USB: pxa27x_udc: Fix deadlocks on request queueing

 * @ep: pxa physical endpoint

 * @req: pxa request

 * @status: usb request status sent to gadget API

 * @pflags: flags of previous spinlock_irq_save() or NULL if no lock held

 *

 * Context: ep->lock held

 * Context: ep->lock held if flags not NULL, else ep->lock released

 *

 * Retire a pxa27x usb request. Endpoint must be locked.

 */

static void req_done(struct pxa_ep *ep, struct pxa27x_request *req, int status)

static void req_done(struct pxa_ep *ep, struct pxa27x_request *req, int status,

	unsigned long *pflags)

{

	unsigned long	flags;

	ep_del_request(ep, req);

	if (likely(req->req.status == -EINPROGRESS))

		req->req.status = status;

			&req->req, status,

			req->req.actual, req->req.length);

	if (pflags)

		spin_unlock_irqrestore(&ep->lock, *pflags);

	local_irq_save(flags);

	req->req.complete(&req->udc_usb_ep->usb_ep, &req->req);

	local_irq_restore(flags);

	if (pflags)

		spin_lock_irqsave(&ep->lock, *pflags);

}

/**

 * ep_end_out_req - Ends endpoint OUT request

 * @ep: physical endpoint

 * @req: pxa request

 * @pflags: flags of previous spinlock_irq_save() or NULL if no lock held

 *

 * Context: ep->lock held

 * Context: ep->lock held or released (see req_done())

 *

 * Ends endpoint OUT request (completes usb request).

 */

static void ep_end_out_req(struct pxa_ep *ep, struct pxa27x_request *req)

static void ep_end_out_req(struct pxa_ep *ep, struct pxa27x_request *req,

	unsigned long *pflags)

{

	inc_ep_stats_reqs(ep, !USB_DIR_IN);

	req_done(ep, req, 0);

	req_done(ep, req, 0, pflags);

}

/**

 * ep0_end_out_req - Ends control endpoint OUT request (ends data stage)

 * @ep: physical endpoint

 * @req: pxa request

 * @pflags: flags of previous spinlock_irq_save() or NULL if no lock held

 *

 * Context: ep->lock held

 * Context: ep->lock held or released (see req_done())

 *

 * Ends control endpoint OUT request (completes usb request), and puts

 * control endpoint into idle state

 */

static void ep0_end_out_req(struct pxa_ep *ep, struct pxa27x_request *req)

static void ep0_end_out_req(struct pxa_ep *ep, struct pxa27x_request *req,

	unsigned long *pflags)

{

	set_ep0state(ep->dev, OUT_STATUS_STAGE);

	ep_end_out_req(ep, req);

	ep_end_out_req(ep, req, pflags);

	ep0_idle(ep->dev);

}

 * ep_end_in_req - Ends endpoint IN request

 * @ep: physical endpoint

 * @req: pxa request

 * @pflags: flags of previous spinlock_irq_save() or NULL if no lock held

 *

 * Context: ep->lock held

 * Context: ep->lock held or released (see req_done())

 *

 * Ends endpoint IN request (completes usb request).

 */

static void ep_end_in_req(struct pxa_ep *ep, struct pxa27x_request *req)

static void ep_end_in_req(struct pxa_ep *ep, struct pxa27x_request *req,

	unsigned long *pflags)

{

	inc_ep_stats_reqs(ep, USB_DIR_IN);

	req_done(ep, req, 0);

	req_done(ep, req, 0, pflags);

}

/**

 * ep0_end_in_req - Ends control endpoint IN request (ends data stage)

 * @ep: physical endpoint

 * @req: pxa request

 * @pflags: flags of previous spinlock_irq_save() or NULL if no lock held

 *

 * Context: ep->lock held

 * Context: ep->lock held or released (see req_done())

 *

 * Ends control endpoint IN request (completes usb request), and puts

 * control endpoint into status state

 */

static void ep0_end_in_req(struct pxa_ep *ep, struct pxa27x_request *req)

static void ep0_end_in_req(struct pxa_ep *ep, struct pxa27x_request *req,

	unsigned long *pflags)

{

	set_ep0state(ep->dev, IN_STATUS_STAGE);

	ep_end_in_req(ep, req);

	ep_end_in_req(ep, req, pflags);

}

/**

 * @ep: pxa endpoint

 * @status: usb request status

 *

 * Context: ep->lock held

 * Context: ep->lock released

 *

 * Dequeues all requests on an endpoint. As a side effect, interrupts will be

 * disabled on that endpoint (because no more requests).

static void nuke(struct pxa_ep *ep, int status)

{

	struct pxa27x_request	*req;

	unsigned long		flags;

	spin_lock_irqsave(&ep->lock, flags);

	while (!list_empty(&ep->queue)) {

		req = list_entry(ep->queue.next, struct pxa27x_request, queue);

		req_done(ep, req, status);

		req_done(ep, req, status, &flags);

	}

	spin_unlock_irqrestore(&ep->lock, flags);

}

/**

	int			rc = 0;

	int			is_first_req;

	unsigned		length;

	int			recursion_detected;

	req = container_of(_req, struct pxa27x_request, req);

	udc_usb_ep = container_of(_ep, struct udc_usb_ep, usb_ep);

		return -EMSGSIZE;

	spin_lock_irqsave(&ep->lock, flags);

	recursion_detected = ep->in_handle_ep;

	is_first_req = list_empty(&ep->queue);

	ep_dbg(ep, "queue req %p(first=%s), len %d buf %p\n",

	if (!ep->enabled) {

		_req->status = -ESHUTDOWN;

		rc = -ESHUTDOWN;

		goto out;

		goto out_locked;

	}

	if (req->in_use) {

		ep_err(ep, "refusing to queue req %p (already queued)\n", req);

		goto out;

		goto out_locked;

	}

	length = _req->length;

	_req->actual = 0;

	ep_add_request(ep, req);

	spin_unlock_irqrestore(&ep->lock, flags);

	if (is_ep0(ep)) {

		switch (dev->ep0state) {

		case WAIT_ACK_SET_CONF_INTERF:

			if (length == 0) {

				ep_end_in_req(ep, req);

				ep_end_in_req(ep, req, NULL);

			} else {

				ep_err(ep, "got a request of %d bytes while"

					"in state WAIT_ACK_SET_CONF_INTERF\n",

		case IN_DATA_STAGE:

			if (!ep_is_full(ep))

				if (write_ep0_fifo(ep, req))

					ep0_end_in_req(ep, req);

					ep0_end_in_req(ep, req, NULL);

			break;

		case OUT_DATA_STAGE:

			if ((length == 0) || !epout_has_pkt(ep))

				if (read_ep0_fifo(ep, req))

					ep0_end_out_req(ep, req);

					ep0_end_out_req(ep, req, NULL);

			break;

		default:

			ep_err(ep, "odd state %s to send me a request\n",

			break;

		}

	} else {

		if (!recursion_detected)

			handle_ep(ep);

	}

out:

	spin_unlock_irqrestore(&ep->lock, flags);

	return rc;

out_locked:

	spin_unlock_irqrestore(&ep->lock, flags);

	goto out;

}

/**

	/* make sure it's actually queued on this endpoint */

	list_for_each_entry(req, &ep->queue, queue) {

		if (&req->req == _req) {

			req_done(ep, req, -ECONNRESET);

			rc = 0;

			break;

		}

	}

	spin_unlock_irqrestore(&ep->lock, flags);

	if (!rc)

		req_done(ep, req, -ECONNRESET, NULL);

	return rc;

}

{

	struct pxa_ep		*ep;

	struct udc_usb_ep	*udc_usb_ep;

	unsigned long		flags;

	if (!_ep)

		return -EINVAL;

	if (!ep || is_ep0(ep) || !list_empty(&ep->queue))

		return -EINVAL;

	spin_lock_irqsave(&ep->lock, flags);

	ep->enabled = 0;

	nuke(ep, -ESHUTDOWN);

	spin_unlock_irqrestore(&ep->lock, flags);

	pxa_ep_fifo_flush(_ep);

	udc_usb_ep->pxa_ep = NULL;

	} u;

	int i;

	int have_extrabytes = 0;

	unsigned long flags;

	nuke(ep, -EPROTO);

	spin_lock_irqsave(&ep->lock, flags);

	/*

	 * In the PXA320 manual, in the section about Back-to-Back setup

	/* Tell UDC to enter Data Stage */

	ep_write_UDCCSR(ep, UDCCSR0_SA | UDCCSR0_OPC);

	spin_unlock_irqrestore(&ep->lock, flags);

	i = udc->driver->setup(&udc->gadget, &u.r);

	spin_lock_irqsave(&ep->lock, flags);

	if (i < 0)

		goto stall;

out:

	spin_unlock_irqrestore(&ep->lock, flags);

	return;

stall:

	ep_dbg(ep, "protocol STALL, udccsr0=%03x err %d\n",

		if (req && !ep_is_full(ep))

			completed = write_ep0_fifo(ep, req);

		if (completed)

			ep0_end_in_req(ep, req);

			ep0_end_in_req(ep, req, NULL);

		break;

	case OUT_DATA_STAGE:			/* SET_DESCRIPTOR */

		if (epout_has_pkt(ep) && req)

			completed = read_ep0_fifo(ep, req);

		if (completed)

			ep0_end_out_req(ep, req);

			ep0_end_out_req(ep, req, NULL);

		break;

	case STALL:

		ep_write_UDCCSR(ep, UDCCSR0_FST);

 * Tries to transfer all pending request data into the endpoint and/or

 * transfer all pending data in the endpoint into usb requests.

 *

 * Is always called when in_interrupt() or with ep->lock held.

 * Is always called when in_interrupt() and with ep->lock released.

 */

static void handle_ep(struct pxa_ep *ep)

{

	u32 udccsr;

	int is_in = ep->dir_in;

	int loop = 0;

	unsigned long		flags;

	spin_lock_irqsave(&ep->lock, flags);

	if (ep->in_handle_ep)

		goto recursion_detected;

	ep->in_handle_ep = 1;

	do {

		completed = 0;

		udccsr = udc_ep_readl(ep, UDCCSR);

		if (likely(!list_empty(&ep->queue)))

			req = list_entry(ep->queue.next,

					struct pxa27x_request, queue);

		if (unlikely(is_in)) {

			if (likely(!ep_is_full(ep)))

				completed = write_fifo(ep, req);

			if (completed)

				ep_end_in_req(ep, req);

		} else {

			if (likely(epout_has_pkt(ep)))

				completed = read_fifo(ep, req);

			if (completed)

				ep_end_out_req(ep, req);

		}

		if (completed) {

			if (is_in)

				ep_end_in_req(ep, req, &flags);

			else

				ep_end_out_req(ep, req, &flags);

		}

	} while (completed);

	ep->in_handle_ep = 0;

recursion_detected:

	spin_unlock_irqrestore(&ep->lock, flags);

}

/**

 * @queue: requests queue

 * @lock: lock to pxa_ep data (queues and stats)

 * @enabled: true when endpoint enabled (not stopped by gadget layer)

 * @in_handle_ep: number of recursions of handle_ep() function

 * 	Prevents deadlocks or infinite recursions of types :

 *	  irq->handle_ep()->req_done()->req.complete()->pxa_ep_queue()->handle_ep()

 *      or

 *        pxa_ep_queue()->handle_ep()->req_done()->req.complete()->pxa_ep_queue()

 * @idx: endpoint index (1 => epA, 2 => epB, ..., 24 => epX)

 * @name: endpoint name (for trace/debug purpose)

 * @dir_in: 1 if IN endpoint, 0 if OUT endpoint

	spinlock_t		lock;		/* Protects this structure */

						/* (queues, stats) */

	unsigned		enabled:1;

	unsigned		in_handle_ep:1;

	unsigned		idx:5;

	char			*name;