LXR linux/drivers/usb/gadget/function/f_mass

   1// SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause)
   2/*
   3 * f_mass_storage.c -- Mass Storage USB Composite Function
   4 *
   5 * Copyright (C) 2003-2008 Alan Stern
   6 * Copyright (C) 2009 Samsung Electronics
   7 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   8 * All rights reserved.
   9 *
  10 * Redistribution and use in source and binary forms, with or without
  11 * modification, are permitted provided that the following conditions
  12 * are met:
  13 * 1. Redistributions of source code must retain the above copyright
  14 *    notice, this list of conditions, and the following disclaimer,
  15 *    without modification.
  16 * 2. Redistributions in binary form must reproduce the above copyright
  17 *    notice, this list of conditions and the following disclaimer in the
  18 *    documentation and/or other materials provided with the distribution.
  19 * 3. The names of the above-listed copyright holders may not be used
  20 *    to endorse or promote products derived from this software without
  21 *    specific prior written permission.
  22 *
  23 * ALTERNATIVELY, this software may be distributed under the terms of the
  24 * GNU General Public License ("GPL") as published by the Free Software
  25 * Foundation, either version 2 of that License or (at your option) any
  26 * later version.
  27 *
  28 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  29 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  30 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  31 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  32 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  33 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  34 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  35 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  36 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  37 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  38 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  39 */
  40
  41/*
  42 * The Mass Storage Function acts as a USB Mass Storage device,
  43 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  44 * addition to providing an example of a genuinely useful composite
  45 * function for a USB device, it also illustrates a technique of
  46 * double-buffering for increased throughput.
  47 *
  48 * For more information about MSF and in particular its module
  49 * parameters and sysfs interface read the
  50 * <Documentation/usb/mass-storage.txt> file.
  51 */
  52
  53/*
  54 * MSF is configured by specifying a fsg_config structure.  It has the
  55 * following fields:
  56 *
  57 *      nluns           Number of LUNs function have (anywhere from 1
  58 *                              to FSG_MAX_LUNS).
  59 *      luns            An array of LUN configuration values.  This
  60 *                              should be filled for each LUN that
  61 *                              function will include (ie. for "nluns"
  62 *                              LUNs).  Each element of the array has
  63 *                              the following fields:
  64 *      ->filename      The path to the backing file for the LUN.
  65 *                              Required if LUN is not marked as
  66 *                              removable.
  67 *      ->ro            Flag specifying access to the LUN shall be
  68 *                              read-only.  This is implied if CD-ROM
  69 *                              emulation is enabled as well as when
  70 *                              it was impossible to open "filename"
  71 *                              in R/W mode.
  72 *      ->removable     Flag specifying that LUN shall be indicated as
  73 *                              being removable.
  74 *      ->cdrom         Flag specifying that LUN shall be reported as
  75 *                              being a CD-ROM.
  76 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  77 *                              commands for this LUN shall be ignored.
  78 *
  79 *      vendor_name
  80 *      product_name
  81 *      release         Information used as a reply to INQUIRY
  82 *                              request.  To use default set to NULL,
  83 *                              NULL, 0xffff respectively.  The first
  84 *                              field should be 8 and the second 16
  85 *                              characters or less.
  86 *
  87 *      can_stall       Set to permit function to halt bulk endpoints.
  88 *                              Disabled on some USB devices known not
  89 *                              to work correctly.  You should set it
  90 *                              to true.
  91 *
  92 * If "removable" is not set for a LUN then a backing file must be
  93 * specified.  If it is set, then NULL filename means the LUN's medium
  94 * is not loaded (an empty string as "filename" in the fsg_config
  95 * structure causes error).  The CD-ROM emulation includes a single
  96 * data track and no audio tracks; hence there need be only one
  97 * backing file per LUN.
  98 *
  99 * This function is heavily based on "File-backed Storage Gadget" by
 100 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 101 * Brownell.  The driver's SCSI command interface was based on the
 102 * "Information technology - Small Computer System Interface - 2"
 103 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 104 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 105 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 106 * was based on the "Universal Serial Bus Mass Storage Class UFI
 107 * Command Specification" document, Revision 1.0, December 14, 1998,
 108 * available at
 109 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 110 */
 111
 112/*
 113 *                              Driver Design
 114 *
 115 * The MSF is fairly straightforward.  There is a main kernel
 116 * thread that handles most of the work.  Interrupt routines field
 117 * callbacks from the controller driver: bulk- and interrupt-request
 118 * completion notifications, endpoint-0 events, and disconnect events.
 119 * Completion events are passed to the main thread by wakeup calls.  Many
 120 * ep0 requests are handled at interrupt time, but SetInterface,
 121 * SetConfiguration, and device reset requests are forwarded to the
 122 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 123 * should interrupt any ongoing file I/O operations).
 124 *
 125 * The thread's main routine implements the standard command/data/status
 126 * parts of a SCSI interaction.  It and its subroutines are full of tests
 127 * for pending signals/exceptions -- all this polling is necessary since
 128 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 129 * indication that the driver really wants to be running in userspace.)
 130 * An important point is that so long as the thread is alive it keeps an
 131 * open reference to the backing file.  This will prevent unmounting
 132 * the backing file's underlying filesystem and could cause problems
 133 * during system shutdown, for example.  To prevent such problems, the
 134 * thread catches INT, TERM, and KILL signals and converts them into
 135 * an EXIT exception.
 136 *
 137 * In normal operation the main thread is started during the gadget's
 138 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 139 * also exit when it receives a signal, and there's no point leaving
 140 * the gadget running when the thread is dead.  As of this moment, MSF
 141 * provides no way to deregister the gadget when thread dies -- maybe
 142 * a callback functions is needed.
 143 *
 144 * To provide maximum throughput, the driver uses a circular pipeline of
 145 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 146 * arbitrarily long; in practice the benefits don't justify having more
 147 * than 2 stages (i.e., double buffering).  But it helps to think of the
 148 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 149 * a bulk-out request pointer (since the buffer can be used for both
 150 * output and input -- directions always are given from the host's
 151 * point of view) as well as a pointer to the buffer and various state
 152 * variables.
 153 *
 154 * Use of the pipeline follows a simple protocol.  There is a variable
 155 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 156 * At any time that buffer head may still be in use from an earlier
 157 * request, so each buffer head has a state variable indicating whether
 158 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 159 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 160 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 161 * head FULL when the I/O is complete.  Then the buffer will be emptied
 162 * (again possibly by USB I/O, during which it is marked BUSY) and
 163 * finally marked EMPTY again (possibly by a completion routine).
 164 *
 165 * A module parameter tells the driver to avoid stalling the bulk
 166 * endpoints wherever the transport specification allows.  This is
 167 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 168 * halt on a bulk endpoint.  However, under certain circumstances the
 169 * Bulk-only specification requires a stall.  In such cases the driver
 170 * will halt the endpoint and set a flag indicating that it should clear
 171 * the halt in software during the next device reset.  Hopefully this
 172 * will permit everything to work correctly.  Furthermore, although the
 173 * specification allows the bulk-out endpoint to halt when the host sends
 174 * too much data, implementing this would cause an unavoidable race.
 175 * The driver will always use the "no-stall" approach for OUT transfers.
 176 *
 177 * One subtle point concerns sending status-stage responses for ep0
 178 * requests.  Some of these requests, such as device reset, can involve
 179 * interrupting an ongoing file I/O operation, which might take an
 180 * arbitrarily long time.  During that delay the host might give up on
 181 * the original ep0 request and issue a new one.  When that happens the
 182 * driver should not notify the host about completion of the original
 183 * request, as the host will no longer be waiting for it.  So the driver
 184 * assigns to each ep0 request a unique tag, and it keeps track of the
 185 * tag value of the request associated with a long-running exception
 186 * (device-reset, interface-change, or configuration-change).  When the
 187 * exception handler is finished, the status-stage response is submitted
 188 * only if the current ep0 request tag is equal to the exception request
 189 * tag.  Thus only the most recently received ep0 request will get a
 190 * status-stage response.
 191 *
 192 * Warning: This driver source file is too long.  It ought to be split up
 193 * into a header file plus about 3 separate .c files, to handle the details
 194 * of the Gadget, USB Mass Storage, and SCSI protocols.
 195 */
 196
 197
 198/* #define VERBOSE_DEBUG */
 199/* #define DUMP_MSGS */
 200
 201#include <linux/blkdev.h>
 202#include <linux/completion.h>
 203#include <linux/dcache.h>
 204#include <linux/delay.h>
 205#include <linux/device.h>
 206#include <linux/fcntl.h>
 207#include <linux/file.h>
 208#include <linux/fs.h>
 209#include <linux/kref.h>
 210#include <linux/kthread.h>
 211#include <linux/sched/signal.h>
 212#include <linux/limits.h>
 213#include <linux/rwsem.h>
 214#include <linux/slab.h>
 215#include <linux/spinlock.h>
 216#include <linux/string.h>
 217#include <linux/freezer.h>
 218#include <linux/module.h>
 219#include <linux/uaccess.h>
 220
 221#include <linux/usb/ch9.h>
 222#include <linux/usb/gadget.h>
 223#include <linux/usb/composite.h>
 224
 225#include "configfs.h"
 226
 227
 228/*------------------------------------------------------------------------*/
 229
 230#define FSG_DRIVER_DESC         "Mass Storage Function"
 231#define FSG_DRIVER_VERSION      "2009/09/11"
 232
 233static const char fsg_string_interface[] = "Mass Storage";
 234
 235#include "storage_common.h"
 236#include "f_mass_storage.h"
 237
 238/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 239static struct usb_string                fsg_strings[] = {
 240        {FSG_STRING_INTERFACE,          fsg_string_interface},
 241        {}
 242};
 243
 244static struct usb_gadget_strings        fsg_stringtab = {
 245        .language       = 0x0409,               /* en-us */
 246        .strings        = fsg_strings,
 247};
 248
 249static struct usb_gadget_strings *fsg_strings_array[] = {
 250        &fsg_stringtab,
 251        NULL,
 252};
 253
 254/*-------------------------------------------------------------------------*/
 255
 256struct fsg_dev;
 257struct fsg_common;
 258
 259/* Data shared by all the FSG instances. */
 260struct fsg_common {
 261        struct usb_gadget       *gadget;
 262        struct usb_composite_dev *cdev;
 263        struct fsg_dev          *fsg, *new_fsg;
 264        wait_queue_head_t       io_wait;
 265        wait_queue_head_t       fsg_wait;
 266
 267        /* filesem protects: backing files in use */
 268        struct rw_semaphore     filesem;
 269
 270        /* lock protects: state and thread_task */
 271        spinlock_t              lock;
 272
 273        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 274        struct usb_request      *ep0req;        /* Copy of cdev->req */
 275        unsigned int            ep0_req_tag;
 276
 277        struct fsg_buffhd       *next_buffhd_to_fill;
 278        struct fsg_buffhd       *next_buffhd_to_drain;
 279        struct fsg_buffhd       *buffhds;
 280        unsigned int            fsg_num_buffers;
 281
 282        int                     cmnd_size;
 283        u8                      cmnd[MAX_COMMAND_SIZE];
 284
 285        unsigned int            lun;
 286        struct fsg_lun          *luns[FSG_MAX_LUNS];
 287        struct fsg_lun          *curlun;
 288
 289        unsigned int            bulk_out_maxpacket;
 290        enum fsg_state          state;          /* For exception handling */
 291        unsigned int            exception_req_tag;
 292
 293        enum data_direction     data_dir;
 294        u32                     data_size;
 295        u32                     data_size_from_cmnd;
 296        u32                     tag;
 297        u32                     residue;
 298        u32                     usb_amount_left;
 299
 300        unsigned int            can_stall:1;
 301        unsigned int            free_storage_on_release:1;
 302        unsigned int            phase_error:1;
 303        unsigned int            short_packet_received:1;
 304        unsigned int            bad_lun_okay:1;
 305        unsigned int            running:1;
 306        unsigned int            sysfs:1;
 307
 308        struct completion       thread_notifier;
 309        struct task_struct      *thread_task;
 310
 311        /* Gadget's private data. */
 312        void                    *private_data;
 313
 314        char inquiry_string[INQUIRY_STRING_LEN];
 315
 316        struct kref             ref;
 317};
 318
 319struct fsg_dev {
 320        struct usb_function     function;
 321        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 322        struct fsg_common       *common;
 323
 324        u16                     interface_number;
 325
 326        unsigned int            bulk_in_enabled:1;
 327        unsigned int            bulk_out_enabled:1;
 328
 329        unsigned long           atomic_bitflags;
 330#define IGNORE_BULK_OUT         0
 331
 332        struct usb_ep           *bulk_in;
 333        struct usb_ep           *bulk_out;
 334};
 335
 336static inline int __fsg_is_set(struct fsg_common *common,
 337                               const char *func, unsigned line)
 338{
 339        if (common->fsg)
 340                return 1;
 341        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 342        WARN_ON(1);
 343        return 0;
 344}
 345
 346#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 347
 348static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 349{
 350        return container_of(f, struct fsg_dev, function);
 351}
 352
 353typedef void (*fsg_routine_t)(struct fsg_dev *);
 354
 355static int exception_in_progress(struct fsg_common *common)
 356{
 357        return common->state > FSG_STATE_NORMAL;
 358}
 359
 360/* Make bulk-out requests be divisible by the maxpacket size */
 361static void set_bulk_out_req_length(struct fsg_common *common,
 362                                    struct fsg_buffhd *bh, unsigned int length)
 363{
 364        unsigned int    rem;
 365
 366        bh->bulk_out_intended_length = length;
 367        rem = length % common->bulk_out_maxpacket;
 368        if (rem > 0)
 369                length += common->bulk_out_maxpacket - rem;
 370        bh->outreq->length = length;
 371}
 372
 373
 374/*-------------------------------------------------------------------------*/
 375
 376static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 377{
 378        const char      *name;
 379
 380        if (ep == fsg->bulk_in)
 381                name = "bulk-in";
 382        else if (ep == fsg->bulk_out)
 383                name = "bulk-out";
 384        else
 385                name = ep->name;
 386        DBG(fsg, "%s set halt\n", name);
 387        return usb_ep_set_halt(ep);
 388}
 389
 390
 391/*-------------------------------------------------------------------------*/
 392
 393/* These routines may be called in process context or in_irq */
 394
 395static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 396{
 397        unsigned long           flags;
 398
 399        /*
 400         * Do nothing if a higher-priority exception is already in progress.
 401         * If a lower-or-equal priority exception is in progress, preempt it
 402         * and notify the main thread by sending it a signal.
 403         */
 404        spin_lock_irqsave(&common->lock, flags);
 405        if (common->state <= new_state) {
 406                common->exception_req_tag = common->ep0_req_tag;
 407                common->state = new_state;
 408                if (common->thread_task)
 409                        send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 410                                      common->thread_task);
 411        }
 412        spin_unlock_irqrestore(&common->lock, flags);
 413}
 414
 415
 416/*-------------------------------------------------------------------------*/
 417
 418static int ep0_queue(struct fsg_common *common)
 419{
 420        int     rc;
 421
 422        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 423        common->ep0->driver_data = common;
 424        if (rc != 0 && rc != -ESHUTDOWN) {
 425                /* We can't do much more than wait for a reset */
 426                WARNING(common, "error in submission: %s --> %d\n",
 427                        common->ep0->name, rc);
 428        }
 429        return rc;
 430}
 431
 432
 433/*-------------------------------------------------------------------------*/
 434
 435/* Completion handlers. These always run in_irq. */
 436
 437static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 438{
 439        struct fsg_common       *common = ep->driver_data;
 440        struct fsg_buffhd       *bh = req->context;
 441
 442        if (req->status || req->actual != req->length)
 443                DBG(common, "%s --> %d, %u/%u\n", __func__,
 444                    req->status, req->actual, req->length);
 445        if (req->status == -ECONNRESET)         /* Request was cancelled */
 446                usb_ep_fifo_flush(ep);
 447
 448        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 449        smp_store_release(&bh->state, BUF_STATE_EMPTY);
 450        wake_up(&common->io_wait);
 451}
 452
 453static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 454{
 455        struct fsg_common       *common = ep->driver_data;
 456        struct fsg_buffhd       *bh = req->context;
 457
 458        dump_msg(common, "bulk-out", req->buf, req->actual);
 459        if (req->status || req->actual != bh->bulk_out_intended_length)
 460                DBG(common, "%s --> %d, %u/%u\n", __func__,
 461                    req->status, req->actual, bh->bulk_out_intended_length);
 462        if (req->status == -ECONNRESET)         /* Request was cancelled */
 463                usb_ep_fifo_flush(ep);
 464
 465        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 466        smp_store_release(&bh->state, BUF_STATE_FULL);
 467        wake_up(&common->io_wait);
 468}
 469
 470static int _fsg_common_get_max_lun(struct fsg_common *common)
 471{
 472        int i = ARRAY_SIZE(common->luns) - 1;
 473
 474        while (i >= 0 && !common->luns[i])
 475                --i;
 476
 477        return i;
 478}
 479
 480static int fsg_setup(struct usb_function *f,
 481                     const struct usb_ctrlrequest *ctrl)
 482{
 483        struct fsg_dev          *fsg = fsg_from_func(f);
 484        struct usb_request      *req = fsg->common->ep0req;
 485        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 486        u16                     w_value = le16_to_cpu(ctrl->wValue);
 487        u16                     w_length = le16_to_cpu(ctrl->wLength);
 488
 489        if (!fsg_is_set(fsg->common))
 490                return -EOPNOTSUPP;
 491
 492        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 493        req->context = NULL;
 494        req->length = 0;
 495        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 496
 497        switch (ctrl->bRequest) {
 498
 499        case US_BULK_RESET_REQUEST:
 500                if (ctrl->bRequestType !=
 501                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 502                        break;
 503                if (w_index != fsg->interface_number || w_value != 0 ||
 504                                w_length != 0)
 505                        return -EDOM;
 506
 507                /*
 508                 * Raise an exception to stop the current operation
 509                 * and reinitialize our state.
 510                 */
 511                DBG(fsg, "bulk reset request\n");
 512                raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET);
 513                return USB_GADGET_DELAYED_STATUS;
 514
 515        case US_BULK_GET_MAX_LUN:
 516                if (ctrl->bRequestType !=
 517                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 518                        break;
 519                if (w_index != fsg->interface_number || w_value != 0 ||
 520                                w_length != 1)
 521                        return -EDOM;
 522                VDBG(fsg, "get max LUN\n");
 523                *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
 524
 525                /* Respond with data/status */
 526                req->length = min((u16)1, w_length);
 527                return ep0_queue(fsg->common);
 528        }
 529
 530        VDBG(fsg,
 531             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 532             ctrl->bRequestType, ctrl->bRequest,
 533             le16_to_cpu(ctrl->wValue), w_index, w_length);
 534        return -EOPNOTSUPP;
 535}
 536
 537
 538/*-------------------------------------------------------------------------*/
 539
 540/* All the following routines run in process context */
 541
 542/* Use this for bulk or interrupt transfers, not ep0 */
 543static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 544                           struct usb_request *req)
 545{
 546        int     rc;
 547
 548        if (ep == fsg->bulk_in)
 549                dump_msg(fsg, "bulk-in", req->buf, req->length);
 550
 551        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 552        if (rc) {
 553
 554                /* We can't do much more than wait for a reset */
 555                req->status = rc;
 556
 557                /*
 558                 * Note: currently the net2280 driver fails zero-length
 559                 * submissions if DMA is enabled.
 560                 */
 561                if (rc != -ESHUTDOWN &&
 562                                !(rc == -EOPNOTSUPP && req->length == 0))
 563                        WARNING(fsg, "error in submission: %s --> %d\n",
 564                                        ep->name, rc);
 565        }
 566        return rc;
 567}
 568
 569static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 570{
 571        if (!fsg_is_set(common))
 572                return false;
 573        bh->state = BUF_STATE_SENDING;
 574        if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
 575                bh->state = BUF_STATE_EMPTY;
 576        return true;
 577}
 578
 579static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 580{
 581        if (!fsg_is_set(common))
 582                return false;
 583        bh->state = BUF_STATE_RECEIVING;
 584        if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
 585                bh->state = BUF_STATE_FULL;
 586        return true;
 587}
 588
 589static int sleep_thread(struct fsg_common *common, bool can_freeze,
 590                struct fsg_buffhd *bh)
 591{
 592        int     rc;
 593
 594        /* Wait until a signal arrives or bh is no longer busy */
 595        if (can_freeze)
 596                /*
 597                 * synchronize with the smp_store_release(&bh->state) in
 598                 * bulk_in_complete() or bulk_out_complete()
 599                 */
 600                rc = wait_event_freezable(common->io_wait,
 601                                bh && smp_load_acquire(&bh->state) >=
 602                                        BUF_STATE_EMPTY);
 603        else
 604                rc = wait_event_interruptible(common->io_wait,
 605                                bh && smp_load_acquire(&bh->state) >=
 606                                        BUF_STATE_EMPTY);
 607        return rc ? -EINTR : 0;
 608}
 609
 610
 611/*-------------------------------------------------------------------------*/
 612
 613static int do_read(struct fsg_common *common)
 614{
 615        struct fsg_lun          *curlun = common->curlun;
 616        u32                     lba;
 617        struct fsg_buffhd       *bh;
 618        int                     rc;
 619        u32                     amount_left;
 620        loff_t                  file_offset, file_offset_tmp;
 621        unsigned int            amount;
 622        ssize_t                 nread;
 623
 624        /*
 625         * Get the starting Logical Block Address and check that it's
 626         * not too big.
 627         */
 628        if (common->cmnd[0] == READ_6)
 629                lba = get_unaligned_be24(&common->cmnd[1]);
 630        else {
 631                lba = get_unaligned_be32(&common->cmnd[2]);
 632
 633                /*
 634                 * We allow DPO (Disable Page Out = don't save data in the
 635                 * cache) and FUA (Force Unit Access = don't read from the
 636                 * cache), but we don't implement them.
 637                 */
 638                if ((common->cmnd[1] & ~0x18) != 0) {
 639                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 640                        return -EINVAL;
 641                }
 642        }
 643        if (lba >= curlun->num_sectors) {
 644                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 645                return -EINVAL;
 646        }
 647        file_offset = ((loff_t) lba) << curlun->blkbits;
 648
 649        /* Carry out the file reads */
 650        amount_left = common->data_size_from_cmnd;
 651        if (unlikely(amount_left == 0))
 652                return -EIO;            /* No default reply */
 653
 654        for (;;) {
 655                /*
 656                 * Figure out how much we need to read:
 657                 * Try to read the remaining amount.
 658                 * But don't read more than the buffer size.
 659                 * And don't try to read past the end of the file.
 660                 */
 661                amount = min(amount_left, FSG_BUFLEN);
 662                amount = min((loff_t)amount,
 663                             curlun->file_length - file_offset);
 664
 665                /* Wait for the next buffer to become available */
 666                bh = common->next_buffhd_to_fill;
 667                rc = sleep_thread(common, false, bh);
 668                if (rc)
 669                        return rc;
 670
 671                /*
 672                 * If we were asked to read past the end of file,
 673                 * end with an empty buffer.
 674                 */
 675                if (amount == 0) {
 676                        curlun->sense_data =
 677                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 678                        curlun->sense_data_info =
 679                                        file_offset >> curlun->blkbits;
 680                        curlun->info_valid = 1;
 681                        bh->inreq->length = 0;
 682                        bh->state = BUF_STATE_FULL;
 683                        break;
 684                }
 685
 686                /* Perform the read */
 687                file_offset_tmp = file_offset;
 688                nread = kernel_read(curlun->filp, bh->buf, amount,
 689                                &file_offset_tmp);
 690                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 691                      (unsigned long long)file_offset, (int)nread);
 692                if (signal_pending(current))
 693                        return -EINTR;
 694
 695                if (nread < 0) {
 696                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 697                        nread = 0;
 698                } else if (nread < amount) {
 699                        LDBG(curlun, "partial file read: %d/%u\n",
 700                             (int)nread, amount);
 701                        nread = round_down(nread, curlun->blksize);
 702                }
 703                file_offset  += nread;
 704                amount_left  -= nread;
 705                common->residue -= nread;
 706
 707                /*
 708                 * Except at the end of the transfer, nread will be
 709                 * equal to the buffer size, which is divisible by the
 710                 * bulk-in maxpacket size.
 711                 */
 712                bh->inreq->length = nread;
 713                bh->state = BUF_STATE_FULL;
 714
 715                /* If an error occurred, report it and its position */
 716                if (nread < amount) {
 717                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 718                        curlun->sense_data_info =
 719                                        file_offset >> curlun->blkbits;
 720                        curlun->info_valid = 1;
 721                        break;
 722                }
 723
 724                if (amount_left == 0)
 725                        break;          /* No more left to read */
 726
 727                /* Send this buffer and go read some more */
 728                bh->inreq->zero = 0;
 729                if (!start_in_transfer(common, bh))
 730                        /* Don't know what to do if common->fsg is NULL */
 731                        return -EIO;
 732                common->next_buffhd_to_fill = bh->next;
 733        }
 734
 735        return -EIO;            /* No default reply */
 736}
 737
 738
 739/*-------------------------------------------------------------------------*/
 740
 741static int do_write(struct fsg_common *common)
 742{
 743        struct fsg_lun          *curlun = common->curlun;
 744        u32                     lba;
 745        struct fsg_buffhd       *bh;
 746        int                     get_some_more;
 747        u32                     amount_left_to_req, amount_left_to_write;
 748        loff_t                  usb_offset, file_offset, file_offset_tmp;
 749        unsigned int            amount;
 750        ssize_t                 nwritten;
 751        int                     rc;
 752
 753        if (curlun->ro) {
 754                curlun->sense_data = SS_WRITE_PROTECTED;
 755                return -EINVAL;
 756        }
 757        spin_lock(&curlun->filp->f_lock);
 758        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 759        spin_unlock(&curlun->filp->f_lock);
 760
 761        /*
 762         * Get the starting Logical Block Address and check that it's
 763         * not too big
 764         */
 765        if (common->cmnd[0] == WRITE_6)
 766                lba = get_unaligned_be24(&common->cmnd[1]);
 767        else {
 768                lba = get_unaligned_be32(&common->cmnd[2]);
 769
 770                /*
 771                 * We allow DPO (Disable Page Out = don't save data in the
 772                 * cache) and FUA (Force Unit Access = write directly to the
 773                 * medium).  We don't implement DPO; we implement FUA by
 774                 * performing synchronous output.
 775                 */
 776                if (common->cmnd[1] & ~0x18) {
 777                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 778                        return -EINVAL;
 779                }
 780                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 781                        spin_lock(&curlun->filp->f_lock);
 782                        curlun->filp->f_flags |= O_SYNC;
 783                        spin_unlock(&curlun->filp->f_lock);
 784                }
 785        }
 786        if (lba >= curlun->num_sectors) {
 787                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 788                return -EINVAL;
 789        }
 790
 791        /* Carry out the file writes */
 792        get_some_more = 1;
 793        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 794        amount_left_to_req = common->data_size_from_cmnd;
 795        amount_left_to_write = common->data_size_from_cmnd;
 796
 797        while (amount_left_to_write > 0) {
 798
 799                /* Queue a request for more data from the host */
 800                bh = common->next_buffhd_to_fill;
 801                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 802
 803                        /*
 804                         * Figure out how much we want to get:
 805                         * Try to get the remaining amount,
 806                         * but not more than the buffer size.
 807                         */
 808                        amount = min(amount_left_to_req, FSG_BUFLEN);
 809
 810                        /* Beyond the end of the backing file? */
 811                        if (usb_offset >= curlun->file_length) {
 812                                get_some_more = 0;
 813                                curlun->sense_data =
 814                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 815                                curlun->sense_data_info =
 816                                        usb_offset >> curlun->blkbits;
 817                                curlun->info_valid = 1;
 818                                continue;
 819                        }
 820
 821                        /* Get the next buffer */
 822                        usb_offset += amount;
 823                        common->usb_amount_left -= amount;
 824                        amount_left_to_req -= amount;
 825                        if (amount_left_to_req == 0)
 826                                get_some_more = 0;
 827
 828                        /*
 829                         * Except at the end of the transfer, amount will be
 830                         * equal to the buffer size, which is divisible by
 831                         * the bulk-out maxpacket size.
 832                         */
 833                        set_bulk_out_req_length(common, bh, amount);
 834                        if (!start_out_transfer(common, bh))
 835                                /* Dunno what to do if common->fsg is NULL */
 836                                return -EIO;
 837                        common->next_buffhd_to_fill = bh->next;
 838                        continue;
 839                }
 840
 841                /* Write the received data to the backing file */
 842                bh = common->next_buffhd_to_drain;
 843                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 844                        break;                  /* We stopped early */
 845
 846                /* Wait for the data to be received */
 847                rc = sleep_thread(common, false, bh);
 848                if (rc)
 849                        return rc;
 850
 851                common->next_buffhd_to_drain = bh->next;
 852                bh->state = BUF_STATE_EMPTY;
 853
 854                /* Did something go wrong with the transfer? */
 855                if (bh->outreq->status != 0) {
 856                        curlun->sense_data = SS_COMMUNICATION_FAILURE;
 857                        curlun->sense_data_info =
 858                                        file_offset >> curlun->blkbits;
 859                        curlun->info_valid = 1;
 860                        break;
 861                }
 862
 863                amount = bh->outreq->actual;
 864                if (curlun->file_length - file_offset < amount) {
 865                        LERROR(curlun, "write %u @ %llu beyond end %llu\n",
 866                                       amount, (unsigned long long)file_offset,
 867                                       (unsigned long long)curlun->file_length);
 868                        amount = curlun->file_length - file_offset;
 869                }
 870
 871                /*
 872                 * Don't accept excess data.  The spec doesn't say
 873                 * what to do in this case.  We'll ignore the error.
 874                 */
 875                amount = min(amount, bh->bulk_out_intended_length);
 876
 877                /* Don't write a partial block */
 878                amount = round_down(amount, curlun->blksize);
 879                if (amount == 0)
 880                        goto empty_write;
 881
 882                /* Perform the write */
 883                file_offset_tmp = file_offset;
 884                nwritten = kernel_write(curlun->filp, bh->buf, amount,
 885                                &file_offset_tmp);
 886                VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 887                                (unsigned long long)file_offset, (int)nwritten);
 888                if (signal_pending(current))
 889                        return -EINTR;          /* Interrupted! */
 890
 891                if (nwritten < 0) {
 892                        LDBG(curlun, "error in file write: %d\n",
 893                                        (int) nwritten);
 894                        nwritten = 0;
 895                } else if (nwritten < amount) {
 896                        LDBG(curlun, "partial file write: %d/%u\n",
 897                                        (int) nwritten, amount);
 898                        nwritten = round_down(nwritten, curlun->blksize);
 899                }
 900                file_offset += nwritten;
 901                amount_left_to_write -= nwritten;
 902                common->residue -= nwritten;
 903
 904                /* If an error occurred, report it and its position */
 905                if (nwritten < amount) {
 906                        curlun->sense_data = SS_WRITE_ERROR;
 907                        curlun->sense_data_info =
 908                                        file_offset >> curlun->blkbits;
 909                        curlun->info_valid = 1;
 910                        break;
 911                }
 912
 913 empty_write:
 914                /* Did the host decide to stop early? */
 915                if (bh->outreq->actual < bh->bulk_out_intended_length) {
 916                        common->short_packet_received = 1;
 917                        break;
 918                }
 919        }
 920
 921        return -EIO;            /* No default reply */
 922}
 923
 924
 925/*-------------------------------------------------------------------------*/
 926
 927static int do_synchronize_cache(struct fsg_common *common)
 928{
 929        struct fsg_lun  *curlun = common->curlun;
 930        int             rc;
 931
 932        /* We ignore the requested LBA and write out all file's
 933         * dirty data buffers. */
 934        rc = fsg_lun_fsync_sub(curlun);
 935        if (rc)
 936                curlun->sense_data = SS_WRITE_ERROR;
 937        return 0;
 938}
 939
 940
 941/*-------------------------------------------------------------------------*/
 942
 943static void invalidate_sub(struct fsg_lun *curlun)
 944{
 945        struct file     *filp = curlun->filp;
 946        struct inode    *inode = file_inode(filp);
 947        unsigned long   rc;
 948
 949        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 950        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 951}
 952
 953static int do_verify(struct fsg_common *common)
 954{
 955        struct fsg_lun          *curlun = common->curlun;
 956        u32                     lba;
 957        u32                     verification_length;
 958        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 959        loff_t                  file_offset, file_offset_tmp;
 960        u32                     amount_left;
 961        unsigned int            amount;
 962        ssize_t                 nread;
 963
 964        /*
 965         * Get the starting Logical Block Address and check that it's
 966         * not too big.
 967         */
 968        lba = get_unaligned_be32(&common->cmnd[2]);
 969        if (lba >= curlun->num_sectors) {
 970                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 971                return -EINVAL;
 972        }
 973
 974        /*
 975         * We allow DPO (Disable Page Out = don't save data in the
 976         * cache) but we don't implement it.
 977         */
 978        if (common->cmnd[1] & ~0x10) {
 979                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 980                return -EINVAL;
 981        }
 982
 983        verification_length = get_unaligned_be16(&common->cmnd[7]);
 984        if (unlikely(verification_length == 0))
 985                return -EIO;            /* No default reply */
 986
 987        /* Prepare to carry out the file verify */
 988        amount_left = verification_length << curlun->blkbits;
 989        file_offset = ((loff_t) lba) << curlun->blkbits;
 990
 991        /* Write out all the dirty buffers before invalidating them */
 992        fsg_lun_fsync_sub(curlun);
 993        if (signal_pending(current))
 994                return -EINTR;
 995
 996        invalidate_sub(curlun);
 997        if (signal_pending(current))
 998                return -EINTR;
 999
1000        /* Just try to read the requested blocks */

1001        while (amount_left > 0) {
1002                /*
1003                 * Figure out how much we need to read:
1004                 * Try to read the remaining amount, but not more than
1005                 * the buffer size.
1006                 * And don't try to read past the end of the file.
1007                 */
1008                amount = min(amount_left, FSG_BUFLEN);
1009                amount = min((loff_t)amount,
1010                             curlun->file_length - file_offset);
1011                if (amount == 0) {
1012                        curlun->sense_data =
1013                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1014                        curlun->sense_data_info =
1015                                file_offset >> curlun->blkbits;
1016                        curlun->info_valid = 1;
1017                        break;
1018                }
1019
1020                /* Perform the read */
1021                file_offset_tmp = file_offset;
1022                nread = kernel_read(curlun->filp, bh->buf, amount,
1023                                &file_offset_tmp);
1024                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1025                                (unsigned long long) file_offset,
1026                                (int) nread);
1027                if (signal_pending(current))
1028                        return -EINTR;
1029
1030                if (nread < 0) {
1031                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1032                        nread = 0;
1033                } else if (nread < amount) {
1034                        LDBG(curlun, "partial file verify: %d/%u\n",
1035                             (int)nread, amount);
1036                        nread = round_down(nread, curlun->blksize);
1037                }
1038                if (nread == 0) {
1039                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1040                        curlun->sense_data_info =
1041                                file_offset >> curlun->blkbits;
1042                        curlun->info_valid = 1;
1043                        break;
1044                }
1045                file_offset += nread;
1046                amount_left -= nread;
1047        }
1048        return 0;
1049}
1050
1051
1052/*-------------------------------------------------------------------------*/
1053
1054static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1055{
1056        struct fsg_lun *curlun = common->curlun;
1057        u8      *buf = (u8 *) bh->buf;
1058
1059        if (!curlun) {          /* Unsupported LUNs are okay */
1060                common->bad_lun_okay = 1;
1061                memset(buf, 0, 36);
1062                buf[0] = TYPE_NO_LUN;   /* Unsupported, no device-type */
1063                buf[4] = 31;            /* Additional length */
1064                return 36;
1065        }
1066
1067        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1068        buf[1] = curlun->removable ? 0x80 : 0;
1069        buf[2] = 2;             /* ANSI SCSI level 2 */
1070        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1071        buf[4] = 31;            /* Additional length */
1072        buf[5] = 0;             /* No special options */
1073        buf[6] = 0;
1074        buf[7] = 0;
1075        if (curlun->inquiry_string[0])
1076                memcpy(buf + 8, curlun->inquiry_string,
1077                       sizeof(curlun->inquiry_string));
1078        else
1079                memcpy(buf + 8, common->inquiry_string,
1080                       sizeof(common->inquiry_string));
1081        return 36;
1082}
1083
1084static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1085{
1086        struct fsg_lun  *curlun = common->curlun;
1087        u8              *buf = (u8 *) bh->buf;
1088        u32             sd, sdinfo;
1089        int             valid;
1090
1091        /*
1092         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1093         *
1094         * If a REQUEST SENSE command is received from an initiator
1095         * with a pending unit attention condition (before the target
1096         * generates the contingent allegiance condition), then the
1097         * target shall either:
1098         *   a) report any pending sense data and preserve the unit
1099         *      attention condition on the logical unit, or,
1100         *   b) report the unit attention condition, may discard any
1101         *      pending sense data, and clear the unit attention
1102         *      condition on the logical unit for that initiator.
1103         *
1104         * FSG normally uses option a); enable this code to use option b).
1105         */
1106#if 0
1107        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1108                curlun->sense_data = curlun->unit_attention_data;
1109                curlun->unit_attention_data = SS_NO_SENSE;
1110        }
1111#endif
1112
1113        if (!curlun) {          /* Unsupported LUNs are okay */
1114                common->bad_lun_okay = 1;
1115                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1116                sdinfo = 0;
1117                valid = 0;
1118        } else {
1119                sd = curlun->sense_data;
1120                sdinfo = curlun->sense_data_info;
1121                valid = curlun->info_valid << 7;
1122                curlun->sense_data = SS_NO_SENSE;
1123                curlun->sense_data_info = 0;
1124                curlun->info_valid = 0;
1125        }
1126
1127        memset(buf, 0, 18);
1128        buf[0] = valid | 0x70;                  /* Valid, current error */
1129        buf[2] = SK(sd);
1130        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1131        buf[7] = 18 - 8;                        /* Additional sense length */
1132        buf[12] = ASC(sd);
1133        buf[13] = ASCQ(sd);
1134        return 18;
1135}
1136
1137static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1138{
1139        struct fsg_lun  *curlun = common->curlun;
1140        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1141        int             pmi = common->cmnd[8];
1142        u8              *buf = (u8 *)bh->buf;
1143
1144        /* Check the PMI and LBA fields */
1145        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1146                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1147                return -EINVAL;
1148        }
1149
1150        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1151                                                /* Max logical block */
1152        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1153        return 8;
1154}
1155
1156static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1157{
1158        struct fsg_lun  *curlun = common->curlun;
1159        int             msf = common->cmnd[1] & 0x02;
1160        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1161        u8              *buf = (u8 *)bh->buf;
1162
1163        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1164                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1165                return -EINVAL;
1166        }
1167        if (lba >= curlun->num_sectors) {
1168                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1169                return -EINVAL;
1170        }
1171
1172        memset(buf, 0, 8);
1173        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1174        store_cdrom_address(&buf[4], msf, lba);
1175        return 8;
1176}
1177
1178static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1179{
1180        struct fsg_lun  *curlun = common->curlun;
1181        int             msf = common->cmnd[1] & 0x02;
1182        int             start_track = common->cmnd[6];
1183        u8              *buf = (u8 *)bh->buf;
1184
1185        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1186                        start_track > 1) {
1187                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1188                return -EINVAL;
1189        }
1190
1191        memset(buf, 0, 20);
1192        buf[1] = (20-2);                /* TOC data length */
1193        buf[2] = 1;                     /* First track number */
1194        buf[3] = 1;                     /* Last track number */
1195        buf[5] = 0x16;                  /* Data track, copying allowed */
1196        buf[6] = 0x01;                  /* Only track is number 1 */
1197        store_cdrom_address(&buf[8], msf, 0);
1198
1199        buf[13] = 0x16;                 /* Lead-out track is data */
1200        buf[14] = 0xAA;                 /* Lead-out track number */
1201        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1202        return 20;
1203}
1204
1205static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1206{
1207        struct fsg_lun  *curlun = common->curlun;
1208        int             mscmnd = common->cmnd[0];
1209        u8              *buf = (u8 *) bh->buf;
1210        u8              *buf0 = buf;
1211        int             pc, page_code;
1212        int             changeable_values, all_pages;
1213        int             valid_page = 0;
1214        int             len, limit;
1215
1216        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1217                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1218                return -EINVAL;
1219        }
1220        pc = common->cmnd[2] >> 6;
1221        page_code = common->cmnd[2] & 0x3f;
1222        if (pc == 3) {
1223                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1224                return -EINVAL;
1225        }
1226        changeable_values = (pc == 1);
1227        all_pages = (page_code == 0x3f);
1228
1229        /*
1230         * Write the mode parameter header.  Fixed values are: default
1231         * medium type, no cache control (DPOFUA), and no block descriptors.
1232         * The only variable value is the WriteProtect bit.  We will fill in
1233         * the mode data length later.
1234         */
1235        memset(buf, 0, 8);
1236        if (mscmnd == MODE_SENSE) {
1237                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1238                buf += 4;
1239                limit = 255;
1240        } else {                        /* MODE_SENSE_10 */
1241                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1242                buf += 8;
1243                limit = 65535;          /* Should really be FSG_BUFLEN */
1244        }
1245
1246        /* No block descriptors */
1247
1248        /*
1249         * The mode pages, in numerical order.  The only page we support
1250         * is the Caching page.
1251         */
1252        if (page_code == 0x08 || all_pages) {
1253                valid_page = 1;
1254                buf[0] = 0x08;          /* Page code */
1255                buf[1] = 10;            /* Page length */
1256                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1257
1258                if (!changeable_values) {
1259                        buf[2] = 0x04;  /* Write cache enable, */
1260                                        /* Read cache not disabled */
1261                                        /* No cache retention priorities */
1262                        put_unaligned_be16(0xffff, &buf[4]);
1263                                        /* Don't disable prefetch */
1264                                        /* Minimum prefetch = 0 */
1265                        put_unaligned_be16(0xffff, &buf[8]);
1266                                        /* Maximum prefetch */
1267                        put_unaligned_be16(0xffff, &buf[10]);
1268                                        /* Maximum prefetch ceiling */
1269                }
1270                buf += 12;
1271        }
1272
1273        /*
1274         * Check that a valid page was requested and the mode data length
1275         * isn't too long.
1276         */
1277        len = buf - buf0;
1278        if (!valid_page || len > limit) {
1279                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1280                return -EINVAL;
1281        }
1282
1283        /*  Store the mode data length */
1284        if (mscmnd == MODE_SENSE)
1285                buf0[0] = len - 1;
1286        else
1287                put_unaligned_be16(len - 2, buf0);
1288        return len;
1289}
1290
1291static int do_start_stop(struct fsg_common *common)
1292{
1293        struct fsg_lun  *curlun = common->curlun;
1294        int             loej, start;
1295
1296        if (!curlun) {
1297                return -EINVAL;
1298        } else if (!curlun->removable) {
1299                curlun->sense_data = SS_INVALID_COMMAND;
1300                return -EINVAL;
1301        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1302                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1303                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1304                return -EINVAL;
1305        }
1306
1307        loej  = common->cmnd[4] & 0x02;
1308        start = common->cmnd[4] & 0x01;
1309
1310        /*
1311         * Our emulation doesn't support mounting; the medium is
1312         * available for use as soon as it is loaded.
1313         */
1314        if (start) {
1315                if (!fsg_lun_is_open(curlun)) {
1316                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1317                        return -EINVAL;
1318                }
1319                return 0;
1320        }
1321
1322        /* Are we allowed to unload the media? */
1323        if (curlun->prevent_medium_removal) {
1324                LDBG(curlun, "unload attempt prevented\n");
1325                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1326                return -EINVAL;
1327        }
1328
1329        if (!loej)
1330                return 0;
1331
1332        up_read(&common->filesem);
1333        down_write(&common->filesem);
1334        fsg_lun_close(curlun);
1335        up_write(&common->filesem);
1336        down_read(&common->filesem);
1337
1338        return 0;
1339}
1340
1341static int do_prevent_allow(struct fsg_common *common)
1342{
1343        struct fsg_lun  *curlun = common->curlun;
1344        int             prevent;
1345
1346        if (!common->curlun) {
1347                return -EINVAL;
1348        } else if (!common->curlun->removable) {
1349                common->curlun->sense_data = SS_INVALID_COMMAND;
1350                return -EINVAL;
1351        }
1352
1353        prevent = common->cmnd[4] & 0x01;
1354        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1355                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1356                return -EINVAL;
1357        }
1358
1359        if (curlun->prevent_medium_removal && !prevent)
1360                fsg_lun_fsync_sub(curlun);
1361        curlun->prevent_medium_removal = prevent;
1362        return 0;
1363}
1364
1365static int do_read_format_capacities(struct fsg_common *common,
1366                        struct fsg_buffhd *bh)
1367{
1368        struct fsg_lun  *curlun = common->curlun;
1369        u8              *buf = (u8 *) bh->buf;
1370
1371        buf[0] = buf[1] = buf[2] = 0;
1372        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1373        buf += 4;
1374
1375        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1376                                                /* Number of blocks */
1377        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1378        buf[4] = 0x02;                          /* Current capacity */
1379        return 12;
1380}
1381
1382static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1383{
1384        struct fsg_lun  *curlun = common->curlun;
1385
1386        /* We don't support MODE SELECT */
1387        if (curlun)
1388                curlun->sense_data = SS_INVALID_COMMAND;
1389        return -EINVAL;
1390}
1391
1392
1393/*-------------------------------------------------------------------------*/
1394
1395static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1396{
1397        int     rc;
1398
1399        rc = fsg_set_halt(fsg, fsg->bulk_in);
1400        if (rc == -EAGAIN)
1401                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1402        while (rc != 0) {
1403                if (rc != -EAGAIN) {
1404                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1405                        rc = 0;
1406                        break;
1407                }
1408
1409                /* Wait for a short time and then try again */
1410                if (msleep_interruptible(100) != 0)
1411                        return -EINTR;
1412                rc = usb_ep_set_halt(fsg->bulk_in);
1413        }
1414        return rc;
1415}
1416
1417static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1418{
1419        int     rc;
1420
1421        DBG(fsg, "bulk-in set wedge\n");
1422        rc = usb_ep_set_wedge(fsg->bulk_in);
1423        if (rc == -EAGAIN)
1424                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1425        while (rc != 0) {
1426                if (rc != -EAGAIN) {
1427                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1428                        rc = 0;
1429                        break;
1430                }
1431
1432                /* Wait for a short time and then try again */
1433                if (msleep_interruptible(100) != 0)
1434                        return -EINTR;
1435                rc = usb_ep_set_wedge(fsg->bulk_in);
1436        }
1437        return rc;
1438}
1439
1440static int throw_away_data(struct fsg_common *common)
1441{
1442        struct fsg_buffhd       *bh, *bh2;
1443        u32                     amount;
1444        int                     rc;
1445
1446        for (bh = common->next_buffhd_to_drain;
1447             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1448             bh = common->next_buffhd_to_drain) {
1449
1450                /* Try to submit another request if we need one */
1451                bh2 = common->next_buffhd_to_fill;
1452                if (bh2->state == BUF_STATE_EMPTY &&
1453                                common->usb_amount_left > 0) {
1454                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1455
1456                        /*
1457                         * Except at the end of the transfer, amount will be
1458                         * equal to the buffer size, which is divisible by
1459                         * the bulk-out maxpacket size.
1460                         */
1461                        set_bulk_out_req_length(common, bh2, amount);
1462                        if (!start_out_transfer(common, bh2))
1463                                /* Dunno what to do if common->fsg is NULL */
1464                                return -EIO;
1465                        common->next_buffhd_to_fill = bh2->next;
1466                        common->usb_amount_left -= amount;
1467                        continue;
1468                }
1469
1470                /* Wait for the data to be received */
1471                rc = sleep_thread(common, false, bh);
1472                if (rc)
1473                        return rc;
1474
1475                /* Throw away the data in a filled buffer */
1476                bh->state = BUF_STATE_EMPTY;
1477                common->next_buffhd_to_drain = bh->next;
1478
1479                /* A short packet or an error ends everything */
1480                if (bh->outreq->actual < bh->bulk_out_intended_length ||
1481                                bh->outreq->status != 0) {
1482                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1483                        return -EINTR;
1484                }
1485        }
1486        return 0;
1487}
1488
1489static int finish_reply(struct fsg_common *common)
1490{
1491        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1492        int                     rc = 0;
1493
1494        switch (common->data_dir) {
1495        case DATA_DIR_NONE:
1496                break;                  /* Nothing to send */
1497
1498        /*
1499         * If we don't know whether the host wants to read or write,
1500         * this must be CB or CBI with an unknown command.  We mustn't
1501         * try to send or receive any data.  So stall both bulk pipes
1502         * if we can and wait for a reset.
1503         */
1504        case DATA_DIR_UNKNOWN:
1505                if (!common->can_stall) {
1506                        /* Nothing */
1507                } else if (fsg_is_set(common)) {
1508                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1509                        rc = halt_bulk_in_endpoint(common->fsg);
1510                } else {
1511                        /* Don't know what to do if common->fsg is NULL */
1512                        rc = -EIO;
1513                }
1514                break;
1515
1516        /* All but the last buffer of data must have already been sent */
1517        case DATA_DIR_TO_HOST:
1518                if (common->data_size == 0) {
1519                        /* Nothing to send */
1520
1521                /* Don't know what to do if common->fsg is NULL */
1522                } else if (!fsg_is_set(common)) {
1523                        rc = -EIO;
1524
1525                /* If there's no residue, simply send the last buffer */
1526                } else if (common->residue == 0) {
1527                        bh->inreq->zero = 0;
1528                        if (!start_in_transfer(common, bh))
1529                                return -EIO;
1530                        common->next_buffhd_to_fill = bh->next;
1531
1532                /*
1533                 * For Bulk-only, mark the end of the data with a short
1534                 * packet.  If we are allowed to stall, halt the bulk-in
1535                 * endpoint.  (Note: This violates the Bulk-Only Transport
1536                 * specification, which requires us to pad the data if we
1537                 * don't halt the endpoint.  Presumably nobody will mind.)
1538                 */
1539                } else {
1540                        bh->inreq->zero = 1;
1541                        if (!start_in_transfer(common, bh))
1542                                rc = -EIO;
1543                        common->next_buffhd_to_fill = bh->next;
1544                        if (common->can_stall)
1545                                rc = halt_bulk_in_endpoint(common->fsg);
1546                }
1547                break;
1548
1549        /*
1550         * We have processed all we want from the data the host has sent.
1551         * There may still be outstanding bulk-out requests.
1552         */
1553        case DATA_DIR_FROM_HOST:
1554                if (common->residue == 0) {
1555                        /* Nothing to receive */
1556
1557                /* Did the host stop sending unexpectedly early? */
1558                } else if (common->short_packet_received) {
1559                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1560                        rc = -EINTR;
1561
1562                /*
1563                 * We haven't processed all the incoming data.  Even though
1564                 * we may be allowed to stall, doing so would cause a race.
1565                 * The controller may already have ACK'ed all the remaining
1566                 * bulk-out packets, in which case the host wouldn't see a
1567                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1568                 * clear the halt -- leading to problems later on.
1569                 */
1570#if 0
1571                } else if (common->can_stall) {
1572                        if (fsg_is_set(common))
1573                                fsg_set_halt(common->fsg,
1574                                             common->fsg->bulk_out);
1575                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1576                        rc = -EINTR;
1577#endif
1578
1579                /*
1580                 * We can't stall.  Read in the excess data and throw it
1581                 * all away.
1582                 */
1583                } else {
1584                        rc = throw_away_data(common);
1585                }
1586                break;
1587        }
1588        return rc;
1589}
1590
1591static void send_status(struct fsg_common *common)
1592{
1593        struct fsg_lun          *curlun = common->curlun;
1594        struct fsg_buffhd       *bh;
1595        struct bulk_cs_wrap     *csw;
1596        int                     rc;
1597        u8                      status = US_BULK_STAT_OK;
1598        u32                     sd, sdinfo = 0;
1599
1600        /* Wait for the next buffer to become available */
1601        bh = common->next_buffhd_to_fill;
1602        rc = sleep_thread(common, false, bh);
1603        if (rc)
1604                return;
1605
1606        if (curlun) {
1607                sd = curlun->sense_data;
1608                sdinfo = curlun->sense_data_info;
1609        } else if (common->bad_lun_okay)
1610                sd = SS_NO_SENSE;
1611        else
1612                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1613
1614        if (common->phase_error) {
1615                DBG(common, "sending phase-error status\n");
1616                status = US_BULK_STAT_PHASE;
1617                sd = SS_INVALID_COMMAND;
1618        } else if (sd != SS_NO_SENSE) {
1619                DBG(common, "sending command-failure status\n");
1620                status = US_BULK_STAT_FAIL;
1621                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1622                                "  info x%x\n",
1623                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1624        }
1625
1626        /* Store and send the Bulk-only CSW */
1627        csw = (void *)bh->buf;
1628
1629        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1630        csw->Tag = common->tag;
1631        csw->Residue = cpu_to_le32(common->residue);
1632        csw->Status = status;
1633
1634        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1635        bh->inreq->zero = 0;
1636        if (!start_in_transfer(common, bh))
1637                /* Don't know what to do if common->fsg is NULL */
1638                return;
1639
1640        common->next_buffhd_to_fill = bh->next;
1641        return;
1642}
1643
1644
1645/*-------------------------------------------------------------------------*/
1646
1647/*
1648 * Check whether the command is properly formed and whether its data size
1649 * and direction agree with the values we already have.
1650 */
1651static int check_command(struct fsg_common *common, int cmnd_size,
1652                         enum data_direction data_dir, unsigned int mask,
1653                         int needs_medium, const char *name)
1654{
1655        int                     i;
1656        unsigned int            lun = common->cmnd[1] >> 5;
1657        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1658        char                    hdlen[20];
1659        struct fsg_lun          *curlun;
1660
1661        hdlen[0] = 0;
1662        if (common->data_dir != DATA_DIR_UNKNOWN)
1663                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1664                        common->data_size);
1665        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1666             name, cmnd_size, dirletter[(int) data_dir],
1667             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1668
1669        /*
1670         * We can't reply at all until we know the correct data direction
1671         * and size.
1672         */
1673        if (common->data_size_from_cmnd == 0)
1674                data_dir = DATA_DIR_NONE;
1675        if (common->data_size < common->data_size_from_cmnd) {
1676                /*
1677                 * Host data size < Device data size is a phase error.
1678                 * Carry out the command, but only transfer as much as
1679                 * we are allowed.
1680                 */
1681                common->data_size_from_cmnd = common->data_size;
1682                common->phase_error = 1;
1683        }
1684        common->residue = common->data_size;
1685        common->usb_amount_left = common->data_size;
1686
1687        /* Conflicting data directions is a phase error */
1688        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1689                common->phase_error = 1;
1690                return -EINVAL;
1691        }
1692
1693        /* Verify the length of the command itself */
1694        if (cmnd_size != common->cmnd_size) {
1695
1696                /*
1697                 * Special case workaround: There are plenty of buggy SCSI
1698                 * implementations. Many have issues with cbw->Length
1699                 * field passing a wrong command size. For those cases we
1700                 * always try to work around the problem by using the length
1701                 * sent by the host side provided it is at least as large
1702                 * as the correct command length.
1703                 * Examples of such cases would be MS-Windows, which issues
1704                 * REQUEST SENSE with cbw->Length == 12 where it should
1705                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1706                 * REQUEST SENSE with cbw->Length == 10 where it should
1707                 * be 6 as well.
1708                 */
1709                if (cmnd_size <= common->cmnd_size) {
1710                        DBG(common, "%s is buggy! Expected length %d "
1711                            "but we got %d\n", name,
1712                            cmnd_size, common->cmnd_size);
1713                        cmnd_size = common->cmnd_size;
1714                } else {
1715                        common->phase_error = 1;
1716                        return -EINVAL;
1717                }
1718        }
1719
1720        /* Check that the LUN values are consistent */
1721        if (common->lun != lun)
1722                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1723                    common->lun, lun);
1724
1725        /* Check the LUN */
1726        curlun = common->curlun;
1727        if (curlun) {
1728                if (common->cmnd[0] != REQUEST_SENSE) {
1729                        curlun->sense_data = SS_NO_SENSE;
1730                        curlun->sense_data_info = 0;
1731                        curlun->info_valid = 0;
1732                }
1733        } else {
1734                common->bad_lun_okay = 0;
1735
1736                /*
1737                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1738                 * to use unsupported LUNs; all others may not.
1739                 */
1740                if (common->cmnd[0] != INQUIRY &&
1741                    common->cmnd[0] != REQUEST_SENSE) {
1742                        DBG(common, "unsupported LUN %u\n", common->lun);
1743                        return -EINVAL;
1744                }
1745        }
1746
1747        /*
1748         * If a unit attention condition exists, only INQUIRY and
1749         * REQUEST SENSE commands are allowed; anything else must fail.
1750         */
1751        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1752            common->cmnd[0] != INQUIRY &&
1753            common->cmnd[0] != REQUEST_SENSE) {
1754                curlun->sense_data = curlun->unit_attention_data;
1755                curlun->unit_attention_data = SS_NO_SENSE;
1756                return -EINVAL;
1757        }
1758
1759        /* Check that only command bytes listed in the mask are non-zero */
1760        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1761        for (i = 1; i < cmnd_size; ++i) {
1762                if (common->cmnd[i] && !(mask & (1 << i))) {
1763                        if (curlun)
1764                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1765                        return -EINVAL;
1766                }
1767        }
1768
1769        /* If the medium isn't mounted and the command needs to access
1770         * it, return an error. */
1771        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1772                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1773                return -EINVAL;
1774        }
1775
1776        return 0;
1777}
1778
1779/* wrapper of check_command for data size in blocks handling */
1780static int check_command_size_in_blocks(struct fsg_common *common,
1781                int cmnd_size, enum data_direction data_dir,
1782                unsigned int mask, int needs_medium, const char *name)
1783{
1784        if (common->curlun)
1785                common->data_size_from_cmnd <<= common->curlun->blkbits;
1786        return check_command(common, cmnd_size, data_dir,
1787                        mask, needs_medium, name);
1788}
1789
1790static int do_scsi_command(struct fsg_common *common)
1791{
1792        struct fsg_buffhd       *bh;
1793        int                     rc;
1794        int                     reply = -EINVAL;
1795        int                     i;
1796        static char             unknown[16];
1797
1798        dump_cdb(common);
1799
1800        /* Wait for the next buffer to become available for data or status */
1801        bh = common->next_buffhd_to_fill;
1802        common->next_buffhd_to_drain = bh;
1803        rc = sleep_thread(common, false, bh);
1804        if (rc)
1805                return rc;
1806
1807        common->phase_error = 0;
1808        common->short_packet_received = 0;
1809
1810        down_read(&common->filesem);    /* We're using the backing file */
1811        switch (common->cmnd[0]) {
1812
1813        case INQUIRY:
1814                common->data_size_from_cmnd = common->cmnd[4];
1815                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1816                                      (1<<4), 0,
1817                                      "INQUIRY");
1818                if (reply == 0)
1819                        reply = do_inquiry(common, bh);
1820                break;
1821
1822        case MODE_SELECT:
1823                common->data_size_from_cmnd = common->cmnd[4];
1824                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1825                                      (1<<1) | (1<<4), 0,
1826                                      "MODE SELECT(6)");
1827                if (reply == 0)
1828                        reply = do_mode_select(common, bh);
1829                break;
1830
1831        case MODE_SELECT_10:
1832                common->data_size_from_cmnd =
1833                        get_unaligned_be16(&common->cmnd[7]);
1834                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1835                                      (1<<1) | (3<<7), 0,
1836                                      "MODE SELECT(10)");
1837                if (reply == 0)
1838                        reply = do_mode_select(common, bh);
1839                break;
1840
1841        case MODE_SENSE:
1842                common->data_size_from_cmnd = common->cmnd[4];
1843                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1844                                      (1<<1) | (1<<2) | (1<<4), 0,
1845                                      "MODE SENSE(6)");
1846                if (reply == 0)
1847                        reply = do_mode_sense(common, bh);
1848                break;
1849
1850        case MODE_SENSE_10:
1851                common->data_size_from_cmnd =
1852                        get_unaligned_be16(&common->cmnd[7]);
1853                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1854                                      (1<<1) | (1<<2) | (3<<7), 0,
1855                                      "MODE SENSE(10)");
1856                if (reply == 0)
1857                        reply = do_mode_sense(common, bh);
1858                break;
1859
1860        case ALLOW_MEDIUM_REMOVAL:
1861                common->data_size_from_cmnd = 0;
1862                reply = check_command(common, 6, DATA_DIR_NONE,
1863                                      (1<<4), 0,
1864                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1865                if (reply == 0)
1866                        reply = do_prevent_allow(common);
1867                break;
1868
1869        case READ_6:
1870                i = common->cmnd[4];
1871                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1872                reply = check_command_size_in_blocks(common, 6,
1873                                      DATA_DIR_TO_HOST,
1874                                      (7<<1) | (1<<4), 1,
1875                                      "READ(6)");
1876                if (reply == 0)
1877                        reply = do_read(common);
1878                break;
1879
1880        case READ_10:
1881                common->data_size_from_cmnd =
1882                                get_unaligned_be16(&common->cmnd[7]);
1883                reply = check_command_size_in_blocks(common, 10,
1884                                      DATA_DIR_TO_HOST,
1885                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1886                                      "READ(10)");
1887                if (reply == 0)
1888                        reply = do_read(common);
1889                break;
1890
1891        case READ_12:
1892                common->data_size_from_cmnd =
1893                                get_unaligned_be32(&common->cmnd[6]);
1894                reply = check_command_size_in_blocks(common, 12,
1895                                      DATA_DIR_TO_HOST,
1896                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1897                                      "READ(12)");
1898                if (reply == 0)
1899                        reply = do_read(common);
1900                break;
1901
1902        case READ_CAPACITY:
1903                common->data_size_from_cmnd = 8;
1904                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1905                                      (0xf<<2) | (1<<8), 1,
1906                                      "READ CAPACITY");
1907                if (reply == 0)
1908                        reply = do_read_capacity(common, bh);
1909                break;
1910
1911        case READ_HEADER:
1912                if (!common->curlun || !common->curlun->cdrom)
1913                        goto unknown_cmnd;
1914                common->data_size_from_cmnd =
1915                        get_unaligned_be16(&common->cmnd[7]);
1916                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1917                                      (3<<7) | (0x1f<<1), 1,
1918                                      "READ HEADER");
1919                if (reply == 0)
1920                        reply = do_read_header(common, bh);
1921                break;
1922
1923        case READ_TOC:
1924                if (!common->curlun || !common->curlun->cdrom)
1925                        goto unknown_cmnd;
1926                common->data_size_from_cmnd =
1927                        get_unaligned_be16(&common->cmnd[7]);
1928                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1929                                      (7<<6) | (1<<1), 1,
1930                                      "READ TOC");
1931                if (reply == 0)
1932                        reply = do_read_toc(common, bh);
1933                break;
1934
1935        case READ_FORMAT_CAPACITIES:
1936                common->data_size_from_cmnd =
1937                        get_unaligned_be16(&common->cmnd[7]);
1938                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1939                                      (3<<7), 1,
1940                                      "READ FORMAT CAPACITIES");
1941                if (reply == 0)
1942                        reply = do_read_format_capacities(common, bh);
1943                break;
1944
1945        case REQUEST_SENSE:
1946                common->data_size_from_cmnd = common->cmnd[4];
1947                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1948                                      (1<<4), 0,
1949                                      "REQUEST SENSE");
1950                if (reply == 0)
1951                        reply = do_request_sense(common, bh);
1952                break;
1953
1954        case START_STOP:
1955                common->data_size_from_cmnd = 0;
1956                reply = check_command(common, 6, DATA_DIR_NONE,
1957                                      (1<<1) | (1<<4), 0,
1958                                      "START-STOP UNIT");
1959                if (reply == 0)
1960                        reply = do_start_stop(common);
1961                break;
1962
1963        case SYNCHRONIZE_CACHE:
1964                common->data_size_from_cmnd = 0;
1965                reply = check_command(common, 10, DATA_DIR_NONE,
1966                                      (0xf<<2) | (3<<7), 1,
1967                                      "SYNCHRONIZE CACHE");
1968                if (reply == 0)
1969                        reply = do_synchronize_cache(common);
1970                break;
1971
1972        case TEST_UNIT_READY:
1973                common->data_size_from_cmnd = 0;
1974                reply = check_command(common, 6, DATA_DIR_NONE,
1975                                0, 1,
1976                                "TEST UNIT READY");
1977                break;
1978
1979        /*
1980         * Although optional, this command is used by MS-Windows.  We
1981         * support a minimal version: BytChk must be 0.
1982         */
1983        case VERIFY:
1984                common->data_size_from_cmnd = 0;
1985                reply = check_command(common, 10, DATA_DIR_NONE,
1986                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1987                                      "VERIFY");
1988                if (reply == 0)
1989                        reply = do_verify(common);
1990                break;
1991
1992        case WRITE_6:
1993                i = common->cmnd[4];
1994                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1995                reply = check_command_size_in_blocks(common, 6,
1996                                      DATA_DIR_FROM_HOST,
1997                                      (7<<1) | (1<<4), 1,
1998                                      "WRITE(6)");
1999                if (reply == 0)
2000                        reply = do_write(common);

2001                break;
2002
2003        case WRITE_10:
2004                common->data_size_from_cmnd =
2005                                get_unaligned_be16(&common->cmnd[7]);
2006                reply = check_command_size_in_blocks(common, 10,
2007                                      DATA_DIR_FROM_HOST,
2008                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2009                                      "WRITE(10)");
2010                if (reply == 0)
2011                        reply = do_write(common);
2012                break;
2013
2014        case WRITE_12:
2015                common->data_size_from_cmnd =
2016                                get_unaligned_be32(&common->cmnd[6]);
2017                reply = check_command_size_in_blocks(common, 12,
2018                                      DATA_DIR_FROM_HOST,
2019                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2020                                      "WRITE(12)");
2021                if (reply == 0)
2022                        reply = do_write(common);
2023                break;
2024
2025        /*
2026         * Some mandatory commands that we recognize but don't implement.
2027         * They don't mean much in this setting.  It's left as an exercise
2028         * for anyone interested to implement RESERVE and RELEASE in terms
2029         * of Posix locks.
2030         */
2031        case FORMAT_UNIT:
2032        case RELEASE:
2033        case RESERVE:
2034        case SEND_DIAGNOSTIC:
2035                /* Fall through */
2036
2037        default:
2038unknown_cmnd:
2039                common->data_size_from_cmnd = 0;
2040                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2041                reply = check_command(common, common->cmnd_size,
2042                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2043                if (reply == 0) {
2044                        common->curlun->sense_data = SS_INVALID_COMMAND;
2045                        reply = -EINVAL;
2046                }
2047                break;
2048        }
2049        up_read(&common->filesem);
2050
2051        if (reply == -EINTR || signal_pending(current))
2052                return -EINTR;
2053
2054        /* Set up the single reply buffer for finish_reply() */
2055        if (reply == -EINVAL)
2056                reply = 0;              /* Error reply length */
2057        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2058                reply = min((u32)reply, common->data_size_from_cmnd);
2059                bh->inreq->length = reply;
2060                bh->state = BUF_STATE_FULL;
2061                common->residue -= reply;
2062        }                               /* Otherwise it's already set */
2063
2064        return 0;
2065}
2066
2067
2068/*-------------------------------------------------------------------------*/
2069
2070static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2071{
2072        struct usb_request      *req = bh->outreq;
2073        struct bulk_cb_wrap     *cbw = req->buf;
2074        struct fsg_common       *common = fsg->common;
2075
2076        /* Was this a real packet?  Should it be ignored? */
2077        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2078                return -EINVAL;
2079
2080        /* Is the CBW valid? */
2081        if (req->actual != US_BULK_CB_WRAP_LEN ||
2082                        cbw->Signature != cpu_to_le32(
2083                                US_BULK_CB_SIGN)) {
2084                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2085                                req->actual,
2086                                le32_to_cpu(cbw->Signature));
2087
2088                /*
2089                 * The Bulk-only spec says we MUST stall the IN endpoint
2090                 * (6.6.1), so it's unavoidable.  It also says we must
2091                 * retain this state until the next reset, but there's
2092                 * no way to tell the controller driver it should ignore
2093                 * Clear-Feature(HALT) requests.
2094                 *
2095                 * We aren't required to halt the OUT endpoint; instead
2096                 * we can simply accept and discard any data received
2097                 * until the next reset.
2098                 */
2099                wedge_bulk_in_endpoint(fsg);
2100                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2101                return -EINVAL;
2102        }
2103
2104        /* Is the CBW meaningful? */
2105        if (cbw->Lun >= ARRAY_SIZE(common->luns) ||
2106            cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 ||
2107            cbw->Length > MAX_COMMAND_SIZE) {
2108                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2109                                "cmdlen %u\n",
2110                                cbw->Lun, cbw->Flags, cbw->Length);
2111
2112                /*
2113                 * We can do anything we want here, so let's stall the
2114                 * bulk pipes if we are allowed to.
2115                 */
2116                if (common->can_stall) {
2117                        fsg_set_halt(fsg, fsg->bulk_out);
2118                        halt_bulk_in_endpoint(fsg);
2119                }
2120                return -EINVAL;
2121        }
2122
2123        /* Save the command for later */
2124        common->cmnd_size = cbw->Length;
2125        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2126        if (cbw->Flags & US_BULK_FLAG_IN)
2127                common->data_dir = DATA_DIR_TO_HOST;
2128        else
2129                common->data_dir = DATA_DIR_FROM_HOST;
2130        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2131        if (common->data_size == 0)
2132                common->data_dir = DATA_DIR_NONE;
2133        common->lun = cbw->Lun;
2134        if (common->lun < ARRAY_SIZE(common->luns))
2135                common->curlun = common->luns[common->lun];
2136        else
2137                common->curlun = NULL;
2138        common->tag = cbw->Tag;
2139        return 0;
2140}
2141
2142static int get_next_command(struct fsg_common *common)
2143{
2144        struct fsg_buffhd       *bh;
2145        int                     rc = 0;
2146
2147        /* Wait for the next buffer to become available */
2148        bh = common->next_buffhd_to_fill;
2149        rc = sleep_thread(common, true, bh);
2150        if (rc)
2151                return rc;
2152
2153        /* Queue a request to read a Bulk-only CBW */
2154        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2155        if (!start_out_transfer(common, bh))
2156                /* Don't know what to do if common->fsg is NULL */
2157                return -EIO;
2158
2159        /*
2160         * We will drain the buffer in software, which means we
2161         * can reuse it for the next filling.  No need to advance
2162         * next_buffhd_to_fill.
2163         */
2164
2165        /* Wait for the CBW to arrive */
2166        rc = sleep_thread(common, true, bh);
2167        if (rc)
2168                return rc;
2169
2170        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2171        bh->state = BUF_STATE_EMPTY;
2172
2173        return rc;
2174}
2175
2176
2177/*-------------------------------------------------------------------------*/
2178
2179static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2180                struct usb_request **preq)
2181{
2182        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2183        if (*preq)
2184                return 0;
2185        ERROR(common, "can't allocate request for %s\n", ep->name);
2186        return -ENOMEM;
2187}
2188
2189/* Reset interface setting and re-init endpoint state (toggle etc). */
2190static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2191{
2192        struct fsg_dev *fsg;
2193        int i, rc = 0;
2194
2195        if (common->running)
2196                DBG(common, "reset interface\n");
2197
2198reset:
2199        /* Deallocate the requests */
2200        if (common->fsg) {
2201                fsg = common->fsg;
2202
2203                for (i = 0; i < common->fsg_num_buffers; ++i) {
2204                        struct fsg_buffhd *bh = &common->buffhds[i];
2205
2206                        if (bh->inreq) {
2207                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2208                                bh->inreq = NULL;
2209                        }
2210                        if (bh->outreq) {
2211                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2212                                bh->outreq = NULL;
2213                        }
2214                }
2215
2216                /* Disable the endpoints */
2217                if (fsg->bulk_in_enabled) {
2218                        usb_ep_disable(fsg->bulk_in);
2219                        fsg->bulk_in_enabled = 0;
2220                }
2221                if (fsg->bulk_out_enabled) {
2222                        usb_ep_disable(fsg->bulk_out);
2223                        fsg->bulk_out_enabled = 0;
2224                }
2225
2226                common->fsg = NULL;
2227                wake_up(&common->fsg_wait);
2228        }
2229
2230        common->running = 0;
2231        if (!new_fsg || rc)
2232                return rc;
2233
2234        common->fsg = new_fsg;
2235        fsg = common->fsg;
2236
2237        /* Enable the endpoints */
2238        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2239        if (rc)
2240                goto reset;
2241        rc = usb_ep_enable(fsg->bulk_in);
2242        if (rc)
2243                goto reset;
2244        fsg->bulk_in->driver_data = common;
2245        fsg->bulk_in_enabled = 1;
2246
2247        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2248                                fsg->bulk_out);
2249        if (rc)
2250                goto reset;
2251        rc = usb_ep_enable(fsg->bulk_out);
2252        if (rc)
2253                goto reset;
2254        fsg->bulk_out->driver_data = common;
2255        fsg->bulk_out_enabled = 1;
2256        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2257        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2258
2259        /* Allocate the requests */
2260        for (i = 0; i < common->fsg_num_buffers; ++i) {
2261                struct fsg_buffhd       *bh = &common->buffhds[i];
2262
2263                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2264                if (rc)
2265                        goto reset;
2266                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2267                if (rc)
2268                        goto reset;
2269                bh->inreq->buf = bh->outreq->buf = bh->buf;
2270                bh->inreq->context = bh->outreq->context = bh;
2271                bh->inreq->complete = bulk_in_complete;
2272                bh->outreq->complete = bulk_out_complete;
2273        }
2274
2275        common->running = 1;
2276        for (i = 0; i < ARRAY_SIZE(common->luns); ++i)
2277                if (common->luns[i])
2278                        common->luns[i]->unit_attention_data =
2279                                SS_RESET_OCCURRED;
2280        return rc;
2281}
2282
2283
2284/****************************** ALT CONFIGS ******************************/
2285
2286static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2287{
2288        struct fsg_dev *fsg = fsg_from_func(f);
2289        fsg->common->new_fsg = fsg;
2290        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2291        return USB_GADGET_DELAYED_STATUS;
2292}
2293
2294static void fsg_disable(struct usb_function *f)
2295{
2296        struct fsg_dev *fsg = fsg_from_func(f);
2297        fsg->common->new_fsg = NULL;
2298        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2299}
2300
2301
2302/*-------------------------------------------------------------------------*/
2303
2304static void handle_exception(struct fsg_common *common)
2305{
2306        int                     i;
2307        struct fsg_buffhd       *bh;
2308        enum fsg_state          old_state;
2309        struct fsg_lun          *curlun;
2310        unsigned int            exception_req_tag;
2311
2312        /*
2313         * Clear the existing signals.  Anything but SIGUSR1 is converted
2314         * into a high-priority EXIT exception.
2315         */
2316        for (;;) {
2317                int sig = kernel_dequeue_signal(NULL);
2318                if (!sig)
2319                        break;
2320                if (sig != SIGUSR1) {
2321                        spin_lock_irq(&common->lock);
2322                        if (common->state < FSG_STATE_EXIT)
2323                                DBG(common, "Main thread exiting on signal\n");
2324                        common->state = FSG_STATE_EXIT;
2325                        spin_unlock_irq(&common->lock);
2326                }
2327        }
2328
2329        /* Cancel all the pending transfers */
2330        if (likely(common->fsg)) {
2331                for (i = 0; i < common->fsg_num_buffers; ++i) {
2332                        bh = &common->buffhds[i];
2333                        if (bh->state == BUF_STATE_SENDING)
2334                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2335                        if (bh->state == BUF_STATE_RECEIVING)
2336                                usb_ep_dequeue(common->fsg->bulk_out,
2337                                               bh->outreq);
2338
2339                        /* Wait for a transfer to become idle */
2340                        if (sleep_thread(common, false, bh))
2341                                return;
2342                }
2343
2344                /* Clear out the controller's fifos */
2345                if (common->fsg->bulk_in_enabled)
2346                        usb_ep_fifo_flush(common->fsg->bulk_in);
2347                if (common->fsg->bulk_out_enabled)
2348                        usb_ep_fifo_flush(common->fsg->bulk_out);
2349        }
2350
2351        /*
2352         * Reset the I/O buffer states and pointers, the SCSI
2353         * state, and the exception.  Then invoke the handler.
2354         */
2355        spin_lock_irq(&common->lock);
2356
2357        for (i = 0; i < common->fsg_num_buffers; ++i) {
2358                bh = &common->buffhds[i];
2359                bh->state = BUF_STATE_EMPTY;
2360        }
2361        common->next_buffhd_to_fill = &common->buffhds[0];
2362        common->next_buffhd_to_drain = &common->buffhds[0];
2363        exception_req_tag = common->exception_req_tag;
2364        old_state = common->state;
2365        common->state = FSG_STATE_NORMAL;
2366
2367        if (old_state != FSG_STATE_ABORT_BULK_OUT) {
2368                for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2369                        curlun = common->luns[i];
2370                        if (!curlun)
2371                                continue;
2372                        curlun->prevent_medium_removal = 0;
2373                        curlun->sense_data = SS_NO_SENSE;
2374                        curlun->unit_attention_data = SS_NO_SENSE;
2375                        curlun->sense_data_info = 0;
2376                        curlun->info_valid = 0;
2377                }
2378        }
2379        spin_unlock_irq(&common->lock);
2380
2381        /* Carry out any extra actions required for the exception */
2382        switch (old_state) {
2383        case FSG_STATE_NORMAL:
2384                break;
2385
2386        case FSG_STATE_ABORT_BULK_OUT:
2387                send_status(common);
2388                break;
2389
2390        case FSG_STATE_PROTOCOL_RESET:
2391                /*
2392                 * In case we were forced against our will to halt a
2393                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2394                 * requires this.)
2395                 */
2396                if (!fsg_is_set(common))
2397                        break;
2398                if (test_and_clear_bit(IGNORE_BULK_OUT,
2399                                       &common->fsg->atomic_bitflags))
2400                        usb_ep_clear_halt(common->fsg->bulk_in);
2401
2402                if (common->ep0_req_tag == exception_req_tag)
2403                        ep0_queue(common);      /* Complete the status stage */
2404
2405                /*
2406                 * Technically this should go here, but it would only be
2407                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2408                 * CONFIG_CHANGE cases.
2409                 */
2410                /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */
2411                /*      if (common->luns[i]) */
2412                /*              common->luns[i]->unit_attention_data = */
2413                /*                      SS_RESET_OCCURRED;  */
2414                break;
2415
2416        case FSG_STATE_CONFIG_CHANGE:
2417                do_set_interface(common, common->new_fsg);
2418                if (common->new_fsg)
2419                        usb_composite_setup_continue(common->cdev);
2420                break;
2421
2422        case FSG_STATE_EXIT:
2423                do_set_interface(common, NULL);         /* Free resources */
2424                spin_lock_irq(&common->lock);
2425                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2426                spin_unlock_irq(&common->lock);
2427                break;
2428
2429        case FSG_STATE_TERMINATED:
2430                break;
2431        }
2432}
2433
2434
2435/*-------------------------------------------------------------------------*/
2436
2437static int fsg_main_thread(void *common_)
2438{
2439        struct fsg_common       *common = common_;
2440        int                     i;
2441
2442        /*
2443         * Allow the thread to be killed by a signal, but set the signal mask
2444         * to block everything but INT, TERM, KILL, and USR1.
2445         */
2446        allow_signal(SIGINT);
2447        allow_signal(SIGTERM);
2448        allow_signal(SIGKILL);
2449        allow_signal(SIGUSR1);
2450
2451        /* Allow the thread to be frozen */
2452        set_freezable();
2453
2454        /* The main loop */
2455        while (common->state != FSG_STATE_TERMINATED) {
2456                if (exception_in_progress(common) || signal_pending(current)) {
2457                        handle_exception(common);
2458                        continue;
2459                }
2460
2461                if (!common->running) {
2462                        sleep_thread(common, true, NULL);
2463                        continue;
2464                }
2465
2466                if (get_next_command(common) || exception_in_progress(common))
2467                        continue;
2468                if (do_scsi_command(common) || exception_in_progress(common))
2469                        continue;
2470                if (finish_reply(common) || exception_in_progress(common))
2471                        continue;
2472                send_status(common);
2473        }
2474
2475        spin_lock_irq(&common->lock);
2476        common->thread_task = NULL;
2477        spin_unlock_irq(&common->lock);
2478
2479        /* Eject media from all LUNs */
2480
2481        down_write(&common->filesem);
2482        for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
2483                struct fsg_lun *curlun = common->luns[i];
2484
2485                if (curlun && fsg_lun_is_open(curlun))
2486                        fsg_lun_close(curlun);
2487        }
2488        up_write(&common->filesem);
2489
2490        /* Let fsg_unbind() know the thread has exited */
2491        complete_and_exit(&common->thread_notifier, 0);
2492}
2493
2494
2495/*************************** DEVICE ATTRIBUTES ***************************/
2496
2497static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2498{
2499        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2500
2501        return fsg_show_ro(curlun, buf);
2502}
2503
2504static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2505                          char *buf)
2506{
2507        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2508
2509        return fsg_show_nofua(curlun, buf);
2510}
2511
2512static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2513                         char *buf)
2514{
2515        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2516        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2517
2518        return fsg_show_file(curlun, filesem, buf);
2519}
2520
2521static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2522                        const char *buf, size_t count)
2523{
2524        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2525        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2526
2527        return fsg_store_ro(curlun, filesem, buf, count);
2528}
2529
2530static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2531                           const char *buf, size_t count)
2532{
2533        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2534
2535        return fsg_store_nofua(curlun, buf, count);
2536}
2537
2538static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2539                          const char *buf, size_t count)
2540{
2541        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2542        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2543
2544        return fsg_store_file(curlun, filesem, buf, count);
2545}
2546
2547static DEVICE_ATTR_RW(nofua);
2548/* mode wil be set in fsg_lun_attr_is_visible() */
2549static DEVICE_ATTR(ro, 0, ro_show, ro_store);
2550static DEVICE_ATTR(file, 0, file_show, file_store);
2551
2552/****************************** FSG COMMON ******************************/
2553
2554static void fsg_common_release(struct kref *ref);
2555
2556static void fsg_lun_release(struct device *dev)
2557{
2558        /* Nothing needs to be done */
2559}
2560
2561void fsg_common_get(struct fsg_common *common)
2562{
2563        kref_get(&common->ref);
2564}
2565EXPORT_SYMBOL_GPL(fsg_common_get);
2566
2567void fsg_common_put(struct fsg_common *common)
2568{
2569        kref_put(&common->ref, fsg_common_release);
2570}
2571EXPORT_SYMBOL_GPL(fsg_common_put);
2572
2573static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2574{
2575        if (!common) {
2576                common = kzalloc(sizeof(*common), GFP_KERNEL);
2577                if (!common)
2578                        return ERR_PTR(-ENOMEM);
2579                common->free_storage_on_release = 1;
2580        } else {
2581                common->free_storage_on_release = 0;
2582        }
2583        init_rwsem(&common->filesem);
2584        spin_lock_init(&common->lock);
2585        kref_init(&common->ref);
2586        init_completion(&common->thread_notifier);
2587        init_waitqueue_head(&common->io_wait);
2588        init_waitqueue_head(&common->fsg_wait);
2589        common->state = FSG_STATE_TERMINATED;
2590        memset(common->luns, 0, sizeof(common->luns));
2591
2592        return common;
2593}
2594
2595void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2596{
2597        common->sysfs = sysfs;
2598}
2599EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2600
2601static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2602{
2603        if (buffhds) {
2604                struct fsg_buffhd *bh = buffhds;
2605                while (n--) {
2606                        kfree(bh->buf);
2607                        ++bh;
2608                }
2609                kfree(buffhds);
2610        }
2611}
2612
2613int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2614{
2615        struct fsg_buffhd *bh, *buffhds;
2616        int i;
2617
2618        buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2619        if (!buffhds)
2620                return -ENOMEM;
2621
2622        /* Data buffers cyclic list */
2623        bh = buffhds;
2624        i = n;
2625        goto buffhds_first_it;
2626        do {
2627                bh->next = bh + 1;
2628                ++bh;
2629buffhds_first_it:
2630                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2631                if (unlikely(!bh->buf))
2632                        goto error_release;
2633        } while (--i);
2634        bh->next = buffhds;
2635
2636        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2637        common->fsg_num_buffers = n;
2638        common->buffhds = buffhds;
2639
2640        return 0;
2641
2642error_release:
2643        /*
2644         * "buf"s pointed to by heads after n - i are NULL
2645         * so releasing them won't hurt
2646         */
2647        _fsg_common_free_buffers(buffhds, n);
2648
2649        return -ENOMEM;
2650}
2651EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2652
2653void fsg_common_remove_lun(struct fsg_lun *lun)
2654{
2655        if (device_is_registered(&lun->dev))
2656                device_unregister(&lun->dev);
2657        fsg_lun_close(lun);
2658        kfree(lun);
2659}
2660EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2661
2662static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2663{
2664        int i;
2665
2666        for (i = 0; i < n; ++i)
2667                if (common->luns[i]) {
2668                        fsg_common_remove_lun(common->luns[i]);
2669                        common->luns[i] = NULL;
2670                }
2671}
2672
2673void fsg_common_remove_luns(struct fsg_common *common)
2674{
2675        _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns));
2676}
2677EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2678
2679void fsg_common_free_buffers(struct fsg_common *common)
2680{
2681        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2682        common->buffhds = NULL;
2683}
2684EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2685
2686int fsg_common_set_cdev(struct fsg_common *common,
2687                         struct usb_composite_dev *cdev, bool can_stall)
2688{
2689        struct usb_string *us;
2690
2691        common->gadget = cdev->gadget;
2692        common->ep0 = cdev->gadget->ep0;
2693        common->ep0req = cdev->req;
2694        common->cdev = cdev;
2695
2696        us = usb_gstrings_attach(cdev, fsg_strings_array,
2697                                 ARRAY_SIZE(fsg_strings));
2698        if (IS_ERR(us))
2699                return PTR_ERR(us);
2700
2701        fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2702
2703        /*
2704         * Some peripheral controllers are known not to be able to
2705         * halt bulk endpoints correctly.  If one of them is present,
2706         * disable stalls.
2707         */
2708        common->can_stall = can_stall &&
2709                        gadget_is_stall_supported(common->gadget);
2710
2711        return 0;
2712}
2713EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2714
2715static struct attribute *fsg_lun_dev_attrs[] = {
2716        &dev_attr_ro.attr,
2717        &dev_attr_file.attr,
2718        &dev_attr_nofua.attr,
2719        NULL
2720};
2721
2722static umode_t fsg_lun_dev_is_visible(struct kobject *kobj,
2723                                      struct attribute *attr, int idx)
2724{
2725        struct device *dev = kobj_to_dev(kobj);
2726        struct fsg_lun *lun = fsg_lun_from_dev(dev);
2727
2728        if (attr == &dev_attr_ro.attr)
2729                return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO);
2730        if (attr == &dev_attr_file.attr)
2731                return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO;
2732        return attr->mode;
2733}
2734
2735static const struct attribute_group fsg_lun_dev_group = {
2736        .attrs = fsg_lun_dev_attrs,
2737        .is_visible = fsg_lun_dev_is_visible,
2738};
2739
2740static const struct attribute_group *fsg_lun_dev_groups[] = {
2741        &fsg_lun_dev_group,
2742        NULL
2743};
2744
2745int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2746                          unsigned int id, const char *name,
2747                          const char **name_pfx)
2748{
2749        struct fsg_lun *lun;
2750        char *pathbuf, *p;
2751        int rc = -ENOMEM;
2752
2753        if (id >= ARRAY_SIZE(common->luns))
2754                return -ENODEV;
2755
2756        if (common->luns[id])
2757                return -EBUSY;
2758
2759        if (!cfg->filename && !cfg->removable) {
2760                pr_err("no file given for LUN%d\n", id);
2761                return -EINVAL;
2762        }
2763
2764        lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2765        if (!lun)
2766                return -ENOMEM;
2767
2768        lun->name_pfx = name_pfx;
2769
2770        lun->cdrom = !!cfg->cdrom;
2771        lun->ro = cfg->cdrom || cfg->ro;
2772        lun->initially_ro = lun->ro;
2773        lun->removable = !!cfg->removable;
2774
2775        if (!common->sysfs) {
2776                /* we DON'T own the name!*/
2777                lun->name = name;
2778        } else {
2779                lun->dev.release = fsg_lun_release;
2780                lun->dev.parent = &common->gadget->dev;
2781                lun->dev.groups = fsg_lun_dev_groups;
2782                dev_set_drvdata(&lun->dev, &common->filesem);
2783                dev_set_name(&lun->dev, "%s", name);
2784                lun->name = dev_name(&lun->dev);
2785
2786                rc = device_register(&lun->dev);
2787                if (rc) {
2788                        pr_info("failed to register LUN%d: %d\n", id, rc);
2789                        put_device(&lun->dev);
2790                        goto error_sysfs;
2791                }
2792        }
2793
2794        common->luns[id] = lun;
2795
2796        if (cfg->filename) {
2797                rc = fsg_lun_open(lun, cfg->filename);
2798                if (rc)
2799                        goto error_lun;
2800        }
2801
2802        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2803        p = "(no medium)";
2804        if (fsg_lun_is_open(lun)) {
2805                p = "(error)";
2806                if (pathbuf) {
2807                        p = file_path(lun->filp, pathbuf, PATH_MAX);
2808                        if (IS_ERR(p))
2809                                p = "(error)";
2810                }
2811        }
2812        pr_info("LUN: %s%s%sfile: %s\n",
2813              lun->removable ? "removable " : "",
2814              lun->ro ? "read only " : "",
2815              lun->cdrom ? "CD-ROM " : "",
2816              p);
2817        kfree(pathbuf);
2818
2819        return 0;
2820
2821error_lun:
2822        if (device_is_registered(&lun->dev))
2823                device_unregister(&lun->dev);
2824        fsg_lun_close(lun);
2825        common->luns[id] = NULL;
2826error_sysfs:
2827        kfree(lun);
2828        return rc;
2829}
2830EXPORT_SYMBOL_GPL(fsg_common_create_lun);
2831
2832int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
2833{
2834        char buf[8]; /* enough for 100000000 different numbers, decimal */
2835        int i, rc;
2836
2837        fsg_common_remove_luns(common);
2838
2839        for (i = 0; i < cfg->nluns; ++i) {
2840                snprintf(buf, sizeof(buf), "lun%d", i);
2841                rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
2842                if (rc)
2843                        goto fail;
2844        }
2845
2846        pr_info("Number of LUNs=%d\n", cfg->nluns);
2847
2848        return 0;
2849
2850fail:
2851        _fsg_common_remove_luns(common, i);
2852        return rc;
2853}
2854EXPORT_SYMBOL_GPL(fsg_common_create_luns);
2855
2856void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
2857                                   const char *pn)
2858{
2859        int i;
2860
2861        /* Prepare inquiryString */
2862        i = get_default_bcdDevice();
2863        snprintf(common->inquiry_string, sizeof(common->inquiry_string),
2864                 "%-8s%-16s%04x", vn ?: "Linux",
2865                 /* Assume product name dependent on the first LUN */
2866                 pn ?: ((*common->luns)->cdrom
2867                     ? "File-CD Gadget"
2868                     : "File-Stor Gadget"),
2869                 i);
2870}
2871EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
2872
2873static void fsg_common_release(struct kref *ref)
2874{
2875        struct fsg_common *common = container_of(ref, struct fsg_common, ref);
2876        int i;
2877
2878        /* If the thread isn't already dead, tell it to exit now */
2879        if (common->state != FSG_STATE_TERMINATED) {
2880                raise_exception(common, FSG_STATE_EXIT);
2881                wait_for_completion(&common->thread_notifier);
2882        }
2883
2884        for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2885                struct fsg_lun *lun = common->luns[i];
2886                if (!lun)
2887                        continue;
2888                fsg_lun_close(lun);
2889                if (device_is_registered(&lun->dev))
2890                        device_unregister(&lun->dev);
2891                kfree(lun);
2892        }
2893
2894        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2895        if (common->free_storage_on_release)
2896                kfree(common);
2897}
2898
2899
2900/*-------------------------------------------------------------------------*/
2901
2902static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2903{
2904        struct fsg_dev          *fsg = fsg_from_func(f);
2905        struct fsg_common       *common = fsg->common;
2906        struct usb_gadget       *gadget = c->cdev->gadget;
2907        int                     i;
2908        struct usb_ep           *ep;
2909        unsigned                max_burst;
2910        int                     ret;
2911        struct fsg_opts         *opts;
2912
2913        /* Don't allow to bind if we don't have at least one LUN */
2914        ret = _fsg_common_get_max_lun(common);
2915        if (ret < 0) {
2916                pr_err("There should be at least one LUN.\n");
2917                return -EINVAL;
2918        }
2919
2920        opts = fsg_opts_from_func_inst(f->fi);
2921        if (!opts->no_configfs) {
2922                ret = fsg_common_set_cdev(fsg->common, c->cdev,
2923                                          fsg->common->can_stall);
2924                if (ret)
2925                        return ret;
2926                fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
2927        }
2928
2929        if (!common->thread_task) {
2930                common->state = FSG_STATE_NORMAL;
2931                common->thread_task =
2932                        kthread_create(fsg_main_thread, common, "file-storage");
2933                if (IS_ERR(common->thread_task)) {
2934                        ret = PTR_ERR(common->thread_task);
2935                        common->thread_task = NULL;
2936                        common->state = FSG_STATE_TERMINATED;
2937                        return ret;
2938                }
2939                DBG(common, "I/O thread pid: %d\n",
2940                    task_pid_nr(common->thread_task));
2941                wake_up_process(common->thread_task);
2942        }
2943
2944        fsg->gadget = gadget;
2945
2946        /* New interface */
2947        i = usb_interface_id(c, f);
2948        if (i < 0)
2949                goto fail;
2950        fsg_intf_desc.bInterfaceNumber = i;
2951        fsg->interface_number = i;
2952
2953        /* Find all the endpoints we will use */
2954        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2955        if (!ep)
2956                goto autoconf_fail;
2957        fsg->bulk_in = ep;
2958
2959        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2960        if (!ep)
2961                goto autoconf_fail;
2962        fsg->bulk_out = ep;
2963
2964        /* Assume endpoint addresses are the same for both speeds */
2965        fsg_hs_bulk_in_desc.bEndpointAddress =
2966                fsg_fs_bulk_in_desc.bEndpointAddress;
2967        fsg_hs_bulk_out_desc.bEndpointAddress =
2968                fsg_fs_bulk_out_desc.bEndpointAddress;
2969
2970        /* Calculate bMaxBurst, we know packet size is 1024 */
2971        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2972
2973        fsg_ss_bulk_in_desc.bEndpointAddress =
2974                fsg_fs_bulk_in_desc.bEndpointAddress;
2975        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2976
2977        fsg_ss_bulk_out_desc.bEndpointAddress =
2978                fsg_fs_bulk_out_desc.bEndpointAddress;
2979        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2980
2981        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
2982                        fsg_ss_function, fsg_ss_function);
2983        if (ret)
2984                goto autoconf_fail;
2985
2986        return 0;
2987
2988autoconf_fail:
2989        ERROR(fsg, "unable to autoconfigure all endpoints\n");
2990        i = -ENOTSUPP;
2991fail:
2992        /* terminate the thread */
2993        if (fsg->common->state != FSG_STATE_TERMINATED) {
2994                raise_exception(fsg->common, FSG_STATE_EXIT);
2995                wait_for_completion(&fsg->common->thread_notifier);
2996        }
2997        return i;
2998}
2999
3000/****************************** ALLOCATE FUNCTION *************************/

3001
3002static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
3003{
3004        struct fsg_dev          *fsg = fsg_from_func(f);
3005        struct fsg_common       *common = fsg->common;
3006
3007        DBG(fsg, "unbind\n");
3008        if (fsg->common->fsg == fsg) {
3009                fsg->common->new_fsg = NULL;
3010                raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
3011                /* FIXME: make interruptible or killable somehow? */
3012                wait_event(common->fsg_wait, common->fsg != fsg);
3013        }
3014
3015        usb_free_all_descriptors(&fsg->function);
3016}
3017
3018static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3019{
3020        return container_of(to_config_group(item), struct fsg_lun_opts, group);
3021}
3022
3023static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3024{
3025        return container_of(to_config_group(item), struct fsg_opts,
3026                            func_inst.group);
3027}
3028
3029static void fsg_lun_attr_release(struct config_item *item)
3030{
3031        struct fsg_lun_opts *lun_opts;
3032
3033        lun_opts = to_fsg_lun_opts(item);
3034        kfree(lun_opts);
3035}
3036
3037static struct configfs_item_operations fsg_lun_item_ops = {
3038        .release                = fsg_lun_attr_release,
3039};
3040
3041static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page)
3042{
3043        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3044        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3045
3046        return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3047}
3048
3049static ssize_t fsg_lun_opts_file_store(struct config_item *item,
3050                                       const char *page, size_t len)
3051{
3052        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3053        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3054
3055        return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3056}
3057
3058CONFIGFS_ATTR(fsg_lun_opts_, file);
3059
3060static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page)
3061{
3062        return fsg_show_ro(to_fsg_lun_opts(item)->lun, page);
3063}
3064
3065static ssize_t fsg_lun_opts_ro_store(struct config_item *item,
3066                                       const char *page, size_t len)
3067{
3068        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3069        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3070
3071        return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3072}
3073
3074CONFIGFS_ATTR(fsg_lun_opts_, ro);
3075
3076static ssize_t fsg_lun_opts_removable_show(struct config_item *item,
3077                                           char *page)
3078{
3079        return fsg_show_removable(to_fsg_lun_opts(item)->lun, page);
3080}
3081
3082static ssize_t fsg_lun_opts_removable_store(struct config_item *item,
3083                                       const char *page, size_t len)
3084{
3085        return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len);
3086}
3087
3088CONFIGFS_ATTR(fsg_lun_opts_, removable);
3089
3090static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page)
3091{
3092        return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page);
3093}
3094
3095static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item,
3096                                       const char *page, size_t len)
3097{
3098        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3099        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3100
3101        return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3102                               len);
3103}
3104
3105CONFIGFS_ATTR(fsg_lun_opts_, cdrom);
3106
3107static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page)
3108{
3109        return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page);
3110}
3111
3112static ssize_t fsg_lun_opts_nofua_store(struct config_item *item,
3113                                       const char *page, size_t len)
3114{
3115        return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len);
3116}
3117
3118CONFIGFS_ATTR(fsg_lun_opts_, nofua);
3119
3120static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item,
3121                                                char *page)
3122{
3123        return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page);
3124}
3125
3126static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item,
3127                                                 const char *page, size_t len)
3128{
3129        return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len);
3130}
3131
3132CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string);
3133
3134static struct configfs_attribute *fsg_lun_attrs[] = {
3135        &fsg_lun_opts_attr_file,
3136        &fsg_lun_opts_attr_ro,
3137        &fsg_lun_opts_attr_removable,
3138        &fsg_lun_opts_attr_cdrom,
3139        &fsg_lun_opts_attr_nofua,
3140        &fsg_lun_opts_attr_inquiry_string,
3141        NULL,
3142};
3143
3144static const struct config_item_type fsg_lun_type = {
3145        .ct_item_ops    = &fsg_lun_item_ops,
3146        .ct_attrs       = fsg_lun_attrs,
3147        .ct_owner       = THIS_MODULE,
3148};
3149
3150static struct config_group *fsg_lun_make(struct config_group *group,
3151                                         const char *name)
3152{
3153        struct fsg_lun_opts *opts;
3154        struct fsg_opts *fsg_opts;
3155        struct fsg_lun_config config;
3156        char *num_str;
3157        u8 num;
3158        int ret;
3159
3160        num_str = strchr(name, '.');
3161        if (!num_str) {
3162                pr_err("Unable to locate . in LUN.NUMBER\n");
3163                return ERR_PTR(-EINVAL);
3164        }
3165        num_str++;
3166
3167        ret = kstrtou8(num_str, 0, &num);
3168        if (ret)
3169                return ERR_PTR(ret);
3170
3171        fsg_opts = to_fsg_opts(&group->cg_item);
3172        if (num >= FSG_MAX_LUNS)
3173                return ERR_PTR(-ERANGE);
3174
3175        mutex_lock(&fsg_opts->lock);
3176        if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3177                ret = -EBUSY;
3178                goto out;
3179        }
3180
3181        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3182        if (!opts) {
3183                ret = -ENOMEM;
3184                goto out;
3185        }
3186
3187        memset(&config, 0, sizeof(config));
3188        config.removable = true;
3189
3190        ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3191                                    (const char **)&group->cg_item.ci_name);
3192        if (ret) {
3193                kfree(opts);
3194                goto out;
3195        }
3196        opts->lun = fsg_opts->common->luns[num];
3197        opts->lun_id = num;
3198        mutex_unlock(&fsg_opts->lock);
3199
3200        config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3201
3202        return &opts->group;
3203out:
3204        mutex_unlock(&fsg_opts->lock);
3205        return ERR_PTR(ret);
3206}
3207
3208static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3209{
3210        struct fsg_lun_opts *lun_opts;
3211        struct fsg_opts *fsg_opts;
3212
3213        lun_opts = to_fsg_lun_opts(item);
3214        fsg_opts = to_fsg_opts(&group->cg_item);
3215
3216        mutex_lock(&fsg_opts->lock);
3217        if (fsg_opts->refcnt) {
3218                struct config_item *gadget;
3219
3220                gadget = group->cg_item.ci_parent->ci_parent;
3221                unregister_gadget_item(gadget);
3222        }
3223
3224        fsg_common_remove_lun(lun_opts->lun);
3225        fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3226        lun_opts->lun_id = 0;
3227        mutex_unlock(&fsg_opts->lock);
3228
3229        config_item_put(item);
3230}
3231
3232static void fsg_attr_release(struct config_item *item)
3233{
3234        struct fsg_opts *opts = to_fsg_opts(item);
3235
3236        usb_put_function_instance(&opts->func_inst);
3237}
3238
3239static struct configfs_item_operations fsg_item_ops = {
3240        .release                = fsg_attr_release,
3241};
3242
3243static ssize_t fsg_opts_stall_show(struct config_item *item, char *page)
3244{
3245        struct fsg_opts *opts = to_fsg_opts(item);
3246        int result;
3247
3248        mutex_lock(&opts->lock);
3249        result = sprintf(page, "%d", opts->common->can_stall);
3250        mutex_unlock(&opts->lock);
3251
3252        return result;
3253}
3254
3255static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page,
3256                                    size_t len)
3257{
3258        struct fsg_opts *opts = to_fsg_opts(item);
3259        int ret;
3260        bool stall;
3261
3262        mutex_lock(&opts->lock);
3263
3264        if (opts->refcnt) {
3265                mutex_unlock(&opts->lock);
3266                return -EBUSY;
3267        }
3268
3269        ret = strtobool(page, &stall);
3270        if (!ret) {
3271                opts->common->can_stall = stall;
3272                ret = len;
3273        }
3274
3275        mutex_unlock(&opts->lock);
3276
3277        return ret;
3278}
3279
3280CONFIGFS_ATTR(fsg_opts_, stall);
3281
3282#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3283static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page)
3284{
3285        struct fsg_opts *opts = to_fsg_opts(item);
3286        int result;
3287
3288        mutex_lock(&opts->lock);
3289        result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3290        mutex_unlock(&opts->lock);
3291
3292        return result;
3293}
3294
3295static ssize_t fsg_opts_num_buffers_store(struct config_item *item,
3296                                          const char *page, size_t len)
3297{
3298        struct fsg_opts *opts = to_fsg_opts(item);
3299        int ret;
3300        u8 num;
3301
3302        mutex_lock(&opts->lock);
3303        if (opts->refcnt) {
3304                ret = -EBUSY;
3305                goto end;
3306        }
3307        ret = kstrtou8(page, 0, &num);
3308        if (ret)
3309                goto end;
3310
3311        fsg_common_set_num_buffers(opts->common, num);
3312        ret = len;
3313
3314end:
3315        mutex_unlock(&opts->lock);
3316        return ret;
3317}
3318
3319CONFIGFS_ATTR(fsg_opts_, num_buffers);
3320#endif
3321
3322static struct configfs_attribute *fsg_attrs[] = {
3323        &fsg_opts_attr_stall,
3324#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3325        &fsg_opts_attr_num_buffers,
3326#endif
3327        NULL,
3328};
3329
3330static struct configfs_group_operations fsg_group_ops = {
3331        .make_group     = fsg_lun_make,
3332        .drop_item      = fsg_lun_drop,
3333};
3334
3335static const struct config_item_type fsg_func_type = {
3336        .ct_item_ops    = &fsg_item_ops,
3337        .ct_group_ops   = &fsg_group_ops,
3338        .ct_attrs       = fsg_attrs,
3339        .ct_owner       = THIS_MODULE,
3340};
3341
3342static void fsg_free_inst(struct usb_function_instance *fi)
3343{
3344        struct fsg_opts *opts;
3345
3346        opts = fsg_opts_from_func_inst(fi);
3347        fsg_common_put(opts->common);
3348        kfree(opts);
3349}
3350
3351static struct usb_function_instance *fsg_alloc_inst(void)
3352{
3353        struct fsg_opts *opts;
3354        struct fsg_lun_config config;
3355        int rc;
3356
3357        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3358        if (!opts)
3359                return ERR_PTR(-ENOMEM);
3360        mutex_init(&opts->lock);
3361        opts->func_inst.free_func_inst = fsg_free_inst;
3362        opts->common = fsg_common_setup(opts->common);
3363        if (IS_ERR(opts->common)) {
3364                rc = PTR_ERR(opts->common);
3365                goto release_opts;
3366        }
3367
3368        rc = fsg_common_set_num_buffers(opts->common,
3369                                        CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3370        if (rc)
3371                goto release_opts;
3372
3373        pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3374
3375        memset(&config, 0, sizeof(config));
3376        config.removable = true;
3377        rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3378                        (const char **)&opts->func_inst.group.cg_item.ci_name);
3379        if (rc)
3380                goto release_buffers;
3381
3382        opts->lun0.lun = opts->common->luns[0];
3383        opts->lun0.lun_id = 0;
3384
3385        config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3386
3387        config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3388        configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group);
3389
3390        return &opts->func_inst;
3391
3392release_buffers:
3393        fsg_common_free_buffers(opts->common);
3394release_opts:
3395        kfree(opts);
3396        return ERR_PTR(rc);
3397}
3398
3399static void fsg_free(struct usb_function *f)
3400{
3401        struct fsg_dev *fsg;
3402        struct fsg_opts *opts;
3403
3404        fsg = container_of(f, struct fsg_dev, function);
3405        opts = container_of(f->fi, struct fsg_opts, func_inst);
3406
3407        mutex_lock(&opts->lock);
3408        opts->refcnt--;
3409        mutex_unlock(&opts->lock);
3410
3411        kfree(fsg);
3412}
3413
3414static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3415{
3416        struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3417        struct fsg_common *common = opts->common;
3418        struct fsg_dev *fsg;
3419
3420        fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3421        if (unlikely(!fsg))
3422                return ERR_PTR(-ENOMEM);
3423
3424        mutex_lock(&opts->lock);
3425        opts->refcnt++;
3426        mutex_unlock(&opts->lock);
3427
3428        fsg->function.name      = FSG_DRIVER_DESC;
3429        fsg->function.bind      = fsg_bind;
3430        fsg->function.unbind    = fsg_unbind;
3431        fsg->function.setup     = fsg_setup;
3432        fsg->function.set_alt   = fsg_set_alt;
3433        fsg->function.disable   = fsg_disable;
3434        fsg->function.free_func = fsg_free;
3435
3436        fsg->common               = common;
3437
3438        return &fsg->function;
3439}
3440
3441DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3442MODULE_LICENSE("GPL");
3443MODULE_AUTHOR("Michal Nazarewicz");
3444
3445/************************* Module parameters *************************/
3446
3447
3448void fsg_config_from_params(struct fsg_config *cfg,
3449                       const struct fsg_module_parameters *params,
3450                       unsigned int fsg_num_buffers)
3451{
3452        struct fsg_lun_config *lun;
3453        unsigned i;
3454
3455        /* Configure LUNs */
3456        cfg->nluns =
3457                min(params->luns ?: (params->file_count ?: 1u),
3458                    (unsigned)FSG_MAX_LUNS);
3459        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3460                lun->ro = !!params->ro[i];
3461                lun->cdrom = !!params->cdrom[i];
3462                lun->removable = !!params->removable[i];
3463                lun->filename =
3464                        params->file_count > i && params->file[i][0]
3465                        ? params->file[i]
3466                        : NULL;
3467        }
3468
3469        /* Let MSF use defaults */
3470        cfg->vendor_name = NULL;
3471        cfg->product_name = NULL;
3472
3473        cfg->ops = NULL;
3474        cfg->private_data = NULL;
3475
3476        /* Finalise */
3477        cfg->can_stall = params->stall;
3478        cfg->fsg_num_buffers = fsg_num_buffers;
3479}
3480EXPORT_SYMBOL_GPL(fsg_config_from_params);
3481