linux/drivers/usb/gadget/f_mass_storage.c
<<
>>
Prefs
   1/*
   2 * f_mass_storage.c -- Mass Storage USB Composite Function
   3 *
   4 * Copyright (C) 2003-2008 Alan Stern
   5 * Copyright (C) 2009 Samsung Electronics
   6 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   7 * All rights reserved.
   8 *
   9 * Redistribution and use in source and binary forms, with or without
  10 * modification, are permitted provided that the following conditions
  11 * are met:
  12 * 1. Redistributions of source code must retain the above copyright
  13 *    notice, this list of conditions, and the following disclaimer,
  14 *    without modification.
  15 * 2. Redistributions in binary form must reproduce the above copyright
  16 *    notice, this list of conditions and the following disclaimer in the
  17 *    documentation and/or other materials provided with the distribution.
  18 * 3. The names of the above-listed copyright holders may not be used
  19 *    to endorse or promote products derived from this software without
  20 *    specific prior written permission.
  21 *
  22 * ALTERNATIVELY, this software may be distributed under the terms of the
  23 * GNU General Public License ("GPL") as published by the Free Software
  24 * Foundation, either version 2 of that License or (at your option) any
  25 * later version.
  26 *
  27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  28 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  29 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  30 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  31 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  32 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  33 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  34 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  35 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  36 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  37 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38 */
  39
  40/*
  41 * The Mass Storage Function acts as a USB Mass Storage device,
  42 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  43 * addition to providing an example of a genuinely useful composite
  44 * function for a USB device, it also illustrates a technique of
  45 * double-buffering for increased throughput.
  46 *
  47 * For more information about MSF and in particular its module
  48 * parameters and sysfs interface read the
  49 * <Documentation/usb/mass-storage.txt> file.
  50 */
  51
  52/*
  53 * MSF is configured by specifying a fsg_config structure.  It has the
  54 * following fields:
  55 *
  56 *      nluns           Number of LUNs function have (anywhere from 1
  57 *                              to FSG_MAX_LUNS which is 8).
  58 *      luns            An array of LUN configuration values.  This
  59 *                              should be filled for each LUN that
  60 *                              function will include (ie. for "nluns"
  61 *                              LUNs).  Each element of the array has
  62 *                              the following fields:
  63 *      ->filename      The path to the backing file for the LUN.
  64 *                              Required if LUN is not marked as
  65 *                              removable.
  66 *      ->ro            Flag specifying access to the LUN shall be
  67 *                              read-only.  This is implied if CD-ROM
  68 *                              emulation is enabled as well as when
  69 *                              it was impossible to open "filename"
  70 *                              in R/W mode.
  71 *      ->removable     Flag specifying that LUN shall be indicated as
  72 *                              being removable.
  73 *      ->cdrom         Flag specifying that LUN shall be reported as
  74 *                              being a CD-ROM.
  75 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  76 *                              commands for this LUN shall be ignored.
  77 *
  78 *      vendor_name
  79 *      product_name
  80 *      release         Information used as a reply to INQUIRY
  81 *                              request.  To use default set to NULL,
  82 *                              NULL, 0xffff respectively.  The first
  83 *                              field should be 8 and the second 16
  84 *                              characters or less.
  85 *
  86 *      can_stall       Set to permit function to halt bulk endpoints.
  87 *                              Disabled on some USB devices known not
  88 *                              to work correctly.  You should set it
  89 *                              to true.
  90 *
  91 * If "removable" is not set for a LUN then a backing file must be
  92 * specified.  If it is set, then NULL filename means the LUN's medium
  93 * is not loaded (an empty string as "filename" in the fsg_config
  94 * structure causes error).  The CD-ROM emulation includes a single
  95 * data track and no audio tracks; hence there need be only one
  96 * backing file per LUN.
  97 *
  98 * This function is heavily based on "File-backed Storage Gadget" by
  99 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 100 * Brownell.  The driver's SCSI command interface was based on the
 101 * "Information technology - Small Computer System Interface - 2"
 102 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 103 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 104 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 105 * was based on the "Universal Serial Bus Mass Storage Class UFI
 106 * Command Specification" document, Revision 1.0, December 14, 1998,
 107 * available at
 108 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 109 */
 110
 111/*
 112 *                              Driver Design
 113 *
 114 * The MSF is fairly straightforward.  There is a main kernel
 115 * thread that handles most of the work.  Interrupt routines field
 116 * callbacks from the controller driver: bulk- and interrupt-request
 117 * completion notifications, endpoint-0 events, and disconnect events.
 118 * Completion events are passed to the main thread by wakeup calls.  Many
 119 * ep0 requests are handled at interrupt time, but SetInterface,
 120 * SetConfiguration, and device reset requests are forwarded to the
 121 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 122 * should interrupt any ongoing file I/O operations).
 123 *
 124 * The thread's main routine implements the standard command/data/status
 125 * parts of a SCSI interaction.  It and its subroutines are full of tests
 126 * for pending signals/exceptions -- all this polling is necessary since
 127 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 128 * indication that the driver really wants to be running in userspace.)
 129 * An important point is that so long as the thread is alive it keeps an
 130 * open reference to the backing file.  This will prevent unmounting
 131 * the backing file's underlying filesystem and could cause problems
 132 * during system shutdown, for example.  To prevent such problems, the
 133 * thread catches INT, TERM, and KILL signals and converts them into
 134 * an EXIT exception.
 135 *
 136 * In normal operation the main thread is started during the gadget's
 137 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 138 * also exit when it receives a signal, and there's no point leaving
 139 * the gadget running when the thread is dead.  As of this moment, MSF
 140 * provides no way to deregister the gadget when thread dies -- maybe
 141 * a callback functions is needed.
 142 *
 143 * To provide maximum throughput, the driver uses a circular pipeline of
 144 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 145 * arbitrarily long; in practice the benefits don't justify having more
 146 * than 2 stages (i.e., double buffering).  But it helps to think of the
 147 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 148 * a bulk-out request pointer (since the buffer can be used for both
 149 * output and input -- directions always are given from the host's
 150 * point of view) as well as a pointer to the buffer and various state
 151 * variables.
 152 *
 153 * Use of the pipeline follows a simple protocol.  There is a variable
 154 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 155 * At any time that buffer head may still be in use from an earlier
 156 * request, so each buffer head has a state variable indicating whether
 157 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 158 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 159 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 160 * head FULL when the I/O is complete.  Then the buffer will be emptied
 161 * (again possibly by USB I/O, during which it is marked BUSY) and
 162 * finally marked EMPTY again (possibly by a completion routine).
 163 *
 164 * A module parameter tells the driver to avoid stalling the bulk
 165 * endpoints wherever the transport specification allows.  This is
 166 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 167 * halt on a bulk endpoint.  However, under certain circumstances the
 168 * Bulk-only specification requires a stall.  In such cases the driver
 169 * will halt the endpoint and set a flag indicating that it should clear
 170 * the halt in software during the next device reset.  Hopefully this
 171 * will permit everything to work correctly.  Furthermore, although the
 172 * specification allows the bulk-out endpoint to halt when the host sends
 173 * too much data, implementing this would cause an unavoidable race.
 174 * The driver will always use the "no-stall" approach for OUT transfers.
 175 *
 176 * One subtle point concerns sending status-stage responses for ep0
 177 * requests.  Some of these requests, such as device reset, can involve
 178 * interrupting an ongoing file I/O operation, which might take an
 179 * arbitrarily long time.  During that delay the host might give up on
 180 * the original ep0 request and issue a new one.  When that happens the
 181 * driver should not notify the host about completion of the original
 182 * request, as the host will no longer be waiting for it.  So the driver
 183 * assigns to each ep0 request a unique tag, and it keeps track of the
 184 * tag value of the request associated with a long-running exception
 185 * (device-reset, interface-change, or configuration-change).  When the
 186 * exception handler is finished, the status-stage response is submitted
 187 * only if the current ep0 request tag is equal to the exception request
 188 * tag.  Thus only the most recently received ep0 request will get a
 189 * status-stage response.
 190 *
 191 * Warning: This driver source file is too long.  It ought to be split up
 192 * into a header file plus about 3 separate .c files, to handle the details
 193 * of the Gadget, USB Mass Storage, and SCSI protocols.
 194 */
 195
 196
 197/* #define VERBOSE_DEBUG */
 198/* #define DUMP_MSGS */
 199
 200#include <linux/blkdev.h>
 201#include <linux/completion.h>
 202#include <linux/dcache.h>
 203#include <linux/delay.h>
 204#include <linux/device.h>
 205#include <linux/fcntl.h>
 206#include <linux/file.h>
 207#include <linux/fs.h>
 208#include <linux/kref.h>
 209#include <linux/kthread.h>
 210#include <linux/limits.h>
 211#include <linux/rwsem.h>
 212#include <linux/slab.h>
 213#include <linux/spinlock.h>
 214#include <linux/string.h>
 215#include <linux/freezer.h>
 216
 217#include <linux/usb/ch9.h>
 218#include <linux/usb/gadget.h>
 219#include <linux/usb/composite.h>
 220
 221#include "gadget_chips.h"
 222
 223
 224/*------------------------------------------------------------------------*/
 225
 226#define FSG_DRIVER_DESC         "Mass Storage Function"
 227#define FSG_DRIVER_VERSION      "2009/09/11"
 228
 229static const char fsg_string_interface[] = "Mass Storage";
 230
 231#include "storage_common.c"
 232
 233
 234/*-------------------------------------------------------------------------*/
 235
 236struct fsg_dev;
 237struct fsg_common;
 238
 239/* FSF callback functions */
 240struct fsg_operations {
 241        /*
 242         * Callback function to call when thread exits.  If no
 243         * callback is set or it returns value lower then zero MSF
 244         * will force eject all LUNs it operates on (including those
 245         * marked as non-removable or with prevent_medium_removal flag
 246         * set).
 247         */
 248        int (*thread_exits)(struct fsg_common *common);
 249};
 250
 251/* Data shared by all the FSG instances. */
 252struct fsg_common {
 253        struct usb_gadget       *gadget;
 254        struct usb_composite_dev *cdev;
 255        struct fsg_dev          *fsg, *new_fsg;
 256        wait_queue_head_t       fsg_wait;
 257
 258        /* filesem protects: backing files in use */
 259        struct rw_semaphore     filesem;
 260
 261        /* lock protects: state, all the req_busy's */
 262        spinlock_t              lock;
 263
 264        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 265        struct usb_request      *ep0req;        /* Copy of cdev->req */
 266        unsigned int            ep0_req_tag;
 267
 268        struct fsg_buffhd       *next_buffhd_to_fill;
 269        struct fsg_buffhd       *next_buffhd_to_drain;
 270        struct fsg_buffhd       *buffhds;
 271
 272        int                     cmnd_size;
 273        u8                      cmnd[MAX_COMMAND_SIZE];
 274
 275        unsigned int            nluns;
 276        unsigned int            lun;
 277        struct fsg_lun          *luns;
 278        struct fsg_lun          *curlun;
 279
 280        unsigned int            bulk_out_maxpacket;
 281        enum fsg_state          state;          /* For exception handling */
 282        unsigned int            exception_req_tag;
 283
 284        enum data_direction     data_dir;
 285        u32                     data_size;
 286        u32                     data_size_from_cmnd;
 287        u32                     tag;
 288        u32                     residue;
 289        u32                     usb_amount_left;
 290
 291        unsigned int            can_stall:1;
 292        unsigned int            free_storage_on_release:1;
 293        unsigned int            phase_error:1;
 294        unsigned int            short_packet_received:1;
 295        unsigned int            bad_lun_okay:1;
 296        unsigned int            running:1;
 297
 298        int                     thread_wakeup_needed;
 299        struct completion       thread_notifier;
 300        struct task_struct      *thread_task;
 301
 302        /* Callback functions. */
 303        const struct fsg_operations     *ops;
 304        /* Gadget's private data. */
 305        void                    *private_data;
 306
 307        /*
 308         * Vendor (8 chars), product (16 chars), release (4
 309         * hexadecimal digits) and NUL byte
 310         */
 311        char inquiry_string[8 + 16 + 4 + 1];
 312
 313        struct kref             ref;
 314};
 315
 316struct fsg_config {
 317        unsigned nluns;
 318        struct fsg_lun_config {
 319                const char *filename;
 320                char ro;
 321                char removable;
 322                char cdrom;
 323                char nofua;
 324        } luns[FSG_MAX_LUNS];
 325
 326        /* Callback functions. */
 327        const struct fsg_operations     *ops;
 328        /* Gadget's private data. */
 329        void                    *private_data;
 330
 331        const char *vendor_name;                /*  8 characters or less */
 332        const char *product_name;               /* 16 characters or less */
 333
 334        char                    can_stall;
 335};
 336
 337struct fsg_dev {
 338        struct usb_function     function;
 339        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 340        struct fsg_common       *common;
 341
 342        u16                     interface_number;
 343
 344        unsigned int            bulk_in_enabled:1;
 345        unsigned int            bulk_out_enabled:1;
 346
 347        unsigned long           atomic_bitflags;
 348#define IGNORE_BULK_OUT         0
 349
 350        struct usb_ep           *bulk_in;
 351        struct usb_ep           *bulk_out;
 352};
 353
 354static inline int __fsg_is_set(struct fsg_common *common,
 355                               const char *func, unsigned line)
 356{
 357        if (common->fsg)
 358                return 1;
 359        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 360        WARN_ON(1);
 361        return 0;
 362}
 363
 364#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 365
 366static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 367{
 368        return container_of(f, struct fsg_dev, function);
 369}
 370
 371typedef void (*fsg_routine_t)(struct fsg_dev *);
 372
 373static int exception_in_progress(struct fsg_common *common)
 374{
 375        return common->state > FSG_STATE_IDLE;
 376}
 377
 378/* Make bulk-out requests be divisible by the maxpacket size */
 379static void set_bulk_out_req_length(struct fsg_common *common,
 380                                    struct fsg_buffhd *bh, unsigned int length)
 381{
 382        unsigned int    rem;
 383
 384        bh->bulk_out_intended_length = length;
 385        rem = length % common->bulk_out_maxpacket;
 386        if (rem > 0)
 387                length += common->bulk_out_maxpacket - rem;
 388        bh->outreq->length = length;
 389}
 390
 391
 392/*-------------------------------------------------------------------------*/
 393
 394static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 395{
 396        const char      *name;
 397
 398        if (ep == fsg->bulk_in)
 399                name = "bulk-in";
 400        else if (ep == fsg->bulk_out)
 401                name = "bulk-out";
 402        else
 403                name = ep->name;
 404        DBG(fsg, "%s set halt\n", name);
 405        return usb_ep_set_halt(ep);
 406}
 407
 408
 409/*-------------------------------------------------------------------------*/
 410
 411/* These routines may be called in process context or in_irq */
 412
 413/* Caller must hold fsg->lock */
 414static void wakeup_thread(struct fsg_common *common)
 415{
 416        smp_wmb();      /* ensure the write of bh->state is complete */
 417        /* Tell the main thread that something has happened */
 418        common->thread_wakeup_needed = 1;
 419        if (common->thread_task)
 420                wake_up_process(common->thread_task);
 421}
 422
 423static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 424{
 425        unsigned long           flags;
 426
 427        /*
 428         * Do nothing if a higher-priority exception is already in progress.
 429         * If a lower-or-equal priority exception is in progress, preempt it
 430         * and notify the main thread by sending it a signal.
 431         */
 432        spin_lock_irqsave(&common->lock, flags);
 433        if (common->state <= new_state) {
 434                common->exception_req_tag = common->ep0_req_tag;
 435                common->state = new_state;
 436                if (common->thread_task)
 437                        send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 438                                      common->thread_task);
 439        }
 440        spin_unlock_irqrestore(&common->lock, flags);
 441}
 442
 443
 444/*-------------------------------------------------------------------------*/
 445
 446static int ep0_queue(struct fsg_common *common)
 447{
 448        int     rc;
 449
 450        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 451        common->ep0->driver_data = common;
 452        if (rc != 0 && rc != -ESHUTDOWN) {
 453                /* We can't do much more than wait for a reset */
 454                WARNING(common, "error in submission: %s --> %d\n",
 455                        common->ep0->name, rc);
 456        }
 457        return rc;
 458}
 459
 460
 461/*-------------------------------------------------------------------------*/
 462
 463/* Completion handlers. These always run in_irq. */
 464
 465static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 466{
 467        struct fsg_common       *common = ep->driver_data;
 468        struct fsg_buffhd       *bh = req->context;
 469
 470        if (req->status || req->actual != req->length)
 471                DBG(common, "%s --> %d, %u/%u\n", __func__,
 472                    req->status, req->actual, req->length);
 473        if (req->status == -ECONNRESET)         /* Request was cancelled */
 474                usb_ep_fifo_flush(ep);
 475
 476        /* Hold the lock while we update the request and buffer states */
 477        smp_wmb();
 478        spin_lock(&common->lock);
 479        bh->inreq_busy = 0;
 480        bh->state = BUF_STATE_EMPTY;
 481        wakeup_thread(common);
 482        spin_unlock(&common->lock);
 483}
 484
 485static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 486{
 487        struct fsg_common       *common = ep->driver_data;
 488        struct fsg_buffhd       *bh = req->context;
 489
 490        dump_msg(common, "bulk-out", req->buf, req->actual);
 491        if (req->status || req->actual != bh->bulk_out_intended_length)
 492                DBG(common, "%s --> %d, %u/%u\n", __func__,
 493                    req->status, req->actual, bh->bulk_out_intended_length);
 494        if (req->status == -ECONNRESET)         /* Request was cancelled */
 495                usb_ep_fifo_flush(ep);
 496
 497        /* Hold the lock while we update the request and buffer states */
 498        smp_wmb();
 499        spin_lock(&common->lock);
 500        bh->outreq_busy = 0;
 501        bh->state = BUF_STATE_FULL;
 502        wakeup_thread(common);
 503        spin_unlock(&common->lock);
 504}
 505
 506static int fsg_setup(struct usb_function *f,
 507                     const struct usb_ctrlrequest *ctrl)
 508{
 509        struct fsg_dev          *fsg = fsg_from_func(f);
 510        struct usb_request      *req = fsg->common->ep0req;
 511        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 512        u16                     w_value = le16_to_cpu(ctrl->wValue);
 513        u16                     w_length = le16_to_cpu(ctrl->wLength);
 514
 515        if (!fsg_is_set(fsg->common))
 516                return -EOPNOTSUPP;
 517
 518        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 519        req->context = NULL;
 520        req->length = 0;
 521        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 522
 523        switch (ctrl->bRequest) {
 524
 525        case US_BULK_RESET_REQUEST:
 526                if (ctrl->bRequestType !=
 527                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 528                        break;
 529                if (w_index != fsg->interface_number || w_value != 0 ||
 530                                w_length != 0)
 531                        return -EDOM;
 532
 533                /*
 534                 * Raise an exception to stop the current operation
 535                 * and reinitialize our state.
 536                 */
 537                DBG(fsg, "bulk reset request\n");
 538                raise_exception(fsg->common, FSG_STATE_RESET);
 539                return DELAYED_STATUS;
 540
 541        case US_BULK_GET_MAX_LUN:
 542                if (ctrl->bRequestType !=
 543                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 544                        break;
 545                if (w_index != fsg->interface_number || w_value != 0 ||
 546                                w_length != 1)
 547                        return -EDOM;
 548                VDBG(fsg, "get max LUN\n");
 549                *(u8 *)req->buf = fsg->common->nluns - 1;
 550
 551                /* Respond with data/status */
 552                req->length = min((u16)1, w_length);
 553                return ep0_queue(fsg->common);
 554        }
 555
 556        VDBG(fsg,
 557             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 558             ctrl->bRequestType, ctrl->bRequest,
 559             le16_to_cpu(ctrl->wValue), w_index, w_length);
 560        return -EOPNOTSUPP;
 561}
 562
 563
 564/*-------------------------------------------------------------------------*/
 565
 566/* All the following routines run in process context */
 567
 568/* Use this for bulk or interrupt transfers, not ep0 */
 569static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 570                           struct usb_request *req, int *pbusy,
 571                           enum fsg_buffer_state *state)
 572{
 573        int     rc;
 574
 575        if (ep == fsg->bulk_in)
 576                dump_msg(fsg, "bulk-in", req->buf, req->length);
 577
 578        spin_lock_irq(&fsg->common->lock);
 579        *pbusy = 1;
 580        *state = BUF_STATE_BUSY;
 581        spin_unlock_irq(&fsg->common->lock);
 582        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 583        if (rc != 0) {
 584                *pbusy = 0;
 585                *state = BUF_STATE_EMPTY;
 586
 587                /* We can't do much more than wait for a reset */
 588
 589                /*
 590                 * Note: currently the net2280 driver fails zero-length
 591                 * submissions if DMA is enabled.
 592                 */
 593                if (rc != -ESHUTDOWN &&
 594                    !(rc == -EOPNOTSUPP && req->length == 0))
 595                        WARNING(fsg, "error in submission: %s --> %d\n",
 596                                ep->name, rc);
 597        }
 598}
 599
 600static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 601{
 602        if (!fsg_is_set(common))
 603                return false;
 604        start_transfer(common->fsg, common->fsg->bulk_in,
 605                       bh->inreq, &bh->inreq_busy, &bh->state);
 606        return true;
 607}
 608
 609static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 610{
 611        if (!fsg_is_set(common))
 612                return false;
 613        start_transfer(common->fsg, common->fsg->bulk_out,
 614                       bh->outreq, &bh->outreq_busy, &bh->state);
 615        return true;
 616}
 617
 618static int sleep_thread(struct fsg_common *common)
 619{
 620        int     rc = 0;
 621
 622        /* Wait until a signal arrives or we are woken up */
 623        for (;;) {
 624                try_to_freeze();
 625                set_current_state(TASK_INTERRUPTIBLE);
 626                if (signal_pending(current)) {
 627                        rc = -EINTR;
 628                        break;
 629                }
 630                if (common->thread_wakeup_needed)
 631                        break;
 632                schedule();
 633        }
 634        __set_current_state(TASK_RUNNING);
 635        common->thread_wakeup_needed = 0;
 636        smp_rmb();      /* ensure the latest bh->state is visible */
 637        return rc;
 638}
 639
 640
 641/*-------------------------------------------------------------------------*/
 642
 643static int do_read(struct fsg_common *common)
 644{
 645        struct fsg_lun          *curlun = common->curlun;
 646        u32                     lba;
 647        struct fsg_buffhd       *bh;
 648        int                     rc;
 649        u32                     amount_left;
 650        loff_t                  file_offset, file_offset_tmp;
 651        unsigned int            amount;
 652        ssize_t                 nread;
 653
 654        /*
 655         * Get the starting Logical Block Address and check that it's
 656         * not too big.
 657         */
 658        if (common->cmnd[0] == READ_6)
 659                lba = get_unaligned_be24(&common->cmnd[1]);
 660        else {
 661                lba = get_unaligned_be32(&common->cmnd[2]);
 662
 663                /*
 664                 * We allow DPO (Disable Page Out = don't save data in the
 665                 * cache) and FUA (Force Unit Access = don't read from the
 666                 * cache), but we don't implement them.
 667                 */
 668                if ((common->cmnd[1] & ~0x18) != 0) {
 669                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 670                        return -EINVAL;
 671                }
 672        }
 673        if (lba >= curlun->num_sectors) {
 674                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 675                return -EINVAL;
 676        }
 677        file_offset = ((loff_t) lba) << curlun->blkbits;
 678
 679        /* Carry out the file reads */
 680        amount_left = common->data_size_from_cmnd;
 681        if (unlikely(amount_left == 0))
 682                return -EIO;            /* No default reply */
 683
 684        for (;;) {
 685                /*
 686                 * Figure out how much we need to read:
 687                 * Try to read the remaining amount.
 688                 * But don't read more than the buffer size.
 689                 * And don't try to read past the end of the file.
 690                 */
 691                amount = min(amount_left, FSG_BUFLEN);
 692                amount = min((loff_t)amount,
 693                             curlun->file_length - file_offset);
 694
 695                /* Wait for the next buffer to become available */
 696                bh = common->next_buffhd_to_fill;
 697                while (bh->state != BUF_STATE_EMPTY) {
 698                        rc = sleep_thread(common);
 699                        if (rc)
 700                                return rc;
 701                }
 702
 703                /*
 704                 * If we were asked to read past the end of file,
 705                 * end with an empty buffer.
 706                 */
 707                if (amount == 0) {
 708                        curlun->sense_data =
 709                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 710                        curlun->sense_data_info =
 711                                        file_offset >> curlun->blkbits;
 712                        curlun->info_valid = 1;
 713                        bh->inreq->length = 0;
 714                        bh->state = BUF_STATE_FULL;
 715                        break;
 716                }
 717
 718                /* Perform the read */
 719                file_offset_tmp = file_offset;
 720                nread = vfs_read(curlun->filp,
 721                                 (char __user *)bh->buf,
 722                                 amount, &file_offset_tmp);
 723                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 724                      (unsigned long long)file_offset, (int)nread);
 725                if (signal_pending(current))
 726                        return -EINTR;
 727
 728                if (nread < 0) {
 729                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 730                        nread = 0;
 731                } else if (nread < amount) {
 732                        LDBG(curlun, "partial file read: %d/%u\n",
 733                             (int)nread, amount);
 734                        nread = round_down(nread, curlun->blksize);
 735                }
 736                file_offset  += nread;
 737                amount_left  -= nread;
 738                common->residue -= nread;
 739
 740                /*
 741                 * Except at the end of the transfer, nread will be
 742                 * equal to the buffer size, which is divisible by the
 743                 * bulk-in maxpacket size.
 744                 */
 745                bh->inreq->length = nread;
 746                bh->state = BUF_STATE_FULL;
 747
 748                /* If an error occurred, report it and its position */
 749                if (nread < amount) {
 750                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 751                        curlun->sense_data_info =
 752                                        file_offset >> curlun->blkbits;
 753                        curlun->info_valid = 1;
 754                        break;
 755                }
 756
 757                if (amount_left == 0)
 758                        break;          /* No more left to read */
 759
 760                /* Send this buffer and go read some more */
 761                bh->inreq->zero = 0;
 762                if (!start_in_transfer(common, bh))
 763                        /* Don't know what to do if common->fsg is NULL */
 764                        return -EIO;
 765                common->next_buffhd_to_fill = bh->next;
 766        }
 767
 768        return -EIO;            /* No default reply */
 769}
 770
 771
 772/*-------------------------------------------------------------------------*/
 773
 774static int do_write(struct fsg_common *common)
 775{
 776        struct fsg_lun          *curlun = common->curlun;
 777        u32                     lba;
 778        struct fsg_buffhd       *bh;
 779        int                     get_some_more;
 780        u32                     amount_left_to_req, amount_left_to_write;
 781        loff_t                  usb_offset, file_offset, file_offset_tmp;
 782        unsigned int            amount;
 783        ssize_t                 nwritten;
 784        int                     rc;
 785
 786        if (curlun->ro) {
 787                curlun->sense_data = SS_WRITE_PROTECTED;
 788                return -EINVAL;
 789        }
 790        spin_lock(&curlun->filp->f_lock);
 791        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 792        spin_unlock(&curlun->filp->f_lock);
 793
 794        /*
 795         * Get the starting Logical Block Address and check that it's
 796         * not too big
 797         */
 798        if (common->cmnd[0] == WRITE_6)
 799                lba = get_unaligned_be24(&common->cmnd[1]);
 800        else {
 801                lba = get_unaligned_be32(&common->cmnd[2]);
 802
 803                /*
 804                 * We allow DPO (Disable Page Out = don't save data in the
 805                 * cache) and FUA (Force Unit Access = write directly to the
 806                 * medium).  We don't implement DPO; we implement FUA by
 807                 * performing synchronous output.
 808                 */
 809                if (common->cmnd[1] & ~0x18) {
 810                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 811                        return -EINVAL;
 812                }
 813                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 814                        spin_lock(&curlun->filp->f_lock);
 815                        curlun->filp->f_flags |= O_SYNC;
 816                        spin_unlock(&curlun->filp->f_lock);
 817                }
 818        }
 819        if (lba >= curlun->num_sectors) {
 820                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 821                return -EINVAL;
 822        }
 823
 824        /* Carry out the file writes */
 825        get_some_more = 1;
 826        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 827        amount_left_to_req = common->data_size_from_cmnd;
 828        amount_left_to_write = common->data_size_from_cmnd;
 829
 830        while (amount_left_to_write > 0) {
 831
 832                /* Queue a request for more data from the host */
 833                bh = common->next_buffhd_to_fill;
 834                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 835
 836                        /*
 837                         * Figure out how much we want to get:
 838                         * Try to get the remaining amount,
 839                         * but not more than the buffer size.
 840                         */
 841                        amount = min(amount_left_to_req, FSG_BUFLEN);
 842
 843                        /* Beyond the end of the backing file? */
 844                        if (usb_offset >= curlun->file_length) {
 845                                get_some_more = 0;
 846                                curlun->sense_data =
 847                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 848                                curlun->sense_data_info =
 849                                        usb_offset >> curlun->blkbits;
 850                                curlun->info_valid = 1;
 851                                continue;
 852                        }
 853
 854                        /* Get the next buffer */
 855                        usb_offset += amount;
 856                        common->usb_amount_left -= amount;
 857                        amount_left_to_req -= amount;
 858                        if (amount_left_to_req == 0)
 859                                get_some_more = 0;
 860
 861                        /*
 862                         * Except at the end of the transfer, amount will be
 863                         * equal to the buffer size, which is divisible by
 864                         * the bulk-out maxpacket size.
 865                         */
 866                        set_bulk_out_req_length(common, bh, amount);
 867                        if (!start_out_transfer(common, bh))
 868                                /* Dunno what to do if common->fsg is NULL */
 869                                return -EIO;
 870                        common->next_buffhd_to_fill = bh->next;
 871                        continue;
 872                }
 873
 874                /* Write the received data to the backing file */
 875                bh = common->next_buffhd_to_drain;
 876                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 877                        break;                  /* We stopped early */
 878                if (bh->state == BUF_STATE_FULL) {
 879                        smp_rmb();
 880                        common->next_buffhd_to_drain = bh->next;
 881                        bh->state = BUF_STATE_EMPTY;
 882
 883                        /* Did something go wrong with the transfer? */
 884                        if (bh->outreq->status != 0) {
 885                                curlun->sense_data = SS_COMMUNICATION_FAILURE;
 886                                curlun->sense_data_info =
 887                                        file_offset >> curlun->blkbits;
 888                                curlun->info_valid = 1;
 889                                break;
 890                        }
 891
 892                        amount = bh->outreq->actual;
 893                        if (curlun->file_length - file_offset < amount) {
 894                                LERROR(curlun,
 895                                       "write %u @ %llu beyond end %llu\n",
 896                                       amount, (unsigned long long)file_offset,
 897                                       (unsigned long long)curlun->file_length);
 898                                amount = curlun->file_length - file_offset;
 899                        }
 900
 901                        /* Don't accept excess data.  The spec doesn't say
 902                         * what to do in this case.  We'll ignore the error.
 903                         */
 904                        amount = min(amount, bh->bulk_out_intended_length);
 905
 906                        /* Don't write a partial block */
 907                        amount = round_down(amount, curlun->blksize);
 908                        if (amount == 0)
 909                                goto empty_write;
 910
 911                        /* Perform the write */
 912                        file_offset_tmp = file_offset;
 913                        nwritten = vfs_write(curlun->filp,
 914                                             (char __user *)bh->buf,
 915                                             amount, &file_offset_tmp);
 916                        VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 917                              (unsigned long long)file_offset, (int)nwritten);
 918                        if (signal_pending(current))
 919                                return -EINTR;          /* Interrupted! */
 920
 921                        if (nwritten < 0) {
 922                                LDBG(curlun, "error in file write: %d\n",
 923                                     (int)nwritten);
 924                                nwritten = 0;
 925                        } else if (nwritten < amount) {
 926                                LDBG(curlun, "partial file write: %d/%u\n",
 927                                     (int)nwritten, amount);
 928                                nwritten = round_down(nwritten, curlun->blksize);
 929                        }
 930                        file_offset += nwritten;
 931                        amount_left_to_write -= nwritten;
 932                        common->residue -= nwritten;
 933
 934                        /* If an error occurred, report it and its position */
 935                        if (nwritten < amount) {
 936                                curlun->sense_data = SS_WRITE_ERROR;
 937                                curlun->sense_data_info =
 938                                        file_offset >> curlun->blkbits;
 939                                curlun->info_valid = 1;
 940                                break;
 941                        }
 942
 943 empty_write:
 944                        /* Did the host decide to stop early? */
 945                        if (bh->outreq->actual < bh->bulk_out_intended_length) {
 946                                common->short_packet_received = 1;
 947                                break;
 948                        }
 949                        continue;
 950                }
 951
 952                /* Wait for something to happen */
 953                rc = sleep_thread(common);
 954                if (rc)
 955                        return rc;
 956        }
 957
 958        return -EIO;            /* No default reply */
 959}
 960
 961
 962/*-------------------------------------------------------------------------*/
 963
 964static int do_synchronize_cache(struct fsg_common *common)
 965{
 966        struct fsg_lun  *curlun = common->curlun;
 967        int             rc;
 968
 969        /* We ignore the requested LBA and write out all file's
 970         * dirty data buffers. */
 971        rc = fsg_lun_fsync_sub(curlun);
 972        if (rc)
 973                curlun->sense_data = SS_WRITE_ERROR;
 974        return 0;
 975}
 976
 977
 978/*-------------------------------------------------------------------------*/
 979
 980static void invalidate_sub(struct fsg_lun *curlun)
 981{
 982        struct file     *filp = curlun->filp;
 983        struct inode    *inode = file_inode(filp);
 984        unsigned long   rc;
 985
 986        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 987        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 988}
 989
 990static int do_verify(struct fsg_common *common)
 991{
 992        struct fsg_lun          *curlun = common->curlun;
 993        u32                     lba;
 994        u32                     verification_length;
 995        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 996        loff_t                  file_offset, file_offset_tmp;
 997        u32                     amount_left;
 998        unsigned int            amount;
 999        ssize_t                 nread;
1000
1001        /*
1002         * Get the starting Logical Block Address and check that it's
1003         * not too big.
1004         */
1005        lba = get_unaligned_be32(&common->cmnd[2]);
1006        if (lba >= curlun->num_sectors) {
1007                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1008                return -EINVAL;
1009        }
1010
1011        /*
1012         * We allow DPO (Disable Page Out = don't save data in the
1013         * cache) but we don't implement it.
1014         */
1015        if (common->cmnd[1] & ~0x10) {
1016                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1017                return -EINVAL;
1018        }
1019
1020        verification_length = get_unaligned_be16(&common->cmnd[7]);
1021        if (unlikely(verification_length == 0))
1022                return -EIO;            /* No default reply */
1023
1024        /* Prepare to carry out the file verify */
1025        amount_left = verification_length << curlun->blkbits;
1026        file_offset = ((loff_t) lba) << curlun->blkbits;
1027
1028        /* Write out all the dirty buffers before invalidating them */
1029        fsg_lun_fsync_sub(curlun);
1030        if (signal_pending(current))
1031                return -EINTR;
1032
1033        invalidate_sub(curlun);
1034        if (signal_pending(current))
1035                return -EINTR;
1036
1037        /* Just try to read the requested blocks */
1038        while (amount_left > 0) {
1039                /*
1040                 * Figure out how much we need to read:
1041                 * Try to read the remaining amount, but not more than
1042                 * the buffer size.
1043                 * And don't try to read past the end of the file.
1044                 */
1045                amount = min(amount_left, FSG_BUFLEN);
1046                amount = min((loff_t)amount,
1047                             curlun->file_length - file_offset);
1048                if (amount == 0) {
1049                        curlun->sense_data =
1050                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1051                        curlun->sense_data_info =
1052                                file_offset >> curlun->blkbits;
1053                        curlun->info_valid = 1;
1054                        break;
1055                }
1056
1057                /* Perform the read */
1058                file_offset_tmp = file_offset;
1059                nread = vfs_read(curlun->filp,
1060                                (char __user *) bh->buf,
1061                                amount, &file_offset_tmp);
1062                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1063                                (unsigned long long) file_offset,
1064                                (int) nread);
1065                if (signal_pending(current))
1066                        return -EINTR;
1067
1068                if (nread < 0) {
1069                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1070                        nread = 0;
1071                } else if (nread < amount) {
1072                        LDBG(curlun, "partial file verify: %d/%u\n",
1073                             (int)nread, amount);
1074                        nread = round_down(nread, curlun->blksize);
1075                }
1076                if (nread == 0) {
1077                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1078                        curlun->sense_data_info =
1079                                file_offset >> curlun->blkbits;
1080                        curlun->info_valid = 1;
1081                        break;
1082                }
1083                file_offset += nread;
1084                amount_left -= nread;
1085        }
1086        return 0;
1087}
1088
1089
1090/*-------------------------------------------------------------------------*/
1091
1092static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1093{
1094        struct fsg_lun *curlun = common->curlun;
1095        u8      *buf = (u8 *) bh->buf;
1096
1097        if (!curlun) {          /* Unsupported LUNs are okay */
1098                common->bad_lun_okay = 1;
1099                memset(buf, 0, 36);
1100                buf[0] = 0x7f;          /* Unsupported, no device-type */
1101                buf[4] = 31;            /* Additional length */
1102                return 36;
1103        }
1104
1105        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1106        buf[1] = curlun->removable ? 0x80 : 0;
1107        buf[2] = 2;             /* ANSI SCSI level 2 */
1108        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1109        buf[4] = 31;            /* Additional length */
1110        buf[5] = 0;             /* No special options */
1111        buf[6] = 0;
1112        buf[7] = 0;
1113        memcpy(buf + 8, common->inquiry_string, sizeof common->inquiry_string);
1114        return 36;
1115}
1116
1117static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1118{
1119        struct fsg_lun  *curlun = common->curlun;
1120        u8              *buf = (u8 *) bh->buf;
1121        u32             sd, sdinfo;
1122        int             valid;
1123
1124        /*
1125         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1126         *
1127         * If a REQUEST SENSE command is received from an initiator
1128         * with a pending unit attention condition (before the target
1129         * generates the contingent allegiance condition), then the
1130         * target shall either:
1131         *   a) report any pending sense data and preserve the unit
1132         *      attention condition on the logical unit, or,
1133         *   b) report the unit attention condition, may discard any
1134         *      pending sense data, and clear the unit attention
1135         *      condition on the logical unit for that initiator.
1136         *
1137         * FSG normally uses option a); enable this code to use option b).
1138         */
1139#if 0
1140        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1141                curlun->sense_data = curlun->unit_attention_data;
1142                curlun->unit_attention_data = SS_NO_SENSE;
1143        }
1144#endif
1145
1146        if (!curlun) {          /* Unsupported LUNs are okay */
1147                common->bad_lun_okay = 1;
1148                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1149                sdinfo = 0;
1150                valid = 0;
1151        } else {
1152                sd = curlun->sense_data;
1153                sdinfo = curlun->sense_data_info;
1154                valid = curlun->info_valid << 7;
1155                curlun->sense_data = SS_NO_SENSE;
1156                curlun->sense_data_info = 0;
1157                curlun->info_valid = 0;
1158        }
1159
1160        memset(buf, 0, 18);
1161        buf[0] = valid | 0x70;                  /* Valid, current error */
1162        buf[2] = SK(sd);
1163        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1164        buf[7] = 18 - 8;                        /* Additional sense length */
1165        buf[12] = ASC(sd);
1166        buf[13] = ASCQ(sd);
1167        return 18;
1168}
1169
1170static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1171{
1172        struct fsg_lun  *curlun = common->curlun;
1173        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1174        int             pmi = common->cmnd[8];
1175        u8              *buf = (u8 *)bh->buf;
1176
1177        /* Check the PMI and LBA fields */
1178        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1179                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1180                return -EINVAL;
1181        }
1182
1183        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1184                                                /* Max logical block */
1185        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1186        return 8;
1187}
1188
1189static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1190{
1191        struct fsg_lun  *curlun = common->curlun;
1192        int             msf = common->cmnd[1] & 0x02;
1193        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1194        u8              *buf = (u8 *)bh->buf;
1195
1196        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1197                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1198                return -EINVAL;
1199        }
1200        if (lba >= curlun->num_sectors) {
1201                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1202                return -EINVAL;
1203        }
1204
1205        memset(buf, 0, 8);
1206        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1207        store_cdrom_address(&buf[4], msf, lba);
1208        return 8;
1209}
1210
1211static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1212{
1213        struct fsg_lun  *curlun = common->curlun;
1214        int             msf = common->cmnd[1] & 0x02;
1215        int             start_track = common->cmnd[6];
1216        u8              *buf = (u8 *)bh->buf;
1217
1218        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1219                        start_track > 1) {
1220                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1221                return -EINVAL;
1222        }
1223
1224        memset(buf, 0, 20);
1225        buf[1] = (20-2);                /* TOC data length */
1226        buf[2] = 1;                     /* First track number */
1227        buf[3] = 1;                     /* Last track number */
1228        buf[5] = 0x16;                  /* Data track, copying allowed */
1229        buf[6] = 0x01;                  /* Only track is number 1 */
1230        store_cdrom_address(&buf[8], msf, 0);
1231
1232        buf[13] = 0x16;                 /* Lead-out track is data */
1233        buf[14] = 0xAA;                 /* Lead-out track number */
1234        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1235        return 20;
1236}
1237
1238static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1239{
1240        struct fsg_lun  *curlun = common->curlun;
1241        int             mscmnd = common->cmnd[0];
1242        u8              *buf = (u8 *) bh->buf;
1243        u8              *buf0 = buf;
1244        int             pc, page_code;
1245        int             changeable_values, all_pages;
1246        int             valid_page = 0;
1247        int             len, limit;
1248
1249        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1250                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1251                return -EINVAL;
1252        }
1253        pc = common->cmnd[2] >> 6;
1254        page_code = common->cmnd[2] & 0x3f;
1255        if (pc == 3) {
1256                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1257                return -EINVAL;
1258        }
1259        changeable_values = (pc == 1);
1260        all_pages = (page_code == 0x3f);
1261
1262        /*
1263         * Write the mode parameter header.  Fixed values are: default
1264         * medium type, no cache control (DPOFUA), and no block descriptors.
1265         * The only variable value is the WriteProtect bit.  We will fill in
1266         * the mode data length later.
1267         */
1268        memset(buf, 0, 8);
1269        if (mscmnd == MODE_SENSE) {
1270                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1271                buf += 4;
1272                limit = 255;
1273        } else {                        /* MODE_SENSE_10 */
1274                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1275                buf += 8;
1276                limit = 65535;          /* Should really be FSG_BUFLEN */
1277        }
1278
1279        /* No block descriptors */
1280
1281        /*
1282         * The mode pages, in numerical order.  The only page we support
1283         * is the Caching page.
1284         */
1285        if (page_code == 0x08 || all_pages) {
1286                valid_page = 1;
1287                buf[0] = 0x08;          /* Page code */
1288                buf[1] = 10;            /* Page length */
1289                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1290
1291                if (!changeable_values) {
1292                        buf[2] = 0x04;  /* Write cache enable, */
1293                                        /* Read cache not disabled */
1294                                        /* No cache retention priorities */
1295                        put_unaligned_be16(0xffff, &buf[4]);
1296                                        /* Don't disable prefetch */
1297                                        /* Minimum prefetch = 0 */
1298                        put_unaligned_be16(0xffff, &buf[8]);
1299                                        /* Maximum prefetch */
1300                        put_unaligned_be16(0xffff, &buf[10]);
1301                                        /* Maximum prefetch ceiling */
1302                }
1303                buf += 12;
1304        }
1305
1306        /*
1307         * Check that a valid page was requested and the mode data length
1308         * isn't too long.
1309         */
1310        len = buf - buf0;
1311        if (!valid_page || len > limit) {
1312                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1313                return -EINVAL;
1314        }
1315
1316        /*  Store the mode data length */
1317        if (mscmnd == MODE_SENSE)
1318                buf0[0] = len - 1;
1319        else
1320                put_unaligned_be16(len - 2, buf0);
1321        return len;
1322}
1323
1324static int do_start_stop(struct fsg_common *common)
1325{
1326        struct fsg_lun  *curlun = common->curlun;
1327        int             loej, start;
1328
1329        if (!curlun) {
1330                return -EINVAL;
1331        } else if (!curlun->removable) {
1332                curlun->sense_data = SS_INVALID_COMMAND;
1333                return -EINVAL;
1334        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1335                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1336                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1337                return -EINVAL;
1338        }
1339
1340        loej  = common->cmnd[4] & 0x02;
1341        start = common->cmnd[4] & 0x01;
1342
1343        /*
1344         * Our emulation doesn't support mounting; the medium is
1345         * available for use as soon as it is loaded.
1346         */
1347        if (start) {
1348                if (!fsg_lun_is_open(curlun)) {
1349                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1350                        return -EINVAL;
1351                }
1352                return 0;
1353        }
1354
1355        /* Are we allowed to unload the media? */
1356        if (curlun->prevent_medium_removal) {
1357                LDBG(curlun, "unload attempt prevented\n");
1358                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1359                return -EINVAL;
1360        }
1361
1362        if (!loej)
1363                return 0;
1364
1365        up_read(&common->filesem);
1366        down_write(&common->filesem);
1367        fsg_lun_close(curlun);
1368        up_write(&common->filesem);
1369        down_read(&common->filesem);
1370
1371        return 0;
1372}
1373
1374static int do_prevent_allow(struct fsg_common *common)
1375{
1376        struct fsg_lun  *curlun = common->curlun;
1377        int             prevent;
1378
1379        if (!common->curlun) {
1380                return -EINVAL;
1381        } else if (!common->curlun->removable) {
1382                common->curlun->sense_data = SS_INVALID_COMMAND;
1383                return -EINVAL;
1384        }
1385
1386        prevent = common->cmnd[4] & 0x01;
1387        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1388                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1389                return -EINVAL;
1390        }
1391
1392        if (curlun->prevent_medium_removal && !prevent)
1393                fsg_lun_fsync_sub(curlun);
1394        curlun->prevent_medium_removal = prevent;
1395        return 0;
1396}
1397
1398static int do_read_format_capacities(struct fsg_common *common,
1399                        struct fsg_buffhd *bh)
1400{
1401        struct fsg_lun  *curlun = common->curlun;
1402        u8              *buf = (u8 *) bh->buf;
1403
1404        buf[0] = buf[1] = buf[2] = 0;
1405        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1406        buf += 4;
1407
1408        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1409                                                /* Number of blocks */
1410        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1411        buf[4] = 0x02;                          /* Current capacity */
1412        return 12;
1413}
1414
1415static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1416{
1417        struct fsg_lun  *curlun = common->curlun;
1418
1419        /* We don't support MODE SELECT */
1420        if (curlun)
1421                curlun->sense_data = SS_INVALID_COMMAND;
1422        return -EINVAL;
1423}
1424
1425
1426/*-------------------------------------------------------------------------*/
1427
1428static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1429{
1430        int     rc;
1431
1432        rc = fsg_set_halt(fsg, fsg->bulk_in);
1433        if (rc == -EAGAIN)
1434                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1435        while (rc != 0) {
1436                if (rc != -EAGAIN) {
1437                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1438                        rc = 0;
1439                        break;
1440                }
1441
1442                /* Wait for a short time and then try again */
1443                if (msleep_interruptible(100) != 0)
1444                        return -EINTR;
1445                rc = usb_ep_set_halt(fsg->bulk_in);
1446        }
1447        return rc;
1448}
1449
1450static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1451{
1452        int     rc;
1453
1454        DBG(fsg, "bulk-in set wedge\n");
1455        rc = usb_ep_set_wedge(fsg->bulk_in);
1456        if (rc == -EAGAIN)
1457                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1458        while (rc != 0) {
1459                if (rc != -EAGAIN) {
1460                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1461                        rc = 0;
1462                        break;
1463                }
1464
1465                /* Wait for a short time and then try again */
1466                if (msleep_interruptible(100) != 0)
1467                        return -EINTR;
1468                rc = usb_ep_set_wedge(fsg->bulk_in);
1469        }
1470        return rc;
1471}
1472
1473static int throw_away_data(struct fsg_common *common)
1474{
1475        struct fsg_buffhd       *bh;
1476        u32                     amount;
1477        int                     rc;
1478
1479        for (bh = common->next_buffhd_to_drain;
1480             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1481             bh = common->next_buffhd_to_drain) {
1482
1483                /* Throw away the data in a filled buffer */
1484                if (bh->state == BUF_STATE_FULL) {
1485                        smp_rmb();
1486                        bh->state = BUF_STATE_EMPTY;
1487                        common->next_buffhd_to_drain = bh->next;
1488
1489                        /* A short packet or an error ends everything */
1490                        if (bh->outreq->actual < bh->bulk_out_intended_length ||
1491                            bh->outreq->status != 0) {
1492                                raise_exception(common,
1493                                                FSG_STATE_ABORT_BULK_OUT);
1494                                return -EINTR;
1495                        }
1496                        continue;
1497                }
1498
1499                /* Try to submit another request if we need one */
1500                bh = common->next_buffhd_to_fill;
1501                if (bh->state == BUF_STATE_EMPTY
1502                 && common->usb_amount_left > 0) {
1503                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1504
1505                        /*
1506                         * Except at the end of the transfer, amount will be
1507                         * equal to the buffer size, which is divisible by
1508                         * the bulk-out maxpacket size.
1509                         */
1510                        set_bulk_out_req_length(common, bh, amount);
1511                        if (!start_out_transfer(common, bh))
1512                                /* Dunno what to do if common->fsg is NULL */
1513                                return -EIO;
1514                        common->next_buffhd_to_fill = bh->next;
1515                        common->usb_amount_left -= amount;
1516                        continue;
1517                }
1518
1519                /* Otherwise wait for something to happen */
1520                rc = sleep_thread(common);
1521                if (rc)
1522                        return rc;
1523        }
1524        return 0;
1525}
1526
1527static int finish_reply(struct fsg_common *common)
1528{
1529        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1530        int                     rc = 0;
1531
1532        switch (common->data_dir) {
1533        case DATA_DIR_NONE:
1534                break;                  /* Nothing to send */
1535
1536        /*
1537         * If we don't know whether the host wants to read or write,
1538         * this must be CB or CBI with an unknown command.  We mustn't
1539         * try to send or receive any data.  So stall both bulk pipes
1540         * if we can and wait for a reset.
1541         */
1542        case DATA_DIR_UNKNOWN:
1543                if (!common->can_stall) {
1544                        /* Nothing */
1545                } else if (fsg_is_set(common)) {
1546                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1547                        rc = halt_bulk_in_endpoint(common->fsg);
1548                } else {
1549                        /* Don't know what to do if common->fsg is NULL */
1550                        rc = -EIO;
1551                }
1552                break;
1553
1554        /* All but the last buffer of data must have already been sent */
1555        case DATA_DIR_TO_HOST:
1556                if (common->data_size == 0) {
1557                        /* Nothing to send */
1558
1559                /* Don't know what to do if common->fsg is NULL */
1560                } else if (!fsg_is_set(common)) {
1561                        rc = -EIO;
1562
1563                /* If there's no residue, simply send the last buffer */
1564                } else if (common->residue == 0) {
1565                        bh->inreq->zero = 0;
1566                        if (!start_in_transfer(common, bh))
1567                                return -EIO;
1568                        common->next_buffhd_to_fill = bh->next;
1569
1570                /*
1571                 * For Bulk-only, mark the end of the data with a short
1572                 * packet.  If we are allowed to stall, halt the bulk-in
1573                 * endpoint.  (Note: This violates the Bulk-Only Transport
1574                 * specification, which requires us to pad the data if we
1575                 * don't halt the endpoint.  Presumably nobody will mind.)
1576                 */
1577                } else {
1578                        bh->inreq->zero = 1;
1579                        if (!start_in_transfer(common, bh))
1580                                rc = -EIO;
1581                        common->next_buffhd_to_fill = bh->next;
1582                        if (common->can_stall)
1583                                rc = halt_bulk_in_endpoint(common->fsg);
1584                }
1585                break;
1586
1587        /*
1588         * We have processed all we want from the data the host has sent.
1589         * There may still be outstanding bulk-out requests.
1590         */
1591        case DATA_DIR_FROM_HOST:
1592                if (common->residue == 0) {
1593                        /* Nothing to receive */
1594
1595                /* Did the host stop sending unexpectedly early? */
1596                } else if (common->short_packet_received) {
1597                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1598                        rc = -EINTR;
1599
1600                /*
1601                 * We haven't processed all the incoming data.  Even though
1602                 * we may be allowed to stall, doing so would cause a race.
1603                 * The controller may already have ACK'ed all the remaining
1604                 * bulk-out packets, in which case the host wouldn't see a
1605                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1606                 * clear the halt -- leading to problems later on.
1607                 */
1608#if 0
1609                } else if (common->can_stall) {
1610                        if (fsg_is_set(common))
1611                                fsg_set_halt(common->fsg,
1612                                             common->fsg->bulk_out);
1613                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1614                        rc = -EINTR;
1615#endif
1616
1617                /*
1618                 * We can't stall.  Read in the excess data and throw it
1619                 * all away.
1620                 */
1621                } else {
1622                        rc = throw_away_data(common);
1623                }
1624                break;
1625        }
1626        return rc;
1627}
1628
1629static int send_status(struct fsg_common *common)
1630{
1631        struct fsg_lun          *curlun = common->curlun;
1632        struct fsg_buffhd       *bh;
1633        struct bulk_cs_wrap     *csw;
1634        int                     rc;
1635        u8                      status = US_BULK_STAT_OK;
1636        u32                     sd, sdinfo = 0;
1637
1638        /* Wait for the next buffer to become available */
1639        bh = common->next_buffhd_to_fill;
1640        while (bh->state != BUF_STATE_EMPTY) {
1641                rc = sleep_thread(common);
1642                if (rc)
1643                        return rc;
1644        }
1645
1646        if (curlun) {
1647                sd = curlun->sense_data;
1648                sdinfo = curlun->sense_data_info;
1649        } else if (common->bad_lun_okay)
1650                sd = SS_NO_SENSE;
1651        else
1652                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1653
1654        if (common->phase_error) {
1655                DBG(common, "sending phase-error status\n");
1656                status = US_BULK_STAT_PHASE;
1657                sd = SS_INVALID_COMMAND;
1658        } else if (sd != SS_NO_SENSE) {
1659                DBG(common, "sending command-failure status\n");
1660                status = US_BULK_STAT_FAIL;
1661                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1662                                "  info x%x\n",
1663                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1664        }
1665
1666        /* Store and send the Bulk-only CSW */
1667        csw = (void *)bh->buf;
1668
1669        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1670        csw->Tag = common->tag;
1671        csw->Residue = cpu_to_le32(common->residue);
1672        csw->Status = status;
1673
1674        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1675        bh->inreq->zero = 0;
1676        if (!start_in_transfer(common, bh))
1677                /* Don't know what to do if common->fsg is NULL */
1678                return -EIO;
1679
1680        common->next_buffhd_to_fill = bh->next;
1681        return 0;
1682}
1683
1684
1685/*-------------------------------------------------------------------------*/
1686
1687/*
1688 * Check whether the command is properly formed and whether its data size
1689 * and direction agree with the values we already have.
1690 */
1691static int check_command(struct fsg_common *common, int cmnd_size,
1692                         enum data_direction data_dir, unsigned int mask,
1693                         int needs_medium, const char *name)
1694{
1695        int                     i;
1696        unsigned int            lun = common->cmnd[1] >> 5;
1697        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1698        char                    hdlen[20];
1699        struct fsg_lun          *curlun;
1700
1701        hdlen[0] = 0;
1702        if (common->data_dir != DATA_DIR_UNKNOWN)
1703                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1704                        common->data_size);
1705        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1706             name, cmnd_size, dirletter[(int) data_dir],
1707             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1708
1709        /*
1710         * We can't reply at all until we know the correct data direction
1711         * and size.
1712         */
1713        if (common->data_size_from_cmnd == 0)
1714                data_dir = DATA_DIR_NONE;
1715        if (common->data_size < common->data_size_from_cmnd) {
1716                /*
1717                 * Host data size < Device data size is a phase error.
1718                 * Carry out the command, but only transfer as much as
1719                 * we are allowed.
1720                 */
1721                common->data_size_from_cmnd = common->data_size;
1722                common->phase_error = 1;
1723        }
1724        common->residue = common->data_size;
1725        common->usb_amount_left = common->data_size;
1726
1727        /* Conflicting data directions is a phase error */
1728        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1729                common->phase_error = 1;
1730                return -EINVAL;
1731        }
1732
1733        /* Verify the length of the command itself */
1734        if (cmnd_size != common->cmnd_size) {
1735
1736                /*
1737                 * Special case workaround: There are plenty of buggy SCSI
1738                 * implementations. Many have issues with cbw->Length
1739                 * field passing a wrong command size. For those cases we
1740                 * always try to work around the problem by using the length
1741                 * sent by the host side provided it is at least as large
1742                 * as the correct command length.
1743                 * Examples of such cases would be MS-Windows, which issues
1744                 * REQUEST SENSE with cbw->Length == 12 where it should
1745                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1746                 * REQUEST SENSE with cbw->Length == 10 where it should
1747                 * be 6 as well.
1748                 */
1749                if (cmnd_size <= common->cmnd_size) {
1750                        DBG(common, "%s is buggy! Expected length %d "
1751                            "but we got %d\n", name,
1752                            cmnd_size, common->cmnd_size);
1753                        cmnd_size = common->cmnd_size;
1754                } else {
1755                        common->phase_error = 1;
1756                        return -EINVAL;
1757                }
1758        }
1759
1760        /* Check that the LUN values are consistent */
1761        if (common->lun != lun)
1762                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1763                    common->lun, lun);
1764
1765        /* Check the LUN */
1766        curlun = common->curlun;
1767        if (curlun) {
1768                if (common->cmnd[0] != REQUEST_SENSE) {
1769                        curlun->sense_data = SS_NO_SENSE;
1770                        curlun->sense_data_info = 0;
1771                        curlun->info_valid = 0;
1772                }
1773        } else {
1774                common->bad_lun_okay = 0;
1775
1776                /*
1777                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1778                 * to use unsupported LUNs; all others may not.
1779                 */
1780                if (common->cmnd[0] != INQUIRY &&
1781                    common->cmnd[0] != REQUEST_SENSE) {
1782                        DBG(common, "unsupported LUN %u\n", common->lun);
1783                        return -EINVAL;
1784                }
1785        }
1786
1787        /*
1788         * If a unit attention condition exists, only INQUIRY and
1789         * REQUEST SENSE commands are allowed; anything else must fail.
1790         */
1791        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1792            common->cmnd[0] != INQUIRY &&
1793            common->cmnd[0] != REQUEST_SENSE) {
1794                curlun->sense_data = curlun->unit_attention_data;
1795                curlun->unit_attention_data = SS_NO_SENSE;
1796                return -EINVAL;
1797        }
1798
1799        /* Check that only command bytes listed in the mask are non-zero */
1800        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1801        for (i = 1; i < cmnd_size; ++i) {
1802                if (common->cmnd[i] && !(mask & (1 << i))) {
1803                        if (curlun)
1804                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1805                        return -EINVAL;
1806                }
1807        }
1808
1809        /* If the medium isn't mounted and the command needs to access
1810         * it, return an error. */
1811        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1812                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1813                return -EINVAL;
1814        }
1815
1816        return 0;
1817}
1818
1819/* wrapper of check_command for data size in blocks handling */
1820static int check_command_size_in_blocks(struct fsg_common *common,
1821                int cmnd_size, enum data_direction data_dir,
1822                unsigned int mask, int needs_medium, const char *name)
1823{
1824        if (common->curlun)
1825                common->data_size_from_cmnd <<= common->curlun->blkbits;
1826        return check_command(common, cmnd_size, data_dir,
1827                        mask, needs_medium, name);
1828}
1829
1830static int do_scsi_command(struct fsg_common *common)
1831{
1832        struct fsg_buffhd       *bh;
1833        int                     rc;
1834        int                     reply = -EINVAL;
1835        int                     i;
1836        static char             unknown[16];
1837
1838        dump_cdb(common);
1839
1840        /* Wait for the next buffer to become available for data or status */
1841        bh = common->next_buffhd_to_fill;
1842        common->next_buffhd_to_drain = bh;
1843        while (bh->state != BUF_STATE_EMPTY) {
1844                rc = sleep_thread(common);
1845                if (rc)
1846                        return rc;
1847        }
1848        common->phase_error = 0;
1849        common->short_packet_received = 0;
1850
1851        down_read(&common->filesem);    /* We're using the backing file */
1852        switch (common->cmnd[0]) {
1853
1854        case INQUIRY:
1855                common->data_size_from_cmnd = common->cmnd[4];
1856                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1857                                      (1<<4), 0,
1858                                      "INQUIRY");
1859                if (reply == 0)
1860                        reply = do_inquiry(common, bh);
1861                break;
1862
1863        case MODE_SELECT:
1864                common->data_size_from_cmnd = common->cmnd[4];
1865                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1866                                      (1<<1) | (1<<4), 0,
1867                                      "MODE SELECT(6)");
1868                if (reply == 0)
1869                        reply = do_mode_select(common, bh);
1870                break;
1871
1872        case MODE_SELECT_10:
1873                common->data_size_from_cmnd =
1874                        get_unaligned_be16(&common->cmnd[7]);
1875                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1876                                      (1<<1) | (3<<7), 0,
1877                                      "MODE SELECT(10)");
1878                if (reply == 0)
1879                        reply = do_mode_select(common, bh);
1880                break;
1881
1882        case MODE_SENSE:
1883                common->data_size_from_cmnd = common->cmnd[4];
1884                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1885                                      (1<<1) | (1<<2) | (1<<4), 0,
1886                                      "MODE SENSE(6)");
1887                if (reply == 0)
1888                        reply = do_mode_sense(common, bh);
1889                break;
1890
1891        case MODE_SENSE_10:
1892                common->data_size_from_cmnd =
1893                        get_unaligned_be16(&common->cmnd[7]);
1894                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1895                                      (1<<1) | (1<<2) | (3<<7), 0,
1896                                      "MODE SENSE(10)");
1897                if (reply == 0)
1898                        reply = do_mode_sense(common, bh);
1899                break;
1900
1901        case ALLOW_MEDIUM_REMOVAL:
1902                common->data_size_from_cmnd = 0;
1903                reply = check_command(common, 6, DATA_DIR_NONE,
1904                                      (1<<4), 0,
1905                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1906                if (reply == 0)
1907                        reply = do_prevent_allow(common);
1908                break;
1909
1910        case READ_6:
1911                i = common->cmnd[4];
1912                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1913                reply = check_command_size_in_blocks(common, 6,
1914                                      DATA_DIR_TO_HOST,
1915                                      (7<<1) | (1<<4), 1,
1916                                      "READ(6)");
1917                if (reply == 0)
1918                        reply = do_read(common);
1919                break;
1920
1921        case READ_10:
1922                common->data_size_from_cmnd =
1923                                get_unaligned_be16(&common->cmnd[7]);
1924                reply = check_command_size_in_blocks(common, 10,
1925                                      DATA_DIR_TO_HOST,
1926                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1927                                      "READ(10)");
1928                if (reply == 0)
1929                        reply = do_read(common);
1930                break;
1931
1932        case READ_12:
1933                common->data_size_from_cmnd =
1934                                get_unaligned_be32(&common->cmnd[6]);
1935                reply = check_command_size_in_blocks(common, 12,
1936                                      DATA_DIR_TO_HOST,
1937                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1938                                      "READ(12)");
1939                if (reply == 0)
1940                        reply = do_read(common);
1941                break;
1942
1943        case READ_CAPACITY:
1944                common->data_size_from_cmnd = 8;
1945                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1946                                      (0xf<<2) | (1<<8), 1,
1947                                      "READ CAPACITY");
1948                if (reply == 0)
1949                        reply = do_read_capacity(common, bh);
1950                break;
1951
1952        case READ_HEADER:
1953                if (!common->curlun || !common->curlun->cdrom)
1954                        goto unknown_cmnd;
1955                common->data_size_from_cmnd =
1956                        get_unaligned_be16(&common->cmnd[7]);
1957                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1958                                      (3<<7) | (0x1f<<1), 1,
1959                                      "READ HEADER");
1960                if (reply == 0)
1961                        reply = do_read_header(common, bh);
1962                break;
1963
1964        case READ_TOC:
1965                if (!common->curlun || !common->curlun->cdrom)
1966                        goto unknown_cmnd;
1967                common->data_size_from_cmnd =
1968                        get_unaligned_be16(&common->cmnd[7]);
1969                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1970                                      (7<<6) | (1<<1), 1,
1971                                      "READ TOC");
1972                if (reply == 0)
1973                        reply = do_read_toc(common, bh);
1974                break;
1975
1976        case READ_FORMAT_CAPACITIES:
1977                common->data_size_from_cmnd =
1978                        get_unaligned_be16(&common->cmnd[7]);
1979                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1980                                      (3<<7), 1,
1981                                      "READ FORMAT CAPACITIES");
1982                if (reply == 0)
1983                        reply = do_read_format_capacities(common, bh);
1984                break;
1985
1986        case REQUEST_SENSE:
1987                common->data_size_from_cmnd = common->cmnd[4];
1988                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1989                                      (1<<4), 0,
1990                                      "REQUEST SENSE");
1991                if (reply == 0)
1992                        reply = do_request_sense(common, bh);
1993                break;
1994
1995        case START_STOP:
1996                common->data_size_from_cmnd = 0;
1997                reply = check_command(common, 6, DATA_DIR_NONE,
1998                                      (1<<1) | (1<<4), 0,
1999                                      "START-STOP UNIT");
2000                if (reply == 0)
2001                        reply = do_start_stop(common);
2002                break;
2003
2004        case SYNCHRONIZE_CACHE:
2005                common->data_size_from_cmnd = 0;
2006                reply = check_command(common, 10, DATA_DIR_NONE,
2007                                      (0xf<<2) | (3<<7), 1,
2008                                      "SYNCHRONIZE CACHE");
2009                if (reply == 0)
2010                        reply = do_synchronize_cache(common);
2011                break;
2012
2013        case TEST_UNIT_READY:
2014                common->data_size_from_cmnd = 0;
2015                reply = check_command(common, 6, DATA_DIR_NONE,
2016                                0, 1,
2017                                "TEST UNIT READY");
2018                break;
2019
2020        /*
2021         * Although optional, this command is used by MS-Windows.  We
2022         * support a minimal version: BytChk must be 0.
2023         */
2024        case VERIFY:
2025                common->data_size_from_cmnd = 0;
2026                reply = check_command(common, 10, DATA_DIR_NONE,
2027                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2028                                      "VERIFY");
2029                if (reply == 0)
2030                        reply = do_verify(common);
2031                break;
2032
2033        case WRITE_6:
2034                i = common->cmnd[4];
2035                common->data_size_from_cmnd = (i == 0) ? 256 : i;
2036                reply = check_command_size_in_blocks(common, 6,
2037                                      DATA_DIR_FROM_HOST,
2038                                      (7<<1) | (1<<4), 1,
2039                                      "WRITE(6)");
2040                if (reply == 0)
2041                        reply = do_write(common);
2042                break;
2043
2044        case WRITE_10:
2045                common->data_size_from_cmnd =
2046                                get_unaligned_be16(&common->cmnd[7]);
2047                reply = check_command_size_in_blocks(common, 10,
2048                                      DATA_DIR_FROM_HOST,
2049                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2050                                      "WRITE(10)");
2051                if (reply == 0)
2052                        reply = do_write(common);
2053                break;
2054
2055        case WRITE_12:
2056                common->data_size_from_cmnd =
2057                                get_unaligned_be32(&common->cmnd[6]);
2058                reply = check_command_size_in_blocks(common, 12,
2059                                      DATA_DIR_FROM_HOST,
2060                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2061                                      "WRITE(12)");
2062                if (reply == 0)
2063                        reply = do_write(common);
2064                break;
2065
2066        /*
2067         * Some mandatory commands that we recognize but don't implement.
2068         * They don't mean much in this setting.  It's left as an exercise
2069         * for anyone interested to implement RESERVE and RELEASE in terms
2070         * of Posix locks.
2071         */
2072        case FORMAT_UNIT:
2073        case RELEASE:
2074        case RESERVE:
2075        case SEND_DIAGNOSTIC:
2076                /* Fall through */
2077
2078        default:
2079unknown_cmnd:
2080                common->data_size_from_cmnd = 0;
2081                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2082                reply = check_command(common, common->cmnd_size,
2083                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2084                if (reply == 0) {
2085                        common->curlun->sense_data = SS_INVALID_COMMAND;
2086                        reply = -EINVAL;
2087                }
2088                break;
2089        }
2090        up_read(&common->filesem);
2091
2092        if (reply == -EINTR || signal_pending(current))
2093                return -EINTR;
2094
2095        /* Set up the single reply buffer for finish_reply() */
2096        if (reply == -EINVAL)
2097                reply = 0;              /* Error reply length */
2098        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2099                reply = min((u32)reply, common->data_size_from_cmnd);
2100                bh->inreq->length = reply;
2101                bh->state = BUF_STATE_FULL;
2102                common->residue -= reply;
2103        }                               /* Otherwise it's already set */
2104
2105        return 0;
2106}
2107
2108
2109/*-------------------------------------------------------------------------*/
2110
2111static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2112{
2113        struct usb_request      *req = bh->outreq;
2114        struct bulk_cb_wrap     *cbw = req->buf;
2115        struct fsg_common       *common = fsg->common;
2116
2117        /* Was this a real packet?  Should it be ignored? */
2118        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2119                return -EINVAL;
2120
2121        /* Is the CBW valid? */
2122        if (req->actual != US_BULK_CB_WRAP_LEN ||
2123                        cbw->Signature != cpu_to_le32(
2124                                US_BULK_CB_SIGN)) {
2125                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2126                                req->actual,
2127                                le32_to_cpu(cbw->Signature));
2128
2129                /*
2130                 * The Bulk-only spec says we MUST stall the IN endpoint
2131                 * (6.6.1), so it's unavoidable.  It also says we must
2132                 * retain this state until the next reset, but there's
2133                 * no way to tell the controller driver it should ignore
2134                 * Clear-Feature(HALT) requests.
2135                 *
2136                 * We aren't required to halt the OUT endpoint; instead
2137                 * we can simply accept and discard any data received
2138                 * until the next reset.
2139                 */
2140                wedge_bulk_in_endpoint(fsg);
2141                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2142                return -EINVAL;
2143        }
2144
2145        /* Is the CBW meaningful? */
2146        if (cbw->Lun >= FSG_MAX_LUNS || cbw->Flags & ~US_BULK_FLAG_IN ||
2147                        cbw->Length <= 0 || cbw->Length > MAX_COMMAND_SIZE) {
2148                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2149                                "cmdlen %u\n",
2150                                cbw->Lun, cbw->Flags, cbw->Length);
2151
2152                /*
2153                 * We can do anything we want here, so let's stall the
2154                 * bulk pipes if we are allowed to.
2155                 */
2156                if (common->can_stall) {
2157                        fsg_set_halt(fsg, fsg->bulk_out);
2158                        halt_bulk_in_endpoint(fsg);
2159                }
2160                return -EINVAL;
2161        }
2162
2163        /* Save the command for later */
2164        common->cmnd_size = cbw->Length;
2165        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2166        if (cbw->Flags & US_BULK_FLAG_IN)
2167                common->data_dir = DATA_DIR_TO_HOST;
2168        else
2169                common->data_dir = DATA_DIR_FROM_HOST;
2170        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2171        if (common->data_size == 0)
2172                common->data_dir = DATA_DIR_NONE;
2173        common->lun = cbw->Lun;
2174        if (common->lun < common->nluns)
2175                common->curlun = &common->luns[common->lun];
2176        else
2177                common->curlun = NULL;
2178        common->tag = cbw->Tag;
2179        return 0;
2180}
2181
2182static int get_next_command(struct fsg_common *common)
2183{
2184        struct fsg_buffhd       *bh;
2185        int                     rc = 0;
2186
2187        /* Wait for the next buffer to become available */
2188        bh = common->next_buffhd_to_fill;
2189        while (bh->state != BUF_STATE_EMPTY) {
2190                rc = sleep_thread(common);
2191                if (rc)
2192                        return rc;
2193        }
2194
2195        /* Queue a request to read a Bulk-only CBW */
2196        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2197        if (!start_out_transfer(common, bh))
2198                /* Don't know what to do if common->fsg is NULL */
2199                return -EIO;
2200
2201        /*
2202         * We will drain the buffer in software, which means we
2203         * can reuse it for the next filling.  No need to advance
2204         * next_buffhd_to_fill.
2205         */
2206
2207        /* Wait for the CBW to arrive */
2208        while (bh->state != BUF_STATE_FULL) {
2209                rc = sleep_thread(common);
2210                if (rc)
2211                        return rc;
2212        }
2213        smp_rmb();
2214        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2215        bh->state = BUF_STATE_EMPTY;
2216
2217        return rc;
2218}
2219
2220
2221/*-------------------------------------------------------------------------*/
2222
2223static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2224                struct usb_request **preq)
2225{
2226        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2227        if (*preq)
2228                return 0;
2229        ERROR(common, "can't allocate request for %s\n", ep->name);
2230        return -ENOMEM;
2231}
2232
2233/* Reset interface setting and re-init endpoint state (toggle etc). */
2234static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2235{
2236        struct fsg_dev *fsg;
2237        int i, rc = 0;
2238
2239        if (common->running)
2240                DBG(common, "reset interface\n");
2241
2242reset:
2243        /* Deallocate the requests */
2244        if (common->fsg) {
2245                fsg = common->fsg;
2246
2247                for (i = 0; i < fsg_num_buffers; ++i) {
2248                        struct fsg_buffhd *bh = &common->buffhds[i];
2249
2250                        if (bh->inreq) {
2251                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2252                                bh->inreq = NULL;
2253                        }
2254                        if (bh->outreq) {
2255                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2256                                bh->outreq = NULL;
2257                        }
2258                }
2259
2260                /* Disable the endpoints */
2261                if (fsg->bulk_in_enabled) {
2262                        usb_ep_disable(fsg->bulk_in);
2263                        fsg->bulk_in_enabled = 0;
2264                }
2265                if (fsg->bulk_out_enabled) {
2266                        usb_ep_disable(fsg->bulk_out);
2267                        fsg->bulk_out_enabled = 0;
2268                }
2269
2270                common->fsg = NULL;
2271                wake_up(&common->fsg_wait);
2272        }
2273
2274        common->running = 0;
2275        if (!new_fsg || rc)
2276                return rc;
2277
2278        common->fsg = new_fsg;
2279        fsg = common->fsg;
2280
2281        /* Enable the endpoints */
2282        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2283        if (rc)
2284                goto reset;
2285        rc = usb_ep_enable(fsg->bulk_in);
2286        if (rc)
2287                goto reset;
2288        fsg->bulk_in->driver_data = common;
2289        fsg->bulk_in_enabled = 1;
2290
2291        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2292                                fsg->bulk_out);
2293        if (rc)
2294                goto reset;
2295        rc = usb_ep_enable(fsg->bulk_out);
2296        if (rc)
2297                goto reset;
2298        fsg->bulk_out->driver_data = common;
2299        fsg->bulk_out_enabled = 1;
2300        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2301        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2302
2303        /* Allocate the requests */
2304        for (i = 0; i < fsg_num_buffers; ++i) {
2305                struct fsg_buffhd       *bh = &common->buffhds[i];
2306
2307                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2308                if (rc)
2309                        goto reset;
2310                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2311                if (rc)
2312                        goto reset;
2313                bh->inreq->buf = bh->outreq->buf = bh->buf;
2314                bh->inreq->context = bh->outreq->context = bh;
2315                bh->inreq->complete = bulk_in_complete;
2316                bh->outreq->complete = bulk_out_complete;
2317        }
2318
2319        common->running = 1;
2320        for (i = 0; i < common->nluns; ++i)
2321                common->luns[i].unit_attention_data = SS_RESET_OCCURRED;
2322        return rc;
2323}
2324
2325
2326/****************************** ALT CONFIGS ******************************/
2327
2328static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2329{
2330        struct fsg_dev *fsg = fsg_from_func(f);
2331        fsg->common->new_fsg = fsg;
2332        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2333        return USB_GADGET_DELAYED_STATUS;
2334}
2335
2336static void fsg_disable(struct usb_function *f)
2337{
2338        struct fsg_dev *fsg = fsg_from_func(f);
2339        fsg->common->new_fsg = NULL;
2340        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2341}
2342
2343
2344/*-------------------------------------------------------------------------*/
2345
2346static void handle_exception(struct fsg_common *common)
2347{
2348        siginfo_t               info;
2349        int                     i;
2350        struct fsg_buffhd       *bh;
2351        enum fsg_state          old_state;
2352        struct fsg_lun          *curlun;
2353        unsigned int            exception_req_tag;
2354
2355        /*
2356         * Clear the existing signals.  Anything but SIGUSR1 is converted
2357         * into a high-priority EXIT exception.
2358         */
2359        for (;;) {
2360                int sig =
2361                        dequeue_signal_lock(current, &current->blocked, &info);
2362                if (!sig)
2363                        break;
2364                if (sig != SIGUSR1) {
2365                        if (common->state < FSG_STATE_EXIT)
2366                                DBG(common, "Main thread exiting on signal\n");
2367                        raise_exception(common, FSG_STATE_EXIT);
2368                }
2369        }
2370
2371        /* Cancel all the pending transfers */
2372        if (likely(common->fsg)) {
2373                for (i = 0; i < fsg_num_buffers; ++i) {
2374                        bh = &common->buffhds[i];
2375                        if (bh->inreq_busy)
2376                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2377                        if (bh->outreq_busy)
2378                                usb_ep_dequeue(common->fsg->bulk_out,
2379                                               bh->outreq);
2380                }
2381
2382                /* Wait until everything is idle */
2383                for (;;) {
2384                        int num_active = 0;
2385                        for (i = 0; i < fsg_num_buffers; ++i) {
2386                                bh = &common->buffhds[i];
2387                                num_active += bh->inreq_busy + bh->outreq_busy;
2388                        }
2389                        if (num_active == 0)
2390                                break;
2391                        if (sleep_thread(common))
2392                                return;
2393                }
2394
2395                /* Clear out the controller's fifos */
2396                if (common->fsg->bulk_in_enabled)
2397                        usb_ep_fifo_flush(common->fsg->bulk_in);
2398                if (common->fsg->bulk_out_enabled)
2399                        usb_ep_fifo_flush(common->fsg->bulk_out);
2400        }
2401
2402        /*
2403         * Reset the I/O buffer states and pointers, the SCSI
2404         * state, and the exception.  Then invoke the handler.
2405         */
2406        spin_lock_irq(&common->lock);
2407
2408        for (i = 0; i < fsg_num_buffers; ++i) {
2409                bh = &common->buffhds[i];
2410                bh->state = BUF_STATE_EMPTY;
2411        }
2412        common->next_buffhd_to_fill = &common->buffhds[0];
2413        common->next_buffhd_to_drain = &common->buffhds[0];
2414        exception_req_tag = common->exception_req_tag;
2415        old_state = common->state;
2416
2417        if (old_state == FSG_STATE_ABORT_BULK_OUT)
2418                common->state = FSG_STATE_STATUS_PHASE;
2419        else {
2420                for (i = 0; i < common->nluns; ++i) {
2421                        curlun = &common->luns[i];
2422                        curlun->prevent_medium_removal = 0;
2423                        curlun->sense_data = SS_NO_SENSE;
2424                        curlun->unit_attention_data = SS_NO_SENSE;
2425                        curlun->sense_data_info = 0;
2426                        curlun->info_valid = 0;
2427                }
2428                common->state = FSG_STATE_IDLE;
2429        }
2430        spin_unlock_irq(&common->lock);
2431
2432        /* Carry out any extra actions required for the exception */
2433        switch (old_state) {
2434        case FSG_STATE_ABORT_BULK_OUT:
2435                send_status(common);
2436                spin_lock_irq(&common->lock);
2437                if (common->state == FSG_STATE_STATUS_PHASE)
2438                        common->state = FSG_STATE_IDLE;
2439                spin_unlock_irq(&common->lock);
2440                break;
2441
2442        case FSG_STATE_RESET:
2443                /*
2444                 * In case we were forced against our will to halt a
2445                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2446                 * requires this.)
2447                 */
2448                if (!fsg_is_set(common))
2449                        break;
2450                if (test_and_clear_bit(IGNORE_BULK_OUT,
2451                                       &common->fsg->atomic_bitflags))
2452                        usb_ep_clear_halt(common->fsg->bulk_in);
2453
2454                if (common->ep0_req_tag == exception_req_tag)
2455                        ep0_queue(common);      /* Complete the status stage */
2456
2457                /*
2458                 * Technically this should go here, but it would only be
2459                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2460                 * CONFIG_CHANGE cases.
2461                 */
2462                /* for (i = 0; i < common->nluns; ++i) */
2463                /*      common->luns[i].unit_attention_data = */
2464                /*              SS_RESET_OCCURRED;  */
2465                break;
2466
2467        case FSG_STATE_CONFIG_CHANGE:
2468                do_set_interface(common, common->new_fsg);
2469                if (common->new_fsg)
2470                        usb_composite_setup_continue(common->cdev);
2471                break;
2472
2473        case FSG_STATE_EXIT:
2474        case FSG_STATE_TERMINATED:
2475                do_set_interface(common, NULL);         /* Free resources */
2476                spin_lock_irq(&common->lock);
2477                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2478                spin_unlock_irq(&common->lock);
2479                break;
2480
2481        case FSG_STATE_INTERFACE_CHANGE:
2482        case FSG_STATE_DISCONNECT:
2483        case FSG_STATE_COMMAND_PHASE:
2484        case FSG_STATE_DATA_PHASE:
2485        case FSG_STATE_STATUS_PHASE:
2486        case FSG_STATE_IDLE:
2487                break;
2488        }
2489}
2490
2491
2492/*-------------------------------------------------------------------------*/
2493
2494static int fsg_main_thread(void *common_)
2495{
2496        struct fsg_common       *common = common_;
2497
2498        /*
2499         * Allow the thread to be killed by a signal, but set the signal mask
2500         * to block everything but INT, TERM, KILL, and USR1.
2501         */
2502        allow_signal(SIGINT);
2503        allow_signal(SIGTERM);
2504        allow_signal(SIGKILL);
2505        allow_signal(SIGUSR1);
2506
2507        /* Allow the thread to be frozen */
2508        set_freezable();
2509
2510        /*
2511         * Arrange for userspace references to be interpreted as kernel
2512         * pointers.  That way we can pass a kernel pointer to a routine
2513         * that expects a __user pointer and it will work okay.
2514         */
2515        set_fs(get_ds());
2516
2517        /* The main loop */
2518        while (common->state != FSG_STATE_TERMINATED) {
2519                if (exception_in_progress(common) || signal_pending(current)) {
2520                        handle_exception(common);
2521                        continue;
2522                }
2523
2524                if (!common->running) {
2525                        sleep_thread(common);
2526                        continue;
2527                }
2528
2529                if (get_next_command(common))
2530                        continue;
2531
2532                spin_lock_irq(&common->lock);
2533                if (!exception_in_progress(common))
2534                        common->state = FSG_STATE_DATA_PHASE;
2535                spin_unlock_irq(&common->lock);
2536
2537                if (do_scsi_command(common) || finish_reply(common))
2538                        continue;
2539
2540                spin_lock_irq(&common->lock);
2541                if (!exception_in_progress(common))
2542                        common->state = FSG_STATE_STATUS_PHASE;
2543                spin_unlock_irq(&common->lock);
2544
2545                if (send_status(common))
2546                        continue;
2547
2548                spin_lock_irq(&common->lock);
2549                if (!exception_in_progress(common))
2550                        common->state = FSG_STATE_IDLE;
2551                spin_unlock_irq(&common->lock);
2552        }
2553
2554        spin_lock_irq(&common->lock);
2555        common->thread_task = NULL;
2556        spin_unlock_irq(&common->lock);
2557
2558        if (!common->ops || !common->ops->thread_exits
2559         || common->ops->thread_exits(common) < 0) {
2560                struct fsg_lun *curlun = common->luns;
2561                unsigned i = common->nluns;
2562
2563                down_write(&common->filesem);
2564                for (; i--; ++curlun) {
2565                        if (!fsg_lun_is_open(curlun))
2566                                continue;
2567
2568                        fsg_lun_close(curlun);
2569                        curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
2570                }
2571                up_write(&common->filesem);
2572        }
2573
2574        /* Let fsg_unbind() know the thread has exited */
2575        complete_and_exit(&common->thread_notifier, 0);
2576}
2577
2578
2579/*************************** DEVICE ATTRIBUTES ***************************/
2580
2581static DEVICE_ATTR(ro, 0644, fsg_show_ro, fsg_store_ro);
2582static DEVICE_ATTR(nofua, 0644, fsg_show_nofua, fsg_store_nofua);
2583static DEVICE_ATTR(file, 0644, fsg_show_file, fsg_store_file);
2584
2585static struct device_attribute dev_attr_ro_cdrom =
2586        __ATTR(ro, 0444, fsg_show_ro, NULL);
2587static struct device_attribute dev_attr_file_nonremovable =
2588        __ATTR(file, 0444, fsg_show_file, NULL);
2589
2590
2591/****************************** FSG COMMON ******************************/
2592
2593static void fsg_common_release(struct kref *ref);
2594
2595static void fsg_lun_release(struct device *dev)
2596{
2597        /* Nothing needs to be done */
2598}
2599
2600static inline void fsg_common_get(struct fsg_common *common)
2601{
2602        kref_get(&common->ref);
2603}
2604
2605static inline void fsg_common_put(struct fsg_common *common)
2606{
2607        kref_put(&common->ref, fsg_common_release);
2608}
2609
2610static struct fsg_common *fsg_common_init(struct fsg_common *common,
2611                                          struct usb_composite_dev *cdev,
2612                                          struct fsg_config *cfg)
2613{
2614        struct usb_gadget *gadget = cdev->gadget;
2615        struct fsg_buffhd *bh;
2616        struct fsg_lun *curlun;
2617        struct fsg_lun_config *lcfg;
2618        int nluns, i, rc;
2619        char *pathbuf;
2620
2621        rc = fsg_num_buffers_validate();
2622        if (rc != 0)
2623                return ERR_PTR(rc);
2624
2625        /* Find out how many LUNs there should be */
2626        nluns = cfg->nluns;
2627        if (nluns < 1 || nluns > FSG_MAX_LUNS) {
2628                dev_err(&gadget->dev, "invalid number of LUNs: %u\n", nluns);
2629                return ERR_PTR(-EINVAL);
2630        }
2631
2632        /* Allocate? */
2633        if (!common) {
2634                common = kzalloc(sizeof *common, GFP_KERNEL);
2635                if (!common)
2636                        return ERR_PTR(-ENOMEM);
2637                common->free_storage_on_release = 1;
2638        } else {
2639                memset(common, 0, sizeof *common);
2640                common->free_storage_on_release = 0;
2641        }
2642
2643        common->buffhds = kcalloc(fsg_num_buffers,
2644                                  sizeof *(common->buffhds), GFP_KERNEL);
2645        if (!common->buffhds) {
2646                if (common->free_storage_on_release)
2647                        kfree(common);
2648                return ERR_PTR(-ENOMEM);
2649        }
2650
2651        common->ops = cfg->ops;
2652        common->private_data = cfg->private_data;
2653
2654        common->gadget = gadget;
2655        common->ep0 = gadget->ep0;
2656        common->ep0req = cdev->req;
2657        common->cdev = cdev;
2658
2659        /* Maybe allocate device-global string IDs, and patch descriptors */
2660        if (fsg_strings[FSG_STRING_INTERFACE].id == 0) {
2661                rc = usb_string_id(cdev);
2662                if (unlikely(rc < 0))
2663                        goto error_release;
2664                fsg_strings[FSG_STRING_INTERFACE].id = rc;
2665                fsg_intf_desc.iInterface = rc;
2666        }
2667
2668        /*
2669         * Create the LUNs, open their backing files, and register the
2670         * LUN devices in sysfs.
2671         */
2672        curlun = kcalloc(nluns, sizeof(*curlun), GFP_KERNEL);
2673        if (unlikely(!curlun)) {
2674                rc = -ENOMEM;
2675                goto error_release;
2676        }
2677        common->luns = curlun;
2678
2679        init_rwsem(&common->filesem);
2680
2681        for (i = 0, lcfg = cfg->luns; i < nluns; ++i, ++curlun, ++lcfg) {
2682                curlun->cdrom = !!lcfg->cdrom;
2683                curlun->ro = lcfg->cdrom || lcfg->ro;
2684                curlun->initially_ro = curlun->ro;
2685                curlun->removable = lcfg->removable;
2686                curlun->dev.release = fsg_lun_release;
2687                curlun->dev.parent = &gadget->dev;
2688                /* curlun->dev.driver = &fsg_driver.driver; XXX */
2689                dev_set_drvdata(&curlun->dev, &common->filesem);
2690                dev_set_name(&curlun->dev, "lun%d", i);
2691
2692                rc = device_register(&curlun->dev);
2693                if (rc) {
2694                        INFO(common, "failed to register LUN%d: %d\n", i, rc);
2695                        common->nluns = i;
2696                        put_device(&curlun->dev);
2697                        goto error_release;
2698                }
2699
2700                rc = device_create_file(&curlun->dev,
2701                                        curlun->cdrom
2702                                      ? &dev_attr_ro_cdrom
2703                                      : &dev_attr_ro);
2704                if (rc)
2705                        goto error_luns;
2706                rc = device_create_file(&curlun->dev,
2707                                        curlun->removable
2708                                      ? &dev_attr_file
2709                                      : &dev_attr_file_nonremovable);
2710                if (rc)
2711                        goto error_luns;
2712                rc = device_create_file(&curlun->dev, &dev_attr_nofua);
2713                if (rc)
2714                        goto error_luns;
2715
2716                if (lcfg->filename) {
2717                        rc = fsg_lun_open(curlun, lcfg->filename);
2718                        if (rc)
2719                                goto error_luns;
2720                } else if (!curlun->removable) {
2721                        ERROR(common, "no file given for LUN%d\n", i);
2722                        rc = -EINVAL;
2723                        goto error_luns;
2724                }
2725        }
2726        common->nluns = nluns;
2727
2728        /* Data buffers cyclic list */
2729        bh = common->buffhds;
2730        i = fsg_num_buffers;
2731        goto buffhds_first_it;
2732        do {
2733                bh->next = bh + 1;
2734                ++bh;
2735buffhds_first_it:
2736                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2737                if (unlikely(!bh->buf)) {
2738                        rc = -ENOMEM;
2739                        goto error_release;
2740                }
2741        } while (--i);
2742        bh->next = common->buffhds;
2743
2744        /* Prepare inquiryString */
2745        i = get_default_bcdDevice();
2746        snprintf(common->inquiry_string, sizeof common->inquiry_string,
2747                 "%-8s%-16s%04x", cfg->vendor_name ?: "Linux",
2748                 /* Assume product name dependent on the first LUN */
2749                 cfg->product_name ?: (common->luns->cdrom
2750                                     ? "File-Stor Gadget"
2751                                     : "File-CD Gadget"),
2752                 i);
2753
2754        /*
2755         * Some peripheral controllers are known not to be able to
2756         * halt bulk endpoints correctly.  If one of them is present,
2757         * disable stalls.
2758         */
2759        common->can_stall = cfg->can_stall &&
2760                !(gadget_is_at91(common->gadget));
2761
2762        spin_lock_init(&common->lock);
2763        kref_init(&common->ref);
2764
2765        /* Tell the thread to start working */
2766        common->thread_task =
2767                kthread_create(fsg_main_thread, common, "file-storage");
2768        if (IS_ERR(common->thread_task)) {
2769                rc = PTR_ERR(common->thread_task);
2770                goto error_release;
2771        }
2772        init_completion(&common->thread_notifier);
2773        init_waitqueue_head(&common->fsg_wait);
2774
2775        /* Information */
2776        INFO(common, FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
2777        INFO(common, "Number of LUNs=%d\n", common->nluns);
2778
2779        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2780        for (i = 0, nluns = common->nluns, curlun = common->luns;
2781             i < nluns;
2782             ++curlun, ++i) {
2783                char *p = "(no medium)";
2784                if (fsg_lun_is_open(curlun)) {
2785                        p = "(error)";
2786                        if (pathbuf) {
2787                                p = d_path(&curlun->filp->f_path,
2788                                           pathbuf, PATH_MAX);
2789                                if (IS_ERR(p))
2790                                        p = "(error)";
2791                        }
2792                }
2793                LINFO(curlun, "LUN: %s%s%sfile: %s\n",
2794                      curlun->removable ? "removable " : "",
2795                      curlun->ro ? "read only " : "",
2796                      curlun->cdrom ? "CD-ROM " : "",
2797                      p);
2798        }
2799        kfree(pathbuf);
2800
2801        DBG(common, "I/O thread pid: %d\n", task_pid_nr(common->thread_task));
2802
2803        wake_up_process(common->thread_task);
2804
2805        return common;
2806
2807error_luns:
2808        common->nluns = i + 1;
2809error_release:
2810        common->state = FSG_STATE_TERMINATED;   /* The thread is dead */
2811        /* Call fsg_common_release() directly, ref might be not initialised. */
2812        fsg_common_release(&common->ref);
2813        return ERR_PTR(rc);
2814}
2815
2816static void fsg_common_release(struct kref *ref)
2817{
2818        struct fsg_common *common = container_of(ref, struct fsg_common, ref);
2819
2820        /* If the thread isn't already dead, tell it to exit now */
2821        if (common->state != FSG_STATE_TERMINATED) {
2822                raise_exception(common, FSG_STATE_EXIT);
2823                wait_for_completion(&common->thread_notifier);
2824        }
2825
2826        if (likely(common->luns)) {
2827                struct fsg_lun *lun = common->luns;
2828                unsigned i = common->nluns;
2829
2830                /* In error recovery common->nluns may be zero. */
2831                for (; i; --i, ++lun) {
2832                        device_remove_file(&lun->dev, &dev_attr_nofua);
2833                        device_remove_file(&lun->dev,
2834                                           lun->cdrom
2835                                         ? &dev_attr_ro_cdrom
2836                                         : &dev_attr_ro);
2837                        device_remove_file(&lun->dev,
2838                                           lun->removable
2839                                         ? &dev_attr_file
2840                                         : &dev_attr_file_nonremovable);
2841                        fsg_lun_close(lun);
2842                        device_unregister(&lun->dev);
2843                }
2844
2845                kfree(common->luns);
2846        }
2847
2848        {
2849                struct fsg_buffhd *bh = common->buffhds;
2850                unsigned i = fsg_num_buffers;
2851                do {
2852                        kfree(bh->buf);
2853                } while (++bh, --i);
2854        }
2855
2856        kfree(common->buffhds);
2857        if (common->free_storage_on_release)
2858                kfree(common);
2859}
2860
2861
2862/*-------------------------------------------------------------------------*/
2863
2864static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
2865{
2866        struct fsg_dev          *fsg = fsg_from_func(f);
2867        struct fsg_common       *common = fsg->common;
2868
2869        DBG(fsg, "unbind\n");
2870        if (fsg->common->fsg == fsg) {
2871                fsg->common->new_fsg = NULL;
2872                raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2873                /* FIXME: make interruptible or killable somehow? */
2874                wait_event(common->fsg_wait, common->fsg != fsg);
2875        }
2876
2877        fsg_common_put(common);
2878        usb_free_all_descriptors(&fsg->function);
2879        kfree(fsg);
2880}
2881
2882static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2883{
2884        struct fsg_dev          *fsg = fsg_from_func(f);
2885        struct usb_gadget       *gadget = c->cdev->gadget;
2886        int                     i;
2887        struct usb_ep           *ep;
2888        unsigned                max_burst;
2889        int                     ret;
2890
2891        fsg->gadget = gadget;
2892
2893        /* New interface */
2894        i = usb_interface_id(c, f);
2895        if (i < 0)
2896                return i;
2897        fsg_intf_desc.bInterfaceNumber = i;
2898        fsg->interface_number = i;
2899
2900        /* Find all the endpoints we will use */
2901        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2902        if (!ep)
2903                goto autoconf_fail;
2904        ep->driver_data = fsg->common;  /* claim the endpoint */
2905        fsg->bulk_in = ep;
2906
2907        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2908        if (!ep)
2909                goto autoconf_fail;
2910        ep->driver_data = fsg->common;  /* claim the endpoint */
2911        fsg->bulk_out = ep;
2912
2913        /* Assume endpoint addresses are the same for both speeds */
2914        fsg_hs_bulk_in_desc.bEndpointAddress =
2915                fsg_fs_bulk_in_desc.bEndpointAddress;
2916        fsg_hs_bulk_out_desc.bEndpointAddress =
2917                fsg_fs_bulk_out_desc.bEndpointAddress;
2918
2919        /* Calculate bMaxBurst, we know packet size is 1024 */
2920        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2921
2922        fsg_ss_bulk_in_desc.bEndpointAddress =
2923                fsg_fs_bulk_in_desc.bEndpointAddress;
2924        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2925
2926        fsg_ss_bulk_out_desc.bEndpointAddress =
2927                fsg_fs_bulk_out_desc.bEndpointAddress;
2928        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2929
2930        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
2931                        fsg_ss_function);
2932        if (ret)
2933                goto autoconf_fail;
2934
2935        return 0;
2936
2937autoconf_fail:
2938        ERROR(fsg, "unable to autoconfigure all endpoints\n");
2939        return -ENOTSUPP;
2940}
2941
2942/****************************** ADD FUNCTION ******************************/
2943
2944static struct usb_gadget_strings *fsg_strings_array[] = {
2945        &fsg_stringtab,
2946        NULL,
2947};
2948
2949static int fsg_bind_config(struct usb_composite_dev *cdev,
2950                           struct usb_configuration *c,
2951                           struct fsg_common *common)
2952{
2953        struct fsg_dev *fsg;
2954        int rc;
2955
2956        fsg = kzalloc(sizeof *fsg, GFP_KERNEL);
2957        if (unlikely(!fsg))
2958                return -ENOMEM;
2959
2960        fsg->function.name        = FSG_DRIVER_DESC;
2961        fsg->function.strings     = fsg_strings_array;
2962        fsg->function.bind        = fsg_bind;
2963        fsg->function.unbind      = fsg_unbind;
2964        fsg->function.setup       = fsg_setup;
2965        fsg->function.set_alt     = fsg_set_alt;
2966        fsg->function.disable     = fsg_disable;
2967
2968        fsg->common               = common;
2969        /*
2970         * Our caller holds a reference to common structure so we
2971         * don't have to be worry about it being freed until we return
2972         * from this function.  So instead of incrementing counter now
2973         * and decrement in error recovery we increment it only when
2974         * call to usb_add_function() was successful.
2975         */
2976
2977        rc = usb_add_function(c, &fsg->function);
2978        if (unlikely(rc))
2979                kfree(fsg);
2980        else
2981                fsg_common_get(fsg->common);
2982        return rc;
2983}
2984
2985
2986/************************* Module parameters *************************/
2987
2988struct fsg_module_parameters {
2989        char            *file[FSG_MAX_LUNS];
2990        bool            ro[FSG_MAX_LUNS];
2991        bool            removable[FSG_MAX_LUNS];
2992        bool            cdrom[FSG_MAX_LUNS];
2993        bool            nofua[FSG_MAX_LUNS];
2994
2995        unsigned int    file_count, ro_count, removable_count, cdrom_count;
2996        unsigned int    nofua_count;
2997        unsigned int    luns;   /* nluns */
2998        bool            stall;  /* can_stall */
2999};
3000
3001#define _FSG_MODULE_PARAM_ARRAY(prefix, params, name, type, desc)       \
3002        module_param_array_named(prefix ## name, params.name, type,     \
3003                                 &prefix ## params.name ## _count,      \
3004                                 S_IRUGO);                              \
3005        MODULE_PARM_DESC(prefix ## name, desc)
3006
3007#define _FSG_MODULE_PARAM(prefix, params, name, type, desc)             \
3008        module_param_named(prefix ## name, params.name, type,           \
3009                           S_IRUGO);                                    \
3010        MODULE_PARM_DESC(prefix ## name, desc)
3011
3012#define FSG_MODULE_PARAMETERS(prefix, params)                           \
3013        _FSG_MODULE_PARAM_ARRAY(prefix, params, file, charp,            \
3014                                "names of backing files or devices");   \
3015        _FSG_MODULE_PARAM_ARRAY(prefix, params, ro, bool,               \
3016                                "true to force read-only");             \
3017        _FSG_MODULE_PARAM_ARRAY(prefix, params, removable, bool,        \
3018                                "true to simulate removable media");    \
3019        _FSG_MODULE_PARAM_ARRAY(prefix, params, cdrom, bool,            \
3020                                "true to simulate CD-ROM instead of disk"); \
3021        _FSG_MODULE_PARAM_ARRAY(prefix, params, nofua, bool,            \
3022                                "true to ignore SCSI WRITE(10,12) FUA bit"); \
3023        _FSG_MODULE_PARAM(prefix, params, luns, uint,                   \
3024                          "number of LUNs");                            \
3025        _FSG_MODULE_PARAM(prefix, params, stall, bool,                  \
3026                          "false to prevent bulk stalls")
3027
3028static void
3029fsg_config_from_params(struct fsg_config *cfg,
3030                       const struct fsg_module_parameters *params)
3031{
3032        struct fsg_lun_config *lun;
3033        unsigned i;
3034
3035        /* Configure LUNs */
3036        cfg->nluns =
3037                min(params->luns ?: (params->file_count ?: 1u),
3038                    (unsigned)FSG_MAX_LUNS);
3039        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3040                lun->ro = !!params->ro[i];
3041                lun->cdrom = !!params->cdrom[i];
3042                lun->removable = !!params->removable[i];
3043                lun->filename =
3044                        params->file_count > i && params->file[i][0]
3045                        ? params->file[i]
3046                        : 0;
3047        }
3048
3049        /* Let MSF use defaults */
3050        cfg->vendor_name = 0;
3051        cfg->product_name = 0;
3052
3053        cfg->ops = NULL;
3054        cfg->private_data = NULL;
3055
3056        /* Finalise */
3057        cfg->can_stall = params->stall;
3058}
3059
3060static inline struct fsg_common *
3061fsg_common_from_params(struct fsg_common *common,
3062                       struct usb_composite_dev *cdev,
3063                       const struct fsg_module_parameters *params)
3064        __attribute__((unused));
3065static inline struct fsg_common *
3066fsg_common_from_params(struct fsg_common *common,
3067                       struct usb_composite_dev *cdev,
3068                       const struct fsg_module_parameters *params)
3069{
3070        struct fsg_config cfg;
3071        fsg_config_from_params(&cfg, params);
3072        return fsg_common_init(common, cdev, &cfg);
3073}
3074