LXR linux/drivers/usb/gadget/function/f_mass

   1/*
   2 * f_mass_storage.c -- Mass Storage USB Composite Function
   3 *
   4 * Copyright (C) 2003-2008 Alan Stern
   5 * Copyright (C) 2009 Samsung Electronics
   6 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   7 * All rights reserved.
   8 *
   9 * Redistribution and use in source and binary forms, with or without
  10 * modification, are permitted provided that the following conditions
  11 * are met:
  12 * 1. Redistributions of source code must retain the above copyright
  13 *    notice, this list of conditions, and the following disclaimer,
  14 *    without modification.
  15 * 2. Redistributions in binary form must reproduce the above copyright
  16 *    notice, this list of conditions and the following disclaimer in the
  17 *    documentation and/or other materials provided with the distribution.
  18 * 3. The names of the above-listed copyright holders may not be used
  19 *    to endorse or promote products derived from this software without
  20 *    specific prior written permission.
  21 *
  22 * ALTERNATIVELY, this software may be distributed under the terms of the
  23 * GNU General Public License ("GPL") as published by the Free Software
  24 * Foundation, either version 2 of that License or (at your option) any
  25 * later version.
  26 *
  27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  28 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  29 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  30 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  31 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  32 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  33 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  34 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  35 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  36 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  37 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38 */
  39
  40/*
  41 * The Mass Storage Function acts as a USB Mass Storage device,
  42 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  43 * addition to providing an example of a genuinely useful composite
  44 * function for a USB device, it also illustrates a technique of
  45 * double-buffering for increased throughput.
  46 *
  47 * For more information about MSF and in particular its module
  48 * parameters and sysfs interface read the
  49 * <Documentation/usb/mass-storage.txt> file.
  50 */
  51
  52/*
  53 * MSF is configured by specifying a fsg_config structure.  It has the
  54 * following fields:
  55 *
  56 *      nluns           Number of LUNs function have (anywhere from 1
  57 *                              to FSG_MAX_LUNS).
  58 *      luns            An array of LUN configuration values.  This
  59 *                              should be filled for each LUN that
  60 *                              function will include (ie. for "nluns"
  61 *                              LUNs).  Each element of the array has
  62 *                              the following fields:
  63 *      ->filename      The path to the backing file for the LUN.
  64 *                              Required if LUN is not marked as
  65 *                              removable.
  66 *      ->ro            Flag specifying access to the LUN shall be
  67 *                              read-only.  This is implied if CD-ROM
  68 *                              emulation is enabled as well as when
  69 *                              it was impossible to open "filename"
  70 *                              in R/W mode.
  71 *      ->removable     Flag specifying that LUN shall be indicated as
  72 *                              being removable.
  73 *      ->cdrom         Flag specifying that LUN shall be reported as
  74 *                              being a CD-ROM.
  75 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  76 *                              commands for this LUN shall be ignored.
  77 *
  78 *      vendor_name
  79 *      product_name
  80 *      release         Information used as a reply to INQUIRY
  81 *                              request.  To use default set to NULL,
  82 *                              NULL, 0xffff respectively.  The first
  83 *                              field should be 8 and the second 16
  84 *                              characters or less.
  85 *
  86 *      can_stall       Set to permit function to halt bulk endpoints.
  87 *                              Disabled on some USB devices known not
  88 *                              to work correctly.  You should set it
  89 *                              to true.
  90 *
  91 * If "removable" is not set for a LUN then a backing file must be
  92 * specified.  If it is set, then NULL filename means the LUN's medium
  93 * is not loaded (an empty string as "filename" in the fsg_config
  94 * structure causes error).  The CD-ROM emulation includes a single
  95 * data track and no audio tracks; hence there need be only one
  96 * backing file per LUN.
  97 *
  98 * This function is heavily based on "File-backed Storage Gadget" by
  99 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 100 * Brownell.  The driver's SCSI command interface was based on the
 101 * "Information technology - Small Computer System Interface - 2"
 102 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 103 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 104 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 105 * was based on the "Universal Serial Bus Mass Storage Class UFI
 106 * Command Specification" document, Revision 1.0, December 14, 1998,
 107 * available at
 108 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 109 */
 110
 111/*
 112 *                              Driver Design
 113 *
 114 * The MSF is fairly straightforward.  There is a main kernel
 115 * thread that handles most of the work.  Interrupt routines field
 116 * callbacks from the controller driver: bulk- and interrupt-request
 117 * completion notifications, endpoint-0 events, and disconnect events.
 118 * Completion events are passed to the main thread by wakeup calls.  Many
 119 * ep0 requests are handled at interrupt time, but SetInterface,
 120 * SetConfiguration, and device reset requests are forwarded to the
 121 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 122 * should interrupt any ongoing file I/O operations).
 123 *
 124 * The thread's main routine implements the standard command/data/status
 125 * parts of a SCSI interaction.  It and its subroutines are full of tests
 126 * for pending signals/exceptions -- all this polling is necessary since
 127 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 128 * indication that the driver really wants to be running in userspace.)
 129 * An important point is that so long as the thread is alive it keeps an
 130 * open reference to the backing file.  This will prevent unmounting
 131 * the backing file's underlying filesystem and could cause problems
 132 * during system shutdown, for example.  To prevent such problems, the
 133 * thread catches INT, TERM, and KILL signals and converts them into
 134 * an EXIT exception.
 135 *
 136 * In normal operation the main thread is started during the gadget's
 137 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 138 * also exit when it receives a signal, and there's no point leaving
 139 * the gadget running when the thread is dead.  As of this moment, MSF
 140 * provides no way to deregister the gadget when thread dies -- maybe
 141 * a callback functions is needed.
 142 *
 143 * To provide maximum throughput, the driver uses a circular pipeline of
 144 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 145 * arbitrarily long; in practice the benefits don't justify having more
 146 * than 2 stages (i.e., double buffering).  But it helps to think of the
 147 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 148 * a bulk-out request pointer (since the buffer can be used for both
 149 * output and input -- directions always are given from the host's
 150 * point of view) as well as a pointer to the buffer and various state
 151 * variables.
 152 *
 153 * Use of the pipeline follows a simple protocol.  There is a variable
 154 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 155 * At any time that buffer head may still be in use from an earlier
 156 * request, so each buffer head has a state variable indicating whether
 157 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 158 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 159 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 160 * head FULL when the I/O is complete.  Then the buffer will be emptied
 161 * (again possibly by USB I/O, during which it is marked BUSY) and
 162 * finally marked EMPTY again (possibly by a completion routine).
 163 *
 164 * A module parameter tells the driver to avoid stalling the bulk
 165 * endpoints wherever the transport specification allows.  This is
 166 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 167 * halt on a bulk endpoint.  However, under certain circumstances the
 168 * Bulk-only specification requires a stall.  In such cases the driver
 169 * will halt the endpoint and set a flag indicating that it should clear
 170 * the halt in software during the next device reset.  Hopefully this
 171 * will permit everything to work correctly.  Furthermore, although the
 172 * specification allows the bulk-out endpoint to halt when the host sends
 173 * too much data, implementing this would cause an unavoidable race.
 174 * The driver will always use the "no-stall" approach for OUT transfers.
 175 *
 176 * One subtle point concerns sending status-stage responses for ep0
 177 * requests.  Some of these requests, such as device reset, can involve
 178 * interrupting an ongoing file I/O operation, which might take an
 179 * arbitrarily long time.  During that delay the host might give up on
 180 * the original ep0 request and issue a new one.  When that happens the
 181 * driver should not notify the host about completion of the original
 182 * request, as the host will no longer be waiting for it.  So the driver
 183 * assigns to each ep0 request a unique tag, and it keeps track of the
 184 * tag value of the request associated with a long-running exception
 185 * (device-reset, interface-change, or configuration-change).  When the
 186 * exception handler is finished, the status-stage response is submitted
 187 * only if the current ep0 request tag is equal to the exception request
 188 * tag.  Thus only the most recently received ep0 request will get a
 189 * status-stage response.
 190 *
 191 * Warning: This driver source file is too long.  It ought to be split up
 192 * into a header file plus about 3 separate .c files, to handle the details
 193 * of the Gadget, USB Mass Storage, and SCSI protocols.
 194 */
 195
 196
 197/* #define VERBOSE_DEBUG */
 198/* #define DUMP_MSGS */
 199
 200#include <linux/blkdev.h>
 201#include <linux/completion.h>
 202#include <linux/dcache.h>
 203#include <linux/delay.h>
 204#include <linux/device.h>
 205#include <linux/fcntl.h>
 206#include <linux/file.h>
 207#include <linux/fs.h>
 208#include <linux/kref.h>
 209#include <linux/kthread.h>
 210#include <linux/sched/signal.h>
 211#include <linux/limits.h>
 212#include <linux/rwsem.h>
 213#include <linux/slab.h>
 214#include <linux/spinlock.h>
 215#include <linux/string.h>
 216#include <linux/freezer.h>
 217#include <linux/module.h>
 218#include <linux/uaccess.h>
 219
 220#include <linux/usb/ch9.h>
 221#include <linux/usb/gadget.h>
 222#include <linux/usb/composite.h>
 223
 224#include "configfs.h"
 225
 226
 227/*------------------------------------------------------------------------*/
 228
 229#define FSG_DRIVER_DESC         "Mass Storage Function"
 230#define FSG_DRIVER_VERSION      "2009/09/11"
 231
 232static const char fsg_string_interface[] = "Mass Storage";
 233
 234#include "storage_common.h"
 235#include "f_mass_storage.h"
 236
 237/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 238static struct usb_string                fsg_strings[] = {
 239        {FSG_STRING_INTERFACE,          fsg_string_interface},
 240        {}
 241};
 242
 243static struct usb_gadget_strings        fsg_stringtab = {
 244        .language       = 0x0409,               /* en-us */
 245        .strings        = fsg_strings,
 246};
 247
 248static struct usb_gadget_strings *fsg_strings_array[] = {
 249        &fsg_stringtab,
 250        NULL,
 251};
 252
 253/*-------------------------------------------------------------------------*/
 254
 255struct fsg_dev;
 256struct fsg_common;
 257
 258/* Data shared by all the FSG instances. */
 259struct fsg_common {
 260        struct usb_gadget       *gadget;
 261        struct usb_composite_dev *cdev;
 262        struct fsg_dev          *fsg, *new_fsg;
 263        wait_queue_head_t       io_wait;
 264        wait_queue_head_t       fsg_wait;
 265
 266        /* filesem protects: backing files in use */
 267        struct rw_semaphore     filesem;
 268
 269        /* lock protects: state and thread_task */
 270        spinlock_t              lock;
 271
 272        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 273        struct usb_request      *ep0req;        /* Copy of cdev->req */
 274        unsigned int            ep0_req_tag;
 275
 276        struct fsg_buffhd       *next_buffhd_to_fill;
 277        struct fsg_buffhd       *next_buffhd_to_drain;
 278        struct fsg_buffhd       *buffhds;
 279        unsigned int            fsg_num_buffers;
 280
 281        int                     cmnd_size;
 282        u8                      cmnd[MAX_COMMAND_SIZE];
 283
 284        unsigned int            lun;
 285        struct fsg_lun          *luns[FSG_MAX_LUNS];
 286        struct fsg_lun          *curlun;
 287
 288        unsigned int            bulk_out_maxpacket;
 289        enum fsg_state          state;          /* For exception handling */
 290        unsigned int            exception_req_tag;
 291
 292        enum data_direction     data_dir;
 293        u32                     data_size;
 294        u32                     data_size_from_cmnd;
 295        u32                     tag;
 296        u32                     residue;
 297        u32                     usb_amount_left;
 298
 299        unsigned int            can_stall:1;
 300        unsigned int            free_storage_on_release:1;
 301        unsigned int            phase_error:1;
 302        unsigned int            short_packet_received:1;
 303        unsigned int            bad_lun_okay:1;
 304        unsigned int            running:1;
 305        unsigned int            sysfs:1;
 306
 307        struct completion       thread_notifier;
 308        struct task_struct      *thread_task;
 309
 310        /* Callback functions. */
 311        const struct fsg_operations     *ops;
 312        /* Gadget's private data. */
 313        void                    *private_data;
 314
 315        char inquiry_string[INQUIRY_STRING_LEN];
 316
 317        struct kref             ref;
 318};
 319
 320struct fsg_dev {
 321        struct usb_function     function;
 322        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 323        struct fsg_common       *common;
 324
 325        u16                     interface_number;
 326
 327        unsigned int            bulk_in_enabled:1;
 328        unsigned int            bulk_out_enabled:1;
 329
 330        unsigned long           atomic_bitflags;
 331#define IGNORE_BULK_OUT         0
 332
 333        struct usb_ep           *bulk_in;
 334        struct usb_ep           *bulk_out;
 335};
 336
 337static inline int __fsg_is_set(struct fsg_common *common,
 338                               const char *func, unsigned line)
 339{
 340        if (common->fsg)
 341                return 1;
 342        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 343        WARN_ON(1);
 344        return 0;
 345}
 346
 347#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 348
 349static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 350{
 351        return container_of(f, struct fsg_dev, function);
 352}
 353
 354typedef void (*fsg_routine_t)(struct fsg_dev *);
 355
 356static int exception_in_progress(struct fsg_common *common)
 357{
 358        return common->state > FSG_STATE_NORMAL;
 359}
 360
 361/* Make bulk-out requests be divisible by the maxpacket size */
 362static void set_bulk_out_req_length(struct fsg_common *common,
 363                                    struct fsg_buffhd *bh, unsigned int length)
 364{
 365        unsigned int    rem;
 366
 367        bh->bulk_out_intended_length = length;
 368        rem = length % common->bulk_out_maxpacket;
 369        if (rem > 0)
 370                length += common->bulk_out_maxpacket - rem;
 371        bh->outreq->length = length;
 372}
 373
 374
 375/*-------------------------------------------------------------------------*/
 376
 377static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 378{
 379        const char      *name;
 380
 381        if (ep == fsg->bulk_in)
 382                name = "bulk-in";
 383        else if (ep == fsg->bulk_out)
 384                name = "bulk-out";
 385        else
 386                name = ep->name;
 387        DBG(fsg, "%s set halt\n", name);
 388        return usb_ep_set_halt(ep);
 389}
 390
 391
 392/*-------------------------------------------------------------------------*/
 393
 394/* These routines may be called in process context or in_irq */
 395
 396static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 397{
 398        unsigned long           flags;
 399
 400        /*
 401         * Do nothing if a higher-priority exception is already in progress.
 402         * If a lower-or-equal priority exception is in progress, preempt it
 403         * and notify the main thread by sending it a signal.
 404         */
 405        spin_lock_irqsave(&common->lock, flags);
 406        if (common->state <= new_state) {
 407                common->exception_req_tag = common->ep0_req_tag;
 408                common->state = new_state;
 409                if (common->thread_task)
 410                        send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 411                                      common->thread_task);
 412        }
 413        spin_unlock_irqrestore(&common->lock, flags);
 414}
 415
 416
 417/*-------------------------------------------------------------------------*/
 418
 419static int ep0_queue(struct fsg_common *common)
 420{
 421        int     rc;
 422
 423        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 424        common->ep0->driver_data = common;
 425        if (rc != 0 && rc != -ESHUTDOWN) {
 426                /* We can't do much more than wait for a reset */
 427                WARNING(common, "error in submission: %s --> %d\n",
 428                        common->ep0->name, rc);
 429        }
 430        return rc;
 431}
 432
 433
 434/*-------------------------------------------------------------------------*/
 435
 436/* Completion handlers. These always run in_irq. */
 437
 438static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 439{
 440        struct fsg_common       *common = ep->driver_data;
 441        struct fsg_buffhd       *bh = req->context;
 442
 443        if (req->status || req->actual != req->length)
 444                DBG(common, "%s --> %d, %u/%u\n", __func__,
 445                    req->status, req->actual, req->length);
 446        if (req->status == -ECONNRESET)         /* Request was cancelled */
 447                usb_ep_fifo_flush(ep);
 448
 449        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 450        smp_store_release(&bh->state, BUF_STATE_EMPTY);
 451        wake_up(&common->io_wait);
 452}
 453
 454static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 455{
 456        struct fsg_common       *common = ep->driver_data;
 457        struct fsg_buffhd       *bh = req->context;
 458
 459        dump_msg(common, "bulk-out", req->buf, req->actual);
 460        if (req->status || req->actual != bh->bulk_out_intended_length)
 461                DBG(common, "%s --> %d, %u/%u\n", __func__,
 462                    req->status, req->actual, bh->bulk_out_intended_length);
 463        if (req->status == -ECONNRESET)         /* Request was cancelled */
 464                usb_ep_fifo_flush(ep);
 465
 466        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 467        smp_store_release(&bh->state, BUF_STATE_FULL);
 468        wake_up(&common->io_wait);
 469}
 470
 471static int _fsg_common_get_max_lun(struct fsg_common *common)
 472{
 473        int i = ARRAY_SIZE(common->luns) - 1;
 474
 475        while (i >= 0 && !common->luns[i])
 476                --i;
 477
 478        return i;
 479}
 480
 481static int fsg_setup(struct usb_function *f,
 482                     const struct usb_ctrlrequest *ctrl)
 483{
 484        struct fsg_dev          *fsg = fsg_from_func(f);
 485        struct usb_request      *req = fsg->common->ep0req;
 486        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 487        u16                     w_value = le16_to_cpu(ctrl->wValue);
 488        u16                     w_length = le16_to_cpu(ctrl->wLength);
 489
 490        if (!fsg_is_set(fsg->common))
 491                return -EOPNOTSUPP;
 492
 493        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 494        req->context = NULL;
 495        req->length = 0;
 496        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 497
 498        switch (ctrl->bRequest) {
 499
 500        case US_BULK_RESET_REQUEST:
 501                if (ctrl->bRequestType !=
 502                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 503                        break;
 504                if (w_index != fsg->interface_number || w_value != 0 ||
 505                                w_length != 0)
 506                        return -EDOM;
 507
 508                /*
 509                 * Raise an exception to stop the current operation
 510                 * and reinitialize our state.
 511                 */
 512                DBG(fsg, "bulk reset request\n");
 513                raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET);
 514                return USB_GADGET_DELAYED_STATUS;
 515
 516        case US_BULK_GET_MAX_LUN:
 517                if (ctrl->bRequestType !=
 518                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 519                        break;
 520                if (w_index != fsg->interface_number || w_value != 0 ||
 521                                w_length != 1)
 522                        return -EDOM;
 523                VDBG(fsg, "get max LUN\n");
 524                *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
 525
 526                /* Respond with data/status */
 527                req->length = min((u16)1, w_length);
 528                return ep0_queue(fsg->common);
 529        }
 530
 531        VDBG(fsg,
 532             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 533             ctrl->bRequestType, ctrl->bRequest,
 534             le16_to_cpu(ctrl->wValue), w_index, w_length);
 535        return -EOPNOTSUPP;
 536}
 537
 538
 539/*-------------------------------------------------------------------------*/
 540
 541/* All the following routines run in process context */
 542
 543/* Use this for bulk or interrupt transfers, not ep0 */
 544static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 545                           struct usb_request *req)
 546{
 547        int     rc;
 548
 549        if (ep == fsg->bulk_in)
 550                dump_msg(fsg, "bulk-in", req->buf, req->length);
 551
 552        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 553        if (rc) {
 554
 555                /* We can't do much more than wait for a reset */
 556                req->status = rc;
 557
 558                /*
 559                 * Note: currently the net2280 driver fails zero-length
 560                 * submissions if DMA is enabled.
 561                 */
 562                if (rc != -ESHUTDOWN &&
 563                                !(rc == -EOPNOTSUPP && req->length == 0))
 564                        WARNING(fsg, "error in submission: %s --> %d\n",
 565                                        ep->name, rc);
 566        }
 567        return rc;
 568}
 569
 570static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 571{
 572        if (!fsg_is_set(common))
 573                return false;
 574        bh->state = BUF_STATE_SENDING;
 575        if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
 576                bh->state = BUF_STATE_EMPTY;
 577        return true;
 578}
 579
 580static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 581{
 582        if (!fsg_is_set(common))
 583                return false;
 584        bh->state = BUF_STATE_RECEIVING;
 585        if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
 586                bh->state = BUF_STATE_FULL;
 587        return true;
 588}
 589
 590static int sleep_thread(struct fsg_common *common, bool can_freeze,
 591                struct fsg_buffhd *bh)
 592{
 593        int     rc;
 594
 595        /* Wait until a signal arrives or bh is no longer busy */
 596        if (can_freeze)
 597                /*
 598                 * synchronize with the smp_store_release(&bh->state) in
 599                 * bulk_in_complete() or bulk_out_complete()
 600                 */
 601                rc = wait_event_freezable(common->io_wait,
 602                                bh && smp_load_acquire(&bh->state) >=
 603                                        BUF_STATE_EMPTY);
 604        else
 605                rc = wait_event_interruptible(common->io_wait,
 606                                bh && smp_load_acquire(&bh->state) >=
 607                                        BUF_STATE_EMPTY);
 608        return rc ? -EINTR : 0;
 609}
 610
 611
 612/*-------------------------------------------------------------------------*/
 613
 614static int do_read(struct fsg_common *common)
 615{
 616        struct fsg_lun          *curlun = common->curlun;
 617        u32                     lba;
 618        struct fsg_buffhd       *bh;
 619        int                     rc;
 620        u32                     amount_left;
 621        loff_t                  file_offset, file_offset_tmp;
 622        unsigned int            amount;
 623        ssize_t                 nread;
 624
 625        /*
 626         * Get the starting Logical Block Address and check that it's
 627         * not too big.
 628         */
 629        if (common->cmnd[0] == READ_6)
 630                lba = get_unaligned_be24(&common->cmnd[1]);
 631        else {
 632                lba = get_unaligned_be32(&common->cmnd[2]);
 633
 634                /*
 635                 * We allow DPO (Disable Page Out = don't save data in the
 636                 * cache) and FUA (Force Unit Access = don't read from the
 637                 * cache), but we don't implement them.
 638                 */
 639                if ((common->cmnd[1] & ~0x18) != 0) {
 640                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 641                        return -EINVAL;
 642                }
 643        }
 644        if (lba >= curlun->num_sectors) {
 645                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 646                return -EINVAL;
 647        }
 648        file_offset = ((loff_t) lba) << curlun->blkbits;
 649
 650        /* Carry out the file reads */
 651        amount_left = common->data_size_from_cmnd;
 652        if (unlikely(amount_left == 0))
 653                return -EIO;            /* No default reply */
 654
 655        for (;;) {
 656                /*
 657                 * Figure out how much we need to read:
 658                 * Try to read the remaining amount.
 659                 * But don't read more than the buffer size.
 660                 * And don't try to read past the end of the file.
 661                 */
 662                amount = min(amount_left, FSG_BUFLEN);
 663                amount = min((loff_t)amount,
 664                             curlun->file_length - file_offset);
 665
 666                /* Wait for the next buffer to become available */
 667                bh = common->next_buffhd_to_fill;
 668                rc = sleep_thread(common, false, bh);
 669                if (rc)
 670                        return rc;
 671
 672                /*
 673                 * If we were asked to read past the end of file,
 674                 * end with an empty buffer.
 675                 */
 676                if (amount == 0) {
 677                        curlun->sense_data =
 678                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 679                        curlun->sense_data_info =
 680                                        file_offset >> curlun->blkbits;
 681                        curlun->info_valid = 1;
 682                        bh->inreq->length = 0;
 683                        bh->state = BUF_STATE_FULL;
 684                        break;
 685                }
 686
 687                /* Perform the read */
 688                file_offset_tmp = file_offset;
 689                nread = vfs_read(curlun->filp,
 690                                 (char __user *)bh->buf,
 691                                 amount, &file_offset_tmp);
 692                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 693                      (unsigned long long)file_offset, (int)nread);
 694                if (signal_pending(current))
 695                        return -EINTR;
 696
 697                if (nread < 0) {
 698                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 699                        nread = 0;
 700                } else if (nread < amount) {
 701                        LDBG(curlun, "partial file read: %d/%u\n",
 702                             (int)nread, amount);
 703                        nread = round_down(nread, curlun->blksize);
 704                }
 705                file_offset  += nread;
 706                amount_left  -= nread;
 707                common->residue -= nread;
 708
 709                /*
 710                 * Except at the end of the transfer, nread will be
 711                 * equal to the buffer size, which is divisible by the
 712                 * bulk-in maxpacket size.
 713                 */
 714                bh->inreq->length = nread;
 715                bh->state = BUF_STATE_FULL;
 716
 717                /* If an error occurred, report it and its position */
 718                if (nread < amount) {
 719                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 720                        curlun->sense_data_info =
 721                                        file_offset >> curlun->blkbits;
 722                        curlun->info_valid = 1;
 723                        break;
 724                }
 725
 726                if (amount_left == 0)
 727                        break;          /* No more left to read */
 728
 729                /* Send this buffer and go read some more */
 730                bh->inreq->zero = 0;
 731                if (!start_in_transfer(common, bh))
 732                        /* Don't know what to do if common->fsg is NULL */
 733                        return -EIO;
 734                common->next_buffhd_to_fill = bh->next;
 735        }
 736
 737        return -EIO;            /* No default reply */
 738}
 739
 740
 741/*-------------------------------------------------------------------------*/
 742
 743static int do_write(struct fsg_common *common)
 744{
 745        struct fsg_lun          *curlun = common->curlun;
 746        u32                     lba;
 747        struct fsg_buffhd       *bh;
 748        int                     get_some_more;
 749        u32                     amount_left_to_req, amount_left_to_write;
 750        loff_t                  usb_offset, file_offset, file_offset_tmp;
 751        unsigned int            amount;
 752        ssize_t                 nwritten;
 753        int                     rc;
 754
 755        if (curlun->ro) {
 756                curlun->sense_data = SS_WRITE_PROTECTED;
 757                return -EINVAL;
 758        }
 759        spin_lock(&curlun->filp->f_lock);
 760        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 761        spin_unlock(&curlun->filp->f_lock);
 762
 763        /*
 764         * Get the starting Logical Block Address and check that it's
 765         * not too big
 766         */
 767        if (common->cmnd[0] == WRITE_6)
 768                lba = get_unaligned_be24(&common->cmnd[1]);
 769        else {
 770                lba = get_unaligned_be32(&common->cmnd[2]);
 771
 772                /*
 773                 * We allow DPO (Disable Page Out = don't save data in the
 774                 * cache) and FUA (Force Unit Access = write directly to the
 775                 * medium).  We don't implement DPO; we implement FUA by
 776                 * performing synchronous output.
 777                 */
 778                if (common->cmnd[1] & ~0x18) {
 779                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 780                        return -EINVAL;
 781                }
 782                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 783                        spin_lock(&curlun->filp->f_lock);
 784                        curlun->filp->f_flags |= O_SYNC;
 785                        spin_unlock(&curlun->filp->f_lock);
 786                }
 787        }
 788        if (lba >= curlun->num_sectors) {
 789                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 790                return -EINVAL;
 791        }
 792
 793        /* Carry out the file writes */
 794        get_some_more = 1;
 795        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 796        amount_left_to_req = common->data_size_from_cmnd;
 797        amount_left_to_write = common->data_size_from_cmnd;
 798
 799        while (amount_left_to_write > 0) {
 800
 801                /* Queue a request for more data from the host */
 802                bh = common->next_buffhd_to_fill;
 803                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 804
 805                        /*
 806                         * Figure out how much we want to get:
 807                         * Try to get the remaining amount,
 808                         * but not more than the buffer size.
 809                         */
 810                        amount = min(amount_left_to_req, FSG_BUFLEN);
 811
 812                        /* Beyond the end of the backing file? */
 813                        if (usb_offset >= curlun->file_length) {
 814                                get_some_more = 0;
 815                                curlun->sense_data =
 816                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 817                                curlun->sense_data_info =
 818                                        usb_offset >> curlun->blkbits;
 819                                curlun->info_valid = 1;
 820                                continue;
 821                        }
 822
 823                        /* Get the next buffer */
 824                        usb_offset += amount;
 825                        common->usb_amount_left -= amount;
 826                        amount_left_to_req -= amount;
 827                        if (amount_left_to_req == 0)
 828                                get_some_more = 0;
 829
 830                        /*
 831                         * Except at the end of the transfer, amount will be
 832                         * equal to the buffer size, which is divisible by
 833                         * the bulk-out maxpacket size.
 834                         */
 835                        set_bulk_out_req_length(common, bh, amount);
 836                        if (!start_out_transfer(common, bh))
 837                                /* Dunno what to do if common->fsg is NULL */
 838                                return -EIO;
 839                        common->next_buffhd_to_fill = bh->next;
 840                        continue;
 841                }
 842
 843                /* Write the received data to the backing file */
 844                bh = common->next_buffhd_to_drain;
 845                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 846                        break;                  /* We stopped early */
 847
 848                /* Wait for the data to be received */
 849                rc = sleep_thread(common, false, bh);
 850                if (rc)
 851                        return rc;
 852
 853                common->next_buffhd_to_drain = bh->next;
 854                bh->state = BUF_STATE_EMPTY;
 855
 856                /* Did something go wrong with the transfer? */
 857                if (bh->outreq->status != 0) {
 858                        curlun->sense_data = SS_COMMUNICATION_FAILURE;
 859                        curlun->sense_data_info =
 860                                        file_offset >> curlun->blkbits;
 861                        curlun->info_valid = 1;
 862                        break;
 863                }
 864
 865                amount = bh->outreq->actual;
 866                if (curlun->file_length - file_offset < amount) {
 867                        LERROR(curlun, "write %u @ %llu beyond end %llu\n",
 868                                       amount, (unsigned long long)file_offset,
 869                                       (unsigned long long)curlun->file_length);
 870                        amount = curlun->file_length - file_offset;
 871                }
 872
 873                /*
 874                 * Don't accept excess data.  The spec doesn't say
 875                 * what to do in this case.  We'll ignore the error.
 876                 */
 877                amount = min(amount, bh->bulk_out_intended_length);
 878
 879                /* Don't write a partial block */
 880                amount = round_down(amount, curlun->blksize);
 881                if (amount == 0)
 882                        goto empty_write;
 883
 884                /* Perform the write */
 885                file_offset_tmp = file_offset;
 886                nwritten = vfs_write(curlun->filp, (char __user *)bh->buf,
 887                                amount, &file_offset_tmp);
 888                VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 889                                (unsigned long long)file_offset, (int)nwritten);
 890                if (signal_pending(current))
 891                        return -EINTR;          /* Interrupted! */
 892
 893                if (nwritten < 0) {
 894                        LDBG(curlun, "error in file write: %d\n",
 895                                        (int) nwritten);
 896                        nwritten = 0;
 897                } else if (nwritten < amount) {
 898                        LDBG(curlun, "partial file write: %d/%u\n",
 899                                        (int) nwritten, amount);
 900                        nwritten = round_down(nwritten, curlun->blksize);
 901                }
 902                file_offset += nwritten;
 903                amount_left_to_write -= nwritten;
 904                common->residue -= nwritten;
 905
 906                /* If an error occurred, report it and its position */
 907                if (nwritten < amount) {
 908                        curlun->sense_data = SS_WRITE_ERROR;
 909                        curlun->sense_data_info =
 910                                        file_offset >> curlun->blkbits;
 911                        curlun->info_valid = 1;
 912                        break;
 913                }
 914
 915 empty_write:
 916                /* Did the host decide to stop early? */
 917                if (bh->outreq->actual < bh->bulk_out_intended_length) {
 918                        common->short_packet_received = 1;
 919                        break;
 920                }
 921        }
 922
 923        return -EIO;            /* No default reply */
 924}
 925
 926
 927/*-------------------------------------------------------------------------*/
 928
 929static int do_synchronize_cache(struct fsg_common *common)
 930{
 931        struct fsg_lun  *curlun = common->curlun;
 932        int             rc;
 933
 934        /* We ignore the requested LBA and write out all file's
 935         * dirty data buffers. */
 936        rc = fsg_lun_fsync_sub(curlun);
 937        if (rc)
 938                curlun->sense_data = SS_WRITE_ERROR;
 939        return 0;
 940}
 941
 942
 943/*-------------------------------------------------------------------------*/
 944
 945static void invalidate_sub(struct fsg_lun *curlun)
 946{
 947        struct file     *filp = curlun->filp;
 948        struct inode    *inode = file_inode(filp);
 949        unsigned long   rc;
 950
 951        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 952        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 953}
 954
 955static int do_verify(struct fsg_common *common)
 956{
 957        struct fsg_lun          *curlun = common->curlun;
 958        u32                     lba;
 959        u32                     verification_length;
 960        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 961        loff_t                  file_offset, file_offset_tmp;
 962        u32                     amount_left;
 963        unsigned int            amount;
 964        ssize_t                 nread;
 965
 966        /*
 967         * Get the starting Logical Block Address and check that it's
 968         * not too big.
 969         */
 970        lba = get_unaligned_be32(&common->cmnd[2]);
 971        if (lba >= curlun->num_sectors) {
 972                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 973                return -EINVAL;
 974        }
 975
 976        /*
 977         * We allow DPO (Disable Page Out = don't save data in the
 978         * cache) but we don't implement it.
 979         */
 980        if (common->cmnd[1] & ~0x10) {
 981                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 982                return -EINVAL;
 983        }
 984
 985        verification_length = get_unaligned_be16(&common->cmnd[7]);
 986        if (unlikely(verification_length == 0))
 987                return -EIO;            /* No default reply */
 988
 989        /* Prepare to carry out the file verify */
 990        amount_left = verification_length << curlun->blkbits;
 991        file_offset = ((loff_t) lba) << curlun->blkbits;
 992
 993        /* Write out all the dirty buffers before invalidating them */
 994        fsg_lun_fsync_sub(curlun);
 995        if (signal_pending(current))
 996                return -EINTR;
 997
 998        invalidate_sub(curlun);
 999        if (signal_pending(current))
1000                return -EINTR;

1001
1002        /* Just try to read the requested blocks */
1003        while (amount_left > 0) {
1004                /*
1005                 * Figure out how much we need to read:
1006                 * Try to read the remaining amount, but not more than
1007                 * the buffer size.
1008                 * And don't try to read past the end of the file.
1009                 */
1010                amount = min(amount_left, FSG_BUFLEN);
1011                amount = min((loff_t)amount,
1012                             curlun->file_length - file_offset);
1013                if (amount == 0) {
1014                        curlun->sense_data =
1015                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1016                        curlun->sense_data_info =
1017                                file_offset >> curlun->blkbits;
1018                        curlun->info_valid = 1;
1019                        break;
1020                }
1021
1022                /* Perform the read */
1023                file_offset_tmp = file_offset;
1024                nread = vfs_read(curlun->filp,
1025                                (char __user *) bh->buf,
1026                                amount, &file_offset_tmp);
1027                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1028                                (unsigned long long) file_offset,
1029                                (int) nread);
1030                if (signal_pending(current))
1031                        return -EINTR;
1032
1033                if (nread < 0) {
1034                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1035                        nread = 0;
1036                } else if (nread < amount) {
1037                        LDBG(curlun, "partial file verify: %d/%u\n",
1038                             (int)nread, amount);
1039                        nread = round_down(nread, curlun->blksize);
1040                }
1041                if (nread == 0) {
1042                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1043                        curlun->sense_data_info =
1044                                file_offset >> curlun->blkbits;
1045                        curlun->info_valid = 1;
1046                        break;
1047                }
1048                file_offset += nread;
1049                amount_left -= nread;
1050        }
1051        return 0;
1052}
1053
1054
1055/*-------------------------------------------------------------------------*/
1056
1057static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1058{
1059        struct fsg_lun *curlun = common->curlun;
1060        u8      *buf = (u8 *) bh->buf;
1061
1062        if (!curlun) {          /* Unsupported LUNs are okay */
1063                common->bad_lun_okay = 1;
1064                memset(buf, 0, 36);
1065                buf[0] = TYPE_NO_LUN;   /* Unsupported, no device-type */
1066                buf[4] = 31;            /* Additional length */
1067                return 36;
1068        }
1069
1070        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1071        buf[1] = curlun->removable ? 0x80 : 0;
1072        buf[2] = 2;             /* ANSI SCSI level 2 */
1073        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1074        buf[4] = 31;            /* Additional length */
1075        buf[5] = 0;             /* No special options */
1076        buf[6] = 0;
1077        buf[7] = 0;
1078        if (curlun->inquiry_string[0])
1079                memcpy(buf + 8, curlun->inquiry_string,
1080                       sizeof(curlun->inquiry_string));
1081        else
1082                memcpy(buf + 8, common->inquiry_string,
1083                       sizeof(common->inquiry_string));
1084        return 36;
1085}
1086
1087static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1088{
1089        struct fsg_lun  *curlun = common->curlun;
1090        u8              *buf = (u8 *) bh->buf;
1091        u32             sd, sdinfo;
1092        int             valid;
1093
1094        /*
1095         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1096         *
1097         * If a REQUEST SENSE command is received from an initiator
1098         * with a pending unit attention condition (before the target
1099         * generates the contingent allegiance condition), then the
1100         * target shall either:
1101         *   a) report any pending sense data and preserve the unit
1102         *      attention condition on the logical unit, or,
1103         *   b) report the unit attention condition, may discard any
1104         *      pending sense data, and clear the unit attention
1105         *      condition on the logical unit for that initiator.
1106         *
1107         * FSG normally uses option a); enable this code to use option b).
1108         */
1109#if 0
1110        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1111                curlun->sense_data = curlun->unit_attention_data;
1112                curlun->unit_attention_data = SS_NO_SENSE;
1113        }
1114#endif
1115
1116        if (!curlun) {          /* Unsupported LUNs are okay */
1117                common->bad_lun_okay = 1;
1118                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1119                sdinfo = 0;
1120                valid = 0;
1121        } else {
1122                sd = curlun->sense_data;
1123                sdinfo = curlun->sense_data_info;
1124                valid = curlun->info_valid << 7;
1125                curlun->sense_data = SS_NO_SENSE;
1126                curlun->sense_data_info = 0;
1127                curlun->info_valid = 0;
1128        }
1129
1130        memset(buf, 0, 18);
1131        buf[0] = valid | 0x70;                  /* Valid, current error */
1132        buf[2] = SK(sd);
1133        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1134        buf[7] = 18 - 8;                        /* Additional sense length */
1135        buf[12] = ASC(sd);
1136        buf[13] = ASCQ(sd);
1137        return 18;
1138}
1139
1140static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1141{
1142        struct fsg_lun  *curlun = common->curlun;
1143        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1144        int             pmi = common->cmnd[8];
1145        u8              *buf = (u8 *)bh->buf;
1146
1147        /* Check the PMI and LBA fields */
1148        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1149                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1150                return -EINVAL;
1151        }
1152
1153        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1154                                                /* Max logical block */
1155        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1156        return 8;
1157}
1158
1159static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1160{
1161        struct fsg_lun  *curlun = common->curlun;
1162        int             msf = common->cmnd[1] & 0x02;
1163        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1164        u8              *buf = (u8 *)bh->buf;
1165
1166        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1167                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1168                return -EINVAL;
1169        }
1170        if (lba >= curlun->num_sectors) {
1171                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1172                return -EINVAL;
1173        }
1174
1175        memset(buf, 0, 8);
1176        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1177        store_cdrom_address(&buf[4], msf, lba);
1178        return 8;
1179}
1180
1181static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1182{
1183        struct fsg_lun  *curlun = common->curlun;
1184        int             msf = common->cmnd[1] & 0x02;
1185        int             start_track = common->cmnd[6];
1186        u8              *buf = (u8 *)bh->buf;
1187
1188        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1189                        start_track > 1) {
1190                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1191                return -EINVAL;
1192        }
1193
1194        memset(buf, 0, 20);
1195        buf[1] = (20-2);                /* TOC data length */
1196        buf[2] = 1;                     /* First track number */
1197        buf[3] = 1;                     /* Last track number */
1198        buf[5] = 0x16;                  /* Data track, copying allowed */
1199        buf[6] = 0x01;                  /* Only track is number 1 */
1200        store_cdrom_address(&buf[8], msf, 0);
1201
1202        buf[13] = 0x16;                 /* Lead-out track is data */
1203        buf[14] = 0xAA;                 /* Lead-out track number */
1204        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1205        return 20;
1206}
1207
1208static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1209{
1210        struct fsg_lun  *curlun = common->curlun;
1211        int             mscmnd = common->cmnd[0];
1212        u8              *buf = (u8 *) bh->buf;
1213        u8              *buf0 = buf;
1214        int             pc, page_code;
1215        int             changeable_values, all_pages;
1216        int             valid_page = 0;
1217        int             len, limit;
1218
1219        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1220                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1221                return -EINVAL;
1222        }
1223        pc = common->cmnd[2] >> 6;
1224        page_code = common->cmnd[2] & 0x3f;
1225        if (pc == 3) {
1226                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1227                return -EINVAL;
1228        }
1229        changeable_values = (pc == 1);
1230        all_pages = (page_code == 0x3f);
1231
1232        /*
1233         * Write the mode parameter header.  Fixed values are: default
1234         * medium type, no cache control (DPOFUA), and no block descriptors.
1235         * The only variable value is the WriteProtect bit.  We will fill in
1236         * the mode data length later.
1237         */
1238        memset(buf, 0, 8);
1239        if (mscmnd == MODE_SENSE) {
1240                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1241                buf += 4;
1242                limit = 255;
1243        } else {                        /* MODE_SENSE_10 */
1244                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1245                buf += 8;
1246                limit = 65535;          /* Should really be FSG_BUFLEN */
1247        }
1248
1249        /* No block descriptors */
1250
1251        /*
1252         * The mode pages, in numerical order.  The only page we support
1253         * is the Caching page.
1254         */
1255        if (page_code == 0x08 || all_pages) {
1256                valid_page = 1;
1257                buf[0] = 0x08;          /* Page code */
1258                buf[1] = 10;            /* Page length */
1259                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1260
1261                if (!changeable_values) {
1262                        buf[2] = 0x04;  /* Write cache enable, */
1263                                        /* Read cache not disabled */
1264                                        /* No cache retention priorities */
1265                        put_unaligned_be16(0xffff, &buf[4]);
1266                                        /* Don't disable prefetch */
1267                                        /* Minimum prefetch = 0 */
1268                        put_unaligned_be16(0xffff, &buf[8]);
1269                                        /* Maximum prefetch */
1270                        put_unaligned_be16(0xffff, &buf[10]);
1271                                        /* Maximum prefetch ceiling */
1272                }
1273                buf += 12;
1274        }
1275
1276        /*
1277         * Check that a valid page was requested and the mode data length
1278         * isn't too long.
1279         */
1280        len = buf - buf0;
1281        if (!valid_page || len > limit) {
1282                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1283                return -EINVAL;
1284        }
1285
1286        /*  Store the mode data length */
1287        if (mscmnd == MODE_SENSE)
1288                buf0[0] = len - 1;
1289        else
1290                put_unaligned_be16(len - 2, buf0);
1291        return len;
1292}
1293
1294static int do_start_stop(struct fsg_common *common)
1295{
1296        struct fsg_lun  *curlun = common->curlun;
1297        int             loej, start;
1298
1299        if (!curlun) {
1300                return -EINVAL;
1301        } else if (!curlun->removable) {
1302                curlun->sense_data = SS_INVALID_COMMAND;
1303                return -EINVAL;
1304        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1305                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1306                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1307                return -EINVAL;
1308        }
1309
1310        loej  = common->cmnd[4] & 0x02;
1311        start = common->cmnd[4] & 0x01;
1312
1313        /*
1314         * Our emulation doesn't support mounting; the medium is
1315         * available for use as soon as it is loaded.
1316         */
1317        if (start) {
1318                if (!fsg_lun_is_open(curlun)) {
1319                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1320                        return -EINVAL;
1321                }
1322                return 0;
1323        }
1324
1325        /* Are we allowed to unload the media? */
1326        if (curlun->prevent_medium_removal) {
1327                LDBG(curlun, "unload attempt prevented\n");
1328                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1329                return -EINVAL;
1330        }
1331
1332        if (!loej)
1333                return 0;
1334
1335        up_read(&common->filesem);
1336        down_write(&common->filesem);
1337        fsg_lun_close(curlun);
1338        up_write(&common->filesem);
1339        down_read(&common->filesem);
1340
1341        return 0;
1342}
1343
1344static int do_prevent_allow(struct fsg_common *common)
1345{
1346        struct fsg_lun  *curlun = common->curlun;
1347        int             prevent;
1348
1349        if (!common->curlun) {
1350                return -EINVAL;
1351        } else if (!common->curlun->removable) {
1352                common->curlun->sense_data = SS_INVALID_COMMAND;
1353                return -EINVAL;
1354        }
1355
1356        prevent = common->cmnd[4] & 0x01;
1357        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1358                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1359                return -EINVAL;
1360        }
1361
1362        if (curlun->prevent_medium_removal && !prevent)
1363                fsg_lun_fsync_sub(curlun);
1364        curlun->prevent_medium_removal = prevent;
1365        return 0;
1366}
1367
1368static int do_read_format_capacities(struct fsg_common *common,
1369                        struct fsg_buffhd *bh)
1370{
1371        struct fsg_lun  *curlun = common->curlun;
1372        u8              *buf = (u8 *) bh->buf;
1373
1374        buf[0] = buf[1] = buf[2] = 0;
1375        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1376        buf += 4;
1377
1378        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1379                                                /* Number of blocks */
1380        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1381        buf[4] = 0x02;                          /* Current capacity */
1382        return 12;
1383}
1384
1385static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1386{
1387        struct fsg_lun  *curlun = common->curlun;
1388
1389        /* We don't support MODE SELECT */
1390        if (curlun)
1391                curlun->sense_data = SS_INVALID_COMMAND;
1392        return -EINVAL;
1393}
1394
1395
1396/*-------------------------------------------------------------------------*/
1397
1398static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1399{
1400        int     rc;
1401
1402        rc = fsg_set_halt(fsg, fsg->bulk_in);
1403        if (rc == -EAGAIN)
1404                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1405        while (rc != 0) {
1406                if (rc != -EAGAIN) {
1407                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1408                        rc = 0;
1409                        break;
1410                }
1411
1412                /* Wait for a short time and then try again */
1413                if (msleep_interruptible(100) != 0)
1414                        return -EINTR;
1415                rc = usb_ep_set_halt(fsg->bulk_in);
1416        }
1417        return rc;
1418}
1419
1420static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1421{
1422        int     rc;
1423
1424        DBG(fsg, "bulk-in set wedge\n");
1425        rc = usb_ep_set_wedge(fsg->bulk_in);
1426        if (rc == -EAGAIN)
1427                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1428        while (rc != 0) {
1429                if (rc != -EAGAIN) {
1430                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1431                        rc = 0;
1432                        break;
1433                }
1434
1435                /* Wait for a short time and then try again */
1436                if (msleep_interruptible(100) != 0)
1437                        return -EINTR;
1438                rc = usb_ep_set_wedge(fsg->bulk_in);
1439        }
1440        return rc;
1441}
1442
1443static int throw_away_data(struct fsg_common *common)
1444{
1445        struct fsg_buffhd       *bh, *bh2;
1446        u32                     amount;
1447        int                     rc;
1448
1449        for (bh = common->next_buffhd_to_drain;
1450             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1451             bh = common->next_buffhd_to_drain) {
1452
1453                /* Try to submit another request if we need one */
1454                bh2 = common->next_buffhd_to_fill;
1455                if (bh2->state == BUF_STATE_EMPTY &&
1456                                common->usb_amount_left > 0) {
1457                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1458
1459                        /*
1460                         * Except at the end of the transfer, amount will be
1461                         * equal to the buffer size, which is divisible by
1462                         * the bulk-out maxpacket size.
1463                         */
1464                        set_bulk_out_req_length(common, bh2, amount);
1465                        if (!start_out_transfer(common, bh2))
1466                                /* Dunno what to do if common->fsg is NULL */
1467                                return -EIO;
1468                        common->next_buffhd_to_fill = bh2->next;
1469                        common->usb_amount_left -= amount;
1470                        continue;
1471                }
1472
1473                /* Wait for the data to be received */
1474                rc = sleep_thread(common, false, bh);
1475                if (rc)
1476                        return rc;
1477
1478                /* Throw away the data in a filled buffer */
1479                bh->state = BUF_STATE_EMPTY;
1480                common->next_buffhd_to_drain = bh->next;
1481
1482                /* A short packet or an error ends everything */
1483                if (bh->outreq->actual < bh->bulk_out_intended_length ||
1484                                bh->outreq->status != 0) {
1485                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1486                        return -EINTR;
1487                }
1488        }
1489        return 0;
1490}
1491
1492static int finish_reply(struct fsg_common *common)
1493{
1494        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1495        int                     rc = 0;
1496
1497        switch (common->data_dir) {
1498        case DATA_DIR_NONE:
1499                break;                  /* Nothing to send */
1500
1501        /*
1502         * If we don't know whether the host wants to read or write,
1503         * this must be CB or CBI with an unknown command.  We mustn't
1504         * try to send or receive any data.  So stall both bulk pipes
1505         * if we can and wait for a reset.
1506         */
1507        case DATA_DIR_UNKNOWN:
1508                if (!common->can_stall) {
1509                        /* Nothing */
1510                } else if (fsg_is_set(common)) {
1511                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1512                        rc = halt_bulk_in_endpoint(common->fsg);
1513                } else {
1514                        /* Don't know what to do if common->fsg is NULL */
1515                        rc = -EIO;
1516                }
1517                break;
1518
1519        /* All but the last buffer of data must have already been sent */
1520        case DATA_DIR_TO_HOST:
1521                if (common->data_size == 0) {
1522                        /* Nothing to send */
1523
1524                /* Don't know what to do if common->fsg is NULL */
1525                } else if (!fsg_is_set(common)) {
1526                        rc = -EIO;
1527
1528                /* If there's no residue, simply send the last buffer */
1529                } else if (common->residue == 0) {
1530                        bh->inreq->zero = 0;
1531                        if (!start_in_transfer(common, bh))
1532                                return -EIO;
1533                        common->next_buffhd_to_fill = bh->next;
1534
1535                /*
1536                 * For Bulk-only, mark the end of the data with a short
1537                 * packet.  If we are allowed to stall, halt the bulk-in
1538                 * endpoint.  (Note: This violates the Bulk-Only Transport
1539                 * specification, which requires us to pad the data if we
1540                 * don't halt the endpoint.  Presumably nobody will mind.)
1541                 */
1542                } else {
1543                        bh->inreq->zero = 1;
1544                        if (!start_in_transfer(common, bh))
1545                                rc = -EIO;
1546                        common->next_buffhd_to_fill = bh->next;
1547                        if (common->can_stall)
1548                                rc = halt_bulk_in_endpoint(common->fsg);
1549                }
1550                break;
1551
1552        /*
1553         * We have processed all we want from the data the host has sent.
1554         * There may still be outstanding bulk-out requests.
1555         */
1556        case DATA_DIR_FROM_HOST:
1557                if (common->residue == 0) {
1558                        /* Nothing to receive */
1559
1560                /* Did the host stop sending unexpectedly early? */
1561                } else if (common->short_packet_received) {
1562                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1563                        rc = -EINTR;
1564
1565                /*
1566                 * We haven't processed all the incoming data.  Even though
1567                 * we may be allowed to stall, doing so would cause a race.
1568                 * The controller may already have ACK'ed all the remaining
1569                 * bulk-out packets, in which case the host wouldn't see a
1570                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1571                 * clear the halt -- leading to problems later on.
1572                 */
1573#if 0
1574                } else if (common->can_stall) {
1575                        if (fsg_is_set(common))
1576                                fsg_set_halt(common->fsg,
1577                                             common->fsg->bulk_out);
1578                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1579                        rc = -EINTR;
1580#endif
1581
1582                /*
1583                 * We can't stall.  Read in the excess data and throw it
1584                 * all away.
1585                 */
1586                } else {
1587                        rc = throw_away_data(common);
1588                }
1589                break;
1590        }
1591        return rc;
1592}
1593
1594static void send_status(struct fsg_common *common)
1595{
1596        struct fsg_lun          *curlun = common->curlun;
1597        struct fsg_buffhd       *bh;
1598        struct bulk_cs_wrap     *csw;
1599        int                     rc;
1600        u8                      status = US_BULK_STAT_OK;
1601        u32                     sd, sdinfo = 0;
1602
1603        /* Wait for the next buffer to become available */
1604        bh = common->next_buffhd_to_fill;
1605        rc = sleep_thread(common, false, bh);
1606        if (rc)
1607                return;
1608
1609        if (curlun) {
1610                sd = curlun->sense_data;
1611                sdinfo = curlun->sense_data_info;
1612        } else if (common->bad_lun_okay)
1613                sd = SS_NO_SENSE;
1614        else
1615                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1616
1617        if (common->phase_error) {
1618                DBG(common, "sending phase-error status\n");
1619                status = US_BULK_STAT_PHASE;
1620                sd = SS_INVALID_COMMAND;
1621        } else if (sd != SS_NO_SENSE) {
1622                DBG(common, "sending command-failure status\n");
1623                status = US_BULK_STAT_FAIL;
1624                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1625                                "  info x%x\n",
1626                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1627        }
1628
1629        /* Store and send the Bulk-only CSW */
1630        csw = (void *)bh->buf;
1631
1632        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1633        csw->Tag = common->tag;
1634        csw->Residue = cpu_to_le32(common->residue);
1635        csw->Status = status;
1636
1637        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1638        bh->inreq->zero = 0;
1639        if (!start_in_transfer(common, bh))
1640                /* Don't know what to do if common->fsg is NULL */
1641                return;
1642
1643        common->next_buffhd_to_fill = bh->next;
1644        return;
1645}
1646
1647
1648/*-------------------------------------------------------------------------*/
1649
1650/*
1651 * Check whether the command is properly formed and whether its data size
1652 * and direction agree with the values we already have.
1653 */
1654static int check_command(struct fsg_common *common, int cmnd_size,
1655                         enum data_direction data_dir, unsigned int mask,
1656                         int needs_medium, const char *name)
1657{
1658        int                     i;
1659        unsigned int            lun = common->cmnd[1] >> 5;
1660        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1661        char                    hdlen[20];
1662        struct fsg_lun          *curlun;
1663
1664        hdlen[0] = 0;
1665        if (common->data_dir != DATA_DIR_UNKNOWN)
1666                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1667                        common->data_size);
1668        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1669             name, cmnd_size, dirletter[(int) data_dir],
1670             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1671
1672        /*
1673         * We can't reply at all until we know the correct data direction
1674         * and size.
1675         */
1676        if (common->data_size_from_cmnd == 0)
1677                data_dir = DATA_DIR_NONE;
1678        if (common->data_size < common->data_size_from_cmnd) {
1679                /*
1680                 * Host data size < Device data size is a phase error.
1681                 * Carry out the command, but only transfer as much as
1682                 * we are allowed.
1683                 */
1684                common->data_size_from_cmnd = common->data_size;
1685                common->phase_error = 1;
1686        }
1687        common->residue = common->data_size;
1688        common->usb_amount_left = common->data_size;
1689
1690        /* Conflicting data directions is a phase error */
1691        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1692                common->phase_error = 1;
1693                return -EINVAL;
1694        }
1695
1696        /* Verify the length of the command itself */
1697        if (cmnd_size != common->cmnd_size) {
1698
1699                /*
1700                 * Special case workaround: There are plenty of buggy SCSI
1701                 * implementations. Many have issues with cbw->Length
1702                 * field passing a wrong command size. For those cases we
1703                 * always try to work around the problem by using the length
1704                 * sent by the host side provided it is at least as large
1705                 * as the correct command length.
1706                 * Examples of such cases would be MS-Windows, which issues
1707                 * REQUEST SENSE with cbw->Length == 12 where it should
1708                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1709                 * REQUEST SENSE with cbw->Length == 10 where it should
1710                 * be 6 as well.
1711                 */
1712                if (cmnd_size <= common->cmnd_size) {
1713                        DBG(common, "%s is buggy! Expected length %d "
1714                            "but we got %d\n", name,
1715                            cmnd_size, common->cmnd_size);
1716                        cmnd_size = common->cmnd_size;
1717                } else {
1718                        common->phase_error = 1;
1719                        return -EINVAL;
1720                }
1721        }
1722
1723        /* Check that the LUN values are consistent */
1724        if (common->lun != lun)
1725                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1726                    common->lun, lun);
1727
1728        /* Check the LUN */
1729        curlun = common->curlun;
1730        if (curlun) {
1731                if (common->cmnd[0] != REQUEST_SENSE) {
1732                        curlun->sense_data = SS_NO_SENSE;
1733                        curlun->sense_data_info = 0;
1734                        curlun->info_valid = 0;
1735                }
1736        } else {
1737                common->bad_lun_okay = 0;
1738
1739                /*
1740                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1741                 * to use unsupported LUNs; all others may not.
1742                 */
1743                if (common->cmnd[0] != INQUIRY &&
1744                    common->cmnd[0] != REQUEST_SENSE) {
1745                        DBG(common, "unsupported LUN %u\n", common->lun);
1746                        return -EINVAL;
1747                }
1748        }
1749
1750        /*
1751         * If a unit attention condition exists, only INQUIRY and
1752         * REQUEST SENSE commands are allowed; anything else must fail.
1753         */
1754        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1755            common->cmnd[0] != INQUIRY &&
1756            common->cmnd[0] != REQUEST_SENSE) {
1757                curlun->sense_data = curlun->unit_attention_data;
1758                curlun->unit_attention_data = SS_NO_SENSE;
1759                return -EINVAL;
1760        }
1761
1762        /* Check that only command bytes listed in the mask are non-zero */
1763        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1764        for (i = 1; i < cmnd_size; ++i) {
1765                if (common->cmnd[i] && !(mask & (1 << i))) {
1766                        if (curlun)
1767                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1768                        return -EINVAL;
1769                }
1770        }
1771
1772        /* If the medium isn't mounted and the command needs to access
1773         * it, return an error. */
1774        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1775                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1776                return -EINVAL;
1777        }
1778
1779        return 0;
1780}
1781
1782/* wrapper of check_command for data size in blocks handling */
1783static int check_command_size_in_blocks(struct fsg_common *common,
1784                int cmnd_size, enum data_direction data_dir,
1785                unsigned int mask, int needs_medium, const char *name)
1786{
1787        if (common->curlun)
1788                common->data_size_from_cmnd <<= common->curlun->blkbits;
1789        return check_command(common, cmnd_size, data_dir,
1790                        mask, needs_medium, name);
1791}
1792
1793static int do_scsi_command(struct fsg_common *common)
1794{
1795        struct fsg_buffhd       *bh;
1796        int                     rc;
1797        int                     reply = -EINVAL;
1798        int                     i;
1799        static char             unknown[16];
1800
1801        dump_cdb(common);
1802
1803        /* Wait for the next buffer to become available for data or status */
1804        bh = common->next_buffhd_to_fill;
1805        common->next_buffhd_to_drain = bh;
1806        rc = sleep_thread(common, false, bh);
1807        if (rc)
1808                return rc;
1809
1810        common->phase_error = 0;
1811        common->short_packet_received = 0;
1812
1813        down_read(&common->filesem);    /* We're using the backing file */
1814        switch (common->cmnd[0]) {
1815
1816        case INQUIRY:
1817                common->data_size_from_cmnd = common->cmnd[4];
1818                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1819                                      (1<<4), 0,
1820                                      "INQUIRY");
1821                if (reply == 0)
1822                        reply = do_inquiry(common, bh);
1823                break;
1824
1825        case MODE_SELECT:
1826                common->data_size_from_cmnd = common->cmnd[4];
1827                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1828                                      (1<<1) | (1<<4), 0,
1829                                      "MODE SELECT(6)");
1830                if (reply == 0)
1831                        reply = do_mode_select(common, bh);
1832                break;
1833
1834        case MODE_SELECT_10:
1835                common->data_size_from_cmnd =
1836                        get_unaligned_be16(&common->cmnd[7]);
1837                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1838                                      (1<<1) | (3<<7), 0,
1839                                      "MODE SELECT(10)");
1840                if (reply == 0)
1841                        reply = do_mode_select(common, bh);
1842                break;
1843
1844        case MODE_SENSE:
1845                common->data_size_from_cmnd = common->cmnd[4];
1846                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1847                                      (1<<1) | (1<<2) | (1<<4), 0,
1848                                      "MODE SENSE(6)");
1849                if (reply == 0)
1850                        reply = do_mode_sense(common, bh);
1851                break;
1852
1853        case MODE_SENSE_10:
1854                common->data_size_from_cmnd =
1855                        get_unaligned_be16(&common->cmnd[7]);
1856                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1857                                      (1<<1) | (1<<2) | (3<<7), 0,
1858                                      "MODE SENSE(10)");
1859                if (reply == 0)
1860                        reply = do_mode_sense(common, bh);
1861                break;
1862
1863        case ALLOW_MEDIUM_REMOVAL:
1864                common->data_size_from_cmnd = 0;
1865                reply = check_command(common, 6, DATA_DIR_NONE,
1866                                      (1<<4), 0,
1867                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1868                if (reply == 0)
1869                        reply = do_prevent_allow(common);
1870                break;
1871
1872        case READ_6:
1873                i = common->cmnd[4];
1874                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1875                reply = check_command_size_in_blocks(common, 6,
1876                                      DATA_DIR_TO_HOST,
1877                                      (7<<1) | (1<<4), 1,
1878                                      "READ(6)");
1879                if (reply == 0)
1880                        reply = do_read(common);
1881                break;
1882
1883        case READ_10:
1884                common->data_size_from_cmnd =
1885                                get_unaligned_be16(&common->cmnd[7]);
1886                reply = check_command_size_in_blocks(common, 10,
1887                                      DATA_DIR_TO_HOST,
1888                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1889                                      "READ(10)");
1890                if (reply == 0)
1891                        reply = do_read(common);
1892                break;
1893
1894        case READ_12:
1895                common->data_size_from_cmnd =
1896                                get_unaligned_be32(&common->cmnd[6]);
1897                reply = check_command_size_in_blocks(common, 12,
1898                                      DATA_DIR_TO_HOST,
1899                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1900                                      "READ(12)");
1901                if (reply == 0)
1902                        reply = do_read(common);
1903                break;
1904
1905        case READ_CAPACITY:
1906                common->data_size_from_cmnd = 8;
1907                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1908                                      (0xf<<2) | (1<<8), 1,
1909                                      "READ CAPACITY");
1910                if (reply == 0)
1911                        reply = do_read_capacity(common, bh);
1912                break;
1913
1914        case READ_HEADER:
1915                if (!common->curlun || !common->curlun->cdrom)
1916                        goto unknown_cmnd;
1917                common->data_size_from_cmnd =
1918                        get_unaligned_be16(&common->cmnd[7]);
1919                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1920                                      (3<<7) | (0x1f<<1), 1,
1921                                      "READ HEADER");
1922                if (reply == 0)
1923                        reply = do_read_header(common, bh);
1924                break;
1925
1926        case READ_TOC:
1927                if (!common->curlun || !common->curlun->cdrom)
1928                        goto unknown_cmnd;
1929                common->data_size_from_cmnd =
1930                        get_unaligned_be16(&common->cmnd[7]);
1931                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1932                                      (7<<6) | (1<<1), 1,
1933                                      "READ TOC");
1934                if (reply == 0)
1935                        reply = do_read_toc(common, bh);
1936                break;
1937
1938        case READ_FORMAT_CAPACITIES:
1939                common->data_size_from_cmnd =
1940                        get_unaligned_be16(&common->cmnd[7]);
1941                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1942                                      (3<<7), 1,
1943                                      "READ FORMAT CAPACITIES");
1944                if (reply == 0)
1945                        reply = do_read_format_capacities(common, bh);
1946                break;
1947
1948        case REQUEST_SENSE:
1949                common->data_size_from_cmnd = common->cmnd[4];
1950                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1951                                      (1<<4), 0,
1952                                      "REQUEST SENSE");
1953                if (reply == 0)
1954                        reply = do_request_sense(common, bh);
1955                break;
1956
1957        case START_STOP:
1958                common->data_size_from_cmnd = 0;
1959                reply = check_command(common, 6, DATA_DIR_NONE,
1960                                      (1<<1) | (1<<4), 0,
1961                                      "START-STOP UNIT");
1962                if (reply == 0)
1963                        reply = do_start_stop(common);
1964                break;
1965
1966        case SYNCHRONIZE_CACHE:
1967                common->data_size_from_cmnd = 0;
1968                reply = check_command(common, 10, DATA_DIR_NONE,
1969                                      (0xf<<2) | (3<<7), 1,
1970                                      "SYNCHRONIZE CACHE");
1971                if (reply == 0)
1972                        reply = do_synchronize_cache(common);
1973                break;
1974
1975        case TEST_UNIT_READY:
1976                common->data_size_from_cmnd = 0;
1977                reply = check_command(common, 6, DATA_DIR_NONE,
1978                                0, 1,
1979                                "TEST UNIT READY");
1980                break;
1981
1982        /*
1983         * Although optional, this command is used by MS-Windows.  We
1984         * support a minimal version: BytChk must be 0.
1985         */
1986        case VERIFY:
1987                common->data_size_from_cmnd = 0;
1988                reply = check_command(common, 10, DATA_DIR_NONE,
1989                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1990                                      "VERIFY");
1991                if (reply == 0)
1992                        reply = do_verify(common);
1993                break;
1994
1995        case WRITE_6:
1996                i = common->cmnd[4];
1997                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1998                reply = check_command_size_in_blocks(common, 6,
1999                                      DATA_DIR_FROM_HOST,
2000                                      (7<<1) | (1<<4), 1,

2001                                      "WRITE(6)");
2002                if (reply == 0)
2003                        reply = do_write(common);
2004                break;
2005
2006        case WRITE_10:
2007                common->data_size_from_cmnd =
2008                                get_unaligned_be16(&common->cmnd[7]);
2009                reply = check_command_size_in_blocks(common, 10,
2010                                      DATA_DIR_FROM_HOST,
2011                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2012                                      "WRITE(10)");
2013                if (reply == 0)
2014                        reply = do_write(common);
2015                break;
2016
2017        case WRITE_12:
2018                common->data_size_from_cmnd =
2019                                get_unaligned_be32(&common->cmnd[6]);
2020                reply = check_command_size_in_blocks(common, 12,
2021                                      DATA_DIR_FROM_HOST,
2022                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2023                                      "WRITE(12)");
2024                if (reply == 0)
2025                        reply = do_write(common);
2026                break;
2027
2028        /*
2029         * Some mandatory commands that we recognize but don't implement.
2030         * They don't mean much in this setting.  It's left as an exercise
2031         * for anyone interested to implement RESERVE and RELEASE in terms
2032         * of Posix locks.
2033         */
2034        case FORMAT_UNIT:
2035        case RELEASE:
2036        case RESERVE:
2037        case SEND_DIAGNOSTIC:
2038                /* Fall through */
2039
2040        default:
2041unknown_cmnd:
2042                common->data_size_from_cmnd = 0;
2043                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2044                reply = check_command(common, common->cmnd_size,
2045                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2046                if (reply == 0) {
2047                        common->curlun->sense_data = SS_INVALID_COMMAND;
2048                        reply = -EINVAL;
2049                }
2050                break;
2051        }
2052        up_read(&common->filesem);
2053
2054        if (reply == -EINTR || signal_pending(current))
2055                return -EINTR;
2056
2057        /* Set up the single reply buffer for finish_reply() */
2058        if (reply == -EINVAL)
2059                reply = 0;              /* Error reply length */
2060        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2061                reply = min((u32)reply, common->data_size_from_cmnd);
2062                bh->inreq->length = reply;
2063                bh->state = BUF_STATE_FULL;
2064                common->residue -= reply;
2065        }                               /* Otherwise it's already set */
2066
2067        return 0;
2068}
2069
2070
2071/*-------------------------------------------------------------------------*/
2072
2073static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2074{
2075        struct usb_request      *req = bh->outreq;
2076        struct bulk_cb_wrap     *cbw = req->buf;
2077        struct fsg_common       *common = fsg->common;
2078
2079        /* Was this a real packet?  Should it be ignored? */
2080        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2081                return -EINVAL;
2082
2083        /* Is the CBW valid? */
2084        if (req->actual != US_BULK_CB_WRAP_LEN ||
2085                        cbw->Signature != cpu_to_le32(
2086                                US_BULK_CB_SIGN)) {
2087                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2088                                req->actual,
2089                                le32_to_cpu(cbw->Signature));
2090
2091                /*
2092                 * The Bulk-only spec says we MUST stall the IN endpoint
2093                 * (6.6.1), so it's unavoidable.  It also says we must
2094                 * retain this state until the next reset, but there's
2095                 * no way to tell the controller driver it should ignore
2096                 * Clear-Feature(HALT) requests.
2097                 *
2098                 * We aren't required to halt the OUT endpoint; instead
2099                 * we can simply accept and discard any data received
2100                 * until the next reset.
2101                 */
2102                wedge_bulk_in_endpoint(fsg);
2103                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2104                return -EINVAL;
2105        }
2106
2107        /* Is the CBW meaningful? */
2108        if (cbw->Lun >= ARRAY_SIZE(common->luns) ||
2109            cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 ||
2110            cbw->Length > MAX_COMMAND_SIZE) {
2111                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2112                                "cmdlen %u\n",
2113                                cbw->Lun, cbw->Flags, cbw->Length);
2114
2115                /*
2116                 * We can do anything we want here, so let's stall the
2117                 * bulk pipes if we are allowed to.
2118                 */
2119                if (common->can_stall) {
2120                        fsg_set_halt(fsg, fsg->bulk_out);
2121                        halt_bulk_in_endpoint(fsg);
2122                }
2123                return -EINVAL;
2124        }
2125
2126        /* Save the command for later */
2127        common->cmnd_size = cbw->Length;
2128        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2129        if (cbw->Flags & US_BULK_FLAG_IN)
2130                common->data_dir = DATA_DIR_TO_HOST;
2131        else
2132                common->data_dir = DATA_DIR_FROM_HOST;
2133        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2134        if (common->data_size == 0)
2135                common->data_dir = DATA_DIR_NONE;
2136        common->lun = cbw->Lun;
2137        if (common->lun < ARRAY_SIZE(common->luns))
2138                common->curlun = common->luns[common->lun];
2139        else
2140                common->curlun = NULL;
2141        common->tag = cbw->Tag;
2142        return 0;
2143}
2144
2145static int get_next_command(struct fsg_common *common)
2146{
2147        struct fsg_buffhd       *bh;
2148        int                     rc = 0;
2149
2150        /* Wait for the next buffer to become available */
2151        bh = common->next_buffhd_to_fill;
2152        rc = sleep_thread(common, true, bh);
2153        if (rc)
2154                return rc;
2155
2156        /* Queue a request to read a Bulk-only CBW */
2157        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2158        if (!start_out_transfer(common, bh))
2159                /* Don't know what to do if common->fsg is NULL */
2160                return -EIO;
2161
2162        /*
2163         * We will drain the buffer in software, which means we
2164         * can reuse it for the next filling.  No need to advance
2165         * next_buffhd_to_fill.
2166         */
2167
2168        /* Wait for the CBW to arrive */
2169        rc = sleep_thread(common, true, bh);
2170        if (rc)
2171                return rc;
2172
2173        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2174        bh->state = BUF_STATE_EMPTY;
2175
2176        return rc;
2177}
2178
2179
2180/*-------------------------------------------------------------------------*/
2181
2182static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2183                struct usb_request **preq)
2184{
2185        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2186        if (*preq)
2187                return 0;
2188        ERROR(common, "can't allocate request for %s\n", ep->name);
2189        return -ENOMEM;
2190}
2191
2192/* Reset interface setting and re-init endpoint state (toggle etc). */
2193static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2194{
2195        struct fsg_dev *fsg;
2196        int i, rc = 0;
2197
2198        if (common->running)
2199                DBG(common, "reset interface\n");
2200
2201reset:
2202        /* Deallocate the requests */
2203        if (common->fsg) {
2204                fsg = common->fsg;
2205
2206                for (i = 0; i < common->fsg_num_buffers; ++i) {
2207                        struct fsg_buffhd *bh = &common->buffhds[i];
2208
2209                        if (bh->inreq) {
2210                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2211                                bh->inreq = NULL;
2212                        }
2213                        if (bh->outreq) {
2214                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2215                                bh->outreq = NULL;
2216                        }
2217                }
2218
2219                /* Disable the endpoints */
2220                if (fsg->bulk_in_enabled) {
2221                        usb_ep_disable(fsg->bulk_in);
2222                        fsg->bulk_in_enabled = 0;
2223                }
2224                if (fsg->bulk_out_enabled) {
2225                        usb_ep_disable(fsg->bulk_out);
2226                        fsg->bulk_out_enabled = 0;
2227                }
2228
2229                common->fsg = NULL;
2230                wake_up(&common->fsg_wait);
2231        }
2232
2233        common->running = 0;
2234        if (!new_fsg || rc)
2235                return rc;
2236
2237        common->fsg = new_fsg;
2238        fsg = common->fsg;
2239
2240        /* Enable the endpoints */
2241        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2242        if (rc)
2243                goto reset;
2244        rc = usb_ep_enable(fsg->bulk_in);
2245        if (rc)
2246                goto reset;
2247        fsg->bulk_in->driver_data = common;
2248        fsg->bulk_in_enabled = 1;
2249
2250        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2251                                fsg->bulk_out);
2252        if (rc)
2253                goto reset;
2254        rc = usb_ep_enable(fsg->bulk_out);
2255        if (rc)
2256                goto reset;
2257        fsg->bulk_out->driver_data = common;
2258        fsg->bulk_out_enabled = 1;
2259        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2260        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2261
2262        /* Allocate the requests */
2263        for (i = 0; i < common->fsg_num_buffers; ++i) {
2264                struct fsg_buffhd       *bh = &common->buffhds[i];
2265
2266                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2267                if (rc)
2268                        goto reset;
2269                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2270                if (rc)
2271                        goto reset;
2272                bh->inreq->buf = bh->outreq->buf = bh->buf;
2273                bh->inreq->context = bh->outreq->context = bh;
2274                bh->inreq->complete = bulk_in_complete;
2275                bh->outreq->complete = bulk_out_complete;
2276        }
2277
2278        common->running = 1;
2279        for (i = 0; i < ARRAY_SIZE(common->luns); ++i)
2280                if (common->luns[i])
2281                        common->luns[i]->unit_attention_data =
2282                                SS_RESET_OCCURRED;
2283        return rc;
2284}
2285
2286
2287/****************************** ALT CONFIGS ******************************/
2288
2289static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2290{
2291        struct fsg_dev *fsg = fsg_from_func(f);
2292        fsg->common->new_fsg = fsg;
2293        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2294        return USB_GADGET_DELAYED_STATUS;
2295}
2296
2297static void fsg_disable(struct usb_function *f)
2298{
2299        struct fsg_dev *fsg = fsg_from_func(f);
2300        fsg->common->new_fsg = NULL;
2301        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2302}
2303
2304
2305/*-------------------------------------------------------------------------*/
2306
2307static void handle_exception(struct fsg_common *common)
2308{
2309        int                     i;
2310        struct fsg_buffhd       *bh;
2311        enum fsg_state          old_state;
2312        struct fsg_lun          *curlun;
2313        unsigned int            exception_req_tag;
2314
2315        /*
2316         * Clear the existing signals.  Anything but SIGUSR1 is converted
2317         * into a high-priority EXIT exception.
2318         */
2319        for (;;) {
2320                int sig = kernel_dequeue_signal(NULL);
2321                if (!sig)
2322                        break;
2323                if (sig != SIGUSR1) {
2324                        spin_lock_irq(&common->lock);
2325                        if (common->state < FSG_STATE_EXIT)
2326                                DBG(common, "Main thread exiting on signal\n");
2327                        common->state = FSG_STATE_EXIT;
2328                        spin_unlock_irq(&common->lock);
2329                }
2330        }
2331
2332        /* Cancel all the pending transfers */
2333        if (likely(common->fsg)) {
2334                for (i = 0; i < common->fsg_num_buffers; ++i) {
2335                        bh = &common->buffhds[i];
2336                        if (bh->state == BUF_STATE_SENDING)
2337                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2338                        if (bh->state == BUF_STATE_RECEIVING)
2339                                usb_ep_dequeue(common->fsg->bulk_out,
2340                                               bh->outreq);
2341
2342                        /* Wait for a transfer to become idle */
2343                        if (sleep_thread(common, false, bh))
2344                                return;
2345                }
2346
2347                /* Clear out the controller's fifos */
2348                if (common->fsg->bulk_in_enabled)
2349                        usb_ep_fifo_flush(common->fsg->bulk_in);
2350                if (common->fsg->bulk_out_enabled)
2351                        usb_ep_fifo_flush(common->fsg->bulk_out);
2352        }
2353
2354        /*
2355         * Reset the I/O buffer states and pointers, the SCSI
2356         * state, and the exception.  Then invoke the handler.
2357         */
2358        spin_lock_irq(&common->lock);
2359
2360        for (i = 0; i < common->fsg_num_buffers; ++i) {
2361                bh = &common->buffhds[i];
2362                bh->state = BUF_STATE_EMPTY;
2363        }
2364        common->next_buffhd_to_fill = &common->buffhds[0];
2365        common->next_buffhd_to_drain = &common->buffhds[0];
2366        exception_req_tag = common->exception_req_tag;
2367        old_state = common->state;
2368        common->state = FSG_STATE_NORMAL;
2369
2370        if (old_state != FSG_STATE_ABORT_BULK_OUT) {
2371                for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2372                        curlun = common->luns[i];
2373                        if (!curlun)
2374                                continue;
2375                        curlun->prevent_medium_removal = 0;
2376                        curlun->sense_data = SS_NO_SENSE;
2377                        curlun->unit_attention_data = SS_NO_SENSE;
2378                        curlun->sense_data_info = 0;
2379                        curlun->info_valid = 0;
2380                }
2381        }
2382        spin_unlock_irq(&common->lock);
2383
2384        /* Carry out any extra actions required for the exception */
2385        switch (old_state) {
2386        case FSG_STATE_NORMAL:
2387                break;
2388
2389        case FSG_STATE_ABORT_BULK_OUT:
2390                send_status(common);
2391                break;
2392
2393        case FSG_STATE_PROTOCOL_RESET:
2394                /*
2395                 * In case we were forced against our will to halt a
2396                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2397                 * requires this.)
2398                 */
2399                if (!fsg_is_set(common))
2400                        break;
2401                if (test_and_clear_bit(IGNORE_BULK_OUT,
2402                                       &common->fsg->atomic_bitflags))
2403                        usb_ep_clear_halt(common->fsg->bulk_in);
2404
2405                if (common->ep0_req_tag == exception_req_tag)
2406                        ep0_queue(common);      /* Complete the status stage */
2407
2408                /*
2409                 * Technically this should go here, but it would only be
2410                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2411                 * CONFIG_CHANGE cases.
2412                 */
2413                /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */
2414                /*      if (common->luns[i]) */
2415                /*              common->luns[i]->unit_attention_data = */
2416                /*                      SS_RESET_OCCURRED;  */
2417                break;
2418
2419        case FSG_STATE_CONFIG_CHANGE:
2420                do_set_interface(common, common->new_fsg);
2421                if (common->new_fsg)
2422                        usb_composite_setup_continue(common->cdev);
2423                break;
2424
2425        case FSG_STATE_EXIT:
2426                do_set_interface(common, NULL);         /* Free resources */
2427                spin_lock_irq(&common->lock);
2428                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2429                spin_unlock_irq(&common->lock);
2430                break;
2431
2432        case FSG_STATE_TERMINATED:
2433                break;
2434        }
2435}
2436
2437
2438/*-------------------------------------------------------------------------*/
2439
2440static int fsg_main_thread(void *common_)
2441{
2442        struct fsg_common       *common = common_;
2443
2444        /*
2445         * Allow the thread to be killed by a signal, but set the signal mask
2446         * to block everything but INT, TERM, KILL, and USR1.
2447         */
2448        allow_signal(SIGINT);
2449        allow_signal(SIGTERM);
2450        allow_signal(SIGKILL);
2451        allow_signal(SIGUSR1);
2452
2453        /* Allow the thread to be frozen */
2454        set_freezable();
2455
2456        /*
2457         * Arrange for userspace references to be interpreted as kernel
2458         * pointers.  That way we can pass a kernel pointer to a routine
2459         * that expects a __user pointer and it will work okay.
2460         */
2461        set_fs(get_ds());
2462
2463        /* The main loop */
2464        while (common->state != FSG_STATE_TERMINATED) {
2465                if (exception_in_progress(common) || signal_pending(current)) {
2466                        handle_exception(common);
2467                        continue;
2468                }
2469
2470                if (!common->running) {
2471                        sleep_thread(common, true, NULL);
2472                        continue;
2473                }
2474
2475                if (get_next_command(common) || exception_in_progress(common))
2476                        continue;
2477                if (do_scsi_command(common) || exception_in_progress(common))
2478                        continue;
2479                if (finish_reply(common) || exception_in_progress(common))
2480                        continue;
2481                send_status(common);
2482        }
2483
2484        spin_lock_irq(&common->lock);
2485        common->thread_task = NULL;
2486        spin_unlock_irq(&common->lock);
2487
2488        if (!common->ops || !common->ops->thread_exits
2489         || common->ops->thread_exits(common) < 0) {
2490                int i;
2491
2492                down_write(&common->filesem);
2493                for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
2494                        struct fsg_lun *curlun = common->luns[i];
2495                        if (!curlun || !fsg_lun_is_open(curlun))
2496                                continue;
2497
2498                        fsg_lun_close(curlun);
2499                        curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
2500                }
2501                up_write(&common->filesem);
2502        }
2503
2504        /* Let fsg_unbind() know the thread has exited */
2505        complete_and_exit(&common->thread_notifier, 0);
2506}
2507
2508
2509/*************************** DEVICE ATTRIBUTES ***************************/
2510
2511static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2512{
2513        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2514
2515        return fsg_show_ro(curlun, buf);
2516}
2517
2518static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2519                          char *buf)
2520{
2521        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2522
2523        return fsg_show_nofua(curlun, buf);
2524}
2525
2526static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2527                         char *buf)
2528{
2529        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2530        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2531
2532        return fsg_show_file(curlun, filesem, buf);
2533}
2534
2535static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2536                        const char *buf, size_t count)
2537{
2538        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2539        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2540
2541        return fsg_store_ro(curlun, filesem, buf, count);
2542}
2543
2544static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2545                           const char *buf, size_t count)
2546{
2547        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2548
2549        return fsg_store_nofua(curlun, buf, count);
2550}
2551
2552static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2553                          const char *buf, size_t count)
2554{
2555        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2556        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2557
2558        return fsg_store_file(curlun, filesem, buf, count);
2559}
2560
2561static DEVICE_ATTR_RW(nofua);
2562/* mode wil be set in fsg_lun_attr_is_visible() */
2563static DEVICE_ATTR(ro, 0, ro_show, ro_store);
2564static DEVICE_ATTR(file, 0, file_show, file_store);
2565
2566/****************************** FSG COMMON ******************************/
2567
2568static void fsg_common_release(struct kref *ref);
2569
2570static void fsg_lun_release(struct device *dev)
2571{
2572        /* Nothing needs to be done */
2573}
2574
2575void fsg_common_get(struct fsg_common *common)
2576{
2577        kref_get(&common->ref);
2578}
2579EXPORT_SYMBOL_GPL(fsg_common_get);
2580
2581void fsg_common_put(struct fsg_common *common)
2582{
2583        kref_put(&common->ref, fsg_common_release);
2584}
2585EXPORT_SYMBOL_GPL(fsg_common_put);
2586
2587static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2588{
2589        if (!common) {
2590                common = kzalloc(sizeof(*common), GFP_KERNEL);
2591                if (!common)
2592                        return ERR_PTR(-ENOMEM);
2593                common->free_storage_on_release = 1;
2594        } else {
2595                common->free_storage_on_release = 0;
2596        }
2597        init_rwsem(&common->filesem);
2598        spin_lock_init(&common->lock);
2599        kref_init(&common->ref);
2600        init_completion(&common->thread_notifier);
2601        init_waitqueue_head(&common->io_wait);
2602        init_waitqueue_head(&common->fsg_wait);
2603        common->state = FSG_STATE_TERMINATED;
2604        memset(common->luns, 0, sizeof(common->luns));
2605
2606        return common;
2607}
2608
2609void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2610{
2611        common->sysfs = sysfs;
2612}
2613EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2614
2615static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2616{
2617        if (buffhds) {
2618                struct fsg_buffhd *bh = buffhds;
2619                while (n--) {
2620                        kfree(bh->buf);
2621                        ++bh;
2622                }
2623                kfree(buffhds);
2624        }
2625}
2626
2627int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2628{
2629        struct fsg_buffhd *bh, *buffhds;
2630        int i;
2631
2632        buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2633        if (!buffhds)
2634                return -ENOMEM;
2635
2636        /* Data buffers cyclic list */
2637        bh = buffhds;
2638        i = n;
2639        goto buffhds_first_it;
2640        do {
2641                bh->next = bh + 1;
2642                ++bh;
2643buffhds_first_it:
2644                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2645                if (unlikely(!bh->buf))
2646                        goto error_release;
2647        } while (--i);
2648        bh->next = buffhds;
2649
2650        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2651        common->fsg_num_buffers = n;
2652        common->buffhds = buffhds;
2653
2654        return 0;
2655
2656error_release:
2657        /*
2658         * "buf"s pointed to by heads after n - i are NULL
2659         * so releasing them won't hurt
2660         */
2661        _fsg_common_free_buffers(buffhds, n);
2662
2663        return -ENOMEM;
2664}
2665EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2666
2667void fsg_common_remove_lun(struct fsg_lun *lun)
2668{
2669        if (device_is_registered(&lun->dev))
2670                device_unregister(&lun->dev);
2671        fsg_lun_close(lun);
2672        kfree(lun);
2673}
2674EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2675
2676static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2677{
2678        int i;
2679
2680        for (i = 0; i < n; ++i)
2681                if (common->luns[i]) {
2682                        fsg_common_remove_lun(common->luns[i]);
2683                        common->luns[i] = NULL;
2684                }
2685}
2686
2687void fsg_common_remove_luns(struct fsg_common *common)
2688{
2689        _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns));
2690}
2691EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2692
2693void fsg_common_set_ops(struct fsg_common *common,
2694                        const struct fsg_operations *ops)
2695{
2696        common->ops = ops;
2697}
2698EXPORT_SYMBOL_GPL(fsg_common_set_ops);
2699
2700void fsg_common_free_buffers(struct fsg_common *common)
2701{
2702        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2703        common->buffhds = NULL;
2704}
2705EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2706
2707int fsg_common_set_cdev(struct fsg_common *common,
2708                         struct usb_composite_dev *cdev, bool can_stall)
2709{
2710        struct usb_string *us;
2711
2712        common->gadget = cdev->gadget;
2713        common->ep0 = cdev->gadget->ep0;
2714        common->ep0req = cdev->req;
2715        common->cdev = cdev;
2716
2717        us = usb_gstrings_attach(cdev, fsg_strings_array,
2718                                 ARRAY_SIZE(fsg_strings));
2719        if (IS_ERR(us))
2720                return PTR_ERR(us);
2721
2722        fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2723
2724        /*
2725         * Some peripheral controllers are known not to be able to
2726         * halt bulk endpoints correctly.  If one of them is present,
2727         * disable stalls.
2728         */
2729        common->can_stall = can_stall &&
2730                        gadget_is_stall_supported(common->gadget);
2731
2732        return 0;
2733}
2734EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2735
2736static struct attribute *fsg_lun_dev_attrs[] = {
2737        &dev_attr_ro.attr,
2738        &dev_attr_file.attr,
2739        &dev_attr_nofua.attr,
2740        NULL
2741};
2742
2743static umode_t fsg_lun_dev_is_visible(struct kobject *kobj,
2744                                      struct attribute *attr, int idx)
2745{
2746        struct device *dev = kobj_to_dev(kobj);
2747        struct fsg_lun *lun = fsg_lun_from_dev(dev);
2748
2749        if (attr == &dev_attr_ro.attr)
2750                return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO);
2751        if (attr == &dev_attr_file.attr)
2752                return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO;
2753        return attr->mode;
2754}
2755
2756static const struct attribute_group fsg_lun_dev_group = {
2757        .attrs = fsg_lun_dev_attrs,
2758        .is_visible = fsg_lun_dev_is_visible,
2759};
2760
2761static const struct attribute_group *fsg_lun_dev_groups[] = {
2762        &fsg_lun_dev_group,
2763        NULL
2764};
2765
2766int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2767                          unsigned int id, const char *name,
2768                          const char **name_pfx)
2769{
2770        struct fsg_lun *lun;
2771        char *pathbuf, *p;
2772        int rc = -ENOMEM;
2773
2774        if (id >= ARRAY_SIZE(common->luns))
2775                return -ENODEV;
2776
2777        if (common->luns[id])
2778                return -EBUSY;
2779
2780        if (!cfg->filename && !cfg->removable) {
2781                pr_err("no file given for LUN%d\n", id);
2782                return -EINVAL;
2783        }
2784
2785        lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2786        if (!lun)
2787                return -ENOMEM;
2788
2789        lun->name_pfx = name_pfx;
2790
2791        lun->cdrom = !!cfg->cdrom;
2792        lun->ro = cfg->cdrom || cfg->ro;
2793        lun->initially_ro = lun->ro;
2794        lun->removable = !!cfg->removable;
2795
2796        if (!common->sysfs) {
2797                /* we DON'T own the name!*/
2798                lun->name = name;
2799        } else {
2800                lun->dev.release = fsg_lun_release;
2801                lun->dev.parent = &common->gadget->dev;
2802                lun->dev.groups = fsg_lun_dev_groups;
2803                dev_set_drvdata(&lun->dev, &common->filesem);
2804                dev_set_name(&lun->dev, "%s", name);
2805                lun->name = dev_name(&lun->dev);
2806
2807                rc = device_register(&lun->dev);
2808                if (rc) {
2809                        pr_info("failed to register LUN%d: %d\n", id, rc);
2810                        put_device(&lun->dev);
2811                        goto error_sysfs;
2812                }
2813        }
2814
2815        common->luns[id] = lun;
2816
2817        if (cfg->filename) {
2818                rc = fsg_lun_open(lun, cfg->filename);
2819                if (rc)
2820                        goto error_lun;
2821        }
2822
2823        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2824        p = "(no medium)";
2825        if (fsg_lun_is_open(lun)) {
2826                p = "(error)";
2827                if (pathbuf) {
2828                        p = file_path(lun->filp, pathbuf, PATH_MAX);
2829                        if (IS_ERR(p))
2830                                p = "(error)";
2831                }
2832        }
2833        pr_info("LUN: %s%s%sfile: %s\n",
2834              lun->removable ? "removable " : "",
2835              lun->ro ? "read only " : "",
2836              lun->cdrom ? "CD-ROM " : "",
2837              p);
2838        kfree(pathbuf);
2839
2840        return 0;
2841
2842error_lun:
2843        if (device_is_registered(&lun->dev))
2844                device_unregister(&lun->dev);
2845        fsg_lun_close(lun);
2846        common->luns[id] = NULL;
2847error_sysfs:
2848        kfree(lun);
2849        return rc;
2850}
2851EXPORT_SYMBOL_GPL(fsg_common_create_lun);
2852
2853int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
2854{
2855        char buf[8]; /* enough for 100000000 different numbers, decimal */
2856        int i, rc;
2857
2858        fsg_common_remove_luns(common);
2859
2860        for (i = 0; i < cfg->nluns; ++i) {
2861                snprintf(buf, sizeof(buf), "lun%d", i);
2862                rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
2863                if (rc)
2864                        goto fail;
2865        }
2866
2867        pr_info("Number of LUNs=%d\n", cfg->nluns);
2868
2869        return 0;
2870
2871fail:
2872        _fsg_common_remove_luns(common, i);
2873        return rc;
2874}
2875EXPORT_SYMBOL_GPL(fsg_common_create_luns);
2876
2877void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
2878                                   const char *pn)
2879{
2880        int i;
2881
2882        /* Prepare inquiryString */
2883        i = get_default_bcdDevice();
2884        snprintf(common->inquiry_string, sizeof(common->inquiry_string),
2885                 "%-8s%-16s%04x", vn ?: "Linux",
2886                 /* Assume product name dependent on the first LUN */
2887                 pn ?: ((*common->luns)->cdrom
2888                     ? "File-CD Gadget"
2889                     : "File-Stor Gadget"),
2890                 i);
2891}
2892EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
2893
2894static void fsg_common_release(struct kref *ref)
2895{
2896        struct fsg_common *common = container_of(ref, struct fsg_common, ref);
2897        int i;
2898
2899        /* If the thread isn't already dead, tell it to exit now */
2900        if (common->state != FSG_STATE_TERMINATED) {
2901                raise_exception(common, FSG_STATE_EXIT);
2902                wait_for_completion(&common->thread_notifier);
2903        }
2904
2905        for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2906                struct fsg_lun *lun = common->luns[i];
2907                if (!lun)
2908                        continue;
2909                fsg_lun_close(lun);
2910                if (device_is_registered(&lun->dev))
2911                        device_unregister(&lun->dev);
2912                kfree(lun);
2913        }
2914
2915        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2916        if (common->free_storage_on_release)
2917                kfree(common);
2918}
2919
2920
2921/*-------------------------------------------------------------------------*/
2922
2923static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2924{
2925        struct fsg_dev          *fsg = fsg_from_func(f);
2926        struct fsg_common       *common = fsg->common;
2927        struct usb_gadget       *gadget = c->cdev->gadget;
2928        int                     i;
2929        struct usb_ep           *ep;
2930        unsigned                max_burst;
2931        int                     ret;
2932        struct fsg_opts         *opts;
2933
2934        /* Don't allow to bind if we don't have at least one LUN */
2935        ret = _fsg_common_get_max_lun(common);
2936        if (ret < 0) {
2937                pr_err("There should be at least one LUN.\n");
2938                return -EINVAL;
2939        }
2940
2941        opts = fsg_opts_from_func_inst(f->fi);
2942        if (!opts->no_configfs) {
2943                ret = fsg_common_set_cdev(fsg->common, c->cdev,
2944                                          fsg->common->can_stall);
2945                if (ret)
2946                        return ret;
2947                fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
2948        }
2949
2950        if (!common->thread_task) {
2951                common->state = FSG_STATE_NORMAL;
2952                common->thread_task =
2953                        kthread_create(fsg_main_thread, common, "file-storage");
2954                if (IS_ERR(common->thread_task)) {
2955                        ret = PTR_ERR(common->thread_task);
2956                        common->thread_task = NULL;
2957                        common->state = FSG_STATE_TERMINATED;
2958                        return ret;
2959                }
2960                DBG(common, "I/O thread pid: %d\n",
2961                    task_pid_nr(common->thread_task));
2962                wake_up_process(common->thread_task);
2963        }
2964
2965        fsg->gadget = gadget;
2966
2967        /* New interface */
2968        i = usb_interface_id(c, f);
2969        if (i < 0)
2970                goto fail;
2971        fsg_intf_desc.bInterfaceNumber = i;
2972        fsg->interface_number = i;
2973
2974        /* Find all the endpoints we will use */
2975        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2976        if (!ep)
2977                goto autoconf_fail;
2978        fsg->bulk_in = ep;
2979
2980        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2981        if (!ep)
2982                goto autoconf_fail;
2983        fsg->bulk_out = ep;
2984
2985        /* Assume endpoint addresses are the same for both speeds */
2986        fsg_hs_bulk_in_desc.bEndpointAddress =
2987                fsg_fs_bulk_in_desc.bEndpointAddress;
2988        fsg_hs_bulk_out_desc.bEndpointAddress =
2989                fsg_fs_bulk_out_desc.bEndpointAddress;
2990
2991        /* Calculate bMaxBurst, we know packet size is 1024 */
2992        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2993
2994        fsg_ss_bulk_in_desc.bEndpointAddress =
2995                fsg_fs_bulk_in_desc.bEndpointAddress;
2996        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2997
2998        fsg_ss_bulk_out_desc.bEndpointAddress =
2999                fsg_fs_bulk_out_desc.bEndpointAddress;
3000        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;

3001
3002        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
3003                        fsg_ss_function, fsg_ss_function);
3004        if (ret)
3005                goto autoconf_fail;
3006
3007        return 0;
3008
3009autoconf_fail:
3010        ERROR(fsg, "unable to autoconfigure all endpoints\n");
3011        i = -ENOTSUPP;
3012fail:
3013        /* terminate the thread */
3014        if (fsg->common->state != FSG_STATE_TERMINATED) {
3015                raise_exception(fsg->common, FSG_STATE_EXIT);
3016                wait_for_completion(&fsg->common->thread_notifier);
3017        }
3018        return i;
3019}
3020
3021/****************************** ALLOCATE FUNCTION *************************/
3022
3023static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
3024{
3025        struct fsg_dev          *fsg = fsg_from_func(f);
3026        struct fsg_common       *common = fsg->common;
3027
3028        DBG(fsg, "unbind\n");
3029        if (fsg->common->fsg == fsg) {
3030                fsg->common->new_fsg = NULL;
3031                raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
3032                /* FIXME: make interruptible or killable somehow? */
3033                wait_event(common->fsg_wait, common->fsg != fsg);
3034        }
3035
3036        usb_free_all_descriptors(&fsg->function);
3037}
3038
3039static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3040{
3041        return container_of(to_config_group(item), struct fsg_lun_opts, group);
3042}
3043
3044static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3045{
3046        return container_of(to_config_group(item), struct fsg_opts,
3047                            func_inst.group);
3048}
3049
3050static void fsg_lun_attr_release(struct config_item *item)
3051{
3052        struct fsg_lun_opts *lun_opts;
3053
3054        lun_opts = to_fsg_lun_opts(item);
3055        kfree(lun_opts);
3056}
3057
3058static struct configfs_item_operations fsg_lun_item_ops = {
3059        .release                = fsg_lun_attr_release,
3060};
3061
3062static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page)
3063{
3064        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3065        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3066
3067        return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3068}
3069
3070static ssize_t fsg_lun_opts_file_store(struct config_item *item,
3071                                       const char *page, size_t len)
3072{
3073        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3074        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3075
3076        return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3077}
3078
3079CONFIGFS_ATTR(fsg_lun_opts_, file);
3080
3081static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page)
3082{
3083        return fsg_show_ro(to_fsg_lun_opts(item)->lun, page);
3084}
3085
3086static ssize_t fsg_lun_opts_ro_store(struct config_item *item,
3087                                       const char *page, size_t len)
3088{
3089        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3090        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3091
3092        return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3093}
3094
3095CONFIGFS_ATTR(fsg_lun_opts_, ro);
3096
3097static ssize_t fsg_lun_opts_removable_show(struct config_item *item,
3098                                           char *page)
3099{
3100        return fsg_show_removable(to_fsg_lun_opts(item)->lun, page);
3101}
3102
3103static ssize_t fsg_lun_opts_removable_store(struct config_item *item,
3104                                       const char *page, size_t len)
3105{
3106        return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len);
3107}
3108
3109CONFIGFS_ATTR(fsg_lun_opts_, removable);
3110
3111static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page)
3112{
3113        return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page);
3114}
3115
3116static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item,
3117                                       const char *page, size_t len)
3118{
3119        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3120        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3121
3122        return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3123                               len);
3124}
3125
3126CONFIGFS_ATTR(fsg_lun_opts_, cdrom);
3127
3128static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page)
3129{
3130        return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page);
3131}
3132
3133static ssize_t fsg_lun_opts_nofua_store(struct config_item *item,
3134                                       const char *page, size_t len)
3135{
3136        return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len);
3137}
3138
3139CONFIGFS_ATTR(fsg_lun_opts_, nofua);
3140
3141static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item,
3142                                                char *page)
3143{
3144        return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page);
3145}
3146
3147static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item,
3148                                                 const char *page, size_t len)
3149{
3150        return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len);
3151}
3152
3153CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string);
3154
3155static struct configfs_attribute *fsg_lun_attrs[] = {
3156        &fsg_lun_opts_attr_file,
3157        &fsg_lun_opts_attr_ro,
3158        &fsg_lun_opts_attr_removable,
3159        &fsg_lun_opts_attr_cdrom,
3160        &fsg_lun_opts_attr_nofua,
3161        &fsg_lun_opts_attr_inquiry_string,
3162        NULL,
3163};
3164
3165static struct config_item_type fsg_lun_type = {
3166        .ct_item_ops    = &fsg_lun_item_ops,
3167        .ct_attrs       = fsg_lun_attrs,
3168        .ct_owner       = THIS_MODULE,
3169};
3170
3171static struct config_group *fsg_lun_make(struct config_group *group,
3172                                         const char *name)
3173{
3174        struct fsg_lun_opts *opts;
3175        struct fsg_opts *fsg_opts;
3176        struct fsg_lun_config config;
3177        char *num_str;
3178        u8 num;
3179        int ret;
3180
3181        num_str = strchr(name, '.');
3182        if (!num_str) {
3183                pr_err("Unable to locate . in LUN.NUMBER\n");
3184                return ERR_PTR(-EINVAL);
3185        }
3186        num_str++;
3187
3188        ret = kstrtou8(num_str, 0, &num);
3189        if (ret)
3190                return ERR_PTR(ret);
3191
3192        fsg_opts = to_fsg_opts(&group->cg_item);
3193        if (num >= FSG_MAX_LUNS)
3194                return ERR_PTR(-ERANGE);
3195
3196        mutex_lock(&fsg_opts->lock);
3197        if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3198                ret = -EBUSY;
3199                goto out;
3200        }
3201
3202        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3203        if (!opts) {
3204                ret = -ENOMEM;
3205                goto out;
3206        }
3207
3208        memset(&config, 0, sizeof(config));
3209        config.removable = true;
3210
3211        ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3212                                    (const char **)&group->cg_item.ci_name);
3213        if (ret) {
3214                kfree(opts);
3215                goto out;
3216        }
3217        opts->lun = fsg_opts->common->luns[num];
3218        opts->lun_id = num;
3219        mutex_unlock(&fsg_opts->lock);
3220
3221        config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3222
3223        return &opts->group;
3224out:
3225        mutex_unlock(&fsg_opts->lock);
3226        return ERR_PTR(ret);
3227}
3228
3229static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3230{
3231        struct fsg_lun_opts *lun_opts;
3232        struct fsg_opts *fsg_opts;
3233
3234        lun_opts = to_fsg_lun_opts(item);
3235        fsg_opts = to_fsg_opts(&group->cg_item);
3236
3237        mutex_lock(&fsg_opts->lock);
3238        if (fsg_opts->refcnt) {
3239                struct config_item *gadget;
3240
3241                gadget = group->cg_item.ci_parent->ci_parent;
3242                unregister_gadget_item(gadget);
3243        }
3244
3245        fsg_common_remove_lun(lun_opts->lun);
3246        fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3247        lun_opts->lun_id = 0;
3248        mutex_unlock(&fsg_opts->lock);
3249
3250        config_item_put(item);
3251}
3252
3253static void fsg_attr_release(struct config_item *item)
3254{
3255        struct fsg_opts *opts = to_fsg_opts(item);
3256
3257        usb_put_function_instance(&opts->func_inst);
3258}
3259
3260static struct configfs_item_operations fsg_item_ops = {
3261        .release                = fsg_attr_release,
3262};
3263
3264static ssize_t fsg_opts_stall_show(struct config_item *item, char *page)
3265{
3266        struct fsg_opts *opts = to_fsg_opts(item);
3267        int result;
3268
3269        mutex_lock(&opts->lock);
3270        result = sprintf(page, "%d", opts->common->can_stall);
3271        mutex_unlock(&opts->lock);
3272
3273        return result;
3274}
3275
3276static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page,
3277                                    size_t len)
3278{
3279        struct fsg_opts *opts = to_fsg_opts(item);
3280        int ret;
3281        bool stall;
3282
3283        mutex_lock(&opts->lock);
3284
3285        if (opts->refcnt) {
3286                mutex_unlock(&opts->lock);
3287                return -EBUSY;
3288        }
3289
3290        ret = strtobool(page, &stall);
3291        if (!ret) {
3292                opts->common->can_stall = stall;
3293                ret = len;
3294        }
3295
3296        mutex_unlock(&opts->lock);
3297
3298        return ret;
3299}
3300
3301CONFIGFS_ATTR(fsg_opts_, stall);
3302
3303#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3304static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page)
3305{
3306        struct fsg_opts *opts = to_fsg_opts(item);
3307        int result;
3308
3309        mutex_lock(&opts->lock);
3310        result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3311        mutex_unlock(&opts->lock);
3312
3313        return result;
3314}
3315
3316static ssize_t fsg_opts_num_buffers_store(struct config_item *item,
3317                                          const char *page, size_t len)
3318{
3319        struct fsg_opts *opts = to_fsg_opts(item);
3320        int ret;
3321        u8 num;
3322
3323        mutex_lock(&opts->lock);
3324        if (opts->refcnt) {
3325                ret = -EBUSY;
3326                goto end;
3327        }
3328        ret = kstrtou8(page, 0, &num);
3329        if (ret)
3330                goto end;
3331
3332        fsg_common_set_num_buffers(opts->common, num);
3333        ret = len;
3334
3335end:
3336        mutex_unlock(&opts->lock);
3337        return ret;
3338}
3339
3340CONFIGFS_ATTR(fsg_opts_, num_buffers);
3341#endif
3342
3343static struct configfs_attribute *fsg_attrs[] = {
3344        &fsg_opts_attr_stall,
3345#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3346        &fsg_opts_attr_num_buffers,
3347#endif
3348        NULL,
3349};
3350
3351static struct configfs_group_operations fsg_group_ops = {
3352        .make_group     = fsg_lun_make,
3353        .drop_item      = fsg_lun_drop,
3354};
3355
3356static struct config_item_type fsg_func_type = {
3357        .ct_item_ops    = &fsg_item_ops,
3358        .ct_group_ops   = &fsg_group_ops,
3359        .ct_attrs       = fsg_attrs,
3360        .ct_owner       = THIS_MODULE,
3361};
3362
3363static void fsg_free_inst(struct usb_function_instance *fi)
3364{
3365        struct fsg_opts *opts;
3366
3367        opts = fsg_opts_from_func_inst(fi);
3368        fsg_common_put(opts->common);
3369        kfree(opts);
3370}
3371
3372static struct usb_function_instance *fsg_alloc_inst(void)
3373{
3374        struct fsg_opts *opts;
3375        struct fsg_lun_config config;
3376        int rc;
3377
3378        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3379        if (!opts)
3380                return ERR_PTR(-ENOMEM);
3381        mutex_init(&opts->lock);
3382        opts->func_inst.free_func_inst = fsg_free_inst;
3383        opts->common = fsg_common_setup(opts->common);
3384        if (IS_ERR(opts->common)) {
3385                rc = PTR_ERR(opts->common);
3386                goto release_opts;
3387        }
3388
3389        rc = fsg_common_set_num_buffers(opts->common,
3390                                        CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3391        if (rc)
3392                goto release_opts;
3393
3394        pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3395
3396        memset(&config, 0, sizeof(config));
3397        config.removable = true;
3398        rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3399                        (const char **)&opts->func_inst.group.cg_item.ci_name);
3400        if (rc)
3401                goto release_buffers;
3402
3403        opts->lun0.lun = opts->common->luns[0];
3404        opts->lun0.lun_id = 0;
3405
3406        config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3407
3408        config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3409        configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group);
3410
3411        return &opts->func_inst;
3412
3413release_buffers:
3414        fsg_common_free_buffers(opts->common);
3415release_opts:
3416        kfree(opts);
3417        return ERR_PTR(rc);
3418}
3419
3420static void fsg_free(struct usb_function *f)
3421{
3422        struct fsg_dev *fsg;
3423        struct fsg_opts *opts;
3424
3425        fsg = container_of(f, struct fsg_dev, function);
3426        opts = container_of(f->fi, struct fsg_opts, func_inst);
3427
3428        mutex_lock(&opts->lock);
3429        opts->refcnt--;
3430        mutex_unlock(&opts->lock);
3431
3432        kfree(fsg);
3433}
3434
3435static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3436{
3437        struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3438        struct fsg_common *common = opts->common;
3439        struct fsg_dev *fsg;
3440
3441        fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3442        if (unlikely(!fsg))
3443                return ERR_PTR(-ENOMEM);
3444
3445        mutex_lock(&opts->lock);
3446        opts->refcnt++;
3447        mutex_unlock(&opts->lock);
3448
3449        fsg->function.name      = FSG_DRIVER_DESC;
3450        fsg->function.bind      = fsg_bind;
3451        fsg->function.unbind    = fsg_unbind;
3452        fsg->function.setup     = fsg_setup;
3453        fsg->function.set_alt   = fsg_set_alt;
3454        fsg->function.disable   = fsg_disable;
3455        fsg->function.free_func = fsg_free;
3456
3457        fsg->common               = common;
3458
3459        return &fsg->function;
3460}
3461
3462DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3463MODULE_LICENSE("GPL");
3464MODULE_AUTHOR("Michal Nazarewicz");
3465
3466/************************* Module parameters *************************/
3467
3468
3469void fsg_config_from_params(struct fsg_config *cfg,
3470                       const struct fsg_module_parameters *params,
3471                       unsigned int fsg_num_buffers)
3472{
3473        struct fsg_lun_config *lun;
3474        unsigned i;
3475
3476        /* Configure LUNs */
3477        cfg->nluns =
3478                min(params->luns ?: (params->file_count ?: 1u),
3479                    (unsigned)FSG_MAX_LUNS);
3480        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3481                lun->ro = !!params->ro[i];
3482                lun->cdrom = !!params->cdrom[i];
3483                lun->removable = !!params->removable[i];
3484                lun->filename =
3485                        params->file_count > i && params->file[i][0]
3486                        ? params->file[i]
3487                        : NULL;
3488        }
3489
3490        /* Let MSF use defaults */
3491        cfg->vendor_name = NULL;
3492        cfg->product_name = NULL;
3493
3494        cfg->ops = NULL;
3495        cfg->private_data = NULL;
3496
3497        /* Finalise */
3498        cfg->can_stall = params->stall;
3499        cfg->fsg_num_buffers = fsg_num_buffers;
3500}
3501EXPORT_SYMBOL_GPL(fsg_config_from_params);
3502