const u8 recip = ctrlrequest->bRequestType & USB_RECIP_MASK;
59 result[1] = 0;
61 switch (recip) {
62 case USB_RECIP_DEVICE:
63 result[0] = musb->g.is_selfpowered << USB_DEVICE_SELF_POWERED;
64 result[0] |= musb->may_wakeup << USB_DEVICE_REMOTE_WAKEUP;
65 if (musb->g.is_otg) {
66 result[0] |= musb->g.b_hnp_enable
67 << USB_DEVICE_B_HNP_ENABLE;
68 result[0] |= musb->g.a_alt_hnp_support
69 << USB_DEVICE_A_ALT_HNP_SUPPORT;
70 result[0] |= musb->g.a_hnp_support
71 << USB_DEVICE_A_HNP_SUPPORT;
73 break;
75 case USB_RECIP_INTERFACE:
76 result[0] = 0;
77 break;
79 case USB_RECIP_ENDPOINT: {
80 int is_in;
81 struct musb_ep *ep;
82 u16 tmp;
83 void __iomem *regs;
85 epnum = (u8) ctrlrequest->wIndex;
86 if (!epnum) {
87 result[0] = 0;
88 break;
91 is_in = epnum & USB_DIR_IN;
92 epnum &= 0x0f;
93 if (epnum >= MUSB_C_NUM_EPS) {
94 handled = -EINVAL;
95 break;
98 if (is_in)
99 ep = &musb->endpoints[epnum].ep_in;
100 else
101 ep = &musb->endpoints[epnum].ep_out;
102 regs = musb->endpoints[epnum].regs;
104 if (!ep->desc) {
105 handled = -EINVAL;
106 break;
109 musb_ep_select(mbase, epnum);
110 if (is_in)
111 tmp = musb_readw(regs, MUSB_TXCSR)
112 & MUSB_TXCSR_P_SENDSTALL;
113 else
114 tmp = musb_readw(regs, MUSB_RXCSR)
115 & MUSB_RXCSR_P_SENDSTALL;
116 musb_ep_select(mbase, 0);
118 result[0] = tmp ? 1 : 0;
119 } break;
121 default:
122 /* class, vendor, etc ... delegate */
123 handled = 0;
124 break;
127 /* fill up the fifo; caller updates csr0 */
128 if (handled > 0) {
129 u16 len = le16_to_cpu(ctrlrequest->wLength);
131 if (len > 2)
132 len = 2;
133 musb_write_fifo(&musb->endpoints[0], len, result);
136 return handled;
140 * handle a control-IN request, the end0 buffer contains the current request
141 * that is supposed to be a standard control request. Assumes the fifo to
142 * be at least 2 bytes long.
144 * @return 0 if the request was NOT HANDLED,
145 * < 0 when error
146 * > 0 when the request is processed
148 * Context: caller holds controller lock
150 static int
151 service_in_request(struct musb *musb, const struct usb_ctrlrequest *ctrlrequest)
153 int handled = 0; /* not handled */
155 if ((ctrlrequest->bRequestType & USB_TYPE_MASK)
156 == USB_TYPE_STANDARD) {
157 switch (ctrlrequest->bRequest) {
158 case USB_REQ_GET_STATUS:
159 handled = service_tx_status_request(musb,
160 ctrlrequest);
161 break;
163 /* case USB_REQ_SYNC_FRAME: */
165 default:
166 break;
169 return handled;
173 * Context: caller holds controller lock
175 static void musb_g_ep0_giveback(struct musb *musb, struct usb_request *req)
177 musb_g_giveback(&musb->endpoints[0].ep_in, req, 0);
181 * Tries to start B-device HNP negotiation if enabled via sysfs
183 static inline void musb_try_b_hnp_enable(struct musb *musb)
185 void __iomem *mbase = musb->mregs;
186 u8 devctl;
188 musb_dbg(musb, "HNP: Setting HR");
189 devctl = musb_readb(mbase, MUSB_DEVCTL);
190 musb_writeb(mbase, MUSB_DEVCTL, devctl | MUSB_DEVCTL_HR);
194 * Handle all control requests with no DATA stage, including standard
195 * requests such as:
196 * USB_REQ_SET_CONFIGURATION, USB_REQ_SET_INTERFACE, unrecognized
197 * always delegated to the gadget driver
198 * USB_REQ_SET_ADDRESS, USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE
199 * always handled here, except for class/vendor/... features
201 * Context: caller holds controller lock
203 static int
204 service_zero_data_request(struct musb *musb,
205 struct usb_ctrlrequest *ctrlrequest)
206 __releases(musb->lock)
207 __acquires(musb->lock)
209 int handled = -EINVAL;
210 void __iomem *mbase = musb->mregs;
211 const u8 recip = ctrlrequest->bRequestType & USB_RECIP_MASK;
213 /* the gadget driver handles everything except what we MUST handle */
214 if ((ctrlrequest->bRequestType & USB_TYPE_MASK)
215 == USB_TYPE_STANDARD) {
216 switch (ctrlrequest->bRequest) {
217 case USB_REQ_SET_ADDRESS:
218 /* change it after the status stage */
219 musb->set_address = true;
220 musb->address = (u8) (ctrlrequest->wValue & 0x7f);
221 handled = 1;
222 break;
224 case USB_REQ_CLEAR_FEATURE:
225 switch (recip) {
226 case USB_RECIP_DEVICE:
227 if (ctrlrequest->wValue
228 != USB_DEVICE_REMOTE_WAKEUP)
229 break;
230 musb->may_wakeup = 0;
231 handled = 1;
232 break;
233 case USB_RECIP_INTERFACE:
234 break;
235 case USB_RECIP_ENDPOINT:{
236 const u8 epnum =
237 ctrlrequest->wIndex & 0x0f;
238 struct musb_ep *musb_ep;
239 struct musb_hw_ep *ep;
240 struct musb_request *request;
241 void __iomem *regs;
242 int is_in;
243 u16 csr;
245 if (epnum == 0 || epnum >= MUSB_C_NUM_EPS ||
246 ctrlrequest->wValue != USB_ENDPOINT_HALT)
247 break;
249 ep = musb->endpoints + epnum;
250 regs = ep->regs;
251 is_in = ctrlrequest->wIndex & USB_DIR_IN;
252 if (is_in)
253 musb_ep = &ep->ep_in;
254 else
255 musb_ep = &ep->ep_out;
256 if (!musb_ep->desc)
257 break;
259 handled = 1;
260 /* Ignore request if endpoint is wedged */
261 if (musb_ep->wedged)
262 break;
264 musb_ep_select(mbase, epnum);
265 if (is_in) {
266 csr = musb_readw(regs, MUSB_TXCSR);
267 csr |= MUSB_TXCSR_CLRDATATOG |
268 MUSB_TXCSR_P_WZC_BITS;
269 csr &= ~(MUSB_TXCSR_P_SENDSTALL |
270 MUSB_TXCSR_P_SENTSTALL |
271 MUSB_TXCSR_TXPKTRDY);
272 musb_writew(regs, MUSB_TXCSR, csr);
273 } else {
274 csr = musb_readw(regs, MUSB_RXCSR);
275 csr |= MUSB_RXCSR_CLRDATATOG |
276 MUSB_RXCSR_P_WZC_BITS;
277 csr &= ~(MUSB_RXCSR_P_SENDSTALL |
278 MUSB_RXCSR_P_SENTSTALL);
279 musb_writew(regs, MUSB_RXCSR, csr);
282 /* Maybe start the first request in the queue */
283 request = next_request(musb_ep);
284 if (!musb_ep->busy && request) {
285 musb_dbg(musb, "restarting the request");
286 musb_ep_restart(musb, request);
289 /* select ep0 again */
290 musb_ep_select(mbase, 0);
291 } break;
292 default:
293 /* class, vendor, etc ... delegate */
294 handled = 0;
295 break;
297 break;
299 case USB_REQ_SET_FEATURE:
300 switch (recip) {
301 case USB_RECIP_DEVICE:
302 handled = 1;
303 switch (ctrlrequest->wValue) {
304 case USB_DEVICE_REMOTE_WAKEUP:
305 musb->may_wakeup = 1;
306 break;
307 case USB_DEVICE_TEST_MODE:
308 if (musb->g.speed != USB_SPEED_HIGH)
309 goto stall;
310 if (ctrlrequest->wIndex & 0xff)
311 goto stall;
313 switch (ctrlrequest->wIndex >> 8) {
314 case 1:
315 pr_debug("TEST_J\n");
316 /* TEST_J */
317 musb->test_mode_nr =
318 MUSB_TEST_J;
319 break;
320 case 2:
321 /* TEST_K */
322 pr_debug("TEST_K\n");
323 musb->test_mode_nr =
324 MUSB_TEST_K;
325 break;
326 case 3:
327 /* TEST_SE0_NAK */
328 pr_debug("TEST_SE0_NAK\n");
329 musb->test_mode_nr =
330 MUSB_TEST_SE0_NAK;
331 break;
332 case 4:
333 /* TEST_PACKET */
334 pr_debug("TEST_PACKET\n");
335 musb->test_mode_nr =
336 MUSB_TEST_PACKET;
337 break;
339 case 0xc0:
340 /* TEST_FORCE_HS */
341 pr_debug("TEST_FORCE_HS\n");
342 musb->test_mode_nr =
343 MUSB_TEST_FORCE_HS;
344 break;
345 case 0xc1:
346 /* TEST_FORCE_FS */
347 pr_debug("TEST_FORCE_FS\n");
348 musb->test_mode_nr =
349 MUSB_TEST_FORCE_FS;
350 break;
351 case 0xc2:
352 /* TEST_FIFO_ACCESS */
353 pr_debug("TEST_FIFO_ACCESS\n");
354 musb->test_mode_nr =
355 MUSB_TEST_FIFO_ACCESS;
356 break;
357 case 0xc3:
358 /* TEST_FORCE_HOST */
359 pr_debug("TEST_FORCE_HOST\n");
360 musb->test_mode_nr =
361 MUSB_TEST_FORCE_HOST;
362 break;
363 default:
364 goto stall;
367 /* enter test mode after irq */
368 if (handled > 0)
369 musb->test_mode = true;
370 break;
371 case USB_DEVICE_B_HNP_ENABLE:
372 if (!musb->g.is_otg)
373 goto stall;
374 musb->g.b_hnp_enable = 1;
375 musb_try_b_hnp_enable(musb);
376 break;
377 case USB_DEVICE_A_HNP_SUPPORT:
378 if (!musb->g.is_otg)
379 goto stall;
380 musb->g.a_hnp_support = 1;
381 break;
382 case USB_DEVICE_A_ALT_HNP_SUPPORT:
383 if (!musb->g.is_otg)
384 goto stall;
385 musb->g.a_alt_hnp_support = 1;
386 break;
387 case USB_DEVICE_DEBUG_MODE:
388 handled = 0;
389 break;
390 stall:
391 default:
392 handled = -EINVAL;
393 break;
395 break;
397 case USB_RECIP_INTERFACE:
398 break;
400 case USB_RECIP_ENDPOINT:{
401 const u8 epnum =
402 ctrlrequest->wIndex & 0x0f;
403 struct musb_ep *musb_ep;
404 struct musb_hw_ep *ep;
405 void __iomem *regs;
406 int is_in;
407 u16 csr;
409 if (epnum == 0 || epnum >= MUSB_C_NUM_EPS ||
410 ctrlrequest->wValue != USB_ENDPOINT_HALT)
411 break;
413 ep = musb->endpoints + epnum;
414 regs = ep->regs;
415 is_in = ctrlrequest->wIndex & USB_DIR_IN;
416 if (is_in)
417 musb_ep = &ep->ep_in;
418 else
419 musb_ep = &ep->ep_out;
420 if (!musb_ep->desc)
421 break;
423 musb_ep_select(mbase, epnum);
424 if (is_in) {
425 csr = musb_readw(regs, MUSB_TXCSR);
426 if (csr & MUSB_TXCSR_FIFONOTEMPTY)
427 csr |= MUSB_TXCSR_FLUSHFIFO;
428 csr |= MUSB_TXCSR_P_SENDSTALL
429 | MUSB_TXCSR_CLRDATATOG
430 | MUSB_TXCSR_P_WZC_BITS;
431 musb_writew(regs, MUSB_TXCSR, csr);
432 } else {
433 csr = musb_readw(regs, MUSB_RXCSR);
434 csr |= MUSB_RXCSR_P_SENDSTALL
435 | MUSB_RXCSR_FLUSHFIFO
436 | MUSB_RXCSR_CLRDATATOG
437 | MUSB_RXCSR_P_WZC_BITS;
438 musb_writew(regs, MUSB_RXCSR, csr);
441 /* select ep0 again */
442 musb_ep_select(mbase, 0);
443 handled = 1;
444 } break;
446 default:
447 /* class, vendor, etc ... delegate */
448 handled = 0;
449 break;
451 break;
452 default:
453 /* delegate SET_CONFIGURATION, etc */
454 handled = 0;
456 } else
457 handled = 0;
458 return handled;
461 /* we have an ep0out data packet
462 * Context: caller holds controller lock
464 static void ep0_rxstate(struct musb *musb)
466 void __iomem *regs = musb->control_ep->regs;
467 struct musb_request *request;
468 struct usb_request *req;
469 u16 count, csr;
471 request = next_ep0_request(musb);
472 req = &request->request;
474 /* read packet and ack; or stall because of gadget driver bug:
475 * should have provided the rx buffer before setup() returned.
477 if (req) {
478 void *buf = req->buf + req->actual;
479 unsigned len = req->length - req->actual;
481 /* read the buffer */
482 count = musb_readb(regs, MUSB_COUNT0);
483 if (count > len) {
484 req->status = -EOVERFLOW;
485 count = len;
487 if (count > 0) {
488 musb_read_fifo(&musb->endpoints[0], count, buf);
489 req->actual += count;
491 csr = MUSB_CSR0_P_SVDRXPKTRDY;
492 if (count < 64 || req->actual == req->length) {
493 musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
494 csr |= MUSB_CSR0_P_DATAEND;
495 } else
496 req = NULL;
497 } else
498 csr = MUSB_CSR0_P_SVDRXPKTRDY | MUSB_CSR0_P_SENDSTALL;
501 /* Completion handler may choose to stall, e.g. because the
502 * message just received holds invalid data.
504 if (req) {
505 musb->ackpend = csr;
506 musb_g_ep0_giveback(musb, req);
507 if (!musb->ackpend)
508 return;
509 musb->ackpend = 0;
511 musb_ep_select(musb->mregs, 0);
512 musb_writew(regs, MUSB_CSR0, csr);
516 * transmitting to the host (IN), this code might be called from IRQ
517 * and from kernel thread.
519 * Context: caller holds controller lock
521 static void ep0_txstate(struct musb *musb)
523 void __iomem *regs = musb->control_ep->regs;
524 struct musb_request *req = next_ep0_request(musb);
525 struct usb_request *request;
526 u16 csr = MUSB_CSR0_TXPKTRDY;
527 u8 *fifo_src;
528 u8 fifo_count;
530 if (!req) {
531 /* WARN_ON(1); */
532 musb_dbg(musb, "odd; csr0 %04x", musb_readw(regs, MUSB_CSR0));
533 return;
536 request = &req->request;
538 /* load the data */
539 fifo_src = (u8 *) request->buf + request->actual;
540 fifo_count = min((unsigned) MUSB_EP0_FIFOSIZE,
541 request->length - request->actual);
542 musb_write_fifo(&musb->endpoints[0], fifo_count, fifo_src);
543 request->actual += fifo_count;
545 /* update the flags */
546 if (fifo_count < MUSB_MAX_END0_PACKET
547 || (request->actual == request->length
548 && !request->zero)) {
549 musb->ep0_state = MUSB_EP0_STAGE_STATUSOUT;
550 csr |= MUSB_CSR0_P_DATAEND;
551 } else
552 request = NULL;
554 /* report completions as soon as the fifo's loaded; there's no
555 * win in waiting till this last packet gets acked. (other than
556 * very precise fault reporting, needed by USB TMC; possible with
557 * this hardware, but not usable from portable gadget drivers.)
559 if (request) {
560 musb->ackpend = csr;
561 musb_g_ep0_giveback(musb, request);
562 if (!musb->ackpend)
563 return;
564 musb->ackpend = 0;
567 /* send it out, triggering a "txpktrdy cleared" irq */
568 musb_ep_select(musb->mregs, 0);
569 musb_writew(regs, MUSB_CSR0, csr);
573 * Read a SETUP packet (struct usb_ctrlrequest) from the hardware.
574 * Fields are left in USB byte-order.
576 * Context: caller holds controller lock.
578 static void
579 musb_read_setup(struct musb *musb, struct usb_ctrlrequest *req)
581 struct musb_request *r;
582 void __iomem *regs = musb->control_ep->regs;
584 musb_read_fifo(&musb->endpoints[0], sizeof *req, (u8 *)req);
586 /* NOTE: earlier 2.6 versions changed setup packets to host
587 * order, but now USB packets always stay in USB byte order.
589 musb_dbg(musb, "SETUP req%02x.%02x v%04x i%04x l%d",
590 req->bRequestType,
591 req->bRequest,
592 le16_to_cpu(req->wValue),
593 le16_to_cpu(req->wIndex),
594 le16_to_cpu(req->wLength));
596 /* clean up any leftover transfers */
597 r = next_ep0_request(musb);
598 if (r)
599 musb_g_ep0_giveback(musb, &r->request);
601 /* For zero-data requests we want to delay the STATUS stage to
602 * avoid SETUPEND errors. If we read data (OUT), delay accepting
603 * packets until there's a buffer to store them in.
605 * If we write data, the controller acts happier if we enable
606 * the TX FIFO right away, and give the controller a moment
607 * to switch modes...
609 musb->set_address = false;
610 musb->ackpend = MUSB_CSR0_P_SVDRXPKTRDY;
611 if (req->wLength == 0) {
612 if (req->bRequestType & USB_DIR_IN)
613 musb->ackpend |= MUSB_CSR0_TXPKTRDY;
614 musb->ep0_state = MUSB_EP0_STAGE_ACKWAIT;
615 } else if (req->bRequestType & USB_DIR_IN) {
616 musb->ep0_state = MUSB_EP0_STAGE_TX;
617 musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SVDRXPKTRDY);
618 while ((musb_readw(regs, MUSB_CSR0)
619 & MUSB_CSR0_RXPKTRDY) != 0)
620 cpu_relax();
621 musb->ackpend = 0;
622 } else
623 musb->ep0_state = MUSB_EP0_STAGE_RX;
626 static int
627 forward_to_driver(struct musb *musb, const struct usb_ctrlrequest *ctrlrequest)
628 __releases(musb->lock)
629 __acquires(musb->lock)
631 int retval;
632 if (!musb->gadget_driver)
633 return -EOPNOTSUPP;
634 spin_unlock(&musb->lock);
635 retval = musb->gadget_driver->setup(&musb->g, ctrlrequest);
636 spin_lock(&musb->lock);
637 return retval;
641 * Handle peripheral ep0 interrupt
643 * Context: irq handler; we won't re-enter the driver that way.
645 irqreturn_t musb_g_ep0_irq(struct musb *musb)
647 u16 csr;
648 u16 len;
649 void __iomem *mbase = musb->mregs;
650 void __iomem *regs = musb->endpoints[0].regs;
651 irqreturn_t retval = IRQ_NONE;
653 musb_ep_select(mbase, 0); /* select ep0 */
654 csr = musb_readw(regs, MUSB_CSR0);
655 len = musb_readb(regs, MUSB_COUNT0);
657 musb_dbg(musb, "csr %04x, count %d, ep0stage %s",
658 csr, len, decode_ep0stage(musb->ep0_state));
660 if (csr & MUSB_CSR0_P_DATAEND) {
662 * If DATAEND is set we should not call the callback,
663 * hence the status stage is not complete.
665 return IRQ_HANDLED;
668 /* I sent a stall.. need to acknowledge it now.. */
669 if (csr & MUSB_CSR0_P_SENTSTALL) {
670 musb_writew(regs, MUSB_CSR0,
671 csr & ~MUSB_CSR0_P_SENTSTALL);
672 retval = IRQ_HANDLED;
673 musb->ep0_state = MUSB_EP0_STAGE_IDLE;
674 csr = musb_readw(regs, MUSB_CSR0);
677 /* request ended "early" */
678 if (csr & MUSB_CSR0_P_SETUPEND) {
679 musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SVDSETUPEND);
680 retval = IRQ_HANDLED;
681 /* Transition into the early status phase */
682 switch (musb->ep0_state) {
683 case MUSB_EP0_STAGE_TX:
684 musb->ep0_state = MUSB_EP0_STAGE_STATUSOUT;
685 break;
686 case MUSB_EP0_STAGE_RX:
687 musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
688 break;
689 default:
690 ERR("SetupEnd came in a wrong ep0stage %s\n",
691 decode_ep0stage(musb->ep0_state));
693 csr = musb_readw(regs, MUSB_CSR0);
694 /* NOTE: request may need completion */
697 /* docs from Mentor only describe tx, rx, and idle/setup states.
698 * we need to handle nuances around status stages, and also the
699 * case where status and setup stages come back-to-back ...
701 switch (musb->ep0_state) {
703 case MUSB_EP0_STAGE_TX:
704 /* irq on clearing txpktrdy */
705 if ((csr & MUSB_CSR0_TXPKTRDY) == 0) {
706 ep0_txstate(musb);
707 retval = IRQ_HANDLED;
709 break;
711 case MUSB_EP0_STAGE_RX:
712 /* irq on set rxpktrdy */
713 if (csr & MUSB_CSR0_RXPKTRDY) {
714 ep0_rxstate(musb);
715 retval = IRQ_HANDLED;
717 break;
719 case MUSB_EP0_STAGE_STATUSIN:
720 /* end of sequence #2 (OUT/RX state) or #3 (no data) */
722 /* update address (if needed) only @ the end of the
723 * status phase per usb spec, which also guarantees
724 * we get 10 msec to receive this irq... until this
725 * is done we won't see the next packet.
727 if (musb->set_address) {
728 musb->set_address = false;
729 musb_writeb(mbase, MUSB_FADDR, musb->address);
732 /* enter test mode if needed (exit by reset) */
733 else if (musb->test_mode) {
734 musb_dbg(musb, "entering TESTMODE");
736 if (MUSB_TEST_PACKET == musb->test_mode_nr)
737 musb_load_testpacket(musb);
739 musb_writeb(mbase, MUSB_TESTMODE,
740 musb->test_mode_nr);
742 /* FALLTHROUGH */
744 case MUSB_EP0_STAGE_STATUSOUT:
745 /* end of sequence #1: write to host (TX state) */
747 struct musb_request *req;
749 req = next_ep0_request(musb);
750 if (req)
751 musb_g_ep0_giveback(musb, &req->request);
755 * In case when several interrupts can get coalesced,
756 * check to see if we've already received a SETUP packet...
758 if (csr & MUSB_CSR0_RXPKTRDY)
759 goto setup;
761 retval = IRQ_HANDLED;
762 musb->ep0_state = MUSB_EP0_STAGE_IDLE;
763 break;
765 case MUSB_EP0_STAGE_IDLE:
767 * This state is typically (but not always) indiscernible
768 * from the status states since the corresponding interrupts
769 * tend to happen within too little period of time (with only
770 * a zero-length packet in between) and so get coalesced...
772 retval = IRQ_HANDLED;
773 musb->ep0_state = MUSB_EP0_STAGE_SETUP;
774 /* FALLTHROUGH */
776 case MUSB_EP0_STAGE_SETUP:
777 setup:
778 if (csr & MUSB_CSR0_RXPKTRDY) {
779 struct usb_ctrlrequest setup;
780 int handled = 0;
782 if (len != 8) {
783 ERR("SETUP packet len %d != 8 ?\n", len);
784 break;
786 musb_read_setup(musb, &setup);
787 retval = IRQ_HANDLED;
789 /* sometimes the RESET won't be reported */
790 if (unlikely(musb->g.speed == USB_SPEED_UNKNOWN)) {
791 u8 power;
793 printk(KERN_NOTICE "%s: peripheral reset "
794 "irq lost!\n",
795 musb_driver_name);
796 power = musb_readb(mbase, MUSB_POWER);
797 musb->g.speed = (power & MUSB_POWER_HSMODE)
798 ? USB_SPEED_HIGH : USB_SPEED_FULL;
802 switch (musb->ep0_state) {
804 /* sequence #3 (no data stage), includes requests
805 * we can't forward (notably SET_ADDRESS and the
806 * device/endpoint feature set/clear operations)
807 * plus SET_CONFIGURATION and others we must
809 case MUSB_EP0_STAGE_ACKWAIT:
810 handled = service_zero_data_request(
811 musb, &setup);
814 * We're expecting no data in any case, so
815 * always set the DATAEND bit -- doing this
816 * here helps avoid SetupEnd interrupt coming
817 * in the idle stage when we're stalling...
819 musb->ackpend |= MUSB_CSR0_P_DATAEND;
821 /* status stage might be immediate */
822 if (handled > 0)
823 musb->ep0_state =
824 MUSB_EP0_STAGE_STATUSIN;
825 break;
827 /* sequence #1 (IN to host), includes GET_STATUS
828 * requests that we can't forward, GET_DESCRIPTOR
829 * and others that we must
831 case MUSB_EP0_STAGE_TX:
832 handled = service_in_request(musb, &setup);
833 if (handled > 0) {
834 musb->ackpend = MUSB_CSR0_TXPKTRDY
835 | MUSB_CSR0_P_DATAEND;
836 musb->ep0_state =
837 MUSB_EP0_STAGE_STATUSOUT;
839 break;
841 /* sequence #2 (OUT from host), always forward */
842 default: /* MUSB_EP0_STAGE_RX */
843 break;
846 musb_dbg(musb, "handled %d, csr %04x, ep0stage %s",
847 handled, csr,
848 decode_ep0stage(musb->ep0_state));
850 /* unless we need to delegate this to the gadget
851 * driver, we know how to wrap this up: csr0 has
852 * not yet been written.
854 if (handled < 0)
855 goto stall;
856 else if (handled > 0)
857 goto finish;
859 handled = forward_to_driver(musb, &setup);
860 if (handled < 0) {
861 musb_ep_select(mbase, 0);
862 stall:
863 musb_dbg(musb, "stall (%d)", handled);
864 musb->ackpend |= MUSB_CSR0_P_SENDSTALL;
865 musb->ep0_state = MUSB_EP0_STAGE_IDLE;
866 finish:
867 musb_writew(regs, MUSB_CSR0,
868 musb->ackpend);
869 musb->ackpend = 0;
872 break;
874 case MUSB_EP0_STAGE_ACKWAIT:
875 /* This should not happen. But happens with tusb6010 with
876 * g_file_storage and high speed. Do nothing.
878 retval = IRQ_HANDLED;
879 break;
881 default:
882 /* "can't happen" */
883 WARN_ON(1);
884 musb_writew(regs, MUSB_CSR0, MUSB_CSR0_P_SENDSTALL);
885 musb->ep0_state = MUSB_EP0_STAGE_IDLE;
886 break;
889 return retval;
893 static int
894 musb_g_ep0_enable(struct usb_ep *ep, const struct usb_endpoint_descriptor *desc)
896 /* always enabled */
897 return -EINVAL;
900 static int musb_g_ep0_disable(struct usb_ep *e)
902 /* always enabled */
903 return -EINVAL;
906 static int
907 musb_g_ep0_queue(struct usb_ep *e, struct usb_request *r, gfp_t gfp_flags)
909 struct musb_ep *ep;
910 struct musb_request *req;
911 struct musb *musb;
912 int status;
913 unsigned long lockflags;
914 void __iomem *regs;
916 if (!e || !r)
917 return -EINVAL;
919 ep = to_musb_ep(e);
920 musb = ep->musb;
921 regs = musb->control_ep->regs;
923 req = to_musb_request(r);
924 req->musb = musb;
925 req->request.actual = 0;
926 req->request.status = -EINPROGRESS;
927 req->tx = ep->is_in;
929 spin_lock_irqsave(&musb->lock, lockflags);
931 if (!list_empty(&ep->req_list)) {
932 status = -EBUSY;
933 goto cleanup;
936 switch (musb->ep0_state) {
937 case MUSB_EP0_STAGE_RX: /* control-OUT data */
938 case MUSB_EP0_STAGE_TX: /* control-IN data */
939 case MUSB_EP0_STAGE_ACKWAIT: /* zero-length data */
940 status = 0;
941 break;
942 default:
943 musb_dbg(musb, "ep0 request queued in state %d",
944 musb->ep0_state);
945 status = -EINVAL;
946 goto cleanup;
949 /* add request to the list */
950 list_add_tail(&req->list, &ep->req_list);
952 musb_dbg(musb, "queue to %s (%s), length=%d",
953 ep->name, ep->is_in ? "IN/TX" : "OUT/RX",
954 req->request.length);
956 musb_ep_select(musb->mregs, 0);
958 /* sequence #1, IN ... start writing the data */
959 if (musb->ep0_state == MUSB_EP0_STAGE_TX)
960 ep0_txstate(musb);
962 /* sequence #3, no-data ... issue IN status */
963 else if (musb->ep0_state == MUSB_EP0_STAGE_ACKWAIT) {
964 if (req->request.length)
965 status = -EINVAL;
966 else {
967 musb->ep0_state = MUSB_EP0_STAGE_STATUSIN;
968 musb_writew(regs, MUSB_CSR0,
969 musb->ackpend | MUSB_CSR0_P_DATAEND);
970 musb->ackpend = 0;
971 musb_g_ep0_giveback(ep->musb, r);
974 /* else for sequence #2 (OUT), caller provides a buffer
975 * before the next packet arrives. deferred responses
976 * (after SETUP is acked) are racey.
978 } else if (musb->ackpend) {
979 musb_writew(regs, MUSB_CSR0, musb->ackpend);
980 musb->ackpend = 0;
983 cleanup:
984 spin_unlock_irqrestore(&musb->lock, lockflags);
985 return status;
988 static int musb_g_ep0_dequeue(struct usb_ep *ep, struct usb_request *req)
990 /* we just won't support this */
991 return -EINVAL;
994 static int musb_g_ep0_halt(struct usb_ep *e, int value)
996 struct musb_ep *ep;
997 struct musb *musb;
998 void __iomem *base, *regs;
999 unsigned long flags;
1000 int status;
1001 u16 csr;
1003 if (!e || !value)
1004 return -EINVAL;
1006 ep = to_musb_ep(e);
1007 musb = ep->musb;
1008 base = musb->mregs;
1009 regs = musb->control_ep->regs;
1010 status = 0;
1012 spin_lock_irqsave(&musb->lock, flags);
1014 if (!list_empty(&ep->req_list)) {
1015 status = -EBUSY;
1016 goto cleanup;
1019 musb_ep_select(base, 0);
1020 csr = musb->ackpend;
1022 switch (musb->ep0_state) {
1024 /* Stalls are usually issued after parsing SETUP packet, either
1025 * directly in irq context from setup() or else later.
1027 case MUSB_EP0_STAGE_TX: /* control-IN data */
1028 case MUSB_EP0_STAGE_ACKWAIT: /* STALL for zero-length data */
1029 case MUSB_EP0_STAGE_RX: /* control-OUT data */
1030 csr = musb_readw(regs, MUSB_CSR0);
1031 /* FALLTHROUGH */
1033 /* It's also OK to issue stalls during callbacks when a non-empty
1034 * DATA stage buffer has been read (or even written).
1036 case MUSB_EP0_STAGE_STATUSIN: /* control-OUT status */
1037 case MUSB_EP0_STAGE_STATUSOUT: /* control-IN status */
1039 csr |= MUSB_CSR0_P_SENDSTALL;
1040 musb_writew(regs, MUSB_CSR0, csr);
1041 musb->ep0_state = MUSB_EP0_STAGE_IDLE;
1042 musb->ackpend = 0;
1043 break;
1044 default:
1045 musb_dbg(musb, "ep0 can't halt in state %d", musb->ep0_state);
1046 status = -EINVAL;
1049 cleanup:
1050 spin_unlock_irqrestore(&musb->lock, flags);
1051 return status;
1054 const struct usb_ep_ops musb_g_ep0_ops = {
1055 .enable = musb_g_ep0_enable,
1056 .disable = musb_g_ep0_disable,
1057 .alloc_request = musb_alloc_request,
1058 .free_request = musb_free_request,
1059 .queue = musb_g_ep0_queue,
1060 .dequeue = musb_g_ep0_dequeue,
1061 .set_halt = musb_g_ep0_halt,