/*
 * xHCI host controller driver
 *
 * Copyright (C) 2008 Intel Corp.
 *
 * Author: Sarah Sharp
 * Some code borrowed from the Linux EHCI driver.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */

/*
 * Ring initialization rules:
 * 1. Each segment is initialized to zero, except for link TRBs.
 * 2. Ring cycle state = 0.  This represents Producer Cycle State (PCS) or
 *    Consumer Cycle State (CCS), depending on ring function.
 * 3. Enqueue pointer = dequeue pointer = address of first TRB in the segment.
 *
 * Ring behavior rules:
 * 1. A ring is empty if enqueue == dequeue.  This means there will always be at
 *    least one free TRB in the ring.  This is useful if you want to turn that
 *    into a link TRB and expand the ring.
 * 2. When incrementing an enqueue or dequeue pointer, if the next TRB is a
 *    link TRB, then load the pointer with the address in the link TRB.  If the
 *    link TRB had its toggle bit set, you may need to update the ring cycle
 *    state (see cycle bit rules).  You may have to do this multiple times
 *    until you reach a non-link TRB.
 * 3. A ring is full if enqueue++ (for the definition of increment above)
 *    equals the dequeue pointer.
 *
 * Cycle bit rules:
 * 1. When a consumer increments a dequeue pointer and encounters a toggle bit
 *    in a link TRB, it must toggle the ring cycle state.
 * 2. When a producer increments an enqueue pointer and encounters a toggle bit
 *    in a link TRB, it must toggle the ring cycle state.
 *
 * Producer rules:
 * 1. Check if ring is full before you enqueue.
 * 2. Write the ring cycle state to the cycle bit in the TRB you're enqueuing.
 *    Update enqueue pointer between each write (which may update the ring
 *    cycle state).
 * 3. Notify consumer.  If SW is producer, it rings the doorbell for command
 *    and endpoint rings.  If HC is the producer for the event ring,
 *    and it generates an interrupt according to interrupt modulation rules.
 *
 * Consumer rules:
 * 1. Check if TRB belongs to you.  If the cycle bit == your ring cycle state,
 *    the TRB is owned by the consumer.
 * 2. Update dequeue pointer (which may update the ring cycle state) and
 *    continue processing TRBs until you reach a TRB which is not owned by you.
 * 3. Notify the producer.  SW is the consumer for the event ring, and it
 *   updates event ring dequeue pointer.  HC is the consumer for the command and
 *   endpoint rings; it generates events on the event ring for these.
 */

#include <linux/scatterlist.h>
#include <linux/slab.h>
#include "xhci.h"
#include "xhci-trace.h"

static int handle_cmd_in_cmd_wait_list(struct xhci_hcd *xhci,
                struct xhci_virt_device *virt_dev,
                struct xhci_event_cmd *event);

/*
 * Returns zero if the TRB isn't in this segment, otherwise it returns the DMA
 * address of the TRB.
 */
dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg,
                union xhci_trb *trb)
{
        unsigned long segment_offset;

        if (!seg || !trb || trb < seg->trbs)
                return 0;
        /* offset in TRBs */
        segment_offset = trb - seg->trbs;
        if (segment_offset > TRBS_PER_SEGMENT)
                return 0;
        return seg->dma + (segment_offset * sizeof(*trb));
}

/* Does this link TRB point to the first segment in a ring,
 * or was the previous TRB the last TRB on the last segment in the ERST?
 */
static bool last_trb_on_last_seg(struct xhci_hcd *xhci, struct xhci_ring *ring,
                struct xhci_segment *seg, union xhci_trb *trb)
{
        if (ring == xhci->event_ring)
                return (trb == &seg->trbs[TRBS_PER_SEGMENT]) &&
                        (seg->next == xhci->event_ring->first_seg);
        else
                return le32_to_cpu(trb->link.control) & LINK_TOGGLE;
}

/* Is this TRB a link TRB or was the last TRB the last TRB in this event ring
 * segment?  I.e. would the updated event TRB pointer step off the end of the
 * event seg?
 */
static int last_trb(struct xhci_hcd *xhci, struct xhci_ring *ring,
                struct xhci_segment *seg, union xhci_trb *trb)
{
        if (ring == xhci->event_ring)
                return trb == &seg->trbs[TRBS_PER_SEGMENT];
        else
                return TRB_TYPE_LINK_LE32(trb->link.control);
}

static int enqueue_is_link_trb(struct xhci_ring *ring)
{
        struct xhci_link_trb *link = &ring->enqueue->link;
        return TRB_TYPE_LINK_LE32(link->control);
}

union xhci_trb *xhci_find_next_enqueue(struct xhci_ring *ring)
{
        /* Enqueue pointer can be left pointing to the link TRB,
         * we must handle that
         */
        if (TRB_TYPE_LINK_LE32(ring->enqueue->link.control))
                return ring->enq_seg->next->trbs;
        return ring->enqueue;
}

/* Updates trb to point to the next TRB in the ring, and updates seg if the next
 * TRB is in a new segment.  This does not skip over link TRBs, and it does not
 * effect the ring dequeue or enqueue pointers.
 */
static void next_trb(struct xhci_hcd *xhci,
                struct xhci_ring *ring,
                struct xhci_segment **seg,
                union xhci_trb **trb)
{
        if (last_trb(xhci, ring, *seg, *trb)) {
                *seg = (*seg)->next;
                *trb = ((*seg)->trbs);
        } else {
                (*trb)++;
        }
}

/*
 * See Cycle bit rules. SW is the consumer for the event ring only.
 * Don't make a ring full of link TRBs.  That would be dumb and this would loop.
 */
static void inc_deq(struct xhci_hcd *xhci, struct xhci_ring *ring)
{
        unsigned long long addr;

        ring->deq_updates++;

        /*
         * If this is not event ring, and the dequeue pointer
         * is not on a link TRB, there is one more usable TRB
         */
        if (ring->type != TYPE_EVENT &&
                        !last_trb(xhci, ring, ring->deq_seg, ring->dequeue))
                ring->num_trbs_free++;

        do {
                /*
                 * Update the dequeue pointer further if that was a link TRB or
                 * we're at the end of an event ring segment (which doesn't have
                 * link TRBS)
                 */
                if (last_trb(xhci, ring, ring->deq_seg, ring->dequeue)) {
                        if (ring->type == TYPE_EVENT &&
                                        last_trb_on_last_seg(xhci, ring,
                                                ring->deq_seg, ring->dequeue)) {
                                ring->cycle_state ^= 1;
                        }
                        ring->deq_seg = ring->deq_seg->next;
                        ring->dequeue = ring->deq_seg->trbs;
                } else {
                        ring->dequeue++;
                }
        } while (last_trb(xhci, ring, ring->deq_seg, ring->dequeue));

        addr = (unsigned long long) xhci_trb_virt_to_dma(ring->deq_seg, ring->dequeue);
}

/*
 * See Cycle bit rules. SW is the consumer for the event ring only.
 * Don't make a ring full of link TRBs.  That would be dumb and this would loop.
 *
 * If we've just enqueued a TRB that is in the middle of a TD (meaning the
 * chain bit is set), then set the chain bit in all the following link TRBs.
 * If we've enqueued the last TRB in a TD, make sure the following link TRBs
 * have their chain bit cleared (so that each Link TRB is a separate TD).
 *
 * Section 6.4.4.1 of the 0.95 spec says link TRBs cannot have the chain bit
 * set, but other sections talk about dealing with the chain bit set.  This was
 * fixed in the 0.96 specification errata, but we have to assume that all 0.95
 * xHCI hardware can't handle the chain bit being cleared on a link TRB.
 *
 * @more_trbs_coming:   Will you enqueue more TRBs before calling
 *                      prepare_transfer()?
 */
static void inc_enq(struct xhci_hcd *xhci, struct xhci_ring *ring,
                        bool more_trbs_coming)
{
        u32 chain;
        union xhci_trb *next;
        unsigned long long addr;

        chain = le32_to_cpu(ring->enqueue->generic.field[3]) & TRB_CHAIN;
        /* If this is not event ring, there is one less usable TRB */
        if (ring->type != TYPE_EVENT &&
                        !last_trb(xhci, ring, ring->enq_seg, ring->enqueue))
                ring->num_trbs_free--;
        next = ++(ring->enqueue);

        ring->enq_updates++;
        /* Update the dequeue pointer further if that was a link TRB or we're at
         * the end of an event ring segment (which doesn't have link TRBS)
         */
        while (last_trb(xhci, ring, ring->enq_seg, next)) {
                if (ring->type != TYPE_EVENT) {
                        /*
                         * If the caller doesn't plan on enqueueing more
                         * TDs before ringing the doorbell, then we
                         * don't want to give the link TRB to the
                         * hardware just yet.  We'll give the link TRB
                         * back in prepare_ring() just before we enqueue
                         * the TD at the top of the ring.
                         */
                        if (!chain && !more_trbs_coming)
                                break;

                        /* If we're not dealing with 0.95 hardware or
                         * isoc rings on AMD 0.96 host,
                         * carry over the chain bit of the previous TRB
                         * (which may mean the chain bit is cleared).
                         */
                        if (!(ring->type == TYPE_ISOC &&
                                        (xhci->quirks & XHCI_AMD_0x96_HOST))
                                                && !xhci_link_trb_quirk(xhci)) {
                                next->link.control &=
                                        cpu_to_le32(~TRB_CHAIN);
                                next->link.control |=
                                        cpu_to_le32(chain);
                        }
                        /* Give this link TRB to the hardware */
                        wmb();
                        next->link.control ^= cpu_to_le32(TRB_CYCLE);

                        /* Toggle the cycle bit after the last ring segment. */
                        if (last_trb_on_last_seg(xhci, ring, ring->enq_seg, next)) {
                                ring->cycle_state = (ring->cycle_state ? 0 : 1);
                        }
                }
                ring->enq_seg = ring->enq_seg->next;
                ring->enqueue = ring->enq_seg->trbs;
                next = ring->enqueue;
        }
        addr = (unsigned long long) xhci_trb_virt_to_dma(ring->enq_seg, ring->enqueue);
}

/*
 * Check to see if there's room to enqueue num_trbs on the ring and make sure
 * enqueue pointer will not advance into dequeue segment. See rules above.
 */
static inline int room_on_ring(struct xhci_hcd *xhci, struct xhci_ring *ring,
                unsigned int num_trbs)
{
        int num_trbs_in_deq_seg;

        if (ring->num_trbs_free < num_trbs)
                return 0;

        if (ring->type != TYPE_COMMAND && ring->type != TYPE_EVENT) {
                num_trbs_in_deq_seg = ring->dequeue - ring->deq_seg->trbs;
                if (ring->num_trbs_free < num_trbs + num_trbs_in_deq_seg)
                        return 0;
        }

        return 1;
}

/* Ring the host controller doorbell after placing a command on the ring */
void xhci_ring_cmd_db(struct xhci_hcd *xhci)
{
        if (!(xhci->cmd_ring_state & CMD_RING_STATE_RUNNING))
                return;

        xhci_dbg(xhci, "// Ding dong!\n");
        xhci_writel(xhci, DB_VALUE_HOST, &xhci->dba->doorbell[0]);
        /* Flush PCI posted writes */
        xhci_readl(xhci, &xhci->dba->doorbell[0]);
}

static int xhci_abort_cmd_ring(struct xhci_hcd *xhci)
{
        u64 temp_64;
        int ret;

        xhci_dbg(xhci, "Abort command ring\n");

        if (!(xhci->cmd_ring_state & CMD_RING_STATE_RUNNING)) {
                xhci_dbg(xhci, "The command ring isn't running, "
                                "Have the command ring been stopped?\n");
                return 0;
        }

        temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
        if (!(temp_64 & CMD_RING_RUNNING)) {
                xhci_dbg(xhci, "Command ring had been stopped\n");
                return 0;
        }
        xhci->cmd_ring_state = CMD_RING_STATE_ABORTED;
        xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
                        &xhci->op_regs->cmd_ring);

        /* Section 4.6.1.2 of xHCI 1.0 spec says software should
         * time the completion od all xHCI commands, including
         * the Command Abort operation. If software doesn't see
         * CRR negated in a timely manner (e.g. longer than 5
         * seconds), then it should assume that the there are
         * larger problems with the xHC and assert HCRST.
         */
        ret = xhci_handshake(xhci, &xhci->op_regs->cmd_ring,
                        CMD_RING_RUNNING, 0, 5 * 1000 * 1000);
        if (ret < 0) {
                xhci_err(xhci, "Stopped the command ring failed, "
                                "maybe the host is dead\n");
                xhci->xhc_state |= XHCI_STATE_DYING;
                xhci_quiesce(xhci);
                xhci_halt(xhci);
                return -ESHUTDOWN;
        }

        return 0;
}

static int xhci_queue_cd(struct xhci_hcd *xhci,
                struct xhci_command *command,
                union xhci_trb *cmd_trb)
{
        struct xhci_cd *cd;
        cd = kzalloc(sizeof(struct xhci_cd), GFP_ATOMIC);
        if (!cd)
                return -ENOMEM;
        INIT_LIST_HEAD(&cd->cancel_cmd_list);

        cd->command = command;
        cd->cmd_trb = cmd_trb;
        list_add_tail(&cd->cancel_cmd_list, &xhci->cancel_cmd_list);

        return 0;
}

/*
 * Cancel the command which has issue.
 *
 * Some commands may hang due to waiting for acknowledgement from
 * usb device. It is outside of the xHC's ability to control and
 * will cause the command ring is blocked. When it occurs software
 * should intervene to recover the command ring.
 * See Section 4.6.1.1 and 4.6.1.2
 */
int xhci_cancel_cmd(struct xhci_hcd *xhci, struct xhci_command *command,
                union xhci_trb *cmd_trb)
{
        int retval = 0;
        unsigned long flags;

        spin_lock_irqsave(&xhci->lock, flags);

        if (xhci->xhc_state & XHCI_STATE_DYING) {
                xhci_warn(xhci, "Abort the command ring,"
                                " but the xHCI is dead.\n");
                retval = -ESHUTDOWN;
                goto fail;
        }

        /* queue the cmd desriptor to cancel_cmd_list */
        retval = xhci_queue_cd(xhci, command, cmd_trb);
        if (retval) {
                xhci_warn(xhci, "Queuing command descriptor failed.\n");
                goto fail;
        }

        /* abort command ring */
        retval = xhci_abort_cmd_ring(xhci);
        if (retval) {
                xhci_err(xhci, "Abort command ring failed\n");
                if (unlikely(retval == -ESHUTDOWN)) {
                        spin_unlock_irqrestore(&xhci->lock, flags);
                        usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
                        xhci_dbg(xhci, "xHCI host controller is dead.\n");
                        return retval;
                }
        }

fail:
        spin_unlock_irqrestore(&xhci->lock, flags);
        return retval;
}

void xhci_ring_ep_doorbell(struct xhci_hcd *xhci,
                unsigned int slot_id,
                unsigned int ep_index,
                unsigned int stream_id)
{
        __le32 __iomem *db_addr = &xhci->dba->doorbell[slot_id];
        struct xhci_virt_ep *ep = &xhci->devs[slot_id]->eps[ep_index];
        unsigned int ep_state = ep->ep_state;

        /* Don't ring the doorbell for this endpoint if there are pending
         * cancellations because we don't want to interrupt processing.
         * We don't want to restart any stream rings if there's a set dequeue
         * pointer command pending because the device can choose to start any
         * stream once the endpoint is on the HW schedule.
         * FIXME - check all the stream rings for pending cancellations.
         */
        if ((ep_state & EP_HALT_PENDING) || (ep_state & SET_DEQ_PENDING) ||
            (ep_state & EP_HALTED))
                return;
        xhci_writel(xhci, DB_VALUE(ep_index, stream_id), db_addr);
        /* The CPU has better things to do at this point than wait for a
         * write-posting flush.  It'll get there soon enough.
         */
}

/* Ring the doorbell for any rings with pending URBs */
static void ring_doorbell_for_active_rings(struct xhci_hcd *xhci,
                unsigned int slot_id,
                unsigned int ep_index)
{
        unsigned int stream_id;
        struct xhci_virt_ep *ep;

        ep = &xhci->devs[slot_id]->eps[ep_index];

        /* A ring has pending URBs if its TD list is not empty */
        if (!(ep->ep_state & EP_HAS_STREAMS)) {
                if (ep->ring && !(list_empty(&ep->ring->td_list)))
                        xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 0);
                return;
        }

        for (stream_id = 1; stream_id < ep->stream_info->num_streams;
                        stream_id++) {
                struct xhci_stream_info *stream_info = ep->stream_info;
                if (!list_empty(&stream_info->stream_rings[stream_id]->td_list))
                        xhci_ring_ep_doorbell(xhci, slot_id, ep_index,
                                                stream_id);
        }
}

/*
 * Find the segment that trb is in.  Start searching in start_seg.
 * If we must move past a segment that has a link TRB with a toggle cycle state
 * bit set, then we will toggle the value pointed at by cycle_state.
 */
static struct xhci_segment *find_trb_seg(
                struct xhci_segment *start_seg,
                union xhci_trb  *trb, int *cycle_state)
{
        struct xhci_segment *cur_seg = start_seg;
        struct xhci_generic_trb *generic_trb;

        while (cur_seg->trbs > trb ||
                        &cur_seg->trbs[TRBS_PER_SEGMENT - 1] < trb) {
                generic_trb = &cur_seg->trbs[TRBS_PER_SEGMENT - 1].generic;
                if (generic_trb->field[3] & cpu_to_le32(LINK_TOGGLE))
                        *cycle_state ^= 0x1;
                cur_seg = cur_seg->next;
                if (cur_seg == start_seg)
                        /* Looped over the entire list.  Oops! */
                        return NULL;
        }
        return cur_seg;
}


static struct xhci_ring *xhci_triad_to_transfer_ring(struct xhci_hcd *xhci,
                unsigned int slot_id, unsigned int ep_index,
                unsigned int stream_id)
{
        struct xhci_virt_ep *ep;

        ep = &xhci->devs[slot_id]->eps[ep_index];
        /* Common case: no streams */
        if (!(ep->ep_state & EP_HAS_STREAMS))
                return ep->ring;

        if (stream_id == 0) {
                xhci_warn(xhci,
                                "WARN: Slot ID %u, ep index %u has streams, "
                                "but URB has no stream ID.\n",
                                slot_id, ep_index);
                return NULL;
        }

        if (stream_id < ep->stream_info->num_streams)
                return ep->stream_info->stream_rings[stream_id];

        xhci_warn(xhci,
                        "WARN: Slot ID %u, ep index %u has "
                        "stream IDs 1 to %u allocated, "
                        "but stream ID %u is requested.\n",
                        slot_id, ep_index,
                        ep->stream_info->num_streams - 1,
                        stream_id);
        return NULL;
}

/* Get the right ring for the given URB.
 * If the endpoint supports streams, boundary check the URB's stream ID.
 * If the endpoint doesn't support streams, return the singular endpoint ring.
 */
static struct xhci_ring *xhci_urb_to_transfer_ring(struct xhci_hcd *xhci,
                struct urb *urb)
{
        return xhci_triad_to_transfer_ring(xhci, urb->dev->slot_id,
                xhci_get_endpoint_index(&urb->ep->desc), urb->stream_id);
}

/*
 * Move the xHC's endpoint ring dequeue pointer past cur_td.
 * Record the new state of the xHC's endpoint ring dequeue segment,
 * dequeue pointer, and new consumer cycle state in state.
 * Update our internal representation of the ring's dequeue pointer.
 *
 * We do this in three jumps:
 *  - First we update our new ring state to be the same as when the xHC stopped.
 *  - Then we traverse the ring to find the segment that contains
 *    the last TRB in the TD.  We toggle the xHC's new cycle state when we pass
 *    any link TRBs with the toggle cycle bit set.
 *  - Finally we move the dequeue state one TRB further, toggling the cycle bit
 *    if we've moved it past a link TRB with the toggle cycle bit set.
 *
 * Some of the uses of xhci_generic_trb are grotty, but if they're done
 * with correct __le32 accesses they should work fine.  Only users of this are
 * in here.
 */
void xhci_find_new_dequeue_state(struct xhci_hcd *xhci,
                unsigned int slot_id, unsigned int ep_index,
                unsigned int stream_id, struct xhci_td *cur_td,
                struct xhci_dequeue_state *state)
{
        struct xhci_virt_device *dev = xhci->devs[slot_id];
        struct xhci_ring *ep_ring;
        struct xhci_generic_trb *trb;
        struct xhci_ep_ctx *ep_ctx;
        dma_addr_t addr;

        ep_ring = xhci_triad_to_transfer_ring(xhci, slot_id,
                        ep_index, stream_id);
        if (!ep_ring) {
                xhci_warn(xhci, "WARN can't find new dequeue state "
                                "for invalid stream ID %u.\n",
                                stream_id);
                return;
        }
        state->new_cycle_state = 0;
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "Finding segment containing stopped TRB.");
        state->new_deq_seg = find_trb_seg(cur_td->start_seg,
                        dev->eps[ep_index].stopped_trb,
                        &state->new_cycle_state);
        if (!state->new_deq_seg) {
                WARN_ON(1);
                return;
        }

        /* Dig out the cycle state saved by the xHC during the stop ep cmd */
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "Finding endpoint context");
        ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index);
        state->new_cycle_state = 0x1 & le64_to_cpu(ep_ctx->deq);

        state->new_deq_ptr = cur_td->last_trb;
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "Finding segment containing last TRB in TD.");
        state->new_deq_seg = find_trb_seg(state->new_deq_seg,
                        state->new_deq_ptr,
                        &state->new_cycle_state);
        if (!state->new_deq_seg) {
                WARN_ON(1);
                return;
        }

        trb = &state->new_deq_ptr->generic;
        if (TRB_TYPE_LINK_LE32(trb->field[3]) &&
            (trb->field[3] & cpu_to_le32(LINK_TOGGLE)))
                state->new_cycle_state ^= 0x1;
        next_trb(xhci, ep_ring, &state->new_deq_seg, &state->new_deq_ptr);

        /*
         * If there is only one segment in a ring, find_trb_seg()'s while loop
         * will not run, and it will return before it has a chance to see if it
         * needs to toggle the cycle bit.  It can't tell if the stalled transfer
         * ended just before the link TRB on a one-segment ring, or if the TD
         * wrapped around the top of the ring, because it doesn't have the TD in
         * question.  Look for the one-segment case where stalled TRB's address
         * is greater than the new dequeue pointer address.
         */
        if (ep_ring->first_seg == ep_ring->first_seg->next &&
                        state->new_deq_ptr < dev->eps[ep_index].stopped_trb)
                state->new_cycle_state ^= 0x1;
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "Cycle state = 0x%x", state->new_cycle_state);

        /* Don't update the ring cycle state for the producer (us). */
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "New dequeue segment = %p (virtual)",
                        state->new_deq_seg);
        addr = xhci_trb_virt_to_dma(state->new_deq_seg, state->new_deq_ptr);
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "New dequeue pointer = 0x%llx (DMA)",
                        (unsigned long long) addr);
}

/* flip_cycle means flip the cycle bit of all but the first and last TRB.
 * (The last TRB actually points to the ring enqueue pointer, which is not part
 * of this TD.)  This is used to remove partially enqueued isoc TDs from a ring.
 */
static void td_to_noop(struct xhci_hcd *xhci, struct xhci_ring *ep_ring,
                struct xhci_td *cur_td, bool flip_cycle)
{
        struct xhci_segment *cur_seg;
        union xhci_trb *cur_trb;

        for (cur_seg = cur_td->start_seg, cur_trb = cur_td->first_trb;
                        true;
                        next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) {
                if (TRB_TYPE_LINK_LE32(cur_trb->generic.field[3])) {
                        /* Unchain any chained Link TRBs, but
                         * leave the pointers intact.
                         */
                        cur_trb->generic.field[3] &= cpu_to_le32(~TRB_CHAIN);
                        /* Flip the cycle bit (link TRBs can't be the first
                         * or last TRB).
                         */
                        if (flip_cycle)
                                cur_trb->generic.field[3] ^=
                                        cpu_to_le32(TRB_CYCLE);
                        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                        "Cancel (unchain) link TRB");
                        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                        "Address = %p (0x%llx dma); "
                                        "in seg %p (0x%llx dma)",
                                        cur_trb,
                                        (unsigned long long)xhci_trb_virt_to_dma(cur_seg, cur_trb),
                                        cur_seg,
                                        (unsigned long long)cur_seg->dma);
                } else {
                        cur_trb->generic.field[0] = 0;
                        cur_trb->generic.field[1] = 0;
                        cur_trb->generic.field[2] = 0;
                        /* Preserve only the cycle bit of this TRB */
                        cur_trb->generic.field[3] &= cpu_to_le32(TRB_CYCLE);
                        /* Flip the cycle bit except on the first or last TRB */
                        if (flip_cycle && cur_trb != cur_td->first_trb &&
                                        cur_trb != cur_td->last_trb)
                                cur_trb->generic.field[3] ^=
                                        cpu_to_le32(TRB_CYCLE);
                        cur_trb->generic.field[3] |= cpu_to_le32(
                                TRB_TYPE(TRB_TR_NOOP));
                        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                        "TRB to noop at offset 0x%llx",
                                        (unsigned long long)
                                        xhci_trb_virt_to_dma(cur_seg, cur_trb));
                }
                if (cur_trb == cur_td->last_trb)
                        break;
        }
}

static int queue_set_tr_deq(struct xhci_hcd *xhci, int slot_id,
                unsigned int ep_index, unsigned int stream_id,
                struct xhci_segment *deq_seg,
                union xhci_trb *deq_ptr, u32 cycle_state);

void xhci_queue_new_dequeue_state(struct xhci_hcd *xhci,
                unsigned int slot_id, unsigned int ep_index,
                unsigned int stream_id,
                struct xhci_dequeue_state *deq_state)
{
        struct xhci_virt_ep *ep = &xhci->devs[slot_id]->eps[ep_index];

        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "Set TR Deq Ptr cmd, new deq seg = %p (0x%llx dma), "
                        "new deq ptr = %p (0x%llx dma), new cycle = %u",
                        deq_state->new_deq_seg,
                        (unsigned long long)deq_state->new_deq_seg->dma,
                        deq_state->new_deq_ptr,
                        (unsigned long long)xhci_trb_virt_to_dma(deq_state->new_deq_seg, deq_state->new_deq_ptr),
                        deq_state->new_cycle_state);
        queue_set_tr_deq(xhci, slot_id, ep_index, stream_id,
                        deq_state->new_deq_seg,
                        deq_state->new_deq_ptr,
                        (u32) deq_state->new_cycle_state);
        /* Stop the TD queueing code from ringing the doorbell until
         * this command completes.  The HC won't set the dequeue pointer
         * if the ring is running, and ringing the doorbell starts the
         * ring running.
         */
        ep->ep_state |= SET_DEQ_PENDING;
}

static void xhci_stop_watchdog_timer_in_irq(struct xhci_hcd *xhci,
                struct xhci_virt_ep *ep)
{
        ep->ep_state &= ~EP_HALT_PENDING;
        /* Can't del_timer_sync in interrupt, so we attempt to cancel.  If the
         * timer is running on another CPU, we don't decrement stop_cmds_pending
         * (since we didn't successfully stop the watchdog timer).
         */
        if (del_timer(&ep->stop_cmd_timer))
                ep->stop_cmds_pending--;
}

/* Must be called with xhci->lock held in interrupt context */
static void xhci_giveback_urb_in_irq(struct xhci_hcd *xhci,
                struct xhci_td *cur_td, int status)
{
        struct usb_hcd *hcd;
        struct urb      *urb;
        struct urb_priv *urb_priv;

        urb = cur_td->urb;
        urb_priv = urb->hcpriv;
        urb_priv->td_cnt++;
        hcd = bus_to_hcd(urb->dev->bus);

        /* Only giveback urb when this is the last td in urb */
        if (urb_priv->td_cnt == urb_priv->length) {
                if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) {
                        xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs--;
                        if (xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs == 0) {
                                if (xhci->quirks & XHCI_AMD_PLL_FIX)
                                        usb_amd_quirk_pll_enable();
                        }
                }
                usb_hcd_unlink_urb_from_ep(hcd, urb);

                spin_unlock(&xhci->lock);
                usb_hcd_giveback_urb(hcd, urb, status);
                xhci_urb_free_priv(xhci, urb_priv);
                spin_lock(&xhci->lock);
        }
}

/*
 * When we get a command completion for a Stop Endpoint Command, we need to
 * unlink any cancelled TDs from the ring.  There are two ways to do that:
 *
 *  1. If the HW was in the middle of processing the TD that needs to be
 *     cancelled, then we must move the ring's dequeue pointer past the last TRB
 *     in the TD with a Set Dequeue Pointer Command.
 *  2. Otherwise, we turn all the TRBs in the TD into No-op TRBs (with the chain
 *     bit cleared) so that the HW will skip over them.
 */
static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id,
                union xhci_trb *trb, struct xhci_event_cmd *event)
{
        unsigned int ep_index;
        struct xhci_virt_device *virt_dev;
        struct xhci_ring *ep_ring;
        struct xhci_virt_ep *ep;
        struct list_head *entry;
        struct xhci_td *cur_td = NULL;
        struct xhci_td *last_unlinked_td;

        struct xhci_dequeue_state deq_state;

        if (unlikely(TRB_TO_SUSPEND_PORT(le32_to_cpu(trb->generic.field[3])))) {
                virt_dev = xhci->devs[slot_id];
                if (virt_dev)
                        handle_cmd_in_cmd_wait_list(xhci, virt_dev,
                                event);
                else
                        xhci_warn(xhci, "Stop endpoint command "
                                "completion for disabled slot %u\n",
                                slot_id);
                return;
        }

        memset(&deq_state, 0, sizeof(deq_state));
        ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3]));
        ep = &xhci->devs[slot_id]->eps[ep_index];

        if (list_empty(&ep->cancelled_td_list)) {
                xhci_stop_watchdog_timer_in_irq(xhci, ep);
                ep->stopped_td = NULL;
                ep->stopped_trb = NULL;
                ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
                return;
        }

        /* Fix up the ep ring first, so HW stops executing cancelled TDs.
         * We have the xHCI lock, so nothing can modify this list until we drop
         * it.  We're also in the event handler, so we can't get re-interrupted
         * if another Stop Endpoint command completes
         */
        list_for_each(entry, &ep->cancelled_td_list) {
                cur_td = list_entry(entry, struct xhci_td, cancelled_td_list);
                xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                "Removing canceled TD starting at 0x%llx (dma).",
                                (unsigned long long)xhci_trb_virt_to_dma(
                                        cur_td->start_seg, cur_td->first_trb));
                ep_ring = xhci_urb_to_transfer_ring(xhci, cur_td->urb);
                if (!ep_ring) {
                        /* This shouldn't happen unless a driver is mucking
                         * with the stream ID after submission.  This will
                         * leave the TD on the hardware ring, and the hardware
                         * will try to execute it, and may access a buffer
                         * that has already been freed.  In the best case, the
                         * hardware will execute it, and the event handler will
                         * ignore the completion event for that TD, since it was
                         * removed from the td_list for that endpoint.  In
                         * short, don't muck with the stream ID after
                         * submission.
                         */
                        xhci_warn(xhci, "WARN Cancelled URB %p "
                                        "has invalid stream ID %u.\n",
                                        cur_td->urb,
                                        cur_td->urb->stream_id);
                        goto remove_finished_td;
                }
                /*
                 * If we stopped on the TD we need to cancel, then we have to
                 * move the xHC endpoint ring dequeue pointer past this TD.
                 */
                if (cur_td == ep->stopped_td)
                        xhci_find_new_dequeue_state(xhci, slot_id, ep_index,
                                        cur_td->urb->stream_id,
                                        cur_td, &deq_state);
                else
                        td_to_noop(xhci, ep_ring, cur_td, false);
remove_finished_td:
                /*
                 * The event handler won't see a completion for this TD anymore,
                 * so remove it from the endpoint ring's TD list.  Keep it in
                 * the cancelled TD list for URB completion later.
                 */
                list_del_init(&cur_td->td_list);
        }
        last_unlinked_td = cur_td;
        xhci_stop_watchdog_timer_in_irq(xhci, ep);

        /* If necessary, queue a Set Transfer Ring Dequeue Pointer command */
        if (deq_state.new_deq_ptr && deq_state.new_deq_seg) {
                xhci_queue_new_dequeue_state(xhci,
                                slot_id, ep_index,
                                ep->stopped_td->urb->stream_id,
                                &deq_state);
                xhci_ring_cmd_db(xhci);
        } else {
                /* Otherwise ring the doorbell(s) to restart queued transfers */
                ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
        }

        /* Clear stopped_td and stopped_trb if endpoint is not halted */
        if (!(ep->ep_state & EP_HALTED)) {
                ep->stopped_td = NULL;
                ep->stopped_trb = NULL;
        }

        /*
         * Drop the lock and complete the URBs in the cancelled TD list.
         * New TDs to be cancelled might be added to the end of the list before
         * we can complete all the URBs for the TDs we already unlinked.
         * So stop when we've completed the URB for the last TD we unlinked.
         */
        do {
                cur_td = list_entry(ep->cancelled_td_list.next,
                                struct xhci_td, cancelled_td_list);
                list_del_init(&cur_td->cancelled_td_list);

                /* Clean up the cancelled URB */
                /* Doesn't matter what we pass for status, since the core will
                 * just overwrite it (because the URB has been unlinked).
                 */
                xhci_giveback_urb_in_irq(xhci, cur_td, 0);

                /* Stop processing the cancelled list if the watchdog timer is
                 * running.
                 */
                if (xhci->xhc_state & XHCI_STATE_DYING)
                        return;
        } while (cur_td != last_unlinked_td);

        /* Return to the event handler with xhci->lock re-acquired */
}

/* Watchdog timer function for when a stop endpoint command fails to complete.
 * In this case, we assume the host controller is broken or dying or dead.  The
 * host may still be completing some other events, so we have to be careful to
 * let the event ring handler and the URB dequeueing/enqueueing functions know
 * through xhci->state.
 *
 * The timer may also fire if the host takes a very long time to respond to the
 * command, and the stop endpoint command completion handler cannot delete the
 * timer before the timer function is called.  Another endpoint cancellation may
 * sneak in before the timer function can grab the lock, and that may queue
 * another stop endpoint command and add the timer back.  So we cannot use a
 * simple flag to say whether there is a pending stop endpoint command for a
 * particular endpoint.
 *
 * Instead we use a combination of that flag and a counter for the number of
 * pending stop endpoint commands.  If the timer is the tail end of the last
 * stop endpoint command, and the endpoint's command is still pending, we assume
 * the host is dying.
 */
void xhci_stop_endpoint_command_watchdog(unsigned long arg)
{
        struct xhci_hcd *xhci;
        struct xhci_virt_ep *ep;
        struct xhci_virt_ep *temp_ep;
        struct xhci_ring *ring;
        struct xhci_td *cur_td;
        int ret, i, j;
        unsigned long flags;

        ep = (struct xhci_virt_ep *) arg;
        xhci = ep->xhci;

        spin_lock_irqsave(&xhci->lock, flags);

        ep->stop_cmds_pending--;
        if (xhci->xhc_state & XHCI_STATE_DYING) {
                xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                "Stop EP timer ran, but another timer marked "
                                "xHCI as DYING, exiting.");
                spin_unlock_irqrestore(&xhci->lock, flags);
                return;
        }
        if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) {
                xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                "Stop EP timer ran, but no command pending, "
                                "exiting.");
                spin_unlock_irqrestore(&xhci->lock, flags);
                return;
        }

        xhci_warn(xhci, "xHCI host not responding to stop endpoint command.\n");
        xhci_warn(xhci, "Assuming host is dying, halting host.\n");
        /* Oops, HC is dead or dying or at least not responding to the stop
         * endpoint command.
         */
        xhci->xhc_state |= XHCI_STATE_DYING;
        /* Disable interrupts from the host controller and start halting it */
        xhci_quiesce(xhci);
        spin_unlock_irqrestore(&xhci->lock, flags);

        ret = xhci_halt(xhci);

        spin_lock_irqsave(&xhci->lock, flags);
        if (ret < 0) {
                /* This is bad; the host is not responding to commands and it's
                 * not allowing itself to be halted.  At least interrupts are
                 * disabled. If we call usb_hc_died(), it will attempt to
                 * disconnect all device drivers under this host.  Those
                 * disconnect() methods will wait for all URBs to be unlinked,
                 * so we must complete them.
                 */
                xhci_warn(xhci, "Non-responsive xHCI host is not halting.\n");
                xhci_warn(xhci, "Completing active URBs anyway.\n");
                /* We could turn all TDs on the rings to no-ops.  This won't
                 * help if the host has cached part of the ring, and is slow if
                 * we want to preserve the cycle bit.  Skip it and hope the host
                 * doesn't touch the memory.
                 */
        }
        for (i = 0; i < MAX_HC_SLOTS; i++) {
                if (!xhci->devs[i])
                        continue;
                for (j = 0; j < 31; j++) {
                        temp_ep = &xhci->devs[i]->eps[j];
                        ring = temp_ep->ring;
                        if (!ring)
                                continue;
                        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                        "Killing URBs for slot ID %u, "
                                        "ep index %u", i, j);
                        while (!list_empty(&ring->td_list)) {
                                cur_td = list_first_entry(&ring->td_list,
                                                struct xhci_td,
                                                td_list);
                                list_del_init(&cur_td->td_list);
                                if (!list_empty(&cur_td->cancelled_td_list))
                                        list_del_init(&cur_td->cancelled_td_list);
                                xhci_giveback_urb_in_irq(xhci, cur_td,
                                                -ESHUTDOWN);
                        }

                        while (!list_empty(&temp_ep->cancelled_td_list)) {
                                cur_td = list_first_entry(
                                                &temp_ep->cancelled_td_list,
                                                struct xhci_td,
                                                cancelled_td_list);
                                list_del_init(&cur_td->cancelled_td_list);
                                xhci_giveback_urb_in_irq(xhci, cur_td,
                                                -ESHUTDOWN);
                        }
                }
        }
        spin_unlock_irqrestore(&xhci->lock, flags);
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "Calling usb_hc_died()");
        usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "xHCI host controller is dead.");
}


static void update_ring_for_set_deq_completion(struct xhci_hcd *xhci,
                struct xhci_virt_device *dev,
                struct xhci_ring *ep_ring,
                unsigned int ep_index)
{
        union xhci_trb *dequeue_temp;
        int num_trbs_free_temp;
        bool revert = false;

        num_trbs_free_temp = ep_ring->num_trbs_free;
        dequeue_temp = ep_ring->dequeue;

        /* If we get two back-to-back stalls, and the first stalled transfer
         * ends just before a link TRB, the dequeue pointer will be left on
         * the link TRB by the code in the while loop.  So we have to update
         * the dequeue pointer one segment further, or we'll jump off
         * the segment into la-la-land.
         */
        if (last_trb(xhci, ep_ring, ep_ring->deq_seg, ep_ring->dequeue)) {
                ep_ring->deq_seg = ep_ring->deq_seg->next;
                ep_ring->dequeue = ep_ring->deq_seg->trbs;
        }

        while (ep_ring->dequeue != dev->eps[ep_index].queued_deq_ptr) {
                /* We have more usable TRBs */
                ep_ring->num_trbs_free++;
                ep_ring->dequeue++;
                if (last_trb(xhci, ep_ring, ep_ring->deq_seg,
                                ep_ring->dequeue)) {
                        if (ep_ring->dequeue ==
                                        dev->eps[ep_index].queued_deq_ptr)
                                break;
                        ep_ring->deq_seg = ep_ring->deq_seg->next;
                        ep_ring->dequeue = ep_ring->deq_seg->trbs;
                }
                if (ep_ring->dequeue == dequeue_temp) {
                        revert = true;
                        break;
                }
        }

        if (revert) {
                xhci_dbg(xhci, "Unable to find new dequeue pointer\n");
                ep_ring->num_trbs_free = num_trbs_free_temp;
        }
}

/*
 * When we get a completion for a Set Transfer Ring Dequeue Pointer command,
 * we need to clear the set deq pending flag in the endpoint ring state, so that
 * the TD queueing code can ring the doorbell again.  We also need to ring the
 * endpoint doorbell to restart the ring, but only if there aren't more
 * cancellations pending.
 */
static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id,
                union xhci_trb *trb, u32 cmd_comp_code)
{
        unsigned int ep_index;
        unsigned int stream_id;
        struct xhci_ring *ep_ring;
        struct xhci_virt_device *dev;
        struct xhci_ep_ctx *ep_ctx;
        struct xhci_slot_ctx *slot_ctx;

        ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3]));
        stream_id = TRB_TO_STREAM_ID(le32_to_cpu(trb->generic.field[2]));
        dev = xhci->devs[slot_id];

        ep_ring = xhci_stream_id_to_ring(dev, ep_index, stream_id);
        if (!ep_ring) {
                xhci_warn(xhci, "WARN Set TR deq ptr command for "
                                "freed stream ID %u\n",
                                stream_id);
                /* XXX: Harmless??? */
                dev->eps[ep_index].ep_state &= ~SET_DEQ_PENDING;
                return;
        }

        ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index);
        slot_ctx = xhci_get_slot_ctx(xhci, dev->out_ctx);

        if (cmd_comp_code != COMP_SUCCESS) {
                unsigned int ep_state;
                unsigned int slot_state;

                switch (cmd_comp_code) {
                case COMP_TRB_ERR:
                        xhci_warn(xhci, "WARN Set TR Deq Ptr cmd invalid because "
                                        "of stream ID configuration\n");
                        break;
                case COMP_CTX_STATE:
                        xhci_warn(xhci, "WARN Set TR Deq Ptr cmd failed due "
                                        "to incorrect slot or ep state.\n");
                        ep_state = le32_to_cpu(ep_ctx->ep_info);
                        ep_state &= EP_STATE_MASK;
                        slot_state = le32_to_cpu(slot_ctx->dev_state);
                        slot_state = GET_SLOT_STATE(slot_state);
                        xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                                        "Slot state = %u, EP state = %u",
                                        slot_state, ep_state);
                        break;
                case COMP_EBADSLT:
                        xhci_warn(xhci, "WARN Set TR Deq Ptr cmd failed because "
                                        "slot %u was not enabled.\n", slot_id);
                        break;
                default:
                        xhci_warn(xhci, "WARN Set TR Deq Ptr cmd with unknown "
                                        "completion code of %u.\n",
                                  cmd_comp_code);
                        break;
                }
                /* OK what do we do now?  The endpoint state is hosed, and we
                 * should never get to this point if the synchronization between
                 * queueing, and endpoint state are correct.  This might happen
                 * if the device gets disconnected after we've finished
                 * cancelling URBs, which might not be an error...
                 */
        } else {
                xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
                        "Successful Set TR Deq Ptr cmd, deq = @%08llx",
                         le64_to_cpu(ep_ctx->deq));
                if (xhci_trb_virt_to_dma(dev->eps[ep_index].queued_deq_seg,
                                         dev->eps[ep_index].queued_deq_ptr) ==
                    (le64_to_cpu(ep_ctx->deq) & ~(EP_CTX_CYCLE_MASK))) {
                        /* Update the ring's dequeue segment and dequeue pointer
                         * to reflect the new position.
                         */
                        update_ring_for_set_deq_completion(xhci, dev,
                                ep_ring, ep_index);
                } else {
                        xhci_warn(xhci, "Mismatch between completed Set TR Deq "
                                        "Ptr command & xHCI internal state.\n");
                        xhci_warn(xhci, "ep deq seg = %p, deq ptr = %p\n",
                                        dev->eps[ep_index].queued_deq_seg,
                                        dev->eps[ep_index].queued_deq_ptr);
                }
        }

        dev->eps[ep_index].ep_state &= ~SET_DEQ_PENDING;
        dev->eps[ep_index].queued_deq_seg = NULL;
        dev->eps[ep_index].queued_deq_ptr = NULL;
        /* Restart any rings with pending URBs */
        ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
}

static void xhci_handle_cmd_reset_ep(struct xhci_hcd *xhci, int slot_id,
                union xhci_trb *trb, u32 cmd_comp_code)
{
        unsigned int ep_index;

        ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3]));
        /* This command will only fail if the endpoint wasn't halted,
         * but we don't care.
         */
        xhci_dbg_trace(xhci, trace_xhci_dbg_reset_ep,
                "Ignoring reset ep completion code of %u", cmd_comp_code);

        /* HW with the reset endpoint quirk needs to have a configure endpoint
         * command complete before the endpoint can be used.  Queue that here
         * because the HW can't handle two commands being queued in a row.
         */
        if (xhci->quirks & XHCI_RESET_EP_QUIRK) {
                xhci_dbg_trace(xhci, trace_xhci_dbg_quirks,
                                "Queueing configure endpoint command");
                xhci_queue_configure_endpoint(xhci,
                                xhci->devs[slot_id]->in_ctx->dma, slot_id,
                                false);
                xhci_ring_cmd_db(xhci);
        } else {
                /* Clear our internal halted state and restart the ring(s) */
                xhci->devs[slot_id]->eps[ep_index].ep_state &= ~EP_HALTED;
                ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
        }
}

/* Complete the command and detele it from the devcie's command queue.
 */
static void xhci_complete_cmd_in_cmd_wait_list(struct xhci_hcd *xhci,
                struct xhci_command *command, u32 status)
{
        command->status = status;
        list_del(&command->cmd_list);
        if (command->completion)
                complete(command->completion);
        else
                xhci_free_command(xhci, command);
}


/* Check to see if a command in the device's command queue matches this one.
 * Signal the completion or free the command, and return 1.  Return 0 if the
 * completed command isn't at the head of the command list.
 */
static int handle_cmd_in_cmd_wait_list(struct xhci_hcd *xhci,
                struct xhci_virt_device *virt_dev,
                struct xhci_event_cmd *event)
{
        struct xhci_command *command;

        if (list_empty(&virt_dev->cmd_list))
                return 0;

        command = list_entry(virt_dev->cmd_list.next,
                        struct xhci_command, cmd_list);
        if (xhci->cmd_ring->dequeue != command->command_trb)
                return 0;

        xhci_complete_cmd_in_cmd_wait_list(xhci, command,
                        GET_COMP_CODE(le32_to_cpu(event->status)));
        return 1;
}

/*
 * Finding the command trb need to be cancelled and modifying it to
 * NO OP command. And if the command is in device's command wait
 * list, finishing and freeing it.
 *
 * If we can't find the command trb, we think it had already been
 * executed.
 */
static void xhci_cmd_to_noop(struct xhci_hcd *xhci, struct xhci_cd *cur_cd)
{
        struct xhci_segment *cur_seg;
        union xhci_trb *cmd_trb;
        u32 cycle_state;

        if (xhci->cmd_ring->dequeue == xhci->cmd_ring->enqueue)
                return;

        /* find the current segment of command ring */
        cur_seg = find_trb_seg(xhci->cmd_ring->first_seg,
                        xhci->cmd_ring->dequeue, &cycle_state);

        if (!cur_seg) {
                xhci_warn(xhci, "Command ring mismatch, dequeue = %p %llx (dma)\n",
                                xhci->cmd_ring->dequeue,
                                (unsigned long long)
                                xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
                                        xhci->cmd_ring->dequeue));
                xhci_debug_ring(xhci, xhci->cmd_ring);
                xhci_dbg_ring_ptrs(xhci, xhci->cmd_ring);
                return;
        }

        /* find the command trb matched by cd from command ring */
        for (cmd_trb = xhci->cmd_ring->dequeue;
                        cmd_trb != xhci->cmd_ring->enqueue;
                        next_trb(xhci, xhci->cmd_ring, &cur_seg, &cmd_trb)) {
                /* If the trb is link trb, continue */
                if (TRB_TYPE_LINK_LE32(cmd_trb->generic.field[3]))
                        continue;

                if (cur_cd->cmd_trb == cmd_trb) {

                        /* If the command in device's command list, we should
                         * finish it and free the command structure.
                         */
                        if (cur_cd->command)
                                xhci_complete_cmd_in_cmd_wait_list(xhci,
                                        cur_cd->command, COMP_CMD_STOP);

                        /* get cycle state from the origin command trb */
                        cycle_state = le32_to_cpu(cmd_trb->generic.field[3])
                                & TRB_CYCLE;

                        /* modify the command trb to NO OP command */
                        cmd_trb->generic.field[0] = 0;
                        cmd_trb->generic.field[1] = 0;
                        cmd_trb->generic.field[2] = 0;
                        cmd_trb->generic.field[3] = cpu_to_le32(
                                        TRB_TYPE(TRB_CMD_NOOP) | cycle_state);
                        break;
                }
        }
}

static void xhci_cancel_cmd_in_cd_list(struct xhci_hcd *xhci)
{
        struct xhci_cd *cur_cd, *next_cd;

        if (list_empty(&xhci->cancel_cmd_list))
                return;

        list_for_each_entry_safe(cur_cd, next_cd,
                        &xhci->cancel_cmd_list, cancel_cmd_list) {
                xhci_cmd_to_noop(xhci, cur_cd);
                list_del(&cur_cd->cancel_cmd_list);
                kfree(cur_cd);
        }
}

/*
 * traversing the cancel_cmd_list. If the command descriptor according
 * to cmd_trb is found, the function free it and return 1, otherwise
 * return 0.
 */
static int xhci_search_cmd_trb_in_cd_list(struct xhci_hcd *xhci,
                union xhci_trb *cmd_trb)
{
        struct xhci_cd *cur_cd, *next_cd;

        if (list_empty(&xhci->cancel_cmd_list))
                return 0;

        list_for_each_entry_safe(cur_cd, next_cd,
                        &xhci->cancel_cmd_list, cancel_cmd_list) {
                if (cur_cd->cmd_trb == cmd_trb) {
                        if (cur_cd->command)
                                xhci_complete_cmd_in_cmd_wait_list(xhci,
                                        cur_cd->command, COMP_CMD_STOP);
                        list_del(&cur_cd->cancel_cmd_list);
                        kfree(cur_cd);
                        return 1;
                }
        }

        return 0;
}

/*
 * If the cmd_trb_comp_code is COMP_CMD_ABORT, we just check whether the
 * trb pointed by the command ring dequeue pointer is the trb we want to
 * cancel or not. And if the cmd_trb_comp_code is COMP_CMD_STOP, we will
 * traverse the cancel_cmd_list to trun the all of the commands according
 * to command descriptor to NO-OP trb.
 */
static int handle_stopped_cmd_ring(struct xhci_hcd *xhci,
                int cmd_trb_comp_code)
{
        int cur_trb_is_good = 0;

        /* Searching the cmd trb pointed by the command ring dequeue
         * pointer in command descriptor list. If it is found, free it.
         */
        cur_trb_is_good = xhci_search_cmd_trb_in_cd_list(xhci,
                        xhci->cmd_ring->dequeue);

        if (cmd_trb_comp_code == COMP_CMD_ABORT)
                xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
        else if (cmd_trb_comp_code == COMP_CMD_STOP) {
                /* traversing the cancel_cmd_list and canceling
                 * the command according to command descriptor
                 */
                xhci_cancel_cmd_in_cd_list(xhci);

                xhci->cmd_ring_state = CMD_RING_STATE_RUNNING;
                /*
                 * ring command ring doorbell again to restart the
                 * command ring
                 */
                if (xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue)
                        xhci_ring_cmd_db(xhci);
        }
        return cur_trb_is_good;
}

static void xhci_handle_cmd_enable_slot(struct xhci_hcd *xhci, int slot_id,
                u32 cmd_comp_code)
{
        if (cmd_comp_code == COMP_SUCCESS)
                xhci->slot_id = slot_id;
        else
                xhci->slot_id = 0;
        complete(&xhci->addr_dev);
}

static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id)
{
        struct xhci_virt_device *virt_dev;

        virt_dev = xhci->devs[slot_id];
        if (!virt_dev)
                return;
        if (xhci->quirks & XHCI_EP_LIMIT_QUIRK)
                /* Delete default control endpoint resources */
                xhci_free_device_endpoint_resources(xhci, virt_dev, true);
        xhci_free_virt_device(xhci, slot_id);
}

static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id,
                struct xhci_event_cmd *event, u32 cmd_comp_code)
{
        struct xhci_virt_device *virt_dev;
        struct xhci_input_control_ctx *ctrl_ctx;
        unsigned int ep_index;
        unsigned int ep_state;
        u32 add_flags, drop_flags;

        virt_dev = xhci->devs[slot_id];
        if (handle_cmd_in_cmd_wait_list(xhci, virt_dev, event))
                return;
        /*
         * Configure endpoint commands can come from the USB core
         * configuration or alt setting changes, or because the HW
         * needed an extra configure endpoint command after a reset
         * endpoint command or streams were being configured.
         * If the command was for a halted endpoint, the xHCI driver
         * is not waiting on the configure endpoint command.
         */
        ctrl_ctx = xhci_get_input_control_ctx(xhci, virt_dev->in_ctx);
        if (!ctrl_ctx) {
                xhci_warn(xhci, "Could not get input context, bad type.\n");
                return;
        }

        add_flags = le32_to_cpu(ctrl_ctx->add_flags);
        drop_flags = le32_to_cpu(ctrl_ctx->drop_flags);
        /* Input ctx add_flags are the endpoint index plus one */
        ep_index = xhci_last_valid_endpoint(add_flags) - 1;

        /* A usb_set_interface() call directly after clearing a halted
         * condition may race on this quirky hardware.  Not worth
         * worrying about, since this is prototype hardware.  Not sure
         * if this will work for streams, but streams support was
         * untested on this prototype.
         */
        if (xhci->quirks & XHCI_RESET_EP_QUIRK &&
                        ep_index != (unsigned int) -1 &&
                        add_flags - SLOT_FLAG == drop_flags) {
                ep_state = virt_dev->eps[ep_index].ep_state;
                if (!(ep_state & EP_HALTED))
                        goto bandwidth_change;
                xhci_dbg_trace(xhci, trace_xhci_dbg_quirks,
                                "Completed config ep cmd - "
                                "last ep index = %d, state = %d",
                                ep_index, ep_state);
                /* Clear internal halted state and restart ring(s) */
                virt_dev->eps[ep_index].ep_state &= ~EP_HALTED;
                ring_doorbell_for_active_rings(xhci, slot_id, ep_index);
                return;
        }
bandwidth_change:
        xhci_dbg_trace(xhci,  trace_xhci_dbg_context_change,
                        "Completed config ep cmd");
        virt_dev->cmd_status = cmd_comp_code;
        complete(&virt_dev->cmd_completion);
        return;
}

static void xhci_handle_cmd_eval_ctx(struct xhci_hcd *xhci, int slot_id,
                struct xhci_event_cmd *event, u32 cmd_comp_code)
{
        struct xhci_virt_device *virt_dev;

        virt_dev = xhci->devs[slot_id];
        if (handle_cmd_in_cmd_wait_list(xhci, virt_dev, event))
                return;
        virt_dev->cmd_status = cmd_comp_code;
        complete(&virt_dev->cmd_completion);
}

static void xhci_handle_cmd_addr_dev(struct xhci_hcd *xhci, int slot_id,
                u32 cmd_comp_code)
{
        xhci->devs[slot_id]->cmd_status = cmd_comp_code;
        complete(&xhci->addr_dev);
}

static void xhci_handle_cmd_reset_dev(struct xhci_hcd *xhci, int slot_id,
                struct xhci_event_cmd *event)
{
        struct xhci_virt_device *virt_dev;

        xhci_dbg(xhci, "Completed reset device command.\n");
        virt_dev = xhci->devs[slot_id];
        if (virt_dev)
                handle_cmd_in_cmd_wait_list(xhci, virt_dev, event);
        else
                xhci_warn(xhci, "Reset device command completion "
                                "for disabled slot %u\n", slot_id);
}

static void xhci_handle_cmd_nec_get_fw(struct xhci_hcd *xhci,
                struct xhci_event_cmd *event)
{
        if (!(xhci->quirks & XHCI_NEC_HOST)) {
                xhci->error_bitmask |= 1 << 6;
                return;
        }
        xhci_dbg_trace(xhci, trace_xhci_dbg_quirks,
                        "NEC firmware version %2x.%02x",
                        NEC_FW_MAJOR(le32_to_cpu(event->status)),
                        NEC_FW_MINOR(le32_to_cpu(event->status)));
}

static void handle_cmd_completion(struct xhci_hcd *xhci,
                struct xhci_event_cmd *event)
{
        int slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
        u64 cmd_dma;
        dma_addr_t cmd_dequeue_dma;
        u32 cmd_comp_code;
        union xhci_trb *cmd_trb;
        u32 cmd_type;

        cmd_dma = le64_to_cpu(event->cmd_trb);
        cmd_trb = xhci->cmd_ring->dequeue;
        cmd_dequeue_dma = xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
                        cmd_trb);
        /* Is the command ring deq ptr out of sync with the deq seg ptr? */
        if (cmd_dequeue_dma == 0) {
                xhci->error_bitmask |= 1 << 4;
                return;
        }
        /* Does the DMA address match our internal dequeue pointer address? */
        if (cmd_dma != (u64) cmd_dequeue_dma) {
                xhci->error_bitmask |= 1 << 5;
                return;
        }

        trace_xhci_cmd_completion(cmd_trb, (struct xhci_generic_trb *) event);

        cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status));
        if (cmd_comp_code == COMP_CMD_ABORT || cmd_comp_code == COMP_CMD_STOP) {
                /* If the return value is 0, we think the trb pointed by
                 * command ring dequeue pointer is a good trb. The good
                 * trb means we don't want to cancel the trb, but it have
                 * been stopped by host. So we should handle it normally.
                 * Otherwise, driver should invoke inc_deq() and return.
                 */
                if (handle_stopped_cmd_ring(xhci, cmd_comp_code)) {
                        inc_deq(xhci, xhci->cmd_ring);
                        return;
                }
                /* There is no command to handle if we get a stop event when the
                 * command ring is empty, event->cmd_trb points to the next
                 * unset command
                 */
                if (xhci->cmd_ring->dequeue == xhci->cmd_ring->enqueue)
                        return;
        }

        cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3]));
        switch (cmd_type) {
        case TRB_ENABLE_SLOT:
                xhci_handle_cmd_enable_slot(xhci, slot_id, cmd_comp_code);
                break;
        case TRB_DISABLE_SLOT:
                xhci_handle_cmd_disable_slot(xhci, slot_id);
                break;
        case TRB_CONFIG_EP:
                xhci_handle_cmd_config_ep(xhci, slot_id, event, cmd_comp_code);
                break;
        case TRB_EVAL_CONTEXT:
                xhci_handle_cmd_eval_ctx(xhci, slot_id, event, cmd_comp_code);
                break;
        case TRB_ADDR_DEV:
                xhci_handle_cmd_addr_dev(xhci, slot_id, cmd_comp_code);
                break;
        case TRB_STOP_RING:
                WARN_ON(slot_id != TRB_TO_SLOT_ID(
                                le32_to_cpu(cmd_trb->generic.field[3])));
                xhci_handle_cmd_stop_ep(xhci, slot_id, cmd_trb, event);
                break;
        case TRB_SET_DEQ:
                WARN_ON(slot_id != TRB_TO_SLOT_ID(
                                le32_to_cpu(cmd_trb->generic.field[3])));
                xhci_handle_cmd_set_deq(xhci, slot_id, cmd_trb, cmd_comp_code);
                break;
        case TRB_CMD_NOOP:
                break;
        case TRB_RESET_EP:
                WARN_ON(slot_id != TRB_TO_SLOT_ID(
                                le32_to_cpu(cmd_trb->generic.field[3])));
                xhci_handle_cmd_reset_ep(xhci, slot_id, cmd_trb, cmd_comp_code);
                break;
        case TRB_RESET_DEV:
                WARN_ON(slot_id != TRB_TO_SLOT_ID(
                                le32_to_cpu(cmd_trb->generic.field[3])));
                xhci_handle_cmd_reset_dev(xhci, slot_id, event);
                break;
        case TRB_NEC_GET_FW:
                xhci_handle_cmd_nec_get_fw(xhci, event);
                break;
        default:
                /* Skip over unknown commands on the event ring */
                xhci->error_bitmask |= 1 << 6;
                break;
        }
        inc_deq(xhci, xhci->cmd_ring);
}

static void handle_vendor_event(struct xhci_hcd *xhci,
                union xhci_trb *event)
{
        u32 trb_type;

        trb_type = TRB_FIELD_TO_TYPE(le32_to_cpu(event->generic.field[3]));
        xhci_dbg(xhci, "Vendor specific event TRB type = %u\n", trb_type);
        if (trb_type == TRB_NEC_CMD_COMP && (xhci->quirks & XHCI_NEC_HOST))
                handle_cmd_completion(xhci, &event->event_cmd);
}

/* @port_id: the one-based port ID from the hardware (indexed from array of all
 * port registers -- USB 3.0 and USB 2.0).
 *
 * Returns a zero-based port number, which is suitable for indexing into each of
 * the split roothubs' port arrays and bus state arrays.
 * Add one to it in order to call xhci_find_slot_id_by_port.
 */
static unsigned int find_faked_portnum_from_hw_portnum(struct usb_hcd *hcd,
                struct xhci_hcd *xhci, u32 port_id)
{
        unsigned int i;
        unsigned int num_similar_speed_ports = 0;

        /* port_id from the hardware is 1-based, but port_array[], usb3_ports[],
         * and usb2_ports are 0-based indexes.  Count the number of similar
         * speed ports, up to 1 port before this port.
         */
        for (i = 0; i < (port_id - 1); i++) {
                u8 port_speed = xhci->port_array[i];

                /*
                 * Skip ports that don't have known speeds, or have duplicate
                 * Extended Capabilities port speed entries.
                 */
                if (port_speed == 0 || port_speed == DUPLICATE_ENTRY)
                        continue;

                /*
                 * USB 3.0 ports are always under a USB 3.0 hub.  USB 2.0 and
                 * 1.1 ports are under the USB 2.0 hub.  If the port speed
                 * matches the device speed, it's a similar speed port.
                 */
                if ((port_speed == 0x03) == (hcd->speed == HCD_USB3))
                        num_similar_speed_ports++;
        }
        return num_similar_speed_ports;
}

static void handle_device_notification(struct xhci_hcd *xhci,
                union xhci_trb *event)
{
        u32 slot_id;
        struct usb_device *udev;

        slot_id = TRB_TO_SLOT_ID(event->generic.field[3]);
        if (!xhci->devs[slot_id]) {
                xhci_warn(xhci, "Device Notification event for "
                                "unused slot %u\n", slot_id);
                return;
        }

        xhci_dbg(xhci, "Device Wake Notification event for slot ID %u\n",
                        slot_id);
        udev = xhci->devs[slot_id]->udev;
        if (udev && udev->parent)
                usb_wakeup_notification(udev->parent, udev->portnum);
}

static void handle_port_status(struct xhci_hcd *xhci,
                union xhci_trb *event)
{
        struct usb_hcd *hcd;
        u32 port_id;
        u32 temp, temp1;
        int max_ports;
        int slot_id;
        unsigned int faked_port_index;
        u8 major_revision;
        struct xhci_bus_state *bus_state;
        __le32 __iomem **port_array;
        bool bogus_port_status = false;

        /* Port status change events always have a successful completion code */
        if (GET_COMP_CODE(le32_to_cpu(event->generic.field[2])) != COMP_SUCCESS) {
                xhci_warn(xhci, "WARN: xHC returned failed port status event\n");
                xhci->error_bitmask |= 1 << 8;
        }
        port_id = GET_PORT_ID(le32_to_cpu(event->generic.field[0]));
        xhci_dbg(xhci, "Port Status Change Event for port %d\n", port_id);

        max_ports = HCS_MAX_PORTS(xhci->hcs_params1);
        if ((port_id <= 0) || (port_id > max_ports)) {
                xhci_warn(xhci, "Invalid port id %d\n", port_id);
                inc_deq(xhci, xhci->event_ring);
                return;
        }

        /* Figure out which usb_hcd this port is attached to:
         * is it a USB 3.0 port or a USB 2.0/1.1 port?
         */
        major_revision = xhci->port_array[port_id - 1];

        /* Find the right roothub. */
        hcd = xhci_to_hcd(xhci);
        if ((major_revision == 0x03) != (hcd->speed == HCD_USB3))
                hcd = xhci->shared_hcd;

        if (major_revision == 0) {
                xhci_warn(xhci, "Event for port %u not in "
                                "Extended Capabilities, ignoring.\n",
                                port_id);
                bogus_port_status = true;
                goto cleanup;
        }
        if (major_revision == DUPLICATE_ENTRY) {
                xhci_warn(xhci, "Event for port %u duplicated in"
                                "Extended Capabilities, ignoring.\n",
                                port_id);
                bogus_port_status = true;
                goto cleanup;
        }

        /*
         * Hardware port IDs reported by a Port Status Change Event include USB
         * 3.0 and USB 2.0 ports.  We want to check if the port has reported a
         * resume event, but we first need to translate the hardware port ID
         * into the index into the ports on the correct split roothub, and the
         * correct bus_state structure.
         */
        bus_state = &xhci->bus_state[hcd_index(hcd)];
        if (hcd->speed == HCD_USB3)
                port_array = xhci->usb3_ports;
        else
                port_array = xhci->usb2_ports;
        /* Find the faked port hub number */
        faked_port_index = find_faked_portnum_from_hw_portnum(hcd, xhci,
                        port_id);

        temp = xhci_readl(xhci, port_array[faked_port_index]);
        if (hcd->state == HC_STATE_SUSPENDED) {
                xhci_dbg(xhci, "resume root hub\n");
                usb_hcd_resume_root_hub(hcd);
        }

        if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) {
                xhci_dbg(xhci, "port resume event for port %d\n", port_id);

                temp1 = xhci_readl(xhci, &xhci->op_regs->command);
                if (!(temp1 & CMD_RUN)) {
                        xhci_warn(xhci, "xHC is not running.\n");
                        goto cleanup;
                }

                if (DEV_SUPERSPEED(temp)) {
                        xhci_dbg(xhci, "remote wake SS port %d\n", port_id);
                        /* Set a flag to say the port signaled remote wakeup,
                         * so we can tell the difference between the end of
                         * device and host initiated resume.
                         */
                        bus_state->port_remote_wakeup |= 1 << faked_port_index;
                        xhci_test_and_clear_bit(xhci, port_array,
                                        faked_port_index, PORT_PLC);
                        xhci_set_link_state(xhci, port_array, faked_port_index,
                                                XDEV_U0);
                        /* Need to wait until the next link state change
                         * indicates the device is actually in U0.
                         */
                        bogus_port_status = true;
                        goto cleanup;
                } else {
                        xhci_dbg(xhci, "resume HS port %d\n", port_id);
                        bus_state->resume_done[faked_port_index] = jiffies +
                                msecs_to_jiffies(20);
                        set_bit(faked_port_index, &bus_state->resuming_ports);
                        mod_timer(&hcd->rh_timer,
                                  bus_state->resume_done[faked_port_index]);
                        /* Do the rest in GetPortStatus */
                }
        }

        if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_U0 &&
                        DEV_SUPERSPEED(temp)) {
                xhci_dbg(xhci, "resume SS port %d finished\n", port_id);
                /* We've just brought the device into U0 through either the
                 * Resume state after a device remote wakeup, or through the
                 * U3Exit state after a host-initiated resume.  If it's a device
                 * initiated remote wake, don't pass up the link state change,
                 * so the roothub behavior is consistent with external
                 * USB 3.0 hub behavior.
                 */
                slot_id = xhci_find_slot_id_by_port(hcd, xhci,
                                faked_port_index + 1);
                if (slot_id && xhci->devs[slot_id])
                        xhci_ring_device(xhci, slot_id);
                if (bus_state->port_remote_wakeup & (1 << faked_port_index)) {
                        bus_state->port_remote_wakeup &=
                                ~(1 << faked_port_index);
                        xhci_test_and_clear_bit(xhci, port_array,
                                        faked_port_index, PORT_PLC);
                        usb_wakeup_notification(hcd->self.root_hub,
                                        faked_port_index + 1);
                        bogus_port_status = true;
                        goto cleanup;
                }
        }

        /*
         * Check to see if xhci-hub.c is waiting on RExit to U0 transition (or
         * RExit to a disconnect state).  If so, let the the driver know it's
         * out of the RExit state.
         */
        if (!DEV_SUPERSPEED(temp) &&
                        test_and_clear_bit(faked_port_index,
                                &bus_state->rexit_ports)) {
                complete(&bus_state->rexit_done[faked_port_index]);
                bogus_port_status = true;
                goto cleanup;
        }

        if (hcd->speed != HCD_USB3)
                xhci_test_and_clear_bit(xhci, port_array, faked_port_index,
                                        PORT_PLC);

cleanup:
        /* Update event ring dequeue pointer before dropping the lock */
        inc_deq(xhci, xhci->event_ring);

        /* Don't make the USB core poll the roothub if we got a bad port status
         * change event.  Besides, at that point we can't tell which roothub
         * (USB 2.0 or USB 3.0) to kick.
         */
        if (bogus_port_status)
                return;

        /*
         * xHCI port-status-change events occur when the "or" of all the
         * status-change bits in the portsc register changes from 0 to 1.
         * New status changes won't cause an event if any other change
         * bits are still set.  When an event occurs, switch over to
         * polling to avoid losing status changes.
         */
        xhci_dbg(xhci, "%s: starting port polling.\n", __func__);
        set_bit(HCD_FLAG_POLL_RH, &hcd->flags);
        spin_unlock(&xhci->lock);
        /* Pass this up to the core */
        usb_hcd_poll_rh_status(hcd);
        spin_lock(&xhci->lock);
}

/*
 * This TD is defined by the TRBs starting at start_trb in start_seg and ending
 * at end_trb, which may be in another segment.  If the suspect DMA address is a
 * TRB in this TD, this function returns that TRB's segment.  Otherwise it
 * returns 0.
 */
struct xhci_segment *trb_in_td(struct xhci_segment *start_seg,
                union xhci_trb  *start_trb,
                union xhci_trb  *end_trb,
                dma_addr_t      suspect_dma)
{
        dma_addr_t start_dma;
        dma_addr_t end_seg_dma;
        dma_addr_t end_trb_dma;
        struct xhci_segment *cur_seg;

        start_dma = xhci_trb_virt_to_dma(start_seg, start_trb);
        cur_seg = start_seg;

        do {
                if (start_dma == 0)
                        return NULL;
                /* We may get an event for a Link TRB in the middle of a TD */
                end_seg_dma = xhci_trb_virt_to_dma(cur_seg,
                                &cur_seg->trbs[TRBS_PER_SEGMENT - 1]);
                /* If the end TRB isn't in this segment, this is set to 0 */
                end_trb_dma = xhci_trb_virt_to_dma(cur_seg, end_trb);

                if (end_trb_dma > 0) {
                        /* The end TRB is in this segment, so suspect should be here */
                        if (start_dma <= end_trb_dma) {
                                if (suspect_dma >= start_dma && suspect_dma <= end_trb_dma)
                                        return cur_seg;
                        } else {
                                /* Case for one segment with
                                 * a TD wrapped around to the top
                                 */
                                if ((suspect_dma >= start_dma &&
                                                        suspect_dma <= end_seg_dma) ||
                                                (suspect_dma >= cur_seg->dma &&
                                                 suspect_dma <= end_trb_dma))
                                        return cur_seg;
                        }
                        return NULL;
                } else {
                        /* Might still be somewhere in this segment */
                        if (suspect_dma >= start_dma && suspect_dma <= end_seg_dma)
                                return cur_seg;
                }
                cur_seg = cur_seg->next;
                start_dma = xhci_trb_virt_to_dma(cur_seg, &cur_seg->trbs[0]);
        } while (cur_seg != start_seg);

        return NULL;
}

static void xhci_cleanup_halted_endpoint(struct xhci_hcd *xhci,
                unsigned int slot_id, unsigned int ep_index,
                unsigned int stream_id,
                struct xhci_td *td, union xhci_trb *event_trb)
{
        struct xhci_virt_ep *ep = &xhci->devs[slot_id]->eps[ep_index];
        ep->ep_state |= EP_HALTED;
        ep->stopped_td = td;
        ep->stopped_trb = event_trb;
        ep->stopped_stream = stream_id;

        xhci_queue_reset_ep(xhci, slot_id, ep_index);
        xhci_cleanup_stalled_ring(xhci, td->urb->dev, ep_index);

        ep->stopped_td = NULL;
        ep->stopped_trb = NULL;
        ep->stopped_stream = 0;

        xhci_ring_cmd_db(xhci);
}

/* Check if an error has halted the endpoint ring.  The class driver will
 * cleanup the halt for a non-default control endpoint if we indicate a stall.
 * However, a babble and other errors also halt the endpoint ring, and the class
 * driver won't clear the halt in that case, so we need to issue a Set Transfer
 * Ring Dequeue Pointer command manually.
 */
static int xhci_requires_manual_halt_cleanup(struct xhci_hcd *xhci,
                struct xhci_ep_ctx *ep_ctx,
                unsigned int trb_comp_code)
{
        /* TRB completion codes that may require a manual halt cleanup */
        if (trb_comp_code == COMP_TX_ERR ||
                        trb_comp_code == COMP_BABBLE ||
                        trb_comp_code == COMP_SPLIT_ERR)
                /* The 0.96 spec says a babbling control endpoint
                 * is not halted. The 0.96 spec says it is.  Some HW
                 * claims to be 0.95 compliant, but it halts the control
                 * endpoint anyway.  Check if a babble halted the
                 * endpoint.
                 */
                if ((ep_ctx->ep_info & cpu_to_le32(EP_STATE_MASK)) ==
                    cpu_to_le32(EP_STATE_HALTED))
                        return 1;

        return 0;
}

int xhci_is_vendor_info_code(struct xhci_hcd *xhci, unsigned int trb_comp_code)
{
        if (trb_comp_code >= 224 && trb_comp_code <= 255) {
                /* Vendor defined "informational" completion code,
                 * treat as not-an-error.
                 */
                xhci_dbg(xhci, "Vendor defined info completion code %u\n",
                                trb_comp_code);
                xhci_dbg(xhci, "Treating code as success.\n");
                return 1;
        }
        return 0;
}

/*
 * Finish the td processing, remove the td from td list;
 * Return 1 if the urb can be given back.
 */
static int finish_td(struct xhci_hcd *xhci, struct xhci_td *td,
        union xhci_trb *event_trb, struct xhci_transfer_event *event,
        struct xhci_virt_ep *ep, int *status, bool skip)
{
        struct xhci_virt_device *xdev;
        struct xhci_ring *ep_ring;
        unsigned int slot_id;
        int ep_index;
        struct urb *urb = NULL;
        struct xhci_ep_ctx *ep_ctx;
        int ret = 0;
        struct urb_priv *urb_priv;
        u32 trb_comp_code;

        slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
        xdev = xhci->devs[slot_id];
        ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1;
        ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer));
        ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index);
        trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len));

        if (skip)
                goto td_cleanup;

        if (trb_comp_code == COMP_STOP_INVAL ||
                        trb_comp_code == COMP_STOP) {

                /* The Endpoint Stop Command completion will take care of any
                 * stopped TDs.  A stopped TD may be restarted, so don't update
                 * the ring dequeue pointer or take this TD off any lists yet.
                 */
                ep->stopped_td = td;
                ep->stopped_trb = event_trb;
                return 0;
        } else {
                if (trb_comp_code == COMP_STALL) {
                        /* The transfer is completed from the driver's
                         * perspective, but we need to issue a set dequeue
                         * command for this stalled endpoint to move the dequeue
                         * pointer past the TD.  We can't do that here because
                         * the halt condition must be cleared first.  Let the
                         * USB class driver clear the stall later.
                         */
                        ep->stopped_td = td;
                        ep->stopped_trb = event_trb;
                        ep->stopped_stream = ep_ring->stream_id;
                } else if (xhci_requires_manual_halt_cleanup(xhci,
                                        ep_ctx, trb_comp_code)) {
                        /* Other types of errors halt the endpoint, but the
                         * class driver doesn't call usb_reset_endpoint() unless
                         * the error is -EPIPE.  Clear the halted status in the
                         * xHCI hardware manually.
                         */
                        xhci_cleanup_halted_endpoint(xhci,
                                        slot_id, ep_index, ep_ring->stream_id,
                                        td, event_trb);
                } else {
                        /* Update ring dequeue pointer */
                        while (ep_ring->dequeue != td->last_trb)
                                inc_deq(xhci, ep_ring);
                        inc_deq(xhci, ep_ring);
                }

td_cleanup:
                /* Clean up the endpoint's TD list */
                urb = td->urb;
                urb_priv = urb->hcpriv;

                /* Do one last check of the actual transfer length.
                 * If the host controller said we transferred more data than
                 * the buffer length, urb->actual_length will be a very big
                 * number (since it's unsigned).  Play it safe and say we didn't
                 * transfer anything.
                 */
                if (urb->actual_length > urb->transfer_buffer_length) {
                        xhci_warn(xhci, "URB transfer length is wrong, "
                                        "xHC issue? req. len = %u, "
                                        "act. len = %u\n",
                                        urb->transfer_buffer_length,
                                        urb->actual_length);
                        urb->actual_length = 0;
                        if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
                                *status = -EREMOTEIO;
                        else
                                *status = 0;
                }
                list_del_init(&td->td_list);
                /* Was this TD slated to be cancelled but completed anyway? */
                if (!list_empty(&td->cancelled_td_list))
                        list_del_init(&td->cancelled_td_list);

                urb_priv->td_cnt++;
                /* Giveback the urb when all the tds are completed */
                if (urb_priv->td_cnt == urb_priv->length) {
                        ret = 1;
                        if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) {
                                xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs--;
                                if (xhci_to_hcd(xhci)->self.bandwidth_isoc_reqs
                                        == 0) {
                                        if (xhci->quirks & XHCI_AMD_PLL_FIX)
                                                usb_amd_quirk_pll_enable();
                                }
                        }
                }
        }

        return ret;
}

/*
 * Process control tds, update urb status and actual_length.
 */
static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
        union xhci_trb *event_trb, struct xhci_transfer_event *event,
        struct xhci_virt_ep *ep, int *status)
{
        struct xhci_virt_device *xdev;
        struct xhci_ring *ep_ring;
        unsigned int slot_id;
        int ep_index;
        struct xhci_ep_ctx *ep_ctx;
        u32 trb_comp_code;

        slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
        xdev = xhci->devs[slot_id];
        ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1;
        ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer));
        ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index);
        trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len));

        switch (trb_comp_code) {
        case COMP_SUCCESS:
                if (event_trb == ep_ring->dequeue) {
                        xhci_warn(xhci, "WARN: Success on ctrl setup TRB "
                                        "without IOC set??\n");
                        *status = -ESHUTDOWN;
                } else if (event_trb != td->last_trb) {
                        xhci_warn(xhci, "WARN: Success on ctrl data TRB "
                                        "without IOC set??\n");
                        *status = -ESHUTDOWN;
                } else {
                        *status = 0;
                }
                break;
        case COMP_SHORT_TX:
                if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
                        *status = -EREMOTEIO;
                else
                        *status = 0;
                break;
        case COMP_STOP_INVAL:
        case COMP_STOP:
                return finish_td(xhci, td, event_trb, event, ep, status, false);
        default:
                if (!xhci_requires_manual_halt_cleanup(xhci,
                                        ep_ctx, trb_comp_code))
                        break;
                xhci_dbg(xhci, "TRB error code %u, "
                                "halted endpoint index = %u\n",
                                trb_comp_code, ep_index);
                /* else fall through */
        case COMP_STALL:
                /* Did we transfer part of the data (middle) phase? */
                if (event_trb != ep_ring->dequeue &&
                                event_trb != td->last_trb)
                        td->urb->actual_length =
                                td->urb->transfer_buffer_length -
                                EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
                else
                        td->urb->actual_length = 0;

                xhci_cleanup_halted_endpoint(xhci,
                        slot_id, ep_index, 0, td, event_trb);
                return finish_td(xhci, td, event_trb, event, ep, status, true);
        }
        /*
         * Did we transfer any data, despite the errors that might have
         * happened?  I.e. did we get past the setup stage?
         */
        if (event_trb != ep_ring->dequeue) {
                /* The event was for the status stage */
                if (event_trb == td->last_trb) {
                        if (td->urb->actual_length != 0) {
                                /* Don't overwrite a previously set error code
                                 */
                                if ((*status == -EINPROGRESS || *status == 0) &&
                                                (td->urb->transfer_flags
                                                 & URB_SHORT_NOT_OK))
                                        /* Did we already see a short data
                                         * stage? */
                                        *status = -EREMOTEIO;
                        } else {
                                td->urb->actual_length =
                                        td->urb->transfer_buffer_length;
                        }
                } else {
                /* Maybe the event was for the data stage? */
                        td->urb->actual_length =
                                td->urb->transfer_buffer_length -
                                EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
                        xhci_dbg(xhci, "Waiting for status "
                                        "stage event\n");
                        return 0;
                }
        }

        return finish_td(xhci, td, event_trb, event, ep, status, false);
}

/*
 * Process isochronous tds, update urb packet status and actual_length.
 */
static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_td *td,
        union xhci_trb *event_trb, struct xhci_transfer_event *event,
        struct xhci_virt_ep *ep, int *status)
{
        struct xhci_ring *ep_ring;
        struct urb_priv *urb_priv;
        int idx;
        int len = 0;
        union xhci_trb *cur_trb;
        struct xhci_segment *cur_seg;
        struct usb_iso_packet_descriptor *frame;
        u32 trb_comp_code;
        bool skip_td = false;

        ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer));
        trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len));
        urb_priv = td->urb->hcpriv;
        idx = urb_priv->td_cnt;
        frame = &td->urb->iso_frame_desc[idx];

        /* handle completion code */
        switch (trb_comp_code) {
        case COMP_SUCCESS:
                if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) {
                        frame->status = 0;
                        break;
                }
                if ((xhci->quirks & XHCI_TRUST_TX_LENGTH))
                        trb_comp_code = COMP_SHORT_TX;
        case COMP_SHORT_TX:
                frame->status = td->urb->transfer_flags & URB_SHORT_NOT_OK ?
                                -EREMOTEIO : 0;
                break;
        case COMP_BW_OVER:
                frame->status = -ECOMM;
                skip_td = true;
                break;
        case COMP_BUFF_OVER:
        case COMP_BABBLE:
                frame->status = -EOVERFLOW;
                skip_td = true;
                break;
        case COMP_DEV_ERR:
        case COMP_STALL:
        case COMP_TX_ERR:
                frame->status = -EPROTO;
                skip_td = true;
                break;
        case COMP_STOP:
        case COMP_STOP_INVAL:
                break;
        default:
                frame->status = -1;
                break;
        }

        if (trb_comp_code == COMP_SUCCESS || skip_td) {
                frame->actual_length = frame->length;
                td->urb->actual_length += frame->length;
        } else {
                for (cur_trb = ep_ring->dequeue,
                     cur_seg = ep_ring->deq_seg; cur_trb != event_trb;
                     next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) {
                        if (!TRB_TYPE_NOOP_LE32(cur_trb->generic.field[3]) &&
                            !TRB_TYPE_LINK_LE32(cur_trb->generic.field[3]))
                                len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2]));
                }
                len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) -
                        EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));

                if (trb_comp_code != COMP_STOP_INVAL) {
                        frame->actual_length = len;
                        td->urb->actual_length += len;
                }
        }

        return finish_td(xhci, td, event_trb, event, ep, status, false);
}

static int skip_isoc_td(struct xhci_hcd *xhci, struct xhci_td *td,
                        struct xhci_transfer_event *event,
                        struct xhci_virt_ep *ep, int *status)
{
        struct xhci_ring *ep_ring;
        struct urb_priv *urb_priv;
        struct usb_iso_packet_descriptor *frame;
        int idx;

        ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer));
        urb_priv = td->urb->hcpriv;
        idx = urb_priv->td_cnt;
        frame = &td->urb->iso_frame_desc[idx];

        /* The transfer is partly done. */
        frame->status = -EXDEV;

        /* calc actual length */
        frame->actual_length = 0;

        /* Update ring dequeue pointer */
        while (ep_ring->dequeue != td->last_trb)
                inc_deq(xhci, ep_ring);
        inc_deq(xhci, ep_ring);

        return finish_td(xhci, td, NULL, event, ep, status, true);
}

/*
 * Process bulk and interrupt tds, update urb status and actual_length.
 */
static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_td *td,
        union xhci_trb *event_trb, struct xhci_transfer_event *event,
        struct xhci_virt_ep *ep, int *status)
{
        struct xhci_ring *ep_ring;
        union xhci_trb *cur_trb;
        struct xhci_segment *cur_seg;
        u32 trb_comp_code;

        ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer));
        trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len));

        switch (trb_comp_code) {
        case COMP_SUCCESS:
                /* Double check that the HW transferred everything. */
                if (event_trb != td->last_trb ||
                    EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
                        xhci_warn(xhci, "WARN Successful completion "
                                        "on short TX\n");
                        if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
                                *status = -EREMOTEIO;
                        else
                                *status = 0;
                        if ((xhci->quirks & XHCI_TRUST_TX_LENGTH))
                                trb_comp_code = COMP_SHORT_TX;
                } else {
                        *status = 0;
                }
                break;
        case COMP_SHORT_TX:
                if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
                        *status = -EREMOTEIO;
                else
                        *status = 0;
                break;
        default:
                /* Others already handled above */
                break;
        }
        if (trb_comp_code == COMP_SHORT_TX)
                xhci_dbg(xhci, "ep %#x - asked for %d bytes, "
                                "%d bytes untransferred\n",
                                td->urb->ep->desc.bEndpointAddress,
                                td->urb->transfer_buffer_length,
                                EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)));
        /* Fast path - was this the last TRB in the TD for this URB? */
        if (event_trb == td->last_trb) {
                if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
                        td->urb->actual_length =
                                td->urb->transfer_buffer_length -
                                EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
                        if (td->urb->transfer_buffer_length <
                                        td->urb->actual_length) {
                                xhci_warn(xhci, "HC gave bad length "
                                                "of %d bytes left\n",
                                          EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)));
                                td->urb->actual_length = 0;
                                if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
                                        *status = -EREMOTEIO;
                                else
                                        *status = 0;
                        }
                        /* Don't overwrite a previously set error code */
                        if (*status == -EINPROGRESS) {
                                if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
                                        *status = -EREMOTEIO;
                                else
                                        *status = 0;
                        }
                } else {
                        td->urb->actual_length =
                                td->urb->transfer_buffer_length;
                        /* Ignore a short packet completion if the
                         * untransferred length was zero.
                         */
                        if (*status == -EREMOTEIO)
                                *status = 0;
                }
        } else {
                /* Slow path - walk the list, starting from the dequeue
                 * pointer, to get the actual length transferred.
                 */
                td->urb->actual_length = 0;
                for (cur_trb = ep_ring->dequeue, cur_seg = ep_ring->deq_seg;
                                cur_trb != event_trb;
                                next_trb(xhci, ep_ring, &cur_seg, &cur_trb)) {
                        if (!TRB_TYPE_NOOP_LE32(cur_trb->generic.field[3]) &&
                            !TRB_TYPE_LINK_LE32(cur_trb->generic.field[3]))
                                td->urb->actual_length +=
                                        TRB_LEN(le32_to_cpu(cur_trb->generic.field[2]));
                }
                /* If the ring didn't stop on a Link or No-op TRB, add
                 * in the actual bytes transferred from the Normal TRB
                 */
                if (trb_comp_code != COMP_STOP_INVAL)
                        td->urb->actual_length +=
                                TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) -
                                EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
        }

        return finish_td(xhci, td, event_trb, event, ep, status, false);
}

/*
 * If this function returns an error condition, it means it got a Transfer
 * event with a corrupted Slot ID, Endpoint ID, or TRB DMA address.
 * At this point, the host controller is probably hosed and should be reset.
 */
static int handle_tx_event(struct xhci_hcd *xhci,
                struct xhci_transfer_event *event)
        __releases(&xhci->lock)
        __acquires(&xhci->lock)
{
        struct xhci_virt_device *xdev;
        struct xhci_virt_ep *ep;
        struct xhci_ring *ep_ring;
        unsigned int slot_id;
        int ep_index;
        struct xhci_td *td = NULL;
        dma_addr_t event_dma;
        struct xhci_segment *event_seg;
        union xhci_trb *event_trb;
        struct urb *urb = NULL;
        int status = -EINPROGRESS;
        struct urb_priv *urb_priv;
        struct xhci_ep_ctx *ep_ctx;
        struct list_head *tmp;
        u32 trb_comp_code;
        int ret = 0;
        int td_num = 0;

        slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags));
        xdev = xhci->devs[slot_id];
        if (!xdev) {
                xhci_err(xhci, "ERROR Transfer event pointed to bad slot\n");
                xhci_err(xhci, "@%016llx %08x %08x %08x %08x\n",
                         (unsigned long long) xhci_trb_virt_to_dma(
                                 xhci->event_ring->deq_seg,
                                 xhci->event_ring->dequeue),
                         lower_32_bits(le64_to_cpu(event->buffer)),
                         upper_32_bits(le64_to_cpu(event->buffer)),
                         le32_to_cpu(event->transfer_len),
                         le32_to_cpu(event->flags));
                xhci_dbg(xhci, "Event ring:\n");
                xhci_debug_segment(xhci, xhci->event_ring->deq_seg);
                return -ENODEV;
        }

        /* Endpoint ID is 1 based, our index is zero based */
        ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1;
        ep = &xdev->eps[ep_index];
        ep_ring = xhci_dma_to_transfer_ring(ep, le64_to_cpu(event->buffer));
        ep_ctx = xhci_get_ep_ctx(xhci, xdev->out_ctx, ep_index);
        if (!ep_ring ||
            (le32_to_cpu(ep_ctx->ep_info) & EP_STATE_MASK) ==
            EP_STATE_DISABLED) {
                xhci_err(xhci, "ERROR Transfer event for disabled endpoint "
                                "or incorrect stream ring\n");
                xhci_err(xhci, "@%016llx %08x %08x %08x %08x\n",
                         (unsigned long long) xhci_trb_virt_to_dma(
                                 xhci->event_ring->deq_seg,
                                 xhci->event_ring->dequeue),
                         lower_32_bits(le64_to_cpu(event->buffer)),
                         upper_32_bits(le64_to_cpu(event->buffer)),
                         le32_to_cpu(event->transfer_len),
                         le32_to_cpu(event->flags));
                xhci_dbg(xhci, "Event ring:\n");
                xhci_debug_segment(xhci, xhci->event_ring->deq_seg);
                return -ENODEV;
        }

        /* Count current td numbers if ep->skip is set */
        if (ep->skip) {
                list_for_each(tmp, &ep_ring->td_list)
                        td_num++;
        }

        event_dma = le64_to_cpu(event->buffer);
        trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len));
        /* Look for common error cases */
        switch (trb_comp_code) {
        /* Skip codes that require special handling depending on
         * transfer type
         */
        case COMP_SUCCESS:
                if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0)
                        break;
                if (xhci->quirks & XHCI_TRUST_TX_LENGTH)
                        trb_comp_code = COMP_SHORT_TX;
                else
                        xhci_warn_ratelimited(xhci,
                                        "WARN Successful completion on short TX: needs XHCI_TRUST_TX_LENGTH quirk?\n");
        case COMP_SHORT_TX:
                break;
        case COMP_STOP:
                xhci_dbg(xhci, "Stopped on Transfer TRB\n");
                break;
        case COMP_STOP_INVAL:
                xhci_dbg(xhci, "Stopped on No-op or Link TRB\n");
                break;
        case COMP_STALL:
                xhci_dbg(xhci, "Stalled endpoint\n");
                ep->ep_state |= EP_HALTED;
                status = -EPIPE;
                break;
        case COMP_TRB_ERR:
                xhci_warn(xhci, "WARN: TRB error on endpoint\n");
                status = -EILSEQ;
                break;
        case COMP_SPLIT_ERR:
        case COMP_TX_ERR:
                xhci_dbg(xhci, "Transfer error on endpoint\n");
                status = -EPROTO;
                break;
        case COMP_BABBLE:
                xhci_dbg(xhci, "Babble error on endpoint\n");
                status = -EOVERFLOW;
                break;
        case COMP_DB_ERR:
                xhci_warn(xhci, "WARN: HC couldn't access mem fast enough\n");
                status = -ENOSR;
                break;
        case COMP_BW_OVER:
                xhci_warn(xhci, "WARN: bandwidth overrun event on endpoint\n");
                break;
        case COMP_BUFF_OVER:
                xhci_warn(xhci, "WARN: buffer overrun event on endpoint\n");
                break;
        case COMP_UNDERRUN:
                /*
                 * When the Isoch ring is empty, the xHC will generate
                 * a Ring Overrun Event for IN Isoch endpoint or Ring
                 * Underrun Event for OUT Isoch endpoint.
                 */
                xhci_dbg(xhci, "underrun event on endpoint\n");
                if (!list_empty(&ep_ring->td_list))
                        xhci_dbg(xhci, "Underrun Event for slot %d ep %d "
                                        "still with TDs queued?\n",
                                 TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
                                 ep_index);
                goto cleanup;
        case COMP_OVERRUN:
                xhci_dbg(xhci, "overrun event on endpoint\n");
                if (!list_empty(&ep_ring->td_list))
                        xhci_dbg(xhci, "Overrun Event for slot %d ep %d "
                                        "still with TDs queued?\n",
                                 TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
                                 ep_index);
                goto cleanup;
        case COMP_DEV_ERR:
                xhci_warn(xhci, "WARN: detect an incompatible device");
                status = -EPROTO;
                break;
        case COMP_MISSED_INT:
                /*
                 * When encounter missed service error, one or more isoc tds
                 * may be missed by xHC.
                 * Set skip flag of the ep_ring; Complete the missed tds as
                 * short transfer when process the ep_ring next time.
                 */
                ep->skip = true;
                xhci_dbg(xhci, "Miss service interval error, set skip flag\n");
                goto cleanup;
        default:
                if (xhci_is_vendor_info_code(xhci, trb_comp_code)) {
                        status = 0;
                        break;
                }
                xhci_warn(xhci, "ERROR Unknown event condition, HC probably "
                                "busted\n");
                goto cleanup;
        }

        do {
                /* This TRB should be in the TD at the head of this ring's
                 * TD list.
                 */
                if (list_empty(&ep_ring->td_list)) {
                        /*
                         * A stopped endpoint may generate an extra completion
                         * event if the device was suspended.  Don't print
                         * warnings.
                         */
                        if (!(trb_comp_code == COMP_STOP ||
                                                trb_comp_code == COMP_STOP_INVAL)) {
                                xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
                                                TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
                                                ep_index);
                                xhci_dbg(xhci, "Event TRB with TRB type ID %u\n",
                                                (le32_to_cpu(event->flags) &
                                                 TRB_TYPE_BITMASK)>>10);
                                xhci_print_trb_offsets(xhci, (union xhci_trb *) event);
                        }
                        if (ep->skip) {
                                ep->skip = false;
                                xhci_dbg(xhci, "td_list is empty while skip "
                                                "flag set. Clear skip flag.\n");
                        }
                        ret = 0;
                        goto cleanup;
                }

                /* We've skipped all the TDs on the ep ring when ep->skip set */
                if (ep->skip && td_num == 0) {
                        ep->skip = false;
                        xhci_dbg(xhci, "All tds on the ep_ring skipped. "
                                                "Clear skip flag.\n");
                        ret = 0;
                        goto cleanup;
                }

                td = list_entry(ep_ring->td_list.next, struct xhci_td, td_list);
                if (ep->skip)
                        td_num--;

                /* Is this a TRB in the currently executing TD? */
                event_seg = trb_in_td(ep_ring->deq_seg, ep_ring->dequeue,
                                td->last_trb, event_dma);

                /*
                 * Skip the Force Stopped Event. The event_trb(event_dma) of FSE
                 * is not in the current TD pointed by ep_ring->dequeue because
                 * that the hardware dequeue pointer still at the previous TRB
                 * of the current TD. The previous TRB maybe a Link TD or the
                 * last TRB of the previous TD. The command completion handle
                 * will take care the rest.
                 */
                if (!event_seg && trb_comp_code == COMP_STOP_INVAL) {
                        ret = 0;
                        goto cleanup;
                }

                if (!event_seg) {
                        if (!ep->skip ||
                            !usb_endpoint_xfer_isoc(&td->urb->ep->desc)) {
                                /* Some host controllers give a spurious
                                 * successful event after a short transfer.
                                 * Ignore it.
                                 */
                                if ((xhci->quirks & XHCI_SPURIOUS_SUCCESS) && 
                                                ep_ring->last_td_was_short) {
                                        ep_ring->last_td_was_short = false;
                                        ret = 0;
                                        goto cleanup;
                                }
                                /* HC is busted, give up! */
                                xhci_err(xhci,
                                        "ERROR Transfer event TRB DMA ptr not "
                                        "part of current TD\n");
                                return -ESHUTDOWN;
                        }

                        ret = skip_isoc_td(xhci, td, event, ep, &status);
                        goto cleanup;
                }
                if (trb_comp_code == COMP_SHORT_TX)
                        ep_ring->last_td_was_short = true;
                else
                        ep_ring->last_td_was_short = false;

                if (ep->skip) {
                        xhci_dbg(xhci, "Found td. Clear skip flag.\n");
                        ep->skip = false;
                }

                event_trb = &event_seg->trbs[(event_dma - event_seg->dma) /
                                                sizeof(*event_trb)];
                /*
                 * No-op TRB should not trigger interrupts.
                 * If event_trb is a no-op TRB, it means the
                 * corresponding TD has been cancelled. Just ignore
                 * the TD.
                 */
                if (TRB_TYPE_NOOP_LE32(event_trb->generic.field[3])) {
                        xhci_dbg(xhci,
                                 "event_trb is a no-op TRB. Skip it\n");
                        goto cleanup;
                }

                /* Now update the urb's actual_length and give back to
                 * the core
                 */
                if (usb_endpoint_xfer_control(&td->urb->ep->desc))
                        ret = process_ctrl_td(xhci, td, event_trb, event, ep,
                                                 &status);
                else if (usb_endpoint_xfer_isoc(&td->urb->ep->desc))
                        ret = process_isoc_td(xhci, td, event_trb, event, ep,
                                                 &status);
                else
                        ret = process_bulk_intr_td(xhci, td, event_trb, event,
                                                 ep, &status);

cleanup:
                /*
                 * Do not update event ring dequeue pointer if ep->skip is set.
                 * Will roll back to continue process missed tds.
                 */
                if (trb_comp_code == COMP_MISSED_INT || !ep->skip) {
                        inc_deq(xhci, xhci->event_ring);
                }

                if (ret) {
                        urb = td->urb;
                        urb_priv = urb->hcpriv;
                        /* Leave the TD around for the reset endpoint function
                         * to use(but only if it's not a control endpoint,
                         * since we already queued the Set TR dequeue pointer
                         * command for stalled control endpoints).
                         */
                        if (usb_endpoint_xfer_control(&urb->ep->desc) ||
                                (trb_comp_code != COMP_STALL &&
                                        trb_comp_code != COMP_BABBLE))
                                xhci_urb_free_priv(xhci, urb_priv);
                        else
                                kfree(urb_priv);

                        usb_hcd_unlink_urb_from_ep(bus_to_hcd(urb->dev->bus), urb);
                        if ((urb->actual_length != urb->transfer_buffer_length &&
                                                (urb->transfer_flags &
                                                 URB_SHORT_NOT_OK)) ||
                                        (status != 0 &&
                                         !usb_endpoint_xfer_isoc(&urb->ep->desc)))
                                xhci_dbg(xhci, "Giveback URB %p, len = %d, "
                                                "expected = %d, status = %d\n",
                                                urb, urb->actual_length,
                                                urb->transfer_buffer_length,
                                                status);
                        spin_unlock(&xhci->lock);
                        /* EHCI, UHCI, and OHCI always unconditionally set the
                         * urb->status of an isochronous endpoint to 0.
                         */
                        if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
                                status = 0;
                        usb_hcd_giveback_urb(bus_to_hcd(urb->dev->bus), urb, status);
                        spin_lock(&xhci->lock);
                }

        /*
         * If ep->skip is set, it means there are missed tds on the
         * endpoint ring need to take care of.
         * Process them as short transfer until reach the td pointed by
         * the event.
         */
        } while (ep->skip && trb_comp_code != COMP_MISSED_INT);

        return 0;
}

/*
 * This function handles all OS-owned events on the event ring.  It may drop
 * xhci->lock between event processing (e.g. to pass up port status changes).
 * Returns >0 for "possibly more events to process" (caller should call again),
 * otherwise 0 if done.  In future, <0 returns should indicate error code.
 */
static int xhci_handle_event(struct xhci_hcd *xhci)
{
        union xhci_trb *event;
        int update_ptrs = 1;
        int ret;

        if (!xhci->event_ring || !xhci->event_ring->dequeue) {
                xhci->error_bitmask |= 1 << 1;
                return 0;
        }

        event = xhci->event_ring->dequeue;
        /* Does the HC or OS own the TRB? */
        if ((le32_to_cpu(event->event_cmd.flags) & TRB_CYCLE) !=
            xhci->event_ring->cycle_state) {
                xhci->error_bitmask |= 1 << 2;
                return 0;
        }

        /*
         * Barrier between reading the TRB_CYCLE (valid) flag above and any
         * speculative reads of the event's flags/data below.
         */
        rmb();
        /* FIXME: Handle more event types. */
        switch ((le32_to_cpu(event->event_cmd.flags) & TRB_TYPE_BITMASK)) {
        case TRB_TYPE(TRB_COMPLETION):
                handle_cmd_completion(xhci, &event->event_cmd);
                break;
        case TRB_TYPE(TRB_PORT_STATUS):
                handle_port_status(xhci, event);
                update_ptrs = 0;
                break;
        case TRB_TYPE(TRB_TRANSFER):
                ret = handle_tx_event(xhci, &event->trans_event);
                if (ret < 0)
                        xhci->error_bitmask |= 1 << 9;
                else
                        update_ptrs = 0;
                break;
        case TRB_TYPE(TRB_DEV_NOTE):
                handle_device_notification(xhci, event);
                break;
        default:
                if ((le32_to_cpu(event->event_cmd.flags) & TRB_TYPE_BITMASK) >=
                    TRB_TYPE(48))
                        handle_vendor_event(xhci, event);
                else
                        xhci->error_bitmask |= 1 << 3;
        }
        /* Any of the above functions may drop and re-acquire the lock, so check
         * to make sure a watchdog timer didn't mark the host as non-responsive.
         */
        if (xhci->xhc_state & XHCI_STATE_DYING) {
                xhci_dbg(xhci, "xHCI host dying, returning from "
                                "event handler.\n");
                return 0;
        }

        if (update_ptrs)
                /* Update SW event ring dequeue pointer */
                inc_deq(xhci, xhci->event_ring);

        /* Are there more items on the event ring?  Caller will call us again to
         * check.
         */
        return 1;
}

/*
 * xHCI spec says we can get an interrupt, and if the HC has an error condition,
 * we might get bad data out of the event ring.  Section 4.10.2.7 has a list of
 * indicators of an event TRB error, but we check the status *first* to be safe.
 */
irqreturn_t xhci_irq(struct usb_hcd *hcd)
{
        struct xhci_hcd *xhci = hcd_to_xhci(hcd);
        u32 status;
        u64 temp_64;
        union xhci_trb *event_ring_deq;
        dma_addr_t deq;

        spin_lock(&xhci->lock);
        /* Check if the xHC generated the interrupt, or the irq is shared */
        status = xhci_readl(xhci, &xhci->op_regs->status);
        if (status == 0xffffffff)
                goto hw_died;

        if (!(status & STS_EINT)) {
                spin_unlock(&xhci->lock);
                return IRQ_NONE;
        }
        if (status & STS_FATAL) {
                xhci_warn(xhci, "WARNING: Host System Error\n");
                xhci_halt(xhci);
hw_died:
                spin_unlock(&xhci->lock);
                return -ESHUTDOWN;
        }

        /*
         * Clear the op reg interrupt status first,
         * so we can receive interrupts from other MSI-X interrupters.
         * Write 1 to clear the interrupt status.
         */
        status |= STS_EINT;
        xhci_writel(xhci, status, &xhci->op_regs->status);
        /* FIXME when MSI-X is supported and there are multiple vectors */
        /* Clear the MSI-X event interrupt status */

        if (hcd->irq) {
                u32 irq_pending;
                /* Acknowledge the PCI interrupt */
                irq_pending = xhci_readl(xhci, &xhci->ir_set->irq_pending);
                irq_pending |= IMAN_IP;
                xhci_writel(xhci, irq_pending, &xhci->ir_set->irq_pending);
        }

        if (xhci->xhc_state & XHCI_STATE_DYING) {
                xhci_dbg(xhci, "xHCI dying, ignoring interrupt. "
                                "Shouldn't IRQs be disabled?\n");
                /* Clear the event handler busy flag (RW1C);
                 * the event ring should be empty.
                 */
                temp_64 = xhci_read_64(xhci, &xhci->ir_set->erst_dequeue);
                xhci_write_64(xhci, temp_64 | ERST_EHB,
                                &xhci->ir_set->erst_dequeue);
                spin_unlock(&xhci->lock);

                return IRQ_HANDLED;
        }

        event_ring_deq = xhci->event_ring->dequeue;
        /* FIXME this should be a delayed service routine
         * that clears the EHB.
         */
        while (xhci_handle_event(xhci) > 0) {}

        temp_64 = xhci_read_64(xhci, &xhci->ir_set->erst_dequeue);
        /* If necessary, update the HW's version of the event ring deq ptr. */
        if (event_ring_deq != xhci->event_ring->dequeue) {
                deq = xhci_trb_virt_to_dma(xhci->event_ring->deq_seg,
                                xhci->event_ring->dequeue);
                if (deq == 0)
                        xhci_warn(xhci, "WARN something wrong with SW event "
                                        "ring dequeue ptr.\n");
                /* Update HC event ring dequeue pointer */
                temp_64 &= ERST_PTR_MASK;
                temp_64 |= ((u64) deq & (u64) ~ERST_PTR_MASK);
        }

        /* Clear the event handler busy flag (RW1C); event ring is empty. */
        temp_64 |= ERST_EHB;
        xhci_write_64(xhci, temp_64, &xhci->ir_set->erst_dequeue);

        spin_unlock(&xhci->lock);

        return IRQ_HANDLED;
}

irqreturn_t xhci_msi_irq(int irq, void *hcd)
{
        return xhci_irq(hcd);
}

/****           Endpoint Ring Operations        ****/

/*
 * Generic function for queueing a TRB on a ring.
 * The caller must have checked to make sure there's room on the ring.
 *
 * @more_trbs_coming:   Will you enqueue more TRBs before calling
 *                      prepare_transfer()?
 */
static void queue_trb(struct xhci_hcd *xhci, struct xhci_ring *ring,
                bool more_trbs_coming,
                u32 field1, u32 field2, u32 field3, u32 field4)
{
        struct xhci_generic_trb *trb;

        trb = &ring->enqueue->generic;
        trb->field[0] = cpu_to_le32(field1);
        trb->field[1] = cpu_to_le32(field2);
        trb->field[2] = cpu_to_le32(field3);
        trb->field[3] = cpu_to_le32(field4);
        inc_enq(xhci, ring, more_trbs_coming);
}

/*
 * Does various checks on the endpoint ring, and makes it ready to queue num_trbs.
 * FIXME allocate segments if the ring is full.
 */
static int prepare_ring(struct xhci_hcd *xhci, struct xhci_ring *ep_ring,
                u32 ep_state, unsigned int num_trbs, gfp_t mem_flags)
{
        unsigned int num_trbs_needed;

        /* Make sure the endpoint has been added to xHC schedule */
        switch (ep_state) {
        case EP_STATE_DISABLED:
                /*
                 * USB core changed config/interfaces without notifying us,
                 * or hardware is reporting the wrong state.
                 */
                xhci_warn(xhci, "WARN urb submitted to disabled ep\n");
                return -ENOENT;
        case EP_STATE_ERROR:
                xhci_warn(xhci, "WARN waiting for error on ep to be cleared\n");
                /* FIXME event handling code for error needs to clear it */
                /* XXX not sure if this should be -ENOENT or not */
                return -EINVAL;
        case EP_STATE_HALTED:
                xhci_dbg(xhci, "WARN halted endpoint, queueing URB anyway.\n");
        case EP_STATE_STOPPED:
        case EP_STATE_RUNNING:
                break;
        default:
                xhci_err(xhci, "ERROR unknown endpoint state for ep\n");
                /*
                 * FIXME issue Configure Endpoint command to try to get the HC
                 * back into a known state.
                 */
                return -EINVAL;
        }

        while (1) {
                if (room_on_ring(xhci, ep_ring, num_trbs)) {
                        union xhci_trb *trb = ep_ring->enqueue;
                        unsigned int usable = ep_ring->enq_seg->trbs +
                                        TRBS_PER_SEGMENT - 1 - trb;
                        u32 nop_cmd;

                        /*
                         * Section 4.11.7.1 TD Fragments states that a link
                         * TRB must only occur at the boundary between
                         * data bursts (eg 512 bytes for 480M).
                         * While it is possible to split a large fragment
                         * we don't know the size yet.
                         * Simplest solution is to fill the trb before the
                         * LINK with nop commands.
                         */
                        if (num_trbs == 1 || num_trbs <= usable || usable == 0)
                                break;

                        if (ep_ring->type != TYPE_BULK)
                                /*
                                 * While isoc transfers might have a buffer that
                                 * crosses a 64k boundary it is unlikely.
                                 * Since we can't add NOPs without generating
                                 * gaps in the traffic just hope it never
                                 * happens at the end of the ring.