LXR linux/drivers/usb/gadget/function/f_mass

   1// SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause)
   2/*
   3 * f_mass_storage.c -- Mass Storage USB Composite Function
   4 *
   5 * Copyright (C) 2003-2008 Alan Stern
   6 * Copyright (C) 2009 Samsung Electronics
   7 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   8 * All rights reserved.
   9 *
  10 * Redistribution and use in source and binary forms, with or without
  11 * modification, are permitted provided that the following conditions
  12 * are met:
  13 * 1. Redistributions of source code must retain the above copyright
  14 *    notice, this list of conditions, and the following disclaimer,
  15 *    without modification.
  16 * 2. Redistributions in binary form must reproduce the above copyright
  17 *    notice, this list of conditions and the following disclaimer in the
  18 *    documentation and/or other materials provided with the distribution.
  19 * 3. The names of the above-listed copyright holders may not be used
  20 *    to endorse or promote products derived from this software without
  21 *    specific prior written permission.
  22 *
  23 * ALTERNATIVELY, this software may be distributed under the terms of the
  24 * GNU General Public License ("GPL") as published by the Free Software
  25 * Foundation, either version 2 of that License or (at your option) any
  26 * later version.
  27 *
  28 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  29 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  30 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  31 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  32 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  33 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  34 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  35 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  36 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  37 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  38 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  39 */
  40
  41/*
  42 * The Mass Storage Function acts as a USB Mass Storage device,
  43 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  44 * addition to providing an example of a genuinely useful composite
  45 * function for a USB device, it also illustrates a technique of
  46 * double-buffering for increased throughput.
  47 *
  48 * For more information about MSF and in particular its module
  49 * parameters and sysfs interface read the
  50 * <Documentation/usb/mass-storage.rst> file.
  51 */
  52
  53/*
  54 * MSF is configured by specifying a fsg_config structure.  It has the
  55 * following fields:
  56 *
  57 *      nluns           Number of LUNs function have (anywhere from 1
  58 *                              to FSG_MAX_LUNS).
  59 *      luns            An array of LUN configuration values.  This
  60 *                              should be filled for each LUN that
  61 *                              function will include (ie. for "nluns"
  62 *                              LUNs).  Each element of the array has
  63 *                              the following fields:
  64 *      ->filename      The path to the backing file for the LUN.
  65 *                              Required if LUN is not marked as
  66 *                              removable.
  67 *      ->ro            Flag specifying access to the LUN shall be
  68 *                              read-only.  This is implied if CD-ROM
  69 *                              emulation is enabled as well as when
  70 *                              it was impossible to open "filename"
  71 *                              in R/W mode.
  72 *      ->removable     Flag specifying that LUN shall be indicated as
  73 *                              being removable.
  74 *      ->cdrom         Flag specifying that LUN shall be reported as
  75 *                              being a CD-ROM.
  76 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  77 *                              commands for this LUN shall be ignored.
  78 *
  79 *      vendor_name
  80 *      product_name
  81 *      release         Information used as a reply to INQUIRY
  82 *                              request.  To use default set to NULL,
  83 *                              NULL, 0xffff respectively.  The first
  84 *                              field should be 8 and the second 16
  85 *                              characters or less.
  86 *
  87 *      can_stall       Set to permit function to halt bulk endpoints.
  88 *                              Disabled on some USB devices known not
  89 *                              to work correctly.  You should set it
  90 *                              to true.
  91 *
  92 * If "removable" is not set for a LUN then a backing file must be
  93 * specified.  If it is set, then NULL filename means the LUN's medium
  94 * is not loaded (an empty string as "filename" in the fsg_config
  95 * structure causes error).  The CD-ROM emulation includes a single
  96 * data track and no audio tracks; hence there need be only one
  97 * backing file per LUN.
  98 *
  99 * This function is heavily based on "File-backed Storage Gadget" by
 100 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 101 * Brownell.  The driver's SCSI command interface was based on the
 102 * "Information technology - Small Computer System Interface - 2"
 103 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 104 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 105 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 106 * was based on the "Universal Serial Bus Mass Storage Class UFI
 107 * Command Specification" document, Revision 1.0, December 14, 1998,
 108 * available at
 109 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 110 */
 111
 112/*
 113 *                              Driver Design
 114 *
 115 * The MSF is fairly straightforward.  There is a main kernel
 116 * thread that handles most of the work.  Interrupt routines field
 117 * callbacks from the controller driver: bulk- and interrupt-request
 118 * completion notifications, endpoint-0 events, and disconnect events.
 119 * Completion events are passed to the main thread by wakeup calls.  Many
 120 * ep0 requests are handled at interrupt time, but SetInterface,
 121 * SetConfiguration, and device reset requests are forwarded to the
 122 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 123 * should interrupt any ongoing file I/O operations).
 124 *
 125 * The thread's main routine implements the standard command/data/status
 126 * parts of a SCSI interaction.  It and its subroutines are full of tests
 127 * for pending signals/exceptions -- all this polling is necessary since
 128 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 129 * indication that the driver really wants to be running in userspace.)
 130 * An important point is that so long as the thread is alive it keeps an
 131 * open reference to the backing file.  This will prevent unmounting
 132 * the backing file's underlying filesystem and could cause problems
 133 * during system shutdown, for example.  To prevent such problems, the
 134 * thread catches INT, TERM, and KILL signals and converts them into
 135 * an EXIT exception.
 136 *
 137 * In normal operation the main thread is started during the gadget's
 138 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 139 * also exit when it receives a signal, and there's no point leaving
 140 * the gadget running when the thread is dead.  As of this moment, MSF
 141 * provides no way to deregister the gadget when thread dies -- maybe
 142 * a callback functions is needed.
 143 *
 144 * To provide maximum throughput, the driver uses a circular pipeline of
 145 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 146 * arbitrarily long; in practice the benefits don't justify having more
 147 * than 2 stages (i.e., double buffering).  But it helps to think of the
 148 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 149 * a bulk-out request pointer (since the buffer can be used for both
 150 * output and input -- directions always are given from the host's
 151 * point of view) as well as a pointer to the buffer and various state
 152 * variables.
 153 *
 154 * Use of the pipeline follows a simple protocol.  There is a variable
 155 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 156 * At any time that buffer head may still be in use from an earlier
 157 * request, so each buffer head has a state variable indicating whether
 158 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 159 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 160 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 161 * head FULL when the I/O is complete.  Then the buffer will be emptied
 162 * (again possibly by USB I/O, during which it is marked BUSY) and
 163 * finally marked EMPTY again (possibly by a completion routine).
 164 *
 165 * A module parameter tells the driver to avoid stalling the bulk
 166 * endpoints wherever the transport specification allows.  This is
 167 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 168 * halt on a bulk endpoint.  However, under certain circumstances the
 169 * Bulk-only specification requires a stall.  In such cases the driver
 170 * will halt the endpoint and set a flag indicating that it should clear
 171 * the halt in software during the next device reset.  Hopefully this
 172 * will permit everything to work correctly.  Furthermore, although the
 173 * specification allows the bulk-out endpoint to halt when the host sends
 174 * too much data, implementing this would cause an unavoidable race.
 175 * The driver will always use the "no-stall" approach for OUT transfers.
 176 *
 177 * One subtle point concerns sending status-stage responses for ep0
 178 * requests.  Some of these requests, such as device reset, can involve
 179 * interrupting an ongoing file I/O operation, which might take an
 180 * arbitrarily long time.  During that delay the host might give up on
 181 * the original ep0 request and issue a new one.  When that happens the
 182 * driver should not notify the host about completion of the original
 183 * request, as the host will no longer be waiting for it.  So the driver
 184 * assigns to each ep0 request a unique tag, and it keeps track of the
 185 * tag value of the request associated with a long-running exception
 186 * (device-reset, interface-change, or configuration-change).  When the
 187 * exception handler is finished, the status-stage response is submitted
 188 * only if the current ep0 request tag is equal to the exception request
 189 * tag.  Thus only the most recently received ep0 request will get a
 190 * status-stage response.
 191 *
 192 * Warning: This driver source file is too long.  It ought to be split up
 193 * into a header file plus about 3 separate .c files, to handle the details
 194 * of the Gadget, USB Mass Storage, and SCSI protocols.
 195 */
 196
 197
 198/* #define VERBOSE_DEBUG */
 199/* #define DUMP_MSGS */
 200
 201#include <linux/blkdev.h>
 202#include <linux/completion.h>
 203#include <linux/dcache.h>
 204#include <linux/delay.h>
 205#include <linux/device.h>
 206#include <linux/fcntl.h>
 207#include <linux/file.h>
 208#include <linux/fs.h>
 209#include <linux/kthread.h>
 210#include <linux/sched/signal.h>
 211#include <linux/limits.h>
 212#include <linux/rwsem.h>
 213#include <linux/slab.h>
 214#include <linux/spinlock.h>
 215#include <linux/string.h>
 216#include <linux/freezer.h>
 217#include <linux/module.h>
 218#include <linux/uaccess.h>
 219#include <asm/unaligned.h>
 220
 221#include <linux/usb/ch9.h>
 222#include <linux/usb/gadget.h>
 223#include <linux/usb/composite.h>
 224
 225#include <linux/nospec.h>
 226
 227#include "configfs.h"
 228
 229
 230/*------------------------------------------------------------------------*/
 231
 232#define FSG_DRIVER_DESC         "Mass Storage Function"
 233#define FSG_DRIVER_VERSION      "2009/09/11"
 234
 235static const char fsg_string_interface[] = "Mass Storage";
 236
 237#include "storage_common.h"
 238#include "f_mass_storage.h"
 239
 240/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 241static struct usb_string                fsg_strings[] = {
 242        {FSG_STRING_INTERFACE,          fsg_string_interface},
 243        {}
 244};
 245
 246static struct usb_gadget_strings        fsg_stringtab = {
 247        .language       = 0x0409,               /* en-us */
 248        .strings        = fsg_strings,
 249};
 250
 251static struct usb_gadget_strings *fsg_strings_array[] = {
 252        &fsg_stringtab,
 253        NULL,
 254};
 255
 256/*-------------------------------------------------------------------------*/
 257
 258struct fsg_dev;
 259struct fsg_common;
 260
 261/* Data shared by all the FSG instances. */
 262struct fsg_common {
 263        struct usb_gadget       *gadget;
 264        struct usb_composite_dev *cdev;
 265        struct fsg_dev          *fsg;
 266        wait_queue_head_t       io_wait;
 267        wait_queue_head_t       fsg_wait;
 268
 269        /* filesem protects: backing files in use */
 270        struct rw_semaphore     filesem;
 271
 272        /* lock protects: state and thread_task */
 273        spinlock_t              lock;
 274
 275        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 276        struct usb_request      *ep0req;        /* Copy of cdev->req */
 277        unsigned int            ep0_req_tag;
 278
 279        struct fsg_buffhd       *next_buffhd_to_fill;
 280        struct fsg_buffhd       *next_buffhd_to_drain;
 281        struct fsg_buffhd       *buffhds;
 282        unsigned int            fsg_num_buffers;
 283
 284        int                     cmnd_size;
 285        u8                      cmnd[MAX_COMMAND_SIZE];
 286
 287        unsigned int            lun;
 288        struct fsg_lun          *luns[FSG_MAX_LUNS];
 289        struct fsg_lun          *curlun;
 290
 291        unsigned int            bulk_out_maxpacket;
 292        enum fsg_state          state;          /* For exception handling */
 293        unsigned int            exception_req_tag;
 294        void                    *exception_arg;
 295
 296        enum data_direction     data_dir;
 297        u32                     data_size;
 298        u32                     data_size_from_cmnd;
 299        u32                     tag;
 300        u32                     residue;
 301        u32                     usb_amount_left;
 302
 303        unsigned int            can_stall:1;
 304        unsigned int            free_storage_on_release:1;
 305        unsigned int            phase_error:1;
 306        unsigned int            short_packet_received:1;
 307        unsigned int            bad_lun_okay:1;
 308        unsigned int            running:1;
 309        unsigned int            sysfs:1;
 310
 311        struct completion       thread_notifier;
 312        struct task_struct      *thread_task;
 313
 314        /* Gadget's private data. */
 315        void                    *private_data;
 316
 317        char inquiry_string[INQUIRY_STRING_LEN];
 318};
 319
 320struct fsg_dev {
 321        struct usb_function     function;
 322        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 323        struct fsg_common       *common;
 324
 325        u16                     interface_number;
 326
 327        unsigned int            bulk_in_enabled:1;
 328        unsigned int            bulk_out_enabled:1;
 329
 330        unsigned long           atomic_bitflags;
 331#define IGNORE_BULK_OUT         0
 332
 333        struct usb_ep           *bulk_in;
 334        struct usb_ep           *bulk_out;
 335};
 336
 337static inline int __fsg_is_set(struct fsg_common *common,
 338                               const char *func, unsigned line)
 339{
 340        if (common->fsg)
 341                return 1;
 342        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 343        WARN_ON(1);
 344        return 0;
 345}
 346
 347#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 348
 349static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 350{
 351        return container_of(f, struct fsg_dev, function);
 352}
 353
 354typedef void (*fsg_routine_t)(struct fsg_dev *);
 355
 356static int exception_in_progress(struct fsg_common *common)
 357{
 358        return common->state > FSG_STATE_NORMAL;
 359}
 360
 361/* Make bulk-out requests be divisible by the maxpacket size */
 362static void set_bulk_out_req_length(struct fsg_common *common,
 363                                    struct fsg_buffhd *bh, unsigned int length)
 364{
 365        unsigned int    rem;
 366
 367        bh->bulk_out_intended_length = length;
 368        rem = length % common->bulk_out_maxpacket;
 369        if (rem > 0)
 370                length += common->bulk_out_maxpacket - rem;
 371        bh->outreq->length = length;
 372}
 373
 374
 375/*-------------------------------------------------------------------------*/
 376
 377static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 378{
 379        const char      *name;
 380
 381        if (ep == fsg->bulk_in)
 382                name = "bulk-in";
 383        else if (ep == fsg->bulk_out)
 384                name = "bulk-out";
 385        else
 386                name = ep->name;
 387        DBG(fsg, "%s set halt\n", name);
 388        return usb_ep_set_halt(ep);
 389}
 390
 391
 392/*-------------------------------------------------------------------------*/
 393
 394/* These routines may be called in process context or in_irq */
 395
 396static void __raise_exception(struct fsg_common *common, enum fsg_state new_state,
 397                              void *arg)
 398{
 399        unsigned long           flags;
 400
 401        /*
 402         * Do nothing if a higher-priority exception is already in progress.
 403         * If a lower-or-equal priority exception is in progress, preempt it
 404         * and notify the main thread by sending it a signal.
 405         */
 406        spin_lock_irqsave(&common->lock, flags);
 407        if (common->state <= new_state) {
 408                common->exception_req_tag = common->ep0_req_tag;
 409                common->state = new_state;
 410                common->exception_arg = arg;
 411                if (common->thread_task)
 412                        send_sig_info(SIGUSR1, SEND_SIG_PRIV,
 413                                      common->thread_task);
 414        }
 415        spin_unlock_irqrestore(&common->lock, flags);
 416}
 417
 418static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 419{
 420        __raise_exception(common, new_state, NULL);
 421}
 422
 423/*-------------------------------------------------------------------------*/
 424
 425static int ep0_queue(struct fsg_common *common)
 426{
 427        int     rc;
 428
 429        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 430        common->ep0->driver_data = common;
 431        if (rc != 0 && rc != -ESHUTDOWN) {
 432                /* We can't do much more than wait for a reset */
 433                WARNING(common, "error in submission: %s --> %d\n",
 434                        common->ep0->name, rc);
 435        }
 436        return rc;
 437}
 438
 439
 440/*-------------------------------------------------------------------------*/
 441
 442/* Completion handlers. These always run in_irq. */
 443
 444static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 445{
 446        struct fsg_common       *common = ep->driver_data;
 447        struct fsg_buffhd       *bh = req->context;
 448
 449        if (req->status || req->actual != req->length)
 450                DBG(common, "%s --> %d, %u/%u\n", __func__,
 451                    req->status, req->actual, req->length);
 452        if (req->status == -ECONNRESET)         /* Request was cancelled */
 453                usb_ep_fifo_flush(ep);
 454
 455        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 456        smp_store_release(&bh->state, BUF_STATE_EMPTY);
 457        wake_up(&common->io_wait);
 458}
 459
 460static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 461{
 462        struct fsg_common       *common = ep->driver_data;
 463        struct fsg_buffhd       *bh = req->context;
 464
 465        dump_msg(common, "bulk-out", req->buf, req->actual);
 466        if (req->status || req->actual != bh->bulk_out_intended_length)
 467                DBG(common, "%s --> %d, %u/%u\n", __func__,
 468                    req->status, req->actual, bh->bulk_out_intended_length);
 469        if (req->status == -ECONNRESET)         /* Request was cancelled */
 470                usb_ep_fifo_flush(ep);
 471
 472        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 473        smp_store_release(&bh->state, BUF_STATE_FULL);
 474        wake_up(&common->io_wait);
 475}
 476
 477static int _fsg_common_get_max_lun(struct fsg_common *common)
 478{
 479        int i = ARRAY_SIZE(common->luns) - 1;
 480
 481        while (i >= 0 && !common->luns[i])
 482                --i;
 483
 484        return i;
 485}
 486
 487static int fsg_setup(struct usb_function *f,
 488                     const struct usb_ctrlrequest *ctrl)
 489{
 490        struct fsg_dev          *fsg = fsg_from_func(f);
 491        struct usb_request      *req = fsg->common->ep0req;
 492        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 493        u16                     w_value = le16_to_cpu(ctrl->wValue);
 494        u16                     w_length = le16_to_cpu(ctrl->wLength);
 495
 496        if (!fsg_is_set(fsg->common))
 497                return -EOPNOTSUPP;
 498
 499        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 500        req->context = NULL;
 501        req->length = 0;
 502        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 503
 504        switch (ctrl->bRequest) {
 505
 506        case US_BULK_RESET_REQUEST:
 507                if (ctrl->bRequestType !=
 508                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 509                        break;
 510                if (w_index != fsg->interface_number || w_value != 0 ||
 511                                w_length != 0)
 512                        return -EDOM;
 513
 514                /*
 515                 * Raise an exception to stop the current operation
 516                 * and reinitialize our state.
 517                 */
 518                DBG(fsg, "bulk reset request\n");
 519                raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET);
 520                return USB_GADGET_DELAYED_STATUS;
 521
 522        case US_BULK_GET_MAX_LUN:
 523                if (ctrl->bRequestType !=
 524                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 525                        break;
 526                if (w_index != fsg->interface_number || w_value != 0 ||
 527                                w_length != 1)
 528                        return -EDOM;
 529                VDBG(fsg, "get max LUN\n");
 530                *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
 531
 532                /* Respond with data/status */
 533                req->length = min((u16)1, w_length);
 534                return ep0_queue(fsg->common);
 535        }
 536
 537        VDBG(fsg,
 538             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 539             ctrl->bRequestType, ctrl->bRequest,
 540             le16_to_cpu(ctrl->wValue), w_index, w_length);
 541        return -EOPNOTSUPP;
 542}
 543
 544
 545/*-------------------------------------------------------------------------*/
 546
 547/* All the following routines run in process context */
 548
 549/* Use this for bulk or interrupt transfers, not ep0 */
 550static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 551                           struct usb_request *req)
 552{
 553        int     rc;
 554
 555        if (ep == fsg->bulk_in)
 556                dump_msg(fsg, "bulk-in", req->buf, req->length);
 557
 558        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 559        if (rc) {
 560
 561                /* We can't do much more than wait for a reset */
 562                req->status = rc;
 563
 564                /*
 565                 * Note: currently the net2280 driver fails zero-length
 566                 * submissions if DMA is enabled.
 567                 */
 568                if (rc != -ESHUTDOWN &&
 569                                !(rc == -EOPNOTSUPP && req->length == 0))
 570                        WARNING(fsg, "error in submission: %s --> %d\n",
 571                                        ep->name, rc);
 572        }
 573        return rc;
 574}
 575
 576static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 577{
 578        if (!fsg_is_set(common))
 579                return false;
 580        bh->state = BUF_STATE_SENDING;
 581        if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
 582                bh->state = BUF_STATE_EMPTY;
 583        return true;
 584}
 585
 586static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 587{
 588        if (!fsg_is_set(common))
 589                return false;
 590        bh->state = BUF_STATE_RECEIVING;
 591        if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
 592                bh->state = BUF_STATE_FULL;
 593        return true;
 594}
 595
 596static int sleep_thread(struct fsg_common *common, bool can_freeze,
 597                struct fsg_buffhd *bh)
 598{
 599        int     rc;
 600
 601        /* Wait until a signal arrives or bh is no longer busy */
 602        if (can_freeze)
 603                /*
 604                 * synchronize with the smp_store_release(&bh->state) in
 605                 * bulk_in_complete() or bulk_out_complete()
 606                 */
 607                rc = wait_event_freezable(common->io_wait,
 608                                bh && smp_load_acquire(&bh->state) >=
 609                                        BUF_STATE_EMPTY);
 610        else
 611                rc = wait_event_interruptible(common->io_wait,
 612                                bh && smp_load_acquire(&bh->state) >=
 613                                        BUF_STATE_EMPTY);
 614        return rc ? -EINTR : 0;
 615}
 616
 617
 618/*-------------------------------------------------------------------------*/
 619
 620static int do_read(struct fsg_common *common)
 621{
 622        struct fsg_lun          *curlun = common->curlun;
 623        u32                     lba;
 624        struct fsg_buffhd       *bh;
 625        int                     rc;
 626        u32                     amount_left;
 627        loff_t                  file_offset, file_offset_tmp;
 628        unsigned int            amount;
 629        ssize_t                 nread;
 630
 631        /*
 632         * Get the starting Logical Block Address and check that it's
 633         * not too big.
 634         */
 635        if (common->cmnd[0] == READ_6)
 636                lba = get_unaligned_be24(&common->cmnd[1]);
 637        else {
 638                lba = get_unaligned_be32(&common->cmnd[2]);
 639
 640                /*
 641                 * We allow DPO (Disable Page Out = don't save data in the
 642                 * cache) and FUA (Force Unit Access = don't read from the
 643                 * cache), but we don't implement them.
 644                 */
 645                if ((common->cmnd[1] & ~0x18) != 0) {
 646                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 647                        return -EINVAL;
 648                }
 649        }
 650        if (lba >= curlun->num_sectors) {
 651                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 652                return -EINVAL;
 653        }
 654        file_offset = ((loff_t) lba) << curlun->blkbits;
 655
 656        /* Carry out the file reads */
 657        amount_left = common->data_size_from_cmnd;
 658        if (unlikely(amount_left == 0))
 659                return -EIO;            /* No default reply */
 660
 661        for (;;) {
 662                /*
 663                 * Figure out how much we need to read:
 664                 * Try to read the remaining amount.
 665                 * But don't read more than the buffer size.
 666                 * And don't try to read past the end of the file.
 667                 */
 668                amount = min(amount_left, FSG_BUFLEN);
 669                amount = min((loff_t)amount,
 670                             curlun->file_length - file_offset);
 671
 672                /* Wait for the next buffer to become available */
 673                bh = common->next_buffhd_to_fill;
 674                rc = sleep_thread(common, false, bh);
 675                if (rc)
 676                        return rc;
 677
 678                /*
 679                 * If we were asked to read past the end of file,
 680                 * end with an empty buffer.
 681                 */
 682                if (amount == 0) {
 683                        curlun->sense_data =
 684                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 685                        curlun->sense_data_info =
 686                                        file_offset >> curlun->blkbits;
 687                        curlun->info_valid = 1;
 688                        bh->inreq->length = 0;
 689                        bh->state = BUF_STATE_FULL;
 690                        break;
 691                }
 692
 693                /* Perform the read */
 694                file_offset_tmp = file_offset;
 695                nread = kernel_read(curlun->filp, bh->buf, amount,
 696                                &file_offset_tmp);
 697                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 698                      (unsigned long long)file_offset, (int)nread);
 699                if (signal_pending(current))
 700                        return -EINTR;
 701
 702                if (nread < 0) {
 703                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 704                        nread = 0;
 705                } else if (nread < amount) {
 706                        LDBG(curlun, "partial file read: %d/%u\n",
 707                             (int)nread, amount);
 708                        nread = round_down(nread, curlun->blksize);
 709                }
 710                file_offset  += nread;
 711                amount_left  -= nread;
 712                common->residue -= nread;
 713
 714                /*
 715                 * Except at the end of the transfer, nread will be
 716                 * equal to the buffer size, which is divisible by the
 717                 * bulk-in maxpacket size.
 718                 */
 719                bh->inreq->length = nread;
 720                bh->state = BUF_STATE_FULL;
 721
 722                /* If an error occurred, report it and its position */
 723                if (nread < amount) {
 724                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 725                        curlun->sense_data_info =
 726                                        file_offset >> curlun->blkbits;
 727                        curlun->info_valid = 1;
 728                        break;
 729                }
 730
 731                if (amount_left == 0)
 732                        break;          /* No more left to read */
 733
 734                /* Send this buffer and go read some more */
 735                bh->inreq->zero = 0;
 736                if (!start_in_transfer(common, bh))
 737                        /* Don't know what to do if common->fsg is NULL */
 738                        return -EIO;
 739                common->next_buffhd_to_fill = bh->next;
 740        }
 741
 742        return -EIO;            /* No default reply */
 743}
 744
 745
 746/*-------------------------------------------------------------------------*/
 747
 748static int do_write(struct fsg_common *common)
 749{
 750        struct fsg_lun          *curlun = common->curlun;
 751        u32                     lba;
 752        struct fsg_buffhd       *bh;
 753        int                     get_some_more;
 754        u32                     amount_left_to_req, amount_left_to_write;
 755        loff_t                  usb_offset, file_offset, file_offset_tmp;
 756        unsigned int            amount;
 757        ssize_t                 nwritten;
 758        int                     rc;
 759
 760        if (curlun->ro) {
 761                curlun->sense_data = SS_WRITE_PROTECTED;
 762                return -EINVAL;
 763        }
 764        spin_lock(&curlun->filp->f_lock);
 765        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 766        spin_unlock(&curlun->filp->f_lock);
 767
 768        /*
 769         * Get the starting Logical Block Address and check that it's
 770         * not too big
 771         */
 772        if (common->cmnd[0] == WRITE_6)
 773                lba = get_unaligned_be24(&common->cmnd[1]);
 774        else {
 775                lba = get_unaligned_be32(&common->cmnd[2]);
 776
 777                /*
 778                 * We allow DPO (Disable Page Out = don't save data in the
 779                 * cache) and FUA (Force Unit Access = write directly to the
 780                 * medium).  We don't implement DPO; we implement FUA by
 781                 * performing synchronous output.
 782                 */
 783                if (common->cmnd[1] & ~0x18) {
 784                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 785                        return -EINVAL;
 786                }
 787                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 788                        spin_lock(&curlun->filp->f_lock);
 789                        curlun->filp->f_flags |= O_SYNC;
 790                        spin_unlock(&curlun->filp->f_lock);
 791                }
 792        }
 793        if (lba >= curlun->num_sectors) {
 794                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 795                return -EINVAL;
 796        }
 797
 798        /* Carry out the file writes */
 799        get_some_more = 1;
 800        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 801        amount_left_to_req = common->data_size_from_cmnd;
 802        amount_left_to_write = common->data_size_from_cmnd;
 803
 804        while (amount_left_to_write > 0) {
 805
 806                /* Queue a request for more data from the host */
 807                bh = common->next_buffhd_to_fill;
 808                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 809
 810                        /*
 811                         * Figure out how much we want to get:
 812                         * Try to get the remaining amount,
 813                         * but not more than the buffer size.
 814                         */
 815                        amount = min(amount_left_to_req, FSG_BUFLEN);
 816
 817                        /* Beyond the end of the backing file? */
 818                        if (usb_offset >= curlun->file_length) {
 819                                get_some_more = 0;
 820                                curlun->sense_data =
 821                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 822                                curlun->sense_data_info =
 823                                        usb_offset >> curlun->blkbits;
 824                                curlun->info_valid = 1;
 825                                continue;
 826                        }
 827
 828                        /* Get the next buffer */
 829                        usb_offset += amount;
 830                        common->usb_amount_left -= amount;
 831                        amount_left_to_req -= amount;
 832                        if (amount_left_to_req == 0)
 833                                get_some_more = 0;
 834
 835                        /*
 836                         * Except at the end of the transfer, amount will be
 837                         * equal to the buffer size, which is divisible by
 838                         * the bulk-out maxpacket size.
 839                         */
 840                        set_bulk_out_req_length(common, bh, amount);
 841                        if (!start_out_transfer(common, bh))
 842                                /* Dunno what to do if common->fsg is NULL */
 843                                return -EIO;
 844                        common->next_buffhd_to_fill = bh->next;
 845                        continue;
 846                }
 847
 848                /* Write the received data to the backing file */
 849                bh = common->next_buffhd_to_drain;
 850                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 851                        break;                  /* We stopped early */
 852
 853                /* Wait for the data to be received */
 854                rc = sleep_thread(common, false, bh);
 855                if (rc)
 856                        return rc;
 857
 858                common->next_buffhd_to_drain = bh->next;
 859                bh->state = BUF_STATE_EMPTY;
 860
 861                /* Did something go wrong with the transfer? */
 862                if (bh->outreq->status != 0) {
 863                        curlun->sense_data = SS_COMMUNICATION_FAILURE;
 864                        curlun->sense_data_info =
 865                                        file_offset >> curlun->blkbits;
 866                        curlun->info_valid = 1;
 867                        break;
 868                }
 869
 870                amount = bh->outreq->actual;
 871                if (curlun->file_length - file_offset < amount) {
 872                        LERROR(curlun, "write %u @ %llu beyond end %llu\n",
 873                                       amount, (unsigned long long)file_offset,
 874                                       (unsigned long long)curlun->file_length);
 875                        amount = curlun->file_length - file_offset;
 876                }
 877
 878                /*
 879                 * Don't accept excess data.  The spec doesn't say
 880                 * what to do in this case.  We'll ignore the error.
 881                 */
 882                amount = min(amount, bh->bulk_out_intended_length);
 883
 884                /* Don't write a partial block */
 885                amount = round_down(amount, curlun->blksize);
 886                if (amount == 0)
 887                        goto empty_write;
 888
 889                /* Perform the write */
 890                file_offset_tmp = file_offset;
 891                nwritten = kernel_write(curlun->filp, bh->buf, amount,
 892                                &file_offset_tmp);
 893                VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 894                                (unsigned long long)file_offset, (int)nwritten);
 895                if (signal_pending(current))
 896                        return -EINTR;          /* Interrupted! */
 897
 898                if (nwritten < 0) {
 899                        LDBG(curlun, "error in file write: %d\n",
 900                                        (int) nwritten);
 901                        nwritten = 0;
 902                } else if (nwritten < amount) {
 903                        LDBG(curlun, "partial file write: %d/%u\n",
 904                                        (int) nwritten, amount);
 905                        nwritten = round_down(nwritten, curlun->blksize);
 906                }
 907                file_offset += nwritten;
 908                amount_left_to_write -= nwritten;
 909                common->residue -= nwritten;
 910
 911                /* If an error occurred, report it and its position */
 912                if (nwritten < amount) {
 913                        curlun->sense_data = SS_WRITE_ERROR;
 914                        curlun->sense_data_info =
 915                                        file_offset >> curlun->blkbits;
 916                        curlun->info_valid = 1;
 917                        break;
 918                }
 919
 920 empty_write:
 921                /* Did the host decide to stop early? */
 922                if (bh->outreq->actual < bh->bulk_out_intended_length) {
 923                        common->short_packet_received = 1;
 924                        break;
 925                }
 926        }
 927
 928        return -EIO;            /* No default reply */
 929}
 930
 931
 932/*-------------------------------------------------------------------------*/
 933
 934static int do_synchronize_cache(struct fsg_common *common)
 935{
 936        struct fsg_lun  *curlun = common->curlun;
 937        int             rc;
 938
 939        /* We ignore the requested LBA and write out all file's
 940         * dirty data buffers. */
 941        rc = fsg_lun_fsync_sub(curlun);
 942        if (rc)
 943                curlun->sense_data = SS_WRITE_ERROR;
 944        return 0;
 945}
 946
 947
 948/*-------------------------------------------------------------------------*/
 949
 950static void invalidate_sub(struct fsg_lun *curlun)
 951{
 952        struct file     *filp = curlun->filp;
 953        struct inode    *inode = file_inode(filp);
 954        unsigned long   rc;
 955
 956        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 957        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 958}
 959
 960static int do_verify(struct fsg_common *common)
 961{
 962        struct fsg_lun          *curlun = common->curlun;
 963        u32                     lba;
 964        u32                     verification_length;
 965        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 966        loff_t                  file_offset, file_offset_tmp;
 967        u32                     amount_left;
 968        unsigned int            amount;
 969        ssize_t                 nread;
 970
 971        /*
 972         * Get the starting Logical Block Address and check that it's
 973         * not too big.
 974         */
 975        lba = get_unaligned_be32(&common->cmnd[2]);
 976        if (lba >= curlun->num_sectors) {
 977                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 978                return -EINVAL;
 979        }
 980
 981        /*
 982         * We allow DPO (Disable Page Out = don't save data in the
 983         * cache) but we don't implement it.
 984         */
 985        if (common->cmnd[1] & ~0x10) {
 986                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 987                return -EINVAL;
 988        }
 989
 990        verification_length = get_unaligned_be16(&common->cmnd[7]);
 991        if (unlikely(verification_length == 0))
 992                return -EIO;            /* No default reply */
 993
 994        /* Prepare to carry out the file verify */
 995        amount_left = verification_length << curlun->blkbits;
 996        file_offset = ((loff_t) lba) << curlun->blkbits;
 997
 998        /* Write out all the dirty buffers before invalidating them */
 999        fsg_lun_fsync_sub(curlun);
1000        if (signal_pending(current))

1001                return -EINTR;
1002
1003        invalidate_sub(curlun);
1004        if (signal_pending(current))
1005                return -EINTR;
1006
1007        /* Just try to read the requested blocks */
1008        while (amount_left > 0) {
1009                /*
1010                 * Figure out how much we need to read:
1011                 * Try to read the remaining amount, but not more than
1012                 * the buffer size.
1013                 * And don't try to read past the end of the file.
1014                 */
1015                amount = min(amount_left, FSG_BUFLEN);
1016                amount = min((loff_t)amount,
1017                             curlun->file_length - file_offset);
1018                if (amount == 0) {
1019                        curlun->sense_data =
1020                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1021                        curlun->sense_data_info =
1022                                file_offset >> curlun->blkbits;
1023                        curlun->info_valid = 1;
1024                        break;
1025                }
1026
1027                /* Perform the read */
1028                file_offset_tmp = file_offset;
1029                nread = kernel_read(curlun->filp, bh->buf, amount,
1030                                &file_offset_tmp);
1031                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1032                                (unsigned long long) file_offset,
1033                                (int) nread);
1034                if (signal_pending(current))
1035                        return -EINTR;
1036
1037                if (nread < 0) {
1038                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1039                        nread = 0;
1040                } else if (nread < amount) {
1041                        LDBG(curlun, "partial file verify: %d/%u\n",
1042                             (int)nread, amount);
1043                        nread = round_down(nread, curlun->blksize);
1044                }
1045                if (nread == 0) {
1046                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1047                        curlun->sense_data_info =
1048                                file_offset >> curlun->blkbits;
1049                        curlun->info_valid = 1;
1050                        break;
1051                }
1052                file_offset += nread;
1053                amount_left -= nread;
1054        }
1055        return 0;
1056}
1057
1058
1059/*-------------------------------------------------------------------------*/
1060
1061static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1062{
1063        struct fsg_lun *curlun = common->curlun;
1064        u8      *buf = (u8 *) bh->buf;
1065
1066        if (!curlun) {          /* Unsupported LUNs are okay */
1067                common->bad_lun_okay = 1;
1068                memset(buf, 0, 36);
1069                buf[0] = TYPE_NO_LUN;   /* Unsupported, no device-type */
1070                buf[4] = 31;            /* Additional length */
1071                return 36;
1072        }
1073
1074        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1075        buf[1] = curlun->removable ? 0x80 : 0;
1076        buf[2] = 2;             /* ANSI SCSI level 2 */
1077        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1078        buf[4] = 31;            /* Additional length */
1079        buf[5] = 0;             /* No special options */
1080        buf[6] = 0;
1081        buf[7] = 0;
1082        if (curlun->inquiry_string[0])
1083                memcpy(buf + 8, curlun->inquiry_string,
1084                       sizeof(curlun->inquiry_string));
1085        else
1086                memcpy(buf + 8, common->inquiry_string,
1087                       sizeof(common->inquiry_string));
1088        return 36;
1089}
1090
1091static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1092{
1093        struct fsg_lun  *curlun = common->curlun;
1094        u8              *buf = (u8 *) bh->buf;
1095        u32             sd, sdinfo;
1096        int             valid;
1097
1098        /*
1099         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1100         *
1101         * If a REQUEST SENSE command is received from an initiator
1102         * with a pending unit attention condition (before the target
1103         * generates the contingent allegiance condition), then the
1104         * target shall either:
1105         *   a) report any pending sense data and preserve the unit
1106         *      attention condition on the logical unit, or,
1107         *   b) report the unit attention condition, may discard any
1108         *      pending sense data, and clear the unit attention
1109         *      condition on the logical unit for that initiator.
1110         *
1111         * FSG normally uses option a); enable this code to use option b).
1112         */
1113#if 0
1114        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1115                curlun->sense_data = curlun->unit_attention_data;
1116                curlun->unit_attention_data = SS_NO_SENSE;
1117        }
1118#endif
1119
1120        if (!curlun) {          /* Unsupported LUNs are okay */
1121                common->bad_lun_okay = 1;
1122                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1123                sdinfo = 0;
1124                valid = 0;
1125        } else {
1126                sd = curlun->sense_data;
1127                sdinfo = curlun->sense_data_info;
1128                valid = curlun->info_valid << 7;
1129                curlun->sense_data = SS_NO_SENSE;
1130                curlun->sense_data_info = 0;
1131                curlun->info_valid = 0;
1132        }
1133
1134        memset(buf, 0, 18);
1135        buf[0] = valid | 0x70;                  /* Valid, current error */
1136        buf[2] = SK(sd);
1137        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1138        buf[7] = 18 - 8;                        /* Additional sense length */
1139        buf[12] = ASC(sd);
1140        buf[13] = ASCQ(sd);
1141        return 18;
1142}
1143
1144static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1145{
1146        struct fsg_lun  *curlun = common->curlun;
1147        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1148        int             pmi = common->cmnd[8];
1149        u8              *buf = (u8 *)bh->buf;
1150
1151        /* Check the PMI and LBA fields */
1152        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1153                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1154                return -EINVAL;
1155        }
1156
1157        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1158                                                /* Max logical block */
1159        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1160        return 8;
1161}
1162
1163static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1164{
1165        struct fsg_lun  *curlun = common->curlun;
1166        int             msf = common->cmnd[1] & 0x02;
1167        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1168        u8              *buf = (u8 *)bh->buf;
1169
1170        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1171                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1172                return -EINVAL;
1173        }
1174        if (lba >= curlun->num_sectors) {
1175                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1176                return -EINVAL;
1177        }
1178
1179        memset(buf, 0, 8);
1180        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1181        store_cdrom_address(&buf[4], msf, lba);
1182        return 8;
1183}
1184
1185static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1186{
1187        struct fsg_lun  *curlun = common->curlun;
1188        int             msf = common->cmnd[1] & 0x02;
1189        int             start_track = common->cmnd[6];
1190        u8              *buf = (u8 *)bh->buf;
1191
1192        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1193                        start_track > 1) {
1194                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1195                return -EINVAL;
1196        }
1197
1198        memset(buf, 0, 20);
1199        buf[1] = (20-2);                /* TOC data length */
1200        buf[2] = 1;                     /* First track number */
1201        buf[3] = 1;                     /* Last track number */
1202        buf[5] = 0x16;                  /* Data track, copying allowed */
1203        buf[6] = 0x01;                  /* Only track is number 1 */
1204        store_cdrom_address(&buf[8], msf, 0);
1205
1206        buf[13] = 0x16;                 /* Lead-out track is data */
1207        buf[14] = 0xAA;                 /* Lead-out track number */
1208        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1209        return 20;
1210}
1211
1212static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1213{
1214        struct fsg_lun  *curlun = common->curlun;
1215        int             mscmnd = common->cmnd[0];
1216        u8              *buf = (u8 *) bh->buf;
1217        u8              *buf0 = buf;
1218        int             pc, page_code;
1219        int             changeable_values, all_pages;
1220        int             valid_page = 0;
1221        int             len, limit;
1222
1223        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1224                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1225                return -EINVAL;
1226        }
1227        pc = common->cmnd[2] >> 6;
1228        page_code = common->cmnd[2] & 0x3f;
1229        if (pc == 3) {
1230                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1231                return -EINVAL;
1232        }
1233        changeable_values = (pc == 1);
1234        all_pages = (page_code == 0x3f);
1235
1236        /*
1237         * Write the mode parameter header.  Fixed values are: default
1238         * medium type, no cache control (DPOFUA), and no block descriptors.
1239         * The only variable value is the WriteProtect bit.  We will fill in
1240         * the mode data length later.
1241         */
1242        memset(buf, 0, 8);
1243        if (mscmnd == MODE_SENSE) {
1244                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1245                buf += 4;
1246                limit = 255;
1247        } else {                        /* MODE_SENSE_10 */
1248                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1249                buf += 8;
1250                limit = 65535;          /* Should really be FSG_BUFLEN */
1251        }
1252
1253        /* No block descriptors */
1254
1255        /*
1256         * The mode pages, in numerical order.  The only page we support
1257         * is the Caching page.
1258         */
1259        if (page_code == 0x08 || all_pages) {
1260                valid_page = 1;
1261                buf[0] = 0x08;          /* Page code */
1262                buf[1] = 10;            /* Page length */
1263                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1264
1265                if (!changeable_values) {
1266                        buf[2] = 0x04;  /* Write cache enable, */
1267                                        /* Read cache not disabled */
1268                                        /* No cache retention priorities */
1269                        put_unaligned_be16(0xffff, &buf[4]);
1270                                        /* Don't disable prefetch */
1271                                        /* Minimum prefetch = 0 */
1272                        put_unaligned_be16(0xffff, &buf[8]);
1273                                        /* Maximum prefetch */
1274                        put_unaligned_be16(0xffff, &buf[10]);
1275                                        /* Maximum prefetch ceiling */
1276                }
1277                buf += 12;
1278        }
1279
1280        /*
1281         * Check that a valid page was requested and the mode data length
1282         * isn't too long.
1283         */
1284        len = buf - buf0;
1285        if (!valid_page || len > limit) {
1286                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1287                return -EINVAL;
1288        }
1289
1290        /*  Store the mode data length */
1291        if (mscmnd == MODE_SENSE)
1292                buf0[0] = len - 1;
1293        else
1294                put_unaligned_be16(len - 2, buf0);
1295        return len;
1296}
1297
1298static int do_start_stop(struct fsg_common *common)
1299{
1300        struct fsg_lun  *curlun = common->curlun;
1301        int             loej, start;
1302
1303        if (!curlun) {
1304                return -EINVAL;
1305        } else if (!curlun->removable) {
1306                curlun->sense_data = SS_INVALID_COMMAND;
1307                return -EINVAL;
1308        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1309                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1310                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1311                return -EINVAL;
1312        }
1313
1314        loej  = common->cmnd[4] & 0x02;
1315        start = common->cmnd[4] & 0x01;
1316
1317        /*
1318         * Our emulation doesn't support mounting; the medium is
1319         * available for use as soon as it is loaded.
1320         */
1321        if (start) {
1322                if (!fsg_lun_is_open(curlun)) {
1323                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1324                        return -EINVAL;
1325                }
1326                return 0;
1327        }
1328
1329        /* Are we allowed to unload the media? */
1330        if (curlun->prevent_medium_removal) {
1331                LDBG(curlun, "unload attempt prevented\n");
1332                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1333                return -EINVAL;
1334        }
1335
1336        if (!loej)
1337                return 0;
1338
1339        up_read(&common->filesem);
1340        down_write(&common->filesem);
1341        fsg_lun_close(curlun);
1342        up_write(&common->filesem);
1343        down_read(&common->filesem);
1344
1345        return 0;
1346}
1347
1348static int do_prevent_allow(struct fsg_common *common)
1349{
1350        struct fsg_lun  *curlun = common->curlun;
1351        int             prevent;
1352
1353        if (!common->curlun) {
1354                return -EINVAL;
1355        } else if (!common->curlun->removable) {
1356                common->curlun->sense_data = SS_INVALID_COMMAND;
1357                return -EINVAL;
1358        }
1359
1360        prevent = common->cmnd[4] & 0x01;
1361        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1362                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1363                return -EINVAL;
1364        }
1365
1366        if (curlun->prevent_medium_removal && !prevent)
1367                fsg_lun_fsync_sub(curlun);
1368        curlun->prevent_medium_removal = prevent;
1369        return 0;
1370}
1371
1372static int do_read_format_capacities(struct fsg_common *common,
1373                        struct fsg_buffhd *bh)
1374{
1375        struct fsg_lun  *curlun = common->curlun;
1376        u8              *buf = (u8 *) bh->buf;
1377
1378        buf[0] = buf[1] = buf[2] = 0;
1379        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1380        buf += 4;
1381
1382        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1383                                                /* Number of blocks */
1384        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1385        buf[4] = 0x02;                          /* Current capacity */
1386        return 12;
1387}
1388
1389static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1390{
1391        struct fsg_lun  *curlun = common->curlun;
1392
1393        /* We don't support MODE SELECT */
1394        if (curlun)
1395                curlun->sense_data = SS_INVALID_COMMAND;
1396        return -EINVAL;
1397}
1398
1399
1400/*-------------------------------------------------------------------------*/
1401
1402static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1403{
1404        int     rc;
1405
1406        rc = fsg_set_halt(fsg, fsg->bulk_in);
1407        if (rc == -EAGAIN)
1408                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1409        while (rc != 0) {
1410                if (rc != -EAGAIN) {
1411                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1412                        rc = 0;
1413                        break;
1414                }
1415
1416                /* Wait for a short time and then try again */
1417                if (msleep_interruptible(100) != 0)
1418                        return -EINTR;
1419                rc = usb_ep_set_halt(fsg->bulk_in);
1420        }
1421        return rc;
1422}
1423
1424static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1425{
1426        int     rc;
1427
1428        DBG(fsg, "bulk-in set wedge\n");
1429        rc = usb_ep_set_wedge(fsg->bulk_in);
1430        if (rc == -EAGAIN)
1431                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1432        while (rc != 0) {
1433                if (rc != -EAGAIN) {
1434                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1435                        rc = 0;
1436                        break;
1437                }
1438
1439                /* Wait for a short time and then try again */
1440                if (msleep_interruptible(100) != 0)
1441                        return -EINTR;
1442                rc = usb_ep_set_wedge(fsg->bulk_in);
1443        }
1444        return rc;
1445}
1446
1447static int throw_away_data(struct fsg_common *common)
1448{
1449        struct fsg_buffhd       *bh, *bh2;
1450        u32                     amount;
1451        int                     rc;
1452
1453        for (bh = common->next_buffhd_to_drain;
1454             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1455             bh = common->next_buffhd_to_drain) {
1456
1457                /* Try to submit another request if we need one */
1458                bh2 = common->next_buffhd_to_fill;
1459                if (bh2->state == BUF_STATE_EMPTY &&
1460                                common->usb_amount_left > 0) {
1461                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1462
1463                        /*
1464                         * Except at the end of the transfer, amount will be
1465                         * equal to the buffer size, which is divisible by
1466                         * the bulk-out maxpacket size.
1467                         */
1468                        set_bulk_out_req_length(common, bh2, amount);
1469                        if (!start_out_transfer(common, bh2))
1470                                /* Dunno what to do if common->fsg is NULL */
1471                                return -EIO;
1472                        common->next_buffhd_to_fill = bh2->next;
1473                        common->usb_amount_left -= amount;
1474                        continue;
1475                }
1476
1477                /* Wait for the data to be received */
1478                rc = sleep_thread(common, false, bh);
1479                if (rc)
1480                        return rc;
1481
1482                /* Throw away the data in a filled buffer */
1483                bh->state = BUF_STATE_EMPTY;
1484                common->next_buffhd_to_drain = bh->next;
1485
1486                /* A short packet or an error ends everything */
1487                if (bh->outreq->actual < bh->bulk_out_intended_length ||
1488                                bh->outreq->status != 0) {
1489                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1490                        return -EINTR;
1491                }
1492        }
1493        return 0;
1494}
1495
1496static int finish_reply(struct fsg_common *common)
1497{
1498        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1499        int                     rc = 0;
1500
1501        switch (common->data_dir) {
1502        case DATA_DIR_NONE:
1503                break;                  /* Nothing to send */
1504
1505        /*
1506         * If we don't know whether the host wants to read or write,
1507         * this must be CB or CBI with an unknown command.  We mustn't
1508         * try to send or receive any data.  So stall both bulk pipes
1509         * if we can and wait for a reset.
1510         */
1511        case DATA_DIR_UNKNOWN:
1512                if (!common->can_stall) {
1513                        /* Nothing */
1514                } else if (fsg_is_set(common)) {
1515                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1516                        rc = halt_bulk_in_endpoint(common->fsg);
1517                } else {
1518                        /* Don't know what to do if common->fsg is NULL */
1519                        rc = -EIO;
1520                }
1521                break;
1522
1523        /* All but the last buffer of data must have already been sent */
1524        case DATA_DIR_TO_HOST:
1525                if (common->data_size == 0) {
1526                        /* Nothing to send */
1527
1528                /* Don't know what to do if common->fsg is NULL */
1529                } else if (!fsg_is_set(common)) {
1530                        rc = -EIO;
1531
1532                /* If there's no residue, simply send the last buffer */
1533                } else if (common->residue == 0) {
1534                        bh->inreq->zero = 0;
1535                        if (!start_in_transfer(common, bh))
1536                                return -EIO;
1537                        common->next_buffhd_to_fill = bh->next;
1538
1539                /*
1540                 * For Bulk-only, mark the end of the data with a short
1541                 * packet.  If we are allowed to stall, halt the bulk-in
1542                 * endpoint.  (Note: This violates the Bulk-Only Transport
1543                 * specification, which requires us to pad the data if we
1544                 * don't halt the endpoint.  Presumably nobody will mind.)
1545                 */
1546                } else {
1547                        bh->inreq->zero = 1;
1548                        if (!start_in_transfer(common, bh))
1549                                rc = -EIO;
1550                        common->next_buffhd_to_fill = bh->next;
1551                        if (common->can_stall)
1552                                rc = halt_bulk_in_endpoint(common->fsg);
1553                }
1554                break;
1555
1556        /*
1557         * We have processed all we want from the data the host has sent.
1558         * There may still be outstanding bulk-out requests.
1559         */
1560        case DATA_DIR_FROM_HOST:
1561                if (common->residue == 0) {
1562                        /* Nothing to receive */
1563
1564                /* Did the host stop sending unexpectedly early? */
1565                } else if (common->short_packet_received) {
1566                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1567                        rc = -EINTR;
1568
1569                /*
1570                 * We haven't processed all the incoming data.  Even though
1571                 * we may be allowed to stall, doing so would cause a race.
1572                 * The controller may already have ACK'ed all the remaining
1573                 * bulk-out packets, in which case the host wouldn't see a
1574                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1575                 * clear the halt -- leading to problems later on.
1576                 */
1577#if 0
1578                } else if (common->can_stall) {
1579                        if (fsg_is_set(common))
1580                                fsg_set_halt(common->fsg,
1581                                             common->fsg->bulk_out);
1582                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1583                        rc = -EINTR;
1584#endif
1585
1586                /*
1587                 * We can't stall.  Read in the excess data and throw it
1588                 * all away.
1589                 */
1590                } else {
1591                        rc = throw_away_data(common);
1592                }
1593                break;
1594        }
1595        return rc;
1596}
1597
1598static void send_status(struct fsg_common *common)
1599{
1600        struct fsg_lun          *curlun = common->curlun;
1601        struct fsg_buffhd       *bh;
1602        struct bulk_cs_wrap     *csw;
1603        int                     rc;
1604        u8                      status = US_BULK_STAT_OK;
1605        u32                     sd, sdinfo = 0;
1606
1607        /* Wait for the next buffer to become available */
1608        bh = common->next_buffhd_to_fill;
1609        rc = sleep_thread(common, false, bh);
1610        if (rc)
1611                return;
1612
1613        if (curlun) {
1614                sd = curlun->sense_data;
1615                sdinfo = curlun->sense_data_info;
1616        } else if (common->bad_lun_okay)
1617                sd = SS_NO_SENSE;
1618        else
1619                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1620
1621        if (common->phase_error) {
1622                DBG(common, "sending phase-error status\n");
1623                status = US_BULK_STAT_PHASE;
1624                sd = SS_INVALID_COMMAND;
1625        } else if (sd != SS_NO_SENSE) {
1626                DBG(common, "sending command-failure status\n");
1627                status = US_BULK_STAT_FAIL;
1628                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1629                                "  info x%x\n",
1630                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1631        }
1632
1633        /* Store and send the Bulk-only CSW */
1634        csw = (void *)bh->buf;
1635
1636        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1637        csw->Tag = common->tag;
1638        csw->Residue = cpu_to_le32(common->residue);
1639        csw->Status = status;
1640
1641        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1642        bh->inreq->zero = 0;
1643        if (!start_in_transfer(common, bh))
1644                /* Don't know what to do if common->fsg is NULL */
1645                return;
1646
1647        common->next_buffhd_to_fill = bh->next;
1648        return;
1649}
1650
1651
1652/*-------------------------------------------------------------------------*/
1653
1654/*
1655 * Check whether the command is properly formed and whether its data size
1656 * and direction agree with the values we already have.
1657 */
1658static int check_command(struct fsg_common *common, int cmnd_size,
1659                         enum data_direction data_dir, unsigned int mask,
1660                         int needs_medium, const char *name)
1661{
1662        int                     i;
1663        unsigned int            lun = common->cmnd[1] >> 5;
1664        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1665        char                    hdlen[20];
1666        struct fsg_lun          *curlun;
1667
1668        hdlen[0] = 0;
1669        if (common->data_dir != DATA_DIR_UNKNOWN)
1670                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1671                        common->data_size);
1672        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1673             name, cmnd_size, dirletter[(int) data_dir],
1674             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1675
1676        /*
1677         * We can't reply at all until we know the correct data direction
1678         * and size.
1679         */
1680        if (common->data_size_from_cmnd == 0)
1681                data_dir = DATA_DIR_NONE;
1682        if (common->data_size < common->data_size_from_cmnd) {
1683                /*
1684                 * Host data size < Device data size is a phase error.
1685                 * Carry out the command, but only transfer as much as
1686                 * we are allowed.
1687                 */
1688                common->data_size_from_cmnd = common->data_size;
1689                common->phase_error = 1;
1690        }
1691        common->residue = common->data_size;
1692        common->usb_amount_left = common->data_size;
1693
1694        /* Conflicting data directions is a phase error */
1695        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1696                common->phase_error = 1;
1697                return -EINVAL;
1698        }
1699
1700        /* Verify the length of the command itself */
1701        if (cmnd_size != common->cmnd_size) {
1702
1703                /*
1704                 * Special case workaround: There are plenty of buggy SCSI
1705                 * implementations. Many have issues with cbw->Length
1706                 * field passing a wrong command size. For those cases we
1707                 * always try to work around the problem by using the length
1708                 * sent by the host side provided it is at least as large
1709                 * as the correct command length.
1710                 * Examples of such cases would be MS-Windows, which issues
1711                 * REQUEST SENSE with cbw->Length == 12 where it should
1712                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1713                 * REQUEST SENSE with cbw->Length == 10 where it should
1714                 * be 6 as well.
1715                 */
1716                if (cmnd_size <= common->cmnd_size) {
1717                        DBG(common, "%s is buggy! Expected length %d "
1718                            "but we got %d\n", name,
1719                            cmnd_size, common->cmnd_size);
1720                        cmnd_size = common->cmnd_size;
1721                } else {
1722                        common->phase_error = 1;
1723                        return -EINVAL;
1724                }
1725        }
1726
1727        /* Check that the LUN values are consistent */
1728        if (common->lun != lun)
1729                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1730                    common->lun, lun);
1731
1732        /* Check the LUN */
1733        curlun = common->curlun;
1734        if (curlun) {
1735                if (common->cmnd[0] != REQUEST_SENSE) {
1736                        curlun->sense_data = SS_NO_SENSE;
1737                        curlun->sense_data_info = 0;
1738                        curlun->info_valid = 0;
1739                }
1740        } else {
1741                common->bad_lun_okay = 0;
1742
1743                /*
1744                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1745                 * to use unsupported LUNs; all others may not.
1746                 */
1747                if (common->cmnd[0] != INQUIRY &&
1748                    common->cmnd[0] != REQUEST_SENSE) {
1749                        DBG(common, "unsupported LUN %u\n", common->lun);
1750                        return -EINVAL;
1751                }
1752        }
1753
1754        /*
1755         * If a unit attention condition exists, only INQUIRY and
1756         * REQUEST SENSE commands are allowed; anything else must fail.
1757         */
1758        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1759            common->cmnd[0] != INQUIRY &&
1760            common->cmnd[0] != REQUEST_SENSE) {
1761                curlun->sense_data = curlun->unit_attention_data;
1762                curlun->unit_attention_data = SS_NO_SENSE;
1763                return -EINVAL;
1764        }
1765
1766        /* Check that only command bytes listed in the mask are non-zero */
1767        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1768        for (i = 1; i < cmnd_size; ++i) {
1769                if (common->cmnd[i] && !(mask & (1 << i))) {
1770                        if (curlun)
1771                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1772                        return -EINVAL;
1773                }
1774        }
1775
1776        /* If the medium isn't mounted and the command needs to access
1777         * it, return an error. */
1778        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1779                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1780                return -EINVAL;
1781        }
1782
1783        return 0;
1784}
1785
1786/* wrapper of check_command for data size in blocks handling */
1787static int check_command_size_in_blocks(struct fsg_common *common,
1788                int cmnd_size, enum data_direction data_dir,
1789                unsigned int mask, int needs_medium, const char *name)
1790{
1791        if (common->curlun)
1792                common->data_size_from_cmnd <<= common->curlun->blkbits;
1793        return check_command(common, cmnd_size, data_dir,
1794                        mask, needs_medium, name);
1795}
1796
1797static int do_scsi_command(struct fsg_common *common)
1798{
1799        struct fsg_buffhd       *bh;
1800        int                     rc;
1801        int                     reply = -EINVAL;
1802        int                     i;
1803        static char             unknown[16];
1804
1805        dump_cdb(common);
1806
1807        /* Wait for the next buffer to become available for data or status */
1808        bh = common->next_buffhd_to_fill;
1809        common->next_buffhd_to_drain = bh;
1810        rc = sleep_thread(common, false, bh);
1811        if (rc)
1812                return rc;
1813
1814        common->phase_error = 0;
1815        common->short_packet_received = 0;
1816
1817        down_read(&common->filesem);    /* We're using the backing file */
1818        switch (common->cmnd[0]) {
1819
1820        case INQUIRY:
1821                common->data_size_from_cmnd = common->cmnd[4];
1822                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1823                                      (1<<4), 0,
1824                                      "INQUIRY");
1825                if (reply == 0)
1826                        reply = do_inquiry(common, bh);
1827                break;
1828
1829        case MODE_SELECT:
1830                common->data_size_from_cmnd = common->cmnd[4];
1831                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1832                                      (1<<1) | (1<<4), 0,
1833                                      "MODE SELECT(6)");
1834                if (reply == 0)
1835                        reply = do_mode_select(common, bh);
1836                break;
1837
1838        case MODE_SELECT_10:
1839                common->data_size_from_cmnd =
1840                        get_unaligned_be16(&common->cmnd[7]);
1841                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1842                                      (1<<1) | (3<<7), 0,
1843                                      "MODE SELECT(10)");
1844                if (reply == 0)
1845                        reply = do_mode_select(common, bh);
1846                break;
1847
1848        case MODE_SENSE:
1849                common->data_size_from_cmnd = common->cmnd[4];
1850                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1851                                      (1<<1) | (1<<2) | (1<<4), 0,
1852                                      "MODE SENSE(6)");
1853                if (reply == 0)
1854                        reply = do_mode_sense(common, bh);
1855                break;
1856
1857        case MODE_SENSE_10:
1858                common->data_size_from_cmnd =
1859                        get_unaligned_be16(&common->cmnd[7]);
1860                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1861                                      (1<<1) | (1<<2) | (3<<7), 0,
1862                                      "MODE SENSE(10)");
1863                if (reply == 0)
1864                        reply = do_mode_sense(common, bh);
1865                break;
1866
1867        case ALLOW_MEDIUM_REMOVAL:
1868                common->data_size_from_cmnd = 0;
1869                reply = check_command(common, 6, DATA_DIR_NONE,
1870                                      (1<<4), 0,
1871                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1872                if (reply == 0)
1873                        reply = do_prevent_allow(common);
1874                break;
1875
1876        case READ_6:
1877                i = common->cmnd[4];
1878                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1879                reply = check_command_size_in_blocks(common, 6,
1880                                      DATA_DIR_TO_HOST,
1881                                      (7<<1) | (1<<4), 1,
1882                                      "READ(6)");
1883                if (reply == 0)
1884                        reply = do_read(common);
1885                break;
1886
1887        case READ_10:
1888                common->data_size_from_cmnd =
1889                                get_unaligned_be16(&common->cmnd[7]);
1890                reply = check_command_size_in_blocks(common, 10,
1891                                      DATA_DIR_TO_HOST,
1892                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1893                                      "READ(10)");
1894                if (reply == 0)
1895                        reply = do_read(common);
1896                break;
1897
1898        case READ_12:
1899                common->data_size_from_cmnd =
1900                                get_unaligned_be32(&common->cmnd[6]);
1901                reply = check_command_size_in_blocks(common, 12,
1902                                      DATA_DIR_TO_HOST,
1903                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1904                                      "READ(12)");
1905                if (reply == 0)
1906                        reply = do_read(common);
1907                break;
1908
1909        case READ_CAPACITY:
1910                common->data_size_from_cmnd = 8;
1911                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1912                                      (0xf<<2) | (1<<8), 1,
1913                                      "READ CAPACITY");
1914                if (reply == 0)
1915                        reply = do_read_capacity(common, bh);
1916                break;
1917
1918        case READ_HEADER:
1919                if (!common->curlun || !common->curlun->cdrom)
1920                        goto unknown_cmnd;
1921                common->data_size_from_cmnd =
1922                        get_unaligned_be16(&common->cmnd[7]);
1923                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1924                                      (3<<7) | (0x1f<<1), 1,
1925                                      "READ HEADER");
1926                if (reply == 0)
1927                        reply = do_read_header(common, bh);
1928                break;
1929
1930        case READ_TOC:
1931                if (!common->curlun || !common->curlun->cdrom)
1932                        goto unknown_cmnd;
1933                common->data_size_from_cmnd =
1934                        get_unaligned_be16(&common->cmnd[7]);
1935                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1936                                      (7<<6) | (1<<1), 1,
1937                                      "READ TOC");
1938                if (reply == 0)
1939                        reply = do_read_toc(common, bh);
1940                break;
1941
1942        case READ_FORMAT_CAPACITIES:
1943                common->data_size_from_cmnd =
1944                        get_unaligned_be16(&common->cmnd[7]);
1945                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1946                                      (3<<7), 1,
1947                                      "READ FORMAT CAPACITIES");
1948                if (reply == 0)
1949                        reply = do_read_format_capacities(common, bh);
1950                break;
1951
1952        case REQUEST_SENSE:
1953                common->data_size_from_cmnd = common->cmnd[4];
1954                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1955                                      (1<<4), 0,
1956                                      "REQUEST SENSE");
1957                if (reply == 0)
1958                        reply = do_request_sense(common, bh);
1959                break;
1960
1961        case START_STOP:
1962                common->data_size_from_cmnd = 0;
1963                reply = check_command(common, 6, DATA_DIR_NONE,
1964                                      (1<<1) | (1<<4), 0,
1965                                      "START-STOP UNIT");
1966                if (reply == 0)
1967                        reply = do_start_stop(common);
1968                break;
1969
1970        case SYNCHRONIZE_CACHE:
1971                common->data_size_from_cmnd = 0;
1972                reply = check_command(common, 10, DATA_DIR_NONE,
1973                                      (0xf<<2) | (3<<7), 1,
1974                                      "SYNCHRONIZE CACHE");
1975                if (reply == 0)
1976                        reply = do_synchronize_cache(common);
1977                break;
1978
1979        case TEST_UNIT_READY:
1980                common->data_size_from_cmnd = 0;
1981                reply = check_command(common, 6, DATA_DIR_NONE,
1982                                0, 1,
1983                                "TEST UNIT READY");
1984                break;
1985
1986        /*
1987         * Although optional, this command is used by MS-Windows.  We
1988         * support a minimal version: BytChk must be 0.
1989         */
1990        case VERIFY:
1991                common->data_size_from_cmnd = 0;
1992                reply = check_command(common, 10, DATA_DIR_NONE,
1993                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1994                                      "VERIFY");
1995                if (reply == 0)
1996                        reply = do_verify(common);
1997                break;
1998
1999        case WRITE_6:
2000                i = common->cmnd[4];

2001                common->data_size_from_cmnd = (i == 0) ? 256 : i;
2002                reply = check_command_size_in_blocks(common, 6,
2003                                      DATA_DIR_FROM_HOST,
2004                                      (7<<1) | (1<<4), 1,
2005                                      "WRITE(6)");
2006                if (reply == 0)
2007                        reply = do_write(common);
2008                break;
2009
2010        case WRITE_10:
2011                common->data_size_from_cmnd =
2012                                get_unaligned_be16(&common->cmnd[7]);
2013                reply = check_command_size_in_blocks(common, 10,
2014                                      DATA_DIR_FROM_HOST,
2015                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2016                                      "WRITE(10)");
2017                if (reply == 0)
2018                        reply = do_write(common);
2019                break;
2020
2021        case WRITE_12:
2022                common->data_size_from_cmnd =
2023                                get_unaligned_be32(&common->cmnd[6]);
2024                reply = check_command_size_in_blocks(common, 12,
2025                                      DATA_DIR_FROM_HOST,
2026                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2027                                      "WRITE(12)");
2028                if (reply == 0)
2029                        reply = do_write(common);
2030                break;
2031
2032        /*
2033         * Some mandatory commands that we recognize but don't implement.
2034         * They don't mean much in this setting.  It's left as an exercise
2035         * for anyone interested to implement RESERVE and RELEASE in terms
2036         * of Posix locks.
2037         */
2038        case FORMAT_UNIT:
2039        case RELEASE:
2040        case RESERVE:
2041        case SEND_DIAGNOSTIC:
2042
2043        default:
2044unknown_cmnd:
2045                common->data_size_from_cmnd = 0;
2046                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2047                reply = check_command(common, common->cmnd_size,
2048                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2049                if (reply == 0) {
2050                        common->curlun->sense_data = SS_INVALID_COMMAND;
2051                        reply = -EINVAL;
2052                }
2053                break;
2054        }
2055        up_read(&common->filesem);
2056
2057        if (reply == -EINTR || signal_pending(current))
2058                return -EINTR;
2059
2060        /* Set up the single reply buffer for finish_reply() */
2061        if (reply == -EINVAL)
2062                reply = 0;              /* Error reply length */
2063        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2064                reply = min((u32)reply, common->data_size_from_cmnd);
2065                bh->inreq->length = reply;
2066                bh->state = BUF_STATE_FULL;
2067                common->residue -= reply;
2068        }                               /* Otherwise it's already set */
2069
2070        return 0;
2071}
2072
2073
2074/*-------------------------------------------------------------------------*/
2075
2076static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2077{
2078        struct usb_request      *req = bh->outreq;
2079        struct bulk_cb_wrap     *cbw = req->buf;
2080        struct fsg_common       *common = fsg->common;
2081
2082        /* Was this a real packet?  Should it be ignored? */
2083        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2084                return -EINVAL;
2085
2086        /* Is the CBW valid? */
2087        if (req->actual != US_BULK_CB_WRAP_LEN ||
2088                        cbw->Signature != cpu_to_le32(
2089                                US_BULK_CB_SIGN)) {
2090                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2091                                req->actual,
2092                                le32_to_cpu(cbw->Signature));
2093
2094                /*
2095                 * The Bulk-only spec says we MUST stall the IN endpoint
2096                 * (6.6.1), so it's unavoidable.  It also says we must
2097                 * retain this state until the next reset, but there's
2098                 * no way to tell the controller driver it should ignore
2099                 * Clear-Feature(HALT) requests.
2100                 *
2101                 * We aren't required to halt the OUT endpoint; instead
2102                 * we can simply accept and discard any data received
2103                 * until the next reset.
2104                 */
2105                wedge_bulk_in_endpoint(fsg);
2106                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2107                return -EINVAL;
2108        }
2109
2110        /* Is the CBW meaningful? */
2111        if (cbw->Lun >= ARRAY_SIZE(common->luns) ||
2112            cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 ||
2113            cbw->Length > MAX_COMMAND_SIZE) {
2114                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2115                                "cmdlen %u\n",
2116                                cbw->Lun, cbw->Flags, cbw->Length);
2117
2118                /*
2119                 * We can do anything we want here, so let's stall the
2120                 * bulk pipes if we are allowed to.
2121                 */
2122                if (common->can_stall) {
2123                        fsg_set_halt(fsg, fsg->bulk_out);
2124                        halt_bulk_in_endpoint(fsg);
2125                }
2126                return -EINVAL;
2127        }
2128
2129        /* Save the command for later */
2130        common->cmnd_size = cbw->Length;
2131        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2132        if (cbw->Flags & US_BULK_FLAG_IN)
2133                common->data_dir = DATA_DIR_TO_HOST;
2134        else
2135                common->data_dir = DATA_DIR_FROM_HOST;
2136        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2137        if (common->data_size == 0)
2138                common->data_dir = DATA_DIR_NONE;
2139        common->lun = cbw->Lun;
2140        if (common->lun < ARRAY_SIZE(common->luns))
2141                common->curlun = common->luns[common->lun];
2142        else
2143                common->curlun = NULL;
2144        common->tag = cbw->Tag;
2145        return 0;
2146}
2147
2148static int get_next_command(struct fsg_common *common)
2149{
2150        struct fsg_buffhd       *bh;
2151        int                     rc = 0;
2152
2153        /* Wait for the next buffer to become available */
2154        bh = common->next_buffhd_to_fill;
2155        rc = sleep_thread(common, true, bh);
2156        if (rc)
2157                return rc;
2158
2159        /* Queue a request to read a Bulk-only CBW */
2160        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2161        if (!start_out_transfer(common, bh))
2162                /* Don't know what to do if common->fsg is NULL */
2163                return -EIO;
2164
2165        /*
2166         * We will drain the buffer in software, which means we
2167         * can reuse it for the next filling.  No need to advance
2168         * next_buffhd_to_fill.
2169         */
2170
2171        /* Wait for the CBW to arrive */
2172        rc = sleep_thread(common, true, bh);
2173        if (rc)
2174                return rc;
2175
2176        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2177        bh->state = BUF_STATE_EMPTY;
2178
2179        return rc;
2180}
2181
2182
2183/*-------------------------------------------------------------------------*/
2184
2185static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2186                struct usb_request **preq)
2187{
2188        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2189        if (*preq)
2190                return 0;
2191        ERROR(common, "can't allocate request for %s\n", ep->name);
2192        return -ENOMEM;
2193}
2194
2195/* Reset interface setting and re-init endpoint state (toggle etc). */
2196static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2197{
2198        struct fsg_dev *fsg;
2199        int i, rc = 0;
2200
2201        if (common->running)
2202                DBG(common, "reset interface\n");
2203
2204reset:
2205        /* Deallocate the requests */
2206        if (common->fsg) {
2207                fsg = common->fsg;
2208
2209                for (i = 0; i < common->fsg_num_buffers; ++i) {
2210                        struct fsg_buffhd *bh = &common->buffhds[i];
2211
2212                        if (bh->inreq) {
2213                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2214                                bh->inreq = NULL;
2215                        }
2216                        if (bh->outreq) {
2217                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2218                                bh->outreq = NULL;
2219                        }
2220                }
2221
2222                /* Disable the endpoints */
2223                if (fsg->bulk_in_enabled) {
2224                        usb_ep_disable(fsg->bulk_in);
2225                        fsg->bulk_in_enabled = 0;
2226                }
2227                if (fsg->bulk_out_enabled) {
2228                        usb_ep_disable(fsg->bulk_out);
2229                        fsg->bulk_out_enabled = 0;
2230                }
2231
2232                common->fsg = NULL;
2233                wake_up(&common->fsg_wait);
2234        }
2235
2236        common->running = 0;
2237        if (!new_fsg || rc)
2238                return rc;
2239
2240        common->fsg = new_fsg;
2241        fsg = common->fsg;
2242
2243        /* Enable the endpoints */
2244        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2245        if (rc)
2246                goto reset;
2247        rc = usb_ep_enable(fsg->bulk_in);
2248        if (rc)
2249                goto reset;
2250        fsg->bulk_in->driver_data = common;
2251        fsg->bulk_in_enabled = 1;
2252
2253        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2254                                fsg->bulk_out);
2255        if (rc)
2256                goto reset;
2257        rc = usb_ep_enable(fsg->bulk_out);
2258        if (rc)
2259                goto reset;
2260        fsg->bulk_out->driver_data = common;
2261        fsg->bulk_out_enabled = 1;
2262        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2263        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2264
2265        /* Allocate the requests */
2266        for (i = 0; i < common->fsg_num_buffers; ++i) {
2267                struct fsg_buffhd       *bh = &common->buffhds[i];
2268
2269                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2270                if (rc)
2271                        goto reset;
2272                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2273                if (rc)
2274                        goto reset;
2275                bh->inreq->buf = bh->outreq->buf = bh->buf;
2276                bh->inreq->context = bh->outreq->context = bh;
2277                bh->inreq->complete = bulk_in_complete;
2278                bh->outreq->complete = bulk_out_complete;
2279        }
2280
2281        common->running = 1;
2282        for (i = 0; i < ARRAY_SIZE(common->luns); ++i)
2283                if (common->luns[i])
2284                        common->luns[i]->unit_attention_data =
2285                                SS_RESET_OCCURRED;
2286        return rc;
2287}
2288
2289
2290/****************************** ALT CONFIGS ******************************/
2291
2292static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2293{
2294        struct fsg_dev *fsg = fsg_from_func(f);
2295
2296        __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, fsg);
2297        return USB_GADGET_DELAYED_STATUS;
2298}
2299
2300static void fsg_disable(struct usb_function *f)
2301{
2302        struct fsg_dev *fsg = fsg_from_func(f);
2303
2304        __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL);
2305}
2306
2307
2308/*-------------------------------------------------------------------------*/
2309
2310static void handle_exception(struct fsg_common *common)
2311{
2312        int                     i;
2313        struct fsg_buffhd       *bh;
2314        enum fsg_state          old_state;
2315        struct fsg_lun          *curlun;
2316        unsigned int            exception_req_tag;
2317        struct fsg_dev          *new_fsg;
2318
2319        /*
2320         * Clear the existing signals.  Anything but SIGUSR1 is converted
2321         * into a high-priority EXIT exception.
2322         */
2323        for (;;) {
2324                int sig = kernel_dequeue_signal();
2325                if (!sig)
2326                        break;
2327                if (sig != SIGUSR1) {
2328                        spin_lock_irq(&common->lock);
2329                        if (common->state < FSG_STATE_EXIT)
2330                                DBG(common, "Main thread exiting on signal\n");
2331                        common->state = FSG_STATE_EXIT;
2332                        spin_unlock_irq(&common->lock);
2333                }
2334        }
2335
2336        /* Cancel all the pending transfers */
2337        if (likely(common->fsg)) {
2338                for (i = 0; i < common->fsg_num_buffers; ++i) {
2339                        bh = &common->buffhds[i];
2340                        if (bh->state == BUF_STATE_SENDING)
2341                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2342                        if (bh->state == BUF_STATE_RECEIVING)
2343                                usb_ep_dequeue(common->fsg->bulk_out,
2344                                               bh->outreq);
2345
2346                        /* Wait for a transfer to become idle */
2347                        if (sleep_thread(common, false, bh))
2348                                return;
2349                }
2350
2351                /* Clear out the controller's fifos */
2352                if (common->fsg->bulk_in_enabled)
2353                        usb_ep_fifo_flush(common->fsg->bulk_in);
2354                if (common->fsg->bulk_out_enabled)
2355                        usb_ep_fifo_flush(common->fsg->bulk_out);
2356        }
2357
2358        /*
2359         * Reset the I/O buffer states and pointers, the SCSI
2360         * state, and the exception.  Then invoke the handler.
2361         */
2362        spin_lock_irq(&common->lock);
2363
2364        for (i = 0; i < common->fsg_num_buffers; ++i) {
2365                bh = &common->buffhds[i];
2366                bh->state = BUF_STATE_EMPTY;
2367        }
2368        common->next_buffhd_to_fill = &common->buffhds[0];
2369        common->next_buffhd_to_drain = &common->buffhds[0];
2370        exception_req_tag = common->exception_req_tag;
2371        new_fsg = common->exception_arg;
2372        old_state = common->state;
2373        common->state = FSG_STATE_NORMAL;
2374
2375        if (old_state != FSG_STATE_ABORT_BULK_OUT) {
2376                for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2377                        curlun = common->luns[i];
2378                        if (!curlun)
2379                                continue;
2380                        curlun->prevent_medium_removal = 0;
2381                        curlun->sense_data = SS_NO_SENSE;
2382                        curlun->unit_attention_data = SS_NO_SENSE;
2383                        curlun->sense_data_info = 0;
2384                        curlun->info_valid = 0;
2385                }
2386        }
2387        spin_unlock_irq(&common->lock);
2388
2389        /* Carry out any extra actions required for the exception */
2390        switch (old_state) {
2391        case FSG_STATE_NORMAL:
2392                break;
2393
2394        case FSG_STATE_ABORT_BULK_OUT:
2395                send_status(common);
2396                break;
2397
2398        case FSG_STATE_PROTOCOL_RESET:
2399                /*
2400                 * In case we were forced against our will to halt a
2401                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2402                 * requires this.)
2403                 */
2404                if (!fsg_is_set(common))
2405                        break;
2406                if (test_and_clear_bit(IGNORE_BULK_OUT,
2407                                       &common->fsg->atomic_bitflags))
2408                        usb_ep_clear_halt(common->fsg->bulk_in);
2409
2410                if (common->ep0_req_tag == exception_req_tag)
2411                        ep0_queue(common);      /* Complete the status stage */
2412
2413                /*
2414                 * Technically this should go here, but it would only be
2415                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2416                 * CONFIG_CHANGE cases.
2417                 */
2418                /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */
2419                /*      if (common->luns[i]) */
2420                /*              common->luns[i]->unit_attention_data = */
2421                /*                      SS_RESET_OCCURRED;  */
2422                break;
2423
2424        case FSG_STATE_CONFIG_CHANGE:
2425                do_set_interface(common, new_fsg);
2426                if (new_fsg)
2427                        usb_composite_setup_continue(common->cdev);
2428                break;
2429
2430        case FSG_STATE_EXIT:
2431                do_set_interface(common, NULL);         /* Free resources */
2432                spin_lock_irq(&common->lock);
2433                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2434                spin_unlock_irq(&common->lock);
2435                break;
2436
2437        case FSG_STATE_TERMINATED:
2438                break;
2439        }
2440}
2441
2442
2443/*-------------------------------------------------------------------------*/
2444
2445static int fsg_main_thread(void *common_)
2446{
2447        struct fsg_common       *common = common_;
2448        int                     i;
2449
2450        /*
2451         * Allow the thread to be killed by a signal, but set the signal mask
2452         * to block everything but INT, TERM, KILL, and USR1.
2453         */
2454        allow_signal(SIGINT);
2455        allow_signal(SIGTERM);
2456        allow_signal(SIGKILL);
2457        allow_signal(SIGUSR1);
2458
2459        /* Allow the thread to be frozen */
2460        set_freezable();
2461
2462        /* The main loop */
2463        while (common->state != FSG_STATE_TERMINATED) {
2464                if (exception_in_progress(common) || signal_pending(current)) {
2465                        handle_exception(common);
2466                        continue;
2467                }
2468
2469                if (!common->running) {
2470                        sleep_thread(common, true, NULL);
2471                        continue;
2472                }
2473
2474                if (get_next_command(common) || exception_in_progress(common))
2475                        continue;
2476                if (do_scsi_command(common) || exception_in_progress(common))
2477                        continue;
2478                if (finish_reply(common) || exception_in_progress(common))
2479                        continue;
2480                send_status(common);
2481        }
2482
2483        spin_lock_irq(&common->lock);
2484        common->thread_task = NULL;
2485        spin_unlock_irq(&common->lock);
2486
2487        /* Eject media from all LUNs */
2488
2489        down_write(&common->filesem);
2490        for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
2491                struct fsg_lun *curlun = common->luns[i];
2492
2493                if (curlun && fsg_lun_is_open(curlun))
2494                        fsg_lun_close(curlun);
2495        }
2496        up_write(&common->filesem);
2497
2498        /* Let fsg_unbind() know the thread has exited */
2499        complete_and_exit(&common->thread_notifier, 0);
2500}
2501
2502
2503/*************************** DEVICE ATTRIBUTES ***************************/
2504
2505static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2506{
2507        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2508
2509        return fsg_show_ro(curlun, buf);
2510}
2511
2512static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2513                          char *buf)
2514{
2515        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2516
2517        return fsg_show_nofua(curlun, buf);
2518}
2519
2520static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2521                         char *buf)
2522{
2523        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2524        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2525
2526        return fsg_show_file(curlun, filesem, buf);
2527}
2528
2529static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2530                        const char *buf, size_t count)
2531{
2532        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2533        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2534
2535        return fsg_store_ro(curlun, filesem, buf, count);
2536}
2537
2538static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2539                           const char *buf, size_t count)
2540{
2541        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2542
2543        return fsg_store_nofua(curlun, buf, count);
2544}
2545
2546static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2547                          const char *buf, size_t count)
2548{
2549        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2550        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2551
2552        return fsg_store_file(curlun, filesem, buf, count);
2553}
2554
2555static DEVICE_ATTR_RW(nofua);
2556/* mode wil be set in fsg_lun_attr_is_visible() */
2557static DEVICE_ATTR(ro, 0, ro_show, ro_store);
2558static DEVICE_ATTR(file, 0, file_show, file_store);
2559
2560/****************************** FSG COMMON ******************************/
2561
2562static void fsg_lun_release(struct device *dev)
2563{
2564        /* Nothing needs to be done */
2565}
2566
2567static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2568{
2569        if (!common) {
2570                common = kzalloc(sizeof(*common), GFP_KERNEL);
2571                if (!common)
2572                        return ERR_PTR(-ENOMEM);
2573                common->free_storage_on_release = 1;
2574        } else {
2575                common->free_storage_on_release = 0;
2576        }
2577        init_rwsem(&common->filesem);
2578        spin_lock_init(&common->lock);
2579        init_completion(&common->thread_notifier);
2580        init_waitqueue_head(&common->io_wait);
2581        init_waitqueue_head(&common->fsg_wait);
2582        common->state = FSG_STATE_TERMINATED;
2583        memset(common->luns, 0, sizeof(common->luns));
2584
2585        return common;
2586}
2587
2588void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2589{
2590        common->sysfs = sysfs;
2591}
2592EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2593
2594static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2595{
2596        if (buffhds) {
2597                struct fsg_buffhd *bh = buffhds;
2598                while (n--) {
2599                        kfree(bh->buf);
2600                        ++bh;
2601                }
2602                kfree(buffhds);
2603        }
2604}
2605
2606int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2607{
2608        struct fsg_buffhd *bh, *buffhds;
2609        int i;
2610
2611        buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2612        if (!buffhds)
2613                return -ENOMEM;
2614
2615        /* Data buffers cyclic list */
2616        bh = buffhds;
2617        i = n;
2618        goto buffhds_first_it;
2619        do {
2620                bh->next = bh + 1;
2621                ++bh;
2622buffhds_first_it:
2623                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2624                if (unlikely(!bh->buf))
2625                        goto error_release;
2626        } while (--i);
2627        bh->next = buffhds;
2628
2629        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2630        common->fsg_num_buffers = n;
2631        common->buffhds = buffhds;
2632
2633        return 0;
2634
2635error_release:
2636        /*
2637         * "buf"s pointed to by heads after n - i are NULL
2638         * so releasing them won't hurt
2639         */
2640        _fsg_common_free_buffers(buffhds, n);
2641
2642        return -ENOMEM;
2643}
2644EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2645
2646void fsg_common_remove_lun(struct fsg_lun *lun)
2647{
2648        if (device_is_registered(&lun->dev))
2649                device_unregister(&lun->dev);
2650        fsg_lun_close(lun);
2651        kfree(lun);
2652}
2653EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2654
2655static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2656{
2657        int i;
2658
2659        for (i = 0; i < n; ++i)
2660                if (common->luns[i]) {
2661                        fsg_common_remove_lun(common->luns[i]);
2662                        common->luns[i] = NULL;
2663                }
2664}
2665
2666void fsg_common_remove_luns(struct fsg_common *common)
2667{
2668        _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns));
2669}
2670EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2671
2672void fsg_common_free_buffers(struct fsg_common *common)
2673{
2674        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2675        common->buffhds = NULL;
2676}
2677EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2678
2679int fsg_common_set_cdev(struct fsg_common *common,
2680                         struct usb_composite_dev *cdev, bool can_stall)
2681{
2682        struct usb_string *us;
2683
2684        common->gadget = cdev->gadget;
2685        common->ep0 = cdev->gadget->ep0;
2686        common->ep0req = cdev->req;
2687        common->cdev = cdev;
2688
2689        us = usb_gstrings_attach(cdev, fsg_strings_array,
2690                                 ARRAY_SIZE(fsg_strings));
2691        if (IS_ERR(us))
2692                return PTR_ERR(us);
2693
2694        fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2695
2696        /*
2697         * Some peripheral controllers are known not to be able to
2698         * halt bulk endpoints correctly.  If one of them is present,
2699         * disable stalls.
2700         */
2701        common->can_stall = can_stall &&
2702                        gadget_is_stall_supported(common->gadget);
2703
2704        return 0;
2705}
2706EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2707
2708static struct attribute *fsg_lun_dev_attrs[] = {
2709        &dev_attr_ro.attr,
2710        &dev_attr_file.attr,
2711        &dev_attr_nofua.attr,
2712        NULL
2713};
2714
2715static umode_t fsg_lun_dev_is_visible(struct kobject *kobj,
2716                                      struct attribute *attr, int idx)
2717{
2718        struct device *dev = kobj_to_dev(kobj);
2719        struct fsg_lun *lun = fsg_lun_from_dev(dev);
2720
2721        if (attr == &dev_attr_ro.attr)
2722                return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO);
2723        if (attr == &dev_attr_file.attr)
2724                return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO;
2725        return attr->mode;
2726}
2727
2728static const struct attribute_group fsg_lun_dev_group = {
2729        .attrs = fsg_lun_dev_attrs,
2730        .is_visible = fsg_lun_dev_is_visible,
2731};
2732
2733static const struct attribute_group *fsg_lun_dev_groups[] = {
2734        &fsg_lun_dev_group,
2735        NULL
2736};
2737
2738int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2739                          unsigned int id, const char *name,
2740                          const char **name_pfx)
2741{
2742        struct fsg_lun *lun;
2743        char *pathbuf, *p;
2744        int rc = -ENOMEM;
2745
2746        if (id >= ARRAY_SIZE(common->luns))
2747                return -ENODEV;
2748
2749        if (common->luns[id])
2750                return -EBUSY;
2751
2752        if (!cfg->filename && !cfg->removable) {
2753                pr_err("no file given for LUN%d\n", id);
2754                return -EINVAL;
2755        }
2756
2757        lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2758        if (!lun)
2759                return -ENOMEM;
2760
2761        lun->name_pfx = name_pfx;
2762
2763        lun->cdrom = !!cfg->cdrom;
2764        lun->ro = cfg->cdrom || cfg->ro;
2765        lun->initially_ro = lun->ro;
2766        lun->removable = !!cfg->removable;
2767
2768        if (!common->sysfs) {
2769                /* we DON'T own the name!*/
2770                lun->name = name;
2771        } else {
2772                lun->dev.release = fsg_lun_release;
2773                lun->dev.parent = &common->gadget->dev;
2774                lun->dev.groups = fsg_lun_dev_groups;
2775                dev_set_drvdata(&lun->dev, &common->filesem);
2776                dev_set_name(&lun->dev, "%s", name);
2777                lun->name = dev_name(&lun->dev);
2778
2779                rc = device_register(&lun->dev);
2780                if (rc) {
2781                        pr_info("failed to register LUN%d: %d\n", id, rc);
2782                        put_device(&lun->dev);
2783                        goto error_sysfs;
2784                }
2785        }
2786
2787        common->luns[id] = lun;
2788
2789        if (cfg->filename) {
2790                rc = fsg_lun_open(lun, cfg->filename);
2791                if (rc)
2792                        goto error_lun;
2793        }
2794
2795        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2796        p = "(no medium)";
2797        if (fsg_lun_is_open(lun)) {
2798                p = "(error)";
2799                if (pathbuf) {
2800                        p = file_path(lun->filp, pathbuf, PATH_MAX);
2801                        if (IS_ERR(p))
2802                                p = "(error)";
2803                }
2804        }
2805        pr_info("LUN: %s%s%sfile: %s\n",
2806              lun->removable ? "removable " : "",
2807              lun->ro ? "read only " : "",
2808              lun->cdrom ? "CD-ROM " : "",
2809              p);
2810        kfree(pathbuf);
2811
2812        return 0;
2813
2814error_lun:
2815        if (device_is_registered(&lun->dev))
2816                device_unregister(&lun->dev);
2817        fsg_lun_close(lun);
2818        common->luns[id] = NULL;
2819error_sysfs:
2820        kfree(lun);
2821        return rc;
2822}
2823EXPORT_SYMBOL_GPL(fsg_common_create_lun);
2824
2825int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
2826{
2827        char buf[8]; /* enough for 100000000 different numbers, decimal */
2828        int i, rc;
2829
2830        fsg_common_remove_luns(common);
2831
2832        for (i = 0; i < cfg->nluns; ++i) {
2833                snprintf(buf, sizeof(buf), "lun%d", i);
2834                rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
2835                if (rc)
2836                        goto fail;
2837        }
2838
2839        pr_info("Number of LUNs=%d\n", cfg->nluns);
2840
2841        return 0;
2842
2843fail:
2844        _fsg_common_remove_luns(common, i);
2845        return rc;
2846}
2847EXPORT_SYMBOL_GPL(fsg_common_create_luns);
2848
2849void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
2850                                   const char *pn)
2851{
2852        int i;
2853
2854        /* Prepare inquiryString */
2855        i = get_default_bcdDevice();
2856        snprintf(common->inquiry_string, sizeof(common->inquiry_string),
2857                 "%-8s%-16s%04x", vn ?: "Linux",
2858                 /* Assume product name dependent on the first LUN */
2859                 pn ?: ((*common->luns)->cdrom
2860                     ? "File-CD Gadget"
2861                     : "File-Stor Gadget"),
2862                 i);
2863}
2864EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
2865
2866static void fsg_common_release(struct fsg_common *common)
2867{
2868        int i;
2869
2870        /* If the thread isn't already dead, tell it to exit now */
2871        if (common->state != FSG_STATE_TERMINATED) {
2872                raise_exception(common, FSG_STATE_EXIT);
2873                wait_for_completion(&common->thread_notifier);
2874        }
2875
2876        for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2877                struct fsg_lun *lun = common->luns[i];
2878                if (!lun)
2879                        continue;
2880                fsg_lun_close(lun);
2881                if (device_is_registered(&lun->dev))
2882                        device_unregister(&lun->dev);
2883                kfree(lun);
2884        }
2885
2886        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2887        if (common->free_storage_on_release)
2888                kfree(common);
2889}
2890
2891
2892/*-------------------------------------------------------------------------*/
2893
2894static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2895{
2896        struct fsg_dev          *fsg = fsg_from_func(f);
2897        struct fsg_common       *common = fsg->common;
2898        struct usb_gadget       *gadget = c->cdev->gadget;
2899        int                     i;
2900        struct usb_ep           *ep;
2901        unsigned                max_burst;
2902        int                     ret;
2903        struct fsg_opts         *opts;
2904
2905        /* Don't allow to bind if we don't have at least one LUN */
2906        ret = _fsg_common_get_max_lun(common);
2907        if (ret < 0) {
2908                pr_err("There should be at least one LUN.\n");
2909                return -EINVAL;
2910        }
2911
2912        opts = fsg_opts_from_func_inst(f->fi);
2913        if (!opts->no_configfs) {
2914                ret = fsg_common_set_cdev(fsg->common, c->cdev,
2915                                          fsg->common->can_stall);
2916                if (ret)
2917                        return ret;
2918                fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
2919        }
2920
2921        if (!common->thread_task) {
2922                common->state = FSG_STATE_NORMAL;
2923                common->thread_task =
2924                        kthread_create(fsg_main_thread, common, "file-storage");
2925                if (IS_ERR(common->thread_task)) {
2926                        ret = PTR_ERR(common->thread_task);
2927                        common->thread_task = NULL;
2928                        common->state = FSG_STATE_TERMINATED;
2929                        return ret;
2930                }
2931                DBG(common, "I/O thread pid: %d\n",
2932                    task_pid_nr(common->thread_task));
2933                wake_up_process(common->thread_task);
2934        }
2935
2936        fsg->gadget = gadget;
2937
2938        /* New interface */
2939        i = usb_interface_id(c, f);
2940        if (i < 0)
2941                goto fail;
2942        fsg_intf_desc.bInterfaceNumber = i;
2943        fsg->interface_number = i;
2944
2945        /* Find all the endpoints we will use */
2946        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2947        if (!ep)
2948                goto autoconf_fail;
2949        fsg->bulk_in = ep;
2950
2951        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2952        if (!ep)
2953                goto autoconf_fail;
2954        fsg->bulk_out = ep;
2955
2956        /* Assume endpoint addresses are the same for both speeds */
2957        fsg_hs_bulk_in_desc.bEndpointAddress =
2958                fsg_fs_bulk_in_desc.bEndpointAddress;
2959        fsg_hs_bulk_out_desc.bEndpointAddress =
2960                fsg_fs_bulk_out_desc.bEndpointAddress;
2961
2962        /* Calculate bMaxBurst, we know packet size is 1024 */
2963        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2964
2965        fsg_ss_bulk_in_desc.bEndpointAddress =
2966                fsg_fs_bulk_in_desc.bEndpointAddress;
2967        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2968
2969        fsg_ss_bulk_out_desc.bEndpointAddress =
2970                fsg_fs_bulk_out_desc.bEndpointAddress;
2971        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2972
2973        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
2974                        fsg_ss_function, fsg_ss_function);
2975        if (ret)
2976                goto autoconf_fail;
2977
2978        return 0;
2979
2980autoconf_fail:
2981        ERROR(fsg, "unable to autoconfigure all endpoints\n");
2982        i = -ENOTSUPP;
2983fail:
2984        /* terminate the thread */
2985        if (fsg->common->state != FSG_STATE_TERMINATED) {
2986                raise_exception(fsg->common, FSG_STATE_EXIT);
2987                wait_for_completion(&fsg->common->thread_notifier);
2988        }
2989        return i;
2990}
2991
2992/****************************** ALLOCATE FUNCTION *************************/
2993
2994static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
2995{
2996        struct fsg_dev          *fsg = fsg_from_func(f);
2997        struct fsg_common       *common = fsg->common;
2998
2999        DBG(fsg, "unbind\n");
3000        if (fsg->common->fsg == fsg) {

3001                __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL);
3002                /* FIXME: make interruptible or killable somehow? */
3003                wait_event(common->fsg_wait, common->fsg != fsg);
3004        }
3005
3006        usb_free_all_descriptors(&fsg->function);
3007}
3008
3009static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3010{
3011        return container_of(to_config_group(item), struct fsg_lun_opts, group);
3012}
3013
3014static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3015{
3016        return container_of(to_config_group(item), struct fsg_opts,
3017                            func_inst.group);
3018}
3019
3020static void fsg_lun_attr_release(struct config_item *item)
3021{
3022        struct fsg_lun_opts *lun_opts;
3023
3024        lun_opts = to_fsg_lun_opts(item);
3025        kfree(lun_opts);
3026}
3027
3028static struct configfs_item_operations fsg_lun_item_ops = {
3029        .release                = fsg_lun_attr_release,
3030};
3031
3032static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page)
3033{
3034        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3035        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3036
3037        return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3038}
3039
3040static ssize_t fsg_lun_opts_file_store(struct config_item *item,
3041                                       const char *page, size_t len)
3042{
3043        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3044        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3045
3046        return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3047}
3048
3049CONFIGFS_ATTR(fsg_lun_opts_, file);
3050
3051static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page)
3052{
3053        return fsg_show_ro(to_fsg_lun_opts(item)->lun, page);
3054}
3055
3056static ssize_t fsg_lun_opts_ro_store(struct config_item *item,
3057                                       const char *page, size_t len)
3058{
3059        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3060        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3061
3062        return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3063}
3064
3065CONFIGFS_ATTR(fsg_lun_opts_, ro);
3066
3067static ssize_t fsg_lun_opts_removable_show(struct config_item *item,
3068                                           char *page)
3069{
3070        return fsg_show_removable(to_fsg_lun_opts(item)->lun, page);
3071}
3072
3073static ssize_t fsg_lun_opts_removable_store(struct config_item *item,
3074                                       const char *page, size_t len)
3075{
3076        return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len);
3077}
3078
3079CONFIGFS_ATTR(fsg_lun_opts_, removable);
3080
3081static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page)
3082{
3083        return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page);
3084}
3085
3086static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item,
3087                                       const char *page, size_t len)
3088{
3089        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3090        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3091
3092        return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3093                               len);
3094}
3095
3096CONFIGFS_ATTR(fsg_lun_opts_, cdrom);
3097
3098static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page)
3099{
3100        return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page);
3101}
3102
3103static ssize_t fsg_lun_opts_nofua_store(struct config_item *item,
3104                                       const char *page, size_t len)
3105{
3106        return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len);
3107}
3108
3109CONFIGFS_ATTR(fsg_lun_opts_, nofua);
3110
3111static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item,
3112                                                char *page)
3113{
3114        return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page);
3115}
3116
3117static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item,
3118                                                 const char *page, size_t len)
3119{
3120        return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len);
3121}
3122
3123CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string);
3124
3125static struct configfs_attribute *fsg_lun_attrs[] = {
3126        &fsg_lun_opts_attr_file,
3127        &fsg_lun_opts_attr_ro,
3128        &fsg_lun_opts_attr_removable,
3129        &fsg_lun_opts_attr_cdrom,
3130        &fsg_lun_opts_attr_nofua,
3131        &fsg_lun_opts_attr_inquiry_string,
3132        NULL,
3133};
3134
3135static const struct config_item_type fsg_lun_type = {
3136        .ct_item_ops    = &fsg_lun_item_ops,
3137        .ct_attrs       = fsg_lun_attrs,
3138        .ct_owner       = THIS_MODULE,
3139};
3140
3141static struct config_group *fsg_lun_make(struct config_group *group,
3142                                         const char *name)
3143{
3144        struct fsg_lun_opts *opts;
3145        struct fsg_opts *fsg_opts;
3146        struct fsg_lun_config config;
3147        char *num_str;
3148        u8 num;
3149        int ret;
3150
3151        num_str = strchr(name, '.');
3152        if (!num_str) {
3153                pr_err("Unable to locate . in LUN.NUMBER\n");
3154                return ERR_PTR(-EINVAL);
3155        }
3156        num_str++;
3157
3158        ret = kstrtou8(num_str, 0, &num);
3159        if (ret)
3160                return ERR_PTR(ret);
3161
3162        fsg_opts = to_fsg_opts(&group->cg_item);
3163        if (num >= FSG_MAX_LUNS)
3164                return ERR_PTR(-ERANGE);
3165        num = array_index_nospec(num, FSG_MAX_LUNS);
3166
3167        mutex_lock(&fsg_opts->lock);
3168        if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3169                ret = -EBUSY;
3170                goto out;
3171        }
3172
3173        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3174        if (!opts) {
3175                ret = -ENOMEM;
3176                goto out;
3177        }
3178
3179        memset(&config, 0, sizeof(config));
3180        config.removable = true;
3181
3182        ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3183                                    (const char **)&group->cg_item.ci_name);
3184        if (ret) {
3185                kfree(opts);
3186                goto out;
3187        }
3188        opts->lun = fsg_opts->common->luns[num];
3189        opts->lun_id = num;
3190        mutex_unlock(&fsg_opts->lock);
3191
3192        config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3193
3194        return &opts->group;
3195out:
3196        mutex_unlock(&fsg_opts->lock);
3197        return ERR_PTR(ret);
3198}
3199
3200static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3201{
3202        struct fsg_lun_opts *lun_opts;
3203        struct fsg_opts *fsg_opts;
3204
3205        lun_opts = to_fsg_lun_opts(item);
3206        fsg_opts = to_fsg_opts(&group->cg_item);
3207
3208        mutex_lock(&fsg_opts->lock);
3209        if (fsg_opts->refcnt) {
3210                struct config_item *gadget;
3211
3212                gadget = group->cg_item.ci_parent->ci_parent;
3213                unregister_gadget_item(gadget);
3214        }
3215
3216        fsg_common_remove_lun(lun_opts->lun);
3217        fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3218        lun_opts->lun_id = 0;
3219        mutex_unlock(&fsg_opts->lock);
3220
3221        config_item_put(item);
3222}
3223
3224static void fsg_attr_release(struct config_item *item)
3225{
3226        struct fsg_opts *opts = to_fsg_opts(item);
3227
3228        usb_put_function_instance(&opts->func_inst);
3229}
3230
3231static struct configfs_item_operations fsg_item_ops = {
3232        .release                = fsg_attr_release,
3233};
3234
3235static ssize_t fsg_opts_stall_show(struct config_item *item, char *page)
3236{
3237        struct fsg_opts *opts = to_fsg_opts(item);
3238        int result;
3239
3240        mutex_lock(&opts->lock);
3241        result = sprintf(page, "%d", opts->common->can_stall);
3242        mutex_unlock(&opts->lock);
3243
3244        return result;
3245}
3246
3247static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page,
3248                                    size_t len)
3249{
3250        struct fsg_opts *opts = to_fsg_opts(item);
3251        int ret;
3252        bool stall;
3253
3254        mutex_lock(&opts->lock);
3255
3256        if (opts->refcnt) {
3257                mutex_unlock(&opts->lock);
3258                return -EBUSY;
3259        }
3260
3261        ret = strtobool(page, &stall);
3262        if (!ret) {
3263                opts->common->can_stall = stall;
3264                ret = len;
3265        }
3266
3267        mutex_unlock(&opts->lock);
3268
3269        return ret;
3270}
3271
3272CONFIGFS_ATTR(fsg_opts_, stall);
3273
3274#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3275static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page)
3276{
3277        struct fsg_opts *opts = to_fsg_opts(item);
3278        int result;
3279
3280        mutex_lock(&opts->lock);
3281        result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3282        mutex_unlock(&opts->lock);
3283
3284        return result;
3285}
3286
3287static ssize_t fsg_opts_num_buffers_store(struct config_item *item,
3288                                          const char *page, size_t len)
3289{
3290        struct fsg_opts *opts = to_fsg_opts(item);
3291        int ret;
3292        u8 num;
3293
3294        mutex_lock(&opts->lock);
3295        if (opts->refcnt) {
3296                ret = -EBUSY;
3297                goto end;
3298        }
3299        ret = kstrtou8(page, 0, &num);
3300        if (ret)
3301                goto end;
3302
3303        ret = fsg_common_set_num_buffers(opts->common, num);
3304        if (ret)
3305                goto end;
3306        ret = len;
3307
3308end:
3309        mutex_unlock(&opts->lock);
3310        return ret;
3311}
3312
3313CONFIGFS_ATTR(fsg_opts_, num_buffers);
3314#endif
3315
3316static struct configfs_attribute *fsg_attrs[] = {
3317        &fsg_opts_attr_stall,
3318#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3319        &fsg_opts_attr_num_buffers,
3320#endif
3321        NULL,
3322};
3323
3324static struct configfs_group_operations fsg_group_ops = {
3325        .make_group     = fsg_lun_make,
3326        .drop_item      = fsg_lun_drop,
3327};
3328
3329static const struct config_item_type fsg_func_type = {
3330        .ct_item_ops    = &fsg_item_ops,
3331        .ct_group_ops   = &fsg_group_ops,
3332        .ct_attrs       = fsg_attrs,
3333        .ct_owner       = THIS_MODULE,
3334};
3335
3336static void fsg_free_inst(struct usb_function_instance *fi)
3337{
3338        struct fsg_opts *opts;
3339
3340        opts = fsg_opts_from_func_inst(fi);
3341        fsg_common_release(opts->common);
3342        kfree(opts);
3343}
3344
3345static struct usb_function_instance *fsg_alloc_inst(void)
3346{
3347        struct fsg_opts *opts;
3348        struct fsg_lun_config config;
3349        int rc;
3350
3351        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3352        if (!opts)
3353                return ERR_PTR(-ENOMEM);
3354        mutex_init(&opts->lock);
3355        opts->func_inst.free_func_inst = fsg_free_inst;
3356        opts->common = fsg_common_setup(opts->common);
3357        if (IS_ERR(opts->common)) {
3358                rc = PTR_ERR(opts->common);
3359                goto release_opts;
3360        }
3361
3362        rc = fsg_common_set_num_buffers(opts->common,
3363                                        CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3364        if (rc)
3365                goto release_common;
3366
3367        pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3368
3369        memset(&config, 0, sizeof(config));
3370        config.removable = true;
3371        rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3372                        (const char **)&opts->func_inst.group.cg_item.ci_name);
3373        if (rc)
3374                goto release_buffers;
3375
3376        opts->lun0.lun = opts->common->luns[0];
3377        opts->lun0.lun_id = 0;
3378
3379        config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3380
3381        config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3382        configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group);
3383
3384        return &opts->func_inst;
3385
3386release_buffers:
3387        fsg_common_free_buffers(opts->common);
3388release_common:
3389        kfree(opts->common);
3390release_opts:
3391        kfree(opts);
3392        return ERR_PTR(rc);
3393}
3394
3395static void fsg_free(struct usb_function *f)
3396{
3397        struct fsg_dev *fsg;
3398        struct fsg_opts *opts;
3399
3400        fsg = container_of(f, struct fsg_dev, function);
3401        opts = container_of(f->fi, struct fsg_opts, func_inst);
3402
3403        mutex_lock(&opts->lock);
3404        opts->refcnt--;
3405        mutex_unlock(&opts->lock);
3406
3407        kfree(fsg);
3408}
3409
3410static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3411{
3412        struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3413        struct fsg_common *common = opts->common;
3414        struct fsg_dev *fsg;
3415
3416        fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3417        if (unlikely(!fsg))
3418                return ERR_PTR(-ENOMEM);
3419
3420        mutex_lock(&opts->lock);
3421        opts->refcnt++;
3422        mutex_unlock(&opts->lock);
3423
3424        fsg->function.name      = FSG_DRIVER_DESC;
3425        fsg->function.bind      = fsg_bind;
3426        fsg->function.unbind    = fsg_unbind;
3427        fsg->function.setup     = fsg_setup;
3428        fsg->function.set_alt   = fsg_set_alt;
3429        fsg->function.disable   = fsg_disable;
3430        fsg->function.free_func = fsg_free;
3431
3432        fsg->common               = common;
3433
3434        return &fsg->function;
3435}
3436
3437DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3438MODULE_LICENSE("GPL");
3439MODULE_AUTHOR("Michal Nazarewicz");
3440
3441/************************* Module parameters *************************/
3442
3443
3444void fsg_config_from_params(struct fsg_config *cfg,
3445                       const struct fsg_module_parameters *params,
3446                       unsigned int fsg_num_buffers)
3447{
3448        struct fsg_lun_config *lun;
3449        unsigned i;
3450
3451        /* Configure LUNs */
3452        cfg->nluns =
3453                min(params->luns ?: (params->file_count ?: 1u),
3454                    (unsigned)FSG_MAX_LUNS);
3455        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3456                lun->ro = !!params->ro[i];
3457                lun->cdrom = !!params->cdrom[i];
3458                lun->removable = !!params->removable[i];
3459                lun->filename =
3460                        params->file_count > i && params->file[i][0]
3461                        ? params->file[i]
3462                        : NULL;
3463        }
3464
3465        /* Let MSF use defaults */
3466        cfg->vendor_name = NULL;
3467        cfg->product_name = NULL;
3468
3469        cfg->ops = NULL;
3470        cfg->private_data = NULL;
3471
3472        /* Finalise */
3473        cfg->can_stall = params->stall;
3474        cfg->fsg_num_buffers = fsg_num_buffers;
3475}
3476EXPORT_SYMBOL_GPL(fsg_config_from_params);
3477