LXR linux/drivers/usb/gadget/f_mass

   1/*
   2 * f_mass_storage.c -- Mass Storage USB Composite Function
   3 *
   4 * Copyright (C) 2003-2008 Alan Stern
   5 * Copyright (C) 2009 Samsung Electronics
   6 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   7 * All rights reserved.
   8 *
   9 * Redistribution and use in source and binary forms, with or without
  10 * modification, are permitted provided that the following conditions
  11 * are met:
  12 * 1. Redistributions of source code must retain the above copyright
  13 *    notice, this list of conditions, and the following disclaimer,
  14 *    without modification.
  15 * 2. Redistributions in binary form must reproduce the above copyright
  16 *    notice, this list of conditions and the following disclaimer in the
  17 *    documentation and/or other materials provided with the distribution.
  18 * 3. The names of the above-listed copyright holders may not be used
  19 *    to endorse or promote products derived from this software without
  20 *    specific prior written permission.
  21 *
  22 * ALTERNATIVELY, this software may be distributed under the terms of the
  23 * GNU General Public License ("GPL") as published by the Free Software
  24 * Foundation, either version 2 of that License or (at your option) any
  25 * later version.
  26 *
  27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  28 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  29 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  30 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  31 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  32 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  33 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  34 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  35 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  36 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  37 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38 */
  39
  40/*
  41 * The Mass Storage Function acts as a USB Mass Storage device,
  42 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  43 * addition to providing an example of a genuinely useful composite
  44 * function for a USB device, it also illustrates a technique of
  45 * double-buffering for increased throughput.
  46 *
  47 * For more information about MSF and in particular its module
  48 * parameters and sysfs interface read the
  49 * <Documentation/usb/mass-storage.txt> file.
  50 */
  51
  52/*
  53 * MSF is configured by specifying a fsg_config structure.  It has the
  54 * following fields:
  55 *
  56 *      nluns           Number of LUNs function have (anywhere from 1
  57 *                              to FSG_MAX_LUNS which is 8).
  58 *      luns            An array of LUN configuration values.  This
  59 *                              should be filled for each LUN that
  60 *                              function will include (ie. for "nluns"
  61 *                              LUNs).  Each element of the array has
  62 *                              the following fields:
  63 *      ->filename      The path to the backing file for the LUN.
  64 *                              Required if LUN is not marked as
  65 *                              removable.
  66 *      ->ro            Flag specifying access to the LUN shall be
  67 *                              read-only.  This is implied if CD-ROM
  68 *                              emulation is enabled as well as when
  69 *                              it was impossible to open "filename"
  70 *                              in R/W mode.
  71 *      ->removable     Flag specifying that LUN shall be indicated as
  72 *                              being removable.
  73 *      ->cdrom         Flag specifying that LUN shall be reported as
  74 *                              being a CD-ROM.
  75 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  76 *                              commands for this LUN shall be ignored.
  77 *
  78 *      vendor_name
  79 *      product_name
  80 *      release         Information used as a reply to INQUIRY
  81 *                              request.  To use default set to NULL,
  82 *                              NULL, 0xffff respectively.  The first
  83 *                              field should be 8 and the second 16
  84 *                              characters or less.
  85 *
  86 *      can_stall       Set to permit function to halt bulk endpoints.
  87 *                              Disabled on some USB devices known not
  88 *                              to work correctly.  You should set it
  89 *                              to true.
  90 *
  91 * If "removable" is not set for a LUN then a backing file must be
  92 * specified.  If it is set, then NULL filename means the LUN's medium
  93 * is not loaded (an empty string as "filename" in the fsg_config
  94 * structure causes error).  The CD-ROM emulation includes a single
  95 * data track and no audio tracks; hence there need be only one
  96 * backing file per LUN.
  97 *
  98 * This function is heavily based on "File-backed Storage Gadget" by
  99 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 100 * Brownell.  The driver's SCSI command interface was based on the
 101 * "Information technology - Small Computer System Interface - 2"
 102 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 103 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 104 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 105 * was based on the "Universal Serial Bus Mass Storage Class UFI
 106 * Command Specification" document, Revision 1.0, December 14, 1998,
 107 * available at
 108 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 109 */
 110
 111/*
 112 *                              Driver Design
 113 *
 114 * The MSF is fairly straightforward.  There is a main kernel
 115 * thread that handles most of the work.  Interrupt routines field
 116 * callbacks from the controller driver: bulk- and interrupt-request
 117 * completion notifications, endpoint-0 events, and disconnect events.
 118 * Completion events are passed to the main thread by wakeup calls.  Many
 119 * ep0 requests are handled at interrupt time, but SetInterface,
 120 * SetConfiguration, and device reset requests are forwarded to the
 121 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 122 * should interrupt any ongoing file I/O operations).
 123 *
 124 * The thread's main routine implements the standard command/data/status
 125 * parts of a SCSI interaction.  It and its subroutines are full of tests
 126 * for pending signals/exceptions -- all this polling is necessary since
 127 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 128 * indication that the driver really wants to be running in userspace.)
 129 * An important point is that so long as the thread is alive it keeps an
 130 * open reference to the backing file.  This will prevent unmounting
 131 * the backing file's underlying filesystem and could cause problems
 132 * during system shutdown, for example.  To prevent such problems, the
 133 * thread catches INT, TERM, and KILL signals and converts them into
 134 * an EXIT exception.
 135 *
 136 * In normal operation the main thread is started during the gadget's
 137 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 138 * also exit when it receives a signal, and there's no point leaving
 139 * the gadget running when the thread is dead.  As of this moment, MSF
 140 * provides no way to deregister the gadget when thread dies -- maybe
 141 * a callback functions is needed.
 142 *
 143 * To provide maximum throughput, the driver uses a circular pipeline of
 144 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 145 * arbitrarily long; in practice the benefits don't justify having more
 146 * than 2 stages (i.e., double buffering).  But it helps to think of the
 147 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 148 * a bulk-out request pointer (since the buffer can be used for both
 149 * output and input -- directions always are given from the host's
 150 * point of view) as well as a pointer to the buffer and various state
 151 * variables.
 152 *
 153 * Use of the pipeline follows a simple protocol.  There is a variable
 154 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 155 * At any time that buffer head may still be in use from an earlier
 156 * request, so each buffer head has a state variable indicating whether
 157 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 158 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 159 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 160 * head FULL when the I/O is complete.  Then the buffer will be emptied
 161 * (again possibly by USB I/O, during which it is marked BUSY) and
 162 * finally marked EMPTY again (possibly by a completion routine).
 163 *
 164 * A module parameter tells the driver to avoid stalling the bulk
 165 * endpoints wherever the transport specification allows.  This is
 166 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 167 * halt on a bulk endpoint.  However, under certain circumstances the
 168 * Bulk-only specification requires a stall.  In such cases the driver
 169 * will halt the endpoint and set a flag indicating that it should clear
 170 * the halt in software during the next device reset.  Hopefully this
 171 * will permit everything to work correctly.  Furthermore, although the
 172 * specification allows the bulk-out endpoint to halt when the host sends
 173 * too much data, implementing this would cause an unavoidable race.
 174 * The driver will always use the "no-stall" approach for OUT transfers.
 175 *
 176 * One subtle point concerns sending status-stage responses for ep0
 177 * requests.  Some of these requests, such as device reset, can involve
 178 * interrupting an ongoing file I/O operation, which might take an
 179 * arbitrarily long time.  During that delay the host might give up on
 180 * the original ep0 request and issue a new one.  When that happens the
 181 * driver should not notify the host about completion of the original
 182 * request, as the host will no longer be waiting for it.  So the driver
 183 * assigns to each ep0 request a unique tag, and it keeps track of the
 184 * tag value of the request associated with a long-running exception
 185 * (device-reset, interface-change, or configuration-change).  When the
 186 * exception handler is finished, the status-stage response is submitted
 187 * only if the current ep0 request tag is equal to the exception request
 188 * tag.  Thus only the most recently received ep0 request will get a
 189 * status-stage response.
 190 *
 191 * Warning: This driver source file is too long.  It ought to be split up
 192 * into a header file plus about 3 separate .c files, to handle the details
 193 * of the Gadget, USB Mass Storage, and SCSI protocols.
 194 */
 195
 196
 197/* #define VERBOSE_DEBUG */
 198/* #define DUMP_MSGS */
 199
 200#include <linux/blkdev.h>
 201#include <linux/completion.h>
 202#include <linux/dcache.h>
 203#include <linux/delay.h>
 204#include <linux/device.h>
 205#include <linux/fcntl.h>
 206#include <linux/file.h>
 207#include <linux/fs.h>
 208#include <linux/kref.h>
 209#include <linux/kthread.h>
 210#include <linux/limits.h>
 211#include <linux/rwsem.h>
 212#include <linux/slab.h>
 213#include <linux/spinlock.h>
 214#include <linux/string.h>
 215#include <linux/freezer.h>
 216#include <linux/module.h>
 217
 218#include <linux/usb/ch9.h>
 219#include <linux/usb/gadget.h>
 220#include <linux/usb/composite.h>
 221
 222#include "gadget_chips.h"
 223#include "configfs.h"
 224
 225
 226/*------------------------------------------------------------------------*/
 227
 228#define FSG_DRIVER_DESC         "Mass Storage Function"
 229#define FSG_DRIVER_VERSION      "2009/09/11"
 230
 231static const char fsg_string_interface[] = "Mass Storage";
 232
 233#include "storage_common.h"
 234#include "f_mass_storage.h"
 235
 236/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 237static struct usb_string                fsg_strings[] = {
 238        {FSG_STRING_INTERFACE,          fsg_string_interface},
 239        {}
 240};
 241
 242static struct usb_gadget_strings        fsg_stringtab = {
 243        .language       = 0x0409,               /* en-us */
 244        .strings        = fsg_strings,
 245};
 246
 247static struct usb_gadget_strings *fsg_strings_array[] = {
 248        &fsg_stringtab,
 249        NULL,
 250};
 251
 252/*-------------------------------------------------------------------------*/
 253
 254struct fsg_dev;
 255struct fsg_common;
 256
 257/* Data shared by all the FSG instances. */
 258struct fsg_common {
 259        struct usb_gadget       *gadget;
 260        struct usb_composite_dev *cdev;
 261        struct fsg_dev          *fsg, *new_fsg;
 262        wait_queue_head_t       fsg_wait;
 263
 264        /* filesem protects: backing files in use */
 265        struct rw_semaphore     filesem;
 266
 267        /* lock protects: state, all the req_busy's */
 268        spinlock_t              lock;
 269
 270        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 271        struct usb_request      *ep0req;        /* Copy of cdev->req */
 272        unsigned int            ep0_req_tag;
 273
 274        struct fsg_buffhd       *next_buffhd_to_fill;
 275        struct fsg_buffhd       *next_buffhd_to_drain;
 276        struct fsg_buffhd       *buffhds;
 277        unsigned int            fsg_num_buffers;
 278
 279        int                     cmnd_size;
 280        u8                      cmnd[MAX_COMMAND_SIZE];
 281
 282        unsigned int            nluns;
 283        unsigned int            lun;
 284        struct fsg_lun          **luns;
 285        struct fsg_lun          *curlun;
 286
 287        unsigned int            bulk_out_maxpacket;
 288        enum fsg_state          state;          /* For exception handling */
 289        unsigned int            exception_req_tag;
 290
 291        enum data_direction     data_dir;
 292        u32                     data_size;
 293        u32                     data_size_from_cmnd;
 294        u32                     tag;
 295        u32                     residue;
 296        u32                     usb_amount_left;
 297
 298        unsigned int            can_stall:1;
 299        unsigned int            free_storage_on_release:1;
 300        unsigned int            phase_error:1;
 301        unsigned int            short_packet_received:1;
 302        unsigned int            bad_lun_okay:1;
 303        unsigned int            running:1;
 304        unsigned int            sysfs:1;
 305
 306        int                     thread_wakeup_needed;
 307        struct completion       thread_notifier;
 308        struct task_struct      *thread_task;
 309
 310        /* Callback functions. */
 311        const struct fsg_operations     *ops;
 312        /* Gadget's private data. */
 313        void                    *private_data;
 314
 315        /*
 316         * Vendor (8 chars), product (16 chars), release (4
 317         * hexadecimal digits) and NUL byte
 318         */
 319        char inquiry_string[8 + 16 + 4 + 1];
 320
 321        struct kref             ref;
 322};
 323
 324struct fsg_dev {
 325        struct usb_function     function;
 326        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 327        struct fsg_common       *common;
 328
 329        u16                     interface_number;
 330
 331        unsigned int            bulk_in_enabled:1;
 332        unsigned int            bulk_out_enabled:1;
 333
 334        unsigned long           atomic_bitflags;
 335#define IGNORE_BULK_OUT         0
 336
 337        struct usb_ep           *bulk_in;
 338        struct usb_ep           *bulk_out;
 339};
 340
 341static inline int __fsg_is_set(struct fsg_common *common,
 342                               const char *func, unsigned line)
 343{
 344        if (common->fsg)
 345                return 1;
 346        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 347        WARN_ON(1);
 348        return 0;
 349}
 350
 351#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 352
 353static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 354{
 355        return container_of(f, struct fsg_dev, function);
 356}
 357
 358typedef void (*fsg_routine_t)(struct fsg_dev *);
 359
 360static int exception_in_progress(struct fsg_common *common)
 361{
 362        return common->state > FSG_STATE_IDLE;
 363}
 364
 365/* Make bulk-out requests be divisible by the maxpacket size */
 366static void set_bulk_out_req_length(struct fsg_common *common,
 367                                    struct fsg_buffhd *bh, unsigned int length)
 368{
 369        unsigned int    rem;
 370
 371        bh->bulk_out_intended_length = length;
 372        rem = length % common->bulk_out_maxpacket;
 373        if (rem > 0)
 374                length += common->bulk_out_maxpacket - rem;
 375        bh->outreq->length = length;
 376}
 377
 378
 379/*-------------------------------------------------------------------------*/
 380
 381static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 382{
 383        const char      *name;
 384
 385        if (ep == fsg->bulk_in)
 386                name = "bulk-in";
 387        else if (ep == fsg->bulk_out)
 388                name = "bulk-out";
 389        else
 390                name = ep->name;
 391        DBG(fsg, "%s set halt\n", name);
 392        return usb_ep_set_halt(ep);
 393}
 394
 395
 396/*-------------------------------------------------------------------------*/
 397
 398/* These routines may be called in process context or in_irq */
 399
 400/* Caller must hold fsg->lock */
 401static void wakeup_thread(struct fsg_common *common)
 402{
 403        smp_wmb();      /* ensure the write of bh->state is complete */
 404        /* Tell the main thread that something has happened */
 405        common->thread_wakeup_needed = 1;
 406        if (common->thread_task)
 407                wake_up_process(common->thread_task);
 408}
 409
 410static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 411{
 412        unsigned long           flags;
 413
 414        /*
 415         * Do nothing if a higher-priority exception is already in progress.
 416         * If a lower-or-equal priority exception is in progress, preempt it
 417         * and notify the main thread by sending it a signal.
 418         */
 419        spin_lock_irqsave(&common->lock, flags);
 420        if (common->state <= new_state) {
 421                common->exception_req_tag = common->ep0_req_tag;
 422                common->state = new_state;
 423                if (common->thread_task)
 424                        send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 425                                      common->thread_task);
 426        }
 427        spin_unlock_irqrestore(&common->lock, flags);
 428}
 429
 430
 431/*-------------------------------------------------------------------------*/
 432
 433static int ep0_queue(struct fsg_common *common)
 434{
 435        int     rc;
 436
 437        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 438        common->ep0->driver_data = common;
 439        if (rc != 0 && rc != -ESHUTDOWN) {
 440                /* We can't do much more than wait for a reset */
 441                WARNING(common, "error in submission: %s --> %d\n",
 442                        common->ep0->name, rc);
 443        }
 444        return rc;
 445}
 446
 447
 448/*-------------------------------------------------------------------------*/
 449
 450/* Completion handlers. These always run in_irq. */
 451
 452static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 453{
 454        struct fsg_common       *common = ep->driver_data;
 455        struct fsg_buffhd       *bh = req->context;
 456
 457        if (req->status || req->actual != req->length)
 458                DBG(common, "%s --> %d, %u/%u\n", __func__,
 459                    req->status, req->actual, req->length);
 460        if (req->status == -ECONNRESET)         /* Request was cancelled */
 461                usb_ep_fifo_flush(ep);
 462
 463        /* Hold the lock while we update the request and buffer states */
 464        smp_wmb();
 465        spin_lock(&common->lock);
 466        bh->inreq_busy = 0;
 467        bh->state = BUF_STATE_EMPTY;
 468        wakeup_thread(common);
 469        spin_unlock(&common->lock);
 470}
 471
 472static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 473{
 474        struct fsg_common       *common = ep->driver_data;
 475        struct fsg_buffhd       *bh = req->context;
 476
 477        dump_msg(common, "bulk-out", req->buf, req->actual);
 478        if (req->status || req->actual != bh->bulk_out_intended_length)
 479                DBG(common, "%s --> %d, %u/%u\n", __func__,
 480                    req->status, req->actual, bh->bulk_out_intended_length);
 481        if (req->status == -ECONNRESET)         /* Request was cancelled */
 482                usb_ep_fifo_flush(ep);
 483
 484        /* Hold the lock while we update the request and buffer states */
 485        smp_wmb();
 486        spin_lock(&common->lock);
 487        bh->outreq_busy = 0;
 488        bh->state = BUF_STATE_FULL;
 489        wakeup_thread(common);
 490        spin_unlock(&common->lock);
 491}
 492
 493static int fsg_setup(struct usb_function *f,
 494                     const struct usb_ctrlrequest *ctrl)
 495{
 496        struct fsg_dev          *fsg = fsg_from_func(f);
 497        struct usb_request      *req = fsg->common->ep0req;
 498        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 499        u16                     w_value = le16_to_cpu(ctrl->wValue);
 500        u16                     w_length = le16_to_cpu(ctrl->wLength);
 501
 502        if (!fsg_is_set(fsg->common))
 503                return -EOPNOTSUPP;
 504
 505        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 506        req->context = NULL;
 507        req->length = 0;
 508        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 509
 510        switch (ctrl->bRequest) {
 511
 512        case US_BULK_RESET_REQUEST:
 513                if (ctrl->bRequestType !=
 514                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 515                        break;
 516                if (w_index != fsg->interface_number || w_value != 0 ||
 517                                w_length != 0)
 518                        return -EDOM;
 519
 520                /*
 521                 * Raise an exception to stop the current operation
 522                 * and reinitialize our state.
 523                 */
 524                DBG(fsg, "bulk reset request\n");
 525                raise_exception(fsg->common, FSG_STATE_RESET);
 526                return USB_GADGET_DELAYED_STATUS;
 527
 528        case US_BULK_GET_MAX_LUN:
 529                if (ctrl->bRequestType !=
 530                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 531                        break;
 532                if (w_index != fsg->interface_number || w_value != 0 ||
 533                                w_length != 1)
 534                        return -EDOM;
 535                VDBG(fsg, "get max LUN\n");
 536                *(u8 *)req->buf = fsg->common->nluns - 1;
 537
 538                /* Respond with data/status */
 539                req->length = min((u16)1, w_length);
 540                return ep0_queue(fsg->common);
 541        }
 542
 543        VDBG(fsg,
 544             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 545             ctrl->bRequestType, ctrl->bRequest,
 546             le16_to_cpu(ctrl->wValue), w_index, w_length);
 547        return -EOPNOTSUPP;
 548}
 549
 550
 551/*-------------------------------------------------------------------------*/
 552
 553/* All the following routines run in process context */
 554
 555/* Use this for bulk or interrupt transfers, not ep0 */
 556static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 557                           struct usb_request *req, int *pbusy,
 558                           enum fsg_buffer_state *state)
 559{
 560        int     rc;
 561
 562        if (ep == fsg->bulk_in)
 563                dump_msg(fsg, "bulk-in", req->buf, req->length);
 564
 565        spin_lock_irq(&fsg->common->lock);
 566        *pbusy = 1;
 567        *state = BUF_STATE_BUSY;
 568        spin_unlock_irq(&fsg->common->lock);
 569        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 570        if (rc != 0) {
 571                *pbusy = 0;
 572                *state = BUF_STATE_EMPTY;
 573
 574                /* We can't do much more than wait for a reset */
 575
 576                /*
 577                 * Note: currently the net2280 driver fails zero-length
 578                 * submissions if DMA is enabled.
 579                 */
 580                if (rc != -ESHUTDOWN &&
 581                    !(rc == -EOPNOTSUPP && req->length == 0))
 582                        WARNING(fsg, "error in submission: %s --> %d\n",
 583                                ep->name, rc);
 584        }
 585}
 586
 587static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 588{
 589        if (!fsg_is_set(common))
 590                return false;
 591        start_transfer(common->fsg, common->fsg->bulk_in,
 592                       bh->inreq, &bh->inreq_busy, &bh->state);
 593        return true;
 594}
 595
 596static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 597{
 598        if (!fsg_is_set(common))
 599                return false;
 600        start_transfer(common->fsg, common->fsg->bulk_out,
 601                       bh->outreq, &bh->outreq_busy, &bh->state);
 602        return true;
 603}
 604
 605static int sleep_thread(struct fsg_common *common, bool can_freeze)
 606{
 607        int     rc = 0;
 608
 609        /* Wait until a signal arrives or we are woken up */
 610        for (;;) {
 611                if (can_freeze)
 612                        try_to_freeze();
 613                set_current_state(TASK_INTERRUPTIBLE);
 614                if (signal_pending(current)) {
 615                        rc = -EINTR;
 616                        break;
 617                }
 618                if (common->thread_wakeup_needed)
 619                        break;
 620                schedule();
 621        }
 622        __set_current_state(TASK_RUNNING);
 623        common->thread_wakeup_needed = 0;
 624        smp_rmb();      /* ensure the latest bh->state is visible */
 625        return rc;
 626}
 627
 628
 629/*-------------------------------------------------------------------------*/
 630
 631static int do_read(struct fsg_common *common)
 632{
 633        struct fsg_lun          *curlun = common->curlun;
 634        u32                     lba;
 635        struct fsg_buffhd       *bh;
 636        int                     rc;
 637        u32                     amount_left;
 638        loff_t                  file_offset, file_offset_tmp;
 639        unsigned int            amount;
 640        ssize_t                 nread;
 641
 642        /*
 643         * Get the starting Logical Block Address and check that it's
 644         * not too big.
 645         */
 646        if (common->cmnd[0] == READ_6)
 647                lba = get_unaligned_be24(&common->cmnd[1]);
 648        else {
 649                lba = get_unaligned_be32(&common->cmnd[2]);
 650
 651                /*
 652                 * We allow DPO (Disable Page Out = don't save data in the
 653                 * cache) and FUA (Force Unit Access = don't read from the
 654                 * cache), but we don't implement them.
 655                 */
 656                if ((common->cmnd[1] & ~0x18) != 0) {
 657                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 658                        return -EINVAL;
 659                }
 660        }
 661        if (lba >= curlun->num_sectors) {
 662                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 663                return -EINVAL;
 664        }
 665        file_offset = ((loff_t) lba) << curlun->blkbits;
 666
 667        /* Carry out the file reads */
 668        amount_left = common->data_size_from_cmnd;
 669        if (unlikely(amount_left == 0))
 670                return -EIO;            /* No default reply */
 671
 672        for (;;) {
 673                /*
 674                 * Figure out how much we need to read:
 675                 * Try to read the remaining amount.
 676                 * But don't read more than the buffer size.
 677                 * And don't try to read past the end of the file.
 678                 */
 679                amount = min(amount_left, FSG_BUFLEN);
 680                amount = min((loff_t)amount,
 681                             curlun->file_length - file_offset);
 682
 683                /* Wait for the next buffer to become available */
 684                bh = common->next_buffhd_to_fill;
 685                while (bh->state != BUF_STATE_EMPTY) {
 686                        rc = sleep_thread(common, false);
 687                        if (rc)
 688                                return rc;
 689                }
 690
 691                /*
 692                 * If we were asked to read past the end of file,
 693                 * end with an empty buffer.
 694                 */
 695                if (amount == 0) {
 696                        curlun->sense_data =
 697                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 698                        curlun->sense_data_info =
 699                                        file_offset >> curlun->blkbits;
 700                        curlun->info_valid = 1;
 701                        bh->inreq->length = 0;
 702                        bh->state = BUF_STATE_FULL;
 703                        break;
 704                }
 705
 706                /* Perform the read */
 707                file_offset_tmp = file_offset;
 708                nread = vfs_read(curlun->filp,
 709                                 (char __user *)bh->buf,
 710                                 amount, &file_offset_tmp);
 711                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 712                      (unsigned long long)file_offset, (int)nread);
 713                if (signal_pending(current))
 714                        return -EINTR;
 715
 716                if (nread < 0) {
 717                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 718                        nread = 0;
 719                } else if (nread < amount) {
 720                        LDBG(curlun, "partial file read: %d/%u\n",
 721                             (int)nread, amount);
 722                        nread = round_down(nread, curlun->blksize);
 723                }
 724                file_offset  += nread;
 725                amount_left  -= nread;
 726                common->residue -= nread;
 727
 728                /*
 729                 * Except at the end of the transfer, nread will be
 730                 * equal to the buffer size, which is divisible by the
 731                 * bulk-in maxpacket size.
 732                 */
 733                bh->inreq->length = nread;
 734                bh->state = BUF_STATE_FULL;
 735
 736                /* If an error occurred, report it and its position */
 737                if (nread < amount) {
 738                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 739                        curlun->sense_data_info =
 740                                        file_offset >> curlun->blkbits;
 741                        curlun->info_valid = 1;
 742                        break;
 743                }
 744
 745                if (amount_left == 0)
 746                        break;          /* No more left to read */
 747
 748                /* Send this buffer and go read some more */
 749                bh->inreq->zero = 0;
 750                if (!start_in_transfer(common, bh))
 751                        /* Don't know what to do if common->fsg is NULL */
 752                        return -EIO;
 753                common->next_buffhd_to_fill = bh->next;
 754        }
 755
 756        return -EIO;            /* No default reply */
 757}
 758
 759
 760/*-------------------------------------------------------------------------*/
 761
 762static int do_write(struct fsg_common *common)
 763{
 764        struct fsg_lun          *curlun = common->curlun;
 765        u32                     lba;
 766        struct fsg_buffhd       *bh;
 767        int                     get_some_more;
 768        u32                     amount_left_to_req, amount_left_to_write;
 769        loff_t                  usb_offset, file_offset, file_offset_tmp;
 770        unsigned int            amount;
 771        ssize_t                 nwritten;
 772        int                     rc;
 773
 774        if (curlun->ro) {
 775                curlun->sense_data = SS_WRITE_PROTECTED;
 776                return -EINVAL;
 777        }
 778        spin_lock(&curlun->filp->f_lock);
 779        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 780        spin_unlock(&curlun->filp->f_lock);
 781
 782        /*
 783         * Get the starting Logical Block Address and check that it's
 784         * not too big
 785         */
 786        if (common->cmnd[0] == WRITE_6)
 787                lba = get_unaligned_be24(&common->cmnd[1]);
 788        else {
 789                lba = get_unaligned_be32(&common->cmnd[2]);
 790
 791                /*
 792                 * We allow DPO (Disable Page Out = don't save data in the
 793                 * cache) and FUA (Force Unit Access = write directly to the
 794                 * medium).  We don't implement DPO; we implement FUA by
 795                 * performing synchronous output.
 796                 */
 797                if (common->cmnd[1] & ~0x18) {
 798                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 799                        return -EINVAL;
 800                }
 801                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 802                        spin_lock(&curlun->filp->f_lock);
 803                        curlun->filp->f_flags |= O_SYNC;
 804                        spin_unlock(&curlun->filp->f_lock);
 805                }
 806        }
 807        if (lba >= curlun->num_sectors) {
 808                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 809                return -EINVAL;
 810        }
 811
 812        /* Carry out the file writes */
 813        get_some_more = 1;
 814        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 815        amount_left_to_req = common->data_size_from_cmnd;
 816        amount_left_to_write = common->data_size_from_cmnd;
 817
 818        while (amount_left_to_write > 0) {
 819
 820                /* Queue a request for more data from the host */
 821                bh = common->next_buffhd_to_fill;
 822                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 823
 824                        /*
 825                         * Figure out how much we want to get:
 826                         * Try to get the remaining amount,
 827                         * but not more than the buffer size.
 828                         */
 829                        amount = min(amount_left_to_req, FSG_BUFLEN);
 830
 831                        /* Beyond the end of the backing file? */
 832                        if (usb_offset >= curlun->file_length) {
 833                                get_some_more = 0;
 834                                curlun->sense_data =
 835                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 836                                curlun->sense_data_info =
 837                                        usb_offset >> curlun->blkbits;
 838                                curlun->info_valid = 1;
 839                                continue;
 840                        }
 841
 842                        /* Get the next buffer */
 843                        usb_offset += amount;
 844                        common->usb_amount_left -= amount;
 845                        amount_left_to_req -= amount;
 846                        if (amount_left_to_req == 0)
 847                                get_some_more = 0;
 848
 849                        /*
 850                         * Except at the end of the transfer, amount will be
 851                         * equal to the buffer size, which is divisible by
 852                         * the bulk-out maxpacket size.
 853                         */
 854                        set_bulk_out_req_length(common, bh, amount);
 855                        if (!start_out_transfer(common, bh))
 856                                /* Dunno what to do if common->fsg is NULL */
 857                                return -EIO;
 858                        common->next_buffhd_to_fill = bh->next;
 859                        continue;
 860                }
 861
 862                /* Write the received data to the backing file */
 863                bh = common->next_buffhd_to_drain;
 864                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 865                        break;                  /* We stopped early */
 866                if (bh->state == BUF_STATE_FULL) {
 867                        smp_rmb();
 868                        common->next_buffhd_to_drain = bh->next;
 869                        bh->state = BUF_STATE_EMPTY;
 870
 871                        /* Did something go wrong with the transfer? */
 872                        if (bh->outreq->status != 0) {
 873                                curlun->sense_data = SS_COMMUNICATION_FAILURE;
 874                                curlun->sense_data_info =
 875                                        file_offset >> curlun->blkbits;
 876                                curlun->info_valid = 1;
 877                                break;
 878                        }
 879
 880                        amount = bh->outreq->actual;
 881                        if (curlun->file_length - file_offset < amount) {
 882                                LERROR(curlun,
 883                                       "write %u @ %llu beyond end %llu\n",
 884                                       amount, (unsigned long long)file_offset,
 885                                       (unsigned long long)curlun->file_length);
 886                                amount = curlun->file_length - file_offset;
 887                        }
 888
 889                        /* Don't accept excess data.  The spec doesn't say
 890                         * what to do in this case.  We'll ignore the error.
 891                         */
 892                        amount = min(amount, bh->bulk_out_intended_length);
 893
 894                        /* Don't write a partial block */
 895                        amount = round_down(amount, curlun->blksize);
 896                        if (amount == 0)
 897                                goto empty_write;
 898
 899                        /* Perform the write */
 900                        file_offset_tmp = file_offset;
 901                        nwritten = vfs_write(curlun->filp,
 902                                             (char __user *)bh->buf,
 903                                             amount, &file_offset_tmp);
 904                        VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 905                              (unsigned long long)file_offset, (int)nwritten);
 906                        if (signal_pending(current))
 907                                return -EINTR;          /* Interrupted! */
 908
 909                        if (nwritten < 0) {
 910                                LDBG(curlun, "error in file write: %d\n",
 911                                     (int)nwritten);
 912                                nwritten = 0;
 913                        } else if (nwritten < amount) {
 914                                LDBG(curlun, "partial file write: %d/%u\n",
 915                                     (int)nwritten, amount);
 916                                nwritten = round_down(nwritten, curlun->blksize);
 917                        }
 918                        file_offset += nwritten;
 919                        amount_left_to_write -= nwritten;
 920                        common->residue -= nwritten;
 921
 922                        /* If an error occurred, report it and its position */
 923                        if (nwritten < amount) {
 924                                curlun->sense_data = SS_WRITE_ERROR;
 925                                curlun->sense_data_info =
 926                                        file_offset >> curlun->blkbits;
 927                                curlun->info_valid = 1;
 928                                break;
 929                        }
 930
 931 empty_write:
 932                        /* Did the host decide to stop early? */
 933                        if (bh->outreq->actual < bh->bulk_out_intended_length) {
 934                                common->short_packet_received = 1;
 935                                break;
 936                        }
 937                        continue;
 938                }
 939
 940                /* Wait for something to happen */
 941                rc = sleep_thread(common, false);
 942                if (rc)
 943                        return rc;
 944        }
 945
 946        return -EIO;            /* No default reply */
 947}
 948
 949
 950/*-------------------------------------------------------------------------*/
 951
 952static int do_synchronize_cache(struct fsg_common *common)
 953{
 954        struct fsg_lun  *curlun = common->curlun;
 955        int             rc;
 956
 957        /* We ignore the requested LBA and write out all file's
 958         * dirty data buffers. */
 959        rc = fsg_lun_fsync_sub(curlun);
 960        if (rc)
 961                curlun->sense_data = SS_WRITE_ERROR;
 962        return 0;
 963}
 964
 965
 966/*-------------------------------------------------------------------------*/
 967
 968static void invalidate_sub(struct fsg_lun *curlun)
 969{
 970        struct file     *filp = curlun->filp;
 971        struct inode    *inode = file_inode(filp);
 972        unsigned long   rc;
 973
 974        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 975        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 976}
 977
 978static int do_verify(struct fsg_common *common)
 979{
 980        struct fsg_lun          *curlun = common->curlun;
 981        u32                     lba;
 982        u32                     verification_length;
 983        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 984        loff_t                  file_offset, file_offset_tmp;
 985        u32                     amount_left;
 986        unsigned int            amount;
 987        ssize_t                 nread;
 988
 989        /*
 990         * Get the starting Logical Block Address and check that it's
 991         * not too big.
 992         */
 993        lba = get_unaligned_be32(&common->cmnd[2]);
 994        if (lba >= curlun->num_sectors) {
 995                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 996                return -EINVAL;
 997        }
 998
 999        /*
1000         * We allow DPO (Disable Page Out = don't save data in the

1001         * cache) but we don't implement it.
1002         */
1003        if (common->cmnd[1] & ~0x10) {
1004                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1005                return -EINVAL;
1006        }
1007
1008        verification_length = get_unaligned_be16(&common->cmnd[7]);
1009        if (unlikely(verification_length == 0))
1010                return -EIO;            /* No default reply */
1011
1012        /* Prepare to carry out the file verify */
1013        amount_left = verification_length << curlun->blkbits;
1014        file_offset = ((loff_t) lba) << curlun->blkbits;
1015
1016        /* Write out all the dirty buffers before invalidating them */
1017        fsg_lun_fsync_sub(curlun);
1018        if (signal_pending(current))
1019                return -EINTR;
1020
1021        invalidate_sub(curlun);
1022        if (signal_pending(current))
1023                return -EINTR;
1024
1025        /* Just try to read the requested blocks */
1026        while (amount_left > 0) {
1027                /*
1028                 * Figure out how much we need to read:
1029                 * Try to read the remaining amount, but not more than
1030                 * the buffer size.
1031                 * And don't try to read past the end of the file.
1032                 */
1033                amount = min(amount_left, FSG_BUFLEN);
1034                amount = min((loff_t)amount,
1035                             curlun->file_length - file_offset);
1036                if (amount == 0) {
1037                        curlun->sense_data =
1038                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1039                        curlun->sense_data_info =
1040                                file_offset >> curlun->blkbits;
1041                        curlun->info_valid = 1;
1042                        break;
1043                }
1044
1045                /* Perform the read */
1046                file_offset_tmp = file_offset;
1047                nread = vfs_read(curlun->filp,
1048                                (char __user *) bh->buf,
1049                                amount, &file_offset_tmp);
1050                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1051                                (unsigned long long) file_offset,
1052                                (int) nread);
1053                if (signal_pending(current))
1054                        return -EINTR;
1055
1056                if (nread < 0) {
1057                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1058                        nread = 0;
1059                } else if (nread < amount) {
1060                        LDBG(curlun, "partial file verify: %d/%u\n",
1061                             (int)nread, amount);
1062                        nread = round_down(nread, curlun->blksize);
1063                }
1064                if (nread == 0) {
1065                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1066                        curlun->sense_data_info =
1067                                file_offset >> curlun->blkbits;
1068                        curlun->info_valid = 1;
1069                        break;
1070                }
1071                file_offset += nread;
1072                amount_left -= nread;
1073        }
1074        return 0;
1075}
1076
1077
1078/*-------------------------------------------------------------------------*/
1079
1080static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1081{
1082        struct fsg_lun *curlun = common->curlun;
1083        u8      *buf = (u8 *) bh->buf;
1084
1085        if (!curlun) {          /* Unsupported LUNs are okay */
1086                common->bad_lun_okay = 1;
1087                memset(buf, 0, 36);
1088                buf[0] = 0x7f;          /* Unsupported, no device-type */
1089                buf[4] = 31;            /* Additional length */
1090                return 36;
1091        }
1092
1093        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1094        buf[1] = curlun->removable ? 0x80 : 0;
1095        buf[2] = 2;             /* ANSI SCSI level 2 */
1096        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1097        buf[4] = 31;            /* Additional length */
1098        buf[5] = 0;             /* No special options */
1099        buf[6] = 0;
1100        buf[7] = 0;
1101        memcpy(buf + 8, common->inquiry_string, sizeof common->inquiry_string);
1102        return 36;
1103}
1104
1105static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1106{
1107        struct fsg_lun  *curlun = common->curlun;
1108        u8              *buf = (u8 *) bh->buf;
1109        u32             sd, sdinfo;
1110        int             valid;
1111
1112        /*
1113         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1114         *
1115         * If a REQUEST SENSE command is received from an initiator
1116         * with a pending unit attention condition (before the target
1117         * generates the contingent allegiance condition), then the
1118         * target shall either:
1119         *   a) report any pending sense data and preserve the unit
1120         *      attention condition on the logical unit, or,
1121         *   b) report the unit attention condition, may discard any
1122         *      pending sense data, and clear the unit attention
1123         *      condition on the logical unit for that initiator.
1124         *
1125         * FSG normally uses option a); enable this code to use option b).
1126         */
1127#if 0
1128        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1129                curlun->sense_data = curlun->unit_attention_data;
1130                curlun->unit_attention_data = SS_NO_SENSE;
1131        }
1132#endif
1133
1134        if (!curlun) {          /* Unsupported LUNs are okay */
1135                common->bad_lun_okay = 1;
1136                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1137                sdinfo = 0;
1138                valid = 0;
1139        } else {
1140                sd = curlun->sense_data;
1141                sdinfo = curlun->sense_data_info;
1142                valid = curlun->info_valid << 7;
1143                curlun->sense_data = SS_NO_SENSE;
1144                curlun->sense_data_info = 0;
1145                curlun->info_valid = 0;
1146        }
1147
1148        memset(buf, 0, 18);
1149        buf[0] = valid | 0x70;                  /* Valid, current error */
1150        buf[2] = SK(sd);
1151        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1152        buf[7] = 18 - 8;                        /* Additional sense length */
1153        buf[12] = ASC(sd);
1154        buf[13] = ASCQ(sd);
1155        return 18;
1156}
1157
1158static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1159{
1160        struct fsg_lun  *curlun = common->curlun;
1161        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1162        int             pmi = common->cmnd[8];
1163        u8              *buf = (u8 *)bh->buf;
1164
1165        /* Check the PMI and LBA fields */
1166        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1167                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1168                return -EINVAL;
1169        }
1170
1171        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1172                                                /* Max logical block */
1173        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1174        return 8;
1175}
1176
1177static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1178{
1179        struct fsg_lun  *curlun = common->curlun;
1180        int             msf = common->cmnd[1] & 0x02;
1181        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1182        u8              *buf = (u8 *)bh->buf;
1183
1184        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1185                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1186                return -EINVAL;
1187        }
1188        if (lba >= curlun->num_sectors) {
1189                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1190                return -EINVAL;
1191        }
1192
1193        memset(buf, 0, 8);
1194        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1195        store_cdrom_address(&buf[4], msf, lba);
1196        return 8;
1197}
1198
1199static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1200{
1201        struct fsg_lun  *curlun = common->curlun;
1202        int             msf = common->cmnd[1] & 0x02;
1203        int             start_track = common->cmnd[6];
1204        u8              *buf = (u8 *)bh->buf;
1205
1206        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1207                        start_track > 1) {
1208                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1209                return -EINVAL;
1210        }
1211
1212        memset(buf, 0, 20);
1213        buf[1] = (20-2);                /* TOC data length */
1214        buf[2] = 1;                     /* First track number */
1215        buf[3] = 1;                     /* Last track number */
1216        buf[5] = 0x16;                  /* Data track, copying allowed */
1217        buf[6] = 0x01;                  /* Only track is number 1 */
1218        store_cdrom_address(&buf[8], msf, 0);
1219
1220        buf[13] = 0x16;                 /* Lead-out track is data */
1221        buf[14] = 0xAA;                 /* Lead-out track number */
1222        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1223        return 20;
1224}
1225
1226static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1227{
1228        struct fsg_lun  *curlun = common->curlun;
1229        int             mscmnd = common->cmnd[0];
1230        u8              *buf = (u8 *) bh->buf;
1231        u8              *buf0 = buf;
1232        int             pc, page_code;
1233        int             changeable_values, all_pages;
1234        int             valid_page = 0;
1235        int             len, limit;
1236
1237        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1238                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1239                return -EINVAL;
1240        }
1241        pc = common->cmnd[2] >> 6;
1242        page_code = common->cmnd[2] & 0x3f;
1243        if (pc == 3) {
1244                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1245                return -EINVAL;
1246        }
1247        changeable_values = (pc == 1);
1248        all_pages = (page_code == 0x3f);
1249
1250        /*
1251         * Write the mode parameter header.  Fixed values are: default
1252         * medium type, no cache control (DPOFUA), and no block descriptors.
1253         * The only variable value is the WriteProtect bit.  We will fill in
1254         * the mode data length later.
1255         */
1256        memset(buf, 0, 8);
1257        if (mscmnd == MODE_SENSE) {
1258                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1259                buf += 4;
1260                limit = 255;
1261        } else {                        /* MODE_SENSE_10 */
1262                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1263                buf += 8;
1264                limit = 65535;          /* Should really be FSG_BUFLEN */
1265        }
1266
1267        /* No block descriptors */
1268
1269        /*
1270         * The mode pages, in numerical order.  The only page we support
1271         * is the Caching page.
1272         */
1273        if (page_code == 0x08 || all_pages) {
1274                valid_page = 1;
1275                buf[0] = 0x08;          /* Page code */
1276                buf[1] = 10;            /* Page length */
1277                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1278
1279                if (!changeable_values) {
1280                        buf[2] = 0x04;  /* Write cache enable, */
1281                                        /* Read cache not disabled */
1282                                        /* No cache retention priorities */
1283                        put_unaligned_be16(0xffff, &buf[4]);
1284                                        /* Don't disable prefetch */
1285                                        /* Minimum prefetch = 0 */
1286                        put_unaligned_be16(0xffff, &buf[8]);
1287                                        /* Maximum prefetch */
1288                        put_unaligned_be16(0xffff, &buf[10]);
1289                                        /* Maximum prefetch ceiling */
1290                }
1291                buf += 12;
1292        }
1293
1294        /*
1295         * Check that a valid page was requested and the mode data length
1296         * isn't too long.
1297         */
1298        len = buf - buf0;
1299        if (!valid_page || len > limit) {
1300                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1301                return -EINVAL;
1302        }
1303
1304        /*  Store the mode data length */
1305        if (mscmnd == MODE_SENSE)
1306                buf0[0] = len - 1;
1307        else
1308                put_unaligned_be16(len - 2, buf0);
1309        return len;
1310}
1311
1312static int do_start_stop(struct fsg_common *common)
1313{
1314        struct fsg_lun  *curlun = common->curlun;
1315        int             loej, start;
1316
1317        if (!curlun) {
1318                return -EINVAL;
1319        } else if (!curlun->removable) {
1320                curlun->sense_data = SS_INVALID_COMMAND;
1321                return -EINVAL;
1322        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1323                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1324                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1325                return -EINVAL;
1326        }
1327
1328        loej  = common->cmnd[4] & 0x02;
1329        start = common->cmnd[4] & 0x01;
1330
1331        /*
1332         * Our emulation doesn't support mounting; the medium is
1333         * available for use as soon as it is loaded.
1334         */
1335        if (start) {
1336                if (!fsg_lun_is_open(curlun)) {
1337                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1338                        return -EINVAL;
1339                }
1340                return 0;
1341        }
1342
1343        /* Are we allowed to unload the media? */
1344        if (curlun->prevent_medium_removal) {
1345                LDBG(curlun, "unload attempt prevented\n");
1346                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1347                return -EINVAL;
1348        }
1349
1350        if (!loej)
1351                return 0;
1352
1353        up_read(&common->filesem);
1354        down_write(&common->filesem);
1355        fsg_lun_close(curlun);
1356        up_write(&common->filesem);
1357        down_read(&common->filesem);
1358
1359        return 0;
1360}
1361
1362static int do_prevent_allow(struct fsg_common *common)
1363{
1364        struct fsg_lun  *curlun = common->curlun;
1365        int             prevent;
1366
1367        if (!common->curlun) {
1368                return -EINVAL;
1369        } else if (!common->curlun->removable) {
1370                common->curlun->sense_data = SS_INVALID_COMMAND;
1371                return -EINVAL;
1372        }
1373
1374        prevent = common->cmnd[4] & 0x01;
1375        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1376                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1377                return -EINVAL;
1378        }
1379
1380        if (curlun->prevent_medium_removal && !prevent)
1381                fsg_lun_fsync_sub(curlun);
1382        curlun->prevent_medium_removal = prevent;
1383        return 0;
1384}
1385
1386static int do_read_format_capacities(struct fsg_common *common,
1387                        struct fsg_buffhd *bh)
1388{
1389        struct fsg_lun  *curlun = common->curlun;
1390        u8              *buf = (u8 *) bh->buf;
1391
1392        buf[0] = buf[1] = buf[2] = 0;
1393        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1394        buf += 4;
1395
1396        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1397                                                /* Number of blocks */
1398        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1399        buf[4] = 0x02;                          /* Current capacity */
1400        return 12;
1401}
1402
1403static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1404{
1405        struct fsg_lun  *curlun = common->curlun;
1406
1407        /* We don't support MODE SELECT */
1408        if (curlun)
1409                curlun->sense_data = SS_INVALID_COMMAND;
1410        return -EINVAL;
1411}
1412
1413
1414/*-------------------------------------------------------------------------*/
1415
1416static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1417{
1418        int     rc;
1419
1420        rc = fsg_set_halt(fsg, fsg->bulk_in);
1421        if (rc == -EAGAIN)
1422                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1423        while (rc != 0) {
1424                if (rc != -EAGAIN) {
1425                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1426                        rc = 0;
1427                        break;
1428                }
1429
1430                /* Wait for a short time and then try again */
1431                if (msleep_interruptible(100) != 0)
1432                        return -EINTR;
1433                rc = usb_ep_set_halt(fsg->bulk_in);
1434        }
1435        return rc;
1436}
1437
1438static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1439{
1440        int     rc;
1441
1442        DBG(fsg, "bulk-in set wedge\n");
1443        rc = usb_ep_set_wedge(fsg->bulk_in);
1444        if (rc == -EAGAIN)
1445                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1446        while (rc != 0) {
1447                if (rc != -EAGAIN) {
1448                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1449                        rc = 0;
1450                        break;
1451                }
1452
1453                /* Wait for a short time and then try again */
1454                if (msleep_interruptible(100) != 0)
1455                        return -EINTR;
1456                rc = usb_ep_set_wedge(fsg->bulk_in);
1457        }
1458        return rc;
1459}
1460
1461static int throw_away_data(struct fsg_common *common)
1462{
1463        struct fsg_buffhd       *bh;
1464        u32                     amount;
1465        int                     rc;
1466
1467        for (bh = common->next_buffhd_to_drain;
1468             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1469             bh = common->next_buffhd_to_drain) {
1470
1471                /* Throw away the data in a filled buffer */
1472                if (bh->state == BUF_STATE_FULL) {
1473                        smp_rmb();
1474                        bh->state = BUF_STATE_EMPTY;
1475                        common->next_buffhd_to_drain = bh->next;
1476
1477                        /* A short packet or an error ends everything */
1478                        if (bh->outreq->actual < bh->bulk_out_intended_length ||
1479                            bh->outreq->status != 0) {
1480                                raise_exception(common,
1481                                                FSG_STATE_ABORT_BULK_OUT);
1482                                return -EINTR;
1483                        }
1484                        continue;
1485                }
1486
1487                /* Try to submit another request if we need one */
1488                bh = common->next_buffhd_to_fill;
1489                if (bh->state == BUF_STATE_EMPTY
1490                 && common->usb_amount_left > 0) {
1491                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1492
1493                        /*
1494                         * Except at the end of the transfer, amount will be
1495                         * equal to the buffer size, which is divisible by
1496                         * the bulk-out maxpacket size.
1497                         */
1498                        set_bulk_out_req_length(common, bh, amount);
1499                        if (!start_out_transfer(common, bh))
1500                                /* Dunno what to do if common->fsg is NULL */
1501                                return -EIO;
1502                        common->next_buffhd_to_fill = bh->next;
1503                        common->usb_amount_left -= amount;
1504                        continue;
1505                }
1506
1507                /* Otherwise wait for something to happen */
1508                rc = sleep_thread(common, true);
1509                if (rc)
1510                        return rc;
1511        }
1512        return 0;
1513}
1514
1515static int finish_reply(struct fsg_common *common)
1516{
1517        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1518        int                     rc = 0;
1519
1520        switch (common->data_dir) {
1521        case DATA_DIR_NONE:
1522                break;                  /* Nothing to send */
1523
1524        /*
1525         * If we don't know whether the host wants to read or write,
1526         * this must be CB or CBI with an unknown command.  We mustn't
1527         * try to send or receive any data.  So stall both bulk pipes
1528         * if we can and wait for a reset.
1529         */
1530        case DATA_DIR_UNKNOWN:
1531                if (!common->can_stall) {
1532                        /* Nothing */
1533                } else if (fsg_is_set(common)) {
1534                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1535                        rc = halt_bulk_in_endpoint(common->fsg);
1536                } else {
1537                        /* Don't know what to do if common->fsg is NULL */
1538                        rc = -EIO;
1539                }
1540                break;
1541
1542        /* All but the last buffer of data must have already been sent */
1543        case DATA_DIR_TO_HOST:
1544                if (common->data_size == 0) {
1545                        /* Nothing to send */
1546
1547                /* Don't know what to do if common->fsg is NULL */
1548                } else if (!fsg_is_set(common)) {
1549                        rc = -EIO;
1550
1551                /* If there's no residue, simply send the last buffer */
1552                } else if (common->residue == 0) {
1553                        bh->inreq->zero = 0;
1554                        if (!start_in_transfer(common, bh))
1555                                return -EIO;
1556                        common->next_buffhd_to_fill = bh->next;
1557
1558                /*
1559                 * For Bulk-only, mark the end of the data with a short
1560                 * packet.  If we are allowed to stall, halt the bulk-in
1561                 * endpoint.  (Note: This violates the Bulk-Only Transport
1562                 * specification, which requires us to pad the data if we
1563                 * don't halt the endpoint.  Presumably nobody will mind.)
1564                 */
1565                } else {
1566                        bh->inreq->zero = 1;
1567                        if (!start_in_transfer(common, bh))
1568                                rc = -EIO;
1569                        common->next_buffhd_to_fill = bh->next;
1570                        if (common->can_stall)
1571                                rc = halt_bulk_in_endpoint(common->fsg);
1572                }
1573                break;
1574
1575        /*
1576         * We have processed all we want from the data the host has sent.
1577         * There may still be outstanding bulk-out requests.
1578         */
1579        case DATA_DIR_FROM_HOST:
1580                if (common->residue == 0) {
1581                        /* Nothing to receive */
1582
1583                /* Did the host stop sending unexpectedly early? */
1584                } else if (common->short_packet_received) {
1585                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1586                        rc = -EINTR;
1587
1588                /*
1589                 * We haven't processed all the incoming data.  Even though
1590                 * we may be allowed to stall, doing so would cause a race.
1591                 * The controller may already have ACK'ed all the remaining
1592                 * bulk-out packets, in which case the host wouldn't see a
1593                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1594                 * clear the halt -- leading to problems later on.
1595                 */
1596#if 0
1597                } else if (common->can_stall) {
1598                        if (fsg_is_set(common))
1599                                fsg_set_halt(common->fsg,
1600                                             common->fsg->bulk_out);
1601                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1602                        rc = -EINTR;
1603#endif
1604
1605                /*
1606                 * We can't stall.  Read in the excess data and throw it
1607                 * all away.
1608                 */
1609                } else {
1610                        rc = throw_away_data(common);
1611                }
1612                break;
1613        }
1614        return rc;
1615}
1616
1617static int send_status(struct fsg_common *common)
1618{
1619        struct fsg_lun          *curlun = common->curlun;
1620        struct fsg_buffhd       *bh;
1621        struct bulk_cs_wrap     *csw;
1622        int                     rc;
1623        u8                      status = US_BULK_STAT_OK;
1624        u32                     sd, sdinfo = 0;
1625
1626        /* Wait for the next buffer to become available */
1627        bh = common->next_buffhd_to_fill;
1628        while (bh->state != BUF_STATE_EMPTY) {
1629                rc = sleep_thread(common, true);
1630                if (rc)
1631                        return rc;
1632        }
1633
1634        if (curlun) {
1635                sd = curlun->sense_data;
1636                sdinfo = curlun->sense_data_info;
1637        } else if (common->bad_lun_okay)
1638                sd = SS_NO_SENSE;
1639        else
1640                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1641
1642        if (common->phase_error) {
1643                DBG(common, "sending phase-error status\n");
1644                status = US_BULK_STAT_PHASE;
1645                sd = SS_INVALID_COMMAND;
1646        } else if (sd != SS_NO_SENSE) {
1647                DBG(common, "sending command-failure status\n");
1648                status = US_BULK_STAT_FAIL;
1649                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1650                                "  info x%x\n",
1651                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1652        }
1653
1654        /* Store and send the Bulk-only CSW */
1655        csw = (void *)bh->buf;
1656
1657        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1658        csw->Tag = common->tag;
1659        csw->Residue = cpu_to_le32(common->residue);
1660        csw->Status = status;
1661
1662        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1663        bh->inreq->zero = 0;
1664        if (!start_in_transfer(common, bh))
1665                /* Don't know what to do if common->fsg is NULL */
1666                return -EIO;
1667
1668        common->next_buffhd_to_fill = bh->next;
1669        return 0;
1670}
1671
1672
1673/*-------------------------------------------------------------------------*/
1674
1675/*
1676 * Check whether the command is properly formed and whether its data size
1677 * and direction agree with the values we already have.
1678 */
1679static int check_command(struct fsg_common *common, int cmnd_size,
1680                         enum data_direction data_dir, unsigned int mask,
1681                         int needs_medium, const char *name)
1682{
1683        int                     i;
1684        unsigned int            lun = common->cmnd[1] >> 5;
1685        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1686        char                    hdlen[20];
1687        struct fsg_lun          *curlun;
1688
1689        hdlen[0] = 0;
1690        if (common->data_dir != DATA_DIR_UNKNOWN)
1691                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1692                        common->data_size);
1693        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1694             name, cmnd_size, dirletter[(int) data_dir],
1695             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1696
1697        /*
1698         * We can't reply at all until we know the correct data direction
1699         * and size.
1700         */
1701        if (common->data_size_from_cmnd == 0)
1702                data_dir = DATA_DIR_NONE;
1703        if (common->data_size < common->data_size_from_cmnd) {
1704                /*
1705                 * Host data size < Device data size is a phase error.
1706                 * Carry out the command, but only transfer as much as
1707                 * we are allowed.
1708                 */
1709                common->data_size_from_cmnd = common->data_size;
1710                common->phase_error = 1;
1711        }
1712        common->residue = common->data_size;
1713        common->usb_amount_left = common->data_size;
1714
1715        /* Conflicting data directions is a phase error */
1716        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1717                common->phase_error = 1;
1718                return -EINVAL;
1719        }
1720
1721        /* Verify the length of the command itself */
1722        if (cmnd_size != common->cmnd_size) {
1723
1724                /*
1725                 * Special case workaround: There are plenty of buggy SCSI
1726                 * implementations. Many have issues with cbw->Length
1727                 * field passing a wrong command size. For those cases we
1728                 * always try to work around the problem by using the length
1729                 * sent by the host side provided it is at least as large
1730                 * as the correct command length.
1731                 * Examples of such cases would be MS-Windows, which issues
1732                 * REQUEST SENSE with cbw->Length == 12 where it should
1733                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1734                 * REQUEST SENSE with cbw->Length == 10 where it should
1735                 * be 6 as well.
1736                 */
1737                if (cmnd_size <= common->cmnd_size) {
1738                        DBG(common, "%s is buggy! Expected length %d "
1739                            "but we got %d\n", name,
1740                            cmnd_size, common->cmnd_size);
1741                        cmnd_size = common->cmnd_size;
1742                } else {
1743                        common->phase_error = 1;
1744                        return -EINVAL;
1745                }
1746        }
1747
1748        /* Check that the LUN values are consistent */
1749        if (common->lun != lun)
1750                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1751                    common->lun, lun);
1752
1753        /* Check the LUN */
1754        curlun = common->curlun;
1755        if (curlun) {
1756                if (common->cmnd[0] != REQUEST_SENSE) {
1757                        curlun->sense_data = SS_NO_SENSE;
1758                        curlun->sense_data_info = 0;
1759                        curlun->info_valid = 0;
1760                }
1761        } else {
1762                common->bad_lun_okay = 0;
1763
1764                /*
1765                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1766                 * to use unsupported LUNs; all others may not.
1767                 */
1768                if (common->cmnd[0] != INQUIRY &&
1769                    common->cmnd[0] != REQUEST_SENSE) {
1770                        DBG(common, "unsupported LUN %u\n", common->lun);
1771                        return -EINVAL;
1772                }
1773        }
1774
1775        /*
1776         * If a unit attention condition exists, only INQUIRY and
1777         * REQUEST SENSE commands are allowed; anything else must fail.
1778         */
1779        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1780            common->cmnd[0] != INQUIRY &&
1781            common->cmnd[0] != REQUEST_SENSE) {
1782                curlun->sense_data = curlun->unit_attention_data;
1783                curlun->unit_attention_data = SS_NO_SENSE;
1784                return -EINVAL;
1785        }
1786
1787        /* Check that only command bytes listed in the mask are non-zero */
1788        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1789        for (i = 1; i < cmnd_size; ++i) {
1790                if (common->cmnd[i] && !(mask & (1 << i))) {
1791                        if (curlun)
1792                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1793                        return -EINVAL;
1794                }
1795        }
1796
1797        /* If the medium isn't mounted and the command needs to access
1798         * it, return an error. */
1799        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1800                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1801                return -EINVAL;
1802        }
1803
1804        return 0;
1805}
1806
1807/* wrapper of check_command for data size in blocks handling */
1808static int check_command_size_in_blocks(struct fsg_common *common,
1809                int cmnd_size, enum data_direction data_dir,
1810                unsigned int mask, int needs_medium, const char *name)
1811{
1812        if (common->curlun)
1813                common->data_size_from_cmnd <<= common->curlun->blkbits;
1814        return check_command(common, cmnd_size, data_dir,
1815                        mask, needs_medium, name);
1816}
1817
1818static int do_scsi_command(struct fsg_common *common)
1819{
1820        struct fsg_buffhd       *bh;
1821        int                     rc;
1822        int                     reply = -EINVAL;
1823        int                     i;
1824        static char             unknown[16];
1825
1826        dump_cdb(common);
1827
1828        /* Wait for the next buffer to become available for data or status */
1829        bh = common->next_buffhd_to_fill;
1830        common->next_buffhd_to_drain = bh;
1831        while (bh->state != BUF_STATE_EMPTY) {
1832                rc = sleep_thread(common, true);
1833                if (rc)
1834                        return rc;
1835        }
1836        common->phase_error = 0;
1837        common->short_packet_received = 0;
1838
1839        down_read(&common->filesem);    /* We're using the backing file */
1840        switch (common->cmnd[0]) {
1841
1842        case INQUIRY:
1843                common->data_size_from_cmnd = common->cmnd[4];
1844                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1845                                      (1<<4), 0,
1846                                      "INQUIRY");
1847                if (reply == 0)
1848                        reply = do_inquiry(common, bh);
1849                break;
1850
1851        case MODE_SELECT:
1852                common->data_size_from_cmnd = common->cmnd[4];
1853                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1854                                      (1<<1) | (1<<4), 0,
1855                                      "MODE SELECT(6)");
1856                if (reply == 0)
1857                        reply = do_mode_select(common, bh);
1858                break;
1859
1860        case MODE_SELECT_10:
1861                common->data_size_from_cmnd =
1862                        get_unaligned_be16(&common->cmnd[7]);
1863                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1864                                      (1<<1) | (3<<7), 0,
1865                                      "MODE SELECT(10)");
1866                if (reply == 0)
1867                        reply = do_mode_select(common, bh);
1868                break;
1869
1870        case MODE_SENSE:
1871                common->data_size_from_cmnd = common->cmnd[4];
1872                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1873                                      (1<<1) | (1<<2) | (1<<4), 0,
1874                                      "MODE SENSE(6)");
1875                if (reply == 0)
1876                        reply = do_mode_sense(common, bh);
1877                break;
1878
1879        case MODE_SENSE_10:
1880                common->data_size_from_cmnd =
1881                        get_unaligned_be16(&common->cmnd[7]);
1882                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1883                                      (1<<1) | (1<<2) | (3<<7), 0,
1884                                      "MODE SENSE(10)");
1885                if (reply == 0)
1886                        reply = do_mode_sense(common, bh);
1887                break;
1888
1889        case ALLOW_MEDIUM_REMOVAL:
1890                common->data_size_from_cmnd = 0;
1891                reply = check_command(common, 6, DATA_DIR_NONE,
1892                                      (1<<4), 0,
1893                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1894                if (reply == 0)
1895                        reply = do_prevent_allow(common);
1896                break;
1897
1898        case READ_6:
1899                i = common->cmnd[4];
1900                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1901                reply = check_command_size_in_blocks(common, 6,
1902                                      DATA_DIR_TO_HOST,
1903                                      (7<<1) | (1<<4), 1,
1904                                      "READ(6)");
1905                if (reply == 0)
1906                        reply = do_read(common);
1907                break;
1908
1909        case READ_10:
1910                common->data_size_from_cmnd =
1911                                get_unaligned_be16(&common->cmnd[7]);
1912                reply = check_command_size_in_blocks(common, 10,
1913                                      DATA_DIR_TO_HOST,
1914                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1915                                      "READ(10)");
1916                if (reply == 0)
1917                        reply = do_read(common);
1918                break;
1919
1920        case READ_12:
1921                common->data_size_from_cmnd =
1922                                get_unaligned_be32(&common->cmnd[6]);
1923                reply = check_command_size_in_blocks(common, 12,
1924                                      DATA_DIR_TO_HOST,
1925                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1926                                      "READ(12)");
1927                if (reply == 0)
1928                        reply = do_read(common);
1929                break;
1930
1931        case READ_CAPACITY:
1932                common->data_size_from_cmnd = 8;
1933                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1934                                      (0xf<<2) | (1<<8), 1,
1935                                      "READ CAPACITY");
1936                if (reply == 0)
1937                        reply = do_read_capacity(common, bh);
1938                break;
1939
1940        case READ_HEADER:
1941                if (!common->curlun || !common->curlun->cdrom)
1942                        goto unknown_cmnd;
1943                common->data_size_from_cmnd =
1944                        get_unaligned_be16(&common->cmnd[7]);
1945                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1946                                      (3<<7) | (0x1f<<1), 1,
1947                                      "READ HEADER");
1948                if (reply == 0)
1949                        reply = do_read_header(common, bh);
1950                break;
1951
1952        case READ_TOC:
1953                if (!common->curlun || !common->curlun->cdrom)
1954                        goto unknown_cmnd;
1955                common->data_size_from_cmnd =
1956                        get_unaligned_be16(&common->cmnd[7]);
1957                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1958                                      (7<<6) | (1<<1), 1,
1959                                      "READ TOC");
1960                if (reply == 0)
1961                        reply = do_read_toc(common, bh);
1962                break;
1963
1964        case READ_FORMAT_CAPACITIES:
1965                common->data_size_from_cmnd =
1966                        get_unaligned_be16(&common->cmnd[7]);
1967                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1968                                      (3<<7), 1,
1969                                      "READ FORMAT CAPACITIES");
1970                if (reply == 0)
1971                        reply = do_read_format_capacities(common, bh);
1972                break;
1973
1974        case REQUEST_SENSE:
1975                common->data_size_from_cmnd = common->cmnd[4];
1976                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1977                                      (1<<4), 0,
1978                                      "REQUEST SENSE");
1979                if (reply == 0)
1980                        reply = do_request_sense(common, bh);
1981                break;
1982
1983        case START_STOP:
1984                common->data_size_from_cmnd = 0;
1985                reply = check_command(common, 6, DATA_DIR_NONE,
1986                                      (1<<1) | (1<<4), 0,
1987                                      "START-STOP UNIT");
1988                if (reply == 0)
1989                        reply = do_start_stop(common);
1990                break;
1991
1992        case SYNCHRONIZE_CACHE:
1993                common->data_size_from_cmnd = 0;
1994                reply = check_command(common, 10, DATA_DIR_NONE,
1995                                      (0xf<<2) | (3<<7), 1,
1996                                      "SYNCHRONIZE CACHE");
1997                if (reply == 0)
1998                        reply = do_synchronize_cache(common);
1999                break;
2000

2001        case TEST_UNIT_READY:
2002                common->data_size_from_cmnd = 0;
2003                reply = check_command(common, 6, DATA_DIR_NONE,
2004                                0, 1,
2005                                "TEST UNIT READY");
2006                break;
2007
2008        /*
2009         * Although optional, this command is used by MS-Windows.  We
2010         * support a minimal version: BytChk must be 0.
2011         */
2012        case VERIFY:
2013                common->data_size_from_cmnd = 0;
2014                reply = check_command(common, 10, DATA_DIR_NONE,
2015                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2016                                      "VERIFY");
2017                if (reply == 0)
2018                        reply = do_verify(common);
2019                break;
2020
2021        case WRITE_6:
2022                i = common->cmnd[4];
2023                common->data_size_from_cmnd = (i == 0) ? 256 : i;
2024                reply = check_command_size_in_blocks(common, 6,
2025                                      DATA_DIR_FROM_HOST,
2026                                      (7<<1) | (1<<4), 1,
2027                                      "WRITE(6)");
2028                if (reply == 0)
2029                        reply = do_write(common);
2030                break;
2031
2032        case WRITE_10:
2033                common->data_size_from_cmnd =
2034                                get_unaligned_be16(&common->cmnd[7]);
2035                reply = check_command_size_in_blocks(common, 10,
2036                                      DATA_DIR_FROM_HOST,
2037                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2038                                      "WRITE(10)");
2039                if (reply == 0)
2040                        reply = do_write(common);
2041                break;
2042
2043        case WRITE_12:
2044                common->data_size_from_cmnd =
2045                                get_unaligned_be32(&common->cmnd[6]);
2046                reply = check_command_size_in_blocks(common, 12,
2047                                      DATA_DIR_FROM_HOST,
2048                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2049                                      "WRITE(12)");
2050                if (reply == 0)
2051                        reply = do_write(common);
2052                break;
2053
2054        /*
2055         * Some mandatory commands that we recognize but don't implement.
2056         * They don't mean much in this setting.  It's left as an exercise
2057         * for anyone interested to implement RESERVE and RELEASE in terms
2058         * of Posix locks.
2059         */
2060        case FORMAT_UNIT:
2061        case RELEASE:
2062        case RESERVE:
2063        case SEND_DIAGNOSTIC:
2064                /* Fall through */
2065
2066        default:
2067unknown_cmnd:
2068                common->data_size_from_cmnd = 0;
2069                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2070                reply = check_command(common, common->cmnd_size,
2071                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2072                if (reply == 0) {
2073                        common->curlun->sense_data = SS_INVALID_COMMAND;
2074                        reply = -EINVAL;
2075                }
2076                break;
2077        }
2078        up_read(&common->filesem);
2079
2080        if (reply == -EINTR || signal_pending(current))
2081                return -EINTR;
2082
2083        /* Set up the single reply buffer for finish_reply() */
2084        if (reply == -EINVAL)
2085                reply = 0;              /* Error reply length */
2086        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2087                reply = min((u32)reply, common->data_size_from_cmnd);
2088                bh->inreq->length = reply;
2089                bh->state = BUF_STATE_FULL;
2090                common->residue -= reply;
2091        }                               /* Otherwise it's already set */
2092
2093        return 0;
2094}
2095
2096
2097/*-------------------------------------------------------------------------*/
2098
2099static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2100{
2101        struct usb_request      *req = bh->outreq;
2102        struct bulk_cb_wrap     *cbw = req->buf;
2103        struct fsg_common       *common = fsg->common;
2104
2105        /* Was this a real packet?  Should it be ignored? */
2106        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2107                return -EINVAL;
2108
2109        /* Is the CBW valid? */
2110        if (req->actual != US_BULK_CB_WRAP_LEN ||
2111                        cbw->Signature != cpu_to_le32(
2112                                US_BULK_CB_SIGN)) {
2113                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2114                                req->actual,
2115                                le32_to_cpu(cbw->Signature));
2116
2117                /*
2118                 * The Bulk-only spec says we MUST stall the IN endpoint
2119                 * (6.6.1), so it's unavoidable.  It also says we must
2120                 * retain this state until the next reset, but there's
2121                 * no way to tell the controller driver it should ignore
2122                 * Clear-Feature(HALT) requests.
2123                 *
2124                 * We aren't required to halt the OUT endpoint; instead
2125                 * we can simply accept and discard any data received
2126                 * until the next reset.
2127                 */
2128                wedge_bulk_in_endpoint(fsg);
2129                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2130                return -EINVAL;
2131        }
2132
2133        /* Is the CBW meaningful? */
2134        if (cbw->Lun >= FSG_MAX_LUNS || cbw->Flags & ~US_BULK_FLAG_IN ||
2135                        cbw->Length <= 0 || cbw->Length > MAX_COMMAND_SIZE) {
2136                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2137                                "cmdlen %u\n",
2138                                cbw->Lun, cbw->Flags, cbw->Length);
2139
2140                /*
2141                 * We can do anything we want here, so let's stall the
2142                 * bulk pipes if we are allowed to.
2143                 */
2144                if (common->can_stall) {
2145                        fsg_set_halt(fsg, fsg->bulk_out);
2146                        halt_bulk_in_endpoint(fsg);
2147                }
2148                return -EINVAL;
2149        }
2150
2151        /* Save the command for later */
2152        common->cmnd_size = cbw->Length;
2153        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2154        if (cbw->Flags & US_BULK_FLAG_IN)
2155                common->data_dir = DATA_DIR_TO_HOST;
2156        else
2157                common->data_dir = DATA_DIR_FROM_HOST;
2158        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2159        if (common->data_size == 0)
2160                common->data_dir = DATA_DIR_NONE;
2161        common->lun = cbw->Lun;
2162        if (common->lun < common->nluns)
2163                common->curlun = common->luns[common->lun];
2164        else
2165                common->curlun = NULL;
2166        common->tag = cbw->Tag;
2167        return 0;
2168}
2169
2170static int get_next_command(struct fsg_common *common)
2171{
2172        struct fsg_buffhd       *bh;
2173        int                     rc = 0;
2174
2175        /* Wait for the next buffer to become available */
2176        bh = common->next_buffhd_to_fill;
2177        while (bh->state != BUF_STATE_EMPTY) {
2178                rc = sleep_thread(common, true);
2179                if (rc)
2180                        return rc;
2181        }
2182
2183        /* Queue a request to read a Bulk-only CBW */
2184        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2185        if (!start_out_transfer(common, bh))
2186                /* Don't know what to do if common->fsg is NULL */
2187                return -EIO;
2188
2189        /*
2190         * We will drain the buffer in software, which means we
2191         * can reuse it for the next filling.  No need to advance
2192         * next_buffhd_to_fill.
2193         */
2194
2195        /* Wait for the CBW to arrive */
2196        while (bh->state != BUF_STATE_FULL) {
2197                rc = sleep_thread(common, true);
2198                if (rc)
2199                        return rc;
2200        }
2201        smp_rmb();
2202        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2203        bh->state = BUF_STATE_EMPTY;
2204
2205        return rc;
2206}
2207
2208
2209/*-------------------------------------------------------------------------*/
2210
2211static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2212                struct usb_request **preq)
2213{
2214        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2215        if (*preq)
2216                return 0;
2217        ERROR(common, "can't allocate request for %s\n", ep->name);
2218        return -ENOMEM;
2219}
2220
2221/* Reset interface setting and re-init endpoint state (toggle etc). */
2222static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2223{
2224        struct fsg_dev *fsg;
2225        int i, rc = 0;
2226
2227        if (common->running)
2228                DBG(common, "reset interface\n");
2229
2230reset:
2231        /* Deallocate the requests */
2232        if (common->fsg) {
2233                fsg = common->fsg;
2234
2235                for (i = 0; i < common->fsg_num_buffers; ++i) {
2236                        struct fsg_buffhd *bh = &common->buffhds[i];
2237
2238                        if (bh->inreq) {
2239                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2240                                bh->inreq = NULL;
2241                        }
2242                        if (bh->outreq) {
2243                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2244                                bh->outreq = NULL;
2245                        }
2246                }
2247
2248                /* Disable the endpoints */
2249                if (fsg->bulk_in_enabled) {
2250                        usb_ep_disable(fsg->bulk_in);
2251                        fsg->bulk_in->driver_data = NULL;
2252                        fsg->bulk_in_enabled = 0;
2253                }
2254                if (fsg->bulk_out_enabled) {
2255                        usb_ep_disable(fsg->bulk_out);
2256                        fsg->bulk_out->driver_data = NULL;
2257                        fsg->bulk_out_enabled = 0;
2258                }
2259
2260                common->fsg = NULL;
2261                wake_up(&common->fsg_wait);
2262        }
2263
2264        common->running = 0;
2265        if (!new_fsg || rc)
2266                return rc;
2267
2268        common->fsg = new_fsg;
2269        fsg = common->fsg;
2270
2271        /* Enable the endpoints */
2272        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2273        if (rc)
2274                goto reset;
2275        rc = usb_ep_enable(fsg->bulk_in);
2276        if (rc)
2277                goto reset;
2278        fsg->bulk_in->driver_data = common;
2279        fsg->bulk_in_enabled = 1;
2280
2281        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2282                                fsg->bulk_out);
2283        if (rc)
2284                goto reset;
2285        rc = usb_ep_enable(fsg->bulk_out);
2286        if (rc)
2287                goto reset;
2288        fsg->bulk_out->driver_data = common;
2289        fsg->bulk_out_enabled = 1;
2290        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2291        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2292
2293        /* Allocate the requests */
2294        for (i = 0; i < common->fsg_num_buffers; ++i) {
2295                struct fsg_buffhd       *bh = &common->buffhds[i];
2296
2297                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2298                if (rc)
2299                        goto reset;
2300                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2301                if (rc)
2302                        goto reset;
2303                bh->inreq->buf = bh->outreq->buf = bh->buf;
2304                bh->inreq->context = bh->outreq->context = bh;
2305                bh->inreq->complete = bulk_in_complete;
2306                bh->outreq->complete = bulk_out_complete;
2307        }
2308
2309        common->running = 1;
2310        for (i = 0; i < common->nluns; ++i)
2311                if (common->luns[i])
2312                        common->luns[i]->unit_attention_data =
2313                                SS_RESET_OCCURRED;
2314        return rc;
2315}
2316
2317
2318/****************************** ALT CONFIGS ******************************/
2319
2320static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2321{
2322        struct fsg_dev *fsg = fsg_from_func(f);
2323        fsg->common->new_fsg = fsg;
2324        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2325        return USB_GADGET_DELAYED_STATUS;
2326}
2327
2328static void fsg_disable(struct usb_function *f)
2329{
2330        struct fsg_dev *fsg = fsg_from_func(f);
2331        fsg->common->new_fsg = NULL;
2332        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2333}
2334
2335
2336/*-------------------------------------------------------------------------*/
2337
2338static void handle_exception(struct fsg_common *common)
2339{
2340        siginfo_t               info;
2341        int                     i;
2342        struct fsg_buffhd       *bh;
2343        enum fsg_state          old_state;
2344        struct fsg_lun          *curlun;
2345        unsigned int            exception_req_tag;
2346
2347        /*
2348         * Clear the existing signals.  Anything but SIGUSR1 is converted
2349         * into a high-priority EXIT exception.
2350         */
2351        for (;;) {
2352                int sig =
2353                        dequeue_signal_lock(current, &current->blocked, &info);
2354                if (!sig)
2355                        break;
2356                if (sig != SIGUSR1) {
2357                        if (common->state < FSG_STATE_EXIT)
2358                                DBG(common, "Main thread exiting on signal\n");
2359                        raise_exception(common, FSG_STATE_EXIT);
2360                }
2361        }
2362
2363        /* Cancel all the pending transfers */
2364        if (likely(common->fsg)) {
2365                for (i = 0; i < common->fsg_num_buffers; ++i) {
2366                        bh = &common->buffhds[i];
2367                        if (bh->inreq_busy)
2368                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2369                        if (bh->outreq_busy)
2370                                usb_ep_dequeue(common->fsg->bulk_out,
2371                                               bh->outreq);
2372                }
2373
2374                /* Wait until everything is idle */
2375                for (;;) {
2376                        int num_active = 0;
2377                        for (i = 0; i < common->fsg_num_buffers; ++i) {
2378                                bh = &common->buffhds[i];
2379                                num_active += bh->inreq_busy + bh->outreq_busy;
2380                        }
2381                        if (num_active == 0)
2382                                break;
2383                        if (sleep_thread(common, true))
2384                                return;
2385                }
2386
2387                /* Clear out the controller's fifos */
2388                if (common->fsg->bulk_in_enabled)
2389                        usb_ep_fifo_flush(common->fsg->bulk_in);
2390                if (common->fsg->bulk_out_enabled)
2391                        usb_ep_fifo_flush(common->fsg->bulk_out);
2392        }
2393
2394        /*
2395         * Reset the I/O buffer states and pointers, the SCSI
2396         * state, and the exception.  Then invoke the handler.
2397         */
2398        spin_lock_irq(&common->lock);
2399
2400        for (i = 0; i < common->fsg_num_buffers; ++i) {
2401                bh = &common->buffhds[i];
2402                bh->state = BUF_STATE_EMPTY;
2403        }
2404        common->next_buffhd_to_fill = &common->buffhds[0];
2405        common->next_buffhd_to_drain = &common->buffhds[0];
2406        exception_req_tag = common->exception_req_tag;
2407        old_state = common->state;
2408
2409        if (old_state == FSG_STATE_ABORT_BULK_OUT)
2410                common->state = FSG_STATE_STATUS_PHASE;
2411        else {
2412                for (i = 0; i < common->nluns; ++i) {
2413                        curlun = common->luns[i];
2414                        if (!curlun)
2415                                continue;
2416                        curlun->prevent_medium_removal = 0;
2417                        curlun->sense_data = SS_NO_SENSE;
2418                        curlun->unit_attention_data = SS_NO_SENSE;
2419                        curlun->sense_data_info = 0;
2420                        curlun->info_valid = 0;
2421                }
2422                common->state = FSG_STATE_IDLE;
2423        }
2424        spin_unlock_irq(&common->lock);
2425
2426        /* Carry out any extra actions required for the exception */
2427        switch (old_state) {
2428        case FSG_STATE_ABORT_BULK_OUT:
2429                send_status(common);
2430                spin_lock_irq(&common->lock);
2431                if (common->state == FSG_STATE_STATUS_PHASE)
2432                        common->state = FSG_STATE_IDLE;
2433                spin_unlock_irq(&common->lock);
2434                break;
2435
2436        case FSG_STATE_RESET:
2437                /*
2438                 * In case we were forced against our will to halt a
2439                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2440                 * requires this.)
2441                 */
2442                if (!fsg_is_set(common))
2443                        break;
2444                if (test_and_clear_bit(IGNORE_BULK_OUT,
2445                                       &common->fsg->atomic_bitflags))
2446                        usb_ep_clear_halt(common->fsg->bulk_in);
2447
2448                if (common->ep0_req_tag == exception_req_tag)
2449                        ep0_queue(common);      /* Complete the status stage */
2450
2451                /*
2452                 * Technically this should go here, but it would only be
2453                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2454                 * CONFIG_CHANGE cases.
2455                 */
2456                /* for (i = 0; i < common->nluns; ++i) */
2457                /*      if (common->luns[i]) */
2458                /*              common->luns[i]->unit_attention_data = */
2459                /*                      SS_RESET_OCCURRED;  */
2460                break;
2461
2462        case FSG_STATE_CONFIG_CHANGE:
2463                do_set_interface(common, common->new_fsg);
2464                if (common->new_fsg)
2465                        usb_composite_setup_continue(common->cdev);
2466                break;
2467
2468        case FSG_STATE_EXIT:
2469        case FSG_STATE_TERMINATED:
2470                do_set_interface(common, NULL);         /* Free resources */
2471                spin_lock_irq(&common->lock);
2472                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2473                spin_unlock_irq(&common->lock);
2474                break;
2475
2476        case FSG_STATE_INTERFACE_CHANGE:
2477        case FSG_STATE_DISCONNECT:
2478        case FSG_STATE_COMMAND_PHASE:
2479        case FSG_STATE_DATA_PHASE:
2480        case FSG_STATE_STATUS_PHASE:
2481        case FSG_STATE_IDLE:
2482                break;
2483        }
2484}
2485
2486
2487/*-------------------------------------------------------------------------*/
2488
2489static int fsg_main_thread(void *common_)
2490{
2491        struct fsg_common       *common = common_;
2492
2493        /*
2494         * Allow the thread to be killed by a signal, but set the signal mask
2495         * to block everything but INT, TERM, KILL, and USR1.
2496         */
2497        allow_signal(SIGINT);
2498        allow_signal(SIGTERM);
2499        allow_signal(SIGKILL);
2500        allow_signal(SIGUSR1);
2501
2502        /* Allow the thread to be frozen */
2503        set_freezable();
2504
2505        /*
2506         * Arrange for userspace references to be interpreted as kernel
2507         * pointers.  That way we can pass a kernel pointer to a routine
2508         * that expects a __user pointer and it will work okay.
2509         */
2510        set_fs(get_ds());
2511
2512        /* The main loop */
2513        while (common->state != FSG_STATE_TERMINATED) {
2514                if (exception_in_progress(common) || signal_pending(current)) {
2515                        handle_exception(common);
2516                        continue;
2517                }
2518
2519                if (!common->running) {
2520                        sleep_thread(common, true);
2521                        continue;
2522                }
2523
2524                if (get_next_command(common))
2525                        continue;
2526
2527                spin_lock_irq(&common->lock);
2528                if (!exception_in_progress(common))
2529                        common->state = FSG_STATE_DATA_PHASE;
2530                spin_unlock_irq(&common->lock);
2531
2532                if (do_scsi_command(common) || finish_reply(common))
2533                        continue;
2534
2535                spin_lock_irq(&common->lock);
2536                if (!exception_in_progress(common))
2537                        common->state = FSG_STATE_STATUS_PHASE;
2538                spin_unlock_irq(&common->lock);
2539
2540                if (send_status(common))
2541                        continue;
2542
2543                spin_lock_irq(&common->lock);
2544                if (!exception_in_progress(common))
2545                        common->state = FSG_STATE_IDLE;
2546                spin_unlock_irq(&common->lock);
2547        }
2548
2549        spin_lock_irq(&common->lock);
2550        common->thread_task = NULL;
2551        spin_unlock_irq(&common->lock);
2552
2553        if (!common->ops || !common->ops->thread_exits
2554         || common->ops->thread_exits(common) < 0) {
2555                struct fsg_lun **curlun_it = common->luns;
2556                unsigned i = common->nluns;
2557
2558                down_write(&common->filesem);
2559                for (; i--; ++curlun_it) {
2560                        struct fsg_lun *curlun = *curlun_it;
2561                        if (!curlun || !fsg_lun_is_open(curlun))
2562                                continue;
2563
2564                        fsg_lun_close(curlun);
2565                        curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
2566                }
2567                up_write(&common->filesem);
2568        }
2569
2570        /* Let fsg_unbind() know the thread has exited */
2571        complete_and_exit(&common->thread_notifier, 0);
2572}
2573
2574
2575/*************************** DEVICE ATTRIBUTES ***************************/
2576
2577static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2578{
2579        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2580
2581        return fsg_show_ro(curlun, buf);
2582}
2583
2584static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2585                          char *buf)
2586{
2587        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2588
2589        return fsg_show_nofua(curlun, buf);
2590}
2591
2592static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2593                         char *buf)
2594{
2595        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2596        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2597
2598        return fsg_show_file(curlun, filesem, buf);
2599}
2600
2601static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2602                        const char *buf, size_t count)
2603{
2604        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2605        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2606
2607        return fsg_store_ro(curlun, filesem, buf, count);
2608}
2609
2610static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2611                           const char *buf, size_t count)
2612{
2613        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2614
2615        return fsg_store_nofua(curlun, buf, count);
2616}
2617
2618static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2619                          const char *buf, size_t count)
2620{
2621        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2622        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2623
2624        return fsg_store_file(curlun, filesem, buf, count);
2625}
2626
2627static DEVICE_ATTR_RW(ro);
2628static DEVICE_ATTR_RW(nofua);
2629static DEVICE_ATTR_RW(file);
2630
2631static struct device_attribute dev_attr_ro_cdrom = __ATTR_RO(ro);
2632static struct device_attribute dev_attr_file_nonremovable = __ATTR_RO(file);
2633
2634
2635/****************************** FSG COMMON ******************************/
2636
2637static void fsg_common_release(struct kref *ref);
2638
2639static void fsg_lun_release(struct device *dev)
2640{
2641        /* Nothing needs to be done */
2642}
2643
2644void fsg_common_get(struct fsg_common *common)
2645{
2646        kref_get(&common->ref);
2647}
2648EXPORT_SYMBOL_GPL(fsg_common_get);
2649
2650void fsg_common_put(struct fsg_common *common)
2651{
2652        kref_put(&common->ref, fsg_common_release);
2653}
2654EXPORT_SYMBOL_GPL(fsg_common_put);
2655
2656/* check if fsg_num_buffers is within a valid range */
2657static inline int fsg_num_buffers_validate(unsigned int fsg_num_buffers)
2658{
2659        if (fsg_num_buffers >= 2 && fsg_num_buffers <= 4)
2660                return 0;
2661        pr_err("fsg_num_buffers %u is out of range (%d to %d)\n",
2662               fsg_num_buffers, 2, 4);
2663        return -EINVAL;
2664}
2665
2666static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2667{
2668        if (!common) {
2669                common = kzalloc(sizeof(*common), GFP_KERNEL);
2670                if (!common)
2671                        return ERR_PTR(-ENOMEM);
2672                common->free_storage_on_release = 1;
2673        } else {
2674                common->free_storage_on_release = 0;
2675        }
2676        init_rwsem(&common->filesem);
2677        spin_lock_init(&common->lock);
2678        kref_init(&common->ref);
2679        init_completion(&common->thread_notifier);
2680        init_waitqueue_head(&common->fsg_wait);
2681        common->state = FSG_STATE_TERMINATED;
2682
2683        return common;
2684}
2685
2686void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2687{
2688        common->sysfs = sysfs;
2689}
2690EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2691
2692static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2693{
2694        if (buffhds) {
2695                struct fsg_buffhd *bh = buffhds;
2696                while (n--) {
2697                        kfree(bh->buf);
2698                        ++bh;
2699                }
2700                kfree(buffhds);
2701        }
2702}
2703
2704int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2705{
2706        struct fsg_buffhd *bh, *buffhds;
2707        int i, rc;
2708
2709        rc = fsg_num_buffers_validate(n);
2710        if (rc != 0)
2711                return rc;
2712
2713        buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2714        if (!buffhds)
2715                return -ENOMEM;
2716
2717        /* Data buffers cyclic list */
2718        bh = buffhds;
2719        i = n;
2720        goto buffhds_first_it;
2721        do {
2722                bh->next = bh + 1;
2723                ++bh;
2724buffhds_first_it:
2725                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2726                if (unlikely(!bh->buf))
2727                        goto error_release;
2728        } while (--i);
2729        bh->next = buffhds;
2730
2731        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2732        common->fsg_num_buffers = n;
2733        common->buffhds = buffhds;
2734
2735        return 0;
2736
2737error_release:
2738        /*
2739         * "buf"s pointed to by heads after n - i are NULL
2740         * so releasing them won't hurt
2741         */
2742        _fsg_common_free_buffers(buffhds, n);
2743
2744        return -ENOMEM;
2745}
2746EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2747
2748static inline void fsg_common_remove_sysfs(struct fsg_lun *lun)
2749{
2750        device_remove_file(&lun->dev, &dev_attr_nofua);
2751        /*
2752         * device_remove_file() =>
2753         *
2754         * here the attr (e.g. dev_attr_ro) is only used to be passed to:
2755         *
2756         *      sysfs_remove_file() =>
2757         *
2758         *      here e.g. both dev_attr_ro_cdrom and dev_attr_ro are in
2759         *      the same namespace and
2760         *      from here only attr->name is passed to:
2761         *
2762         *              sysfs_hash_and_remove()
2763         *
2764         *              attr->name is the same for dev_attr_ro_cdrom and
2765         *              dev_attr_ro
2766         *              attr->name is the same for dev_attr_file and
2767         *              dev_attr_file_nonremovable
2768         *
2769         * so we don't differentiate between removing e.g. dev_attr_ro_cdrom
2770         * and dev_attr_ro
2771         */
2772        device_remove_file(&lun->dev, &dev_attr_ro);
2773        device_remove_file(&lun->dev, &dev_attr_file);
2774}
2775
2776void fsg_common_remove_lun(struct fsg_lun *lun, bool sysfs)
2777{
2778        if (sysfs) {
2779                fsg_common_remove_sysfs(lun);
2780                device_unregister(&lun->dev);
2781        }
2782        fsg_lun_close(lun);
2783        kfree(lun);
2784}
2785EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2786
2787static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2788{
2789        int i;
2790
2791        for (i = 0; i < n; ++i)
2792                if (common->luns[i]) {
2793                        fsg_common_remove_lun(common->luns[i], common->sysfs);
2794                        common->luns[i] = NULL;
2795                }
2796}
2797EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2798
2799void fsg_common_remove_luns(struct fsg_common *common)
2800{
2801        _fsg_common_remove_luns(common, common->nluns);
2802}
2803
2804void fsg_common_free_luns(struct fsg_common *common)
2805{
2806        fsg_common_remove_luns(common);
2807        kfree(common->luns);
2808        common->luns = NULL;
2809}
2810EXPORT_SYMBOL_GPL(fsg_common_free_luns);
2811
2812int fsg_common_set_nluns(struct fsg_common *common, int nluns)
2813{
2814        struct fsg_lun **curlun;
2815
2816        /* Find out how many LUNs there should be */
2817        if (nluns < 1 || nluns > FSG_MAX_LUNS) {
2818                pr_err("invalid number of LUNs: %u\n", nluns);
2819                return -EINVAL;
2820        }
2821
2822        curlun = kcalloc(nluns, sizeof(*curlun), GFP_KERNEL);
2823        if (unlikely(!curlun))
2824                return -ENOMEM;
2825
2826        if (common->luns)
2827                fsg_common_free_luns(common);
2828
2829        common->luns = curlun;
2830        common->nluns = nluns;
2831
2832        pr_info("Number of LUNs=%d\n", common->nluns);
2833
2834        return 0;
2835}
2836EXPORT_SYMBOL_GPL(fsg_common_set_nluns);
2837
2838void fsg_common_set_ops(struct fsg_common *common,
2839                        const struct fsg_operations *ops)
2840{
2841        common->ops = ops;
2842}
2843EXPORT_SYMBOL_GPL(fsg_common_set_ops);
2844
2845void fsg_common_free_buffers(struct fsg_common *common)
2846{
2847        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2848        common->buffhds = NULL;
2849}
2850EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2851
2852int fsg_common_set_cdev(struct fsg_common *common,
2853                         struct usb_composite_dev *cdev, bool can_stall)
2854{
2855        struct usb_string *us;
2856
2857        common->gadget = cdev->gadget;
2858        common->ep0 = cdev->gadget->ep0;
2859        common->ep0req = cdev->req;
2860        common->cdev = cdev;
2861
2862        us = usb_gstrings_attach(cdev, fsg_strings_array,
2863                                 ARRAY_SIZE(fsg_strings));
2864        if (IS_ERR(us))
2865                return PTR_ERR(us);
2866
2867        fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2868
2869        /*
2870         * Some peripheral controllers are known not to be able to
2871         * halt bulk endpoints correctly.  If one of them is present,
2872         * disable stalls.
2873         */
2874        common->can_stall = can_stall && !(gadget_is_at91(common->gadget));
2875
2876        return 0;
2877}
2878EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2879
2880static inline int fsg_common_add_sysfs(struct fsg_common *common,
2881                                       struct fsg_lun *lun)
2882{
2883        int rc;
2884
2885        rc = device_register(&lun->dev);
2886        if (rc) {
2887                put_device(&lun->dev);
2888                return rc;
2889        }
2890
2891        rc = device_create_file(&lun->dev,
2892                                lun->cdrom
2893                              ? &dev_attr_ro_cdrom
2894                              : &dev_attr_ro);
2895        if (rc)
2896                goto error;
2897        rc = device_create_file(&lun->dev,
2898                                lun->removable
2899                              ? &dev_attr_file
2900                              : &dev_attr_file_nonremovable);
2901        if (rc)
2902                goto error;
2903        rc = device_create_file(&lun->dev, &dev_attr_nofua);
2904        if (rc)
2905                goto error;
2906
2907        return 0;
2908
2909error:
2910        /* removing nonexistent files is a no-op */
2911        fsg_common_remove_sysfs(lun);
2912        device_unregister(&lun->dev);
2913        return rc;
2914}
2915
2916int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2917                          unsigned int id, const char *name,
2918                          const char **name_pfx)
2919{
2920        struct fsg_lun *lun;
2921        char *pathbuf, *p;
2922        int rc = -ENOMEM;
2923
2924        if (!common->nluns || !common->luns)
2925                return -ENODEV;
2926
2927        if (common->luns[id])
2928                return -EBUSY;
2929
2930        if (!cfg->filename && !cfg->removable) {
2931                pr_err("no file given for LUN%d\n", id);
2932                return -EINVAL;
2933        }
2934
2935        lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2936        if (!lun)
2937                return -ENOMEM;
2938
2939        lun->name_pfx = name_pfx;
2940
2941        lun->cdrom = !!cfg->cdrom;
2942        lun->ro = cfg->cdrom || cfg->ro;
2943        lun->initially_ro = lun->ro;
2944        lun->removable = !!cfg->removable;
2945
2946        if (!common->sysfs) {
2947                /* we DON'T own the name!*/
2948                lun->name = name;
2949        } else {
2950                lun->dev.release = fsg_lun_release;
2951                lun->dev.parent = &common->gadget->dev;
2952                dev_set_drvdata(&lun->dev, &common->filesem);
2953                dev_set_name(&lun->dev, "%s", name);
2954                lun->name = dev_name(&lun->dev);
2955
2956                rc = fsg_common_add_sysfs(common, lun);
2957                if (rc) {
2958                        pr_info("failed to register LUN%d: %d\n", id, rc);
2959                        goto error_sysfs;
2960                }
2961        }
2962
2963        common->luns[id] = lun;
2964
2965        if (cfg->filename) {
2966                rc = fsg_lun_open(lun, cfg->filename);
2967                if (rc)
2968                        goto error_lun;
2969        }
2970
2971        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2972        p = "(no medium)";
2973        if (fsg_lun_is_open(lun)) {
2974                p = "(error)";
2975                if (pathbuf) {
2976                        p = d_path(&lun->filp->f_path, pathbuf, PATH_MAX);
2977                        if (IS_ERR(p))
2978                                p = "(error)";
2979                }
2980        }
2981        pr_info("LUN: %s%s%sfile: %s\n",
2982              lun->removable ? "removable " : "",
2983              lun->ro ? "read only " : "",
2984              lun->cdrom ? "CD-ROM " : "",
2985              p);
2986        kfree(pathbuf);
2987
2988        return 0;
2989
2990error_lun:
2991        if (common->sysfs) {
2992                fsg_common_remove_sysfs(lun);
2993                device_unregister(&lun->dev);
2994        }
2995        fsg_lun_close(lun);
2996        common->luns[id] = NULL;
2997error_sysfs:
2998        kfree(lun);
2999        return rc;
3000}

3001EXPORT_SYMBOL_GPL(fsg_common_create_lun);
3002
3003int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
3004{
3005        char buf[8]; /* enough for 100000000 different numbers, decimal */
3006        int i, rc;
3007
3008        for (i = 0; i < common->nluns; ++i) {
3009                snprintf(buf, sizeof(buf), "lun%d", i);
3010                rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
3011                if (rc)
3012                        goto fail;
3013        }
3014
3015        pr_info("Number of LUNs=%d\n", common->nluns);
3016
3017        return 0;
3018
3019fail:
3020        _fsg_common_remove_luns(common, i);
3021        return rc;
3022}
3023EXPORT_SYMBOL_GPL(fsg_common_create_luns);
3024
3025void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
3026                                   const char *pn)
3027{
3028        int i;
3029
3030        /* Prepare inquiryString */
3031        i = get_default_bcdDevice();
3032        snprintf(common->inquiry_string, sizeof(common->inquiry_string),
3033                 "%-8s%-16s%04x", vn ?: "Linux",
3034                 /* Assume product name dependent on the first LUN */
3035                 pn ?: ((*common->luns)->cdrom
3036                     ? "File-CD Gadget"
3037                     : "File-Stor Gadget"),
3038                 i);
3039}
3040EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
3041
3042int fsg_common_run_thread(struct fsg_common *common)
3043{
3044        common->state = FSG_STATE_IDLE;
3045        /* Tell the thread to start working */
3046        common->thread_task =
3047                kthread_create(fsg_main_thread, common, "file-storage");
3048        if (IS_ERR(common->thread_task)) {
3049                common->state = FSG_STATE_TERMINATED;
3050                return PTR_ERR(common->thread_task);
3051        }
3052
3053        DBG(common, "I/O thread pid: %d\n", task_pid_nr(common->thread_task));
3054
3055        wake_up_process(common->thread_task);
3056
3057        return 0;
3058}
3059EXPORT_SYMBOL_GPL(fsg_common_run_thread);
3060
3061static void fsg_common_release(struct kref *ref)
3062{
3063        struct fsg_common *common = container_of(ref, struct fsg_common, ref);
3064
3065        /* If the thread isn't already dead, tell it to exit now */
3066        if (common->state != FSG_STATE_TERMINATED) {
3067                raise_exception(common, FSG_STATE_EXIT);
3068                wait_for_completion(&common->thread_notifier);
3069        }
3070
3071        if (likely(common->luns)) {
3072                struct fsg_lun **lun_it = common->luns;
3073                unsigned i = common->nluns;
3074
3075                /* In error recovery common->nluns may be zero. */
3076                for (; i; --i, ++lun_it) {
3077                        struct fsg_lun *lun = *lun_it;
3078                        if (!lun)
3079                                continue;
3080                        if (common->sysfs)
3081                                fsg_common_remove_sysfs(lun);
3082                        fsg_lun_close(lun);
3083                        if (common->sysfs)
3084                                device_unregister(&lun->dev);
3085                        kfree(lun);
3086                }
3087
3088                kfree(common->luns);
3089        }
3090
3091        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
3092        if (common->free_storage_on_release)
3093                kfree(common);
3094}
3095
3096
3097/*-------------------------------------------------------------------------*/
3098
3099static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
3100{
3101        struct fsg_dev          *fsg = fsg_from_func(f);
3102        struct usb_gadget       *gadget = c->cdev->gadget;
3103        int                     i;
3104        struct usb_ep           *ep;
3105        unsigned                max_burst;
3106        int                     ret;
3107        struct fsg_opts         *opts;
3108
3109        opts = fsg_opts_from_func_inst(f->fi);
3110        if (!opts->no_configfs) {
3111                ret = fsg_common_set_cdev(fsg->common, c->cdev,
3112                                          fsg->common->can_stall);
3113                if (ret)
3114                        return ret;
3115                fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
3116                ret = fsg_common_run_thread(fsg->common);
3117                if (ret)
3118                        return ret;
3119        }
3120
3121        fsg->gadget = gadget;
3122
3123        /* New interface */
3124        i = usb_interface_id(c, f);
3125        if (i < 0)
3126                return i;
3127        fsg_intf_desc.bInterfaceNumber = i;
3128        fsg->interface_number = i;
3129
3130        /* Find all the endpoints we will use */
3131        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
3132        if (!ep)
3133                goto autoconf_fail;
3134        ep->driver_data = fsg->common;  /* claim the endpoint */
3135        fsg->bulk_in = ep;
3136
3137        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
3138        if (!ep)
3139                goto autoconf_fail;
3140        ep->driver_data = fsg->common;  /* claim the endpoint */
3141        fsg->bulk_out = ep;
3142
3143        /* Assume endpoint addresses are the same for both speeds */
3144        fsg_hs_bulk_in_desc.bEndpointAddress =
3145                fsg_fs_bulk_in_desc.bEndpointAddress;
3146        fsg_hs_bulk_out_desc.bEndpointAddress =
3147                fsg_fs_bulk_out_desc.bEndpointAddress;
3148
3149        /* Calculate bMaxBurst, we know packet size is 1024 */
3150        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
3151
3152        fsg_ss_bulk_in_desc.bEndpointAddress =
3153                fsg_fs_bulk_in_desc.bEndpointAddress;
3154        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
3155
3156        fsg_ss_bulk_out_desc.bEndpointAddress =
3157                fsg_fs_bulk_out_desc.bEndpointAddress;
3158        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
3159
3160        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
3161                        fsg_ss_function);
3162        if (ret)
3163                goto autoconf_fail;
3164
3165        return 0;
3166
3167autoconf_fail:
3168        ERROR(fsg, "unable to autoconfigure all endpoints\n");
3169        return -ENOTSUPP;
3170}
3171
3172/****************************** ALLOCATE FUNCTION *************************/
3173
3174static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
3175{
3176        struct fsg_dev          *fsg = fsg_from_func(f);
3177        struct fsg_common       *common = fsg->common;
3178
3179        DBG(fsg, "unbind\n");
3180        if (fsg->common->fsg == fsg) {
3181                fsg->common->new_fsg = NULL;
3182                raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
3183                /* FIXME: make interruptible or killable somehow? */
3184                wait_event(common->fsg_wait, common->fsg != fsg);
3185        }
3186
3187        usb_free_all_descriptors(&fsg->function);
3188}
3189
3190static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3191{
3192        return container_of(to_config_group(item), struct fsg_lun_opts, group);
3193}
3194
3195static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3196{
3197        return container_of(to_config_group(item), struct fsg_opts,
3198                            func_inst.group);
3199}
3200
3201CONFIGFS_ATTR_STRUCT(fsg_lun_opts);
3202CONFIGFS_ATTR_OPS(fsg_lun_opts);
3203
3204static void fsg_lun_attr_release(struct config_item *item)
3205{
3206        struct fsg_lun_opts *lun_opts;
3207
3208        lun_opts = to_fsg_lun_opts(item);
3209        kfree(lun_opts);
3210}
3211
3212static struct configfs_item_operations fsg_lun_item_ops = {
3213        .release                = fsg_lun_attr_release,
3214        .show_attribute         = fsg_lun_opts_attr_show,
3215        .store_attribute        = fsg_lun_opts_attr_store,
3216};
3217
3218static ssize_t fsg_lun_opts_file_show(struct fsg_lun_opts *opts, char *page)
3219{
3220        struct fsg_opts *fsg_opts;
3221
3222        fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3223
3224        return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3225}
3226
3227static ssize_t fsg_lun_opts_file_store(struct fsg_lun_opts *opts,
3228                                       const char *page, size_t len)
3229{
3230        struct fsg_opts *fsg_opts;
3231
3232        fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3233
3234        return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3235}
3236
3237static struct fsg_lun_opts_attribute fsg_lun_opts_file =
3238        __CONFIGFS_ATTR(file, S_IRUGO | S_IWUSR, fsg_lun_opts_file_show,
3239                        fsg_lun_opts_file_store);
3240
3241static ssize_t fsg_lun_opts_ro_show(struct fsg_lun_opts *opts, char *page)
3242{
3243        return fsg_show_ro(opts->lun, page);
3244}
3245
3246static ssize_t fsg_lun_opts_ro_store(struct fsg_lun_opts *opts,
3247                                       const char *page, size_t len)
3248{
3249        struct fsg_opts *fsg_opts;
3250
3251        fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3252
3253        return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3254}
3255
3256static struct fsg_lun_opts_attribute fsg_lun_opts_ro =
3257        __CONFIGFS_ATTR(ro, S_IRUGO | S_IWUSR, fsg_lun_opts_ro_show,
3258                        fsg_lun_opts_ro_store);
3259
3260static ssize_t fsg_lun_opts_removable_show(struct fsg_lun_opts *opts,
3261                                           char *page)
3262{
3263        return fsg_show_removable(opts->lun, page);
3264}
3265
3266static ssize_t fsg_lun_opts_removable_store(struct fsg_lun_opts *opts,
3267                                       const char *page, size_t len)
3268{
3269        return fsg_store_removable(opts->lun, page, len);
3270}
3271
3272static struct fsg_lun_opts_attribute fsg_lun_opts_removable =
3273        __CONFIGFS_ATTR(removable, S_IRUGO | S_IWUSR,
3274                        fsg_lun_opts_removable_show,
3275                        fsg_lun_opts_removable_store);
3276
3277static ssize_t fsg_lun_opts_cdrom_show(struct fsg_lun_opts *opts, char *page)
3278{
3279        return fsg_show_cdrom(opts->lun, page);
3280}
3281
3282static ssize_t fsg_lun_opts_cdrom_store(struct fsg_lun_opts *opts,
3283                                       const char *page, size_t len)
3284{
3285        struct fsg_opts *fsg_opts;
3286
3287        fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3288
3289        return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3290                               len);
3291}
3292
3293static struct fsg_lun_opts_attribute fsg_lun_opts_cdrom =
3294        __CONFIGFS_ATTR(cdrom, S_IRUGO | S_IWUSR, fsg_lun_opts_cdrom_show,
3295                        fsg_lun_opts_cdrom_store);
3296
3297static ssize_t fsg_lun_opts_nofua_show(struct fsg_lun_opts *opts, char *page)
3298{
3299        return fsg_show_nofua(opts->lun, page);
3300}
3301
3302static ssize_t fsg_lun_opts_nofua_store(struct fsg_lun_opts *opts,
3303                                       const char *page, size_t len)
3304{
3305        return fsg_store_nofua(opts->lun, page, len);
3306}
3307
3308static struct fsg_lun_opts_attribute fsg_lun_opts_nofua =
3309        __CONFIGFS_ATTR(nofua, S_IRUGO | S_IWUSR, fsg_lun_opts_nofua_show,
3310                        fsg_lun_opts_nofua_store);
3311
3312static struct configfs_attribute *fsg_lun_attrs[] = {
3313        &fsg_lun_opts_file.attr,
3314        &fsg_lun_opts_ro.attr,
3315        &fsg_lun_opts_removable.attr,
3316        &fsg_lun_opts_cdrom.attr,
3317        &fsg_lun_opts_nofua.attr,
3318        NULL,
3319};
3320
3321static struct config_item_type fsg_lun_type = {
3322        .ct_item_ops    = &fsg_lun_item_ops,
3323        .ct_attrs       = fsg_lun_attrs,
3324        .ct_owner       = THIS_MODULE,
3325};
3326
3327static struct config_group *fsg_lun_make(struct config_group *group,
3328                                         const char *name)
3329{
3330        struct fsg_lun_opts *opts;
3331        struct fsg_opts *fsg_opts;
3332        struct fsg_lun_config config;
3333        char *num_str;
3334        u8 num;
3335        int ret;
3336
3337        num_str = strchr(name, '.');
3338        if (!num_str) {
3339                pr_err("Unable to locate . in LUN.NUMBER\n");
3340                return ERR_PTR(-EINVAL);
3341        }
3342        num_str++;
3343
3344        ret = kstrtou8(num_str, 0, &num);
3345        if (ret)
3346                return ERR_PTR(ret);
3347
3348        fsg_opts = to_fsg_opts(&group->cg_item);
3349        if (num >= FSG_MAX_LUNS)
3350                return ERR_PTR(-ERANGE);
3351
3352        mutex_lock(&fsg_opts->lock);
3353        if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3354                ret = -EBUSY;
3355                goto out;
3356        }
3357
3358        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3359        if (!opts) {
3360                ret = -ENOMEM;
3361                goto out;
3362        }
3363
3364        memset(&config, 0, sizeof(config));
3365        config.removable = true;
3366
3367        ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3368                                    (const char **)&group->cg_item.ci_name);
3369        if (ret) {
3370                kfree(opts);
3371                goto out;
3372        }
3373        opts->lun = fsg_opts->common->luns[num];
3374        opts->lun_id = num;
3375        mutex_unlock(&fsg_opts->lock);
3376
3377        config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3378
3379        return &opts->group;
3380out:
3381        mutex_unlock(&fsg_opts->lock);
3382        return ERR_PTR(ret);
3383}
3384
3385static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3386{
3387        struct fsg_lun_opts *lun_opts;
3388        struct fsg_opts *fsg_opts;
3389
3390        lun_opts = to_fsg_lun_opts(item);
3391        fsg_opts = to_fsg_opts(&group->cg_item);
3392
3393        mutex_lock(&fsg_opts->lock);
3394        if (fsg_opts->refcnt) {
3395                struct config_item *gadget;
3396
3397                gadget = group->cg_item.ci_parent->ci_parent;
3398                unregister_gadget_item(gadget);
3399        }
3400
3401        fsg_common_remove_lun(lun_opts->lun, fsg_opts->common->sysfs);
3402        fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3403        lun_opts->lun_id = 0;
3404        mutex_unlock(&fsg_opts->lock);
3405
3406        config_item_put(item);
3407}
3408
3409CONFIGFS_ATTR_STRUCT(fsg_opts);
3410CONFIGFS_ATTR_OPS(fsg_opts);
3411
3412static void fsg_attr_release(struct config_item *item)
3413{
3414        struct fsg_opts *opts = to_fsg_opts(item);
3415
3416        usb_put_function_instance(&opts->func_inst);
3417}
3418
3419static struct configfs_item_operations fsg_item_ops = {
3420        .release                = fsg_attr_release,
3421        .show_attribute         = fsg_opts_attr_show,
3422        .store_attribute        = fsg_opts_attr_store,
3423};
3424
3425static ssize_t fsg_opts_stall_show(struct fsg_opts *opts, char *page)
3426{
3427        int result;
3428
3429        mutex_lock(&opts->lock);
3430        result = sprintf(page, "%d", opts->common->can_stall);
3431        mutex_unlock(&opts->lock);
3432
3433        return result;
3434}
3435
3436static ssize_t fsg_opts_stall_store(struct fsg_opts *opts, const char *page,
3437                                    size_t len)
3438{
3439        int ret;
3440        bool stall;
3441
3442        mutex_lock(&opts->lock);
3443
3444        if (opts->refcnt) {
3445                mutex_unlock(&opts->lock);
3446                return -EBUSY;
3447        }
3448
3449        ret = strtobool(page, &stall);
3450        if (!ret) {
3451                opts->common->can_stall = stall;
3452                ret = len;
3453        }
3454
3455        mutex_unlock(&opts->lock);
3456
3457        return ret;
3458}
3459
3460static struct fsg_opts_attribute fsg_opts_stall =
3461        __CONFIGFS_ATTR(stall, S_IRUGO | S_IWUSR, fsg_opts_stall_show,
3462                        fsg_opts_stall_store);
3463
3464#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3465static ssize_t fsg_opts_num_buffers_show(struct fsg_opts *opts, char *page)
3466{
3467        int result;
3468
3469        mutex_lock(&opts->lock);
3470        result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3471        mutex_unlock(&opts->lock);
3472
3473        return result;
3474}
3475
3476static ssize_t fsg_opts_num_buffers_store(struct fsg_opts *opts,
3477                                          const char *page, size_t len)
3478{
3479        int ret;
3480        u8 num;
3481
3482        mutex_lock(&opts->lock);
3483        if (opts->refcnt) {
3484                ret = -EBUSY;
3485                goto end;
3486        }
3487        ret = kstrtou8(page, 0, &num);
3488        if (ret)
3489                goto end;
3490
3491        ret = fsg_num_buffers_validate(num);
3492        if (ret)
3493                goto end;
3494
3495        fsg_common_set_num_buffers(opts->common, num);
3496        ret = len;
3497
3498end:
3499        mutex_unlock(&opts->lock);
3500        return ret;
3501}
3502
3503static struct fsg_opts_attribute fsg_opts_num_buffers =
3504        __CONFIGFS_ATTR(num_buffers, S_IRUGO | S_IWUSR,
3505                        fsg_opts_num_buffers_show,
3506                        fsg_opts_num_buffers_store);
3507
3508#endif
3509
3510static struct configfs_attribute *fsg_attrs[] = {
3511        &fsg_opts_stall.attr,
3512#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3513        &fsg_opts_num_buffers.attr,
3514#endif
3515        NULL,
3516};
3517
3518static struct configfs_group_operations fsg_group_ops = {
3519        .make_group     = fsg_lun_make,
3520        .drop_item      = fsg_lun_drop,
3521};
3522
3523static struct config_item_type fsg_func_type = {
3524        .ct_item_ops    = &fsg_item_ops,
3525        .ct_group_ops   = &fsg_group_ops,
3526        .ct_attrs       = fsg_attrs,
3527        .ct_owner       = THIS_MODULE,
3528};
3529
3530static void fsg_free_inst(struct usb_function_instance *fi)
3531{
3532        struct fsg_opts *opts;
3533
3534        opts = fsg_opts_from_func_inst(fi);
3535        fsg_common_put(opts->common);
3536        kfree(opts);
3537}
3538
3539static struct usb_function_instance *fsg_alloc_inst(void)
3540{
3541        struct fsg_opts *opts;
3542        struct fsg_lun_config config;
3543        int rc;
3544
3545        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3546        if (!opts)
3547                return ERR_PTR(-ENOMEM);
3548        mutex_init(&opts->lock);
3549        opts->func_inst.free_func_inst = fsg_free_inst;
3550        opts->common = fsg_common_setup(opts->common);
3551        if (IS_ERR(opts->common)) {
3552                rc = PTR_ERR(opts->common);
3553                goto release_opts;
3554        }
3555        rc = fsg_common_set_nluns(opts->common, FSG_MAX_LUNS);
3556        if (rc)
3557                goto release_opts;
3558
3559        rc = fsg_common_set_num_buffers(opts->common,
3560                                        CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3561        if (rc)
3562                goto release_luns;
3563
3564        pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3565
3566        memset(&config, 0, sizeof(config));
3567        config.removable = true;
3568        rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3569                        (const char **)&opts->func_inst.group.cg_item.ci_name);
3570        opts->lun0.lun = opts->common->luns[0];
3571        opts->lun0.lun_id = 0;
3572        config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3573        opts->default_groups[0] = &opts->lun0.group;
3574        opts->func_inst.group.default_groups = opts->default_groups;
3575
3576        config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3577
3578        return &opts->func_inst;
3579
3580release_luns:
3581        kfree(opts->common->luns);
3582release_opts:
3583        kfree(opts);
3584        return ERR_PTR(rc);
3585}
3586
3587static void fsg_free(struct usb_function *f)
3588{
3589        struct fsg_dev *fsg;
3590        struct fsg_opts *opts;
3591
3592        fsg = container_of(f, struct fsg_dev, function);
3593        opts = container_of(f->fi, struct fsg_opts, func_inst);
3594
3595        mutex_lock(&opts->lock);
3596        opts->refcnt--;
3597        mutex_unlock(&opts->lock);
3598
3599        kfree(fsg);
3600}
3601
3602static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3603{
3604        struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3605        struct fsg_common *common = opts->common;
3606        struct fsg_dev *fsg;
3607
3608        fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3609        if (unlikely(!fsg))
3610                return ERR_PTR(-ENOMEM);
3611
3612        mutex_lock(&opts->lock);
3613        opts->refcnt++;
3614        mutex_unlock(&opts->lock);
3615        fsg->function.name      = FSG_DRIVER_DESC;
3616        fsg->function.bind      = fsg_bind;
3617        fsg->function.unbind    = fsg_unbind;
3618        fsg->function.setup     = fsg_setup;
3619        fsg->function.set_alt   = fsg_set_alt;
3620        fsg->function.disable   = fsg_disable;
3621        fsg->function.free_func = fsg_free;
3622
3623        fsg->common               = common;
3624
3625        return &fsg->function;
3626}
3627
3628DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3629MODULE_LICENSE("GPL");
3630MODULE_AUTHOR("Michal Nazarewicz");
3631
3632/************************* Module parameters *************************/
3633
3634
3635void fsg_config_from_params(struct fsg_config *cfg,
3636                       const struct fsg_module_parameters *params,
3637                       unsigned int fsg_num_buffers)
3638{
3639        struct fsg_lun_config *lun;
3640        unsigned i;
3641
3642        /* Configure LUNs */
3643        cfg->nluns =
3644                min(params->luns ?: (params->file_count ?: 1u),
3645                    (unsigned)FSG_MAX_LUNS);
3646        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3647                lun->ro = !!params->ro[i];
3648                lun->cdrom = !!params->cdrom[i];
3649                lun->removable = !!params->removable[i];
3650                lun->filename =
3651                        params->file_count > i && params->file[i][0]
3652                        ? params->file[i]
3653                        : NULL;
3654        }
3655
3656        /* Let MSF use defaults */
3657        cfg->vendor_name = NULL;
3658        cfg->product_name = NULL;
3659
3660        cfg->ops = NULL;
3661        cfg->private_data = NULL;
3662
3663        /* Finalise */
3664        cfg->can_stall = params->stall;
3665        cfg->fsg_num_buffers = fsg_num_buffers;
3666}
3667EXPORT_SYMBOL_GPL(fsg_config_from_params);
3668
3669