LXR linux/drivers/usb/gadget/function/f_mass

   1/*
   2 * f_mass_storage.c -- Mass Storage USB Composite Function
   3 *
   4 * Copyright (C) 2003-2008 Alan Stern
   5 * Copyright (C) 2009 Samsung Electronics
   6 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   7 * All rights reserved.
   8 *
   9 * Redistribution and use in source and binary forms, with or without
  10 * modification, are permitted provided that the following conditions
  11 * are met:
  12 * 1. Redistributions of source code must retain the above copyright
  13 *    notice, this list of conditions, and the following disclaimer,
  14 *    without modification.
  15 * 2. Redistributions in binary form must reproduce the above copyright
  16 *    notice, this list of conditions and the following disclaimer in the
  17 *    documentation and/or other materials provided with the distribution.
  18 * 3. The names of the above-listed copyright holders may not be used
  19 *    to endorse or promote products derived from this software without
  20 *    specific prior written permission.
  21 *
  22 * ALTERNATIVELY, this software may be distributed under the terms of the
  23 * GNU General Public License ("GPL") as published by the Free Software
  24 * Foundation, either version 2 of that License or (at your option) any
  25 * later version.
  26 *
  27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  28 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  29 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  30 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  31 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  32 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  33 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  34 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  35 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  36 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  37 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38 */
  39
  40/*
  41 * The Mass Storage Function acts as a USB Mass Storage device,
  42 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  43 * addition to providing an example of a genuinely useful composite
  44 * function for a USB device, it also illustrates a technique of
  45 * double-buffering for increased throughput.
  46 *
  47 * For more information about MSF and in particular its module
  48 * parameters and sysfs interface read the
  49 * <Documentation/usb/mass-storage.txt> file.
  50 */
  51
  52/*
  53 * MSF is configured by specifying a fsg_config structure.  It has the
  54 * following fields:
  55 *
  56 *      nluns           Number of LUNs function have (anywhere from 1
  57 *                              to FSG_MAX_LUNS).
  58 *      luns            An array of LUN configuration values.  This
  59 *                              should be filled for each LUN that
  60 *                              function will include (ie. for "nluns"
  61 *                              LUNs).  Each element of the array has
  62 *                              the following fields:
  63 *      ->filename      The path to the backing file for the LUN.
  64 *                              Required if LUN is not marked as
  65 *                              removable.
  66 *      ->ro            Flag specifying access to the LUN shall be
  67 *                              read-only.  This is implied if CD-ROM
  68 *                              emulation is enabled as well as when
  69 *                              it was impossible to open "filename"
  70 *                              in R/W mode.
  71 *      ->removable     Flag specifying that LUN shall be indicated as
  72 *                              being removable.
  73 *      ->cdrom         Flag specifying that LUN shall be reported as
  74 *                              being a CD-ROM.
  75 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  76 *                              commands for this LUN shall be ignored.
  77 *
  78 *      vendor_name
  79 *      product_name
  80 *      release         Information used as a reply to INQUIRY
  81 *                              request.  To use default set to NULL,
  82 *                              NULL, 0xffff respectively.  The first
  83 *                              field should be 8 and the second 16
  84 *                              characters or less.
  85 *
  86 *      can_stall       Set to permit function to halt bulk endpoints.
  87 *                              Disabled on some USB devices known not
  88 *                              to work correctly.  You should set it
  89 *                              to true.
  90 *
  91 * If "removable" is not set for a LUN then a backing file must be
  92 * specified.  If it is set, then NULL filename means the LUN's medium
  93 * is not loaded (an empty string as "filename" in the fsg_config
  94 * structure causes error).  The CD-ROM emulation includes a single
  95 * data track and no audio tracks; hence there need be only one
  96 * backing file per LUN.
  97 *
  98 * This function is heavily based on "File-backed Storage Gadget" by
  99 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 100 * Brownell.  The driver's SCSI command interface was based on the
 101 * "Information technology - Small Computer System Interface - 2"
 102 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 103 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 104 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 105 * was based on the "Universal Serial Bus Mass Storage Class UFI
 106 * Command Specification" document, Revision 1.0, December 14, 1998,
 107 * available at
 108 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 109 */
 110
 111/*
 112 *                              Driver Design
 113 *
 114 * The MSF is fairly straightforward.  There is a main kernel
 115 * thread that handles most of the work.  Interrupt routines field
 116 * callbacks from the controller driver: bulk- and interrupt-request
 117 * completion notifications, endpoint-0 events, and disconnect events.
 118 * Completion events are passed to the main thread by wakeup calls.  Many
 119 * ep0 requests are handled at interrupt time, but SetInterface,
 120 * SetConfiguration, and device reset requests are forwarded to the
 121 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 122 * should interrupt any ongoing file I/O operations).
 123 *
 124 * The thread's main routine implements the standard command/data/status
 125 * parts of a SCSI interaction.  It and its subroutines are full of tests
 126 * for pending signals/exceptions -- all this polling is necessary since
 127 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 128 * indication that the driver really wants to be running in userspace.)
 129 * An important point is that so long as the thread is alive it keeps an
 130 * open reference to the backing file.  This will prevent unmounting
 131 * the backing file's underlying filesystem and could cause problems
 132 * during system shutdown, for example.  To prevent such problems, the
 133 * thread catches INT, TERM, and KILL signals and converts them into
 134 * an EXIT exception.
 135 *
 136 * In normal operation the main thread is started during the gadget's
 137 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 138 * also exit when it receives a signal, and there's no point leaving
 139 * the gadget running when the thread is dead.  As of this moment, MSF
 140 * provides no way to deregister the gadget when thread dies -- maybe
 141 * a callback functions is needed.
 142 *
 143 * To provide maximum throughput, the driver uses a circular pipeline of
 144 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 145 * arbitrarily long; in practice the benefits don't justify having more
 146 * than 2 stages (i.e., double buffering).  But it helps to think of the
 147 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 148 * a bulk-out request pointer (since the buffer can be used for both
 149 * output and input -- directions always are given from the host's
 150 * point of view) as well as a pointer to the buffer and various state
 151 * variables.
 152 *
 153 * Use of the pipeline follows a simple protocol.  There is a variable
 154 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 155 * At any time that buffer head may still be in use from an earlier
 156 * request, so each buffer head has a state variable indicating whether
 157 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 158 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 159 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 160 * head FULL when the I/O is complete.  Then the buffer will be emptied
 161 * (again possibly by USB I/O, during which it is marked BUSY) and
 162 * finally marked EMPTY again (possibly by a completion routine).
 163 *
 164 * A module parameter tells the driver to avoid stalling the bulk
 165 * endpoints wherever the transport specification allows.  This is
 166 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 167 * halt on a bulk endpoint.  However, under certain circumstances the
 168 * Bulk-only specification requires a stall.  In such cases the driver
 169 * will halt the endpoint and set a flag indicating that it should clear
 170 * the halt in software during the next device reset.  Hopefully this
 171 * will permit everything to work correctly.  Furthermore, although the
 172 * specification allows the bulk-out endpoint to halt when the host sends
 173 * too much data, implementing this would cause an unavoidable race.
 174 * The driver will always use the "no-stall" approach for OUT transfers.
 175 *
 176 * One subtle point concerns sending status-stage responses for ep0
 177 * requests.  Some of these requests, such as device reset, can involve
 178 * interrupting an ongoing file I/O operation, which might take an
 179 * arbitrarily long time.  During that delay the host might give up on
 180 * the original ep0 request and issue a new one.  When that happens the
 181 * driver should not notify the host about completion of the original
 182 * request, as the host will no longer be waiting for it.  So the driver
 183 * assigns to each ep0 request a unique tag, and it keeps track of the
 184 * tag value of the request associated with a long-running exception
 185 * (device-reset, interface-change, or configuration-change).  When the
 186 * exception handler is finished, the status-stage response is submitted
 187 * only if the current ep0 request tag is equal to the exception request
 188 * tag.  Thus only the most recently received ep0 request will get a
 189 * status-stage response.
 190 *
 191 * Warning: This driver source file is too long.  It ought to be split up
 192 * into a header file plus about 3 separate .c files, to handle the details
 193 * of the Gadget, USB Mass Storage, and SCSI protocols.
 194 */
 195
 196
 197/* #define VERBOSE_DEBUG */
 198/* #define DUMP_MSGS */
 199
 200#include <linux/blkdev.h>
 201#include <linux/completion.h>
 202#include <linux/dcache.h>
 203#include <linux/delay.h>
 204#include <linux/device.h>
 205#include <linux/fcntl.h>
 206#include <linux/file.h>
 207#include <linux/fs.h>
 208#include <linux/kref.h>
 209#include <linux/kthread.h>
 210#include <linux/sched/signal.h>
 211#include <linux/limits.h>
 212#include <linux/rwsem.h>
 213#include <linux/slab.h>
 214#include <linux/spinlock.h>
 215#include <linux/string.h>
 216#include <linux/freezer.h>
 217#include <linux/module.h>
 218#include <linux/uaccess.h>
 219
 220#include <linux/usb/ch9.h>
 221#include <linux/usb/gadget.h>
 222#include <linux/usb/composite.h>
 223
 224#include "configfs.h"
 225
 226
 227/*------------------------------------------------------------------------*/
 228
 229#define FSG_DRIVER_DESC         "Mass Storage Function"
 230#define FSG_DRIVER_VERSION      "2009/09/11"
 231
 232static const char fsg_string_interface[] = "Mass Storage";
 233
 234#include "storage_common.h"
 235#include "f_mass_storage.h"
 236
 237/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 238static struct usb_string                fsg_strings[] = {
 239        {FSG_STRING_INTERFACE,          fsg_string_interface},
 240        {}
 241};
 242
 243static struct usb_gadget_strings        fsg_stringtab = {
 244        .language       = 0x0409,               /* en-us */
 245        .strings        = fsg_strings,
 246};
 247
 248static struct usb_gadget_strings *fsg_strings_array[] = {
 249        &fsg_stringtab,
 250        NULL,
 251};
 252
 253/*-------------------------------------------------------------------------*/
 254
 255struct fsg_dev;
 256struct fsg_common;
 257
 258/* Data shared by all the FSG instances. */
 259struct fsg_common {
 260        struct usb_gadget       *gadget;
 261        struct usb_composite_dev *cdev;
 262        struct fsg_dev          *fsg, *new_fsg;
 263        wait_queue_head_t       io_wait;
 264        wait_queue_head_t       fsg_wait;
 265
 266        /* filesem protects: backing files in use */
 267        struct rw_semaphore     filesem;
 268
 269        /* lock protects: state and thread_task */
 270        spinlock_t              lock;
 271
 272        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 273        struct usb_request      *ep0req;        /* Copy of cdev->req */
 274        unsigned int            ep0_req_tag;
 275
 276        struct fsg_buffhd       *next_buffhd_to_fill;
 277        struct fsg_buffhd       *next_buffhd_to_drain;
 278        struct fsg_buffhd       *buffhds;
 279        unsigned int            fsg_num_buffers;
 280
 281        int                     cmnd_size;
 282        u8                      cmnd[MAX_COMMAND_SIZE];
 283
 284        unsigned int            lun;
 285        struct fsg_lun          *luns[FSG_MAX_LUNS];
 286        struct fsg_lun          *curlun;
 287
 288        unsigned int            bulk_out_maxpacket;
 289        enum fsg_state          state;          /* For exception handling */
 290        unsigned int            exception_req_tag;
 291
 292        enum data_direction     data_dir;
 293        u32                     data_size;
 294        u32                     data_size_from_cmnd;
 295        u32                     tag;
 296        u32                     residue;
 297        u32                     usb_amount_left;
 298
 299        unsigned int            can_stall:1;
 300        unsigned int            free_storage_on_release:1;
 301        unsigned int            phase_error:1;
 302        unsigned int            short_packet_received:1;
 303        unsigned int            bad_lun_okay:1;
 304        unsigned int            running:1;
 305        unsigned int            sysfs:1;
 306
 307        struct completion       thread_notifier;
 308        struct task_struct      *thread_task;
 309
 310        /* Gadget's private data. */
 311        void                    *private_data;
 312
 313        char inquiry_string[INQUIRY_STRING_LEN];
 314
 315        struct kref             ref;
 316};
 317
 318struct fsg_dev {
 319        struct usb_function     function;
 320        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 321        struct fsg_common       *common;
 322
 323        u16                     interface_number;
 324
 325        unsigned int            bulk_in_enabled:1;
 326        unsigned int            bulk_out_enabled:1;
 327
 328        unsigned long           atomic_bitflags;
 329#define IGNORE_BULK_OUT         0
 330
 331        struct usb_ep           *bulk_in;
 332        struct usb_ep           *bulk_out;
 333};
 334
 335static inline int __fsg_is_set(struct fsg_common *common,
 336                               const char *func, unsigned line)
 337{
 338        if (common->fsg)
 339                return 1;
 340        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 341        WARN_ON(1);
 342        return 0;
 343}
 344
 345#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 346
 347static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 348{
 349        return container_of(f, struct fsg_dev, function);
 350}
 351
 352typedef void (*fsg_routine_t)(struct fsg_dev *);
 353
 354static int exception_in_progress(struct fsg_common *common)
 355{
 356        return common->state > FSG_STATE_NORMAL;
 357}
 358
 359/* Make bulk-out requests be divisible by the maxpacket size */
 360static void set_bulk_out_req_length(struct fsg_common *common,
 361                                    struct fsg_buffhd *bh, unsigned int length)
 362{
 363        unsigned int    rem;
 364
 365        bh->bulk_out_intended_length = length;
 366        rem = length % common->bulk_out_maxpacket;
 367        if (rem > 0)
 368                length += common->bulk_out_maxpacket - rem;
 369        bh->outreq->length = length;
 370}
 371
 372
 373/*-------------------------------------------------------------------------*/
 374
 375static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 376{
 377        const char      *name;
 378
 379        if (ep == fsg->bulk_in)
 380                name = "bulk-in";
 381        else if (ep == fsg->bulk_out)
 382                name = "bulk-out";
 383        else
 384                name = ep->name;
 385        DBG(fsg, "%s set halt\n", name);
 386        return usb_ep_set_halt(ep);
 387}
 388
 389
 390/*-------------------------------------------------------------------------*/
 391
 392/* These routines may be called in process context or in_irq */
 393
 394static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 395{
 396        unsigned long           flags;
 397
 398        /*
 399         * Do nothing if a higher-priority exception is already in progress.
 400         * If a lower-or-equal priority exception is in progress, preempt it
 401         * and notify the main thread by sending it a signal.
 402         */
 403        spin_lock_irqsave(&common->lock, flags);
 404        if (common->state <= new_state) {
 405                common->exception_req_tag = common->ep0_req_tag;
 406                common->state = new_state;
 407                if (common->thread_task)
 408                        send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 409                                      common->thread_task);
 410        }
 411        spin_unlock_irqrestore(&common->lock, flags);
 412}
 413
 414
 415/*-------------------------------------------------------------------------*/
 416
 417static int ep0_queue(struct fsg_common *common)
 418{
 419        int     rc;
 420
 421        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 422        common->ep0->driver_data = common;
 423        if (rc != 0 && rc != -ESHUTDOWN) {
 424                /* We can't do much more than wait for a reset */
 425                WARNING(common, "error in submission: %s --> %d\n",
 426                        common->ep0->name, rc);
 427        }
 428        return rc;
 429}
 430
 431
 432/*-------------------------------------------------------------------------*/
 433
 434/* Completion handlers. These always run in_irq. */
 435
 436static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 437{
 438        struct fsg_common       *common = ep->driver_data;
 439        struct fsg_buffhd       *bh = req->context;
 440
 441        if (req->status || req->actual != req->length)
 442                DBG(common, "%s --> %d, %u/%u\n", __func__,
 443                    req->status, req->actual, req->length);
 444        if (req->status == -ECONNRESET)         /* Request was cancelled */
 445                usb_ep_fifo_flush(ep);
 446
 447        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 448        smp_store_release(&bh->state, BUF_STATE_EMPTY);
 449        wake_up(&common->io_wait);
 450}
 451
 452static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 453{
 454        struct fsg_common       *common = ep->driver_data;
 455        struct fsg_buffhd       *bh = req->context;
 456
 457        dump_msg(common, "bulk-out", req->buf, req->actual);
 458        if (req->status || req->actual != bh->bulk_out_intended_length)
 459                DBG(common, "%s --> %d, %u/%u\n", __func__,
 460                    req->status, req->actual, bh->bulk_out_intended_length);
 461        if (req->status == -ECONNRESET)         /* Request was cancelled */
 462                usb_ep_fifo_flush(ep);
 463
 464        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 465        smp_store_release(&bh->state, BUF_STATE_FULL);
 466        wake_up(&common->io_wait);
 467}
 468
 469static int _fsg_common_get_max_lun(struct fsg_common *common)
 470{
 471        int i = ARRAY_SIZE(common->luns) - 1;
 472
 473        while (i >= 0 && !common->luns[i])
 474                --i;
 475
 476        return i;
 477}
 478
 479static int fsg_setup(struct usb_function *f,
 480                     const struct usb_ctrlrequest *ctrl)
 481{
 482        struct fsg_dev          *fsg = fsg_from_func(f);
 483        struct usb_request      *req = fsg->common->ep0req;
 484        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 485        u16                     w_value = le16_to_cpu(ctrl->wValue);
 486        u16                     w_length = le16_to_cpu(ctrl->wLength);
 487
 488        if (!fsg_is_set(fsg->common))
 489                return -EOPNOTSUPP;
 490
 491        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 492        req->context = NULL;
 493        req->length = 0;
 494        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 495
 496        switch (ctrl->bRequest) {
 497
 498        case US_BULK_RESET_REQUEST:
 499                if (ctrl->bRequestType !=
 500                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 501                        break;
 502                if (w_index != fsg->interface_number || w_value != 0 ||
 503                                w_length != 0)
 504                        return -EDOM;
 505
 506                /*
 507                 * Raise an exception to stop the current operation
 508                 * and reinitialize our state.
 509                 */
 510                DBG(fsg, "bulk reset request\n");
 511                raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET);
 512                return USB_GADGET_DELAYED_STATUS;
 513
 514        case US_BULK_GET_MAX_LUN:
 515                if (ctrl->bRequestType !=
 516                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 517                        break;
 518                if (w_index != fsg->interface_number || w_value != 0 ||
 519                                w_length != 1)
 520                        return -EDOM;
 521                VDBG(fsg, "get max LUN\n");
 522                *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
 523
 524                /* Respond with data/status */
 525                req->length = min((u16)1, w_length);
 526                return ep0_queue(fsg->common);
 527        }
 528
 529        VDBG(fsg,
 530             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 531             ctrl->bRequestType, ctrl->bRequest,
 532             le16_to_cpu(ctrl->wValue), w_index, w_length);
 533        return -EOPNOTSUPP;
 534}
 535
 536
 537/*-------------------------------------------------------------------------*/
 538
 539/* All the following routines run in process context */
 540
 541/* Use this for bulk or interrupt transfers, not ep0 */
 542static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 543                           struct usb_request *req)
 544{
 545        int     rc;
 546
 547        if (ep == fsg->bulk_in)
 548                dump_msg(fsg, "bulk-in", req->buf, req->length);
 549
 550        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 551        if (rc) {
 552
 553                /* We can't do much more than wait for a reset */
 554                req->status = rc;
 555
 556                /*
 557                 * Note: currently the net2280 driver fails zero-length
 558                 * submissions if DMA is enabled.
 559                 */
 560                if (rc != -ESHUTDOWN &&
 561                                !(rc == -EOPNOTSUPP && req->length == 0))
 562                        WARNING(fsg, "error in submission: %s --> %d\n",
 563                                        ep->name, rc);
 564        }
 565        return rc;
 566}
 567
 568static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 569{
 570        if (!fsg_is_set(common))
 571                return false;
 572        bh->state = BUF_STATE_SENDING;
 573        if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
 574                bh->state = BUF_STATE_EMPTY;
 575        return true;
 576}
 577
 578static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 579{
 580        if (!fsg_is_set(common))
 581                return false;
 582        bh->state = BUF_STATE_RECEIVING;
 583        if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
 584                bh->state = BUF_STATE_FULL;
 585        return true;
 586}
 587
 588static int sleep_thread(struct fsg_common *common, bool can_freeze,
 589                struct fsg_buffhd *bh)
 590{
 591        int     rc;
 592
 593        /* Wait until a signal arrives or bh is no longer busy */
 594        if (can_freeze)
 595                /*
 596                 * synchronize with the smp_store_release(&bh->state) in
 597                 * bulk_in_complete() or bulk_out_complete()
 598                 */
 599                rc = wait_event_freezable(common->io_wait,
 600                                bh && smp_load_acquire(&bh->state) >=
 601                                        BUF_STATE_EMPTY);
 602        else
 603                rc = wait_event_interruptible(common->io_wait,
 604                                bh && smp_load_acquire(&bh->state) >=
 605                                        BUF_STATE_EMPTY);
 606        return rc ? -EINTR : 0;
 607}
 608
 609
 610/*-------------------------------------------------------------------------*/
 611
 612static int do_read(struct fsg_common *common)
 613{
 614        struct fsg_lun          *curlun = common->curlun;
 615        u32                     lba;
 616        struct fsg_buffhd       *bh;
 617        int                     rc;
 618        u32                     amount_left;
 619        loff_t                  file_offset, file_offset_tmp;
 620        unsigned int            amount;
 621        ssize_t                 nread;
 622
 623        /*
 624         * Get the starting Logical Block Address and check that it's
 625         * not too big.
 626         */
 627        if (common->cmnd[0] == READ_6)
 628                lba = get_unaligned_be24(&common->cmnd[1]);
 629        else {
 630                lba = get_unaligned_be32(&common->cmnd[2]);
 631
 632                /*
 633                 * We allow DPO (Disable Page Out = don't save data in the
 634                 * cache) and FUA (Force Unit Access = don't read from the
 635                 * cache), but we don't implement them.
 636                 */
 637                if ((common->cmnd[1] & ~0x18) != 0) {
 638                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 639                        return -EINVAL;
 640                }
 641        }
 642        if (lba >= curlun->num_sectors) {
 643                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 644                return -EINVAL;
 645        }
 646        file_offset = ((loff_t) lba) << curlun->blkbits;
 647
 648        /* Carry out the file reads */
 649        amount_left = common->data_size_from_cmnd;
 650        if (unlikely(amount_left == 0))
 651                return -EIO;            /* No default reply */
 652
 653        for (;;) {
 654                /*
 655                 * Figure out how much we need to read:
 656                 * Try to read the remaining amount.
 657                 * But don't read more than the buffer size.
 658                 * And don't try to read past the end of the file.
 659                 */
 660                amount = min(amount_left, FSG_BUFLEN);
 661                amount = min((loff_t)amount,
 662                             curlun->file_length - file_offset);
 663
 664                /* Wait for the next buffer to become available */
 665                bh = common->next_buffhd_to_fill;
 666                rc = sleep_thread(common, false, bh);
 667                if (rc)
 668                        return rc;
 669
 670                /*
 671                 * If we were asked to read past the end of file,
 672                 * end with an empty buffer.
 673                 */
 674                if (amount == 0) {
 675                        curlun->sense_data =
 676                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 677                        curlun->sense_data_info =
 678                                        file_offset >> curlun->blkbits;
 679                        curlun->info_valid = 1;
 680                        bh->inreq->length = 0;
 681                        bh->state = BUF_STATE_FULL;
 682                        break;
 683                }
 684
 685                /* Perform the read */
 686                file_offset_tmp = file_offset;
 687                nread = kernel_read(curlun->filp, bh->buf, amount,
 688                                &file_offset_tmp);
 689                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 690                      (unsigned long long)file_offset, (int)nread);
 691                if (signal_pending(current))
 692                        return -EINTR;
 693
 694                if (nread < 0) {
 695                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 696                        nread = 0;
 697                } else if (nread < amount) {
 698                        LDBG(curlun, "partial file read: %d/%u\n",
 699                             (int)nread, amount);
 700                        nread = round_down(nread, curlun->blksize);
 701                }
 702                file_offset  += nread;
 703                amount_left  -= nread;
 704                common->residue -= nread;
 705
 706                /*
 707                 * Except at the end of the transfer, nread will be
 708                 * equal to the buffer size, which is divisible by the
 709                 * bulk-in maxpacket size.
 710                 */
 711                bh->inreq->length = nread;
 712                bh->state = BUF_STATE_FULL;
 713
 714                /* If an error occurred, report it and its position */
 715                if (nread < amount) {
 716                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 717                        curlun->sense_data_info =
 718                                        file_offset >> curlun->blkbits;
 719                        curlun->info_valid = 1;
 720                        break;
 721                }
 722
 723                if (amount_left == 0)
 724                        break;          /* No more left to read */
 725
 726                /* Send this buffer and go read some more */
 727                bh->inreq->zero = 0;
 728                if (!start_in_transfer(common, bh))
 729                        /* Don't know what to do if common->fsg is NULL */
 730                        return -EIO;
 731                common->next_buffhd_to_fill = bh->next;
 732        }
 733
 734        return -EIO;            /* No default reply */
 735}
 736
 737
 738/*-------------------------------------------------------------------------*/
 739
 740static int do_write(struct fsg_common *common)
 741{
 742        struct fsg_lun          *curlun = common->curlun;
 743        u32                     lba;
 744        struct fsg_buffhd       *bh;
 745        int                     get_some_more;
 746        u32                     amount_left_to_req, amount_left_to_write;
 747        loff_t                  usb_offset, file_offset, file_offset_tmp;
 748        unsigned int            amount;
 749        ssize_t                 nwritten;
 750        int                     rc;
 751
 752        if (curlun->ro) {
 753                curlun->sense_data = SS_WRITE_PROTECTED;
 754                return -EINVAL;
 755        }
 756        spin_lock(&curlun->filp->f_lock);
 757        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 758        spin_unlock(&curlun->filp->f_lock);
 759
 760        /*
 761         * Get the starting Logical Block Address and check that it's
 762         * not too big
 763         */
 764        if (common->cmnd[0] == WRITE_6)
 765                lba = get_unaligned_be24(&common->cmnd[1]);
 766        else {
 767                lba = get_unaligned_be32(&common->cmnd[2]);
 768
 769                /*
 770                 * We allow DPO (Disable Page Out = don't save data in the
 771                 * cache) and FUA (Force Unit Access = write directly to the
 772                 * medium).  We don't implement DPO; we implement FUA by
 773                 * performing synchronous output.
 774                 */
 775                if (common->cmnd[1] & ~0x18) {
 776                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 777                        return -EINVAL;
 778                }
 779                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 780                        spin_lock(&curlun->filp->f_lock);
 781                        curlun->filp->f_flags |= O_SYNC;
 782                        spin_unlock(&curlun->filp->f_lock);
 783                }
 784        }
 785        if (lba >= curlun->num_sectors) {
 786                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 787                return -EINVAL;
 788        }
 789
 790        /* Carry out the file writes */
 791        get_some_more = 1;
 792        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 793        amount_left_to_req = common->data_size_from_cmnd;
 794        amount_left_to_write = common->data_size_from_cmnd;
 795
 796        while (amount_left_to_write > 0) {
 797
 798                /* Queue a request for more data from the host */
 799                bh = common->next_buffhd_to_fill;
 800                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 801
 802                        /*
 803                         * Figure out how much we want to get:
 804                         * Try to get the remaining amount,
 805                         * but not more than the buffer size.
 806                         */
 807                        amount = min(amount_left_to_req, FSG_BUFLEN);
 808
 809                        /* Beyond the end of the backing file? */
 810                        if (usb_offset >= curlun->file_length) {
 811                                get_some_more = 0;
 812                                curlun->sense_data =
 813                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 814                                curlun->sense_data_info =
 815                                        usb_offset >> curlun->blkbits;
 816                                curlun->info_valid = 1;
 817                                continue;
 818                        }
 819
 820                        /* Get the next buffer */
 821                        usb_offset += amount;
 822                        common->usb_amount_left -= amount;
 823                        amount_left_to_req -= amount;
 824                        if (amount_left_to_req == 0)
 825                                get_some_more = 0;
 826
 827                        /*
 828                         * Except at the end of the transfer, amount will be
 829                         * equal to the buffer size, which is divisible by
 830                         * the bulk-out maxpacket size.
 831                         */
 832                        set_bulk_out_req_length(common, bh, amount);
 833                        if (!start_out_transfer(common, bh))
 834                                /* Dunno what to do if common->fsg is NULL */
 835                                return -EIO;
 836                        common->next_buffhd_to_fill = bh->next;
 837                        continue;
 838                }
 839
 840                /* Write the received data to the backing file */
 841                bh = common->next_buffhd_to_drain;
 842                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 843                        break;                  /* We stopped early */
 844
 845                /* Wait for the data to be received */
 846                rc = sleep_thread(common, false, bh);
 847                if (rc)
 848                        return rc;
 849
 850                common->next_buffhd_to_drain = bh->next;
 851                bh->state = BUF_STATE_EMPTY;
 852
 853                /* Did something go wrong with the transfer? */
 854                if (bh->outreq->status != 0) {
 855                        curlun->sense_data = SS_COMMUNICATION_FAILURE;
 856                        curlun->sense_data_info =
 857                                        file_offset >> curlun->blkbits;
 858                        curlun->info_valid = 1;
 859                        break;
 860                }
 861
 862                amount = bh->outreq->actual;
 863                if (curlun->file_length - file_offset < amount) {
 864                        LERROR(curlun, "write %u @ %llu beyond end %llu\n",
 865                                       amount, (unsigned long long)file_offset,
 866                                       (unsigned long long)curlun->file_length);
 867                        amount = curlun->file_length - file_offset;
 868                }
 869
 870                /*
 871                 * Don't accept excess data.  The spec doesn't say
 872                 * what to do in this case.  We'll ignore the error.
 873                 */
 874                amount = min(amount, bh->bulk_out_intended_length);
 875
 876                /* Don't write a partial block */
 877                amount = round_down(amount, curlun->blksize);
 878                if (amount == 0)
 879                        goto empty_write;
 880
 881                /* Perform the write */
 882                file_offset_tmp = file_offset;
 883                nwritten = kernel_write(curlun->filp, bh->buf, amount,
 884                                &file_offset_tmp);
 885                VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 886                                (unsigned long long)file_offset, (int)nwritten);
 887                if (signal_pending(current))
 888                        return -EINTR;          /* Interrupted! */
 889
 890                if (nwritten < 0) {
 891                        LDBG(curlun, "error in file write: %d\n",
 892                                        (int) nwritten);
 893                        nwritten = 0;
 894                } else if (nwritten < amount) {
 895                        LDBG(curlun, "partial file write: %d/%u\n",
 896                                        (int) nwritten, amount);
 897                        nwritten = round_down(nwritten, curlun->blksize);
 898                }
 899                file_offset += nwritten;
 900                amount_left_to_write -= nwritten;
 901                common->residue -= nwritten;
 902
 903                /* If an error occurred, report it and its position */
 904                if (nwritten < amount) {
 905                        curlun->sense_data = SS_WRITE_ERROR;
 906                        curlun->sense_data_info =
 907                                        file_offset >> curlun->blkbits;
 908                        curlun->info_valid = 1;
 909                        break;
 910                }
 911
 912 empty_write:
 913                /* Did the host decide to stop early? */
 914                if (bh->outreq->actual < bh->bulk_out_intended_length) {
 915                        common->short_packet_received = 1;
 916                        break;
 917                }
 918        }
 919
 920        return -EIO;            /* No default reply */
 921}
 922
 923
 924/*-------------------------------------------------------------------------*/
 925
 926static int do_synchronize_cache(struct fsg_common *common)
 927{
 928        struct fsg_lun  *curlun = common->curlun;
 929        int             rc;
 930
 931        /* We ignore the requested LBA and write out all file's
 932         * dirty data buffers. */
 933        rc = fsg_lun_fsync_sub(curlun);
 934        if (rc)
 935                curlun->sense_data = SS_WRITE_ERROR;
 936        return 0;
 937}
 938
 939
 940/*-------------------------------------------------------------------------*/
 941
 942static void invalidate_sub(struct fsg_lun *curlun)
 943{
 944        struct file     *filp = curlun->filp;
 945        struct inode    *inode = file_inode(filp);
 946        unsigned long   rc;
 947
 948        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 949        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 950}
 951
 952static int do_verify(struct fsg_common *common)
 953{
 954        struct fsg_lun          *curlun = common->curlun;
 955        u32                     lba;
 956        u32                     verification_length;
 957        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 958        loff_t                  file_offset, file_offset_tmp;
 959        u32                     amount_left;
 960        unsigned int            amount;
 961        ssize_t                 nread;
 962
 963        /*
 964         * Get the starting Logical Block Address and check that it's
 965         * not too big.
 966         */
 967        lba = get_unaligned_be32(&common->cmnd[2]);
 968        if (lba >= curlun->num_sectors) {
 969                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 970                return -EINVAL;
 971        }
 972
 973        /*
 974         * We allow DPO (Disable Page Out = don't save data in the
 975         * cache) but we don't implement it.
 976         */
 977        if (common->cmnd[1] & ~0x10) {
 978                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 979                return -EINVAL;
 980        }
 981
 982        verification_length = get_unaligned_be16(&common->cmnd[7]);
 983        if (unlikely(verification_length == 0))
 984                return -EIO;            /* No default reply */
 985
 986        /* Prepare to carry out the file verify */
 987        amount_left = verification_length << curlun->blkbits;
 988        file_offset = ((loff_t) lba) << curlun->blkbits;
 989
 990        /* Write out all the dirty buffers before invalidating them */
 991        fsg_lun_fsync_sub(curlun);
 992        if (signal_pending(current))
 993                return -EINTR;
 994
 995        invalidate_sub(curlun);
 996        if (signal_pending(current))
 997                return -EINTR;
 998
 999        /* Just try to read the requested blocks */
1000        while (amount_left > 0) {

1001                /*
1002                 * Figure out how much we need to read:
1003                 * Try to read the remaining amount, but not more than
1004                 * the buffer size.
1005                 * And don't try to read past the end of the file.
1006                 */
1007                amount = min(amount_left, FSG_BUFLEN);
1008                amount = min((loff_t)amount,
1009                             curlun->file_length - file_offset);
1010                if (amount == 0) {
1011                        curlun->sense_data =
1012                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1013                        curlun->sense_data_info =
1014                                file_offset >> curlun->blkbits;
1015                        curlun->info_valid = 1;
1016                        break;
1017                }
1018
1019                /* Perform the read */
1020                file_offset_tmp = file_offset;
1021                nread = kernel_read(curlun->filp, bh->buf, amount,
1022                                &file_offset_tmp);
1023                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1024                                (unsigned long long) file_offset,
1025                                (int) nread);
1026                if (signal_pending(current))
1027                        return -EINTR;
1028
1029                if (nread < 0) {
1030                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1031                        nread = 0;
1032                } else if (nread < amount) {
1033                        LDBG(curlun, "partial file verify: %d/%u\n",
1034                             (int)nread, amount);
1035                        nread = round_down(nread, curlun->blksize);
1036                }
1037                if (nread == 0) {
1038                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1039                        curlun->sense_data_info =
1040                                file_offset >> curlun->blkbits;
1041                        curlun->info_valid = 1;
1042                        break;
1043                }
1044                file_offset += nread;
1045                amount_left -= nread;
1046        }
1047        return 0;
1048}
1049
1050
1051/*-------------------------------------------------------------------------*/
1052
1053static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1054{
1055        struct fsg_lun *curlun = common->curlun;
1056        u8      *buf = (u8 *) bh->buf;
1057
1058        if (!curlun) {          /* Unsupported LUNs are okay */
1059                common->bad_lun_okay = 1;
1060                memset(buf, 0, 36);
1061                buf[0] = TYPE_NO_LUN;   /* Unsupported, no device-type */
1062                buf[4] = 31;            /* Additional length */
1063                return 36;
1064        }
1065
1066        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1067        buf[1] = curlun->removable ? 0x80 : 0;
1068        buf[2] = 2;             /* ANSI SCSI level 2 */
1069        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1070        buf[4] = 31;            /* Additional length */
1071        buf[5] = 0;             /* No special options */
1072        buf[6] = 0;
1073        buf[7] = 0;
1074        if (curlun->inquiry_string[0])
1075                memcpy(buf + 8, curlun->inquiry_string,
1076                       sizeof(curlun->inquiry_string));
1077        else
1078                memcpy(buf + 8, common->inquiry_string,
1079                       sizeof(common->inquiry_string));
1080        return 36;
1081}
1082
1083static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1084{
1085        struct fsg_lun  *curlun = common->curlun;
1086        u8              *buf = (u8 *) bh->buf;
1087        u32             sd, sdinfo;
1088        int             valid;
1089
1090        /*
1091         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1092         *
1093         * If a REQUEST SENSE command is received from an initiator
1094         * with a pending unit attention condition (before the target
1095         * generates the contingent allegiance condition), then the
1096         * target shall either:
1097         *   a) report any pending sense data and preserve the unit
1098         *      attention condition on the logical unit, or,
1099         *   b) report the unit attention condition, may discard any
1100         *      pending sense data, and clear the unit attention
1101         *      condition on the logical unit for that initiator.
1102         *
1103         * FSG normally uses option a); enable this code to use option b).
1104         */
1105#if 0
1106        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1107                curlun->sense_data = curlun->unit_attention_data;
1108                curlun->unit_attention_data = SS_NO_SENSE;
1109        }
1110#endif
1111
1112        if (!curlun) {          /* Unsupported LUNs are okay */
1113                common->bad_lun_okay = 1;
1114                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1115                sdinfo = 0;
1116                valid = 0;
1117        } else {
1118                sd = curlun->sense_data;
1119                sdinfo = curlun->sense_data_info;
1120                valid = curlun->info_valid << 7;
1121                curlun->sense_data = SS_NO_SENSE;
1122                curlun->sense_data_info = 0;
1123                curlun->info_valid = 0;
1124        }
1125
1126        memset(buf, 0, 18);
1127        buf[0] = valid | 0x70;                  /* Valid, current error */
1128        buf[2] = SK(sd);
1129        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1130        buf[7] = 18 - 8;                        /* Additional sense length */
1131        buf[12] = ASC(sd);
1132        buf[13] = ASCQ(sd);
1133        return 18;
1134}
1135
1136static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1137{
1138        struct fsg_lun  *curlun = common->curlun;
1139        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1140        int             pmi = common->cmnd[8];
1141        u8              *buf = (u8 *)bh->buf;
1142
1143        /* Check the PMI and LBA fields */
1144        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1145                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1146                return -EINVAL;
1147        }
1148
1149        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1150                                                /* Max logical block */
1151        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1152        return 8;
1153}
1154
1155static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1156{
1157        struct fsg_lun  *curlun = common->curlun;
1158        int             msf = common->cmnd[1] & 0x02;
1159        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1160        u8              *buf = (u8 *)bh->buf;
1161
1162        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1163                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1164                return -EINVAL;
1165        }
1166        if (lba >= curlun->num_sectors) {
1167                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1168                return -EINVAL;
1169        }
1170
1171        memset(buf, 0, 8);
1172        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1173        store_cdrom_address(&buf[4], msf, lba);
1174        return 8;
1175}
1176
1177static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1178{
1179        struct fsg_lun  *curlun = common->curlun;
1180        int             msf = common->cmnd[1] & 0x02;
1181        int             start_track = common->cmnd[6];
1182        u8              *buf = (u8 *)bh->buf;
1183
1184        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1185                        start_track > 1) {
1186                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1187                return -EINVAL;
1188        }
1189
1190        memset(buf, 0, 20);
1191        buf[1] = (20-2);                /* TOC data length */
1192        buf[2] = 1;                     /* First track number */
1193        buf[3] = 1;                     /* Last track number */
1194        buf[5] = 0x16;                  /* Data track, copying allowed */
1195        buf[6] = 0x01;                  /* Only track is number 1 */
1196        store_cdrom_address(&buf[8], msf, 0);
1197
1198        buf[13] = 0x16;                 /* Lead-out track is data */
1199        buf[14] = 0xAA;                 /* Lead-out track number */
1200        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1201        return 20;
1202}
1203
1204static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1205{
1206        struct fsg_lun  *curlun = common->curlun;
1207        int             mscmnd = common->cmnd[0];
1208        u8              *buf = (u8 *) bh->buf;
1209        u8              *buf0 = buf;
1210        int             pc, page_code;
1211        int             changeable_values, all_pages;
1212        int             valid_page = 0;
1213        int             len, limit;
1214
1215        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1216                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1217                return -EINVAL;
1218        }
1219        pc = common->cmnd[2] >> 6;
1220        page_code = common->cmnd[2] & 0x3f;
1221        if (pc == 3) {
1222                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1223                return -EINVAL;
1224        }
1225        changeable_values = (pc == 1);
1226        all_pages = (page_code == 0x3f);
1227
1228        /*
1229         * Write the mode parameter header.  Fixed values are: default
1230         * medium type, no cache control (DPOFUA), and no block descriptors.
1231         * The only variable value is the WriteProtect bit.  We will fill in
1232         * the mode data length later.
1233         */
1234        memset(buf, 0, 8);
1235        if (mscmnd == MODE_SENSE) {
1236                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1237                buf += 4;
1238                limit = 255;
1239        } else {                        /* MODE_SENSE_10 */
1240                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1241                buf += 8;
1242                limit = 65535;          /* Should really be FSG_BUFLEN */
1243        }
1244
1245        /* No block descriptors */
1246
1247        /*
1248         * The mode pages, in numerical order.  The only page we support
1249         * is the Caching page.
1250         */
1251        if (page_code == 0x08 || all_pages) {
1252                valid_page = 1;
1253                buf[0] = 0x08;          /* Page code */
1254                buf[1] = 10;            /* Page length */
1255                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1256
1257                if (!changeable_values) {
1258                        buf[2] = 0x04;  /* Write cache enable, */
1259                                        /* Read cache not disabled */
1260                                        /* No cache retention priorities */
1261                        put_unaligned_be16(0xffff, &buf[4]);
1262                                        /* Don't disable prefetch */
1263                                        /* Minimum prefetch = 0 */
1264                        put_unaligned_be16(0xffff, &buf[8]);
1265                                        /* Maximum prefetch */
1266                        put_unaligned_be16(0xffff, &buf[10]);
1267                                        /* Maximum prefetch ceiling */
1268                }
1269                buf += 12;
1270        }
1271
1272        /*
1273         * Check that a valid page was requested and the mode data length
1274         * isn't too long.
1275         */
1276        len = buf - buf0;
1277        if (!valid_page || len > limit) {
1278                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1279                return -EINVAL;
1280        }
1281
1282        /*  Store the mode data length */
1283        if (mscmnd == MODE_SENSE)
1284                buf0[0] = len - 1;
1285        else
1286                put_unaligned_be16(len - 2, buf0);
1287        return len;
1288}
1289
1290static int do_start_stop(struct fsg_common *common)
1291{
1292        struct fsg_lun  *curlun = common->curlun;
1293        int             loej, start;
1294
1295        if (!curlun) {
1296                return -EINVAL;
1297        } else if (!curlun->removable) {
1298                curlun->sense_data = SS_INVALID_COMMAND;
1299                return -EINVAL;
1300        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1301                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1302                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1303                return -EINVAL;
1304        }
1305
1306        loej  = common->cmnd[4] & 0x02;
1307        start = common->cmnd[4] & 0x01;
1308
1309        /*
1310         * Our emulation doesn't support mounting; the medium is
1311         * available for use as soon as it is loaded.
1312         */
1313        if (start) {
1314                if (!fsg_lun_is_open(curlun)) {
1315                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1316                        return -EINVAL;
1317                }
1318                return 0;
1319        }
1320
1321        /* Are we allowed to unload the media? */
1322        if (curlun->prevent_medium_removal) {
1323                LDBG(curlun, "unload attempt prevented\n");
1324                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1325                return -EINVAL;
1326        }
1327
1328        if (!loej)
1329                return 0;
1330
1331        up_read(&common->filesem);
1332        down_write(&common->filesem);
1333        fsg_lun_close(curlun);
1334        up_write(&common->filesem);
1335        down_read(&common->filesem);
1336
1337        return 0;
1338}
1339
1340static int do_prevent_allow(struct fsg_common *common)
1341{
1342        struct fsg_lun  *curlun = common->curlun;
1343        int             prevent;
1344
1345        if (!common->curlun) {
1346                return -EINVAL;
1347        } else if (!common->curlun->removable) {
1348                common->curlun->sense_data = SS_INVALID_COMMAND;
1349                return -EINVAL;
1350        }
1351
1352        prevent = common->cmnd[4] & 0x01;
1353        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1354                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1355                return -EINVAL;
1356        }
1357
1358        if (curlun->prevent_medium_removal && !prevent)
1359                fsg_lun_fsync_sub(curlun);
1360        curlun->prevent_medium_removal = prevent;
1361        return 0;
1362}
1363
1364static int do_read_format_capacities(struct fsg_common *common,
1365                        struct fsg_buffhd *bh)
1366{
1367        struct fsg_lun  *curlun = common->curlun;
1368        u8              *buf = (u8 *) bh->buf;
1369
1370        buf[0] = buf[1] = buf[2] = 0;
1371        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1372        buf += 4;
1373
1374        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1375                                                /* Number of blocks */
1376        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1377        buf[4] = 0x02;                          /* Current capacity */
1378        return 12;
1379}
1380
1381static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1382{
1383        struct fsg_lun  *curlun = common->curlun;
1384
1385        /* We don't support MODE SELECT */
1386        if (curlun)
1387                curlun->sense_data = SS_INVALID_COMMAND;
1388        return -EINVAL;
1389}
1390
1391
1392/*-------------------------------------------------------------------------*/
1393
1394static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1395{
1396        int     rc;
1397
1398        rc = fsg_set_halt(fsg, fsg->bulk_in);
1399        if (rc == -EAGAIN)
1400                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1401        while (rc != 0) {
1402                if (rc != -EAGAIN) {
1403                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1404                        rc = 0;
1405                        break;
1406                }
1407
1408                /* Wait for a short time and then try again */
1409                if (msleep_interruptible(100) != 0)
1410                        return -EINTR;
1411                rc = usb_ep_set_halt(fsg->bulk_in);
1412        }
1413        return rc;
1414}
1415
1416static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1417{
1418        int     rc;
1419
1420        DBG(fsg, "bulk-in set wedge\n");
1421        rc = usb_ep_set_wedge(fsg->bulk_in);
1422        if (rc == -EAGAIN)
1423                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1424        while (rc != 0) {
1425                if (rc != -EAGAIN) {
1426                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1427                        rc = 0;
1428                        break;
1429                }
1430
1431                /* Wait for a short time and then try again */
1432                if (msleep_interruptible(100) != 0)
1433                        return -EINTR;
1434                rc = usb_ep_set_wedge(fsg->bulk_in);
1435        }
1436        return rc;
1437}
1438
1439static int throw_away_data(struct fsg_common *common)
1440{
1441        struct fsg_buffhd       *bh, *bh2;
1442        u32                     amount;
1443        int                     rc;
1444
1445        for (bh = common->next_buffhd_to_drain;
1446             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1447             bh = common->next_buffhd_to_drain) {
1448
1449                /* Try to submit another request if we need one */
1450                bh2 = common->next_buffhd_to_fill;
1451                if (bh2->state == BUF_STATE_EMPTY &&
1452                                common->usb_amount_left > 0) {
1453                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1454
1455                        /*
1456                         * Except at the end of the transfer, amount will be
1457                         * equal to the buffer size, which is divisible by
1458                         * the bulk-out maxpacket size.
1459                         */
1460                        set_bulk_out_req_length(common, bh2, amount);
1461                        if (!start_out_transfer(common, bh2))
1462                                /* Dunno what to do if common->fsg is NULL */
1463                                return -EIO;
1464                        common->next_buffhd_to_fill = bh2->next;
1465                        common->usb_amount_left -= amount;
1466                        continue;
1467                }
1468
1469                /* Wait for the data to be received */
1470                rc = sleep_thread(common, false, bh);
1471                if (rc)
1472                        return rc;
1473
1474                /* Throw away the data in a filled buffer */
1475                bh->state = BUF_STATE_EMPTY;
1476                common->next_buffhd_to_drain = bh->next;
1477
1478                /* A short packet or an error ends everything */
1479                if (bh->outreq->actual < bh->bulk_out_intended_length ||
1480                                bh->outreq->status != 0) {
1481                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1482                        return -EINTR;
1483                }
1484        }
1485        return 0;
1486}
1487
1488static int finish_reply(struct fsg_common *common)
1489{
1490        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1491        int                     rc = 0;
1492
1493        switch (common->data_dir) {
1494        case DATA_DIR_NONE:
1495                break;                  /* Nothing to send */
1496
1497        /*
1498         * If we don't know whether the host wants to read or write,
1499         * this must be CB or CBI with an unknown command.  We mustn't
1500         * try to send or receive any data.  So stall both bulk pipes
1501         * if we can and wait for a reset.
1502         */
1503        case DATA_DIR_UNKNOWN:
1504                if (!common->can_stall) {
1505                        /* Nothing */
1506                } else if (fsg_is_set(common)) {
1507                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1508                        rc = halt_bulk_in_endpoint(common->fsg);
1509                } else {
1510                        /* Don't know what to do if common->fsg is NULL */
1511                        rc = -EIO;
1512                }
1513                break;
1514
1515        /* All but the last buffer of data must have already been sent */
1516        case DATA_DIR_TO_HOST:
1517                if (common->data_size == 0) {
1518                        /* Nothing to send */
1519
1520                /* Don't know what to do if common->fsg is NULL */
1521                } else if (!fsg_is_set(common)) {
1522                        rc = -EIO;
1523
1524                /* If there's no residue, simply send the last buffer */
1525                } else if (common->residue == 0) {
1526                        bh->inreq->zero = 0;
1527                        if (!start_in_transfer(common, bh))
1528                                return -EIO;
1529                        common->next_buffhd_to_fill = bh->next;
1530
1531                /*
1532                 * For Bulk-only, mark the end of the data with a short
1533                 * packet.  If we are allowed to stall, halt the bulk-in
1534                 * endpoint.  (Note: This violates the Bulk-Only Transport
1535                 * specification, which requires us to pad the data if we
1536                 * don't halt the endpoint.  Presumably nobody will mind.)
1537                 */
1538                } else {
1539                        bh->inreq->zero = 1;
1540                        if (!start_in_transfer(common, bh))
1541                                rc = -EIO;
1542                        common->next_buffhd_to_fill = bh->next;
1543                        if (common->can_stall)
1544                                rc = halt_bulk_in_endpoint(common->fsg);
1545                }
1546                break;
1547
1548        /*
1549         * We have processed all we want from the data the host has sent.
1550         * There may still be outstanding bulk-out requests.
1551         */
1552        case DATA_DIR_FROM_HOST:
1553                if (common->residue == 0) {
1554                        /* Nothing to receive */
1555
1556                /* Did the host stop sending unexpectedly early? */
1557                } else if (common->short_packet_received) {
1558                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1559                        rc = -EINTR;
1560
1561                /*
1562                 * We haven't processed all the incoming data.  Even though
1563                 * we may be allowed to stall, doing so would cause a race.
1564                 * The controller may already have ACK'ed all the remaining
1565                 * bulk-out packets, in which case the host wouldn't see a
1566                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1567                 * clear the halt -- leading to problems later on.
1568                 */
1569#if 0
1570                } else if (common->can_stall) {
1571                        if (fsg_is_set(common))
1572                                fsg_set_halt(common->fsg,
1573                                             common->fsg->bulk_out);
1574                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1575                        rc = -EINTR;
1576#endif
1577
1578                /*
1579                 * We can't stall.  Read in the excess data and throw it
1580                 * all away.
1581                 */
1582                } else {
1583                        rc = throw_away_data(common);
1584                }
1585                break;
1586        }
1587        return rc;
1588}
1589
1590static void send_status(struct fsg_common *common)
1591{
1592        struct fsg_lun          *curlun = common->curlun;
1593        struct fsg_buffhd       *bh;
1594        struct bulk_cs_wrap     *csw;
1595        int                     rc;
1596        u8                      status = US_BULK_STAT_OK;
1597        u32                     sd, sdinfo = 0;
1598
1599        /* Wait for the next buffer to become available */
1600        bh = common->next_buffhd_to_fill;
1601        rc = sleep_thread(common, false, bh);
1602        if (rc)
1603                return;
1604
1605        if (curlun) {
1606                sd = curlun->sense_data;
1607                sdinfo = curlun->sense_data_info;
1608        } else if (common->bad_lun_okay)
1609                sd = SS_NO_SENSE;
1610        else
1611                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1612
1613        if (common->phase_error) {
1614                DBG(common, "sending phase-error status\n");
1615                status = US_BULK_STAT_PHASE;
1616                sd = SS_INVALID_COMMAND;
1617        } else if (sd != SS_NO_SENSE) {
1618                DBG(common, "sending command-failure status\n");
1619                status = US_BULK_STAT_FAIL;
1620                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1621                                "  info x%x\n",
1622                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1623        }
1624
1625        /* Store and send the Bulk-only CSW */
1626        csw = (void *)bh->buf;
1627
1628        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1629        csw->Tag = common->tag;
1630        csw->Residue = cpu_to_le32(common->residue);
1631        csw->Status = status;
1632
1633        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1634        bh->inreq->zero = 0;
1635        if (!start_in_transfer(common, bh))
1636                /* Don't know what to do if common->fsg is NULL */
1637                return;
1638
1639        common->next_buffhd_to_fill = bh->next;
1640        return;
1641}
1642
1643
1644/*-------------------------------------------------------------------------*/
1645
1646/*
1647 * Check whether the command is properly formed and whether its data size
1648 * and direction agree with the values we already have.
1649 */
1650static int check_command(struct fsg_common *common, int cmnd_size,
1651                         enum data_direction data_dir, unsigned int mask,
1652                         int needs_medium, const char *name)
1653{
1654        int                     i;
1655        unsigned int            lun = common->cmnd[1] >> 5;
1656        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1657        char                    hdlen[20];
1658        struct fsg_lun          *curlun;
1659
1660        hdlen[0] = 0;
1661        if (common->data_dir != DATA_DIR_UNKNOWN)
1662                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1663                        common->data_size);
1664        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1665             name, cmnd_size, dirletter[(int) data_dir],
1666             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1667
1668        /*
1669         * We can't reply at all until we know the correct data direction
1670         * and size.
1671         */
1672        if (common->data_size_from_cmnd == 0)
1673                data_dir = DATA_DIR_NONE;
1674        if (common->data_size < common->data_size_from_cmnd) {
1675                /*
1676                 * Host data size < Device data size is a phase error.
1677                 * Carry out the command, but only transfer as much as
1678                 * we are allowed.
1679                 */
1680                common->data_size_from_cmnd = common->data_size;
1681                common->phase_error = 1;
1682        }
1683        common->residue = common->data_size;
1684        common->usb_amount_left = common->data_size;
1685
1686        /* Conflicting data directions is a phase error */
1687        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1688                common->phase_error = 1;
1689                return -EINVAL;
1690        }
1691
1692        /* Verify the length of the command itself */
1693        if (cmnd_size != common->cmnd_size) {
1694
1695                /*
1696                 * Special case workaround: There are plenty of buggy SCSI
1697                 * implementations. Many have issues with cbw->Length
1698                 * field passing a wrong command size. For those cases we
1699                 * always try to work around the problem by using the length
1700                 * sent by the host side provided it is at least as large
1701                 * as the correct command length.
1702                 * Examples of such cases would be MS-Windows, which issues
1703                 * REQUEST SENSE with cbw->Length == 12 where it should
1704                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1705                 * REQUEST SENSE with cbw->Length == 10 where it should
1706                 * be 6 as well.
1707                 */
1708                if (cmnd_size <= common->cmnd_size) {
1709                        DBG(common, "%s is buggy! Expected length %d "
1710                            "but we got %d\n", name,
1711                            cmnd_size, common->cmnd_size);
1712                        cmnd_size = common->cmnd_size;
1713                } else {
1714                        common->phase_error = 1;
1715                        return -EINVAL;
1716                }
1717        }
1718
1719        /* Check that the LUN values are consistent */
1720        if (common->lun != lun)
1721                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1722                    common->lun, lun);
1723
1724        /* Check the LUN */
1725        curlun = common->curlun;
1726        if (curlun) {
1727                if (common->cmnd[0] != REQUEST_SENSE) {
1728                        curlun->sense_data = SS_NO_SENSE;
1729                        curlun->sense_data_info = 0;
1730                        curlun->info_valid = 0;
1731                }
1732        } else {
1733                common->bad_lun_okay = 0;
1734
1735                /*
1736                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1737                 * to use unsupported LUNs; all others may not.
1738                 */
1739                if (common->cmnd[0] != INQUIRY &&
1740                    common->cmnd[0] != REQUEST_SENSE) {
1741                        DBG(common, "unsupported LUN %u\n", common->lun);
1742                        return -EINVAL;
1743                }
1744        }
1745
1746        /*
1747         * If a unit attention condition exists, only INQUIRY and
1748         * REQUEST SENSE commands are allowed; anything else must fail.
1749         */
1750        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1751            common->cmnd[0] != INQUIRY &&
1752            common->cmnd[0] != REQUEST_SENSE) {
1753                curlun->sense_data = curlun->unit_attention_data;
1754                curlun->unit_attention_data = SS_NO_SENSE;
1755                return -EINVAL;
1756        }
1757
1758        /* Check that only command bytes listed in the mask are non-zero */
1759        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1760        for (i = 1; i < cmnd_size; ++i) {
1761                if (common->cmnd[i] && !(mask & (1 << i))) {
1762                        if (curlun)
1763                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1764                        return -EINVAL;
1765                }
1766        }
1767
1768        /* If the medium isn't mounted and the command needs to access
1769         * it, return an error. */
1770        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1771                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1772                return -EINVAL;
1773        }
1774
1775        return 0;
1776}
1777
1778/* wrapper of check_command for data size in blocks handling */
1779static int check_command_size_in_blocks(struct fsg_common *common,
1780                int cmnd_size, enum data_direction data_dir,
1781                unsigned int mask, int needs_medium, const char *name)
1782{
1783        if (common->curlun)
1784                common->data_size_from_cmnd <<= common->curlun->blkbits;
1785        return check_command(common, cmnd_size, data_dir,
1786                        mask, needs_medium, name);
1787}
1788
1789static int do_scsi_command(struct fsg_common *common)
1790{
1791        struct fsg_buffhd       *bh;
1792        int                     rc;
1793        int                     reply = -EINVAL;
1794        int                     i;
1795        static char             unknown[16];
1796
1797        dump_cdb(common);
1798
1799        /* Wait for the next buffer to become available for data or status */
1800        bh = common->next_buffhd_to_fill;
1801        common->next_buffhd_to_drain = bh;
1802        rc = sleep_thread(common, false, bh);
1803        if (rc)
1804                return rc;
1805
1806        common->phase_error = 0;
1807        common->short_packet_received = 0;
1808
1809        down_read(&common->filesem);    /* We're using the backing file */
1810        switch (common->cmnd[0]) {
1811
1812        case INQUIRY:
1813                common->data_size_from_cmnd = common->cmnd[4];
1814                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1815                                      (1<<4), 0,
1816                                      "INQUIRY");
1817                if (reply == 0)
1818                        reply = do_inquiry(common, bh);
1819                break;
1820
1821        case MODE_SELECT:
1822                common->data_size_from_cmnd = common->cmnd[4];
1823                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1824                                      (1<<1) | (1<<4), 0,
1825                                      "MODE SELECT(6)");
1826                if (reply == 0)
1827                        reply = do_mode_select(common, bh);
1828                break;
1829
1830        case MODE_SELECT_10:
1831                common->data_size_from_cmnd =
1832                        get_unaligned_be16(&common->cmnd[7]);
1833                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1834                                      (1<<1) | (3<<7), 0,
1835                                      "MODE SELECT(10)");
1836                if (reply == 0)
1837                        reply = do_mode_select(common, bh);
1838                break;
1839
1840        case MODE_SENSE:
1841                common->data_size_from_cmnd = common->cmnd[4];
1842                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1843                                      (1<<1) | (1<<2) | (1<<4), 0,
1844                                      "MODE SENSE(6)");
1845                if (reply == 0)
1846                        reply = do_mode_sense(common, bh);
1847                break;
1848
1849        case MODE_SENSE_10:
1850                common->data_size_from_cmnd =
1851                        get_unaligned_be16(&common->cmnd[7]);
1852                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1853                                      (1<<1) | (1<<2) | (3<<7), 0,
1854                                      "MODE SENSE(10)");
1855                if (reply == 0)
1856                        reply = do_mode_sense(common, bh);
1857                break;
1858
1859        case ALLOW_MEDIUM_REMOVAL:
1860                common->data_size_from_cmnd = 0;
1861                reply = check_command(common, 6, DATA_DIR_NONE,
1862                                      (1<<4), 0,
1863                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1864                if (reply == 0)
1865                        reply = do_prevent_allow(common);
1866                break;
1867
1868        case READ_6:
1869                i = common->cmnd[4];
1870                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1871                reply = check_command_size_in_blocks(common, 6,
1872                                      DATA_DIR_TO_HOST,
1873                                      (7<<1) | (1<<4), 1,
1874                                      "READ(6)");
1875                if (reply == 0)
1876                        reply = do_read(common);
1877                break;
1878
1879        case READ_10:
1880                common->data_size_from_cmnd =
1881                                get_unaligned_be16(&common->cmnd[7]);
1882                reply = check_command_size_in_blocks(common, 10,
1883                                      DATA_DIR_TO_HOST,
1884                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1885                                      "READ(10)");
1886                if (reply == 0)
1887                        reply = do_read(common);
1888                break;
1889
1890        case READ_12:
1891                common->data_size_from_cmnd =
1892                                get_unaligned_be32(&common->cmnd[6]);
1893                reply = check_command_size_in_blocks(common, 12,
1894                                      DATA_DIR_TO_HOST,
1895                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1896                                      "READ(12)");
1897                if (reply == 0)
1898                        reply = do_read(common);
1899                break;
1900
1901        case READ_CAPACITY:
1902                common->data_size_from_cmnd = 8;
1903                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1904                                      (0xf<<2) | (1<<8), 1,
1905                                      "READ CAPACITY");
1906                if (reply == 0)
1907                        reply = do_read_capacity(common, bh);
1908                break;
1909
1910        case READ_HEADER:
1911                if (!common->curlun || !common->curlun->cdrom)
1912                        goto unknown_cmnd;
1913                common->data_size_from_cmnd =
1914                        get_unaligned_be16(&common->cmnd[7]);
1915                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1916                                      (3<<7) | (0x1f<<1), 1,
1917                                      "READ HEADER");
1918                if (reply == 0)
1919                        reply = do_read_header(common, bh);
1920                break;
1921
1922        case READ_TOC:
1923                if (!common->curlun || !common->curlun->cdrom)
1924                        goto unknown_cmnd;
1925                common->data_size_from_cmnd =
1926                        get_unaligned_be16(&common->cmnd[7]);
1927                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1928                                      (7<<6) | (1<<1), 1,
1929                                      "READ TOC");
1930                if (reply == 0)
1931                        reply = do_read_toc(common, bh);
1932                break;
1933
1934        case READ_FORMAT_CAPACITIES:
1935                common->data_size_from_cmnd =
1936                        get_unaligned_be16(&common->cmnd[7]);
1937                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1938                                      (3<<7), 1,
1939                                      "READ FORMAT CAPACITIES");
1940                if (reply == 0)
1941                        reply = do_read_format_capacities(common, bh);
1942                break;
1943
1944        case REQUEST_SENSE:
1945                common->data_size_from_cmnd = common->cmnd[4];
1946                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1947                                      (1<<4), 0,
1948                                      "REQUEST SENSE");
1949                if (reply == 0)
1950                        reply = do_request_sense(common, bh);
1951                break;
1952
1953        case START_STOP:
1954                common->data_size_from_cmnd = 0;
1955                reply = check_command(common, 6, DATA_DIR_NONE,
1956                                      (1<<1) | (1<<4), 0,
1957                                      "START-STOP UNIT");
1958                if (reply == 0)
1959                        reply = do_start_stop(common);
1960                break;
1961
1962        case SYNCHRONIZE_CACHE:
1963                common->data_size_from_cmnd = 0;
1964                reply = check_command(common, 10, DATA_DIR_NONE,
1965                                      (0xf<<2) | (3<<7), 1,
1966                                      "SYNCHRONIZE CACHE");
1967                if (reply == 0)
1968                        reply = do_synchronize_cache(common);
1969                break;
1970
1971        case TEST_UNIT_READY:
1972                common->data_size_from_cmnd = 0;
1973                reply = check_command(common, 6, DATA_DIR_NONE,
1974                                0, 1,
1975                                "TEST UNIT READY");
1976                break;
1977
1978        /*
1979         * Although optional, this command is used by MS-Windows.  We
1980         * support a minimal version: BytChk must be 0.
1981         */
1982        case VERIFY:
1983                common->data_size_from_cmnd = 0;
1984                reply = check_command(common, 10, DATA_DIR_NONE,
1985                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1986                                      "VERIFY");
1987                if (reply == 0)
1988                        reply = do_verify(common);
1989                break;
1990
1991        case WRITE_6:
1992                i = common->cmnd[4];
1993                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1994                reply = check_command_size_in_blocks(common, 6,
1995                                      DATA_DIR_FROM_HOST,
1996                                      (7<<1) | (1<<4), 1,
1997                                      "WRITE(6)");
1998                if (reply == 0)
1999                        reply = do_write(common);
2000                break;

2001
2002        case WRITE_10:
2003                common->data_size_from_cmnd =
2004                                get_unaligned_be16(&common->cmnd[7]);
2005                reply = check_command_size_in_blocks(common, 10,
2006                                      DATA_DIR_FROM_HOST,
2007                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2008                                      "WRITE(10)");
2009                if (reply == 0)
2010                        reply = do_write(common);
2011                break;
2012
2013        case WRITE_12:
2014                common->data_size_from_cmnd =
2015                                get_unaligned_be32(&common->cmnd[6]);
2016                reply = check_command_size_in_blocks(common, 12,
2017                                      DATA_DIR_FROM_HOST,
2018                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2019                                      "WRITE(12)");
2020                if (reply == 0)
2021                        reply = do_write(common);
2022                break;
2023
2024        /*
2025         * Some mandatory commands that we recognize but don't implement.
2026         * They don't mean much in this setting.  It's left as an exercise
2027         * for anyone interested to implement RESERVE and RELEASE in terms
2028         * of Posix locks.
2029         */
2030        case FORMAT_UNIT:
2031        case RELEASE:
2032        case RESERVE:
2033        case SEND_DIAGNOSTIC:
2034                /* Fall through */
2035
2036        default:
2037unknown_cmnd:
2038                common->data_size_from_cmnd = 0;
2039                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2040                reply = check_command(common, common->cmnd_size,
2041                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2042                if (reply == 0) {
2043                        common->curlun->sense_data = SS_INVALID_COMMAND;
2044                        reply = -EINVAL;
2045                }
2046                break;
2047        }
2048        up_read(&common->filesem);
2049
2050        if (reply == -EINTR || signal_pending(current))
2051                return -EINTR;
2052
2053        /* Set up the single reply buffer for finish_reply() */
2054        if (reply == -EINVAL)
2055                reply = 0;              /* Error reply length */
2056        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2057                reply = min((u32)reply, common->data_size_from_cmnd);
2058                bh->inreq->length = reply;
2059                bh->state = BUF_STATE_FULL;
2060                common->residue -= reply;
2061        }                               /* Otherwise it's already set */
2062
2063        return 0;
2064}
2065
2066
2067/*-------------------------------------------------------------------------*/
2068
2069static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2070{
2071        struct usb_request      *req = bh->outreq;
2072        struct bulk_cb_wrap     *cbw = req->buf;
2073        struct fsg_common       *common = fsg->common;
2074
2075        /* Was this a real packet?  Should it be ignored? */
2076        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2077                return -EINVAL;
2078
2079        /* Is the CBW valid? */
2080        if (req->actual != US_BULK_CB_WRAP_LEN ||
2081                        cbw->Signature != cpu_to_le32(
2082                                US_BULK_CB_SIGN)) {
2083                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2084                                req->actual,
2085                                le32_to_cpu(cbw->Signature));
2086
2087                /*
2088                 * The Bulk-only spec says we MUST stall the IN endpoint
2089                 * (6.6.1), so it's unavoidable.  It also says we must
2090                 * retain this state until the next reset, but there's
2091                 * no way to tell the controller driver it should ignore
2092                 * Clear-Feature(HALT) requests.
2093                 *
2094                 * We aren't required to halt the OUT endpoint; instead
2095                 * we can simply accept and discard any data received
2096                 * until the next reset.
2097                 */
2098                wedge_bulk_in_endpoint(fsg);
2099                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2100                return -EINVAL;
2101        }
2102
2103        /* Is the CBW meaningful? */
2104        if (cbw->Lun >= ARRAY_SIZE(common->luns) ||
2105            cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 ||
2106            cbw->Length > MAX_COMMAND_SIZE) {
2107                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2108                                "cmdlen %u\n",
2109                                cbw->Lun, cbw->Flags, cbw->Length);
2110
2111                /*
2112                 * We can do anything we want here, so let's stall the
2113                 * bulk pipes if we are allowed to.
2114                 */
2115                if (common->can_stall) {
2116                        fsg_set_halt(fsg, fsg->bulk_out);
2117                        halt_bulk_in_endpoint(fsg);
2118                }
2119                return -EINVAL;
2120        }
2121
2122        /* Save the command for later */
2123        common->cmnd_size = cbw->Length;
2124        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2125        if (cbw->Flags & US_BULK_FLAG_IN)
2126                common->data_dir = DATA_DIR_TO_HOST;
2127        else
2128                common->data_dir = DATA_DIR_FROM_HOST;
2129        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2130        if (common->data_size == 0)
2131                common->data_dir = DATA_DIR_NONE;
2132        common->lun = cbw->Lun;
2133        if (common->lun < ARRAY_SIZE(common->luns))
2134                common->curlun = common->luns[common->lun];
2135        else
2136                common->curlun = NULL;
2137        common->tag = cbw->Tag;
2138        return 0;
2139}
2140
2141static int get_next_command(struct fsg_common *common)
2142{
2143        struct fsg_buffhd       *bh;
2144        int                     rc = 0;
2145
2146        /* Wait for the next buffer to become available */
2147        bh = common->next_buffhd_to_fill;
2148        rc = sleep_thread(common, true, bh);
2149        if (rc)
2150                return rc;
2151
2152        /* Queue a request to read a Bulk-only CBW */
2153        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2154        if (!start_out_transfer(common, bh))
2155                /* Don't know what to do if common->fsg is NULL */
2156                return -EIO;
2157
2158        /*
2159         * We will drain the buffer in software, which means we
2160         * can reuse it for the next filling.  No need to advance
2161         * next_buffhd_to_fill.
2162         */
2163
2164        /* Wait for the CBW to arrive */
2165        rc = sleep_thread(common, true, bh);
2166        if (rc)
2167                return rc;
2168
2169        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2170        bh->state = BUF_STATE_EMPTY;
2171
2172        return rc;
2173}
2174
2175
2176/*-------------------------------------------------------------------------*/
2177
2178static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2179                struct usb_request **preq)
2180{
2181        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2182        if (*preq)
2183                return 0;
2184        ERROR(common, "can't allocate request for %s\n", ep->name);
2185        return -ENOMEM;
2186}
2187
2188/* Reset interface setting and re-init endpoint state (toggle etc). */
2189static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2190{
2191        struct fsg_dev *fsg;
2192        int i, rc = 0;
2193
2194        if (common->running)
2195                DBG(common, "reset interface\n");
2196
2197reset:
2198        /* Deallocate the requests */
2199        if (common->fsg) {
2200                fsg = common->fsg;
2201
2202                for (i = 0; i < common->fsg_num_buffers; ++i) {
2203                        struct fsg_buffhd *bh = &common->buffhds[i];
2204
2205                        if (bh->inreq) {
2206                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2207                                bh->inreq = NULL;
2208                        }
2209                        if (bh->outreq) {
2210                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2211                                bh->outreq = NULL;
2212                        }
2213                }
2214
2215                /* Disable the endpoints */
2216                if (fsg->bulk_in_enabled) {
2217                        usb_ep_disable(fsg->bulk_in);
2218                        fsg->bulk_in_enabled = 0;
2219                }
2220                if (fsg->bulk_out_enabled) {
2221                        usb_ep_disable(fsg->bulk_out);
2222                        fsg->bulk_out_enabled = 0;
2223                }
2224
2225                common->fsg = NULL;
2226                wake_up(&common->fsg_wait);
2227        }
2228
2229        common->running = 0;
2230        if (!new_fsg || rc)
2231                return rc;
2232
2233        common->fsg = new_fsg;
2234        fsg = common->fsg;
2235
2236        /* Enable the endpoints */
2237        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2238        if (rc)
2239                goto reset;
2240        rc = usb_ep_enable(fsg->bulk_in);
2241        if (rc)
2242                goto reset;
2243        fsg->bulk_in->driver_data = common;
2244        fsg->bulk_in_enabled = 1;
2245
2246        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2247                                fsg->bulk_out);
2248        if (rc)
2249                goto reset;
2250        rc = usb_ep_enable(fsg->bulk_out);
2251        if (rc)
2252                goto reset;
2253        fsg->bulk_out->driver_data = common;
2254        fsg->bulk_out_enabled = 1;
2255        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2256        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2257
2258        /* Allocate the requests */
2259        for (i = 0; i < common->fsg_num_buffers; ++i) {
2260                struct fsg_buffhd       *bh = &common->buffhds[i];
2261
2262                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2263                if (rc)
2264                        goto reset;
2265                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2266                if (rc)
2267                        goto reset;
2268                bh->inreq->buf = bh->outreq->buf = bh->buf;
2269                bh->inreq->context = bh->outreq->context = bh;
2270                bh->inreq->complete = bulk_in_complete;
2271                bh->outreq->complete = bulk_out_complete;
2272        }
2273
2274        common->running = 1;
2275        for (i = 0; i < ARRAY_SIZE(common->luns); ++i)
2276                if (common->luns[i])
2277                        common->luns[i]->unit_attention_data =
2278                                SS_RESET_OCCURRED;
2279        return rc;
2280}
2281
2282
2283/****************************** ALT CONFIGS ******************************/
2284
2285static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2286{
2287        struct fsg_dev *fsg = fsg_from_func(f);
2288        fsg->common->new_fsg = fsg;
2289        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2290        return USB_GADGET_DELAYED_STATUS;
2291}
2292
2293static void fsg_disable(struct usb_function *f)
2294{
2295        struct fsg_dev *fsg = fsg_from_func(f);
2296        fsg->common->new_fsg = NULL;
2297        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2298}
2299
2300
2301/*-------------------------------------------------------------------------*/
2302
2303static void handle_exception(struct fsg_common *common)
2304{
2305        int                     i;
2306        struct fsg_buffhd       *bh;
2307        enum fsg_state          old_state;
2308        struct fsg_lun          *curlun;
2309        unsigned int            exception_req_tag;
2310
2311        /*
2312         * Clear the existing signals.  Anything but SIGUSR1 is converted
2313         * into a high-priority EXIT exception.
2314         */
2315        for (;;) {
2316                int sig = kernel_dequeue_signal(NULL);
2317                if (!sig)
2318                        break;
2319                if (sig != SIGUSR1) {
2320                        spin_lock_irq(&common->lock);
2321                        if (common->state < FSG_STATE_EXIT)
2322                                DBG(common, "Main thread exiting on signal\n");
2323                        common->state = FSG_STATE_EXIT;
2324                        spin_unlock_irq(&common->lock);
2325                }
2326        }
2327
2328        /* Cancel all the pending transfers */
2329        if (likely(common->fsg)) {
2330                for (i = 0; i < common->fsg_num_buffers; ++i) {
2331                        bh = &common->buffhds[i];
2332                        if (bh->state == BUF_STATE_SENDING)
2333                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2334                        if (bh->state == BUF_STATE_RECEIVING)
2335                                usb_ep_dequeue(common->fsg->bulk_out,
2336                                               bh->outreq);
2337
2338                        /* Wait for a transfer to become idle */
2339                        if (sleep_thread(common, false, bh))
2340                                return;
2341                }
2342
2343                /* Clear out the controller's fifos */
2344                if (common->fsg->bulk_in_enabled)
2345                        usb_ep_fifo_flush(common->fsg->bulk_in);
2346                if (common->fsg->bulk_out_enabled)
2347                        usb_ep_fifo_flush(common->fsg->bulk_out);
2348        }
2349
2350        /*
2351         * Reset the I/O buffer states and pointers, the SCSI
2352         * state, and the exception.  Then invoke the handler.
2353         */
2354        spin_lock_irq(&common->lock);
2355
2356        for (i = 0; i < common->fsg_num_buffers; ++i) {
2357                bh = &common->buffhds[i];
2358                bh->state = BUF_STATE_EMPTY;
2359        }
2360        common->next_buffhd_to_fill = &common->buffhds[0];
2361        common->next_buffhd_to_drain = &common->buffhds[0];
2362        exception_req_tag = common->exception_req_tag;
2363        old_state = common->state;
2364        common->state = FSG_STATE_NORMAL;
2365
2366        if (old_state != FSG_STATE_ABORT_BULK_OUT) {
2367                for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2368                        curlun = common->luns[i];
2369                        if (!curlun)
2370                                continue;
2371                        curlun->prevent_medium_removal = 0;
2372                        curlun->sense_data = SS_NO_SENSE;
2373                        curlun->unit_attention_data = SS_NO_SENSE;
2374                        curlun->sense_data_info = 0;
2375                        curlun->info_valid = 0;
2376                }
2377        }
2378        spin_unlock_irq(&common->lock);
2379
2380        /* Carry out any extra actions required for the exception */
2381        switch (old_state) {
2382        case FSG_STATE_NORMAL:
2383                break;
2384
2385        case FSG_STATE_ABORT_BULK_OUT:
2386                send_status(common);
2387                break;
2388
2389        case FSG_STATE_PROTOCOL_RESET:
2390                /*
2391                 * In case we were forced against our will to halt a
2392                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2393                 * requires this.)
2394                 */
2395                if (!fsg_is_set(common))
2396                        break;
2397                if (test_and_clear_bit(IGNORE_BULK_OUT,
2398                                       &common->fsg->atomic_bitflags))
2399                        usb_ep_clear_halt(common->fsg->bulk_in);
2400
2401                if (common->ep0_req_tag == exception_req_tag)
2402                        ep0_queue(common);      /* Complete the status stage */
2403
2404                /*
2405                 * Technically this should go here, but it would only be
2406                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2407                 * CONFIG_CHANGE cases.
2408                 */
2409                /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */
2410                /*      if (common->luns[i]) */
2411                /*              common->luns[i]->unit_attention_data = */
2412                /*                      SS_RESET_OCCURRED;  */
2413                break;
2414
2415        case FSG_STATE_CONFIG_CHANGE:
2416                do_set_interface(common, common->new_fsg);
2417                if (common->new_fsg)
2418                        usb_composite_setup_continue(common->cdev);
2419                break;
2420
2421        case FSG_STATE_EXIT:
2422                do_set_interface(common, NULL);         /* Free resources */
2423                spin_lock_irq(&common->lock);
2424                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2425                spin_unlock_irq(&common->lock);
2426                break;
2427
2428        case FSG_STATE_TERMINATED:
2429                break;
2430        }
2431}
2432
2433
2434/*-------------------------------------------------------------------------*/
2435
2436static int fsg_main_thread(void *common_)
2437{
2438        struct fsg_common       *common = common_;
2439        int                     i;
2440
2441        /*
2442         * Allow the thread to be killed by a signal, but set the signal mask
2443         * to block everything but INT, TERM, KILL, and USR1.
2444         */
2445        allow_signal(SIGINT);
2446        allow_signal(SIGTERM);
2447        allow_signal(SIGKILL);
2448        allow_signal(SIGUSR1);
2449
2450        /* Allow the thread to be frozen */
2451        set_freezable();
2452
2453        /* The main loop */
2454        while (common->state != FSG_STATE_TERMINATED) {
2455                if (exception_in_progress(common) || signal_pending(current)) {
2456                        handle_exception(common);
2457                        continue;
2458                }
2459
2460                if (!common->running) {
2461                        sleep_thread(common, true, NULL);
2462                        continue;
2463                }
2464
2465                if (get_next_command(common) || exception_in_progress(common))
2466                        continue;
2467                if (do_scsi_command(common) || exception_in_progress(common))
2468                        continue;
2469                if (finish_reply(common) || exception_in_progress(common))
2470                        continue;
2471                send_status(common);
2472        }
2473
2474        spin_lock_irq(&common->lock);
2475        common->thread_task = NULL;
2476        spin_unlock_irq(&common->lock);
2477
2478        /* Eject media from all LUNs */
2479
2480        down_write(&common->filesem);
2481        for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
2482                struct fsg_lun *curlun = common->luns[i];
2483
2484                if (curlun && fsg_lun_is_open(curlun))
2485                        fsg_lun_close(curlun);
2486        }
2487        up_write(&common->filesem);
2488
2489        /* Let fsg_unbind() know the thread has exited */
2490        complete_and_exit(&common->thread_notifier, 0);
2491}
2492
2493
2494/*************************** DEVICE ATTRIBUTES ***************************/
2495
2496static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2497{
2498        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2499
2500        return fsg_show_ro(curlun, buf);
2501}
2502
2503static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2504                          char *buf)
2505{
2506        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2507
2508        return fsg_show_nofua(curlun, buf);
2509}
2510
2511static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2512                         char *buf)
2513{
2514        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2515        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2516
2517        return fsg_show_file(curlun, filesem, buf);
2518}
2519
2520static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2521                        const char *buf, size_t count)
2522{
2523        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2524        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2525
2526        return fsg_store_ro(curlun, filesem, buf, count);
2527}
2528
2529static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2530                           const char *buf, size_t count)
2531{
2532        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2533
2534        return fsg_store_nofua(curlun, buf, count);
2535}
2536
2537static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2538                          const char *buf, size_t count)
2539{
2540        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2541        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2542
2543        return fsg_store_file(curlun, filesem, buf, count);
2544}
2545
2546static DEVICE_ATTR_RW(nofua);
2547/* mode wil be set in fsg_lun_attr_is_visible() */
2548static DEVICE_ATTR(ro, 0, ro_show, ro_store);
2549static DEVICE_ATTR(file, 0, file_show, file_store);
2550
2551/****************************** FSG COMMON ******************************/
2552
2553static void fsg_common_release(struct kref *ref);
2554
2555static void fsg_lun_release(struct device *dev)
2556{
2557        /* Nothing needs to be done */
2558}
2559
2560void fsg_common_get(struct fsg_common *common)
2561{
2562        kref_get(&common->ref);
2563}
2564EXPORT_SYMBOL_GPL(fsg_common_get);
2565
2566void fsg_common_put(struct fsg_common *common)
2567{
2568        kref_put(&common->ref, fsg_common_release);
2569}
2570EXPORT_SYMBOL_GPL(fsg_common_put);
2571
2572static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2573{
2574        if (!common) {
2575                common = kzalloc(sizeof(*common), GFP_KERNEL);
2576                if (!common)
2577                        return ERR_PTR(-ENOMEM);
2578                common->free_storage_on_release = 1;
2579        } else {
2580                common->free_storage_on_release = 0;
2581        }
2582        init_rwsem(&common->filesem);
2583        spin_lock_init(&common->lock);
2584        kref_init(&common->ref);
2585        init_completion(&common->thread_notifier);
2586        init_waitqueue_head(&common->io_wait);
2587        init_waitqueue_head(&common->fsg_wait);
2588        common->state = FSG_STATE_TERMINATED;
2589        memset(common->luns, 0, sizeof(common->luns));
2590
2591        return common;
2592}
2593
2594void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2595{
2596        common->sysfs = sysfs;
2597}
2598EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2599
2600static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2601{
2602        if (buffhds) {
2603                struct fsg_buffhd *bh = buffhds;
2604                while (n--) {
2605                        kfree(bh->buf);
2606                        ++bh;
2607                }
2608                kfree(buffhds);
2609        }
2610}
2611
2612int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2613{
2614        struct fsg_buffhd *bh, *buffhds;
2615        int i;
2616
2617        buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2618        if (!buffhds)
2619                return -ENOMEM;
2620
2621        /* Data buffers cyclic list */
2622        bh = buffhds;
2623        i = n;
2624        goto buffhds_first_it;
2625        do {
2626                bh->next = bh + 1;
2627                ++bh;
2628buffhds_first_it:
2629                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2630                if (unlikely(!bh->buf))
2631                        goto error_release;
2632        } while (--i);
2633        bh->next = buffhds;
2634
2635        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2636        common->fsg_num_buffers = n;
2637        common->buffhds = buffhds;
2638
2639        return 0;
2640
2641error_release:
2642        /*
2643         * "buf"s pointed to by heads after n - i are NULL
2644         * so releasing them won't hurt
2645         */
2646        _fsg_common_free_buffers(buffhds, n);
2647
2648        return -ENOMEM;
2649}
2650EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2651
2652void fsg_common_remove_lun(struct fsg_lun *lun)
2653{
2654        if (device_is_registered(&lun->dev))
2655                device_unregister(&lun->dev);
2656        fsg_lun_close(lun);
2657        kfree(lun);
2658}
2659EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2660
2661static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2662{
2663        int i;
2664
2665        for (i = 0; i < n; ++i)
2666                if (common->luns[i]) {
2667                        fsg_common_remove_lun(common->luns[i]);
2668                        common->luns[i] = NULL;
2669                }
2670}
2671
2672void fsg_common_remove_luns(struct fsg_common *common)
2673{
2674        _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns));
2675}
2676EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2677
2678void fsg_common_free_buffers(struct fsg_common *common)
2679{
2680        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2681        common->buffhds = NULL;
2682}
2683EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2684
2685int fsg_common_set_cdev(struct fsg_common *common,
2686                         struct usb_composite_dev *cdev, bool can_stall)
2687{
2688        struct usb_string *us;
2689
2690        common->gadget = cdev->gadget;
2691        common->ep0 = cdev->gadget->ep0;
2692        common->ep0req = cdev->req;
2693        common->cdev = cdev;
2694
2695        us = usb_gstrings_attach(cdev, fsg_strings_array,
2696                                 ARRAY_SIZE(fsg_strings));
2697        if (IS_ERR(us))
2698                return PTR_ERR(us);
2699
2700        fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2701
2702        /*
2703         * Some peripheral controllers are known not to be able to
2704         * halt bulk endpoints correctly.  If one of them is present,
2705         * disable stalls.
2706         */
2707        common->can_stall = can_stall &&
2708                        gadget_is_stall_supported(common->gadget);
2709
2710        return 0;
2711}
2712EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2713
2714static struct attribute *fsg_lun_dev_attrs[] = {
2715        &dev_attr_ro.attr,
2716        &dev_attr_file.attr,
2717        &dev_attr_nofua.attr,
2718        NULL
2719};
2720
2721static umode_t fsg_lun_dev_is_visible(struct kobject *kobj,
2722                                      struct attribute *attr, int idx)
2723{
2724        struct device *dev = kobj_to_dev(kobj);
2725        struct fsg_lun *lun = fsg_lun_from_dev(dev);
2726
2727        if (attr == &dev_attr_ro.attr)
2728                return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO);
2729        if (attr == &dev_attr_file.attr)
2730                return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO;
2731        return attr->mode;
2732}
2733
2734static const struct attribute_group fsg_lun_dev_group = {
2735        .attrs = fsg_lun_dev_attrs,
2736        .is_visible = fsg_lun_dev_is_visible,
2737};
2738
2739static const struct attribute_group *fsg_lun_dev_groups[] = {
2740        &fsg_lun_dev_group,
2741        NULL
2742};
2743
2744int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2745                          unsigned int id, const char *name,
2746                          const char **name_pfx)
2747{
2748        struct fsg_lun *lun;
2749        char *pathbuf, *p;
2750        int rc = -ENOMEM;
2751
2752        if (id >= ARRAY_SIZE(common->luns))
2753                return -ENODEV;
2754
2755        if (common->luns[id])
2756                return -EBUSY;
2757
2758        if (!cfg->filename && !cfg->removable) {
2759                pr_err("no file given for LUN%d\n", id);
2760                return -EINVAL;
2761        }
2762
2763        lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2764        if (!lun)
2765                return -ENOMEM;
2766
2767        lun->name_pfx = name_pfx;
2768
2769        lun->cdrom = !!cfg->cdrom;
2770        lun->ro = cfg->cdrom || cfg->ro;
2771        lun->initially_ro = lun->ro;
2772        lun->removable = !!cfg->removable;
2773
2774        if (!common->sysfs) {
2775                /* we DON'T own the name!*/
2776                lun->name = name;
2777        } else {
2778                lun->dev.release = fsg_lun_release;
2779                lun->dev.parent = &common->gadget->dev;
2780                lun->dev.groups = fsg_lun_dev_groups;
2781                dev_set_drvdata(&lun->dev, &common->filesem);
2782                dev_set_name(&lun->dev, "%s", name);
2783                lun->name = dev_name(&lun->dev);
2784
2785                rc = device_register(&lun->dev);
2786                if (rc) {
2787                        pr_info("failed to register LUN%d: %d\n", id, rc);
2788                        put_device(&lun->dev);
2789                        goto error_sysfs;
2790                }
2791        }
2792
2793        common->luns[id] = lun;
2794
2795        if (cfg->filename) {
2796                rc = fsg_lun_open(lun, cfg->filename);
2797                if (rc)
2798                        goto error_lun;
2799        }
2800
2801        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2802        p = "(no medium)";
2803        if (fsg_lun_is_open(lun)) {
2804                p = "(error)";
2805                if (pathbuf) {
2806                        p = file_path(lun->filp, pathbuf, PATH_MAX);
2807                        if (IS_ERR(p))
2808                                p = "(error)";
2809                }
2810        }
2811        pr_info("LUN: %s%s%sfile: %s\n",
2812              lun->removable ? "removable " : "",
2813              lun->ro ? "read only " : "",
2814              lun->cdrom ? "CD-ROM " : "",
2815              p);
2816        kfree(pathbuf);
2817
2818        return 0;
2819
2820error_lun:
2821        if (device_is_registered(&lun->dev))
2822                device_unregister(&lun->dev);
2823        fsg_lun_close(lun);
2824        common->luns[id] = NULL;
2825error_sysfs:
2826        kfree(lun);
2827        return rc;
2828}
2829EXPORT_SYMBOL_GPL(fsg_common_create_lun);
2830
2831int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
2832{
2833        char buf[8]; /* enough for 100000000 different numbers, decimal */
2834        int i, rc;
2835
2836        fsg_common_remove_luns(common);
2837
2838        for (i = 0; i < cfg->nluns; ++i) {
2839                snprintf(buf, sizeof(buf), "lun%d", i);
2840                rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
2841                if (rc)
2842                        goto fail;
2843        }
2844
2845        pr_info("Number of LUNs=%d\n", cfg->nluns);
2846
2847        return 0;
2848
2849fail:
2850        _fsg_common_remove_luns(common, i);
2851        return rc;
2852}
2853EXPORT_SYMBOL_GPL(fsg_common_create_luns);
2854
2855void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
2856                                   const char *pn)
2857{
2858        int i;
2859
2860        /* Prepare inquiryString */
2861        i = get_default_bcdDevice();
2862        snprintf(common->inquiry_string, sizeof(common->inquiry_string),
2863                 "%-8s%-16s%04x", vn ?: "Linux",
2864                 /* Assume product name dependent on the first LUN */
2865                 pn ?: ((*common->luns)->cdrom
2866                     ? "File-CD Gadget"
2867                     : "File-Stor Gadget"),
2868                 i);
2869}
2870EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
2871
2872static void fsg_common_release(struct kref *ref)
2873{
2874        struct fsg_common *common = container_of(ref, struct fsg_common, ref);
2875        int i;
2876
2877        /* If the thread isn't already dead, tell it to exit now */
2878        if (common->state != FSG_STATE_TERMINATED) {
2879                raise_exception(common, FSG_STATE_EXIT);
2880                wait_for_completion(&common->thread_notifier);
2881        }
2882
2883        for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2884                struct fsg_lun *lun = common->luns[i];
2885                if (!lun)
2886                        continue;
2887                fsg_lun_close(lun);
2888                if (device_is_registered(&lun->dev))
2889                        device_unregister(&lun->dev);
2890                kfree(lun);
2891        }
2892
2893        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2894        if (common->free_storage_on_release)
2895                kfree(common);
2896}
2897
2898
2899/*-------------------------------------------------------------------------*/
2900
2901static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2902{
2903        struct fsg_dev          *fsg = fsg_from_func(f);
2904        struct fsg_common       *common = fsg->common;
2905        struct usb_gadget       *gadget = c->cdev->gadget;
2906        int                     i;
2907        struct usb_ep           *ep;
2908        unsigned                max_burst;
2909        int                     ret;
2910        struct fsg_opts         *opts;
2911
2912        /* Don't allow to bind if we don't have at least one LUN */
2913        ret = _fsg_common_get_max_lun(common);
2914        if (ret < 0) {
2915                pr_err("There should be at least one LUN.\n");
2916                return -EINVAL;
2917        }
2918
2919        opts = fsg_opts_from_func_inst(f->fi);
2920        if (!opts->no_configfs) {
2921                ret = fsg_common_set_cdev(fsg->common, c->cdev,
2922                                          fsg->common->can_stall);
2923                if (ret)
2924                        return ret;
2925                fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
2926        }
2927
2928        if (!common->thread_task) {
2929                common->state = FSG_STATE_NORMAL;
2930                common->thread_task =
2931                        kthread_create(fsg_main_thread, common, "file-storage");
2932                if (IS_ERR(common->thread_task)) {
2933                        ret = PTR_ERR(common->thread_task);
2934                        common->thread_task = NULL;
2935                        common->state = FSG_STATE_TERMINATED;
2936                        return ret;
2937                }
2938                DBG(common, "I/O thread pid: %d\n",
2939                    task_pid_nr(common->thread_task));
2940                wake_up_process(common->thread_task);
2941        }
2942
2943        fsg->gadget = gadget;
2944
2945        /* New interface */
2946        i = usb_interface_id(c, f);
2947        if (i < 0)
2948                goto fail;
2949        fsg_intf_desc.bInterfaceNumber = i;
2950        fsg->interface_number = i;
2951
2952        /* Find all the endpoints we will use */
2953        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2954        if (!ep)
2955                goto autoconf_fail;
2956        fsg->bulk_in = ep;
2957
2958        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2959        if (!ep)
2960                goto autoconf_fail;
2961        fsg->bulk_out = ep;
2962
2963        /* Assume endpoint addresses are the same for both speeds */
2964        fsg_hs_bulk_in_desc.bEndpointAddress =
2965                fsg_fs_bulk_in_desc.bEndpointAddress;
2966        fsg_hs_bulk_out_desc.bEndpointAddress =
2967                fsg_fs_bulk_out_desc.bEndpointAddress;
2968
2969        /* Calculate bMaxBurst, we know packet size is 1024 */
2970        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2971
2972        fsg_ss_bulk_in_desc.bEndpointAddress =
2973                fsg_fs_bulk_in_desc.bEndpointAddress;
2974        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2975
2976        fsg_ss_bulk_out_desc.bEndpointAddress =
2977                fsg_fs_bulk_out_desc.bEndpointAddress;
2978        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2979
2980        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
2981                        fsg_ss_function, fsg_ss_function);
2982        if (ret)
2983                goto autoconf_fail;
2984
2985        return 0;
2986
2987autoconf_fail:
2988        ERROR(fsg, "unable to autoconfigure all endpoints\n");
2989        i = -ENOTSUPP;
2990fail:
2991        /* terminate the thread */
2992        if (fsg->common->state != FSG_STATE_TERMINATED) {
2993                raise_exception(fsg->common, FSG_STATE_EXIT);
2994                wait_for_completion(&fsg->common->thread_notifier);
2995        }
2996        return i;
2997}
2998
2999/****************************** ALLOCATE FUNCTION *************************/
3000

3001static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
3002{
3003        struct fsg_dev          *fsg = fsg_from_func(f);
3004        struct fsg_common       *common = fsg->common;
3005
3006        DBG(fsg, "unbind\n");
3007        if (fsg->common->fsg == fsg) {
3008                fsg->common->new_fsg = NULL;
3009                raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
3010                /* FIXME: make interruptible or killable somehow? */
3011                wait_event(common->fsg_wait, common->fsg != fsg);
3012        }
3013
3014        usb_free_all_descriptors(&fsg->function);
3015}
3016
3017static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3018{
3019        return container_of(to_config_group(item), struct fsg_lun_opts, group);
3020}
3021
3022static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3023{
3024        return container_of(to_config_group(item), struct fsg_opts,
3025                            func_inst.group);
3026}
3027
3028static void fsg_lun_attr_release(struct config_item *item)
3029{
3030        struct fsg_lun_opts *lun_opts;
3031
3032        lun_opts = to_fsg_lun_opts(item);
3033        kfree(lun_opts);
3034}
3035
3036static struct configfs_item_operations fsg_lun_item_ops = {
3037        .release                = fsg_lun_attr_release,
3038};
3039
3040static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page)
3041{
3042        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3043        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3044
3045        return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3046}
3047
3048static ssize_t fsg_lun_opts_file_store(struct config_item *item,
3049                                       const char *page, size_t len)
3050{
3051        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3052        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3053
3054        return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3055}
3056
3057CONFIGFS_ATTR(fsg_lun_opts_, file);
3058
3059static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page)
3060{
3061        return fsg_show_ro(to_fsg_lun_opts(item)->lun, page);
3062}
3063
3064static ssize_t fsg_lun_opts_ro_store(struct config_item *item,
3065                                       const char *page, size_t len)
3066{
3067        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3068        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3069
3070        return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3071}
3072
3073CONFIGFS_ATTR(fsg_lun_opts_, ro);
3074
3075static ssize_t fsg_lun_opts_removable_show(struct config_item *item,
3076                                           char *page)
3077{
3078        return fsg_show_removable(to_fsg_lun_opts(item)->lun, page);
3079}
3080
3081static ssize_t fsg_lun_opts_removable_store(struct config_item *item,
3082                                       const char *page, size_t len)
3083{
3084        return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len);
3085}
3086
3087CONFIGFS_ATTR(fsg_lun_opts_, removable);
3088
3089static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page)
3090{
3091        return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page);
3092}
3093
3094static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item,
3095                                       const char *page, size_t len)
3096{
3097        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3098        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3099
3100        return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3101                               len);
3102}
3103
3104CONFIGFS_ATTR(fsg_lun_opts_, cdrom);
3105
3106static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page)
3107{
3108        return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page);
3109}
3110
3111static ssize_t fsg_lun_opts_nofua_store(struct config_item *item,
3112                                       const char *page, size_t len)
3113{
3114        return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len);
3115}
3116
3117CONFIGFS_ATTR(fsg_lun_opts_, nofua);
3118
3119static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item,
3120                                                char *page)
3121{
3122        return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page);
3123}
3124
3125static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item,
3126                                                 const char *page, size_t len)
3127{
3128        return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len);
3129}
3130
3131CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string);
3132
3133static struct configfs_attribute *fsg_lun_attrs[] = {
3134        &fsg_lun_opts_attr_file,
3135        &fsg_lun_opts_attr_ro,
3136        &fsg_lun_opts_attr_removable,
3137        &fsg_lun_opts_attr_cdrom,
3138        &fsg_lun_opts_attr_nofua,
3139        &fsg_lun_opts_attr_inquiry_string,
3140        NULL,
3141};
3142
3143static struct config_item_type fsg_lun_type = {
3144        .ct_item_ops    = &fsg_lun_item_ops,
3145        .ct_attrs       = fsg_lun_attrs,
3146        .ct_owner       = THIS_MODULE,
3147};
3148
3149static struct config_group *fsg_lun_make(struct config_group *group,
3150                                         const char *name)
3151{
3152        struct fsg_lun_opts *opts;
3153        struct fsg_opts *fsg_opts;
3154        struct fsg_lun_config config;
3155        char *num_str;
3156        u8 num;
3157        int ret;
3158
3159        num_str = strchr(name, '.');
3160        if (!num_str) {
3161                pr_err("Unable to locate . in LUN.NUMBER\n");
3162                return ERR_PTR(-EINVAL);
3163        }
3164        num_str++;
3165
3166        ret = kstrtou8(num_str, 0, &num);
3167        if (ret)
3168                return ERR_PTR(ret);
3169
3170        fsg_opts = to_fsg_opts(&group->cg_item);
3171        if (num >= FSG_MAX_LUNS)
3172                return ERR_PTR(-ERANGE);
3173
3174        mutex_lock(&fsg_opts->lock);
3175        if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3176                ret = -EBUSY;
3177                goto out;
3178        }
3179
3180        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3181        if (!opts) {
3182                ret = -ENOMEM;
3183                goto out;
3184        }
3185
3186        memset(&config, 0, sizeof(config));
3187        config.removable = true;
3188
3189        ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3190                                    (const char **)&group->cg_item.ci_name);
3191        if (ret) {
3192                kfree(opts);
3193                goto out;
3194        }
3195        opts->lun = fsg_opts->common->luns[num];
3196        opts->lun_id = num;
3197        mutex_unlock(&fsg_opts->lock);
3198
3199        config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3200
3201        return &opts->group;
3202out:
3203        mutex_unlock(&fsg_opts->lock);
3204        return ERR_PTR(ret);
3205}
3206
3207static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3208{
3209        struct fsg_lun_opts *lun_opts;
3210        struct fsg_opts *fsg_opts;
3211
3212        lun_opts = to_fsg_lun_opts(item);
3213        fsg_opts = to_fsg_opts(&group->cg_item);
3214
3215        mutex_lock(&fsg_opts->lock);
3216        if (fsg_opts->refcnt) {
3217                struct config_item *gadget;
3218
3219                gadget = group->cg_item.ci_parent->ci_parent;
3220                unregister_gadget_item(gadget);
3221        }
3222
3223        fsg_common_remove_lun(lun_opts->lun);
3224        fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3225        lun_opts->lun_id = 0;
3226        mutex_unlock(&fsg_opts->lock);
3227
3228        config_item_put(item);
3229}
3230
3231static void fsg_attr_release(struct config_item *item)
3232{
3233        struct fsg_opts *opts = to_fsg_opts(item);
3234
3235        usb_put_function_instance(&opts->func_inst);
3236}
3237
3238static struct configfs_item_operations fsg_item_ops = {
3239        .release                = fsg_attr_release,
3240};
3241
3242static ssize_t fsg_opts_stall_show(struct config_item *item, char *page)
3243{
3244        struct fsg_opts *opts = to_fsg_opts(item);
3245        int result;
3246
3247        mutex_lock(&opts->lock);
3248        result = sprintf(page, "%d", opts->common->can_stall);
3249        mutex_unlock(&opts->lock);
3250
3251        return result;
3252}
3253
3254static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page,
3255                                    size_t len)
3256{
3257        struct fsg_opts *opts = to_fsg_opts(item);
3258        int ret;
3259        bool stall;
3260
3261        mutex_lock(&opts->lock);
3262
3263        if (opts->refcnt) {
3264                mutex_unlock(&opts->lock);
3265                return -EBUSY;
3266        }
3267
3268        ret = strtobool(page, &stall);
3269        if (!ret) {
3270                opts->common->can_stall = stall;
3271                ret = len;
3272        }
3273
3274        mutex_unlock(&opts->lock);
3275
3276        return ret;
3277}
3278
3279CONFIGFS_ATTR(fsg_opts_, stall);
3280
3281#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3282static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page)
3283{
3284        struct fsg_opts *opts = to_fsg_opts(item);
3285        int result;
3286
3287        mutex_lock(&opts->lock);
3288        result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3289        mutex_unlock(&opts->lock);
3290
3291        return result;
3292}
3293
3294static ssize_t fsg_opts_num_buffers_store(struct config_item *item,
3295                                          const char *page, size_t len)
3296{
3297        struct fsg_opts *opts = to_fsg_opts(item);
3298        int ret;
3299        u8 num;
3300
3301        mutex_lock(&opts->lock);
3302        if (opts->refcnt) {
3303                ret = -EBUSY;
3304                goto end;
3305        }
3306        ret = kstrtou8(page, 0, &num);
3307        if (ret)
3308                goto end;
3309
3310        fsg_common_set_num_buffers(opts->common, num);
3311        ret = len;
3312
3313end:
3314        mutex_unlock(&opts->lock);
3315        return ret;
3316}
3317
3318CONFIGFS_ATTR(fsg_opts_, num_buffers);
3319#endif
3320
3321static struct configfs_attribute *fsg_attrs[] = {
3322        &fsg_opts_attr_stall,
3323#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3324        &fsg_opts_attr_num_buffers,
3325#endif
3326        NULL,
3327};
3328
3329static struct configfs_group_operations fsg_group_ops = {
3330        .make_group     = fsg_lun_make,
3331        .drop_item      = fsg_lun_drop,
3332};
3333
3334static struct config_item_type fsg_func_type = {
3335        .ct_item_ops    = &fsg_item_ops,
3336        .ct_group_ops   = &fsg_group_ops,
3337        .ct_attrs       = fsg_attrs,
3338        .ct_owner       = THIS_MODULE,
3339};
3340
3341static void fsg_free_inst(struct usb_function_instance *fi)
3342{
3343        struct fsg_opts *opts;
3344
3345        opts = fsg_opts_from_func_inst(fi);
3346        fsg_common_put(opts->common);
3347        kfree(opts);
3348}
3349
3350static struct usb_function_instance *fsg_alloc_inst(void)
3351{
3352        struct fsg_opts *opts;
3353        struct fsg_lun_config config;
3354        int rc;
3355
3356        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3357        if (!opts)
3358                return ERR_PTR(-ENOMEM);
3359        mutex_init(&opts->lock);
3360        opts->func_inst.free_func_inst = fsg_free_inst;
3361        opts->common = fsg_common_setup(opts->common);
3362        if (IS_ERR(opts->common)) {
3363                rc = PTR_ERR(opts->common);
3364                goto release_opts;
3365        }
3366
3367        rc = fsg_common_set_num_buffers(opts->common,
3368                                        CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3369        if (rc)
3370                goto release_opts;
3371
3372        pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3373
3374        memset(&config, 0, sizeof(config));
3375        config.removable = true;
3376        rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3377                        (const char **)&opts->func_inst.group.cg_item.ci_name);
3378        if (rc)
3379                goto release_buffers;
3380
3381        opts->lun0.lun = opts->common->luns[0];
3382        opts->lun0.lun_id = 0;
3383
3384        config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3385
3386        config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3387        configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group);
3388
3389        return &opts->func_inst;
3390
3391release_buffers:
3392        fsg_common_free_buffers(opts->common);
3393release_opts:
3394        kfree(opts);
3395        return ERR_PTR(rc);
3396}
3397
3398static void fsg_free(struct usb_function *f)
3399{
3400        struct fsg_dev *fsg;
3401        struct fsg_opts *opts;
3402
3403        fsg = container_of(f, struct fsg_dev, function);
3404        opts = container_of(f->fi, struct fsg_opts, func_inst);
3405
3406        mutex_lock(&opts->lock);
3407        opts->refcnt--;
3408        mutex_unlock(&opts->lock);
3409
3410        kfree(fsg);
3411}
3412
3413static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3414{
3415        struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3416        struct fsg_common *common = opts->common;
3417        struct fsg_dev *fsg;
3418
3419        fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3420        if (unlikely(!fsg))
3421                return ERR_PTR(-ENOMEM);
3422
3423        mutex_lock(&opts->lock);
3424        opts->refcnt++;
3425        mutex_unlock(&opts->lock);
3426
3427        fsg->function.name      = FSG_DRIVER_DESC;
3428        fsg->function.bind      = fsg_bind;
3429        fsg->function.unbind    = fsg_unbind;
3430        fsg->function.setup     = fsg_setup;
3431        fsg->function.set_alt   = fsg_set_alt;
3432        fsg->function.disable   = fsg_disable;
3433        fsg->function.free_func = fsg_free;
3434
3435        fsg->common               = common;
3436
3437        return &fsg->function;
3438}
3439
3440DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3441MODULE_LICENSE("GPL");
3442MODULE_AUTHOR("Michal Nazarewicz");
3443
3444/************************* Module parameters *************************/
3445
3446
3447void fsg_config_from_params(struct fsg_config *cfg,
3448                       const struct fsg_module_parameters *params,
3449                       unsigned int fsg_num_buffers)
3450{
3451        struct fsg_lun_config *lun;
3452        unsigned i;
3453
3454        /* Configure LUNs */
3455        cfg->nluns =
3456                min(params->luns ?: (params->file_count ?: 1u),
3457                    (unsigned)FSG_MAX_LUNS);
3458        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3459                lun->ro = !!params->ro[i];
3460                lun->cdrom = !!params->cdrom[i];
3461                lun->removable = !!params->removable[i];
3462                lun->filename =
3463                        params->file_count > i && params->file[i][0]
3464                        ? params->file[i]
3465                        : NULL;
3466        }
3467
3468        /* Let MSF use defaults */
3469        cfg->vendor_name = NULL;
3470        cfg->product_name = NULL;
3471
3472        cfg->ops = NULL;
3473        cfg->private_data = NULL;
3474
3475        /* Finalise */
3476        cfg->can_stall = params->stall;
3477        cfg->fsg_num_buffers = fsg_num_buffers;
3478}
3479EXPORT_SYMBOL_GPL(fsg_config_from_params);
3480