// Copyright 2016 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <ddk/debug.h>
#include <ddk/phys-iter.h>
#include <ddk/protocol/usb/hci.h>
#include <fbl/auto_lock.h>
#include <zircon/assert.h>
#include <zircon/hw/usb.h>
#include <stdio.h>
#include <string.h>
#include <threads.h>

#include "xhci-transfer.h"
#include "xhci-trb.h"
#include "xhci-util.h"

namespace usb_xhci {

// reads a range of bits from an integer
#define READ_FIELD(i, start, bits) (((i) >> (start)) & ((1 << (bits)) - 1))

// This resets the transfer ring's dequeue pointer just past the last completed transfer.
// This can only be called when the endpoint is stopped and we are locked on ep->lock.
static zx_status_t xhci_reset_dequeue_ptr_locked(xhci_t* xhci, uint32_t slot_id,
                                                 uint32_t ep_index) {
    xhci_slot_t* slot = &xhci->slots[slot_id];
    xhci_endpoint_t* ep = &slot->eps[ep_index];
    xhci_transfer_ring_t* transfer_ring = &ep->transfer_ring;

    xhci_sync_command_t command;
    xhci_sync_command_init(&command);
    uint64_t ptr = xhci_transfer_ring_current_phys(transfer_ring);
    ptr |= transfer_ring->pcs;
    // command expects device context index, so increment ep_index by 1
    uint32_t control = (slot_id << TRB_SLOT_ID_START) |
                        ((ep_index + 1) << TRB_ENDPOINT_ID_START);
    zx_status_t status = xhci_post_command(xhci, TRB_CMD_SET_TR_DEQUEUE, ptr, control,
                                           &command.context);
    if (status != ZX_OK) {
        return status;
    }
    int cc = xhci_sync_command_wait(&command);
    if (cc != TRB_CC_SUCCESS) {
        zxlogf(ERROR, "TRB_CMD_SET_TR_DEQUEUE failed cc: %d\n", cc);
        return ZX_ERR_INTERNAL;
    }
    xhci_set_dequeue_ptr(transfer_ring, transfer_ring->current_trb);

    return ZX_OK;
}

static void xhci_process_transactions_locked(xhci_t* xhci, xhci_slot_t* slot, uint8_t ep_index,
                                             list_node_t* completed_reqs);

zx_status_t xhci_reset_endpoint(xhci_t* xhci, uint32_t slot_id, uint8_t ep_address) {
    xhci_slot_t* slot = &xhci->slots[slot_id];
    uint8_t ep_index = xhci_endpoint_index(ep_address);
    xhci_endpoint_t* ep = &slot->eps[ep_index];
    usb_request_t* req;

    // Recover from Halted and Error conditions. See section 4.8.3 of the XHCI spec.

    ep->lock.Acquire();

    if (ep->state != EP_STATE_HALTED && ep->state != EP_STATE_ERROR) {
        ep->lock.Release();
        return ZX_OK;
    }

    int ep_ctx_state = xhci_get_ep_ctx_state(slot, ep);
    zxlogf(TRACE, "xhci_reset_endpoint %d %d ep_ctx_state %d\n", slot_id, ep_index, ep_ctx_state);

    if (ep_ctx_state == EP_CTX_STATE_STOPPED || ep_ctx_state == EP_CTX_STATE_RUNNING) {
        ep->state = EP_STATE_RUNNING;
        ep->lock.Release();
        return ZX_OK;
    }
    if (ep_ctx_state == EP_CTX_STATE_HALTED) {
        // reset the endpoint to move from Halted to Stopped state
        xhci_sync_command_t command;
        xhci_sync_command_init(&command);
        // command expects device context index, so increment ep_index by 1
        uint32_t control = (slot_id << TRB_SLOT_ID_START) |
                            ((ep_index + 1) << TRB_ENDPOINT_ID_START);
        zx_status_t status = xhci_post_command(xhci, TRB_CMD_RESET_ENDPOINT, 0, control,
                                               &command.context);
        if (status != ZX_OK) {
            ep->lock.Release();
            return status;
        }

        // Release the lock before waiting for the command. The command may not complete,
        // if there is another transfer event on the completer thread waiting for the lock
        // on the same endpoint.
        ep->lock.Release();
        int cc = xhci_sync_command_wait(&command);
        if (cc != TRB_CC_SUCCESS) {
            zxlogf(ERROR, "xhci_reset_endpoint: TRB_CMD_RESET_ENDPOINT failed cc: %d\n", cc);
            return ZX_ERR_INTERNAL;
        }
        ep->lock.Acquire();

        // calling USB_REQ_CLEAR_FEATURE on a stalled control endpoint will not work,
        // so we only do this for the other endpoints
        if (ep_address != 0) {
            // This should come after the successful completion of a Reset Endpoint Command.
            // See XHCI spec, section 4.6.8
            xhci_control_request(xhci, slot_id, USB_DIR_OUT | USB_TYPE_STANDARD | USB_RECIP_ENDPOINT,
                                 USB_REQ_CLEAR_FEATURE, USB_ENDPOINT_HALT, ep_address, nullptr, 0,
                                 nullptr);
        }
    }

    // resetting the dequeue pointer gets us out of ERROR state, and is also necessary
    // after TRB_CMD_RESET_ENDPOINT.
    if (ep_ctx_state == EP_CTX_STATE_ERROR || ep_ctx_state == EP_CTX_STATE_HALTED) {
        // move transfer ring's dequeue pointer passed the failed transaction
        zx_status_t status = xhci_reset_dequeue_ptr_locked(xhci, slot_id, ep_index);
        if (status != ZX_OK) {
            ep->lock.Release();
            return status;
        }
    }

    // xhci_reset_dequeue_ptr_locked will skip past all pending transactions,
    // so move them all to the queued list so they will be requeued
    // Completed these with ZX_ERR_CANCELED out of the lock.
    // Remove from tail and add to head to preserve the ordering
    while (xhci_remove_from_list_tail(xhci, &ep->pending_reqs, &req)) {
        xhci_add_to_list_head(xhci, &ep->queued_reqs, req);
    }

    ep_ctx_state = xhci_get_ep_ctx_state(slot, ep);
    zx_status_t status;
    switch (ep_ctx_state) {
    case EP_CTX_STATE_DISABLED:
        ep->state = EP_STATE_DEAD;
        status = ZX_ERR_IO_NOT_PRESENT;
        break;
    case EP_CTX_STATE_RUNNING:
    case EP_CTX_STATE_STOPPED:
        ep->state = EP_STATE_RUNNING;
        status = ZX_OK;
        break;
    case EP_CTX_STATE_ERROR:
        ep->state = EP_STATE_ERROR;
        status = ZX_ERR_IO_INVALID;
        break;
    case EP_CTX_STATE_HALTED:
        ep->state = EP_STATE_HALTED;
        status = ZX_ERR_IO_REFUSED;
        break;
    default:
        ep->state = EP_STATE_HALTED;
        status = ZX_ERR_INTERNAL;
        break;
    }

    list_node_t completed_reqs = LIST_INITIAL_VALUE(completed_reqs);
    if (ep->state == EP_STATE_RUNNING) {
        // start processing transactions again
        xhci_process_transactions_locked(xhci, slot, ep_index, &completed_reqs);
    }

    ep->lock.Release();

    xhci_usb_request_internal_t* req_int = nullptr;
    // call complete callbacks out of the lock
    while ((req_int = list_remove_head_type(&completed_reqs,
                                            xhci_usb_request_internal_t, node)) != nullptr) {
        req = XHCI_INTERNAL_TO_USB_REQ(req_int);
        usb_request_complete(req, req->response.status, req->response.actual,
                             &req_int->complete_cb);
    }

    return status;
}

// locked on ep->lock
static zx_status_t xhci_start_transfer_locked(xhci_t* xhci, xhci_slot_t* slot, uint32_t ep_index,
                                              usb_request_t* req) {
    xhci_endpoint_t* ep = &slot->eps[ep_index];
    xhci_transfer_ring_t* ring = &ep->transfer_ring;
    if (ep->state != EP_STATE_RUNNING) {
        zxlogf(ERROR, "xhci_start_transfer_locked bad ep->state %d\n", ep->state);
        return ZX_ERR_BAD_STATE;
    }

    if (req->header.length > 0) {
        zx_status_t status = usb_request_physmap(req, xhci->bti_handle.get());
        if (status != ZX_OK) {
            zxlogf(ERROR, "%s: usb_request_physmap failed: %d\n", __FUNCTION__, status);
            return status;
        }
    }

    xhci_transfer_state_t* state = ep->transfer_state;
    xhci_transfer_state_init(state, req, ep->ep_type, ep->max_packet_size);

    if (req->header.length > UINT32_MAX) {
        return ZX_ERR_BUFFER_TOO_SMALL;
    }
    auto length = static_cast<uint32_t>(req->header.length);
    uint32_t interrupter_target = 0;

    usb_setup_t* setup = (req->header.ep_address == 0 ? &req->setup : nullptr);
    if (setup) {
        // Setup Stage
        xhci_trb_t* trb = ring->current_trb;
        xhci_clear_trb(trb);

        XHCI_SET_BITS32(&trb->ptr_low, SETUP_TRB_REQ_TYPE_START, SETUP_TRB_REQ_TYPE_BITS,
                        setup->bmRequestType);
        XHCI_SET_BITS32(&trb->ptr_low, SETUP_TRB_REQUEST_START, SETUP_TRB_REQUEST_BITS,
                        setup->bRequest);
        XHCI_SET_BITS32(&trb->ptr_low, SETUP_TRB_VALUE_START, SETUP_TRB_VALUE_BITS, setup->wValue);
        XHCI_SET_BITS32(&trb->ptr_high, SETUP_TRB_INDEX_START, SETUP_TRB_INDEX_BITS, setup->wIndex);
        XHCI_SET_BITS32(&trb->ptr_high, SETUP_TRB_LENGTH_START, SETUP_TRB_LENGTH_BITS, length);
        XHCI_SET_BITS32(&trb->status, XFER_TRB_XFER_LENGTH_START, XFER_TRB_XFER_LENGTH_BITS, 8);
        XHCI_SET_BITS32(&trb->status, XFER_TRB_INTR_TARGET_START, XFER_TRB_INTR_TARGET_BITS,
                        interrupter_target);

        uint32_t control_bits = (length == 0 ? XFER_TRB_TRT_NONE :
                            (state->direction == USB_DIR_IN ? XFER_TRB_TRT_IN : XFER_TRB_TRT_OUT));
        control_bits |= XFER_TRB_IDT; // immediate data flag
        trb_set_control(trb, TRB_TRANSFER_SETUP, control_bits);
        if (driver_get_log_flags() & DDK_LOG_SPEW) xhci_print_trb(ring, trb);
        xhci_increment_ring(ring);
    }

    return ZX_OK;
}

// returns ZX_OK if req has been successfully queued,
// ZX_ERR_SHOULD_WAIT if we ran out of TRBs and need to try again later,
// or other error for a hard failure.
static zx_status_t xhci_continue_transfer_locked(xhci_t* xhci, xhci_slot_t* slot,
                                                 uint32_t ep_index, usb_request_t* req) {
    xhci_endpoint_t* ep = &slot->eps[ep_index];
    xhci_transfer_ring_t* ring = &ep->transfer_ring;

    usb_header_t* header = &req->header;
    xhci_transfer_state_t* state = ep->transfer_state;
    size_t length = header->length;
    size_t free_trbs = xhci_transfer_ring_free_trbs(&ep->transfer_ring);
    uint8_t direction = state->direction;
    bool isochronous = (ep->ep_type == USB_ENDPOINT_ISOCHRONOUS);
    uint64_t frame = header->frame;

    uint32_t interrupter_target = 0;

    if (isochronous) {
        if (length == 0) return ZX_ERR_INVALID_ARGS;
        if (xhci->num_interrupts > 1) {
            interrupter_target = ISOCH_INTERRUPTER;
        }
    }

    if (frame != 0) {
        if (!isochronous) {
            zxlogf(ERROR, "frame scheduling only supported for isochronous transfers\n");
            return ZX_ERR_INVALID_ARGS;
        }
        uint64_t current_frame = xhci_get_current_frame(xhci);
        if (frame < current_frame) {
            zxlogf(ERROR, "can't schedule transfer into the past\n");
            return ZX_ERR_INVALID_ARGS;
        }
        if (frame - current_frame >= 895) {
            // See XHCI spec, section 4.11.2.5
            zxlogf(ERROR, "can't schedule transfer more than 895ms into the future\n");
            return ZX_ERR_INVALID_ARGS;
        }
    }

    // need to clean the cache for both IN and OUT transfers, invalidate only for IN
    if (direction == USB_DIR_IN) {
        usb_request_cache_flush_invalidate(req, 0, header->length);
    } else {
        usb_request_cache_flush(req, 0, header->length);
    }

    zx_status_t status = xhci_queue_data_trbs(ring, state, req, interrupter_target, isochronous);
    if (status != ZX_OK) {
        return status;
    }

    if (state->needs_status) {
        if (free_trbs == 0) {
            // will need to do this later
            return ZX_ERR_SHOULD_WAIT;
        }

        // Status Stage
        xhci_trb_t* trb = ring->current_trb;
        xhci_clear_trb(trb);
        XHCI_SET_BITS32(&trb->status, XFER_TRB_INTR_TARGET_START, XFER_TRB_INTR_TARGET_BITS,
                        interrupter_target);
        uint32_t control_bits = (direction == USB_DIR_IN && length > 0 ? XFER_TRB_DIR_OUT
                                                                       : XFER_TRB_DIR_IN);
        // generate an event for the status phase so we can catch stalls or other errors
        // before completing control transfer requests
        control_bits |= XFER_TRB_IOC;
        trb_set_control(trb, TRB_TRANSFER_STATUS, control_bits);
        if (driver_get_log_flags() & DDK_LOG_SPEW) xhci_print_trb(ring, trb);
        xhci_increment_ring(ring);
        free_trbs--;
        state->needs_status = false;
    }

    xhci_usb_request_internal_t* req_int = USB_REQ_TO_XHCI_INTERNAL(req);
    // if we get here, then we are ready to ring the doorbell
    // update dequeue_ptr to TRB following this transaction
    req_int->context = ring->current_trb;

    XHCI_WRITE32(&xhci->doorbells[header->device_id], ep_index + 1);
    // it seems we need to ring the doorbell a second time when transitioning from STOPPED
    while (xhci_get_ep_ctx_state(slot, ep) == EP_CTX_STATE_STOPPED) {
        zx_nanosleep(zx_deadline_after(ZX_MSEC(1)));
        XHCI_WRITE32(&xhci->doorbells[header->device_id], ep_index + 1);
    }

    return ZX_OK;
}

static void xhci_process_transactions_locked(xhci_t* xhci, xhci_slot_t* slot, uint8_t ep_index,
                                             list_node_t* completed_reqs) {
    xhci_endpoint_t* ep = &slot->eps[ep_index];

    // loop until we fill our transfer ring or run out of requests to process
    while (1) {
        if (xhci_transfer_ring_free_trbs(&ep->transfer_ring) == 0) {
            // no available TRBs - need to wait for some complete
            return;
        }

        while (!ep->current_req) {
            // start the next transaction in the queue
            usb_request_t* req;
            xhci_remove_from_list_head(xhci, &ep->queued_reqs, &req);
            if (!req) {
                // nothing to do
                return;
            }

            zx_status_t status = xhci_start_transfer_locked(xhci, slot, ep_index, req);
            if (status == ZX_OK) {
                xhci_add_to_list_tail(xhci, &ep->pending_reqs, req);
                ep->current_req = req;
            } else {
                req->response.status = status;
                req->response.actual = 0;
                xhci_add_to_list_tail(xhci, completed_reqs, req);
            }
        }

        if (ep->current_req) {
            usb_request_t* req = ep->current_req;
            zx_status_t status = xhci_continue_transfer_locked(xhci, slot, ep_index, req);
            if (status == ZX_ERR_SHOULD_WAIT) {
                // no available TRBs - need to wait for some complete
                return;
            } else {
                if (status != ZX_OK) {
                    req->response.status = status;
                    req->response.actual = 0;
                    xhci_delete_req_node(xhci, req);
                    xhci_add_to_list_tail(xhci, completed_reqs, req);
                }
                ep->current_req = nullptr;
            }
        }
    }
}

zx_status_t xhci_queue_transfer(xhci_t* xhci, usb_request_t* req) {
    uint32_t slot_id = req->header.device_id;
    uint8_t ep_index = xhci_endpoint_index(req->header.ep_address);
    __UNUSED usb_setup_t* setup = (ep_index == 0 ? &req->setup : nullptr);

    zxlogf(LSPEW, "xhci_queue_transfer slot_id: %d setup: %p ep_index: %d length: %lu\n",
            slot_id, setup, ep_index, req->header.length);

    int rh_index = xhci_get_root_hub_index(xhci, slot_id);
    if (rh_index >= 0) {
        return xhci_rh_usb_request_queue(xhci, req, rh_index);
    }

    if (slot_id < 1 || slot_id > xhci->max_slots) {
        return ZX_ERR_INVALID_ARGS;
    }
    if (ep_index >= XHCI_NUM_EPS) {
        return ZX_ERR_INVALID_ARGS;
    }

    xhci_slot_t* slot = &xhci->slots[slot_id];
    xhci_endpoint_t* ep = &slot->eps[ep_index];
    if (!slot->sc) {
        // slot no longer enabled
        return ZX_ERR_IO_NOT_PRESENT;
    }

    list_node_t completed_reqs = LIST_INITIAL_VALUE(completed_reqs);

    {
        fbl::AutoLock al(&ep->lock);

        zx_status_t status;
        switch (ep->state) {
        case EP_STATE_DEAD:
            status = ZX_ERR_IO_NOT_PRESENT;
            break;
        case EP_STATE_RUNNING:
            status = ZX_OK;
            break;
        case EP_STATE_PAUSED:
            status = ZX_ERR_BAD_STATE;
            break;
        case EP_STATE_ERROR:
            status = ZX_ERR_IO_INVALID;
            break;
        case EP_STATE_HALTED:
            status = ZX_ERR_IO_REFUSED;
            break;
        case EP_STATE_DISABLED:
            status = ZX_ERR_BAD_STATE;
            break;
        default:
            status = ZX_ERR_INTERNAL;
            break;
        }

        if (status != ZX_OK) {
            return status;
        }

        xhci_add_to_list_tail(xhci, &ep->queued_reqs, req);

        xhci_process_transactions_locked(xhci, slot, ep_index, &completed_reqs);
    }

    xhci_usb_request_internal_t* req_int = nullptr;
    // call complete callbacks out of the lock
    while ((req_int = list_remove_head_type(&completed_reqs,
                                            xhci_usb_request_internal_t, node)) != nullptr) {
        req = XHCI_INTERNAL_TO_USB_REQ(req_int);
        usb_request_complete(req, req->response.status, req->response.actual,
                             &req_int->complete_cb);
    }

    return ZX_OK;
}

zx_status_t xhci_cancel_transfers(xhci_t* xhci, uint32_t slot_id, uint32_t ep_index) {
    zxlogf(TRACE, "xhci_cancel_transfers slot_id: %d ep_index: %d\n", slot_id, ep_index);

    if (slot_id < 1 || slot_id > xhci->max_slots) {
        return ZX_ERR_INVALID_ARGS;
    }
    if (ep_index >= XHCI_NUM_EPS) {
        return ZX_ERR_INVALID_ARGS;
    }

    xhci_slot_t* slot = &xhci->slots[slot_id];
    xhci_endpoint_t* ep = &slot->eps[ep_index];
    list_node_t completed_reqs = LIST_INITIAL_VALUE(completed_reqs);
    usb_request_t* req;
    zx_status_t status = ZX_OK;

    ep->lock.Acquire();

    if (ep->state == EP_STATE_HALTED) {
      // xhci_reset_endpoint will be issued, when the transaction
      // that caused the STALL is completed. Let xhci_reset_endpoint
      // take care of resetting the endpoint to a running state.
      ep->lock.Release();
      return status;
    }
    if (!list_is_empty(&ep->pending_reqs)) {
        // stop the endpoint and remove transactions that have already been queued
        // in the transfer ring
        ep->state = EP_STATE_PAUSED;

        xhci_sync_command_t command;
        xhci_sync_command_init(&command);
        // command expects device context index, so increment ep_index by 1
        uint32_t control = (slot_id << TRB_SLOT_ID_START) |
                           ((ep_index + 1) << TRB_ENDPOINT_ID_START);
        zx_status_t status = xhci_post_command(xhci, TRB_CMD_STOP_ENDPOINT, 0, control,
                                               &command.context);
        if (status != ZX_OK) {
            ep->lock.Release();
            return status;
        }

        // We can't block on command completion while holding the lock.
        // It is safe to unlock here because no additional transactions will be
        // queued on the endpoint when ep->state is EP_STATE_PAUSED.
        ep->lock.Release();
        int cc = xhci_sync_command_wait(&command);
        if (cc != TRB_CC_SUCCESS) {
            // TRB_CC_CONTEXT_STATE_ERROR is normal here in the case of a disconnected device,
            // since by then the endpoint would already be in error state.
            zxlogf(ERROR, "xhci_cancel_transfers: TRB_CMD_STOP_ENDPOINT failed cc: %d\n", cc);
            return ZX_ERR_INTERNAL;
        }
        ep->lock.Acquire();

        // TRB_CMD_STOP_ENDPOINT may have have completed a currently executing request
        // but we may still have other pending requests. xhci_reset_dequeue_ptr_locked()
        // will set the dequeue pointer after the last completed request.
        while (xhci_remove_from_list_head(xhci, &ep->queued_reqs, &req)) {
            req->response.status = ZX_ERR_CANCELED;
            req->response.actual = 0;
            xhci_add_to_list_head(xhci, &completed_reqs, req);
        }

        status = xhci_reset_dequeue_ptr_locked(xhci, slot_id, ep_index);
        if (status == ZX_OK) {
            ep->state = EP_STATE_RUNNING;
        }
    }

    // elements of the queued_reqs list can simply be removed and completed.
    while (xhci_remove_from_list_head(xhci, &ep->queued_reqs, &req)) {
        req->response.status = ZX_ERR_CANCELED;
        req->response.actual = 0;
        xhci_add_to_list_head(xhci, &completed_reqs, req);
    }

    ep->lock.Release();

    xhci_usb_request_internal_t* req_int;
    // call complete callbacks out of the lock
    while ((req_int = list_remove_head_type(&completed_reqs,
                                            xhci_usb_request_internal_t, node)) != NULL) {
        req = XHCI_INTERNAL_TO_USB_REQ(req_int);
        usb_request_complete(req, req->response.status, req->response.actual,
                             &req_int->complete_cb);
    }

    return status;
}

static void xhci_control_complete(void* ctx, usb_request_t* req) {
    sync_completion_signal((sync_completion_t*)ctx);
}

zx_status_t xhci_control_request(xhci_t* xhci, uint32_t slot_id, uint8_t request_type,
                                 uint8_t request, uint16_t value, uint16_t index, void* data,
                                 uint16_t length, size_t* out_actual) {
    zxlogf(LTRACE, "xhci_control_request slot_id: %d type: 0x%02X req: %d value: %d index: %d "
            "length: %d\n", slot_id, request_type, request, value, index, length);

    // xhci_control_request is only used for reading first 8 bytes of the device descriptor,
    // so it makes sense to pool them.
    usb_request_t* req = usb_request_pool_get(&xhci->free_reqs, length);

    if (req == nullptr) {
        uint64_t total_req_size = sizeof(usb_request_t) + sizeof(xhci_usb_request_internal_t);
        auto status = usb_request_alloc(&req, length, 0, total_req_size);
        if (status != ZX_OK) {
            return status;
        }
    }

    usb_setup_t* setup = &req->setup;
    setup->bmRequestType = request_type;
    setup->bRequest = request;
    setup->wValue = value;
    setup->wIndex = index;
    setup->wLength = length;
    req->header.device_id = slot_id;

    bool out = !!((request_type & USB_DIR_MASK) == USB_DIR_OUT);
    if (length > 0 && out) {
        usb_request_copy_to(req, data, length, 0);
    }

    sync_completion_t completion;

    req->header.length = length;
    usb_request_complete_t complete = {
        .callback = xhci_control_complete,
        .ctx = &completion,
    };
    xhci_request_queue(xhci, req, &complete);
    auto status = sync_completion_wait(&completion, ZX_SEC(1));
    if (status == ZX_OK) {
        status = req->response.status;
    } else if (status == ZX_ERR_TIMED_OUT) {
        zxlogf(ERROR, "xhci_control_request ZX_ERR_TIMED_OUT\n");
        sync_completion_reset(&completion);
        status = xhci_cancel_transfers(xhci, slot_id, 0);
        if (status == ZX_OK) {
            sync_completion_wait(&completion, ZX_TIME_INFINITE);
            status = ZX_ERR_TIMED_OUT;
        }
    }
    zxlogf(TRACE, "xhci_control_transfer got %d\n", status);
    if (status == ZX_OK && out_actual != nullptr) {
        *out_actual = req->response.actual;

        if (length > 0 && !out) {
            usb_request_copy_from(req, data, req->response.actual, 0);
        }
    }

    if (usb_request_pool_add(&xhci->free_reqs, req) != ZX_OK) {
        zxlogf(TRACE, "xhci_control_transfer: Unable to add back request to the free pool\n");
        usb_request_release(req);
    }

    zxlogf(TRACE, "xhci_control_request returning %d\n", status);
    return status;
}

zx_status_t xhci_get_descriptor(xhci_t* xhci, uint32_t slot_id, uint8_t type, uint16_t value,
                                uint16_t index, void* data, uint16_t length, size_t* out_actual) {
    return xhci_control_request(xhci, slot_id, USB_DIR_IN | type | USB_RECIP_DEVICE,
                                USB_REQ_GET_DESCRIPTOR, value, index, data, length, out_actual);
}

void xhci_handle_transfer_event(xhci_t* xhci, xhci_trb_t* trb) {
    zxlogf(LTRACE, "xhci_handle_transfer_event: %08X %08X %08X %08X\n",
            ((uint32_t*)trb)[0], ((uint32_t*)trb)[1], ((uint32_t*)trb)[2], ((uint32_t*)trb)[3]);

    uint32_t control = XHCI_READ32(&trb->control);
    uint32_t status = XHCI_READ32(&trb->status);
    uint32_t slot_id = READ_FIELD(control, TRB_SLOT_ID_START, TRB_SLOT_ID_BITS);
    // ep_index is device context index, so decrement by 1 to get zero based index
    auto ep_index = static_cast<uint8_t>(
                            READ_FIELD(control, TRB_ENDPOINT_ID_START, TRB_ENDPOINT_ID_BITS) - 1);
    xhci_slot_t* slot = &xhci->slots[slot_id];
    xhci_endpoint_t* ep = &slot->eps[ep_index];
    xhci_transfer_ring_t* ring = &ep->transfer_ring;

    uint32_t cc = READ_FIELD(status, EVT_TRB_CC_START, EVT_TRB_CC_BITS);
    uint32_t length = READ_FIELD(status, EVT_TRB_XFER_LENGTH_START, EVT_TRB_XFER_LENGTH_BITS);
    usb_request_t* req = nullptr;

    list_node_t completed_reqs = LIST_INITIAL_VALUE(completed_reqs);
    {
        fbl::AutoLock al(&ep->lock);
        zx_status_t result;
        switch (cc) {
        case TRB_CC_SUCCESS:
        case TRB_CC_SHORT_PACKET:
            result = length;
            break;
        case TRB_CC_BABBLE_DETECTED_ERROR:
            zxlogf(TRACE, "xhci_handle_transfer_event: TRB_CC_BABBLE_DETECTED_ERROR\n");
            result = ZX_ERR_IO_OVERRUN;
            break;
        case TRB_CC_TRB_ERROR:
            zxlogf(TRACE, "xhci_handle_transfer_event: TRB_CC_TRB_ERROR\n");
            int ep_ctx_state;
            ep_ctx_state = xhci_get_ep_ctx_state(slot, ep);
            /*
             * For usb-c ethernet adapters on Intel xhci controller, we receive this error
             * when a packet fails with NRDY token on the bus.see NET:97 for more details.
             * Slow down the requests in the client when this error is received.
             */
            if (ep_ctx_state == EP_CTX_STATE_ERROR) {
                result = ZX_ERR_IO_INVALID;
            } else {
                result = ZX_ERR_IO;
            }
            break;
        case TRB_CC_USB_TRANSACTION_ERROR:
        case TRB_CC_STALL_ERROR: {
            int ep_ctx_state = xhci_get_ep_ctx_state(slot, ep);
            zxlogf(TRACE, "xhci_handle_transfer_event: cc %d ep_ctx_state %d\n", cc, ep_ctx_state);
            if (ep_ctx_state == EP_CTX_STATE_HALTED) {
                result = ZX_ERR_IO_REFUSED;
            } else {
                result = ZX_ERR_IO;
            }
            break;
        }
        case TRB_CC_RING_UNDERRUN:
            // non-fatal error that happens when no transfers are available for isochronous
            // endpoint
            zxlogf(TRACE, "xhci_handle_transfer_event: TRB_CC_RING_UNDERRUN\n");
            return;
        case TRB_CC_RING_OVERRUN:
            // non-fatal error that happens when no transfers are available for isochronous
            // endpoint
            zxlogf(TRACE, "xhci_handle_transfer_event: TRB_CC_RING_OVERRUN\n");
            return;
        case TRB_CC_MISSED_SERVICE_ERROR:
            zxlogf(TRACE, "xhci_handle_transfer_event: TRB_CC_MISSED_SERVICE_ERROR\n");
            result = ZX_ERR_IO_MISSED_DEADLINE;
            break;
        case TRB_CC_STOPPED:
        case TRB_CC_STOPPED_LENGTH_INVALID:
        case TRB_CC_STOPPED_SHORT_PACKET:
        case TRB_CC_ENDPOINT_NOT_ENABLED_ERROR:
            switch (ep->state) {
            case EP_STATE_PAUSED:
                result = ZX_ERR_CANCELED;
                break;
            case EP_STATE_DISABLED:
                result = ZX_ERR_BAD_STATE;
                break;
            case EP_STATE_DEAD:
                result = ZX_ERR_IO_NOT_PRESENT;
                break;
            default:
                zxlogf(ERROR, "xhci_handle_transfer_event: bad state for stopped req: %d\n",
                       ep->state);
                result = ZX_ERR_INTERNAL;
            }
            break;
        default: {
            int ep_ctx_state = xhci_get_ep_ctx_state(slot, ep);
            zxlogf(ERROR,
                   "xhci_handle_transfer_event: unhandled transfer event condition"
                   " code %d  ep_ctx_state %d:  %08X %08X %08X %08X\n",
                   cc, ep_ctx_state, ((uint32_t*)trb)[0], ((uint32_t*)trb)[1], ((uint32_t*)trb)[2],
                   ((uint32_t*)trb)[3]);
            if (ep_ctx_state == EP_CTX_STATE_HALTED) {
                result = ZX_ERR_IO_REFUSED;
            } else if (ep_ctx_state == EP_CTX_STATE_ERROR) {
                result = ZX_ERR_IO_INVALID;
            } else {
                result = ZX_ERR_IO;
            }
            break;
        }
        }

        bool req_status_set = false;

        if (trb->ptr && !list_is_empty(&ep->pending_reqs) && ep->state != EP_STATE_DISABLED &&
            ep->state != EP_STATE_DEAD) {
            if (control & EVT_TRB_ED) {
                req = reinterpret_cast<usb_request_t*>(trb->ptr);
                if (ep_index == 0) {
                    // For control requests we are expecting a second transfer event to signal the
                    // end of the status phase. So here we record the status and actual for the
                    // data phase but wait for the status phase to complete before completing the
                    // request.
                    slot->current_ctrl_req = req;
                    if (result < 0) {
                        req->response.status = result;
                        req->response.actual = 0;
                    } else {
                        req->response.status = 0;
                        req->response.actual = result;
                    }
                    return;
                }
            } else {
                trb = xhci_read_trb_ptr(ring, trb);
                if (trb_get_type(trb) == TRB_TRANSFER_STATUS && slot->current_ctrl_req) {
                    // complete current control request
                    req = slot->current_ctrl_req;
                    slot->current_ctrl_req = nullptr;
                    if (result < 0) {
                        // sometimes we receive stall errors in the status phase so update
                        // request status if necessary
                        req->response.status = result;
                        req->response.actual = 0;
                    }
                    req_status_set = true;
                } else {
                    for (uint i = 0; i < TRANSFER_RING_SIZE && trb; i++) {
                        if (trb_get_type(trb) == TRB_TRANSFER_EVENT_DATA) {
                            req = reinterpret_cast<usb_request_t*>(trb->ptr);
                            break;
                        }
                        trb = xhci_get_next_trb(ring, trb);
                    }
                }
            }
        }

        int ep_ctx_state = xhci_get_ep_ctx_state(slot, ep);
        if (ep_ctx_state != EP_CTX_STATE_RUNNING) {
            zxlogf(TRACE, "xhci_handle_transfer_event: ep ep_ctx_state %d cc %d\n", ep_ctx_state,
                   cc);
        }

        if (!req) {
            // no req expected for this condition code
            if (cc != TRB_CC_STOPPED_LENGTH_INVALID) {
                zxlogf(TRACE, "xhci_handle_transfer_event: unable to find request to complete!\n");
            }
            return;
        }

        // When transaction errors occur, we sometimes receive multiple events for the same
        // transfer. Here we check to make sure that this event doesn't correspond to a transfer
        // that has already been completed. In the typical case, the context will be found at the
        // head of pending_reqs.
        bool found_req = false;
        usb_request_t* test;
        xhci_usb_request_internal_t* req_int = nullptr;
        list_for_every_entry(&ep->pending_reqs, req_int, xhci_usb_request_internal_t, node) {
            test = XHCI_INTERNAL_TO_USB_REQ(req_int);
            if (test == req) {
                found_req = true;
                break;
            }
        }
        if (!found_req) {
            zxlogf(TRACE, "xhci_handle_transfer_event: ignoring transfer event for completed "
                          "transfer\n");
            return;
        }

        // update dequeue_ptr to TRB following this transaction
        xhci_set_dequeue_ptr(ring, req_int->context);

        // remove request from pending_reqs
        xhci_delete_req_node(xhci, req);

        if (!req_status_set) {
            if (result < 0) {
                req->response.status = result;
                req->response.actual = 0;
            } else {
                req->response.status = 0;
                req->response.actual = result;
            }
        }

        xhci_add_to_list_head(xhci, &completed_reqs, req);

        if (result == ZX_ERR_IO_REFUSED && ep->state != EP_STATE_DEAD) {
            ep->state = EP_STATE_HALTED;
        } else if (result == ZX_ERR_IO_INVALID && ep->state != EP_STATE_DEAD) {
            ep->state = EP_STATE_ERROR;
        } else if (ep->state == EP_STATE_RUNNING) {
            xhci_process_transactions_locked(xhci, slot, ep_index, &completed_reqs);
        }
    }

    // call complete callbacks out of the lock
    xhci_usb_request_internal_t* req_int;
    while ((req_int = list_remove_head_type(&completed_reqs,
                                             xhci_usb_request_internal_t, node)) != NULL) {
        req = XHCI_INTERNAL_TO_USB_REQ(req_int);
        usb_request_complete(req, req->response.status, req->response.actual,
                             &req_int->complete_cb);
    }
}

} // namespace usb_xhci