1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * aspeed-vhub -- Driver for Aspeed SoC "vHub" USB gadget
4  *
5  * ep0.c - Endpoint 0 handling
6  *
7  * Copyright 2017 IBM Corporation
8  */
9 
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/platform_device.h>
13 #include <linux/delay.h>
14 #include <linux/ioport.h>
15 #include <linux/slab.h>
16 #include <linux/errno.h>
17 #include <linux/list.h>
18 #include <linux/interrupt.h>
19 #include <linux/proc_fs.h>
20 #include <linux/prefetch.h>
21 #include <linux/clk.h>
22 #include <linux/usb/gadget.h>
23 #include <linux/of.h>
24 #include <linux/regmap.h>
25 #include <linux/dma-mapping.h>
26 
27 #include "vhub.h"
28 
ast_vhub_reply(struct ast_vhub_ep * ep,char * ptr,int len)29 int ast_vhub_reply(struct ast_vhub_ep *ep, char *ptr, int len)
30 {
31 	struct usb_request *req = &ep->ep0.req.req;
32 	int rc;
33 
34 	if (WARN_ON(ep->d_idx != 0))
35 		return std_req_stall;
36 	if (WARN_ON(!ep->ep0.dir_in))
37 		return std_req_stall;
38 	if (WARN_ON(len > AST_VHUB_EP0_MAX_PACKET))
39 		return std_req_stall;
40 	if (WARN_ON(req->status == -EINPROGRESS))
41 		return std_req_stall;
42 
43 	req->buf = ptr;
44 	req->length = len;
45 	req->complete = NULL;
46 	req->zero = true;
47 
48 	/*
49 	 * Call internal queue directly after dropping the lock. This is
50 	 * safe to do as the reply is always the last thing done when
51 	 * processing a SETUP packet, usually as a tail call
52 	 */
53 	spin_unlock(&ep->vhub->lock);
54 	if (ep->ep.ops->queue(&ep->ep, req, GFP_ATOMIC))
55 		rc = std_req_stall;
56 	else
57 		rc = std_req_data;
58 	spin_lock(&ep->vhub->lock);
59 	return rc;
60 }
61 
__ast_vhub_simple_reply(struct ast_vhub_ep * ep,int len,...)62 int __ast_vhub_simple_reply(struct ast_vhub_ep *ep, int len, ...)
63 {
64 	u8 *buffer = ep->buf;
65 	unsigned int i;
66 	va_list args;
67 
68 	va_start(args, len);
69 
70 	/* Copy data directly into EP buffer */
71 	for (i = 0; i < len; i++)
72 		buffer[i] = va_arg(args, int);
73 	va_end(args);
74 
75 	/* req->buf NULL means data is already there */
76 	return ast_vhub_reply(ep, NULL, len);
77 }
78 
ast_vhub_ep0_handle_setup(struct ast_vhub_ep * ep)79 void ast_vhub_ep0_handle_setup(struct ast_vhub_ep *ep)
80 {
81 	struct usb_ctrlrequest crq;
82 	enum std_req_rc std_req_rc;
83 	int rc = -ENODEV;
84 
85 	if (WARN_ON(ep->d_idx != 0))
86 		return;
87 
88 	/*
89 	 * Grab the setup packet from the chip and byteswap
90 	 * interesting fields
91 	 */
92 	memcpy_fromio(&crq, ep->ep0.setup, sizeof(crq));
93 
94 	EPDBG(ep, "SETUP packet %02x/%02x/%04x/%04x/%04x [%s] st=%d\n",
95 	      crq.bRequestType, crq.bRequest,
96 	       le16_to_cpu(crq.wValue),
97 	       le16_to_cpu(crq.wIndex),
98 	       le16_to_cpu(crq.wLength),
99 	       (crq.bRequestType & USB_DIR_IN) ? "in" : "out",
100 	       ep->ep0.state);
101 
102 	/*
103 	 * Check our state, cancel pending requests if needed
104 	 *
105 	 * Note: Under some circumstances, we can get a new setup
106 	 * packet while waiting for the stall ack, just accept it.
107 	 *
108 	 * In any case, a SETUP packet in wrong state should have
109 	 * reset the HW state machine, so let's just log, nuke
110 	 * requests, move on.
111 	 */
112 	if (ep->ep0.state != ep0_state_token &&
113 	    ep->ep0.state != ep0_state_stall) {
114 		EPDBG(ep, "wrong state\n");
115 		ast_vhub_nuke(ep, -EIO);
116 	}
117 
118 	/* Calculate next state for EP0 */
119 	ep->ep0.state = ep0_state_data;
120 	ep->ep0.dir_in = !!(crq.bRequestType & USB_DIR_IN);
121 
122 	/* If this is the vHub, we handle requests differently */
123 	std_req_rc = std_req_driver;
124 	if (ep->dev == NULL) {
125 		if ((crq.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD)
126 			std_req_rc = ast_vhub_std_hub_request(ep, &crq);
127 		else if ((crq.bRequestType & USB_TYPE_MASK) == USB_TYPE_CLASS)
128 			std_req_rc = ast_vhub_class_hub_request(ep, &crq);
129 		else
130 			std_req_rc = std_req_stall;
131 	} else if ((crq.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD)
132 		std_req_rc = ast_vhub_std_dev_request(ep, &crq);
133 
134 	/* Act upon result */
135 	switch(std_req_rc) {
136 	case std_req_complete:
137 		goto complete;
138 	case std_req_stall:
139 		goto stall;
140 	case std_req_driver:
141 		break;
142 	case std_req_data:
143 		return;
144 	}
145 
146 	/* Pass request up to the gadget driver */
147 	if (WARN_ON(!ep->dev))
148 		goto stall;
149 	if (ep->dev->driver) {
150 		EPDBG(ep, "forwarding to gadget...\n");
151 		spin_unlock(&ep->vhub->lock);
152 		rc = ep->dev->driver->setup(&ep->dev->gadget, &crq);
153 		spin_lock(&ep->vhub->lock);
154 		EPDBG(ep, "driver returned %d\n", rc);
155 	} else {
156 		EPDBG(ep, "no gadget for request !\n");
157 	}
158 	if (rc >= 0)
159 		return;
160 
161  stall:
162 	EPDBG(ep, "stalling\n");
163 	writel(VHUB_EP0_CTRL_STALL, ep->ep0.ctlstat);
164 	ep->ep0.state = ep0_state_stall;
165 	ep->ep0.dir_in = false;
166 	return;
167 
168  complete:
169 	EPVDBG(ep, "sending [in] status with no data\n");
170 	writel(VHUB_EP0_TX_BUFF_RDY, ep->ep0.ctlstat);
171 	ep->ep0.state = ep0_state_status;
172 	ep->ep0.dir_in = false;
173 }
174 
175 
ast_vhub_ep0_do_send(struct ast_vhub_ep * ep,struct ast_vhub_req * req)176 static void ast_vhub_ep0_do_send(struct ast_vhub_ep *ep,
177 				 struct ast_vhub_req *req)
178 {
179 	unsigned int chunk;
180 	u32 reg;
181 
182 	/* If this is a 0-length request, it's the gadget trying to
183 	 * send a status on our behalf. We take it from here.
184 	 */
185 	if (req->req.length == 0)
186 		req->last_desc = 1;
187 
188 	/* Are we done ? Complete request, otherwise wait for next interrupt */
189 	if (req->last_desc >= 0) {
190 		EPVDBG(ep, "complete send %d/%d\n",
191 		       req->req.actual, req->req.length);
192 		ep->ep0.state = ep0_state_status;
193 		writel(VHUB_EP0_RX_BUFF_RDY, ep->ep0.ctlstat);
194 		ast_vhub_done(ep, req, 0);
195 		return;
196 	}
197 
198 	/*
199 	 * Next chunk cropped to max packet size. Also check if this
200 	 * is the last packet
201 	 */
202 	chunk = req->req.length - req->req.actual;
203 	if (chunk > ep->ep.maxpacket)
204 		chunk = ep->ep.maxpacket;
205 	else if ((chunk < ep->ep.maxpacket) || !req->req.zero)
206 		req->last_desc = 1;
207 
208 	EPVDBG(ep, "send chunk=%d last=%d, req->act=%d mp=%d\n",
209 	       chunk, req->last_desc, req->req.actual, ep->ep.maxpacket);
210 
211 	/*
212 	 * Copy data if any (internal requests already have data
213 	 * in the EP buffer)
214 	 */
215 	if (chunk && req->req.buf)
216 		memcpy(ep->buf, req->req.buf + req->req.actual, chunk);
217 
218 	vhub_dma_workaround(ep->buf);
219 
220 	/* Remember chunk size and trigger send */
221 	reg = VHUB_EP0_SET_TX_LEN(chunk);
222 	writel(reg, ep->ep0.ctlstat);
223 	writel(reg | VHUB_EP0_TX_BUFF_RDY, ep->ep0.ctlstat);
224 	req->req.actual += chunk;
225 }
226 
ast_vhub_ep0_rx_prime(struct ast_vhub_ep * ep)227 static void ast_vhub_ep0_rx_prime(struct ast_vhub_ep *ep)
228 {
229 	EPVDBG(ep, "rx prime\n");
230 
231 	/* Prime endpoint for receiving data */
232 	writel(VHUB_EP0_RX_BUFF_RDY, ep->ep0.ctlstat);
233 }
234 
ast_vhub_ep0_do_receive(struct ast_vhub_ep * ep,struct ast_vhub_req * req,unsigned int len)235 static void ast_vhub_ep0_do_receive(struct ast_vhub_ep *ep, struct ast_vhub_req *req,
236 				    unsigned int len)
237 {
238 	unsigned int remain;
239 	int rc = 0;
240 
241 	/* We are receiving... grab request */
242 	remain = req->req.length - req->req.actual;
243 
244 	EPVDBG(ep, "receive got=%d remain=%d\n", len, remain);
245 
246 	/* Are we getting more than asked ? */
247 	if (len > remain) {
248 		EPDBG(ep, "receiving too much (ovf: %d) !\n",
249 		      len - remain);
250 		len = remain;
251 		rc = -EOVERFLOW;
252 	}
253 
254 	/* Hardware return wrong data len */
255 	if (len < ep->ep.maxpacket && len != remain) {
256 		EPDBG(ep, "using expected data len instead\n");
257 		len = remain;
258 	}
259 
260 	if (len && req->req.buf)
261 		memcpy(req->req.buf + req->req.actual, ep->buf, len);
262 	req->req.actual += len;
263 
264 	/* Done ? */
265 	if (len < ep->ep.maxpacket || len == remain) {
266 		ep->ep0.state = ep0_state_status;
267 		writel(VHUB_EP0_TX_BUFF_RDY, ep->ep0.ctlstat);
268 		ast_vhub_done(ep, req, rc);
269 	} else
270 		ast_vhub_ep0_rx_prime(ep);
271 }
272 
ast_vhub_ep0_handle_ack(struct ast_vhub_ep * ep,bool in_ack)273 void ast_vhub_ep0_handle_ack(struct ast_vhub_ep *ep, bool in_ack)
274 {
275 	struct ast_vhub_req *req;
276 	struct ast_vhub *vhub = ep->vhub;
277 	struct device *dev = &vhub->pdev->dev;
278 	bool stall = false;
279 	u32 stat;
280 
281 	/* Read EP0 status */
282 	stat = readl(ep->ep0.ctlstat);
283 
284 	/* Grab current request if any */
285 	req = list_first_entry_or_null(&ep->queue, struct ast_vhub_req, queue);
286 
287 	EPVDBG(ep, "ACK status=%08x,state=%d is_in=%d in_ack=%d req=%p\n",
288 		stat, ep->ep0.state, ep->ep0.dir_in, in_ack, req);
289 
290 	switch(ep->ep0.state) {
291 	case ep0_state_token:
292 		/* There should be no request queued in that state... */
293 		if (req) {
294 			dev_warn(dev, "request present while in TOKEN state\n");
295 			ast_vhub_nuke(ep, -EINVAL);
296 		}
297 		dev_warn(dev, "ack while in TOKEN state\n");
298 		stall = true;
299 		break;
300 	case ep0_state_data:
301 		/* Check the state bits corresponding to our direction */
302 		if ((ep->ep0.dir_in && (stat & VHUB_EP0_TX_BUFF_RDY)) ||
303 		    (!ep->ep0.dir_in && (stat & VHUB_EP0_RX_BUFF_RDY)) ||
304 		    (ep->ep0.dir_in != in_ack)) {
305 			/* In that case, ignore interrupt */
306 			dev_warn(dev, "irq state mismatch");
307 			break;
308 		}
309 		/*
310 		 * We are in data phase and there's no request, something is
311 		 * wrong, stall
312 		 */
313 		if (!req) {
314 			dev_warn(dev, "data phase, no request\n");
315 			stall = true;
316 			break;
317 		}
318 
319 		/* We have a request, handle data transfers */
320 		if (ep->ep0.dir_in)
321 			ast_vhub_ep0_do_send(ep, req);
322 		else
323 			ast_vhub_ep0_do_receive(ep, req, VHUB_EP0_RX_LEN(stat));
324 		return;
325 	case ep0_state_status:
326 		/* Nuke stale requests */
327 		if (req) {
328 			dev_warn(dev, "request present while in STATUS state\n");
329 			ast_vhub_nuke(ep, -EINVAL);
330 		}
331 
332 		/*
333 		 * If the status phase completes with the wrong ack, stall
334 		 * the endpoint just in case, to abort whatever the host
335 		 * was doing.
336 		 */
337 		if (ep->ep0.dir_in == in_ack) {
338 			dev_warn(dev, "status direction mismatch\n");
339 			stall = true;
340 		}
341 		break;
342 	case ep0_state_stall:
343 		/*
344 		 * There shouldn't be any request left, but nuke just in case
345 		 * otherwise the stale request will block subsequent ones
346 		 */
347 		ast_vhub_nuke(ep, -EIO);
348 		break;
349 	}
350 
351 	/* Reset to token state or stall */
352 	if (stall) {
353 		writel(VHUB_EP0_CTRL_STALL, ep->ep0.ctlstat);
354 		ep->ep0.state = ep0_state_stall;
355 	} else
356 		ep->ep0.state = ep0_state_token;
357 }
358 
ast_vhub_ep0_queue(struct usb_ep * u_ep,struct usb_request * u_req,gfp_t gfp_flags)359 static int ast_vhub_ep0_queue(struct usb_ep* u_ep, struct usb_request *u_req,
360 			      gfp_t gfp_flags)
361 {
362 	struct ast_vhub_req *req = to_ast_req(u_req);
363 	struct ast_vhub_ep *ep = to_ast_ep(u_ep);
364 	struct ast_vhub *vhub = ep->vhub;
365 	struct device *dev = &vhub->pdev->dev;
366 	unsigned long flags;
367 
368 	/* Paranoid cheks */
369 	if (!u_req || (!u_req->complete && !req->internal)) {
370 		dev_warn(dev, "Bogus EP0 request ! u_req=%p\n", u_req);
371 		if (u_req) {
372 			dev_warn(dev, "complete=%p internal=%d\n",
373 				 u_req->complete, req->internal);
374 		}
375 		return -EINVAL;
376 	}
377 
378 	/* Not endpoint 0 ? */
379 	if (WARN_ON(ep->d_idx != 0))
380 		return -EINVAL;
381 
382 	/* Disabled device */
383 	if (ep->dev && !ep->dev->enabled)
384 		return -ESHUTDOWN;
385 
386 	/* Data, no buffer and not internal ? */
387 	if (u_req->length && !u_req->buf && !req->internal) {
388 		dev_warn(dev, "Request with no buffer !\n");
389 		return -EINVAL;
390 	}
391 
392 	EPVDBG(ep, "enqueue req @%p\n", req);
393 	EPVDBG(ep, "  l=%d zero=%d noshort=%d is_in=%d\n",
394 	       u_req->length, u_req->zero,
395 	       u_req->short_not_ok, ep->ep0.dir_in);
396 
397 	/* Initialize request progress fields */
398 	u_req->status = -EINPROGRESS;
399 	u_req->actual = 0;
400 	req->last_desc = -1;
401 	req->active = false;
402 
403 	spin_lock_irqsave(&vhub->lock, flags);
404 
405 	/* EP0 can only support a single request at a time */
406 	if (!list_empty(&ep->queue) ||
407 	    ep->ep0.state == ep0_state_token ||
408 	    ep->ep0.state == ep0_state_stall) {
409 		dev_warn(dev, "EP0: Request in wrong state\n");
410 	        EPVDBG(ep, "EP0: list_empty=%d state=%d\n",
411 		       list_empty(&ep->queue), ep->ep0.state);
412 		spin_unlock_irqrestore(&vhub->lock, flags);
413 		return -EBUSY;
414 	}
415 
416 	/* Add request to list and kick processing if empty */
417 	list_add_tail(&req->queue, &ep->queue);
418 
419 	if (ep->ep0.dir_in) {
420 		/* IN request, send data */
421 		ast_vhub_ep0_do_send(ep, req);
422 	} else if (u_req->length == 0) {
423 		/* 0-len request, send completion as rx */
424 		EPVDBG(ep, "0-length rx completion\n");
425 		ep->ep0.state = ep0_state_status;
426 		writel(VHUB_EP0_TX_BUFF_RDY, ep->ep0.ctlstat);
427 		ast_vhub_done(ep, req, 0);
428 	} else {
429 		/* OUT request, start receiver */
430 		ast_vhub_ep0_rx_prime(ep);
431 	}
432 
433 	spin_unlock_irqrestore(&vhub->lock, flags);
434 
435 	return 0;
436 }
437 
ast_vhub_ep0_dequeue(struct usb_ep * u_ep,struct usb_request * u_req)438 static int ast_vhub_ep0_dequeue(struct usb_ep* u_ep, struct usb_request *u_req)
439 {
440 	struct ast_vhub_ep *ep = to_ast_ep(u_ep);
441 	struct ast_vhub *vhub = ep->vhub;
442 	struct ast_vhub_req *req;
443 	unsigned long flags;
444 	int rc = -EINVAL;
445 
446 	spin_lock_irqsave(&vhub->lock, flags);
447 
448 	/* Only one request can be in the queue */
449 	req = list_first_entry_or_null(&ep->queue, struct ast_vhub_req, queue);
450 
451 	/* Is it ours ? */
452 	if (req && u_req == &req->req) {
453 		EPVDBG(ep, "dequeue req @%p\n", req);
454 
455 		/*
456 		 * We don't have to deal with "active" as all
457 		 * DMAs go to the EP buffers, not the request.
458 		 */
459 		ast_vhub_done(ep, req, -ECONNRESET);
460 
461 		/* We do stall the EP to clean things up in HW */
462 		writel(VHUB_EP0_CTRL_STALL, ep->ep0.ctlstat);
463 		ep->ep0.state = ep0_state_status;
464 		ep->ep0.dir_in = false;
465 		rc = 0;
466 	}
467 	spin_unlock_irqrestore(&vhub->lock, flags);
468 	return rc;
469 }
470 
471 
472 static const struct usb_ep_ops ast_vhub_ep0_ops = {
473 	.queue		= ast_vhub_ep0_queue,
474 	.dequeue	= ast_vhub_ep0_dequeue,
475 	.alloc_request	= ast_vhub_alloc_request,
476 	.free_request	= ast_vhub_free_request,
477 };
478 
ast_vhub_reset_ep0(struct ast_vhub_dev * dev)479 void ast_vhub_reset_ep0(struct ast_vhub_dev *dev)
480 {
481 	struct ast_vhub_ep *ep = &dev->ep0;
482 
483 	ast_vhub_nuke(ep, -EIO);
484 	ep->ep0.state = ep0_state_token;
485 }
486 
487 
ast_vhub_init_ep0(struct ast_vhub * vhub,struct ast_vhub_ep * ep,struct ast_vhub_dev * dev)488 void ast_vhub_init_ep0(struct ast_vhub *vhub, struct ast_vhub_ep *ep,
489 		       struct ast_vhub_dev *dev)
490 {
491 	memset(ep, 0, sizeof(*ep));
492 
493 	INIT_LIST_HEAD(&ep->ep.ep_list);
494 	INIT_LIST_HEAD(&ep->queue);
495 	ep->ep.ops = &ast_vhub_ep0_ops;
496 	ep->ep.name = "ep0";
497 	ep->ep.caps.type_control = true;
498 	usb_ep_set_maxpacket_limit(&ep->ep, AST_VHUB_EP0_MAX_PACKET);
499 	ep->d_idx = 0;
500 	ep->dev = dev;
501 	ep->vhub = vhub;
502 	ep->ep0.state = ep0_state_token;
503 	INIT_LIST_HEAD(&ep->ep0.req.queue);
504 	ep->ep0.req.internal = true;
505 
506 	/* Small difference between vHub and devices */
507 	if (dev) {
508 		ep->ep0.ctlstat = dev->regs + AST_VHUB_DEV_EP0_CTRL;
509 		ep->ep0.setup = vhub->regs +
510 			AST_VHUB_SETUP0 + 8 * (dev->index + 1);
511 		ep->buf = vhub->ep0_bufs +
512 			AST_VHUB_EP0_MAX_PACKET * (dev->index + 1);
513 		ep->buf_dma = vhub->ep0_bufs_dma +
514 			AST_VHUB_EP0_MAX_PACKET * (dev->index + 1);
515 	} else {
516 		ep->ep0.ctlstat = vhub->regs + AST_VHUB_EP0_CTRL;
517 		ep->ep0.setup = vhub->regs + AST_VHUB_SETUP0;
518 		ep->buf = vhub->ep0_bufs;
519 		ep->buf_dma = vhub->ep0_bufs_dma;
520 	}
521 }
522