LXR linux/drivers/usb/gadget/function/f_mass

   1/*
   2 * f_mass_storage.c -- Mass Storage USB Composite Function
   3 *
   4 * Copyright (C) 2003-2008 Alan Stern
   5 * Copyright (C) 2009 Samsung Electronics
   6 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   7 * All rights reserved.
   8 *
   9 * Redistribution and use in source and binary forms, with or without
  10 * modification, are permitted provided that the following conditions
  11 * are met:
  12 * 1. Redistributions of source code must retain the above copyright
  13 *    notice, this list of conditions, and the following disclaimer,
  14 *    without modification.
  15 * 2. Redistributions in binary form must reproduce the above copyright
  16 *    notice, this list of conditions and the following disclaimer in the
  17 *    documentation and/or other materials provided with the distribution.
  18 * 3. The names of the above-listed copyright holders may not be used
  19 *    to endorse or promote products derived from this software without
  20 *    specific prior written permission.
  21 *
  22 * ALTERNATIVELY, this software may be distributed under the terms of the
  23 * GNU General Public License ("GPL") as published by the Free Software
  24 * Foundation, either version 2 of that License or (at your option) any
  25 * later version.
  26 *
  27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  28 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  29 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  30 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  31 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  32 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  33 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  34 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  35 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  36 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  37 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38 */
  39
  40/*
  41 * The Mass Storage Function acts as a USB Mass Storage device,
  42 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  43 * addition to providing an example of a genuinely useful composite
  44 * function for a USB device, it also illustrates a technique of
  45 * double-buffering for increased throughput.
  46 *
  47 * For more information about MSF and in particular its module
  48 * parameters and sysfs interface read the
  49 * <Documentation/usb/mass-storage.txt> file.
  50 */
  51
  52/*
  53 * MSF is configured by specifying a fsg_config structure.  It has the
  54 * following fields:
  55 *
  56 *      nluns           Number of LUNs function have (anywhere from 1
  57 *                              to FSG_MAX_LUNS).
  58 *      luns            An array of LUN configuration values.  This
  59 *                              should be filled for each LUN that
  60 *                              function will include (ie. for "nluns"
  61 *                              LUNs).  Each element of the array has
  62 *                              the following fields:
  63 *      ->filename      The path to the backing file for the LUN.
  64 *                              Required if LUN is not marked as
  65 *                              removable.
  66 *      ->ro            Flag specifying access to the LUN shall be
  67 *                              read-only.  This is implied if CD-ROM
  68 *                              emulation is enabled as well as when
  69 *                              it was impossible to open "filename"
  70 *                              in R/W mode.
  71 *      ->removable     Flag specifying that LUN shall be indicated as
  72 *                              being removable.
  73 *      ->cdrom         Flag specifying that LUN shall be reported as
  74 *                              being a CD-ROM.
  75 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  76 *                              commands for this LUN shall be ignored.
  77 *
  78 *      vendor_name
  79 *      product_name
  80 *      release         Information used as a reply to INQUIRY
  81 *                              request.  To use default set to NULL,
  82 *                              NULL, 0xffff respectively.  The first
  83 *                              field should be 8 and the second 16
  84 *                              characters or less.
  85 *
  86 *      can_stall       Set to permit function to halt bulk endpoints.
  87 *                              Disabled on some USB devices known not
  88 *                              to work correctly.  You should set it
  89 *                              to true.
  90 *
  91 * If "removable" is not set for a LUN then a backing file must be
  92 * specified.  If it is set, then NULL filename means the LUN's medium
  93 * is not loaded (an empty string as "filename" in the fsg_config
  94 * structure causes error).  The CD-ROM emulation includes a single
  95 * data track and no audio tracks; hence there need be only one
  96 * backing file per LUN.
  97 *
  98 * This function is heavily based on "File-backed Storage Gadget" by
  99 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 100 * Brownell.  The driver's SCSI command interface was based on the
 101 * "Information technology - Small Computer System Interface - 2"
 102 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 103 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 104 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 105 * was based on the "Universal Serial Bus Mass Storage Class UFI
 106 * Command Specification" document, Revision 1.0, December 14, 1998,
 107 * available at
 108 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 109 */
 110
 111/*
 112 *                              Driver Design
 113 *
 114 * The MSF is fairly straightforward.  There is a main kernel
 115 * thread that handles most of the work.  Interrupt routines field
 116 * callbacks from the controller driver: bulk- and interrupt-request
 117 * completion notifications, endpoint-0 events, and disconnect events.
 118 * Completion events are passed to the main thread by wakeup calls.  Many
 119 * ep0 requests are handled at interrupt time, but SetInterface,
 120 * SetConfiguration, and device reset requests are forwarded to the
 121 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 122 * should interrupt any ongoing file I/O operations).
 123 *
 124 * The thread's main routine implements the standard command/data/status
 125 * parts of a SCSI interaction.  It and its subroutines are full of tests
 126 * for pending signals/exceptions -- all this polling is necessary since
 127 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 128 * indication that the driver really wants to be running in userspace.)
 129 * An important point is that so long as the thread is alive it keeps an
 130 * open reference to the backing file.  This will prevent unmounting
 131 * the backing file's underlying filesystem and could cause problems
 132 * during system shutdown, for example.  To prevent such problems, the
 133 * thread catches INT, TERM, and KILL signals and converts them into
 134 * an EXIT exception.
 135 *
 136 * In normal operation the main thread is started during the gadget's
 137 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 138 * also exit when it receives a signal, and there's no point leaving
 139 * the gadget running when the thread is dead.  As of this moment, MSF
 140 * provides no way to deregister the gadget when thread dies -- maybe
 141 * a callback functions is needed.
 142 *
 143 * To provide maximum throughput, the driver uses a circular pipeline of
 144 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 145 * arbitrarily long; in practice the benefits don't justify having more
 146 * than 2 stages (i.e., double buffering).  But it helps to think of the
 147 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 148 * a bulk-out request pointer (since the buffer can be used for both
 149 * output and input -- directions always are given from the host's
 150 * point of view) as well as a pointer to the buffer and various state
 151 * variables.
 152 *
 153 * Use of the pipeline follows a simple protocol.  There is a variable
 154 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 155 * At any time that buffer head may still be in use from an earlier
 156 * request, so each buffer head has a state variable indicating whether
 157 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 158 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 159 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 160 * head FULL when the I/O is complete.  Then the buffer will be emptied
 161 * (again possibly by USB I/O, during which it is marked BUSY) and
 162 * finally marked EMPTY again (possibly by a completion routine).
 163 *
 164 * A module parameter tells the driver to avoid stalling the bulk
 165 * endpoints wherever the transport specification allows.  This is
 166 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 167 * halt on a bulk endpoint.  However, under certain circumstances the
 168 * Bulk-only specification requires a stall.  In such cases the driver
 169 * will halt the endpoint and set a flag indicating that it should clear
 170 * the halt in software during the next device reset.  Hopefully this
 171 * will permit everything to work correctly.  Furthermore, although the
 172 * specification allows the bulk-out endpoint to halt when the host sends
 173 * too much data, implementing this would cause an unavoidable race.
 174 * The driver will always use the "no-stall" approach for OUT transfers.
 175 *
 176 * One subtle point concerns sending status-stage responses for ep0
 177 * requests.  Some of these requests, such as device reset, can involve
 178 * interrupting an ongoing file I/O operation, which might take an
 179 * arbitrarily long time.  During that delay the host might give up on
 180 * the original ep0 request and issue a new one.  When that happens the
 181 * driver should not notify the host about completion of the original
 182 * request, as the host will no longer be waiting for it.  So the driver
 183 * assigns to each ep0 request a unique tag, and it keeps track of the
 184 * tag value of the request associated with a long-running exception
 185 * (device-reset, interface-change, or configuration-change).  When the
 186 * exception handler is finished, the status-stage response is submitted
 187 * only if the current ep0 request tag is equal to the exception request
 188 * tag.  Thus only the most recently received ep0 request will get a
 189 * status-stage response.
 190 *
 191 * Warning: This driver source file is too long.  It ought to be split up
 192 * into a header file plus about 3 separate .c files, to handle the details
 193 * of the Gadget, USB Mass Storage, and SCSI protocols.
 194 */
 195
 196
 197/* #define VERBOSE_DEBUG */
 198/* #define DUMP_MSGS */
 199
 200#include <linux/blkdev.h>
 201#include <linux/completion.h>
 202#include <linux/dcache.h>
 203#include <linux/delay.h>
 204#include <linux/device.h>
 205#include <linux/fcntl.h>
 206#include <linux/file.h>
 207#include <linux/fs.h>
 208#include <linux/kref.h>
 209#include <linux/kthread.h>
 210#include <linux/limits.h>
 211#include <linux/rwsem.h>
 212#include <linux/slab.h>
 213#include <linux/spinlock.h>
 214#include <linux/string.h>
 215#include <linux/freezer.h>
 216#include <linux/module.h>
 217#include <linux/uaccess.h>
 218
 219#include <linux/usb/ch9.h>
 220#include <linux/usb/gadget.h>
 221#include <linux/usb/composite.h>
 222
 223#include "configfs.h"
 224
 225
 226/*------------------------------------------------------------------------*/
 227
 228#define FSG_DRIVER_DESC         "Mass Storage Function"
 229#define FSG_DRIVER_VERSION      "2009/09/11"
 230
 231static const char fsg_string_interface[] = "Mass Storage";
 232
 233#include "storage_common.h"
 234#include "f_mass_storage.h"
 235
 236/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 237static struct usb_string                fsg_strings[] = {
 238        {FSG_STRING_INTERFACE,          fsg_string_interface},
 239        {}
 240};
 241
 242static struct usb_gadget_strings        fsg_stringtab = {
 243        .language       = 0x0409,               /* en-us */
 244        .strings        = fsg_strings,
 245};
 246
 247static struct usb_gadget_strings *fsg_strings_array[] = {
 248        &fsg_stringtab,
 249        NULL,
 250};
 251
 252/*-------------------------------------------------------------------------*/
 253
 254struct fsg_dev;
 255struct fsg_common;
 256
 257/* Data shared by all the FSG instances. */
 258struct fsg_common {
 259        struct usb_gadget       *gadget;
 260        struct usb_composite_dev *cdev;
 261        struct fsg_dev          *fsg, *new_fsg;
 262        wait_queue_head_t       fsg_wait;
 263
 264        /* filesem protects: backing files in use */
 265        struct rw_semaphore     filesem;
 266
 267        /* lock protects: state, all the req_busy's */
 268        spinlock_t              lock;
 269
 270        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 271        struct usb_request      *ep0req;        /* Copy of cdev->req */
 272        unsigned int            ep0_req_tag;
 273
 274        struct fsg_buffhd       *next_buffhd_to_fill;
 275        struct fsg_buffhd       *next_buffhd_to_drain;
 276        struct fsg_buffhd       *buffhds;
 277        unsigned int            fsg_num_buffers;
 278
 279        int                     cmnd_size;
 280        u8                      cmnd[MAX_COMMAND_SIZE];
 281
 282        unsigned int            lun;
 283        struct fsg_lun          *luns[FSG_MAX_LUNS];
 284        struct fsg_lun          *curlun;
 285
 286        unsigned int            bulk_out_maxpacket;
 287        enum fsg_state          state;          /* For exception handling */
 288        unsigned int            exception_req_tag;
 289
 290        enum data_direction     data_dir;
 291        u32                     data_size;
 292        u32                     data_size_from_cmnd;
 293        u32                     tag;
 294        u32                     residue;
 295        u32                     usb_amount_left;
 296
 297        unsigned int            can_stall:1;
 298        unsigned int            free_storage_on_release:1;
 299        unsigned int            phase_error:1;
 300        unsigned int            short_packet_received:1;
 301        unsigned int            bad_lun_okay:1;
 302        unsigned int            running:1;
 303        unsigned int            sysfs:1;
 304
 305        int                     thread_wakeup_needed;
 306        struct completion       thread_notifier;
 307        struct task_struct      *thread_task;
 308
 309        /* Callback functions. */
 310        const struct fsg_operations     *ops;
 311        /* Gadget's private data. */
 312        void                    *private_data;
 313
 314        char inquiry_string[INQUIRY_STRING_LEN];
 315
 316        struct kref             ref;
 317};
 318
 319struct fsg_dev {
 320        struct usb_function     function;
 321        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 322        struct fsg_common       *common;
 323
 324        u16                     interface_number;
 325
 326        unsigned int            bulk_in_enabled:1;
 327        unsigned int            bulk_out_enabled:1;
 328
 329        unsigned long           atomic_bitflags;
 330#define IGNORE_BULK_OUT         0
 331
 332        struct usb_ep           *bulk_in;
 333        struct usb_ep           *bulk_out;
 334};
 335
 336static inline int __fsg_is_set(struct fsg_common *common,
 337                               const char *func, unsigned line)
 338{
 339        if (common->fsg)
 340                return 1;
 341        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 342        WARN_ON(1);
 343        return 0;
 344}
 345
 346#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 347
 348static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 349{
 350        return container_of(f, struct fsg_dev, function);
 351}
 352
 353typedef void (*fsg_routine_t)(struct fsg_dev *);
 354
 355static int exception_in_progress(struct fsg_common *common)
 356{
 357        return common->state > FSG_STATE_IDLE;
 358}
 359
 360/* Make bulk-out requests be divisible by the maxpacket size */
 361static void set_bulk_out_req_length(struct fsg_common *common,
 362                                    struct fsg_buffhd *bh, unsigned int length)
 363{
 364        unsigned int    rem;
 365
 366        bh->bulk_out_intended_length = length;
 367        rem = length % common->bulk_out_maxpacket;
 368        if (rem > 0)
 369                length += common->bulk_out_maxpacket - rem;
 370        bh->outreq->length = length;
 371}
 372
 373
 374/*-------------------------------------------------------------------------*/
 375
 376static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 377{
 378        const char      *name;
 379
 380        if (ep == fsg->bulk_in)
 381                name = "bulk-in";
 382        else if (ep == fsg->bulk_out)
 383                name = "bulk-out";
 384        else
 385                name = ep->name;
 386        DBG(fsg, "%s set halt\n", name);
 387        return usb_ep_set_halt(ep);
 388}
 389
 390
 391/*-------------------------------------------------------------------------*/
 392
 393/* These routines may be called in process context or in_irq */
 394
 395/* Caller must hold fsg->lock */
 396static void wakeup_thread(struct fsg_common *common)
 397{
 398        smp_wmb();      /* ensure the write of bh->state is complete */
 399        /* Tell the main thread that something has happened */
 400        common->thread_wakeup_needed = 1;
 401        if (common->thread_task)
 402                wake_up_process(common->thread_task);
 403}
 404
 405static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 406{
 407        unsigned long           flags;
 408
 409        /*
 410         * Do nothing if a higher-priority exception is already in progress.
 411         * If a lower-or-equal priority exception is in progress, preempt it
 412         * and notify the main thread by sending it a signal.
 413         */
 414        spin_lock_irqsave(&common->lock, flags);
 415        if (common->state <= new_state) {
 416                common->exception_req_tag = common->ep0_req_tag;
 417                common->state = new_state;
 418                if (common->thread_task)
 419                        send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 420                                      common->thread_task);
 421        }
 422        spin_unlock_irqrestore(&common->lock, flags);
 423}
 424
 425
 426/*-------------------------------------------------------------------------*/
 427
 428static int ep0_queue(struct fsg_common *common)
 429{
 430        int     rc;
 431
 432        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 433        common->ep0->driver_data = common;
 434        if (rc != 0 && rc != -ESHUTDOWN) {
 435                /* We can't do much more than wait for a reset */
 436                WARNING(common, "error in submission: %s --> %d\n",
 437                        common->ep0->name, rc);
 438        }
 439        return rc;
 440}
 441
 442
 443/*-------------------------------------------------------------------------*/
 444
 445/* Completion handlers. These always run in_irq. */
 446
 447static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 448{
 449        struct fsg_common       *common = ep->driver_data;
 450        struct fsg_buffhd       *bh = req->context;
 451
 452        if (req->status || req->actual != req->length)
 453                DBG(common, "%s --> %d, %u/%u\n", __func__,
 454                    req->status, req->actual, req->length);
 455        if (req->status == -ECONNRESET)         /* Request was cancelled */
 456                usb_ep_fifo_flush(ep);
 457
 458        /* Hold the lock while we update the request and buffer states */
 459        smp_wmb();
 460        spin_lock(&common->lock);
 461        bh->inreq_busy = 0;
 462        bh->state = BUF_STATE_EMPTY;
 463        wakeup_thread(common);
 464        spin_unlock(&common->lock);
 465}
 466
 467static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 468{
 469        struct fsg_common       *common = ep->driver_data;
 470        struct fsg_buffhd       *bh = req->context;
 471
 472        dump_msg(common, "bulk-out", req->buf, req->actual);
 473        if (req->status || req->actual != bh->bulk_out_intended_length)
 474                DBG(common, "%s --> %d, %u/%u\n", __func__,
 475                    req->status, req->actual, bh->bulk_out_intended_length);
 476        if (req->status == -ECONNRESET)         /* Request was cancelled */
 477                usb_ep_fifo_flush(ep);
 478
 479        /* Hold the lock while we update the request and buffer states */
 480        smp_wmb();
 481        spin_lock(&common->lock);
 482        bh->outreq_busy = 0;
 483        bh->state = BUF_STATE_FULL;
 484        wakeup_thread(common);
 485        spin_unlock(&common->lock);
 486}
 487
 488static int _fsg_common_get_max_lun(struct fsg_common *common)
 489{
 490        int i = ARRAY_SIZE(common->luns) - 1;
 491
 492        while (i >= 0 && !common->luns[i])
 493                --i;
 494
 495        return i;
 496}
 497
 498static int fsg_setup(struct usb_function *f,
 499                     const struct usb_ctrlrequest *ctrl)
 500{
 501        struct fsg_dev          *fsg = fsg_from_func(f);
 502        struct usb_request      *req = fsg->common->ep0req;
 503        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 504        u16                     w_value = le16_to_cpu(ctrl->wValue);
 505        u16                     w_length = le16_to_cpu(ctrl->wLength);
 506
 507        if (!fsg_is_set(fsg->common))
 508                return -EOPNOTSUPP;
 509
 510        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 511        req->context = NULL;
 512        req->length = 0;
 513        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 514
 515        switch (ctrl->bRequest) {
 516
 517        case US_BULK_RESET_REQUEST:
 518                if (ctrl->bRequestType !=
 519                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 520                        break;
 521                if (w_index != fsg->interface_number || w_value != 0 ||
 522                                w_length != 0)
 523                        return -EDOM;
 524
 525                /*
 526                 * Raise an exception to stop the current operation
 527                 * and reinitialize our state.
 528                 */
 529                DBG(fsg, "bulk reset request\n");
 530                raise_exception(fsg->common, FSG_STATE_RESET);
 531                return USB_GADGET_DELAYED_STATUS;
 532
 533        case US_BULK_GET_MAX_LUN:
 534                if (ctrl->bRequestType !=
 535                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 536                        break;
 537                if (w_index != fsg->interface_number || w_value != 0 ||
 538                                w_length != 1)
 539                        return -EDOM;
 540                VDBG(fsg, "get max LUN\n");
 541                *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
 542
 543                /* Respond with data/status */
 544                req->length = min((u16)1, w_length);
 545                return ep0_queue(fsg->common);
 546        }
 547
 548        VDBG(fsg,
 549             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 550             ctrl->bRequestType, ctrl->bRequest,
 551             le16_to_cpu(ctrl->wValue), w_index, w_length);
 552        return -EOPNOTSUPP;
 553}
 554
 555
 556/*-------------------------------------------------------------------------*/
 557
 558/* All the following routines run in process context */
 559
 560/* Use this for bulk or interrupt transfers, not ep0 */
 561static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 562                           struct usb_request *req, int *pbusy,
 563                           enum fsg_buffer_state *state)
 564{
 565        int     rc;
 566
 567        if (ep == fsg->bulk_in)
 568                dump_msg(fsg, "bulk-in", req->buf, req->length);
 569
 570        spin_lock_irq(&fsg->common->lock);
 571        *pbusy = 1;
 572        *state = BUF_STATE_BUSY;
 573        spin_unlock_irq(&fsg->common->lock);
 574
 575        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 576        if (rc == 0)
 577                return;  /* All good, we're done */
 578
 579        *pbusy = 0;
 580        *state = BUF_STATE_EMPTY;
 581
 582        /* We can't do much more than wait for a reset */
 583
 584        /*
 585         * Note: currently the net2280 driver fails zero-length
 586         * submissions if DMA is enabled.
 587         */
 588        if (rc != -ESHUTDOWN && !(rc == -EOPNOTSUPP && req->length == 0))
 589                WARNING(fsg, "error in submission: %s --> %d\n", ep->name, rc);
 590}
 591
 592static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 593{
 594        if (!fsg_is_set(common))
 595                return false;
 596        start_transfer(common->fsg, common->fsg->bulk_in,
 597                       bh->inreq, &bh->inreq_busy, &bh->state);
 598        return true;
 599}
 600
 601static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 602{
 603        if (!fsg_is_set(common))
 604                return false;
 605        start_transfer(common->fsg, common->fsg->bulk_out,
 606                       bh->outreq, &bh->outreq_busy, &bh->state);
 607        return true;
 608}
 609
 610static int sleep_thread(struct fsg_common *common, bool can_freeze)
 611{
 612        int     rc = 0;
 613
 614        /* Wait until a signal arrives or we are woken up */
 615        for (;;) {
 616                if (can_freeze)
 617                        try_to_freeze();
 618                set_current_state(TASK_INTERRUPTIBLE);
 619                if (signal_pending(current)) {
 620                        rc = -EINTR;
 621                        break;
 622                }
 623                if (common->thread_wakeup_needed)
 624                        break;
 625                schedule();
 626        }
 627        __set_current_state(TASK_RUNNING);
 628        common->thread_wakeup_needed = 0;
 629        smp_rmb();      /* ensure the latest bh->state is visible */
 630        return rc;
 631}
 632
 633
 634/*-------------------------------------------------------------------------*/
 635
 636static int do_read(struct fsg_common *common)
 637{
 638        struct fsg_lun          *curlun = common->curlun;
 639        u32                     lba;
 640        struct fsg_buffhd       *bh;
 641        int                     rc;
 642        u32                     amount_left;
 643        loff_t                  file_offset, file_offset_tmp;
 644        unsigned int            amount;
 645        ssize_t                 nread;
 646
 647        /*
 648         * Get the starting Logical Block Address and check that it's
 649         * not too big.
 650         */
 651        if (common->cmnd[0] == READ_6)
 652                lba = get_unaligned_be24(&common->cmnd[1]);
 653        else {
 654                lba = get_unaligned_be32(&common->cmnd[2]);
 655
 656                /*
 657                 * We allow DPO (Disable Page Out = don't save data in the
 658                 * cache) and FUA (Force Unit Access = don't read from the
 659                 * cache), but we don't implement them.
 660                 */
 661                if ((common->cmnd[1] & ~0x18) != 0) {
 662                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 663                        return -EINVAL;
 664                }
 665        }
 666        if (lba >= curlun->num_sectors) {
 667                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 668                return -EINVAL;
 669        }
 670        file_offset = ((loff_t) lba) << curlun->blkbits;
 671
 672        /* Carry out the file reads */
 673        amount_left = common->data_size_from_cmnd;
 674        if (unlikely(amount_left == 0))
 675                return -EIO;            /* No default reply */
 676
 677        for (;;) {
 678                /*
 679                 * Figure out how much we need to read:
 680                 * Try to read the remaining amount.
 681                 * But don't read more than the buffer size.
 682                 * And don't try to read past the end of the file.
 683                 */
 684                amount = min(amount_left, FSG_BUFLEN);
 685                amount = min((loff_t)amount,
 686                             curlun->file_length - file_offset);
 687
 688                /* Wait for the next buffer to become available */
 689                bh = common->next_buffhd_to_fill;
 690                while (bh->state != BUF_STATE_EMPTY) {
 691                        rc = sleep_thread(common, false);
 692                        if (rc)
 693                                return rc;
 694                }
 695
 696                /*
 697                 * If we were asked to read past the end of file,
 698                 * end with an empty buffer.
 699                 */
 700                if (amount == 0) {
 701                        curlun->sense_data =
 702                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 703                        curlun->sense_data_info =
 704                                        file_offset >> curlun->blkbits;
 705                        curlun->info_valid = 1;
 706                        bh->inreq->length = 0;
 707                        bh->state = BUF_STATE_FULL;
 708                        break;
 709                }
 710
 711                /* Perform the read */
 712                file_offset_tmp = file_offset;
 713                nread = vfs_read(curlun->filp,
 714                                 (char __user *)bh->buf,
 715                                 amount, &file_offset_tmp);
 716                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 717                      (unsigned long long)file_offset, (int)nread);
 718                if (signal_pending(current))
 719                        return -EINTR;
 720
 721                if (nread < 0) {
 722                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 723                        nread = 0;
 724                } else if (nread < amount) {
 725                        LDBG(curlun, "partial file read: %d/%u\n",
 726                             (int)nread, amount);
 727                        nread = round_down(nread, curlun->blksize);
 728                }
 729                file_offset  += nread;
 730                amount_left  -= nread;
 731                common->residue -= nread;
 732
 733                /*
 734                 * Except at the end of the transfer, nread will be
 735                 * equal to the buffer size, which is divisible by the
 736                 * bulk-in maxpacket size.
 737                 */
 738                bh->inreq->length = nread;
 739                bh->state = BUF_STATE_FULL;
 740
 741                /* If an error occurred, report it and its position */
 742                if (nread < amount) {
 743                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 744                        curlun->sense_data_info =
 745                                        file_offset >> curlun->blkbits;
 746                        curlun->info_valid = 1;
 747                        break;
 748                }
 749
 750                if (amount_left == 0)
 751                        break;          /* No more left to read */
 752
 753                /* Send this buffer and go read some more */
 754                bh->inreq->zero = 0;
 755                if (!start_in_transfer(common, bh))
 756                        /* Don't know what to do if common->fsg is NULL */
 757                        return -EIO;
 758                common->next_buffhd_to_fill = bh->next;
 759        }
 760
 761        return -EIO;            /* No default reply */
 762}
 763
 764
 765/*-------------------------------------------------------------------------*/
 766
 767static int do_write(struct fsg_common *common)
 768{
 769        struct fsg_lun          *curlun = common->curlun;
 770        u32                     lba;
 771        struct fsg_buffhd       *bh;
 772        int                     get_some_more;
 773        u32                     amount_left_to_req, amount_left_to_write;
 774        loff_t                  usb_offset, file_offset, file_offset_tmp;
 775        unsigned int            amount;
 776        ssize_t                 nwritten;
 777        int                     rc;
 778
 779        if (curlun->ro) {
 780                curlun->sense_data = SS_WRITE_PROTECTED;
 781                return -EINVAL;
 782        }
 783        spin_lock(&curlun->filp->f_lock);
 784        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 785        spin_unlock(&curlun->filp->f_lock);
 786
 787        /*
 788         * Get the starting Logical Block Address and check that it's
 789         * not too big
 790         */
 791        if (common->cmnd[0] == WRITE_6)
 792                lba = get_unaligned_be24(&common->cmnd[1]);
 793        else {
 794                lba = get_unaligned_be32(&common->cmnd[2]);
 795
 796                /*
 797                 * We allow DPO (Disable Page Out = don't save data in the
 798                 * cache) and FUA (Force Unit Access = write directly to the
 799                 * medium).  We don't implement DPO; we implement FUA by
 800                 * performing synchronous output.
 801                 */
 802                if (common->cmnd[1] & ~0x18) {
 803                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 804                        return -EINVAL;
 805                }
 806                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 807                        spin_lock(&curlun->filp->f_lock);
 808                        curlun->filp->f_flags |= O_SYNC;
 809                        spin_unlock(&curlun->filp->f_lock);
 810                }
 811        }
 812        if (lba >= curlun->num_sectors) {
 813                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 814                return -EINVAL;
 815        }
 816
 817        /* Carry out the file writes */
 818        get_some_more = 1;
 819        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 820        amount_left_to_req = common->data_size_from_cmnd;
 821        amount_left_to_write = common->data_size_from_cmnd;
 822
 823        while (amount_left_to_write > 0) {
 824
 825                /* Queue a request for more data from the host */
 826                bh = common->next_buffhd_to_fill;
 827                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 828
 829                        /*
 830                         * Figure out how much we want to get:
 831                         * Try to get the remaining amount,
 832                         * but not more than the buffer size.
 833                         */
 834                        amount = min(amount_left_to_req, FSG_BUFLEN);
 835
 836                        /* Beyond the end of the backing file? */
 837                        if (usb_offset >= curlun->file_length) {
 838                                get_some_more = 0;
 839                                curlun->sense_data =
 840                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 841                                curlun->sense_data_info =
 842                                        usb_offset >> curlun->blkbits;
 843                                curlun->info_valid = 1;
 844                                continue;
 845                        }
 846
 847                        /* Get the next buffer */
 848                        usb_offset += amount;
 849                        common->usb_amount_left -= amount;
 850                        amount_left_to_req -= amount;
 851                        if (amount_left_to_req == 0)
 852                                get_some_more = 0;
 853
 854                        /*
 855                         * Except at the end of the transfer, amount will be
 856                         * equal to the buffer size, which is divisible by
 857                         * the bulk-out maxpacket size.
 858                         */
 859                        set_bulk_out_req_length(common, bh, amount);
 860                        if (!start_out_transfer(common, bh))
 861                                /* Dunno what to do if common->fsg is NULL */
 862                                return -EIO;
 863                        common->next_buffhd_to_fill = bh->next;
 864                        continue;
 865                }
 866
 867                /* Write the received data to the backing file */
 868                bh = common->next_buffhd_to_drain;
 869                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 870                        break;                  /* We stopped early */
 871                if (bh->state == BUF_STATE_FULL) {
 872                        smp_rmb();
 873                        common->next_buffhd_to_drain = bh->next;
 874                        bh->state = BUF_STATE_EMPTY;
 875
 876                        /* Did something go wrong with the transfer? */
 877                        if (bh->outreq->status != 0) {
 878                                curlun->sense_data = SS_COMMUNICATION_FAILURE;
 879                                curlun->sense_data_info =
 880                                        file_offset >> curlun->blkbits;
 881                                curlun->info_valid = 1;
 882                                break;
 883                        }
 884
 885                        amount = bh->outreq->actual;
 886                        if (curlun->file_length - file_offset < amount) {
 887                                LERROR(curlun,
 888                                       "write %u @ %llu beyond end %llu\n",
 889                                       amount, (unsigned long long)file_offset,
 890                                       (unsigned long long)curlun->file_length);
 891                                amount = curlun->file_length - file_offset;
 892                        }
 893
 894                        /* Don't accept excess data.  The spec doesn't say
 895                         * what to do in this case.  We'll ignore the error.
 896                         */
 897                        amount = min(amount, bh->bulk_out_intended_length);
 898
 899                        /* Don't write a partial block */
 900                        amount = round_down(amount, curlun->blksize);
 901                        if (amount == 0)
 902                                goto empty_write;
 903
 904                        /* Perform the write */
 905                        file_offset_tmp = file_offset;
 906                        nwritten = vfs_write(curlun->filp,
 907                                             (char __user *)bh->buf,
 908                                             amount, &file_offset_tmp);
 909                        VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 910                              (unsigned long long)file_offset, (int)nwritten);
 911                        if (signal_pending(current))
 912                                return -EINTR;          /* Interrupted! */
 913
 914                        if (nwritten < 0) {
 915                                LDBG(curlun, "error in file write: %d\n",
 916                                     (int)nwritten);
 917                                nwritten = 0;
 918                        } else if (nwritten < amount) {
 919                                LDBG(curlun, "partial file write: %d/%u\n",
 920                                     (int)nwritten, amount);
 921                                nwritten = round_down(nwritten, curlun->blksize);
 922                        }
 923                        file_offset += nwritten;
 924                        amount_left_to_write -= nwritten;
 925                        common->residue -= nwritten;
 926
 927                        /* If an error occurred, report it and its position */
 928                        if (nwritten < amount) {
 929                                curlun->sense_data = SS_WRITE_ERROR;
 930                                curlun->sense_data_info =
 931                                        file_offset >> curlun->blkbits;
 932                                curlun->info_valid = 1;
 933                                break;
 934                        }
 935
 936 empty_write:
 937                        /* Did the host decide to stop early? */
 938                        if (bh->outreq->actual < bh->bulk_out_intended_length) {
 939                                common->short_packet_received = 1;
 940                                break;
 941                        }
 942                        continue;
 943                }
 944
 945                /* Wait for something to happen */
 946                rc = sleep_thread(common, false);
 947                if (rc)
 948                        return rc;
 949        }
 950
 951        return -EIO;            /* No default reply */
 952}
 953
 954
 955/*-------------------------------------------------------------------------*/
 956
 957static int do_synchronize_cache(struct fsg_common *common)
 958{
 959        struct fsg_lun  *curlun = common->curlun;
 960        int             rc;
 961
 962        /* We ignore the requested LBA and write out all file's
 963         * dirty data buffers. */
 964        rc = fsg_lun_fsync_sub(curlun);
 965        if (rc)
 966                curlun->sense_data = SS_WRITE_ERROR;
 967        return 0;
 968}
 969
 970
 971/*-------------------------------------------------------------------------*/
 972
 973static void invalidate_sub(struct fsg_lun *curlun)
 974{
 975        struct file     *filp = curlun->filp;
 976        struct inode    *inode = file_inode(filp);
 977        unsigned long   rc;
 978
 979        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 980        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 981}
 982
 983static int do_verify(struct fsg_common *common)
 984{
 985        struct fsg_lun          *curlun = common->curlun;
 986        u32                     lba;
 987        u32                     verification_length;
 988        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 989        loff_t                  file_offset, file_offset_tmp;
 990        u32                     amount_left;
 991        unsigned int            amount;
 992        ssize_t                 nread;
 993
 994        /*
 995         * Get the starting Logical Block Address and check that it's
 996         * not too big.
 997         */
 998        lba = get_unaligned_be32(&common->cmnd[2]);
 999        if (lba >= curlun->num_sectors) {
1000                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;

1001                return -EINVAL;
1002        }
1003
1004        /*
1005         * We allow DPO (Disable Page Out = don't save data in the
1006         * cache) but we don't implement it.
1007         */
1008        if (common->cmnd[1] & ~0x10) {
1009                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1010                return -EINVAL;
1011        }
1012
1013        verification_length = get_unaligned_be16(&common->cmnd[7]);
1014        if (unlikely(verification_length == 0))
1015                return -EIO;            /* No default reply */
1016
1017        /* Prepare to carry out the file verify */
1018        amount_left = verification_length << curlun->blkbits;
1019        file_offset = ((loff_t) lba) << curlun->blkbits;
1020
1021        /* Write out all the dirty buffers before invalidating them */
1022        fsg_lun_fsync_sub(curlun);
1023        if (signal_pending(current))
1024                return -EINTR;
1025
1026        invalidate_sub(curlun);
1027        if (signal_pending(current))
1028                return -EINTR;
1029
1030        /* Just try to read the requested blocks */
1031        while (amount_left > 0) {
1032                /*
1033                 * Figure out how much we need to read:
1034                 * Try to read the remaining amount, but not more than
1035                 * the buffer size.
1036                 * And don't try to read past the end of the file.
1037                 */
1038                amount = min(amount_left, FSG_BUFLEN);
1039                amount = min((loff_t)amount,
1040                             curlun->file_length - file_offset);
1041                if (amount == 0) {
1042                        curlun->sense_data =
1043                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1044                        curlun->sense_data_info =
1045                                file_offset >> curlun->blkbits;
1046                        curlun->info_valid = 1;
1047                        break;
1048                }
1049
1050                /* Perform the read */
1051                file_offset_tmp = file_offset;
1052                nread = vfs_read(curlun->filp,
1053                                (char __user *) bh->buf,
1054                                amount, &file_offset_tmp);
1055                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1056                                (unsigned long long) file_offset,
1057                                (int) nread);
1058                if (signal_pending(current))
1059                        return -EINTR;
1060
1061                if (nread < 0) {
1062                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1063                        nread = 0;
1064                } else if (nread < amount) {
1065                        LDBG(curlun, "partial file verify: %d/%u\n",
1066                             (int)nread, amount);
1067                        nread = round_down(nread, curlun->blksize);
1068                }
1069                if (nread == 0) {
1070                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1071                        curlun->sense_data_info =
1072                                file_offset >> curlun->blkbits;
1073                        curlun->info_valid = 1;
1074                        break;
1075                }
1076                file_offset += nread;
1077                amount_left -= nread;
1078        }
1079        return 0;
1080}
1081
1082
1083/*-------------------------------------------------------------------------*/
1084
1085static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1086{
1087        struct fsg_lun *curlun = common->curlun;
1088        u8      *buf = (u8 *) bh->buf;
1089
1090        if (!curlun) {          /* Unsupported LUNs are okay */
1091                common->bad_lun_okay = 1;
1092                memset(buf, 0, 36);
1093                buf[0] = TYPE_NO_LUN;   /* Unsupported, no device-type */
1094                buf[4] = 31;            /* Additional length */
1095                return 36;
1096        }
1097
1098        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1099        buf[1] = curlun->removable ? 0x80 : 0;
1100        buf[2] = 2;             /* ANSI SCSI level 2 */
1101        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1102        buf[4] = 31;            /* Additional length */
1103        buf[5] = 0;             /* No special options */
1104        buf[6] = 0;
1105        buf[7] = 0;
1106        if (curlun->inquiry_string[0])
1107                memcpy(buf + 8, curlun->inquiry_string,
1108                       sizeof(curlun->inquiry_string));
1109        else
1110                memcpy(buf + 8, common->inquiry_string,
1111                       sizeof(common->inquiry_string));
1112        return 36;
1113}
1114
1115static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1116{
1117        struct fsg_lun  *curlun = common->curlun;
1118        u8              *buf = (u8 *) bh->buf;
1119        u32             sd, sdinfo;
1120        int             valid;
1121
1122        /*
1123         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1124         *
1125         * If a REQUEST SENSE command is received from an initiator
1126         * with a pending unit attention condition (before the target
1127         * generates the contingent allegiance condition), then the
1128         * target shall either:
1129         *   a) report any pending sense data and preserve the unit
1130         *      attention condition on the logical unit, or,
1131         *   b) report the unit attention condition, may discard any
1132         *      pending sense data, and clear the unit attention
1133         *      condition on the logical unit for that initiator.
1134         *
1135         * FSG normally uses option a); enable this code to use option b).
1136         */
1137#if 0
1138        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1139                curlun->sense_data = curlun->unit_attention_data;
1140                curlun->unit_attention_data = SS_NO_SENSE;
1141        }
1142#endif
1143
1144        if (!curlun) {          /* Unsupported LUNs are okay */
1145                common->bad_lun_okay = 1;
1146                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1147                sdinfo = 0;
1148                valid = 0;
1149        } else {
1150                sd = curlun->sense_data;
1151                sdinfo = curlun->sense_data_info;
1152                valid = curlun->info_valid << 7;
1153                curlun->sense_data = SS_NO_SENSE;
1154                curlun->sense_data_info = 0;
1155                curlun->info_valid = 0;
1156        }
1157
1158        memset(buf, 0, 18);
1159        buf[0] = valid | 0x70;                  /* Valid, current error */
1160        buf[2] = SK(sd);
1161        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1162        buf[7] = 18 - 8;                        /* Additional sense length */
1163        buf[12] = ASC(sd);
1164        buf[13] = ASCQ(sd);
1165        return 18;
1166}
1167
1168static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1169{
1170        struct fsg_lun  *curlun = common->curlun;
1171        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1172        int             pmi = common->cmnd[8];
1173        u8              *buf = (u8 *)bh->buf;
1174
1175        /* Check the PMI and LBA fields */
1176        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1177                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1178                return -EINVAL;
1179        }
1180
1181        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1182                                                /* Max logical block */
1183        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1184        return 8;
1185}
1186
1187static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1188{
1189        struct fsg_lun  *curlun = common->curlun;
1190        int             msf = common->cmnd[1] & 0x02;
1191        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1192        u8              *buf = (u8 *)bh->buf;
1193
1194        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1195                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1196                return -EINVAL;
1197        }
1198        if (lba >= curlun->num_sectors) {
1199                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1200                return -EINVAL;
1201        }
1202
1203        memset(buf, 0, 8);
1204        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1205        store_cdrom_address(&buf[4], msf, lba);
1206        return 8;
1207}
1208
1209static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1210{
1211        struct fsg_lun  *curlun = common->curlun;
1212        int             msf = common->cmnd[1] & 0x02;
1213        int             start_track = common->cmnd[6];
1214        u8              *buf = (u8 *)bh->buf;
1215
1216        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1217                        start_track > 1) {
1218                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1219                return -EINVAL;
1220        }
1221
1222        memset(buf, 0, 20);
1223        buf[1] = (20-2);                /* TOC data length */
1224        buf[2] = 1;                     /* First track number */
1225        buf[3] = 1;                     /* Last track number */
1226        buf[5] = 0x16;                  /* Data track, copying allowed */
1227        buf[6] = 0x01;                  /* Only track is number 1 */
1228        store_cdrom_address(&buf[8], msf, 0);
1229
1230        buf[13] = 0x16;                 /* Lead-out track is data */
1231        buf[14] = 0xAA;                 /* Lead-out track number */
1232        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1233        return 20;
1234}
1235
1236static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1237{
1238        struct fsg_lun  *curlun = common->curlun;
1239        int             mscmnd = common->cmnd[0];
1240        u8              *buf = (u8 *) bh->buf;
1241        u8              *buf0 = buf;
1242        int             pc, page_code;
1243        int             changeable_values, all_pages;
1244        int             valid_page = 0;
1245        int             len, limit;
1246
1247        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1248                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1249                return -EINVAL;
1250        }
1251        pc = common->cmnd[2] >> 6;
1252        page_code = common->cmnd[2] & 0x3f;
1253        if (pc == 3) {
1254                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1255                return -EINVAL;
1256        }
1257        changeable_values = (pc == 1);
1258        all_pages = (page_code == 0x3f);
1259
1260        /*
1261         * Write the mode parameter header.  Fixed values are: default
1262         * medium type, no cache control (DPOFUA), and no block descriptors.
1263         * The only variable value is the WriteProtect bit.  We will fill in
1264         * the mode data length later.
1265         */
1266        memset(buf, 0, 8);
1267        if (mscmnd == MODE_SENSE) {
1268                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1269                buf += 4;
1270                limit = 255;
1271        } else {                        /* MODE_SENSE_10 */
1272                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1273                buf += 8;
1274                limit = 65535;          /* Should really be FSG_BUFLEN */
1275        }
1276
1277        /* No block descriptors */
1278
1279        /*
1280         * The mode pages, in numerical order.  The only page we support
1281         * is the Caching page.
1282         */
1283        if (page_code == 0x08 || all_pages) {
1284                valid_page = 1;
1285                buf[0] = 0x08;          /* Page code */
1286                buf[1] = 10;            /* Page length */
1287                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1288
1289                if (!changeable_values) {
1290                        buf[2] = 0x04;  /* Write cache enable, */
1291                                        /* Read cache not disabled */
1292                                        /* No cache retention priorities */
1293                        put_unaligned_be16(0xffff, &buf[4]);
1294                                        /* Don't disable prefetch */
1295                                        /* Minimum prefetch = 0 */
1296                        put_unaligned_be16(0xffff, &buf[8]);
1297                                        /* Maximum prefetch */
1298                        put_unaligned_be16(0xffff, &buf[10]);
1299                                        /* Maximum prefetch ceiling */
1300                }
1301                buf += 12;
1302        }
1303
1304        /*
1305         * Check that a valid page was requested and the mode data length
1306         * isn't too long.
1307         */
1308        len = buf - buf0;
1309        if (!valid_page || len > limit) {
1310                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1311                return -EINVAL;
1312        }
1313
1314        /*  Store the mode data length */
1315        if (mscmnd == MODE_SENSE)
1316                buf0[0] = len - 1;
1317        else
1318                put_unaligned_be16(len - 2, buf0);
1319        return len;
1320}
1321
1322static int do_start_stop(struct fsg_common *common)
1323{
1324        struct fsg_lun  *curlun = common->curlun;
1325        int             loej, start;
1326
1327        if (!curlun) {
1328                return -EINVAL;
1329        } else if (!curlun->removable) {
1330                curlun->sense_data = SS_INVALID_COMMAND;
1331                return -EINVAL;
1332        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1333                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1334                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1335                return -EINVAL;
1336        }
1337
1338        loej  = common->cmnd[4] & 0x02;
1339        start = common->cmnd[4] & 0x01;
1340
1341        /*
1342         * Our emulation doesn't support mounting; the medium is
1343         * available for use as soon as it is loaded.
1344         */
1345        if (start) {
1346                if (!fsg_lun_is_open(curlun)) {
1347                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1348                        return -EINVAL;
1349                }
1350                return 0;
1351        }
1352
1353        /* Are we allowed to unload the media? */
1354        if (curlun->prevent_medium_removal) {
1355                LDBG(curlun, "unload attempt prevented\n");
1356                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1357                return -EINVAL;
1358        }
1359
1360        if (!loej)
1361                return 0;
1362
1363        up_read(&common->filesem);
1364        down_write(&common->filesem);
1365        fsg_lun_close(curlun);
1366        up_write(&common->filesem);
1367        down_read(&common->filesem);
1368
1369        return 0;
1370}
1371
1372static int do_prevent_allow(struct fsg_common *common)
1373{
1374        struct fsg_lun  *curlun = common->curlun;
1375        int             prevent;
1376
1377        if (!common->curlun) {
1378                return -EINVAL;
1379        } else if (!common->curlun->removable) {
1380                common->curlun->sense_data = SS_INVALID_COMMAND;
1381                return -EINVAL;
1382        }
1383
1384        prevent = common->cmnd[4] & 0x01;
1385        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1386                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1387                return -EINVAL;
1388        }
1389
1390        if (curlun->prevent_medium_removal && !prevent)
1391                fsg_lun_fsync_sub(curlun);
1392        curlun->prevent_medium_removal = prevent;
1393        return 0;
1394}
1395
1396static int do_read_format_capacities(struct fsg_common *common,
1397                        struct fsg_buffhd *bh)
1398{
1399        struct fsg_lun  *curlun = common->curlun;
1400        u8              *buf = (u8 *) bh->buf;
1401
1402        buf[0] = buf[1] = buf[2] = 0;
1403        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1404        buf += 4;
1405
1406        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1407                                                /* Number of blocks */
1408        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1409        buf[4] = 0x02;                          /* Current capacity */
1410        return 12;
1411}
1412
1413static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1414{
1415        struct fsg_lun  *curlun = common->curlun;
1416
1417        /* We don't support MODE SELECT */
1418        if (curlun)
1419                curlun->sense_data = SS_INVALID_COMMAND;
1420        return -EINVAL;
1421}
1422
1423
1424/*-------------------------------------------------------------------------*/
1425
1426static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1427{
1428        int     rc;
1429
1430        rc = fsg_set_halt(fsg, fsg->bulk_in);
1431        if (rc == -EAGAIN)
1432                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1433        while (rc != 0) {
1434                if (rc != -EAGAIN) {
1435                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1436                        rc = 0;
1437                        break;
1438                }
1439
1440                /* Wait for a short time and then try again */
1441                if (msleep_interruptible(100) != 0)
1442                        return -EINTR;
1443                rc = usb_ep_set_halt(fsg->bulk_in);
1444        }
1445        return rc;
1446}
1447
1448static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1449{
1450        int     rc;
1451
1452        DBG(fsg, "bulk-in set wedge\n");
1453        rc = usb_ep_set_wedge(fsg->bulk_in);
1454        if (rc == -EAGAIN)
1455                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1456        while (rc != 0) {
1457                if (rc != -EAGAIN) {
1458                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1459                        rc = 0;
1460                        break;
1461                }
1462
1463                /* Wait for a short time and then try again */
1464                if (msleep_interruptible(100) != 0)
1465                        return -EINTR;
1466                rc = usb_ep_set_wedge(fsg->bulk_in);
1467        }
1468        return rc;
1469}
1470
1471static int throw_away_data(struct fsg_common *common)
1472{
1473        struct fsg_buffhd       *bh;
1474        u32                     amount;
1475        int                     rc;
1476
1477        for (bh = common->next_buffhd_to_drain;
1478             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1479             bh = common->next_buffhd_to_drain) {
1480
1481                /* Throw away the data in a filled buffer */
1482                if (bh->state == BUF_STATE_FULL) {
1483                        smp_rmb();
1484                        bh->state = BUF_STATE_EMPTY;
1485                        common->next_buffhd_to_drain = bh->next;
1486
1487                        /* A short packet or an error ends everything */
1488                        if (bh->outreq->actual < bh->bulk_out_intended_length ||
1489                            bh->outreq->status != 0) {
1490                                raise_exception(common,
1491                                                FSG_STATE_ABORT_BULK_OUT);
1492                                return -EINTR;
1493                        }
1494                        continue;
1495                }
1496
1497                /* Try to submit another request if we need one */
1498                bh = common->next_buffhd_to_fill;
1499                if (bh->state == BUF_STATE_EMPTY
1500                 && common->usb_amount_left > 0) {
1501                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1502
1503                        /*
1504                         * Except at the end of the transfer, amount will be
1505                         * equal to the buffer size, which is divisible by
1506                         * the bulk-out maxpacket size.
1507                         */
1508                        set_bulk_out_req_length(common, bh, amount);
1509                        if (!start_out_transfer(common, bh))
1510                                /* Dunno what to do if common->fsg is NULL */
1511                                return -EIO;
1512                        common->next_buffhd_to_fill = bh->next;
1513                        common->usb_amount_left -= amount;
1514                        continue;
1515                }
1516
1517                /* Otherwise wait for something to happen */
1518                rc = sleep_thread(common, true);
1519                if (rc)
1520                        return rc;
1521        }
1522        return 0;
1523}
1524
1525static int finish_reply(struct fsg_common *common)
1526{
1527        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1528        int                     rc = 0;
1529
1530        switch (common->data_dir) {
1531        case DATA_DIR_NONE:
1532                break;                  /* Nothing to send */
1533
1534        /*
1535         * If we don't know whether the host wants to read or write,
1536         * this must be CB or CBI with an unknown command.  We mustn't
1537         * try to send or receive any data.  So stall both bulk pipes
1538         * if we can and wait for a reset.
1539         */
1540        case DATA_DIR_UNKNOWN:
1541                if (!common->can_stall) {
1542                        /* Nothing */
1543                } else if (fsg_is_set(common)) {
1544                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1545                        rc = halt_bulk_in_endpoint(common->fsg);
1546                } else {
1547                        /* Don't know what to do if common->fsg is NULL */
1548                        rc = -EIO;
1549                }
1550                break;
1551
1552        /* All but the last buffer of data must have already been sent */
1553        case DATA_DIR_TO_HOST:
1554                if (common->data_size == 0) {
1555                        /* Nothing to send */
1556
1557                /* Don't know what to do if common->fsg is NULL */
1558                } else if (!fsg_is_set(common)) {
1559                        rc = -EIO;
1560
1561                /* If there's no residue, simply send the last buffer */
1562                } else if (common->residue == 0) {
1563                        bh->inreq->zero = 0;
1564                        if (!start_in_transfer(common, bh))
1565                                return -EIO;
1566                        common->next_buffhd_to_fill = bh->next;
1567
1568                /*
1569                 * For Bulk-only, mark the end of the data with a short
1570                 * packet.  If we are allowed to stall, halt the bulk-in
1571                 * endpoint.  (Note: This violates the Bulk-Only Transport
1572                 * specification, which requires us to pad the data if we
1573                 * don't halt the endpoint.  Presumably nobody will mind.)
1574                 */
1575                } else {
1576                        bh->inreq->zero = 1;
1577                        if (!start_in_transfer(common, bh))
1578                                rc = -EIO;
1579                        common->next_buffhd_to_fill = bh->next;
1580                        if (common->can_stall)
1581                                rc = halt_bulk_in_endpoint(common->fsg);
1582                }
1583                break;
1584
1585        /*
1586         * We have processed all we want from the data the host has sent.
1587         * There may still be outstanding bulk-out requests.
1588         */
1589        case DATA_DIR_FROM_HOST:
1590                if (common->residue == 0) {
1591                        /* Nothing to receive */
1592
1593                /* Did the host stop sending unexpectedly early? */
1594                } else if (common->short_packet_received) {
1595                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1596                        rc = -EINTR;
1597
1598                /*
1599                 * We haven't processed all the incoming data.  Even though
1600                 * we may be allowed to stall, doing so would cause a race.
1601                 * The controller may already have ACK'ed all the remaining
1602                 * bulk-out packets, in which case the host wouldn't see a
1603                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1604                 * clear the halt -- leading to problems later on.
1605                 */
1606#if 0
1607                } else if (common->can_stall) {
1608                        if (fsg_is_set(common))
1609                                fsg_set_halt(common->fsg,
1610                                             common->fsg->bulk_out);
1611                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1612                        rc = -EINTR;
1613#endif
1614
1615                /*
1616                 * We can't stall.  Read in the excess data and throw it
1617                 * all away.
1618                 */
1619                } else {
1620                        rc = throw_away_data(common);
1621                }
1622                break;
1623        }
1624        return rc;
1625}
1626
1627static int send_status(struct fsg_common *common)
1628{
1629        struct fsg_lun          *curlun = common->curlun;
1630        struct fsg_buffhd       *bh;
1631        struct bulk_cs_wrap     *csw;
1632        int                     rc;
1633        u8                      status = US_BULK_STAT_OK;
1634        u32                     sd, sdinfo = 0;
1635
1636        /* Wait for the next buffer to become available */
1637        bh = common->next_buffhd_to_fill;
1638        while (bh->state != BUF_STATE_EMPTY) {
1639                rc = sleep_thread(common, true);
1640                if (rc)
1641                        return rc;
1642        }
1643
1644        if (curlun) {
1645                sd = curlun->sense_data;
1646                sdinfo = curlun->sense_data_info;
1647        } else if (common->bad_lun_okay)
1648                sd = SS_NO_SENSE;
1649        else
1650                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1651
1652        if (common->phase_error) {
1653                DBG(common, "sending phase-error status\n");
1654                status = US_BULK_STAT_PHASE;
1655                sd = SS_INVALID_COMMAND;
1656        } else if (sd != SS_NO_SENSE) {
1657                DBG(common, "sending command-failure status\n");
1658                status = US_BULK_STAT_FAIL;
1659                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1660                                "  info x%x\n",
1661                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1662        }
1663
1664        /* Store and send the Bulk-only CSW */
1665        csw = (void *)bh->buf;
1666
1667        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1668        csw->Tag = common->tag;
1669        csw->Residue = cpu_to_le32(common->residue);
1670        csw->Status = status;
1671
1672        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1673        bh->inreq->zero = 0;
1674        if (!start_in_transfer(common, bh))
1675                /* Don't know what to do if common->fsg is NULL */
1676                return -EIO;
1677
1678        common->next_buffhd_to_fill = bh->next;
1679        return 0;
1680}
1681
1682
1683/*-------------------------------------------------------------------------*/
1684
1685/*
1686 * Check whether the command is properly formed and whether its data size
1687 * and direction agree with the values we already have.
1688 */
1689static int check_command(struct fsg_common *common, int cmnd_size,
1690                         enum data_direction data_dir, unsigned int mask,
1691                         int needs_medium, const char *name)
1692{
1693        int                     i;
1694        unsigned int            lun = common->cmnd[1] >> 5;
1695        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1696        char                    hdlen[20];
1697        struct fsg_lun          *curlun;
1698
1699        hdlen[0] = 0;
1700        if (common->data_dir != DATA_DIR_UNKNOWN)
1701                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1702                        common->data_size);
1703        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1704             name, cmnd_size, dirletter[(int) data_dir],
1705             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1706
1707        /*
1708         * We can't reply at all until we know the correct data direction
1709         * and size.
1710         */
1711        if (common->data_size_from_cmnd == 0)
1712                data_dir = DATA_DIR_NONE;
1713        if (common->data_size < common->data_size_from_cmnd) {
1714                /*
1715                 * Host data size < Device data size is a phase error.
1716                 * Carry out the command, but only transfer as much as
1717                 * we are allowed.
1718                 */
1719                common->data_size_from_cmnd = common->data_size;
1720                common->phase_error = 1;
1721        }
1722        common->residue = common->data_size;
1723        common->usb_amount_left = common->data_size;
1724
1725        /* Conflicting data directions is a phase error */
1726        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1727                common->phase_error = 1;
1728                return -EINVAL;
1729        }
1730
1731        /* Verify the length of the command itself */
1732        if (cmnd_size != common->cmnd_size) {
1733
1734                /*
1735                 * Special case workaround: There are plenty of buggy SCSI
1736                 * implementations. Many have issues with cbw->Length
1737                 * field passing a wrong command size. For those cases we
1738                 * always try to work around the problem by using the length
1739                 * sent by the host side provided it is at least as large
1740                 * as the correct command length.
1741                 * Examples of such cases would be MS-Windows, which issues
1742                 * REQUEST SENSE with cbw->Length == 12 where it should
1743                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1744                 * REQUEST SENSE with cbw->Length == 10 where it should
1745                 * be 6 as well.
1746                 */
1747                if (cmnd_size <= common->cmnd_size) {
1748                        DBG(common, "%s is buggy! Expected length %d "
1749                            "but we got %d\n", name,
1750                            cmnd_size, common->cmnd_size);
1751                        cmnd_size = common->cmnd_size;
1752                } else {
1753                        common->phase_error = 1;
1754                        return -EINVAL;
1755                }
1756        }
1757
1758        /* Check that the LUN values are consistent */
1759        if (common->lun != lun)
1760                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1761                    common->lun, lun);
1762
1763        /* Check the LUN */
1764        curlun = common->curlun;
1765        if (curlun) {
1766                if (common->cmnd[0] != REQUEST_SENSE) {
1767                        curlun->sense_data = SS_NO_SENSE;
1768                        curlun->sense_data_info = 0;
1769                        curlun->info_valid = 0;
1770                }
1771        } else {
1772                common->bad_lun_okay = 0;
1773
1774                /*
1775                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1776                 * to use unsupported LUNs; all others may not.
1777                 */
1778                if (common->cmnd[0] != INQUIRY &&
1779                    common->cmnd[0] != REQUEST_SENSE) {
1780                        DBG(common, "unsupported LUN %u\n", common->lun);
1781                        return -EINVAL;
1782                }
1783        }
1784
1785        /*
1786         * If a unit attention condition exists, only INQUIRY and
1787         * REQUEST SENSE commands are allowed; anything else must fail.
1788         */
1789        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1790            common->cmnd[0] != INQUIRY &&
1791            common->cmnd[0] != REQUEST_SENSE) {
1792                curlun->sense_data = curlun->unit_attention_data;
1793                curlun->unit_attention_data = SS_NO_SENSE;
1794                return -EINVAL;
1795        }
1796
1797        /* Check that only command bytes listed in the mask are non-zero */
1798        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1799        for (i = 1; i < cmnd_size; ++i) {
1800                if (common->cmnd[i] && !(mask & (1 << i))) {
1801                        if (curlun)
1802                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1803                        return -EINVAL;
1804                }
1805        }
1806
1807        /* If the medium isn't mounted and the command needs to access
1808         * it, return an error. */
1809        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1810                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1811                return -EINVAL;
1812        }
1813
1814        return 0;
1815}
1816
1817/* wrapper of check_command for data size in blocks handling */
1818static int check_command_size_in_blocks(struct fsg_common *common,
1819                int cmnd_size, enum data_direction data_dir,
1820                unsigned int mask, int needs_medium, const char *name)
1821{
1822        if (common->curlun)
1823                common->data_size_from_cmnd <<= common->curlun->blkbits;
1824        return check_command(common, cmnd_size, data_dir,
1825                        mask, needs_medium, name);
1826}
1827
1828static int do_scsi_command(struct fsg_common *common)
1829{
1830        struct fsg_buffhd       *bh;
1831        int                     rc;
1832        int                     reply = -EINVAL;
1833        int                     i;
1834        static char             unknown[16];
1835
1836        dump_cdb(common);
1837
1838        /* Wait for the next buffer to become available for data or status */
1839        bh = common->next_buffhd_to_fill;
1840        common->next_buffhd_to_drain = bh;
1841        while (bh->state != BUF_STATE_EMPTY) {
1842                rc = sleep_thread(common, true);
1843                if (rc)
1844                        return rc;
1845        }
1846        common->phase_error = 0;
1847        common->short_packet_received = 0;
1848
1849        down_read(&common->filesem);    /* We're using the backing file */
1850        switch (common->cmnd[0]) {
1851
1852        case INQUIRY:
1853                common->data_size_from_cmnd = common->cmnd[4];
1854                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1855                                      (1<<4), 0,
1856                                      "INQUIRY");
1857                if (reply == 0)
1858                        reply = do_inquiry(common, bh);
1859                break;
1860
1861        case MODE_SELECT:
1862                common->data_size_from_cmnd = common->cmnd[4];
1863                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1864                                      (1<<1) | (1<<4), 0,
1865                                      "MODE SELECT(6)");
1866                if (reply == 0)
1867                        reply = do_mode_select(common, bh);
1868                break;
1869
1870        case MODE_SELECT_10:
1871                common->data_size_from_cmnd =
1872                        get_unaligned_be16(&common->cmnd[7]);
1873                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1874                                      (1<<1) | (3<<7), 0,
1875                                      "MODE SELECT(10)");
1876                if (reply == 0)
1877                        reply = do_mode_select(common, bh);
1878                break;
1879
1880        case MODE_SENSE:
1881                common->data_size_from_cmnd = common->cmnd[4];
1882                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1883                                      (1<<1) | (1<<2) | (1<<4), 0,
1884                                      "MODE SENSE(6)");
1885                if (reply == 0)
1886                        reply = do_mode_sense(common, bh);
1887                break;
1888
1889        case MODE_SENSE_10:
1890                common->data_size_from_cmnd =
1891                        get_unaligned_be16(&common->cmnd[7]);
1892                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1893                                      (1<<1) | (1<<2) | (3<<7), 0,
1894                                      "MODE SENSE(10)");
1895                if (reply == 0)
1896                        reply = do_mode_sense(common, bh);
1897                break;
1898
1899        case ALLOW_MEDIUM_REMOVAL:
1900                common->data_size_from_cmnd = 0;
1901                reply = check_command(common, 6, DATA_DIR_NONE,
1902                                      (1<<4), 0,
1903                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1904                if (reply == 0)
1905                        reply = do_prevent_allow(common);
1906                break;
1907
1908        case READ_6:
1909                i = common->cmnd[4];
1910                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1911                reply = check_command_size_in_blocks(common, 6,
1912                                      DATA_DIR_TO_HOST,
1913                                      (7<<1) | (1<<4), 1,
1914                                      "READ(6)");
1915                if (reply == 0)
1916                        reply = do_read(common);
1917                break;
1918
1919        case READ_10:
1920                common->data_size_from_cmnd =
1921                                get_unaligned_be16(&common->cmnd[7]);
1922                reply = check_command_size_in_blocks(common, 10,
1923                                      DATA_DIR_TO_HOST,
1924                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1925                                      "READ(10)");
1926                if (reply == 0)
1927                        reply = do_read(common);
1928                break;
1929
1930        case READ_12:
1931                common->data_size_from_cmnd =
1932                                get_unaligned_be32(&common->cmnd[6]);
1933                reply = check_command_size_in_blocks(common, 12,
1934                                      DATA_DIR_TO_HOST,
1935                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1936                                      "READ(12)");
1937                if (reply == 0)
1938                        reply = do_read(common);
1939                break;
1940
1941        case READ_CAPACITY:
1942                common->data_size_from_cmnd = 8;
1943                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1944                                      (0xf<<2) | (1<<8), 1,
1945                                      "READ CAPACITY");
1946                if (reply == 0)
1947                        reply = do_read_capacity(common, bh);
1948                break;
1949
1950        case READ_HEADER:
1951                if (!common->curlun || !common->curlun->cdrom)
1952                        goto unknown_cmnd;
1953                common->data_size_from_cmnd =
1954                        get_unaligned_be16(&common->cmnd[7]);
1955                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1956                                      (3<<7) | (0x1f<<1), 1,
1957                                      "READ HEADER");
1958                if (reply == 0)
1959                        reply = do_read_header(common, bh);
1960                break;
1961
1962        case READ_TOC:
1963                if (!common->curlun || !common->curlun->cdrom)
1964                        goto unknown_cmnd;
1965                common->data_size_from_cmnd =
1966                        get_unaligned_be16(&common->cmnd[7]);
1967                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1968                                      (7<<6) | (1<<1), 1,
1969                                      "READ TOC");
1970                if (reply == 0)
1971                        reply = do_read_toc(common, bh);
1972                break;
1973
1974        case READ_FORMAT_CAPACITIES:
1975                common->data_size_from_cmnd =
1976                        get_unaligned_be16(&common->cmnd[7]);
1977                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1978                                      (3<<7), 1,
1979                                      "READ FORMAT CAPACITIES");
1980                if (reply == 0)
1981                        reply = do_read_format_capacities(common, bh);
1982                break;
1983
1984        case REQUEST_SENSE:
1985                common->data_size_from_cmnd = common->cmnd[4];
1986                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1987                                      (1<<4), 0,
1988                                      "REQUEST SENSE");
1989                if (reply == 0)
1990                        reply = do_request_sense(common, bh);
1991                break;
1992
1993        case START_STOP:
1994                common->data_size_from_cmnd = 0;
1995                reply = check_command(common, 6, DATA_DIR_NONE,
1996                                      (1<<1) | (1<<4), 0,
1997                                      "START-STOP UNIT");
1998                if (reply == 0)
1999                        reply = do_start_stop(common);
2000                break;

2001
2002        case SYNCHRONIZE_CACHE:
2003                common->data_size_from_cmnd = 0;
2004                reply = check_command(common, 10, DATA_DIR_NONE,
2005                                      (0xf<<2) | (3<<7), 1,
2006                                      "SYNCHRONIZE CACHE");
2007                if (reply == 0)
2008                        reply = do_synchronize_cache(common);
2009                break;
2010
2011        case TEST_UNIT_READY:
2012                common->data_size_from_cmnd = 0;
2013                reply = check_command(common, 6, DATA_DIR_NONE,
2014                                0, 1,
2015                                "TEST UNIT READY");
2016                break;
2017
2018        /*
2019         * Although optional, this command is used by MS-Windows.  We
2020         * support a minimal version: BytChk must be 0.
2021         */
2022        case VERIFY:
2023                common->data_size_from_cmnd = 0;
2024                reply = check_command(common, 10, DATA_DIR_NONE,
2025                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2026                                      "VERIFY");
2027                if (reply == 0)
2028                        reply = do_verify(common);
2029                break;
2030
2031        case WRITE_6:
2032                i = common->cmnd[4];
2033                common->data_size_from_cmnd = (i == 0) ? 256 : i;
2034                reply = check_command_size_in_blocks(common, 6,
2035                                      DATA_DIR_FROM_HOST,
2036                                      (7<<1) | (1<<4), 1,
2037                                      "WRITE(6)");
2038                if (reply == 0)
2039                        reply = do_write(common);
2040                break;
2041
2042        case WRITE_10:
2043                common->data_size_from_cmnd =
2044                                get_unaligned_be16(&common->cmnd[7]);
2045                reply = check_command_size_in_blocks(common, 10,
2046                                      DATA_DIR_FROM_HOST,
2047                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2048                                      "WRITE(10)");
2049                if (reply == 0)
2050                        reply = do_write(common);
2051                break;
2052
2053        case WRITE_12:
2054                common->data_size_from_cmnd =
2055                                get_unaligned_be32(&common->cmnd[6]);
2056                reply = check_command_size_in_blocks(common, 12,
2057                                      DATA_DIR_FROM_HOST,
2058                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2059                                      "WRITE(12)");
2060                if (reply == 0)
2061                        reply = do_write(common);
2062                break;
2063
2064        /*
2065         * Some mandatory commands that we recognize but don't implement.
2066         * They don't mean much in this setting.  It's left as an exercise
2067         * for anyone interested to implement RESERVE and RELEASE in terms
2068         * of Posix locks.
2069         */
2070        case FORMAT_UNIT:
2071        case RELEASE:
2072        case RESERVE:
2073        case SEND_DIAGNOSTIC:
2074                /* Fall through */
2075
2076        default:
2077unknown_cmnd:
2078                common->data_size_from_cmnd = 0;
2079                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2080                reply = check_command(common, common->cmnd_size,
2081                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2082                if (reply == 0) {
2083                        common->curlun->sense_data = SS_INVALID_COMMAND;
2084                        reply = -EINVAL;
2085                }
2086                break;
2087        }
2088        up_read(&common->filesem);
2089
2090        if (reply == -EINTR || signal_pending(current))
2091                return -EINTR;
2092
2093        /* Set up the single reply buffer for finish_reply() */
2094        if (reply == -EINVAL)
2095                reply = 0;              /* Error reply length */
2096        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2097                reply = min((u32)reply, common->data_size_from_cmnd);
2098                bh->inreq->length = reply;
2099                bh->state = BUF_STATE_FULL;
2100                common->residue -= reply;
2101        }                               /* Otherwise it's already set */
2102
2103        return 0;
2104}
2105
2106
2107/*-------------------------------------------------------------------------*/
2108
2109static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2110{
2111        struct usb_request      *req = bh->outreq;
2112        struct bulk_cb_wrap     *cbw = req->buf;
2113        struct fsg_common       *common = fsg->common;
2114
2115        /* Was this a real packet?  Should it be ignored? */
2116        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2117                return -EINVAL;
2118
2119        /* Is the CBW valid? */
2120        if (req->actual != US_BULK_CB_WRAP_LEN ||
2121                        cbw->Signature != cpu_to_le32(
2122                                US_BULK_CB_SIGN)) {
2123                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2124                                req->actual,
2125                                le32_to_cpu(cbw->Signature));
2126
2127                /*
2128                 * The Bulk-only spec says we MUST stall the IN endpoint
2129                 * (6.6.1), so it's unavoidable.  It also says we must
2130                 * retain this state until the next reset, but there's
2131                 * no way to tell the controller driver it should ignore
2132                 * Clear-Feature(HALT) requests.
2133                 *
2134                 * We aren't required to halt the OUT endpoint; instead
2135                 * we can simply accept and discard any data received
2136                 * until the next reset.
2137                 */
2138                wedge_bulk_in_endpoint(fsg);
2139                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2140                return -EINVAL;
2141        }
2142
2143        /* Is the CBW meaningful? */
2144        if (cbw->Lun >= ARRAY_SIZE(common->luns) ||
2145            cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 ||
2146            cbw->Length > MAX_COMMAND_SIZE) {
2147                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2148                                "cmdlen %u\n",
2149                                cbw->Lun, cbw->Flags, cbw->Length);
2150
2151                /*
2152                 * We can do anything we want here, so let's stall the
2153                 * bulk pipes if we are allowed to.
2154                 */
2155                if (common->can_stall) {
2156                        fsg_set_halt(fsg, fsg->bulk_out);
2157                        halt_bulk_in_endpoint(fsg);
2158                }
2159                return -EINVAL;
2160        }
2161
2162        /* Save the command for later */
2163        common->cmnd_size = cbw->Length;
2164        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2165        if (cbw->Flags & US_BULK_FLAG_IN)
2166                common->data_dir = DATA_DIR_TO_HOST;
2167        else
2168                common->data_dir = DATA_DIR_FROM_HOST;
2169        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2170        if (common->data_size == 0)
2171                common->data_dir = DATA_DIR_NONE;
2172        common->lun = cbw->Lun;
2173        if (common->lun < ARRAY_SIZE(common->luns))
2174                common->curlun = common->luns[common->lun];
2175        else
2176                common->curlun = NULL;
2177        common->tag = cbw->Tag;
2178        return 0;
2179}
2180
2181static int get_next_command(struct fsg_common *common)
2182{
2183        struct fsg_buffhd       *bh;
2184        int                     rc = 0;
2185
2186        /* Wait for the next buffer to become available */
2187        bh = common->next_buffhd_to_fill;
2188        while (bh->state != BUF_STATE_EMPTY) {
2189                rc = sleep_thread(common, true);
2190                if (rc)
2191                        return rc;
2192        }
2193
2194        /* Queue a request to read a Bulk-only CBW */
2195        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2196        if (!start_out_transfer(common, bh))
2197                /* Don't know what to do if common->fsg is NULL */
2198                return -EIO;
2199
2200        /*
2201         * We will drain the buffer in software, which means we
2202         * can reuse it for the next filling.  No need to advance
2203         * next_buffhd_to_fill.
2204         */
2205
2206        /* Wait for the CBW to arrive */
2207        while (bh->state != BUF_STATE_FULL) {
2208                rc = sleep_thread(common, true);
2209                if (rc)
2210                        return rc;
2211        }
2212        smp_rmb();
2213        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2214        bh->state = BUF_STATE_EMPTY;
2215
2216        return rc;
2217}
2218
2219
2220/*-------------------------------------------------------------------------*/
2221
2222static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2223                struct usb_request **preq)
2224{
2225        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2226        if (*preq)
2227                return 0;
2228        ERROR(common, "can't allocate request for %s\n", ep->name);
2229        return -ENOMEM;
2230}
2231
2232/* Reset interface setting and re-init endpoint state (toggle etc). */
2233static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2234{
2235        struct fsg_dev *fsg;
2236        int i, rc = 0;
2237
2238        if (common->running)
2239                DBG(common, "reset interface\n");
2240
2241reset:
2242        /* Deallocate the requests */
2243        if (common->fsg) {
2244                fsg = common->fsg;
2245
2246                for (i = 0; i < common->fsg_num_buffers; ++i) {
2247                        struct fsg_buffhd *bh = &common->buffhds[i];
2248
2249                        if (bh->inreq) {
2250                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2251                                bh->inreq = NULL;
2252                        }
2253                        if (bh->outreq) {
2254                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2255                                bh->outreq = NULL;
2256                        }
2257                }
2258
2259                /* Disable the endpoints */
2260                if (fsg->bulk_in_enabled) {
2261                        usb_ep_disable(fsg->bulk_in);
2262                        fsg->bulk_in_enabled = 0;
2263                }
2264                if (fsg->bulk_out_enabled) {
2265                        usb_ep_disable(fsg->bulk_out);
2266                        fsg->bulk_out_enabled = 0;
2267                }
2268
2269                common->fsg = NULL;
2270                wake_up(&common->fsg_wait);
2271        }
2272
2273        common->running = 0;
2274        if (!new_fsg || rc)
2275                return rc;
2276
2277        common->fsg = new_fsg;
2278        fsg = common->fsg;
2279
2280        /* Enable the endpoints */
2281        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2282        if (rc)
2283                goto reset;
2284        rc = usb_ep_enable(fsg->bulk_in);
2285        if (rc)
2286                goto reset;
2287        fsg->bulk_in->driver_data = common;
2288        fsg->bulk_in_enabled = 1;
2289
2290        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2291                                fsg->bulk_out);
2292        if (rc)
2293                goto reset;
2294        rc = usb_ep_enable(fsg->bulk_out);
2295        if (rc)
2296                goto reset;
2297        fsg->bulk_out->driver_data = common;
2298        fsg->bulk_out_enabled = 1;
2299        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2300        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2301
2302        /* Allocate the requests */
2303        for (i = 0; i < common->fsg_num_buffers; ++i) {
2304                struct fsg_buffhd       *bh = &common->buffhds[i];
2305
2306                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2307                if (rc)
2308                        goto reset;
2309                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2310                if (rc)
2311                        goto reset;
2312                bh->inreq->buf = bh->outreq->buf = bh->buf;
2313                bh->inreq->context = bh->outreq->context = bh;
2314                bh->inreq->complete = bulk_in_complete;
2315                bh->outreq->complete = bulk_out_complete;
2316        }
2317
2318        common->running = 1;
2319        for (i = 0; i < ARRAY_SIZE(common->luns); ++i)
2320                if (common->luns[i])
2321                        common->luns[i]->unit_attention_data =
2322                                SS_RESET_OCCURRED;
2323        return rc;
2324}
2325
2326
2327/****************************** ALT CONFIGS ******************************/
2328
2329static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2330{
2331        struct fsg_dev *fsg = fsg_from_func(f);
2332        fsg->common->new_fsg = fsg;
2333        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2334        return USB_GADGET_DELAYED_STATUS;
2335}
2336
2337static void fsg_disable(struct usb_function *f)
2338{
2339        struct fsg_dev *fsg = fsg_from_func(f);
2340        fsg->common->new_fsg = NULL;
2341        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2342}
2343
2344
2345/*-------------------------------------------------------------------------*/
2346
2347static void handle_exception(struct fsg_common *common)
2348{
2349        int                     i;
2350        struct fsg_buffhd       *bh;
2351        enum fsg_state          old_state;
2352        struct fsg_lun          *curlun;
2353        unsigned int            exception_req_tag;
2354
2355        /*
2356         * Clear the existing signals.  Anything but SIGUSR1 is converted
2357         * into a high-priority EXIT exception.
2358         */
2359        for (;;) {
2360                int sig = kernel_dequeue_signal(NULL);
2361                if (!sig)
2362                        break;
2363                if (sig != SIGUSR1) {
2364                        if (common->state < FSG_STATE_EXIT)
2365                                DBG(common, "Main thread exiting on signal\n");
2366                        raise_exception(common, FSG_STATE_EXIT);
2367                }
2368        }
2369
2370        /* Cancel all the pending transfers */
2371        if (likely(common->fsg)) {
2372                for (i = 0; i < common->fsg_num_buffers; ++i) {
2373                        bh = &common->buffhds[i];
2374                        if (bh->inreq_busy)
2375                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2376                        if (bh->outreq_busy)
2377                                usb_ep_dequeue(common->fsg->bulk_out,
2378                                               bh->outreq);
2379                }
2380
2381                /* Wait until everything is idle */
2382                for (;;) {
2383                        int num_active = 0;
2384                        for (i = 0; i < common->fsg_num_buffers; ++i) {
2385                                bh = &common->buffhds[i];
2386                                num_active += bh->inreq_busy + bh->outreq_busy;
2387                        }
2388                        if (num_active == 0)
2389                                break;
2390                        if (sleep_thread(common, true))
2391                                return;
2392                }
2393
2394                /* Clear out the controller's fifos */
2395                if (common->fsg->bulk_in_enabled)
2396                        usb_ep_fifo_flush(common->fsg->bulk_in);
2397                if (common->fsg->bulk_out_enabled)
2398                        usb_ep_fifo_flush(common->fsg->bulk_out);
2399        }
2400
2401        /*
2402         * Reset the I/O buffer states and pointers, the SCSI
2403         * state, and the exception.  Then invoke the handler.
2404         */
2405        spin_lock_irq(&common->lock);
2406
2407        for (i = 0; i < common->fsg_num_buffers; ++i) {
2408                bh = &common->buffhds[i];
2409                bh->state = BUF_STATE_EMPTY;
2410        }
2411        common->next_buffhd_to_fill = &common->buffhds[0];
2412        common->next_buffhd_to_drain = &common->buffhds[0];
2413        exception_req_tag = common->exception_req_tag;
2414        old_state = common->state;
2415
2416        if (old_state == FSG_STATE_ABORT_BULK_OUT)
2417                common->state = FSG_STATE_STATUS_PHASE;
2418        else {
2419                for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2420                        curlun = common->luns[i];
2421                        if (!curlun)
2422                                continue;
2423                        curlun->prevent_medium_removal = 0;
2424                        curlun->sense_data = SS_NO_SENSE;
2425                        curlun->unit_attention_data = SS_NO_SENSE;
2426                        curlun->sense_data_info = 0;
2427                        curlun->info_valid = 0;
2428                }
2429                common->state = FSG_STATE_IDLE;
2430        }
2431        spin_unlock_irq(&common->lock);
2432
2433        /* Carry out any extra actions required for the exception */
2434        switch (old_state) {
2435        case FSG_STATE_ABORT_BULK_OUT:
2436                send_status(common);
2437                spin_lock_irq(&common->lock);
2438                if (common->state == FSG_STATE_STATUS_PHASE)
2439                        common->state = FSG_STATE_IDLE;
2440                spin_unlock_irq(&common->lock);
2441                break;
2442
2443        case FSG_STATE_RESET:
2444                /*
2445                 * In case we were forced against our will to halt a
2446                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2447                 * requires this.)
2448                 */
2449                if (!fsg_is_set(common))
2450                        break;
2451                if (test_and_clear_bit(IGNORE_BULK_OUT,
2452                                       &common->fsg->atomic_bitflags))
2453                        usb_ep_clear_halt(common->fsg->bulk_in);
2454
2455                if (common->ep0_req_tag == exception_req_tag)
2456                        ep0_queue(common);      /* Complete the status stage */
2457
2458                /*
2459                 * Technically this should go here, but it would only be
2460                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2461                 * CONFIG_CHANGE cases.
2462                 */
2463                /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */
2464                /*      if (common->luns[i]) */
2465                /*              common->luns[i]->unit_attention_data = */
2466                /*                      SS_RESET_OCCURRED;  */
2467                break;
2468
2469        case FSG_STATE_CONFIG_CHANGE:
2470                do_set_interface(common, common->new_fsg);
2471                if (common->new_fsg)
2472                        usb_composite_setup_continue(common->cdev);
2473                break;
2474
2475        case FSG_STATE_EXIT:
2476        case FSG_STATE_TERMINATED:
2477                do_set_interface(common, NULL);         /* Free resources */
2478                spin_lock_irq(&common->lock);
2479                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2480                spin_unlock_irq(&common->lock);
2481                break;
2482
2483        case FSG_STATE_INTERFACE_CHANGE:
2484        case FSG_STATE_DISCONNECT:
2485        case FSG_STATE_COMMAND_PHASE:
2486        case FSG_STATE_DATA_PHASE:
2487        case FSG_STATE_STATUS_PHASE:
2488        case FSG_STATE_IDLE:
2489                break;
2490        }
2491}
2492
2493
2494/*-------------------------------------------------------------------------*/
2495
2496static int fsg_main_thread(void *common_)
2497{
2498        struct fsg_common       *common = common_;
2499
2500        /*
2501         * Allow the thread to be killed by a signal, but set the signal mask
2502         * to block everything but INT, TERM, KILL, and USR1.
2503         */
2504        allow_signal(SIGINT);
2505        allow_signal(SIGTERM);
2506        allow_signal(SIGKILL);
2507        allow_signal(SIGUSR1);
2508
2509        /* Allow the thread to be frozen */
2510        set_freezable();
2511
2512        /*
2513         * Arrange for userspace references to be interpreted as kernel
2514         * pointers.  That way we can pass a kernel pointer to a routine
2515         * that expects a __user pointer and it will work okay.
2516         */
2517        set_fs(get_ds());
2518
2519        /* The main loop */
2520        while (common->state != FSG_STATE_TERMINATED) {
2521                if (exception_in_progress(common) || signal_pending(current)) {
2522                        handle_exception(common);
2523                        continue;
2524                }
2525
2526                if (!common->running) {
2527                        sleep_thread(common, true);
2528                        continue;
2529                }
2530
2531                if (get_next_command(common))
2532                        continue;
2533
2534                spin_lock_irq(&common->lock);
2535                if (!exception_in_progress(common))
2536                        common->state = FSG_STATE_DATA_PHASE;
2537                spin_unlock_irq(&common->lock);
2538
2539                if (do_scsi_command(common) || finish_reply(common))
2540                        continue;
2541
2542                spin_lock_irq(&common->lock);
2543                if (!exception_in_progress(common))
2544                        common->state = FSG_STATE_STATUS_PHASE;
2545                spin_unlock_irq(&common->lock);
2546
2547                if (send_status(common))
2548                        continue;
2549
2550                spin_lock_irq(&common->lock);
2551                if (!exception_in_progress(common))
2552                        common->state = FSG_STATE_IDLE;
2553                spin_unlock_irq(&common->lock);
2554        }
2555
2556        spin_lock_irq(&common->lock);
2557        common->thread_task = NULL;
2558        spin_unlock_irq(&common->lock);
2559
2560        if (!common->ops || !common->ops->thread_exits
2561         || common->ops->thread_exits(common) < 0) {
2562                int i;
2563
2564                down_write(&common->filesem);
2565                for (i = 0; i < ARRAY_SIZE(common->luns); --i) {
2566                        struct fsg_lun *curlun = common->luns[i];
2567                        if (!curlun || !fsg_lun_is_open(curlun))
2568                                continue;
2569
2570                        fsg_lun_close(curlun);
2571                        curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
2572                }
2573                up_write(&common->filesem);
2574        }
2575
2576        /* Let fsg_unbind() know the thread has exited */
2577        complete_and_exit(&common->thread_notifier, 0);
2578}
2579
2580
2581/*************************** DEVICE ATTRIBUTES ***************************/
2582
2583static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2584{
2585        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2586
2587        return fsg_show_ro(curlun, buf);
2588}
2589
2590static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2591                          char *buf)
2592{
2593        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2594
2595        return fsg_show_nofua(curlun, buf);
2596}
2597
2598static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2599                         char *buf)
2600{
2601        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2602        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2603
2604        return fsg_show_file(curlun, filesem, buf);
2605}
2606
2607static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2608                        const char *buf, size_t count)
2609{
2610        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2611        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2612
2613        return fsg_store_ro(curlun, filesem, buf, count);
2614}
2615
2616static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2617                           const char *buf, size_t count)
2618{
2619        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2620
2621        return fsg_store_nofua(curlun, buf, count);
2622}
2623
2624static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2625                          const char *buf, size_t count)
2626{
2627        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2628        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2629
2630        return fsg_store_file(curlun, filesem, buf, count);
2631}
2632
2633static DEVICE_ATTR_RW(nofua);
2634/* mode wil be set in fsg_lun_attr_is_visible() */
2635static DEVICE_ATTR(ro, 0, ro_show, ro_store);
2636static DEVICE_ATTR(file, 0, file_show, file_store);
2637
2638/****************************** FSG COMMON ******************************/
2639
2640static void fsg_common_release(struct kref *ref);
2641
2642static void fsg_lun_release(struct device *dev)
2643{
2644        /* Nothing needs to be done */
2645}
2646
2647void fsg_common_get(struct fsg_common *common)
2648{
2649        kref_get(&common->ref);
2650}
2651EXPORT_SYMBOL_GPL(fsg_common_get);
2652
2653void fsg_common_put(struct fsg_common *common)
2654{
2655        kref_put(&common->ref, fsg_common_release);
2656}
2657EXPORT_SYMBOL_GPL(fsg_common_put);
2658
2659static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2660{
2661        if (!common) {
2662                common = kzalloc(sizeof(*common), GFP_KERNEL);
2663                if (!common)
2664                        return ERR_PTR(-ENOMEM);
2665                common->free_storage_on_release = 1;
2666        } else {
2667                common->free_storage_on_release = 0;
2668        }
2669        init_rwsem(&common->filesem);
2670        spin_lock_init(&common->lock);
2671        kref_init(&common->ref);
2672        init_completion(&common->thread_notifier);
2673        init_waitqueue_head(&common->fsg_wait);
2674        common->state = FSG_STATE_TERMINATED;
2675        memset(common->luns, 0, sizeof(common->luns));
2676
2677        return common;
2678}
2679
2680void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2681{
2682        common->sysfs = sysfs;
2683}
2684EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2685
2686static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2687{
2688        if (buffhds) {
2689                struct fsg_buffhd *bh = buffhds;
2690                while (n--) {
2691                        kfree(bh->buf);
2692                        ++bh;
2693                }
2694                kfree(buffhds);
2695        }
2696}
2697
2698int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2699{
2700        struct fsg_buffhd *bh, *buffhds;
2701        int i;
2702
2703        buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2704        if (!buffhds)
2705                return -ENOMEM;
2706
2707        /* Data buffers cyclic list */
2708        bh = buffhds;
2709        i = n;
2710        goto buffhds_first_it;
2711        do {
2712                bh->next = bh + 1;
2713                ++bh;
2714buffhds_first_it:
2715                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2716                if (unlikely(!bh->buf))
2717                        goto error_release;
2718        } while (--i);
2719        bh->next = buffhds;
2720
2721        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2722        common->fsg_num_buffers = n;
2723        common->buffhds = buffhds;
2724
2725        return 0;
2726
2727error_release:
2728        /*
2729         * "buf"s pointed to by heads after n - i are NULL
2730         * so releasing them won't hurt
2731         */
2732        _fsg_common_free_buffers(buffhds, n);
2733
2734        return -ENOMEM;
2735}
2736EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2737
2738void fsg_common_remove_lun(struct fsg_lun *lun)
2739{
2740        if (device_is_registered(&lun->dev))
2741                device_unregister(&lun->dev);
2742        fsg_lun_close(lun);
2743        kfree(lun);
2744}
2745EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2746
2747static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2748{
2749        int i;
2750
2751        for (i = 0; i < n; ++i)
2752                if (common->luns[i]) {
2753                        fsg_common_remove_lun(common->luns[i]);
2754                        common->luns[i] = NULL;
2755                }
2756}
2757
2758void fsg_common_remove_luns(struct fsg_common *common)
2759{
2760        _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns));
2761}
2762EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2763
2764void fsg_common_set_ops(struct fsg_common *common,
2765                        const struct fsg_operations *ops)
2766{
2767        common->ops = ops;
2768}
2769EXPORT_SYMBOL_GPL(fsg_common_set_ops);
2770
2771void fsg_common_free_buffers(struct fsg_common *common)
2772{
2773        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2774        common->buffhds = NULL;
2775}
2776EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2777
2778int fsg_common_set_cdev(struct fsg_common *common,
2779                         struct usb_composite_dev *cdev, bool can_stall)
2780{
2781        struct usb_string *us;
2782
2783        common->gadget = cdev->gadget;
2784        common->ep0 = cdev->gadget->ep0;
2785        common->ep0req = cdev->req;
2786        common->cdev = cdev;
2787
2788        us = usb_gstrings_attach(cdev, fsg_strings_array,
2789                                 ARRAY_SIZE(fsg_strings));
2790        if (IS_ERR(us))
2791                return PTR_ERR(us);
2792
2793        fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2794
2795        /*
2796         * Some peripheral controllers are known not to be able to
2797         * halt bulk endpoints correctly.  If one of them is present,
2798         * disable stalls.
2799         */
2800        common->can_stall = can_stall &&
2801                        gadget_is_stall_supported(common->gadget);
2802
2803        return 0;
2804}
2805EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2806
2807static struct attribute *fsg_lun_dev_attrs[] = {
2808        &dev_attr_ro.attr,
2809        &dev_attr_file.attr,
2810        &dev_attr_nofua.attr,
2811        NULL
2812};
2813
2814static umode_t fsg_lun_dev_is_visible(struct kobject *kobj,
2815                                      struct attribute *attr, int idx)
2816{
2817        struct device *dev = kobj_to_dev(kobj);
2818        struct fsg_lun *lun = fsg_lun_from_dev(dev);
2819
2820        if (attr == &dev_attr_ro.attr)
2821                return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO);
2822        if (attr == &dev_attr_file.attr)
2823                return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO;
2824        return attr->mode;
2825}
2826
2827static const struct attribute_group fsg_lun_dev_group = {
2828        .attrs = fsg_lun_dev_attrs,
2829        .is_visible = fsg_lun_dev_is_visible,
2830};
2831
2832static const struct attribute_group *fsg_lun_dev_groups[] = {
2833        &fsg_lun_dev_group,
2834        NULL
2835};
2836
2837int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2838                          unsigned int id, const char *name,
2839                          const char **name_pfx)
2840{
2841        struct fsg_lun *lun;
2842        char *pathbuf, *p;
2843        int rc = -ENOMEM;
2844
2845        if (id >= ARRAY_SIZE(common->luns))
2846                return -ENODEV;
2847
2848        if (common->luns[id])
2849                return -EBUSY;
2850
2851        if (!cfg->filename && !cfg->removable) {
2852                pr_err("no file given for LUN%d\n", id);
2853                return -EINVAL;
2854        }
2855
2856        lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2857        if (!lun)
2858                return -ENOMEM;
2859
2860        lun->name_pfx = name_pfx;
2861
2862        lun->cdrom = !!cfg->cdrom;
2863        lun->ro = cfg->cdrom || cfg->ro;
2864        lun->initially_ro = lun->ro;
2865        lun->removable = !!cfg->removable;
2866
2867        if (!common->sysfs) {
2868                /* we DON'T own the name!*/
2869                lun->name = name;
2870        } else {
2871                lun->dev.release = fsg_lun_release;
2872                lun->dev.parent = &common->gadget->dev;
2873                lun->dev.groups = fsg_lun_dev_groups;
2874                dev_set_drvdata(&lun->dev, &common->filesem);
2875                dev_set_name(&lun->dev, "%s", name);
2876                lun->name = dev_name(&lun->dev);
2877
2878                rc = device_register(&lun->dev);
2879                if (rc) {
2880                        pr_info("failed to register LUN%d: %d\n", id, rc);
2881                        put_device(&lun->dev);
2882                        goto error_sysfs;
2883                }
2884        }
2885
2886        common->luns[id] = lun;
2887
2888        if (cfg->filename) {
2889                rc = fsg_lun_open(lun, cfg->filename);
2890                if (rc)
2891                        goto error_lun;
2892        }
2893
2894        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2895        p = "(no medium)";
2896        if (fsg_lun_is_open(lun)) {
2897                p = "(error)";
2898                if (pathbuf) {
2899                        p = file_path(lun->filp, pathbuf, PATH_MAX);
2900                        if (IS_ERR(p))
2901                                p = "(error)";
2902                }
2903        }
2904        pr_info("LUN: %s%s%sfile: %s\n",
2905              lun->removable ? "removable " : "",
2906              lun->ro ? "read only " : "",
2907              lun->cdrom ? "CD-ROM " : "",
2908              p);
2909        kfree(pathbuf);
2910
2911        return 0;
2912
2913error_lun:
2914        if (device_is_registered(&lun->dev))
2915                device_unregister(&lun->dev);
2916        fsg_lun_close(lun);
2917        common->luns[id] = NULL;
2918error_sysfs:
2919        kfree(lun);
2920        return rc;
2921}
2922EXPORT_SYMBOL_GPL(fsg_common_create_lun);
2923
2924int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
2925{
2926        char buf[8]; /* enough for 100000000 different numbers, decimal */
2927        int i, rc;
2928
2929        fsg_common_remove_luns(common);
2930
2931        for (i = 0; i < cfg->nluns; ++i) {
2932                snprintf(buf, sizeof(buf), "lun%d", i);
2933                rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
2934                if (rc)
2935                        goto fail;
2936        }
2937
2938        pr_info("Number of LUNs=%d\n", cfg->nluns);
2939
2940        return 0;
2941
2942fail:
2943        _fsg_common_remove_luns(common, i);
2944        return rc;
2945}
2946EXPORT_SYMBOL_GPL(fsg_common_create_luns);
2947
2948void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
2949                                   const char *pn)
2950{
2951        int i;
2952
2953        /* Prepare inquiryString */
2954        i = get_default_bcdDevice();
2955        snprintf(common->inquiry_string, sizeof(common->inquiry_string),
2956                 "%-8s%-16s%04x", vn ?: "Linux",
2957                 /* Assume product name dependent on the first LUN */
2958                 pn ?: ((*common->luns)->cdrom
2959                     ? "File-CD Gadget"
2960                     : "File-Stor Gadget"),
2961                 i);
2962}
2963EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
2964
2965static void fsg_common_release(struct kref *ref)
2966{
2967        struct fsg_common *common = container_of(ref, struct fsg_common, ref);
2968        int i;
2969
2970        /* If the thread isn't already dead, tell it to exit now */
2971        if (common->state != FSG_STATE_TERMINATED) {
2972                raise_exception(common, FSG_STATE_EXIT);
2973                wait_for_completion(&common->thread_notifier);
2974                common->thread_task = NULL;
2975        }
2976
2977        for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2978                struct fsg_lun *lun = common->luns[i];
2979                if (!lun)
2980                        continue;
2981                fsg_lun_close(lun);
2982                if (device_is_registered(&lun->dev))
2983                        device_unregister(&lun->dev);
2984                kfree(lun);
2985        }
2986
2987        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2988        if (common->free_storage_on_release)
2989                kfree(common);
2990}
2991
2992
2993/*-------------------------------------------------------------------------*/
2994
2995static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2996{
2997        struct fsg_dev          *fsg = fsg_from_func(f);
2998        struct fsg_common       *common = fsg->common;
2999        struct usb_gadget       *gadget = c->cdev->gadget;
3000        int                     i;

3001        struct usb_ep           *ep;
3002        unsigned                max_burst;
3003        int                     ret;
3004        struct fsg_opts         *opts;
3005
3006        /* Don't allow to bind if we don't have at least one LUN */
3007        ret = _fsg_common_get_max_lun(common);
3008        if (ret < 0) {
3009                pr_err("There should be at least one LUN.\n");
3010                return -EINVAL;
3011        }
3012
3013        opts = fsg_opts_from_func_inst(f->fi);
3014        if (!opts->no_configfs) {
3015                ret = fsg_common_set_cdev(fsg->common, c->cdev,
3016                                          fsg->common->can_stall);
3017                if (ret)
3018                        return ret;
3019                fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
3020        }
3021
3022        if (!common->thread_task) {
3023                common->state = FSG_STATE_IDLE;
3024                common->thread_task =
3025                        kthread_create(fsg_main_thread, common, "file-storage");
3026                if (IS_ERR(common->thread_task)) {
3027                        int ret = PTR_ERR(common->thread_task);
3028                        common->thread_task = NULL;
3029                        common->state = FSG_STATE_TERMINATED;
3030                        return ret;
3031                }
3032                DBG(common, "I/O thread pid: %d\n",
3033                    task_pid_nr(common->thread_task));
3034                wake_up_process(common->thread_task);
3035        }
3036
3037        fsg->gadget = gadget;
3038
3039        /* New interface */
3040        i = usb_interface_id(c, f);
3041        if (i < 0)
3042                goto fail;
3043        fsg_intf_desc.bInterfaceNumber = i;
3044        fsg->interface_number = i;
3045
3046        /* Find all the endpoints we will use */
3047        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
3048        if (!ep)
3049                goto autoconf_fail;
3050        fsg->bulk_in = ep;
3051
3052        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
3053        if (!ep)
3054                goto autoconf_fail;
3055        fsg->bulk_out = ep;
3056
3057        /* Assume endpoint addresses are the same for both speeds */
3058        fsg_hs_bulk_in_desc.bEndpointAddress =
3059                fsg_fs_bulk_in_desc.bEndpointAddress;
3060        fsg_hs_bulk_out_desc.bEndpointAddress =
3061                fsg_fs_bulk_out_desc.bEndpointAddress;
3062
3063        /* Calculate bMaxBurst, we know packet size is 1024 */
3064        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
3065
3066        fsg_ss_bulk_in_desc.bEndpointAddress =
3067                fsg_fs_bulk_in_desc.bEndpointAddress;
3068        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
3069
3070        fsg_ss_bulk_out_desc.bEndpointAddress =
3071                fsg_fs_bulk_out_desc.bEndpointAddress;
3072        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
3073
3074        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
3075                        fsg_ss_function, fsg_ss_function);
3076        if (ret)
3077                goto autoconf_fail;
3078
3079        return 0;
3080
3081autoconf_fail:
3082        ERROR(fsg, "unable to autoconfigure all endpoints\n");
3083        i = -ENOTSUPP;
3084fail:
3085        /* terminate the thread */
3086        if (fsg->common->state != FSG_STATE_TERMINATED) {
3087                raise_exception(fsg->common, FSG_STATE_EXIT);
3088                wait_for_completion(&fsg->common->thread_notifier);
3089        }
3090        return i;
3091}
3092
3093/****************************** ALLOCATE FUNCTION *************************/
3094
3095static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
3096{
3097        struct fsg_dev          *fsg = fsg_from_func(f);
3098        struct fsg_common       *common = fsg->common;
3099
3100        DBG(fsg, "unbind\n");
3101        if (fsg->common->fsg == fsg) {
3102                fsg->common->new_fsg = NULL;
3103                raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
3104                /* FIXME: make interruptible or killable somehow? */
3105                wait_event(common->fsg_wait, common->fsg != fsg);
3106        }
3107
3108        usb_free_all_descriptors(&fsg->function);
3109}
3110
3111static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3112{
3113        return container_of(to_config_group(item), struct fsg_lun_opts, group);
3114}
3115
3116static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3117{
3118        return container_of(to_config_group(item), struct fsg_opts,
3119                            func_inst.group);
3120}
3121
3122static void fsg_lun_attr_release(struct config_item *item)
3123{
3124        struct fsg_lun_opts *lun_opts;
3125
3126        lun_opts = to_fsg_lun_opts(item);
3127        kfree(lun_opts);
3128}
3129
3130static struct configfs_item_operations fsg_lun_item_ops = {
3131        .release                = fsg_lun_attr_release,
3132};
3133
3134static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page)
3135{
3136        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3137        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3138
3139        return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3140}
3141
3142static ssize_t fsg_lun_opts_file_store(struct config_item *item,
3143                                       const char *page, size_t len)
3144{
3145        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3146        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3147
3148        return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3149}
3150
3151CONFIGFS_ATTR(fsg_lun_opts_, file);
3152
3153static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page)
3154{
3155        return fsg_show_ro(to_fsg_lun_opts(item)->lun, page);
3156}
3157
3158static ssize_t fsg_lun_opts_ro_store(struct config_item *item,
3159                                       const char *page, size_t len)
3160{
3161        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3162        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3163
3164        return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3165}
3166
3167CONFIGFS_ATTR(fsg_lun_opts_, ro);
3168
3169static ssize_t fsg_lun_opts_removable_show(struct config_item *item,
3170                                           char *page)
3171{
3172        return fsg_show_removable(to_fsg_lun_opts(item)->lun, page);
3173}
3174
3175static ssize_t fsg_lun_opts_removable_store(struct config_item *item,
3176                                       const char *page, size_t len)
3177{
3178        return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len);
3179}
3180
3181CONFIGFS_ATTR(fsg_lun_opts_, removable);
3182
3183static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page)
3184{
3185        return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page);
3186}
3187
3188static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item,
3189                                       const char *page, size_t len)
3190{
3191        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3192        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3193
3194        return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3195                               len);
3196}
3197
3198CONFIGFS_ATTR(fsg_lun_opts_, cdrom);
3199
3200static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page)
3201{
3202        return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page);
3203}
3204
3205static ssize_t fsg_lun_opts_nofua_store(struct config_item *item,
3206                                       const char *page, size_t len)
3207{
3208        return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len);
3209}
3210
3211CONFIGFS_ATTR(fsg_lun_opts_, nofua);
3212
3213static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item,
3214                                                char *page)
3215{
3216        return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page);
3217}
3218
3219static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item,
3220                                                 const char *page, size_t len)
3221{
3222        return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len);
3223}
3224
3225CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string);
3226
3227static struct configfs_attribute *fsg_lun_attrs[] = {
3228        &fsg_lun_opts_attr_file,
3229        &fsg_lun_opts_attr_ro,
3230        &fsg_lun_opts_attr_removable,
3231        &fsg_lun_opts_attr_cdrom,
3232        &fsg_lun_opts_attr_nofua,
3233        &fsg_lun_opts_attr_inquiry_string,
3234        NULL,
3235};
3236
3237static struct config_item_type fsg_lun_type = {
3238        .ct_item_ops    = &fsg_lun_item_ops,
3239        .ct_attrs       = fsg_lun_attrs,
3240        .ct_owner       = THIS_MODULE,
3241};
3242
3243static struct config_group *fsg_lun_make(struct config_group *group,
3244                                         const char *name)
3245{
3246        struct fsg_lun_opts *opts;
3247        struct fsg_opts *fsg_opts;
3248        struct fsg_lun_config config;
3249        char *num_str;
3250        u8 num;
3251        int ret;
3252
3253        num_str = strchr(name, '.');
3254        if (!num_str) {
3255                pr_err("Unable to locate . in LUN.NUMBER\n");
3256                return ERR_PTR(-EINVAL);
3257        }
3258        num_str++;
3259
3260        ret = kstrtou8(num_str, 0, &num);
3261        if (ret)
3262                return ERR_PTR(ret);
3263
3264        fsg_opts = to_fsg_opts(&group->cg_item);
3265        if (num >= FSG_MAX_LUNS)
3266                return ERR_PTR(-ERANGE);
3267
3268        mutex_lock(&fsg_opts->lock);
3269        if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3270                ret = -EBUSY;
3271                goto out;
3272        }
3273
3274        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3275        if (!opts) {
3276                ret = -ENOMEM;
3277                goto out;
3278        }
3279
3280        memset(&config, 0, sizeof(config));
3281        config.removable = true;
3282
3283        ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3284                                    (const char **)&group->cg_item.ci_name);
3285        if (ret) {
3286                kfree(opts);
3287                goto out;
3288        }
3289        opts->lun = fsg_opts->common->luns[num];
3290        opts->lun_id = num;
3291        mutex_unlock(&fsg_opts->lock);
3292
3293        config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3294
3295        return &opts->group;
3296out:
3297        mutex_unlock(&fsg_opts->lock);
3298        return ERR_PTR(ret);
3299}
3300
3301static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3302{
3303        struct fsg_lun_opts *lun_opts;
3304        struct fsg_opts *fsg_opts;
3305
3306        lun_opts = to_fsg_lun_opts(item);
3307        fsg_opts = to_fsg_opts(&group->cg_item);
3308
3309        mutex_lock(&fsg_opts->lock);
3310        if (fsg_opts->refcnt) {
3311                struct config_item *gadget;
3312
3313                gadget = group->cg_item.ci_parent->ci_parent;
3314                unregister_gadget_item(gadget);
3315        }
3316
3317        fsg_common_remove_lun(lun_opts->lun);
3318        fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3319        lun_opts->lun_id = 0;
3320        mutex_unlock(&fsg_opts->lock);
3321
3322        config_item_put(item);
3323}
3324
3325static void fsg_attr_release(struct config_item *item)
3326{
3327        struct fsg_opts *opts = to_fsg_opts(item);
3328
3329        usb_put_function_instance(&opts->func_inst);
3330}
3331
3332static struct configfs_item_operations fsg_item_ops = {
3333        .release                = fsg_attr_release,
3334};
3335
3336static ssize_t fsg_opts_stall_show(struct config_item *item, char *page)
3337{
3338        struct fsg_opts *opts = to_fsg_opts(item);
3339        int result;
3340
3341        mutex_lock(&opts->lock);
3342        result = sprintf(page, "%d", opts->common->can_stall);
3343        mutex_unlock(&opts->lock);
3344
3345        return result;
3346}
3347
3348static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page,
3349                                    size_t len)
3350{
3351        struct fsg_opts *opts = to_fsg_opts(item);
3352        int ret;
3353        bool stall;
3354
3355        mutex_lock(&opts->lock);
3356
3357        if (opts->refcnt) {
3358                mutex_unlock(&opts->lock);
3359                return -EBUSY;
3360        }
3361
3362        ret = strtobool(page, &stall);
3363        if (!ret) {
3364                opts->common->can_stall = stall;
3365                ret = len;
3366        }
3367
3368        mutex_unlock(&opts->lock);
3369
3370        return ret;
3371}
3372
3373CONFIGFS_ATTR(fsg_opts_, stall);
3374
3375#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3376static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page)
3377{
3378        struct fsg_opts *opts = to_fsg_opts(item);
3379        int result;
3380
3381        mutex_lock(&opts->lock);
3382        result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3383        mutex_unlock(&opts->lock);
3384
3385        return result;
3386}
3387
3388static ssize_t fsg_opts_num_buffers_store(struct config_item *item,
3389                                          const char *page, size_t len)
3390{
3391        struct fsg_opts *opts = to_fsg_opts(item);
3392        int ret;
3393        u8 num;
3394
3395        mutex_lock(&opts->lock);
3396        if (opts->refcnt) {
3397                ret = -EBUSY;
3398                goto end;
3399        }
3400        ret = kstrtou8(page, 0, &num);
3401        if (ret)
3402                goto end;
3403
3404        fsg_common_set_num_buffers(opts->common, num);
3405        ret = len;
3406
3407end:
3408        mutex_unlock(&opts->lock);
3409        return ret;
3410}
3411
3412CONFIGFS_ATTR(fsg_opts_, num_buffers);
3413#endif
3414
3415static struct configfs_attribute *fsg_attrs[] = {
3416        &fsg_opts_attr_stall,
3417#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3418        &fsg_opts_attr_num_buffers,
3419#endif
3420        NULL,
3421};
3422
3423static struct configfs_group_operations fsg_group_ops = {
3424        .make_group     = fsg_lun_make,
3425        .drop_item      = fsg_lun_drop,
3426};
3427
3428static struct config_item_type fsg_func_type = {
3429        .ct_item_ops    = &fsg_item_ops,
3430        .ct_group_ops   = &fsg_group_ops,
3431        .ct_attrs       = fsg_attrs,
3432        .ct_owner       = THIS_MODULE,
3433};
3434
3435static void fsg_free_inst(struct usb_function_instance *fi)
3436{
3437        struct fsg_opts *opts;
3438
3439        opts = fsg_opts_from_func_inst(fi);
3440        fsg_common_put(opts->common);
3441        kfree(opts);
3442}
3443
3444static struct usb_function_instance *fsg_alloc_inst(void)
3445{
3446        struct fsg_opts *opts;
3447        struct fsg_lun_config config;
3448        int rc;
3449
3450        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3451        if (!opts)
3452                return ERR_PTR(-ENOMEM);
3453        mutex_init(&opts->lock);
3454        opts->func_inst.free_func_inst = fsg_free_inst;
3455        opts->common = fsg_common_setup(opts->common);
3456        if (IS_ERR(opts->common)) {
3457                rc = PTR_ERR(opts->common);
3458                goto release_opts;
3459        }
3460
3461        rc = fsg_common_set_num_buffers(opts->common,
3462                                        CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3463        if (rc)
3464                goto release_opts;
3465
3466        pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3467
3468        memset(&config, 0, sizeof(config));
3469        config.removable = true;
3470        rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3471                        (const char **)&opts->func_inst.group.cg_item.ci_name);
3472        if (rc)
3473                goto release_buffers;
3474
3475        opts->lun0.lun = opts->common->luns[0];
3476        opts->lun0.lun_id = 0;
3477
3478        config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3479
3480        config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3481        configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group);
3482
3483        return &opts->func_inst;
3484
3485release_buffers:
3486        fsg_common_free_buffers(opts->common);
3487release_opts:
3488        kfree(opts);
3489        return ERR_PTR(rc);
3490}
3491
3492static void fsg_free(struct usb_function *f)
3493{
3494        struct fsg_dev *fsg;
3495        struct fsg_opts *opts;
3496
3497        fsg = container_of(f, struct fsg_dev, function);
3498        opts = container_of(f->fi, struct fsg_opts, func_inst);
3499
3500        mutex_lock(&opts->lock);
3501        opts->refcnt--;
3502        mutex_unlock(&opts->lock);
3503
3504        kfree(fsg);
3505}
3506
3507static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3508{
3509        struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3510        struct fsg_common *common = opts->common;
3511        struct fsg_dev *fsg;
3512
3513        fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3514        if (unlikely(!fsg))
3515                return ERR_PTR(-ENOMEM);
3516
3517        mutex_lock(&opts->lock);
3518        opts->refcnt++;
3519        mutex_unlock(&opts->lock);
3520
3521        fsg->function.name      = FSG_DRIVER_DESC;
3522        fsg->function.bind      = fsg_bind;
3523        fsg->function.unbind    = fsg_unbind;
3524        fsg->function.setup     = fsg_setup;
3525        fsg->function.set_alt   = fsg_set_alt;
3526        fsg->function.disable   = fsg_disable;
3527        fsg->function.free_func = fsg_free;
3528
3529        fsg->common               = common;
3530
3531        return &fsg->function;
3532}
3533
3534DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3535MODULE_LICENSE("GPL");
3536MODULE_AUTHOR("Michal Nazarewicz");
3537
3538/************************* Module parameters *************************/
3539
3540
3541void fsg_config_from_params(struct fsg_config *cfg,
3542                       const struct fsg_module_parameters *params,
3543                       unsigned int fsg_num_buffers)
3544{
3545        struct fsg_lun_config *lun;
3546        unsigned i;
3547
3548        /* Configure LUNs */
3549        cfg->nluns =
3550                min(params->luns ?: (params->file_count ?: 1u),
3551                    (unsigned)FSG_MAX_LUNS);
3552        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3553                lun->ro = !!params->ro[i];
3554                lun->cdrom = !!params->cdrom[i];
3555                lun->removable = !!params->removable[i];
3556                lun->filename =
3557                        params->file_count > i && params->file[i][0]
3558                        ? params->file[i]
3559                        : NULL;
3560        }
3561
3562        /* Let MSF use defaults */
3563        cfg->vendor_name = NULL;
3564        cfg->product_name = NULL;
3565
3566        cfg->ops = NULL;
3567        cfg->private_data = NULL;
3568
3569        /* Finalise */
3570        cfg->can_stall = params->stall;
3571        cfg->fsg_num_buffers = fsg_num_buffers;
3572}
3573EXPORT_SYMBOL_GPL(fsg_config_from_params);
3574